Pc News

  • Microsoft's Security Efforts Noted

    KUALA LUMPUR, MALAYSIA -- Code Red, Nimda and Blaster. These high-profile worms, which exploited flaws in Microsoft Windows and other applications, made Microsoft the butt of security jokes and forced the company to reexamine its approach to developing secure software.

    "Throughout Microsoft, we thought Windows 2000 was a very solid, reliable operating system, perfect for deployment in the enterprise," said Ian Hellen, a security program manager at Microsoft's Windows Security Engineering Team. "Those tiny pieces of code were real wake-up calls, saying Windows 2000 isn't there yet. It's just not designed to cope with these kinds of threats."

    That was then. With the commercial release of Vista just months away, Microsoft's efforts to improve security are now showing results, though much remains to be done by the company, said security experts attending the Hack In The Box Security Conference (HITB) here this week.

    Recognized Need
    "Microsoft has done a left-hand turn in its business and said, 'Right, we've got to start building secure applications,'" said Mark Curphey, vice president of professional services at McAfee's Foundstone division. "They've implemented a very rigorous process across their organization and now they're starting to see the benefits of that."

    The progress that Microsoft has made can be seen in recent versions of software, such as Microsoft Internet Information Services (IIS) 6, which has had one high-risk vulnerability uncovered, Curphey said.

    "They've done a lot better," said Bruce Schneier, the chief technology officer of Counterpane Internet Security.

    Curphey and others credit Microsoft's Security Development Lifecycle (SDL) software-development process with reducing the number of design and coding errors that lead to security vulnerabilities. "We spent a long time trying to reorganize our whole development process so that all of Microsoft's products, particularly the Windows operating system, is reoriented to have security engineering at its core," Hellen said.

    To some degree, Windows XP Service Pack 2 and Windows Server 2003 demonstrate how SDL has helped Microsoft improve the security of its products. "But it's really only in Windows Vista that we've been able to implement this in a comprehensive way," Hellen said, adding there is room for further improvement.

    Vista Still Needs Help
    One security improvement that has yet to be made to Windows Vista is a defense against Blue Pill, a prototype technology that uses hardware virtualization to install undetectable malware on a computer running the OS.

    Blue Pill, developed by Polish researcher Joanna Rutkowska, was first demonstrated using the second beta release of Vista. However, the latest pre-production release of Vista, called RC1, does not include defenses against Blue Pill, Rutkowska said, adding she was "surprised" by the omission.

    Blue Pill does not exploit any bugs in Vista, but Rutkowska recommended Microsoft disable paging of kernel memory in Vista, which would prevent Blue Pill from accessing the operating-system kernel and executing code. In response, Microsoft executives attending HITB said the company continues work on improving security in Vista, while making no specific promise that changes will be made to prevent Blue Pill attacks in the production version of Vista.

    Microsoft gets credit for improving the overall security of its products, but more can be done. However, users must first decide if the company's progress in this area is sufficient. "If we think it's enough, we're done. If we don't, then we have to do more," Schneier said. "They're going to fix the problem to the limit of their economic losses."

    One option is to make vendors like Microsoft liable for the economic risks of the security vulnerabilities that users face--something that is unlikely to happen given the current political environment, Schneier said. "If we want more security, we have to raise the cost of not having it," he said.

    • Sony Shows PSP Add-Ons

      CHIBA, JAPAN -- Amid the furor over next-generation gaming consoles--notably the PlayStation 3 from Sony Computer Entertainment (SCEI) and Nintendo's Wii--there's still energy for excitement about the less-pervasive handheld games consoles.

      SCEI's PlayStation Portable (PSP) in particular has had its share of bad press recently when the company projected lower sales this year, the PSP's second full year on the market. One thing that may help arrest that decline, however, is the belated arrival of two peripherals for the PSP that have been long-awaited by many handheld owners.

      Both were on show Friday at the Tokyo Game Show here, east of Tokyo.

      Camera, GPS Add-Ons
      The first, a $43 digital camera add-on called "Chotto Shotto" (Quick Snap), is due to go on sale on November 2 in Japan. The 1.31-megapixel swiveling camera is housed in a shiny chrome case that attaches to the mini USB slot at the top of the PSP. While no games exist that make use of the camera yet, the supplied software allows users to take shots of themselves or others and add simple graphics.

      The second accessory is a $51 GPS receiver that works in conjunction with four software titles initially--a golf-course guide and shot advisor, a car-navigation package, a star-gazing application and a new version of Metal Gear Solid. The GPS unit also connects via the PSP's USB port and will go on sale in Japan on December 7. Overseas prices and availability have yet to be announced.

      • Three Minutes: BitTorrent Founder Navin Talks DRM

        Ashwin Navin, co-founder and president of file-sharing software developer BitTorrent, thinks that advertising-supported content will win out over digital rights management (DRM) in the long run for movie and TV show downloads. But his company is embracing DRM as it opens a new movie download Web site that will compete with the Unbox store launched by Amazon.com and Apple Computer's iTunes Store. In an interview with the IDG News Service, he presented BitTorrent's views on DRM and its online movie store plan.

