Let's face it: The planet is heating up, Earth's population is expanding at an exponential rate, and the the natural resources vital to our survival are running out faster than we can replace them with sustainable alternatives. Even if the human race manages not to push itself to the brink of nuclear extinction, it is still a foregone conclusion that our aging sun will expand and swallow the Earth in roughly 7.6 billion years.

So, according to famed theoretical physicist Stephen Hawking, it's time to free ourselves from Mother Earth. "I believe that the long-term future of the human race must be in space," Hawking tells Big Think. "It will be difficult enough to avoid disaster on planet Earth in the next hundred years, let alone the next thousand, or million. The human race shouldn't have all its eggs in one basket, or on one planet. Let's hope we can avoid dropping the basket until we have spread the load."
Hawking says he is an optimist, but his outlook for the future of man's existence is fairly bleak. In the recent past, humankind's survival has been nothing short of "a question of touch and go" he says, citing the Cuban Missile Crisis in 1963 as just one example of how man has narrowly escaped extinction. According to the Federation of American Scientists there are still about 22,600 stockpiled nuclear weapons scattered around the planet, 7,770 of which are still operational. In light of the inability of nuclear states to commit to a global nuclear non-proliferation treaty, the threat of a nuclear holocaust has not subsided.
In fact, "the frequency of such occasions is likely to increase in the future," says Hawking, "We shall need great care and judgment to negotiate them all successfully."

Even if humans manage to avoid a nuclear stand-off over the next thousand years, our fate on this planet is still pretty much certain. University of Sussex astrophysicist Dr. Robert Smith says eventually the aging Sun will accelerate global warming to a point where all of Earth's water will simply evaporate.
"Life on Earth will have disappeared long before 7.6 billion years," says Smith, "Scientists have shown that the Sun's slow expansion will cause the temperature at the surface of the Earth to rise. Oceans will evaporate, and the atmosphere will become laden with water vapor, which (like carbon dioxide) is a very effective greenhouse gas. Eventually, the oceans will boil dry and the water vapor will escape into space. In a billion years from now the Earth will be a very hot, dry and uninhabitable ball."
Finally, between the next thousand years or so that Hawking says it will take man to make the planet uninhabitable and the billion years it will take for the sun to turn our planet into an arid wasteland, there is always the chance that a nearby supernova, an asteroid, or a quick and painless black hole could do us in.

Takeaway
One way or another, the life on Earth will likely become uninhabitable for mankind in the future. We need to start seriously thinking about how we will free ourselves from the constraints of this dying planet.  

Why We Should Reject This Idea

Despite what Hawking describes as humankind's "selfish and aggressive instinct," there may be some biological impediments to finding another planet to inhabit.
"The nearest star [to Earth] is Proxima Centauri which is 4.2 light years away," says University of Michigan astrophysicist Katherine Freese, "That means that, if you were traveling at the speed of light the whole time, it would take 4.2 years to get there."
Unfortunately, at the moment we can only travel at about ten thousandth of light speed, which means if man were to use chemical fuel rockets similar to the those used during the Apollo mission to the moon, the journey would take about 50,000 years. Without the use of a science-fiction-like warp drive or cryogenic freezing technology, no human would live long enough to survive the journey. In addition, "the radiation you would encounter alone would kill you, even if you could get a rocket to go anywhere near that fast," says Freese.
On the upside, if man ever develops the technology to travel at the speed of light while remaining shielded from cosmic radiation, he could effectively travel into the future. "A five year trip at light speed could push an astronaut forward by 1000 earth years," says Freese, "If he wanted to see if any humans were still around by then."

More Resources:
— Stephen Hawking's homepage.
— Dr. Katherine Freese's homepage.

Source: http://bigthink.com

LAS VEGAS, NEVADA -- DEFCON 2010 -- With the help of the cloud, taking down small and midsize companies' networks is easy, two consultants told attendees here last week.

With a credit card and e-mail address, security consultants David Bryan of Trustwave and Michael Anderson of NetSPI created a handful of virtual server instances on Amazon's EC2 and used a homemade program to attack the network of a client -- a small business that wanted its connectivity tested.

With only three servers -- although they eventually scaled up to 10 -- the consultants took the company off the Internet. The price? Six dollars.

"A threat agent could potentially run extortion schemes against a company by attacking for a couple of hours -- and then telling the company that, if you don't pay me, then I will attack you again," Bryan said.

It's surprising how easy it is to block a company's lifeblood connection to the Internet, the consultants said. To set up an account on Amazon EC2, there are no special bandwidth agreements or detection of servers taking malicious actions, they claimed. Moreover, complaints to Amazon by the client apparently went unanswered.

"We never got a response from Amazon," Anderson said. "We haven't gotten a call; we never got an email."

Amazon could not comment on the consultants' specific claims, but stressed that the company does have a rigorous response process.

"We do have a process for both detecting and responding to reports of abuse," Amazon spokeswoman Kay Kinton said in an email response. "We take all claims of misuse of our services very seriously and investigate each one. When we find misuse, we take action quickly and shut it down."

Small and midsize businesses should focus on basic strategies to defend themselves against cloud-based denial-of-service attacks, experts say. While cloud services are a new way to deliver attacks, the steps needed to defend a business' network and keep it connected are no different than those used to defend against run-of-the-mill packet floods.

First, employees responsible for a business's IT should have a DoS mitigation strategy and test it. An example of how not to do it: The target of the consultants' attack, a small financial institution, had defensive hardware in place, but had the threshold bandwidth set way too high. The attack failed to trigger defensive measures, but the bandwidth was still enough to take down the network, Bryan said.

"You have to make sure to tune your defenses," he said.

Clear responsibilities in the event of an attack are also key, the consultants said. Once attacked, the client's employees became angry with each other and debated who was responsible for responding.

"In the event of an attack or incident, you cannot be adversarial," Bryan said. "Information sharing is key."

Most cybercriminals use botnets to conduct denial-of-service attacks on their targets. Many botnets can be rented, or a subset of machines leased, essentially giving would-be attackers a criminal "cloud" from which to buy services.

But renting server time from a legitimate cloud service is cheaper and can be more effective, according to Bryan and Anderson. Because the traffic comes from Amazon's Internet space, it can be harder to filter. And scaling the attack up is as easy as instantiating a new virtual server. Moreover, many cloud services -- especially infrastructure-as-a-service clouds -- appear to respond slowly to abuse.

"It's essentially a town without a sheriff," Bryan said.

Amazon refuted those assertions, saying that dealing with attacking servers is much easier since it can identify them and shut them down.

"One thing I'd point out is that abusers who choose to run their software in an environment like Amazon EC2 make it easier for us to access and disable their software," Amazon's Kinton says. "This is a significant improvement over the Internet as a whole, where abusive hosts can be inaccessible and run unabated for long periods of time."

The two consultants created a prototype attack tool, called Thunder Clap, that uses cloud-based services to send a flood of packets toward the target company's network. The software can be controlled directly or through a command left on a social network, the researchers said.

The consultants recommended that providers that offer easy-to-configure cloud services -- Amazon, Google, Microsoft and Rackspace -- should be more responsive to complaints and more aware of the attack potential of their networks.

"If we complain loudly enough, maybe they will become more responsive," Anderson said.

Source: http://www.darkreading.com

At the DEFCON hacking conference, which ended yesterday, IT security researchers Nicholas Percoco and Christian Papathanasiou demonstrated what they claim is the first rootkit for Android. Their aim was to show how slight the obstacles to the development of a such a rootkit are and how powerful the result can be. Android is Linux-based and desktop Linux rootkits are nothing out of the ordinary. The demo rootkit, dubbed "Mindtrick", is a Loadable Kernel Module (LKM) and can conceal itself from other processes. The demo was included in a DVD given to DEFCON delegates.

The rootkit can gain access to Android devices, either through using unpatched vulnerabilities, or by pretending to be a legitimate app. Two other researchers recently showed that it's possible to spread infected apps to thousands of devices. Once installed, the rootkit is activated by calling the infected mobile from a specific number. It then establishes a connection to the attacker's computer, which allows the phone to be controlled remotely. As the researchers demonstrated in their talk, this gives the attacker access to the Android phone's SQLite database, allowing them to view, for example, a victim's texts or contacts.

It's also possible to remotely read the device's current GPS coordinates and to make outgoing calls without this being shown on the display. Criminals could make use of the latter by running up costs for expensive sex lines which they in turn operate. According to the researchers, current anti-virus software for Android does not (yet) detect the rootkit.

It is not clear whether Google would be able to disarm such a module using its remote delete function – the deletion process applies to the application level, not the kernel level. According to Percoco, the easiest way to protect against infection via a Loadable Kernel Module would be for smartphone makers to only allow modules digitally signed by the maker. The HTC device used for the demonstration clearly doesn't have this kind of check.

See also:

• Google uses remote delete to remove Android apps from smartphones

Source: http://www.h-online.com

Edwin Perello discovered that Bing, the Microsoft search engine, could find addresses in his rural Indiana town when Google could not. Laura Michelson, an administrative assistant in San Francisco, was lured by Bing’s flight fare tracker. Paul Callan, a photography buff in Chicago, fell for Bing’s vivid background images.

Like most Americans, they still use Google as their main search tool. But more often, they find themselves navigating to Microsoft’s year-old Bing for certain tasks, and sometimes they stay a while.

“I was a Google user before, but the more I used Bing the more I liked it,” Mr. Callan said. “It’s more like muscle memory takes me to Google.”

Bing still handles a small slice of Web searches in the United States, 12.7 percent in June, compared with Google’s 62.6 percent, as measured by comScore, the Web analytics firm. But Bing’s share has been growing, as has Yahoo’s, while Google’s has been shrinking.

And while no one argues that Google’s dominance is in immediate jeopardy, Google is watching Microsoft closely, mimicking some of Bing’s innovations — like its travel search engine, its ability to tie more tools to social networking sites and its image search — or buying start-ups to help it do so in the future.

Google has even taken on some of Bing’s distinctive look, like giving people the option of a Bing-like colorful background, and the placement of navigation tools on the left-hand side of the page.

When Microsoft introduced it last year, Bing made a splash with its vivid background images.
In June, Google presented searchers the option of a colorful background rather than the stark, white page.

The result is a renaissance in search, resulting in more sophisticated tools for consumers who want richer answers to complex questions than the standard litany of blue links.

The competition is a remarkable and surprising twist: Microsoft, knocked around for so long as a bumbling laggard, has given the innovative upstart Google a kick in the pants. As the search engines introduce feature after competing feature, some analysts say they have set off an arms race, with the companies poised to spend whatever it takes to win the second phase of Web search.

“There is a cold war going on,” said Sandeep Aggarwal, senior Internet and software analyst at Caris & Company, who watches both companies. “Clearly, you can see how Bing’s competition is forcing Google to try and catch up in some places.”

Google officials agree there is more competition, but say they are not simply reacting to the younger search engine.

Google’s new features have not been in response to Bing, said Marissa Mayer, the company’s vice president for search products and user experience. “A lot of these things have been in the works for a long time,” she said. “Left-hand navigation we worked on for almost two years. We wanted to make sure we had it exactly right.”

Microsoft’s gains are far from staggering. Its share of searches has grown to 12.7 percent, from 8 percent, since Bing was introduced in May 2009, and Yahoo, which has a search deal with Microsoft, still handles a larger share of searches than Bing. And in the newest search frontier, mobile devices, Google has even more market share than on the Web at large.

Still, Bing’s gains have impressed analysts, who have watched Google fend off repeated assaults on its lucrative search and ad business, which accounts for some 95 percent of its revenue.

Building a more comprehensive, faster and more accurate search engine than Google is a daunting challenge, and a long list of big companies and start-ups have failed in their attempts. Microsoft endured plenty of ribbing as it spent years building and then scrapping search systems meant to help it compete against Google. But it kept experimenting until it found a way.

Microsoft has spent billions of dollars building the computing centers needed to power search and advertising systems and acquiring start-ups with niche expertise. In addition, it has thrown money at consumers, through cash-back programs on purchases, and at partners willing to promote Bing ahead of Google. Over the last year, Microsoft’s online services division lost $2.36 billion on revenue of $2.2 billion.

With Bing, Microsoft has tried to attract people like Mr. Callan by excelling at answering frequently asked questions, like those related to travel, health, shopping, entertainment and local businesses. For example, Bing has flight search and prediction tools that reveal price fluctuations for certain routes, and advises customers whether to buy or wait. Bing Health uses data from sources like the Mayo Clinic and Healthwise.

The hope is that “somebody would come back just for that and then, down the line, they would do other types of searches, too,” said Danny Sullivan, a longtime industry analyst and editor in chief of the blog Search Engine Land.

People do not always want to click on links and dig through pages to hunt out information, so when Bing started in May 2009, it pulled relevant information and stuck it on the top and left-hand side of the results pages. Search “Angelina Jolie,” for instance, and see a slide show and a list of her movies on top and related links on the side.

“We said, ‘Let’s change the entire way we lay out pages,’ ” said Yusuf Mehdi, a senior vice president for Microsoft’s online audiences business. “We will not be shackled by blue links.”

Google, meanwhile, has quietly introduced its own new features that have in several instances looked a lot like Bing’s.

For example, in May, it too added the left-hand navigation tools — though Ms. Mayer of Google pointed out that many of the tools had already been available, just not easily visible from the search page.

“Certainly there’s been increased competition in the space,” Ms. Mayer said of Bing. “When there’s more competition, everyone’s search gets better, that serves the users a lot better.”

Bing’s travel tool uses technology from Farecast, which Microsoft bought in early 2008. In July, Google announced plans to acquire ITA Software for $700 million; ITA makes the same comparison shopping software for flights that Bing’s Farecast uses.

Then there is the look of the main search pages for each site. Microsoft has argued that the vivid images ever-present behind the Bing search box have helped its appeal; young people and women have shown a particular fondness for Bing. In June, Google offered people the option to have a colorful background image like the Golden Gate Bridge on its main search page rather than the stark, white page that helped make Google famous.

Google has also played catch-up to Microsoft in offering ways to search for and digest more images in one go, and has trailed in adding some tie-ins to social networking sites.

“Google’s new innovations have come at a slower pace,” Mr. Aggarwal said. “There was no one challenging Google until Microsoft decided it was a business they would not give up.”

Still, Mr. Sullivan and other analysts also say Google has been making many significant but subtle behind-the-scenes changes that make it better at responding to obscure and complex queries. Google made 500 tweaks to its secret search algorithm last year and introduced personalized search, which customizes results based on what users frequently click on.

Google executives often chide Microsoft that it overengineers software like Office and bombards people with needless features. But now Google has swapped its clean, simple approach to search in favor of a feature war with Microsoft.

“Google seems to do things because Bing has done something,” Mr. Sullivan said. “It’s a kind of knee-jerk thing — we have to do this product now because we don’t want people to think we’re weak.”

Source: http://www.nytimes.com

Network World - LAS VEGAS -- Once thought to be unhackable, the Android phone is anything but, according to researchers presenting at Black Hat 2010.

FBI details worst social networking cyber crime problemsNot only has malicious software cloaked in a wallpaper application stolen personal information from infected phones and sent it to a Web site in China, but researchers from Lookout Mobile Security have found a way to take the phones over completely - including top-of-the-line models hawked by major wireless carriers.

In one presentation, Lookout's CEO John Herring said the Jackeey Wallpaper app, which has been downloaded millions of times, can gather passwords, browser history, the subscriber ID and SIM card numbers and text messages.

In a separate presentation, researchers said top-of-the-line Android phones used by Sprint and Verizon can be taken over completely by attacking known flaws in the Linux operating system that underpins Android, researchers reported at Black Hat 2010. "It gives you root control, and you can do anything you want to do" with the phone, says Anthony Lineberry, a researcher for Lookout Mobile Security.

The company says Android's reputation for security may be exaggerated. "It survived the recent pwn2own slay fest unscathed, but this does not mean it is safe by any means," the company said in describing Lineberry's talk.

The best way to distribute malware that could exploit the flaw - known as CVE-2009 1185 - is via Android applications that customers might acquire free or buy from the Android Market. Installing the booby-trapped application would give root control of the device, Lineberry says. "Root is kind of God mode in the context of Linux. Once you have that, you have pretty much any system privilege."

CVE-2009 1185 has been known for more than a year and can be patched, but so far the carriers have not issued patches, Lineberry says. The root-control exploit has been successfully carried out in Lookout labs on EVO 4G (Sprint), Droid X (Verizon), and Droid Incredible (Verizon) as well as older models G1 and Hero, he says.

But root control is unnecessary in order to carry out the type of attack executed by Jackeey Wallpaper, according to another Lookout researcher, Tim Wyatt. Applications require permissions in order to access features of the phone, and these permissions can be exploited. So, for instance, an application that tells the customer the nearest Chinese restaurant would need access to the phones GPS capabilities.

When selling applications, developers must list all the permissions the application requires to work, and the customer must sign off on allowing those permissions. An application that sorts SMS messages but requires Internet access may seem suspicious, and customers might bail out of buying the application.

But some permissions sound innocuous, Wyatt says. Customers might not know what the permission "Import Android log" means, but approve an application that requires it because the name of the permission doesn't sound threatening. But the logs can reveal browsing histories, passwords, phone numbers and a wealth of other data, he says.

Malicious applications with Internet permissions can be crafted to send the data in the background or display innocuous Web sites to mask where the data is being sent, Wyatt says.

The best course for users is to beware the applications they buy and if they are suspicious, not to download the apps, Lineberry says.

Lookout has carried out a study it calls the App Genome project that examined Android and iPhone applications for what permissions they have and what malicious activity they might carry out with the set of permissions they have. An application might use the permissions legitimately, but in the hands of a hacker could cause mischief, the company says.

Part of the permission system in Android allows applications to tap each other's resources, so an application without permission to access the Internet might have access to an application that does and so use the Internet anyway, the researchers say.

Source: www.computerworld.com

Yahoo Inc. engineers began testing keywords in Microsoft Corp.'s search advertising system for the first time last week, a key step toward implementing a comprehensive search agreement the two companies hope will reshape the industry.

The so-called "shadow tests" replicate how keywords will perform when Yahoo's advertisers are plugged into Microsoft's adCenter system, which will soon power the paid search businesses of both companies. The test results will help determine whether Yahoo and Microsoft can flip the switch on their unusual partnership this fall, as they hope.

"The next couple of weeks are going to be critical," said David Karnstedt, who runs search engine marketer Efficient Frontier.

The tests, which come almost one year after the alliance was announced, are part of a meticulously planned blueprint that Yahoo and Microsoft hope will position them as an effective counterweight to industry leader Google Inc.

Though the partners will have less than a third of the $12.4 billion U.S. search market, they want to achieve enough scale to generate better returns for advertising clients, more revenue for themselves and greater profits for investors.

Microsoft hopes the 10-year revenue-sharing pact will help turn its ailing online services division into a profitable business. Yahoo says the agreement will enable it to cut costs, focus on display advertising and deliver search results in more innovative ways.

Microsoft's Bing search engine will power searches on Yahoo Web sites. The two companies' small and midsize advertisers will use Microsoft's adCenter paid search platform to buy keywords and put ads on Web pages. Yahoo's sales staff will handle the largest advertising accounts for both companies.

While Yahoo is free to choose any partner for mobile search and search advertising, the company said it will rely on Microsoft in the U.S., Canada, the U.K. and France. Yahoo said the shift in each market is expected to coincide with the desktop migration schedule and it may soon add other markets.

For the past two months, Yahoo and Microsoft have been shadow-testing the algorithmic search technologies that generate the non-paid search results on their Web pages, according to Mark Morrissey, who runs Yahoo's integration team.

The project remains on schedule as engineers eliminate bugs in the system, he said. They aim to gradually increase the volume of Yahoo traffic that passes through Bing, eventually fabricating imaginary queries so they can stress-test the system beyond full capacity.

"The most challenging time is when we get to 100%-130% (of full capacity) because it tests not only the functionality, but the limits of the infrastructure," Mr. Morrissey said.

Shifting Yahoo's advertisers to Microsoft's adCenter will be far more complicated. Microsoft must beef up adCenter to process four times the traffic it currently handles. Engineers also have been adding features from Yahoo's Panama search advertising system that weren't in adCenter, such as giving advertisers more control over where their ads appear.

Key questions remain. The most critical is whether the alliance will generate better returns for advertisers, as well as more revenue per search for the companies.

Second-quarter data from Efficient Frontier shows Microsoft's advertisers get an average return on investment that is 21% higher than Google--the industry standard--while Yahoo returns 25% less than Google. Advertisers focus on ROI because it enables them to measure the performance of search ads against the overall cost of such campaigns.

Chris Lien, who runs search marketer Marin Software Inc., said Yahoo's relatively low ROI might simply cancel out Microsoft's, reducing the combined platform's appeal to advertisers.

Still, Yahoo and Microsoft aim to make the transition in the U.S. and Canada by Oct. 15, giving advertisers, ad agencies and search-engine marketers enough time to switch over before the crucial holiday shopping season. Mr. Morrissey said the two companies have hit every major milestone on schedule. But they won't flip the switch until they are comfortable the combined market place can deliver adequate ROI for advertisers.

Source: http://online.wsj.com

When the Conficker computer “worm” was unleashed on the world in November 2008, cyber-security experts didn’t know what to make of it. It infiltrated millions of computers around the globe. It constantly checks in with its unknown creators. It uses an encryption code so sophisticated that only a very few people could have deployed it. For the first time ever, the cyber-security elites of the world have joined forces in a high-tech game of cops and robbers, trying to find Conficker’s creators and defeat them. The cops are failing. And now the worm lies there, waiting …

By Mark Bowden

Image credit: Alex Ostroy

The first surprising thing about the worm that landed in Philip Porras’s digital petri dish 18 months ago was how fast it grew.

He first spotted it on Thursday, November 20, 2008. Computer-security experts around the world who didn’t take notice of it that first day soon did. Porras is part of a loose community of high-level geeks who guard computer systems and monitor the health of the Internet by maintaining “honeypots,” unprotected computers irresistible to “malware,” or malicious software. A honeypot is either a real computer or a virtual one within a larger computer designed to snare malware. There are also “honeynets,” which are networks of honeypots. A worm is a cunningly efficient little packet of data in computer code, designed to slip inside a computer and set up shop without attracting attention, and to do what this one was so good at: replicate itself.

Most of what honeypots snare is routine, the viral annoyances that have bedeviled computer-users everywhere for the past 15 years or so, illustrating the principle that any new tool, no matter how useful to humankind, will eventually be used for harm. Viruses are responsible for such things as the spamming of your inbox with penis-enlargement come-ons or million-dollar investment opportunities in Nigeria. Some malware is designed to damage or destroy your computer, so once you get the infection, you quickly know it. More-sophisticated computer viruses, like the most successful biological viruses, and like this new worm, are designed for stealth. Only the most technically capable and vigilant computer-operators would ever notice that one had checked in.

Porras, who operates a large honeynet for SRI International in Menlo Park, California, noted the initial infection, and then an immediate reinfection. Then another and another and another. The worm, once nestled inside a computer, began automatically scanning for new computers to invade, so it spread exponentially. It exploited a flaw in Microsoft Windows, particularly Windows 2000, Windows XP, and Windows Server 2003—some of the most common operating systems in the world—so it readily found new hosts. As the volume increased, the rate of repeat infections in Porras’s honeynet accelerated. Within hours, duplicates of the worm were crowding in so rapidly that they began to push all the other malware, the ordinary daily fare, out of the way. If the typical inflow is like a stream from a faucet, this new strain seemed shot out of a fire hose. It came from computer addresses all over the world. Soon Porras began to hear from others in his field who were seeing the same thing. Given the instant and omnidirectional nature of the Internet, no one could tell where the worm had originated. Overnight, it was everywhere. And on closer inspection, it became clear that voracity was just the first of its remarkable traits.

Various labs assigned names to the worm. It was dubbed “Downadup” and “Kido,” but the name that stuck was “Conficker,” which it was given after it tried to contact a fake security Web site, trafficconverter.biz. Microsoft security programmers shuffled the letters and came up with Conficker, which stuck partly because ficker is German slang for “motherfucker,” and the worm was certainly that. At the same time that Conficker was spewing into honeypots, it was quietly slipping into personal computers worldwide—an estimated 500,000 in the first month.

Why? What was its purpose? What was it telling all those computers to do?

Imagine your computer to be a big spaceship, like the starship Enterprise on Star Trek. The ship is so complex and sophisticated that even an experienced commander like Captain James T. Kirk has only a general sense of how every facet of it works. From his wide swivel chair on the bridge, he can order it to fly, maneuver, and fight, but he cannot fully comprehend all its inner workings. The ship contains many complex, interrelated systems, each with its own function and history—systems for, say, guidance, maneuvers, power, air and water, communications, temperature control, weapons, defensive measures, etc. Each system has its own operator, performing routine maintenance, exchanging information, making fine adjustments, keeping it running or ready. When idling or cruising, the ship essentially runs itself without a word from Captain Kirk. It obeys when he issues a command, and then returns to its latent mode, busily doing its own thing until the next time it is needed.

