(Credit:
CNET)
In addition to the Windows Starter Kit, and its companion Security Starter Kit, we at CNET Download.com have decided to spin off the utilities section into its own freeware collection. The Utilities Starter Kit recognizes that there are far too many excellent freeware utilities to improve basic Windows features and functions to not give them their own place to live.
In the Utilities Starter Kit we focus on seven key areas: defraggers, system cleaners, uninstallers, Task Manager replacements, launchers and docks, and Notepad replacements. There's also a section for Essential Extras, containing two must-have utilities that more or less defy category and, for the moment, competition. One is the Belarc Advisor, which gives you a detailed list of what hardware, drivers, and operating system patches you've got, and what's in dire need of an update or a fix. The other is WinDirStat, which provides a visual analysis of your disk space, with quick access to adjusting it. There are a few other visual disk space analyzers, but nothing comes even remotely close to what the Linux-derived WinDirStat offers.
What other programs made the cut? Click through to the Utilities Starter Kit and find out, and let us know what you think in the comments below.
You and just about everyone else, it seems, are spending more and more time on Facebook and Twitter, updating statuses and checking friends' tweets. That's all well and good, of course, but the amount of personal information that all of you share in real time, and the level of trust implicit with the social networking sites, do pose particular security and privacy problems.
A recent study from Sophos found that Facebook users reveal a lot of personal information to new friends, including ones they really don't even know or have never met. Using fake profiles, Sophos sent out friend requests to 100 random Facebook users, and more than 40 percent blindly accepted, giving the company access to birth dates, e-mail addresses, phone number and addresses--private information strangers shouldn't have.
The openness of Twitter--anyone can follow anyone else, and posts are indexed in search engines--makes it a nirvana for spammers. Kaspersky says there are nearly 500,000 new unique URLs that appear in Twitter posts daily, and of those, anywhere between 100 and 1,000 are malware attacks.
Here's a look at some of the specific threats users of the sites face and what they can do about it.
A rogue app that appeared early in the year sent notifications to Facebook users reporting they were violating terms of service and offering a link that lead to an application called "facebook -- closing down!" which then spammed all the friends of affected users.
(Credit: Trend Micro)Problems: Malware, account hijacking, phishing, and social engineering
The biggest malware risk is Koobface, (an anagram of Facebook), which is a worm that targets social networking sites and affects Windows-based computers. Once a computer is infected, it hijacks the Facebook account and sends messages to other friends of the victim, enticing them to click on a link. The link redirects to a Web site where they are prompted to download software ostensibly to watch a video. However, there is no video; only malware that infects the system, blocks access to security sites, and can be used to steal sensitive information from the computer, such as credit card numbers. Infected machines can then be used to spread the worm to others on Facebook, send spam and distribute fake antivirus alerts, said Rik Ferguson, a security researcher at Trend Micro. Koobface now can automatically create new profiles using infected machines, he said.
Facebook accounts can be hijacked in several ways. A brute-force attack can be used to guess passwords. Users can fall for phishing attacks by clicking on links in messages or e-mails purportedly coming from friends that redirect to a fake Facebook log-in page. Or malware such as Koobface can steal passwords.
Social engineering is a huge problem for social networks because the trust that users have for messages and posts from friends can be easily exploited by scammers. Hijacked accounts are used to send everything from spam touting weight loss plans to links that install malware and steal passwords to fake emergency messages saying a friend is stranded in another country and needs someone to send money. Scammers are also sending e-mails that look like they come from Facebook and include an attachment that contains a Trojan.
Solutions: Use antivirus and anti-malware software and keep it up-to-date. Install security updates for operating system and other software. Use software like AVG Linkscanner or McAfee Site Adviser to protect against phishing and malware attacks. Become a fan of the Facebook Security page, which has posts related to all sorts of security issues, tips, resources and other information. If you think you've been infected with Koobface or other malware you should reset your password and notify friends who may have been affected.
Use an up-to-date browser that features an antiphishing black list, such as Firefox 3.0.10 or Internet Explorer 8. Be aware of where you enter your password. Check to see that you are logging in from a legitimate Facebook page with the Facebook.com domain. Be wary of unusual stories or offers that are too good to be true. Verify information with sources directly. Be cautious of any message, post or link that looks suspicious, requires an additional log-in or asks you to download or upgrade software. If a link seems odd or lacks context, don't click on it. Don't click on links or open attachments in suspicious e-mails. You can add a security question from the "Account Settings" page if you would like an additional layer of protection.