        IDGNS: What's your view on DRM and how it will impact the movie download business?

        Navin: The bottom line is that DRM is bad for the content provider and it's bad for the consumer, and the reason it's being used today is because we're in the very early stages of a new product cycle for the entertainment industry and they want to walk before they run.

        I think the future will not be marked by digital rights management. It will be marked by advertising-supported content that's clear of DRM, because the content publisher wants it to be as widely distributed as possible and consumed over as many platforms as possible. And we hope to be part of that evolution, and to drive that evolution wherever we can.

        IDGNS: How is DRM bad for content providers?

        Navin: The reason it's bad for content providers is because typically a DRM ties a user to one hardware platform, so if I buy all my music on iTunes, I can't take that content to another hardware environment or another operating platform. There are a certain number of consumers who will be turned off by that, especially people who fear that they may invest in a lot of purchases on one platform today and be frustrated later when they try to switch to another platform, and be turned off with the whole experience. Or some users might not invest in any new content today because they're not sure if they want to have an iPod for the rest of their life.

        IDGNS: When do you plan to launch BitTorrent's online movie store?

        Navin: We'll launch country by country. We'll launch in the U.S. this year. We've publicly announced that we're in trials with the largest cable company in the U.K., NTL Group cable service, but it's not likely we'll launch there this year.

        IDGNS: How will BitTorrent's download site be different from others?

        Navin: With the launches from Amazon and Apple, we realize we have to do something that's interesting and set ourselves apart, so one thing we're doing is leveraging BitTorrent delivery to get people their content faster, particularly for files that are popular. And we want to aggregate content that no one else is aggregating as well.

        We haven't made any announcements yet, but we've aggregated Chinese language films, we've aggregated Indian language films and other--to us in the U.S.--foreign language films, to pull together a community at BitTorrent that is really depending on us for delivering content that's not easily available, stuff that's not at Wal-Mart and all the other retail locations.

        IDGNS: What else will BitTorrent do to make its movie store attractive?

        Navin: We're also working with hardware makers to embed our technology into their hardware and then hook it into a service that people can use to get content. I'm in Taiwan to talk about partnerships with hardware makers.

        Asus made an announcement on a hardware device that supports BitTorrent, a non-PC platform device made for downloads, and we expect to have many more similar arrangements with hardware companies in Taiwan and elsewhere. Hardware that supports BitTorrent protocol, obviously, can hook into our service, and people who consume it can tap into it even away from their PC.

        IDGNS: Is the fear of illegal file-sharing a threat to your business?

        Navin: It depends on what the economic model is for the legitimate service. If the legitimate service is reasonably priced, if the content is good, it's been encoded properly, it's predictable in its results. As a BitTorrent user, I'm sure you know that if you're not on a well-seeded Torrent, your download speeds aren't going to be that great. You could be waiting for days for your download to complete. In a commercial environment, you can take what's great about BitTorrent, the efficiency, and combine it with a predictable user experience, make sure everything is properly seeded, make sure the peers you're talking to are close by in the network.

        Everybody expects content to be delivered over the Internet, it's just that we're still in the very early days today. There's a lot that needs to take place in terms of creating the environment that makes people comfortable opening their pocket books and paying for a service they find valuable. We're doing everything we can to make the service compelling, and right now it's all about getting the content providers and the hardware companies to converge over the platform that we're building. I think we're going to be extremely successful.

        • Microsoft Outlook 2003 Vulnerable to Critical IE Bug

          A critical bug in the Internet Explorer (IE) browser also affects users of the Outlook 2003 e-mail client, making it much more serious than previously thought.

          The vulnerability can be triggered when IE or Outlook 2003 processes Web-based graphics code written in the Vector Markup Language (VML). It was first reported Monday by researchers at Sunbelt Software.

          Sunbelt posted a workaround for the vulnerability.

          Attackers have not yet begun exploiting the e-mail attack, but a handful of Web sites now serve the code, and hackers have publicly posted software that exploits the vulnerability.

          Only IE Thought Affected At First
          Initially, researchers thought that only Internet Explorer was vulnerable to attacks that exploited this flaw, but Sunbelt has now concluded that Outlook 2003 users are also at risk.

          That's because researchers have discovered a way to execute malicious code without using scripting code, which would normally be blocked by Outlook. By embedding a machine-language "shellcode" program in the VML tags, researchers have been able to run unauthorized software on systems running the latest version of Outlook 2003.

          This has raised concerns because it means that some victims could have their PCs compromised with little or no user action.

          Easier to Target Victims with Outlook
          To attack Internet Explorer, criminals would first need to trick users into visiting a malicious Web site. But with an Outlook attack, it becomes much easier to target a victim.