Now imagine a clever invader, an enemy infiltrator, who does understand the inner workings of the ship. He knows it well enough to find a portal with a broken lock overlooked by the ship’s otherwise vigilant defenses—like, say, a flaw in Microsoft’s operating platform. So no one notices when he slips in. He trips no alarm, and then, to prevent another clever invader from exploiting the same weakness, he repairs the broken lock and seals the portal shut behind him. He improves the ship’s defenses. Ensconced securely inside, he silently sets himself up as the ship’s alternate commander. He enlists the various operating functions of the ship to do his bidding, careful to avoid tripping any alarms. Captain Kirk is still up on the bridge in his swivel chair with the magnificent instrument arrays, unaware that he now has a rival in the depths of his ship. The Enterprise continues to perform as it always has. Meanwhile, the invader begins surreptitiously communicating with his own distant commander, letting him know that he is in position and ready, waiting for instructions.

And now imagine a vast fleet, in which the Enterprise is only one ship among millions, all of them infiltrated in exactly the same way, each ship with its hidden pilot, ever alert to an outside command. In the real world, this infiltrated fleet is called a “botnet,” a network of infected, “robot” computers. The first job of a worm like Conficker is to infect and link together as many computers as possible—the phenomenon witnessed by Porras and other security geeks in their honeypots. Thousands of botnets exist, most of them relatively small—a few thousand or a few tens of thousands of infected computers. More than a billion computers are in use around the world, and by some estimates, a fourth of them have been surreptitiously linked to a botnet. But few botnets approach the size and menace of the one created by Conficker, which has stealthily linked between 6 million and 7 million computers.

Once created, botnets are valuable tools for criminal enterprise. Among other things, they can be used to efficiently distribute malware, to steal private information from otherwise secure Web sites or computers, to assist in fraudulent schemes, or to launch denial-of-service attacks—overwhelming a target computer with a flood of requests for response. The creator of an effective botnet, one with a wide range and the staying power to defeat security measures, can use it himself for one of the above scams, or he can sell or lease it to people who specialize in exploiting botnets. (Botnets can be bought or leased in underground markets online.)

Beyond criminal enterprise, botnets are also potentially dangerous weapons. If the right order were given, and all these computers worked together in one concerted effort, a botnet with that much computing power could crack many codes, break into and plunder just about any protected database in the world, and potentially hobble or even destroy almost any computer network, including those that make up a country’s vital modern infrastructure: systems that control banking, telephones, energy flow, air traffic, health-care information—even the Internet itself.

The key word there is could, because so far Conficker has done none of those things. It has been activated only once, to perform a relatively mundane spamming operation—enough to demonstrate that it is not benign. No one knows who created it. No one yet fully understands how it works. No one knows how to stop it or kill it. And no one even knows for sure why it exists.

If yours is one of the infected machines, you are like Captain Kirk, seemingly in full command of your ship, unaware that you have a hidden rival, or that you are part of this vast robot fleet. The worm inside your machine is not idle. It is stealthily running, issuing small maintenance commands, working to protect itself from being discovered and removed, biding its time, and periodically checking in with its command-and-control center. Conficker has taken over a large part of our digital world, and so far most people haven’t even noticed.

The struggle against this remarkable worm is a sort of chess match unfolding in the esoteric world of computer security. It pits the cleverest attackers in the world, the bad guys, against the cleverest defenders in the world, the good guys (who have been dubbed the “Conficker Cabal”). It has prompted the first truly concerted global effort to kill a computer virus, extraordinary feats of international cooperation, and the deployment of state-of-the-art decryption techniques—moves and countermoves at the highest level of programming. The good guys have gone to unprecedented lengths, and have had successes beyond anything they would have thought possible when they started. But a year and a half into the battle, here’s the bottom line:

The worm is winning.

A Digital Sam Spade

Twenty years ago, computers were bedeviled by hackers. These were savvy outlaws who used their deep knowledge of operating systems to invade, steal, and destroy, or sometimes just to tap into secure facilities and show off their skills. Hackers became heroes to a generation of teenagers, and had all sorts of motives, but their most distinctive trait was a tendency to show off.

Some had truly malicious intent. In his 1989 best seller, The Cuckoo’s Egg, Cliff Stoll told the story of his stubborn, virtually single-handed hunt for an elusive hacker in Germany who was using Stoll’s computer system at the Lawrence Berkeley National Laboratory as a portal to Defense Department computers. For many people, Stoll’s book was the introduction to the netherworld of rarefied gamesmanship that defines computer security. Stoll’s hacker never penetrated the most secret corners of the national-security net, and even relatively serious breaches like the one Stoll described were more nuisance than threat. But the individual hacker working as a spy or vandal has evolved into something more organized and menacing.

Andre’ M. DiMino, a computer sleuth who is part of the Conficker Cabal, is considered one of the world’s foremost authorities on botnets. He stumbled into his avocation on a Monday morning a decade ago, when he discovered that over the weekend, someone had broken into the computer system he was administering for a small company in New Jersey. DiMino has an undergraduate degree in electrical engineering with an emphasis in computer science, but he has mostly taught himself up to his present level of expertise, which is extreme. At 45, he is a slender, affable idealist who keeps a small array of computers in an upstairs bedroom. When I stopped by to talk to him, he baked me pizza. His day job is doing computer forensics for law enforcement in Bergen County, New Jersey, but he has a kind of alter ego as what he calls a “botnet hunter.”

Back when he discovered the weekend break-in, DiMino assumed at first that it was the work of a hacker, a vandal, or possibly a former employee, only to discover, based on an analysis of the IP (Internet Protocol) addresses of the incoming data, that his little computer network had been invaded by someone from Turkey or Ukraine. What would someone halfway around the planet want with the computer system of a small business-management firm in a New Jersey office park? Apparently, judging by what he found, his invader was in the business of selling pirated software, movies, and music. Needing large amounts of digital storage space to hide stolen inventory, the culprit seemed to have conducted an automated search over the Internet, looking worldwide for vulnerable systems with large amounts of unused disc space—DiMino equates it to walking around rattling doorknobs, looking for one door left unlocked. DiMino’s system fit the bill, so the crooks had dumped a huge bloc of data onto his discs. He erased the stash and locked the door that had allowed the pirates in. As far as the company was concerned, that solved the problem. No harm done. No need to call the police or investigate further.

But DiMino was intrigued. He reviewed the server logs for previous weeks and saw that this successful invasion was one of many such efforts. Other attackers had been rattling the doors of his network, looking for vulnerabilities. If there were bad guys actively exploiting other people’s computers all over the world, designing sophisticated programs to exploit weaknesses … how cool was that? And who was trying to stop them?

DiMino set about educating himself on the fine points of this obscure battle of wits. He eventually co-founded the Shadowserver Foundation, a nonprofit partnership of defense-minded geeks at war with malware, effectively transforming himself into a digital Sam Spade—indeed, the graphic atop Shadowserver’s home page features a Dashiell Hammett–style detective emerging from shadow.

Both sides in this cyberwar have become astonishingly sophisticated, operating at the cutting edge of programming theory and cryptography. Both understand the limits of security methodology, the one side working to broaden its reach, the other working to surpass it. Because malware has been automated, the good guys usually can only guess at who they are up against.

Trojans, Viruses, and Worms

Rodney Joffe heads the cabal that has been battling Conficker. He is a burly, garrulous South African–born American who serves as senior vice president and chief technologist for Neustar, a company that provides trunk-line service for competing cell-phone companies around the world. Joffe’s interest in stopping the worm did not stem just from his outrage and sense of justice. His concern for Neustar’s operation is professional, and illustrative.

The company runs a huge local-number-portability database. Almost every phone call in North America, before it’s completed, must ask Neustar where to go. Back in the old days, when the phone company was a monopoly, telecommunications were relatively simple. You could figure out where a phone call was going, right down to the building where the target phone would ring, just by looking at the number. Today we have competing telephone companies, and cell phones, and a person’s telephone number is no longer necessarily tied to a geographic location. In this more complex world, someone needs to keep track of every single phone number, and know where to route calls so they end up in the right place. Neustar performs this service for telephone calls, and is one of many registries that oversee high-level Internet domains. It is, in Joffe’s words, “the map.”

“If I disappear, there’s no map,” he says. “So if you take us down, whole countries can actually disappear from the grid. They’re connected, but no one can find their way there, because the map’s disappeared.”

A botnet like Conficker could theoretically be used to shut down Neustar’s system. So Joffe helped form the Conficker Cabal. He scoffed when he read in late 2009 that the Obama administration’s Department of Homeland Security planned to hire “a thousand” computer-security experts over the next three years. “There aren’t more than a few hundred people in the world who understand this stuff.”

Most of us use the word virus to describe all malware, but in geekspeak, it means something more specific. There are three types of the stuff: Trojans, viruses, and worms. A Trojan is a piece of software that works like a Trojan horse, masquerading as one thing to get inside a computer, and then attacking. A virus attacks the host computer after slipping in through a hole in its operating system. It depends on the computer-operator—you—doing something stupid to activate it, like opening an attachment to an e-mail that appears innocuous, or clicking on an enticing link. A worm works like a virus, exploiting flaws in operating systems, but it doesn’t attack once it breaks in. It generally doesn’t have a malicious payload. Exactly like the most-sophisticated viruses in the biological world, it does not cripple or kill its host. It is primarily designed to spread. The instructions that will put a worm like Conficker to work are not embedded in its code; they will be delivered later, from a remote command center.

In the old days, when your computer got infected, it slowed down because your commands had to compete for processing with viral invaders. You knew something was wrong because the machine took 10 times longer to boot up, or there was a delay between command and response. You began to get annoying pop-ups on your screen directing you to download supposedly remedial software. Programs would freeze. In this sense, the old malware was like the Ebola virus, a very scary strain that messily kills nearly everyone it infects—which is another way of saying that it is grossly ineffective, because it burns out the very host organisms it needs to survive. The miscreants who created computer viruses years ago learned that malware that announces itself in these ways doesn’t last.

So today’s malware produces no pop-ups, no slowdowns. A worm is especially quiet, since all it does, at least initially, is spread. Conficker stealthily sets up shop without making a ripple, and—other than calling home periodically for instructions—just waits. Its regular messages to its command center amount to only a couple hundred bytes of data, which is not enough to even light up the little bulb that flashes when a computer hard drive is at work.

After Phil Porras and others began snaring Conficker in increasing numbers, they began dissecting it. The worm itself was exquisite. It consisted of only a few hundred lines of code, no more than 35 kilobytes—slightly smaller than a 2,000-word document. In comparison, the average home computer today has anywhere from 40 to 200 gigabytes of storage. Unless you were looking for it, unless you knew how to look for it, you would never see it. Conficker drifts in like a mote.

It exploited a specific hole, Port 445, in the Microsoft operating systems, a vulnerability that the manufacturer had tried to repair just weeks earlier. Ports are designated “listening” points in a system, designed to transmit and receive particular kinds of data. There are many of them, more than 65,000, because an operating system consists of layer upon layer of functions. A firewall is a security program that guards these ports, controlling the flow of data in and out. Some ports, like the one that handles e-mail, are heavily trafficked. Most are not; they listen for updates and instructions that deal with a narrow and specific function, usually routine procedures that never rise to the notice of computer-users. Only certain very specific kinds of data can flow through ports, and then only with the appropriate codes. Windows opens Port 445 by default to perform tasks like issuing instructions for print-sharing or file-sharing. Late in the summer of 2008, Microsoft learned that even a system protected by a firewall was vulnerable at Port 445 if print-sharing and file-sharing were enabled (which they were on many computers). In other words, even a well-protected computer had a hole. On October 23, 2008, the company issued a rare “critical security bulletin” (MS08-067) with a patch to repair that hole. A specially crafted “remote procedure call” could allow the port to be used by a remote operator, the security bulletin warned, and “an attacker could exploit this vulnerability without authentication to run arbitrary code.” The patch Microsoft offered theoretically slammed the door on a worm like Conficker almost a month before it appeared.

Theoretically.

In fact, the bulletin itself may have inspired the creation of Conficker. Many, many computer-operators worldwide—you know who you are—fail to diligently heed security updates. And the patches are issued only to computers with validated software installations; millions of computers run on bootlegged operating systems, which have never been validated. Microsoft issues its updates on the second Tuesday of every month. Every geek in the world knows this; it’s called “Patch Tuesday.” The company employs some of the best programmers in the world to stay one step ahead of the bad guys. If everyone applied the new patches promptly, Windows would be nigh impregnable. But because so many people fail to apply the patches promptly, and because so many machines run on illegitimate Windows systems, Patch Tuesday has become part of Microsoft’s problem. The company points out its own vulnerabilities, which is like a general responsible for defending a fort making a public announcement—“The back door to the supply shed in the southeast corner of the garrison has a broken lock; here’s how to fix it.” When there is only one fort, and it is well policed, the lock is fixed and the vulnerability disappears. But when you are defending millions of forts, and a goodly number of the people responsible for their security snooze right through Patch Tuesday, the security bulletin doesn’t just invite attack, it provides a map! Twenty-eight days after the MS08-067 security bulletin appeared, Conficker started worming its way into unpatched computers.

The Cabal’s Sandboxes

Conficker’s rate of replication got everyone’s attention, so a loose-knit gaggle of geeky “good guys,” including Porras, Joffe, and DiMino, began picking the worm apart. The online-security community consists of software manufacturers like Microsoft, companies like Symantec that sell security packages to computer owners, large telecommunication registries like Neustar and VeriSign, nonprofit research centers like SRI International, and botnet hunters like Shadowserver. In addition to maintaining honeypots, these security experts operate “sandboxes”—isolated computers (or, again, virtual computers inside larger ones) where they can place a piece of malware, turn it on, and watch it run. In other words, where they can play with it.

They all started playing with Conficker, comparing notes on what they found, and brainstorming ways to defeat it. That’s when someone dubbed the group the “Conficker Cabal,” and the name stuck, despite discomfort with the darker implications of the word. Here are some of the things the cabal discovered about the worm in those first few weeks:

• It patched the hole it came through at Port 445, making sure it would not have to compete with other worms. This was smart, because surely other hackers had seen security bulletin MS08-067.
•It tried to prevent communication with security providers (many computer-users subscribe to commercial services that regularly update antivirus software).
•When it started, if the IP address of the infected computer was Ukrainian, the worm self-destructed. When in attack mode, searching for other computers to infect, it skipped any with a Ukrainian IP address.
•It disabled the Windows “system restore” points, a useful tool that allows users with little expertise to simply reset an infected machine to a date prior to its infection. (System restore is one of the easiest ways to debug a machine.)

All of these things were clever. They indicated that Conficker’s creator was up on all the latest tricks. But the main feature that intrigued the cabal was the way the worm called home. This is, of course, what worms designed to create botnets do. They settle in and periodically contact a command center to receive instructions. Botnet hunters like DiMino regularly wipe out whole malicious networks by deciphering the domain name of the command center and then getting it blocked. In the old days, this was easier because malware pointed to only a few IP addresses, which could be blocked by hosting providers and Internet service providers. The newer worms like Conficker bumped the game up to a higher level, generating domain names that involve many providers and a wide range of IP addresses, and that security experts can block only by contacting Internet registries—organizations that manage the domain registrations for their realm. But Conficker did not call home to a fixed address.

Shortly after it was discovered, the worm began performing a new operation: generating a list of domain names seemingly at random, 250 a day across five top-level domains (top-level domains are defined by the final letters in a Web address, such as .com or .edu or .uk). The worm would then go down the list until it hit upon the one connected to its remote controller’s server. All Conficker’s controller had to do was register one of the addresses, which can be done for a fee of about $10, and await the worm’s regular calls. If he wished, he could issue instructions. It was as if the boss of a crime family told his henchmen to check in daily by turning to the bottom of a certain page in each day’s Racing Form, where there would be a list of potential numbers. They would then call each number until the boss picked up. So it was not apparent from day to day where the worm would call home.

With the Racing Form trick, if you were a cop and were tipped off where to look, you might arrange with the paper’s publisher to see the page before it was printed, and thus be one step ahead of the henchmen and their boss. To defeat Conficker, the geeks would have to figure out in advance what the numbers (or, in this case, domain names) would be, and then hustle to either buy up or contact every one, block it, or cajole whoever owned it to cooperate before the worm “made the call.”

Michael Ligh, a young Brooklyn researcher employed by the computer-security company iDefense, is one of several people who went to work unraveling Conficker’s methods. Ligh and others had seen algorithms for random-domain-name generation before, and most were keyed to the infected computer’s clock. If new places to call home must be generated every day, or every few hours, then the worm needs to know when to perform the procedure. So the malware simply checks the time on its host computer. This provided the good guys with a tool to defeat it. They turned the clock forward on their sandbox computer, forcing their captured strain of the worm to spit out all the domain names it would generate for as long into the future as they cared to look. It was like stealing the teacher’s edition of a classroom textbook, the one with all the answers to the quizzes and tests printed in the back. Once you knew all the places the malware would be calling, you could cordon off those sites in advance, effectively stranding the worm.

Conficker had an answer for that. Instead of using the infected computer’s clock, the worm set its schedule by the time on popular corporate home pages, like Yahoo, Google, or Microsoft’s own msn.com.

“That was interesting,” Ligh said. “There was no way we could turn the clock forward on Google’s home page.”

So there was no easy way to predict the list of domain names in advance. But there was a way. The first step was to set up a proxy server to, in effect, intercept the time update from the big corporate Web site before it got back to the worm, alter the information, and then send it on. You could then tell the worm it was a date sometime in the future, and the worm would spit out the domain names for that date. This was a tedious way to proceed, since you could generate only one set of new domain names at a time. So Ligh and other researchers reverse-engineered the worm’s algorithm, extracted the time-update function, and wedded it to a piece of code they could control. They instructed their copy to generate the future lists in advance. They could then buy up or block all the sites, and direct all the worm’s communications into a “sinkhole,” a dead-end location where calls go unanswered. Conficker’s creators had deliberately made the task so onerous and expensive that no one would go to the trouble of blocking all possible command centers.

Or so they thought. The cabal, through a determined and unprecedented effort, did manage to cordon off the worm. By the end of 2008, Conficker had infected an estimated 1.5 million machines worldwide, but it was on its way to full containment. In the great chess match, the good guys had called “Check!”

Then the worm turned.

MD-6

On December 29, 2008, a new version of Conficker showed up, and if the geeks had been intrigued with the original version, they now experienced something more akin to respect … mingled with fear.

One of the early theories about the worm was that it had slipped out of a computer-science lab, the product of some fooling-around by a sophisticated graduate student or group of students. They had loosed it on the world inadvertently, or maybe on purpose as a prank or experiment without realizing how effective it would be. This hypothesis appealed to optimists.

The new version of the worm, Conficker B, exploded the benevolent-accident theory. It was clear that the worm’s creator had been watching every move the good guys made, and was adjusting accordingly. He didn’t care that the good guys could predict its upcoming lists of domain names. He just rejiggered the worm to spread the new lists out over eight top-level domains instead of five, making the job of blocking them far more difficult. The worm had no trouble contacting all of these locations. If it received no command from one, it simply tried the next one on its list. Conficker B could go on like this for months, even years. It had to find its controller only once to receive instructions.

“That’s a high number,” Rodney Joffe, of Neustar, told me. “The cops will get sick and tired of knocking on 250 doors a day and finding there’s no one there. And if I’m the chief bad guy, all I have to do is be behind one of those doors on one of those days.”

There were other improvements to Conficker. Among them: besides shutting down whatever security system was installed on the computer it invaded, and preventing it from communicating with computer-security Web sites, it stopped the computer from connecting with Microsoft to perform Windows updates. So even though Microsoft was providing patches, the infected machines could not get to them. In addition, it modified the computer’s bandwidth settings to increase speed and propagate itself faster; and it began to spread itself in different ways, including via USB drives. This last innovation meant that even “closed” computer networks, those with no connection to the Internet, were vulnerable, since users who cannot readily transmit files from point to point via the Web often store and transport them on small USB drives. If one of those USB drives, or a CD, was plugged into an infected computer, it could deliver the worm to an entire closed network.

All of this was impressive—but something else stopped researchers cold. Analysts with Conficker B isolated in their sandboxes could watch it regularly call home and receive a return message. The exchange was in code, and not just any code.

Breaking codes used to be the province of clever puzzle masters, who during World War II devised encryption and code-breaking methods so difficult that operators needed machines to do the work. Computers today can perform so many calculations so fast that, theoretically at least, no cipher is too difficult to crack. One simply applies what computer scientists call “brute force”: trying every possible combination systematically until the secret is revealed. The game is to make a cipher so difficult that the amount of computing power needed to break it renders the effort pointless—the “thief” would have to spend more to obtain the prize than the prize is worth. In his 1999 history of code-making and -breaking, The Code Book, Simon Singh wrote: “It is now routine to encrypt a message [so securely] that all the computers on the planet would need longer than the age of the universe to break the cipher.”

The basis for the highest-level modern ciphers is a public-key encryption method invented in 1977 by three researchers at MIT: Ron Rivest (the primary author), Adi Shamir, and Leonard Adleman. In the more than 30 years since it was devised, the method has been improved several times. The National Institute of Standards and Technology sets the Federal Information Processing Standard, which defines the cryptography algorithms that government agencies must use to protect communications. Because it is the most sophisticated oversight effort of its kind, the standard is determined by an international competition among the world’s top cryptologists, with the winning entry becoming by default the worldwide standard. The current highest-level standard is labeled SHA-2 (Secure Hash Algorithm–2). Both this and the first SHA standard are versions of Rivest’s method. The international competition to upgrade SHA-2 has been under way for several years and is tentatively scheduled to conclude in 2013, at which point the new standard will become SHA-3.

Rivest’s proposal for the new standard, MD-6 (Message Digest–6), was submitted in the fall of 2008, about a month before Conficker first appeared, and began undergoing rigorous peer review—the very small community of high-level cryptographers worldwide began testing it for flaws.

Needless to say, this is a very arcane game. The entries are comprehensible to very few people. According to Rodney Joffe, “Unless you’re a subject-matter expert actively involved in crypto-algorithms, you didn’t even know that MD-6 existed. It wasn’t like it was put in The New York Times.”

So when the new version of Conficker appeared, and its new method of encrypting its communication employed MD-6, Rivest’s proposal for SHA-3, the cabal’s collective mind was blown.

“It was clear that these guys were not your average high-school kids or hackers or predominantly lazy,” Joffe told me. “They were making use of some very, very sophisticated techniques.

“Not only are we not dealing with amateurs, we are possibly dealing with people who are superior to all of our skills in crypto,” he said. “If there’s a surgeon out there who’s the world’s foremost expert on treating retinitis pigmentosa, he doesn’t do bunions. The guy who is the world expert on bunions—and, let’s say, bunions on the third digit of Anglo-American males between the ages of 35 and 40, that are different than anything else—he doesn’t do surgery for retinitis pigmentosa. The knowledge it took to employ Rivest’s proposal for SHA-3 demonstrated a similarly high level of specialization. We found an equivalent of three or four of those in the code—different parts of it.

“Take Windows,” he explained. “The understanding of Windows’ operating system, and how it worked in the kernel, needed that kind of a domain expert, and they had that kind of ability there. And we realized as a community that we were not dealing with something normal. We’re dealing with one of two things: either we’re dealing with incredibly sophisticated cyber criminals, or we’re dealing with a group that was funded by a nation-state. Because this wasn’t the kind of team that you could just assemble by getting your five buddies who play Xbox 360 and saying, ‘Let’s all work together and see what we can do.’”

The plot thickened—it turned out that Rivest’s proposal, MD-6, had a flaw. Cryptologists in the competition had duly gone to work trying to crack the code, and one had succeeded. In early 2009, Rivest quietly withdrew his proposal, corrected it, and resubmitted it. This gave the cabal an opening. If the original Rivest proposal was flawed, then so was the encryption method for Conficker B. If they were able to eavesdrop on communications between Conficker and its mysterious controller, they might be able to figure out who he was, or who they were. How likely was it that the creator of Conficker would know about the flaw discovered in MD-6?

Once again, the good guys had the bad guys in check.

About six weeks later, another new version of the worm appeared.

It employed Rivest’s revised MD-6 proposal.

Game on.

“Our Finest Hour”

By early 2009, Conficker B had infected millions of machines. It had invaded the United Kingdom’s Defense Ministry. As CBS prepared a 60 Minutes segment on the worm, its computers were struck. In both instances, security experts scrambled to uproot the invader, badly disrupting normal functioning of the system. Conficker now had the world’s attention. In February 2009, the cabal became more formal. Headed initially by a Microsoft program manager, and eventually by Joffe, it became the Conficker Working Group. Microsoft offered a $250,000 bounty for the arrest and conviction of the worm’s creators.

The newly named team went to work trying to corral Conficker B. Getting rid of it was out of the question. Even though they could scrub it from an infected computer, there was no way they could scrub it from all infected computers. The millions of machines in the botnet were spread all over the world, and most users of infected ones didn’t even know it. It was theoretically feasible to unleash a counter-worm, something to surreptitiously enter computers and take out Conficker, but in free countries, privacy laws frown on invading people’s home computers. Even if all the governments got together to allow a massive attack on Conficker—an unlikely event—the new version of the worm had new ways of evading the threat.

