BlackBerry users, your tweet game just stepped up a notch, as Twitter for BlackBerry version 2.0 is now available in BlackBerry Beta Zone. Thanks to a newly adopted "iterative development approach" at Research in Motion, this newest version comes to us less than a month after version 1.1 dropped.

The biggest improvement can be found in Twitter Search, which now combines the Find People, Search, and Popular Topics functions into a single unified search screen. Trends and Saved Searches are also tucked in there, making for a more streamlined search experience overall. And for BlackBerry 6 users, Universal Search on your phone can now pull from Twitter Search categories as well. Finally, version 2.0 beta sports a new black-chrome color scheme and a Compose Tweet button right on the app's omnipresent nav bar. This means easy tweeting from anywhere in the app.

With its navigational enhancements and slight face-lift, Twitter for BlackBerry 2.0 beta should make your mobile tweeting experience just a bit more enjoyable. Sign up for BlackBerry Beta Zone if you'd like to give it a test drive.

Popular third-party password manager LastPass revealed yesterday that it may well have been hacked and that some e-mail usernames and master passwords may have been stolen. Does this mean it's time to migrate to another password manager, or even abandon the entire concept of online password management for a pen-and-paper solution?

Given the facts of the situation from LastPass' blog post explaining what happened, I'd say no to giving LastPass the boot, and definitely not to abandoning digital password management for a "little black book."

Leaving a paper trail is a horrendous idea for two reasons. The first is that if you lose your book or it gets stolen, it's gone and you've got a statistically tiny chance of recovering it. The other is that the book itself offers zero security. If somebody else sees it, your passwords are compromised even if the book doesn't get stolen. From any angle, it's just a bad idea.

Before I get to why it's OK to stick with LastPass, though, let's review some of the reasons people use third-party password managers in the first place. Though the five major browsers now offer some method of password protection and management, including syncing between mutliple devices, many people have flocked to third-party password protection because it tends to be browser-agnostic. You can access it from any browser, including on your smartphone, and the third-party vendors often provide more features, such as stronger security, password grouping, password generation, password-associated note-taking, and password sharing to trusted individuals.

In fact, one of the best reasons to use LastPass is that it uses 256-bit AES encryption to protect your data, and the company is solely focused on providing password protection. LastPass also uses one-way salted hashes, which is not a potato-based concoction. A "salted hash" in cyptographic terms means that random binary numbers are used in conjunction with a password to ensure that the data transfer is legitimate and not being spoofed. It prevents pregenerated password tables from being used to gain access to the system, because the random binary part of the hash would be too large to easily spoof.

LastPass noted in its blog announcing the possible breach that the company has taken the opportunity to implement salted hash 256-AES protection with PBKDF2. This is a very strong manner of encryption, and brings us to why it's still a good idea to continue to use LastPass. Unlike recent high-profile data theft cases involving companies like Sony, Ashampoo, Verizon, and Epsilon, LastPass has been very forthcoming with information on the steps the company has taken to ensure continued user protection. This includes noting that despite thin evidence that the possible breach had affected many customers, LastPass decided to take the precautionary step of resetting everybody's master, and not just those of users on the affected server.

The key paragraph from the LastPass blog post announcing the possible breach is this:

"In this case, we couldn't find that root cause. After delving into the anomaly, we found a similar but smaller matching traffic anomaly from one of our databases in the opposite direction (more traffic was sent from the database compared to what was received on the server). Because we can't account for this anomaly either, we're going to be paranoid and assume the worst: that the data we stored in the database was somehow accessed. We know roughly the amount of data transfered and that it's big enough to have transfered people's e-mail addresses, the server salt, and their salted password hashes from the database. We also know that the amount of data taken isn't remotely enough to have pulled many users' encrypted data blobs."

So, assuming that LastPass is being forthright and not lying, the following statement also makes sense:

"If you have a strong, non-dictionary-based password or pass phrase, this shouldn't impact you--the potential threat here is brute-forcing your master password using dictionary words, then going to LastPass with that password to get your data. Unfortunately not everyone picks a master password that's immune to brute forcing.

"To counter that potential threat, we're going to force everyone to change their master passwords. Additionally, we're going to want an indication that you're you, by either ensuring that you're coming from an IP block you've used before or by validating your e-mail address."

Again, assuming honesty from LastPass--which admittedly may be too much for some people--it appears that LastPass is taking extreme measures to protect all its users from what potentially might have been a data breach. Another reason that LastPass might be requiring all users to reset their passwords is that the company doesn't have access to the salt hashes on its own servers. They couldn't see your passwords if they wanted to.

It's this kind of straightforward frankness about data breaches that other companies would do well to learn from. Data breaches are inevitable. There is no such thing as a foolproof system, whether we're talking about security virus definition updates or securing data on a server. But as more and more of our personal data is stored up in the cloud, what will differentiate the responsible corporations and companies from the reckless ones is clear and quick communication about both security upgrades and data breaches.