          "All you have to do is send an HTML e-mail, and the user is hosed," said Eric Sites, Sunbelt's vice president of research and development.

          Microsoft plans to patch the VML problem as part of its next set of security patches, due Oct. 10, but Sites believes that hackers may force the software vendor to rush out an early fix. "I think it will get bad enough that they will have to," he said.

          Researchers at VeriSign's iDefense unit have also confirmed that some configurations of Outlook will launch the code with no user action, said Ken Dunham, the director of the iDefense Rapid Response Team.

          Users who have Outlook's Reading Pane enabled to read messages in HTML are particularly vulnerable to this attack, Dunham said.

          Microsoft advises users who want to protect themselves to set Outlook to read e-mail messages in plain text format. The Microsoft advisory describes the problem in greater detail.

          According to one researcher, Outlook 2003 should not be rendering VML code automatically, but the product appears to be vulnerable due to a second bug in Microsoft's software. "Some versions of Outlook will render VML despite the fact that they shouldn't," said Russ Cooper, a senior information security analyst with Cybertrust. "We should be raking Microsoft over the coals for this."

          Sites agreed that "there seems to be a bug in the latest version of Outlook."

          Microsoft executives were not immediately available to comment for this story.

          • First Look: Apple's New and Improved 80GB iPod

            Refinement: That's what you get out of Apple's latest iPod. For this latest generation of players, Apple hasn't made any huge changes, but it has introduced a brighter screen and an extra 20GB of capacity on the high-end model. I tested the 80GB model (priced at $349) and found a music and occasional video player that's just about as good as it can get.

            The 80GB model is the flagship of the revamped iPod line that Apple announced on September 12. Other new models are an enhanced 30GB hard-drive player at $249; new 2GB ($149, silver only), 4GB ($199), and 8GB ($249, black only) iPod Nanos in colorful iPod Mini-style aluminum cases; and a super-tiny new 1GB iPod Shuffle at $79.

            Movies debut as well in the iTunes store built into iTunes 7, along with features such as automatic downloads of cover art, and a "cover flow" view of the iTunes library that lets you flip through albums as if you were examining a rack of CDs.

            For music playback, not much has changed. The iPod remains an excellent MP3 player, and its sound quality continues to rank with the best around. The latest version adds gapless playback, eliminating the pauses between tracks on an album, and thereby permitting a smoother listening experience. In our lab tests, the iPod earned very good scores for audio quality, comparable to those received by Creative's Zen VisionM and Toshiba's Gigabeat S. I did notice a slight hiss when listening to the iPod through a pair of high-end Shure E500 PTH headphones, however.

            Apple's familiar ClickWheel lets you navigate your music library with ease, scrolling through individual items and then through letters of the alphabet as you accelerate. A new search feature lets you scroll to select a few letters in order to pick out a song, artist, or album. With 80GB of storage on board--20GB more than most competitors (and the previous high-end iPod) muster--such features are welcome.

            On Display
            Apple claims that the 2.5-inch 320-by-240-pixel screen on the new iPods is 60 percent brighter than the screen that previous models used--and the new display does look great, on a par with the excellent screen on the Creative Zen VisionM. Videos were very watchable on the display, and they're easier to get. The new iTunes 7 features a movie store with an impressive array of releases available for $10 apiece, complementing its growing library of TV episodes. Most full-length features ran about 1.5GB. The title I tested (Pirates of the Caribbean: The Curse of the Black Pearl) looked very crisp for a 320-pixel production.

            Games make an appearance on the iPod as well, with nine titles--including Tetris, Pac-Man, and Bejeweled--available from the iTunes store for $5 each. Happy as ever to find yet another device to play Tetris on, I downloaded a copy and had a blast learning to line up blocks using the Click Wheel.

            Unfortunately, iTunes 7 was battling its fair share of problems at press time. I experienced occasional crashes on both a PC and a Mac, and also was disappointed by the new album art search feature, which often failed to find art for releases that had valid links back to the iTunes store. That and the small but noticeable hiss I picked up were the new iPod's only blemishes.

            • New Security Group Patches Latest IE Flaw

              Microsoft may be waiting until next month to patch a nasty bug in Outlook and Internet Explorer, but security researchers are offering users a more immediate option.

              A loose affiliation of security researchers going by the name of ZERT (Zeroday Emergency Response Team) has released a patch for the VML (Vector Markup Language) vulnerability, which increasingly is being exploited by criminals in malware attacks.

              Microsoft is scheduled to fix the bug on October 10, the date it has set to release its monthly batch of security updates, but the company is under increasing pressure to release an earlier, "out-of-cycle" patch. The SANS Internet Storm Center today raised its alert level from green to yellow, an indication that attacks are becoming more widespread.

              Microsoft's Solutions
              Microsoft has suggested a number of workarounds to the problem, and the software vendor does not recommend that users install the new ZERT patch.