Conficker C appeared in March 2009, and in addition to being impressed by its very snazzy crypto, the Conficker Working Group noticed that the new worm’s code threatened to up the number of domain names generated every day to 50,000. The new version would begin generating that many domain names daily on April 1. At the same time, all computers infected with the old variants of Conficker that could be reached would be updated with this new strain. The move suggested that the bad guys behind Conficker understood not just cryptology, but also the mostly volunteer nature of the cabal.

“You know you’re dealing with someone who not only knows how botnets work, but who understands how the security community works,” Andre’ DiMino told me. “This is not just a bunch of organized criminals that, say, commission someone to write a botnet for them. They know the challenges that the security community faces internally, politically, and economically, and are exploiting them as well.”

The bad guys knew, for instance, that preregistering even 250 domain names a day at $10 a pop was doable for the good guys. As long as the number remained relatively small, the cabal could stay ahead of them. But how could the good guys cope with a daily flood of 50,000? It would require an unprecedented degree of cooperation among competing security firms, software manufacturers, nonprofit organizations like Shadowserver, academics, and law enforcement.

“You can’t just register all 50,000—you’ve got to go one by one and make sure the domain name doesn’t already exist,” Joffe says. “And if it exists, you’ve got to make sure that it belongs to a good guy, not a bad guy. You’ve got to make a damn phone call for any of the new ones, and have to send someone out there to do it—and these are spread all over the world, including some very remote places, Third World countries. Now the bar had been raised to a level that was almost insurmountable.”

The worm was already running rings around the good guys, and then, just for good measure, it planted a pie in their faces on, of all days, April 1. By playing with the new variant in their sandboxes, the cabal knew that the enhanced domain-name-generating algorithm would click in on that day. If the update succeeded, it would be a game-changer. It was the most dramatic moment since Conficker had surfaced the previous November. Apparently, at long last, this extraordinary tool was going to be put to use. But for what? The potential was scary. Few people outside the upper echelon of computer security even understood what Conficker was, much less what was at stake on April 1, but word of a vague impending digital doomsday spread. The popular press got hold of it. There were headlines and the usual spate of ill-informed reports on cable TV and the Internet. When the day arrived, those who had been warning about the dangers of this new worm were sure to see their fears vindicated.

The cabal mounted a heroic effort to shut down the worm’s potential command centers in advance of the update, coordinating directly with the Internet Corporation for Assigned Names and Numbers, the organization that supervises registries worldwide. “It was our finest hour,” Joffe says.

“I don’t think that the bad guys could have expected the research community to come together as it did, because it was pretty unprecedented,” Ramses Martinez, director of information security for VeriSign, told me. “That was a new thing that happened. I mean, if you would have told me everybody’s going to come together—by everybody, I mean all these guys in this computer-security world that know each other—and they’re going to do this thing, I would have said, ‘You’re crazy.’ I don’t think the bad guys could have expected that.”

Much of the computer world was watching, in considerable suspense, to see what would happen on April 1. It was like the moment in a movie when the bad guy at last has cornered the hero. He pulls out an enormous gun and aims it at the hero’s head, pulls the trigger … and out pops a little flag with the word BANG!

Conficker found one or two domain names that Joffe’s group had missed, which was all it needed. The cabal’s efforts had succeeded in vastly reducing the number of machines that got the update, but the ones that did went to work distributing a very conventional, well-known malware called Waledac, which sends out e-mail spam selling a fake anti-spyware program. The worm was used to distribute Waledac for two weeks, and then stopped.

But something much more important had happened. The updated worm didn’t just up the ante by generating 50,000 domain names daily; it effectively moved the game out of the cabal’s reach.

“April 1 came and went, and in the middle of that night the systems switched over to the new algorithm,” Conficker C, Joffe told me. “That’s all that was supposed to happen, and it happened. But the Internet didn’t get infected; it was just an algorithm change in the software. So of course the press said, ‘Conficker is a bust.’”

Public concern over the worm fizzled, just as the problem grew worse: the new version of Conficker introduced peer-to-peer communications, which was disheartening to the good guys, to say the least. Peer-to-peer operations meant the worm no longer had to sneak in through Windows Port 445 or a USB drive; an infected computer spread the worm directly to every machine it interacted with. It also meant that Conficker no longer needed to call out to a command center for instructions; they could be distributed directly, computer to computer. And since the worm no longer needed to call home, there was no longer any way to tell how many computers were infected.

In the great chess match, the worm had just pronounced “Checkmate.”

Watching and Waiting

As of this writing, 17 months after it appeared and about a year after the April 1 update, Conficker has created a stable botnet. It consists of anywhere from hundreds of thousands of computers to 12 million. No one knows for sure anymore, because with peer-to-peer communications, the worm no longer needs to check in with an outside command center, which is how the good guys kept count. Joffe estimates that with the four distinct strains (yet another one appeared on April 8, 2009), 6.5 million computers are probably infected.

The investigators see no immediate chance or even any effective way to kill it.

“There are a bunch of infected machines that are out there, and they can be taken over, given the right circumstances, by the bad guys,” VeriSign’s Martinez says. “Will they do that? I don’t know. So it’s a potential threat. It’s something that’s out there, sitting there, and it needs to be addressed, but I don’t think, honestly, that we know how. How do we address this? If it was sitting in the U.S., it would be a fairly easy thing to do. The fact is that it’s spread out all around the world.”

Ever since the paltry Waledac scam, the worm has been biding its time.

“They are watching us watch them,” says Andre’ DiMino, the botnet hunter. “I think it’s really either that or somebody let this thing get bigger, and it’s advanced bigger and further than they ever dreamed possible. A lot of people think that. But in looking at the sophistication of this thing and looking at the evolution of this thing, I think they knew exactly what they were doing. I think they were trying something, and I think that they’re too smart to do what everybody figured they were going to do. You have to remember, the world was watching this thing and waiting for the world to end from Conficker on April 1, 2009. The last thing you’d want to do if you’re the bad guy is make something happen on April 1. You’re never going to do that, because everybody’s watching it. You’re going to do something when you’re least suspected. So these guys are sophisticated. They have good code. And just even seeing the evolution from Conficker A to B to C, where there’s the peer-to-peer component, which … strikes fear into the heart of botnet hunters because it’s just so damn difficult to track—these guys know exactly what they’re doing.”

So who are they?

One of the things Martinez’s team does, patrolling the perimeter at VeriSign looking for threats, is dip into the obscure digital forums where cyber criminals converse. Those who are engaged in writing sophisticated malware boast and threaten and compare notes. The good guys venture in to collect intelligence, or just out of curiosity, or for fun. They sometimes pretend to be malware creators themselves, sometimes not. Sometimes they engage in a little cyber trash talk.

“In the past you were just sort of making sure they didn’t steal your proprietary information,” Martinez says. “Now we go in to engage them. You talk to them and you exchange information. You have a guy in Russia selling malware, working with a guy in Mexico doing phishing attacks, who’s talking to a kid in Brazil, who’s doing credit-card fraud, and they’re introducing each other to some guy in China doing something else.”

Martinez said he recently eavesdropped on a dialogue between a security researcher and a man he suspects was at least partly responsible for Conficker. He wouldn’t say how he drew that connection, only that he had good reasons for believing it to be true. The suspect in the conversation was eastern European. The standard image of a malware creator is the Hollywood one: a brilliant 20-something with long hair and a bad attitude, in need of a bath. This is not how Martinez sees his nemesis—or nemeses.

“I see him, or them, as a really well-educated, smart businessman,” he said. “He may be 50 years old. These guys are not chumps. They’re not just out to make a buck.”

The eastern European, backpedaling from further dialogue with the security geek, wrote, “You’re the good guys; we’re the bad guys. Bacillus can’t live with antibodies.”

“Now, I didn’t grow up in a bad neighborhood or anything,” said Martinez, “but the few thugs that I saw would never use a word like bacillus or make an analogy like that.”

One of the early clues in the hunt was the peculiarity in the Conficker code that made computers with active Ukrainian keyboards immune. Much of the world’s aggressive malware comes from eastern Europe, where there are high levels of education and technical expertise, and also thriving organized criminal gangs. Martinez believes Conficker was written by a group of highly skilled programmers. Like Joffe, he sees it as a group of creators, because designing the worm required expertise in so many different disciplines. He suspects that these skilled programmers and technicians either were hired by a criminal gang, or created the worm as their own illicit business venture. If that’s true, then the Waledac maneuver was like flexing Conficker’s pinkie—just a demonstration, a way of showing that despite the best and most concerted effort of the world’s computer-security establishment, the worm was fully operational and under their control.

Will they be caught?

“I have no idea,” Martinez says. “I would say probably not. I’ll be shocked if they’re ever arrested. And arrest them for what? Is breaking into people’s computers even illegal where they’re from? Because in a lot of countries, it isn’t. As a matter of fact, in some countries, unless you’re touching a computer in their jurisdiction, their country, that’s not illegal. So who’s going to arrest them, even if we know who they are?”

Ridding computers of the worm poses another kind of overwhelming problem.

“There are controls, or checks and balances, in place to limit what police can do, because we have civil liberties to protect,” he says. “If you do away with these checks and balances, where the government can come in and reimage your computer overnight, now you’re infringing on people’s civil liberties. So, I mean, we can talk about this all day, but I’ll tell you, it’s going to be a long time, in my opinion, before we really see the government being able to effectively deal with cyber crime, because I think we’re still learning as a culture, as a nation, and as a world how to deal with this stuff. It’s too new.”

Imagining Conficker’s creators as a skilled group of illicit cyber entrepreneurs remains the prevailing theory. Some of the good guys feel that the worm will never be used again. They argue that it has become too notorious, too visible, to be useful. Its creators have learned how to whip computer-security systems worldwide, and will now use that knowledge to craft an even stealthier worm, and perhaps sell it to the highest bidder. Few believe Conficker itself is the work of any one nation, because other than the initial quirk of the Ukrainian-keyboard exemption, it spreads indiscriminately. China is the nation most often suspected in cyber attacks, but there may be more Conficker-infected computers in China than anywhere else. Besides, a nation seeking to create a botnet weapon is unlikely to create one as brazen as Conficker, which from the start has exhibited a thumb-in-your-eye, catch-me-if-you-can personality. It is hard to imagine Conficker’s creators not enjoying the high level of cyber gamesmanship. The good guys certainly have.

“It’s cops and robbers, so to speak, and that was a really interesting aspect of the work for me,” says Martinez. “It’s guys trying to outwit each other and exploit vulnerabilities in this vast network. “

In chess, when your opponent checkmates you, you have no recourse. You concede and shake the victor’s hand. In the real-world chess match over Conficker, the good guys have another recourse. They can, in effect, upend the board and go after the bad guys physically. Which is where things stand. The hunt for the mastermind (or masterminds) behind the worm is ongoing.

“It’s an active investigation,” Joffe says. “That’s all I can say. Law enforcement is fully engaged. We have some leads. This story is not over.”

This article available online at: http://www.theatlantic.com/magazine/archive/2010/06/the-enemy-within/8098/

The stats seem to support Steve Jobs' contention that Adobe's video format is fading fast

In the Thoughts on Flash essay that Steve Jobs posted last week, Apple's CEO took on Adobe's oft-repeated contention that Apple's (AAPL) mobile products — the iPhone, iPad and iPod touch — don't offer access to the "full Web" because they don't support Adobe's Flash format. 75% of the video on the Web, Adobe's supporters point out, is encoded in Flash.

"What they don't say," Jobs wrote, "is that almost all this video is also available in a more modern format, H.264" — which iPads and iPhones do support.

"Almost all" may be an exaggeration, but the chart above, posted Saturday by TechCrunch's Erick Schonfeld, suggests that the trends are headed Apple's way.

The chart was produced by Encoding.com, which does on-demand Web video encoding for a variety of clients, from MySpace to MTV Network. It encoded some 5 million videos last year, so it has a pretty good handle on which formats are up and which are down. Schonfeld explains:

As the chart shows, in the past four quarters, the H.264 format went from 31 percent of all videos to 66 percent, and is now the largest format by far. Meanwhile, Flash is represented by Flash VP6 and FLV, which combined represent only 26 percent of all videos. That is down from a combined total of 69 percent four quarters ago. So the native Flash codecs and H.264 have completely flipped in terms of market share (Flash also supports H.264, however, but you don’t need a Flash player to watch H.264 videos).

Once again, Apple may be skating not to where the puck is, but where it's going to be.

See also:

• Steve Jobs' Flash manifesto
• Has Steve Jobs gone mad?
• Why Is Steve Jobs Flash-obsessed?

Now that Microsoft has announced the availability of the public beta of Windows Home Server Codename Vail, I wanted to share an overview to benefit both those of you that will be installing the Beta as well as those that don’t plan to install the Beta but are curious about what Vail delivers.

Remember that this is a beta product with no announced final release date, so what we are seeing today may not be what the final product looks like. Also remember that if you choose to run the Vail beta, you should only do so on a test system and definitely do not store your production data on it.

Initial Thoughts
At first glance, Vail has a very similar feature set to Windows Home Server v1. The Home Server will back up your client PCs, you can easily add and remove hard drives to expand your storage, you can remotely access your files and computers from outside the home, and you can install Add-Ins to increase the functionality of your Home Server. While the basic features look and even feel similar to it’s predecessor, Vail has been polished, refined and improved in many ways, and delivers a few key new features that should provide a better experience for Windows Home Server users.

If you like the way Windows Home Server currently functions, I think you’ll be mostly pleased with the changes in Vail. However if you were hoping to see significant new features such as Media Center integration or the ability for Windows Home Server to be the only box that is always running on your home network, you’ll likely be disappointed. There are also a few key changes to Windows Home Server Vail that I think may be show-stopping issues for some of you. Please read on for all the details.

As a further reminder that this is a Beta release, Microsoft has an extensive list of Known Issues that I recommend you review before installing Vail.

Supported Client Operating Systems

The following home computer operating systems are supported by Windows Home Server Vail.

The Windows 7 Operating System

• Windows 7 Home Basic (x86 and x64)
• Windows 7 Home Premium (x86 and x64)
• Windows 7 Professional (x86 and x64)
• Windows 7 Ultimate (x86 and x64)
• Windows 7 Enterprise (x86 and x64)
• Windows 7 Starter (x86)

The Windows Vista Operating System

• Windows Vista Home Basic with Service Pack 2 (SP2) (x86 and x64)
• Windows Vista Home Premium with SP2 (x86 and x64)
• Windows Vista Business with SP2 (x86 and x64)
• Windows Vista Ultimate with SP2 (x86 and x64)
• Windows Vista Enterprise with SP2 (x86 and x64)
• Windows Vista Starter with SP2 (x86)

The Windows XP Operating System

• Windows XP Home with Service Pack 3 (SP3)
• Windows XP Professional with SP3
• Windows XP Media Center Edition 2005 with SP3

New and Improved Features
There are number of new and improved features in Windows Home Server Vail that I believe will make a large number of you happy. Here’s a summary of some of these changes, I talk about some of them more later in the article, you can read more in the Getting Started guide, and of course explore Vail after you’ve installed it.

First, the client PC backup feature has been made more robust and so we should see less errors and erratic failures that we are used to in Windows Home Server v1. They have also added a computer backup archive feature, so that you can save off the backup of a PC that you wish to retire and not have it count as one of the 10 connected PCs. Vail also borrows a cue from the popularity of my BDBB Add-In and has a “Backup the Backups” feature, just like you can back up the shared folders. This is a welcome change, but means I’ll have to find a new Add-In to work on for Vail.

The shared folder backups can now be scheduled, and also include the ability to back up and restore the entire Vail operating system, which was one of the most requested features.

Drive Extender has been extensively worked on and claims to have increased robustness and control. One of the issues we saw with v1 was that failed or failing hard drives could cause significant issues with Windows Home Server, often leaving the user with no idea of how to repair their server. Here are the listed changes from the Getting Started guide, I believe they are important enough to call out specifically here.

• Allows you to remove the system drive from the storage pool to help increase the speed of the OS
• Automatically detects and corrects many silent hard drive data errors
• Allows you to remove a drive without server down time
• Offers improved drive health monitoring and alerting
• Makes data for duplicated folders available when a drive is missing without requiring you to remove the missing drive first
• Supports 60GB hard drives or larger, and up to 10 drives can be a part of the server storage pool

I imagine that last bullet point has several of you with your jaws hanging open. This is the first I’ve heard of a 10 drive limit in Vail, and if it is true I believe this is a bad idea and will be feeding that back to Microsoft.

One other concern point I have is that while drives can be viewed and added to other Vail servers, due to the technical changes in Drive Extender there is currently no way to access your data on your server hard drives should you need to. The drives are no longer formatted with NTFS and so your data is “hidden” behind the abstraction of Drive Extender. I’m hopeful that Microsoft will be able to create a utility or driver that provides access to your files for when you need access without building a new server.

Another positive Drive Extender feature is that Previous Versions can be enabled in Vail, which is a nice improvement over v1. This allows you to keep historical versions of changed files on the server, in case of accidental or unintended changes. You will need to manually turn this feature on to use it, however, as it is disabled out of the box.

Finally, DLNA Streaming and “PlayTo” are now supported by Windows Home Server Vail which delivers an improved media streaming experience to the Xbox 360 and other media streaming devices in the home. Vail also provides HomeGroup support which is included in Windows 7 and simplifies the process of sharing files and printers on a home network.

Now we’ll take a look at what the new user interface looks like, and examine the Remote Access and streaming features of Windows Home Server Vail.

Client Installation and Setup
We have full guides on how to either manually or automatically install Vail onto your MediaSmart Server as well as your own server so be sure to check those articles to see what the installation process looks like.

After the installation completes you are ready to join your client PCs to your Vail server. This process is now completely web based instead of requiring a Client Install CD, which means you perform the installation and configuration simply by pointing your browser to http://servername/connect. This will download a small file to run on your computer that joins your PC with your Vail server.

In my case, I still had the Connector software from my Windows Home Server v1 installed on my client PC, which Vail detected and required me to uninstall. After uninstalling v1 I restarted the client install and proceeded through the steps.

Having the ability the add a description for your PC is a nice touch for identifying each PC that you join with your Home Server. As you can see I’ve stressed the importance of this particular PC.

The rest of the installation should be familiar to current Windows Home Server users. You can choose to wake the computer for backups, participate in the Microsoft feedback program, and then the actual join with the Home Server occurs.

At the end you are left with three shortcuts on your desktop and a system tray application giving you access to the Launchpad, Dashboard, and server notifications.

Client Launchpad
In addition to the system tray icon and Shared Folders desktop shortcut that was included in v1, Vail now includes a client Launchpad application. The Launchpad gives you access to the Home Server features running on the client PC, such as the ability to see Recent Backup status, Backup Now, and the Server Health Notifications. An interesting new item is the “Remote Access” item that launches a browser to your servers Remote Access URL, and will be handy running on your laptop when away from home.

Add-In developers are also able to add their own items to the Launchpad to extend the functionality of Windows Home Server.

Server Dashboard
The Server Console has been renamed in Vail to the Server Dashboard but should be familiar in layout to users of Windows Home Server v1. The Home tab has basic instructional information.

The Users tab allows you to add, edit, and view the users configured with your Vail server. The Add User feature allows for a little more fine-grained control of user permissions.

The Computers and Backup tab gives you access to the joined client PCs as well as the exciting new Server Backup features that allow you to backup up the Operating System of the server to protect against system drive failure, schedule automated server backups, and even backup the Client PC Backups (I guess they took a hint from the popularity of my WHS BDBB Add-In ). In the below screenshots I’ve attached a 1.5TB USB drive and designated it as a Server Backup drive, and am now configuring the server to back itself up.

The Storage tab allows you to add and remove drives as either Storage or Backup, as well as configure the shared folders. One noteworthy item is that the individual Users shares are no longer created by default. If these were valuable to you then you’ll have to manually create them yourself. In the first two shots you can see that Duplication is unavailable because I only have a single drive in the server.

A nice feature is the ability to name or add a label to your drive when you install it. You’ll likely want to use a more descriptive name than I did.

Another nice feature is that Vail now automatically enables duplication on your shared folders after additional drives are added.

The Add-Ins tab will give you access to any installed Add-Ins. We’ll see how long it takes for the community add-ins to begin showing up.

The Settings tab is simplified and my understanding is that Add-In developers will no longer be able to add their own settings tab. One area I’d like to see improved is the configuration for Media Streaming. Currently in Vail, streaming provides access to all media types in each share. This means that my music album art appears in the Photos stream, which is incredibly annoying. I mention this more in the Remote Access section later.

The Remote Access configuration has been improved so that you can choose to manually configure your Remote Access. This is useful if your router doesn’t support UPnP, or if you prefer to manually forward ports. You can also add your own custom images and links to the Remote Access pages.

Finally, the Alerts tab allows you to view the health status of your home server.

Remote Access Features
The Remote Access features have been significantly updated in Vail, and Microsoft has now built-in many of the features that differentiated the HP MediaSmart Server from other Home Server offerings. Your Media is now completely accessible from anywhere on the internet, thanks to the new Remote Media Streaming features.

The initial login is familiar with Windows Home Server v1, and provides access to the Server Console as well as Remote Desktop sessions to any PC that supports RDP and has it enabled. Unfortunately the ActiveX control that provides RDP access was out of date and required me to download a new version (and then reboot my PC) before I could utilize this feature. There is also access to upload and download files from the shared folders.

The music streaming is one of my favorite features, as I like to listen to music on my headphones while at work. The interface is very attractive, and usable even with relatively large libraries. I have over 7,000 tracks in more than 500 albums, and the browser was able to load the album art fairly quickly. Music streams started within a couple of seconds and there is little to no delay between track changes.

The user interface is very similar to the Windows 7 Media Center experience, with scrolling album covers in the background.

The Music Streaming experience is more attractive than the current offering from HP, however the “beta” state of Vail has shown itself and I am experiencing issues with playback where tracks randomly stop playing and skip to the next. I’ve not yet determined if specific files cause this or if it is a more common issue.

Video streaming is also included and features on-the-fly transcoding of files on the server. This means that when you start to stream a video over the web interface, your server will automatically convert it to a resolution and format that streams well. This does require some decent horsepower from your server’s CPU so if you plan on using this feature you may want to take that into consideration when deciding what hardware to use.

Streaming videos from my home has never been very important to me, I just don’t seem to have the interest or need to watch the videos stored on my home server while away from home. I did perform some testing, and unfortunately this feature also has some issues. My Recorded TV shows wouldn’t play (apparently unsupported file formats but they appear in the Remote Media display) and more importantly my home video 720p AVCHD files in MP4 container from my digital video camera wouldn’t play their normal widescreen aspect ratio and are instead squished which ruins the experience of watching the video. Interestingly enough the thumbnail image that is generated shows the correct widescreen aspect ratio. I also found that my test .mts files, which are another common digital video camera format, weren’t able to be played by the streamer even though the Getting Started guide claims to support them. The mkv files that are so popular for storing ripped movies are also not supported. Of course WMV files all worked great, including a sample 1080p version of Terminator 2 that have for testing.

In all cases the playback began quickly and the transcoding seems to work well. I did experience many lockups of Internet Explorer during my testing, while Chrome and Firefox seemed more robust.

One of the biggest frustrations for me is that all my media is mixed up (combined) when displayed by the Vail media streamer, meaning that my Album Art from my Music share is showing up in the Pictures stream. I find this to be quite annoying and it makes the Photo streaming feature pretty much useless. I’ll be advocating very strongly for more configuration options for media management in the shipping version of Vail.

The photo slideshow feature is pretty much what you’d expect and worked fine in my light testing. I’m not sure how useful this will be given that a Remote Access user account is required to access the photos.

Summary
There is a lot of excitement about what Windows Home Server Vail will deliver as a second generation operating system. Even though Windows Home Server v1 had it’s warts and issues, it is a popular product that serves us very well at protecting our data and making it accessible wherever we are. Vail improves on these features in many ways, however I have some significant concerns that I’m hoping our feedback as beta testers will convince Microsoft to make some changes.

Here is what I want to see changed in Vail as it exists today:

• Don’t restrict us to 10 hard drives. There’s no good reason to do this, especially on a “Premium” labeled SKU and when v1 supported 32 drives.
• Make Vail storage disks readable on non-Vail computers, just like they are in v1. This has been a much needed feature in the current version, people’s systems do fail and they need to feel confident that their data is safe
• Make the Media Streaming more configurable, I really hate having my album art mixed in with my photos.
• Keep improving the Remote Streaming experience. It’s fairly buggy right now, and I’d like to see improved media support for Recorded TV and other video containers such as the extremely popular MKV. There is also the need for real widescreen aspect ratio support as currently that doesn’t seem to work well for many files.

Finally, be sure to submit bugs on Connect, and make sure Microsoft hears what you think of Vail and how it is working for you. Post in the comments or the forums to share what you think about the new and changed features in Vail, as well as your experience when you run the Beta.