Problem: Rogue applications
Facebook doesn't vet every app that appears on the site, which means there is a risk that some apps will have bugs in them or will violate Facebook's privacy policies. Facebook has proven diligent in removing rogue and problem apps quickly when it is notified, but unlike iPhone apps, pretty much anyone can write a Facebook app. "Because the code is not always of professional standard or hosted or audited by Facebook, we've seen innocent apps compromised externally and used to deliver malware, such as fake antivirus," Ferguson said. One rogue app that appeared early in the year sent notifications to Facebook users reporting them in violation of terms of service and offering a link that lead to an application called "facebook -- closing down!" which then spammed all the friends of affected users, according to Trend Micro.
Solution: See solutions above, and be cautious about adding applications. Research the developers and perform Web searches to see if anyone has complained about the app. And ask yourself, what value does the app provide? Do I really need to play zombie?
Problem: Privacy leaks due to user error
Because people control who they are friends with on Facebook it is easy for users to have a false sense of security about the privacy of their data and activities on the site. Social engineering attacks, lax security practices by users like using weak passwords and design or implementation problems with the site itself can undermine the privacy protections users rely on. Users who fall for phishing scams and get their accounts hijacked have everything in their account exposed to strangers who can then use the different types of data for identity fraud or to target the victim's friends with social engineering attacks.
Solution: See solutions above. Also, use unique logins and passwords for each Web site you access. Use strong passwords, change them often and don't share them with anyone.
These instructions explain how to keep most people from viewing your friends list on Facebook.
(Credit: CNET)Problem: Privacy leaks due to design or implementation issues
Privacy advocates contend that Facebook's lenient apps approval process, privacy policies and confusing privacy settings put users at risk. Two weeks ago, Facebook asked users to configure their privacy settings. The options were confusing and many people were inclined to just keep the default settings, which are set to make the data visible to the Web rather than opting to use the old settings established by the user. Screenshots and descriptions are detailed on this photo gallery.
Many people have complained that it is difficult to figure out how to change the privacy settings, that they are not intuitive and that there doesn't seem to be one central place for that. And using Facebook Connect with outside apps, like the iPhone app Foursquare, can expose more information than a user expects to share. The new privacy changes at Facebook have prompted the Electronic Privacy Information Center to ask the Federal Trade Commission to investigate.
Facebook encourages people to share their full names, date of birth, home town and other information, all pieces of information that are commonly used in identity fraud. Scammers on underground sites even refer to Facebook as a "free date-of-birth look up service," according to Ferguson. People don't realize that their profile information can be accessed by total strangers who happen to be in the same groups or networks unless they specifically change the settings. People who don't trust random apps--which in general have access to profile information even if it isn't necessary to the function of the app--don't realize that the apps their friends are using also have access to their data. "Friends apps can access most of your profile, interests and groups. There is no way to prevent them from accessing your name, profile, photo, town and gender," said Joseph Bonneau, a PhD candidate in security at the University of Cambridge. In response to user feedback, Facebook made a change that allows users to hide their friend lists from everyone but their friends, a Facebook spokesman said.
Solution: CNET has a tutorial on how to hide your Facebook friends list by clicking on the pencil in the friends box on your profile. Detailed instructions and tips on dealing with Facebook privacy settings are available on the DotRights.org site and on the All Facebook blog. Facebook also has a blog post about the privacy changes.
Problem: Privacy leaks related to marketing
The relationship between the apps and advertisers can also cause problems. Adding an app allows the app to show ads inside the Facebook domain, and that can leak a user's profile information to the advertiser, said Peter Eckersley, a staff technologist at the Electronic Frontier Foundation. Meanwhile, cookies and other browsing tracking technology combined with data from social networks can be used by marketers to identify users for targeted advertising and other purposes, Eckersley said, providing details in a blog post on different ways data can be leaked from social networks to third-party tracking firms. Once marketers know a specific person's user name, they can use that identifier in the URL to get to a user's public profile page, according to Eckersley. "They can create a social graph of your date of birth, city, employment, relationship status, all uniquely codified in a way that can be automatically sucked into a database," he said.