              "We think it's great that there are people out there working to help protect our customers. But as we've always said, we cannot endorse third party updates," wrote Microsoft Security Response Center operations manager Scott Deacon in a blog posting today.

              Microsoft rigorously tests its patches to try to cut off any problems that the new software might introduce. The ZERT patch has not been widely tested and could introduce new problems when installed, security experts warn.

              ZERT's Actions
              ZERT plans to continue to release its own patches when particularly critical unpatched flaws begin to pose a "serious risk to the public, the infrastructure of the Internet or both," the group claims in a manifesto, published on its Web site.

              "The purpose of ZERT is not to 'crack' products, but rather to 'uncrack' them by averting security vulnerabilities in them before they can be widely exploited," the group says.

              ZERT sprang out of discussions on e-mail lists set up a few years ago by security researcher Gadi Evron, said ZERT member Randy Abrams, director of technical education with Eset in San Diego.

              "Microsoft wants to assign a monthly patch and we understand that," said ZERT member Roger Thompson, who is chief technology officer with Atlanta's Exploit Prevention Labs. "There's a certain benefit of staying on the monthly patch, but when things start to pop, as we think this VML thing is, there's a need to do something."

              The group's formation was spurred by Microsoft's WMF (Windows Metafile) vulnerability, which emerged in late 2005. Tens of thousands of Microsoft users downloaded third-party patches to fix that bug and Microsoft was eventually forced to release an out-of-cycle patch to address the problem.

              "This has been the first real vulnerability [since then] that the members have felt can be patched fairly quickly," Abrams said.

              Microsoft clearly does not want its users to get into the habit of installing third-party security patches, so if the ZERT software is widely downloaded, Microsoft may move more quickly with its own VML patch, Abrams said.

              • First Impressions of Sony's PlayStation 3

                CHIBA, JAPAN -- Although Sony's PlayStation 3 has already been shown in prototype form at various trade events for more than a year now, most sightings have been of development kits only. We finally got a look at the console in action at the Tokyo Game Show today.

                In Sony's own booth, about a dozen home-spun games were playable, with several more on display for eye-candy value alone. The standout titles drawing most attention from the huge first-day crowds of journalists, exhibitors, and assorted hangers-on were "Gran Turismo HD"--a racing game being demoed in mock-ups of sports-car cockpits--and "Minna No Golf 5" (Everybody's Golf 5), a fun golfing game that looked remarkably similar to the versions already available for other platforms.

                The game console is due to go on sale in the U.S. on November 17, but Sony has already announced that it expects to ship far fewer PS3s than originally announced due to component shortages.

                High-Definition Gaming
                Away from the games at the Sony booth, it appears that Sega has the best lineup of PS3 games. The outstanding title there was clearly "Power Smash 3," a tennis game that is presented in full 1080p high-definition resolution, which makes it appear closer to a simulation than a traditional game.

                Hi-def gaming may take some getting used to, however. For example, close-ups of tennis star James Blake's shaven head that were shown between points were more than a little off-putting. Scratch beneath the glossy hi-def surface, though, and actual game play was surprisingly simple and easy to grasp. That caused a traffic jam of players so engaged that they had to be ushered along to keep the line moving and allow someone else a turn.

                Other Sega standards were also out in impressive force. These included "Virtua Fighter 5" and "Sega Golf Club." The former game could hardly fail to impress, with detailed renditions of blizzards of sakura cherry blossoms falling from background trees and realistic-looking Japanese temples. Sega's golf title, on the other hand, looked slightly dated, especially when compared with the Sony golf offering.

                Finally, not all PS3 games on show were complete. One of the most interesting games still on the drawing board, but available to lust over, was previewed under the working title of "Lair" and is surely the first high-definition fire-breathing dragon-riding game for any console.

                List of PS3 Games
                The software title line-up that will be available on November 11 when the PlayStation 3 console launches in Japan became clearer today.

                At least six games are expected to be available on the PlayStation 3's launch day. Two games each will come from Sony and Bandai Namco and a title each from Konami and Sega.

                One game was also given a price: Konami's "Mahjong Fight Club Online" will cost $43.

                Demonstration versions of many of the games are on display at the show, which continues through Sunday.

                PlayStation 3 Games List
                Here are upcoming PlayStation 3 titles, publishers, and genres, grouped by the date they are projected to launch in Japan.