[via www.mediasmartserver.net]

The saga of Adobe and Apple or, more precisely, Flash app development for the iPhone, is drawing to its inevitable conclusion.

It all started with Apple’s change to its iPhone Developer Program License Agreement – the notorious article 3.3.1 – which banned the use of the Flash-to-iPhone converter. In the simplest of terms, the article makes it meaningless for developers to create Flash apps that target the iPhone because Apple can ban them at any time.

Now Mike Chambers, the principal product manager for developer relations for the Flash platform at Adobe, has put a full stop to the story from Adobe’s side. In a lengthy blog post, he calls for developers of Flash apps for smartphones to focus on Android and stop developing apps for the iPhone. He also announces Adobe’s intention to stop working on the Flash-to-iPhone converter.

“We will still be shipping the ability to target the iPhone and iPad in Flash CS5. However, we are not currently planning any additional investments in that feature,” Mike says. In the post, he also criticizes Apple’s treatment of developers. “If you want to develop for the iPhone you have to be prepared for Apple to reject or restrict your development at anytime, and for seemingly any reason,” he says.

So, that’s it for Flash apps on the iPhone. Apple may have won this round, but the wall around its garden just got a little bit taller.

[via mashable.com]

A hacker named Kirllos has a rare deal for anyone who wants to spam, steal or scam on Facebook: an unprecedented number of user accounts offered at rock-bottom prices.

Researchers at VeriSign's iDefense group recently spotted Kirllos selling Facebook user names and passwords in an underground hacker forum, but what really caught their attention was the volume of credentials he had for sale: 1.5 million accounts.

IDefense doesn't know if Kirllos' accounts are legitimate, and Facebook didn't respond to messages Thursday seeking comment. If they are legitimate, he has the account information of about one in every 300 Facebook users. His asking price varies from US$25 to $45 per 1,000 accounts, depending on the number of contacts each user has.

To date, Kirllos seems to have sold close to 700,000 accounts, according to VeriSign Director of Cyber Intelligence Rick Howard.

Hackers have been selling stolen social-networking credentials for a while -- VeriSign has seen a brisk trade in names and passwords for Russia's VKontakte, for example. But now the trend is to go after global targets such as Facebook, Howard said.

Facebook has more than 400 million users worldwide, many of whom fall victim to scams each day. In one such scam, criminals send out messages from a compromised account, telling friends that the account's owner is trapped in a foreign country and needs money to get home.

In another, they send Web links that lead to malicious software, telling friends that it's a hilarious or sensationalistic video.

"People will follow it because they believe it was a friend that told them to go to this link," said Randy Abrams, director of technical education with security vendor Eset. Once the malware gets installed, criminals can steal more passwords, break into bank accounts, or simply use the computers to send spam or launch distributed denial of service attacks. "There's just a plethora of things that people can do if they can trick people into installing their software," he said.

Kirllos' Facebook prices are extremely cheap compared to what others are charging. In its most recent Internet Security Threat Report, Symantec found that e-mail usernames and passwords typically went for between $1 to $20 per account -- Kirllos wants as little as $0.025 per Facebook account. More coveted credit card or bank account details can go for much more, ranging between $0.85 to $30 for credit card numbers to $15 to $850 for top-quality online bank accounts.

[via www.pcworld.com]

Hacker bietet 1,5 Millionen Facebook-Konten zum Verkauf

"Kirllos" bietet rund 1,5 Millionen Facebook-Zugangsdaten im Netz zum Verkauf an. Dabei sind die Preise überraschend billig: Für 1000 Konten fordert er zwischen 25 und 45 Dollar. 700.000 Accounts soll Kirllos bereits verscherbelt haben. Ein Ende ist nicht in Sicht.

Schon lange ist es kein Geheimnis mehr, dass soziale Netzwerke wie Facebook und StudiVZ Datenschützern und Verbraucherschützern ein Dorn im Auge sind. Die Skepsis ist nicht unbegründet, denn immer wieder kommt es zu überraschenden Datenlecks, die auf unklare Datenschutzbestimmungen und ein unverantwortliches Verhalten seitens der Nutzer zurückzuführen sind. Auch der neueste Fall lässt zahlreiche Netzaktivisten aufschrecken. Einem Bericht von "PC World" zufolge bietet der russischstämmige Hacker "Kirllos" rund 1,5 Millionen Zugangsdaten des sozialen Netzwerks Facebook zum Verkauf an. Mit Schleuderpreisen versucht der Hacker die Kunden auf seine Seite zu gewinnen. Für Datensätze von 1000 Konten verlangt er nur 25 bis 45 US-Dollar. 700.000 Accounts konnte "Kirllos" auf diese Weise bereits zu Geld machen.

Auf das Angebot des Hackers sei man erstmals in einem bekannten Hacker-Forum aufmerksam geworden. Schnell habe sich die Offerte von "Kirllos" in Kennerkreisen herumgesprochen, da die Preise ungewöhnlich niedrig waren. Während man in der Regel ein bis 20 US-Dollar pro Account einfordere, biete der russischstämmige Hacker die Accounts zu Schnäppchenpreisen an, heißt es. Mit durchschnittlich nicht einmal zwei Cent pro Account sei der Preis in diesem Fall überraschend günstig. Je nachdem, wie viele Freunde die jeweiligen Konten aufzuweisen haben, variiere der Preis der Datensätze. Für die Preisgestaltung sei auch die Aktivität des Nutzers von großer Bedeutung.
Welche Nutzer es getroffen hat, ist noch nicht bekannt. In Anbetracht der Tatsache, dass Facebook derzeit mehr als 400 Millionen Benutzer zählt und der Hacker "Kirllos" im Besitz von 1,5 Millionen Accounts ist, scheint das Ausmaß jedoch überwältigend. Sollten die Angaben stimmen, hätte der Hacker Zugang auf ungefähr jedes 267ste Konto.

[via www.gulli.com]

Email

• 90 trillion – The number of emails sent on the Internet in 2009.
• 247 billion – Average number of email messages per day.
• 1.4 billion – The number of email users worldwide.
• 100 million – New email users since the year before.
• 81% – The percentage of emails that were spam.
• 92% – Peak spam levels late in the year.
• 24% – Increase in spam since last year.
• 200 billion – The number of spam emails per day (assuming 81% are spam).

Websites

• 234 million – The number of websites as of December 2009.
• 47 million – Added websites in 2009.

Web servers

• 13.9% – The growth of Apache websites in 2009.
• -22.1% – The growth of IIS websites in 2009.
• 35.0% – The growth of Google GFE websites in 2009.
• 384.4% – The growth of Nginx websites in 2009.
• -72.4% – The growth of Lighttpd websites in 2009.

Domain names

• 81.8 million – .COM domain names at the end of 2009.
• 12.3 million – .NET domain names at the end of 2009.
• 7.8 million – .ORG domain names at the end of 2009.
• 76.3 million – The number of country code top-level domains (e.g. .CN, .UK, .DE, etc.).
• 187 million – The number of domain names across all top-level domains (October 2009).
• 8% – The increase in domain names since the year before.

Internet users

• 1.73 billion – Internet users worldwide (September 2009).
• 18% – Increase in Internet users since the previous year.
• 738,257,230 – Internet users in Asia.
• 418,029,796 – Internet users in Europe.
• 252,908,000 – Internet users in North America.
• 179,031,479 – Internet users in Latin America / Caribbean.
• 67,371,700 – Internet users in Africa.
• 57,425,046 – Internet users in the Middle East.
• 20,970,490 – Internet users in Oceania / Australia.

Social media

• 126 million – The number of blogs on the Internet (as tracked by BlogPulse).
• 84% – Percent of social network sites with more women than men.
• 27.3 million – Number of tweets on Twitter per day (November, 2009)
• 57% – Percentage of Twitter’s user base located in the United States.
• 4.25 million – People following @aplusk (Ashton Kutcher, Twitter’s most followed user).
• 350 million – People on Facebook.
• 50% – Percentage of Facebook users that log in every day.
• 500,000 – The number of active Facebook applications.

Images

• 4 billion – Photos hosted by Flickr (October 2009).
• 2.5 billion – Photos uploaded each month to Facebook.
• 30 billion – At the current rate, the number of photos uploaded to Facebook per year.

Videos

• 1 billion – The total number of videos YouTube serves in one day.
• 12.2 billion – Videos viewed per month on YouTube in the US (November 2009).
• 924 million – Videos viewed per month on Hulu in the US (November 2009).
• 182 – The number of online videos the average Internet user watches in a month (USA).
• 82% – Percentage of Internet users that view videos online (USA).
• 39.4% – YouTube online video market share (USA).
• 81.9% – Percentage of embedded videos on blogs that are YouTube videos.

Web browsers

Malicious software

• 148,000 – New zombie computers created per day (used in botnets for sending spam, etc.)
• 2.6 million – Amount of malicious code threats at the start of 2009 (viruses, trojans, etc.)
• 921,143 – The number of new malicious code signatures added by Symantec in Q4 2009.

Data sources: Website and web server stats from Netcraft. Domain name stats from Verisign and Webhosting.info. Internet user stats from Internet World Stats. Web browser stats from Net Applications. Email stats from Radicati Group. Spam stats from McAfee. Malware stats from Symantec (and here) and McAfee. Online video stats from Comscore, Sysomos and YouTube. Photo stats from Flickr and Facebook. Social media stats from BlogPulse, Pingdom (here and here), Twittercounter, Facebook and GigaOm.

Don’t hold your breath waiting for the iPhone to support Adobe’s Flash software: Apple’s terms-of-service agreement prohibits it.

Although Adobe says it is working on a version of its popular Flash player for the iPhone, Apple is unlikely ever to permit it to appear in the handset’s App Store, no matter how much customers want it.

“I’m pretty skeptical that Flash could be implemented in a way that doesn’t violate the Terms of Service of the developer’s agreement,” said Bart Decrem, CEO of Tapulous, developer of the popular Tap Tap Revenge iPhone game.

Flash is Adobe’s highly popular platform for displaying interactive graphics, animations and multimedia within a browser. According to Adobe, 98 percent of desktop computers currently support Flash, which has led to its widespread use by web developers. Adobe’s recent announcement that it is working on a version of Flash for Windows Mobile has prompted speculation that an iPhone version might be coming soon. But the speculators may be waiting in vain, based on Apple’s TOS and the company’s history of tightly controlling applications for its smartphone platform.

Allowing Flash — which is a development platform of its own — would just be too dangerous for Apple, a company that enjoys exerting total dominance over its hardware and the software that runs on it. Flash has evolved from being a mere animation player into a multimedia platform capable of running applications of its own. That means Flash would open a new door for application developers to get their software onto the iPhone: Just code them in Flash and put them on a web page. In so doing, Flash would divert business from the App Store, as well as enable publishers to distribute music, videos and movies that could compete with the iTunes Store.

Apple’s well aware of these problems, which is why the company wrote a clause in its iPhone developers’ Terms of Service agreement (.pdf) that prohibits Flash from appearing on the iPhone:

“An Application may not itself install or launch other executable code by any means, including without limitation through the use of a plug-in architecture, calling other frameworks, other APIs or otherwise,” reads clause 3.3.2 of the iPhone SDK agreement, which was recently published on WikiLeaks. “No interpreted code may be downloaded and used in an Application except for code that is interpreted and run by Apple’s Published APIs and built-in interpreter(s).”

This could come as major disappointment to iPhone owners, as the lack of Flash support has been a paramount complaint about the handset since its release. No Flash means that the iPhone browser is incapable of displaying a large portion of the internet. For example, free Flash games aren’t supported, videos can’t be streamed from the vastly popular television and movie site Hulu, and websites that use Flash to render content or navigation won’t work on the iPhone.

It’s no wonder Adobe is expressing reluctance about the prospects of Flash for iPhone. The company on Monday demonstrated a version of Flash for Windows
Mobile handsets. And all that product manager Michele Turner could say about iPhone was, “We are working on Flash on the iPhone, but it is really up to Apple.”

Adam Dann, CEO of Nullriver, agrees that Flash would take away some of Apple’s control. Apple eventually banned Nullriver’s application NetShare because it violated AT&T Terms of Service agreement by turning the iPhone into a wireless modem for tethering. If Apple introduced Flash to iPhone, it’s possible Nullriver could code a Flash version of NetShare, repeating that violation, Dann said.

Dann added that the only way Flash could ever appear on the iPhone is if Adobe offered an extremely stripped-down version of the software. But even if there is a “Flash Lite” for iPhone, that just reinforces the point that the handset’s owners still will not have a true Flash experience.

And aside from taking software control away from Apple, Flash would introduce a slew of other potential headaches as well. Flash apps could hurt battery life, suck up the graphics-processing unit’s power, use an inordinate amount of memory, or potentially introduce security risks. Apple has plenty of customer complaints to address about the iPhone; the last thing it needs is to add Adobe and Flash to the pile.

In August, Britain’s Advertising Standards Authority pulled an iPhone advertisement because the commercial said, “All the parts of the internet are on the iPhone.” The lack of Flash and Java support on iPhone were enough for the ad to be deemed misleading. And it’s looking like Apple won’t be able to air that ad again.

Apple did not return phone calls for comment.

[via wired ], [Download Apple iPhone SDK Agreement via wikileaks]

Its nearly hear. Microsoft has officially announced that next Tuesday on the 24th of November Power Pack 3 will be available via Windows Update.

The release will be available in Chinese, English, French, German, Italian, Japanese, and Spanish and users must have Windows Home Server with Power Pack 2 already installed on their home server to receive the update.

Power Pack 3 (PP3) improves the Windows Home Server experience with both Windows 7 and Windows Media Center by providing backup and restore of computers running Windows 7, Windows 7 Libraries integration, enhancements for Windows Media Center, and better support for notebook computers.

That’s new in PP3:

• Windows 7 Libraries integration
  When you install the Windows Home Server Connector and log on a computer running Windows 7, you can access the Windows Home Server shared folders from the Windows 7 libraries.
• Windows 7 Action Center backup warning suppression
  After you install the Windows Home Server Connector to enable the home server backup for your computer running Windows 7, you can suppress the Action Center warning reminding you that Windows Backup has not been set up.
• Windows 7 power settings
  You can configure your computer running Windows 7 to wake up at a scheduled backup time and then go back to sleep after the backup finishes.
• Console support for Windows 7
  Windows 7 is properly displayed as the operating system shown in the Computers & Backup tab.
• Windows Search
  Windows Search 4 is included to improve query search times, indexing times, and reliability. Extended Remote Discovery increases the efficiency of searching across all your libraries running Windows Search 4.  Files encrypted with EFS are now supported.
• TV archive
  Windows Home Server can automatically archive recorded TV by moving your recordings from a Windows Media Center computer to your home server in the format of your choice.  This enables playback in the correct format for your home computers and/or portable devices.
• Console view
  You can view information about your home server’s storage space, hard drives, backup status, and more from Windows Media Center.

Can’t wait till Tuesday, can you?

Microsoft announced a broad range of new functionality for Bing, its search engine, on Nov. 11. In addition to incorporating results from Wolfram Alpha, a "computational engine" that provides a definitive numerical answer to a search query, the revamped Bing offers a more robust video page—with feeds from MSN Video, Hulu, and ABC—and more intensive search in categories such as local events and cities.

In a sign of the increased importance of social networking to corporations such as Microsoft and Google, Bing has also incorporated Facebook and Twitter into its search features.

New study places Firefox at the top of vulnerability list for for the first half of 2009:

Application security vendor Cenzic today released its security trends report for the first half of 2009 application. In it, Cenzic claims that the Mozilla's Firefox browser led the field of Web browsers in terms of total vulnerabilities.

According to Cenzic, Firefox accounted for 44 percent of all browser vulnerabilities reported in the first half of 2009. In contrast, Apple's Safari had 35 percent of all reported browser vulnerability, Microsoft's Internet Explorer was third at 15 percent and Opera had just six percent share.

The 2009 figures stand in contrast to Cenzic's Q3/Q4 2008 report, where IE accounted for 43 percent of all reported Web browser vulnerabilities and Firefox followed closely at 39 percent.

As to why Firefox's numbers were so high, Cenzic has a few ideas.

"It's a combination of different things," Lars Ewe, CTO of Cenzic, told InternetNews.com. "They've gotten more traction as a browser, which is good for them and the more you get used the more exposure you have. As well a fair amount of the vulnerabilities have come by way of plug-ins."

One key area that Ewe said was responsible for a number of reported Firefox vulnerabilities is with how the browser handles plug-ins.

"The plug-in architecture that they have is a selling fact for the browser and one of the reasons why I love using it," Ewe said. "They can't control security aspects of all the plug-ins and the vulnerabilities are a side effect of that."

Mozilla has made numerous efforts this year to bolster its plug-in security. Recently they launched a plug-in checker service to ensure that users are running up-to-date versions. The Firefox 3.0.9 update, which came out in April, specifically addressed several key plug-in vulnerabilities.

Though Firefox had the highest number of vulnerabilities, that doesn't necessarily mean that Firefox users were more vulnerable.

Ewe said that Cenzic looked at all reported vulnerabilities. There is no specific differentiation for zero day bugs in the browser vulnerability count either. All that raises the question of how Cenzic actually came up with their vulnerability counts in the first place.

"The process that we follow is looking at a number of different vulnerability databases and sources that we have and trying to come up with a fair percentage based on the deviations we see between the databases," Ewe said. "You could make the argument, that's its 40 percent or 42 percent and there might be some variation on how you analyze it, but certainly it's not off by 20 percent."

While the Cenzic report shows Firefox at the top of the browser vulnerability pile, Ewe was quick to note that Cenzic uses Mozilla technology within its own solutions.

"Full disclosure here, Mozilla plays an important role in Cenzic's solution," Ewe said. "We are actually sitting on top of Mozilla as our agent of preference for scanning sites."

Cenzic develops an application scanning solution that uses the underlying Mozilla browser technology to test out security on Web site insides of a real browser context.

"We have a technology that we refer to as stateful assessment technology," Ewe said. "The idea behind it is to have as faithful an interaction with a Web site as possible and to determine vulnerabilities not on simple signatures but on behavioral basis of the application."

Ewe explained that when you do a cross-site scripting attack with a signature-based approach you'd just look for a server response that would indicate that the script tag has been injected. He added that the problem with that approach is that it's not faithful and the security researcher doesn't know if there is any additional logic on the client side that takes care of the script tag.

"If you want to be really faithful in the process you need to have full rendering capabilities and have all the JavaScript event handling," Ewe said. "So we leverage the entire Firefox architecture in order for us to actually have as faithful an interaction with a server as possible and maintain the client state. That results in low false-positives."

Source: www.internetnews.com

This exploration combines ideas for more natural multi-touch hardware with a smartly simplified canvas interface:

Source: http://10gui.com

Zune HD is the latest player in the Zune device family, available in 16GB and 32GB capacities and is the first touch screen Zune with HD functionality and powerful technology to give consumers a different way to experience music and video on-the-go.

• HD Radio –Zune HD comes with a built-in FM HD Radio receiver enabling users to tune to more free stations with even better clarity and sound quality.
• HD Video Out – Connect your Zune HD to the optional Zune Premium A/V docking station and watch HD videos, TV shows and movies in your large screen TV in 720p high definition
• Internet Browser and Wi-Fi - Zune HD includes a full-screen Internet browser optimized for multi-touch and Wi-Fi connectivity

Zune Software

• QuickPlay – A whole new user interface that offers one-click access to your favorites, and recent activity on both the PC and your Zune HD
• Smart DJ -  With one click, Zune becomes your personal DJ, creating and serving you an endless playlist based on the genre, style and influences of the song or artist you choose

Zune Services (Zune Marketplace and Zune.net)

• For the first time, Zune Marketplace is offering full-length movies in HD and SD format for download and rental; download HD TV shows and movies and watch them on your Zune or PC.  Or with the optional A/V docking station, watch them in high definition on your HDTV
• Zune.net Streaming - With a Zune Pass, stream music directly from Zune.net from any internet-connected computer.  No client software download needed
• Zune Pass - Access nearly 6 million songs for only $14.99 a month and keep 10 free MP3 downloads each month 
• Zune Pass + SmartDJ - If you have a Zune Pass you can use SmartDJ to stream an endless playlist from the nearly 6 million song Zune catalog from any internet connected PC via Zune.net, no download required

Expansion into Xbox

• Later this fall, Microsoft will bring the Zune video service to the nearly 20 million Xbox Live users as Zune becomes the video store for Xbox Live
• “Buy Once, Play Anywhere” - Consumers will be able to buy a movie once and watch it on multiple devices:  Xbox 360, Zune device and PC

Pricing

• Zune HD 16GB for $219.99 on Amazon (as of 9/17/09)
• Zune HD 32GB for $289.99 on Amazon (as of 9/17/09)

Zune HD is available in the retail channel on Sept 15, but for the time being the Zune HD device will remain US only.

Learn more: http://www.zune.net/en-us/products/zunehd/default.htm

Slingbox owners love their devices. They allow you to watch your home television content anywhere you are in the world with an Internet connection. A new startup, Spawn Labs, launching today at TechCrunch50 wants to extend that concept to video games.

But Spawn Labs offering is actually a bit more robust because it includes a social element as well. A key part to playing video games is playing them against other people. And with the Spawn HD Pro appliance, you’ll be able to do just that. Say a friend has an Xbox 360 in California and wants to play a game against you, but you’re in New York. From New York, you would simply install the Spawn Player application on your computer, and you could remotely connect to their system, to play a game.

The key to all of this is of course the Spawn HD Pro box, which will retail for $199 (available on their site today). These boxes will be able to transmit HD-quality (720p) content over the Internet to the computer on the other end. On those computers, users can play the game with an input device of their choosing.

The idea of playing popular video games over the web is a hot area right now. The two most well-known names in this field are OnLive and OTOY. But both of those are attempting to use their own servers to create a completely online experience, Spawn Labs is simply allowing you to take an existing console and transmit the content over the Internet. Of course, one potential issue with this method is that someone must be on the other end (where the console is) to make sure it has the game disc you want to play inside of it.

Eventually, the plan is to expand Spawn Labs’ technology beyond video games as well. They’d basically like to handle any and all video content over their box. Computers, other set-top boxes, and even mobile devices are all in the pipeline to be hooked up to Spawn Labs’ services.

Today, President and CEO David Wilson presented alongside QA engineer Daniel Bethke.

Expert Panel Q&A (paraphrased)

The experts: Don Dodge, Yossi Vardi, Ron Conway, George Zachary, and Jason Hirschhorn.

Q: Is it a weakness to have one game in at a time?
DW: That is something we thought about, but the direction of the industry is to have games on console’s hard drives.

Q: How do the graphics travel? And is this software on the console itself eventually?
DW: When you’re in a bandwidth constrained around, the network will downscale.

Q: So this is more targeted in the home?
DW: We’re targeting both.

Q: The bet is that customers will pay $200 for a hardware device to play games remotely. How often do players do that?
DW: Right now they can’t do it. But there is a strong desire for this. We have orders from several of the top game developers in the world for this.

Q: What kind of support?
DW: It runs any game on the supported consoles. (Xbox 360, Wii, Gabecube, PS3, etc)

Q: This also assumes the player has their controller?
DW: You don’t need one, but you can use any controller you want.

Q:  What about the handhelds?
DW: Theoretically yes, not sure yet though.

Pictures:

Source: http://www.techcrunch.com

Photograph by Leander Johnson

In 1971, the oft-quoted political scientist Herbert Simon predicted that in an information age, cultural producers (that's designers, but also filmmakers, theater types, musicians, artists) would quickly face a shortage of attention. "What information consumes is rather obvious: it consumes the attention of its recipients," he wrote. The more information, the less attention, and "the need to allocate that attention efficiently among the overabundance of information sources that might consume it."

Now we have a wide-ranging discussion about what is and what can't be free (Malcolm Gladwell on Chris Anderson, Virginia Postrel on Chris Anderson), which is basically about the future of profit. Maybe we should be considering a dilemma of a human nature: the future of attention.

Because there's a connection between the two.

Making something "free" is obviously an allocation strategy. "Free" attracts attention. Making things brief is an allocation strategy as well. The problem is that free isn't sustainable, and that brief is underpriced.

We need a Ronald Reagan of attention, someone to inspire us away from the fight over smaller and smaller pieces of the attention pie. Someone who will inspire us to make the attention pie bigger.

I imagine attention festivals: week-long multimedia, cross-industry carnivals of readings, installations, and performances, where you go from a tent with 30-second films, guitar solos, 10-minute video games, and haiku to the tent with only Andy Warhol movies, to a myriad of venues with other media forms and activities requiring other attention lengths. In the Nano Tent, you can hear ringtones and read tweets. A festival organized not by the forms of the commodities themselves but of the experience of interacting with them. Not organized by time elapsed, but by cognitive investment: a pop song, which goes by quickly, can resonate for days; a poem, which can go by more quickly, sticks through a season. A festival in which you can see images of your brain on knitting and on Twitter.