Solution: Pick a good cookie policy for the browser, such as manually approving all cookies or only keeping cookies until the browser is closed. Disable Flash cookies. Use Firefox extensions such as RequestPolicy and NoScript to control when third-party sites can include content or run code in the browser page. Use the Targeted Advertising Cookie Opt-Out plugin or AdBlock Plus to block ads. To hide your IP address and other browser characteristics, use Tor via Torbutton.
Problem: Information used to suppress dissent and target political activists
As with e-mail, blog postings and other public expressions of dissent, Facebook and Twitter have been used by governments to target protesters. The Wall Street Journal reported earlier this month that family members of Iranian Americans had been arrested or questioned because of anti-Iranian government posts on Facebook by members outside the country. In other instances, Iranians living abroad were forced to log into their Facebook accounts or reveal passwords to government officials as they arrived at the Tehran airport and some even had their passports confiscated because of their political posts. In the U.S., the EFF says, officials have taken actions against U.S. citizens based on information discovered on their social networks; the group has sued the CIA and other agencies for allegedly refusing to release information about how they are using such sites in surveillance and investigations.
"Basically, every time you post something to Facebook you should assume that the whole world will know what you've posted, your family, employer, the government, people you don't trust," Eckersley said.
Solution: Think carefully about what information you want to share about yourself and consider only posting information you would want to let the general public see.
Twitter has many of the same malware, phishing, hijacking and social engineering issues that Facebook has, and the solutions for those problems would be the same. Because users don't provide much personal information to Twitter, and can even create accounts using all fake information, and because anyone can follow anyone else, there aren't the same issues with privacy, either. But that makes life easy for spammers.
Security does seem to be a worrisome thing with Twitter. The site has had several serious problems from employee accounts getting compromised. In January, someone hacked into the Twitter internal network -- possibly by guessing the password -- and gained access to the Twitter accounts of President Obama, CNN anchor Rick Sanchez, and 31 other high-profile Twitterers. In May, someone broke into Twitter's network and gained access to 10 accounts, which appeared to include Britney Spears and Ashton Kutcher. In that breach, a hacker was able to gain access to a Twitter employee's Yahoo account through the password recovery system and from there get information from other sites, including access to the employee's Twitter account. And last week, the legitimate account of a Twitter employee was used to hijack the site and redirect visitors to an external page displaying a banner for the "Iranian Cyber Army."
Meanwhile, Twitter was crippled (and Facebook and other sites also affected) by a rare politically motivated denial-of-service attack targeting one user in August. However, that incident reflects more on Twitter's ability to keep the site up in the face of an attack and accessibility than it does about security risks to users.
Twitter users are susceptible to getting their accounts hijacked, and the site has been targeted by clickjacking pranks. In these social engineering attacks, users were encouraged to click on links that distributed the original tweet to all of the Twitter user's followers.
Users with large numbers of followers have an added responsibility to be careful, particularly when setting accounts to automatically post items from news feeds. A malicious post on an unmoderated news feed that venture capitalist Guy Kawasaki was re-tweeting distributed a Trojan to more than 139,000 followers in June.
Kaspersky offers a Krab Krawler tool that analyzes tweets as they get posted on Twitter and blocks any malware associated with them. Trend Micro has technology that monitors Twitter posts for malicious URLs, as well as looks for attack patterns in the posts, such as use of popular terms to indirectly lead people to malicious links. And Finjan offers a free browser plug-in dubbed SecureTweets that warns users when they encounter a malicious URL in Twitter, as well as Blogger, Gmail, Google and a host of other popular sites. To keep up with security issues on Twitter follow Twitter's Spam Watch account.
Social networks are also susceptible to other serious security problems that can hit any type of Web site. For instance, last week passwords of 32 million stored in plain text on the RockYou site were exposed by a SQL injection attack, according to security firm Imperva. Because the passwords are used on other affiliate sites to the social networking application maker, the breach jeopardized other accounts, like Gmail, Hotmail, and Yahoo.
A small update to version 1.2 lets you upload photos from your phone and share favorite businesses with friends.
(Credit: Yelp)Yelp's first foray on Google's Android phones wasn't much to look at.
The initial feature set of Yelp's business review app for Android, which debuted December 7, was minimalist. It contained enough features--read-only access to Yelp.com, click-to-call, and a hyperlink to get directions from the browser or Google Maps--to avoid a user riot, but one would hardly call it the answer to Yelp's iPhone app.