                November 11:
                "Resistance: Fall of Man" (SCEI) / First person shooter
                "Genji: Days of the Blade" (SCEI) / Action
                "Ridge Racer 7" (Namco Bandai) / Racing
                "Mobile Suit Gundam: Target In Sight" (Namco Bandai) / 3D action shooting
                "MahJong Fight Club Online" (Konami) / Mahjong
                "Sega Golf Club featuring Miyazato Family" (Sega) / Golf

                November 2006:
                "Mahjong Taikai IV" (Koei) / Mahjong

                December 2006:
                "Gran Turismo HD" (working title) (SCEI) / Real driving simulator
                "Armored Core 4" (FromSoftware) / High-speed mech-action
                "MotorStorm" (SCEI) / Race
                "Formula One Championship" (working title) (SCEI) / F1 simulator

                2006:
                "Fatal Inertia" (Koei) / Flying combat racing
                "Sonic the Hedgehog" (Sega) / Action adventure
                "Railfan" (Ongakukan) / Variety
                "Need for Speed Carbon" (Electronic Arts) / Street race
                "NBA Live 07" (Electronic Arts) / Basketball
                "Enchant Arm" (FromSoftware) / Role playing game

                Early 2007:
                "Heavenly Sword" (SCEI) / Action adventure
                "The Eye of Judgment" (SCEI) / 3D card battle
                "Virtua Fighter 5" (Sega) / 3D CG battle
                "Ninja Gaiden Sigma" (Tecmo) / Action adventure
                "Monster Kingdom: Unknown Realms" (working title) (SCEI) / Action adventure
                "Lair" (tentative name for Japan) (SCEI) / Flight action adventure
                "Virtua Tennis 3" (Sega) / Tennis
                "Wangan Midnight" (Genki) / Race game

                Midyear 2007:
                "Warhawk" (SCEI) / Flight action adventure
                "Everybody's Golf 5" (working title) (SCEI) / Golf

                Third quarter 2007:
                "Dark Sector" (D3 Publisher) / Combat action

                2007:
                "Afrika" (working title) (SCEI) / no genre given
                "Metal Gear Solid 4: Guns of the Patriots" (Konami Digital Entertainment) / Tactical espionage action

                No date given:
                "Shirokishi Monogatari" (SCEI) / Role-playing game
                "Devil May Cry 4" (Capcom) / Stylish action
                "Final Fantasy XIII" (Square Enix) / Role playing game
                "Bladestorm: The Hundred Years' War" (Koei) / Action
                "Coded Arms: Assault" (Konami Digital Entertainment) / First person shooter
                "fl0w" (working title) (SCEI) / no genre given

                  • Dynamic Duo: Two Wide-Screen LCDs Get the Job Done

                    For general office work, a single monitor is adequate. For some jobs, a dual-monitor configuration, with two monitors side by side, makes more sense. And then there are people whose tasks require the expansive views of wide-screen displays to accommodate large documents or a host of applications.

                    A dual-monitor setup is ideal for tasks best performed when viewing several windows at once, according to Rhoda Alexander, director of monitor research at iSuppli. "Employees in a call center, for example, can have a script on one and a call list on the other," she says. Alexander also notes that a multiple-display setup confers an ergonomic advantage because, among other things, "it minimizes head rotation."

                    Researchers who do transcription or cut-and-paste work can also thrive with dual monitors, though Alexander thinks they benefit from wide-screen formats as well. Having application screens side by side on a panoramic monitor is efficient for "getting data from one field and inputting it in another," she says. Wide-screen monitors, particularly 23-inch and 24-inch models, are popular for computer-aided design work, film production, and animation. Alexander adds that, more and more, employees in these fields receive a secondary, often regular-aspect monitor for their non-core but important business applications, such as e-mail or office programs; the arrangement minimizes the distraction of having to switch between applications.

                    More often than not, however, monitor and desktop setups are dictated by corporate IT budgets and the IT staff's determination of what constitutes a good price/productivity ratio. Alexander thinks this is precisely why 19-inch LCD monitors didn't take off in the corporate market: "IT pros didn't think the increase in price equaled an increase in productivity."

                    The Quest for the Ideal Monitor Setup
                    Fortunately, Jordan Malkin isn't too encumbered by external IT constraints. As the operations manager at MicroStandard, based in Redmond, Washington, his budget and his relations with computer vendors allow him to experiment with different computer configurations.

                    Now perched on Malkin's desk are two 23-inch ViewSonic VP2330wb LCD monitors, which display a variety of computer product information, such as stock levels, sales metrics, and incoming systems. Malkin manages the purchase and sales of these computer components and systems. To do so, he runs various databases and reports to coordinate the complex purchasing and stocking chain on which the company depends. Often he has a spreadsheet on one monitor and a database program displayed on the other. Five staff members on his operations team help him execute plans and react to important data trends he sees on his two screens.

                    One regularly viewed document is a 200-column Excel spreadsheet. Its information allows Malkin to track trends at different stores to which his company supplies computers. Typical monitor setups were too small for him to see the spreadsheet comfortably.

                    Before he settled on his current setup, Malkin tried a 32-inch wide-screen LCD TV, but found the resolution insufficient for his work. (TVs typically have lower resolution than desktop monitors of the same size do.) Malkin then replaced it with a 42-inch TV, "but the resolution was still limited," he says.