I imagine a retail sector for cultural products that's organized around the attention span: not around "books" or "music" but around short stories and pop songs in one aisle, poems and arias in the other. In the long store: 5,000 piece jigsaw puzzles, big novels, beer brewing equipment, DVDs of The Wire. Clerks could suggest and build attentional menus. We would develop attentional connoisseurship: the right pairings of the short and long. We would understand, and promote, attentional health.

I imagine attention-based pricing, in which prices of information commodities are inversely adjusted to the cognitive investment of consuming them. All the candy for the human brain — haiku, ringtones, bumper stickers — would be priced like the luxuries that they are. Things requiring longer attention spans would be cheaper — they might even be free, and the higher fixed costs of producing them would be covered by the higher sales of the short attention span products. Single TV episodes would be more expensive to purchase than whole seasons, in the same way that a six-pack of Oreos at the gas station is more expensive, per cookie, than a whole tray at the grocery store.

I imagine an attention tax that aspiring cultural producers must pay. A barrier to entry. If you want people to read your book, then you have to read books; if you want people to buy your book, then you buy books. Give your attention to the industry of your choice. Like indie musicians have done for decades, conceive of the scene as an attention economy, in which those who pay in (e.g., I go to your shows) get to take out (e.g., come to my show). It would also mitigate one oft-claimed peril of the rise of the amateur, which is that they don't know from quality: consuming many other examples from a variety of sources, even amateur producers would generate a sense of what's good and what's bad: in other words, in their community they'd evolve a set of standards. This might frustrate the elitists, who want to impose their standards. But standards would, given enough time, emerge. (In this I have faith.)

I imagine software, a smartphone app, perhaps, you can use to audit your attentional expenditures. So that before you embark on trying to write a book, you will be able to see how much time you spent reading books over the last month or year. So that before you design a marketing campaign that assumes that people aren't doing much else with their time until you show up, you will be able to see what you yourself were doing with your time, which was something perfectly good. This will show you that you're a savvy allocator of your attentional resources — and so is everybody else.

And yet I can't shake fantasizing about attention that has no price, that can't be bought or sold, but is given freely: a gift. I buy and read books because I want to give the gift of my attention to the attention economy I'm (as a writer) a part of. I'm inspired by Lewis Hyde in The Gift, who says that what distinguishes commodities is that they're used up, but what distinguishes gifts is that they circulate — the gift is never trapped, consumed, used up, contained or confined. That seems like the best basis for cultural production to thrive.

So this is what it's come to: when an attention gift economy seems more practical and sustainable than an exchange economy for information commodities, which is being rotted by the gift's ugly negation: the free.

Source: http://observatory.designobserver.com/

Interface complexity is an issue every designer wrestles with when designing a reasonably sophisticated application. A complex interface can reduce user effectiveness, increase the learning curve of the application, and cause users to feel intimidated and overwhelmed.

I’ve spent the past year redesigning a particularly complex application with my primary focus being on reducing complexity. In this article, I’ll go over some of the issues surrounding complexity and techniques that can be used to manage it.

Progressive Disclosure

Progressive disclosure is the most popular means of managing complexity. The idea is that clutter and cognitive overhead can be reduced by hiding less frequently used elements behind some avenue of accessing those elements, like a mouse click or a keyboard shortcut. It requires that the designer accurately determine which elements are frequently and infrequently used and to what degree.

Quite a bit of care needs to be put into the progressive disclosure hierarchy and the mechanisms used for disclosure. Poorly considered use of progressive disclosure can achieve the opposite of the intended effect by making the interface even more complex. As an example, Microsoft Windows has been trending towards removing the menu bar from individual windows and instead packing each function into the main interface (often using pull down menus), which has some issues. I’ll go over a few of them:

• There are inconsistent ways of accessing common functionality. The Print function, for example, is in different locations in both the application’s interface and the progressive disclosure hierarchy. The Print controls in Internet Explorer, Contacts (Windows Explorer), and WordPad are highlighted in the screenshot below, to illustrate this. Competing first-party Mac applications (Safari, Address Book, and TextEdit, respectively) have the Print function available in a consistent location – the last item in the File menu. A user who learns how to print in one of those Mac applications won’t have to hunt to find the Print function in other applications. It’s a “learn once, use everywhere” model.

  

• There’s a tendency to overwhelm the user with progressive disclosure points. The default Internet Explorer interface (with Windows Live installed) has a total of 17 pull down buttons – highlighted below. Further, all of these progressive disclosure controls require screen real estate. As more screen real estate is occupied by administrative actions, less is dedicated to displaying the actual content of the application (which, in this case, are webpages).

  

Contextual Actions

This is a form of progressive disclosure where contextually appropriate controls are exposed on a particular object. The most common implementation are contextual menus, activated on the Mac by a right-click or a control-click. While contextual menus are a consistent and useful way of revealing contextual actions on objects, they’re hard to discover, which makes them inappropriate for workflow-critical actions that necessitate greater weight in the interface.

The standard way to give these actions greater weight is to integrate them in your interface by providing the set of contextual controls in front of or near each object. Complexity is increased substantially, because the set of controls is repeated for every object on screen. We can get rid of most of this complexity by using a different progressive disclosure technique. Controls can be displayed on a single object if the object is selected, the object has focus, or when the mouse is over the object. This solves the complexity issue since there’s only one set of contextual controls being shown at a particular time, but it’s not without its downsides. Consider whether this sort of technique is appropriate for your interface before deciding one way or the other.

Alignment & Visual Hierarchy

Aligning elements in a user interface to a simple, consistent grid, will go great lengths in reducing the appearance of complexity. The use of strict alignment and a thoughtfully laid out grid can turn an interface from chaotic and overwhelming to harmonious and appealing.

Some compelling examples are the inspectors in Microsoft Expression Blend and Adobe Lightroom. While a host of factors are responsible for the Expression Blend inspector looking considerably more complex than the Lightroom inspector, the rough horizontal alignment is certainly a primary one. The horizontal alignment lines have been drawn in red to illustrate the differences.

The examples shown above also demonstrate the effectiveness of the techniques used in each interface to indicate hierarchy. The Lightroom inspector has very strong visual distinctions between section headings and their contents. Headings are prominent. Set in large type with generous padding and a relatively high contrast foreground-background color combination, sections, headings, and the relationships between them are immediately clear.

Visual Noise & Contrast

The amount of visual noise in an interface has a great deal of impact on the perceived complexity of the interface. And contrast plays an important role with respect to visual noise. Using lower contrast UI elements reduces visual noise which will often reduce the effective complexity of the interface, as you’ll see in the next couple of examples.

The Address Book UI eschews fields with relatively high contrast borders in favour of fields with borders that are only visible if the field has focus. This causes the fields to blend in with the rest of the interface. The Create Contact window in Entourage 2008 uses the standard window background color and standard text field styling which contributes to the interface looking more complex than the Address Book interface.

As another example, I’ve taken the Filter window in Aperture 2.0 and mocked up what it would look like with the transparent controls from iLife ‘08 (and parts of iLife ‘09) with high contrast edges instead of the relatively low contrast controls that it shipped with. The UI I’ve mocked up looks notably more complex than the shipping interface because of the higher contrast controls. Simply adjusting the styling of your controls can have a considerable impact on complexity.

Use of Icons

Interfaces widely regarded as complex with high learning curves are often characterized by an abundance of icons or glyphs that lack descriptive labels. When a user opens an application for the first time with an interface covered in label-less glyphs, it can be quite daunting. Every icon with a non-obvious meaning will have to be learned for the user to feel any sort of mastery over the application.

This is a difficult problem to solve. There often isn’t room for a label to sit next to an icon, and in many cases there is cost involved in replacing an icon with a label (mainly, users will not be able to quickly scan the interface for the icon). Deciding when to use an icon, a label, or both, is an art all in itself.

Nevertheless, here are some tips for those faced with this issue:

• Revamp your icons so they convey their meaning more effectively. Improve metaphors, adjust sizes, colors, etc.
• Use grouping to imply meaning. Grouping related icons together can often provide sufficient context to imply their function.
• Using progressive disclosure, place less often used icon-only buttons in a pull down menu with both icons and their labels. A nice benefit of this is that the user will learn the meaning of each icon when they use the pull down menu, and if the menu is designed to be used early on in a user’s experience with the application, you can get away with using those icons without labels in other places in the app (since the user will have already learned their meanings at that point).

Mental Models

A great way to reduce effective complexity is to align the conceptual model expressed by your interface with your user’s mental model as closely as possible. A poorly thought out model contributes to complexity by adding a significant amount of cognitive work that your users have to perform to learn your interface.

The recurrence UI in Windows Calendar, for instance, reflects the developer’s model of the task rather than the user’s model. Take a look at the second set of radio options in this screenshot:

1. What’s the “28th last day of the month”?
2. What’s the “4th last Tuesday of the month”?
3. How long did you spend trying to work that out?

These options feel complex because the language used and functionality that’s represented doesn’t reflect your understanding of repeating events. Combat this issue by researching how your users conceptualize relevant tasks so your models are intuitive. You can read more about mental models in the HIG.

Use your Judgement

Finally, use your own judgement. There are costs associated with nearly every technique I’ve listed here. Carefully consider each technique in the context of your interface and determine which are most appropriate for your application and how best to apply them.

Source: http://www.brandonwalkin.com/

In less than a week since Windows 7 was released to manufacturing, the first crack for the Ultimate edition of the latest iteration of the Windows client is already available in the wild. The Windows 7 Build 6.1.7600.16385 Ultimate crack is capable of activating the high-end SKU of the operating system indefinitely. The product key comes from the only source possible, an OEM, as original equipment manufacturers are the first and for the time being the last group to receive the gold bits of the operating system from Microsoft. Together with the RTM development milestone of Windows 7, the Redmond company has also supplied OEM partners with activation product keys, one of which was extracted from a leaked OEM image of the platform.

Reports from various forums and websites (which I will not link to because they offer the proof-of-concept of the Windows 7 RTM Ultimate crack, along with the activation product key, which is illegal) indicate that the cracked client can bypass Windows genuine Advantage validation with no problems whatsoever. A Windows 7 Ultimate OEM DVD ISO from Lenovo has reportedly made the hack possible. Leaked on a Chinese forum, complete with the download links, the ISO allowed for hackers to grab the OEM-SLP (System-Locked Preinstallation) product key as well as the OEM certificate for Windows 7 RTM Ultimate via boot.wim.

The bypass designed for Windows 7 RTM involves abusing OEM activation 2.1, and in this regard the circumventing process is nothing more than an OEM hack. Via OEM activation 2.1, namely SLP 2.1, Microsoft allows OEMs to pre-activate Windows 7 for distribution preinstalled on new computers. In this context, the activation bypass process leading to the hacked Windows 7 RTM needs to be based on a BIOS (SLIC) hack first of all.

The procedure is by no means new. Hackers have managed to crack Windows Vista much in the same manner. In fact, the Windows 7 RTM Ultimate activation crack also relies on an OEM certificate from Windows Vista in order to function. At the time of this article hackers have made available in the wild SLIC 2.1 BIN harvested from computers on the market, as well as the genuine OEM certificate digitally signed by Microsoft, which automatically brings to the table the Private Key and the OEM Public Key as well as the OEMID (from SLIC in BIOS). Together with the leaked OEM SLP master product key Windows 7 can be hacked and the activation process bypassed. The result is a cracked copy of Windows 7 RTM Ultimate permanently activated.

It also seems that the crack is not limited to Lenovo machines. The activation process can also be circumvented on HP, Dell, and MSI computers according to reports. Because of the OEM product key, the crack is limited to the Ultimate edition of Windows 7 (useless for all other SKUs, Home Basic, Home Premium, Professional), but can be used on both 32-bit and 64-bit versions of the operating system.

Source: http://news.softpedia.com/

SUNNYVALE, CA and REDMOND, WA — 29 July, 2009 — Yahoo! and Microsoft announced an agreement that will improve the Web search experience for users and advertisers, and deliver sustained innovation to the industry. In simple terms, Microsoft will now power Yahoo! search while Yahoo! will become the exclusive worldwide relationship sales force for both companies' premium search advertisers.

For Web users and advertisers, this deal will accelerate the pace and breadth of innovation by combining both companies' complementary strengths and search platforms into a market competitor with the scale to fuel sustained development in search and search advertising. Users will find what they care about faster and with more personal relevance. Microsoft's competitive search platforms will lead to more value for advertisers, better results for web publishers, and increased innovation and efficiency across the Internet.

Under this agreement, Yahoo! will focus on its core business of providing consumers with great experiences with the world's favorite online destinations and Web products.

"This agreement comes with boatloads of value for Yahoo!, our users, and the industry. And I believe it establishes the foundation for a new era of Internet innovation and development," said Yahoo! CEO Carol Bartz. "Users will continue to experience search as a vital part of their Yahoo! experiences and will enjoy increased innovation thanks to the scale and resources this deal provides. Advertisers will also benefit from scale and enjoy greater ease of use and efficiencies working with a single platform and sales team for premium advertisers. Finally, this deal will help us increase our investments in priority areas in winning audience properties, display advertising capabilities, and mobile experiences."

Providing a viable alternative to advertisers, this deal will combine Yahoo! and Microsoft search marketplaces so that advertisers no longer have to rely on one company that dominates more than 70 percent of all search. With the addition of Yahoo!'s search volume, Microsoft will achieve the size and scale required to unleash competition and innovation in the market, for consumers as well as advertisers.

Microsoft CEO Steve Ballmer said the agreement will provide Microsoft's search engine, Bing, the scale necessary to more effectively compete, attracting more users and advertisers, which in turn will lead to more relevant ads and search results.

"Through this agreement with Yahoo!, we will create more innovation in search, better value for advertisers, and real consumer choice in a market currently dominated by a single company," said Ballmer. "Success in search requires both innovation and scale. With our new Bing search platform, we've created breakthrough innovation and features. This agreement with Yahoo! will provide the scale we need to deliver even more rapid advances in relevancy and usefulness. Microsoft and Yahoo! know there's so much more that search could be. This agreement gives us the scale and resources to create the future of search."

"This deal fits the long-term strategic direction of Yahoo! to remain the world's leading online media company and Carol Bartz has the full and unanimous support of the Yahoo! Board behind this deal," said Roy Bostock, chairman, Yahoo! Inc. "This is a significant opportunity for us. Microsoft is an industry innovator in search, and it is a great opportunity for us to focus our investments in other areas critical to our future."

The key terms of the agreement are as follows:

• The term of the agreement is 10 years;

• Microsoft will acquire an exclusive 10 year license to Yahoo!'s core search technologies, and Microsoft will have the ability to integrate Yahoo! search technologies into its existing web search platforms;

• Microsoft's Bing will be the exclusive algorithmic search and paid search platform for Yahoo! sites. Yahoo! will continue to use its technology and data in other areas of its business such as enhancing display advertising technology.

• Yahoo! will become the exclusive worldwide relationship sales force for both companies' premium search advertisers. Self-serve advertising for both companies will be fulfilled by Microsoft's AdCenter platform, and prices for all search ads will continue to be set by AdCenter's automated auction process.

• Each company will maintain its own separate display advertising business and sales force.

• Yahoo! will innovate and "own" the user experience on Yahoo! properties, including the user experience for search, even though it will be powered by Microsoft technology.

• Microsoft will compensate Yahoo! through a revenue sharing agreement on traffic generated on Yahoo!'s network of both owned and operated (O&O) and affiliate sites.

  • Microsoft will pay traffic acquisition costs (TAC) to Yahoo! at an initial rate of 88% of search revenue generated on Yahoo!'s O&O sites during the first 5 years of the agreement.

  • Yahoo! will continue to syndicate its existing search affiliate partnerships.

• Microsoft will guarantee Yahoo!'s O&O revenue per search (RPS) in each country for the first 18 months following initial implementation in that country.

• At full implementation (expected to occur within 24 months following regulatory approval), Yahoo! estimates, based on current levels of revenue and current operating expenses, that this agreement will provide a benefit to annual GAAP operating income of approximately $500 million and capital expenditure savings of approximately $200 million. Yahoo! also estimates that this agreement will provide a benefit to annual operating cash flow of approximately $275 million.

• The agreement protects consumer privacy by limiting the data shared between the companies to the minimum necessary to operate and improve the combined search platform, and restricts the use of search data shared between the companies. The agreement maintains the industry-leading privacy practices that each company follows today.

The agreement does not cover each company's web properties and products, email, instant messaging, display advertising, or any other aspect of the companies' businesses. In those areas, the companies will continue to compete vigorously.

The transaction will be subject to regulatory review. The agreement entered into today anticipates that the parties will enter into more detailed definitive agreements prior to closing. Microsoft and Yahoo! expect the agreement to be closely reviewed by the industry and government regulators, and welcome questions. The companies are hopeful that closing can occur in early 2010.

The companies have established a website at http://www.choicevalueinnovation.com to provide consumers, advertisers and publishers with additional information about the benefits of the agreement.

Conference Call – 5:30 a.m. PDT, Wednesday, July 29

Yahoo! and Microsoft will host a conference call with Yahoo! CEO Carol Bartz and Microsoft CEO Steve Ballmer to discuss the agreement at 5:30 a.m. Pacific/8:30 a.m. Eastern Time today. To listen to the call, please dial 1-866-515-2908 in the U.S. and Canada; +1-617-399-5122 international, reservation number: 47968026. A live webcast of the call can be accessed through Yahoo!’s Investor Relations website at http://yhoo.client.shareholder.com/results.cfm. The companies have also established a website at http://www.choicevalueinnovation.com to provide consumers, advertisers and publishers with additional information about the benefits of the agreement. In addition, an archive of the webcast will be available through the same link. An audio replay of the call will be available for two weeks following the conference call by calling 1-888-286-8010 in the U.S. and Canada; +1-617-801-6888 international, reservation number: 91217610.

Non-GAAP Financial Measures

This release refers to operating cash flow (operating income before depreciation, amortization of intangible assets, and stock-based compensation expense, or OCF), which is a non-GAAP financial measure. The most comparable GAAP measure is income from operations. The estimated annual OCF benefit of $275 million included in this press release is the estimated annual benefit in income from operations of $500 million less approximately $225 million of estimated annual savings in depreciation, amortization and stock-based compensation expense.

Source: http://www.choicevalueinnovation.com

Today's browser wars are nothing like the early browser wars of the mid '90s, but there are still plenty of casualties and lots of underlying uncertainty. However, there may be a bright spot on the horizon.

Current Browser Rankings

Based upon relatively recent data from Net Applications, there are really only four main browsers in the game today: Internet Explorer (IE) with roughly 66% of the market, Firefox with 22% of the market, Safari at 8% control, and Chrome with almost 2% of the market. Opera and all other browsers combined come in at only 2% of the market, even though the way that many of these browsers emulate other, better-known, user-agent strings to identify themselves might mean that they actually control a bit more of the market than is immediately obvious. But, even so, that really only leaves IE, FireFox, and Safari as the primary combatants.

Things get interesting though when you break down usage among versions of IE, especially if you start comparing those percentages against other browsers. At this point, no single browser is able to claim a true majority of Internet users. In fact, it becomes a rough-and-tumble race for supremacy. For example, IE 7 is the current, dominant, flavor of Internet Explorer - with roughly 27% market share. That puts it in roughly the same league as Firefox. Whereas IE 8, which seems to be seeing some decent yet rather slow adoption (among IE 7 users) comes in at 12%, roughly in the same league as Safari.

That leaves that ponderously old and terribly despised (by web developers at least) beast known as IE 6 still commanding roughly 20% of overall market share.

Internet Explorer 6 is Old, Beastly, and Holds the Future of the Web

IE 6 was released in August of 2001—it's now been around a little under 8 years, which is an eternity in Internet time. Yet it's still going strong with roughly 20% of the overall browser market. Of course, what's unknown is how many of those still on IE 6 are using it explicitly to maintain backward compatibility with their own internal web applications, or how many of them are either lazy users who can't be bothered to upgrade, or simply don't care about upgrading. Even though Microsoft clearly has upgrade paths for these users many haven't taken advantage of those paths (IE 7 and now IE 8) over the years.

I think it’s ironic that IE 6 users hold the key to the future of the web, at least in terms of which browsers will gain dominance. The 20% of users running IE6 today represent veterans of a browser war that was fought (and won by Microsoft) nearly a decade ago. And what these users choose as their next browser could have a big impact on which browser emerges victorious in the current skirmish we're seeing among IE, Firefox, Safari, and even Chrome.

On the one hand, if the majority of IE 6 users are just lazy or don't know how to upgrade, it's relatively safe to assume that they'll just upgrade to IE 8 as they become aware of easy upgrade options (or get new machines, though some could convert to Safari in this process). On the other hand, if the majority of these users explicitly need IE 6 to make corporate sites work correctly, then it's conceivable that many will like stay on current hardware, use IE 6 for their apps, and install Firefox or Chrome along with IE6 for any of the more modern browsing needs they may have. Either way, there's a large segment of users out there who can have a big impact on where things head in the future. As more and more pressure mounts on those users to switch or upgrade it will be interesting to see what happens, especially considering some of the recent turbulence in this arena (that has apparently been so big that it's caused Net Application Data to review their most recent numbers for a few days now).

Ditching IE 6

It's no secret, of course, that IE6 has long been viewed quite critically by web developers. In fact, it's probably safe to say that most web developers despise it. A key reason for that less than amicable sentiment is the amount of tweaking and hacking it takes to get new sites and content to work in IE 6. Or, as more than one sarcastic comment on http://www.saveie6.com/ points out, with IE6 out of the mix web developers and designers might end up going bankrupt as they'd lose half of all of their billable hours trying translate their sites and designs to render correctly on IE 6.

As a developer who has spent way too much time battling CSS hacks and other problems with sites for rendering in IE 6, I'd only be too happy if IE 6 would go away tomorrow. Sadly, it looks like that won't be the case, and I've checked browser statistics on a couple of the sites I work with over the past few months to see how soon I could begin possibly ignoring IE6 traffic. But sadly, on most of the sites I work with or maintain, IE 6 still represents 10-20% of the traffic, which is truly heartbreaking for me.

I relished a decision by YouTube to discontinue support for IE 6 relatively shortly. Even better, this news comes on the heels of other reports pointing out that other sites will be dropping support for IE6 as well.

Of course, as much as I could hope that this would trigger a cascade of other sites deciding to similarly pull support (making it easier for me to do the same), it's probably worth remembering that if the majority of IE 6 users are truly using IE 6 to explicitly maintain compatibility with their own intranet or business applications, then the content on YouTube or Digg likely isn't going to be a huge loss to these users. But we can always hope.

The Future of IE 6

What does all of this mean for web developers? Not a lot at this exact moment. Someday we might hit that bright-spot where we no longer need to waste time making sites work in IE 6. If enough sites take a cue from YouTube and Digg (and hopefully a few will) that might drive some momentum for change. That, in turn, could propel some IE 6 users to jump ship, changing the balance even more dramatically. When that happens, we'll be that much closer to cutting out a huge amount of effort when it comes to web development in general.

Source: http://www.devproconnections.com

The people who run the world's internet systems are a rather secretive bunch.  Three times a year, senior technical officers from companies such as Google, Yahoo, AT&T, Comcast and Verizon meet to discuss ways of stopping the internet from being swamped by rising levels of spam, viruses and hacking attacks by organised criminals. They do not generally like discussing these meetings.  "Some people might get nervous if they knew all the things we talked about," said Michael O'Rierdan, chairman of the Messaging Anti-Abuse Working Group (MAAWG). "It’s our job to make the internet safe, but we don't want to put people off using the web."  They are also worried about being targeted by the cyber-criminals they are trying to thwart.

Most of the spam and hacking on the internet is run by organised crime rings. There is an underground economy that hacks into computers, sells stolen identities and orchestrates the sending of spam e-mails about everything from fake Viagra pills to banking scams. There is a lot of money at stake in keeping these operations running.  “We get threats every day," said Larry, chief technical officer of Spamhaus, a non-profit organisation that exposes spammers. He prefers not to reveal his surname. "In the US it is people bringing lawsuits against us. And then there are organised criminals in Russia and Ukraine, who use different methods."  Steve Linford, the organisation's founder, has been advised by police not to open unexpected packages arriving at his home.

MAAWG meetings are also places to discuss some of the controversial measures that internet companies need to take in the fight against spam, such as blocking some types of e-mail traffic. This measure sits awkwardly with civil liberties bodies.  The 270 delegates from 19 countries who met at Amsterdam's venerable Hotel Krasnapolsky last week were far from the usual, suit-wearing conference crowd. An eclectic mix of tattoos, ponytails, high-waisted trousers and backpacks indicated that these were true operations people who work in the bowels of the network.  Membership is strictly vetted and journalists are not normally invited to attend, but MAAWG has started to lift its veil a little. There is a growing feeling that the industry must reach out to consumers and get them to help fight cyber-crime.

In 2008, 349.6bn spam messages were sent across the internet, according to Symantec, the internet security company. Spam accounts for an average of almost 94 per cent of all e-mail messages.  Nearly 90 per cent of spam is sent from computers that have been hacked into and are being remotely programmed to send out spam.  More than 9.4m computers have been hijacked in this way and their owners are usually entirely unaware it is going on. It will be impossible to clean up these machines without talking to consumers.

