Aug 21

A security hole in OAuth, the open protocol that acts as a “valet key” letting third-party applications use a person’s account without ever being handed the password, has led services like Twitter and Yahoo to temporarily pull their support, CNET News has learned.

Some developers were dismayed when Twitter pulled its support for OAuth, which it had only recently started to implement: blogger Jesse Stay wrote in a post about other restrictions to Twitter’s developer API that its removal of OAuth is one of a number of recent examples of how the microblogging service has “pulled the rug out from under its developers.”

In the interest of online safety, CNET News has chosen not to make the details of the security hole public. Here are the basics: The hole makes it possible for a hacker to use social-engineering tactics to trick users into exposing their data. The OAuth protocol itself requires tweaking to remove the vulnerability, and a source close to OAuth’s development team said that there have been no known violations, that it has been aware of it for a few days now, and has been coordinating responses with vendors. A solution should be announced soon.

This is a particularly big deal for Twitter, because OAuth is what spares users from handing their passwords to third-party services built on a site’s application programming interface (API), and Twitter relies heavily on developer-created enhancements to the service, from clients like Twhirl and TweetDeck to statistics and analytics applications.

“OAuth is still in beta, for what it’s worth,” Twitter API lead Alex Payne said in (of course) a Twitter message on Wednesday. “We should have the current issue with it resolved soon.”

Eran Hammer-Lahav, the OAuth community coordinator for this specific threat, spoke to CNET News later on Wednesday afternoon. “We have been aware of this threat for about a week now, and we have been coordinating with all known providers to help them understand the threat and deploy whatever mitigating factors they can,” Hammer-Lahav said, adding that full details will be made available on the OAuth Web site at midnight Pacific time on Thursday. “There are no known exploits of this, so there are no reported attacks and the providers have either already deployed matters to address this or are doing it right now.”

He highlighted Twitter’s role in helping to keep things on the down-low at its own expense; when the service disabled OAuth, it did not mention that there was a security hole at its root.

“The community is extremely grateful to Twitter, despite the fact that they have been standing alone in the line of fire and taking the heat for this threat as if it was their own issue,” Hammer-Lahav explained. “They basically took the PR hit in order to allow other companies to address it. They were doing it not to protect themselves, but to protect other companies.”

Twitter co-founder Biz Stone responded to the threat on the company blog: “We take security seriously and felt the responsible thing to do was temporarily disable OAuth while this matter was sorted out. Yahoo and others made similar decisions,” Stone wrote. “The developers working on Twitter projects that are in our beta test group felt this disruption the hardest and their patience is extremely appreciated.”

This post was last expanded at 1:36 p.m. PT.

Aug 21

The portable speaker for the iPhone can be folded up into a compact “ball” that’s very easy to transport. (Credit: Dong Ngo/CNET Networks)

Now that you’ve gotten your iPhone 3G, it’s time to get some accessories for it.

Digital Lifestyle Outfitters (DLO) didn’t wait long and has just come out with a slew of stuff you can use to protect, carry, and enhance your iPhone 3G. Most of it works with the original iPhone and the iPod Touch, too.

To keep your iPhone from being scratched, or bumped around if dropped, you can choose either the HybridShell ($24.99), which is bulky yet stylish, or the VideoShell ($19.99), which is clear and sturdy. Of course, you can get other old-school outfits like the Jam Jacket ($19.99) or the HipCase ($29.99).

Personally, I prefer the Action Jacket ($29.99) for iPhone, which works well when you go jogging, which is probably the only time I would want to use a case for a smartphone/music player.

DLO also has the Portable Speakers, which instantly turn your iPhone into a mini boom box and work well for a small room or when you are on the go. The speakers fold up into an “egg” that’s a compact 6 inches in diameter. It’s rather expensive, though, at $49.99.

Aug 21

Once again, criminal hackers are targeting a worldwide event to deposit their malicious software on victims’ PCs, according to one security vendor.

Within the last six months, MessageLabs has found at least 13 new Trojan horse programs associated with e-mails bearing subjects such as “The Beijing 2008 Torch Relay” and “National Olympic Committee and Ticket Sales Agents.”

So far, such attacks appear to be a corporate threat, as opposed to an individual threat.

The e-mails, however, are not random. MessageLabs says the Trojan horses are often targeted at individuals within a specific organization in an attempt to gain access to the corporate network. This practice is known as “spear phishing.”

The problem, according to a MessageLabs representative, is that the hackers’ e-mail messages carry an embedded Microsoft Office database file within the zipped attachment. Microsoft said in a recent security advisory that customers not running Windows Vista or Windows Server 2003 are vulnerable, allowing remote attackers to gain full control of a compromised machine.

Research from MessageLabs shows that while the e-mails state that they come from the International Olympic Committee in Switzerland, most have IP addresses based in Asia.

Once the malicious code is installed, an attacker could steal personal data. MessageLabs further predicts that malicious-code writers will change the way the payload is encoded, using a 1-byte XOR key, multiple XOR keys, and ROR, ROL, ADD, and SUB operations.
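An added example, not code from the article or from MessageLabs, showing why the encodings MessageLabs expects to see are cheap for an analyst to undo. A Windows executable hidden in an attachment under a single-byte XOR, a repeating multi-byte XOR, an ADD/SUB or a ROR/ROL still contains the “MZ” header and the DOS-stub text “This program cannot be run in DOS mode”, which is enough known plaintext to recover an XOR key directly; the ADD and rotate key spaces are small enough to brute-force. The embedded payload, cover bytes and keys below are constructed for the demo and are not a real sample.

```python
# Added example, not code from the article or from MessageLabs: recover a Windows
# executable that an attachment hides under the cheap byte-level encodings the
# article lists (single- and multi-byte XOR, ROR/ROL, ADD/SUB). The sample
# payload and cover bytes below are constructed for the demo.

MZ_MAGIC = b"MZ"                                      # first two bytes of every PE file
DOS_STUB = b"This program cannot be run in DOS mode"  # text in nearly every PE's DOS stub


def rol8(b, n):
    """Rotate one byte left by n bits."""
    n %= 8
    return ((b << n) | (b >> (8 - n))) & 0xFF


def pe_offset(data):
    """Offset of the "MZ" header that precedes the DOS stub text, or -1."""
    stub = data.find(DOS_STUB)
    return -1 if stub < 0 else data.rfind(MZ_MAGIC, 0, stub)


def undo_xor(blob, max_keylen=8):
    """Known-plaintext attack on repeating-key XOR. At each offset, XOR the
    ciphertext with the DOS stub text; where the result repeats with a short
    period, that period is the key (rotated to the blob's alignment)."""
    n = len(DOS_STUB)
    for off in range(len(blob) - n + 1):
        stream = bytes(c ^ p for c, p in zip(blob[off:off + n], DOS_STUB))
        for klen in range(1, max_keylen + 1):
            if all(stream[i] == stream[i % klen] for i in range(n)):
                key = bytes(stream[(m - off) % klen] for m in range(klen))
                plain = bytes(b ^ key[i % klen] for i, b in enumerate(blob))
                if pe_offset(plain) >= 0:
                    return key, plain
                break  # periodic but no PE appeared; try the next offset
    return None


def undo_add_or_rotate(blob):
    """Brute force the tiny key spaces of ADD/SUB (255 keys) and ROR/ROL (7 shifts).
    Subtracting k undoes ADD k and SUB 256-k; rotating left n undoes ROR n and ROL 8-n."""
    for k in range(1, 256):
        plain = bytes((b - k) & 0xFF for b in blob)
        if pe_offset(plain) >= 0:
            return ("add", k), plain
    for n in range(1, 8):
        plain = bytes(rol8(b, n) for b in blob)
        if pe_offset(plain) >= 0:
            return ("ror", n), plain
    return None


def find_hidden_pe(blob):
    """Return {"scheme", "key", "offset", "payload"} for the first decoding that
    exposes a PE, or None. "payload" is the decoded bytes from the MZ header on."""
    hit = undo_xor(blob)
    if hit:
        key, plain = hit
        scheme = "plain" if key == b"\x00" else "xor"   # all-zero key means unencoded
        off = pe_offset(plain)
        return {"scheme": scheme, "key": key, "offset": off, "payload": plain[off:]}
    hit = undo_add_or_rotate(blob)
    if hit:
        (scheme, key), plain = hit
        off = pe_offset(plain)
        return {"scheme": scheme, "key": key, "offset": off, "payload": plain[off:]}
    return None


# --- constructed sample data (a stand-in "executable", not real malware) --------
FAKE_PE = (MZ_MAGIC + b"\x90" * 62
           + b"\x0e\x1f\xba\x0e\x00\xb4\x09\xcd\x21\xb8\x01\x4c\xcd\x21"
           + DOS_STUB + b".\r\r\n$" + b"\x00" * 40)
COVER = b"Beijing 2008 Torch Relay schedule\x00"   # innocuous bytes before the payload


def xor_encode(data, key):
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


SAMPLE_XOR = COVER + xor_encode(FAKE_PE, b"\x5a\xa7\x13")        # 3-byte XOR key
SAMPLE_ADD = COVER + bytes((b + 0x2c) & 0xFF for b in FAKE_PE)  # ADD 0x2c
SAMPLE_ROR = COVER + bytes(rol8(b, 5) for b in FAKE_PE)         # ROR 3 (== ROL 5)

if __name__ == "__main__":
    for name, blob in (("xor", SAMPLE_XOR), ("add", SAMPLE_ADD), ("ror", SAMPLE_ROR)):
        hit = find_hidden_pe(blob)
        print(name, hit["scheme"], hit["key"], hit["offset"], hit["payload"] == FAKE_PE)
```

The recovered XOR key comes out rotated relative to the one the encoder used, because the payload does not start at offset 0 of the attachment; the decoded payload is identical either way. A multi-byte ADD or a chained encoding would need the same known-plaintext trick applied to the arithmetic, which is left out here.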

Aug 20

Today, I’m in south Florida, where the Sun Sentinel is the local paper. They reprinted an article by Etan Horowitz (no relation), Set up a home wireless network, that originally appeared last month in the Orlando Sentinel.

(Credit: Belkin)

The article contains a number of technical inaccuracies, which I’ll discuss below, as well as some important omissions. The hardest part of technology may very well be learning what advice to trust.

I have, in the past, been critical of computer articles in the newspapers I regularly read, the Wall Street Journal and the New York Times. Often I’ve warned that you don’t read PC Magazine for mutual fund advice and you shouldn’t read the Wall Street Journal for computer advice. Yet the reporters at these newspapers are significantly more technically qualified than those at the Orlando Sentinel.

The article says “Most new laptop and desktop computers have built-in wireless networking…” New desktop computers with built-in wireless networking? Not the ones I’ve seen.

It warns that “…if you are using an old computer you may have to buy a wireless network adapter.” True enough, but they come in multiple form factors (PC Card, ExpressCard, PCI and USB), an important point that is not mentioned.

It says that “..a printer may … require a wireless networking adapter.”

Networking a printer that does not do networking on its own requires a print server. As far as I know, there is no such thing as a wireless networking adapter for a printer. And the print server does not need wireless networking at all; a wired/Ethernet print server can connect to a router and make any printer available to a WiFi-based laptop computer.

As for the initial router configuration, the article says “… follow the instructions that came with your router and use the installation CD. If you have a desktop computer that will always be in the same room as your modem or router, run the CD on that computer. Otherwise run the CD on your newest computer.”

Newest computer? I can’t even guess where this came from. Initial router configuration should be done using an Ethernet connection, and any computer that can read CDs and has an Ethernet port will do.

Ethernet came up again in the discussion of adding a password to a WiFi network that doesn’t have one. The article says “If you aren’t prompted to do this while setting up your network, you’ll need to connect a computer to your router via an Ethernet cable …”

Ethernet is not required. You can connect to the router using the wireless network and make changes to the router this way, including adding or changing the password for the WiFi network. Most likely, after adding/changing the password, the router will restart itself and you’ll have to connect to the wireless network again, using the new password.

Connecting directly to the router requires knowing its IP address. If you don’t know it, the article suggests a Google search for the default IP address used by the manufacturer of the router. This is not the best approach. For one, default IP addresses may change over time. For another, your router may not be using the factory default IP address. Your computer always knows the IP address of the router; any computer running TCP/IP knows this. In Windows, open a command prompt and type “ipconfig”. The IP address of your router is referred to in the output as the “Default Gateway”.

The Sun Sentinel version of the story says nothing about choosing WEP, WPA or WPA2 when configuring a new network. It turns out the Sun Sentinel removed this sentence from the original story: “There are several levels of security you can add to your network, but one of the most basic is to choose a security setting such as “WEP” or “WPA” and generate network keys. If possible, use WPA.”

Even with this sentence, however, WPA is not at all secure if you choose a short password or use a word in the dictionary. When it comes to WPA, you should think in terms of a pass sentence rather than a password. The recommendation is to use at least a 20-character password. Steve Gibson offers great 64-character passwords.

The instructions for connecting to an existing wireless network are not the most useful. Quoting: “On Windows computers, look in the Control Panel to enable wireless connectivity and search for available networks.”

Before attempting to connect to a wireless network, the article warns that “you’ll have to make sure that the computer’s wireless connection is turned on or that your adapter has been installed and set up.”

First of all, that’s an “and” not an “or”. If either of those conditions is not met, the computer won’t connect to any wireless network. And just what was meant by a wireless network connection being turned on? It could refer to the switch on the outside of the laptop computer that controls the wireless radio. It might refer to the definition of the wireless network being enabled rather than disabled. It might refer to a host of things.

If you get as far as trying to connect to a wireless network, the article says “You will be asked to choose the type of security setting (WEP, WPA etc) and enter the network key.” Windows XP users who let Windows control the WiFi connection are not asked to choose the type of security. Windows is smart enough to figure out the type of security being used all by itself. And an article targeted at a general audience has to point out that “network key” means “WiFi password”.

Omissions

The article left out a number of important issues.

The article doesn’t mention changing the default password for the router itself. This has nothing to do with the WiFi network; instead it controls all access to the router for the purpose of making configuration changes. I blogged about this in March, see Defending your router, and your identity, with a password change.

Many people share a single broadband Internet connection but don’t need to share files between their computers. If that’s the case for you, you’re much better off turning off File and Printer Sharing in the definition of the wireless network and/or the wired network connection.

Finally, the article didn’t even include the word firewall. Discussing wireless networking without mentioning firewalls borders on malpractice.

If you are in south Florida, you may want to complain to the newspapers. Otherwise, you’ll get more of the same.

Note: One of the earliest postings I wrote on this blog, back in July 2007, was about steps to take in preparation for networking failures. See The blinking lights on a router are talking to you.

See a summary of all my Defensive Computing postings.
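An added example, not code from this column, for the point about finding the router’s address: read the “Default Gateway” that ipconfig reports (or the default route on Linux and macOS) instead of guessing a factory default. The ipconfig and route outputs below are constructed samples, and the parsers assume the English-language output format; a localized Windows labels the field differently.

```python
# Added example, not code from the column: find the router's address the way
# the column says to, from the "Default Gateway" that ipconfig reports on
# Windows (or the default route on Linux/macOS), rather than guessing a factory
# default. The ipconfig and route outputs below are constructed samples; the
# parsers assume English-language output.
import re
import subprocess
import sys

# ipconfig prints "Label . . . . : value"; adapter headers are unindented and end in ":".
FIELD = re.compile(r"^\s*(?P<label>[A-Za-z][^:]*?)\s*(?:\.\s*)+:\s*(?P<value>.*)$")
ADAPTER = re.compile(r"^\S.*:\s*$")
DOTTED_QUAD = re.compile(r"^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$")


def is_ipv4(text):
    """True for a well-formed, non-zero IPv4 address such as 192.168.1.1."""
    m = DOTTED_QUAD.match(text)
    return bool(m) and all(int(o) <= 255 for o in m.groups()) and text != "0.0.0.0"


def parse_ipconfig_gateway(text):
    """First IPv4 default gateway in `ipconfig` output, or None.
    Copes with adapters that have no gateway (e.g. "Media disconnected") and with
    Vista-style output that lists an IPv6 link-local gateway first and puts the
    IPv4 gateway on an indented continuation line."""
    in_gateway = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or ADAPTER.match(raw):
            in_gateway = False          # blank line or new adapter section
            continue
        field = FIELD.match(raw)
        if field:
            in_gateway = field.group("label").strip() == "Default Gateway"
            value = field.group("value").strip()
        elif in_gateway:
            value = line                # continuation line holding only an address
        else:
            continue
        if in_gateway and is_ipv4(value):
            return value
    return None


def parse_route_gateway(text):
    """Gateway from `ip route show default` (Linux) or `route -n get default` (macOS/BSD)."""
    for line in text.splitlines():
        words = line.split()
        if len(words) >= 3 and words[:2] == ["default", "via"] and is_ipv4(words[2]):
            return words[2]
        if len(words) == 2 and words[0] == "gateway:" and is_ipv4(words[1]):
            return words[1]
    return None


def find_router():
    """Run this platform's command and return the router's IPv4 address, or None."""
    if sys.platform.startswith("win"):
        cmd, parser = ["ipconfig"], parse_ipconfig_gateway
    elif sys.platform == "darwin":
        cmd, parser = ["route", "-n", "get", "default"], parse_route_gateway
    else:
        cmd, parser = ["ip", "route", "show", "default"], parse_route_gateway
    try:
        out = subprocess.run(cmd, capture_output=True, text=True, check=False).stdout
    except FileNotFoundError:           # tool not installed on this system
        return None
    return parser(out)


# Constructed sample of Vista/Windows 7-style ipconfig output (addresses invented).
SAMPLE_IPCONFIG = """\
Windows IP Configuration

Ethernet adapter Local Area Connection:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :

Wireless LAN adapter Wireless Network Connection:

   Connection-specific DNS Suffix  . : home
   Link-local IPv6 Address . . . . . : fe80::2c8a:1e6b:3d0c:5a01%12
   IPv4 Address. . . . . . . . . . . : 192.168.1.23
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : fe80::1%12
                                       192.168.1.1
   DHCP Server . . . . . . . . . . . : 192.168.1.1
"""

if __name__ == "__main__":
    gw = parse_ipconfig_gateway(SAMPLE_IPCONFIG)
    print("router admin page for the sample output:", f"http://{gw}/")
    print("this machine's router:", find_router())
```

The address it returns is where the router’s configuration pages live, so it is also the address you would type into a browser to change the router’s own password.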
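An added example, not code from this column or from Steve Gibson’s site, for the WPA passphrase point. WPA and WPA2 Personal derive the 256-bit pairwise master key from the passphrase with PBKDF2-HMAC-SHA1, salted with the network name and iterated 4096 times, so anyone who records a connection handshake can test passphrase guesses offline at leisure; a short passphrase or a dictionary word therefore falls quickly no matter how good the cipher is. The functions below derive that key, grade a passphrase against the column’s advice, generate a long random one, and run a toy dictionary attack. The word list, network name and passphrases are constructed for the demo.

```python
# Added example, not code from the column or from Steve Gibson's site: why the
# column's advice on WPA passphrases matters. The key is PBKDF2-HMAC-SHA1 over
# the passphrase, salted with the SSID, 4096 iterations; an attacker with a
# recorded handshake can try guesses offline. Word list, SSID and passphrases
# below are constructed for the demo.
import hashlib
import secrets
import string

# Constructed stand-in for the word lists attackers actually use.
WORDLIST = {"password", "letmein", "linksys", "netgear", "wireless", "internet", "sunshine"}


def wpa_pmk(passphrase, ssid):
    """Pairwise master key as specified for WPA-PSK / WPA2-PSK."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def passphrase_problems(passphrase, wordlist=WORDLIST):
    """Reasons a passphrase fails the column's advice (20+ characters, no dictionary
    word); an empty list means it passes. Trailing digits or punctuation do not
    rescue a dictionary word, since guessers append those automatically."""
    problems = []
    if not 8 <= len(passphrase) <= 63:
        problems.append("WPA passphrases must be 8 to 63 ASCII characters")
    elif len(passphrase) < 20:
        problems.append(f"only {len(passphrase)} characters; use at least 20")
    core = passphrase.lower().rstrip(string.digits + string.punctuation)
    if core in wordlist:
        problems.append("based on a dictionary word")
    return problems


def generate_passphrase(length=63):
    """Random passphrase from the full printable set, the kind of thing the column
    points readers to; 63 characters is the longest WPA passphrase allowed."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    return "".join(secrets.choice(alphabet) for _ in range(length))


def dictionary_attack(target_pmk, ssid, wordlist=WORDLIST, max_suffix=99):
    """Offline attack against a recorded key: try each word with an optional
    numeric suffix. Each guess costs one PBKDF2 derivation, nothing more, which
    is why the passphrase and not the cipher decides whether WPA holds up."""
    suffixes = [""] + [str(n) for n in range(max_suffix + 1)]
    for word in sorted(wordlist):
        for suffix in suffixes:
            guess = word + suffix
            if 8 <= len(guess) <= 63 and wpa_pmk(guess, ssid) == target_pmk:
                return guess
    return None


if __name__ == "__main__":
    ssid = "home-wifi"                           # constructed network name
    weak = "linksys42"
    print(weak, "->", passphrase_problems(weak))
    print("recovered from the derived key:", dictionary_attack(wpa_pmk(weak, ssid), ssid))
    strong = generate_passphrase()
    print(strong, "->", passphrase_problems(strong) or "passes")
```

The derivation is checked against the published WPA test vector (passphrase “password”, SSID “IEEE”), so the same routine an access point runs is the one the attack loop runs; the only thing separating the weak and strong cases is how many guesses the passphrase forces.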

Aug 20

Flypaper, formerly FreshBrew, creates cool Flash presentations without requiring the user to actually know Flash.

Flypaper lets you make professional-quality presentations from ordinary events.

The presentations are based on templates into which users put their own data, including audio and video if the template supports it. The authoring application is a clunky downloaded application, which is weird for a glitzy Flash content company, but it does give you more drag-and-drop capability than you would probably get with a pure Flash authoring application.

Still, the output we saw here was good. The “stories” that Flypaper makes look like professional Flash presentations. Whether you actually want your vacation photos or resumes in a Flash application is a question only you can answer.

See also Vuvox, which I saw at Demo 2007.

GoldMail took the stage right after Flypaper. It’s oriented a bit more toward setting up linear presentations, which I think makes more sense. I covered GoldMail in November. At Demo 2008, the company is launching its business version, which adds custom branding, tracking, and a direct-response feature.

Aug 20

Shuttle is at it again with its oh-so-adorable and affordable mini desktops. Late Tuesday night, the KPC 4800 popped up on the company’s Web site.

(Credit: Shuttle)

It’s similar to the original KPC, the $199 4500, which was introduced at CES earlier this year. The main difference is that the 4800 has an optical drive and dual-monitor support. Also, your color choice this time is, well, there really isn’t one. So far, only black is available on Shuttle’s site.

Rear view of the KPC 4800. (Credit: Shuttle)

It runs Foresight Linux, but has an option to upgrade to 32-bit Windows Vista. The Linux version starts at $279; the Vista machine at $479. Monitor, speakers, keyboard, mouse, and other necessary computing accoutrements are sold separately.

Last week my esteemed colleague Rich Brown made an excellent case for why buying a cheap desktop isn’t necessarily the most practical choice for the average PC buyer. First, they’re not that much cheaper than what Hewlett-Packard, Dell, and Acer are offering in traditional, more robust desktop systems. And second, “While the Mac Minis and Eee Boxes of the world have visual appeal by themselves, customers still have to figure out how to use them, and their aesthetic and space-saving benefits can vanish once you connect them to a display, and a mouse and keyboard.”

But the Shuttle KPC is just so dang cute. Even more so, I daresay, than Dell’s mini desktop offering announced earlier this week, the Studio Hybrid, which starts at $499 with Vista.

But looks aren’t everything. It’s hard to tell just how big a demand there is for this class of desktop. Is this something you’d be interested in? Let us know in the comments.

Aug 20

A former Chinese university professor who was dismissed after he founded a democratic opposition party plans to sue Yahoo and Google in the United States for blocking his name from search results in China.

Guo Quan, an expert on classical Chinese literature and on the 1937 Nanjing massacre of Chinese civilians by Japanese troops, last week issued an open letter pledging to bring a lawsuit against Google after he discovered that his name had been excised from searches of its Google.cn portal in China.

From The Times of London:

He told The Times that he had now found that the Chinese Yahoo site had also blocked his name and that he planned to bring actions against both companies. “Since January 1, a lot of friends told me that Web sites with my name had been closed. They told me it’s impossible to search for my information on Google and Yahoo.”

I won’t pretend to be a lawyer, but it seems unlikely that Guo will be successful. He acknowledges that there’s no chance in Chinese court, but it would be interesting if he succeeds in bringing a suit against the companies in U.S. court.

See The Times’ full article, “Dissident Chinese professor to sue Yahoo! and Google for erasing his name.” Hat tip goes to Techdirt.

Aug 20

Samsung Jitterbug Dial is affected by a recall. (Credit: CNET.com)

Samsung has just issued a recall for all Jitterbug phones sold after March 1, 2008. The Jitterbug phones, as you might recall, are simple clamshells designed for seniors, mostly for emergency purposes. Apparently some of the affected phones can sometimes fail to connect to 911 services when outside of a defined calling area, which is definitely a problem for a phone designed to assist the elderly in case of emergencies. Both models of the Jitterbug, the Jitterbug Dial and the Jitterbug OneTouch, are affected by the voluntary recall.

Jitterbug has said that this does not affect basic cell phone service, and its 160,000 or so customers can still make and answer calls, as well as reach 911, as long as they have a cell signal. The software problem happens only when the phones are roaming outside their service areas. Still, we would definitely encourage you to either visit a designated Samsung service center or send the phone directly to Samsung for a software upgrade.

Customers who are affected by the recall will receive a letter in the mail as well as a prepaid envelope to send the phone back. Samsung promises to return the phone in about a week.

(Via Phone Scoop)

Aug 20

This week, Microsoft let more Zune HD details out of the bag. The black 16GB version of the upcoming touch-screen media player will sell for $219.99, while a 32GB version in a “platinum” shade will cost $289.99.

(Credit: Microsoft)

Among the device’s features are its OLED (organic light-emitting diode) display and multitouch Web browser. It will be able to send 720p video to an HDTV (using a dock, sold separately).

So now that you know what to expect when the Zune HD shows up in September, what are your thoughts? Vote in our poll.

CNET News Poll: Gotta have it?
What are your thoughts on the upcoming Zune HD?

Want!
Waiting for revamped iPods
Have no need for it
Taking a wait-and-see approach
I’ll stick with my ‘82 Walkman

Aug 20

commentary

Perhaps it was just a stunt to drive traffic (it’s working!), but I enjoyed Valleywag’s collection of the “10 most terrible tyrants of tech.” It’s perhaps telling that some of the industry’s top companies (Microsoft, Apple, Salesforce.com) are headed by some of the most difficult people with whom to work:

Here’s to the screaming ones. The chair-throwers. The death-threat makers. The imperious gazers. The ones who see things differently — and will stare you down until you do, too….[T]hey have no respect for conversational decibel levels. You can cower before them, hide from them, quote them behind their backs, or vilify them. About the only thing you can’t do is ignore them. Because they’re so damn loud.

That’s the description. Here’s the list. You’ll need to visit Valleywag, however, to find out just how abrasive these people can be:

Apple CEO Steve Jobs
RealNetworks CEO Rob Glaser
Salesforce.com CEO Marc Benioff
VMware cofounder Diane Greene
Ex-Jobster CEO Jason Goldberg
Microsoft chairman Bill Gates
Ex-AOL sales chief David Colburn
TechCrunch editor Michael Arrington
Google SVP Jonathan Rosenberg
Microsoft CEO Steve Ballmer

Enjoy.