On Tuesday, Yelp is making good on its promise to quickly pad the app's features. Version 1.2, an update available through the Android Market app on your smartphone, now lets you upload pictures from your Android phone to Yelp's site.
If you're meeting someone at a restaurant, bar, or museum, you can now share Yelp's business listing with others over SMS, e-mail, Facebook, and other third-party apps you may have installed on your phone, like a Twitter service. As a third addition, you're also free to sign in to your Yelp profile from the smartphone.
These changes may seem like small potatoes at first--you still can't add your own rating, write tips, or review a place from the phone--but they reverse two of our complaints. Yelp tells us we should expect to see more interactive features in early 2010, like drafting a review for later publishing, and bookmarking a business.
The icons that reside in the Windows notification area (near the clock in the taskbar) convey much useful information at a glance. Is my network link live? How's my notebook's battery? Is there really yet another Windows update ready to be installed?
But one bit of information I often want to know is how much of my CPU is in use at any given time. Now the notification area gives me the lowdown on my processor as well. All I did was add a Task Manager shortcut to Windows' start-up folder and set the shortcut to open minimized.
Old-school taskbar customization
Windows gives you lots of options for altering the shortcuts on your Start menu (more on these below). Unfortunately, getting a CPU-usage indicator in the mix isn't one of the prefab customizations available. Instead, you have to do it yourself.
Add Task Manager's CPU graph to the taskbar's notification area.
(Credit: Microsoft)Start by right-clicking the Start button and choosing Open. Click or double-click the Programs folder and then the start-up folder. Right-click in the right pane and choose New > Shortcut. Type taskmgr in the location field and click Next. Give the shortcut a name, such as "Task Manager shortcut," and click Finish.
Now right-click the shortcut you just created, choose Minimized in the Run drop-down menu, and click OK. When you restart Windows, Task Manager's CPU graph will appear in the notification area. Hover the mouse over it to see the percentage of your CPU in use. Double-click it to open Task Manager.
Change your Start menu's behavior
I was surprised at how similar Windows 7's Start menu options are to its predecessors. To view your Start menu options, right-click the Start button and choose Properties. You can revert to the old-style Start menu by selecting Classic Start menu. If you're like me and prefer a combination of old and new, retain the default Start menu option and click Customize under the Start Menu tab.
By default, Windows shows Start menu items as links that you click to open. I like seeing Computer, Control Panel, Documents, and other system folders as menus, so I choose "Display as a menu."
This dialog also lets you change the e-mail program and Web browser shortcuts that appear on the Start menu, as well as the number of recent programs to show on the right side of the menu. To protect your privacy, return to the Start menu tab of the Taskbar and Start Menu Properties dialog and uncheck the options for storing and displaying recent files and programs.
Show Computer, Control Panel, Documents, and other Start menu folders as menus rather than links via the Customize Start Menu dialog.
(Credit: Microsoft)You can also customize the behavior of the icons in your notification area. Click the Notification Area tab of the Taskbar and Start Menu Properties dialog and choose the Customize button (make sure "Hide inactive icons" is checked). The default for most notification area icons is "Hide when inactive." To always hide or always show an icon, select it and choose Hide or Show on the drop-down menu that appears.
Windows 7's notification area adds an overflow pop-up window. To view its contents, click the up arrow to the left of the area. Click Customize to open the Notification Area Icons Control Panel applet. The options are renamed, but the actions are the same as in Vista: show, hide, or hide when inactive. (A couple of weeks ago, I described several more-useful new interface features in Windows 7.)
Automate your Start menu customizations
If you use Windows XP, the free Tweak UI utility (part of Microsoft's PowerToys suite) provides some one-click Start-menu customizations. Unfortunately, there's no PowerToys or Tweak UI equivalent for Vista and Windows 7.
Several freeware programs enhance your Start menu customization and management options. Start Menu Organizer from Winstep Software Technologies adds folders to the menu with links to system and Internet tools and lets you create your own custom Start menu folders.
Mithril Software's Start Menu Cleaner focuses on removing orphan menu entries and the useless items added by misbehaving program installers. Vista Start Menu from OrdinarySoft is particularly noteworthy for the many keyboard shortcuts the program adds to Vista's Start menu. However, CNET's reviewer was unable to get some of the utility's features to work, though it's unclear whether those functions are restricted to the paid version of the program.