"Sometimes we want people to know what we are doing, so they can yell at the politicians to give us more help," said Jerry Upton, executive director of MAAWG.  There is a rising sense of crisis among internet companies about the cost of spam. Few are willing to quantify how much they have to spend to fight spam, but Mr O'Rierdan estimated that big internet service providers employ five to 10 staff just to look at spam. In addition they must buy spare servers, routers and other equipment to cope with the volumes of junk mail, buy spam-filtering software and run support centers for their customers.

Viriya Upatising, chief technical officer of True Internet, a Thai internet service provider, said junk mail was a crippling cost for the company because it was paying to send the unwanted data across undersea cable connections to destinations such as the US and Europe.  "The cost of bandwidth is expensive in Asia," Mr Upatising said. "It costs us $250 per megabit per month to send data internationally."  The company put in place a draconian system that prevents suspected spammers from using its network. The measures have cut unwanted messages from 3.5m a day to a more manageable 250,000.

"We are all sharing these costs," said Patrick Peterson, chief technology officer at Ironport Systems, Cisco's e-mail security arm. "Spam is a stealth tax on consumers. ISPs have to pay for the spam, for the extra bandwidth, for equipment, and they are forced to put up their prices for consumers."

There is a fear among internet security professionals that they might be losing the battle to cyber-criminals. This may also be why they now want the public to know more about what they do, to show they have at least tried.  "I don't know if we can control it," said Dave Crocker, one of the early pioneers of e-mail and now a senior technical adviser to MAAWG.  He added: "It is an arms race. We are getting better at filtering out rogue messages but every day the criminals get better too, and they are better organized and more aggressive."

Keywords: the dark side of the web

* Spam: Unsolicited electronic messages, most commonly e-mail, but also increasingly common in instant messaging, blogs and mobile phone messages. The first e-mail spam is believed to have been sent in 1978.

* Malware: Malicious software designed to infiltrate or damage a computer system without the owners' consent. Symantec, the internet security company, has estimated there is now more malware released each year than legitimate software programs. There are many different types of malware, including viruses, worms and Trojan horses.

* Phishing : The fraudulent attempt to acquire sensitive information such as passwords, bank account details and credit card numbers. Typically it is in the form of an e-mail that directs people to a fake website - that looks like the legitimate site of a bank or other trusted organisation - where people are asked to enter personal details.

* Botnets: A network of computers that have been hacked and are being remotely controlled by cyber-criminals. Typically they are used to send out spam messages or viruses in large numbers. Most users will be unaware if their computer has been infiltrated and added to a botnet. Symantec estimated there were more than 9.4m machines hijacked in this way in 2008.

Source: http://www.ft.com

You can set a custom background for the logon screen in the release candidate and release to manufacturing versions of Windows 7, here is how it works:

To set a custom picture, place a JPG named backgroundDefault.jpg in the %windir%\system32\oobe\info\backgrounds folder. Now go to the registry and navigate to HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI\Background. There should be a DWORD value named OEMBackground (create it if it's missing). Set the value to 1 and click OK.

Now when you log off or switch users the new background picture will be displayed. No reboot is necessary.

You can also place custom files in the backgrounds folder with the name background<resolution> to have different pictures for different resolutions. For example, a 1024×768 resolution picture should be save as background1024x768.jpg.

BOSTON, June 10 (Reuters) Microsoft Corp (MSFT.O) is getting ready to unveil a long-anticipated free anti-virus service for personal computers that will compete with products sold by Symantec Corp (SYMC.O) and McAfee Inc (MFE.N).

A Microsoft spokesman said on Wednesday that the world's biggest software maker is testing an early version of the product with its own employees. Microsoft would "soon" make a trial version, or product beta, available via its website, he added, but declined to provide a specific date.

Symantec shares fell 0.5 percent on Nasdaq and McAfee fell 1.3 percent on the New York Stock Exchange, while Microsoft was up 2.1 percent. The Nasdaq composite index .IXIC was down 0.47 percent.

Investors are closely monitoring the free service, code-named Morro after Brazil's Morro de Sao Paolo beach, amid concern it could hurt sales of products from Symantec and McAfee, which generate billions of dollars of revenue a year protecting Windows PCs from attacks by hackers.

"It's a long-term competitive threat," said Daniel Ives, an analyst with FBR Capital Markets, though he added that the near-term impact was minimal.

Microsoft has said that Morro will offer basic features for fighting a wide range of viruses, which would likely make it comparable to low-end consumer products from Symantec and McAfee that cost about $40 per year.

Their top-selling products are security suites that come with features including encryption, firewalls, password protection, parental controls and data backup.

Three years ago, Microsoft entered that market with Live OneCare, which turned out to be a commercial flop. It announced plans in November to kill that product suite, saying it would launch the free Morro service by the end of 2009.

Analysts said they are looking forward to Morro's beta to see exactly how its features compare to those in products from competitors.

Microsoft has said it will provide protection from several types of malicious software including viruses, spyware, rootkits and trojans.

Officials with Symantec and McAfee have said they do not see Morro as a threat. 

"Microsoft's free product is basically a stripped down version of the OneCare product Microsoft pulled from the shelves," said Symantec Consumer division president Janice Chaffin. "A full Internet security suite is what consumers require today to stay fully protected."

Joris Evers, a spokesman for No. 2 security software maker McAfee, said his company is already enjoying strong growth despite competition from free anti-virus products that are on the market.

"On a level playing field, we are confident in our ability to compete with anyone who might enter the marketplace," he said.

A spokeswoman for Trend Micro Inc (4704.T), the No. 3 player, declined to comment. (Reporting by Jim Finkle; Editing by Steve Orlofsky, Brian Moss, Richard Chang)

Source: http://www.reuters.com

The near-final version of Microsoft's next operating system, Windows 7, became available late Monday to the general public.

Microsoft will collect feedback on the Windows 7 release candidate over the next few months, fixing small issues. The company allowed developers and other testers to begin downloading the release candidate last week.

[ Microsoft will let users run Windows 7 RC for more than a year . | Get the analysis and insights that only Randall C. Kennedy can provide on Windows tech in InfoWorld's Enterprise Desktop blog and Technology: Windows newsletter. And download our free Windows performance-monitoring tool. ]

Windows 7 comes nearly three years after Windows Vista, which took five years for Microsoft to engineer but was regarded by some as underwhelming. Microsoft hasn't said when the final Windows 7 version will be released, although it's rumored to be out before year's end.

Microsoft warned it is not offering technical support for the Windows 7 release candidate, so those who install it are on their own. Users should be familiar with installing an operating system from scratch, formatting a hard drive and backing up data, among other skills, Microsoft advised.

In the Windows 7 release notes, Microsoft warns of several problems that haven't been resolved, including issues with its latest Web browser, Internet Explorer 8 (IE8).

Debugging JavaScript with the developer tools in IE8 could throw up a warning that a Web site is not responding, but that warning can be ignored. Also, some Web pages may have misaligned text or missing images. Microsoft recommends clicking on the "compatibility view" button on the address bar as a fix.

Microsoft released the Windows 7 beta in Arabic and Hindi, but those languages have been replaced with French and Spanish in the release candidate. English is available for both versions.

"We needed to ensure certain features were tested for worldwide functionality, and Hindi and Arabic help us test a number of language-related features," Microsoft said.

Source: http://www.infoworld.com

As promised, on Thursday, April 30, 2009, Microsoft made the Windows 7 Release Candidate (RC, see my review) available to MSDN and TechNet subscribers. But it also made an updated (but not yet rebranded) version of XP Mode for Windows 7 and Windows Virtual PC available via the same distribution points. Since Rafael and I gained access to the first external build of XP Mode (then as in this beta called Virtual Windows XP, or VXP), we've been eager to see a more updated version. So what do we see here?

First, Microsoft is formally describing this technology as Windows Virtual PC, "a new optional component for the Windows 7 operating system that you can use to evaluate and migrate to Windows 7 while maintaining compatibility with applications that run on older versions of Windows." Windows Virtual PC includes a number of new features, one of which, of course, is XP Mode.

Windows Virtual PC is available in both 32-bit and 64-bit versions, so you'll need to version that is correct for your OS. However, you can only run 32-bit virtual machines inside of Windows Virtual PC, as was the case with the previous version of this product, Virtual PC 2007.

Windows Virtual PC will be delivered to Windows 7 Professional, Enterprise, and Ultimate customers via a web download that includes two executables. The first, Windows6.1-KB958559-x86.msu (32-bit) or Windows6.1-KB958559-x64.msu (64-bit), depending on your platform, updates Windows 7 and actually provides the expected Start Menu entry points. And then you reboot.

When that's done you must also run a second EXE, VirtualWindowsXP_64_en-US (or VirtualWindowsXP_32_en-US) to install XP Mode and its Windows XP with SP3 virtual machine (VM). Once you've done that, you'll be prompted to run Virtual XP (XP Mode).

Now, you're prompted to configure a password for the default user (creatively named User and not changeable during Setup), and configure Automatic Updates. Then, Setup configures the virtual machine. This phase takes a long time and involves setting up the VM for first use, initializing the VM, starting the OS, and enabling integration features. What it's really doing, of course, is running through the XP Setup process in silent mode.

Eventually you'll hear the familiar strains of the XP startup sound and Windows XP springs to life in a window. Voila! It's time to do some XP configuration, install AV and any third party apps, and then shut down the VM and access those apps from the Windows 7 Start Menu.

Of course, Rafael and I have already thoroughly documented all this. So if you've been reading along since we first revealed this feature, you know by now that nothing has changed. That's both reassuring and alarming, since the build we originally got is well over a month old by now. Presumably, between now and Windows 7 RTM, Microsoft will rebrand these components as needed.

Of more interest here is what's going on under the hood? How does Windows Virtual PC differ from its predecessor?

First, the integration components now support XP with SP3, Vista with SP1, and Windows 7, so you're free to install these other OSes in VMs if you'd like. As per previous Virtual PC versions, you get seamless mouse movement between the host and VMs, can access a combined host/VM clipboard, access physical drives and printers on the host from within VMs, and, in a new twist, some USB devices. (This was a notable missing feature in Virtual PC.) Microsoft says that USB-based printers, storage devices and smart card readers are now automatically shared with virtual machines. You can also redirect other USB devices to VMs via the new USB menu in the VM window; each attached USB device on the host is listed.

And don't forget Rafael's secret about getting built-in Windows XP applications to appear in the Windows 7 Start Menu. Just drag and drop them into the All Users Start Menu and they will appear. Voila!

Source: http://www.winsupersite.com

Microsoft will begin offering its first hosted security service under the Forefront brand on Thursday, dubbed Forefront Online Security for Exchange and designed to help keep malware and spam out of e-mail in-boxes.

The hosted service, which will cost $20 per user per year or less based on volume licensing, targets enterprise Exchange customers and includes a Web-based console for setting up policies for virus and spam protection, said Doug Leland, general manager of Microsoft's Identity and Security Business Group.

The releases will follow the timeline of Exchange 2010, which entered public beta this week. More hosted security services will be coming but Leland declined to elaborate.

Microsoft also will finally release on Thursday a new, public beta version of its Stirling security suite, which is the next generation of the Forefront software.

The initial beta version of Stirling was released a year ago and was supposed to be refreshed by the end of 2008. It will include client, server, and application security technology and offer a single management console.

Stirling components will come in staggered releases starting later this year with Forefront Security for Exchange and Threat Management and continuing through the first half of 2010, Leland said. The company also is changing the name of its Identity Lifecycle Manager product to Forefront Identity Manager and plans to offer a new set of technologies, code-named Geneva, for helping corporations improve the security of software and services, Microsoft said.

In addition, Microsoft said it is investing $75 million in a partner ecosystem, including making a strategic partnership with RSA. Other companies integrating with Stirling include Kaspersky, Brocade, Juniper Networks, Guardium, Imperva, Sourcefire, StillSecure, Q1 Labs, and Tipping Point.

The moves are part of the company's strategy to provide "Business Ready Security."

The moves are part of Microsoft's effort to broaden the scope of its security offerings to incorporate data protection, access and management, all built around the concept of identity, Leland said.

Microsoft wants to offer the ability for corporations to set "fine-grained security policies and have a deeper understanding about who in the organization is triyng to access data and what they are trying to do with it," he said.

Source: http://news.cnet.com

[Update]: Forefront Online Security for Exchange is not only limited to Exchange Server, it can be used by all other mail server.

More than 97% of all e-mails sent over the net are unwanted, according to a Microsoft security report.

The e-mails are dominated by spam adverts for drugs, and general product pitches and often have malicious attachments.

The report found that the global ratio of infected machines was 8.6 for every 1,000 uninfected machines.

It also found that Office document attachments and PDF files were increasingly being targeted by hackers.

Microsoft said people should not panic about the high levels of unwanted e-mail.

Cliff Evans, head of security and privacy for Microsoft in the UK, told BBC News: "The good news is that the majority of that never hits your inbox although some will get through."

Ed Gibson, chief cyber security advisor at Microsoft, said the rise in spam was due to traditional organised crime figures moving away from exploiting software vulnerabilities and "targeting the weak link that is you and me".

"With higher capacity broadband and better OS (operating systems), and higher power computers it is easier now to send out billions of spams. Three or four years ago the capacity wasn't there."

Malware ecosystem

Paul Woods, senior analyst at e-mail security firm Message Labs, said he was surprised the Microsoft figure for unwanted e-mail was so high.

"Our own analysis shows that around 81% of e-mail traffic we were processing was identified as spam and unwanted," he said.

MessageLabs said spam rates had fallen at the end of 2008 as an ISP which had been hijacked to send out spam mails to users had been taken offline.

"As a result of that, a number of developers in botnet technology at the end of last year were trying to regain botnet control and increase capacity and return to previous spam levels.

"It wont be far off before we see return to those levels."

The report, which looked at online activity during the second half of 2008, also pinpoints the countries that are suffering from the most infections of malicious software, or malware.

Russia and Brazil top the global chart of infections, followed by Turkey and Serbia and Montenegro.

It said that the type of malware varied from country to country.

"As the malware ecosystem becomes more reliant on social engineering, threats worldwide have become more dependent on language and cultural factors," it reported.

In China, several malicious web browser modifiers are common, while in Brazil, malware that targets users of online banks is more widespread.

In Korea, viruses such as Win32/Virut and Win32/Parite are common.

Global average

The global average for infected machines is 8.6 for every 1,000 uninfected PCs.

The UK's infection rate is 5.7, according to the Microsoft report.

The report highlighted the need to keep operating systems, web browsers and applications up to date with the latest versions.

Increasingly, hackers are using common file formats, such as Microsoft Office documents and Adobe's PDF format as the carrier of malicious exploits or programs.

More than 91% of attacks exploiting vulnerabilities in Microsoft Office were using security holes that had been plugged by updates that had been available for more than two years.

Attacks using PDF files rose sharply in the second half of 2008, the report noted.

The vulnerabilities all of the attacks exploited had already been fixed by Adobe, and were not present in the most recent versions of the software.

Mr Gibson told BBC News people had to be aware that if they did not update their applications, such as Office and Adobe, they were not just putting themselves at risk, but others on the internet also.

"If you don't update your software you are not just a hazard to yourself, you are hazard to others because you can be part of a botnet [if your computer is hijacked]."

Mr Evans said Microsoft was very happy with the approach consumers were taking to updating applications via automatic updates.

"For consumers it is happening but for business less so. We have encourage businesses to make more use of automatic updates."

Scareware

Mr Woods said malicious hackers were exploiting Office document attachments and PDF files in order to make more targeted attacks.

"They tend to be used in selective attacks to named individuals in organisations.

"A lot of social engineering will be used to appear legitimate and convince a user to open the attachment

"Once opened, a vulnerability in the application used to open the document will be exploited and often a tiny piece of code will execute and then download a larger file from a rogue website.

"This program will then attempt to search the computer for a particular document or file and sent it to a remote PC."

The report also highlighted the rise in the use of so-called scareware, fake security programs which falsely tell people they need to install software which does nothing other than attempt to steal personal details from a users' PC.

"It's criminals playing on people's fears," said Mr Evans.

"The advice remains the same - ensuring you have up to date software, whether that's your applications, your browser or your OS."

Source: http://news.bbc.co.uk

Remember the dire predictions surrounding the "millennium bug?" The doom-and-gloom scenarios bandied about by security analysts on how computers could act when their clocks turned to January 1, 2000?

Well, researchers are hoping that a potential April Fools' time bomb -- the Conficker.c that is supposed to hit computers on April 1 -- turns out to be equally unfounded.

But realizing that hope alone is not a prudent option, here is a primer on the worm so you can adequately prepare yourself -- and your computer.

Computer users will not know that Conficker.c has infected their machine.

What is Conficker.c and what do analysts fear it may do?

Conficker.c is a worm, a malicious program thought to have already infected between 5 million and 10 million computers.

Those infections haven't spawned many symptoms, but on April 1 a master computer is scheduled to gain control of these zombie machines, said Don DeBolt, director of threat research for CA, a New York-based IT and software company.

What happens on April Fools' Day is anyone's guess.

The program could delete all of the files on a person's computer, use zombie PCs -- those controlled by a master -- to overwhelm and shut down Web sites or monitor a person's keyboard strokes to collect private information like passwords or bank account information, experts said.

More likely, though, said DeBolt, the virus may try to get computer users to buy fake software or spend money on other phony products.

Experts said computer hackers largely have moved away from showboating and causing random trouble. They now usually try to make money off their viral programs

How does the Conficker.c work?

Conficker.c imbeds itself deep in the computer where it is difficult to track. The program, for instance, stops Windows from conducting automatic updates that could prevent it from causing damage.

The program's code is also written to evolve over time and its author appears to be making updates to thwart attempts to neuter the worm.

Who wrote the program?

It's unclear who wrote the program, but anti-work researchers -- a group calling itself the Conficker Cabal -- are looking for clues.

First, they know that some recent programs have come from Eastern European countries outside the jurisdiction of the European Union, said Patrick Morganelli, senior vice president of technology for Enigma Software.

Worm program authors often hide in those countries to stay out of sight from law enforcement, he said.

In a way, the Conficker Cabal is also looking for the program author's fingerprints. DeBolt said security researchers are looking through old programs to see if their programming styles are similar to that of Conficker C.

The prospects for catching the program's author are not good, Morganelli said. "Unless they open their mouth, they'll never be found," he said.

So, the most effective counter-assault simply may be damage control.

How can I tell if my computer's infected?

One quick way to see if your computer has been infected is to see if you have gotten automatic updates from Windows in March. If so, your computer likely is fine, DeBolt said.

Microsoft released a statement saying the company "is actively working with the industry to mitigate the spread of the worm."

Users who haven't gotten the latest Windows updates should go to http://safety.live.com if they fear they're infected, the company's statement says.

People who use other antivirus software should check to make sure they've received the latest updates, which also could have been disabled by Conficker.c.

How did the worm evolve?

The first version of Conficker -- strain A -- was released in late 2008. That version used 250 Web addresses -- generated daily by the system -- as the means of communication between the master computer and its zombies.

The end goal of the first line was to sell computer users fake antivirus software, said Morganelli.

Computer security experts largely patched that problem by working with the Internet Corporation for Assigned Names and Numbers to disable or buy the problematic URLs, he said.

A second variant, Conficker.b, was released in January and infected millions more machines.

The Conficker, strain C, will generate 50,000 URLs per day instead of just 250 when it becomes active, DeBolt said.

What is being done to fight Conficker?

Members are searching for the malicious software program's author and for ways to do damage control if he or she can't be stopped.

They're motivated in part by a $250,000 bounty from Microsoft.

Source: http://www.cnn.com

As part of Scott Guthrie's keynote March 18th at Mix 2009, Microsoft announced the final release of ASP.NET Model View Controller (MVC). If you haven't had a chance to look at it yet, now is your chance as it's officially out of beta and into full production.

ASP.NET MVC—Why All the Hype?

In case you haven't heard, Microsoft has made it abundantly clear that ASP.NET MVC isn't designed to replace ASP.NET Webforms development. Instead, it's another option that Microsoft is making available to developers. This is similar to Microsoft's decision to allow developers to code in both Visual Basic and C# - the idea being that developers chose what best meets their needs and particular styles.

Personally, I'll never go back to WebForms, because I'm sold on the way MVC solutions give me complete control over my markup, facilitate testing, and allow greater control over URL routing while making my code much more modular (which in turn, makes it easier to manage and extend). So, while MVC development might not be for everyone, it's definitely for me, and I'm completely sold on it.

ASP. NET MVC as a Testament to Innovation at Microsoft

But what I really love the most about ASP.NET MVC (in addition to all of the time it saves me as a developer), is that it's a perfect example of some very new, and innovative, approaches that Microsoft has taken in regards to addressing business and the web in general. Once upon a time, Microsoft's approach to the web and competing products and platforms basically consisted of doing nothing more than pretending that those offerings didn't exist. You can see some examples of this mindset by visiting some parts of the Microsoft corporate site, where many pages and applications simply don't work correctly with browers other than Internet Explorer. Likewise, this mindset was also at the heart (in my opinion) of much of the complaints leveled at Microsoft for being nonconformant with industry accepted standards.

But the MVC is part of a vanguard of new products and services delivered by Microsoft  where the company seems to take an entirely different approach. Rather than simply pretending that other offerings don't exist, this approach focuses on accepting the strengths of other platforms, analyzing those strengths, rolling them into Microsoft products where applicable, and then building supporting and competing Microsoft products that developers, and IT professionals, just can't do without.

IIS 7, for example, no longer pretends that PHP doesn't exist. Instead, it fully embraces it, and is striving to provide such a powerful hosting platform for it that businesses will choose to run PHP on IIS7 given the ease of management, extensibility, and flexibility that they'll enjoy from hosting PHP on a Windows Server. And if Microsoft is able to deliver? Then businesses will be buying Windows Server licenses for their web workloads, instead of using Apache licenses. It's a bold business approach to be sure, but I much prefer this approach to meeting the competition head-on, rather than watching Microsoft merely burying its head in the sand.

What's better though, is that it appears that as Microsoft continues to take this head-on business approach, we're finally starting to see some really innovative things coming out of Redmond. And in my mind, a prime example of that innovation has been the effort and energy devoted to the creation of ASP.NET MVC functionality. As an ASPInsider, I've been able to see just how innovative the ASP.NET team working on this project has been - and how careful they've been in creating this platform in order to ensure that it really, and truly, met real-world business needs.

A further example of how this innovation and its associated paradigm shift is taking root at Microsoft is the BizSpark program, which takes a very aggressive approach at preventing start-ups from courting the LAMP stack as a cheaper alternative to the Microsoft Stack by giving them three years to use Microsoft products and licenses for free.

And, if you think that I've possibly gone off the deep-end, or imbibed a bit too much of the Microsoft Kool-Aid, make sure to check out Bill Buxton and Scott Guthrie's Keynote from Mix '09. Here’s the link: http://live.visitmix.com/. You’ll need to mouse over the player, select the Other Videos option, and select the Day1 Keynote.

Unless there's something seriously wrong with you, this keynote will get you excited about development again, and it will totally make you rethink your relationship with Microsoft. You'll also see some great examples of real-life innovation.

Getting Started with ASP.NET MVC

As for ASP.NET MVC itself, if you've been waiting for it to mature a bit before playing with it (or just haven't had the time yet), now is a great time to pull it down and try it out. It now has a brand new portal page on the www.asp.net web site itself, and there are also a number of great videos that will help you get quickly spun up on how it works, and what it does. In fact, if you'd like a very quick overview of how MVC applications work, make sure to check out Stephen Walther's new video that shows a start-to-finish MVC app.

Likewise, one of the great things about MVC development is that it's insanely extensible and lends itself very well to customizations and tweaks. I've leveraged these capabilities extensively in my own projects, and a huge resource that's helped me in doing so has been access to the actual source code for ASP.NET MVC itself - which you can peruse (or even download) from the codeplex site.

Another resource that you'll want to pay attention to if you're interested in MVC development is MVCContrib, which is an extensive suite of open-source extensions and augmentations that can be used to improve MVC development. I've also found that Phil Haack’s and Rob Conery's blogs are great resources; they document some MVC features and functionality. But more importantly, these blogs are great resources in terms of explaining why certain features are implemented as they are. The resulting transparency from those blogs helps (in my mind) play a big part in much of the innovative spirit that makes MVC and other recent releases from Microsoft so exciting and refreshing.

Source: http://www.devproconnections.com/

The new OS is winning over notoriously skeptical tech bloggers and benchmarking sites. We put together a roundup of some of the results that show why Windows 7 could be faster than Vista.

The boot time and readiness of the OS has been getting the biggest plaudits from bloggers and benchmarkers, especially with its capacity to bring the computer to a functional state very quickly and to operate on less memory than Vista (the latter is largely thanks to the fact that Windows 7 doesn’t allocate video memory for non-visible Windows).

Other benchmark results are mixed, with Windows 7 beating its predecessors in some tests and lagging them in others (of course, it's still in beta, where XP and Vista are both production versions).