Related stories
• LastPass (review)
• LastPass Pocket for USB and offline use (download)
• How to avoid sharing personal info online
• Study: Negligence cause of most data breaches

Users who manage and store their passwords through password management service LastPass are being forced to change their master passwords after the site noticed an issue this week that raised the spectre of a possible security breach.

As described in a blog yesterday, LastPass (download) recently followed a string of breadcrumbs that pointed to an anomaly in its network traffic on Tuesday. Though such anomalies aren't unusual, LastPass found a matching anomaly in one of its databases. Unable to identify a root cause for either anomaly, the company made the decision to assume the worst--that some of its data had been hacked.

Although LastPass hasn't identified a specific breach, it's erring on the side of caution by now forcing its members to change their master passwords. For you non-LastPass users, what exactly does that mean?

Services like LastPass and rival RoboForm let users create and manage passwords to more easily log in to the vast array of secure Web sites they visit. Those passwords can be stored on a PC or mobile device as well as online. As one means of protection, both companies typically urge users to create a single complex master password that can unlock the key to accessing their passwords. Of course, if that master password is compromised, hackers potentially can gain access to all the individual passwords, one reason why these companies advise users to employ complex master passwords.

In this case, LastPass said it believes that users with complex non-dictionary master passwords were probably safe even if any data was compromised. But the company knows that many users out of force of habit often choose simple, easily decipherable passwords. Though it sees the need to require all users to change their passwords as an overreaction, as LastPass says, "we'd rather be paranoid and slightly inconvenience you than to be even more sorry later."

In the meantime, LastPass says that it's taking further precautions against the anomaly by shutting down and moving certain key services and verifying all of its source code. The company is also enhancing the encryption used to protect its data.

Update 9:30 a.m. PT: LastPass is now reporting on its blog that the company is being overwhelmed by support requests and is having trouble keeping up with the number of password changes. The company has since set up a way for users to confirm their e-mail addresses without having to change their passwords. As a result, LastPass is urging people who are using the service from the same computer or IP address to hold off on changing their passwords for a few days.

"We're asking if you're not being asked to change your password then hold off--we're protecting everyone."

The company further suggests accessing your LastPass data offline by disconnecting from the Internet and then logging in or by downloading its LastPass Pocket software, which lets you carry around your data on a USB stick.

Update 11:07 a.m. PT: Security researchers at Duo Security have also offered their take on the LastPass security anomaly with recommendations on what LastPass users should do at this point.

Originally posted at News - Security

Most of us store music in two places: on our computer and on our iPod (or other MP3 player). But if your computer crashes indefinitely, all the music you (hopefully) purchased disappears along with it. So what's left? A handicapped iPod, as Apple restricts its gadgets to sync with one music library--any attempts to sync with a different computer will result in a deleted iPod.

Naturally, there's a workaround. If you'd like to safely move songs from your iPod (except the iPod Touch) to any computer, follow these steps:

How to transfer music from an iPod to a Mac
Step 1: Connect your iPod and launch iTunes. In the iPod management screen, scroll down to Options and check "Enable disk use." iTunes will give you a warning--select OK.

Step 2: Now your iPod will show up as a drive on your Desktop. But before you can access its files, download and install a program called Houdini. Houdini lets you view the music folder that's automatically hidden by Apple.

Step 3: Open Houdini, click "Folders," and then "Reveal." Locate your iPod, and open "iPod_controls." Highlight "Music," and press Choose.

Step 4: Now in your iPod folder, open iPod_Controls > Music. Highlight all of the folders and drag them into the desired folder on your hard drive. This might take a while, depending on how much music you're transferring.

Once the files are copied, you've successfully transferred the music. However, you'll notice that the songs have four-letter names and are scattered among many folders. It's OK. Once you import the music into iTunes (or any other media player), the program will reinstate the titles of the songs.

How to transfer music to an iPod to a Windows computer
Step 1: Connect your iPod and launch iTunes. In the iPod management screen, scroll down to Options and check "Enable disk use." iTunes will give you a warning--select OK.

Note: If you get an error message asking you to reformat upon connecting, your iPod was originally formatted for Mac and cannot be used in Windows. One workaround is to install a program like MacDrive, which will allow your Windows machine to read Mac-formatted drives. Clicking "reformat" will erase your iPod.

Step 2: Now open My Computer and open your iPod drive.

Step 3: Open Tools > Folder Options. Click the View tab and check "Show hidden files and folders."

Step 4: Now in your iPod folder, open iPod_Controls > Music. Highlight all of the folders and drag them into the desired folder on your hard drive. This might take a while, depending on how much music you're transferring.

Step 5: Highlight all of the folders again, right-click, and select Properties. Uncheck "Hidden." Close this window.

Once the files are copied, you've successfully transferred the music. However, you'll notice that the songs have four-letter names and are scattered among many folders. It's OK. Once you import the music into iTunes (or any other media player), the program will reinstate the titles of the songs.

Originally posted at Crave