                    Finally, he brought in the two 23-inch wide-screen ViewSonic monitors. He finds the bezels thin enough not to distract when they're next to each other. On a typical day, "I might have my stocking spreadsheet [open on one monitor], while programming or running Access on the other." Sometimes, he may have a project that requires spanning both monitors. "On one side is control data," Malkin explains, "while I change the data on the right side."

                    Dream Monitor Setup Equals Undreamed-Of Productivity
                    After a rather cumbersome search, Malkin thinks he has discovered the right solution at last. "I find this arrangement 100 percent satisfactory," he says.

                    Malkin's monitor configuration illustrates Alexander's findings on multiple-display usage. Certain jobs require viewing several applications simultaneously, and the right monitor setup is crucial. Of course, cost will play a part in the decision to move to a wide-screen or dual-display monitor setup. But an increase in productivity may just be the push you (or your IT department) need to take the plunge.



                    • New Security Group Patches Latest IE Flaw

                      Microsoft may be waiting until next month to patch a nasty bug in Outlook and Internet Explorer, but security researchers are offering users a more immediate option.

                      A loose affiliation of security researchers going by the name of ZERT (Zeroday Emergency Response Team) has released a patch for the VML (Vector Markup Language) vulnerability, which increasingly is being exploited by criminals in malware attacks.

                      Microsoft is scheduled to fix the bug on October 10, the date it has set to release its monthly batch of security updates, but the company is under increasing pressure to release an earlier, "out-of-cycle" patch. The SANS Internet Storm Center today raised its alert level from green to yellow, an indication that attacks are becoming more widespread.

                      Microsoft's Solutions
                      Microsoft has suggested a number of workarounds to the problem, and the software vendor does not recommend that users install the new ZERT patch.

                      "We think it's great that there are people out there working to help protect our customers. But as we've always said, we cannot endorse third party updates," wrote Microsoft Security Response center operations manager Scott Deacon in a blog posting today.

                      Microsoft rigorously tests its patches to try to cut off any problems that the new software might introduce. The ZERT patch has not been widely tested and could introduce new problems when installed, security experts warn.

                      ZERT's Actions
                      ZERT plans to continue to release its own patches when particularly critical unpatched flaws begin to pose a "serious risk to the public, the infrastructure of the Internet or both," the group claims in a manifesto, published on its Web site.

                      "The purpose of ZERT is not to 'crack' products, but rather to 'uncrack' them by averting security vulnerabilities in them before they can be widely exploited," the group says.

                      ZERT sprang out of discussions on e-mail lists set up a few years ago by security researcher Gadi Evron, said ZERT member Randy Abrams, director of technical education with Eset in San Diego.

                      "Microsoft wants to assign a monthly patch and we understand that," said ZERT member Roger Thompson, who is chief technology officer with Atlanta's Exploit Prevention Labs. "There's a certain benefit of staying on the monthly patch, but when things start to pop, as we think this VML thing is, there's a need to do something."

                      The group's formation was spurred by Microsoft's WMF (Windows Metafile) vulnerability, which emerged in late 2005. Tens of thousands of Microsoft users downloaded third-party patches to fix that bug and Microsoft was eventually forced to release an out-of-cycle patch to address the problem.

                      "This has been the first real vulnerability [since then] that the members have felt can be patched fairly quickly," Abrams said.

                      Microsoft clearly does not want its users to get into the habit of installing third-party security patches, so if the ZERT software is widely downloaded, Microsoft may move more quickly with its own VML patch, Abrams said.



                      • Microsoft's Security Efforts Noted

                        KUALA LUMPUR, MALAYSIA -- Code Red, Nimda and Blaster. These high-profile worms, which exploited flaws in Microsoft Windows and other applications, made Microsoft the butt of security jokes and forced the company to reexamine its approach to developing secure software.

                        "Throughout Microsoft, we thought Windows 2000 was a very solid, reliable operating system, perfect for deployment in the enterprise," said Ian Hellen, a security program manager at Microsoft's Windows Security Engineering Team. "Those tiny pieces of code were real wake-up calls, saying Windows 2000 isn't there yet. It's just not designed to cope with these kinds of threats."

                        That was then. With the commercial release of Vista just months away, Microsoft's efforts to improve security are now showing results, though much remains to be done by the company, said security experts attending the Hack In The Box Security Conference (HITB) here this week.

                        Recognized Need
                        "Microsoft has done a left-hand turn in its business and said, 'Right, we've got to start building secure applications,'" said Mark Curphey, vice president of professional services at McAfee's Foundstone division. "They've implemented a very rigorous process across their organization and now they're starting to see the benefits of that."

                        The progress that Microsoft has made can be seen in recent versions of software, such as Microsoft Internet Information Services (IIS) 6, which has had one high-risk vulnerability uncovered, Curphey said.

                        "They've done a lot better," said Bruce Schneier, the chief technology officer of Counterpane Internet Security.