Here’s a sampling of some of the best results:

• The Firing Squad has a comprehensive test of the gaming and USB performance of Windows 7 vs XP and Vista. It’s hard to draw conclusions from its test result since they’re all over the place: Windows XP, Windows Vista and Windows 7 each had their ups and downs, and there was no clear winner overall.
• PC Games Hardware tests fewer games, but gives Windows 7 a slight edge in Far Cry 2 and Left 4 Dead. Its other tests were again a mixed bag, with some showing Windows 7 improving on Vista, and others showing it worse.
• Infoworld has a fascinating look at multi-core database performance. The short version is that Windows 7 and Windows Vista take better advantage of multi-core systems, but Windows XP actually performs better than they do on fewer cores.
• It’s not big on the details, but tests run by a ZDNet blogger give some major props to Windows 7. These tests cover mostly common tasks, like file copying and application starts.
• Hot Hardware has benchmarks that give Windows 7 a significant performance advantage over Windows Vista. The gaming performance of the two was roughly equal, but the Futuremark PCMark Vantage overall result for Windows 7 was 20% higher than Windows Vista.

In a sense, it seems to gel with the ZDNet tests – that Windows 7 does well at “mundane” tasks, but doesn’t thrash the competition in gaming.

Of course, if you’re tired of looking at benchmarks and want to try Windows 7 for yourself, you can download it from here until Feb 10.

The good news is that it’s very stable – I’m running it and have yet to have a crash. It’s not that different from Vista overall, and if you’d like to know more about it without having to install it, you can also check out Atomic’s visual Windows 7 Beta Walkthrough.

Source: http://www.pcauthority.com.au/

[QUOTE]
After a nearly five month search, Microsoft Corp. on Thursday said it has found a new executive to lead its charge against Google Inc. in the online search and advertising business: Qi Lu, a technologist who was previously a top executive at Yahoo Inc.

The move represents a switching of teams for Dr. Lu, whose former employer was the target of a $47.5 billion acquisition offer that Microsoft abandoned earlier this year. When he begins work as president of the online services group at the Redmond, Wash., company on Jan. 5, Dr. Lu, 47 years old, will face the formidable task of improving Microsoft from a distant third place position in Internet search, behind Google and Yahoo. His familiarity with Yahoo could make that easier if Microsoft is able to strike a deal to acquire Yahoo's search business, as Microsoft CEO Steve Ballmer has said he's keen to do.

In the first joint interview together, Mr. Ballmer and Dr. Lu on Friday morning discussed their plan for making Microsoft more competitive on the Internet. Mr. Ballmer also reiterated his interest in acquiring in Yahoo's search business and how it would be better for both companies if they can do a deal "sooner than later."

Excerpts of the telephone interview with both men follow:

WALL STREET JOURNAL: Steve, was this a difficult or particularly long search to find the right person to run your online business?

STEVE BALLMER: I'll say, no, actually to both. Somebody might have a different point of view. I think people would have wished, hey, just fill the job quickly. But "difficult" would imply it was tough to find the right guy. I think it was important for me to take the time to get to know many people in the online industry, which was great.

 
Steve Ballmer

And yet, it was not a difficult choice, I think, for what we need to accomplish, you know, sort of four key things. There's general management, and I've got great confidence in Qi [pronounced "Chee"] as a leader and manager. There's technology, certainly Qi has an unparalleled background. There's product as opposed to technology, and really what it takes to build a winning product. And if you want to build a winning product in search, again, there's no better guy on the planet than Qi, so I felt very good about that.

WSJ: His predecessor running Microsoft's Online Business had more of a sales and marketing background. Did you decide that deep technical skills first and foremost were the most important thing for improving your position in search?

Mr. Ballmer: There's a difference between technical skills and product skills. Both were important. There are a lot of people in our industry who understand the technology, but don't actually understand really what it takes to build a winning product. So perhaps the most important thing was the product skills, and really the understanding of what people want, and what they're trying to accomplish and get done. Then it's also great to have the skills to map that back into the technology itself.

We did restructure the job some, which made it easier to focus in on product, and general management as opposed to other things. We did take our sales force and move it so that we could manage it under our chief Operating Officer Kevin Turner, and that made it more pure to focus in on this issue. Also, because we moved the Windows Live pieces into the Windows group, which I think is appropriate, it created clear focus on search, portal and advertising as the product.

WSJ: Qi, what are your first priorities for helping Microsoft improve its competitive position on the Internet?

QI LU: I haven't started yet, but looking from outside, at the fundamental level, product quality, user experience is the key to being competitive in this space that we're in. Focusing on fundamental areas such as talent, core infrastructures, basic processes of doing things will be very important areas for me to focus. The way I do things I usually always prefer to have a very clear strategy and be very focused. At the same time to be very rock solid, and crisp in execution.

Qi Lu

WSJ: At Yahoo you were obviously in a competitive position against the dominant player in this business, Google. Do you feel like at Microsoft you will have better resources to more effectively compete against Google?

Mr. Lu: In my interaction with Steve the one thing that impressed and won me over is the level of commitment they are investing. They're investing resources, they're investing in our ability to distribute a product, investing in things that we can do to ensure we have at the highest quality of user experience, and that's very, very important.

WSJ: Do you feel at Yahoo that level of investment wasn't as high as it needed to be?

Mr. Lu: Yahoo was operating in a slightly different situation. The company has a different profile, type of business, and the operating margin structures it needs to operate with. So it's different.

WSJ: Steve, should a Yahoo search deal come to pass with Microsoft, would Qi's hiring make it easier for Microsoft to integrate whatever assets it acquired from Yahoo?

Mr. Ballmer: I think a search deal makes great sense for Microsoft, and Yahoo, and I think I've been very open about that. That's as true with Qi joining us as it was before Qi joined us. Obviously the logistics of any such integration…can only be simpler by having somebody who will know both sides. But, that was not a factor in hiring Qi.

Our focus on portal and search is super-strong, and even if we never do a Yahoo deal or anything else, I wanted to have Qi come on board. It is kind of a bonus that if something happened with Yahoo I'm sure it's somewhat simpler.

WSJ: In your last comments on this, you said that there are no talks going on with Yahoo. Has that changed? Are there any kind of talks about a search deal between Microsoft and Yahoo at the moment?

Mr. Ballmer: The answer is no, but I wouldn't tell you if there were. But in this case it's easy.

WSJ: Do you feel like you're in a situation where you can go slow with regards to Yahoo and any conversations, or do you need to move quickly?

Mr. Ballmer: We're fully prepared to compete without any partnership with Yahoo. We don't need to act. Would it be advantageous for both of us to make a deal? Look, the fundamental basis for doing the search deal with Yahoo has to do with critical mass in the advertising marketplace. It doesn't have to do with technology, or any of these other things, it really is a market phenomenon. Together we would have more advertisers….which means we'd have more relevant ads on our page. We'd have higher monetization levels possible in front of us because there would be more people bidding on more key words. Most importantly, Google would have perhaps a real credible competitor sooner.

I think good ideas are usually better done quickly than slowly, so it would probably be better for both us, and certainly for Yahoo, if we were to do it sooner than later. But at the end of the day, that would have be something Yahoo would be as interested in as I have expressed our interest.

WSJ: Do you think that that's unlikely before Yahoo finds a new CEO?

Mr. Ballmer: It's not my place to speculate there, I'm afraid.

WSJ: Qi, let me turn this around. You were at Yahoo when Microsoft made its acquisition bid. I'm curious what it was like being on the other side, and how you, as a Yahoo person, viewed Microsoft and how others inside the company viewed Microsoft?

Mr. Lu: For me, Microsoft has been one of the most, if not the most, successful technology companies. And the one thing you can say about Microsoft is about their competitiveness. They may not get it right in the first version of the product, but they're coming at and they'll keep coming at it and improving the product. And so we always respected that, and viewed Microsoft as you can never count them out as very worthy competitors.

With regards to the acquisition, certainly the management team and the board of directors made their decisions, and we all know about that now. Sometimes the employees, different people have different views. That's perhaps all I have to say.

WSJ: Do you think if the scenario that we talked about should come to pass, some kind of collaboration between Microsoft and Yahoo on search, that top talent would remain, and that there would be a relatively smooth integration of their assets with Microsoft?

Mr. Lu: Based on what I know of, I think certainly a case can be made that a lot of employees will remain, and they will be able to put together a smooth transition. Just to add to what Steve said earlier, the key value of consolidating the two search assets is by combining the supply and demand in the ad marketplace so that you have more advertiser base, and given that you will have ads that are more relevant, serve the user better, and create more [return on investment] for the advertisers, and certainly provide more yield, economic value for all parties involved.

WSJ: Should we look at an improvement in Microsoft's market share position in search, or are there other measurements by which you'll judge that the Internet business is headed in the right direction at Microsoft?

Mr. Lu: To me, ultimately in the search case, it's market share. Beside search share, there's a different set of metrics that can tell us how competitive our products are. There's a lot about measuring the quality of the search experience, and there's also a lot of measurements you can use that will tell us how effective our ad marketplace is at being able to provide yield.

Mr. Ballmer: The only thing I would add is, on the portal side of the business -- that's where we actually have our biggest revenue stream today -- we have a lot we think we can do to continue to drive page views.

WSJ: Can you set some expectations for how much you think you can improve your market share in the absence of a deal with Yahoo?

Mr. Ballmer: I don't choose to make forecasts on that kind of stuff ever. It's a function of a lot of things – how rapidly the product improves, how quickly we can sort of capture user imagination on the kinds of improvements we're making, how effective we are in getting our search product distributed. I said to our shareholders that we are prepared to invest significant amounts of money in our online business, 5 to 10 percent of operating income if we had to, for the next five years.

WSJ: Steve, are you concerned that with the departure of Brian McAndrews, the former senior vice president of Microsoft's advertiser and publisher solutions group, and before him Steve Berkowitz, that Microsoft may seem like a inhospitable place to outside executives who come in to run your online business?

Mr. Ballmer: No. You probably should ask Qi. He's an outside exec who is coming in to run our online business.

WSJ: But he doesn't start until January.

Mr. Ballmer: Yes, that's right. So if you want to scare him away, this is the call, I guess. I'm teasing.

No, I don't think so. I mean, Brian, we acquired his company [aQuantive]. And Brian is a CEO, he's been a CEO for a long-time, and you've got to make a judgment. It's different than acquiring a small startup, and when Brian came in he said, hey, look, I'll help you with the transition and I'll see what I think. And he had a chance to do that, this is sort of the right time for him to make a transition. We don't say he's retiring because I suspect he'll be a public company CEO again someplace in the not too distant future, but he's been a great facilitator of the integration of aQuantive, for which I'm very thankful. He's a good friend. Our sons play on the same basketball team.

In general, I would say we have a very good track record in terms of executives coming in from the outside, but a very good record is never 100%. I was talking to the CEO of a Fortune 10 -- the head of HR for a Fortune 10 company – and I said what's your track record? He said we keep about 50%. I said, well, we do a lot better than that we keep about 70-75%. So I think we do pretty well.

WSJ: It was pretty widely known that Brian McAndrews was interested in this job, running the online business. Did you make any effort to try and keep him in some other role?

Mr. Ballmer: I love Brian. It would have been great to have him stay at Microsoft, but I respect the decision he made for his career goals and ambitions.

WSJ: Microsoft I think has hired another Yahoo, former Yahoo technologist, Sean Suchter. Are you specifically attempting to hire talent away from Yahoo?

Mr. Ballmer: I should take that, because Qi has had absolutely nothing to do with any recruiting we've been doing as a company to date, because he hasn't started. We have an A team in search. We have a great competitor, but we have an A team. Sean, who I had a chance to talk with during the process, is another great talent. I'm sure there's other people we've hired from Yahoo. I've been reading there's people they've hired from us. It's a small industry, so some of the talent will flow that direction.

WSJ: Steve, does the souring economy affect your ability to improve your position in search, either on the upside or the downside?

Mr. Ballmer: I don't think it makes a material difference.

WSJ: I'm curious if any pull back in spending on advertising will negatively affect your goals here.

Mr. Ballmer: You asked about market position, which to me implies share. Will online advertising suffer with the economy? The answer to that is sure, of course it will. It makes the P&L tougher. There's no question about that.

On the other hand, relative to building share and position in search and portal, and share of advertising, I don't think the economy is really a factor for us. I don't know if you know the old story about the two guys out in the woods who see a bear, and one guy says, boy, we'd better really run fast, or that bear is going to get us. We've got to run faster than the bear does. And the other guy says, no, I've just got to run faster than you do. In this economy, maybe that's the right way to think about it.
[/QUOTE]

Source: online.wsj.com

>> Dan released the first 'technology preview' release of EncodeHD to replace the Encode360(info) tool. EncodeHD is a an application to re-encode all types of video files for use on your home media player or on-the-go device. It aims to provide a simple interface with no fuss.
From dcunningham.net:

[QUOTE]
So firstly, let's talk EncodeHD. Look at the current beta release (0.71) as a 'technology preview' of sorts. The idea here is to verify that we've got the primary encoding mechanisms up to scratch. So what I'm looking for here is to make sure that video converts for all devices as expected and that the quality is good (or great).

The key things to note for EncodeHD are:

• Outputted video is MPEG4 and H.264 with AAC (or AC3) audio, NOT WMV (this is not strictly for X-Box 360 anymore)
• This means that 5.1 audio for the X-Box 360 is not yet supported in these formats
• Subtitles are also not yet possible, although I'm looking into it

As of now, there's still a lot of unimplemented functionality that will be added later. If you want to see something in particular, please let me know. However, if it's going to cludge up the interface and start making things complex, I may not implement requests. We'll have to see.

One of the nice things about EncodeHD is that it has built-in bug reporting. If you hit a problem, it will ask you if you want to submit a bug report - including all the details I need to help solve the issue. If however, the problem is with video output, it may not detect any problems. In this case, could I ask you to email my bug-tracking system: cases@dcunningham.fogbugz.com, and attach the EncodeHD.Log file which you can find in your Temp folder (Click Start > Run and type %TEMP% to access it).
[/QUOTE]

Official Site: http://dcunningham.net
Download: here

[QUOTE]
Half the things" Microsoft wanted to put into the New Xbox Experience were cut out, Europe's Xbox Live boss has told CVG.

Speaking in a recent interview Microsoft's Jerry Johnson said that the redesigned Xbox 360 dash isn't finished yet and detailed plans to bolster the backend with new applications and content.

"There's still a lot of stuff we want to do," Johnson told CVG in an interview. "Half the things we wanted to do [in NXE] we cut out of the service.

"One of the nice things we did was this architectural change to make things more published and driven from the service. All of a sudden we opened up the platform to say 'I don't have to wait until once or twice a year to release something onto the dashboard'.

"There's a Photo Party app that will be part of the platform," the XBL man added. "The way it will be distributed is all of a sudden you'll see a slot on the dashboard and if you don't have it you click on it and it's going to download from the service onto your application part of the dashboard. Those are the type of things we're going to start doing. Johnson also confirmed that Xbox Live Primetime, which offers server based 'game show' style online games, will be launched in spring 2009.

"I think we're going to see more social, more content-type apps. I also think from a platform perspective we can continue to do a lot of new things," he said.
[/QUOTE]

Source: http://www.computerandvideogames.com

[QUOTE]

Microsoft claims that the New Xbox Experience — that big dashboard upgrade being pushed to all 360 owners on November 19 — will allow your favorite Xbox 360 games to load more quickly. To enjoy that benefit, a gamer will have to install their disc-based games onto their 360’s hard drive.

People keep asking me if doing the installation is worth the trouble. Are loading times that much better?

I tested Microsoft’s claim on four games, using my NXE-enabled 360. Above, you can watch the initial loading for “Grand Theft Auto IV,” DVD vs Hard Drive. After the jump, check out loading comparisons for “Fable II” and “Gears of War.”

(Videos not viewable by users logging in from Canada or the U.K.)

In all cases, I spammed the A button of my controller as soon as the game started loading, so you’re seeing my fastest attempts to get from the new dashboard to the new games.

Each of the games took about 11 minutes to install and required between 6.6 and 6.8GB. It shaved off about nine to 15 seconds off the initial load times.Think it’s worth it?

[/QUOTE]

Source: http://multiplayerblog.mtv.com

[QUOTE]
Just months after his Microsoft farewell, Bill Gates is quietly creating a new company -- complete with high-tech office space, a cryptic name and even its own trademark.

Public documents describe the new Gates entity -- bgC3 LLC -- as a “think tank.” It’s housed within a Kirkland office that the Microsoft co-founder established on his own after leaving his day-to-day executive role at the company this summer.

Is this Bill Gates’ next big business? A Gates insider gives an emphatic no  -- saying it’s not a commercial venture but rather a vehicle to coordinate the software mogul’s work on his business and philanthropic endeavors.

However, bgC3 will also oversee Gates’ personal pursuit of breakthrough ideas in science and technology. The insider said the goal isn’t necessarily to create new companies, although ideas could be passed along to Microsoft, the Bill & Melinda Gates Foundation -- or others – as it makes sense.

Whatever the ultimate role of the company, the circumstances surrounding its creation provide a behind-the-scenes glimpse into the new era of Gates’ life.

State records show that the company, originally called Carillon Holdings, was established in March 2008. It formally changed its name to bgC3 in early July, 10 days after Gates left his full-time job at the company he built into an industry giant. He remains Microsoft’s chairman and continues to work part-time on projects.

The records describe bgC3 as a “holding company” headquartered in Kirkland –a relatively short, picturesque drive from Gates’ home on Lake Washington.

Federal trademark filings provide more clues – describing bgC3 as a think tank, under a generic trademark classification that corresponds broadly to areas including "scientific and technological services," "industrial analysis and research," and "design and development of computer hardware and software."

But what does bgC3 mean? The logical assumption might be “Bill Gates Company Three” – his third enterprise after Microsoft and the Bill & Melinda Gates Foundation. But that’s only partially right, according to the Gates insider.
The “bg” is Bill Gates, the insider says, but the “C” stands for “catalyst.” The idea is that Gates will play that role as he brings together new people and ideas. The “three” reflects the notion of a third place, apart from Microsoft and the foundation.

Before beginning his transition this summer, Gates told reporters that he would focus full-time on the foundation, and part-time on selected Microsoft assignments.
He acknowledged plans for his own office in Kirkland, apart from Microsoft and the foundation, but didn't discuss specifically any plans to organize that office under a new company. At the same time, he said he would be open to personally supporting breakthrough ideas where he sees a chance to advance the state of mankind.

It's not clear exactly where those interests will lead, or precisely what role bgC3 will play in the long run. But Gates, who turns 53 next week, has increasingly expanded his focus beyond Microsoft to problems of technology, science and society.

Much of that broader focus has come through the Gates Foundation, which deals in issues of education and global health. People associated with Gates say he is still expected to focus primarily on the foundation in this new era of his life.

But particularly at a time of economic turmoil, Gates' status and wealth could put him in a position to bring in top scientists and other notable people to work with bgC3. Gates has historically surrounded himself with smart people, and he’s famously thirsty for knowledge. His interests go well beyond computer science into fields as disparate as energy, biotechnology, and global economics.

The concept of a technological think tank wouldn’t be new to Gates. He has taken part in high-powered brainstorming sessions organized by his friend, Nathan Myhrvold, Microsoft's former chief technology officer, who now heads a company called Intellectual Ventures LLC, based in Bellevue. Projects that Gates is backing through Myhrvold include an effort to create an alternative nuclear reactor that produces clean power without waste or proliferation.
Whatever its aims, the new Gates organization doesn't appear to have ambitions of becoming another behemoth. In a letter last year to a Kirkland city official, a Gates representative wrote that total occupancy would be limited to between 40 and 60 people, including employees and visitors, in the space that bgC3 now occupies.

At the same time, it’s no ordinary office space. Visitors say it’s fully stocked with Microsoft technologies, including a Surface tabletop computer with a virtual guestbook application.

Some of bgC3’s activity has been recent. According to the U.S. Patent and Trademark database, the company filed Sept. 29 for federal trademarks on "BGC3" and the "C3" logo. The latter (pictured above) is an intertwined "C" and "3" in block letters.

The Microsoft chairman has established companies before to serve specific purposes, primarily behind the scenes. Watermark Estate Management Services LLC oversees many of Gates’ personal and family matters, and Cascade Investments LLC oversees his stock and other financial holdings.

Several of Gates’ associates are named in the documents tied to bgC3, although Gates himself isn't identified by name in public records associated with the company – a main reason its existence hasn't received media attention until now.
[/QUOTE]

Source: http://www.techflash.com

[QUOTE]
That's right! You can download it now! We'll be asking your help to put this baby through her paces as we lead up to the official release later this year. It is your input that makes us stronger, faster and better.

Download XNA Game Studio 3.0 Beta at Launch Center

If you do find any bugs or just have a suggestion on ways we can make XNA Game Studio 3.0 more awesome head over to Microsoft Connect to submit them to us.

Here is a list of the changes:

Zune

• Compatibility with the upcoming Zune 3.0 Firmware release. Please note that the XNA Game Studio 3.0 CTP will no longer work once you have upgraded your Zune device to the 3.0 firmware.
• Improved deployment stability.
• Support for Zune deployment on Windows Vista x64 Systems!
• You can now use the Remote Performance Monitor for Zune games.

Xbox 360

• Xbox 360 project templates (You will not be able to develop on the Xbox 360 until our final release. We felt this was important to include so that you could get projects converted over and look at the system, even if you are not able to run the games, yet).
• Support for the Big Button Pad.

Framework & Visual Studio Features

• Enumerate and play back media on your Windows computer or Xbox 360.
• Simple sound effect support on Windows computers and Xbox 360.
• Support for Rich Presence (lets friends know what’s going on in your game).
• Support for Invites (ask your friends to join you in a multiplayer game) and Join Session In Progress (after you see what your friends are doing, you can join their current session with just a couple of button presses, even if that’s a different game to the one you are currently playing)
• Compress your content and save space with the new content compression features!
• ClickOnce packaging support for distributing your XNA Framework games on Windows.
• Upgrade your project from XNA Game Studio 2.0 using the Project Upgrade Wizard!
• Take screen captures of your game running on Zune through the XNA Game Studio Device Center.
• Support for .NET language features like Linq
• Create multiple content projects and leverage cross project synchronization in Visual Studio.
• FBX importer improvements: read materials containing multiple textures, and export custom shader materials directly out of Max or Maya.

[/QUOTE]

Source: blogs.msdn.com

[QUOTE]
1. Connect your Xbox 360 to two screens at once

If you've got one of the component/composite dual video cables – the one that comes in the box with most 360s – you can have your console display its gamey goodness on two TVs simultaneously. The trick is to flick the cable's switch to Standard Definition but hook up the composite (yellow) cable to one screen and the component (the red, green, blue) cables to another. It won't be high-def, but it could be handy if you're staging a mini LAN party and want to set up a display for bored spectators to point their eyes at.

2. Play your own music in original Xbox games

That you can fire up your own MP3s during a 360 game is common knowledge (and re-soundtracking moody horror games with the Benny Hill theme tune never stops being funny), but it doesn't work if you're playing a title from the original Xbox. There's a way around it – start playing your album or playlist before you load the game, and it'll keep on playing once you do fire the title up. The game's own music won't be muted, however, so if you can't do that in its settings you'll go mad from the weird cacophony.

3. It can write its own blog

Ah, the internet – founded upon crazy men making crazy things for free. Such as a blog supposedly written by your 360, based on what you've been using it for. It monitors your Live account and automatically generates entries about what it's been up to that day (or what it hasn't been up to – expect many posts about neglect if you don't turn it on for a while). The tone is very much American geek, but it's a fun record of your own gaming habits, and of keeping an eye on what your chums are up to. Get set up atwww.360voice.com.

4. Play Xbox 360 games online for free – without a Live account

That you have to pay a subscription for online gaming, something that's free on other consoles and on the PC, is perhaps the 360's greatest bugbear. Stage your own form of peaceful process by playing online without paying a penny. You'll need XLink Kai, a free app you run from a PC on the same network as the console that tricks the 360 into thinking the internet is a LAN.

So it'll treat remote opponents as though they're in the same room as you – and you don't have to pay for local multiplayer. Clever! One snag – Microsoft has set the 360 to boot out anyone with a ping higher than 30ms, so you'll have to be selective about who you play with. Local chums are best, not your Chinese penpal.

5. Interact with your Xbox 360 music

Hit X whilst playing a music CD or file (whether from the 360's hard drive, an MP3 player you've plugged in, or streamed from a PC) and you'll enter Psychedelic Wonderland. Well, some artful visualisations, anyway. Grab a controller or two (or up to four, as it happens) and start moving thumbpads and pressing buttons to interact with the crazed shifting colours. There are actually some fairly elaborate controls – read the full manual athttp://www.llamasoft.co.uk/x360manual.php. Good at parties, this.

6. Connect your Xbox 360 to a wireless network without an official adaptor

The good news is you don't have to drop £50 on Microsoft's offensively overpriced Wi-Fi adaptor. The bad news is you'll need a laptop with W-Fi to do it. Head to Control Panel – Network Connections (In Windows XP) or Network & Sharing Center – Manage Network Connections (in Vista). Select the Local Area Connection and the Wireless Network Connection at once, then right-click and hit 'bridge connections'.