Article updated Tuesday, December 22 at 7:30 am PT with corrected pricing information.
Tax time. We're dreading it as much as you are, but the fact remains that soon after we ring in 2010, we'll be paying for 2009.
In anticipation of the 2009 tax season, we've gathered some preliminary information about tax prep software for the DIY tax-doers among you. There are noteworthy changes to H&R Block's and Intuit's software, the two developers that take up the lion's share of the tax software market and the two we therefore focus on in our coverage. The prices of some applications in the two product families have crept up $10 but others remain steady compared with last year.
If choosing among multiple products weren't confusing enough, you also get to determine if online or desktop apps are the way to go. To that end, we've rounded up pros and cons for these two tax prep approaches.
Taxes are complicated, and the software offerings are no different. We tried to keep information simple and organized in a chart below, but with extra charges for state returns and extra e-file submissions, it's easy to get lost. Keep in mind that this is a preview, not an exhaustive comparison, and that we'll return in early 2010--after we get our own forms in the mail--with in-depth reviews on some of the software products mentioned here.
... Read more
TweetDeck gets promotional with a Sherlock Holmes movie theme.
(Credit: Screenshot by Stephen Shankland/CNET)In a sign that both the movie industry and the Twitter industry are adapting to the times, TweetDeck released a promotional version of its Twitter-user software that sports a look and function tied to Warner Bros.' Sherlock Holmes movie and related 221B video game.
The Sherlock Holmes promotional version is called TweetDeck Telegram Co. and sports black-and-white icons and a couple period touches that try, but don't really succeed, to make you think you're in the 19th century. It also adds a new column for 221B-related tweets that tie into the online video game.
"Alongside the development of our core products we've also been partnering up with a select group of bands, record labels, movie studios, and media companies to develop themed TweetDecks," said TweetDeck founder and Chief Executive Iain Dodsworth in a blog post Monday. "These special TweetDecks not only offer a potentially radical look and feel but also a dedicated channel straight to the artist or movie alongside the usual TweetDeck columns."
These special TweetDecks are a nice idea, especially for a start-up in search of new revenue sources. But here's what I don't like: you must install a new version of the software.
Happily, Adobe Systems' AIR (Adobe Integrated Runtime) foundation makes this reasonably easy. But I'd much rather have a TweetDeck skin that does the trick, especially because uninstalling this to go back to regular TweetDeck is another hoop to jump through.
TweetDeck, for those unfamiliar with the software, lets you get more out of Twitter by constantly publishing tweets from those you follow, categorizing those you follow, shortening Web addresses, and automating various administrative tasks. It also can act as a front end to Facebook, MySpace, and LinkedIn.
Twitter is a free service and TweetDeck is free software to use it. Promotional deals are one way to make money off the ecosystem. Another, apparently, are Twitter's search deals with Google and Microsoft.
(Credit:
CNET)
As we close out another great year at Download.com, we've been putting together several end-of-year software collections. Just like last year, Jessica Dolcourt and I have split up the iPhone apps of the year into two groups. Jessica has put together the iPhone Starter Kit that's perfect for grabbing the best productivity apps to make your life more...productive. My job is quite the opposite. I went through my favorite games of 2009 (and quickly realized I had too many), and was able to narrow it down to 17 of my most played games. If you're looking to waste some time, this collection was made for you!
I tried to make a collection of games that would have something for everyone, so I included quick casual games along with strategy, tower defense, first-person shooters, word games, and more. Obviously, I recommend every game in this list, but hopefully you'll be able to find a genre you like so you have something to play over the holidays.
Without further ado, here are my favorite games for 2009.
... Read moreMozilla Messaging hopes to release Thunderbird 3.1 in early April, a date that reflects a new frequent-release strategy adopted from the better-known Firefox effort at Mozilla.
Dan Mosedale, a programmer for the open-source e-mail software, published the date in a Thunderbird schedule draft he announced Thursday.
"If we're lucky, we relabel 3.1RC1 [release candidate 1] as final and ship it on Tuesday, April 6. Otherwise, there's an RC2," Mosedale said in the planning document.
