The Download Blog

November 23, 2009 12:29 PM PST

Chrome OS security: 'Sandboxing' and auto updates

by Elinor Mills
  • 10 comments

With most computers threatened by attacks coming through Web applications, it's no surprise that security would be a key piece of Chrome OS, Google's browser-based operating system that stores data in the cloud.

In this video, Google security engineer Will Drewry explains how Chrome OS separates user data from root or system data, which makes the system more secure and makes re-installing the operating system easier.

(Credit: Google)

Google showed off its new lightweight operating system designed for Netbooks and cloud computing on Thursday. As anticipated, it will rely on many of the same security features and concepts used by the Chrome browser.

"The browser is the operating system. We've expanded the browser to add operating system functionality," Caesar Sengupta, a group product manager at Google, said in an interview.

Chrome OS uses a combination of operating system-level protections and exploit mitigation techniques to limit the attack surface, or amount of code that can be targeted in an attack, and to reduce the likelihood of an attack being successful. "The biggest security impact is that all applications run within the browser," Sengupta said.

Chrome relies heavily on sandboxing, keeping different processes and applications in separate partitions. This limits the interaction between applications and the OS kernel.

For example, with conventional operating systems, if an application crashes, it can crash or otherwise affect other programs that are running, Sengupta said. "But if everything is sandboxed, that becomes more difficult to do," he added.

Many systems are compromised by deceptive attacks, such as when a user opens an innocent-looking PowerPoint file that unleashes a virus or other malware that can get access to everything on the computer.

With Chrome, "applications can't just download any binary and run it," Sengupta said.

Chrome has a verified boot process that uses cryptography to ensure that the Linux kernel, the nonvolatile system memory, and the partition table are not tampered with when the system starts up, according to a security overview of Chrome. (Google security engineer Will Drewry explains the security concepts of Chrome OS in a video on YouTube.)

"Right now, on your conventional operating system, any kind of process can run, which makes it difficult to predict what any process will do," Sengupta said. "On Chrome, because the whole operating system is essentially signed by Google, there is a lot we can do to make it secure."

If an application manages somehow to break out of the browser sandbox, to get through the kernel hardening and processing infrastructure, and manages to change something on the operating system, the changes will be detected the next time the user boots up the machine. "As soon as it detects something is different and not signed by Google, it will warn the user and try to clean itself again," Sengupta said.

Cleaning up is easier than with a standard operating system, too, because the system data is separated from the user data, which includes user preferences, system settings, and a local cache of data stored on the Google servers in the cloud, he said.
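The boot-time check and self-cleaning behaviour described above, as an added illustration that is not Chrome OS code: a stand-in root of trust (a manifest hash pinned in read-only firmware, used here instead of the vendor's public key and signature so the example needs no key handling) verifies the kernel, partition table and system image, and on a mismatch restores the system partition from a pristine copy while the separate user partition is left untouched. All component blobs and the device layout are constructed for the example.

```python
"""Simplified model of a verified-boot check with a separate user partition.

Constructed illustration, not Chrome OS code. Model assumptions:
  * Read-only firmware carries a trusted root hash of the manifest
    (a real system pins the vendor's public key and checks a signature;
    pinning the manifest hash is a stand-in that needs no key handling).
  * The manifest lists the expected SHA-256 of each system component.
  * User data lives in its own partition that the boot check never
    measures, so recovery can rewrite the system without touching it.
"""
import hashlib
import json
from dataclasses import dataclass, field


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


SYSTEM_COMPONENTS = ("kernel", "partition_table", "system_image")


def build_manifest(components: dict) -> bytes:
    """Vendor side: canonical JSON mapping component name -> expected hash."""
    expected = {name: sha256(components[name]) for name in SYSTEM_COMPONENTS}
    return json.dumps(expected, sort_keys=True).encode()


@dataclass
class Device:
    firmware_root: str                                 # pinned in read-only firmware
    manifest: bytes                                    # shipped with the OS image
    system: dict                                       # writable system partition
    user_data: dict = field(default_factory=dict)      # separate user partition
    pristine_image: dict = field(default_factory=dict) # recovery copy of the system


def verify_boot(dev: Device) -> list:
    """Return the names of components that fail verification.

    Checks run from the root of trust outward: the manifest must match the
    firmware-pinned hash, then every component must match the manifest.
    A tampered manifest fails everything, since nothing below the root of
    trust can then be believed.
    """
    if sha256(dev.manifest) != dev.firmware_root:
        return ["manifest"] + list(SYSTEM_COMPONENTS)
    expected = json.loads(dev.manifest)
    return [name for name in SYSTEM_COMPONENTS
            if sha256(dev.system.get(name, b"")) != expected[name]]


def boot(dev: Device) -> dict:
    """Boot decision: verify, and on failure restore the system partition
    from the pristine image. The user partition is never written."""
    failed = verify_boot(dev)
    if not failed:
        return {"status": "ok", "tampered": [], "user_data_kept": True}
    dev.system = dict(dev.pristine_image)
    recovered = verify_boot(dev) == []
    return {"status": "recovered" if recovered else "unrecoverable",
            "tampered": failed, "user_data_kept": True}


def make_device() -> Device:
    """Constructed sample device with stand-in component blobs."""
    system = {"kernel": b"vmlinuz-sample-build-1",
              "partition_table": b"gpt:root=sda3,user=sda1",
              "system_image": b"rootfs-sample-build-1"}
    manifest = build_manifest(system)
    return Device(firmware_root=sha256(manifest), manifest=manifest,
                  system=dict(system), user_data={"prefs": b"dark-mode"},
                  pristine_image=dict(system))


def demo() -> dict:
    dev = make_device()
    clean = boot(dev)
    # Simulate a change to the kernel made after the sandbox was escaped;
    # it is only noticed at the next boot, as the article describes.
    dev.system["kernel"] = b"vmlinuz-sample-build-1-modified"
    after_tamper = boot(dev)
    return {"clean": clean, "after_tamper": after_tamper,
            "user_prefs": dev.user_data["prefs"],
            "kernel_restored": dev.system["kernel"] == b"vmlinuz-sample-build-1"}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2, default=str))
```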

All user data stored by the operating system, browser, and any plug-ins is encrypted, and users cannot access each other's data on a shared device, according to the Chrome OS security page.

Meanwhile, Chrome will automatically update to get the most recent software and patches for the operating system, just like the Chrome browser updates in the background while users are online, Sengupta said. Users will not run the risk of having their system get infected or compromised before they can install updates, as happens with Windows and other software.

In addition, the antiphishing technology found in the Chrome browser will protect Chrome OS users from inadvertently visiting malicious Web sites, he said.

Google is publishing detailed design documents on Chrome OS, which will allow security experts to scour the code for weaknesses over the next year before the operating system is released to the public, according to Sengupta.

There are some security and networking technologies that are supported in other operating systems that Google is passing on, at least for now.

Google will keep an eye on biometric authentication technologies, but believes that the cost/reliability trade-off is not where it needs to be just yet, according to the security overview for Chrome OS. Smart cards and USB crypto tokens are "interesting technology, but we don't want our users to have to keep track of a physically distinct item just to use their devices," the overview concludes.

Google is likewise not interested in Bluetooth, a wireless protocol widely used in laptops and handheld devices. "Bluetooth adds a whole new software stack to our login/screenlocker code that could potentially be buggy, and the security of the pairing protocol has been criticized in the past," the security overview says.

Originally posted at InSecurity Complex

November 23, 2009 12:15 PM PST

Google Maps Navigation arrives for Android 1.6

by Bonnie Cha
  • 5 comments

(Credit: Google)

One of the highlights of Android 2.0 has been the Google Maps Navigation app that delivers voice-guided turn-by-turn navigation on your phone for free. Until now, only Motorola Droid owners could take advantage of this sweet perk, but times they are a-changing.

On Monday, Google announced that its navigation app is now available for devices running Android 1.6 and higher, including the T-Mobile G1 and T-Mobile MyTouch 3G. While still in beta, the app provides voice-guided directions between two points, traffic information, and business searches.

This release also includes a new Layers feature that lets you overlay more information on the map, such as transit lines and Wikipedia articles about places, but it does not support the "Navigate to" voice command feature found on Android 2.0, so you'll have to input all your destinations using your phone's keyboard.

Google Maps Navigation for Android 1.6 is now available for download from the Android Market. Unlike other navigation apps or location-based services from the likes of TomTom, Garmin, and TeleNav, you don't have to pay a one-time fee or monthly subscription to use Google Maps Navigation. All you need is a data connection and you're good to go.

Originally posted at Android Atlas

November 23, 2009 11:38 AM PST

Make car shopping on Craigslist less cumbersome

by Josh Lowensohn
  • Post a comment

(Credit: Josh Lowensohn / CNET)

Buying off of Craigslist can be quite a process, and of all the things for sale, the cars and trucks section is one of the most daunting. Unlike digital cameras and random bits of furniture, cars are (usually) expensive and come with an important history both from the owner, and the manufacturer.

That's why browser extension Craigslist Car Research is so useful. It adds an entire layer of data on top of each listing to make it easier to both find out more about the car, and others like it for sale on Craigslist; all without having to leave Craigslist.

The extension works the same for Firefox and Chrome. Users with Greasemonkey installed can also just add it to their list of scripts. Once it's up and running, every car listing on Craigslist gets a few extra pages of data below whatever the poster has provided, including things like:

• Car reviews from CarSurvey.org and Edmunds.com
• Recall or safety notices
• Price estimates from places like Motor Trend, Automotive.com, Kelly Blue Book, and the Canadian Black Book
• Other similar listings on Craigslist (with prices)
• A quick way to check and see other listings that seller has up on Craigslist.

All of this information can be hidden, either all at once or by specific feature. The extension also scans each listing for problem words or phrases, and will tip you off on whether it's worth following up with the owner to see if the car has been in an accident.

With the extension installed you get comparison shopping for other cars on Craigslist, as well as a heads-up on whether it's worth looking at other things for sale from that seller and if you should call to see if the car's been in an accident.

(Credit: CNET)

Along with this extension, developer Tech4Computer has another script that can figure out the price of importing a car from the U.S. into Canada. There's also a version of the car and truck shopping extension for motorcycle buyers.

See also: Find the right used car for you: 24 sites

Originally posted at Web Crawler

November 23, 2009 11:36 AM PST

Browser-server now baked into Opera

by Seth Rosenblatt
  • 5 comments

Amid promises to "reinvent the Web," the browser Opera debuted a new beta feature earlier this year called Unite that has been deemed stable enough to offer to all users. Opera's own hype aside, the Unite service provides people with the capability to serve files, host and stream music, and send messages to each other from inside the browser itself--a feature that is unique among the big five browsers. Opera 10.10 is available for Windows, Mac, and Linux.

Much like Opera's built-in e-mail client, Unite is basically a cloud-based, customizable server that includes multiple services, but its open API allows you to write and share your own services. The initial offering includes the default Unite Home, which is the Opera Unite Web page that is given to each user, a media player for creating your own publicly available music stream, the "fridge" for a Facebook-style message wall, an instant messenger with a public/private toggle, a photo sharing app, and file serving and Web hosting capabilities.

Besides including Unite, Opera 10.10 also includes an array of bug fixes, mostly aimed at smoothing out the Unite experience, tweaking mail, news, and chat features, and fixing three security problems. Two are relatively minor, one concerning an error message leak and the other a buffer overflow. The third error Opera is refusing to disclose at this time, but stated that it was discovered by the Google Security Team's Chris Evans. The full changelog for Opera 10.10 is available.

As I've tested Unite over the past few months, it's generally been a stable experience, with a few hiccups to be expected by the beta. However, it hasn't exactly set the browsing world on fire, either, and its target audience is still hard to define. Do you have an opinion on Unite? Let me know in the comments.

November 23, 2009 7:09 AM PST

Another iPhone worm, but this one is serious

by Don Reisinger
  • 54 comments

Another iPhone worm has been spotted in the wild.

Unlike the previous exploitation, which merely changed a jailbroken iPhone's wallpaper to a picture of Rick Astley of "Rickrolling" fame, this new threat allows hackers to steal sensitive information.

According to security firm Sophos, which wrote about the exploitation after a Dutch ISP spotted it late last week, the worm attacks jailbroken iPhone and iPod Touch devices only.

The worm "uses command-and-control, like a traditional PC botnet," Sophos wrote in a blog post on Saturday to warn users about the exploit. "It configures two startup scripts, one to execute the worm on boot-up, and the other to create a connection to a Lithuanian server to upload stolen data and cede control to the bot master."

Jailbreaking, which has been around for about two years, is a hack that enables iPhone and iPod Touch users to download applications unavailable through Apple's App Store.

Sophos wrote that the worm attacks users on several ISPs, including UPC in the Netherlands, Optus in Australia, and T-Mobile in several countries worldwide. Worse, the worm spreads faster on a Wi-Fi connection than a 3G connection. Users with affected devices might notice extremely short battery life while on Wi-Fi. According to Sophos, that's mainly due to the worm engaging in "so much network activity."

When a device is infected, it's assigned a unique number so that the attackers can easily pinpoint a single device. It also looks for authentication systems that use SMS, better known as mTANs. mTANs are frequently used by banks that send an SMS message with a password to mobile phones, allowing people to log in to their online accounts, Sophos wrote.

In essence, this threat is serious.

Sophos recommends that people with infected iPhones and iPod Touch devices restore them back to Apple's most recent firmware update. For now, there is no other way to fix the problem.

Originally posted at The Digital Home

Don Reisinger is a technology columnist who has written about everything from HDTVs to computers to Flowbee Haircut Systems. Don is a member of the CNET Blog Network, and posts at The Digital Home. He is not an employee of CNET. Disclosure.

November 21, 2009 10:04 AM PST

McAfee warns about '12 Scams of Christmas'

by Larry Magid
  • 14 comments

Retailers aren't the only ones gearing up for the holiday season. Criminals are also out in force.

To highlight the increased crime during the holidays, security company McAfee has come up with the "12 Scams of Christmas" ranging from bogus electronic greeting cards that deliver malware instead of cheer to fake charities that steal your money and your identity.

It's especially important to be extra careful this time of year, says McAfee's David Marcus. "The bad guys know people are spending more time online, they're paying more bills online so [the criminals] stand a chance of being a bit more successful this time of year."

In a podcast interview (scroll down to listen), Marcus counted down the 12 scams of Christmas starting with:

  1. Charitable phishing scams: Marcus warns consumers to be wary of e-mails that appear to be from legitimate charities. Not only will they take your money and deprive charities of needed funds, but they will also steal your credit card information and identity.

  2. Fake invoices from delivery services: During this period, scammers will send out fake invoices and delivery notifications appearing to come from Federal Express, UPS, the U.S. Postal Service or even the U.S. Customs Service saying that they were unable to deliver a package to your address. They ask you to confirm your address and give them credit card information to pay for delivery.

  3. Social networking friend requests: Bad guys take advantage of this social time of year by sending out authentic looking friend requests via e-mail. Marcus recommends that you not click on those links but sign into Facebook and other services and look for friend requests from the site itself. Clicking on a link could install malware on your computer or trick you into revealing your password.

  4. Holiday e-cards: Be careful before clicking on a holiday e-card, especially if it's from a site you haven't heard of. This is a way to deliver malware, pop-ups, and other forms of unwanted advertising. Some fake e-cards will look like they come from Hallmark or other legitimate companies, so pay close attention and make sure it's from someone you know. If you're going to send an e-card, be sure you're dealing with a reputable service lest you risk infecting yourself and your friends.

  5. Fake "luxury" jewelry: If you see an offer for luxury gifts from companies like Cartier, Gucci, and Tag Heuer at a price that's too good to be true, it probably isn't true. These links could lead you to malware and take your money or merchandise that will probably never arrive (or be fake if it does). Some of these sites, according to McAfee, even display the logos of the Better Business Bureau.

  6. Practice safe holiday shopping: Make sure your wireless network is secure and be sure you're shopping on sites that are secure. Though it isn't an iron clad guarantee, you should look for the lock icon in the lower right corner of your browser and make sure the Web page starts with https. The "s" stands for "secure."

  7. Christmas carol lyrics can be dangerous: Bad guys know that people are searching for holiday related sites for music, holiday graphics, and other festive media. During this time, they create fraudulent holiday related sites.

  8. Job search related scams: With the unemployment rate at 10.2 percent, there are plenty of job seekers looking for work. Beware of online offers for high paying jobs or at-home money making schemes. Some of these sites ask for money up front, which is a good way for criminals not only to steal your "set up fee" but misuse your credit card too. Marcus said that some "get rich quick" sites are all about money laundering, asking you to accept an inbound financial transfer and pay them.

  9. Auction site fraud: McAfee has observed a rise in fake auction sites during the holidays. Make sure you're actually going to eBay or whatever site you plan to deal with.

  10. Password stealing scams: Criminals use low-cost tools to uncover passwords, in some cases planting key logger software to record keystrokes. Once they get your passwords, they gain access to bank accounts and credit card accounts and send spam from your e-mail accounts.

  11. E-mail banking scams: A common type of phishing scam is sending out official looking e-mails that appear to come from your bank. Don't click on any links but type in your bank's Web address manually if you need to access your account.

  12. Files for ransom: Hackers use malware to gain control of your computer and lock your data files. To access your own data you have to pay them ransom.

Bottom line--Don't let the eggnog and holiday cheer keep you from using your critical thinking skills when you go online during the holiday season. And, of course, make sure your operating system is updated and that you're using up-to-date security software.

Listen to Larry's interview with McAfee's David Marcus

Listen now: Download today's podcast

Originally posted at Safe and Secure

Larry Magid is a technology journalist and an Internet safety advocate. He's been writing and speaking about Internet safety since he wrote Internet safety guide "Child Safety on the Information Highway" in 1994. He is co-director of ConnectSafely.org, founder of SafeKids.com and SafeTeens.com, and a board member of the National Center for Missing & Exploited Children. Larry's technology analysis and commentary can be heard on CBS News and CBS affiliates, and read on CBSNews.com. He also writes a personal-tech column for the San Jose Mercury News. You can e-mail Larry or follow him on Twitter @larrymagid.

November 21, 2009 9:15 AM PST

Firefox: Heat and the CPU usage problem

by Brooke Crothers
  • 100 comments

Firefox has a CPU usage issue and, consequently, can cause overheating problems in some laptops, particularly ultraportables. That's what I've found over the last couple of years.

But don't take my word for it. This is documented on a Mozilla support page entitled "Firefox consumes a lot of CPU resources." The page states: "At times, Firefox may require significant CPU [central processing unit] resources in order to download, process, and display Web content." And forum postings like this one about a Dell Netbook are not uncommon: "Mini9 would get way too hot."

The Mozilla support page goes on to say that "you can review and monitor CPU usage through specific tools" and describes ways to limit CPU usage, such as: "A Firefox add-on, called Flashblock, allows you to selectively enable and disable Flash content on Web sites."

Let me describe my experience. I find that tab for tab, Firefox uses decidedly more resources than other browsers--Safari, for example. And in the past (when I was actively using a Windows Vista-based machine) Firefox also compared unfavorably with Microsoft's Internet Explorer for CPU usage.

More specifically, here's the behavior as I see it. When I'm accessing sites with multimedia content such as the CNET front door, Firefox CPU usage will bounce around between 30 and 60 percent, and sometimes spike higher (80 percent and above), as indicated by the Mac OS 10.6.2 Activity Monitor.

On the other hand, the Safari CPU usage with the same pages open is much lower--typically between 2 percent and 10 percent.

My theory is that most users don't notice this because in mainstream laptops, this isn't an issue. But it can become an issue in ultraportables--typically under an inch thick--which are more sensitive to heat because of the design constraints. The ultrathin Apple MacBook Air, which I use as my main machine, is a good example.

The fan is usually an audible indicator of CPU usage issues. When I'm using Firefox and I have tabs open on multimedia-rich sites (which is par for the course these days), the Air's fan will almost invariably kick on and stay on until I close the tabs. As I write this, the fan has finally shut down after I closed the Firefox tabs (e.g., CNET front door). Those same tabs in Safari are still open and not causing any significant spike in CPU usage or fan activity.

When I contacted Mozilla, a technical support person guessed that Safari is possibly better at optimizing Flash-based sites compared to Firefox. And that may be true. However, I had similar issues before when I was using a Hewlett-Packard business ultraportable (also very thin like the Air) that were not necessarily tied to Flash usage. In short, Firefox was less efficient with CPU usage compared to Microsoft's IE 8. And the behavior was similar. The HP laptop would quickly heat up and the fan would kick on.

Finally, let me reemphasize that I'm guessing that most users don't notice this because heat dissipation is not a big issue for mainstream laptops that are not necessarily thermally-challenged when accessing multimedia-rich Web pages. That said, this has been a steady problem for me because I use ultraportables almost exclusively and has forced me to limit my use of Firefox.

Originally posted at Nanotech - The Circuits Blog

Brooke Crothers has served as an editor at large at CNET News, an editor at Dow Jones' Asian Wall Street Journal Weekly, and a senior editor at InfoWorld. His CNET blog covers chip technology and computer systems, and how they define the computing experience. He also contributes to The New York Times' Bits and Technology sections. He is a member of the CNET Blog Network and is not an employee of CNET. Disclosure. Follow Brooke on Twitter @mbrookec.

November 20, 2009 5:31 PM PST

Multiservice chat and 3D racing: iPhone apps of the week

by Jason Parker
  • 5 comments

iPhone (Credit: CNET)

With more than 100,000 apps in the iTunes App Store and huge success around the world with the iPhone, it would appear Apple has done just about everything right with the launch of its first mobile handset. But as any iPhone app developer will tell you, the app approval process is less than ideal, with some developers waiting well beyond Apple's 14-day waiting period and sometimes longer to get their apps approved. Though Apple has stated it is working on the app approval process, there has been little in the way of progress if you ask iPhone app developers.

Recently, Apple added an automated system for weeding out developers who use Apple's private APIs, a process that may be part of a larger plan to cut down on some of the wait time. Unfortunately, developers are still struggling to get their apps to the iTunes store, finding out at the end of the 14-day waiting period that it was the automated system that turned them down. Hopefully, as more time passes, Apple will be able to figure out a way to make the process more efficient while still being able to provide high-quality and secure apps for everyone. Happy iPhone app developers mean more and better apps, so it's in all of our best interests for Apple to make the process better.

This week's apps include a new (to iPhone) multiservice chat client and a stunt-racing game with beautiful 3D graphics.

Trillian for iPhone

Use the tabs at the top to switch conversations

(Credit: Screenshot by Jason Parker/CNET)

Trillian ($4.99) is a popular multiservice chat client on Windows machines that you can now use on your iPhone. Multiservice chat clients are ideal for those who have accounts across several services like Yahoo, Google, ICQ/AIM, and MSN, and want to use just one client to access them all. The interface is fairly intuitive, letting you add your user names and passwords for each service, and then letting you log on to all or specific services with only a few taps on your touch screen. Trillian does not support landscape mode for typing yet, but the developers say it is coming soon.

Once you're logged in, the Trillian interface looks a lot like it does in the Windows client, complete with your buddies' avatars, contact categories (friends, coworkers, etc.), and color-coded icons to indicate which service your friends are using. The way Trillian handles multiple chat sessions on the iPhone client is excellent, with a touch-scrollable tabbed interface, making it easy to switch conversations quickly. Also especially useful (and clever) is the push notification system, that sends you the first message of a chain so you know someone is trying to reach you, but doesn't send a huge list of messages when you don't want them. At this time, you can only stay logged-in (with the app suspended) for a maximum of 24 hours, but the folks at Trillian say it will be lengthened to seven days in future updates. Though the price is a little steep in my opinion, Trillian is a high-quality chat client that will appeal to those who use multiple services.

Jet Car Stunts

The screenshot doesn't do it justice, but this game looks and plays great

(Credit: Screenshot by Jason Parker/CNET)

Jet Car Stunts is a stunt-racing game that runs surprisingly smoothly on first-gen iPhones on up to the 3GS. Beyond the beautiful graphics, the driving control system is excellent, using the accelerometer for steering and onscreen controls for gas and brakes. What makes the game unique among racing games are the controls for your rocket boost to complete big jumps, and the braking system that works both on the ground and in the air.

You can choose from two different game types: Time Trial and Platforming. In Time Trial, you race five laps around a track with corkscrew twists, tight turns, and huge jumps, to qualify for bronze-, silver-, or gold-medal times. Platforming has no time limit, but instead records the number of tries it takes you to complete difficult tracks--and they get very difficult in both game types. Time Trial has three skill levels, with four tracks to complete in each to move on to the next skill level. Platforming has five difficulty levels, with five tracks in each to pass before moving on. Overall, Jet Car Stunts is one of the more unique racing games and features excellent graphics, extremely smooth controls, and plenty of replay value, with increasingly challenging tracks. I've had the game for a week and I still can't get over both how good it looks and how smooth it plays.

What's your favorite iPhone app? Were you waiting for a big-name multiservice chat client like Trillian before spending your money? Is Jet Car Stunts hard or am I just not good enough? Let me know in the comments!

November 20, 2009 4:02 PM PST

Seize Seesmic Twitter app on BlackBerry, Android

by Jessica Dolcourt
  • 3 comments

Seesmic raccoon logo

The Twitter service with the cutesy raccoon mascot is making a new home on BlackBerry and Google Android phones. The free Seesmic, like its many rivals, lets you read, manage, and compose Twitter messages much more flexibly than you can from Twitter's Web site. We crash-tested both mobile versions as soon as we heard the news.

Seesmic on Android

Seesmic 1.0 for Android is available from the Android Market app, which is located on the smartphone. It takes up just over 1MB. The interface spreads four tabs along the top in both landscape and portrait mode, one each for the timeline, replies, direct messages, and your profile. There's also a ribbon on the screen that you can tap to refresh the feed. Click to open a tweet and you can save it as a favorite, retweet, or reply as a public "@" message or as a private posting. From the menu button, you can refresh, compose, or tinker with the settings.

Although Seesmic's Android interface is much more stripped down than its desktop AIR app for Windows and Mac, the app manages to remain flexible by giving you a choice over the kinds of notifications you'd like to receive, and over the partner services you'd prefer to use to send a photo, video, or shorten a URL.

Seesmic on Android--is this Jessica or Don?

Sure, it's blurry (blaming the BlackBerry camera), but squint hard enough and you'll see that Seesmic associated a picture with my account that's not actually my face.

(Credit: Jessica Dolcourt/CNET)

The biggest flaws we've noticed so far? ... Read more

Originally posted at Android Atlas

November 20, 2009 12:04 PM PST

What's new in Google Earth 5.1? Not much

by Jessica Dolcourt
  • 3 comments

When we hear "update" and "Google Earth" in the same sentence, we're used to groundbreaking additions to Google's high-powered, interactive, and ever-expanding desktop globe. In Google Earth 5, that's meant tools to explore the oceans, sky, and Earth's ruddy neighboring planet.

But Google Earth 5.1 for Windows and Mac is a mere tremor. In fact, if you've been playing around with Google Earth 5.1 beta, only Mac users should notice a change--that the Google Earth browser plug-in comes bundled in the download.

Still, the minor update should be noticeable for those making the switch from Google Earth 5. Google has made some changes under the hood to improve speed and performance. Using compression technology to make images load faster, and improving the other ways that the app handles graphics, Google claims that Earth now loads 25 percent faster and soars around the globe in smoother motions.

In addition, both Mac and Windows versions of Google Earth 5.1 pack in the browser plug-in, so you can explore Google Earth from the browser--Firefox and Safari for Mac users; Chrome, Safari, Firefox, Internet Explorer for Windows. Before, you needed to install the plug-ins separately. The move to drop the beta from Google Earth 5.1 comes just two days after Google released Google Earth for iPhone 2.0.

About The Download Blog

Download.com editors cover the world of downloadable software and beyond.