Disconnect then reconnect to your wireless network, run a network cable from the laptop's Ethernet port to the 360's, and you should be good to go. Unfortunately, you may have to remove the bridge (repeat the above process and you'll see the option) whenever you want to browse the net with the laptop.

7. Play music from your iPod

Not a secret as such, but Microsoft doesn't exactly shout about the fact it plays nice with a device made by uber-rival Apple. Hidden in the depths of the Marketplace, you'll find a teeny download called 'optional iPod support'. Once you've grabbed that, plug in your iPod (iPhones aren't supported yet, sadly) and head to the Media Blade. You'll see your pod appear there, and can now browse its music by album, artist, genre or whatever. It'll also charge via the USB port, usefully.

8. Reset your Xbox 360 video settings

Remember this one if you're in the habit of carrying your console to chum's houses and hooking it up to different displays. It can end up trying to output the wrong signal, so you can't see anything or get a flickering screen. Fortunately, there's a fairly simple fix if this happens. Remove any discs from the tray and turn the thing off. Then turn it on using a gamepad. As it boots, hold down the Y button, then hit and hold the right trigger. The video settings will reset to default, and you'll stop your sobbing.

9. Play any media file, plus online videos on your Xbox 360

Free app Tversity neatly sidesteps the pointless video/audio restrictions Microsoft, Sony and Nintendo alike slap on their consoles, making them able to play any format. Again, you'll need a PC on the same network, but it's a simple matter of installing the program and having it scan the folders you keep your media in. It'll replace the standard network file-sharing system Windows uses, but behaves pretty much the same way at the 360's end. As well as that, it'll convert unsupported files on the fly – though you'll need a pretty beefy PC to do this with large video files, otherwise you'll be waiting ages. You can also add online video URLs on the PC's end – including Youtube – and then access those from the console.

10. Use any HDMI cable and still get digital surround sound

Though the newer 360s have an HDMI output for optimal video quality, they've built the ports in such a way that you can't have the standard component/composite video cable, with its crucial optical audio output, plugged in at the same time as HDMI. Instead, you're supposed to drop a frightening amount of money on the official HDMI cable with audio adapter. Balls to that. See the big plastic box at the end of the standard video cable that connects to the console? Wedge a knife or screwdriver into the join and twist to pop it off. The result looks messy, but is small enough to plug in alongside a standard, cheapo HDMI cable.
[/QUOTE]

Source: www.techradar.com

[QUOTE]
Here's a video of the Google Tech Talks titled "The Xbox 360 Security System and its Weaknesses" by Michael Steil (mist) and Felix Domke (tmbinc): "After the disaster of the original Xbox, Microsoft put a lot of effort in designing what is probably the most sophisticated consumer hardware security system... "

[/QUOTE]

Source:xbox-linux.org via www.xbox-scene.com

This tutorial is about how to configure your web server to stream your own movies on your web page just like video.google.com does.

Requirements:

• Windows Server 2003
• IIS 5.0/6.0
• ffmpeg.exe (from http://ffmpeg.mplayerhq.hu or download latest beta version here)
• flvtool2 (from http://inlet-media.de/flvtool2)
• a GUI for ffmpeg (if you don't want to use the console, e.g. Avanti http://avanti.arrozcru.com)
• a FLV Streaming Player (e.g. FLV-Scrubber 3.0 by Fabian Topfstedt: http://topfstedt.de/FLVScrubber3/FLVScrubber.swf)
• a FLV Player (e.g. http://flv-player.softonic.de)
  

1. Configuring Windows Server 2003 and IIS

Add a new web site in your IIS and don't forget to select "Run Scripts (such as ASP)".

Using this HTTP handler you can easily FLV streaming downloads just like . All you need is to install on your IIS 5.0/6.0 the following HTTP handler and to get this to work correctly, you will need to make sure that IIS handles request for .flv files. In your site's properties, click the "Home directory tab" and click the "Configuration" button. You'll get a form like this:

Add the entry for .flv, click edit, and copy the path in the executable field. This is the aspnet_isapi.dll for the current version of the .NET Framework of your virtual site. Cancel out of that dialog and click "add." Paste the path into the executable, use the extension .flv and set your verbs limited to "GET, POST, HEAD, DEBUG" like this:

Now any request for a .flv file on the site will be handled by ASP.NET. Since the server-wide machine.config file doesn't specify what class should handle the request, a default handler is used unless we add the following lines to the web.config file (of your web site):

2. Coding

Web.config

<httpHandlers>
verb="*" path="*.flv" type="FLVStreaming" />
</httpHandlers>

FLVStreaming.cs

using System;
using System.IO;
using System.Web;
public class FLVStreaming : IHttpHandler
{

    // FLV header
private static readonly byte[] _flvheader = HexToByte("464C5601010000000900000009");

public FLVStreaming()
    {
    }
public void ProcessRequest(HttpContext context)
    {
try
{
int pos;
int length;
// Check start parameter if present
string filename = Path.GetFileName(context.Request.FilePath);
using (FileStream fs = new FileStream(context.Server.MapPath(filename), FileMode.Open, FileAccess.Read, FileShare.Read))
            {
string qs = context.Request.Params["start"];
if (string.IsNullOrEmpty(qs))
                {
                    pos = 0;
                    length = Convert.ToInt32(fs.Length);
                }
else
{
                    pos = Convert.ToInt32(qs);
                    length = Convert.ToInt32(fs.Length - pos) + _flvheader.Length;
                }
// Add HTTP header stuff: cache, content type and length       
context.Response.Cache.SetCacheability(HttpCacheability.Public);
                context.Response.Cache.SetLastModified(DateTime.Now);
                context.Response.AppendHeader("Content-Type", "video/x-flv");
                context.Response.AppendHeader("Content-Length", length.ToString());
// Append FLV header when sending partial file
if (pos > 0)
                {
                    context.Response.OutputStream.Write(_flvheader, 0, _flvheader.Length);
                    fs.Position = pos;
                }
// Read buffer and write stream to the response stream
const int buffersize = 16384;
byte[] buffer = new byte[buffersize];
int count = fs.Read(buffer, 0, buffersize);
while (count > 0)
                {
if (context.Response.IsClientConnected)
                    {
                        context.Response.OutputStream.Write(buffer, 0, count);
                        count = fs.Read(buffer, 0, buffersize);
                    }
else
{
                        count = -1;
                    }
                }
            }
        }
catch (Exception ex)
        {
            System.Diagnostics.Debug.WriteLine(ex.ToString());
        }
    }
public bool IsReusable
    {
get { return true; }
    }
private static byte[] HexToByte(string hexString)
    {
byte[] returnBytes = new byte[hexString.Length / 2];
for (int i = 0; i < returnBytes.Length; i++)
            returnBytes[i] = Convert.ToByte(hexString.Substring(i * 2, 2), 16);
return returnBytes;
    }

}

All you need now to stream your favorite FLV movies is a custom-made player which is fetching the contents passing to the request the ?start= parameter in order to seek the current position inside the video file.

Fabian Topfstedt has one available onto his site (get the player and place it in your site document root).

To use Fabian player you have to embed the following HTML code inside your page (and of course you should change the path to you .flv video and player):

 <object id="FLVScrubber" width="450" height="253" classid="clsid:D27CDB6E-AE6D-11cf-96B8-444553540000" codebase="http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab#version=9,0,0,0"><param name="movie" value="http://topfstedt.de/FLVScrubber3/FLVScrubber.swf"/><param name="bgcolor" value="#000000"/><param name="allowScriptAccess" value="sameDomain"/><param name="allowFullScreen" value="true"/><param name="flashVars" value="file=http://www.nibbler.at/republicofideas.flv&previewImage=http://nibbler.at/republicofideas.jpg"/><embed src="http://www.topfstedt.de/FLVScrubber3/FLVScrubber.swf" bgcolor="#000000" width="450" height="253" name="FLVScrubber" allowScriptAccess="sameDomain" allowFullScreen="true" flashVars="file=http://www.nibbler.at/republicofideas.flv&previewImage=http://nibbler.at/republicofideas.jpg" type="application/x-shockwave-flash" pluginspage="http://www.adobe.com/go/getflashplayer"></object>

There are three attributes of interest: Width and height define the resolution of FLV-Scrubber. If your videos’ native resolution is eg. 320×240 pixels, you might want to set width to 320 and height to 240. No problem if does not match, the video just will be scaled up or down. The third attribute is “flashvars”. That’s where you change the bahaviour and pass over information to FLVScrubber. You need to set at least file here, to link to the video you want to play. Everything else is optional (key/value pairs inside the flashvar attribute are separated using &). Here is a complete list:

• file=[URL] defines which video to show
• &autoStart lets the video start immediately
• &bufferTime=[number] changes the buffer time (default is 3 seconds)
• &clickTag=[URL] defines a target to call after video ended
• &credit=[(URL encoded) text] to show a credit like your company name in the context menu
• &link=[URL] defines a website to open when user clicks into the video
• &linkTarget=[blank,parent,self,top] defines the target of the website above (default: blank)
• &loop=true lets your video replay itself instead of ending (default: false)
• &previewImage=[URL] sets an backgroundimage as preview before playback starts
• &scrubbing=false use that, if you’re webserver has no enabled module for fake streaming (default: true)
• &seeking=false disallows the user to seek inside the video (default: true)
• &secondsToHide=[number] defines amount of seconds that the controlbar waits before hiding (0 means never, default is 5)
• &startAt=[number] defines the the second where the playback will start (default:0)

3. Converting your movie into FLV format

Now you need to convert/encode a video file (e.g. .avi) into a .flv by using ffmpeg and flvtool2 to index your in order to add the correct metadata inside the FLV file. You can do this by using the console (e.g):

ffmpege.exe -i test.avi test.flv
flvtool2.exe -U test.flv

or by using a GUI for ffmpeg like Avanti (http://avanti.arrozcru.com):

(don't forget to copy the ffmpeg.exe in your ../avanti/ffmpeg folder and load the "FLASH HQ" template from the Avanti menu). If you are a proud owner of Adobe Flash Professional 8 you can use the Flash 8 Video Encoder and you don't need ffmpeg and flvtool2 to encode and index your videos.

After encoding your video you can use a PLV Player (e.g. http://flv-player.softonic.de) to check if .flv file match your needs (e.g. correct resolution, bitrate...).

Now upload all file to your web server and your web site root should look like:

yourdirectory/App_Code/FLVStreaming.cs
yourdirectory/Web.Config
yourdirectory/default.htm
yourdirectory/FLVScrubber.swf
yourdirectory/yourmovie.flv

[QUOTE]
According to Commtouch Software, an average of about 10 million zombie computers worldwide are sending an average of 3 million messages every day. Some time periods indicate a collective peak spam output of 8 million to 10 million messages.

Many of those messages are sent through the top three web-based mail services. Gmail, operated by Google, ranks #3 among the top 10 origins for spam. Yahoo ranks #6, and Hotmail, operated by Microsoft, ranks #7. It's probably not coincidental that the rankings correspond to the popularity of each company's search engines and other online services.

The current top 2 offending domains origins are nearly unheard of by the majority of Internet users. Active-encounter.com, operated by marketing company iLead Media, ranks #1 and authentic-mechanic.com, registered to Tad Asaro, ranks #2. Asaro is registrant of the relatively new BabytoBee.com site.

Commtouch's cost calculator currently indicates that a company with 50 employees, each with an average salary of $50,000 per year, who also receive 25 messages per day - half of which are spam - would spent $14,300 per year as a direct result of dealing with spam.
[/QUOTE]

Source: windowsitpro.com

[QUOTE]
Apple's MobileMe and Google'sGmail online e-mail services suffered hours-long outages Monday, leaving millions of users unable to access their accounts.

Google restored service within about two and a half hours, but it took Apple approximately seven hours to restore full access to its online mail service.

Apple users first reported trouble accessing the service's servers from their desktop mail clients around 2 p.m. Eastern, and in the next several hours, posted several hundred messages on the MobileMe support forum about the outage.

A notice on the service's main support page acknowledged the problem. "MobileMe members are intermittently unable to access MobileMe Mail using a desktop e-mail application, iPhone or iPod touch," said Apple. "Access to www.me.com/mail is unaffected. Service will be restored ASAP. We apologize for any inconvenience."

By 9 p.m. Eastern that notice had been replaced with an all-clear indicator.

Google's Gmail, meanwhile, went offline around 5 p.m. Eastern, and greeted users with a message reading in part, "We're sorry, but your Gmail account is currently experiencing errors."

A little over two hours later, Google added a notice to its Gmail help page that attributed the outage to "the contacts system used by Gmail which is preventing Gmail from loading properly. We are starting to roll out a fix now and hope to have the problem resolved as quickly as possible."

Shortly after that, at about 7:30 p.m., Google declared the outage over. "Users who were temporarily affected by the 502 errors should now be able to access their account," read a message posted to the Gmail Help Discussion forum. "Thanks for your patience while we worked to resolve this issue for everyone."

Apple users were especially livid, in part because they, unlike Gmail's users, pay for their service, and also because of the multiple problems they had with MobileMe since its launch a month ago.

"I'm so disgusted with Apple right now I don't even know what to say," said a user identified as "Furi0us.Bee" in a message posted to the longest forum thread on the subject.

"This is crazy," said another user, "mac_wa," on the same thread. "I have had more down time with my mac/me mail than any other service I've had... and I pay for this."

But Owen Schultz had one of the best takes of any user. "Dear MS Outlook," Schultz started, "I am so sorry about our breakup several year ago. I have been thinking about you a lot since then. Will you please consider taking me back? Just one more chance? I'm sorry about all the horrible things I said about you and your operating system. You were the best I ever had! MobileMe and I are finished!"

MobileMe's travails -- ranging from an extended migration from its predecessor, .Mac, to an 11-day mail outage last month -- prompted Apple's CEO, Steve Jobs, to issue a memo to company employees last week in which he called the rollout "not up to Apple's standards."

Jobs shook up Apple's management team over the series of snafus, and handed responsibility for the service to Eddy Cue, who heads iTunes.
[/QUOTE]

Source: www.infoworld.com

In addition to stating that PlayStation 3 owners are most likely to have other "next-generation" consoles than Wii and Xbox 360 owners, NPD claimed that only 10% of PS2 owners have a PS3. In the realm of portables, 45% of PSP owners have a Nintendo DS, but only 21% of DS owners have a PSP.

Despite the broad declarations, NPD did not provide specific figures for console and PC playtime. Likewise, an exact breakdown showing the ownership patterns of those that have multiple "next-generation" consoles was absent from the release.

Using information gathered back in January and February, the report separated the North American game-playing populace into the following seven categories, totaling 174 million gamers:

• Young Heavy Gamers: 22%
• Seconday Gamers: 20%
• Console Games: 17%
• Offline PC Gamers: 15%
• Online PC Gamers: 14%
• Avid PC Gamers: 9%
• Extreme Gamers: 3%

The segments are categorized by usage, ownership and frequency numbers, though the specifics definitions were not provided.

Though PCs were "used more than any single console for gaming," NPD stressed that "Console Gamers, Young Heavy Gamers and Extreme Gamers are more likely to use consoles than a PC to play video games."

As for sales, NPD reports that 14% of games purchased between November 2007 and January 2008 were digital downloads. Extreme Gamers bought nearly 24 titles across the three month period, with NPD claiming that figure is "over seven times more than the second leading purchasing segment.""Although Extreme Gamers are heavily involved with the industry, they represent a small portion of the potential market for any new game that comes to market," commented analyst Anita Frazier. "In order to promote continued growth, we must better understand all of the gaming segments."

Details on the methodology of the report are as follows:

"The data was collected from more than 20,000 members of NPD's online consumer panel, ages two to 65+. Responses for consumers ages six to 12 were captured by instructing a parent to take his or her child in this age range to the computer to answer the questions, either with or without the parent's assistance. Qualified respondents reported they personally play video games on a PC, on a console or portable system, or on another device such as a mobile phone. The following four key variables were used to create the gamer segments: ownership; usage; frequency; and purchased/received video games. Final survey data was weighted to represent the U.S. population of individuals ages 2 and older. Fieldwork was conducted from January 11-February 5, 2008."

Note: This study was conducted in January, meaning that questions that refer to consumer behavior in the past three months include the Christmas/Hanukkah holidays.

[/QUOTE]

Source:www.shacknews.com

[QUTOE]

Las Vegas (NV) – The Internet relies on trust, but what if all that trust comes tumbling down?  That’s exactly the problem noted security researcher Dan Kaminsky described today in his Black Hat talk about DNS cache poisoning.  Several months ago, Kaminsky discovered a vulnerability in the DNS protoctol that allowed bogus name information to be sent to other servers and desktop computers – in essence hackers could redirect web surfers, chat clients and even email servers to machines of their choosing.  Specific details about the vulnerability and the ways to exploit it have been kept secret until today …

Kaminsky is the director of penetration testing for IOActive and specializes in playing around with DNS.  He says he found the vulnerability by accident while he was poking around for other “toys”. To fully understand the bug, let’s go into a brief introduction into how DNS or domain name service works.  Network gurus can probably skip the next few paragraphs.

Almost every Internet service you use, from email to web browsing uses DNS convert the easily remembered names like www.google.com, www.youtube.com and others into IP address like 123.456.789.123.  This conversion is needed because people can remember names easier.  Also companies can change names while keeping all their services pointed to the same numerical IP address.
Behind the scenes, DNS servers make this magic happen by holding a database of DNS records which are lists of names with corresponding IP addresses – think of it as a big list of example.com = 123.456.789.123, example2.com = XXX.XXX.XXX.XXX, etc.  Client computers ask for an IP address by sending a DNS request to the server and the server will reply back with the answer.  Of course servers can only hold so much information, and will hand off the request to a more authoritative server, if it doesn’t know the answer.  The requests can be further bounced up the chain until they reach the ultimate or root domain name servers for the Internet.  If these guys don’t know the answer, then the name to IP address mapping doesn’t exist.
Now imagine yourself as a 411 operator who has to find telephone numbers when asked about a certain place - let’s say Outback Steak House in Torrance, California (our favorite place in the world).  On the first call, you’d probably type it into your computer and wait for the answer, but let’s say the place is really popular and you get tons of calls every day for the place.  Eventually, a smart operator would write the number on a Sticky-Note and post it on the monitor for quick retrieval.  Then when a person calls, you simply read the number on the note, rather than taking the time to type it into the computer.  Well this is exactly what DNS servers do in form of cache.
Kaminksy’s DNS bug, as some people are calling it, exploits this cache by sending malicious requests and once a sufficient number of requests have been sent, the hacker can start rewriting the entries.  It’s important to distinguish that the actual records of the DNS server is not corrupted by this bug, rather it’s the entries in the cache itself.
Kaminsky sat down with us afterwards to give us all the gory details that would make the average man’s head explode, but hey that’s why you come to TG Daily isn’t it.  His attack forces your local domain name server (which is probably your Internet router) to basically perform all the work.  The bad guy forces the DNS server to purposely miss the cache by asking for the IP address of crazy domain names like 1.foo.com, 2.foo.com, 3.foo.com.  Your local domain name server won’t know the details so it then asks other servers to obtain the answer.
As requests and replies flow out and back to your local server, the attacker then unleashes a torrent of specially crafted packets to the victim domain name server.  These packets try to guess the transaction ID of the DNS reply which is a number that ranges from 1 to 65536.  The attacker also has to forward the packet to the correct port which in most cases is the default DNS port 53.
The attack is basically a race of a the hacker stream of DNS replies versus the real reply coming from the real DNS server.  Once the victim DNS server receives a reply with a valid transaction ID, the attacker can substitute any IP address for the domain name.  “The hacker’s packet blows away the response from the real server,” Kaminsky told TG Daily.

Kaminsky was kind enough to draw out the attack for us.  The client computer is on the left and the first node to the right is your local domain name server.

Ok, so I’m sure some of you see two big problems with this.  First, how the heck do you guess the correct transaction ID out of more than 65000 numbers and how do you get the local domain name server to issue the query that starts the whole ball rolling?  Kaminsky says most DNS servers simply increment their transaction ids which makes guessing them fairly trivial.  Also some implementations of DNS are run on a buggy random number generator that produces predictable patterns of numbers.  As far as getting the domain name server to issue the query, Kaminsky told use there are at least eight ways that he knows of and probably tons more that he doesn’t.  “Sometimes you can just ask and the server will issue a query, but it’s amazingly easy to get a DNS server to look something up,” he said.

So what does a hacker gain from attacking DNS servers?  According to Kaminsky, owning the .COM dns space would get you pretty much anything you wanted.  Everything from intercepting emails to taking over spam filters could be accomplished.  He even outlined grabbing passwords to webmail and other services by exploiting the “Forgot Your Password” feature used by many vendors.  But perhaps the biggest risk was to SSL security because certificate vendors could be duped into giving certs to bogus companies.

SSL certificate authorities issue the certificates by identifying the applicant through email.  The vendor looks up the domain’s address in WHOIS and then sends an email to the mail address contained in the record.  But if you were able to poison the DNS to redirect Microsoft’s DNS entry, then you could conceivably gain a Microsoft or another large company’s certificate.
Kaminsky found the bug approximately five months ago and initially worked solely with vendors to patch the bug because he feared any leak would invite malicious hackers into taking over the Internet.  “I spent the last few months terrified that companies would have their emails stolen because of a bug I found,” he told us. 
Kaminsky was lambasted by some security researchers because hackers, by their very nature, are quite the peer oriented group.  Those critics were eventually silenced after Kaminsky had a conference call with the doubters.
In a press conference after the talk, Kaminsky told reporters that vendors have been “fantastic” in responding and patching the bug.  Microsoft even hosted a summit on March 31st where Kaminsky and fellow researchers flew to Redmond Washington in a marathon session to hammer out a fix – something that took thousands of man hours and “thousands of pizzas”.
That patch, dubbed the “sledgehammer fix” by Kaminsky, randomized the transaction IDs and upped the range to more than a 100,000,000 possibilities.  Hopefully a competent IT administrator would notice hundreds of millions of malicious packets hitting their DNS servers, Kaminsky said.
On July 8th, most of the major vendors like Microsoft, Sun, Cisco and Red Hat had patched their servers and Kaminksy has stayed in constant contact with major web companies like MySpace, Craigslist and eBay, all in the hopes of educating IT administrators of the problem.  “I’ve been on the phone a lot, a whole lot,” he said, adding that he doesn’t want to look at his mobile phone bill for the last month.
But Kaminsky warns that the danger isn’t completely over and that the next bug may not come with as much warning and the hacker finding it may not be as considerate.  “They probably won’t be as friendly as me,” he said.
[/QUOTE]

Source: www.tgdaily.com

[QUOTE]
Electric Tuner over at the xbox-underground.net forums posted what seems to be the first picture of the Xbox360 'Opus' Motherboard.

The 'Opus' is a 'Falcon' generation motherboard designed to fit in a Xenon case. So that means a 90nm GPU, a 65nm CPU and no HDMI port. Microsoft will probably mostly use these boards to return to people suffering from the RRoD on Xenon boards. That seems to match the with the picture below ... it has no HDMI port and while we cannot see the CPU/GPU chips it uses the new CPU heatsink and has less inductors next to the CPU which indicates it uses the 65nm chip. Also notice how this Opus board has the HANA scaler/video chip (like the zephyr/falcon boards) ... so it's maybe not impossible to hack your own native HDMI port to these motherboards.

Picture News-Source: xbox-underground.net
[/QUOTE]

Source: www.xbox-scene.com

[QUOTE]
General Manager of XBox Live has spoken of even more new features he expects to come to the Xbox Live dashboard - including the ability to control your console over the internet, and ultimately a hardware-free future. He also confirmed that hard drive installs will work with all current and future Xbox games.

Speaking to OXM at E3, Marc Whitten said that the new update is "only the beginning" of the social networking features that Microsoft want to deploy.
He also said that we can expect future updates to include the ability to switch on your Xbox from any PC and download content to it remotely - "at some point in the future you'll hear more from us about that."

Asked if we'd ever be able to copy DVDs to the hard drive like the newly-added game install process, he said that was an "evil world" and he didn't fancy talking to the lawyers about making it happen.
[/QUOTE]

Source & full interview: OXM.co.uk

[QUOTE]
One of the not-so-cosmetic changes in the fall update will be the ability to let you play your games directly from the hard disk. The new feature will let users install all of the game content directly onto the hard drive to improve game load times. Microsoft reports that it has seen a 30 percent improvement in load times in internal testing. As an interesting data point, Microsoft went out of its way to tell a group of reporters that the full Devil May Cry 4 hard disk installation took roughly 10 minutes on the Xbox 360. The installation took twice as long when we conducted our own installation tests on the PlayStation 3. Another side benefit of having games installed on the hard disk is reduced noise, since the optical disc no longer needs to spin up. However, you will still need to have the game disc in your optical drive while you're playing it, presumably as a piracy check.
[/QUOTE]

Source: gamespot.com via xbox-scene.com