                        Curphey and others credit Microsoft's Security Development Lifecycle (SDL) software-development process with reducing the number of design and coding errors that lead to security vulnerabilities. "We spent a long time trying to reorganize our whole development process so that all of Microsoft's products, particularly the Windows operating system, is reoriented to have security engineering at its core," Hellen said.

                        To some degree, Windows XP Service Pack 2 and Windows Server 2003 demonstrate how SDL has helped Microsoft improve the security of its products. "But it's really only in Windows Vista that we've been able to implement this in a comprehensive way," Hellen said, adding there is room for further improvement.

                        Vista Still Needs Help
                        One security improvement that has yet to be made to Windows Vista is a defense against Blue Pill, a prototype technology that uses hardware virtualization to install undetectable malware on a computer running the OS.

                        Blue Pill, developed by Polish researcher Joanna Rutkowska, was first demonstrated using the second beta release of Vista. However, the latest pre-production release of Vista, called RC1, does not include defenses against Blue Pill, Rutkowska said, adding she was "surprised" by the omission.

                        Blue Pill does not exploit any bugs in Vista, but Rutkowska recommended Microsoft disable paging of kernel memory in Vista, which would prevent Blue Pill from accessing the operating-system kernel and executing code. In response, Microsoft executives attending HITB said the company continues work on improving security in Vista, while making no specific promise that changes will be made to prevent Blue Pill attacks in the production version of Vista.

                        Microsoft gets credit for improving the overall security of its products, but more can be done. However, users must first decide if the company's progress in this area is sufficient. "If we think it's enough, we're done. If we don't, then we have to do more," Schneier said. "They're going to fix the problem to the limit of their economic losses."

                        One option is to make vendors like Microsoft liable for the economic risks of the security vulnerabilities that users face--something that is unlikely to happen given the current political environment, Schneier said. "If we want more security, we have to raise the cost of not having it," he said.



                        • Browser Bugs Doubled in 2006, Symantec Says

                          Hackers are hitting pay dirt in their search for browser bugs.

                          According to Symantec's twice-yearly Internet Security Threat Report, hackers found 47 bugs in Mozilla's open-source browsers and 38 bugs in Microsoft Internet Explorer during the first six months of this year. That's up significantly from the 17 Mozilla and 25 IE bugs found in the previous six months.

                          Even Apple's Safari browser saw its bugs double, jumping from six in the last half of 2005 to 12 in the first half of 2006. Opera was the only browser tracked by Symantec that saw the number of vulnerabilities decline, but not by much. Opera bugs dropped from nine to seven during the period.

                          And while Internet Explorer remained the most popular choice of attackers, no one is invulnerable. According to the report, 31 percent of attacks during the period targeted more than one browser, and 20 percent took aim at Mozilla's Firefox.

                          All Browsers Targets
                          "There is no safe browser," said Vincent Weafer, senior director with Symantec Security Response. "If you've got a browser, make sure you're configuring it correctly," he added. "That's a far better strategy than running some browser just because you haven't heard of it."

                          Part of the rise is due to the growing market for vulnerabilities, Weafer said. Legitimate companies such as 3Com's Tipping Point and Verisign's iDefense pay for this information, and there is also a growing black market for exploits. "People are encouraged and getting money for finding vulnerabilities, so now you have more people looking," said Weafer.

                          Browser bugs are also relatively easy to find and exploit, said Marc Maiffret, chief technology officer with eEye Digital Security. "Everyone has realized that targeting the applications on the desktop is a better way to break into businesses and consumers and steal things than server flaws," he said via instant message.

                          Businesses and consumers may both be targets, but home users are the victims in about 86 percent of all attacks, according to Symantec.

                          Fastest Patches
                          And the U.S. is the biggest source of online attacks, thanks to its large number of compromised machines with broadband connections, Weafer said. About 37 percent of all online attacks originate in the U.S., he said.

                          While there may have been more bugs in Mozilla than in IE, Symantec gave the open-source project high marks for its bug-fixing. On average, it patched bugs within one day of their public disclosure--the fastest turn-around of all measured browsers. Opera came in second, averaging two days. Safari was next, with a five-day window, followed by Microsoft, which averaged nine days per patch.

                          Microsoft may lag as a browser patcher, but when it comes to operating systems, the company leads the pack, according to Symantec. The slowest? Sun Microsystems.



                          • Google Will Boost Product Searches

                            Google plans to extend the product search capabilities on its main Google.com Web search engine in the fourth quarter, in time for the holiday shopping season.

                            A Google official shared the news with attendees of the Professional eBay Sellers Alliance (PESA) Summit in San Francisco last week, according to people who were at the conference.

                            Drill Down to Buy
                            When people search for products on Google.com, the system will present them with another search box so that they can refine their query, wrote Bear Stearns & Co. analysts in a note published Friday.

                            After people refine their query, Google will take them to a second page populated with product results from the Google Base listings service, wrote the analysts, who attended the Google official's presentation.

                            "Ranking will be determined by the attributes that the sellers listed for the product as well as by relevancy," the analysts wrote.

