G$earch

The Download Blog: Software tips, news, and opinions from Download.com editors

Posted by Harshad


Chrome dev for Mac earns minor but useful bump

Posted: 14 Jan 2010 02:50 PM PST

An update Thursday to the Google Chrome developer's build for Mac introduces more than just stability fixes. Included in version 4.0.295.0 are the basic beginnings of a bookmark manager and a trackpad gesture that allows users to open the previous and next pages in a new tab using the CMD-three finger swipe. The cookie manager has also been included in this minor update, so the three together amount to some actual feature improvements.

Two other fixes, in addition to the spate of stability improvements, include making the devtools window dockable and fixing stuck hover states on tab close buttons. The Windows and Linux versions of Chrome dev also updated to version 4.0.295.0, although with different changes. The full changelog can be read here.

Way cool: Google Mobile App e-mail search for BlackBerry

Posted: 14 Jan 2010 01:08 PM PST

If you could download only one application for the BlackBerry smartphone, which would you choose? For many people, the single must-have add-on is Google Mobile App. An update Thursday, to version 3.5.48, makes the free download even more useful.

Now, Google Mobile App will search through your phone's e-mail and address book--in addition to the Web--when you type or speak a name into the search bar. What's more, the e-mail address or phone contact appears in the app's search suggestions after you type (denoted by a tiny icon).

Google Mobile App for BlackBerry--Contact search

Now you can search for contacts and e-mail content.

(Credit: Screenshot by Jessica Dolcourt/CNET)

The latest version of Google's mobile app responds to keywords as well as names, with unobtrusive (read: minuscule) icons that match the keyword you entered to the content of your address book records or e-mails. That's in addition to returning a full Web search.

Google Mobile App--BlackBerry

Google Mobile App now also matches keywords to e-mail messages and contacts.

(Credit: Screenshot by Jessica Dolcourt/CNET)

You're able to call one of your contact's numbers or launch an SMS from Google Mobile App.

Google Mobile App on BlackBerry--Contact call

New functionality lets you call a number from Google Mobile App on BlackBerry or send an SMS.

(Credit: Screenshot by Jessica Dolcourt/CNET)

In addition, Google Mobile App contains a quick link for replying to an e-mail, which you can also convert to a forwarded message by going through the menu options.

Google Mobile App for BlackBerry

Reply to a message or forward it along from the app.

(Credit: Screenshot by Jessica Dolcourt/CNET)

Toggling between Web and device search results is made possible by clicking a "breadcrumb" link that appears in the search box.

Not everyone will want to open up Google Mobile App in order to seek out e-mail messages and buddies, but we're impressed on the whole with the phone search feature's quickness and efficiency.

The search feature is similar in objective to fellow Bay Area e-mail search company Xobni's in-production alpha for BlackBerry.

On the whole, the practice of parsing through locally stored content isn't new to smartphones. Palm's WebOS, Apple's iPhone 3.0 operating system, and Google's 2.0 operating system all support universal search across some combination of a smartphone's contact, e-mail, and often calendar, multimedia, and notes applications. As far as we're concerned, this breed of multitasked search is the way forward, and should be implemented into third-party apps, particularly if the smartphone's OS searches only one native app at a time.

BlackBerry users can download Google Mobile App version 3.5 over-the-air by pointing the mobile browser to m.google.com.

New IE hole exploited in attacks on U.S. firms

Posted: 14 Jan 2010 12:37 PM PST

Attackers targeting Google and a host of other U.S. companies recently used software that exploits a new hole in Internet Explorer, Microsoft said Thursday.

"Internet Explorer was one of the vectors" used in the attacks that Google disclosed earlier this week, Microsoft said in a statement. "To date, Microsoft has not seen widespread customer impact, rather only targeted and limited attacks exploiting IE 6," the statement said.

The vulnerability affects Internet Explorer 6, IE 7, and IE 8 on Windows 7, Vista, Windows XP, Server 2003, Server 2008 R2, as well as IE 6 Service Pack 1 on Windows 2000 Service Pack 4, Microsoft said in an advisory on Thursday afternoon.

Google disclosed the attacks targeting it and other U.S. companies on Tuesday and said the attacks originated in China. Human rights activists who use Gmail also were targeted, Google said.

Source code was stolen from some of the more than 30 Silicon Valley companies targeted in the attack, sources said. Adobe has confirmed that it was targeted by an attack, and sources have said Yahoo, Symantec, Juniper Networks, Northrop Grumman, and Dow Chemical also were targets.

Microsoft said the vulnerability in IE exists as an invalid pointer reference and that it could allow an attacker to take control of a computer if the target were duped into clicking on a link in an e-mail or an instant message that led to a Web site hosting malware. "It could also be possible to display specially crafted Web content using banner advertisements or other methods to deliver Web content to affected systems," Microsoft said in the statement.

Microsoft is working on a fix but could not say whether it would address the issue as part of its next Patch Tuesday scheduled for February 9 or before.

Keeping the IE Internet zone security setting on "high" will protect users from the vulnerability by prompting before running ActiveX Controls and Active Scripting, Microsoft said. Customers should also enable Data Execution Prevention (DEP), which helps mitigate online attacks, the company said. DEP is enabled by default in IE 8 but must be manually turned on in earlier versions.

Microsoft acknowledged Google, Mandiant, Adobe Systems, and McAfee for working with the company and providing details on the attack.

Operation Aurora
Earlier on Thursday, McAfee CTO George Kurtz detailed the vulnerability in a blog post.

"As with most targeted attacks, the intruders gained access to an organization by sending a tailored attack to one or a few targeted individuals. We suspect these individuals were targeted because they likely had access to valuable intellectual property," Kurtz wrote. "These attacks will look like they come from a trusted source, leading the target to fall for the trap and clicking a link or file. That's when the exploitation takes place, using the vulnerability in Microsoft's Internet Explorer."

Many targeted attacks involve a "cocktail" of zero-day vulnerabilities combined with social engineering, he said. "So there very well may be other attack vectors that are not known to us at this time," he wrote.

Initially, security researchers investigating the attacks believed that a hole in Adobe Reader was a culprit, but Adobe has said that it has no evidence to suggest that a vulnerability in its technology was an attack vector.

McAfee believes the internal name attackers gave to the operation was "Aurora," which the code indicated was the directory name on the computer where the code was compiled into an executable file, said Dmitri Alperovitch, vice president of threat research at McAfee.

The attack was notable for its level of sophistication, using obfuscation techniques not typically seen in attacks on corporations, he said. It dropped about 10 different malicious files with different capabilities that were used at different stages of the infection and used crypto and other techniques to avoid detection, he added.

"The exploit itself was a piece of JavaScript code that encrypted itself and had multiple layers of encryption that got you to the executable binary code, which phoned home and then pulled an encrypted file from an external server," Alperovitch said. "That file used multiple keys for encryption and once it was decrypted it turned into an executable that dropped various modules onto the infected system."

One of the modules was a back door that phoned home to a different server and established an encrypted channel designed to avoid detection by masquerading as a Secure Sockets Layer protocol, he said. "That allowed the hackers to connect to the machine and basically take it over remotely. From then on they had a beachhead to explore the rest of the network for reconnaissance."

Asked what type of data or areas of the network the code was programmed to look for or access, Alperovitch said, "We saw the backdoor, but we did not see the capability in the malware to scan networks and locate things."

The attacks lasted about three weeks, from mid-December until January 4 and were most likely timed to coincide with the holiday season when offices would be closed or lightly staffed, he said.

In early January the command-and-control channels that the code used to receive instructions from the attackers were shut down, he said, adding, "So, we could not verify where the data was going or whether there were links to China."

He said he does not know why the command-and-control servers were shut down. They were located in Taiwan and in Texas and Illinois, he said.

"We believe this attack is a watershed moment," Alperovitch said. "We've never seen this level of sophistication on attacks targeting commercial companies that aren't affiliated with a government or the defense industrial base."

Wired initially reported the IE hole earlier on Thursday, citing an unnamed source.

Updated 7:10 p.m. PST with more details from McAfee and 3:30 p.m. PST with Microsoft advisory and details and 2:33 p.m. PST to clarify that Google, not McAfee, said attacks came from China and 1:05 p.m. PST with Microsoft comment and more details from McAfee's George Kurtz.

Originally posted at InSecurity Complex

Glide OS gets its own 'GDrive' with free 30GB

Posted: 14 Jan 2010 10:20 AM PST

Web "operating system" Glide on Thursday finally gave a name to its online storage service, calling it the "GDrive." It also bumped its capacity from 20GB to 30GB, making it one of the largest free storage offerings on the Web.

The news comes just two days after Google launched its own storage service, something that was widely expected to be called the GDrive. Glide's CEO and founder, Donald Leka, told CNET in a phone call on Thursday that his company simply jumped on Google's failure to claim it. "It was a rumored name," he said. "We looked at it and we said 'wait a minute, they should have used it!' so we decided to use it instead."

Glide now offers users 30GB of free, online storage.

(Credit: CNET)

Despite the familiarity some users may have had with the GDrive moniker, the two offerings are quite different, with the main differentiation being privacy. Unlike Google, Glide does not scan through user-uploaded files for advertising purposes, something Leka said his company would never do. "I think people, for some reason, are not concerned about the issue of collection of data," Leka said. "I don't think people are fully aware of it for some reason. I don't know why that is."

On the feature front, the two also differ. For instance, Glide is giving users 30GB instead of 1GB, all without any individual file size restrictions. It's also charging quite a bit less for additional storage, at $0.20 per gigabyte per year instead of Google's $0.25 per GB/year, something that can add up for users who end up paying for large chunks of storage over a long period of time. However, just like Google, Glide requires users to buy additional storage in one chunk. Currently, that's an extra 220GB, which costs users $50 a year, though Leka said that his company is evaluating a single gigabyte purchase system that would let users buy only what they need, when they need it.

Next week Glide plans to introduce a revamped version of its Web file browser, something Leka compared to Apple's Finder. Leka said it will make it easier to browse and sort through files, as well as choose where they go at the time of upload.

Previously: Webtops hoping for a brighter future

Originally posted at Web Crawler

Littlest Pet Shop comes to iPhone

Posted: 14 Jan 2010 09:34 AM PST

Most girls younger than 10 will want to get their paws on Littlest Pet Shop.

(Credit: Electronic Arts)

What's that sound you hear you ask? It's a gazillion tween-age girls squealing with delight. Littlest Pet Shop, one of my 10-year-old daughter's favorite toys for the last several years, just got the iPhone-iPod Touch treatment (iTunes link).

For those unfamiliar with the toys, they are cute little plastic pets--dogs, cats, turtles, parrots, and the like.

As for the game, it's a decidedly "littler" version of the popular Littlest Pet Shop title for Nintendo DS and Wii. Players can collect three pets (not enough, so my daughter says), dress them with various accessories, engage in digipet-style activities (brushing, tickling, and so on), and play a few minigames (again, she says there's not enough of them).

Thus, for older and more hardcore Littlest Pet Shop fans, the iPhone-iPod Touch game will be fun for a while, but ultimately it is unsatisfying. I do think younger children will enjoy it more--and, let's face it, at $2.99, it costs less than a single Littlest Pet Shop pet.

In related news, here's a roundup of five other Nintendo DS games that have migrated to the App Store.

Originally posted at iPhone Atlas

Want really secure Gmail? Try GPG encryption

Posted: 14 Jan 2010 04:00 AM PST

Perhaps Google's announcement that Chinese cyber attackers went after human rights activists' Gmail accounts has made you skittish about just how private your own messages are on the Google e-mail service.

Well, if you want to take a significant step in keeping prying eyes away from your electronic correspondence, one good encryption technology that predates Google altogether is worth looking at. It's called public key encryption, and I'm sharing some instructions on how to get it working if you want to try it.

Unfortunately, better security typically goes hand in hand with increased inconvenience. But some human rights activists who used Gmail likely wish right now that they'd put up with a little hardship to help keep hackers at bay. I'm not going so far as to recommend you use e-mail encryption, but I think this is a good time to take a close look at it.

Specifically, I'll show here how to use a collection of free or open-source software packages: GPG, or GNU Privacy Guard, Mozilla Messaging's Thunderbird e-mail software, and its Enigmail plug-in. CNET Download.com also hosts Thunderbird for Windows and Mac and Enigmail for all platforms.

But first, some background about how it works.

Public key cryptography
Encryption scrambles messages so that only someone with a key (or a tremendous amount of computing horsepower, or knowledge of how to exploit an encryption weakness) can decode them. One form is called, curiously, public key encryption, and this is what GPG and Enigmail use.

Here's the quick version of how it works. You get a private key known only to yourself and a public key that's available for anyone else to use. The person you're corresponding with also has such a pair of keys. Although the public and private keys are mathematically related, you can't derive one from the other.

To send a private message, someone encrypts it with your public key; you then decrypt it with your private key. When it's time to reply, you encrypt your message with the recipient's public key and the recipient decodes it with his or her private key.

Messages in transit from one machine to another are a bunch of textual gobbledygook until decoded. If you're being cautious enough to encrypt your e-mail, you should be aware that there's still some information that leaks out to the outside world. The subject line isn't encrypted, and somebody might take interest in the identity of your active e-mail contacts and the timing and frequency of communications.

So how do you find out what your correspondent's public key is? You can either fetch the key firsthand from the correspondent, or you search for it on public computers on the Net called key servers--mine is stored at pool.sks-keyservers.net.

This form of encryption has another advantage: you can sign your e-mail electronically so the recipient knows it really is from you. This time the process works in reverse: you sign your e-mail with your private key, then your recipient verifies it's from you using your public key.
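The exchange described above, as an added example that is not part of the original article: Bob encrypts a note with Alice's public key and signs it with his own private key, and Alice reverses both steps. It uses textbook RSA with constructed toy primes and no padding to keep the arithmetic visible; GPG itself uses padded, hybrid schemes with far larger keys, and every name here is hypothetical.

```python
import hashlib

E = 65537  # widely used RSA public exponent


def make_keypair(p, q):
    """Return (public, private) as ((n, e), (n, d)) for primes p and q."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, E), (n, pow(E, -1, phi))  # d is the inverse of e mod phi


def encrypt(public, message):
    """Anyone holding the public key can do this."""
    n, e = public
    m = int.from_bytes(message, "big")
    if m >= n:
        raise ValueError("message too long for this toy key")
    return pow(m, e, n)


def decrypt(private, ciphertext):
    """Only the holder of the matching private key recovers the message."""
    n, d = private
    m = pow(ciphertext, d, n)
    return m.to_bytes((m.bit_length() + 7) // 8, "big")


def _digest(message, n):
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n


def sign(private, message):
    """Signing runs the private-key operation over a hash of the message."""
    n, d = private
    return pow(_digest(message, n), d, n)


def verify(public, message, signature):
    """Verification needs only the signer's public key."""
    n, e = public
    return pow(signature, e, n) == _digest(message, n)


def exchange(note=b"meet at noon"):
    # Constructed toy keys built from known Mersenne primes; real keys use
    # large random primes.
    alice_pub, alice_priv = make_keypair(2**127 - 1, 2**89 - 1)
    bob_pub, bob_priv = make_keypair(2**107 - 1, 2**61 - 1)

    # Bob's side: encrypt to Alice's public key, sign with his private key.
    ciphertext = encrypt(alice_pub, note)
    signature = sign(bob_priv, note)

    # Alice's side: decrypt with her private key, verify with Bob's public key.
    plaintext = decrypt(alice_priv, ciphertext)
    return {
        "plaintext": plaintext,
        "signature_ok": verify(bob_pub, plaintext, signature),
        "tampered_ok": verify(bob_pub, plaintext + b"!", signature),
        "wrong_key_plaintext": decrypt(bob_priv, ciphertext),
    }


if __name__ == "__main__":
    for field, value in exchange().items():
        print(field, value)
```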

Drawbacks aplenty
Weighed against the encryption advantages of privacy and message signing is the fact that you'll lose access to service you may like or depend on.

When you see an encrypted e-mail in the Web-based Gmail, it's gibberish. Google doesn't index it, so Gmail search doesn't work. And the strong points of cloud computing--reading your e-mail from your mobile phone, your friend's computer, a computer kiosk at the airport--aren't possible. You're once again anchored to your PC with the encryption software installed.

Gmail won't be able to make heads or tails of your encrypted e-mail.

(Credit: Screenshot by Stephen Shankland/CNET)
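What a mail provider can still read in an encrypted message, as an added example (not code from the article): it parses a PGP/MIME message, an inline-PGP message and a plain one, then reports the cleartext headers and the words left for search to index. The addresses, subject, boundary and armored body are constructed placeholders, and the function names are hypothetical.

```python
import base64
import re
from email import message_from_string, policy

ARMOR_HEAD = "-----BEGIN PGP MESSAGE-----"
# Constructed stand-in for gpg output; the payload is not a real OpenPGP packet.
ARMORED = (
    ARMOR_HEAD + "\n\n"
    + base64.b64encode(b"constructed placeholder, not real ciphertext").decode()
    + "\n-----END PGP MESSAGE-----\n"
)
# Constructed sample envelope shared by all three messages.
HEADERS = (
    "From: alice@example.org\n"
    "To: bob@example.org\n"
    "Subject: Travel plans\n"
    "Date: Thu, 14 Jan 2010 04:00:00 -0800\n"
    "MIME-Version: 1.0\n"
)


def pgp_mime_message(armored):
    """Lay out a PGP/MIME (RFC 3156) message: control part, then ciphertext."""
    b = "constructed-boundary"
    return (
        HEADERS
        + 'Content-Type: multipart/encrypted; protocol="application/pgp-encrypted";\n'
        + f' boundary="{b}"\n\n'
        + f"--{b}\nContent-Type: application/pgp-encrypted\n\nVersion: 1\n"
        + f"--{b}\nContent-Type: application/octet-stream\n\n{armored}"
        + f"--{b}--\n"
    )


def text_message(body):
    """A single-part text message: a plain body or an inline armored block."""
    return HEADERS + "Content-Type: text/plain; charset=us-ascii\n\n" + body


def provider_view(raw):
    """Report what someone storing or relaying the message can read."""
    msg = message_from_string(raw, policy=policy.default)
    headers = {h: str(msg[h]) for h in ("From", "To", "Subject", "Date")}
    body = None
    if (msg.get_content_type() == "multipart/encrypted"
            and msg.get_param("protocol") == "application/pgp-encrypted"):
        fmt = "pgp-mime"
    else:
        part = msg.get_body(preferencelist=("plain",))
        text = part.get_content() if part is not None else ""
        if ARMOR_HEAD in text:
            fmt = "inline-pgp"
        else:
            fmt, body = "plaintext", text
    # The subject is always indexable; the body only when it is not encrypted.
    searchable = headers["Subject"] + " " + (body or "")
    words = set(re.findall(r"[a-z]+", searchable.lower()))
    return {"format": fmt, "headers": headers, "body": body,
            "indexable_words": words}


if __name__ == "__main__":
    samples = {
        "PGP/MIME": pgp_mime_message(ARMORED),
        "inline PGP": text_message(ARMORED),
        "plain": text_message("Flight lands at noon.\n"),
    }
    for label, raw in samples.items():
        view = provider_view(raw)
        print(label, view["format"], view["headers"]["Subject"],
              sorted(view["indexable_words"]))
```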

Another doozy is that the technology, while conceptually manageable in my opinion, quickly gets complicated. It's the kind of thing where you benefit from some hand-holding from your technologically sophisticated pal. Encryption is chiefly used by the expert crowd, so the documentation quickly gets technical, the options quickly go beyond most people's comprehension, and the help quickly can shift from Spartan manuals to grasping at straws on a search engine results page.

Given time and experience, intractable technology can be beaten into submission, though. The bigger problem with encrypted mail is convincing others to install the software and use it. Until then, you'll be like the proverbial owner of the world's single fax machine: nice technology, but there's nothing you can do with it until someone else gets one.

My personal hope is that encrypted e-mail will become more common and that wider use will encourage some flavor of it that will work more transparently with existing systems, perhaps through local plug-ins on a computer such as FireGPG, though there appear to be challenges getting it to work with Gmail.

Meanwhile, here's one collection of software that's available today for public key e-mail encryption.

Install the software
First, install Thunderbird e-mail software, if you haven't already. I recommend the new version 3.0, which is available for Windows, Mac OS X, and Linux. One particularly nice feature is that the software will ask you for your e-mail address and password on its first launch, and Gmail users will find the software automatically handles the tangle of configuration details that previously had to be manually set.

Next up is GPG, the command-line software that handles the actual encryption, decryption, and key management behind the scenes. Fetch the appropriate copy for your operating system from the "binaries" links at the GPG downloads page. Technophiles will like using this actual software from the command line, but don't worry--you don't have to.

Last is installing the Enigmail plug-in for Thunderbird. Fetch the appropriate version from the Enigmail download site and make a note of where you save the file.

Enigmail isn't the kind of file you double-click to install. Instead, go to Thunderbird, open the Tools menu and click Add-ons. In the lower-left corner of the dialog box that appears, click "Install..." When prompted for a location, point to where you saved the plug-in; the filename should be "enigmail-1.0-tb-win.xpi" or some other operating system-appropriate variation.

Set up the software
Next, it's time to get started. Enigmail offers useful instructions that generally are up to date, though they don't mention Thunderbird 3.0 and some other matters.

You'll likely get a setup Wizard from Enigmail, which is fine. My advice: set it to sign encrypted messages by default but not to encrypt messages by default unless you're confident you're going to use it a lot.

The first task is to generate your public and private keys--your "keypair." Enigmail can handle this chore. In Thunderbird, click the OpenPGP menu, then the "Key Management" option. A new window will pop up with its own set of menus. Click the rightmost one, "Generate."

The default options are pretty good, though setting the key not to expire might be preferable for some people. That can be changed later, if you have second thoughts. For your passphrase, the usual password rules apply: the longer it is and the farther away from anything in a dictionary it is, the harder it is to crack.

Now comes the best part of the whole thing: helping out the random number generator while the keys are being generated. It doesn't take long, but doing something else while it happens--browsing a Web page or loading a word processing file, for example--creates events that actually inject a little helpful unpredictability into the algorithm. It's one of those wacky computer science moments.

Once the keys are generated, upload yours to a key server so your pals can find your key. It's easy: click the "Keyserver" menu, "Upload Public Keys," and go with the default pool.sks-keyservers.net server.

Try it out
Now it's time to get viral. You have to find somebody to experiment on. Go through your list of nerdy, security-minded, perhaps somewhat paranoid friends and start recruiting. A tinfoil hat isn't a prerequisite for using e-mail encryption, but there's a connection.

Once you've got a companion--or set up a second keypair with another e-mail account--start a new e-mail message and type in a subject line and some text. In the OpenPGP menu, select "sign message," "encrypt message," and if your message recipient is using Enigmail, "Use PGP/MIME for this message." (The latter option has some advantages, but isn't supported universally.)

When you send the message, you'll need to use your recipient's public key to encrypt the message and your own passphrase to sign the message with your private key.

When it's time to read, you'll need the public key of your correspondent to verify the signature and your own passphrase to decrypt it.

Sending and receiving is where those public key servers come in handy. Seek, and if ye don't find, ask your friend to e-mail you the public key.

There's a whole new world of encryption out there--the web of trust, key signing, fingerprints and such--that I won't get into here. I recommend a look at the Enigmail configuration manual and the Enigmail Handbook.

If you're a command-line nut, I recommend Brendan Kidwell's practical introduction and, with my usual reservations about the utter lack of informative examples, the GPG man page. History buffs can check the Wikipedia pages (the saga of Phil Zimmermann vs. the U.S. government concerning GPG's precursor, PGP, or Pretty Good Privacy, is particularly notable), and one 10th-anniversary GPG retrospective from founder Werner Koch.

In closing: back up your key
There is one last task you should attend to: export your keypair. Enigmail can handle this fine: In the search field, type your name until your key appears, click it to select it, then click "File" and "Export Keys to File."

This backup will be useful for decrypting your mail on a new computer, installing software from scratch, or otherwise managing the inevitable digital transitions in your life. But be warned: that private key is what somebody needs to crack your encryption, so don't leave it where somebody can find it.

I'm not convinced that GPG will rule the world. Indeed, I'm concerned that so much documentation I encountered for this article was written before Windows Vista arrived.

But I am convinced there are serious holes with our current security and privacy arrangements. A 2,048-bit encryption key won't thwart phishing scams or other social engineering attacks that appear to have been employed in the Google-China case, but it's a good place to start.

And using encryption sends a message to the technology world: perhaps it's time to start taking our security more seriously. Google opted for encrypted Gmail network connections, even though it will tax their servers with more processing, which is a good start. Better security can be inconvenient and expensive, but don't forget to consider the drawbacks of poor security.

Originally posted at Deep Tech