The new version is due to get an updated Web browser engine. Using the same Gecko project that Firefox is built atop means Thunderbird messages can integrate with Web activity such as Google Calendar.
Another possibility for 3.1 is a revamp of the Thunderbird start page, Mozilla Messaging CEO David Ascher said Friday. That redesign, which Ascher described in May, could show more useful information than the present splash screen--for example, information about what activity people has been up to help pick up where they left off.
"The 'start page,' which makes a lot of sense in Firefox, never made a huge amount of sense to me in Thunderbird. In particular, it's shown only when a folder is selected, and no message is selected. That's hardly a logical time to show the (colorful, pretty, but fairly useless) page we show now. Instead, why not show information about the selected folder and help people who clearly intended to select a folder, so most likely wanted to do something related to that folder," Ascher said in the blog post.
The faster Thunderbird release cycle is just one attribute the Thunderbird team is trying to adopt from Mozilla's higher-profile Firefox effort. Also on the longer-term plan is financial self-sustenance. Those are big challenges, though. An easier adoption will be fun names.
Starting now, Thunderbird versions will be named after beaches, Ascher said in a blog post this week.
"Firefox releases have cool code names while in gestation," Acher said. "Firefox picks national parks as code names, as metaphors for the values that go into making a Firefox release. The idea made a lot of sense to us, so we decided to follow suit for Thunderbird. Rather than parks, we picked beaches."
First up: Hawaii. Thunderbird 3.1 gets the name Lanikai, Ascher said, adding that he misspelled it "Lanakai" in the blog post.
The Sony A850, the least expensive full-frame SLR on the market, now has raw-image support from Adobe.
(Credit: Sony Electronics)Adobe Systems released an update to its Photoshop and Lightroom products on Thursday night to support raw images from a raft of newer cameras from Canon, Nikon, Sony, and others.
Raw image formats, which record the unprocessed image sensor data from various higher-end cameras, offer higher quality and more flexibility than JPEGs but require more processing and take up more space. Adobe, Apple, and others write their own modules to decode the proprietary formats.
Adobe's update supports several newer SLRs from Canon, Nikon, Pentax, and Sony; compact cameras from Olympus, Panasonic, and Canon; and several medium-format camera models from Mamiya. Here's the full list of cameras now supported in Lightroom 2.6, the Camera Raw 5.6 plug-in for Photoshop CS4, and the DNG Converter 5.6 utility:
• Canon EOS-1D Mark IV
• Canon EOS 7D
• Canon PowerShot G11
• Canon PowerShot S90
• Leaf Aptus II 5
• Mamiya DM22, DM28, DM33, DM56, M18, M22, M31
• Nikon D3S
• Olympus E-P2
• Pentax K-x
• Panasonic FZ38
• Sigma DP1s
• Sony A500
• Sony A550
• Sony A850
The software also fixes a problem that, on PowerPC-based Macs, could create artifacts in highlight areas in some circumstances with medium-format sensors and with some cameras from Sony, Olympus, and Panasonic.
The Camera Raw plug-in also works for customers of Photoshop Elements 8 and Premiere Elements 8. The free DNG Converter software can translate raw files into the Digital Negative format Adobe is trying to promote and standardize as a way to address file format longevity issues for archiving, expand use of raw photography, and handle metadata better.
Supporting raw processing keeps software makers on a new-camera treadmill. Apple updated its support for some of the new cameras on Wednesday, and DxO Labs announced it supports Canon's high-end S90 compact with the new DxO Optics Pro v6.1.1.
Mozilla, racing to release Firefox 3.6 by the end of the year, issued a fifth, and likely final, beta version of the new browser.
The open-source browser backer announced the new Firefox beta (download for Windows and Mac OS X) in a blog announcement Thursday.
Firefox 3.6 builds in a feature called Personas for customizing the browser's appearance, adds the File interface for better file management such as selecting what to upload, and, my personal favorite, placement of new tabs next to the ones that spawned them.
A total of 127 bugs were fixed since the fourth beta, but this time Mozilla didn't announce any new features. The first Firefox 3.6 beta arrived in October.
Mozilla had considered issuing its first Firefox 3.6 release candidate this week: "If we can go to build today or tomorrow, QA [quality assurance] will scrap Beta 5 and we'll release RC to the beta audience ASAP," the Mozilla meeting notes said.
