G$earch

Take Picnik for a picnic with Mozilla's Jetpack

Posted by Harshad

Take Picnik for a picnic with Mozilla's Jetpack

Posted: 06 May 2010 05:05 PM PDT

Web-based image editor Picnik, which is now a part of Google, has long been the built-in editor for Yahoo's Flickr photo-hosting service. And if you've found yourself wishing it was just as simple to edit other images around the Web, you're in luck. A relatively new Firefox extension called "Instant Image Edit with Picnik" lets you edit any image on any site, using Picnik--all with little more than a right-click.

The extension was built using a new part of Mozilla's Jetpack API, which lets developers add items to the contextual menu of a user's browser. In this case it's a link to "edit image with Picnik," which shows up when you right-click on an image. Doing so kicks you out to Picnik's Adobe Flash-based editor, which will load up the image editor in a new tab without you even having to sign in or register for Picnik itself.

Instant Image Edit with Picnik does just what it says, and with great results.

(Credit: Screenshot by Josh Lowensohn / CNET)

There is one big caveat, which is more an issue with the way Picnik acquires the images than what the extension does. Picnik cannot fetch images that are behind a VPN or password-protected page. This means you can't go and edit a photo you've received in your Web mail in-box without first downloading it locally, or hosting it elsewhere. That aside, with this installed you can get the same kind of Flickr-like simplicity for editing your photos in places like Picasa and Facebook--all without having to head over to Picnik to get things started.

Chrome users should not feel too left out, as there's a similar extension (and a first-party one at that) from Picnik that lets you do the same thing.

See also: Aviary's screen capture tool for Firefox and Chrome, which can slurp in entire Web pages for editing.

Originally posted at Web Crawler

Flick Baseball, Iron Man 2, SpongeBob, and more: New iPhone games of the week

Posted: 06 May 2010 03:10 PM PDT

Know what I just realized? I'm on game overload. There are too many great games for the iPhone and iPod Touch and not nearly enough hours in the day.

In fact, I'm concerned about the platform's effect on national productivity. I can't prove it, but I think Apple is responsible for lowering the country's GDP. Thankfully, I was able to resist the siren song of gaming just long enough to write up these five new arrivals:

Chop Chop Tennis: So this is what the kids of South Park would look like if they dressed as ninjas and played tennis. The latest in the Chop Chop series lets you play singles or doubles on any of five colorful courts. The gameplay is decidedly Wii-style, but here you're swiping (with your finger) instead of swinging. Alas, for now it's a one-person outing, though developer Gamerizon says local multiplayer is coming soon. (But what it really needs is online multiplayer.) Price: $2.99.

Fast & Furious: Adrenaline: Does the iPhone really need another racing game? Hey, if they're good, keep 'em coming. Fast & Furious: Adrenaline (the latest title based loosely on the movie franchise) breaks little new ground in the genre, but it delivers plenty of high-speed, free-wheeling action for those who like arcade-style street racing. Multiplayer is limited to local competition, but at least the price is right: 99 cents.

Flick Baseball Pro: There's been a lot of advance buzz about this title, and with good reason: it's without a doubt the best arcade-baseball game to date. You get to pitch, bat, and even field fly balls, all by engaging in various types of timed tapping. The graphics, audio, and presentation are all console-quality, making it all the more surprising that the game is priced at just $2.99.

Iron Man 2: When it comes to crafting action titles, Gameloft knows its stuff. In this movie tie-in, you get to play as either the titular hero or War Machine, upgrading your suit with bigger, badder weaponry as you progress through the levels. Kick butt on the ground and in the air across nine global locations. The iPhone/iPod version costs $6.99; there's also an HD iPad version for $9.99.

SpongeBob's Krusty Komics: It's a comic book, yes, but there's also a game in the mix: a basic nine-square sliding puzzle. Obviously the target audience here skews young, and the free app is really just a tease to sell you more SpongeBob comics and games, both of which you can buy inside the app. But for kids and/or SpongeBob fans, it's all good stuff.

What kid wouldn't like a free SpongeBob SquarePants comic book?

(Credit: MTV Networks)

Have you seen any new and noteworthy games this week? What titles have been tanking your productivity? Name 'em in the comments.

Originally posted at iPhone Atlas

Trillian chat app officially coming to BlackBerry

Posted: 06 May 2010 01:39 PM PDT

For now, Trillian's BlackBerry app will remain in limited, close beta.

(Credit: Cerulean Studios)

BlackBerry users are a loyal bunch--just ask rapper and producer will.i.am, who has two jewel-encrusted models. These days, BlackBerry-toters are just as often on the receiving end of a long wait time to get a popular service rolled out for their phones.

On Thursday, makers of the Trillian multinetwork instant messaging app uttered their first peep about a beta version of Trillian 1.0 for BlackBerry. The app is currently in a limited closed beta, which means that only a select group of testers has access to the app--and the bugs. The company predicts a short timeline of "a few weeks" before releasing the final version.

What can the hordes of BlackBerry chatters expect in Trillian's BlackBerry build? For a start, there's support for Yahoo, Google Talk, Windows Live Messenger, AIM, Facebook, MySpaceIM, and Jabber/XMPP chat networks. You'll be able to sync your Trillian details, including contacts and avatars, with Trillian on Windows, Mac, iPhone, and the Web.

So far the closed beta also handles tasks you'd expect, like updating your status, avatar, and display name, support for emoticons, copy/paste, and photo-sharing. As far as customization goes, there are also two themes: one black, one white.

The app doesn't look half bad from the screenshots we saw, but the real test will be how well we can wield it, particularly when transferring links and files, and switching between multiple open chats. CNET has confirmed that Trillian for BlackBerry will be a premium application when it comes to BlackBerry's App World; its price point and feature set will determine how it fares against other premium chat apps in the category, including Beejive IM, one of our favorites. Watch this space because we'll certainly be watching Trillian.

Trillian 1.0 for BlackBerry will at least work with the BlackBerry Bold, Storm, Curve, and Pearl, though publisher Cerulean Studios has not yet announced the complete list of compatible handsets. The chat app supports Wi-Fi and direct TCP connections, as well as the BlackBerry-specific BIS and BES.

If you'd like to be among the first to know when Trillian's BlackBerry chat app makes its next move, sign up for the beta here.

Worm spreading via Yahoo Messenger

Posted: 06 May 2010 01:15 PM PDT

The Yahoo IM worm poses as a photo link from a friend.

(Credit: Symantec)

A worm is spreading via Yahoo Instant Messenger Thursday that tricks people into downloading what they think is a photo from a friend but is instead malware that installs a backdoor on Windows systems and spreads to a victim's IM contacts.

The worm arrives via a message from a contact with the word "photo" or "photos" and a smiley face icon, along with a link to a Web site resembling a Facebook page, MySpace page, or some other page where photos might reside.

If the user clicks on the link on a Macintosh system, an executable file will be downloaded, but no further action will occur. On a Windows system, the executable will download and if the user runs the file, the computer will become infected and the malicious message will be distributed to all of the IM contacts.

"Once run, the worm copies itself to %WinDir%\infocard.exe, then it adds itself to the Windows Firewall List," modifies registry keys, and stops the Windows Updates service, according to Symantec.

If you see this message, don't click "Run."

(Credit: Symantec)

Symantec detects the malware as W32.Yimfoca and said it affects Windows 98, Windows 95, Windows XP, Windows Me, Windows Vista, Windows NT, Windows Server 2003, and Windows 2000.

"It's very dangerous," Zulfikar Ramzan, technical director at Symantec Security Response, said in an interview. "When you get an IM from someone you know you're more likely to click on it."

The worm drops software onto infected computers that can be used to turn them into zombies on a botnet, he said. But, once that back door is on the compromised system anything really is possible, he added.

BitDefender said in a blog post that the "aggressive" worm is part of a family of worms that can intercept passwords and other sensitive data.

Security firm Bkis also has information on the worm, which has been spreading throughout the week.

Yahoo said in a blog post that it was aware of the issue and working to address it.

"We recently learned of an issue where some users have received spam messages from their contact list. Yahoo Messenger has quickly worked to resolve the situation," the post said. "As always, we recommend that any Yahoo Messenger user who receives a suspicious instant message with a link first IM their friend to ensure the message is legitimate before moving forward. Users should not download executable (.exe) files that are sent through Yahoo Messenger." Internet users should also keep their antivirus up to date, Yahoo recommended.

Originally posted at InSecurity Complex

Microsoft to fix holes in Windows, Office

Posted: 06 May 2010 11:04 AM PDT

Microsoft on Tuesday will issue two critical bulletins that will fix vulnerabilities in Windows and Office, which if exploited successfully, could allow a remote attacker to take control of the computer, the company said Thursday.

The bulletins, part of the company's monthly Patch Tuesday fixes, affect Windows 2000, XP, Vista, Windows 7, Server 2003 and Server 2008, Office XP, Office 2003, 2007 Microsoft Office System, and Microsoft Visual Basic for Applications and Visual Basic for Applications software development kit. Windows 7 and Server 2008 R2 customers are not vulnerable in their default configurations, however, the company said in a post on the Microsoft Security Response Center (MSRC) blog.

Absent from Patch Tuesday's bulletins, however, will be a fix for a vulnerability in SharePoint Services 3.0 and SharePoint Server 2007 that was disclosed last week and which could lead to a cross-site scripting attack via the browser. Proof-of-concept exploit code has been published.

"Our teams are still working on an update for that issue," Jerry Bryant, group manager for response communications at the MSRC wrote in the post. "In the meantime, we recommend customers review the advisory and apply the workarounds."

Meanwhile, Microsoft said support for Windows 2000 and XP SP2 will end after July 13 and customers should upgrade to a supported operating system or the latest service pack to continue receiving security updates.

Originally posted at InSecurity Complex

Google's Goggles gets instant text translation

Posted: 06 May 2010 10:49 AM PDT

This past weekend I was at a wedding where the bride, groom, and both of their families came from different sides of the Pacific Ocean (Japan and central California to be precise). At the party the night before the ceremony a few of us broke out our phones to play with translation apps, which of course, led to comical results.

One of the highlights was when the groom-to-be (who happens to be bilingual) looked at my attempt to translate "I think you've had enough beer," from English to Japanese and said "That's good, but far too formal. You basically just said that like David Attenborough."

Shortcomings aside, there is something to be said about instant, on-the-fly translation. It may not always be perfect, but it's certainly better than nothing.

To aid in this process, Google's Goggles software, which remains an Android-exclusive (though not for long), has been freshly updated to translate text that has been captured by your phone's camera. Google has essentially embedded its Google Translate service (which exists as another standalone app for Android). The new option shows up as a button just beneath whatever text is captured. Just like identifying works of art, books, CDs, and buildings, you just have to take a photo and it does the rest.

Goggles can now let you crop down to an area you want to take a picture of, then translate the text it captures.

(Credit: Images by Google / Screenshot by Josh Lowensohn/CNET)

One very nice new feature to come along with this is a live crop of what's on your camera's screen. This lets you select a free-form box around the region you'd like captured, which can be helpful for things like menus, or any other busy piece of paper where you want to focus on one part.

For the ultimate translation tool, Android users will still want to keep around Google's standalone Google Translation app, which pulls from the same results. The reason for this is to retain the live speech-to-text translation which can save you some keystrokes if you're pecking out something that's not on a written page. Maybe Google will even embed similar, photo-taking prowess into that app for the sake of simplicity.

Originally posted at Web Crawler

How a browser extension leaks Google history to Amazon

Posted: 06 May 2010 04:00 AM PDT

A strange and scary incident while I was researching a story this week has led me to reconsider my recommendation of the Invisible Hand browser extension. This issue also serves to remind us that there are online privacy issues we all face from sites other than Facebook.

As the video in this post shows, when I was looking up information on a product on Google, I found shortly afterward that Amazon knew about my Google search and put the product I was looking at in my "Recently Viewed" slot when I loaded up the retail site.

This cross-site data leakage was due to the way the Invisible Hand extension works on Google's Chrome browser. The same issue happens on Internet Explorer when Invisible Hand is installed. Firefox is immune.

What Invisible Hand does--which is extremely useful--is compare prices of products you're looking at on the Web against multiple other sites. It operates in the background and remains completely out of the user's way until it finds useful data to display. To do its background research, it has your computer look up pricing data on stores like Amazon, Wal-Mart, Best Buy, and others. When it does those look-ups on Chrome or IE, these target sites see your query as human browsing behavior. While Amazon appears to be the only one that actually uses the data on its storefront, showing you your "last viewed" item, all the other sites that Invisible Hand checks essentially get the same information: what you are shopping for, anywhere on the Web.

Firefox has a feature that allows background HTTP requests to be done in isolation ("sandboxed") from open browser tabs, which prevents cookies created during the background look-ups from being used by browser tabs that the user is running directly.

Although this behavior may end up being useful to users in some cases, I consider it a serious privacy breach. I don't want Amazon or any other store to know what I'm doing on Google or on other stores, and I'll wager few users do. I'll leave the nightmare scenarios as exercises for the reader; I came up with several involving spouses and gifts (for people other than the spouses), medical supplies, behavior that reveals sexual preference, and so on.

Why so leaky?
After isolating the cause of this leakage, I spoke to Robin Landy, the founder of Invisible Hand. He told me that what I was seeing is a function of the way Chrome handles background Web requests, which is what Invisible Hand relies on to gather data. Google Chrome and Internet Explorer do not allow "sandboxed HTTP requests." When you're using Chrome or IE with the Invisible Hand plug-in, each look-up ends up creating a cookie in your browser; retail sites like Amazon use that (and other information) to create a custom page for you.
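The difference between a shared cookie jar and sandboxed background requests, described in the two passages above, can be modeled in a few lines. This is an added example, not code from the extension or from any browser; the `Retailer` and `Browser` classes, the host `store.example`, and the product string are all constructed for illustration.

```javascript
// Toy model of browser cookie jars. All names and values are constructed.

// A retailer that tracks "recently viewed" items per session cookie.
class Retailer {
  constructor(host) {
    this.host = host;
    this.nextId = 1;
    this.viewedBySession = new Map(); // session id -> list of products
  }
  // Handle one request; `cookies` is the jar the client sent it from.
  handle(cookies, product) {
    let sid = cookies.get(this.host);
    if (!sid) {                      // first visit: issue a session cookie
      sid = `sid-${this.nextId++}`;
      cookies.set(this.host, sid);   // Set-Cookie lands in the sender's jar
    }
    const viewed = this.viewedBySession.get(sid) || [];
    if (product) viewed.push(product);
    this.viewedBySession.set(sid, viewed);
    return { sid, recentlyViewed: [...viewed] };
  }
}

// A browser whose extension look-ups either share the tab cookie jar
// (the Chrome/IE behaviour the article describes) or use a separate one
// (the sandboxed behaviour the article attributes to Firefox).
class Browser {
  constructor(sandboxBackground) {
    this.tabJar = new Map();
    this.backgroundJar = sandboxBackground ? new Map() : this.tabJar;
  }
  // Price look-up issued by the extension while the user is on another site.
  backgroundLookup(retailer, product) {
    return retailer.handle(this.backgroundJar, product);
  }
  // The user opens the retailer's home page in a tab (no product viewed).
  visitInTab(retailer) {
    return retailer.handle(this.tabJar, null);
  }
}

function simulate(sandboxBackground) {
  const store = new Retailer("store.example");
  const browser = new Browser(sandboxBackground);
  // The user searches elsewhere; the extension silently queries the store.
  browser.backgroundLookup(store, "constructed-product-A");
  // Later the user loads the store directly and sees its "recently viewed".
  return browser.visitInTab(store).recentlyViewed;
}

console.log("shared jar:   ", simulate(false));
console.log("sandboxed jar:", simulate(true));
```

With the shared jar the store's session covers both the background look-up and the later tab visit, so the product appears as recently viewed; with the sandboxed jar the tab gets a fresh session and the list is empty.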

You've been warned. But perhaps the text should be extended to read, "...and will share it with every big store on the Internet."

Ironically, Invisible Hand's architecture ensures that Invisible Hand itself doesn't see your shopping data or benefit from this cross-site data sharing in any way. The IH extension works locally, on users' computers. Invisible Hand, the company, does not collect your browsing behavior or know its users' identities. It doesn't even require sign-up to use.

Another irony: I would trust Invisible Hand with this data more than I would the several retail sites that it gathers data from, and who are now getting users' behavior data in the process. Invisible Hand is just one company, with a CEO that I found earnest and approachable, and its financial motives are pure. It literally makes money when its users save money. It has no vested interest in mining data further--unlike the retail sites whose pricing data it scrapes.

A source at Google looked into this and told me that this is an issue that the Chrome developers are now interested in addressing. (They should study Firefox.) I was also reminded that extensions can do as much on your computer as executable apps and should only be installed when absolutely trusted. Invisible Hand remains a "featured" extension for Chrome as of this writing.

The fixes
Users of the Invisible Hand extension have a few options to make it a little less of a privacy concern. By default, the extension disables itself if you use Incognito or Private browsing modes. Also, a configuration option turns it off for Google searches, although it will still leak data between stores (for example, if you look at an item on BestBuy.com, Amazon will show that item as "recently viewed"). And, most importantly, the data leakage does not occur on Firefox.

Invisible Hand itself at one point considered a different architecture that would shield users from the leakage problem, by running the price look-ups on its servers instead of on users' computers. Landy told me that the performance trade-offs were unacceptable.

To close, CNET to the Rescue reminds users that interactions among browsers, sites, and extensions are complex and can potentially lead to cross-site data leaks, even when all the companies involved are ones you trust. Users are especially reminded that services that operate in the background on your behalf may share data that you are accustomed to thinking of as private and isolated. See Blippy, for example. I have seen other examples of this and will be following up.

Originally posted at CNET to the Rescue