                            Currently, Google has no plans to monetize this product-search capability with display ads or listing fees, but that could change, they wrote.

                            The plan also involves de-emphasizing Froogle as a destination Web site and moving its comparison-shopping capabilities to Google.com, because, as the Google official explained, most product searches happen on Google.com, according to the note.

                            Google.com can already detect if someone is looking for real estate to buy, and asks users to refine their queries before delivering listings from Google Base. Thus, the plan outlined at the PESA conference would apparently be a significant extension of this existing feature toward multiple product categories.

                            Boosting Google Base
                            Jonathan Garriss, PESA's executive director, got very excited after learning at the conference of Google's plans.

                            "Anything that improves product search and helps shoppers find what they want is always positive for a merchant like me," said Garriss, CEO of Gotham City Online, an apparel store on eBay that also has its own site.

                            Garriss already feeds product information from his store to Google Base. But after talking to Google officials at the conference, he plans to improve it. "It will make it a smarter search. Google is giving us an opportunity to do that," Garriss said.

                            PESA groups about 600 large eBay sellers that collectively generate more than 70 million eBay transactions and $1 billion in eBay gross merchandise volume annually.

                            Google Base was introduced last November as a service for individuals and organizations to post content to the Google search index, including products for sale.

                            From the beginning, Google said that Base isn't meant as a destination Web site, but more like a database to feed information to Google search sites, like Google.com. To stress this point, Google recently removed the search box from the Google Base site.

                            Silence and Speculation
                            The Bear Stearns analysts didn't immediately reply to requests for comment.

                            A Google spokesperson declined to comment, saying only that Google has integrated content from Google Base, and from other Google products, into Google.com search results for some time.

                            A recent sign that Google was working on its product search was the removal of the link to Froogle on Google.com, said analyst Greg Sterling, of Sterling Market Intelligence.

                            "Everyone was surprised and Froogle's traffic immediately suffered, but Google wouldn't opt out of the shopping search space," Sterling said.

                            Presenting product listings via Google.com is another move by Google to integrate vertical search services on its main search engine, which is by far its most popular site, Sterling said. In addition to real estate listings, Google.com also detects searches for topics like movies and recording artists, and treats them with special results.

                            "Google has a fire hose of traffic through Google.com and less success directing people to other Google domains," Sterling said. "For this reason, Google has always been ambivalent about having different destinations."



                            • Gamers Applaud PlayStation 3

                              CHIBA, JAPAN -- After months of playing the waiting game, serious game fans among the general public finally got their hands on Sony Computer Entertainment's PlayStation 3 (PS3) at the Tokyo Game Show here during the weekend, and initial reactions were all favorable.

                              Titles such as "Resistance: Fall of Man," "Genji: Days of the Blade" and "Ridge Racer 7" will be among the games available at the console's Japan launch on November 11 but there was also considerable interest in some of the software that is on show in an unfinished state. The show was also the first chance for most potential customers to get their hands on a console.

                              Praise for Graphics
                              "Heavenly Sword" from Sony, which is slated for release some time in early 2007, is a swords and sorcery game featuring a heroine on a stereotypically impossible quest. Keen gamer Rei Itoh from Tokyo spent 20 minutes playing the game this morning and was eager to buy both a PS3 and a copy of "Heavenly Quest."

                              "It has such great graphics--the cut-scenes between games are just like movies," she said, adding that the destructible scenery made hacking to pieces furniture--as well as dastardly opponents--a welcome feature.

                              Another would-be PS3 owner, Dan Bourque from Canada, waited in line for a taste of the new first-person-shooter (FPS) "Resistance: Fall of Man."

                              "We shouldn't expect too much from a new console at first, as it's unfair to the developers--they need time to find out what the hardware can do," Bourque said.

                              "A good FPS has to be the benchmark of a console, so I am excited about checking out Resistance," he added. On the sensitive subject of price he said that, although a relative would be buying him a PS3 as a gift, "Six hundred dollars is just way too much--that's a price to make your eyes bleed."

                              New Techniques
                              Bourque also singled out the unusual "flOw," a game featuring simple graphics of wormlike microorganisms moving through water that are controlled using only the PS3 controller's motion sensors, and the off-road racing game "Motor Storm" for praise. "FlOw," he said, was "intuitive and fun but only worth $10," while "Motor Storm" featured "gorgeous physics and was cool but as hard as hell."

                              The motion sensing used in "flOw" is something he hoped to see in more PS3 games in future, but for the meantime he said he would have to get his hit of simple, fun gaming from Nintendo's Wii, which he also intends to purchase if he can "get his hands on one."

                              When asked for her immediate impression of the PlayStation 3, a Japanese gamer who declined to be named remarked "sugoi ***ei," which means "really pretty" in Japanese--a pithy phrase that may well sum up how the next-generation console battle will be fought in the minds of consumers.
