Archive for December 9, 2010

Latest Security applications News

Posted: December 9, 2010 in Security

‘Trojanized’ Google Android security tool found in China

Suspicious code is lurking in a repackaged Chinese version of a tool Google released last weekend to remotely clean malicious apps off Android phones, Symantec said Thursday.

This “trojanized” package was found on an unregulated third-party Chinese marketplace and not on the official Android Market, the security vendor said in a blog post.

After 58 malicious apps were found on the Android Market last week and downloaded onto about 260,000 devices, Google removed the apps from the market and then wiped them from the phones too.

Now, Symantec says someone appears to have taken the “Android Market Security Tool” used to clean up the devices infected with the malware, repackaged it and inserted code in it that seems to be able to send SMS messages if instructed by a command-and-control server.

It also looks like the code used in the new threat is based on a project hosted on Google Code and licensed under the Apache License, according to Symantec.

A Google spokesman provided this statement when asked for comment: “We encourage Android users to only install applications from sources they trust.”

Several things should raise red flags for people with this threat–it’s not on the official, trusted Android Market and it requires a user to install it whereas the Google tool used an automatic push function to distribute the legitimate app.

The initial malware found on the Android Market, dubbed “DroidDream”, not only could capture user and product information from a device but also had the ability to download more code capable of further damage.

“We have added detection for the trojanized version of Google’s application as Android.Bgserv,” Symantec said.

Meanwhile, a Kaspersky researcher has questioned the efficacy and methods of Google’s Android security tool itself.

Study: Negligence cause of most data breaches

Negligence is the biggest cause of data breaches at corporations, but criminal attacks are growing fastest, a study released Wednesday concludes.

The average cost of a data breach for a victimized organization increased to US$7.2 million, and the average cost per record came to US$214, up US$10 from the previous year, according to the 2010 Annual Study: U.S. Cost of a Data Breach, which was conducted by the Ponemon Institute and based on data supplied by 51 U.S. companies across 15 different industry sectors.

The costs associated with a breach involve detecting the incident, investigation, forensics, customer notification, paying for identity-protection services for victims, business disruption, and productivity losses, said Larry Ponemon, chairman and founder of the Ponemon Institute. A record can contain only one piece of information on an individual or multiple pieces of data, including social security number, contact information, driver’s license number, purchasing habits, and account number, he said.

Malicious or criminal attacks are the most expensive and make up the fastest-growing category, with 31 percent of all breaches involving malice or crime. Negligence was the most common threat, with 41 percent of all breaches, according to the study, which was sponsored by Symantec.

The most expensive breach reported in the study was US$35.3 million, and the least expensive was US$780,000.

The companies have devised an online Data Breach Calculator for helping estimate how likely a breach is and how much a breach would cost based on an organization’s size, industry, location, and security practices.

Report: Malware-laden sites double from a year ago

More than 1 million Web sites were believed to be infected with malware in the fourth quarter of last year, nearly double from the previous year, according to figures released today by Dasient.

Malvertising, advertising containing malware, also is on the rise, with impressions doubling to 3 million per day from the third quarter of 2010, Dasient said in a blog post.

“The probability that an average Internet user will hit an infected page after three months of Web browsing is 95 percent,” the company said.

The news corresponds with information released this week by another security firm. An analysis of more than 3,000 Web sites across 400 organizations last year found that 44 percent of them had serious vulnerabilities at all times, while 24 percent were frequently vulnerable for an average of at least 270 days a year, according to WhiteHat Security, which provides Web site testing and security services for companies. Meanwhile, only 16 percent of the sites examined were found to be rarely vulnerable, the report said.

About 64 percent of those sites had at least one information leakage vulnerability, which inched past Cross-site scripting as the most prevalent vulnerability, WhiteHat said.

Neither WhiteHat nor Dasient identified the Web sites they analyzed or disclosed whether any of the biggest Web brands were among those with malware or vulnerabilities.

Dasient researchers wanted to see how easy it would be to spread malware on social-networking sites and created some test accounts to spread various types of links. More than 80 percent of the dozen unidentified sites it tested allowed through links that were on Google’s Safe Browsing list, while all of them allowed through links that led to a benign drive-by download.

In another test, the researchers posted an ad whose click-through links led to a benign drive-by download and found that the social-networking site kept the ad up for more than three weeks before pulling it. The ad had the headline “Click for a security test”, led to a site at “hackerhome.org,” and said a Windows calculator would pop up if the computer was vulnerable.

China-related DoS attack takes down Codero-hosted Web sites

A distributed denial-of-service attack that affected thousands of customers at Codero and other hosting providers appeared to come from within China and to be launched at a Chinese site that is critical of communism or its Domain Name System provider, Codero said Tuesday.

The disruptions that took Codero’s customers offline for most of the morning were collateral damage in the attack, Ryan Elledge, chief operating officer at Codero, told ZDNet Asia’s sister site CNET.

Directly in the path of the attack was a Codero customer that hosts DNS records for sites on the Internet, including a Web site critical of communism that appeared to be the ultimate end target, he said. At least three other hosting providers for that Web site were also affected by the attack, he said. Elledge declined to name any of the companies involved or the Web site.

Meanwhile, all of Codero’s customers were back up by 1 p.m. PT, according to Elledge.

About 5,000 servers in its Phoenix data center were affected, which meant slowdowns or outages for at least that many customers, Elledge said. He could not say how many customers had been affected in total.

Initially, Codero thought the problem was due to issues with one of its upstream providers, but that turned out not to be the case, he said. “We were receiving more than 1.5 million packets per second in the attack. It paralyzed our core routers, and our upstream providers were unable to pinpoint where the target IPs were,” he said.

The company reported problems beginning about 7:30 a.m. PT. “We are experiencing network issues affecting part of our PHX data center,” the company posted on its Twitter page. “Engineers are working with upstream providers.”

“Another attempt is now under way at routing traffic to specific segments of our network,” Codero tweeted around 9:30 a.m. PT.

Codero, which has points of presence in Irvine, Calif.; Denver; Chicago; and Ashburn, Va., is migrating a data center from San Diego to Phoenix. Only the Phoenix location was affected by the attack, Elledge said.

Google confirms it pulled malicious Android apps

After several days of silence on the issue, Google has confirmed it removed several malicious apps from its Android Market earlier this week and said it would remove the apps from users’ devices as well.

Only devices running an Android version earlier than version 2.2.2 were susceptible to the rogue apps, which took advantage of known vulnerabilities, the Internet giant reported yesterday in a company blog. The company believes the only information that was accessed by the apps was the unique codes used to identify the specific device and the version of Android that it was running.

Fifty-eight malicious apps were identified and removed but not before they were downloaded to about 260,000 devices, according to a TechCrunch report. Google said it would use a kill switch to remotely remove the apps from users’ devices and push an Android security update to affected users to repair the damage done by the apps. Affected users can expect to receive an e-mail from Android Market support explaining the action, Google said.

The developer accounts associated with the apps were suspended and law enforcement officials were contacted, Google said.

Earlier this week, a Reddit user discovered that pirated versions of legitimate apps on the Android Market were infected by a Trojan called DroidDream, which uses a root exploit dubbed “rageagainstthecage” to compromise a device, according to a report on enthusiast site Android Police.

The malware was described as especially virulent because it apparently can not only capture user and product information from a device but also has the ability to download more code capable of further damage.

Google representatives did not immediately respond to a request for further information or comment.

DDoS attacks harmless: Anonymous user

Distributed denial-of-service (DDoS) attacks are harmless, according to Australian Matthew George, who was charged for his role in the Anonymous group’s bid to crash federal government websites last year.

George was one of possibly hundreds of Australians under the Anonymous banner who participated in DDoS protest attacks against the Australian Parliament House and Department of Broadband, Communications and the Digital Economy Web sites. Melbourne resident Steve Slayo was the only other user charged for participating in the attacks.

For his role, George faced 10 years imprisonment for “causing unauthorized impairment of electronic communication to or from a Commonwealth computer”, but received a US$550 fine with a recorded conviction. Federal police raided George’s home in June last year and he faced court in October.

Speaking to ZDNet Asia’s sister site ZDNet Australia, George rebuked comments by the Australian Federal Police that sentences for DDoS attacks are too weak, instead saying that the act does not cause permanent damage.

“DDoS service attacks are harmless. Most hosting companies have DDoS attack precautions in place and there is no long-term damage caused to any servers or Web sites,” George said.

“It is far different to hacking in and defacing or rooting a server [because] when the DDoS attack is stopped everything goes back to normal as if nothing had ever happened.”

“You can’t compare DDoS attacks to child porn, hacking or writing a virus–it’s like comparing apples with oranges.

“As far as saying that the sentence was too weak, maybe they should pass that on to the district public prosecutors as [it] agreed that the sentence was fair in my case.”

AFP High Tech Collection and Capability manager Grant Edwards told a security conference this month that the courts are unwilling to issue tougher sentences for DDoS attacks because “they don’t understand the threat”.

Edwards cited the penalties handed to George and Slayo, who received a good behavior order, as examples of soft sentences.

George said the criminal conviction may make it harder for him to gain employment opportunities.

He said he believes most participants in the DDoS attacks were from Australia. The AFP has refused to confirm if it is investigating other users for their role in the attacks. It had not received requests by the likes of MasterCard and Visa, which were hit with DDoS attacks for blocking funds to whistleblower Web site Wikileaks.

A ZDNet global poll found that readers do not support DDoS attacks on companies that cut off Wikileaks.

This article was first published at ZDNet Australia.

WordPress hit with second big attack in two days

The popular blogging-site hoster WordPress was hit with another distributed denial-of-service attack last Friday, the second in two days.

“Unfortunately, the DDoS attack from yesterday returned in a different form this morning and affected sitewide performance,” the company said in a notice on its Automattic site, which serves as a dashboard for the service. “The good news is that we were able to mitigate it quickly and performance returned to normal around 11:15 UTC. We are continuing to monitor the situation closely.”

Stats on Automattic.com show that the site was affected for about an hour or so starting around 3:15 a.m. PST. One day earlier, WordPress was hit with an attack that reached “multiple Gigabits per second and tens of millions of packets per second,” hampering the company’s three data centers and disrupting nearly 18 million hosted blogs and members of its VIP service, including the Financial Post and TechCrunch.

Typically, DDoS attacks are accomplished using botnets of thousands of compromised computers that are directed to a target Web site with the motivation of overwhelming the site and taking it offline.

WordPress did not provide many details about either attack, but founder Matt Mullenweg told ZDNet Asia’s sister site CNET on Thursday that the first attack may have been politically motivated against one of the site’s non-English blogs. He did not immediately respond to an e-mail seeking comment on Friday.

Expert: Android Market should scan for malware

Android Market apps should be scanned for traces of malware to protect Android customers from downloading apps that look legitimate but are in fact malicious, a security expert said.

Last week Google removed a bunch of malicious apps, most disguised as legitimate apps, from the Android Market after they were found to contain malware. The malware, dubbed DroidDream, uses two exploits to steal information such as phone ID and model, and to plant a back door on the phone that could be used to drop further malware on the device and take it over.

“At a minimum, they have to do signature-based scanning for known malware,” said Chris Wysopal, chief technology officer at Veracode, an application security provider. “DroidDream is now a malware kit and it would be easy for people to make variations of it and insert it into new software.”

But traditional signature-based antivirus software isn’t good at detecting brand new malware or existing malware that has been modified enough to slip past the antivirus programs. To catch something like DroidDream then, behavioral-based antivirus scanning should also be used, according to Wysopal.

“Downloading and installing additional software onto the device outside of the app store is the kind of behavior that should be scanned for,” he said.

A Google spokesman declined to comment beyond confirming that the company had removed some apps and disabled several developer accounts for violating Android Market policies.

Most if not all of the 55 or so apps that were pulled from the Android Market were repackaged versions of legitimate apps, said Kevin Mahaffey, chief technology officer at Lookout, which provides security software and services for Android, BlackBerry, and Windows. This means that even more cautious Android users could have been more easily duped into downloading one of the apps, he said. (Symantec has a list of some of the apps removed from the Android Market here.)

Depending on the handset used, Android versions may be patched by now, but others are not, he said. The vulnerabilities exploited by the malicious apps have been patched in Android 2.3, also known as Gingerbread, but older versions could still be vulnerable, according to Mahaffey.

It’s not clear whether DroidDream did in fact download any software onto devices that installed any of the malicious apps. The command-and-control server the malware set up to communicate with the victim devices is offline now and “we haven’t seen any evidence that the server was pushing apps to the devices,” Mahaffey said.

It’s also a mystery who is behind the malicious apps, but there’s a possibility it’s someone in China as the malware was also found on alternative Android marketplaces that target Chinese users, he said.

Cleanup can be a pain; in addition to removing the app, any additional software it may have hidden in the device must be wiped. Lookout can walk Android users who need help through the cleanup process, Mahaffey said.

The Android Market is flourishing, with the number of apps growing faster than the iPhone market, according to Lookout. Android also has greater overall market share of mobile operating systems in the U.S. (29 percent) than Apple’s iOS and Blackberry (both 27 percent), Nielsen announced last week.

Much of the success of the platform is due to the fact that the operating system is open-source and thus attracts a large number of developers. The openness of Android’s platform fosters innovation, but leaves much of the responsibility for security on the shoulders of Android customers, experts say. (More details on the different security models between Android and iPhone are here.)

In one analogy Wysopal has come across, the iPhone environment has been likened to Disney World and Android to New York City. You might not have as much freedom and choice at Disney World, but you probably feel safer.

“How are people who don’t read CNET supposed to know that they need to do something on their phone to bring it back to its factory state because it’s been compromised” by a malicious app, Wysopal said. Apple could send a warning out to all iPhone users if it needed to but that can’t happen on the Android because of all the different flavors of the operating system running on the different handsets, he said.

This may be the first time Google has removed malicious apps from the Android Market, but it’s not the first time apps have been pulled. Last year two proof-of-concept apps designed to test how easy it would be to distribute an innocuous program that could later be made malicious were removed. Later in the year Google pulled another app the same researcher created to illustrate a flaw in the mobile framework that allowed apps to be installed without a user’s knowledge. That hole also was plugged.

WordPress hit by ‘extremely large’ DDoS attack

Blog host WordPress.com was the target of a distributed denial-of-service (DDoS) attack earlier today described by the company as the largest in its history.

As a result, a number of blogs–including those that are a part of WordPress’ VIP service–suffered connectivity issues. That includes the Financial Post, the National Post, TechCrunch, along with the service’s nearly 18 million hosted blogs.

According to a post by Automattic employee Sara Rosso on the company’s VIP Lobby (which had been down at the time of the attacks, though was archived by Graham Cluley over at Naked Security), the size of the attack reached “multiple Gigabits per second and tens of millions of packets per second”. Rosso had also said putting a stop to the attack was “proving rather difficult”.

Rosso had also said the company would be handling its VIP sites ahead of general users.

Denial-of-service attacks are designed to overwhelm Web sites with requests, effectively shutting them down. The ones that are distributed present a much larger challenge to combat, since they can come from a wider variety of networks and hosts.

In an e-mail to ZDNet Asia’s sister site CNET, WordPress founder Matt Mullenweg said the attack had affected three of the company’s data centers, and was the largest it’s seen in the company’s six-year history. Mullenweg also said that the attack “may have been politically motivated against one of our non-English blogs”, but that that detail had not been confirmed. Full e-mail below:

There’s an ongoing DDoS attack that was large enough to impact all three of our data centers in Chicago, San Antonio, and Dallas–it’s currently been neutralized but it’s possible it could flare up again later, which we’re taking proactive steps to implement.

This is the largest and most sustained attack we’ve seen in our six-year history. We suspect it may have been politically motivated against one of our non-English blogs but we’re still investigating and have no definitive evidence yet.

WordPress later updated that the problem has been fixed. “Our systems are back to normal. We’ll continue to monitor them and post updates here if needed,” the company said on its status page. No word yet on if the company had gotten to the bottom of which of its blogs had been the target of the attack.

Google pulls infected apps from Android Market

Google has taken down more than 50 infected programs from its official app store, Android Market.

The apps contained malware called DroidDream hidden in seemingly legitimate apps and were pulled on Tuesday, mobile security company Lookout said in a blog post on Wednesday. Between 50,000 and 200,000 users downloaded the infected apps, said the company.

“Unlike previous instances of malware in the wild that were only available in targeted alternative app markets, DroidDream was available in the official Android Market in addition to alternative markets, indicating a growing need for Android users to take extra caution when downloading apps,” the blog post said.

Read more of “Google pulls infected apps from Android Market” at ZDNet UK.

Air traffic control system ‘not safe’, say UK controllers

Technology being introduced at one of the two major U.K. air traffic control hubs is “not fit for purpose” and did not adequately handle a breakdown in air traffic communications, according to a number of air traffic controllers.

The EFD (Electronic Flight Data) system rolled out at the Scottish and Oceanic Air Traffic Control (ATC) Centre at Glasgow Prestwick Airport has had difficulty handling complex inputs, according to people posting on an air traffic control forum.

“[Controllers] don’t want to use this system, not because they like to have a whinge, but because they know it is neither safe, nor efficient enough to do the job,” wrote one Prestwick controller, Arty-Ziff, on the Pprune forum in February. “This system should have been tested properly before it went into live operations.”

Read more of “Air traffic control system is ‘not safe’, say UK controllers” at ZDNet UK.

Microsoft fixes hole in its antivirus engine

Microsoft has plugged a hole in its antivirus and antispyware software that could allow an attacker authenticated on the local system to gain LocalSystem privileges.

The fix for the privilege escalation vulnerability is included in an update to the Microsoft Malware Protection Engine. Since the malware protection updates are automatically applied, most end users and administrators won’t need to do anything, Microsoft said in its advisory, issued Wednesday. The update should be applied within 48 hours of the advisory release, or by the weekend.

The vulnerability is rated “important” for Windows Live OneCare, Microsoft Security Essentials, Windows Defender, Microsoft Malicious Software Removal tool, Forefront Client Security, and Forefront Endpoint Protection 2010.

“The update addresses a privately reported vulnerability that could allow elevation of privilege if the Microsoft Malware Protection Engine scans a system after an attacker with valid log-on credentials has created a specially crafted registry key,” the advisory says. “An attacker who successfully exploited the vulnerability could gain the same user rights as the LocalSystem account. The vulnerability could not be exploited by anonymous users.”

Workstations and terminal servers are primarily at risk, Microsoft said.

Apple shares Mac OS X Lion with security experts

Apple not only released a preview of its next operating system, Mac OS X Lion, to developers on Thursday, the company is also giving it to security experts for review.

“I wanted to let you know that I’ve requested that you be invited to the prerelease seed of Mac OS X Lion, and you should receive an invitation soon,” said a letter sent by Apple to an unknown number of security researchers. “As you have reported Mac OS X security issues in the past, I thought that you might be interested in taking a look at this. It contains several improvements in the area of security countermeasures.”

Dino Dai Zovi and several other researchers tweeted about being invited to try out the prerelease version of the new Mac OS. “This looks to be a step in the direction of opening up a bit and inviting more dialogue with external researchers,” Dai Zovi wrote. “I won’t be able to comment on it until its release, but hooray for free access!”

I asked Charlie Miller, another expert on Mac security, if this was the first time Apple had offered to show an OS preview to security experts, and what the significance is.

“As far as I know they have never reached out to security researchers in this way. Also, we won’t have to pay for it like everybody else,” he wrote in an e-mail. “It’s not hiring us to do pen-tests of it, but at least it’s not total isolation anymore, and at least security crosses their mind now.”

“I haven’t downloaded it yet, but if I had, I couldn’t talk about it,” he added. “Damn NDAs.”

Google flags London Stock Exchange site for malware

Google has temporarily flagged up the London Stock Exchange’s website as a malware danger, due to a third-party advertiser on that site hosting malicious software.

The issue came up on Sunday, a spokesperson for the London Stock Exchange (LSE) told ZDNet Asia’s sister site ZDNet UK. “We were previously carrying an advert from a third-party provider,” a spokesperson said on Monday. “That advert, if you clicked through to the third-party website, had a flag up as being a virus or something similar. We’ve obviously taken the advert down off our website.”

According to Google’s Safe Browsing diagnostic page, a visit to a page on the LSE site on Saturday resulted in malicious software being downloaded and installed without user consent. The malware was hosted on a site called stripli.com, while two others — unanimis.co.uk and borsaitaliana.it — appeared to be “functioning as intermediaries for distributing malware to visitors of this site”, Google said.

Read more of “Google flags London Stock Exchange site for malware” at ZDNet UK.

Facebook seeking encryption for apps, mobile

In response to complaints that a recent announcement of secure connections doesn’t go far enough, Facebook said today that it’s planning to roll out additional changes that would shield mobile devices and all apps from eavesdropping.

Last month, Facebook began offering the ability for users to turn on HTTPS (Hypertext Transfer Protocol Secure) to encrypt all communications with the site. However, F-Secure and others have noticed that some apps require users to switch to a regular HTTP connection to use the app, but don’t warn users that the switch then becomes permanent.

Asked for comment, a Facebook representative said the company is working to make it so that the switch to unencrypted communications is only temporary and that Facebook is encouraging developers to write apps that support HTTPS.

“We are pushing our third-party developers to begin supporting HTTPS as soon as possible. We’ve provided an easy way for third-party developers to encourage to do this, and we hope to transition to fully persistent HTTPS soon,” the rep said in an e-mail. “However, we recognize that there is currently too much friction in this process and we are iterating on the flow so that the setting will only be temporarily disabled for that session. The account will then return to HTTPS on the next successful log in. We are testing this flow now and hope to launch it in the near future.”

Also this week, a computer science professor at Rice University demonstrated that his Motorola Droid X running Android could be eavesdropped on with the right sniffing software. Dan Wallach ran the Wireshark network protocol analyzer and Mallory proxy in his undergraduate security class a few days ago. He found that Facebook sends data (except log-in credentials) in the clear, even though he has his Facebook account set to use HTTPS whenever possible, he wrote on the Freedom to Tinker blog.

Asked for comment, the Facebook representative said the company is working to provide Secure Sockets Layer (used in HTTPS) on mobile platforms in coming months.

“After launching SSL for the site, we are still testing across all Facebook platforms, and hope to provide it as an option for our mobile users in the coming months,” the rep said in a statement. “As always, we advise people to use caution when sending or receiving information over unsecured Wi-Fi networks.”

Wallach also found that Google Calendar traffic is not encrypted. In response, a Google representative said, “We plan to begin encrypting traffic to Google Calendar on Android in a future maintenance release. When possible, we recommend using encrypted Wi-Fi networks.”

(A tip of the hat to Dan Goodin at The Register.)

EU outlines shortcomings in UK data law

The European Commission has revealed details of where it sees shortfalls in U.K. data law, as it considers whether to take action against the British government over the matter.

Data protection expert Chris Pounder received the information from the Commission as part of a long-running Freedom of Information exchange. In a blog post earlier this week, he shared the details of a letter sent to him by the European body, outlining where the U.K. Data Protection Act does not meet the requirements of the European Union’s Data Protection Directive.

“This case concerns an alleged failure of the U.K. legislation to implement various provisions of the Directive 95/46/EC on data protection,” the Commission said in the letter dated Feb. 16 (PDF). “As we have already informed you, the provisions concerned are Articles 2, 3, 8, 10, 11, 12, 13, 22, 23, 25 and 28 of that Directive.”

Read more of “EU outlines shortcomings in UK data law” at ZDNet UK.

US agents seek new ways to bypass encryption

SAN FRANCISCO–When agents at the Drug Enforcement Administration learned a suspect was using PGP to encrypt documents, they persuaded a judge to let them sneak into an office complex and install a keystroke logger that recorded the passphrase as it was typed in.

A decade ago, when the search warrant was granted, that kind of black bag job was a rarity. Today, however, law enforcement agents are encountering well-designed encryption products more and more frequently, forcing them to invent better ways to bypass or circumvent the technology.

“Every new agent who goes to the Secret Service academy goes through a week of training” in computer forensics, including how to deal with encrypted files and hard drives, U.S. Secret Service agent Stuart Van Buren said at the RSA computer security conference last week.

One way to circumvent encryption: Use court orders to force Web-based providers to cough up passwords the suspect uses and see if they match. “Sometimes if we can go in and find one of those passwords, or two or three, I can start to figure out that in every password, you use the No. 3,” Van Buren said. “There are a lot of things we can find.”

Last week’s public appearance caps a gradual but nevertheless dramatic change from 2001, when the U.S. Department of Justice spent months arguing in a case involving an alleged New Jersey mobster that key loggers were “classified information” (PDF) and could not be discussed in open court.

Now, after keystroke-logging spyware has become commonplace, even being marketed to parents as a way to monitor kids’ activities, there’s less reason for secrecy. “There are times when the government tries to use keystroke loggers,” Van Buren acknowledged.

As first reported by CNET, FBI general counsel Valerie Caproni told a congressional committee last week that encryption and lack of ability to conduct wiretaps was becoming a serious problem. “On a regular basis, the government is unable to obtain communications and related data,” she said. But the FBI did not request mandatory backdoors for police.

Also becoming more readily available, if not exactly in common use, is well-designed encryption built into operating systems, including Apple’s FileVault and Microsoft’s BitLocker. PGP announced whole disk encryption for Windows in 2005; it’s also available for OS X.

Howard Cox, assistant deputy chief for the Justice Department’s Computer Crime and Intellectual Property Section, said he did not believe a defendant could be legally forced–upon penalty of contempt charges, for instance–to turn over a passphrase.

“We believe we don’t have the legal authority to force you to turn over your password unless we already know what the data is,” said Cox, who also spoke at RSA. “It’s a form of compulsory testimony that we can’t do… Compelling people to turn over their passwords for the most part is a non-starter.”

In 2009, the Justice Department sought to compel a criminal defendant suspected of having child porn on his Alienware laptop to turn over the passphrase. (A border guard said he opened the defendant’s laptop, accessed the files without a password or passphrase and discovered “thousands of images of adult pornography and animation depicting adult and child pornography.”)

Another option, Cox said, is to ask software and hardware makers for help, especially when searching someone’s house or office and encryption is suspected. “Manufacturers may provide us with assistance,” he said. “We’ve got to make all of those arrangements in advance.” (In a 2008 presentation, Cox reportedly alluded to the Turkish government beating a passphrase out of one of the primary ringleaders in the TJ Maxx credit card theft investigation.)

Sometimes, Van Buren said, there’s no substitute for what’s known as a brute force attack, meaning configuring a program to crack the passphrase by testing all possible combinations. If the phrase is short enough, he said, “there’s a reasonable chance that if I do lower upper and numbers I might be able to figure it out.”

Finding a seven-character password took three days, but because there are 62 possible characters for each position (26 uppercase letters, 26 lowercase letters, 10 digits), an eight-character password would take 62 times as long. “All of a sudden I’m looking at close to a year to do that,” he said. “That’s not feasible.”

To avoid brute-force attacks, the Secret Service has found that it’s better to seize a computer that’s still turned on with the encrypted volume mounted and the encryption key and passphrase still in memory. “Traditional forensics always said pull the plug,” Van Buren said. “That’s changing. Because of encryption…we need to make sure we do not power the system down before we know what’s actually on it.”

A team of Princeton University and other researchers published a paper in February 2008 that describes how to bypass encryption products by gaining access to the contents of a computer’s RAM–through a mechanism as simple as booting a laptop over a network or from a USB drive–and then scanning for encryption keys.

It seems clear that law enforcement is now doing precisely that. “Our first step is grabbing the volatile memory,” Van Buren said. He provided decryption help in the Albert “Segvec” Gonzalez prosecution, and the leaked HBGary e-mail files show he “went through a Responder Pro class about a year ago”. Responder Pro is a “memory acquisition software utility” that claims to display “passwords in clear text”.

Cox, from the Justice Department’s computer crime section, said “there are certain exploits you can use with peripheral devices that will allow you to get in”. That seems to be a reference to techniques like one Maximillian Dornseif demonstrated in 2004, which showed how to extract the contents of a computer’s memory merely by plugging in an iPod to the Firewire port. A subsequent presentation by “Metlstorm” in 2006 expanded the Firewire attack to Windows-based systems.

And how to make sure that the computer is booted up and turned on? Van Buren said that one technique was to make sure the suspect is logged on, perhaps through an Internet chat, and then send an agent dressed as a UPS driver to the door. Then the hapless computer user is arrested and the contents of his devices are seized.

Father of firewall: Security’s all about attention to detail

Marcus J. Ranum is a world-renowned expert and innovator on IT security, whose pragmatic approach is lauded by industry peers. Two decades ago he designed and implemented Digital Equipment Corporation’s (DEC) Secure External Access Link–regarded by many, but not Ranum, as the first commercial firewall.

He has held senior security roles at a variety of high-profile companies, in the course of which he has administered the White House e-mail system. He has consulted for many Fortune 500 organizations, and has been a key presenter at countless security events around the world. Ranum resides on a remote farm in Pennsylvania far from the cities and fast Internet. He’d welcome an end to the battle for IT security, even if it meant the end of the industry.

Q: Why did you enter the information security industry? What do you find most interesting about it?
Ranum: I got dragged in quite by accident when my boss at DEC, Fred Avolio, put me in charge of one of the company’s Internet gateways and told me to “build a firewall like Brian Reid and Bill Cheswick’s”–20 years later I suppose you could say I’m still working on that assignment. And, to be honest, I didn’t find anything particularly interesting about computer security; once you understand the strategic problem then it’s all just a lot of attention to detail.

What I do find most interesting about security is how people react to it: they want to do something dangerous safely and are generally resentful when you tell them that’s not going to work. So I see the whole industry as a vast dialectic between hope and concrete effort on one side, and cynical marketing and wilful ignorance on the other.

What do you find is the most pressing issue in the information security industry and what can be done to fix it?
The most pressing issue in information security is one we’re never likely to do anything about, and that’s achieving reliable software (security is a subset of reliability) on end-point systems. That means operating system design and reliable coding, two things that the trend lines are moving in the opposite direction of right now. Consequently, the current trend is “cloud computing”, which, in effect, is visualizing the mainframe: acknowledging that end-points are badly managed and unreliable and putting data and processes in the hands of professionals who are expected to do a better job maintaining them and making them reliable–and cheap–than departmental IT.

Of course, that’s a pipe dream, because the same practices that brought us unreliable code-mass on the end points are being used to build the aggregated services. The backlash when it’s all revealed to be a pipe dream is going to be expensive and interesting, in that order.

What can be done to fix it? Again, the trend lines are all going the wrong direction–the fix requires technically sophisticated management with healthy scepticism toward marketing claims, good software engineering and a focus on getting the job done right, not getting something that you can’t understand from the lowest bidder. It will correct itself. The industry will re-aggregate into competence centers, which will become more expensive when they realize they have the upper hand, and that will re-trigger the fragmentation to the desktop and department cycle.

To fix things, we’d need to all focus ruthlessly on reliability, which means also quality, and not … “ooo! Shiny thing!”

You’re no fan of blacklisting, yet much of the industry is built on it and it’s the source of a lot of cash. Can you explain your opposition to blacklisting and whether you think change to a dominant whitelisting model is inevitable? What would happen to revenues in the security industry if such a shift happened?
I’m a huge fan of blacklisting! It’s a crucial technology! It just doesn’t answer the question that many people are expecting it to, which is “is this software good?” Blacklisting is the best technique for identifying something, because it can answer not only the question “is this thing bad?” but “what is it?” It seems to be human nature to want to know what was thrown at us, and that’s why people are so intellectually comfortable with signature-based intrusion detection/prevention and signature-based antivirus. It’s easy to implement and it’s easy to understand–and it’s easy to keep selling signature update subscriptions.

When you’ve got companies like Symantec saying that blacklists don’t work, I think it’s an important acknowledgement that a lot of the security industry is just happy to keep churning the money-pump as long as it’s not sucking air. The trend there seems to be reputation–[meaning] “continue to trust someone else’s opinion”–it’s a more flexible approach to building a cloudy and hype-ful dynamic blacklist, but in the long run it’s not going to work any better than static blacklists. By work I mean “solve the malware problem for customers”. If by work you mean “solve the relevance and financial problems for antivirus vendors”, I think it will “work” just fine for a long enough [time] to keep them happy.

Meanwhile, I keep asking IT managers “do you have any idea why you gave a user a computer?” and “if you know why they have a computer, why not configure that computer so that what it can do is what it’s supposed to do and not much else”–where much else means things like “participate in botnets”. I’m constantly baffled by how many IT managers say it’d be hard to enumerate all the software they run. It’s bizarre because knowing the answer to that question is what IT’s job is. If my company gave me a computer so I can do e-mail and edit company documents, it seems pretty simple to imagine that it ought to run some office apps and an e-mail client configured to talk to our IMAP server and maybe nothing else. For a while I was hopeful that the app-store model on increasingly powerful handheld devices would let us do away with the current “bucket of fish guts” approach to desktop security, but it looks like the app stores are going to be a big target and eventually a distribution vehicle for badware.

So, you need blacklists so that you can tell someone “that piece of weird stuff you just tried to run is called Stuxnet” and that’s interesting and useful, but you need the whitelists more, because that’s how you define your notion of what you think your computer should be doing. If you cast the problem in terms of a firewall policy it’s the old default-permit versus default-deny all over again. Default-deny is what the survivors do, and default-permit is for the guys who want to spend all their time doing incident response and forensics. None of this is anything less than completely obvious.

As far as security industry revenues–who cares? Nobody is worrying about the impact that the internal combustion industry has had on the steam-power boilermakers’ industry, are they? In fact, I think it’d be awesome if we could someday dry our hands, put away our tools and say “There, fixed it, now let’s write something fun!” Believe it or not there was a time early in the firewall industry when I thought we’d built all the tools that security would need; it was just a matter of fielding policy-based access control, offline authentication, point-to-point cryptography and then levelling up software quality. But in the late ’90s the lunatics took over the asylum and–well, the results speak for themselves.

You said once that businesses lack the willpower to brand devices as corporate, rather than personal, assets. Must this happen? Are platforms to “secure” bring-your-own devices not enough?
Let me throw that back at you, OK? How would you feel if the U.S. announced that we were putting our ballistic missile systems control into an iPad application and we were going to let the guys in the silos use their personal iPads so we could save a whole bunch of money?

It always depends: it depends what’s at stake, how replaceable it is, how easy it is to clean up an “oopsie” and whether you are really willing to be part of that “oopsie”. Every single journalist who has ever complained that some agency or company leaked a zillion credit cards or patient data or secrets should never ask the question you just asked me.

You should be asking why do they tolerate systems and software that are so bad, so shoddy, so mismanaged that they’ve got no idea what they are doing, yet they allow them to be used to access my bank account? Are you insane?! These problems are inevitable side-effects of poor configuration management, which is poor system management, which means “don’t know how to do IT”.

Yes, I do realize that I am arguing against today’s prevailing trends in IT management.

Do you still equate penetrate and patch to turd polishing? How prevalent is this and is it realistic to expect software vendors to change their attitude to security?
Yes, I do. It’s one thing for a sculptor to say they start with a block of marble and then chip away everything that doesn’t look like an angel, but that doesn’t work for software. You can’t start with the idea that a buggy mass of stuff [will] eventually turn into enterprise-class, failure-proof software by fixing bugs until there aren’t any more. No matter how much polish you put on a turd, it’s still a turd.

The software industry almost understands this–you’ll occasionally see some piece of software get completely re-architected because its original framework became limiting. As pieces of software get more complex and powerful, developers usually resort to things like source-code revision control, unit testing, regression testing, et cetera. Why doesn’t the idea that a security bug is just another bug sink in? If a manager can comprehend that there’s a major cost to an out-of-cycle patch because of some reliability failure, they ought to be able to understand that a security flaw is just a particularly painful out-of-cycle patch with bad publicity attached to it.

The problem is that the software industry is target-locked on time-to-market because that is where the big rewards are–asking them to do anything that might affect time-to-market is asking them to risk being an also-ran. Some of that can be managed by adopting a model of “write a toy version, throw it over the fence, and if it succeeds take the lessons learned and write a real version shortly after”, but I’m afraid that sometimes the toy version becomes the production codebase for a decade. We’ve seen the results of that and they’re not very pretty.

It’s been about six years into the 10 by which you predicted hackers would no longer be portrayed as cool and educating neo-luddite users on security would become a null point. What’s your take of the current climate?
I think that, at least partly, thanks to the spread of malware and botnets, and the professionalization of cybercrime, a lot more “normal people” are less impressed with hacker culture. The “grey hat” community’s commercial interest is pretty clear to just about everyone now, so I think the hacking community has some reputation damage to deal with.

As far as educating neo-luddites, I think I was pretty much completely wrong there. Not wrong that education won’t help, but wrong that the newer generation of executives will have a better grasp of security. From where I sit it looks like it’s actually getting worse.

Which mobile platform will (or do you hope will) win out–the open Android, walled Apple or locked down Blackberry?
I wish they would all go away. Which they inevitably will. The song “Every OS Sucks” sums up my views very nicely. A disclosure: I bought an iPad because it plays movies nicely and doesn’t pretend to be a telephone. I do like the delivery model of “app store” systems for fielding software–it’s much better than letting users install things themselves or worse yet when the system comes bundled with 10,000 pieces of shovel-ware. I’m concerned about code quality, of course: it’s not going to be possible for the app stores to vet code for malware, and I’m not convinced the “walls” in the “walled garden” aren’t made of Swiss cheese.

You once told me privacy is a myth and something held by the privileged few. What is your take on privacy now, where do you think it is heading and what significance will this have?
I think that what I might have said is more that privacy has only ever been for the wealthy and powerful. What we’ve seen lately is the veneer coming off–the U.S. government is consistently and cheerfully trampling on privacy and has pardoned itself and its lackeys for all transgressions. Meanwhile, we see that if you read Sarah Palin’s e-mail you get in trouble, but if you read Joe Average’s e-mail you’re the FBI. Privacy is a privilege of power, because the powerful need it so they can enjoy the fruits of their power without everyone realizing how good they’ve got it.

Meanwhile, the entire population of the planet seems to want to join social-networking Web sites that exist to collect and re-sell marketing information and push ads in their users’ faces, then they complain when they discover that the sites are doing exactly what they were created to do. What else did they expect? I never really cared about privacy, but a few years ago I adopted a strategy of leading a fairly open life. It’s easy to get my phone number and address and e-mail address and to find out where I’ve been and who I’m sleeping with and what and how much I drink or what music I listen to. There are only a few things about my lack of privacy that annoy me and it’s mostly the stupidity of commercial marketing–I get a credit card offer from the same big bank every month. I’ve gotten one from them every month for 15 years. I periodically wonder why it hasn’t sunk in to them that I’m not interested, but I have a big garbage can and it’s their money they’re wasting.

I’m a subscriber of your six dumbest ideas–are there some that you would update?
The piece was originally going to have a few more dumb ideas than it did, but the next one to write about was “ignoring transitive trust”. I wrote that piece while I was stuck in Frankfurt Airport and I was pretty tired and trying to explain why transitive trust makes a mockery out of most of what we see as “Internet security” was just too much for me to attempt. If I’d had more courage I’d have also tackled “cost savings achieved now will continue forever” for the outsourcing and cloud computing fans.

Could you briefly explain why you think cyberwar is BS?
There are several reasons cyberwar is BS: technological, strategic and logistical. The people who are promoting it are either running a snow-job (there’s a lot of money at stake!) or simply don’t understand that warfare is the domain of practicality and cyberwar is just a shiny, impractical toy. Unfortunately, there’s so much money involved that the people who are pushing it simply dismiss rational objections and incite knee-jerk fear responses by painting pictures of burning buildings and national collapse and whatnot.

[See a longer explanation of the cyberwar phenomenon on Ranum’s Rearguard podcast.]

Probably the shortest rebuttal of cyberwar is to point out that it’s only practical if you’re the power that would already expect to win a conventional war–because a lesser power that uses cyberwar against a superpower is going to invite a real-world response, whereas it’s attractive if you already have overwhelming real-world force–but then it’s redundant. Cyberwar proponents often argue by conflating cybercrime, cyberespionage, cyberterror and cyberwar under the rubric of “cyberwar” but they ignore the obvious truth that those activities have different and sometimes competing agendas.

A short cyberwar: “be glad we jacked you up with Stuxnet because otherwise we’d have bombed you”. A shorter cyberwar: “be afraid. give me money”.

This article was first published at ZDNet Australia.

Rapid tech adoption overwhelming security staff

Information security professionals are overwhelmed by the rapid deployment of new technologies in the workplace, potentially putting government agencies, businesses and consumers at risk, reveals a new study released Friday.

According to the 2011 (ISC)2 Global Information Security Workforce Study (GISWS), IT security personnel are challenged by the proliferation of mobile devices as well as the rise of cloud computing and social networking. Many of the professionals admitted they needed more training to manage these technologies, yet reported that such tools were already deployed without security in mind.

Conducted by Frost & Sullivan in the second half of 2010, the study surveyed over 10,400 IT security professionals from the public and private sectors. U.S.-based respondents made up 61 percent of total respondents, while 22.5 percent were from Europe, Middle East and Africa. Respondents in Asia accounted for 16.5 percent of the sample pool.

Mobile “single most dangerous threat”
Organizations polled ranked mobile devices as the No. 2 security concern, after application vulnerabilities. At the same time, almost 70 percent of respondents said their companies had in place policies and technologies such as encryption and mobile VPN (virtual private network) to meet the security challenges posed by portable devices.

In the report, Frost & Sullivan said mobile security could be the “single most dangerous threat to organizations for the foreseeable future”.

Security professionals, on the other hand, appeared more lax in their approach toward social media, treating it as a personal platform and doing little to manage it, reported the analyst firm. Less than half, or 44 percent, indicated their companies had policies in place to control access to social media sites.

Frost & Sullivan said it was “disappointed” that 28 percent of organizations globally had no restrictions on the use of social media.

Robert Ayoub, the research firm’s global program director for information security and author of the report, said in a statement that the pressure to “secure too much” and a resulting skills gap increasingly put a strain on IT security professionals. This, in turn, creates risk for organizations across the world in the coming years.

“The good news from this study is that information security professionals finally have management support and are being relied upon and compensated for the security of the most mission-critical data and systems within an organization,” Ayoub said. “The bad news is that they are being asked to do too much, with little time left to enhance their skills to meet the latest security threats and business demands.”

He added: “Information security professionals are stretched thin, and like a series of small leaks in a dam, the current overstretched workforce may show signs of strain.”

Manpower, skills key to risk management
The risks, according to Ayoub, can be mitigated by attracting quality talent to the field and investing in professional development for emerging skills.

The need for skills improvement was especially evident in the area of cloud computing–over 70 percent of survey respondents reported the need for new skills to properly secure cloud-based technologies.

However, nearly two-thirds of respondents in the (ISC)2 study indicated that they did not expect any budget increases this year for IT security personnel and training.

In terms of manpower growth, Frost & Sullivan estimates there are 2.28 million information security professionals globally as of 2010, of whom around 750,000 are based in the Asia-Pacific region. The analyst firm expects the region’s demand for security professionals to increase at a compound annual growth rate of 11.9 percent to over 1.3 million by 2015.

Ayoub noted: “As the study finds, these solutions are underway but the question remains whether enough new professionals and training will come soon enough to keep global critical infrastructures in the private and public sectors protected.”

NSA chief wants to protect ‘critical’ private networks

SAN FRANCISCO–The head of the National Security Agency (NSA) said today that the U.S. military should have the authority to defend “critical networks” from malware and other disruptions.

Gen. Keith Alexander, who is also the head of the Pentagon’s U.S. Cyber Command, said at the RSA Conference here that the NSA’s “active defenses” designed to defend military networks should be extended to civilian government agencies, and then key private-sector networks as well.

“I believe we have the talent to build a cyber-secure capability that protects our civil liberties and our privacy,” Alexander said.

Alexander’s comments come only two days after William Lynn, the deputy secretary of defense, offered the same suggestion. In an essay last year, Lynn likened active defenses to a cross between a “sentry” and a “sharpshooter” that can also “hunt within” a network for malicious code or an intruder who managed to penetrate the network’s perimeter.

But the power to monitor civilian networks for bad behavior includes the ability to monitor in general, and it was the NSA that ran the controversial warrantless wiretapping program under the Bush administration. Concerns about privacy are likely to turn on the details, including the extent of the military’s direct involvement, and whether Web sites like Google.com and Hotmail.com could be considered “critical” or the term would only be applied to facilities like the Hoover Dam.

Alexander offered little in the way of specifics today. “We need to continue to refine the roles of government and the private sector in securing this nation’s critical networks,” he said. “How do we extend this secure zone, if you will? How do we help protect the critical infrastructure, key resources?”

At the moment, the Department of Homeland Security (DHS) has primary responsibility for protecting critical infrastructure. A presidential directive (HSPD 7) says the department will “serve as a focal point for the security of cyberspace”. During an appearance at RSA two years ago, Alexander stressed that “we do not want to run cybersecurity for the U.S. government.”

That was then. After Cyber Command was created–following reports of a power struggle between DHS and the NSA–it moved quickly to consolidate its authority. An October 2010 memorandum of agreement (PDF) between the two agencies says they agree to “provide mutually beneficial logistical and operational support” to one another.

Senators Joseph Lieberman (I-Conn.) and Susan Collins (R-Maine) recently pledged to reintroduce a controversial bill handing President Obama power over privately owned computer systems during a “national cyberemergency,” with limited judicial review. It’s been called an Internet “kill switch” bill, especially after Egypt did just that.

Alexander didn’t address that point. “The intent would be: let’s build how we can do this with DOD, show we can extend that to the government, and then to key critical infrastructure,” he said.

Fighting spam and scams on Twitter

SAN FRANCISCO–Twitter presents a relatively new frontier for spammers, malware creators, and all around bad guys, which in turn has created the opportunity for security researchers and vendors alike to try to figure out, and put a stop to, their efforts.

One company that’s trying to get a handle on the size of the problem, and on ways to fight it, is Barracuda Networks. During a talk at the RSA security conference here, which wraps up Friday, Barracuda outlined some of the research it has been doing in this area over the past two years.

Paul Judge, chief research officer and vice president of cloud services for Barracuda, noted that what makes Twitter a particularly attractive target is that it is both a social network and a search engine. This lets scammers place their wares on a public feed to reach a list of followers, as well as seek new eyeballs by making use of trending keywords to have their wares appear in Twitter search results.

But who, you’re wondering, would follow a scammer on Twitter? It’s more common than you’d think, said Barracuda research scientist Daniel Peck. One example the company tracked was Download-Heaven, a site that was using a Twitter account to push links to hosted shareware filled with malware and Trojans.

Download-Heaven had 445 followers while following only one account itself. Peck said the scammers were following other Twitter users as a way of getting them to return the favor and follow Download-Heaven. Then the scammers would simply unfollow those users while leaving them to continue receiving its updates, including links to malware.

Barracuda looked for that sort of imbalance as it tracked a raw stream of data from Twitter. It also looked for accounts that had been unfollowed by a lot of users over time; such accounts have often been recognized by other Twitter users as bad news. Finally, Barracuda tried to figure out the behaviors of typical users to see if it could put together additional filters that would spot users who were up to no good.

The result was a reputation system that looked at the Twitter public stream (through its API), as well as an extra 20,000 queries per hour outside of the normal public stream. The test ran for two years and evaluated tweet-to-follower ratios as well as the content of what users were sharing. What Barracuda found was that just 43 percent of Twitter users could be classified as “true”. These were users that had more than 10 followers, friends, and tweets. That was compared with the other 57 percent of the network, which fell into a bucket of questionables.

By analyzing the flow of accounts, Barracuda was also able to create a “crime rate”–the percentage of accounts created per month that end up getting suspended by Twitter. This number would swing wildly based on real-world events, such as Oprah joining the network, or the World Cup kicking into gear, which would bring in big swells of new Twitter users, and, in turn, flocks of scammers.
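The signals described above (follower/following imbalance, accounts shed by many followers, the “true” user threshold, and the monthly “crime rate”) can be sketched as follows. This is an added example, not Barracuda’s code: the record fields, the imbalance ratio, the unfollow share and the two-signal rule are assumptions, and the sample accounts are constructed.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Account:
    """One observed account. Field names are assumptions, not Twitter API fields."""
    name: str
    created: str        # month the account was created, "YYYY-MM"
    followers: int
    friends: int        # accounts this user follows
    tweets: int
    unfollowed_by: int  # users seen following and later unfollowing (assumed tracked)
    suspended: bool     # later suspended by Twitter


TRUE_MIN = 10          # article: "true" users have more than 10 followers, friends, tweets
IMBALANCE_RATIO = 50   # assumption: followers >= 50x friends counts as imbalanced
UNFOLLOW_SHARE = 0.5   # assumption: at least half of all-time followers have left


def is_true_user(a):
    """The article's 'true' bucket: more than 10 of each of the three counts."""
    return a.followers > TRUE_MIN and a.friends > TRUE_MIN and a.tweets > TRUE_MIN


def signals(a):
    """Return the reputation signals an account trips, in a fixed order."""
    found = []
    # Follow-then-unfollow leaves many followers but almost no friends.
    if a.followers >= IMBALANCE_RATIO * max(a.friends, 1):
        found.append("follow-imbalance")
    # Accounts other users have recognised as bad news lose followers over time.
    ever_followed = a.followers + a.unfollowed_by
    if ever_followed and a.unfollowed_by / ever_followed >= UNFOLLOW_SHARE:
        found.append("mass-unfollowed")
    if not is_true_user(a):
        found.append("below-true-threshold")
    return found


def is_suspicious(a):
    """Require two signals: each one alone is noisy (a news outlet is
    imbalanced, a brand-new user is below the 'true' threshold)."""
    return len(signals(a)) >= 2


def crime_rate(accounts):
    """Percentage of accounts created in each month that were later suspended."""
    created = defaultdict(int)
    suspended = defaultdict(int)
    for a in accounts:
        created[a.created] += 1
        if a.suspended:
            suspended[a.created] += 1
    return {m: round(100 * suspended[m] / created[m], 1) for m in sorted(created)}


# Constructed sample data. Only the 445-followers / 1-friend pair comes from
# the article's Download-Heaven example; every other value is made up.
SAMPLE = [
    Account("download_heaven_example", "2010-06", 445, 1, 300, 120, True),
    Account("news_outlet_example", "2010-06", 100000, 20, 5000, 900, False),
    Account("ordinary_user_example", "2010-06", 85, 90, 400, 3, False),
    Account("new_lurker_example", "2010-07", 2, 15, 0, 0, False),
    Account("trend_spammer_example", "2010-07", 8, 11, 900, 40, True),
]

if __name__ == "__main__":
    for acct in SAMPLE:
        print(f"{acct.name:26} suspicious={is_suspicious(acct)} {signals(acct)}")
    print("crime rate by creation month (%):", crime_rate(SAMPLE))
```
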

These topical items were another area Barracuda focused on during the test. Much like trying to game conventional search engines to get new eyeballs, scammers were adding topic tags and/or popular words and phrases to tweets to get them to show up in the “Trends” field on Twitter pages and higher up on Twitter’s search results pages. To track how widespread this practice was, Barracuda began grabbing popular search terms on Twitter every hour, and doing searches for them on the site. It would then look at the tweets that turned up, follow any included links, and look for malicious code on the resulting Web sites.

What they found, after five months of searching for popular words and phrases on Twitter as well as on more traditional search engines like Google, Yahoo and Bing, was a total of 34,627 samples of malware. Twitter accounted for 8 percent of this total, with the other search engines logging the remainder.

“It’s interesting, because we’ve been doing this work for probably nine months of a year now, and the last time we really examined it and looked back on this, it charted very differently,” Judge said. “About 69 percent of the malware that we found was on Google at the time, only 1 percent was on Twitter.”

“A couple things happened,” Judge continued. “Google didn’t necessarily get better–there was more malware–basically Bing, Twitter, and Yahoo got worse. So, as the amount of malware increased, Google pretty much stayed steady with the amount of malware that was found there, but the other engines we started to see become a little more equal opportunity.”

To Twitter’s credit, the company has made several efforts to keep this malware at bay. Back in March of last year, it began routing links through a filter that scans for malware and keeps sullied links from being posted. It also employed its own link-shortening service that similarly vets links. And the company transitioned to using OAuth, which lets users authenticate their credentials without providing a username or password, potentially keeping users from having their credentials hijacked by rogue third-party applications.

Judge closed by noting that Barracuda had put together its own tool that can help users see if they’ve accidentally befriended one of these spammy or scammy users, or posted one of their links. The free Profile Protector scans both your Facebook and Twitter profiles and identifies users that are on the company’s watch list.

FBI: We’re not demanding encryption backdoors

The FBI said today that it’s not calling for restrictions on encryption without backdoors for law enforcement.

FBI general counsel Valerie Caproni told a congressional committee that the bureau’s push for expanded Internet wiretapping authority doesn’t mean giving law enforcement a master key to encrypted communications, an apparent retreat from her position last fall.

“No one’s suggesting that Congress should re-enter the encryption battles of the late 1990s,” Caproni said. There’s no need to “talk about encryption keys, escrowed keys, and the like–that’s not what this is all about”.

Instead, she said, discussions should focus on requiring that communication providers and Web sites have legally mandated procedures to divulge unencrypted data in their possession.

The FBI says that because of the rise of Web-based e-mail and social networks, it’s “increasingly unable” to conduct certain types of surveillance that would be possible on cellular and traditional telephones. Any solution, it says, should include a way for police armed with wiretap orders to conduct surveillance of “Web-based e-mail, social-networking sites, and peer-to-peer communications technology”.

Caproni tried to distance the FBI from its stance a decade ago, when it was in the forefront of trying to ban secure encryption products that are, in theory, unbreakable by police or intelligence agencies.

“We are very concerned, as this committee is, about the encryption situation, particularly as it relates to fighting crime and fighting terrorism,” then FBI director Louis Freeh told the Senate Judiciary committee in September 1998. “Not just bin Laden, but many other people who work against us in the area of terrorism, are becoming sophisticated enough to equip themselves with encryption devices.”

In response to lobbying from the FBI, a House committee in 1997 approved a bill that would have banned the manufacture, distribution, or import of any encryption product that did not include a backdoor for the federal government. The full House never voted on that measure. (See related transcript.)

Even after today’s hearing ended, it wasn’t immediately clear whether the members of the House Judiciary crime subcommittee would seek to expand wiretapping laws as a result.

Rep. Bobby Scott, D-Va., said that the panel’s members received a secret briefing last week from the FBI, but that the bureau should make its arguments in public. “It is critical that we discuss this issue in as public a matter as possible,” he said. It’s “ironic to tell the American people that their privacy rights may be jeopardized because of discussions held in secret”.

Rep. John Conyers, D-Mich., said “to me this is a question of building backdoors into systems…I believe that legislatively forcing telecommunications providers into building backdoors into systems will actually make us less safe and less secure.”

That was echoed by Susan Landau, a computer scientist at Harvard University’s Radcliffe Institute for Advanced Study, who said “there aren’t concrete suggestions on the table…I don’t quite understand what the FBI is pushing for.”

Caproni said her appearance before the panel was designed to highlight the problems, not call for specific legislation. But, she added, “it’s something that’s being actively discussed in the administration.”

Under a 1994 federal law called the Communications Assistance for Law Enforcement Act, or CALEA, telecommunications carriers are required to build in backdoors into their networks to assist police with authorized interception of conversations and “call-identifying information”.

As CNET was the first to report in 2003, representatives of the FBI’s Electronic Surveillance Technology Section in Chantilly, Va., began quietly lobbying the FCC to force broadband providers to provide more-efficient, standardized surveillance facilities. The Federal Communications Commission approved that requirement a year later, sweeping in Internet phone companies that tie into the existing telecommunications system. It was upheld in 2006 by a federal appeals court.

But the FCC never granted the FBI’s request to rewrite CALEA to cover instant messaging and VoIP programs that are not “managed”–meaning peer-to-peer programs like Apple’s Facetime, iChat/AIM, Gmail’s video chat, and Xbox Live’s in-game chat that do not use the public telephone network.

Also not covered by CALEA are e-mail services or social-networking sites, although they must comply with a wiretap order like any other business or face criminal charges. The difference is that those companies don’t have to engineer their systems in advance to make them easily wiretappable.

Cybercrime costs US$43B a year

Cybercrime is costing the United Kingdom 27 billion pounds (US$43.5 billion) a year, according to the government, which has pledged to work with businesses to combat the problem.

The total figure covers 21 billion pounds (US$33.8 billion) from losses suffered by businesses, 3.1 billion pounds (US$5 billion) by citizens and 2.2 billion pounds (US$3.5 billion) by government, the Office of Cyber Security and Information Assurance (Ocsia) said in a report summary published on Thursday. It did not account for the other 700 million pounds (US$1.1 billion).

The report, produced by Ocsia and BAE Systems security subsidiary Detica, marks the first time the government has made a public estimate of cybercrime costs. At a press launch event, security minister Baroness Pauline Neville-Jones emphasized that while the figures are an estimate, they still give an indication of the scale of economic loss suffered by the U.K.

Read more of “Cybercrime costs the UK £27bn a year” at ZDNet UK.

Securing the smart grid no small task

SAN FRANCISCO–The road to a secure smart grid is still being built. Can it be finished in time to keep next-generation threats at bay?

That question was left largely unanswered during a panel discussion on “securing the smart grid” at the RSA security conference taking place here this week.

The smart grid promises to bring a number of benefits to both consumers and utilities in the coming years–things like intelligent off-peak appliance use; real-time metering; and customer education on efficiency and conservation. But bringing that kind of experience to fruition is still a work in progress, with some of the blame being placed on utility companies for not being agile enough when it comes to security, interconnectivity, and the like.

According to specialists, the problem is (and continues to be) huge fragmentation among the power companies, something that on its own is issue enough, but as the panelists lamented, the same problem threatens the technologies these companies plan to roll out.

“In my experience, utility companies are very siloed,” said Mike Echols, the program manager for critical-infrastructure protection at the Salt River Project in Arizona. “Each of those silos has its own IT groups, and there’s a reason for that. They don’t want to converge because in typical IT that’s considered a risk.”

In the electricity industry that risk has become more apparent after what happened last year with Stuxnet, the computer virus that targeted homogenized industrial systems and represents the first in a wave of expected attacks aimed at infrastructure. As the grid gets more intertwined with consumer electronics and home area networks, the likelihood of a wider range of targets is expected to increase.

So what would it take to make utilities less fractured from an IT perspective? Echols suggested that IT security be put higher on the ladder of the corporate structure of these utility companies, so that important decisions trickled down into the subgroups. “Cybersecurity tends not to be in a leadership position,” he said, while noting that this is beginning to change with increased compliance, which is driving changes in the power industry.

Another big issue, as noted by panelist Gib Sorebo, chief cybersecurity technologist for SAIC, is that outside security companies looking to do business with the utilities first need to gain a deep understanding of power companies before trying to tackle security challenges.

“We have to know how important it is for us to understand how everyone does their jobs, what the concerns are, and what the potential impact is depending upon what kind of events take place–and to show that communication,” Sorebo said. “You see that same kind of thing happening in banking.”

One question that lingers is whether a system that’s simply more secure will be able to handle evolving threats. Heath Thompson, the CTO at Landis & Gyr, said the industry hadn’t come to grips with that yet but that there were the beginnings of a foundation for stronger security across the entire ecosystem. To attack new threats head on, however, the systems need to be readily adjustable with things like upgradeable firmware and infrastructure.

Ultimately though, making the grid too connected from a technology perspective could do just as much harm as good, which is why the right safeguards have to be put in place. “The smart grid can do a lot of wonderful things in terms of automation and finding events quickly,” Sorebo said. “But it can also automate disaster, and that’s something that more and more people obviously need to focus on.”

S’pore sets data protection law for 2012

SINGAPORE–After several years in the making, the nation is ready to move a step closer to introducing a data protection regime, with the Singapore government announcing plans to put forth legislation for debate in parliament in early 2012.

The proposed laws will provide a “baseline standard for data protection in Singapore”, Lui Tuck Yew, minister for Information, Communication and the Arts, indicated on Monday in a written response to a parliamentary question.

According to Lui, a review–initiated five years ago–to assess the need for a data protection system and the appropriate model for the country, has now been completed.

The government, he said, “concluded it would be in Singapore’s overall interests” to put in place such a regime, designed to “protect individuals’ personal data against unauthorized use and disclosure for profit”.

“The proposed law is intended to curb excessive and unnecessary collection of individuals’ personal data by businesses, and include requirements such as obtaining the consent of individuals to disclose their personal information,” the minister said.

“It will also enhance Singapore’s overall competitiveness and strengthen our position as a trusted hub for businesses and a choice location for global data management and processing services.”

As part of the data protection regime, a Data Protection Council is expected to be established to oversee the implementation of the legislation, Lui added.

Meanwhile, the country’s ICT regulator, the Infocomm Development Authority of Singapore (IDA), will engage relevant stakeholders in further consultation and work to address concerns from the “public, private and people sectors”.

Bryan Tan, director at Keystone Law, pointed out that businesses must “start making preparations for the arrival of the legislation”. To prepare for the data protection regime, they need to reexamine their databases and data collection practices, the Singapore-based lawyer said in a circular Tuesday.

“Businesses that are unprepared may have to pay a heavy price,” he warned.

HP, VMware plan further product integration

HP and VMware plan to develop and market a range of intrusion prevention security products, in a collaboration that builds on existing work.

The hardware maker and virtualisation company said on Tuesday that they aim to tailor HP’s TippingPoint Intrusion Prevention System (IPS) range of products to fit VMware’s vShield virtualisation security and vCloud Director management packages.

The integration will allow security management to extend across physical and virtual IT stacks, and allow IT professionals to automate “the processes of scanning, identifying threats and blocking attacks” across these areas, HP said in a statement.

Read more of “HP and VMware plan further product integration” at ZDNet UK.

Microsoft looks to healthcare for improved security

SAN FRANCISCO–Microsoft wants to make tomorrow’s tech-security world work a lot like tomorrow’s healthcare industry.

While the comparison has long been made in the security industry, with threats like “viruses”, Scott Charney, corporate vice president in Microsoft’s Trustworthy Computing group, noted that the response to those problems has fallen short in areas where healthcare has proved more agile.

“Every year there’s a new version of the flu,” Charney said to attendees of this year’s RSA Conference. “There was a time before SARS, and a time before H1N1. And when those threats appeared, [the healthcare industry] didn’t scramble to know what to do, they already had defenses.”

Microsoft’s multistep plan to put a similar safety net in place approaches the problems from both a security and a data ownership position.

Charney said one option is cryptographically signed health certificates. These would be provided for users who had gone through various security check protocols to prove their machine was not dripping with malware before getting on something like a bank’s site or a local intranet.

The second aspect of this measure would be alerting people to possible security holes ahead of when their machines have been compromised. That way, they could put fixes into place before encountering attack scenarios, as well as to avoid compatibility issues with sites and services.

Charney also highlighted the importance of making sure whatever lockdown system went into place for compromised machines would not go too far, so critical services like VoIP weren’t being sealed off as well. After all, Charney said, nobody wants to be kept from calling 911 during a heart attack because their computer needs to download software updates.

Symantec brings reputation security to the enterprise

SAN FRANCISCO–Security giant Symantec is trying to give companies a better way to determine how trustworthy files are.

At the RSA Conference here, Symantec CEO Enrique Salem outlined the new reputation-based security feature built into the company’s new Endpoint Protection 12, client-side security software that gives files a score based on the scanning of 2.5 billion files the company keeps track of in its cloud-based database.

Dubbed the “Insight Reputation System”, the feature looks at files that have been downloaded from the Web and gives each one a score based on risk. This is based on what kinds of things the file does, as well as who it’s from.

“The idea of a blacklisting approach is no longer going to be effective, and Internet Protocol-based recognition where we track IP addresses is not good enough,” Salem said. “We need real-time, contextual tracking that looks at a series of attributes; things like file age, download source, prevalence, and brings all those things together.”

The tool for that, Salem said, is Endpoint Protection 12, which the company claims is the only reputation-based system that’s context-aware. The new tool, which is the first major update to the Endpoint Protection suite in three years, will be released in April.

Salem also went into specifics about how it was becoming increasingly important to identify threats at the point of download given the consumerization of IT and the proliferation of consumer devices within businesses–both things that have made it increasingly difficult to keep threats at bay, and represent the new battleground for threat activity itself.

“It wasn’t that long ago that you as security professionals had control,” Salem said. “You had control of the desktop, you had control of the database, you had control of the applications, you had control of the servers, and to some extent, you even had control of the users.”

The problem, Salem said, was that control had been toppled with new devices, and new ways of doing business. “Now what’s happening is that those days are over, because all kinds of devices are coming into your office: USB drives, notebooks, and many of them aren’t your devices. They’re your partners, they’re people that are bringing them into your environment,” Salem said. “And what are they doing? They’re accessing corporate e-mail, they’re logging into their Facebook pages, and their Twitter accounts.”

Symantec’s solution to get above the problem is a new initiative called O3, which Salem compared to the Earth’s ozone layer, protecting the surface from outside forces. O3 is made up of three security layers:

1. A rules engine that enforces which information specific devices can access, and from where.
2. A protection enforcement layer that determines which employees, on which devices, can access the information.
3. A compliance/monitoring layer for access to, and understanding of, the policies being enforced.

“That’s our approach, that’s our vision for what has to be done. It has to be a layer above the clouds,” Salem said.

US Defense Dept. proposes armoring civilian networks

SAN FRANCISCO–A top Defense Department official said today that the United States military should “extend” a technological shield used to protect its own networks to important private sector computers as well, which could sweep in portions of the Internet and raise civil liberty concerns.

William Lynn, the deputy secretary of defense, proposed at the RSA Conference extending “the high level of protection afforded by active defenses to private networks that operate infrastructure” that’s crucial to the military or the U.S. economy.

What Lynn refers to as “active defenses” were pioneered by the National Security Agency. In an essay last year, Lynn likened them to a cross between a “sentry” and a “sharpshooter” that can also “hunt within” a network for malicious code or an intruder who managed to penetrate the network’s perimeter.

But the power to monitor civilian networks for bad behavior includes the ability to monitor in general, and it was the NSA that also pioneered a controversial warrantless wiretapping program under the Bush administration. NSA director Keith Alexander was named head of the U.S. Cyber Command last year, an idea that Lynn had championed.

Concerns about privacy are likely to turn on the details, including whether the military merely provides source code for defensive and offensive technologies–or if it includes actual authority and oversight. Another open question is whether Web sites like Google.com and Hotmail.com could be considered “critical infrastructure”, or the definition would be narrowed to facilities like power plants.

Lynn, who has been speaking frequently about cybersecurity threats in the last year, didn’t elaborate. “Securing military networks will matter little if the power grid goes down or the rest of the government stops functioning,” he said.

That echoes comments made by Sens. Joseph Lieberman (I-Conn.) and Susan Collins (R-Maine), who have pledged to reintroduce a controversial bill handing President Obama power over privately owned computer systems during a “national cyberemergency”, with limited judicial review. It’s been called an Internet “kill switch” bill, especially after Egypt did just that.

At the moment, the Pentagon is responsible only for defending .mil computers, and the Department of Homeland Security has responsibility for other governmental networks. Lynn said the military (and remember, the NSA is part of the Defense Department) is aiding DHS, much like it provides troops and helicopters to aid after a natural disaster.

“The military provides support to DHS in the cyber domain,” Lynn said. Like equipment and troops provided to FEMA, he added, military “cyber” support will be “available to civilian leaders to help protect the networks that support government operations and critical infrastructure…These resources will be under civilian control and be used according to civilian laws.”

“Through classified threat-based information and the technology we have developed to employ a network defense,” he said, “we can significantly increase the effectiveness of cybersecurity practices that industry is carrying out.”

Homeland Security hinted at this during an interview with ZDNet Asia’s sister site CNET last year at the RSA conference. The department said at the time that it might eventually extend its Einstein 3 technology, which is designed to detect and prevent in-progress cyberattacks by sharing information with the NSA, to networks operated by the private sector.

Stuxnet expert: other sites were hit but Natanz was true target

Stuxnet may have hit different organizations, but its main target was still the Natanz nuclear enrichment plant in Iran, an expert who has analyzed the code said Monday.

Ralph Langner, who has been analyzing the code used in the complicated Stuxnet worm that used a Windows hole to target industrial control systems used in gas pipelines and power plants last year and possibly earlier, said the initial distribution of Stuxnet was limited to a few key installations.

“My bet is that one of the infected sites is Kalaye Electric,” he wrote in an e-mail to ZDNet Asia’s sister site CNET. “Again, we don’t have evidence for this, but this is how we would launch the attack–infecting a handful of key contractors with access to Natanz.”

Langner was responding to a report (PDF) released late last week by Symantec that said five different organizations in Iran were targeted by a variant of Stuxnet, several of them more than once, dating back to June 2009.

“We have a total of 3,280 unique samples representing approximately 12,000 infections,” the Symantec researchers write in a blog post about the report. “While this is only a percentage of all known infections, we were able to learn some interesting aspects of how Stuxnet spread and where it was targeted.”

The Symantec researchers, who have made other important discoveries in the quest to decode Stuxnet, don’t name the organizations they suspect as targets. As of September 2010, they had estimated there were more than 100,000 infected hosts, nearly 60 percent of them in Iran.

“Unfortunately Symantec doesn’t tell the geographic location of the targeted organizations,” Langner said. “My theory is that not all may be in Iran since chances are that at least one significant contractor is a foreign organization (this is something we are researching presently).”

Langner said he and partners have been able to match data structures from one of the parts of the multi-pronged Stuxnet attack code with the centrifuge cascade structures in Natanz.

“The significance of this is that it is now 100 percent clear that Stuxnet is about Natanz, and Natanz only,” he said. “Further evidence (that matches with the recent discoveries of Symantec) suggests that Stuxnet was designed as a long-term attack with the intention not only to destroy centrifuges but also to lower the output of enriched uranium.”

Langner, based in Germany, offers more technical details of Stuxnet on his blog.

Symantec and Intel collaborate on security

Symantec and Intel have worked together to embed two-factor authentication technology into the hardware of second-generation Intel Core and Core VPro processors.

The work will integrate Symantec’s VeriSign Identity Protection (VIP) cloud-based security product with Intel’s Identity Protection Technology (IPT), the security company announced last Wednesday.

“By synchronizing VIP with the Intel chipset, we have created the first ever strong authentication credential that you will never see but will always have in your PC,” Atri Chatterjee, vice president of User Authentication at Symantec, said in a statement. “The combination of our proven VIP service with Intel IPT provides users with a new level of ‘built-in’ strong authentication.”

Read more of “Symantec and Intel collaborate on security” at ZDNet UK.

Facebook scams aplenty

With Valentine’s Day round the corner, cybercriminals are once again “cashing in” on the commercialization of the event, hoping to scam unsuspecting Facebook users.

A new entry on Sophos’ Naked Security blog warned that rogue apps with names such as Valentine’s Day and Special Valentine have been making the rounds on the social media site, tricking users into involving their friends in the scam.

Senior technology consultant Graham Cluley said the modus operandi of these apps was to get users to click on the splash screen, which would then display a teaser, claiming it would send a poem to the selected friends.

But what the apps are really after is the personal information of users who unknowingly “Allow” them access, warned Cluley. The apps would then post messages on the user’s wall, luring his or her friends to complete an online survey which was disguised as a “Facebook Anti-Spam Verification” dialog box. The scammers earn commission for every completed survey.

The security expert also cautioned that cybercriminals are known to have sent rogue Valentine’s Day e-cards in the past to spread viruses on computers, and called on users not to let their guard down.

Cheap spam tool

Separately, Symantec engineers have detected a popular viral Facebook application toolkit known as NeoApp that allows one to create applications for the social network. The toolkit guides the ‘developer’ on, for example, where to place links to funny videos and where to put the survey links in order to maximize cashback.

Once a user installs the applications created with the toolkit, the cybercriminal can send messages to unsuspecting users and friends through statistic pages and easy-to-use templates, the security vendor warned in a blog post.

With the app priced at US$50 or less, it “pretty much allows anyone, even those without coding skills, to create a fast-spreading viral message on Facebook”, Symantec’s Candid Wueest said.

According to him, the app will also have access to an affected user’s private data, such as a personal e-mail address, and “administrators” controlling the app will be able to send convincing spam mail.

Wueest added that the app itself and what it does are against the usage policy of Facebook.

He advised that there is no need to install an application just to see images, and users of the social media site should always exercise vigilance when an app requests access to personal information.

McAfee: Data theft attacks besiege oil industry

For years, companies in the oil and energy industry have been the targets of attempts by hackers believed to be in China to steal e-mail and other sensitive information, according to a new report from McAfee.

The attacks, to which McAfee gave the sinister name “Night Dragon”, penetrated company networks through Web servers, compromised desktop computers, bypassed safeguards by misusing administrative credentials, and used remote administration tools to obtain the information, the security firm said Thursday. McAfee and other security companies now have identified the method and can provide a defense.

“Well-coordinated, targeted attacks such as Night Dragon, orchestrated by a growing group of malicious attackers committed to their targets, are rapidly on the rise. These targets have now moved beyond the defense industrial base, government, and military computers to include global corporate and commercial targets,” McAfee said in a white paper (PDF) published today.

And the attack was at least partially successful, McAfee said. “Files of interest focused on operational oil and gas field production systems and financial documents related to field exploration and bidding that were later copied from the compromised hosts or via extranet servers.

“In some cases, the files were copied to and downloaded from company Web servers by the attackers. In certain cases, the attackers collected data from SCADA systems,” the supervisory control and data acquisition systems that control and monitor industrial processes.

McAfee didn’t reveal details about what SCADA data was involved, but it’s a potentially serious matter: such systems are at the operational heart of everything from oil pipelines and refineries to factories and electrical power distribution networks.

McAfee told The Wall Street Journal that the attacks appeared to be purely about espionage, not sabotage. The latter possibility has become a more vivid fear with the Stuxnet attack that apparently damaged Iranian nuclear operations. China is a particular concern: it’s a rising industrial power that Google has implicated in attempts to crack its own network and obtain sensitive information.

McAfee notified the FBI of the Night Dragon attacks, and the FBI is investigating, the Journal reported.

Several Night Dragon attacks were launched in November 2009, McAfee CTO George Kurtz said in a blog post, but attacks have been going on for at least two years and likely as long as four.

“We have strong evidence suggesting that the attackers were based in China,” Kurtz said. “The tools, techniques, and network activities used in these attacks originate primarily in China. These tools are widely available on the Chinese Web forums and tend to be used extensively by Chinese hacker groups.”

The attacks themselves used a variety of methods that, although described as “relatively unsophisticated”, were nonetheless effective.

First came an attack to compromise a Web server that then became a host for a variety of hacking tools that could probe the company’s internal network. Password cracking and other tools were used to gain access to PCs and servers. Remote administration software, including one called zwShell, let attackers control compromised Windows PCs to gather more data and push the attack toward more sensitive areas.

An appendix of the white paper offers more details on the Chinese connection:

While we believe many actors have participated in these attacks, we have been able to identify one individual who has provided the crucial C&C infrastructure to the attackers–this individual is based in Heze City, Shandong Province, China. Although we don’t believe this individual is the mastermind behind these attacks, it is likely this person is aware or has information that can help identify at least some of the individuals, groups, or organizations responsible for these intrusions.

The individual runs a company that, according to the company’s advertisements, provides “Hosted Servers in the U.S. with no records kept” for as little as 68 RMB (US$10) per year for 100 MB of space. The company’s U.S.-based leased servers have been used to host the zwShell C&C [command and control] application that controlled machines across the victim companies.

Beyond the connection to the hosting services reseller operation, there is other evidence indicating that the attackers were of Chinese origin. Beyond the curious use of the “zw.china” password that unlocks the operation of the zwShell C&C Trojan, McAfee has determined that all of the identified data exfiltration activity occurred from Beijing-based IP [Internet Protocol] addresses and operated inside the victim companies weekdays from 9:00 a.m. to 5:00 p.m. Beijing time, which also suggests that the involved individuals were “company men” working on a regular job, rather than freelance or unprofessional hackers. In addition, the attackers employed hacking tools of Chinese origin and that are prevalent on Chinese underground hacking forums. These included Hookmsgina and WinlogonHack, tools that intercept Windows logon requests and hijack usernames and passwords…

Although it is possible that all of these indicators are an elaborate red-herring operation designed to pin the blame for the attacks on Chinese hackers, we believe this to be highly unlikely. Further, it is unclear who would have the motivation to go to these extraordinary lengths to place the blame for these attacks on someone else.

Researchers demo iPhone passwords hack

A German research firm has demonstrated how passwords stored on an iPhone can be retrieved in less than six minutes without needing to know the passcode.

Researchers from German engineering and research firm Fraunhofer tested the hack on an iPhone 4 and iPad 3G running iOS 4.2.1 and found that it was possible to access a range of passwords stored on the device, including: MobileMe, Google Mail as a Microsoft Exchange account, Microsoft Exchange email accounts, VPN logins and Wi-Fi network credentials.

The researchers said that the hack was relatively easy to perform and used freely available tools. However, they did have to jailbreak the device and install an SSH server in order to access the phone and copy the keychain access script that allows access to the stored information.

Read more of “Researchers demo iPhone passwords hack” at ZDNet UK.

Major Aust banks expose credit card data

Australia’s biggest banks are posting credit card numbers in clear view on mailed customer statements in a direct violation of credit card security regulations.

Placing numbers where any mail thief could grab them is a fundamental breach of the troubled Payment Card Industry Card Data Security Standard (PCI DSS), according to sources in the industry.

The industry standard, drafted by card issuers Visa, MasterCard and American Express and enforced by banks, is a series of security rules to which any business dealing with credit card transactions must adhere.

The standard is a collaborative industry effort to reduce financial fraud by mandating baseline security measures that essentially must accompany any credit card transaction. A call center operator, for example, would be required to destroy a paper note if it was used to temporarily jot down a credit card number, while a Web site that stores transaction information must ensure it is adequately secure.

Non-compliant large businesses–or tier 1 organizations bound by strict rules–face hundreds of thousands of dollars in fines, and risk losing their ability to process credit cards. The fines scale according to the number of credit card transactions processed.

But St George and the Commonwealth Bank have breached rule 101 of the standard by sending out potentially millions of paper statements to letterboxes that clearly detail credit card numbers in full.

The credit card numbers are listed as an account reference, and match that shown on cards number-for-number.

The breach has been known to card issuers for years, but they have failed to push the banks to change their practice.

Sources within the issuers working with PCI DSS compliance say they want the banks to truncate, or scramble, the numbers but they have since received a cold response.

Commonwealth Bank said that it was considering this as an overall security issue, but internal and external assessments led it to believe that it was compliant with the PCI DSS standard.

St George had not responded at the time of writing.

ANZ Bank has truncated the last four digits of its account numbers detailed on paper statements so they do not match Visa and MasterCard credit cards.

The bank said it made the change in 2001 during a “large investment” to improve credit card security. Its customers use a single account number for all dealings with the bank.

IP Payments director Mark Lewis said the banks practised double standards by allegedly ignoring the PCI DSS breach while enforcing the regulations on merchants.

“The banks have been beating their drum that everyone should be PCI [DSS] compliant when the standard came into effect. It is hypocritical,” Lewis said. His company offers PCI DSS compliance services, which include means to truncate credit card numbers as they appear on printed statements.

“The systems are so old that changing those numbers would be a nightmare. At the end of the day, these systems are 30 years old, much older than PCI [DSS], and the banks are struggling to keep them compliant.” Yet he didn’t think banks could rest on that excuse.

While the paper statements omit credit card expiry dates or Card Security Value numbers, the former can be simply guessed or ascertained through social engineering, according to PCI DSS experts.

Since credit cards expire inside of four years, a fraudster can use a process of elimination to determine the date. They need only enter the number associated with each month over that period into a Web site until one works.

“It is potentially a huge risk,” Lewis said. “The volume of numbers going out if someone was to cotton on to it would make it an ideal target.” He said a criminal would attempt to intercept the statements, by exploiting potential vulnerabilities in the production and distribution process.

Only some online and telephone-based payment systems require the Card Security Value number located on the back of credit cards. This cannot be guessed but could be acquired from banks by masquerading as a victim using their identity credentials lifted from the statement and Internet Web sites.

Sense of Security chief operating officer Murray GoldSchmidt said the banks are dealing with more risky fraud vulnerabilities.

“Some 72 percent of fraud is card-not-present, or online fraud; the amount of fraud through other means is smaller and could be at a level.

“Online databases of credit cards are clearly an easy way for criminals to extract large amounts of data in the time it would take to steal a few [paper] statements.”

A source at another card issuer agreed that the standard was focused on “frying bigger fish”, although they did say that putting the numbers on statements was a clear breach of standard requirements.

The industry has struggled to adhere to the standard since its introduction some five years ago, even after the November 2010 deadline meant non-compliance would bring financial penalties. Banks have allegedly been absorbing penalties, a practice Lewis expects will continue into the near future.

This article was first published at ZDNet Australia.
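The truncation that card issuers want applied to printed statements, as described in the article above, sketched as an added example (not code from the article or from any bank or vendor it names): a pre-print check that finds Luhn-valid card numbers in statement text and masks all but the last four digits. The function names, the `X` fill character and the sample statement are assumptions constructed for illustration.

```python
import re

# Candidate card number: 13-19 digits, optionally grouped by single spaces
# or hyphens, and not part of a longer run of digits.
CANDIDATE = re.compile(r"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_digits(raw: str, keep_first: int, keep_last: int, fill: str) -> str:
    """Mask the middle digits of `raw`, preserving spaces and hyphens."""
    total = sum(ch.isdigit() for ch in raw)
    out, idx = [], 0
    for ch in raw:
        if ch.isdigit():
            visible = idx < keep_first or idx >= total - keep_last
            out.append(ch if visible else fill)
            idx += 1
        else:
            out.append(ch)
    return "".join(out)


def scrub_statement(text: str, keep_first: int = 0, keep_last: int = 4,
                    fill: str = "X"):
    """Truncate every Luhn-valid card number found in `text`.

    Returns (scrubbed_text, number_of_card_numbers_truncated). Digit runs
    that fail the Luhn check (invoice numbers, phone numbers) are left
    untouched, which keeps false positives low.
    """
    # Assumed policy limit: never show more than first six plus last four.
    if not (0 <= keep_first <= 6 and 0 <= keep_last <= 4):
        raise ValueError("show at most the first six and last four digits")
    count = 0

    def replace(match):
        nonlocal count
        raw = match.group()
        if not luhn_ok(re.sub(r"\D", "", raw)):
            return raw
        count += 1
        return mask_digits(raw, keep_first, keep_last, fill)

    return CANDIDATE.sub(replace, text), count


# Constructed sample statement; the card numbers are well-known test values.
SAMPLE_STATEMENT = (
    "Account reference: 4111 1111 1111 1111\n"
    "Invoice no. 1234567890123456\n"
    "Linked card 5555-5555-5555-4444\n"
)

if __name__ == "__main__":
    scrubbed, found = scrub_statement(SAMPLE_STATEMENT)
    print(scrubbed)
    print(f"{found} card number(s) truncated before printing")
```

A non-zero count from `scrub_statement` on a statement template is the signal that a full card number was about to reach the mail stream.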

Google extends two-step log-in process to all

Now all Google users can take advantage of the two-step log-in procedure previously available to Google Apps customers.

The company started rolling out the option to use two-step verification to Google Account holders Friday, according to a blog post. The idea comes from a classic security tactic, the notion that accounts are more secure when you log in using two factors: something you know, such as a password, and something that only you have, such as your phone.

Google Apps users started using this feature in September. Account holders log in to Google as usual, but the first time they enable the two-step process they will receive a code via a voice call or text message, or they can generate their own code using a mobile app available for iPhone, Android, or BlackBerry. That code can be saved for 30 days.

Obviously it will be much harder for anyone bent on hacking your account to steal a code sent to your phone (unless you’re a valuable enough target to warrant stealing your phone and hacking your password). It’s an optional feature, but one strongly recommended by security experts.

Experts renew call for greater Facebook security

With security threats continuing to plague Facebook, such as the recent abuse of CEO Mark Zuckerberg’s fan page, experts have renewed calls for the social networking site to step up user protection and education.

Zuckerberg was not the only prominent personality to suffer from a Facebook page hack last month–French President Nicolas Sarkozy was also a victim, according to the Huffington Post. The two high-profile incidents happened in the same week.

Yet Facebook, according to these security observers, remains extremely popular despite these incidents and other threats such as rogue apps.

On one hand, Facebook wants compelling applications to attract new subscribers and increase the amount of time users spend on the site. However, there are less than stringent controls on developers.

“Anyone can sign up and create a bogus Facebook application,” said Chester Wisniewski, senior security advisor at Sophos, in an e-mail interview, adding that users who are affected can be redirected to malicious URLs without being prompted.

This, he explained, happened with the Koobface worm, which prompted users to download a “FacebookPhotos###.exe” file even before requesting permission for data access.

Wisniewski added that this form of “clickjacking” still occurs, but Facebook claims it is a “browser problem”.

In an earlier report published by ZDNet Asia’s sister site CNET, Facebook’s chief security officer Joe Sullivan was quoted as saying the team does not practice the “gatekeeper approach” when it comes to apps vetting. Instead, it “devotes its energy to the ones that could cause the most damage if they were bad”.

Measures taken, but more can be done

To its credit, Facebook has activated “advanced security controls” to protect at-risk accounts. According to the CNET report, when an account is detected as having an unusually large number of posts, or posting dubious links, the “roadblocks” devised by the team will direct the user to a McAfee cleanup tool that can be used immediately.

The team, which includes staff dedicated to incident response, has also just rolled out the HTTPS (hypertext transfer protocol secure) encryption feature for all activities, not just password entering.

Still, the approach was challenged by Wisniewski, who claimed that security should be adopted from “inside out”, such as configuring the firewall, and not the other way round. To that end, Facebook should make HTTPS a default, not something for the user to opt into, he argued.

“Facebook has taken the opposite approach and I feel [its] users will pay the price in privacy and security until it chooses to implement stronger privacy controls in reaction to these incidents,” said Wisniewski.

Randy Abrams, ESET’s director of technical education, also agreed Facebook can do more for its users. “Facebook doesn’t consider security to be enough of a priority to even mention the word on the log-in screen.

“Facebook can and should do a lot more to promote security education with their users.”

Users an ‘unsolved vulnerability’

Likening Facebook to an “operating system” such as Microsoft Windows, Abrams said it will be subject to security breaches and not be able to protect everyone.

“An operating system is designed to run programs, but it can’t know if the program is good or bad,” he explained.

While Facebook is far from facing a security crisis, Abrams said its users remain “the biggest unsolved vulnerability which Facebook falls flat on its face”.

Sophos’ Wisniewski concurred, noting that users “simply don’t care” about security.

Users, he pointed out, do not seem to be aware of the security issues associated with Facebook; security breaches have also not stopped those concerned and worried about their profiles from logging in and sharing their lives on the site.

Other sites beware

Other social media sites are also equally at risk, even though their user base may be smaller, warned both experts.

According to Abrams, apart from the user base, there are risk factors such as ease of attack and an attacker’s own motivations. “Other social media sites are equally susceptible but may not get as much attention from the criminal element,” he said, adding that criminals are always on the lookout for vulnerabilities.

No matter how secure a Web site is, users cannot prevent their profiles from getting hacked, said Abrams and Wisniewski. One important way of staying safe is to limit the information that is made public, they noted.

In addition, users should set strong passwords that are not recycled for other sites, and enable the HTTPS option when it is available in the profile.

“Ultimately if a social media site is hacked badly enough then your profile and all of its information is owned by someone else. The risk is rather small, but it is there, so think carefully about what information you put online anywhere,” Abrams warned.

Anonymous hacks security company, say reports

Anonymous, a group of online activists, has attacked a security company that was investigating the collective.

The website of HBGary Federal was defaced with a message from Anonymous, as the group had discovered that HBGary Federal was planning to divulge alleged members of Anonymous to the FBI. In addition, Anonymous downloaded over 60,000 emails from HBGary Federal and posted them on The Pirate Bay file-sharing website, according to security company Sophos.

“You think you’ve gathered full names and addresses of the ‘higher-ups’ of Anonymous? You haven’t,” the group posted on the HBGary Federal website. “You think Anonymous has a founder and various co-founders? False.”

Read more of “Anonymous hacks security company, say reports” at ZDNet UK.

Cloud a haven for cybercriminals

The affordability and increasing popularity of cloud services are providing a new avenue for cybercriminals, say industry observers who note that service providers play a role in curbing such illegal activities. However, they warn that doing so will not be an easy task.

A security researcher last month warned that cloud services can be exploited for criminal purposes. At the Black Hat security conference, Thomas Roth said he was planning to release an open source kit which will enable users to crack Wi-Fi passwords by leveraging the computing power of the Amazon Web Services (AWS) cloud running on GPU-based servers.

There are other similar tools that use leasable cloud services to crack Wi-Fi security authentication mechanisms, such as Wi-Fi Protected Access (WPA), using the cloud infrastructure’s processor cluster to run dictionary attacks.

According to security players, the accessibility of such tools is not uncommon.

In an e-mail interview, Ronnie Ng, manager of systems engineering at Symantec Singapore, pointed to a 2009 blog post which noted that a Web site was purportedly selling automated Wi-Fi Protected Access (WPA) password crackers that used cloud computing technology.

The site allowed anyone to “pay a token sum of US$34 to rent time on a large 400-node computer cluster and check over 135,000,000 potential passwords against a targeted victim in just 20 minutes”. The Symantec blogger noted that even without technical knowledge, a malicious attacker would be able to obtain and use the password for illegal means such as to spy on the victim’s network.

Magnus Kalkuhl, director of Kaspersky Lab’s Europe global research and analysis team, also noted that cloud infrastructure has been misused for hosting malware. He told ZDNet Asia in an e-mail that there have been instances in the past where Amazon Elastic Compute Cloud (Amazon EC2) was used as a malware hosting platform, including a recent instance in which a trojan was spread using Rapidshare.

Kalkuhl noted that, in fact, certain malware “for years” have already been running on their own cloud. “Actually all DDoS (distributed denial-of-service) attacks and spamming services offered by cybercriminals are based on a cloud architecture, [which is] their own botnets made of thousands or even millions of infected PCs.”

In an e-mail interview, Paul Ducklin, head of technology for Sophos Asia-Pacific, added: “Almost anything you can do in the way of cybercrime on a standalone PC can be achieved through the cloud.”

In fact, he noted that cloud-based services such as social networks can make cybercrime easier.

Spam and scams can spread on Facebook, for instance, without ever raising an alarm on the user’s PC, Ducklin explained, noting that the benefit of distributing content automatically from many users to many users over social networks can work to the advantage of cybercriminals.

Responsibility on service providers

With more users moving onto the cloud platform, Ng cautioned that criminal activities on the cloud will rise.

“The cloud’s growing popularity will increase the risk of [users] being targeted by cybercriminals,” he said. He noted that the onus is on cloud service providers to “demonstrate due diligence” in ensuring organizations that lease their services do not engage in malicious activities.

Ducklin concurred: “Why would [businesses] be willing to store [their] data with a cloud provider that also allows cybercrooks and dodgy operators to use its services?”

Citing the case of DDoS attacks related to Wikileaks, he stressed that other users can be affected if a service provider is indiscriminate about whom it provides its services to.

“If your cloud provider services a wide range of businesses, the chance that one of them might become the victim of vigilantes carrying out a DDoS attack is higher,” Ducklin said. “You might lose quality of service due to sociopolitical problems suffered by someone else ‘in your cloud’.”

But while the security players agreed that cloud service providers should be vigilant when providing services, they noted that ensuring total control is not easily achieved.

Kalkuhl said concerns over privacy limit service providers’ ability to have complete control.

“Major cloud service providers like Amazon may check outgoing traffic for suspicious patterns such as DDoS attacks against other machines, [as well as instruct] customers who use virtual machines to conduct system penetration tests to inform the service provider in advance.

“However, it is not possible for the providers to scan the content of [network] traffic for keywords or malware signatures, for instance,” he explained. “Neither are they allowed to scan or manually check what files are stored in a provided [cloud] environment. Otherwise, people would lose their trust in cloud providers and the whole business model would be put at risk.”

Microsoft to seal 22 security holes this month

Microsoft has said it will address 22 vulnerabilities as part of this week’s Patch Tuesday, three of which are critical.

Three of the 12 bulletin items released by Microsoft earlier today are classified as critical, and affect Microsoft’s Windows operating system, with one affecting Microsoft’s Internet Explorer browser as well. The rest are classified as “important”.

In a post on Microsoft’s Security Response Center blog, the company said it will be making fixes for vulnerabilities in the Windows Graphics Rendering Engine, as well as a CSS exploit in Internet Explorer that could allow an attacker to gain remote code execution.

Along with the fixes for the rendering engine and the CSS exploit, Microsoft says it will be addressing zero-day flaws that created vulnerabilities in the FTP service found inside of Internet Information Services (IIS) 7.0 and 7.5.

Not included in this month’s batch of announced patches is a fix for the recently-discovered script injection attacks that affect Internet Explorer. Acknowledged by the company last month in Security Advisory 2501696, the exploit targeted the way IE handled MHTML on certain types of Web pages and document objects, and could provide hackers with access to user information. According to Wolfgang Kandek, chief technology officer at Qualys, the best route to prevent those attacks continues to be the workaround Microsoft outlined in its initial security advisory about the problem.

Microsoft has a full list of the pending issues here.

Report: Hackers penetrated Nasdaq computers

Federal authorities are investigating repeated intrusions into the computer network that runs the Nasdaq stock exchange, according to a Wall Street Journal report that cited people familiar with the matter.

The intrusions did not compromise the tech-heavy exchange’s trading platform, which executes investors’ trades, but it was unknown which other sections of the network were accessed, according to the report.

“So far, [the perpetrators] appear to have just been looking around,” one person involved in the Nasdaq matter told the Journal.

The Secret Service reportedly initiated an investigation involving New York-based Nasdaq OMX Group last year, and the Federal Bureau of Investigation has launched a probe as well. Investigators are considering a range of motives for the breach, including national security threat, personal financial gain and theft of trade secrets, the newspaper reported.

Nasdaq representatives could not be reached for comment.

Investigators have not been able to follow the intruders’ path to any specific individual or country, but people familiar with the matter say some evidence points to Russia, according to the report. However, they caution that hackers may just be using Russia as a conduit for their activities.

The Nasdaq, which is thought to be as critical from a security standpoint as the national power grid or air traffic control operations, has been targeted by hackers before. In 1999, a group called “United Loan Gunmen” defaced Nasdaq’s public Web site with a story headlined “United Loan Gunmen take control of Nasdaq stock market.” The vandalism was quickly erased, and Nasdaq officials said at the time that the exchange’s internal network was unaffected.

Aust pubs tap biometrics to curb violence

Pubs and clubs in Australia are signing up in droves to national and state biometrics databases that capture patron fingerprints, photos and scanned driver licenses in efforts to curb violence.

The databases of captured patron information mean that individuals banned at one location could be refused entry across a string of venues. Particularly violent individuals could be banned for years.

The databases are virtually free from government regulation as biometrics are not covered by privacy laws, meaning that the handling of details is left to the discretion of technology vendors.

Venues typically impose bans of one month to a year, and it is up to the discretion of clubs to adopt or share exclusion lists.

Australia’s largest database idEye, which pitches itself as the only national repository, has said that it has seen an explosion in venues signing up to share lists.

“The takeup is growing very rapidly,” said Peter Perrett, chief executive of ID-Tect, the company which created idEye. “It has exploded.”

“You don’t get on the list because you didn’t want to go home–you get on there because you are a safety risk.

“Bans are only effective from one venue, but you will also be flagged…it will pop up and show that this guy is banned, here are three photographs, his details and the offence.”

Venues may choose to accept or ban any individual on the list, and data is encrypted and stored on “secure servers”.

State governments have been cracking down on violence in pubs and clubs, and threatening to impose tough measures on the worst offenders and impose night-time curfews.

The national database can be tweaked to suit a venue, allowing them to source different patron identifiers such as facial recognition, optical character recognition or fingerprint scans.

Perrett would not be drawn further on the database’s adoption, citing commercial sensitivity, but said it is “a lot larger in [use and adoption] than you’d think”.

While patrons remain divided on the need to surrender biometric data to buy a beer, the system appears to have led to a halt in violence in pubs and clubs.

The Woodport Inn on the NSW Central Coast has obliterated the incidents of violence which had once troubled its night club.

“[The] violent people here are gone, just gone,” said one bar manager. “They are scared of it. They know they will be caught.”

The venue is one of several in the area that use NightKey fingerprint scanners, including the Central Coast Hotel and Woy Woy Leagues Club, but it does not share ban lists.

A manager from a Sydney CBD bar, who requested anonymity, said that the ban database had cut violence, adding that the venue may soon be able to reduce its security headcount. The machines are not classified by NSW Police as security equipment and can be operated by a staff member.

Alcohol-related incidents have dropped by up to 80 percent in some venues that use the scanners, according to Perrett. He said the data is a smoking gun that police can use to convict violent offenders.

He said that “very, very serious crime in major places” carried out by offenders currently up before the courts has resulted from investigations lasting “minutes” rather than weeks because of being able to link biometric data to CCTV footage.

Used alone, Perrett said CCTV is inefficient and offenders “are not worried about it”. He added that crime in venues is unreported due to the negative publicity it generates.

The patron data collected in the database is destroyed within 28 days unless an offence is committed beforehand. The data is not automatically fed into police records.

However, many might be concerned about the privacy implications of the collection of such data.

Biometrics Institute head Isabelle Moeller said that pubs and clubs are still refusing to sign onto its biometric charter of use, which has the backing of the Federal Privacy Commissioner.

“[Venues] may roll biometrics out innocently or they may not want to bother with privacy concerns,” Moeller said. “Biometrics needs to be part of privacy law, the government needs to take control of this.”

She said that Clubs NSW has agreed to sign onto the charter and will participate in upcoming biometric privacy discussions, but the reception from other states has been cold.

The Australian Hotels Association (AHA) (NSW) chief executive Sally Fielke said in a statement that the implementation of biometric scanners is a decision for individual clubs. “The introduction of ID scanning is a business decision for individual venues.”

“The AHA (NSW) encourages members to look at a whole range of proactive initiatives to continue to ensure that their venues remain safe…and assists venues to comply with all legal obligations including privacy laws.”

Fielke said that the take-up of the services by AHA (NSW)’s members was low.

It did not respond to questions about whether it would recommend venues use biometric scanning.

This article was first posted on ZDNet Australia.

Microsoft warns of Windows zero-day flaw

Microsoft has warned of a zero-day vulnerability in Windows that could let an attacker collect any information stored in an Internet Explorer user’s browser.

The flaw allows a hacker to inject a malicious client-side script in an otherwise legitimate Web-request response made by the Internet Explorer (IE) browser, Microsoft said in a security advisory on Monday. The script could post content or perform actions online that would appear to have been initiated by the victim.

Alternatively, the vulnerability, which lies in the MHTML Web protocol, could allow the script to collect an IE user’s information, or spoof content displayed in the browser to “interfere with the user’s experience”, Microsoft security advisor Angela Gunn said in a blog post.

Read more of “Microsoft warns of Windows zero-day flaw” at ZDNet UK.

Anonymous: UK arrests are a ‘declaration of war’

Anonymous has issued a warning to the U.K. government after five young men suspected of being connected to the group were arrested on Thursday.

The group, which has claimed responsibility for a series of distributed denial-of-service (DDoS) attacks launched in support of whistle-blowing site Wikileaks, said it viewed the arrests as “a declaration of war” by the British authorities.

“Anonymous believes… that pursuing this direction is a sad mistake on your behalf. Not only does it reveal the fact that you do not seem to understand the present-day political and technological reality, we also take this as a serious declaration of war from yourself, the U.K. government, to us, Anonymous, the people,” the group said in a statement (PDF) on Thursday.

Read more of “Anonymous: UK arrests are a ‘declaration of war’” at ZDNet UK.

A new (old) way to protect privacy: Disclose less

A new pilot project from Microsoft and IBM offers a high-tech twist on this bit of common sense: allowing you to divulge less information about yourself protects your privacy.

Their joint effort is built on the observation that, in many cases, there’s no need for someone verifying your credentials to know everything about you. A bouncer at a nightclub needs to know that you’re 21, not your name or home address. A county database may only require proof that you’re a local resident, not your phone number or e-mail address.

Microsoft and IBM’s solution is called Attribute-Based Credentials, or ABC, and their pilot project is scheduled to be announced tomorrow to coincide with what’s being called Data Privacy Day. ABC is supposed to last four years and result in both a credential architecture and a reference implementation complete with source code that will be made publicly available.

“Our goal is to provide the technical tools but also the societal discussions about how we can achieve privacy in an electronic society,” Jan Camenisch, a Zurich-based cryptographer with IBM Research told ZDNet Asia’s sister site CNET.

The first application is scheduled to appear at Norrtullskolan, a secondary school in Söderhamn, Sweden, and will allow students and parents to communicate with school officials and access a social network–while protecting their privacy at the same time. Another pilot will be implemented for grading the faculty at the Research Academic Computer Technology Institute in Patras, Greece.

Both pilot projects rely on a system called ABC4Trust, which is designed to allow students or parents to “prove” certain aspects of their identity without revealing others. A student can cryptographically prove that she’s a member of a sports team, or demonstrate that he has attended a certain class.

“The problem with today’s solutions is that they don’t make these kind of distinctions,” Ronny Bjones, a Microsoft security technology architect, said. “We leave such a digital footprint around on all these different sites.”

One likely application for the ABC system: electronic identity cards issued by national governments. Microsoft has already demonstrated a system that can verify that someone is at least 18 years old and resides in Berlin, without disclosing an actual birthdate.

The idea of using encryption technology to enable people to disclose less about themselves isn’t exactly new. The legendary cryptographer David Chaum, the father of digital cash who’s now building secure electronic voting systems, developed some of these ideas in the late 1980s.

A decade later, University of Pennsylvania computer scientist Matt Blaze and other researchers published a paper (PDF) on what they called “decentralized trust management.” But it was Dutch cryptographer Stefan Brands who developed the concept of limited disclosure digital certificates to its fullest.

Microsoft bought Brands’ company, Credentica, in 2008, and released the U-Prove specification last year along with a promise not to file patent lawsuits over its use.

ABC will use both U-Prove and IBM’s related technology called Identity Mixer. “It’s extremely important that we can help people that build solutions (that) build privacy by design,” Bjones said.

This article was first published as a blog post on CNET News.

UK police nab 5 Anonymous DDoS suspects

U.K. police have arrested five young men on suspicion of taking part in distributed denial-of-service attacks launched by Anonymous, the group that has targeted corporate sites for attack in defence of Wikileaks.

The five, who are aged between 15 and 26, were detained at 7am on Thursday at addresses in the West Midlands, Northamptonshire, Hertfordshire, Surrey and London, the Metropolitan Police Central eCrime Unit (PCeU) said in a statement. The suspects were taken to local police stations and remain in custody, the police added.

The Anonymous group of activists undertook a number of distributed denial-of-service (DDoS) attacks last year, using a tool called the Low Orbit Ion Cannon (LOIC) to try to overwhelm servers. The group successfully took down websites belonging to companies including Visa, MasterCard and PayPal, in protest at their suspension of donation-payment processing for the Wikileaks whistle-blowing operation.

Read more of “Anonymous DDoS swoop results in five arrests” at ZDNet UK.

Facebook lets users turn on crypto

Facebook announced Wednesday it is now offering users the ability to use encryption to protect their accounts from being compromised when they are interacting with the site, something security experts have been seeking for a while.

The site currently uses HTTPS (Hypertext Transfer Protocol Secure) when users log in with their passwords, but now everything a user does on the site will be encrypted if he turns the feature on, the company said in a blog post.

Enabling full-session HTTPS eliminates the ability for attackers to use tools like the Firefox plug-in called Firesheep to snoop on communications between a person’s computer and the site’s server.
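The gap described above, HTTPS at login but a session cookie that still travels over plain HTTP afterwards, is visible in the response headers. The following check is an added example, not Facebook's code: the cookie name `sid` and all header values are constructed, and the Strict-Transport-Security test goes beyond what the article mentions.

```python
# Added example. Header values are constructed sample data, and the cookie
# name "sid" is an assumption, not any real site's cookie.


def parse_set_cookie(value):
    """Split one Set-Cookie value into (name, attribute dict)."""
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].partition("=")[0].strip()
    attrs = {}
    for part in parts[1:]:
        if part:
            key, _, val = part.partition("=")
            attrs[key.strip().lower()] = val.strip()
    return name, attrs


def hsts_max_age(value):
    """Return max-age from a Strict-Transport-Security value, or 0 if unusable."""
    for directive in value.split(";"):
        key, _, val = directive.strip().partition("=")
        if key.strip().lower() == "max-age":
            val = val.strip().strip('"')
            return int(val) if val.isdecimal() else 0
    return 0


def audit_session_transport(headers, session_cookies=("sid",)):
    """Check the (name, value) headers of an HTTPS login response.

    Returns sorted (subject, issue) pairs; an empty list means no issue found.
    """
    findings = []
    hsts_ok = False
    for key, value in headers:
        key = key.lower()
        if key == "strict-transport-security":
            hsts_ok = hsts_max_age(value) > 0
        elif key == "set-cookie":
            name, attrs = parse_set_cookie(value)
            # Without Secure, the browser attaches the cookie to http://
            # requests too, where anyone on the same network can read it.
            if name in session_cookies and "secure" not in attrs:
                findings.append((name, "missing-secure"))
    if not hsts_ok:
        # Without HSTS, a typed or linked http:// URL is still honoured.
        findings.append(("response", "missing-hsts"))
    return sorted(findings)


# Login happens over HTTPS, but the cookie it sets is valid on http:// too.
LOGIN_ONLY_HTTPS = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "sid=3f9a0c; Path=/"),
    ("Set-Cookie", "lang=en; Path=/"),
]

# Full-session HTTPS: cookie pinned to TLS, browser told to stay on HTTPS.
FULL_SESSION_HTTPS = [
    ("Content-Type", "text/html"),
    ("Strict-Transport-Security", "max-age=31536000"),
    ("Set-Cookie", "sid=3f9a0c; Path=/; Secure"),
    ("Set-Cookie", "lang=en; Path=/"),
]

if __name__ == "__main__":
    print("login-only HTTPS:", audit_session_transport(LOGIN_ONLY_HTTPS))
    print("full-session HTTPS:", audit_session_transport(FULL_SESSION_HTTPS))
```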

“Starting today we’ll provide you with the ability to experience Facebook entirely over HTTPS. You should consider enabling this option if you frequently use Facebook from public Internet access points found at coffee shops, airports, libraries, or schools,” the post says. “The option will exist as part of our advanced security features, which you can find in the Account Security section of the Account Settings page.”

Using HTTPS may mean that some pages will take a little bit longer to load, and some third-party applications aren’t currently supported, the company said. The option is rolling out over the next few weeks. “We hope to offer HTTPS as a default whenever you are using Facebook sometime in the future,” the post says.

“Every user’s Facebook page is unique and it’s been complex pulling together all the different parts,” said Facebook Chief Security Officer Joe Sullivan when asked what the time frame is to making HTTPS the default setting. “It’s an interesting technical challenge for the company.”

While banking and e-commerce sites use encryption, social media and other sites have been somewhat slow to move in that direction–the exception being Google. Google has always offered Gmail users the ability to use HTTPS and set it as a default a year ago. The company also offers encryption for use with Google Docs and Web search.

Facebook blames bug for Zuckerberg page hack

A bug allowed an unidentified person to post a message on Facebook CEO Mark Zuckerberg’s fan page on the site yesterday, a spokesman told ZDNet Asia’s sister site CNET on Wednesday.

The odd message that garnered more than 1,800 “likes” and more than 400 comments before it was taken down was: “Let the hacking begin: If facebook needs money, instead of going to the banks, why doesn’t Facebook let its users invest in Facebook in a social way? Why not transform Facebook into a ‘social business’ the way Nobel Prize winner Muhammad Yunus described it? http://bit.ly/fs6rT3 What do you think? #hackercup2011”

A Facebook spokesman provided this e-mail statement today: “A bug enabled status postings by unauthorized people on a handful of public pages. The bug has been fixed.”

Whoever is responsible only had the ability to post on the page and did not have access to private data on the Facebook account, Joe Sullivan, chief security officer at Facebook, said in a follow-up interview with CNET. “It was a very limited bug in that it only applied to the ability to post,” he said.

Specifically, the bug was in an API (application programming interface) that allows publishing functionality on the site, said Ryan McGeehan, security manager for incident response at Facebook.

Only a handful of high-profile accounts were affected, they said, declining to offer exactly whose pages were targeted. They also declined to comment on whether the hack earlier this week of French President Nicolas Sarkozy’s Facebook page was related. Someone had posted a message on the official’s page saying he would be stepping down next year.

Asked if they knew who was responsible for the breaches, Sullivan said he could not comment further because it is an active investigation.

“It’s astonishing the level of speculation without accurate information” in published reports, he said. “There was the (false) assumption that there was unauthorized access to information…Our commitment is to try and prevent that and respond incredibly quickly when something happens.”

“Facebook users–famous or not–need to take better care of their social-networking security,” said Graham Cluley, senior technology consultant at Sophos, in a statement. “Mark Zuckerberg might be wanting to take a close look at his privacy and security settings after this embarrassing breach. It’s not clear if he was careless with his password, was phished, or sat down in a Starbucks and got sidejacked while using an unencrypted wireless network, but however it happened, it’s left egg on his face just when Facebook wants to reassure users that it takes security and privacy seriously.”

Sophos elaborated more about the incident in its security blog.

The odd message posted to Zuckerberg’s fan page relates to Facebook’s announcement last week that it had raised US$1.5 billion at a US$50 billion valuation; US$1 billion of it comes from investment bank Goldman Sachs, which opened up the round to participation from wealthy overseas clients.

Also today, Facebook announced that it is now offering users the ability to secure their connection with the site using HTTPS (Hypertext Transfer Protocol Secure). It is rolling the option out to users and hopes to offer it as a default in the future. Enabling full-session HTTPS will eliminate the ability for attackers to compromise Facebook accounts by using tools like the Firefox plug-in called Firesheep.

CNET’s Caroline McCarthy contributed to this report.

RSA muscles up on core capabilities

RSA COO Tom Heiser doesn’t consider himself a visionary because he “cannot predict where things are going to be in five years”. But the company veteran is certain about one thing: security will be an increasingly critical component as cloud and mobile adoption continue to grow.

Heiser joined EMC, which acquired RSA in 2006, as a sales trainee in 1984 after graduating from the University of Massachusetts. The executive progressed through 12 positions within the company before landing up at the EMC security arm in July 2008.

With over 26 years of experience under his belt, the COO considers formulating and executing strategies his strongest suit–skills that are critical in building up RSA’s core strengths in authentication and security management, which he described as “hot growth areas”–thanks to the rise of cloud and mobile computing.

Recently in Singapore to meet up with sales partners, Heiser met up with ZDNet Asia to discuss RSA’s business plans and chat about new year resolutions and the risks in migrating to cloud computing.

It’s been three years since the economic downturn in 2008 and things are finally looking bullish for the global economy. Is one of RSA’s new year resolutions to capitalize on this upswing and enter new markets?
There’s this book called Profit From The Core which we use as a template, and this talks about how close we should stay true to one’s core businesses.

Using this as part of our strategic planning process, we determined that RSA has three cores to our business. One core is authentication, the second is security management, while our third “emerging” core is around virtualization and cloud computing.

Are we branching out of these? Probably not. I mean, we take a look at the whole landscape of security, and we see what’s hot, where’s the growth. Security management is super hot, virtualization and cloud computing is crazy hot, so we’re already in these hot, high-growth areas.

What we don’t want to do is delude ourselves. You won’t see us getting into network-based security or endpoint-based security, firewall or antivirus. Those are big but, like antivirus, super slow growth and ripe for disruption. You can take a look at the numbers–antivirus is estimated to be effective 35 percent of the time. So, we’re assuming the firewall will be breached and antivirus won’t work.

Where do you see RSA’s focus heading in 2011?
What RSA has done is we have assembled a portfolio of products, solutions and services into a suite that addresses customers’ challenges. IT spend is supposed to grow 4 to 6 percent this year, and the security market is supposed to grow 9 percent. If you look at these figures, security is twice what the IT spend is. This demonstrates that we’re in areas of high growth.

One of these areas is in security management. We’re putting RSA’s enVision, security information and security management, data loss prevention (DLP) and Archer Technologies’ GRC (governance, risk and compliance) products into a suite, which is where customers are spending their dollars.

The other trend is the explosion of virtualization and cloud computing, and their associated risks. We have tons of data on that, and one statistic that jumped out at me was that 91 percent of CIOs are concerned about security with cloud deployments. Another survey showed that 51 percent of CIOs said security was their No. 1 concern. So, we’re attacking this concern and our portfolio is uniquely positioned to capitalize on that.

That would mean that some companies still can’t quite manage the security risks involved when moving to the cloud?
Absolutely. It’s something I see all the time.

About two months ago, for instance, we were talking to one of the top five global healthcare companies which recently completed a huge private cloud deployment. The company was very progressive and driving cloud for cost savings and operational efficiencies. So it was virtualizing its IT infrastructure and was going crazy with that.

But when we met the CIO and his team, he was, like, ‘I need a strategy to keep up with this thing’. He wasn’t involved in the upfront deployment, so now what he’s doing is playing catch-up with how to protect that environment. This happens all the time.

I wouldn’t call the CIO’s reaction as panic, but you could see huge concern on his part where it was reactive rather than proactively building security into the company’s cloud deployment.

You identified authentication as one of RSA’s core areas. Could you give us a glimpse of authentication innovations that are on the cards?
If we go back seven years ago, over 80 percent of RSA’s business was SecurID. In 2011, this will be the first year that SecurID constitutes less than half of our business. It’s not that the business is declining, but that all the other areas are seeing high growth.

If we fast forward, we still have the largest market in authentication but what we’re doing is deploying it in a cloud environment, which is the next big thing.

Mobile authentication is also a big growth area for us. There are over 300 million identities we’re protecting through our software-as-a-service (SaaS) application products. There’ll also be other things through mobile and non-token-based authentication, which are coming up real soon.

Mobile security presents a huge opportunity for us. How do we protect smartphones and make sure these are secured? The other challenge is how we can turn this device into an authenticator.

So these are great opportunities on both fronts: to secure the device, and using the device to secure.

Rivals such as Dell Computer, which acquired storage vendor Compellent last month, and Hewlett-Packard have been pretty active on the acquisition front. Are you planning to join in on the M&A (mergers and acquisitions) fray?
We will be acquisitive, mark my word on that.

Acquisitions aside, though, we’re driving a lot of internal innovations as well. So, we’ll stay true to our core, but we’re going to complement it both organically with our own development as well as through M&A activities.

You’ve been with EMC since 1984, fresh out of graduating from the University of Massachusetts. Ever thought of doing something else, like, investing in your own startup?
You know it’s an interesting question because I once thought of becoming a venture capitalist (VC). But, I’m not a visionary, I can tell you that now. I think I’m very good with execution, and I can develop a strategy but I can’t predict where things are going to be in five years.

I probably picked only one stock to invest in in the past five years–General Electric at US$8 a share–because I knew it wasn’t going to go under. That’s why I never became a VC!

Today, I put everything into my work and family but leave the rest, such as investing, to the professionals.

Did you plan to stay with the same company for so long?
I didn’t plan for it. I would have bet anything that I wouldn’t have been with the same company for 26, almost 27 years. Never in a million ways would I have planned it the way my career has panned out.

In fact, I was 22 years old when I first started out and I wanted to work for IBM, but that offer didn’t come in until after I started with EMC. By then, Roger Marino, one of the founders of EMC, wouldn’t let me quit. I still see him socially and I thank him for keeping me here every time.

I don’t know if you consider it a role or a job but, to me, I had about 12 different jobs in my almost-27 years at EMC. That has allowed me to stay fresh and learn. It’s like every time I’m wrapping up a role, they would say, ‘Hey, do you want to run M&A?’ and I’d think, ‘I’d love to run M&A!’ So I go run M&A. Or ‘Hey, RSA’s got some changes going on’ and I’d say ‘I love RSA! They’ve got so much potential’, and there I go. It’s just been unbelievable for me.

In one sense, being at EMC is all I know, and yet, it’s also kind of embarrassing. But who knows what’s next? One of my tenets is to do the best job possible and your career and compensation will follow. It’s a little bit idealistic, but I haven’t seen anybody following this motto not get rewarded by it.

Retailer’s Web site hack exposes credit card details

Cosmetics company Lush has warned customers that its U.K. Web site has been hacked repeatedly over the past three months, exposing credit-card details to fraudulent use.

Lush did not release technical details of the attack, nor specify the number of customers compromised or the security techniques used to handle the data involved, but anecdotal evidence indicates that some customers have been the victims of fraud.

The company sent an email statement to customers last Thursday outlining the incident and urging them to contact their banks.

Read more of “Attacks on Lush website expose credit-card details” at ZDNet UK.

Hackers target carbon emissions trading market

In a digital heist reminiscent of a John le Carré novel, more than US$9 million worth of greenhouse-gas emissions permits were stolen from the Czech Republic electricity and carbon trading registry last week and transferred to accounts in other countries, at the same time as the Prague-based registry office was evacuated due to a bomb threat.

That electronic theft, the latest in a series of security breaches affecting the market for carbon emissions, led the European Commission to suspend transactions in national European Union registries last Wednesday for a week.

“Three attacks have taken place since the beginning of the year and other registries are known to be vulnerable to similar attacks,” the European Commission said in a statement last Friday. “The Commission’s best estimate is that roughly 2 million allowances, representing a total of less than 0.02 percent of allowances in circulation, have been illegally transferred out of certain accounts.” The much-larger carbon futures market was not affected, the agency said.

Valued at 14.48 euros each, those 2 million allowances would be worth about US$39.4 million based on last Friday’s trading.

Carbon emissions allowances, or permits, are not your typical computer hacker target. Similar to other commodities that are traded on spot and futures markets, European Union Allowances permit energy companies and industrial factories to trade their pollution permits by buying and selling allowances allocated by their government. For instance, a Romanian energy company that expects to emit less carbon dioxide for a particular year can sell its extra government-issued emissions allowances to a utility in Germany that expects to emit more carbon dioxide than its government permits.

Ostensibly, the trading system should be highly secure and trades carefully accounted for to prevent fraud and theft. But lax security at some of the registries and the fact that transactions can be completed quickly on the spot market are likely what is appealing to thieves, sources told ZDNet Asia’s sister site CNET.

“It seems it is relatively easy to access the registries in this country and other countries,” said Nikos Tornikidis, carbon portfolio manager at Blackstone Global Ventures, from whose account 475,000 allowances were stolen.

“Once you get your hands on the allowances, it is quite easy to sell them and the settlement is almost instantaneous,” he told CNET in an interview. “In a matter of hours you can get money out of the system. This doesn’t happen when you trade other things.”

The bomb threat coinciding with the theft of the allowances is just “too coincidental”, said a trader close to the matter who asked to remain anonymous. “The registries have lax security,” he said. “They don’t have mechanisms to filter the accounts” by serial number to prevent theft.

Some people suspect that an insider was involved, the trader said, adding that he believes it was computer hacking instead.

The market was operating normally until around 12:30 p.m. Tuesday when Prague police received a tip of a bomb threat and the offices of the Czech registry, OTE, which stands for Electricity Market Operator, had to be evacuated, according to Reuters.

Early the next morning, employees at Blackstone Global Ventures went to check their carbon permissions account and noticed that it had been nearly emptied out. In addition, the contact information on the account had been changed, something that should only be accomplished by someone with administrator privileges at the registry, said Tornikidis.

Blackstone reported the matter immediately to the Czech Republic registry and was able to find out the unique serial numbers for the missing allowances, he said. “I hope that we managed to stop the trading at a point where our allowances are with the first buyers after the hacker sold them,” he added.

The Czech Republic registry said a total of 1.3 million permits were missing from six accounts and that the digital assets were transferred to accounts in Poland, Italy, Estonia, Liechtenstein, and Germany, and possibly other countries, according to Reuters.

As custodian of the carbon emissions permissions, the OTE has a fiduciary obligation to account holders and should replace any that are missing, Tornikidis said.

“I don’t know how it is possible in today’s IT world that someone is able to hack into an account where someone’s assets are and transfer them out,” he said. “Why can’t they follow the money trail?”

Jiri Stastny, chief executive officer at the OTE in Prague, could not be reached for comment and other employees at the government-run registry directed all calls to him.

The Czech Republic is not the only country to have security problems crop up in the relatively new carbon emissions trading market. The Austrian registry reported theft of allowances due to hackers two weeks ago and 1.6 million allowances belonging to cement maker Holcim in Romania were reported stolen from that country’s registry in November. A year ago, 250,000 allowances were stolen in Germany after companies there were targeted by phishing attacks, according to reports.

The European Commission is likely to require additional security procedures at the national registries, such as passwords being sent to mobile phones or other two-factor authentication methods, according to a Bloomberg report.

This article was first published as a blog post on CNET News.

Malware toolkits guarded with stolen DRM

Malware writers are pinching anti-pirate technology embedded into some of the world’s most popular software to protect their own, according to Symantec.

The antivirus company said writers of complex malware toolkits can embed measures to prevent users from stealing their work.

This means the writers are able to rent the toolkits to non-technical users who then embed the malware into websites in hopes of duping victims out of information such as bank account details.

Writers may also take a commission in an “affiliate system” from the value of victim information stolen using the kits.

Anti-piracy measures used in the most popular software, including Symantec products, have been reverse-engineered and distributed over the internet.

“They are using the same Digital Rights Management (DRM) technology used as major software,” Symantec head Craig Scroggie said. “They are locking down their software for a minimal amount of use or they are changing the IP reply domain so they have to be involved in the sale.”

“They will build their own DRM, steal it from the big names or cobble it together.”

Most would-be buyers of the toolkits lack the technical understanding to reverse-engineer the DRM measures.

The price of a malware toolkit has risen substantially, Scroggie said, from about US$15 in 2006 to more than US$8000.

“The premium is because of the success rate,” Scroggie said.

This article was first published at ZDNet Australia.

S’pore government preps 2FA facility

SINGAPORE–The local government has set up a wholly-owned subsidiary to operate the country’s IT security facility focusing on two-factor authentication (2FA), which is part of an initiative first announced in 2005.

Called Assurity Trusted Solutions, the subsidiary will oversee operations of the national authentication framework (NAF), a nationwide security layer to authenticate online transactions between the government, businesses and citizens.

Officials from the Infocomm Development Authority of Singapore (IDA) said at a media briefing here Thursday that Assurity is scheduled to roll out its services in the second half of this year, offering 2FA services to service providers and consumers. ST Electronics has been contracted to design, build, operate and maintain the NAF infrastructure, in a deal spanning five years. When asked, IDA officials declined to reveal how much the contract was worth.

More details to follow…

Report finds smart-grid security lacking

Echoing concerns of security experts, a new report from the Government Accountability Office warns that smart-grid systems are being deployed without built-in security features.

Certain smart meters have not been designed with a strong security architecture and lack important security features like event logging and forensics capabilities used to detect and analyze cyberattacks, while smart-grid home area networks that manage electricity usage of appliances also lack adequate built-in security, according to the report released last week by the GAO, the auditing and investigative arm of the U.S. Congress.

“Without securely designed smart-grid systems, utilities will be at risk of not having the capacity to detect and analyze attacks, which increases the risk that attacks will succeed and utilities will be unable to prevent them from recurring,” said the report.

The report also took aim at the self-regulatory nature of the industry, saying utilities are focusing on complying with minimum regulatory requirements rather than having adequate security to prevent cyberattacks.

The National Institute of Standards and Technology “does not have a definitive plan and schedule, including specific milestones, for updating and maintaining its cybersecurity guidelines to address key missing elements”, the report concluded. One of the important elements NIST has failed to address is the risk of attacks that use both cyber and physical means, the report said.

“Furthermore, Federal Energy Regulatory Commission has not established an approach coordinated with other regulators to monitor the extent to which industry is following the smart-grid standards it adopts,” the report said. “The voluntary standards and guidelines developed through the NIST and FERC processes offer promise. However, a voluntary approach poses some risks when applied to smart-grid investments, particularly given the fragmented nature of regulatory authority over the electricity industry.”

In comments on the report that were included as an appendix, the Department of Commerce–which oversees NIST–says NIST “agrees that the risk of combined cyber-physical attacks on the smart grid is an area that needs to be more fully explored in the future.”

Meanwhile, FERC Chairman Jon Wellinghoff said in comments included in an appendix to the report that he will ask his staff to evaluate ways to improve coordination among regulators and assess whether challenges identified in the report should be addressed in FERC’s cybersecurity efforts, but will need to work within the commission’s statutory authority.

The goal of the smart grid is to improve reliability and efficiency by incorporating information technology systems into power lines and customer meters for monitoring power distribution and usage without having to send operators into the field.

(Via Threatpost)

This article was first published as a blog post on CNET News.

Australian university exposes student info

The University of Sydney has exposed thousands of student details including names, addresses and course information to public access via the Internet.

The details were stored in a way that allowed them to be accessed by altering identification numbers revealed in a university Web address.

University of Sydney vice chancellor spokesperson, Andrew Potter, said the details have been pulled offline and the university is investigating the matter.

“We confirmed that method of access was possible and immediately we shut it down,” Potter said. “We do not know as yet if details were compromised.”

Potter did not rule out contacting students to warn them of the breach, but was unsure if an IT forensic investigation was underway.

A review of logs could reveal if the details were compromised, but the industry’s track record suggests that many such reviews do not.

“It depends on having the right logging, which is seldom the case,” HackLabs director Chris Gatford said.

Such vulnerabilities, where data can be accessed by entering sequential numbers into a URL address, are common and are often introduced by software developers.

But common mitigation efforts also fail.

“Developers move the identity from the URL to part of a post request, but it still doesn’t mitigate the vulnerability,” Gatford said. “You can use a local proxy then to identify that value and do the attack in the post of the request”.
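Gatford’s point, that moving the identifier from the URL into the POST body changes nothing because the server still trusts a value the client controls, is shown below as an added example (not the university’s code). The record store, user names, staff role and request layout are all assumptions made for illustration.

```python
# Added example. RECORDS, STAFF and the request dictionaries are constructed;
# they stand in for a database, a role list and a parsed HTTP request.

RECORDS = {
    1001: {"owner": "alice", "name": "Alice Example", "course": "Physics"},
    1002: {"owner": "bob", "name": "Bob Example", "course": "History"},
}
STAFF = {"registrar"}


class Forbidden(Exception):
    """Raised for any request the caller is not entitled to make."""


def lookup_by_url(request):
    """Flawed: returns whichever record the id in the URL names."""
    return RECORDS[int(request["query"]["id"])]


def lookup_by_post(request):
    """Same flaw after the id moves to the POST body.

    The value is hidden from the address bar but is still chosen by the
    client, and nothing here compares it with the logged-in user.
    """
    return RECORDS[int(request["form"]["id"])]


def lookup_authorized(request, audit_log):
    """Corrected: the server decides access from its own session state."""
    user = request.get("session", {}).get("user")
    raw_id = str(request.get("form", {}).get("id", ""))
    try:
        record = RECORDS.get(int(raw_id))
    except ValueError:
        record = None
    allowed = (
        user is not None
        and record is not None
        and (record["owner"] == user or user in STAFF)
    )
    # Log every decision, including refusals, so a later review can tell
    # whether anyone tried identifiers that were not theirs.
    audit_log.append({"user": user, "record_id": raw_id, "allowed": allowed})
    if not allowed:
        # One error for "no such record" and "not yours", so the response
        # does not reveal which identifiers exist.
        raise Forbidden("not permitted")
    return record


if __name__ == "__main__":
    log = []
    # alice is logged in but asks for bob's record number.
    req = {"session": {"user": "alice"}, "query": {"id": "1002"}, "form": {"id": "1002"}}
    print("URL id :", lookup_by_url(req)["name"])
    print("POST id:", lookup_by_post(req)["name"])
    try:
        lookup_authorized(req, log)
    except Forbidden:
        print("checked:", "refused")
    print("audit  :", log)
```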

The vulnerability was pointed out to the university by the Sydney Morning Herald, which also reported earlier this week that the university’s Web site and corporate Web pages had been hacked and defaced.

This article was first published at ZDNet Australia.

Two charged in AT&T-iPad data breach

Two men were charged with computer crimes today for allegedly hacking into AT&T servers and stealing e-mail addresses and other information of about 120,000 iPad users last summer.

Andrew Auernheimer, 25, was arrested in his home town of Fayetteville, Ark., while appearing in state court on unrelated drug charges, and Daniel Spitler, 26, of San Francisco, surrendered to FBI agents in Newark, N.J., according to the U.S. Attorney’s office in New Jersey. Both men were expected to appear before federal judges in Arkansas and New Jersey.

They each face one count of conspiracy to access a computer without authorization and one count of fraud in connection with personal information. They’re also looking at a maximum of 10 years in prison and a US$500,000 fine.

Auernheimer was ordered held until a bail hearing set for Friday, while Spitler was released on US$50,000 bail and ordered not to use the Internet except at his job as a security guard at a Borders bookstore, according to an Associated Press report. In comments to reporters outside the Newark courthouse, Spitler said he was innocent and that: “The information in the complaint is false. This case has been blown way out of proportion.”

Auernheimer told the magistrate that he had been drinking until 6:30 that morning and said of the complaint: “This is a great affidavit–fantastic reading,” according to the AP report.

Last June, Auernheimer told ZDNet Asia’s sister site CNET that members of his hacker group, which calls itself Goatse Security, uncovered a hole in AT&T’s Web site used by iPad customers on the 3G wireless network and went public with it by revealing details to Gawker Media.

Up until then, AT&T automatically linked an iPad 3G user’s e-mail address to the iPad’s unique number, called the Integrated Circuit Card Identifier (ICC-ID), so that whenever the customer accessed the AT&T Web site, the ICC-ID was recognized, the e-mail address was automatically populated and the ICC-ID was displayed in the URL in plain text.

Spitler is accused of writing a script called the “iPad 3G Account Slurper” and using it to harvest AT&T customer data via a brute force attack on the site, which fooled the site into revealing the confidential information, according to the criminal complaint filed last week but unsealed and released publicly today.

The complaint includes Internet Relay Chat messages supposedly sent between Auernheimer and Spitler in which they talk about selling the e-mail addresses to spammers, shorting AT&T stock before releasing details of the breach, and destroying evidence.

“If we can get a big dataset we could direct market iPad accessories,” Auernheimer says in a message to Spitler, according to the complaint.

In another chat session included in the complaint, Spitler says he would like to stay anonymous so he doesn’t get sued. “Absolutely may be legal risk yeah, mostly civil you absolutely could get sued,” Auernheimer replied, the complaint read.

Before going to Gawker, Auernheimer also allegedly contacted Thomson-Reuters and the San Francisco Chronicle, and sent an e-mail to a board member at News Corp. whose e-mail address was leaked in the breach in attempts to get news articles written about the incident, according to the complaint.

Asked if he reported the hole to AT&T, Auernheimer replied “totally but not really…I don’t (expletive) care I hope they sue me”, according to the chat logs.

“Those chats not only demonstrate that Spitler and Auernheimer were responsible for the data breach, but also that they conducted the breach to simultaneously damage AT&T and promote themselves and Goatse Security,” the U.S. Attorney’s office said in a statement.

AT&T has spent about US$73,000 as a result of the breach, including contacting all iPad 3G customers to notify them, the complaint says. Among the iPad users who appeared to have been affected were White House Chief of Staff Rahm Emanuel, journalist Diane Sawyer, New York Mayor Michael Bloomberg, movie producer Harvey Weinstein, and New York Times CEO Janet Robinson.

Auernheimer told CNET last summer that the data exposed in the breach was contained. The concern was that iPad users who had their e-mail addresses exposed would then be at risk of receiving phishing or spam e-mail that appeared to be from Apple or AT&T but which was designed instead to trick them into revealing more information or downloading malware.

Auernheimer did not return an e-mail seeking comment, and Spitler could not be reached. AT&T did not immediately respond to a request for comment.

Auernheimer, a self-described Internet “troll”, was arrested last June when authorities found drugs while searching his home for evidence related to the AT&T-iPad investigation. He was later released on bail.

This article was first published as a blog post on CNET News.

App servers potential threat to mobile landscape

While both Web and app servers face pressing security issues, the latter is increasingly in the firing line as more users are now utilizing mobile devices to access apps. The risk is further exacerbated due to the fact that technologies behind app servers are more complex, cautioned a security executive.

According to Jonathan Andresen, technology evangelist at Blue Coat Systems Asia-Pacific, there are two factors behind the security challenges presented by app servers. First, the two-way communication between the user and the app server has intensified. This can result in users unknowingly “uploading” malicious content to an app server that is not protected, Andresen said in an e-mail.

Second, compared with Web servers, app servers need more CPU power, he said, noting that this makes app servers more vulnerable to denial-of-service (DoS) attacks.

These two factors, combined with a rise in threats targeting mobile devices, put app servers in an “especially challenging” position, he said.

Another security player agreed with Andresen’s observation.

Paul Oliveria, technical marketing researcher at Trend Micro, noted that many apps today are essentially “mini browsers” in that they gather user input, send it to a server and display the results for users to view.

Oliveria explained: “These [app] servers are vulnerable to all the usual attacks that traditional Web servers are vulnerable to, and in fact, probably more so.”

He pointed out that “almost anyone” can now develop an application and sell it. In the case of Google Android apps, for example, interested developers can simply submit an application form, pay US$25 and start developing apps.

Given this scenario, and the relatively small investment required from developers, he questioned whether these developers would be as committed as more established developers to beefing up their app server security.

To combat potential threats to app servers, Oliveria reckoned that any good and reputable developer would expect users to behave in unpredictable ways and code apps to restrict the type of information sent by users to the app server.

He also called on developers to pay attention to securing their server-side infrastructure which can be accessed not only via an app, but also through a Web browser or direct network connection.

Paul Ducklin, head of technology at Sophos Asia-Pacific, added that less is more with regard to the amount of information users should be allowed to access via app servers.

He noted that a traditional Web server is set up to help a company get as many people as possible to visit its corporate Web site and learn about its operations, but the Web administrator will only put up information that the company wants the public to see.

App servers, however, often give public access to information that is traditionally not made available to users outside the company, Ducklin noted.

“So developers need to ensure that when they make it easier for users to access the app servers [for more information], they don’t open up too much or they may experience their personal ‘Wikileaks moment’,” he warned.

Andresen recommended deploying purpose-built security appliances such as application firewalls as a best practice to secure app servers. He explained that adding another layer in front of the application server would ensure security is not compromised, regardless of whether coding for the application is secure or not.

He also zoomed in on social networking apps, noting that with over 30 billion pieces of content such as Web links, blog posts and photos, shared on these platforms each month, it is “extremely difficult for application vendors to detect malicious content uploaded by users”.

In this landscape, it would not be viable for mobile users to deploy a complete PC-centric security tool on devices that have limited processing abilities, Andresen added.

“What users need is a lightweight browsing capability that can leverage the processing capabilities of a user-driven cloud network [to filter, validate and secure Web content delivered to mobile devices],” he surmised.

RSA: SMS bank tokens vulnerable

Mobile phone attacks will increase this year as criminals attempt to intercept SMS-based authentication tokens, according to security company RSA.

The tokens are designed to complement username and password log-in checks by requiring users to validate payments with unique numerical codes, in this instance sent by SMS.

Token use is becoming more popular, and the Commonwealth Bank of Australia claims to have 80 per cent of its customer base using tokens to validate third-party payments via SMS or through safer handheld token-number generators. The bank isn’t forcing customers to use it, but those who don’t will not be permitted to carry out high-risk transactions over NetBank.

RSA said in a 2011 predictions report that sending tokens via SMS will make phones a target.

“The use of out-of-band authentication SMS…as an additional layer of security adds to the vulnerabilities in the mobile channel,” the company said in its report.

“A criminal can…conduct a telephony denial-of-service (DoS) attack which essentially renders a consumer’s mobile device unavailable.

“SMS forwarding services are also becoming mainstream in the fraud underground and enable the [token] sent by a bank via text to a user’s mobile phone to be intercepted and forwarded directly to the cybercriminal’s phone.”

The company said that mobile phone smishing attacks, or phishing scams sent via SMS, will also rise this year.

“Success rates are higher with a smishing attack compared to a standard phishing attack, as consumers are not conditioned to receiving spam on their mobile phone so are more likely to believe the communication is legitimate,” the report said.

It said there are no effective technologies to prevent smishing.

The report also claimed that the infamous Zeus malware, widely blamed for most of the online transaction fraud, will merge with rival SpyEye to create a hybrid trojan.

It alleges that the new hybrid will include a kernel mode rootkit, improved HTML infection abilities and remote desktop access.

“Should [its creator] act on his plans, this already spells evolution in the type of commercially available malware likely to be sold in the underground in 2011,” the report read.

This article was first published on ZDNet Australia.

OECD: Cyberwar risk is exaggerated

While governments need to prepare for cyberattacks involving espionage or malware, the likelihood of a sophisticated attack like Stuxnet is small, according to a study by the Organisation for Economic Co-operation and Development (OECD).

In a cyberwarfare report (PDF) released yesterday, the OECD said that the risk of a catastrophic attack on critical national systems has been exaggerated. The majority of cyberattacks are low-level and cause inconvenience rather than serious or long-term disruption, according to a co-author of the report, professor Peter Sommer of the London School of Economics.

“There are many scare stories, which, when you test, don’t actually pan out,” Sommer said. “When you analyze malware, a lot is likely to be short-term, or fail.”

Read more of “Cyber-war risk is exaggerated, says OECD study” at ZDNet UK.

Facebook tweak reveals addresses, phone numbers

In what is potentially another privacy misstep, Facebook has made a change to a permissions dialog box users see when downloading third-party Facebook apps–a change that potentially makes users’ addresses and phone numbers available to app developers.

The tweak was made known to developers of third-party apps last Friday night, by way of a post on the Facebook Developer Blog. Basically, when a person starts downloading a third-party Facebook app, a “Request for Permission” dialog box appears that asks for access to basic information including the downloader’s name, profile picture, gender, user ID, list of friends, and more. What’s new as of Friday is an additional section that asks for access to the downloader’s current address and mobile phone number.

As mentioned in numerous media reports, the concern among Facebook users and privacy advocates is that users won’t notice the change and will click the dialog box’s Allow button unthinkingly. Further, people are worried that unscrupulous developers could cook up bogus apps with the sole purpose of capturing the private information–apps that wouldn’t necessarily be spotted and taken down immediately. Aside from the potential for outright hacking and identity theft, it’s not unheard of for app developers to sell information on Facebook users to data brokers.

Users of third-party Facebook apps can simply click the Don’t Allow button–which reportedly won’t interfere with a successful download–or they can remove their address and phone number from their Facebook profile.

Graham Cluley, with security company Sophos, suggested in his own blog post that users do the latter. (The post was brought to our attention by PC Magazine.)

“My advice to you is simple,” Cluley wrote, highlighting the following with boldface text, “remove your home address and mobile phone number from your Facebook profile now.”

Cluley also wondered if Facebook could have taken a safer approach.

“Wouldn’t it be better if only app developers who had been approved by Facebook were allowed to gather this information?” he wrote. “Or–should the information be necessary for the application–wouldn’t it be more acceptable for the app to request it from users, specifically, rather than automatically grabbing it?”

ZDNet Asia’s sister site CNET e-mailed Facebook a request for comment but hadn’t heard back by publication time.

Privacy was a major issue for Facebook last year, with the company provoking the concern of privacy advocates, lawmakers, and social-networking fans alike.

This article was first published as a blog post on CNET News.

App marketplace vendors mum on account hacks

Mobile app store vendors were coy about incidents related to account hacks when asked if they had preventive measures to safeguard hacked accounts from being exploited.

Following recent reports of hacked Apple iTunes accounts being sold on Chinese online auction site Taobao, ZDNet Asia queried app marketplace operators about security measures they implemented to protect accounts from being hacked and used illegally.

Chris Chin, Microsoft’s Asia Pacific director of developer marketing for mobile communication, said users who discover that their Windows Live ID has been compromised should recover their account by resetting their password. Windows Phone 7 users buy apps from the Microsoft Windows Phone Marketplace which is linked to their Windows Live accounts.

Chin added: “If you believe unauthorized Marketplace purchases were made with your account, contact our support team.” However, he did not reveal if there have been reports of hacked Windows Live accounts being used to buy apps illegally or the types of safeguards Microsoft has implemented to prevent such incidents from happening.

Chin, however, did say that the company is “focused on helping to educate people about what they can do to increase their online safety and reduce the risk of fraud”.

Noting that a common cause of compromised online accounts is threats from malware and phishing, he added that users should use a secure Web browser when surfing online.

Google declined to comment for the story.

When contacted, Apple did not respond specifically to ZDNet Asia’s queries on what preventive measures it had implemented to protect its users. Instead, a company spokesperson pointed to a news report that revealed Taobao had since taken down auctions of hacked iTunes accounts and added that the Chinese company should instead be contacted for comments.

Taobao spokesperson, Justine Chao, told ZDNet Asia in an e-mail interview that the Chinese auction site removed the listing of hacked accounts after receiving complaints from Taobao users that the iTunes accounts sold were “not what they expected”.

“We had not been advised by Apple to take any action thus far,” she noted. “Our decision to remove the listings was done in the interest of protecting the consumers who shop on Taobao.”

Previous reports noted that the site was reluctant to take down the listings unless it receives “a valid takedown request”.

Hacked user shares experience

A ZDNet Asia reader, Kassandra, recalled the harrowing experience she encountered when her iTunes account had been hacked and used to purchase apps, and the long process it took to dispute the charges.

In an e-mail interview, she explained that she discovered on May 11, 2010, that her iTunes account was used to purchase apps that she did not download. The New York-based sales coordinator said the apps purchased were in Mandarin and were transacted in China.

She said she has always been careful about managing her financial information and frequently changes all her passwords. A credit card number she used was stolen once but Kassandra said she had taken care then to change all her credit cards.

When she realized the app purchases had been made illegally via her iTunes account, she tried to contact Apple but could not find a dedicated iTunes customer service number to call.

“Getting to talk to an actual human being [at Apple iTunes] was a process,” she recalled. “I e-mailed their customer service but I needed action to be taken immediately, so I called the main Apple customer service and just kept talking to whoever I could and asking to be transferred [to the relevant person].”

“They repeatedly told me to e-mail iTunes but I wouldn’t take that for an answer,” Kassandra said. Her perseverance was rewarded when she was transferred to a department handling Apple accounts and the customer service representative was helpful, she noted.

The representative then said the company would do whatever it could to resolve the issue but added that it was not possible for an iTunes account to be hacked. “I found out that wasn’t true when I searched online and found that many people have experienced their accounts getting hacked into,” Kassandra said.

She noted the Apple representative told her the bank would handle the money issue. However, she added that her bank had to contact Apple to dispute the charges, which racked up to over US$400. She added that she made frequent calls to the bank to make sure the dispute would be managed smoothly.

Kassandra said: “At one point, the bank was not going to take the charges off because it said the purchases ‘were similar to my purchase history with Apple’.”

While the dispute was eventually resolved, the incident has made her nervous about making purchases online. “I do not feel safe,” said Kassandra.

Another mobile user, Nicole Nilar, shared that while she is not worried about online security when buying apps, she is more concerned about purchasing fake applications. A senior digital marketing executive who owns an Android phone, Nilar told ZDNet Asia in an instant message interview that she had heard about illegitimate applications masquerading as real applications in Google’s Android Market.

“The developers rip off the screenshots of popular apps and sell them at a high price. It’s only after buyers have made their purchase before they realize they paid US$6 to US$8 for only a wallpaper,” she said.

While she noted that Apple might be too strict with its app ecosystem, she said Google should take a few leaves out of Cupertino’s book and implement measures to ensure apps on its marketplace are legitimate.

Global spam traffic rebounds as Rustock wakes

Spam is on the rise after the Rustock botnet awoke from its Christmas slumber, according to Symantec.

On Monday the Rustock botnet, responsible for a significant portion of the world’s spam, resumed activity after pausing spam operations on Dec. 25.

“As Rustock has now returned, this means the overall level of spam has increased. MessageLabs Intelligence honeypot servers have seen an increase of roughly 98 percent in spam traffic between 00:00 and 10:00 today compared to the same period on Jan. 9,” Symantec wrote on Monday. “It is too early to say what effect this will have on global spam levels, or if this return is permanent, but at the moment it certainly seems as if the holiday is over and it’s now back to business as usual,” it said.

Read more of “Global spam traffic rebounds as Rustock wakes” at ZDNet UK.

Tablets unsafe for enterprise adoption?

With tablets becoming more popular on the consumer and enterprise front, experts agree that security is an element that must be dealt with, especially as more applications are developed to enhance their usability.

Edison Yu, manager for ICT practice at Frost and Sullivan, warned that it is “pertinent” for users to start being aware of the risks. Many of the apps, he said in an e-mail, “may actually look to leverage on the increasingly prevalent habit of users sharing their personal data around freely, and [enable] cybercriminals to steal and sell private information”.

According to Kwa Kim Chiong, CEO of JustLogin, the security risks tied to accessing apps via tablets are no different from those of accessing them via the Web. “Whichever means you choose to access the applications, there will be threats”, he said in an e-mail.

The head of the Singapore-based software-as-a-service (SaaS) provider added that the Wi-Fi which tablet users log on to contributes to the overall risk level, as the data transmitted could be intercepted by hackers.

However, Bryan Ma, associate vice president for devices and peripherals at IDC Asia-Pacific’s domain research and practice groups, said the threat to tablets is for now not a concern. This is because “theoretically speaking”, while tablets, as with other computing devices, are open to threats, the user base is not big.

“If you look at security threats, they tend to threaten the Windows platform, mainly because of the sheer number of users,” Ma noted.

Tablet usage, though, is on the uptrend. In a report released last November, research firm Gartner predicted that media tablets will displace around 10 percent of PC units by 2014. A separate forecast from FBR Capital Markets indicated that 70 million such devices will be sold this year, with a PC sale lost for every 2.5 tablets sold.

Secure tablet ecosystem takes many hands to clap

As more enterprises adopt tablets, Frost & Sullivan’s Yu agreed that vendors can look to incorporate into future models more security features, on top of the ability to communicate with other devices and technologies.

“It is critical for the tablet to take on more enterprise-class capabilities, be it support for enterprise apps or reaching the required performance levels,” he noted. “With mobility expected to characterize the office environment of the future, the tablet could find itself at the forefront of the enterprise mobile computing trend.”

One tablet that is already perceived to be “safe” is the Playbook by Research in Motion (RIM). The highly publicized but yet-to-be-launched device would have security functions built in, as RIM’s customer base tends to be businesses and IT managers, Ma of IDC said. Security protocols to protect sensitive data from unauthorized access, for instance, would be among such features, he explained.

Kwa, whose SaaS company develops human resource and collaboration apps for the Apple iPhone and iPad, said JustLogin’s apps communicate directly with the Web services hosted at their own servers, and no data is stored locally on the tablets.

“Before the user is able to access the data, the application will encrypt the password entered on the tablet and call one of the Web services. The validation is done through a series of handshaking protocols before the data is sent over,” he explained.

Handshaking protocols refer to technical rules a computer must observe to establish connection with another system.

Asked who should shoulder the responsibility to ensure a safer tablet ecosystem, both Kwa and Frost & Sullivan’s Yu said all parties–from hardware vendors to app stores and users–have their roles to fulfill.

While IDC’s Ma argued the hardware vendor’s responsibility is merely to make its product as attractive as possible, Yu said adding security features is the way forward, as vendors “can do their bit in protecting end users from cyberthreats since many consumers may not be as security-savvy.”

End users could limit information sharing on the Web, and enterprises “have to realize that tablets are still consumer-based, therefore these devices may not be safe for corporate adoption”, Yu cautioned.

Kwa pointed out that apps, too, have to be secure. To that end, he noted that Apple’s App Store is more secure than Web applications available on the Internet, as they are vetted before they are released for users to download.

“At least [the process] is controlled and there is an identifiable owner behind each application,” Kwa said.

Sophos: Spam to get more malicious

Spam is becoming more malicious in nature as trickery tactics change in line with current user interests, according to a new report released Tuesday by Sophos.

The security vendor’s “Dirty Dozen” report, reviewing global spam trends between October and December 2010, noted that more unsolicited e-mail messages were spreading malware and attempting to trick unsuspecting users into giving confidential data such as user names and passwords.

Sophos also noted an increase in more focused, targeted e-mail attacks, or spear-phishing. Cybercrooks continued to seek victims via social networks, with a growing number of reports of malicious apps, compromised profiles and unwanted messages spreading across social networking sites such as Facebook and Twitter.

“Spam is certainly here to stay, however, the motivations and methods are continuing to change in order to reap the greatest rewards for the spammers,” Graham Cluley, senior technology consultant at Sophos, said in a statement. “What’s becoming even more prevalent is the mailing of links to poisoned Web pages–victims are tricked into clicking a link in an e-mail, and then led to a site that attacks their computer with exploits or attempts to implant fake antivirus software.”

Traditional spam messages touting pharmaceutical products have not gone away either, Sophos noted. Tens of millions of Americans are believed to have purchased drugs from unlicensed online sellers, it added in the report.

Cluley noted: “As long as spammers continue to make money from these schemes, Internet users can be sure that they’ll continue to receive unsolicited e-mail and social networking scams.

“To combat this, it’s essential that computer users remain wary of clicking on unknown links, regardless of whether they appear to be on a trusted contact’s social networking page.”

US reigns as spam king

Europe and Asia were the top two continents of spam origin, with a combined share of 64 percent, while the United States continued to be the country responsible for the most junk e-mail. The U.S. accounted for 18.8 percent of spam messages worldwide in the previous quarter, and continues to be plagued by bots, or zombie PCs that are remotely controlled by hackers, Sophos said.

Three Asian nations made the latest Dirty Dozen list: India took second spot with a 6.9 percent share of spam relayed between October and December 2010; South Korea was No. 8 with 3 percent; and Vietnam, which accounted for 2.8 percent, clocked in at No. 10. The three countries have consistently been ranked among the Top 12 over the last year, according to Sophos.

Microsoft plugs three Windows holes, works on others

Microsoft today issued two bulletins fixing three holes in Windows, including one rated critical for Windows XP, Vista, and Windows 7 as part of Patch Tuesday.

“We are not aware of proof-of-concept code or of any active attacks seeking to exploit the vulnerabilities addressed in this month’s release,” the company wrote in a Microsoft Security Response Center blog post.

The critical vulnerability is addressed in Bulletin MS11-002. The bulletin fixes the critical hole and an “important” vulnerability, both in Microsoft Data Access Components, that could allow an attacker to take over the computer if a user merely viewed a malicious Web page.

The second bulletin, MS11-001, resolves an “important” vulnerability that could allow remote code execution if a user opens a legitimate Windows Backup Manager file that is located in the same network directory as a malicious library file. The user would have to visit an untrusted remote file system or WebDAV (Web-based Distributed Authoring and Versioning) share for the attack to be successful.

More details are in the security advisory for this month.

Meanwhile, Microsoft revised Security Advisory 2488013 related to Cascading Style Sheets (CSS) to add an additional workaround for a vulnerability that affects Internet Explorer and for which there have been reports of targeted attacks.

“The most important vulnerability, known as ‘css.css’, affects all versions of Internet Explorer and is rated critical,” said Wolfgang Kandek, chief technology officer at Qualys. “The exploit code is public and targeted attacks have been observed.”

Security experts said they were more interested in when Microsoft plans to patch existing zero-day holes than in the fixes that were released.

“Instead of talking about the number of bulletins being patched today, everyone’s mind is on the five vulnerabilities that are not being patched,” said Andrew Storms, director of security operations for nCircle.

Microsoft maintains a list of the pending issues. On that list is a bug in IE disclosed by Google security researcher Michal Zalewski for which he said an exploit had been leaked to the Web. He also publicly released a tool he said he had used to find the hole and others in major browsers. Microsoft says it is still assessing the issues Zalewski brought up.

This article was first published as a blog post on CNET News.

US memo on insider threats leaked

A White House memo on how to improve data security in the wake of the publication of hundreds of thousands of leaked US documents on WikiLeaks has been leaked.

The memo, which was circulated to the heads of U.S. government departments and agencies on Jan. 3, was handed to MSNBC news. The document was formulated in response to leaks to the WikiLeaks Web site by whistleblowers and designed for use by agencies handling classified material.

The memo asks whether government agencies that handle national security documents have adequate data security practices in place, including appropriate access controls. The document provides a checklist, with questions including whether disparate information about employee evaluations, polygraph tests and IT auditing of user activities is pieced together to give indicators of insider threats. The memo also asks whether the agency uses psychiatrists and sociologists to gauge employee “despondence and grumpiness as a means to gauge waning trustworthiness”.

Read more of “US memo on insider threats leaked” at ZDNet UK.

China’s US$90B ups cyberwar stakes

Last year, Northrop Grumman released a report warning that China had a mighty cyber arsenal which it could use in a possible future cyber conflict. News last week that Chinese defense spending could be double the public figure could mean that such claims are true, and perhaps even conservative.

The news arose in diplomatic cables dating back to 2006 obtained from Wikileaks by Fairfax newspapers. Australian diplomats reported to the United States that the Australian Government believed China’s military budget was US$90 billion, double the US$45 billion publicly announced by Beijing.

Australian intelligence and defence agencies told the U.S. that China was building a military capability well above that needed to repel a move for independence by Taiwan, and said it had become a risk to stability in the region.

“China’s longer-term agenda is to develop ‘comprehensive national power’, including a strong military, that is in keeping with its view of itself as a great power,” the cables said.

A document (PDF) provided to the U.S.-China Economic and Security Review Commission by Northrop Grumman in October last year claimed that China had a significant cyber warfare capability, including a military and civilian militia comprised of network specialists, and fully-functional offensive hacking and counter-intelligence wings.

The document also claimed the country has stockpiled a kinetic arsenal that includes lasers, high-power microwave systems and nuclear-generated electromagnetic pulses to supplement its cyber warfare force. It also claimed the country is training its forces to work under “complex electromagnetic conditions”.

While it is unclear if defense specialists espousing China’s cyber warfare capabilities, such as Northrop Grumman, were privy to this information, the larger defense budget would seem to lend credence to their claims.

It’s something governments do not like to discuss. Last year, the United States opened its Cyber Command, but that is still heavily dependent on private industry. Meanwhile, the Australian Defence Force revealed in its Defence Whitepaper that it will “invest in a major enhancement of [its] cyber warfare capability”, yet that appears to centre on response and defensive means.

The extent and intent of cyber warfare arsenals is hotly contested and there are as many cyberwar sceptics as proponents.

Yet, it’s certainly reasonable to suggest China did not splurge US$90 billion on guns and bombs alone. In a time heavy with cyberwar rhetoric, it would make sense for them to hedge their bets.

This article was first published at ZDNet Australia.

Chinese auction site touts hacked iTunes accounts

Tens of thousands of reportedly hacked iTunes accounts have been found on Chinese auction site Taobao, but the company claims it is unable to take action unless there are direct complaints, according to news reports.

The Global Times reported Thursday as many as 50,000 illegally obtained iTunes accounts were sold on China’s biggest consumer auction site. The Beijing-based newspaper also interviewed a seller who admitted the accounts were hacked but did not reveal how they were obtained.

Taobao, however, said that to protect its users, it would not be taking action until it has received a formal request. In a statement carried by BBC, the company said: “We take all reasonable and necessary measures to protect the rights of consumers who use Taobao, of our sellers and of third-parties. Until we receive a valid takedown request, we cannot take action.”

Advertisements on Taobao for the iTunes accounts offer heavily marked down prices. One of the listings visited by ZDNet Asia allowed buyers to decide how much they wanted in the accounts, with US$1 in exchange for only 1 RMB (US$0.15). Buyers are required to purchase at least US$10 and at the time of writing, 175 transactions have been made.

Access to the iTunes account is, however, limited to 12 hours, according to the listing. It also cautioned buyers that apps bought via this means are not upgradeable and that it would be a matter of time before illegally acquired iTunes accounts are closed.

Apple had declined to comment on the news, according to BBC.

This is not the first time Apple iTunes accounts have been compromised. In July 2010, reports surfaced that customers’ accounts were hacked and used to purchase software. However, it is not clear whether the accounts being sold on Taobao are related to the previous incident.

Corporate data accessed by too many

With increasing ease of access to corporate data, organizations are in danger of “breaches” in the form of files, rather than database records, warned security vendor Imperva, adding that the number of affected companies is set to rise.

As more and more sensitive data gets disseminated as unstructured content, hackers may seek to take advantage of the loopholes, and make away with confidential data for financial or personal gains, Stree Naidu, Imperva’s Asia-Pacific vice president, told ZDNet Asia in an e-mail interview.

“While most business applications use structured storage such as databases to maintain and process sensitive and critical data, users are constantly creating and storing more unstructured content, based on the information taken from these systems,” he said.

Such information includes data stored in Excel spreadsheets, presentations and medical lab results sent as letters to patients. However, it is not merely the transfer of the information that is opening up loopholes and opportunities for unauthorized access, Naidu explained.

“The documents do not actually need to be sent anywhere for a threat to exist. What we’ve observed, and the recent WikiLeaks incidents have shown, is that data is accessible by too many people within the business–people who do have a legitimate need for access, despite strict company policies,” he pointed out.

Therefore, reducing access rights to a business need-to-know level and monitoring access activity are some ways to mitigate the risk.

Furthermore, with data volume increasing at 60 percent every year, increased sharing of data, as well as data retention policies, are also contributing to the threat of security breaches, Naidu said.

The situation is further complicated by the fact that files are “autonomous entities”, which organizations do not have control of even with today’s tools, he added. Unlike database records, which are created by pre-programmed applications, the inability to maintain control of files “may result in excessive access privileges and an inadequate audit trail of access to sensitive information”.

As cloud-based software such as Google Docs and Jive, and internal document management systems such as Microsoft’s SharePoint or EMC’s Documentum, become part of enterprise IT, they have also enlarged the attack surface and, therefore, the risk of threats.

The Wikileaks incident last year was a clear indication that “massive leakage and compromise of sensitive information is indeed becoming a clear and present danger”, according to Naidu.

Another case of high-profile breach involved a former Goldman Sachs employee, who stole source code used for a proprietary high-frequency trading program, by using his desktop to upload the code to a server based in Germany, Naidu noted.

The bank identified the misconduct after observing large amounts of data leaving the servers, which led to the rogue employee’s arrest.

With these in mind, Naidu said organizations ought to budget and plan for the next generation of file access monitoring and governance tools to reduce the risk of file exposure. Some key characteristics to take note of include:

  • Policies set and expressed by content of file, rather than metadata
  • Flexible deployment, without impacting data stores or network architecture
  • Adaptive deployment with focus on the most accessed files, without compromising the ability to track sensitive information in older files
  • Ability to identify file owners and excessive rights to files

The executive also advised that enterprises be constantly on the lookout as hacking methods are always “improving and evading detection”. Businesses, he urged, should increase monitoring visibility of traffic and set security controls across all organization layers.

“A security control should understand these shifts in the hacker industry and rapidly incorporate these changes in their organization,” said Naidu. “This could even include incorporating a reputation-based control, which could stop large automated Web-based attacks known to originate from malicious sources.”

Spam drops sharply over Christmas

The amount of spam being pumped out by networks of compromised computers dropped sharply over the festive period, according to Symantec.

The security company’s subsidiary MessageLabs said the steep drop was in part due to spam coming from the Rustock botnet slowing to a trickle, while two botnets, Lethic and Xarvester, appear to have ceased activity.

“Rustock is sending spam in much-reduced volumes, while the other two botnets have stopped sending spam altogether,” MessageLabs intelligence senior analyst Paul Wood told ZDNet UK on Thursday.

Read more of “Spam drops sharply over Christmas” at ZDNet UK.

Microsoft to fix Windows holes, but not ones in IE

Microsoft said Thursday that it will release two security bulletins next week fixing three holes in Windows, but it is still investigating or working on fixing holes in Internet Explorer that have been reportedly exploited in attacks.

One bulletin due out on Patch Tuesday, rated “important,” affects only Windows Vista but the second one, with an aggregate rating of “critical,” affects all supported versions of Windows.

Microsoft said it is not releasing updates to address a hole affecting Windows Graphics Rendering Engine that it disclosed earlier this week, or one disclosed in late December, Security Advisory 2488013, that affects Internet Explorer and for which there have been reports of targeted attacks, the company said in a post on the Microsoft Security Response Center blog.

“We continue to actively monitor both vulnerabilities and for Advisory 2488013 we have started to see targeted attacks,” the post said. “If customers have not already, we recommend they consult the Advisory for the mitigation recommendations. We continue to watch the threat landscape very closely and if the situation changes, we will post updates here on the MSRC blog.”

Also not mentioned in the Patch Tuesday preview announcement by Microsoft is a bug in IE disclosed last weekend by Michal Zalewski, a security researcher for Google based in Poland. Zalewski released a tool he used to find the hole and others in all the major browsers and said that an exploit for the IE bug had been leaked to the Web accidentally. Security firm Vupen has confirmed the critical hole in IE 8. Microsoft says in Security Advisory 2490606 that it is investigating the bug reports.

Josh Abraham, a security researcher at Rapid7, was surprised that Microsoft was not rushing to fix holes that were reportedly being used in attacks.

“With only two bulletins this month, the big shock is that Microsoft is not addressing two security advisories that have already been weaponized,” Abraham said. “I would bet that if the malicious attackers start using the exploits, then we will see an out-of-band patch.”

Meanwhile, as Microsoft released its Patch Tuesday preview, Sophos is warning people about a fake Microsoft security update e-mail circulating that contained a worm. The subject line says “Update your Windows” and urges recipients to download an attached executable. But Microsoft does not issue security patches via e-mail attachments. Another clue that it’s a scam–Microsoft is misspelled in the forged e-mail header as “microsft.”

This article was first published as a blog post on CNET News.

Sourcefire buys Immunet for US$21M

Network security company Sourcefire is acquiring Immunet, a cloud-based anti-malware startup, for US$21 million in cash, the companies announced Thursday.

The acquisition expands the cloud-based offerings for Sourcefire, creator of the open-source Snort intrusion detection technology.

Columbia, Md.-based Sourcefire said it will not lay off any of Immunet’s full-time staff, which is based in Palo Alto, Calif.

Sourcefire paid US$17 million at the closing of the deal and will pay US$4 million during the next 18 months dependent on product delivery milestones, the companies said in a statement.

Immunet chief executive Oliver Friedrich co-founded SecurityFocus, which Symantec acquired in 2002, and Secure Networks, which McAfee bought in 1998.

The acquisition announcement comes on the heels of news Wednesday that Dell is acquiring SecureWorks.

This article was first published as a blog post on CNET News.

US govt e-card scam hits confidential data

A fake U.S. government Christmas e-card has managed to siphon off gigabytes of sensitive data from a number of law enforcement and military staff who work on cybersecurity matters, many of whom are involved in computer crime investigations.

According to news.softpedia.com, the rogue e-mail messages sent out on Dec. 23 last year had the subject “Merry Christmas” and purported to originate from a jeff.jones@whitehouse.gov address.

The body message read: “As you and your families gather to celebrate the holidays, we wanted to take a moment to send you our greetings.

“Be sure that we’re profoundly grateful for your dedication to duty and wish you inspiration and success in fulfillment of our core mission.”

This was followed by two links to the alleged greeting cards, which lead to pages hosted on compromised legit Web sites. Victims who clicked on the links were infected with a Zeus Trojan variant, which stole passwords and documents, and uploaded them onto a server in Belarus, reported krebsonsecurity.com.

The article also revealed that the latest attack used the same technique as one uncovered last year, where 74,000 PCs were found to be part of a botnet. In the earlier incident, victim machines were controlled by Web sites registered with the same e-mail address. Alex Cox, principal research analyst with NetWitness, said the new case either involved the same person or copied the exact same technique.

Security blogger Mila Parkour pointed out that the “pack.exe” file downloaded by the Trojan was a Perl script converted to an executable file by way of a commercial application called Perl2exe. The pack program was responsible for stealing the documents on a victim’s computer and relaying the data to a file repository in Belarus.

Krebsonsecurity.com author Brian Krebs said: “The attack appears to be the latest salvo from Zeus malware gangs whose activities over the past year have blurred the boundaries between online financial crime and espionage, by stealing both financial data and documents from victim machines.”

He explained that this activity was unusual as most criminals using Zeus were interested in money-related activities, whereas the siphoning of government data was associated with advanced persistent threat attacks, the same category as the Stuxnet attacks.

Some of the victims included an employee at the National Science Foundation’s Office of Cyber Infrastructure, an intelligence analyst in Massachusetts State Police and an employee at the Financial Action Task Force.

Another report by news agency AP said there was no evidence that the stolen classified information had been compromised.

Microsoft warns of Windows flaw affecting image rendering

Microsoft warned on Tuesday of a Windows vulnerability that could allow an attacker to take control of a computer if the user is logged on with administrative rights.

To be successful, an attacker would have to send an e-mail with an attached Microsoft Word or PowerPoint file containing a specially crafted thumbnail image and convince the recipient to open it, Microsoft said in its advisory, which also contains information on workarounds.

An attacker also could place the malicious image file on a network share and potential victims would have to browse to the location in Windows Explorer.

The flaw, which is in the Windows Graphics Rendering Engine, could allow an attacker to run arbitrary code in the security context of the logged-on user, meaning that accounts that are configured to have fewer user rights would be affected less.

The vulnerability affects Windows XP Service Pack 3, XP Professional x64 Edition Service Pack 2, Server 2003 Service Pack 2, Server 2003 x64 Edition Service Pack 2, Server 2003 with SP2 for Itanium-based systems, Vista Service Pack 1 and Service Pack 2, Vista x64 Edition Service Pack 1 and Service Pack 2, Server 2008 for 32-bit, 64-bit, and Itanium-based systems and Service Pack 2 for each.

Microsoft said it is not aware of attacks exploiting the vulnerability or of any impact on customers at this time. The company is working on a fix but did not indicate when it would be available.

This article was first published as a blog post on CNET News.

US agency hunts down international cybercrime ring

A Vietnam-based international cybercrime ring believed to be involved in identity theft, wire fraud and money laundering is the target of a U.S. law enforcement agency following the house raid of two Vietnamese students suspected to be “money transfer mules”, news agencies reported.

On Monday, technology news site ComputerWorld reported that the U.S. Department of Homeland Security (DHS)’s Immigration and Customs Enforcement (ICE) investigations unit had raided the house of two Vietnamese Winona State University exchange students and seized their documents and computer equipment.

The 22-year-old students, Tram Vo and Khoi Van, are suspected of working as money transfer mules for a Vietnam-based international cybercrime ring, having made more than US$1.2 million selling software, video games and Apple’s iTunes gift cards on eBay purchased with stolen credit card numbers, the report stated, citing the affidavit filed in support of the search warrant issued for the raid.

Both of them controlled more than 180 eBay accounts and more than 360 PayPal accounts, which were opened using stolen identities, noted a separate report by the Star Tribune, a Minnesota, U.S.-based broadsheet.

ComputerWorld explained that the students had posed as eBay sellers using the stolen identities to sell discounted products such as Rosetta Stone software, video games, textbooks and Apple iTunes gift cards.

When a legitimate eBay buyer ordered the products, the students would purchase the items from a third-party merchant using stolen credit card accounts and ask for the items to be sent to the buyer. However, the merchant would not be able to claim payment for the products, as the owner of the stolen credit card would inform the relevant bank that the payment was an unauthorized transaction, the report stated.

Online retailers such as eBay, PayPal, Amazon, Apple, Dell and Verizon Wireless were among the high-profile victims, noted Star Tribune.

Cybercrime gangs’ growing sophistication

The DHS investigation on the Vietnamese cybercrime outfit, code-named “Operation eMule”, began in September 2009, according to the abovementioned affidavit.

In the document, DHS Special Agent Daniel Schwarz wrote: “The criminal ring makes online purchases from e-commerce merchants using stolen credit card information and then utilizes an elaborate network of mules based in the United States. The criminals get stolen credit or bank card numbers by hacking PCs or databases. In some cases, they simply buy the stolen personal information from underground online marketplaces.”

According to ComputerWorld, money mule networks are needed by cybercrime organizations to get the stolen money out of the country, which is the “hard part”. Mules working for the Vietnamese organization, for instance, would get their orders via a secured Web site that is available only to “vetted members”, Schwarz said. He added that the money involved in such crimes is “estimated to exceed hundreds of millions of dollars”.

Such sophisticated cybercrime rings are on the rise, too.

In October last year, authorities arrested more than 100 people in the U.S. and U.K. in connection with another money mule operation, which was operating out of Ukraine, the report stated. Then, scammers hacked into bank accounts, transferred money around and used mules to move the money offshore via services provided by payment companies such as Western Union.

A ZDNet Asia report in July last year also revealed that a Russian check-counterfeiting ring had netted US$9 million through a combination of malware, botnets, virtual private networks and money mules recruited online.

Microsoft warns of Office-related malware

Microsoft’s Malware Protection Center issued a warning this week that it has spotted malicious code on the Internet that can take advantage of a flaw in Word and infect computers after a user does nothing more than read an e-mail.

The flaw was addressed in November in a fix issued on Patch Tuesday, but with malicious code now spotted in the wild, the protection center apparently wants to be sure the update wasn’t overlooked.

Symantec underlined the seriousness of the flaw to ZDNet Asia’s sister site CNET’s Elinor Mills in November:

“One of the most dangerous aspects of this vulnerability is that a user doesn’t have to open a malicious e-mail to be infected,” Joshua Talbot, security intelligence manager at Symantec Security Response, said at the time. “All that is required is for the content of the e-mail to appear in Outlook’s Reading Pane. If a user highlights a malicious e-mail to preview it in the Reading Pane, their machine is immediately infected. The same holds true if a user opens Outlook and a malicious e-mail is the most recently received in their in-box; that e-mail will appear in the Reading Pane by default and the computer will be infected.”

Users of Microsoft Office should be sure to install the fix. You can use your Start menu to check for updates: Click the Start button, click All Programs, and then click Windows Update. Details of the MS10-087 update, including which software versions are affected, can be found here.

This article was first published as a blog post on CNET News.

Researcher reports apparent China interest in IE hole

A security researcher who created a tool he used to find numerous bugs in major browsers has released it to the public, saying the importance of its distribution is heightened by the leak to the Web of an unpatched vulnerability in Internet Explorer.

Michal Zalewski, a Google security researcher based in Poland, announced in a blog post that he was releasing a tool called “cross_fuzz” and said its distribution was a priority because at least one of the vulnerabilities discovered by the tool appears to be known to a mysterious third party.

“I have reasons to believe that the evidently exploitable vulnerability discoverable by cross_fuzz, and outlined in msie_crash.txt, is *independently* known to third parties in China,” Zalewski wrote in a separate post.

“While working on addressing cross_fuzz crashes in WebKit prior to this announcement, one of the developers accidentally leaked the address of the fuzzer in one of the uploaded crash traces. As a result, the fuzzer directory, including msie_crash.txt, has been indexed by GoogleBot,” he continued. “I have confirmed that following this accident, no other unexpected parties discovered or downloaded the tool.”

On December 30, there were two search queries from an IP address in China that matched keywords mentioned in one of the indexed cross_fuzz files, he said.

Of the 100 or so bugs Zalewski said he found in IE, Firefox, Opera, and browsers powered by WebKit, including Chrome and Safari, he said he notified the vendors or developers in July and that they are in varying stages of resolution. He provides a timeline for contacting Microsoft here, noting that his first contact on the matter was in May 2008.

“At this point, we’re not aware of any exploits or attacks for the reported issue and are continuing to investigate and monitor the threat environment for any changes,” Jerry Bryant, group manager for Trustworthy Computing response communications at Microsoft, said in a statement.

This article was first published as a blog post on CNET News.

Data breach affects 4.9 million Honda customers

Japanese automaker Honda has put some 2.2 million customers in the United States on a security breach alert after a database containing information on the owners and their cars was hacked, according to reports.

The compromised list contained names, login names, e-mail addresses and 17-character Vehicle Identification Number–an automotive industry standard–which was used to send welcome e-mail messages to customers that had registered for an Owner Link account.

Another 2.7 million My Acura account users were also affected by the breach, but Honda said the list contained only e-mail addresses. Acura is the company’s luxury vehicle brand.

According to Honda’s notification e-mail to affected customers, the list was managed by a vendor. All Things Digital suggested, but could not confirm, that the vendor in question is e-mail marketing firm Silverpop Systems, which has been linked with the recent hacking incidents including that of fast-food giant McDonald’s.

In a Web page addressing affected customers, Honda said it would be “difficult” for a victim’s identity to be stolen based on the information that had been leaked. However, it has warned that customers ought to be wary of unsolicited e-mail messages requesting personal information such as social security or credit card numbers.

Compelling scams an ‘obvious danger’

Graham Cluley, senior technology consultant at Sophos, pointed out that cybercriminals who possess the list may e-mail the car owners to trick them into clicking on malicious attachments or links, or fool them into handing over personal information.

“If the hackers were able to present themselves as Honda, and reassured you that they were genuine by quoting your Vehicle Identification Number, then as a Honda customer you might very likely click on a link or open an attachment,” he explained in a blog post.

Acura customers, he added, could also be on the receiving end of spam campaigns.

Cluley noted that the incident serves as a reminder that companies not only need to have adequate measures in place to protect customer data in their hands, they also need their partners and third-party vendors to “follow equally stringent best practices”.

“It may not be your company [that] is directly hacked, but it can still be your customers’ data that ends up exposed, and your brand name that is tarnished,” he said.

Mozilla exposes older user-account database

Mozilla has disabled 44,000 older user accounts for its Firefox add-ons site after a security researcher found part of a database of the account information on a publicly available server.

The file had passwords obscured with the now-obsolete MD5 hashing algorithm, which has been rendered cryptographically weak and which Mozilla scrapped for the more robust SHA-512 algorithm as of Apr. 9, 2009. The older database didn’t end up anywhere dangerous, Mozilla believes.

“We were able to account for every download of the database. This issue posed minimal risk to users, however, as a precaution we felt we should disclose this issue to people affected and err on the side of disclosure,” said Chris Lyon, Mozilla’s director of infrastructure security, in a blog post about the database exposure Tuesday.

Mozilla notified affected users of the problem by e-mail yesterday, it said. “Current addons.mozilla.org users and accounts are not at risk,” Lyon said.

Password security has become a more prominent concern after a hack of Gawker blog sites earlier this month. Even with passwords obscured by strong hash algorithms, user names can be valuable in further hack attempts, especially when people reuse the same password on multiple sites.

“Unique passwords are a requirement, not a luxury,” said Chester Wisniewski of security firm Sophos in a blog post about the event.

This article was first published as a blog post on CNET News.

McAfee: Smartphones, Apple top ’11 crime targets

Security firm McAfee expects malicious activity in 2011 to target smartphones, URL shorteners, geolocation services like Foursquare, and Apple products across the board, according to a report released Tuesday.

“We’ve seen significant advancements in device and social-network adoption, placing a bulls-eye on the platforms and services users are embracing the most,” Vincent Weafer, senior vice president of McAfee Labs, said in a release announcing the report. “These platforms and services have become very popular in a short amount of time, and we’re already seeing a significant increase in vulnerabilities, attacks and data loss.”

In other words, the security infrastructure surrounding popular new services and devices–and more importantly public awareness of potential threats that people may face when using them–may not be up to par with better-established technologies. Take URL shorteners, for example. Because it’s so easy to mask longer URLs with them and because Twitter users have grown accustomed to clicking them without much thought, McAfee expects that they will continue to be targets for spam, scams, and viruses.

Social networks will remain hotbeds of malicious attacks, McAfee predicted, but geolocation services like Foursquare and Facebook Places will see new prominence. “In just a few clicks, cybercriminals can see in real time who is tweeting, where they are located, what they are saying, what their interests are, and what operating systems and applications they are using,” McAfee noted. “This wealth of personal information on individuals enables cybercriminals to craft a targeted attack.”

As for hardware, mobile devices (particularly those used on corporate networks), Internet TV platforms like Google TV, and devices running Apple operating systems are anticipated to be prime targets.

McAfee also said that the saga of WikiLeaks, the controversial classified-document repository that dominated headlines around the world late in 2010, is likely to spawn copycats in 2011. The security firm expects “politically motivated attacks” to be on the rise.

This article was first published as a blog post on CNET News.

Microsoft warns of IE zero-day

Microsoft has warned of a vulnerability that affects all versions of the Internet Explorer web browser.

Hackers can use the flaw to take control of a computer, Microsoft said in an advisory on Thursday.

“Microsoft is investigating new, public reports of a vulnerability in all supported versions of Internet Explorer,” said the advisory. “The main impact of the vulnerability is remote code execution.”

Read more of “Microsoft warns of IE zero-day” at ZDNet UK.

Lookout raises US$19.5 million for smartphone security

Lookout Mobile Security, which specializes in armoring smartphones from hackers, said today that it’s raised an additional US$19.5 million in funding.

The San Francisco-based startup says it now has nearly 50 employees and about four million registered users of its software, which includes a spyware scanner, remote backups, and a stolen phone locator. That’s up from a reported 2 million users in September and 3 million in November.

Lookout’s security apps currently are available for Android, BlackBerry and Windows Mobile. In an interview with ZDNet Asia’s sister site CNET, Lookout CEO John Hering said an iPhone version will be “coming very shortly” and customers should expect to “see something in 2011”.

New features in Apple’s iOS 4 operating system, announced in April and made available a few months later, aid development, Hering said. Those changes “enable us to do quite a bit more,” he said.

Some of Lookout’s features, like remote wipe and a more comprehensive remote backup, are available only to customers who purchase the premium version for US$3 a month.

Wednesday’s funding round came from Index Ventures and existing investors Accel Partners and Khosla Ventures.

This article was first published as a blog post on CNET News.

Irate hackers bring down sports body’s Web site

The World Taekwondo Federation’s (WTF) Web site was hacked after it punished a Taiwanese fighter for cheating at the Asian Games, AFP reported.

According to the news agency, the South Korea-based governing body’s site was taken down on Tuesday night, defaced with the words “still unfair” by attackers who supported Taiwan’s taekwondo exponent, Yang Shu-chun. The report did not state how long the site was down for. It is now operational.

The seeds of the hackers’ discontent were sown during the Asian Games last month when Yang was found to have extra “detachable” sensors in her socks, an action considered to be illegal in the sporting event. Fighters are only allowed to wear sensors built into their socks, which are then used as part of the electronic scoring system, AFP explained.

Following weeks of investigation, the WTF decided on Tuesday to punish Yang’s wrongdoing with a three-month suspension from the sport. Additionally, her coach received a 20-month suspension, while the Chinese Taipei Amateur Taekwondo Association was fined US$50,000 for “negligence and wrongdoing” for its role in the chain of events.

The decision angered Yang’s supporters and triggered the attack on the governing body’s Web site, said AFP.

Taking the WTF’s site offline was not the first transgression by the hackers, though. Earlier, while investigations were still ongoing, the Asian Taekwondo Union’s Web site carried a statement condemning Yang for a “shocking act of deception”, the news agency reported.

The statement set off a wave of anti-Korean ire in Taiwan, which resulted in hackers bringing down the ATU’s Web site in November, it added.

APAC enterprises still not DDoS-aware

Distributed denial-of-service (DDoS) attacks have been around for at least a decade, with thousands of such incidents taking place each day around the world. But a whopping 99 percent of these attacks go unreported, according to a security expert.

In light of recent high-profile WikiLeaks and consequent security incidents, Mark Teolis, general manager of DOSarrest, explained in an e-mail interview with ZDNet Asia that while most large e-commerce sites have some level of protection, many are not adequately protected against such assaults, especially complex layer 7 DoS attacks (L7DA).

Frost and Sullivan’s analyst, Edison Yu, agreed. He noted that this is the case particularly in the Asia-Pacific region, where instead of using an application firewall, many enterprises still rely on traditional firewall and intrusion prevention system (IPS) for protection against L7DA.

Yu explained that these sophisticated DDoS attacks are able to bypass the traditional firewall and target applications, bringing down Web sites due to an overwhelming volume of service requests being sent out by botnets.

The “Brute Force” program is said to be able to send more than 1 million attempts per second. L7DA also has the capability to slow down the HTTP server.

According to DOSarrest, the top misconception enterprises have is that traditional firewalls are able to thwart all DDoS attacks. The security vendor added that over the past 12 months, L7DA made up 60 percent of the overall DoS threat landscape, followed by SYN type floods which comprised 30 percent, and UDP/ICMP attacks taking 10 percent.

The company also revealed that 80 percent of DoS attacks had a layer 7 component, while the same percentage carried a combination of two or more components.

Teolis noted that “most purpose-built, so-called DDoS mitigation devices” will not stop all layer 7 attacks, but enterprises can thwart them by adopting a “robust multi-layer strategy”. This includes eliminating all non-essential traffic in the cloud, having good SYN protection and implementing a well-designed robust system for layer 7.

DOSarrest, which represents various merchants in different industries including pharmaceuticals, gaming and music downloads, revealed that one of its customers was a victim of “Operation Payback” during the WikiLeaks-related attacks but suffered zero downtime. A coordinated series of attacks by Internet activists that target opponents of online piracy, Operation Payback launched attacks on Web sites of banks that withdrew their services from WikiLeaks.

Internet not built for trust
Yu, who has been tracking the developments of DDoS attacks, noted that what used to be reserved to drive “cyber espionage” is now being exploited by cyber criminals to gain sensitive data or compromise monetary transactions.

He described it as a “two-way situation” where, increasingly, enterprises are migrating to the Web for commercial reasons. By making more information available online to provide employees and customers easy access, businesses are giving criminals greater opportunities to scrutinize system loopholes, thereby making their sites more vulnerable, he said.

“The Wikileaks incident has emphasized that the Web was never designed as a trusted environment,” Yu cautioned. “I think that’s something we tend to forget when we go online and embrace the Web in personal and professional domains.”

Jonas Frey of Probe Networks was quoted in a recent NetworkWorld article saying that even as ways to mitigate and thwart attacks continue to emerge, attackers have also been successful in discovering new security loopholes. He added that there is “no real solution right now”.

“Nowadays the consumers have a lot more bandwidth and it’s easier than ever to set up your own botnet by infecting users with malware and alike,” Frey said in the report. “There’s not much you can do about the unwillingness of users to keep their software or operating system up-to-date. There is just no patch for human stupidity.”

While the figures paint a grim picture, Teolis believes the overall risk is still low. However, he noted that the landscape remains unpredictable.

Yu noted: “DDoS is becoming more and more contentious, given the nature and motivation behind the attacks, [and this is] something which enterprises are not very wary of.”

In a bid to minimize risk exposure, the analyst urged enterprises to relook access to the corporate network through mobile devices, and evaluate if their IT infrastructure is capable of handling these security threats.

As more criminals target layer 7 DDoS attacks, an increasing number of security vendors are launching service offerings that specifically target such risks. Kaspersky, for instance, recently announced plans to start selling an “experimented DDoS shield” globally if it is able to work effectively.

Sophos: Beware Facebook’s new facial-recognition feature

Facebook’s new facial recognition software might result in undesirable photos of users being circulated online, warned a security expert, who urged users to keep abreast of the social network’s privacy settings to prevent that scenario from becoming a reality.

Graham Cluley, senior technology consultant at security vendor Sophos, said in a statement released Monday that the new facial recognition software introduced last week by Facebook is able to match people’s faces in photos uploaded by other members. While users will not be automatically identified, or “tagged” in Facebook parlance, members who upload these pictures will be prompted to tag a list of suggested friends identified by the facial recognition software, Cluley noted.

Furthermore, he added that once a Facebook user has identified people to be tagged in a photo, these individuals run the risk of being singled out by the social networking site to other friends.

“Even people who are not on Facebook, or who choose not to identify themselves openly in uploaded pictures, may nevertheless end up [being] easy to find in online photos,” he explained.

In an earlier report, Facebook’s vice president of product, Chris Cox, told ZDNet Asia’s sister site CNET News that photo tagging is “really important” for control because every time a tag is created, it highlights a photo of the user which he was not aware had been uploaded online. “Once you know [this picture exists], you can remove the tag, or you can promote it to your friends, or you can write the person and say, ‘I’m not that psyched about this photo’,” Cox said.

He said the feature will be rolled out to about 5 percent of Facebook’s U.S. users this week and, “assuming that goes well”, the company will continue to launch it in other markets. He also stressed that there will be an opt-out option for the new feature, so if members do not want to show up in their friends’ tagging suggestions, they will not.

Cluley, however, spoke out against Facebook for maintaining an opt-out, rather than opt-in, stance toward user information. “While this feature may be appealing for those Facebook users that are keen to share every detail of their social life with their online friends, it is alarming to those who wish to have a little more anonymity,” he said.

He cited a recent Sophos poll that revealed 90 percent of Facebook users surveyed called for features on the social networking site to become opt-in. With the introduction of the facial recognition capability, he predicted that this percentage will rise.

To prevent privacy loss, Cluley recommended that users opt out when the feature is turned on. He added that keeping on top of new features and ensuring privacy settings are up-to-date is essential for Facebook users in order to make sure they do not share too much personal information online.

This is not the first time the social network has received flak for instituting an opt-out policy for its features. In March, Facebook users were up in arms after the site announced it would automatically share user data with a select group of third-party sites without specific permission.

Security expert suggests demilitarizing cybersecurity

As if the wars on terror and drugs weren’t keeping U.S. officials busy enough, the drum beats of cyberwar are increasing.

There were the online espionage attacks Google said originated in China. Several mysterious activities with Internet traffic related to China. The Stuxnet worm that experts say possibly targeted Iranian nuclear centrifuges. An attack on the WikiLeaks site after it released classified documents damaging to U.S. foreign policy. And don’t forget the Internet attack on Estonia from a few years ago.

To deal with the geopolitical dramas that are projected in the online world, the U.S. is using military strategy and mindset to approach cybersecurity, creating a Cyber Command and putting oversight for national cybersecurity under the auspices of the Department of Defense.

But offense isn’t always the best defense, and it never is when it comes to Internet security, says Gary McGraw, author and chief technology officer at security consultancy Cigital. More secure software, not cyber warriors, is needed to protect networks and online data, he writes in a recent article, “Cyber Warmongering and Influence Peddling.”

ZDNet Asia’s sister site CNET talked with McGraw about how the militarization of cybersecurity draws attention from serious threats.

CNET: So, tell me what’s wrong with going to DEFCON 1 in cyberspace now?
McGraw: I wrote an article with Ivan Arce, the founder and chief technology officer of Core Security Technologies. He’s from Argentina. Every time I talk to him he asks ‘what is up with you Americans and cyberwar anyway? Why are you so obsessed with cyberwar?’ Because nobody else is talking about it in the rest of the world. I travel a lot internationally and he is right. So we started talking about why that was. One of our main points is that there is a confusing blend of cyberwar stuff, cyber-espionage stuff and cybercrime stuff, and the stories are used to justify whatever political or economic end people may have, instead of trying to disambiguate these three things and talk about what they actually are.

What’s the danger with that?
The danger is that if we lump everything under ‘cyberwar’, then our natural propensity in the United States is to allow the Defense Department to deal with it. The DoD set up a Cyber Command in May. Cyber Command has an overemphasis on offense, on creating cyber-sharpshooters and exploiting systems more quickly than the enemy can exploit them. I don’t think that’s smart at all. I liken it to the world living in glass houses and Cyber Command is about figuring out ways to throw rocks more accurately and quickly inside of the glass house. We would all be better suited trying to think about our dependence on these systems that are riddled with defects and trying to eliminate the defects, instead.

Is the rhetoric all driven by attracting money? That’s a very cynical way of thinking.
A lot of people think it is. The military industrial complex in the U.S. is certainly tied very closely to the commercial security industry. That is not surprising, nor is it that bad. The problem is the commercial security industry is only now getting around to understanding security engineering and software security. The emphasis over the past years has been on trying to block the bad people with a firewall and that has failed. The new paradigm is trying to build stuff that’s not broken in the first place. That’s the right way to go. If we want to work on cybercrime and espionage and war, to solve all three problems at once, the one answer is to build better systems.

You mention that cybercrime and cyber-espionage are more important than cyberwar. Why is that?
Because there is a lot of crime, less espionage, and very little cyberwar. (chuckles) And the root cause for capability in all these things is the same. That is dependence on systems that are riddled with security defects. We can address all three of those problems. The most important is cybercrime, which is costing us the most money right now. Here’s another way to think about it: everyone is talking about the WikiLeaks stuff, and the impact the latest (confidential files) release is having on foreign policy in the U.S.

The question is, would offensive capability for cyberwar help us solve the WikiLeaks problem? The answer is obvious. No. Would an offensive cyberwar capability have helped us solve the Aurora problem where Google’s intellectual property got sucked down by the Chinese? The answer is no.

What would have helped address those two problems? The answer is defense. That is building stuff properly. Software security. Thinking about things like why on earth would a private (officer) need access to classified diplomatic cables on the SIPRNET (Secret IP Router Network)? Why? If we thought about constructing that system properly and providing access only to those who need it, then things would be much better off.

The term “cyber” makes it seem more scary. We’re just talking about Internet, right? Might there be a problem with semantics?
There could be. There has been an overemphasis on cyberwar in the U.S. The problem with cybersecurity is that there is just as much myth and FUD and hyperbole as there are real stories. It’s difficult for policy makers and CEOs and the public to figure out what to believe because the hype has been so great, such as with the Estonia denial-of-service attack from 2007. So that when we talk about Stuxnet it gets dismissed.

So it’s the boy who cried wolf problem?
Yes.

Stuxnet is real. Is that cyberwar?
It seems like a cyberweapon. I think it qualifies as a cyberwar action. My own qualification is that a cyberattack needs to have kinetic impact. That means something physical goes wrong. Stuxnet malicious code did what it could to ruin physical systems in Iran that were controlling centrifuges or that were in fact centrifuges. If you look at the number of centrifuges operating in Iran you see some big drops that are hard to explain. (Iranian President Mahmoud) Ahmadinejad admitted there was a cyberattack on the centrifuges.

So why does the attack on Estonia not qualify?
The kinetic impact is important, but also an act of war is the act of a nation-state. The Estonia attacks fail the nation-state actor test. It also fails the real impact test. Sure, their network went down, but whoop dee do! Who cares? If you took that same sort of attack against Google or Amazon they wouldn’t even notice. I think people were using that attack–which was carried out by individual cybercriminals in Russia, not by the state–to hype up the cyber war thing. In fact, in my work in Washington [D.C.], the Estonia story keeps coming up, over and over again, as an example of cyberwar.

What is your qualification to discuss cyberwar matters and policy?
This year, I’ve been working more in Washington than I have in the past. I’ve been to the White House, the Pentagon, talked to think tanks. I’m a little bit worried that the discourse is too much about cyberwar. We should try to untangle the war, espionage, and crime aspects and maybe emphasize building better systems and getting ourselves out of the glass house as opposed to trying to make a whole new cadre of cyber-sharpshooters as [CIA Director] General Hayden suggests. For policymakers the conception of our field [of security] is muddled.

I’m worried we’re not spending on [Internet security] defense at all. There’s no way to divide and conquer networks. That is, we can’t defend the military network or the SIPRNET but not defend the Internet because we’re ignoring 90 percent of the risk. Most of the infrastructure in the U.S., 90 percent of it that’s important, is controlled by corporations and private concerns, not by the government. The notion that we can protect military networks and not the rest of it just doesn’t make any sense. That’s one problem.

The other problem is the Air Force has always been about domination in the air and taking away that capability from the enemy early and eradicating infrastructure. This notion of a ‘no-fly zone’ is kind of interesting. Unfortunately those tactics don’t work in cyberspace because there is a completely different physics there. There is no such thing as taking ground or controlling air space in cyberspace. Things move at superhuman speed in cyberspace. So some of these guys who are good military tacticians are having a hard time with cyberwar policy and cyberdefense because of the analogies they’re using.

You mentioned in your article that “in the end, somebody must pay for broken security and somebody must reward good security”. Are you suggesting that we hold software makers liable for flaws?
I don’t know what the answer is. We need to change the discourse to be around how do we incentivize people to build better systems that are more secure and how do we disincentivize the building of insecure systems that are riddled with risk? As long as we can have that conversation then policy makers might be able to come up with the right sort of levers to cause things to move in the right direction. We’re not suggesting any particular approaches, like liability. We’re just trying to change the discourse from being about war to being about security engineering.

Anything else?
I think we are at risk and I do think cyberwar is a real problem we have to grapple with. But even though we are at risk, we need to have rational conversations about this. Too much FUD and hyperbole don’t do anything to help the situation. The poor guys that are charged with setting policy have a hard time doing that because we’re having the wrong conversation at the policy level right now.

This article was first published as a blog post on CNET News.

LinkedIn disables passwords in wake of Gawker attack

LinkedIn is disabling passwords of users whose e-mail addresses were included in the customer data that was exposed in an attack on the Gawker blog sites.

The professional-networking site is taking this action to prevent any of its customers from having their LinkedIn accounts hijacked in the event that they used the same password that they used on any of the Gawker sites.

“There is no indication that your LinkedIn account has been affected, but since it shares an e-mail with the compromised Gawker accounts, we decided to ensure its safety by asking you to reset its password,” the company said in an e-mail to users today.

To reset your LinkedIn password, go to the Web site and click on “Sign In” and “Forgot Password?” and follow the directions.

Gawker’s Web site and back-end database were compromised, and passwords, usernames, and e-mail addresses for about 1.3 million user accounts were posted on the Pirate Bay BitTorrent site over the weekend. The passwords were encrypted with technology. However, weak passwords can easily be cracked by brute force attacks. (To find out how to check if you are at risk and get more details about the incident read this FAQ.)

People who use the same password on multiple sites are at risk of having their accounts on those other sites compromised. This happened already on Twitter, with some accounts being used to send spam shortly after the Gawker breach was publicized.

Security experts urge people to choose strong passwords, to change them often and to not use the same password on multiple sites.

This article was first published as a blog post on CNET News.

New scam tactic: Fake disk defraggers

We’ve all heard about fake antivirus programs, also known as scareware. These programs falsely claim that your computer is infected with malware and prompt you to buy a product that will do nothing for you, except put your credit card number into the hands of criminals.

Well, now there are fake disk defraggers that masquerade as applications that fix disk errors on a computer. The GFI Labs (formerly Sunbelt Software) blog dubbed the programs FakeAV-Defrag rogues and said they had names like HDDDiagnostic, HDDRepair, HDDRescue, and HDDPlus.

It would appear that the scammers are trying out the new programs to see which might best confuse potential victims and evade detection by legitimate antivirus software. The defragger clones emerged last month with names like UltraDefragger, ScanDisk and WinHDD, and pretended to find “HDD read/write errors.” Earlier this month, there were PCoptimizer, PCprotection Center, and Privacy Corrector, which were more generic security products rather than specifically antivirus, the post says.

Computer users should be suspicious of applications that are advertised via e-mail, pop up warnings about problems (especially immediately after you click on a Web page video), demand that you make a purchase before they will fix the problems, and prompt you to update your browser, GFI Labs said.

If you aren’t sure if a program is legitimate, you can search by the name on a search engine or on GFI Labs’ site.

This article was first published as a blog post on CNET News.

Microsoft to boost Office security

Microsoft plugged 40 holes with 17 patches on Tuesday and said it will improve the security of Office 2003 and Office 2007 by adding a feature to the older versions of its productivity software that opens files in Protected View.

Customers should focus on the two critical bulletins that are part of Microsoft’s monthly Patch Tuesday security update, says Jerry Bryant, group manager for response communications in Microsoft’s Trustworthy Computing Group. The first is MS10-090, a cumulative update for Internet Explorer. It fixes seven vulnerabilities in the browser and affects IE 6, 7 and 8. There have been attacks targeting IE 6 on Windows XP, Bryant said.

The other critical bulletin is MS10-091, which fixes several vulnerabilities in the Windows OpenType Font driver. It affects all versions of Windows, primarily on third-party browsers that natively render the OpenType Font, which IE does not, according to Bryant.

The other bulletins are not critical and “could potentially be put off until after Christmas”, he said in an interview with CNET. Windows (all supported versions), Office, IE, SharePoint, and Exchange are affected by the bulletins. Details are in the security advisory here and in the Microsoft Security Response Center blog post.

Meanwhile, the company will be porting Office File Validation, which is currently in Office 2010, to Office 2003 and Office 2007 by the first quarter of next year, Bryant said. It will be an optional update.

The move will help protect customers from attacks that target about 80 percent of the Office vulnerabilities, Bryant said. Attackers typically create a document that uses an exploit and e-mail the maliciously crafted document to potential victims or host it on a Web site and prompt people to open it.

Office File Validation checks the file-format binary schema, such as .doc or .xls, and opens the file in a protected view if it detects a problem. “If the user wants to edit or continue to open the document then there are severe warnings about what that might mean” and that it could be dangerous, Bryant said.

This article was first published as a blog post on CNET News.

McDonald’s warns customers about data breach

McDonald’s (U.S.) is warning customers who signed up for promotions or registered at any of its online sites that their e-mail address has been compromised by an unauthorized third party.

The customer name, postal address, phone number, birth date, gender, and information about promotional preferences may also have been exposed, the company said in an FAQ on its Web site. Social Security numbers were not included in the database, the company said.

The data was managed by an e-mail database management firm hired by Arc Worldwide, a “longtime business partner” of McDonald’s, according to a recorded message on the company’s toll-free number. The unnamed database management firm’s computer systems were improperly accessed by a third party, McDonald’s said.

McDonald’s did not disclose the number of records involved or when the breach happened. McDonald’s representatives did not immediately return a call seeking comment this morning.

“This incident has nothing to do with credit card use at the restaurants,” the FAQ says. “The database that was accessed by the unauthorized third party did not contain any credit card information or any other financial information. Further, the information in the database was not gathered from our restaurant registers, but from voluntary subscriptions to our websites or promotions.”

McDonald’s is informing customers by sending e-mails to people who subscribed on the sites and has notified law enforcement authorities. The company advised customers to be wary of anyone calling them purporting to be from McDonald’s and to report it to the company if that happens.

This article was first published as a blog post on CNET News.

Malware for smartphones is a ‘serious risk’

Businesses and consumers are at risk of data breaches through smartphone use, according to the European Network and Information Security Agency.

Data leakage and disclosure, phishing and spyware are among the more common risks, the European Network and Information Security Agency (Enisa) said in a report.

The report focused on threats posed to the end user, company employees and high-level company officials–people that use smartphone devices for managing disparate aspects of their lives.

Read more of “Enisa: Malware for smartphones is a ‘serious risk’” at ZDNet UK.

Akamai says it can withstand Anon attacks

Akamai managers say they could have bolstered the Web sites that buckled under attacks launched recently by Internet vigilantes.

The world’s largest content delivery network says it has enough servers and the right kind of network to “mitigate distributed denial-of-service (DDoS) attacks”, Neil Cohen, Akamai’s senior director of product marketing, told ZDNet Asia’s sister site CNET. DDoS describes the practice of overwhelming a Web site with traffic so that it can’t be accessed.

Some well-known sites were the targets of DDoS attacks launched by a loosely connected group of WikiLeaks supporters who call themselves Anonymous or Anon for short. The group lashed out at companies they consider to be hostile to WikiLeaks, the service responsible for publicizing an enormous amount of classified U.S. government documents. Some of those attacked were MasterCard, Visa, PayPal, and Amazon.

MasterCard, Visa, and PayPal stopped processing donations made to WikiLeaks while Amazon stopped hosting WikiLeaks servers. At this point it appears that Amazon was able to withstand the attack while MasterCard and Visa’s sites were inaccessible for extended periods.

Cohen said few other companies have as much experience as his with defending Web sites from this kind of threat. He said that late last month, a number of U.S. retail sites came under DDoS attack from multiple different countries. Cohen said he was unaware of who was behind it or why, but he said that Akamai helped some of the retailers withstand the onslaught of hits to their sites, which in some cases reached 10,000 times the normal daily traffic to some of these sites. None of the sites went down, he said.

“What we did over the last decade was build out our network and we now have 80,000 servers in 70 countries,” Cohen said. “We can mitigate DDoS attacks by having a server extremely close to the court rather than try to absorb the attack in one centralized location. As an attack grows in size and distributes out to more bots, we have a server near the compromised machines. As the attack gets bigger, our network scales on demand.”

While there are reports that Anonymous is giving up on DDoS attacks related to the WikiLeaks case, it is unlikely that we’ve seen the end of them. In retaliation against the entertainment industry’s antipiracy attempts, Anonymous knocked out the Web sites belonging to the Motion Picture Association of America, the Recording Industry Association of America, Hustler magazine, and the U.S. Copyright Office.

This article was first published as a blog post on CNET News.

App firewall helps counter DDoS threats

With cyberattacks getting more sophisticated, enterprises that rely on Web applications should look to application firewalls for better protection, particularly against distributed denial-of-service (DDoS) attacks, urged a security expert.

Vladimir Yordanov, director of technology at F5 Networks, explained that with 80 percent of attacks hitting Web apps these days, traditional protection such as the conventional perimeter system firewall offers very little protection. Such systems are the reason why DDoS-type attacks are successfully executed to compromise Web sites and payment systems, he added.

“Traditional systems, such as intrusion prevention or intrusion detection systems, cannot block effective requests as these are not easily detected. The attacks targeting coding or browser flaws are usually let through, and it is the application firewall’s job to weed out bad traffic,” Yordanov noted during a one-on-one interview with ZDNet Asia on Monday.

Typically, the application firewall responds by sending a cookie or response to ensure the user is real and sending a valid request, before allowing access into its system, the security expert pointed out. In many instances of DDoS attacks used recently against PayPal, MasterCard and Visa, requests are sent out by botnets, or zombie machines, and these computers are not able to respond to requests, he added.
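The cookie check Yordanov describes can be sketched as follows. This is an added example, not code from F5 or from the original article; the cookie name, secret, token lifetime and request format are assumptions made for the illustration, and the IP addresses are constructed documentation addresses.

```python
import hashlib
import hmac

SECRET = b"constructed-demo-key"   # assumed value; a real gateway rotates this
COOKIE_NAME = "fw_challenge"       # hypothetical cookie name
TOKEN_TTL = 300                    # assumed policy: a passed check lasts 5 minutes


def _mac(client_ip, ts):
    """HMAC over the client address and issue time, so tokens cannot be forged."""
    msg = f"{client_ip}|{ts}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()


def issue_token(client_ip, now):
    """Build the cookie value handed out with the challenge response."""
    ts = str(int(now))
    return f"{ts}.{_mac(client_ip, ts)}"


def token_valid(token, client_ip, now):
    """Accept only an unexpired token that was issued to this same address."""
    try:
        ts, mac = token.split(".", 1)
        issued = int(ts)
    except (AttributeError, ValueError):
        return False
    # Compare as bytes in constant time to avoid leaking the MAC via timing.
    if not hmac.compare_digest(mac.encode(), _mac(client_ip, ts).encode()):
        return False
    return 0 <= now - issued <= TOKEN_TTL


def gate(request, now):
    """Return (status, headers) the firewall would send for one request.

    200 means "forward to the application"; 307 means "challenge": set the
    cookie and ask the client to repeat the request.
    """
    cookie = request.get("cookies", {}).get(COOKIE_NAME)
    if cookie and token_valid(cookie, request["ip"], now):
        return 200, {}
    token = issue_token(request["ip"], now)
    return 307, {"Set-Cookie": f"{COOKIE_NAME}={token}",
                 "Location": request["path"]}


def simulate(client_keeps_cookies, ip, attempts, start=1_000_000):
    """Replay `attempts` requests from one client and record each status."""
    jar, statuses = {}, []
    for i in range(attempts):
        request = {"ip": ip, "path": "/checkout", "cookies": dict(jar)}
        status, headers = gate(request, start + i)
        statuses.append(status)
        # A browser stores the cookie; a flooding script that only fires
        # requests never does, so it is challenged again every time.
        if client_keeps_cookies and "Set-Cookie" in headers:
            name, value = headers["Set-Cookie"].split("=", 1)
            jar[name] = value
    return statuses


if __name__ == "__main__":
    print("browser:", simulate(True, "192.0.2.10", 3))
    print("flooder:", simulate(False, "198.51.100.7", 3))
```

Because the token is bound to the client address and expires, a cookie obtained once cannot be reused from other machines or indefinitely.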

According to earlier reports, this series of attacks–codenamed “Operation Payback”–was initiated by supporters of jailed WikiLeaks founder Julian Assange, whose Web site has been shut down by Internet service providers, Web hosting companies and payment providers across the U.S. and Europe.

As a form of protest to the treatment of WikiLeaks and Assange, supporters made use of 3,000 voluntary computers and up to 30,000 hacked machines to shut down the Web sites of PayPal, Mastercard and Visa, which had earlier deemed WikiLeaks to be a criminal organization and denied it their services.

No foolproof solution
Besides creating app firewalls, other forms of protection that enterprises could look at include “clean pipes” from ISPs that filter out bad traffic and putting in place a high level network security, Yordanov pointed out. Also, enterprises can sanitize their protocols, ensure that all information needed to establish the connection is present before allowing access, he added.

However, as security technology is constantly evolving, hackers and cybercriminals have managed to find ways to compromise systems, and this is made worse by the increasing access of networks from mobile devices. Yordanov let on that the more dispersed a workforce is, the greater the risk of an attack, which is currently a situation that criminals are exploiting.

Conceding that no solution is 100 percent foolproof, the executive said the best way for a system to be kept safe from attacks is to have the system shut down.

“Rather than having the Web site be compromised, it’s better to have it shut down completely,” Yordanov said. “If the engineers are able to trace the IP addresses of where the requests are sent, they can also eliminate the sources by blocking the addresses, but only if they are static. But increasingly, these requests change frequently, so it is not that useful.”

The F5 director noted that while shutting down the system is helpful, the option is suited only for enterprises with enough manpower to constantly monitor Web traffic.

Cloudy security prospects
When quizzed on the level of security for cloud computing, the IT expert expressed pessimism at the current situation, but said things will improve given time.

He revealed that he had personally gone through SLAs (service level agreements) offered by six cloud providers, but none made commitments to protect customers’ data.

“One even asked for all of your data, but there is no procedure that tells you how to get it back, and how they actually protect the data,” Yordanov noted. “[Protection agreements] are all worded loosely now.”

He went on to say that the industry is still at an early stage, rather like e-commerce when it first started. The executive expects to see a similar “revolution” within cloud computing to spur adoption, though.

In the meantime, many large enterprises are eyeing the private, rather than public, cloud, he said. That is because cloud providers are not sure if they can fully guarantee the safety of their clients’ data, so private cloud deployments are a way of shielding themselves from potential legal action, Yordanov added.


Filet-O-Phish: details stolen in McDonald’s hack

McDonald’s has lost thousands of customer details to a hacker, including names, phone numbers and street and e-mail addresses. The fast food chain is also warning of pending phishing scams.

The customer details were lost after a hacker broke into the fast-food restaurant’s U.S. marketing partner and stole the details provided by customers who sign up for promotions.

McDonald’s was concerned that the hacker might use the details to conduct phishing scams. Phishing scams are fraudulent e-mail campaigns run by criminals to steal financial and identity information, or infect users’ computers with malware.

“In the event that you are contacted by someone claiming to be from McDonald’s asking for personal or financial information, do not respond and instead immediately contact us… McDonald’s would not ask for that type of information online or through e-mail,” the company wrote on its website.

“Law enforcement officials have been notified and are investigating this incident.”

The company apologized for the breach.

McDonald’s spokesperson Bronwyn Stubbs said Australian customers were not affected.

An e-mail provider hired by promotion company Arc Worldwide was responsible for the loss, which did not include credit card data or social security numbers.

This story was first posted in ZDNet Australia.

Gawker wrestles with reader data breach, hacking

Gawker.com was apparently the victim of a pair of security compromises last weekend, one of which put readers’ data at risk.

The tech gossip site informed readers last week in a blog post that its database of reader commenting accounts had been compromised and urged its users to change their passwords:

Our user databases appear to have been compromised. The passwords were encrypted. But simple ones may be vulnerable to a brute-force attack. You should change your Gawker password and on any other sites on which you’ve used the same passwords.

We’re deeply embarrassed by this breach. We should not be in the position of relying on the goodwill of the hackers who identified the weakness in our systems. And, yes, the irony is not lost on us.

Later in the day, it was revealed that the site itself was compromised as well when a post appeared on the site reportedly linking to the site’s source code at The Pirate Bay. The story appeared under the byline of Gawker writer Adrian Chen, but Chen tweeted that he had not written the story and the site had been hacked.

Gawker representatives did not immediately respond to a request for additional information.

This article was first published as a blog post on CNET News.

Symantec: DDoS attacks hard to defend

It has surfaced that the distributed denial of service (DDoS) attacks on Visa and MasterCard Web sites on Wednesday were carried out by a toolkit known as low orbit ion cannon (LOIC).

In an e-mail interview with ZDNet Asia, Ronnie Ng, senior manager for systems engineering at Symantec Singapore, explained that LOIC is a network stress testing application that attempts a DoS attack on the target site by flooding the server with TCP, UDP and HTTP requests. The intention here is to disrupt the service of a particular host.

It is widely understood that there are free attack toolkits readily available on the Web, and LOIC is one of them.

“There are many applications out there that are capable of carrying out such attacks, some of which are legitimate, depending on the user’s intention, and can be found with a simple search,” Ng added.

“However, there are many underground tools also designed for malicious use that can be utilised efficiently with methods such as botnets. Even a simple tool that sends out small packets can have a great impact if used collectively,” he said.

While the DDoS form of attack is not new, the security expert offered the consolation that cybercriminals are not always one step ahead of the protection that Web merchants have today.

Ng said: “Attackers are constantly looking for ways to get the information they are after. This varies from using DoS to exploiting vulnerabilities–low or high severity ones–to compromise a system.”

He added that as protection technologies continue to evolve to provide maximum protection, proper patch management and user awareness of today’s cyber threats are necessary to ensure a higher security stand.

While it is possible to maintain high-level security for the payment merchants, Ng admitted that difficulties remain in defending against typically distributed DDoS attacks.

“Online merchants will need to audit gateways and firewall rules to ensure they are capable of dealing with small-scale everyday attacks and have comprehensive policies in place to defend themselves against large-scale attacks,” he said.

Some of these policies can include more aggressive packet filtering, setting adjustments to determine how and when packets may be dropped, implementation of rules for IP addresses, and IP address block blacklisting when certain thresholds are reached, the expert recommended.
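A threshold policy of the kind listed above, as an added example that is not code from Symantec or from any product: it counts requests per address and per IPv4 /24 block in a sliding window and blacklists whichever crosses its limit. The window, both limits, the /24 block size and the sample traffic are assumptions constructed for illustration.

```python
import ipaddress
from collections import Counter, defaultdict, deque

# Assumed policy values; in practice these are tuned against baseline traffic.
WINDOW = 10        # sliding window, in seconds
IP_LIMIT = 20      # requests allowed from one address per window
BLOCK_LIMIT = 60   # requests allowed from one IPv4 /24 per window


class ThresholdFilter:
    def __init__(self):
        self.by_ip = defaultdict(deque)
        self.by_block = defaultdict(deque)
        self.banned_ips = set()
        self.banned_blocks = set()

    @staticmethod
    def _count(queue, ts):
        # Record this request, then forget requests that left the window.
        queue.append(ts)
        while queue[0] <= ts - WINDOW:
            queue.popleft()
        return len(queue)

    def check(self, ts, ip):
        addr = ipaddress.IPv4Address(ip)
        block = ipaddress.ip_network(f"{addr}/24", strict=False)
        if addr in self.banned_ips or block in self.banned_blocks:
            return "drop"
        ip_hits = self._count(self.by_ip[addr], ts)
        block_hits = self._count(self.by_block[block], ts)
        if ip_hits > IP_LIMIT:
            self.banned_ips.add(addr)       # one noisy source
        if block_hits > BLOCK_LIMIT:
            self.banned_blocks.add(block)   # many quiet sources in one range
        return "drop" if ip_hits > IP_LIMIT or block_hits > BLOCK_LIMIT else "pass"


def sample_traffic():
    """Constructed (timestamp, source) events using documentation address ranges."""
    events = [(t, "198.51.100.7") for t in range(30)]    # steady client, 1 req/s
    events += [(5, "203.0.113.50")] * 50                 # single-source burst
    for t in (10, 11, 12):                               # 40 hosts, 2 req/s each
        for host in range(1, 41):
            events += [(t, f"192.0.2.{host}")] * 2
    return sorted(events, key=lambda e: e[0])


def replay(events):
    flt = ThresholdFilter()
    decisions = Counter()
    passed_by_ip = Counter()
    for ts, ip in events:
        decision = flt.check(ts, ip)
        decisions[decision] += 1
        if decision == "pass":
            passed_by_ip[ip] += 1
    return {
        "pass": decisions["pass"],
        "drop": decisions["drop"],
        "passed_by_ip": passed_by_ip,
        "banned_ips": sorted(str(a) for a in flt.banned_ips),
        "banned_blocks": sorted(str(b) for b in flt.banned_blocks),
    }


if __name__ == "__main__":
    print(replay(sample_traffic()))
```

In the sample, no host in 192.0.2.0/24 ever exceeds the per-address limit; only the block counter catches them. The cost is that a block ban also drops any legitimate client in the same range.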

Visa and MasterCard’s sites were hacked on Wednesday by a network of 15,000 online activists, who coined the attack “Operation Payback”. This was carried out in retaliation for the credit card companies’ and PayPal’s announcement that they would no longer process donations to WikiLeaks. The hackers also tried to hit Amazon.com, but failed.

The group of hackers, called Anonymous, have vowed to target British government Web sites if WikiLeaks founder, Australian Julian Assange, was extradited to Sweden, where he is wanted over allegations of sexual assault. Assange is now in remand in the U.K. over rape charges.

In a separate development, several ex-members who participated in the WikiLeaks program have said they are planning to launch a new site, known as OpenLeaks, to continue to support whistle-blowing activities.

In the Netherlands, Dutch police confirmed the arrest of a 16-year-old teenager who has admitted to participating in the attacks.

Microsoft to plug critical IE, final Stuxnet Windows holes

Microsoft said today that next week’s Patch Tuesday will bring 17 updates plugging 40 holes and featuring two rated “critical”, including one in Internet Explorer (IE) that was targeted in attacks last month.

The critical IE vulnerability was written for IE6 and 7 but IE8 is also vulnerable, Microsoft said when it issued a warning about it in November.

Also fixed on Tuesday will be the final of four holes in Windows that the Stuxnet malware used.

“This is a local Elevation of Privilege vulnerability and we’ve seen no evidence of its use in active exploits aside from the Stuxnet malware,” Mike Reavey, director of the Microsoft Security Response Center, said in a blog post.

Windows (all supported versions), Office, IE, SharePoint, and Exchange are affected by the bulletins, today’s advisory says.

This brings Microsoft’s total bulletin count for the year to a record 106, Reavey said. He attributed that to vulnerability reports in Microsoft products increasing slightly and older products “meeting newer attack methods, coupled with overall growth in the vulnerability marketplace”.

“Meanwhile, the percentage of vulnerabilities reported to us cooperatively continues to remain high at around 80 percent; in other words, for most vulnerabilities we’re able to release a comprehensive security update before the issue is broadly known,” Reavey wrote.

This article was first published as a blog post on CNET News.

Debit cards a magnet for fraud

Debit card fraud has increased dramatically in the year to June 2010 thanks to an explosion of ATM (automated teller machine) skimming.

The cost of skimming fraud has rocketed by 94 percent to more than AUD$22 million (US$21.56 million) since 2009 and accounts for 79 per cent of debit card fraud.

Debit cards are vulnerable to ATM skimming, where fraudsters replace the terminals with devices capable of reading PINs and stealing account information from the magnetic strips.

Figures from the Australian Payments Clearing House show incidents of fraud on magnetic stripe debit cards used for EFTPOS PIN transactions have jumped to about 3 in every 1000 transactions, or some 84,000 in the year ending June 2010.

The cost of that fraud over the same period has risen to close to AUD$28 million (US$27.44 million), from 7.4 cents to 10.7 cents in every AUD$1000 (US$980.1) transacted.

An industry source told the Australian Financial Review that the spike in ATM skimming was caused by a string of scams targeting McDonald’s restaurants in which criminals replaced handheld EFTPOS devices with replicas capable of transmitting account details via Bluetooth.

But the same figures show the cost of fraud affecting credit cards with embedded chips has dropped from 60.1 cents to 58.6 cents in every AUD$1000 (US$980.1) transacted, and the likes of Visa and MasterCard are chuffed.

“This is great news for cardholders and merchants alike and shows that the industry investment in chip is paying off,” Visa’s local general manager Chris Clark said.

The clearing house is more sobering; it points out that while the cost of credit card fraud has dropped, the amount of fraud has increased.

It attributes the rise to moves by banks to lower the threshold value of fraud investigated, meaning banks will detect more but cheaper fraud.

The drop in the value of fraud detected coincides with a push by MasterCard and Visa to drive the use of contactless credit cards such as payWave and PayPass, which bypass identity confirmation measures for transactions less than AUD$100 (US$98.01).

The system uses a fast wireless system to process the transactions and does not transmit account information, according to the system’s developers.

While fraudsters have moved away from scamming credit cards, they are having a field day with vulnerable online shoppers.

Fraud targeting Internet, mail or phone shoppers–where citation of credit cards is not required–has surged by 25 per cent to AUD$102.6 million (US$100.56 million).

It accounts for more than half of all frauds on credit, debit and charge cards, according to the clearing house.

The clearing house said better IT security in line with adherence to the Payment Card Industry (PCI) Data Security Standard (DSS) is critical to reduce online or “card-not-present” fraud.

The house’s chief executive officer Chris Hamilton said that Australia had a lower incidence of fraud than other nations: “Australia [is] less attractive for fraudsters from other countries.”

This article was first published at ZDNet Australia.

Facebook, Twitter boot WikiLeaks supporters after Visa attack

A hacker group that calls itself “Anonymous” says it took the Visa Web site down on Wednesday in retaliation for the credit card company suspending payments to the WikiLeaks site.

Earlier Wednesday the group hit the MasterCard site with a distributed denial-of-service attack for the same reason, and it took down PayPal over the weekend. The MasterCard site was back up this afternoon.

“IT’S DOWN! KEEP FIRING!!!” the group tweeted on its Operation Payback campaign page.

On Tuesday, Visa said it was suspending payments to the controversial whistle-blower site, joining MasterCard and PayPal.

Operation Payback also said its page had been banned from Facebook for violating terms of use, and late Wednesday afternoon the group’s Twitter account was suspended as well. Attempts to reach the group’s Twitter page displayed a warning that said “Sorry, the profile you are trying to view has been suspended.” A Twitter representative declined to comment on the matter.

Facebook bans pages that are “hateful” or “threatening” or which attack an individual or group, according to a warning Operation Payback posted to Twitter. A Facebook spokesperson provided this statement: “Specifically, we’re sensitive to content that includes pornography, bullying, hate speech, and threats of violence. We also prohibit the use of Facebook for unlawful activity. The goal of these policies is to strike a very delicate balance between giving people the freedom to express their opinions and viewpoints–even those that may be controversial to some–and maintaining a safe and trusted environment.”

Meanwhile, Icelandic hosting company DataCell EHF said it will take legal action against Visa and MasterCard over their refusal to process donations for WikiLeaks. DataCell said that it had been losing revenue as a result of those actions.

WikiLeaks has come under attack since it posted its latest release of about 250,000 confidential U.S. diplomatic cables to the Web last month, embarrassing officials and incurring the wrath of foreign leaders. That release followed posting of cables related to the U.S. operations in Afghanistan and Iraq earlier in the year.

As U.S. politicians cry foul and WikiLeaks’ payment and infrastructure providers cut their ties to the beleaguered site, supporters have stepped up efforts to keep the site up, creating mirrors of the site, and enacting revenge on those companies that turn their backs on the project.

While that war is being waged, Julian Assange, the public face of WikiLeaks, is behind bars for accusations not believed to be directly related to WikiLeaks. He was arrested on Tuesday in London on allegations of sexual assault in Sweden. Assange says he and the Web site are being unfairly punished for telling people what their governments are doing.

Asked for comment, Visa said in a statement Wednesday that its processing network that handles transactions was functioning normally but that its Web site was down. “Visa’s corporate Web site–Visa.com–is currently experiencing heavier than normal traffic. The company is taking steps to restore the site to full operations within the next few hours.”

Anonymous’ Operation Payback account on Twitter having been suspended and at 3 p.m. to include comments from Visa and Facebook.

This article was first published as a blog post on CNET News.

PC quarantines raise tough complexities

The concept of quarantining PCs to prevent widespread infection is “interesting, but difficult to implement, with far too many problems”, said security experts.

Microsoft’s security chief Scott Charney had suggested that ISPs could be allowed to quarantine infected PCs in “infection wards” to ensure the machine is cleared of malware before allowing connection to resume.

In an e-mail interview with ZDNet Asia, Michael Sentonas, McAfee’s CTO for Asia-Pacific, questioned the effectiveness of cutting Internet connection off a computer, when updates on security software and operating system patches can be done only online.

“There is also the issue around educating consumers or non-security professionals on what to do if they are infected and quarantined. Many non-security trained Internet users understandably leverage the Web to resolve issues. How are they going to achieve this without Internet [access]?” asked Sentonas.

Other uncertainties pertaining to resolution may also be difficult to ascertain, such as once the machine is remediated, who releases the computer from quarantine and who determines the machine is safe, he asked.

Sentonas also likened it to the concept of not allowing an unsafe car to go on the roads so others are protected, which ESET’s senior research fellow David Harley said “works up to a point”. However, he added that success would depend on individual implementations.

While enterprises have used [the concept] for years to protect their own networks, home users who are also the system administrators are often “ill-equipped” for such a role, Harley commented. But he admitted that such an approach could have a significant mitigating impact, subject to the diagnostic accuracy of the ISP, which very often could be a hit-and-miss situation.

Should the quarantine action be adopted, the question of where it should be done and what the standards and procedures should be can be tricky when conditions differ from country to country, and are dependent on the contract between the consumer and ISP, both experts said.

As Sentonas pointed out, the situation in an enterprise is less complicated than that of a home user, as “configuration of individual systems may be standardized and regulated centrally”. Dealing with home PCs, however, raises numerous possibilities and complexities with the different systems and applications.

Legally, Harley was concerned with loss of earnings due to quarantining a PC. “If the PC is infected, VoIP may be impacted. [The question then is whether] the total loss of VoIP access would put the user in a precarious position. Consider the situation where the user does use some software, paid or even free. What appeal process does he have?”

On the other hand, this “walled garden” approach may be a revenue stream for security providers supplying contracted services to other service providers, said Harley. That said, if it is being used as a marketing tool for the security provider, this might create legal problems.

“Indeed, we’re already seeing instances where fake support services circumvent legislation that regulates cold calling by ‘solving’ security problems on the victim’s PC, but for a fee,” explained the ESET research fellow.

“The walled garden approach can be said to be ‘grooming’ end users for this sort of abuse,” he added, noting that banks could in the future require the use of approved security measures before allowing a customer to connect to its servers.


Latest Communications News

Posted: December 9, 2010 in Communications

Next Windows Phone 7 update gets small delay

Citing hiccups following the rollout of last month’s Windows Phone 7 software update, Microsoft is pushing back the release date of the update that will bring Windows Phone users new features.

“I believe it’s important that we learn all we can from the February update,” wrote Eric Hautala, Microsoft’s general manager of Customer Experience Engineering, in a post on the Windows Phone blog. “So I’ve decided to take some extra time to ensure the update process meets our standards, your standards, and the standards of our partners. As a result, our plan is to start delivering the copy-and-paste update in the latter half of March.”

The news is likely to be unwelcome to those who were looking forward to finally getting their hands on the copy-and-paste feature Microsoft first unveiled all the way back in October, as well as some of the speed improvements the company detailed at the Consumer Electronics Show in January. That update had originally been destined to reach users in the first two weeks of March, leaving just four days from now for Microsoft to deliver.

Even with the changes, Hautala said that this does not change the launch time frame of the much larger update, due sometime in the next three months.

“This short pause should in no way impact the timing of future updates, including the one announced recently at Mobile World Congress featuring multitasking, a Twitter feature, and a new HTML 5-friendly version of Internet Explorer Mobile,” Hautala said.

The now infamous February update Hautala had been referring to was meant to prepare phones for this first update that will bring copy and paste, among other additions. It ended up leaving some users with Samsung devices unable to update their system software, with the process hanging just beyond the halfway point. In some cases this left users with an unusable device. Microsoft then pulled the update to make fixes, before re-releasing it. Even then, however, a handful of users still ran into problems.

All told, Microsoft had said that about 10 percent of customers were running into problems with the update. That includes other problems such as not being able to download the software due to Internet connectivity issues, as well as not having enough onboard storage, the company had said.

“Let me be crystal clear: We’re not satisfied when problems prevent you from enjoying the latest Windows Phone updates,” Hautala wrote. “When we find an issue, we study and fix it. To that end, we’re carefully studying the current update process and will apply the lessons learned from it to all future ones. This is how we get better.”

Are you paying too much to surf overseas?

Are you a frequent traveler and feel you’re paying way too much to access the Web while overseas?

ZDNet Asia, along with ZDNet Australia and ZDNet UK, are running an online survey concurrently in our respective regions to find out how our readers utilize mobile broadband abroad on their smartphones, tablets, laptops and other mobile devices.

Data roaming, as it is commonly described, is taking off as adoption of mobile devices and Web access via mobile platforms continue to see significant growth across the globe. In fact, an Ovum study predicts that, by 2015, 1 billion users worldwide will use only their mobile devices to access the Internet, where the Asia-Pacific region will account for 518.4 million of the overall population.

So, do take 10 minutes to complete the survey and tell us if you think your operator is doing enough to deliver affordable data roaming usage and charges to subscribers who want to remain connected during their travels.

We will discuss the results in a special report once the poll ends. Start the survey now.

Android to dethrone Symbian in APAC

Nokia’s strategy to go with Windows Phone 7 for its smartphone operating system (OS) will likely cost the company its “undisputed” position as the market leader in the Asia-Pacific region, excluding Japan, as early as 2011, according to a new report.

In a statement released Thursday, IDC predicted that devices running Google’s Android OS could overtake those powered by Symbian “as soon as this year”, given that Nokia’s Windows Phone 7 devices are not expected to be available in the market until the end of the year.

The Finnish phonemaker announced in February that it is partnering Microsoft to bring the Windows Phone 7 OS to its smartphone range. However, support for Symbian will still continue, the company had reassured.

IDC reported that from this year onwards, “a lot more” brands will come out with Android-based devices at a lower price point. This will not only buoy the demand for smartphones in emerging markets but will also encourage feature phone users in all markets to consider upgrading to smartphones, the research firm added.

Smartphone shipments in the region are expected to hit 137 million units this year, IDC said, noting that this is the first time shipments will surpass the 100 million mark.

Total mobile phone shipments, which include feature phones and smartphones, will grow at a five-year compound annual growth rate (CAGR) of 34 percent in the region. Shipments will nearly double in five years’ time to reach 942 million units, up from 551 million units in 2010, said IDC.

According to IDC, smartphones will grow eight times as fast as feature phones to reach 359 million units by 2015. By that time, three in five mobile phones shipped will be smartphones, in contrast to one in five in 2010.

Melissa Chau, research manager for client devices at IDC Asia-Pacific’s domain research group, said in a statement: “Smartphones were a hot item in 2010, with more than double the shipments of 2009. In 2011, IDC expects this fire to keep burning.”

The Singapore-based analyst attributed the growth of smartphones to mobile phone vendors racing to get consumers on higher-margin devices and mobile platform stakeholders’ battle to woo app developers. She added that operators are also pushing smartphones to drive mobile data revenue.

A separate report from Canalys last month revealed that global shipments of Android phones had overtaken Symbian-based devices during the fourth quarter of 2010.

Canalys earlier this year also predicted that, globally, the Android platform will grow twice as fast as its rivals this year.

Tata Comms launches cloud platform in S’pore

SINGAPORE–Tata Communications has launched its infrastructure-as-a-service (IaaS) cloud offering in Singapore, and is targeting to derive US$250 million in revenue from cloud services over the next three years.

Singapore is the second country after India, the telecoms player’s home market, to offer InstaCompute, David Wirt, Tata Communications’ global head of managed services and senior vice president, said at a briefing here Tuesday. Driven out of its local data center Tata Communications Exchange (TCX), the cloud service will also cater to neighboring markets such as Malaysia, Hong Kong, Thailand, Indonesia, Vietnam and the Philippines.

According to Wirt, Tata Communications has identified a market opportunity in cloud offerings and expects such services to bring in US$250 million in revenue over the next three years.

“We’re betting Tata Communications on the cloud,” he said. “We really believe that telecommunications service providers have an advantage in this market.”

Carriers, noted Wirt, have the advantage over non-carrier cloud providers as network latency is not an issue. He added that even traditional cloud providers are buying wholesale connectivity from Tata Communications as they understand that the network is the enabler for cloud.

Wirt said a competitive differentiator of InstaCompute is its Web management portal which allows companies to easily govern their cloud initiatives. Administrators are able to establish different projects and set a threshold for each user based on the budget allocated to the project, he said. The system can automatically send out alerts that a user is reaching an assigned threshold or even turn off the account to prevent overspending.

The executive did not name Amazon Web Services as a competitor in the region, but admitted Tata Communications uses AWS as a benchmark.

According to Wirt, after InstaCompute was launched in India, 55 to 60 percent of InstaCompute customers are from India, while the majority of clientele outside of India hail from the United States and Singapore.

Vinod Kumar, managing director and CEO of Tata Communications, noted that InstaCompute is targeted at companies of all sizes. Kumar said small and midsize businesses will likely run all applications on the platform while large enterprises will use it for non-mission critical apps or as a sandbox for testing applications.

During the briefing, Aroon Tan, managing director of Magma Studios, shared his experience hosting the company’s latest massively multiplayer online role-playing game (MMORPG) on the InstaCompute platform. He said the move to cloud computing eliminated the need to guess the rate of business growth in order to purchase physical servers, as now virtual machines can be turned on when needed.

Microsoft’s contract with Nokia rumored at $1B

It’s been less than a month since Microsoft and Nokia announced their strategic partnership that will see the two companies working together in a number of areas, though mainly mobile phones. One detail that was not disclosed at the time was what kind of dollar investment Microsoft had promised Nokia for developing and marketing Nokia-made handsets that will ship with Microsoft’s Windows Phone OS.

That detail has been made a bit clearer with a report by Bloomberg earlier Monday saying that Microsoft plans to pay Nokia more than US$1 billion, while Nokia, in turn, pays Microsoft a licensing fee for each copy of Windows Phone 7, as well as the right to use some of Microsoft’s expansive patent portfolio.

In addition, Microsoft is said to be paying some of its investment long before the first Nokia phones running Windows Phone 7 go into the sales channel.

The deal, Bloomberg’s Dina Bass says, will run for more than five years and has not yet been signed.

A Microsoft representative declined to comment on the matter. Nokia did not immediately respond to a request for comment.

Qt no more
In addition to the reported financial details of the Nokia and Microsoft deal, Nokia announced earlier Monday that it would be selling off its Qt application development framework business. Qt had let application developers create apps that run on both Symbian and MeeGo, two mobile operating systems that Nokia is pushing aside to put the focus on Microsoft’s Windows Phone OS.

Nokia picked up Qt in its US$150 million acquisition of Trolltech in 2008. Buying it from Nokia is Finland-based Digia, which says it’s going to set up subsidiaries in the U.S. and Norway to run Qt-related commercial licensing and operations businesses for the nearly 3,500 companies that currently use its Qt commercial licensing. The close of the sale is set for later this month for an undisclosed sum.

The move is not the death of Qt, and Nokia will continue to be involved with serving Qt commercial licensees, wrote Sebastian Nyström, who is the vice president of Qt and Webkit along with being the head of MeeGo for Nokia.

“Although Digia will now be responsible for issuing all Qt Commercial software licenses and for providing dedicated services and support to licensees, Nokia’s Qt technical support team will support and work closely with Digia for the next year,” Nyström said. “We will now begin work with Digia to ensure a smooth transition of all licenses and commercial relationships.”

The new ownership will also bring some extra features to the platform, Nyström said.

“Digia will invest significant resources in the ongoing development of Qt as a commercial framework. In particular, their plans include emphasizing Qt in the desktop and embedded environments and exploring new support models and feature requests,” Nyström explained. “Commercial customers can also expect improvements in support and functionality for older platforms that were not on the Nokia development road map. If you are a holder of a Qt commercial license you can expect to hear more about this soon.”

Operators in emerging markets feel network pressure

Operators from emerging markets are boosting their mobile networks to handle growing traffic from smartphones and mobile broadband devices, but an industry observer says they should re-examine their current business strategies to stay relevant.

Arun Bansal, Ericsson head of Southeast Asia and Oceania, told ZDNet Asia that the region has seen an influx of smartphones and mobile data growth, driving operators to expand their mobile networks in terms of coverage and capacity.

In a separate interview, David Chambers, Amdocs’ product marketing manager, concurred that the growth of mobile broadband is putting a strain on operators’ networks.

However, despite the rush to boost their 3G infrastructure, Chambers said it is not technically possible for operators to build out capacity fast enough to meet forecasted demand.

He noted that these service providers are instead looking at Wi-Fi or femtocells to help offload data traffic, pointing to China Mobile’s plans to deploy 1 million Wi-Fi hotspots as an example.

Customer experience a differentiator
According to Chambers, customer experience will play a big role in boosting an operator’s competitive edge. He explained that operators previously focused on selling the latest smartphones in the market because consumers’ selection of a mobile operator was “90 percent based on the device and 10 percent on networks”.

This scenario will change, said Chambers, as users will increasingly choose their operator based on the quality of its networks. “Unless you are with the right network, [having the phone is] less useful,” he added.

He also pushed for operators to offer tiered data plans instead of unlimited data plans since they will need to ensure their networks can cater to loads that cannot be determined. Contrary to consumer belief that unlimited data plans are better, he said customers will appreciate charges that are “more directly related to what they think they should pay for” instead of paying a higher premium for unlimited data plans.

Instead of offering a general billing system, operators should also provide ways for customers to check in real-time how much data they are using, he said, noting that operators should cap customers’ data traffic when they reach the data limit instead of abruptly cutting them off.

Zeus fraud gang trial in the UK hits another delay

Plea hearings for 11 people arrested for their part in an alleged multimillion-pound Zeus fraud ring in the U.K. have been delayed because the prosecution is still trying to assemble evidence against them.
The complex case is thought to involve a gang operating across a host of countries from Russia to the United States. It has left U.K. prosecutors sifting through a mass of computer logs and financial records that will not now be served as evidence in their entirety until Apr. 1, and has led to several postponements of plea hearings.
Eleven east Europeans attended Croydon Crown Court on Friday to enter pleas against charges of conspiracy to defraud and money laundering. They are alleged to have committed the crimes using the Zeus Trojan.

Read more of “Zeus fraud gang trial hits another delay” at ZDNet UK.

Apple gives developers iOS 4.3 Gold Master

Apple has given developers the Gold Master copy of iOS 4.3, which is slated to go out to users as a free download at the end of next week. The Gold Master is typically the same build users get when the software is released.

The software update was formally unveiled during Wednesday’s iPad 2 event. Developers had first gotten their hands on it in mid-January.

Among the new features that come with iOS 4.3 are support for Home Sharing (which lets you play your iTunes library from anywhere in the house), the capability to turn your iPhone into a Wi-Fi hot spot, improved AirPlay support, and a new JavaScript engine for Safari that Apple says brings Safari mobile up to speed with its Mac OS X counterpart.

Other iPad-specific improvements include a software toggle to turn the switch on the right side of the device into either a mute button, or the screen orientation lock switch–functionality Apple had changed with a previous software update.

Apple said that only the iPad, iPhone 4, iPhone 3GS, and third- and fourth-generation iPod Touch devices will be eligible for the software update.

China to track cell phones for traffic reasons–really

A Chinese government committee announced plans this week to try to ease vehicle traffic congestion by monitoring the whereabouts and movement of millions of mobile phones.

“Aha!” you might say, cynically thinking it’s a ruse by the government to conduct surveillance on its citizens. But that kind of surveillance is already being done there (as it is in the U.S.).

If you had been in the gnarly 62-mile traffic jam that took nine days to clear up near Beijing last August you wouldn’t be so suspicious of the news. Beijing, an urban hub in northern China, has a population of more than 22 million.

“In Beijing, where [I’m from], the traffic is a nightmare,” Andrew Lih, an associate professor at the University of Southern California’s Annenberg School of Communication and Journalism, told ZDNet Asia’s sister site CNET today. “They are going from the 1930s to the 1980s in one-fifth the time…It’s a genuine announcement and there’s a real need for it, but it seems creepy in American eyes.”

The announcement from the Beijing Science and Technology Commission talks about publishing real-time information based on cellular base station technology that can determine how far and in what direction the phones are traveling. The system can target specific congested areas and include public transit systems. Eventually, commuters will be able to get specific information about their routes that can be used to make more efficient travel plans.

It’s not clear from the announcement exactly how the system will work, but it likely involves triangulating an approximate location of a phone based on signals between the device and cell towers in the area. This may or may not involve the GPS (Global Positioning System) in the phone itself.

“GPS is useful, but isn’t necessary at this stage; if the cell tower wants it, it can get it,” said Don A. Bailey, a senior security consultant at iSec Partners.

“Overall, what they’re doing (in China) is not at all strange. They can get as much location information as they want now, so they wouldn’t have to create some new program to get it. They’d just get it,” he said.

Sure, there is the potential for misuse, but, again, that’s nothing new. Telecom providers can see the phone number associated with a phone and get access to the billing information, all of which must be turned over to the government if agents come knocking on the door, according to Bailey.

“Not everything China does is underhanded and shady,” he said.

StarHub launches data roaming management tool

SINGAPORE–Local telco StarHub intends to make it easier for customers to monitor their data roaming usage with Roam Manager, an unstructured supplementary service data (USSD) command which they can key into their phone to receive related information.

StarHub subscribers can access the free service from today by typing *100# on their handsets. “We are seeing an increasing number of data bill shock complaints,” Joanna Chan, vice president of personal solutions at StarHub, said without revealing specific figures at the product launch here Wednesday.

Chan noted that more people are traveling overseas and there is a general lack of awareness when it comes to managing data roaming costs.

Web browsing, e-mail access, mobile applications, social networks and video streaming are the most popular functions that require a data connection, she said.

Aside from checking daily data roaming costs, Roam Manager also provides users with information such as contact numbers to emergency hotlines and local embassies. They can also opt to receive notifications when data roaming usage hits a specified amount in a day. These “warning signals” are available in four levels, with amounts varying between S$20 and S$100 for Level 1, and between S$200 and S$1,000 for Level 4. The existing alert triggers when usage reaches S$100.

By the end of this month, StarHub customers will also be able to suspend and reconnect their data roaming service directly via Roam Manager.

Along with the new service, the operator also introduced four new monthly data roaming plans, which cost between S$30 (10MB) and S$200 (100MB), for 21 countries around the world. These will complement the existing data plan with a daily cap of S$15 in 11 Asia-Pacific countries.

Service providers will differ for users who opt for the monthly plan instead of the daily model. For example, in Hong Kong, the daily plan is supported by a tie-up with Hutchison Telecommunications, while the monthly plan will be tied to either CSL or China Mobile HK.

Singapore’s two other mobile operators, SingTel and M1, also offer similar daily plans with prices capped at S$20 and S$15, respectively, for post-paid customers.

M1 said an SMS alert can be sent to customers when they hit 5MB of data usage. Subsequent alerts, the local mobile operator added, will be sent at 20MB, 40MB and 100MB intervals. SingTel also offers the same SMS alert service when usage hits 5MB, 15MB and 25MB.

This article was first posted in CNETAsia.

Gartner: Consider alternative networking vendor

The networking market has changed over the last decade, with more viable players capable of competing with frontrunner Cisco Systems, according to an industry analyst, who notes that switching to a different vendor has its advantages.

In an interview with ZDNet Asia, Mark Fabbi, vice president and distinguished analyst at Gartner, said the networking landscape has moved from a seller’s market dominated by Cisco ten years ago, to a more competitive environment today populated with more players. Toronto-based Fabbi was speaking at a media briefing hosted by Hewlett-Packard last week.

“If you look back at the last decade, Cisco really set the terms and conditions of the market,” the Gartner analyst noted. “It was the one providing the messages and directions in the market, as well as setting the price-points in the marketplace both for equipment and services.”

The landscape, however, has changed in the last few years with “true viable competition” coming from vendors equipped with broad portfolios as well as good service and support, he said. Hewlett-Packard with its acquisition of 3Com and move into the enterprise sector, and efforts in ramping up its technology and capabilities, are among the challengers Cisco now faces, he added.

Instead of defaulting to Cisco, Fabbi said enterprises should shortlist products from other vendors as well, to build a better network and save money.

He pointed out that some IT organizations are unwilling to consider alternative vendors because they are comfortable with the current system or believe it is too difficult to switch partners. However, the latter is a perception rather than reality, the analyst noted.

Cisco, however, remained unfazed.

In an e-mail interview with ZDNet Asia, a Cisco spokesperson said the company “has always enjoyed healthy competition in the networking market”. This is no different now, she added.

“Customers have consistently spoken with their wallets,” she said, pointing out that Cisco remains the vendor with the biggest market share globally for managed switching, enterprise routing and network security based on findings by Dell’Oro.

Benefits of different vendor
According to Fabbi, a benefit of procuring products from other vendors is that enterprises are able to build a better network–one built to fit the requirements of the company.

“No vendor, no matter who they are, is best at everything,” he pointed out. “Enterprises have to start answering, ‘Why am I buying this technology? What problems is it solving? Should I look at other vendors?’”

Economic pressures have also led enterprises to shortlist alternative vendors, instead of just Cisco, for equipment refresh, he added. That said, enterprises should not use price as a determining factor for switching vendors, he said.

“Saving money is nice but [it should] not [be] the primary reason for the enterprise to look around and compare vendors,” cautioned Fabbi.

Instead, organizations have to make sure the network built is the right size for the company.

“In some cases, you may find you will spend more money in some places and less in others,” he explained. “By doing an analysis, you can make the right choice.”

Contrary to perceptions that customers are locked in by Cisco’s proprietary technologies, Fabbi said the networking giant’s lack of integration between its acquired products makes it easier for competitors to “infiltrate and sell into parts of the Cisco infrastructure”.

“Cisco grew by acquisition,” he said. “Despite the fact that it sells a lot of things, operationally, [the products] all look and behave a little bit different.” Citing Cisco’s Catalyst and Nexus families of switches as an example, Fabbi said: “A Cisco network is as multi-vendor as another network [built] with [products from] Juniper Networks, HP, F5 Networks or some other vendor.”

He added that there are some elements in Cisco products, such as the Cisco Discovery Protocol (CDP), in which “it continues to try to maintain proprietary capabilities [even though there are industry] standards”. Customers that want choice and openness may, as a result of this, turn to other vendors, he said.

Cisco: Innovation key ingredient
In response to this observation, the Cisco spokesperson said the company “has consistently pursued a standards-based approach to innovation”–whether it is products from the Cisco Catalyst or Nexus family line, or its architectural approach to “borderless networks and the unified fabric in the data center”.

She added that Cisco addresses its competition by “leading with innovation”. “Cisco is focused on innovation and on solving our customers’ problems. We let our customers decide who is best for their business,” she said.

To drive innovation in its products, the networking company spends over 10 percent of its revenues on research and development, she noted, adding that the company last year spent US$5.3 billion on product development.

‘Social Network’ disappoints at Oscars

Its fortunes didn’t fare quite so well as the company it was based on: “The Social Network,” a controversial recounting of the origins of Facebook, did not win the Oscar for Best Picture at the 83rd Annual Academy Awards tonight. As many had been expecting, the award went instead to historical drama “The King’s Speech”.

“The Social Network” also failed to win Best Director (that also went to “The King’s Speech”), Best Cinematography, Best Sound Mixing, and Best Actor, where Jesse Eisenberg’s portrayal of Facebook founder Mark Zuckerberg fell in favor of “King’s Speech” lead actor Colin Firth. In the Best Actor category, Eisenberg had not been expected to win (in addition to Firth, he was up against the likes of Jeff Bridges and Javier Bardem), but director David Fincher had had a good shot at Best Director and the film was widely considered the front-runner for Best Picture until buzz about “The King’s Speech” started to escalate.

The Fincher-directed film did, however, win Best Film Editing, Best Original Score for the music written by Trent Reznor and Atticus Ross, and Best Screenplay Adaptation for Aaron Sorkin’s acclaimed script.

The hype surrounding “The Social Network” had hit a fever pitch in the weeks before its release, and some critics say that it reached a point of overhype that ultimately made it a less palatable choice for the voters in the American Academy of Motion Picture Arts and Sciences. Some pundits also said that alleged factual inaccuracies–Facebook has decried its portrayal of Zuckerberg as a mean-spirited, near-pathological manipulator of human social connections–may have hurt its chances with the Academy.

That said, “The King’s Speech” was also hit by some claims of twisted history.

Facebook initially fought against the unauthorized “The Social Network” (and the book it was based on, Ben Mezrich’s “The Accidental Billionaires”). But as its release date grew closer, the company changed its tune and said that while Facebook still considered the film “fiction,” it was an entertaining piece of cinema–Zuckerberg himself has said that he hoped it would inspire young people to pursue careers in computer science, and as a surprise prank appeared alongside Eisenberg in an episode of “Saturday Night Live”.

US domain name veto dumped

The Obama administration has failed in its bid to allow it and other governments to veto future top-level domain names, a proposal before ICANN that raised questions about balancing national sovereignty with the venerable Internet tradition of free expression.

A group of nations rejected (PDF) that part of the U.S. proposal last week, concluding instead that governments can offer nonbinding “advice” about controversial suffixes such as .gay but will not receive actual veto power.

Other portions of the U.S. proposal were adopted, including one specifying that individual governments may file objections to proposed suffixes without paying fees and another making it easier for trademark holders to object. The final document, called a “scorecard”, will be discussed at a two-day meeting that has started in Brussels.

At stake are the procedures to create the next wave of suffixes to supplement the time-tested .com, .org, and .net. Hundreds of proposals are expected this year, including .car, .health, .love, .movie, and .web, and the application process could be finalized at a meeting next month in San Francisco of ICANN, or the Internet Corporation for Assigned Names and Numbers.

Proposed domain suffixes like .gay are likely to prove contentious among more conservative nations, as are questions over whether foreign firms should be able to secure potentially lucrative rights to operate geographical suffixes such as .nyc, .paris, and .london. And nobody has forgotten the furor over .xxx, which has been in limbo for seven years after receiving an emphatic thumbs-down from the Bush administration.

“We are very pleased that this consensus-based process is moving forward,” a spokeswoman for the U.S. Commerce Department said in a statement provided to CNET over the weekend. “The U.S., along with many other GAC members, submitted recommendations for consideration and as expected, these recommendations provided valuable input for the development of the new scorecard.”

GAC is the Governmental Advisory Committee of ICANN and is composed of representatives of scores of national governments from Afghanistan to Yemen. The Commerce Department’s National Telecommunications and Information Administration, or NTIA, serves as the committee’s representative from the United States.

ICANN representatives did not respond to a request for comment.

Milton Mueller, a professor of information studies at Syracuse University and author of a recently published book on Internet governance, says an effort he supported–complete with an online petition–“shamed” GAC representatives “into thinking about the free expression consequences” of a governmental veto.

“When I started this campaign, I knew that the Department of Commerce could never defend what they were doing publicly,” Mueller said. “There are also potential constitutional issues.”

Complicating the Obama administration’s embrace of a governmental veto was its frequently expressed support for Internet freedoms including free speech, laid out in Secretary of State Hillary Clinton’s speech last January. Clinton reiterated the administration’s commitment to “the freedom to connect” again in a speech in Washington, D.C. this month.

One argument for the veto over new top-level domains is that it could fend off the possibility of a more fragmented Internet, which would likely happen if less liberal governments adopt technical measures to prevent their citizens from connecting to .gay and .xxx Web sites. In addition, handing governments more influence inside ICANN could reduce the odds of a revolt that would vest more Internet authority with the United Nations, a proposal that China allies supported last year.

“I suspect that the U.S. government put (the veto power) in there to show that it wants to respect the wishes of governments,” said Steve DelBianco, executive director of the NetChoice coalition. “I think the U.S. would prefer to see a string rejected rather than let it get into the root and have multiple nations block the top-level domain.”

DelBianco, whose coalition’s members include AOL, eBay, Oracle, VeriSign, and Yahoo, said “blocking creates stability and consistency problems with the Internet…The U.S. government was showing a preference for having one global root.”

Today’s meeting in Brussels between the ICANN board and national governments, which appears to be unprecedented in the history of the organization, signals a deepening rift and an attempt to resolve disputes before ICANN’s next public meeting beginning March 13 in San Francisco. (The language of the official announcement says the goal is to “arrive at an agreed upon resolution of those differences.”)

A seven-page statement (PDF) in December 2010 from the national governments participating in the ICANN process says they are “very concerned” that “public policy issues raised remain unresolved.” In addition to concern over the review of “sensitive” top-level domains, the statement says, there are also issues about “use and protection of geographical names.”

That statement followed years of escalating tensions between ICANN and representatives of national governments, including a letter (PDF) they sent in August 2010 suggesting that “the absence of any controversial [suffixes] in the current universe of top-level domains to date contributes directly to the security and stability of the domain name and addressing system.” And the German government recently told (PDF) ICANN CEO Rod Beckstrom that there are “outstanding issues”–involving protecting trademark holders–that must be resolved before introducing “new top-level domains”.

WAC stores to co-exist with major app stores

Telco-supported mobile app shops established by the Wholesale Applications Community (WAC) can co-exist with existing app stores operated by platform owners such as Apple and Google, but not without some challenges, say analysts.

Comprising 68 members from the telecom industry as well as handset manufacturers, WAC aims to provide a “wholesale” platform offering apps that are developed to run on multiple devices. It was commercially launched at last week’s Mobile World Congress in Barcelona.

In a phone interview with ZDNet Asia, Marc Einstein, industry manager at Frost & Sullivan, noted that WAC app stores are able to co-exist with other major OS-specific app stores in the short term. A vast majority of mobile phones are not supported by an app store, Einstein noted, adding that out of the 1.6 billion phones shipped last year, only about 300 million units were smartphones.

Daryl Chiam, principal analyst at Canalys, concurred that WAC app stores can co-exist with major app stores. To compete with existing app stores and boost the use of WAC app store, Chiam said operators need to ensure the store comes preinstalled in the phones they sell.

Based on its latest specifications, one of the benefits WAC apps are touted to offer is billing integration with the operator’s network–a capability many app stores currently lack, he said. WAC app stores also allow operators the opportunity to resell apps and increase their mobile revenue, he added.

However, Chiam noted that all is not rosy for the WAC ecosystem. He explained that developers will need to sacrifice user experience for “write once, run everywhere” apps to cater to the different platforms. To address this challenge, he suggested developers figure out how to increase user engagement.

Einstein added that players involved in promoting WAC need to ensure there are enough compatible devices in the market to support demand for its apps.

Market in developing markets
According to the Frost & Sullivan analyst, a bigger opportunity for these carrier-supported app stores lies in the developing markets. He noted that emerging markets are not as saturated with app stores, specifically Apple’s App Store or Google’s Android Market. A previous report from Frost & Sullivan noted that smartphone sales in the Asia-Pacific region accounted for 54 percent of total devices sold in 2010, up from 9 percent in 2009.

George Huang, vice president of Huawei Software Technologies, concurred.

In an interview with ZDNet Asia, he noted that the WAC platform can offer more apps for mobile users in emerging markets as most of them cannot afford expensive smartphones.

However, Huang believes that WAC app stores can also persevere in developed markets and compete against existing app store operators by offering users a wider choice of applications.

He added that app stores can co-exist, pointing to operators such as China Mobile and China Telecom which have included applications from Nokia’s Ovi Store in their own app stores.

Ninety percent of Windows Phones updating fine

Microsoft has provided more detail into the number of phones that are having problems with a software update it began to roll out at the beginning of the week.

Speaking to ZDNet about reports that some phones were becoming unusable after the update, a Microsoft representative said the company had seen a 90-percent success rate by customers who were attempting to install the update.

“Of the remaining 10 percent, the top two issues encountered are the result of customer Internet connectivity issues and inadequate storage space on the phone or PC,” the company representative said. “These account for over half of the reported issues with this update.”

Reports of problems with the update, which had been pushed out to phones to help prepare them for the first of two updates that will add new features, began appearing shortly after the update began to make its way into the hands of users. Microsoft had sent out notifications about the update to users in waves, letting some grab the updated software before others.

Users with Samsung devices appear to have borne the brunt of the problems. Microsoft responded by temporarily pulling the update for Samsung Windows Phone users. For some updaters, the process hung just past the halfway point, leaving them with a non-functioning device. Microsoft yesterday told news site WinRumors that it had identified the cause of the problem, but had pulled the update as a precaution until a fixed version could be sent out.

Microsoft is urging those users with phones that had been left unusable after the update to contact their mobile operator or device manufacturer for repair options. In the meantime, the Hardware 2.0 blog over at ZDNet has instructions for doing a full restore of the phone for users who may have gotten stuck during the update process.

This update had been a precursor to the long-awaited first update to the Windows Phone 7 platform that will bring new features like copy and paste, an improved Marketplace search tool, and faster load times for some games and applications. This update had been sent out to ease the installation of that update package, much like Microsoft does ahead of major service packs for its Windows operating system.

Google rolls out Honeycomb SDK for Android tablets

Google has released the full software development kit for Honeycomb, the tablet-friendly version 3.0 of its Android operating system.

In a blog post on Tuesday, Android SDK tech lead Xavier Ducrohet wrote that the release made it possible for developers to create applications for the new platform and publish them to the Android Market.

Honeycomb looks quite different to other versions of Android, as it is designed for use on larger screens than those present on smartphones. The new SDK makes it easier to manage screen space usage and the kinds of gestures that people will use on tablets such as the Motorola Xoom, which will be the first Honeycomb-bearing tablet to hit the market.

Read more of “Google rolls out Honeycomb SDK for Android tablets” at ZDNet UK.

Major mobile operators close in on NFC

The largest mobile operators in the U.K. and abroad have all agreed to provide services using near-field communications, the technology that powers smart cards and contactless bank cards.

On Monday, Deutsche Telekom, Vodafone, Orange and Telefonica issued a joint statement along with other operators, saying they intended to launch commercial near-field communication (NFC) services for handsets in select markets by 2012. The mobile companies operate the T-Mobile, Vodafone, Orange and O2 brands in the U.K., respectively.

“NFC is perhaps best known for its role in enabling mobile payments, but its applications go far beyond that,” said Franco Bernabe, the chairman of international operator body the GSM Association (GSMA), in the statement. “NFC represents an important innovation opportunity and will facilitate a wide range of interesting services and applications for consumers, such as mobile ticketing, mobile couponing, the exchange of information and content, control access to cars, homes, hotels, offices, car parks and much more.”

Read more of “Major mobile operators close in on NFC” at ZDNet UK.

Intel seeks new MeeGo partner

Intel chief executive Paul Otellini has said the company is looking for a new partner to help develop the MeeGo OS, following Nokia’s switch to Windows Phone 7.

Nokia has not abandoned MeeGo, but its decision to focus on Windows Phone 7 for its smartphones has left question marks over the OS’s future. Intel is not throwing in the towel, however, having recently demonstrated the OS at the Mobile World Congress in Barcelona. “We will find another partner,” Otellini told news wire Reuters in an interview. “The carriers still want a third ecosystem and the carriers want an open ecosystem, and that’s the thing that drives our motivation.

“Some closed models will certainly survive, because you can optimize the experience, but in general, if you harness the ability of all the engineers in the world and the developers in the world, open wins,” Otellini added.

Read more of “Intel looking for new MeeGo partner after Nokia’s move to Windows Phone” at CNET UK.

Sony Ericsson eyes No.1 Android maker label

BARCELONA–Sony Ericsson wants to be the No. 1 Google Android handset maker in the world. And it needs a strong foothold in the U.S. market to make that goal a reality, said company CEO Bert Nordberg.

Sony Ericsson, a joint venture between Japanese consumer electronics maker Sony and Swedish telecommunications equipment maker Ericsson, has been on the mobile phone scene for about a decade. The company has mostly concentrated on delivering high-end phones to the European and Asian markets. But it’s never had a strong presence in the United States, which has helped keep its overall market share in the bottom half of major handset providers.

But Sony Ericsson has bigger ambitions. ZDNet Asia’s sister site CNET sat down with Nordberg on the eve of the GSM Association’s Mobile World Congress to hear how the company plans to become the No. 1 Android device maker. Nordberg talked about Sony Ericsson’s highly anticipated Xperia Play, dubbed the Sony Ericsson PlayStation phone.

The phone, which is based on Google’s latest Android software and was introduced Sunday at Sony Ericsson’s press conference, will become its flagship smartphone in the U.S. market. To generate buzz ahead of the launch, Sony Ericsson ran an advertisement during the broadcast of the Super Bowl. And according to Nordberg, it worked. He wouldn’t say how much the company spent on that ad. But he said the CEO of a major U.S. carrier called him directly to ask when his network could get the new phone.

“It was the first time we had a Super Bowl ad,” he said. “But it was money well spent.”

Nordberg also shared some candid opinions about the deal announced last week between rival handset maker Nokia and Microsoft. And he discussed the importance of Sony Ericsson cracking the U.S. carrier market. Below is an edited excerpt of the conversation.

Before we talk about Sony Ericsson’s big news, let’s discuss the newly announced Nokia-Microsoft partnership. Last week, Nokia announced that it will use Microsoft’s Windows Phone 7 operating system as its primary OS. What does this mean for Sony Ericsson?
Well, it’s clear that our focus is on Android. It’s where our focus has been this past year. And we will continue that. In fact, we plan to double the number of Android phones in the market this year. It’s an ongoing journey, but we like our position in the Android ecosystem. And we’ve made big contributions to the open-source software.

We think the Nokia news is quite interesting for others, especially those who have invested in the Windows Phone 7 ecosystem.

But Sony Ericsson has supported the Microsoft mobile platform in the past. Does this mean that you aren’t going to be a Windows Phone 7 supporter?
We are not big supporters of the Microsoft platform. It’s not a big part of our strategy, so it’s not really an issue for me. But for companies that have invested a lot in Windows Phone 7, they have to ask if Nokia will get an advantage that will change the game.

That said, as a European I think it says a lot about where the industry is going. It looks like the last stronghold in Europe in mobile has moved to the West Coast of the U.S. The U.S. is taking over. They are first with LTE. So much of the OS innovation is happening there. It’s obvious that it’s more important to come from the Internet world than from the mobile world. And that is why California is so important.

Nokia is still the world’s largest maker of cell phones. From a competitive standpoint are you still worried about them?
I was worried about them more before their announcement with Microsoft. It’s probably going to work out better for us. They would have had a greater impact on us if they had gone with Android.

Speaking of Android, how can you as a handset maker differentiate your product on Android, when so many of your competitors are also using the software?
That is the trick. We can build beautiful phones that connect to the living room, because we are partly owned by Sony. So we can connect to TVs. We have better screen technology, better cameras. And then our other parent is Ericsson, which owns the network. So we know about changes and features for the fastest speed networks. Ericsson has a very strong network patent portfolio, and we can leverage the ecosystem for those network technologies to get good margins.

So hardware is where you see Sony Ericsson differentiating itself?
Yes, that is where we can offer innovation by merging products and platforms, like the Sony Ericsson PlayStation phone. And we also have big ownership in content: movies, music, and TV programs. So we have a strong relationship there as well.

Upgrades to Android come out so quickly. What is the strategy for supporting all these different versions of software? That must create a bit of a problem in terms of how long you can support a particular phone.
Upgrades in the mobile market have become a lot like the computer industry. The upgrades are coming rapidly. And it really changes the nature of the industry. Mobile phones used to be phones with computers built into them. But now that’s changing. They’re now computing devices with a phone. That’s why so much of the development has gone to the West Coast in the U.S. And it’s why we are working so closely with Google.

One of our competitors has said they will support upgraded software for up to two years and then cut it off. We haven’t set specific timing on this. That’s difficult to do. But because the chipsets get upgraded every three years, it means that after three years some CPUs won’t be able to run the software of today. So I think two years is not too bad a strategy when you are talking about supporting software upgrades.

You just announced the Xperia Play smartphone, which has been dubbed the Sony Ericsson PlayStation phone. It’s one of the first iconic devices from the company to launch in the U.S. And it’s the first device you’re selling on Verizon Wireless. Why the U.S. and why Verizon?
We’ve always launched products in Europe and then the U.S. But we’ve learned that the U.S. won’t take a device unless they’re first. So the strategy has turned around. As I said before, we’re seeing a lot of activity in mobile happening in California now. It’s why we moved our CTO and chief creative team from Europe to the U.S. So I now have two executive teams reporting to me from California. This is not a joke. Operators in the U.S. know we are serious about this market and we’re coming to them.

So why launch with Verizon Wireless first? You’ve offered other Sony Ericsson devices on GSM carriers in the U.S., such as AT&T and T-Mobile USA.
Verizon Wireless is such a big player in the U.S. market, so it’s become very important. And also Verizon is a great company with a good network. It doesn’t mean that they will be alone in offering this device. We’re not big on exclusivity. So I think we should remain open.

Some handset makers have lamented about how difficult it is to get into an American carrier. What’s your take on this?
They (U.S. operators) have 23,000 different things you have to do to be allowed on their networks. So it’s damn difficult to get in there. There is a lot of coding and special adaptation that needs to be done. And they only accept very good phones in the network. But once you get in, the investment is done. So we hope that is step one.

As you’ve stated, it’s not easy to break into a U.S. carrier. So how did you do it with Verizon?
One of our parent companies is Ericsson, and that’s how we got in. Ericsson sells LTE gear to Verizon. And Ericsson also bought some networking businesses from Nortel, which also sold to Verizon. So we could build a relationship from that. Then we started to show them the phones. And they loved the Xperia Play.

Some people say that CDMA is a dying technology. And Nokia has chosen to essentially ignore the CDMA market. Once LTE is deployed, there won’t be the need for CDMA or even older generations of GSM technology. But with the Sony Xperia Play, you are expanding your CDMA product portfolio to support devices on Verizon. How important is it for you to support CDMA, especially in the U.S.?
All CDMA customers will evolve into LTE customers. HSPA customers will also become LTE customers. And then the technologies will merge. But that hasn’t happened yet. And it will take some time. So we could wait and introduce LTE devices. But why would we? Some U.S. carriers are still dependent on the CDMA technology. We want to work with them now as they are in transition. There is a big race to 4G. And we are well-placed because Ericsson is building these LTE networks. So I expect we will have an advantage in that.

The smartphone market is so competitive these days. And Sony Ericsson is not in the top three of handset makers worldwide. What is your goal for the company going forward? Do you hope to be one of the top handset makers?
We want to be No. 1 on Google Android.

Do you mean No. 1 on Android in the world or in the U.S.?
Yes, in the world. Last year, in nine months, we took 14 percent market share in Android worldwide. And we only had four devices. It could have been better. But I’d say that’s not a bad start. We are definitely the No. 1 Android player in Western Europe. But we can’t be No. 1 in the world without the U.S. We need to get into the U.S. market. And we think we need 25 percent of the market to be No. 1 in the world. We are already No. 1 in Japan and Sweden.

Motorola already has a strong Android brand in the U.S., particularly on Verizon’s network. You will now also offer some Android phones on Verizon. How much of a threat is Motorola to your plan to be No. 1 in Android worldwide?
Motorola has a similar strategy with Android that we have. In the U.S. they are very strong. But the difference between us and them is that over 70 percent of their business is in the U.S. Right now, we are limited in the U.S. So we can only do better in the U.S. Motorola is strong where we are weak, and we are strong where they are weak.

Verizon Wireless is launching a lot of very cool new phones this spring. It just launched the Apple iPhone. Neither Apple nor Verizon have released sales figures yet, but Verizon has said that presales of the device were stronger than in previous device launches. How will the Sony Ericsson Xperia Play compete against the Apple iPhone?
I think our phone addresses a different segment of the market. I expect the iPhone will do well. But we will be targeting different customers. We offer a different proposition. This is a gaming and entertainment device. I’d show how some of the games work, but honestly, it’s targeted to a much younger consumer. Besides I have three daughters. And unfortunately they were into horses much more than they were into games.

Service providers need to look ahead

BARCELONA–Service providers need to invest in technologies to bring them into the future even if it is not obvious now that these will help them win the race, urge a panel of speakers who identify mobile Internet as a high growth area.

During his keynote at the Mobile World Congress 2011 here Wednesday, Cisco Systems Chairman and CEO John Chambers said service providers need to look forward and place their bets on technologies relevant for the future, even though their advantages might not be obvious now.

“You have to be willing to place your investments [on technologies] three to five years before they are obvious,” he said. “You have to be willing to ride through short-term criticisms and not be distracted by where you are taking your company.”

Chambers believes the future will be dominated by mobile Internet and video.

“People used to talk about these as separate categories. In my opinion, these will be the characteristics of all fundamental innovation and business change for the next ten years,” he said.

Masayoshi Son, chairman and CEO of Japanese telecommunications company, Softbank, pointed to his own organization as an example to underscore the importance of staying ahead of the curve. He described the company’s 2006 acquisition of Vodafone Japan as a “crazy bet” at that time because the US$20 billion deal was transacted in cash and used mostly to pay off debts.

Moreover, Softbank was losing US$1 billion a year, brought on by the dot.com bust at the turn of the millennium and its share price dipped 60 percent following the announcement of the acquisition.

The bet, however, paid off, Son said, noting that Softbank managed to increase in value despite the telecom market’s flat revenue growth and increasing CAPEX (capital expenditure). This was driven by the growth of its market share as well as the increase of total ARPU (average revenue per user), he said.

The company’s gamble on data services also played a role in boosting ARPU, which helped to offset the drop in ARPU for voice services, he added.

Today, all Softbank customers are 3G subscribers compared to the world average of 22 percent, and 85 percent of new subscribers are smartphone users, he said. The mobile operator is Japan’s third-largest.

Son projected that data traffic increased 1,200 times per user in the past 10 years and this is set to grow even more, particularly as content such as video becomes richer. This is the reason why mobile Internet will continue to be a big bet for the company, he said.

Liau Yun Qing of ZDNet Asia reported from Mobile World Congress 2011 in Barcelona, Spain.

RIM and Nokia: Carrier-friendly smartphone alternatives

BARCELONA, Spain–Research In Motion and Nokia share a similar vision for success: help wireless carriers avoid becoming a dumb pipe.

RIM co-CEO Jim Balsillie and Nokia CEO Stephen Elop shared the stage here Wednesday at the Mobile World Congress as part of a keynote panel. Competition is heating up between the two handset makers after Nokia’s announcement last week that it will team up with software maker Microsoft.

Since the announcement last Friday, Elop has been calling the Nokia-Microsoft pairing the “third horse” in what today is shaping up to be a two-horse race in the mobile industry between the Apple iOS and Google Android platforms. While Nokia and RIM still rank No. 1 and No. 2, respectively, in terms of worldwide smartphone sales, their market share has been giving ground to the Apple and Google platforms.

But where Apple and Google are often seen as a threat to wireless operators because they offer value-added services, such as music, navigation, and even language translation, RIM’s Balsillie said he wants to help wireless operators extract value from their networks. And Nokia’s Elop agreed.

“The tricky dilemma is that there are 900 different carriers,” Balsillie said. “How do you enable these different carriers so that they are not hijacked [by someone else’s services]?”

Balsillie said he sees RIM first and foremost as a hardware and e-mail service provider, offering the most network-efficient push e-mail service on the market. He claims that RIM’s BlackBerry devices consume about half the network resources that similar products from competitors consume. The company also provides an added layer of security to its services that makes them less vulnerable to attacks.

One of the important aspects of RIM’s app store, Balsillie said, is the fact that it allows carrier billing for apps as well as within apps. This not only provides a more convenient way for customers to purchase apps or services within apps, but it also allows the carrier to extract some value from the transaction as well.

“We are not an app company,” he said. “What we want to do is plug into what the carriers are already doing.”

Elop said that when carriers talk about Apple and Google there is a sense that they are enabling services through which profits are going in another direction. He said that it’s important for the “third ecosystem” in mobile to help carriers retain a lucrative stake.

“The philosophy of this third ecosystem and what Nokia has done for many years is to find a balance with carriers,” he said. “There needs to be an operator-friendly player. And we aim to be the most operator-friendly platform out there.”

Carriers around the world are embracing devices running iOS software and Android, mostly because these are the devices and services that consumers want. But there is a real fear among wireless operators that the services and capabilities developed as part of these platforms will make the carrier itself irrelevant. It will be Google and Apple that offer all the value to consumers via applications and app store services, while the carrier will only provide basic connectivity. In other words, carriers will become a mere conduit.

“What is most important is how we can avoid being reduced to a ‘dumb pipe’,” said Ryuji Yamada, CEO of Japan’s NTT DoCoMo, who also participated in the keynote panel Wednesday. “We are susceptible more than ever to becoming this dumb pipe because of smartphones. And we are determined to avoid it by all means.”

China Mobile CEO Wang Jianzhou in his keynote presentation Tuesday expressed similar sentiments and advised carriers to continue innovating to avoid falling into this trap.

But some providers say that it’s too late.

“Mobile carriers are becoming dumb pipes,” Masayoshi Son, CEO of SoftBank, said during a keynote session earlier. “That’s the depressing reality.”

Indeed, NTT’s Yamada described a service his company could offer that provides automatic translation for people speaking different languages. For example, a Japanese person could talk to his friend who speaks Spanish by using an NTT service.

But Google is already offering this exact service. In fact, the Web powerhouse showcased the Google Translation application at Mobile World Congress a year ago. Yamada acknowledged that the battle to stay relevant will not be easy. But he said it’s a battle that carriers must win.

“Theoretically, we could offer [this translation] service as part of a carrier cloud service or through a third party,” he said.

“It’s a race between the camps,” he continued. “But as a network operator, we are in the best position to know what the network is capable of. And we are determined not to lose this race.”

Nokia’s Microsoft deal leads to shareholder revolt

Were the champagne celebrations of a Nokia-Microsoft partnership premature?

An unnamed “group of nine young Nokia shareholders” who have also been employees released an open letter on Tuesday to the company’s other shareholders and institutional investors that, in a nutshell, said that the Microsoft deal is a bad one for Nokia and that CEO Stephen Elop should be replaced. (Techmeme)

In the letter, the group said it plans to challenge the Microsoft partnership and strategy at the company’s Annual General Meeting for Shareholders on May 3. It said that it has also developed a “Plan B” approach that involves not only replacing Elop but also looks to revamp the company’s hiring strategy and eliminate “outdated and bureaucratic R&D practices.”

Read more of “Nokia’s Microsoft deal leads to shareholder revolt, call for a “Plan B”” at ZDNet.

An iPhone with slide-out keyboard?

Would Apple really consider a slide-out keyboard for its next-generation iPhone?

So goes the latest rumor. A Taiwanese blog, Apple.pro, says it has its hands on information pointing to three different models being considered for final production as the iPhone 5, expected to be released this summer.

One has a physical keyboard that slides out, and another is said to be like an iPhone 4 in styling but with a longer-lasting battery and a better camera. The upgrade from an iPhone 4 to that model of iPhone 5, according to the report, would be similar to the modest improvements from iPhone 3G to iPhone 3GS.

Obviously the report is to be taken with a grain of salt or two, but the site has gotten some reliable leaks in the past. It’s been wrong too, according to Apple Insider.

Steve Jobs has expressed his distaste for physical cell phone keyboards in the past. When the original iPhone was introduced in January 2007, Jobs told the MacWorld audience that Apple chose to use a multitouch virtual keyboard in lieu of a physical one, in part because once a keyboard is put on a mobile phone, it’s there forever and hard to change the buttons to work with different applications.

Not that Jobs has never changed his mind before. But Apple is also carrying the banner for all things touch-related, which likely extends to iPhone keyboards for the foreseeable future.

Ericsson bets on mobile broadband, cloud

BARCELONA–Ericsson is looking at mobile broadband and cloud services to drive its efforts toward a “networked society” and announces a partnership with content delivery provider, Akamai, to push content to mobile devices.

During his keynote speech at the Mobile World Congress tradeshow here Monday, Ericsson President and CEO Hans Vestberg promoted the concept of a networked society, in which “anything that can be benefited by a network will be connected”. In fact, the networking equipment vendor last year predicted that by 2020, the world will have 50 billion connected devices, he said.

According to Vestberg, the three factors that will bring this vision to fruition are mobility, broadband and cloud.

He noted that the number of mobile subscribers is expected to balloon from 5.3 billion at the end of 2010 to reach 7 to 8 billion in 2015, adding that this does not include machine-to-machine adoption.

For operators, broadband has become one of the most important revenue growth areas, he said, adding that mobile broadband adoption is growing so fast that, by 2015, network traffic passing through smart devices is expected to equal that of PC.

Mobile broadband will have a huge impact on society as it is able to reach more people, said Vestberg. He added that among the 500 million smart devices in the world, about 50 percent of overall traffic passes through Ericsson’s networks.

To boost its capability to provide the right content to the right smart device at the right time, the company today signed an exclusive partnership with content delivery company, Akamai. The deal will leverage Ericsson’s experience in provisioning data in networks as well as Akamai’s relationship with content providers, to more efficiently deliver content to mobile consumers, said Vestberg.

Looking to the cloud
Ericsson is also looking to ride the cloud bandwagon and has been providing a range of cloud offerings such as hosted applications and services.

According to Vestberg, the company last year invested in India-based Novatium, which provides PC-as-a-service technology, and currently offers a PC-on-the-cloud service–targeted at operators–that will enable service providers to create new profit avenues from their existing network infrastructure.

At the company’s exhibition booth, Novatium CTO Vinod Kumar Gopinath explained that its service differs from the competition because its provision spans from device to connectivity. Companies and individuals do not need to worry about the hardware specification, software, broadband connection or maintenance, he told ZDNet Asia.

The service was launched commercially two years ago and currently has about 40,000 users in India, said Gopinath. Users purchase the devices, priced from US$140, and pay about US$3 per month to use the service, he said.

Liau Yun Qing of ZDNet Asia reported from Mobile World Congress 2011 in Barcelona, Spain.

LG cautious over Nokia-Microsoft deal

LG has reacted tentatively to Microsoft’s new partnership with Nokia, which will give the Finnish handset maker much deeper input into Windows Phone’s development than that allowed to other companies using the platform in their devices.

At an LG press conference on Monday at Mobile World Congress in Barcelona, company business strategy chief Yong-seok Jang told ZDNet Asia’s sister site ZDNet UK that there “must be a strategy rationale” for the partnership announced on Friday.

The deal will see Nokia abandon MeeGo as its chosen platform for high-end phones, but will give Nokia more standing in the Windows Phone ecosystem than LG, Dell, HTC and Samsung.

Read more of “LG cautious over Nokia-Microsoft Windows Phone deal” at ZDNet UK.

Mobile operators not liable for forced shutdown

Neither mobile operators nor users are entitled to legal recourse when service providers are forced to shut down or disrupt services by authorities in the markets they operate in, according to lawyers.

The scenario played out in the recent protests in Egypt against now-ousted President Hosni Mubarak. Mobile network operators in the country were ordered by the government to shut down all their network services on Jan. 28, according to the Wall Street Journal.

Two foreign-owned telcos, Vodafone of the United Kingdom and France Telecom, also claimed the authorities forcibly used their text messaging networks to send out pro-government and army-endorsed SMSes to their citizen subscribers, a separate report by the Journal stated. Vodafone said the Egyptian government utilized the emergency powers provisions of the Telecoms Act to send out the messages.

Rajesh Sreenivasan, head of technology, media and telecoms practice at Rajah & Tann Singapore, told ZDNet Asia in a phone interview that telcos are able to operate in a particular jurisdiction because they are issued a license by the government. Because of that, they will have to comply with the terms of that license; if the telco chooses not to comply, it could face “the wrath of regulation breach”, he pointed out.

The same exclusion of operator liability via a license clause can also extend to the sending of pro-government text-messages to citizen subscribers, added Sreenivasan. When a government invokes emergency powers, it covers a broad spectrum of what they can do, from shutting down places to imposing curfews; hence, it is a “non-issue” for telcos to comply with the authorities’ requests, he explained.

That same power, he said, is used to issue tsunami warnings, for example, because SMS is the easiest way to get the message across.

Bryan Tan, director of Keystone Law, held a similar view. “Under normal circumstances, the government would have covered themselves with the ability to order the shutdown of services for national interests.

“This would be covered by legislation or under the licenses granted to the mobile network operators,” he said in an e-mail.

No need for operators to claim damages
Rajah & Tann’s Sreenivasan also pointed out that in the case of Egypt, it would be “unnecessary” for a telco to claim for damages as losses have been curbed due to the restoration of most services. Revenue from text messages, he added, is not as high as voice and data.

A statement from Vodafone indicated that the operator’s services for voice and data were restored on Jan. 29 and Feb. 3, respectively.

At press time however, there were no updates on the restoration of text messaging services, even though the end to the hostilities came into sight on Friday, when the country’s leader decided to end his 30-year reign.

If there were no clauses in the telco’s license and the emergency powers are not wide enough to cover the activities the government carries out, there is ground for telcos to claim that they were obligated to carry out actions that caused them to suffer losses, Sreenivasan added.

Mobile users can’t sue
Similarly, it is common for telcos to have a general exclusion of liability in the event of a government request to suspend their services, according to Sreenivasan.

Keystone Law’s Tan noted that the network operators would themselves be covered by the service contract in the event of a shutdown due to government orders. “As the [telcos] really don’t have a choice or discretion, mobile subscribers may have little recourse.”

There is typically a provision in the service contract that if an operator cannot fulfill their service agreement because of a government order or a force majeure, natural disasters such as floods for example, they would not be held liable, Tan said.

Asked about managing customer relations in the event of an authority-backed service shutdown, Ivan Lim, deputy director of corporate communications and investor relations at M1, said in an e-mail statement that the telco will focus on minimizing subscriber anxiety by keeping their customers notified of the latest developments.

“Should the situation arise where the authority informs of the shutdown of network operations for the sake of national interests and security, we will ensure that our customers are consistently and adequately provided with up-to-date information on the [situation, and] supported with a readied business continuity plan,” he said.

Nokia: Windows Phone 7 to be market challenger

BARCELONA–The Nokia-Microsoft partnership will make Windows Phone 7 a third challenger in the current mobile operating system market, says Nokia’s CEO, who adds that the decision is welcomed by telcos as it will give users choice.

In a press briefing here Sunday evening, Nokia CEO Stephen Elop acknowledged that both Microsoft and Google had courted the Finnish company to ink a partnership, before the phonemaker chose the Windows Phone 7 platform instead of Google Android.

The collaboration will place Windows Phone 7 as a strong third challenger in the smartphone market currently dominated by Apple iOS and Android, said Elop.

Citing his discussions with telcos, he said the decision to create another challenger in the market is well received by mobile operators as it will bring more handsets into the market and offer consumers more choice.

If Nokia had decided to go with Android, the collaboration could make the Google OS a “monopoly” due to the platform’s market share and Nokia’s strong footprint in the smartphone market, he said.

Elop clarified that the partnership does not make Nokia an OEM (original equipment manufacturer). Instead, the smartphone maker will contribute a variety of services such as the Ovi Store and location-based functionality to the Windows mobile platform which can be deployed by other Windows Phone 7 handset manufacturers.

He added that Microsoft will bring its Bing search engine, mobile ads and Xbox integration to Nokia’s handsets. The value transfer to Nokia is estimated to be “in the billions” of dollars, he said.

The Finnish company is currently working on new concepts of Windows Phone 7 handsets, Elop revealed, but he did not give a specific launch date for these devices, saying that the company wants to first ensure the products’ commercial viability.

Asked if he sees Research in Motion’s enterprise-targeted BlackBerry as a competitor, Elop said the Nokia-Microsoft partnership will be a strong rival to the Canadian phonemaker due to the relationship with the Microsoft Office creator and Nokia’s experience in Symbian and E-series phones.

During the media briefing, the CEO also touched on Nokia’s efforts in regaining its footprint in the smartphone market, noting that the company is working on the low-end segment of the market. He said the company will be bringing “fresh” features to these handsets as well as country-targeted efforts such as dual-SIM phones for markets such as India.

“Bold decision” but right
In a research note Monday on the Nokia-Microsoft partnership, Ovum’s principal analyst Tony Cripps noted that there were limited short-term options available for the Finnish company to catch up with the growth of iOS and Android. In particular, the Google mobile platform had looked set to bypass Nokia in terms of smartphone shipments, Cripps said.

“This is a bold decision by Nokia but absolutely the right one, both for itself and for Microsoft given the drastically changed landscape for smartphones in the past couple of years,” the analyst said.

Adam Leach, also a principal analyst at Ovum, said in the same report: “It’s ironic that the sole purpose of Symbian was to stop Microsoft from repeating its domination of the PC market in handsets.

“Nokia now has the opportunity to cast itself in the role that Intel has taken in the Windows PC market as a mutually beneficial, symbiotic marriage between equals rather than as simply a box-shifter.”

Leach, however, noted that there are still potential risks that Nokia could become “merely a vehicle” for Microsoft and its services should the Finnish company fail to differentiate itself from other Windows Phone 7 makers such as HTC, Samsung and LG.

Ovum’s analyst Nick Dillon added: “For Microsoft, this is nothing less than a coup and the shot in the arm its new Windows Phone 7 platform needed, which despite winning acclaim for its innovative design and user experience has so far failed to set the market alight in terms of sales.”

Liau Yun Qing of ZDNet Asia reported from the sidelines of the Mobile World Congress in Barcelona, Spain.

Nokia, Microsoft becoming Windows Phone bedfellows

Microsoft and Nokia announced a broad mobile phone partnership on Friday that joins two powerful but lagging companies into mutually reliant allies in the mobile phone market.

As expected, Nokia plans to use Microsoft’s Windows Phone 7 operating system as part of a plan to recover from competitive failings detailed in Nokia Chief Executive Stephen Elop’s “burning platform” memo.

But it’s deeper than just an agreement to install the OS on Nokia’s phones. Instead, the companies call it an attempt to build a “third ecosystem”, acknowledging that competing with Apple’s iOS and Google’s Android involves a partnership that must encompass phones, developers, mobile services, partnerships with carriers, and app stores to distribute software.

“There are other mobile ecosystems. We will disrupt them. There will be challenges. We will overcome them. Success requires speed. We will be swift,” Elop and Microsoft CEO Steve Ballmer said in a boldly worded open letter. “Together, we see the opportunity, and we have the will, the resources and the drive to succeed.”

The companies will cooperate tightly under an agreement that they so far describe only as proposed, not final. Under the deal, Windows Phone 7 would become Nokia’s “principal” operating system, and Nokia would help Microsoft develop it and ensure a broad range of phones using it are available globally.

Nokia will use many Microsoft online services, many of which trail Google rivals, such as Bing for search and maps and AdCenter for advertisements.

When it comes to the sales part of the ecosystem, each company brings something to the deal. Microsoft phones will be able to link up with Nokia’s agreements for carrier billing–a popular option in parts of the world where credit cards are less common. And Nokia will fold its own app store into the Microsoft Marketplace.

It’s not immediately clear what needs to be done to make the deal final; “specific details of the deal are being worked out,” the companies said.

Nokia, once the dominant power of the mobile phone industry, has ceded the smartphone initiative to Apple’s iPhone and Google’s Android, and Elop believes Nokia’s own Symbian and MeeGo operating systems aren’t competitive. Microsoft has tried for years to penetrate the mobile phone market, and although it now has a credible option with Windows Phone 7, it trails Android when it comes to developer interest and the breadth of phones available.

The two companies can expect that their combined might will be more convincing to software authors debating whether they need to bring their apps to yet another ecosystem. But it’s not yet clear how the alliance will extend to another hot new market, tablets, where Microsoft prefers Windows instead of the Windows Phone operating system. In contrast, iOS and Android developers enjoy the same mobile operating system on phones and tablets.

Elop is set to detail the proposal later today at an analyst meeting in London that will be publicly Webcast. The news also arrives immediately before the vast Mobile World Congress trade show in Barcelona, Spain, where a large number of new Android phones and tablets can be expected.

It’s uncertain what effect the alliance will have. Microsoft has had strong operating system partnerships with multiple competing PC makers, but the Nokia alliance, with mutually developed products and shared road maps, appears much deeper than the average relationship Microsoft has with hardware makers. That could encourage those who’ve made strong Android commitments–HTC, Motorola, Sony Ericsson, LG Electronics, Samsung, and more–to double down. After all, they’re all enjoying a period of relative freedom with Nokia in its present relatively uncompetitive state, and strongly pushing Windows Phone products arguably would be abetting the enemy.

The announcement was accompanied by a YouTube video featuring Microsoft and Nokia’s chief executives praising the deal.

“Today, Nokia and Microsoft intend to enter into a strategic alliance,” Elop said in the video, a precursor of a turnaround plan he’s set to detail later today at an analyst conference in London. “Together, we will bring consumers a new mobile experience, with stellar hardware, innovative software, and great services. We will create opportunities beyond anything that currently exists.”

Ballmer said the partnership “brings the brands mobile consumers want, like Bing, Office, and of course Xbox Live.”

Lack of IPv6 mobiles not worrying

Mobile devices that support only IPv4 could pose problems for users in future, but analysts say the current dearth of IPv6-enabled smart devices in the market is not a cause for worry yet.

In a phone interview with ZDNet Asia, Craig Skinner, senior consultant at Ovum, said apart from “a handful of Nokia devices”, not many mobile phones are able to handle IPv6 (Internet Protocol version 6) through a 3G connection. However, some companies such as Apple with its iPhone and iPad devices, as well as HTC, enable IPv6 connections over the Wi-Fi interface, he noted.

Marc Einstein, Frost & Sullivan’s Asia-Pacific industry manager for ICT practice, concurred, noting that a vast majority of smartphones in the market are IPv4-only devices.

Phones that are not IPv6-compliant can become a problem for users, according to Einstein. He predicted a “disturbing” time in the future when owners of IPv4-only phones are not able to access IPv6-only addresses.

Despite this, users planning to get a new device should not be deterred by the lack of IPv6-compatible devices as IPv4 addresses have “not fully run out” yet, he pointed out.

On Feb. 1, the Internet Assigned Numbers Authority (IANA) allotted the last two on-demand lots of IPv4 addresses to the Asia-Pacific Network Information Center (APNIC). Subsequently, IANA also distributed the last five lots of IPv4 addresses to the five regional Internet registries (RIR).

Ovum’s Skinner added that service providers are “not shutting down” IPv4 and will run both versions concurrently.

A Nokia spokesperson echoed the analysts’ views that users should not worry if their phone does not support IPv6. “Based on the present design principle, almost all the existing services on the Internet will remain reachable for IPv4-only phone users for the foreseeable future,” he said in an e-mail interview.

By the time users upgrade their phones to newer models, they will “switch seamlessly” to IPv6, he added.

‘Chicken and egg’ problem
Skinner described the lack of IPv6-compliant phones as a “chicken and egg problem”. He noted that phone makers did not cater for IPv6 in their devices because of the lack of such networks. On the other hand, network service providers saw no need to deploy IPv6 as there were no handsets in the market demanding the protocol, he added.

The situation, however, will start changing, Skinner said, pointing to U.S. carrier Verizon Wireless, which included IPv6 support as a criterion for devices to work on its LTE (Long Term Evolution) network.

Web-connected devices to boost IPv6 uptake
Aside from network provider mandates, Skinner noted that mobile device usage will also be a driver of IPv6 adoption. Traditionally, service providers “extended the use of IPv4” by reusing and sharing network IP addresses to communicate with devices. Increasingly, with smartphones and laptops connected to the Internet–and hence IP addresses–for a longer period, there may be “congestion” if there are not enough IP addresses, he said.

According to him, IPv6 will only affect mobile app developers “a little” as many apps are agnostic to the two protocols. However, he cautioned that older mobile applications may have code specific to IPv4 and hence are unable to handle the longer IPv6 addresses.

To work around that, app developers should ensure they work with the right set of APIs, Skinner said, adding that mobile operating system providers have updated their application programming interfaces.

S’pore telcos see value in Mi-Fi handsets

Mi-Fi-enabled handsets are starting to gain traction in the market, but rather than see them as a threat to their mobile broadband business, two Singapore-based carriers believe such devices can boost mobile data traffic.

Ivan Lim, deputy director of corporate communications and investor relations at M1, said Mi-Fi support on mobile handsets will provide consumers an “added alternative” to access wireless broadband via their mobile devices.

Ng Long Shyang, head of marketing and sales at StarHub, agreed and added that the carrier has no plans to disable handsets with Mi-Fi capabilities.

He explained that from a business perspective, growing mobile data traffic and in turn, revenues, are “important considerations” for operators and it does not make sense to clamp down on mobile handsets because they help drive mobile data usage among consumers.

With Mi-Fi devices, users can create mobile hotspots that allow multiple devices to connect to a 3G cellular Internet service–also called tethering. Some smartphones are also equipped with Mi-Fi capabilities, including those powered by Google’s Android 2.2, known as Froyo, such as Dell’s Streak and HTC’s Desire devices.

Apple is also reportedly looking to include Mi-Fi support in its next iOS 4.3 software update. According to technology Web site Ars Technica, iPhones sold by U.S.-based Verizon Wireless already come with a mobile hotspot feature which will be rolled out to all compatible handsets in the upcoming OS update.

In a previous ZDNet Asia report, Springboard Research analyst Bryan Wang said some telcos may ban smartphone tethering and encourage consumers to buy multiple data SIM cards for every device they want to Web-enable.

Mi-Fi solves broadband congestion?
Revenues aside, Mi-Fi-enabled handsets can also help alleviate 3G broadband traffic congestion.

Nitin Bhat, partner at research house Frost & Sullivan Asia-Pacific, had earlier predicted that Mi-Fi devices such as smartphones will have a “robust business case” as their ability to offload data traffic will ease the strain on existing 3G networks. Bhat added that consumers can do without multiple data plans and SIM cards with Mi-Fi, utilizing one plan for multiple devices instead.

Lim agreed, noting that because Mi-Fi supports multiple users or devices on one network source, the network operator will only identify the primary user accessing the network and not its accompanying users.

That said, he acknowledged that this method of easing wireless broadband congestion is not ideal. “Sharing of data among several devices or parties will subsequently lead to a lag in connectivity as opposed to the connection quality of one dedicated source. The user experience will thus be affected,” he explained.

Ng, however, did not believe Mi-Fi-enabled handsets would alleviate 3G broadband traffic, given that such devices would still tap on the existing broadband infrastructure to support multiple devices.

Ovum’s senior analyst, Nicole McCormick, shared his sentiments. She said in her e-mail that Mi-Fi-enabled handsets and devices will likely increase the amount of traffic on 3G broadband connections. This, though, will generate additional revenue opportunities for carriers, McCormick said.

The analyst instead pointed to femtocells as a better solution to alleviate network congestion. She said femtocells, which provide a local mobile 3G hotspot with fixed network backhaul, would be more attractive to operators looking to address rising demand for bandwidth.

Industry insiders, however, said in an earlier ZDNet Asia report that femtocells lacked a compelling business case which is hindering mass adoption of the device.

As femtocells are managed by users, carriers have no way of ensuring their wireless coverage quality can be adequately maintained from the consumer end. Furthermore, the lack of operator buy-in means the device remains pricey, which is another barrier to adoption.

Meanwhile, operators are already looking at other options to improve mobile broadband coverage quality.

StarHub, for instance, upgraded its network on two levels, Ng revealed. First, it implemented HSPA+ dual carriage technology, which could potentially double mobile broadband speeds to 42.2 Mbps, he said. Second, the carrier is working with Huawei Technologies on a smartphone signaling offering that optimizes the way handsets communicate with the network.

Ng said: “This signaling technology effectively halves redundant signaling loads, hence improving mobile broadband connectivity and overall smartphone performance.” He added that StarHub is looking at long-term evolution (LTE) in its next phase of mobile network development projects.

M1 is also looking to LTE to improve its mobile broadband business in the future.

Lim said: “The adoption and upgrade of our network to LTE is an area that we’ll be placing much focus on as we anticipate a strong growth in mobile data, and LTE would be an efficient mode in supporting this growth.”

Social media most evolved in S’pore

SINGAPORE–The city-state is among the world’s most evolved social media markets and its people’s national pastime, shopping, is clearly reflected in their online habits, according to research conducted by Firefly Millward Brown.

Released during a press briefing here Thursday, the survey findings revealed that Singaporeans’ lives converge online and offline, where their families, friends, interests, work and hobbies could be found in the tangible as well as virtual world.

Nichola Rastrick, managing director of the research firm, said: “For example, if they can see branded products in a shop, they expect to also find them in an online environment.” This was unlike other countries in the region, where Internet users relied on social media more for communication, she said.

Covering 15 countries including Singapore, China, India and the United States, the qualitative survey was developed based on the observations of 32 selected bloggers in each country, according to Firefly.

Christopher Madison, the company’s regional director of digital strategy, said Singapore’s evolved social landscape is due to the fact that its citizens are brand-savvy and genuinely want to be associated with fashion brands even in the digital world.

“The things that they do in [Singapore’s shopping strip] Orchard Road, can be very similar to what they are doing online, such as to find out more about discounts and events offered by the popular brands,” said Madison.

Hence, he noted that companies and marketers are also more proactive in making their online presence felt by engaging consumers through Facebook and other social media platforms, in the form of viral videos and regular news updates.

Besides shopping, food blogs and banks were also some of the more popular “encounters”, or mentions, in Singapore’s social media scene, according to the survey.

It added that easy and cheap access to the Internet, as well as the comfort level with going online, are some of the reasons why social media is more pervasive here.

While the study showed that the experience and behavior of social media users did not vary too much among the 15 countries surveyed, the “shopping association” was less obvious in Thailand and Indonesia.

Firefly’s findings revealed the Thais used social media to create a sense of community, and much of the online conversation revolved around expressions of friendship and connectedness.

Indonesians, however, regarded social media as a way to establish social status, success and as a platform for self-promotion.

Rastrick added that mobile penetration rate is extremely high in Indonesia, and with the constant traffic jams, platforms that provide brief and quick means of communicating such as Twitter are gaining popularity.

And while Facebook might not be readily available in China, the country’s online citizens were still active participants on social media networks, turning instead to local platforms such as Renren for online conversations, according to Firefly.

However, due to the restriction of Facebook, Chinese social media users felt left out of global dialogues, the survey found.

Businesses still figuring out social reach
But while social media may be the rage now, companies and marketers are still grasping to find the right way to reach out to consumers, according to Firefly.

Rastrick explained that the survey findings clearly showed that consumers did not want social platforms to turn into an avenue to hawk goods and services. Instead, they wanted marketers to engage them in dialogues, she said.

She warned that the biggest mistake marketers can make is to treat social media networks as a “marketplace”.

Madison added that businesses should cultivate a two-way conversation with the online community and establish a proper social media team to run effective campaigns.

“It’s easier to get on than [keep a campaign going]… Once you start something in the social media space, it is a commitment,” he said.

Using Singapore as an example, Madison said consumers are savvy and know what they want, and companies should invest in the social media space to respond to this market.

He also identified some rules for social media engagement, such as being selective about the platforms and using tactics to motivate the influencers and social media “stars”, or high-profile social personalities. This can be achieved by having good knowledge of the local market, he added.

Other rules include paying attention to small details, allowing negative comments so that consumers can make informed decisions, and building social media credentials through “humanization” of the brand, he suggested.

Nokia prepares for major shake-up

Nokia’s CEO Stephen Elop is reportedly preparing for a major shake-up at the company as he searches for a way to save the once mighty cell phone brand.

Elop is expected to unveil a new strategy for turning around the company at its investors’ conference in London on Friday. Nokia has been slipping in terms of market share the last several quarters as it faces stiff competition at the high end of the market from Apple’s iPhone as well as phones running Google’s Android platform. And at the low end, the company is also facing competition from Chinese manufacturers.

News outlets are already reporting bits and pieces of the new strategy supposedly leaked from insiders. Reuters said Wednesday that unnamed sources at the company confirmed that Nokia has halted development of its new high-end mobile operating system, MeeGo. And The Register in the U.K. said in its story that “well-placed sources” inside of the company told it that Nokia is considering moving its headquarters from Espoo, Finland, to Silicon Valley.

And Nokia this week may announce that it is adopting an operating system from one of its rivals, either Microsoft’s Windows Phone 7 or Google’s Android, according to The Wall Street Journal. The Journal said today that Nokia is in talks with Microsoft about making use of Windows Phone 7, along with its own Symbian software. Before joining Nokia last fall, Elop was a top executive at Microsoft.

Nokia representatives declined to comment.

Elop, who hinted at sweeping new changes during the company’s most recent earnings call with investors, wrote a scathing internal memo that was leaked to The Wall Street Journal and Engadget this week.

In that memo, he said the company has lost its competitive edge to competitors Apple and Google. Apple’s iPhone has dominated the smartphone market for the past couple of years, and Google’s Android operating system has quickly picked up momentum as Nokia’s traditional handset competitors adopt the free, open-source platform.

In the memo, he noted that the company’s own two operating systems–Symbian and MeeGo–may not be enough to combat rivals. The traditional Symbian OS is unwieldy, and the MeeGo effort, announced almost a year ago for high-end devices, is woefully late.

“We thought MeeGo would be a platform for winning high-end smartphones,” he said in the memo. “However, at this rate, by the end of 2011, we might have only one MeeGo product in the market.”

The company has already started to cancel product launches in the U.S. Last month it was reported that the company canceled the upcoming U.S. release of a new smartphone, the X7, which was supposed to be exclusive to AT&T. The company also supposedly canceled the launch of another device on T-Mobile USA’s network.

As for possible plans to virtually relocate the company’s headquarters? It’s not entirely unlikely. The board of directors made a bold move in putting Elop in charge. He is the first non-Finnish CEO in the company’s 150-year history.

Nokia moved into its current headquarters in Espoo in the 1980s, The Register said. If the company moved headquarters to the U.S., it likely wouldn’t affect the company’s main development facility in Finland.

Other executives have also taken bold moves to change the company throughout its history. The Register noted that the late CEO Kari Kairamo ushered Nokia into the high-tech age with numerous acquisitions in the 1980s. And Jorma Ollila shed many of the company’s legacy industrial businesses. Later, he ditched Nokia’s consumer electronics and computing products.

While Nokia’s presence in the U.S. today is minimal, the company did have a major facility in Irving, Texas, for several years. In an effort to regain market share in the U.S., the company opened a new office in Sunnyvale, Calif., in December, which could serve as the new headquarters.

New phone to feature Android plus Facebook

British start-up INQ Mobile will be releasing a new phone that spices up the Android operating system with tight Facebook integration. Among the features of the new phone, called the INQ Cloud Touch, are four Facebook-related buttons on the home screen, Facebook friends integrated with contacts, and a prominently featured real-time News Feed of Facebook activity.

According to a demo video taped by TechCrunch, the phone is intended to be a mid-level device geared toward teenagers, meaning that it could be available for a rather low price–perhaps as low as US$50–when purchased with a contract. The Cloud Touch will also be available overseas before it hits the United States market.

Rumors of a “Facebook phone” circulated last fall, causing some to believe that Facebook would be developing, branding, and selling a device in the manner of Google’s Nexus One, which was ultimately a failure. Facebook repeatedly denied that it was building a phone, but executives have said that the promises of the mobile world mean that you’ll be seeing Facebook on both smartphones and lower-end devices far more.

Chief Operating Officer Sheryl Sandberg explained last September that the company’s strategy would be to work on getting Facebook synced up to many different kinds of mobile devices, and that it sometimes requires partnerships and deals. “We want to make Facebook available everywhere on every device,” she said at the time.

“That’s actually complicated in a world of so many cell phones, so many mobile operators…even the screen size is different, so you have to work with the different devices [to develop apps].”

Making these mobile inroads is important as Facebook, which has more than 600 million active users around the world, works to expand in regions where it historically has not had a strong presence. In many of these regions, Internet access happens primarily on mobile devices rather than PCs.

To that end, Facebook recently worked with mobile development firm Snaptu to build an app for lower-end cell phones that will be accessible free of data charges in a handful of overseas markets.

Software brings Android apps to other platforms

Mobile software specialist Myriad is preparing to launch new software that allows non-Android-based smartphones to run apps designed for Google’s mobile operating system.

The software, known as Alien Dalvik, will allow non-Android operating systems to run Android Package (APK) files with little modification, the company said in an announcement on Tuesday.

“The proliferation of Android has been staggering, but there is still room for growth,” said Simon Wilkinson, chief executive of the Myriad Group, in a statement. “By extending Android to other platforms, we are opening up the market even further, creating new audiences and revenue opportunities.”

Read more of “Alien Dalvik brings Android apps to other platforms” at ZDNet UK.

Alcatel-Lucent shrinks cell tower technology

Telecommunications infrastructure maker Alcatel-Lucent announced this week new technology that will help wireless carriers expand their networks to keep up with the explosive growth in mobile data.

The company announced this week a new compact cell phone antenna system called lightRadio, which incorporates radio technology and base station technology in a single box. The entire system, which can fit on a lamp post, is a fraction of the size of today’s cellular equipment. Current cellular networks require massive and power-hungry cell phone towers that house the antennas with a separate base station at the bottom of those towers that control the antennas.

When carriers have needed to add capacity or improve coverage, they’ve had to deploy these massive cell site towers. Alcatel-Lucent’s lightRadio system, which will be ready for carrier trials later this year, allows carriers to deploy new cell sites much faster and less expensively than they have been able to do in the past. It also means that carriers can reduce the electricity used to power the cell phone towers and base stations.

All in all, wireless operators can reduce the cost of deploying and maintaining a new cell site by almost half of what it is today.

That has huge implications for the wireless industry, which is struggling to keep up with demand for more data services from smartphones and tablet PCs. In fact, wireless data traffic is expected to increase 26 times between 2010 and 2015, according to Cisco’s latest Visual Networking Index Forecast. Cisco conducts the survey every year to track network growth.

“It’s clear that the explosion in mobile data will continue,” said Wim Sweldens, president of Alcatel-Lucent’s wireless division. “The architecture that Alcatel-Lucent is proposing will help avert a potential wireless crisis. If carriers don’t move in this architectural direction then the problems we are starting to see today will only get bigger. And growing the networks will not be economically viable.”

Wireless carriers have been preparing for traffic increases by adding more capacity to their radio networks as well as their back-haul networks that carry the traffic from the radio towers to the Internet. The wireless industry has been pushing the Federal Communications Commission to make more wireless spectrum available so that they can increase capacity. But getting new spectrum into the market takes time.

One way to add more capacity to the available spectrum is to deploy more cell sites that are smaller in area. Splitting cell sites means that wireless operators can serve more customers or provide more bandwidth to individual customers in each cell site.

Carriers have already begun using a mix of smaller and smaller cell sites in their networks. For example, femtocells provide personal cell sites that can be in a home or business. The smaller cell sites are connected to a home or office broadband connection to improve wireless indoor coverage.

But splitting cell sites on a macro level in a metropolitan area is a little trickier if the old cell tower and base station architecture is used. Getting new cell towers approved is time consuming. And putting up those towers is expensive. It’s also expensive to run these towers, which means long-term this architecture isn’t viable.

That’s where Alcatel-Lucent says its lightRadio technology comes in. It would allow wireless operators to deploy smaller cell sites much more quickly and at a much lower cost.

“We are applying the same principles that we’ve talked about in using femtocells for the entire mobile network,” Sweldens said. “We start by replacing the big towers with smaller elements that are easier to deploy, use less power, and connect smaller sites to broadband infrastructure that is already in place. So we can take advantage of the cloud-like architecture to get better economies of scale that either lead to reducing costs for operators or the ability to deliver more bits at the same cost.”

The new technology has other important benefits as well. Because the antennas are software configurable, carriers can use the same set of equipment to offer 2G, 3G, and 4G service from the same access point. What’s more, upgrading from one technology to another simply requires a software upgrade.

This is very different from what is done now. Today, when wireless carriers upgrade from a 3G technology such as EV-DO or HSPA to a next-generation technology, such as LTE, they are required to deploy new hardware. But with the Alcatel-Lucent lightRadio system, they simply do the upgrade in software.

But Alcatel-Lucent’s new technology, which is modular in design like building blocks in a Lego set, is not just a big improvement for existing wireless players. It can also be used to help other companies, such as cable operators, get into the wireless market at a much lower cost.

Cable companies already have a lot of high-capacity broadband infrastructure in the ground. And some of them also own wireless spectrum licenses. Cox Communications has used some of that spectrum to build a regional wireless network, while others such as Comcast and Time Warner Cable have invested in other wireless services like Clearwire.

“The future for any broadband provider is building one network that can serve customers whether they are mobile or at home,” Sweldens said. “Our new technology will help companies leverage their existing wireline infrastructure to provide wireless services. The cable MSO market is definitely one of our target markets.”

Alcatel-Lucent isn’t the only company that is developing smaller, more modular and wireless configurable cell phone access points. Market leaders, such as Ericsson and Huawei, have also been working on software-defined radio technology. But Sweldens believes that Alcatel-Lucent is the first company to announce plans for these products.

“This is indeed part of a general trend in the industry,” he said. “But what we’ve done is made a breakthrough by building the smaller cubes that fit together. We feel pretty confident that we are the first to commit to such a product road map. And that is the news.”

Report: Google, EC in early settlement talks

Google could be a little closer to resolving at least one of its regulatory headaches, according to a report.

Reuters notes that Google and the European Commission have entered into talks over the antitrust investigation that began last November. It’s still pretty early in the process: Reuters’ source said there were “some tentative discussions in resolving the issue, but no really concrete proposals on the table.”

Google is even more dominant in Europe than it is in the U.S., with market share over 90 percent in a few countries. A few companies, led by Foundem, have long complained that Google unfairly penalizes their sites in search results because they compete with Google, a charge that Google denies.

When it launched the investigation the Commission said that it would investigate those complaints as well as complaints about Google’s quality score for determining ad placement, but said it didn’t necessarily have proof of any wrongdoing. Regulators have been sending questionnaires to Web businesses as part of their effort, as noted by Search Engine Land earlier this year.

The European investigation is the most significant probe of Google’s business practices yet launched, although authorities in the U.S. have been sniffing around the proposed acquisition of ITA Software and the long-delayed ratification of Google’s settlement with author and publisher groups over Google Book Search.

Report: Microsoft management changes in the works

Microsoft is said to be on the brink of another shuffle among its senior management.

Microsoft CEO Steve Ballmer plans to make changes to the company’s senior management in order to improve the company’s competitive edge in Web services, smartphones, and tablet computers, according to a Bloomberg report that cites unnamed sources.

Those changes, Bloomberg says, will be announced “this month”.

What remains unclear is whether the changes will bump out any of the existing division heads, in place of talent from within or outside of the company, versus changing the number of business units and their executive make-up. Bloomberg did say that a central part of the company’s plan was to “promote managers who have engineering chops and experience executing on product plans,” which would imply moving someone at the top to make way for that promotion.

A Microsoft representative declined to comment.

Microsoft has a long history of making changes to its management structure. While Ballmer has stayed at the helm for a little more than 11 years now, the company has made drastic changes to the number and depth of its business units.

Microsoft’s last big management shuffle took place back in October, with Ballmer naming Kurt DelBene to the head of Microsoft’s Office Division, Don Mattrick to the head of the Interactive Entertainment Business, and Andy Lees to the head of Microsoft’s Mobile Communications business. That was following the departures of Stephen Elop, who left to become the CEO at Nokia, as well as Robbie Bach, who retired from his spot as the president of the Entertainment and Devices unit last May.

More recently, the company had a shake-up in its Server and Tool Business, with the company announcing the planned departure of Bob Muglia, who had served as president for the division. Muglia had been promoted just two years prior as part of Microsoft’s elevation of the server unit into a larger part of the company’s business.

What should Nokia do?

Commentary: It’s hard to know what to make of Nokia these days. Though it still holds a huge worldwide market share and sells more phones than its competitors, it doesn’t quite capture the buzz it once had, and its presence in the United States has dwindled.

Sure, the Finns maintain a healthy business selling low-end handsets in emerging markets, but over the last three years, smartphones are where the action is. And though Nokia still succeeds in that space occasionally–we quite liked the Nokia N8, for example–its strategy has been rather unclear.

To its credit, Nokia is aware of the problem. At last September’s Nokia World, company execs vowed to “shift into high gear” and “fight back in smartphone leadership”. How exactly that fight will unfold remains a popular point of debate in the wireless industry–many analysts have urged Nokia to join the Android family–but up until now, Nokia has kept its cards close.

Come Friday, however, Nokia will fully outline its new strategy at an investor meeting in London. CEO Stephen Elop announced the Feb. 11 meeting during the company’s quarterly earnings call. Elop didn’t get specific, but he set off a wave of speculation when he said the company needs to “build or join a competitive ecosystem”.

“The game has changed from a battle of devices to a war of ecosystems,” Elop said during the call. “And competitive ecosystems are gaining momentum and share.” Immediately, some Nokia watchers theorized that the company would announce that it was developing a handset based on Windows Phone 7 or Android.

Such a move would be surprising, considering that as of late the company has been mildly dismissive of Android while continuing to promote Symbian and the developing MeeGo platform. But with the market throttling forward at rapid speed, Nokia may have decided the radical change is necessary. So what could its options be?

Stay with MeeGo
From what I’ve seen, most of my tech journalist colleagues are advocating this path. ZDNet Asia’s sister site ZDNet’s Mary Jo Foley, for instance, doesn’t see an OS switch to Microsoft happening. Similarly, PCMag’s Sacha Segan and Eric Zeman at Information Week also urged Nokia to develop MeeGo as a worthy competitor to Google and Microsoft.

Though I agree that this is the most likely scenario, I can’t say that it excites me. Experienced Symbian users may love Symbian, but the OS can be maddening for everyone else. Sure, Nokia did give Symbian 3 a nice upgrade on the N8, but it needs to do more. And though I’m always a fan of customer choice, MeeGo just doesn’t spark my interest at this point. It could be really cool, and I’m hoping that it is, but Nokia needs to deliver real MeeGo handsets soon.

Android
The most unlikely of the three, I’d say, but still not impossible. Indeed, jumping into Android would entail risks. The OS is growing fast and it’s attracted the attention of major players like Motorola, HTC, and Samsung. Nokia would be arriving late to the party and its rivals will fight to keep the leadership positions they’ve assumed. On the other hand, Nokia could play an “always late, but worth the wait” role.

Windows Phone 7
Honestly, I wouldn’t mind if Nokia went this route while also developing MeeGo. Windows Phone 7 is new and it has its growing pains, but the OS has a lot of promise. Nokia could benefit by getting involved with an OS from the ground up, and Microsoft–which is Elop’s previous employer, by the way–could use the exposure from an industry giant.

Whatever happens, we’ll know for sure this week after Elop breaks the news in London. CNET also will be at Mobile World Congress a few days after that in Barcelona, Spain, where Nokia will kick off its presence at the show by holding a press conference Feb. 13.

This article was first published as a blog post on CNET News.

Microsoft eases procurement of WP7 dev phones

Microsoft is making it a little easier for developers to get their hands on Windows Phone 7 devices for building and testing applications.

In a blog post last week detailing some previously announced updates to the Windows Phone Developer Tools, Brandon Watson, who is Microsoft’s director of developer relations, said that the company has partnered with Zones.com to let developers buy Windows Phone 7 devices without a voice or data contract.

The phones, which include HTC’s HD7 and Surround as well as the Samsung Focus, come carrier-locked, but can be had for about $500 without venturing to a carrier or third-party retail site to make the purchase.

In the past, Microsoft has made a concerted effort to get devices into developer hands even before an official launch. At last year’s Professional Developers Conference, all paid attendees were given phones following the keynote speech, a week ahead of the U.S. launch. That said, to get additional or replacement devices, Microsoft had been encouraging developers to go through carriers, where contract strings were attached.

Momentum builds
Watson also provided an update to the number of Windows Phone 7 developers and apps within its library, and there have been noted improvements in just a week’s time.

Microsoft now says the number of registered Windows Phone developers is 27,000, up from the 24,000 metric the company cited a week ago. Those developers have also bumped up the number of apps on Microsoft’s Windows Phone Marketplace to “more than 7,500,” marking an increase of 1,000 apps since last week.

Microsoft has yet to provide concrete numbers on overall app downloads, though during the company’s CES keynote address, CEO Steve Ballmer said that more than half of Windows Phone 7 users were downloading a new application every day. By comparison, competitor Apple announced it had topped 10 billion application downloads in its less-than-three-year-old app store last month.

Google wants to fight smartphone battle on Web

Google has been playing catch-up to Apple in the mobile world for several years, but it’s starting to carve out its own niche by emphasizing its strength on the Web.

The Android Market Web Store was the most interesting thing to emerge from last week’s event at Google headquarters, and it’s one that Apple can’t easily duplicate overnight. It’s also in keeping with Google’s philosophy of pushing Web development over native software development when possible, a strategy that isn’t always practical on smartphones but is starting to make more sense as computing power grows in tablets.

Most importantly for Google, it gives Android users a cleaner, simpler, and more user-friendly option for buying apps than the much-maligned Android Market. It should also appeal to developers, who will have many more options at their fingertips for promoting their apps on the store and a better chance of being found within the sea of applications.

The advantages of the Android Market Web Store are simple: Android users can browse app selections just like any other Web site from any Web-connected device, rather than dealing with the small, cluttered, and awkward Android Market interface on their phones. A purchased app is linked with a Google Account rather than a device, so it can be automatically pushed to any Android devices registered to that account at the time of purchase.

And Google has also come up with something that hits Apple where it hurts: Web services. For all its skill in designing mobile hardware and software, Apple hasn’t been able to come up with all that many services that tie everything together over the Web. (Find My iPhone is a notable exception, but that requires a US$99 annual subscription to MobileMe while iPhone 4 users with iOS 4.2 installed can get this for free.)

Apple’s iTunes is the hub for its mobile strategy, and even the most diehard Apple fan would admit that desktop application is getting a bit long in the tooth. iTunes has given Apple a centralized distribution and payment-processing system that’s arguably as responsible for the growth of iOS as anything, but it’s resource-intensive and linked to a single computer: you can manage and purchase apps on the iPhone or iPad, of course, but if you want to back them up, you have to physically connect the device to a computer.

Google has long sought to eliminate that link with its Android strategy, pitching its Web-based services as a selling point for those concerned about app backup and contact management. However, it didn’t really have a credible alternative to the ease-of-use that accompanies app shopping on a bigger screen, not to mention the rather poor experience in the native Android Market. Now it does.

Eric Chu, mobile platforms product manager for Google, said that the Web Store won’t replace the native Android Market on phones and tablets as yet. He said Google will continue to make improvements to the native store because that’s still probably the best experience on phones.

But Google’s quest in this world is to one day replace software developed for specific machines with software developed on and for the Web. Mobile devices lag behind their desktop counterparts when it comes to supporting this kind of strategy (and even desktops aren’t all the way there) but as standards get sorted out and mobile browsers become more powerful, the conditions needed to allow that to happen will start to come together.

This is also a powerful differentiator for Google and its partners. By emphasizing Android’s hooks into Google’s broader array of Web services, Google gives its partners a selling point that others can’t match without a great deal of investment in skills that aren’t necessarily complementary to those of mobile operating system developers and industrial designers.

It’s not exactly a game changer, but it’s a nice example of how the many companies trying to live up to the high bar set by Apple with iOS can score points by knowing their strengths and focusing on sore points in the iPhone and iPad experience.

Now if Google can address some of the sore points in the Android experience–such as the slow pace of operating system updates actually reaching phones, for one–it might start setting the pace on its own.

This article was first published as a blog post on CNET News.

Cisco sees 26-fold wireless data increase in 5 years

Wireless carriers will see mobile data traffic increase 26 times between 2010 and 2015 according to Cisco’s latest Visual Networking Index Forecast. Will wireless operators be ready for it?

That’s the big question. The prediction of steep increases in traffic load is not entirely unexpected. Wireless carriers have been preparing for traffic increases by adding more capacity not only to their radio networks, but also in the back-haul networks that carry the traffic from the radio towers to the Internet.

By 2015, Cisco says that mobile data traffic will grow to 6.3 exabytes of data or about 1 billion gigabytes of data per month. The report indicates that two-thirds of the mobile data traffic on carrier networks in 2015 will come from video services. This trend follows a similar trend in traditional broadband traffic growth. And it suggests that as wireless networks get faster, devices get more processing power with bigger and better screens, people will increasingly watch more video on the go.

“What we’re seeing here is true convergence,” said Doug Webster, Cisco’s senior director of worldwide service provider marketing. “We’ve talked about this for a long time, but it’s really starting to happen where people are doing all the things they used to do on broadband connections at home when they’re on-the-go.”

But according to Cisco’s results, mobile data traffic is actually growing faster than traditional landline-based broadband traffic. In 2010 data traffic grew 159 percent, which is roughly 3.3 times faster than traditional landline broadband. And it was higher than the 149 percent growth rate Cisco had predicted in earlier Visual Networking Index reports. But over the next five years, the growth should taper off, Cisco’s report indicates. For example, annual growth rates are expected to go from 131 percent in 2011 to 64 percent in 2015.

So what exactly is driving the growth? The first main driver is the proliferation of mobile devices, said Suraj Shetty, a Cisco marketing vice president. Last year, Cisco’s Index predicted that the smartphone installed base would increase 22 percent in 2010, but Informa Telecoms and Media data indicates that the number of smartphones in use grew by 32 percent during the year, Cisco said.

In addition to the increase in smartphone adoption, there was a sharp increase in those smartphones that have the highest usage profile: iPhones and Android phones. The number of iPhones and Android devices in use grew 72 percent in 2010, bringing the combined iOS and Android share of smartphones to 23 percent, up from 11 percent in 2009.

And the trend is only expected to continue, especially as devices other than smartphones are added to the mix. By 2015, there are expected to be 5.6 billion mobile devices and 1.5 billion machine-to-machine devices in the world. These devices will include mobile phones, as well as Internet-connected cameras, Net-connected cars, tablets, laptops and more devices.

In addition to simply having more devices connected to wireless networks, more of these devices will also have better computing capabilities, Shetty added. We’re already starting to see this with smartphones running dual-core processors. The screens on mobile devices are also getting bigger and sharper. Not only are tablets coming on the scene, but smartphones themselves are getting larger and will have greater computing capacity than devices available today.

Network speeds are also increasing as wireless operators move to new generations of technology. In the U.S. wireless operators are talking about their “4G” wireless networks, which can offer download speeds anywhere between 5Mbps and 20Mbps, depending on the technology used. T-Mobile USA and AT&T have their HSPA+ networks. And Verizon Wireless has its LTE network. (AT&T also plans to launch an LTE network this year.) And Sprint Nextel has its WiMax network.

Cisco’s report indicates that network speeds doubled in 2010 and will only increase over the next five years, with average download speeds expected to increase 10-fold by 2015.

Faster networks, more capable devices with better screens, and the plain fact that there will be more connected devices in five years mean that wireless consumers will use more resources.

“There will be more devices with bigger screens and better processors that allow for multiple apps to run simultaneously, and the predominant type of network traffic will be video,” Shetty said. “These trends are all coming together and will have a significant impact on the network.”

What it means for wireless operators is that they need to find a way to keep up with the growing demands on their networks. In the wireless world, the need to keep up with growing demand means a need for more wireless spectrum. Carriers such as T-Mobile say they have enough spectrum today to meet current growth projections. But they say more is needed down the road.

This is why the Federal Communications Commission is working to get an additional 500MHz of wireless spectrum on the market in the next decade, with a plan for 300MHz of spectrum to be freed up in the next five years.

But adding more spectrum takes time and it will not be enough to solve the capacity crunch that wireless operators will likely face in the next few years. Shetty said that wireless operators will have to get more efficient in how they use their network resources. Shetty said that Cisco has technology that can help wireless operators improve network efficiency.

“There are a lot of demands and challenges that carriers face to keep up with demand,” he said. “Cisco can help them better engineer the network. And allow them to scale the network.”

But carriers will also have to invest in other network technologies to help keep up with demand. This will likely include offloading traffic onto femto cells and Wi-Fi networks.

It may also mean shifting business models to encourage consumers to use mobile data more efficiently. Last June, AT&T eliminated its unlimited data plan and began offering a tiered data service offering with usage caps. Other wireless operators in the U.S. haven’t followed yet. But Verizon Wireless, the largest U.S. wireless operator, has indicated that it will move to tiered pricing. Whether it gets rid of an unlimited plan entirely is still unknown. But it’s likely the company will raise the price of unlimited if it keeps it at all.

The other wild card in this whole scenario is tablets and other connected devices. While more people in the world today have cell phones than have electricity, devices such as tablet PCs will eat up capacity even further, because they can do so much more than many mobile handsets.

It doesn’t take nearly as many tablets in the world to have a significant effect on network loads. For example, a smartphone generates about 24 times more data on a wireless network than a basic feature phone. But a tablet generates about 122 times more data consumption than a basic feature phone, according to Cisco.

Webster said a year ago, tablets weren’t even on the radar screen when it came to predicting future mobile data growth. But with the introduction of the Apple iPad last year and now a growing number of tablet PCs, the category is expected to have a significant effect on data usage patterns in the next five years.

“Last year there was zero data traffic on the network from tablet PCs,” Webster said. “And it went from basically nothing to being a significant contributor to mobile network traffic by 2015. This is just indicative of how dynamic this market is with one type of device ramping up so quickly. It has huge architectural implications.”

Yahoo apologizes for Windows Phone 7 data bloat

Yahoo on Tuesday offered an apology to Windows Phone 7 users affected by an inefficiency that left some with larger than usual data usage.

The data problem had cropped up shortly after the launch of Microsoft’s latest mobile venture, with some users finding their allotted cellular data use going up to an unusually high rate. Microsoft acknowledged the problem in mid-January following a query from the BBC, and later said that it was an unnamed third-party’s fault.

Last night Microsoft fessed up that Yahoo was that third party, and that the issue centered around its Web mail service. This followed a packet-sniffing investigation by tech blogger Rafael Rivera, who discovered Yahoo was sending back larger than usual amounts of data every time the phone checked for new mail.

“Tens of millions of people check their Yahoo Mail from their mobile device each day, and we know they want their mobile mail experience to be fast, rich, and real-time,” Yahoo said in a statement. “While our default settings on all mobile platforms realize this approach, we have determined that an inefficiency exists in the synchronization of e-mail between Windows Phone Mail clients and Yahoo Mail, which can result in larger than expected data usage for some users.”

Yahoo reiterated that a fix for the problem was on the way, and will be here “in the coming weeks”, but that for now users needed to dial back how often Windows Phone 7 devices check for mail updates. Yahoo also noted that the data issue was not affecting other phone platforms and apologized for any inconvenience to users.

There’s no word yet on whether the fix can be made without users having to update their phone’s system software. Yahoo did not immediately respond to a request for clarification on that issue.

Lawsuit: AT&T overbills iPhone data use

One of the biggest problems that consumers have faced with mobile phone billing in recent years is that there’s really no way of independently measuring the amount of data that’s being consumed by a mobile Web session. Consumers are at the mercy of the wireless carriers and have put their trust in these providers to accurately bill them.

Now, AT&T finds itself at the center of a class action lawsuit that alleges that the provider’s bills “systematically overstate the amount of data used on each data transaction”. Granted, the overstatement that’s being alleged is small–somewhere in the range of 7 to 14 percent monthly, according to a post on the Electronista blog.

What’s especially telling is how a consulting firm that was hired by the lawyers of the plaintiff conducted its own test of the data billing. Instead of using data and trying to measure it independently for comparison against the bill, the consultant did the exact opposite. The firm bought a new iPhone and immediately turned off all push notifications and location services, made sure that no apps or email accounts were active and then left the iPhone idle for 10 days.

Read more of “Lawsuit: AT&T “systematically overstates” data usage on iPhone bills” at ZDNet.

eBay snags Bing’s development manager, Facebook scientist

Adding to the list of recent departures, Microsoft has lost the principal development manager of its Bing search engine to commerce giant eBay.

According to All Things Digital, Scott Prevost, who joined Microsoft as part of the Powerset acquisition in 2008, has left to become the VP of product management for eBay’s search tool. He’s joined by now former Facebook research scientist Dennis DeCoste, who will be eBay’s director of research. Together, the pair are said to be working on improving the relevancy of eBay’s built-in search tool.

A Microsoft representative confirmed Prevost’s departure, and said “we wish him well in his future endeavor”.

Prior to his two-year stint as the GM and director of product for Powerset, Prevost had been the CEO and CTO at the Animated Speech Corporation, which merged with educational software and research company TeachTown in 2006. As for DeCoste, he too had been a Microsoft employee, though had worked as a principal scientist for the company, following his stint as the director of research for Yahoo’s Research group.

Prevost joins a handful of recent departures from Microsoft’s management and engineering ranks. Earlier this month, Microsoft announced that server and tools boss Bob Muglia would be leaving the company later this year. More recently, Brad Brooks, who served as corporate vice president in Microsoft’s Windows Group left the company to join Juniper Networks. Meanwhile, Matt Miszewski–the former general manager of Microsoft’s government business–left Microsoft for Salesforce.com in late December, though was temporarily blocked from taking his post as a VP due to Microsoft winning a restraining order based on non-compete and confidentiality agreements Miszewski had signed. There’s also Johnny Chung Lee, the Wii hacker Microsoft hired to work in its Applied Sciences group to develop Kinect algorithms, who jumped ship for Google earlier this month.

Motorola Solutions rides Asia’s urbanization wave

As people become more affluent in rapidly growing Asian markets including China and India, government spending on areas such as public safety and train systems is likely to increase–providing opportunities that Motorola Solutions is looking to tap for continued growth.

Phey Teck Moh, corporate vice president at Motorola Solutions Asia-Pacific, noted that as Asia’s economies expand, a bigger middle class will emerge and this group of people will demand better public safety and transport systems, to name a few focus areas. This, in turn, will force governments to improve either the equipment used or increase the number of devices to support the demand, Phey said in an interview with ZDNet Asia.

He cited the example of walkie-talkies used by the police, where one device is shared by 7 to 10 officers in emerging markets. With urbanization, the number of officers sharing one radio set will be reduced to 3 to 4 policemen, he said.

Metro systems, he added, are another growth area Motorola Solutions is eyeing. According to Phey, China has approved and is deploying 58 railway lines, with plans to lay out another 100 to 150 lines in the next 10 years.

A report by Chinese news agency, South China Morning Post, said the Chinese government has pledged 1.25 trillion yuan (US$189.75 billion)–stretching from 2011 to 2015–to build 2,200 kilometers of rail lines in 16 cities.

Phey said: “Every mega first-tier city is growing its second- and third-tier cities, and it’s not just in public safety and transport. Retail and healthcare industries are also expected to grow in the process.”

Cashing in on enterprise mobility
The Singapore-based Motorola executive noted that while consumer mobile devices for white-collar workers are currently hogging the limelight where enterprise mobility is concerned, “true” enterprise mobility is actually more keenly felt in the blue-collar workers’ domain. These sectors include logistics, delivery and repair, among others, he said.

Citing figures from research firm IDC, Phey said the number of mobile workers accessing enterprise systems worldwide will top 1 billion this year and reach 1.2 billion by 2013. Asia-Pacific markets will contribute the most significant gains, although the United States will remain home to the world’s most mobile workforce, he said.

With more workers becoming mobile, it is imperative that ruggedized mobile devices they use “function properly over a long period of time, are compatible with existing apps even as the operating system is refreshed constantly and that security features are in place”, he said.

He noted that 15 percent to 20 percent of non-ruggedized consumer devices fail in their first year of operation. “Field devices such as mobile scanners are very hot now and this is because of the ongoing workforce mobilization trend,” he added.

According to Phey, Motorola Solutions’ business proposition is now clearer following the split from its mobile devices business on Jan. 4.

It now has a “strategic flexibility” that allows the company to conduct relevant research and development projects, and attract investors that appreciate its long-term, low-volatility growth. In fact, it will be investing US$1 billion globally in R&D projects that are focused on the company’s core capabilities of offering “mission- and business-critical” communication networks combined with applications and services, he stated.

Lawsuit roils on
Asked if its business is affected by the lawsuit initiated by Chinese networking company Huawei Technologies, Phey said no. Motorola does not play in the same service provider spaces of selling network equipment as Huawei, and it does not have sensitive information to pass on to Nokia Siemens, he explained.

However, Phey’s comments came before the Chinese company gained the upper-hand when a U.S. court granted it a temporary restraining order. Huawei had earlier sued Motorola to prevent it from passing on confidential information about Huawei’s technology to Nokia Siemens, which is attempting to buy over Motorola’s wireless networks business in a deal worth about US$1.2 billion.

Motorola since 2000 has been reselling Huawei radio access gear for GSM and UMTS wireless networks. As part of this relationship, Motorola employees are trained to sell and troubleshoot Huawei’s wireless products. Nokia Siemens also sells wireless products that rival Huawei’s offerings.

Mobile broadband is killing free Wi-Fi

After spending two weeks in Japan scrounging for free Wi-Fi, I’ve come to the conclusion that mobile broadband is killing free Wi-Fi.

In seeking to avoid monster costs for global roaming while I was abroad, I disabled that feature on my phone before I left, meaning I was entirely reliant on Wi-Fi to get in contact with friends and family back home.

In Australia, free Wi-Fi is generally available at stores like McDonald’s and Starbucks, as well as the ever-reliable Apple. Apart from using my iPad (which is the Wi-Fi model), I have little use for free Wi-Fi within this country because my 3G download quota with Optus for my iPhone is generally sufficient for all my internet needs, so I had not paid too much attention to what was available.

But prior to departing for my trip earlier this month, I thought I should research what Internet facilities were available. It was a bleak view to say the least, but I was optimistic because my accommodation provided free Internet and the Apple stores were a last resort, so it would all be good.

When I landed in Japan, I found that McDonald’s and Starbucks generally didn’t have any free Wi-Fi and the stores that did offer Wi-Fi often opted for paid services. The most common I found was BB Mobilepoint, a consortium of telcos that offers connections through hotspots mostly at train stations around Tokyo.

Handy for locals, sure, but not so much for tourists. In Australia, Telstra has a similar program in place with its hotspots.

When I was visiting the sights in Akihabara, the “electric town” in Tokyo that boasts dozens of stores with all the computer and high-tech gear you could ask for, I discovered that most of these stores sold WiMax broadband dongles and it was clear looking at the signs around town that most internet access would be through those.

When I did find places with Wi-Fi (the Wired cafes in Ueno and Shibuya, for example), I would often spend at least an hour or so there, and have a full meal at the same time, so I agree with Darren Greenwood that it is a smart business decision for stores to make the investment in free Wi-Fi.

I could only come to the conclusion that because most of the locals in Japan had existing mobile Internet accounts, free Wi-Fi was less of a pressing issue for them, so it wasn’t as worthwhile for more businesses to offer free Wi-Fi to their customers. 3G killed the free Wi-Fi star.

After my experience in Japan, I could only think of how it would affect tourists visiting Australia, and I think it would be great to see our telcos team up to offer Wi-Fi services in areas where their 3G networks are lagging, and also invest in offering a free (or cheap) alternative for tourists who lack the ability to access it.

Or the telcos could look at reducing the incredibly outrageous global roaming costs, so we wouldn’t need to scrounge for free Wi-Fi. But somehow, I still think that’s a long way off.

This article was first published at ZDNet Australia.

Egypt’s Internet disconnect reaches 24 hours

Egypt’s unprecedented Internet disconnection has now lasted 24 hours without signs of ending.

At this time of reporting, one by one, the country’s electronic links to the outside world fell silent. It started at 2:12 p.m. PT with the mostly state-owned Telecom Egypt disabling its networks, with four smaller network providers following suit between 2:13 p.m. PT and 2:25 p.m. PT.

Egyptian President Hosni Mubarak appeared on state television at approximately 2:15 p.m. PT last Saturday to announce that he would sack his cabinet but would not resign–an indication that no end to the disconnect was near. “I will not be lax or tolerant,” he said, according to an Al Jazeera English translation. There’s a fine line, he said, between permitting free speech and allowing chaos to spread.

Last Friday’s network disconnection was followed soon after by mobile networks pulling the plug as well. Vodafone confirmed in a statement that “all mobile operators in Egypt have been instructed to suspend services in selected areas”. So did Mobinil, the country’s largest mobile provider. (See ZDNet Asia sister site CNET’s previous coverage.)

Those outages come as four days of clashes between security forces and tens of thousands of protesters continued on the streets of Cairo and other major cities, despite an official curfew in effect Friday evening. Tanks have taken up positions around some TV stations and foreign embassies, and Al Jazeera English is reporting that the end of three decades of autocratic rule by Mubarak may be nearing.

United States Secretary of State Hillary Clinton said in a speech earlier that “we urge the Egyptian authorities to allow peaceful protests and to reverse the unprecedented steps it has taken to cut off communications”.

“We think the government, as many of us have said throughout the day, need to turn the Internet and social-networking sites back on,” White House press secretary Robert Gibbs said. He added: “Individual freedoms includes the freedom to access the Internet and the freedom to–to use social-networking sites.”

Egypt’s Internet connections aren’t completely down: the Noor Group appears to be the only Internet provider in Egypt that’s fully functioning. Cairo-based bloggers have speculated that its unique status grows out of its client list, which includes western firms including ExxonMobil, Toyota, Hyatt, Nestle, Fedex, Coca-Cola, and Pfizer, plus the Egyptian stock exchange.

An analysis posted by network analyst Andree Toonk, who runs a Web site devoted to monitoring networks, shows that before the outage, there were 2,903 Egyptian networks publicly accessible via the Internet. Today, there are only 327 networks.

A chart prepared by European networking organization RIPE provides a detailed glimpse at how Egypt’s network went dark. Until yesterday afternoon, there was the normal noise of networks being added and deleted, followed by a sharp spike yesterday between 2 p.m. and 2:30 p.m. ET. There’s been virtually no activity since.

Before last Friday’s outage, Egyptian use of the Tor anonymizing network had experienced a dramatic spike that coincided with the beginning of widespread protests. Normal usage was hovering around 400 users a day, but leaped to more than 1,200 as of Jan. 24. (Here’s a different view.)

Contrary to some reports, however, there’s no evidence that Syria’s Internet connection is down. Compare this chart from an Egyptian provider showing the network going completely dark with this one from the government-owned Syrian Telecommunications Establishment that depicts normal activity.

The rumors about Syria originated a few hours ago when Al Arabiya news service said that “Syria suspends all Internet services,” and followed up with a denial from the authorities. Reuters reported earlier this week that Syrian authorities have banned programs that allow access to Facebook Chat from cell phones.

There are some parallels. The now-defunct HotWired site, succeeded by Wired.com, reported in 1996 that “the U.S. government has quietly pulled the plug on Iran’s Internet connection”. During a state of emergency in Bangladesh in 2007, satellite providers were ordered to cease airing any news shows. And in Burma later that year, the country’s ruling military junta pulled the plug on the nation’s limited Internet access.

But Burma is not Egypt, a country of more than 80 million people equipped with tens of millions of computers and cell phones–who have now found themselves almost entirely disconnected from the rest of the world.

Egypt receives more than US$1.3 billion annually from U.S. taxpayers in the form of military aid, according to the U.S. State Department.

“Thanks to the blanket communications shutdown, the protests today took place in an information vacuum,” according to a dispatch from Index on Censorship’s Egypt regional editor Ashraf Khalil in Cairo. “On Tuesday, even during the demonstration, everybody was checking Twitter both to coordinate and for news on what was happening across the country. This time nobody knew what was happening anywhere else–not even on the other side of the river in Tahrir Square.”

This article was first published as a blog post on CNET News.

Amazon’s capital spending plans spur debate, worry

There’s quite a tug-of-war underway over Amazon’s capital spending plans. Amazon reported a solid fourth quarter, but also added that it will continue to invest in fulfillment centers and infrastructure to build up Amazon Web Services.

Enter the worrywarts. Amazon is a bit of a conundrum for Wall Street. When the company is harvesting its investments, investors love it. But when the company’s outlook disappoints because it is spending on infrastructure, some analysts freak. It’s a familiar pattern with tech companies:

When Verizon said it would do something crazy like bring fiber-optic lines to homes for its FiOS network, there were a few quarters of disbelief. Why would Verizon do that? Today, analysts yap all the time about Verizon’s future-proof network. Of course, they also want to see better returns out of FiOS.

Read more of “Amazon’s capital spending plans spur debate, worry” at ZDNet.

Rivals weaken Nokia, Motorola Mobility outlooks

Shares of both Nokia and Motorola fell amid dismal forecasts for the first quarter, according to reports, undermining their leaders’ efforts to boost handset sales as the onslaught from Apple and Android continues.

Bloomberg reported on Friday that Motorola Mobility–the mobile devices arm following the Jan. 4 split from its networking division–dropped 12 percent on the New York Stock Exchange to US$30.51.

The company predicted a first-quarter loss of 9 to 21 cents per share as sales slowed due to Verizon Wireless’ impending iPhone launch next month, the report added.

Analysts polled by Bloomberg expressed a more positive outlook, though, forecasting a 1 US cent profit per share.

Finnish handset maker Nokia also saw its shares slip after CEO Stephen Elop acknowledged it was facing “some significant challenges in our competitiveness and our execution”, according to a separate Bloomberg report.

Nokia’s shares tumbled 8.7 percent in Helsinki, closing 0.8 percent lower at 7.74 euros (US$10.60), it stated.

Both reports had industry voices bemoaning the bleak financial outlooks of the two companies.

London-based analyst Pierre Ferragu from Sanford C. Bernstein, for one, called Motorola Mobility’s outlook “slightly disappointing” and expressed concerns that Motorola’s growth potential is limited by the company’s footprint.

Meanwhile, Leon Cappaert, fund manager at KBC Asset Management in Belgium, which has investments in Nokia shares, similarly expressed anxiety over the Finnish company. “What spooks everyone is the outlook: a combination of lack of giving an upside and disappointing margins,” he said.

Apple and Android loom large
Both Motorola Mobility CEO Sanjay Jha and Elop are looking to fend off competition from Apple’s iPhone and Google’s Android-based smartphones, Bloomberg noted.

For Motorola Mobility, competition will intensify once Verizon begins sales of the iPhone. The carrier is one of Motorola’s staunchest allies, selling more of its phones than other U.S.-based carriers, the news wire said.

“We have seen some slowdown as a result of the announcement at Verizon,” Jha said in the report, adding that “Android’s popularity will help [Motorola] compete with Apple”.

He also revealed that Motorola expects to ship between 20 and 23 million smartphones and tablets in 2011, and that Xoom, its first tablet, will be competitively priced to take on more expensive models like the iPad from Apple.

Since adopting the Android OS for its mobile devices, the company’s sales have gotten a shot in the arm, culminating in the company’s return to profit for the first time since 2006, the report noted.

Nokia on the ropes
Nokia, on the other hand, is in more dire straits, with neither analysts nor investors holding out any hopes for an improvement in the company’s fortunes, Bloomberg stated.

Alexander Peterc, an analyst with Exane BNP Paribas, said that he expected downgrades between 15 and 20 percent per share for first-quarter earnings and between 5 and 15 percent for full-year earnings, “depending on how negative people get”.

Fellow analyst, Andy Perkins from Societe Generale Corporate & Investment Bank, said that Nokia itself is predicting a difficult first quarter that is “certainly much tougher than the markets were hoping for”.

Analysts are expecting Nokia to ditch Symbian for either Google’s Android or Microsoft’s Windows Phone 7 OSes, said a New York Times report.

However, Nokia announced last December that Symbian will continue to be its main business-phone platform, even when its new top-end OS, MeeGo, is launched.

However, devices powered by MeeGo OS have yet to enter the market, Bloomberg pointed out.

“If we rush to market with something that is below what our brand should stand for, then we will do long-term harm,” Elop explained in the report. The CEO added that he will lay out his strategy for the company at Nokia’s investor meeting in London on Feb. 11.

News Corp.’s iPad magazine launching Feb. 2

News Corp. has chosen Groundhog Day for its launch of The Daily, a digital publication designed for tablet devices–and it’s chosen New York, not the previously rumored San Francisco, for the Feb. 2 event.

News Corp. CEO Rupert Murdoch will be making the announcement at the event at the Solomon R. Guggenheim Museum, and Apple Vice President of Internet Services Eddy Cue will join him. This is in contrast to News Corp.’s initial plans to hold the event at the San Francisco Museum of Modern Art in late January.

A source close to the matter had informed ZDNet Asia’s sister site CNET that Apple had a significant part in the decision-making process for The Daily’s launch, and that Jobs would be joining Murdoch to make the announcement. Apple fans closely followed the rumors of a close partnership between Apple and News Corp., hoping that it might provide some insight into Apple’s strategy about how it sees the iPad as a device for digital media consumption. A Jobs appearance at the launch of The Daily would be a big deal indeed.

But on Jan. 17, a day before the company’s quarterly earnings announcement, Jobs announced that he would be stepping aside on a medical leave. While Jobs–a pancreatic cancer survivor who has already taken one medical leave from his post–will remain CEO, chief operating officer Tim Cook will temporarily take over his duties at the company.

So The Daily will launch without Jobs. Cue, a longtime Apple exec, has been instrumental in the development of the iTunes Store, App Store, and the future of applications on the iPad.

The Daily, which News Corp. hired former MTV digital executive Greg Clayman to spearhead, will be the second high-profile tablet-based publication to be launched by a billionaire mogul. In late November, British entrepreneur Richard Branson’s Virgin Group released Project Magazine, a slick monthly lifestyle publication for the iPad. No Apple executives made appearances, but vice president of product marketing Michael Tchao was in the audience and chatting with attendees afterward.

At the time, The Daily’s launch was rumored to be imminent–but it’s taken another three months to finally get it up and running.

A notably smaller tablet publication company, Nomad Editions, launched earlier this week. It’s run by Mark Edmiston, former president of Newsweek magazine.

This article was first published as a blog post on CNET News.

Are online polls reliable enough?

2011 is election year in New Zealand and this week, Prime Minister John Key and Labour Leader Phil Goff set out their stalls along with Obama-style “state of the nation” speeches.

The pollies will be eyeing upcoming opinion polls, but can the polls be trusted anyway, especially the ones that use online polling?

Despite some success overseas, I doubt such polls are mature enough to be trusted here yet, at least for political polling, even if they do have acclaimed merits of speed and cost.

The Fairfax-owned Sunday Star-Times has begun using Horizon Research, a company that uses online panels.

But its findings have been so far out of line with the others that the polls’ credibility is often questioned.

The polls in New Zealand, including those conducted by Australia’s Roy Morgan, have tended to show National and its coalition government way out in front, but Horizon keeps showing it in danger of losing its majority.

This has led fellow pollster David Farrar of Kiwiblog to write a post talking about how trustworthy or untrustworthy polls can be.

Admittedly, Farrar’s own market research company, Curia, often conducts polls for the ruling National Party, so he might be biased. But his comments seem fair, especially noting the longstanding records of rival pollsters and these rivals all producing similar results.

So while online polling, especially if you rely on volunteers, is cheaper, perhaps you only get what you pay for. The phone polling or face-to-face interviewing does seem more accurate, especially with random sampling and other weighting. Horizon says it samples and weights its panels but one could question if it is doing it properly.

Yet pollsters in Australia have been assessing their methodology, with even Roy Morgan testing online methods, though it prefers interviewing people face to face.

Galaxy, which also operates in Australia, seems happy with its online methods, though in Australia, it uses telephones and random sampling for its federal voting intention surveys.

YouGov is another online pollster and is used and trusted by major UK papers, as well as the Economist.

YouGov claims a good accuracy record, citing large sample sizes in its polling — numbers far higher than New Zealand’s own Horizon Research.

Maybe this is one of the many things Horizon needs to look at.

Of course in the end, there is only one poll that counts: Election Day. Only then will we truly know who is right!

This article was first published at ZDNet Australia.

Reports: Internet disruptions hit Egypt

Amid a third day of anti-government protests, Internet outages and disruptions were reported today in Egypt.

Facebook and Twitter confirmed the reports for their sites.

“We are aware of reports of disruption to service and have seen a drop in traffic from Egypt this morning,” a Facebook spokesman said in a statement. “You may want to visit Herdict.org, a project of the Berkman Center for Internet & Society at Harvard University that offers insight into what users around the world are experiencing in terms of web accessibility.”

According to Herdict.org, there were 459 reports of inaccessible sites in Egypt and 621 reports of accessible sites.

Twitter’s Global PR account reported on the site that: “Egypt continues to block Twitter & has greatly diminished traffic. However, some users are using apps/proxies to successfully tweet.”

Meanwhile, there were numerous reports of outages around the Web.

Danny O’Brien, San Francisco-based Internet Advocacy Coordinator for the Committee to Protect Journalists, reported to the North American Network Operators’ Group (NANOG) e-mail list that the organization had lost all Internet connectivity with its contacts in Egypt and was hearing reports of loss of Internet connectivity on major broadband ISPs, SMS outage and loss of mobile service in major cities there.

“The working assumption here is that the Egyptian government has made the decision to shut down all external, and perhaps internal electronic communication as a reaction to the ongoing protests in that country,” he wrote. His post included a link to a Pastebin.com page where someone at a European-based Internet activist group has started an effort to provide alternative methods — such as shortwave and pirate radio — for protesters in Egypt to communicate with each other and the outside world.

“A major service provider for Egypt, Italy-based Seabone, reported early Friday that there was no Internet traffic going into or out of the country after 12:30 a.m. local time,” the Associated Press reported. “Associated Press reporters in Cairo were also experiencing outages.”

The Los Angeles Times reported that BlackBerry users were not able to reach the Internet on their devices.

RIM provided this statement when asked for comment: “We can confirm that RIM has not implemented any changes that would impact service in Egypt and that RIM’s BlackBerry Infrastructure has continued to be fully operational throughout the day. For questions regarding a specific network in Egypt, please contact the carrier who operates the network.”

A Twitter post by Ben Wedeman, CNN senior correspondent in Cairo, around 3 p.m. PDT says: “No internet, no SMS, what is next? Mobile phones and land lines? So much for stability.”

The Arabist blog had mixed reports, with someone in Cairo saying Internet service was down while a foreign journalist was able to get onto the Internet at the Semiramis Intercontinental hotel.

Twitter representatives did not respond immediately to an e-mail request for more information.

The Internet disruptions spurred activist action. Anonymous, the group that launched distributed denial-of-service attacks on Web sites of financial institutions and others opposing WikiLeaks last year, released a video online in which it threatened to launch DOS attacks on Egyptian government Web sites if the authorities did not curtail censorship efforts. Earlier today, five people were arrested in the U.K. in connection with those attacks.

Because Twitter has been found to be an effective communications tool during social unrest and protests–in Iran and Moldova, along with Tunisia and Egypt, more recently–it is an attractive target for governments to try to block, along with Facebook.

This article was first published as a blog post on CNET News.

Asia to lead mobile-only Web population

As the mobile broadband market continues its rapid growth, the population of users that use only their mobile devices to access the Internet will hit 1 billion by 2015, with Asia-Pacific dominating this segment of the market.

According to an Ovum study released Thursday, by 2015, some 28 percent of all mobile broadband users worldwide will use this form of connectivity as their only mode of Internet access.

Additionally, more than half of this population will be based in the Asia-Pacific region, which will account for 518.4 million mobile broadband users in 2015, up from 119.1 million in 2011. The region’s market dominance is primarily due to the lack of fixed-line infrastructure in populous markets such as China and India, Ovum explained.

“Asia-Pacific’s role is extremely important in the fixed-mobile services (FMS) space,” Nicole McCormick, senior analyst at Ovum, said in the report. “The region has the third-highest penetration rate, at 34 percent, as well as the fastest-growing mobile-only [broadband] penetration of any region.”

Fixed broadband to grow, too
Despite the growing mobile broadband adoption, the takeup rate for fixed broadband will still see growth, Ovum pointed out. This is because broadband fixed-mobile convergence (FMC) services, which encompass users who buy both fixed and mobile broadband services, are expected to spike by 120 percent globally in the next five years to 2015.

The report added that FMC users from the Asia-Pacific region will grow from 259 million in 2011 to 465 million by 2015.

McCormick noted that in absolute terms, the region dominates the global FMC market due to the presence of China, South Korea and Japan–all of which have significant fiber-optic deployments and are large broadband markets.

“Bundling opportunities in Asia-Pacific are expected to gather pace over the forecast period as some operators continue to seek ways to protect their fixed-line revenue bases,” she said.

On a macro level, the International Telecommunication Union (ITU) reported on Wednesday that the global Internet population will hit the 2-billion mark this year.

Broadband was cited as the growth catalyst, with ITU Secretary-General Hamadoun Toure noting that the technology “generates jobs, drives growth and productivity, and underpins long-term economic competitiveness”.

US senator proposes mobile-privacy legislation

U.S. federal law needs to be updated to halt the common police practice of tracking the whereabouts of Americans’ mobile devices without a search warrant, a Democratic senator said Wednesday.

Ron Wyden, an Oregon Democrat, said it was time for Congress to put an end to this privacy-intrusive practice, which the U.S. Justice Department under the Barack Obama administration has sought to defend in court.

In a luncheon speech at the libertarian Cato Institute in Washington, D.C., Wyden said his staff was drafting legislation to restore “the balance necessary to protect individual rights” by requiring police to obtain a search warrant signed by a judge before obtaining location information.

Even though police are tapping into the locations of mobile phones thousands of times a year, the legal ground rules remain hazy, and courts have been divided on the constitutionality and legality of the controversial practice. In September, the first federal appeals court to rule on the legality indicated that no search warrant was needed, but sent the case back to a district judge for further proceedings.

Because the two-way radios in mobile phones are constantly in contact with cellular towers, service providers like AT&T and Verizon know–and can provide to police if required–at least the rough location of each device that connects to their mobile wireless network. If the phone is talking to multiple towers, triangulation yields a rough location fix. And, of course, the location of GPS-enabled phones can be determined with near-pinpoint accuracy.

Wyden said this kind of eerily accurate remote surveillance is akin to searching a person’s home, which requires probable cause and a search warrant signed by a judge. “You just can’t argue logically to me…that secretly tracking a person’s movements 24/7 is not a significant intrusion into their privacy,” he said.

The forthcoming legislation, he said, is being drafted with Rep. Jason Chaffetz (R-Utah), and will apply to “all acquisitions of geolocation information,” including GPS tracking devices that police are generally allowed to place on cars without warrants under current law.

It will address both law enforcement and intelligence investigations, including saying that Americans who are overseas continue to enjoy the same location-privacy rights, a nod to the debate a few years ago over rewriting federal wiretapping law. It will also extend the same privacy protections to both “real-time monitoring and acquisition of past movements.”

Not long ago, the concept of tracking cell phones would have been the stuff of spy movies. In 1998’s “Enemy of the State,” Gene Hackman warned that the National Security Agency has “been in bed with the entire telecommunications industry since the ’40s–they’ve infected everything”. After a decade of appearances in “24” and “Live Free or Die Hard”, location-tracking has become such a trope that it was satirized in a scene with Seth Rogen from “Pineapple Express” (2008).

In 2005, CNET disclosed that police were engaging in warrantless tracking of cell phones. In a subsequent Arizona case, agents from the Drug Enforcement Administration tracked a tractor trailer with a drug shipment through a GPS-equipped Nextel phone owned by the suspect. Texas DEA agents have used cell site information in real time to locate a Chrysler 300M driving from Rio Grande City to a ranch about 50 miles away. Verizon Wireless and T-Mobile logs showing the location of mobile phones at the time of calls became evidence in a Los Angeles murder trial.

Verizon Wireless, for instance, keeps phone records including cell site location for 12 months, a company official said at a federal task force meeting in Washington, D.C., last year. Phone bills without cell site location are kept for seven years, and SMS text messages are stored for only a very brief time. (A representative of the International Association of Chiefs of Police said yesterday that Verizon keeps incoming SMS messages for “only three to five days”.)

Wyden’s push to advance Fourth Amendment-like privacy protections through legislation is likely to be met with applause among technology firms. Last March, as CNET was the first to report, a group called the Digital Due Process coalition including Facebook, Google, Microsoft, Loopt, and AT&T as members endorsed the principle of location privacy. (Loopt says it already requires a search warrant before divulging location information.)

One of the coalition’s principles says: “A governmental entity may access, or may require a covered entity to provide, prospectively or retrospectively, location information regarding a mobile communications device only with a warrant issued based on a showing of probable cause.”

The Obama Justice Department, on the other hand, has argued that warrantless tracking is permitted because Americans enjoy no “reasonable expectation of privacy” in their–or at least their cell phones’–whereabouts. U.S. Department of Justice lawyers have argued in court documents that “a customer’s Fourth Amendment rights are not violated when the phone company reveals to the government its own records” that show where a mobile device placed and received calls.

Windows Phone 7 sales top 2 million

Microsoft says it has sold more than 2 million Windows Phone 7 devices since launch. That number represents handsets sold to mobile operators and retailers and not necessarily consumers.

The initial report of Windows Phone 7 sales came from Microsoft in late December and topped 1.5 million units. Back then, Achim Berg, vice president of business and marketing for Windows Phone, said that number was “in line” with company expectations.

In a phone call with ZDNet Asia’s sister site CNET, Greg Sullivan, senior product manager for Windows Phone 7, said while sales were certainly a measure of the platform’s success, customer satisfaction and developer investment were more important leading indicators. And to that end, the company has been pleased.

“93 percent of Windows Phone customers are satisfied or very satisfied with Windows Phone 7, and 90 percent would recommend the phone to others,” Sullivan said. Those numbers were based on a recent survey of Windows Phone 7 customers numbering in the hundreds.

At the Consumer Electronics Show earlier this month, Microsoft CEO Steve Ballmer had articulated that people “fell in love” with Windows Phone 7 once they saw the device, and that getting it into the hands of consumers would be “job number one”. To that end, Sullivan said Microsoft is planning more marketing outreach.

“We’re absolutely doing things to turn people onto this great thing, that those who have experienced it, love,” he said. “You will see us continue to do some very visible things in terms of getting that word out, that–boy–once people use this phone, they fall in love with it very quickly.”

As for why Microsoft doesn’t have a more precise number on the actual number of handsets that have been sold to users, Sullivan noted that mobile operators were not contractually obligated to provide Microsoft with the activation numbers and the sell-through data. “We have a high degree of confidence in the precision of the sell-in numbers, which is why that’s what we’re providing,” he explained.

Sullivan said there are now more than 6,500 apps in Microsoft’s Marketplace application and the company currently has more than 24,000 registered developers. That’s compared to the 5,500 apps and 20,000 developers announced at CES earlier this month.

Microsoft plans to release the first of two announced software updates to Windows Phone 7 devices in what Sullivan said would be within “the next few months.” This first one will bring copy and paste functionality, along with better application loading performance and some bug fixes. The second update, planned for release in “the first half” of this year, will bring support for CDMA networks such as Sprint and Verizon, where Windows phones are currently unavailable.

Study: iOS, iPad gain enterprise computing share

Apple has said many times that the iPhone and iPad are gaining popularity with enterprise-level businesses. We’ve heard most recently that the iPad is either being used or tested for use at “more than 80 percent” of Fortune 100 companies, according to Apple COO Tim Cook. Today, a company that makes enterprise software is providing additional evidence that corporate customers are warming to the iPad, with details on which industries are embracing it already.

Good Technology makes enterprise software for mobile devices (Good For Enterprise), and over the last year has been tracking which devices its clients put its software on. Using data gleaned from more than 2,000 clients, Good found that during the fourth quarter of 2010, more than 65 percent of all activations using its software were on iOS devices–which means iPhones and iPads. iPad activations grew from 14 percent of all new devices to 22 percent of all new devices during that same time period.

The most activated devices Good saw during the quarter were, in order, iPhone 4, iPad, iPhone 3GS, Motorola Droid X, and Motorola Droid 2. Overall, Android phones remained about a third of new devices activated during the quarter, roughly the same as the previous three months, according to the study. For the first time, there were no Windows Mobile or Symbian devices in the top 10 most activated new devices, Good found.

It should be noted that Windows Phone 7 is not included since Good doesn’t support that platform yet, and all BlackBerry software is run off the BlackBerry Enterprise Server, so Good does not have access to data regarding activations of RIM’s smart phone devices.

We also get some detail on where the iPad is being used. Good found that the industries in which its customers are most using the iPad are financial services, followed by health care, legal/professional services, high tech, government/public sector, and wholesale/retail.

Apple obviously has a head start in tablets since the iPad has been available since April 2010, but in the coming year it should have some competition. There are several Android tablets expected to be released this year, as well as WebOS tablets from Hewlett-Packard, which is a heavyweight when it comes to enterprise customers. But the biggest challenge for tablet adoption in enterprise is likely to come from RIM, which, as previously mentioned, won’t be included in Good’s numbers. The PlayBook is expected to go on sale this year as a companion device to the BlackBerry, which has been long-entrenched in the corporate world.

S’pore may auction 4G spectrum in 2012

The Singapore government intends to auction off 4G wireless spectrum rights as early as next year, paving the way for a faster rollout of Long Term Evolution (LTE) in the country.

According to local reports, ICT regulator the Infocomm Development Authority of Singapore (IDA) announced Monday it would make available six lots of spectrum for service providers to implement high-speed mobile data services. 4G is said to offer speeds five to 10 times faster than the existing 3G technology.

Currently, SingTel, StarHub, M1, QMax and PacketOne have the rights to use the 2.3/2.5 GHz spectrum, which the service providers successfully bid for in 2005. These rights will expire in 2015, after which the spectrum will be dedicated exclusively for the deployment of 4G services, said the IDA.

In the meantime, operators can seek approval from the government to deploy LTE with their existing spectrum rights in the 900/1800 MHz and 2.3/2.5 GHz bands.

Operators quoted in the reports did not specify when LTE services will be made commercially available. SingTel, StarHub and M1 have conducted or have ongoing LTE trials.

SingTel noted that the availability of 4G-compatible devices such as dongles and handsets is a key factor influencing the rollout of LTE services. An Ovum analyst ZDNet Asia spoke to last year predicted that 4G handsets will only be available in the mass market in 2012.

A Gartner report in October 2010 estimated that the 4G standard will only be a mainstream reality in five to 10 years.

The IDA in October last year awarded the country’s remaining unused 3G spectrum lots to three local carriers–SingTel, M1 and StarHub–for S$20 million (US$15.6 million) each.

Huawei sues Motorola over sale to Nokia

Chinese telecom equipment maker Huawei is suing Motorola, claiming the American company will illegally transfer its trade secrets in the proposed sale of its wireless business unit to Nokia Siemens.

Huawei filed the lawsuit in the U.S. District Court in Illinois. The company seeks to stop Motorola employees and information associated with Motorola’s UMTS and GSM equipment businesses from being transferred to Nokia Siemens Networks. Motorola announced in July 2010 that it plans to sell its entire wireless infrastructure business, which includes products it sells for 3G wireless networks, in a deal that is worth about US$1.2 billion.

Huawei argues in its complaint that the transfer of Motorola assets to Nokia Siemens would cause “the massive disclosure of Huawei’s confidential information to NSN, with irreparable harm to Huawei”. Specifically, the company argues that a large number of Motorola employees, who will be transferred as part of the deal to Nokia Siemens, have direct knowledge of Huawei’s confidential information.

Neither Motorola nor Nokia Siemens has responded to the lawsuit yet.

Motorola has been reselling Huawei radio access gear for GSM and UMTS wireless networks since 2000. As part of this relationship, Motorola employees have been trained to sell and troubleshoot Huawei’s wireless products. Nokia Siemens also makes and sells GSM and UMTS gear that competes directly with Huawei’s equipment.

“The entire intent of filing the injunction is to prevent our intellectual property from being handed over to one of our competitors on a silver platter,” said Bill Plummer, a vice president of external affairs for Huawei.

Plummer said that Huawei has tried to negotiate with Motorola since the deal was announced, but so far Motorola has not provided assurances to Huawei that its intellectual property will be protected once the deal is complete.

This is the first time that China-based Huawei has initiated legal proceedings against a U.S. company. However, Huawei has been the target of lawsuits by others. Several years ago, Cisco Systems sued the company for infringing on its patents for IP network equipment. The suit was eventually settled. In June, Motorola sued Huawei for supposedly stealing its trade secrets as part of a corporate espionage case. The legal action follows a suit from 2008 in which Motorola sued five former employees for sharing information with IP networking firm Lemko, headquartered in Schaumburg, Ill., where Motorola is also located. Lemko has a reseller agreement with Huawei.

Congressional leaders have also tried to block the sale of Huawei’s telecommunications products to U.S. wireless operators over security concerns.

But Huawei representatives say the company respects intellectual property and is simply defending its own trade secrets with this lawsuit.

“As a global technology leader with a rich IP and patent portfolio, Huawei respects the rights of intellectual property holders and is equally committed to the protection of its own innovations and intellectual property,” the company said in an e-mail statement. “Nearly half of Huawei’s 100,000 plus employees are engaged in research and development and Huawei allocates an average of 10 percent of all revenues to research and development annually. By the end of 2010, Huawei had applied for 49,040 essential patents on a global basis.”

This article was first published as a blog post on CNET News.

New Windows Phone 7 jailbreak tool coming soon

While Microsoft may have put the kibosh on the first jailbreak for the Windows Phone 7 platform, another one is on the way.

Developer Julien Schapman, speaking to blog Winrumors, outlined his plans to release a Windows Phone 7 “Device Manager” that will let users do things like side-load applications, explore the phone’s file system, add custom ringtones, and manage applications. In other words, a handful of things the device does not currently offer out of the box.

Schapman said the software would be released following Microsoft’s first software update, which is expected next month, so as to keep Microsoft from closing the loophole which is being used for the unlock. Schapman also said that his solution gets around one of Microsoft’s built-in security measures, which would phone home to verify the software, and re-lock the software if it found any differences. This check occurred every two weeks, forcing users to re-run the unlocking software each time it happened.

If launched, Schapman’s solution would be the second jailbreaking tool to be made available for the Windows Phone 7 platform. The first, ChevronWP7, was released in late November, and was pulled down just days later at the request of Microsoft, which had contacted the three-man development group about “officially facilitating home-brew development” on the platform. In early January, the ChevronWP7 creators also announced that Microsoft planned to close the exploit the team had been using, as part of the first system software update.

Earlier this week, famed PlayStation 3 and Apple iOS hacker George Hotz had announced that he intended to jailbreak the new Windows phones. Microsoft responded by offering to provide Hotz with a device, encouraging him to “let dev creativity flourish”.

This article was first published as a blog post on CNET News.

Motorola Mobility needs to aim for stability

Motorola Mobility is seeing an upswing in fortunes due to its close ties with Google’s Android mobile operating system (OS), but the company still needs to aim for continued stability in its performance amid growing pressures from rival mobile makers chasing after the same pie, note analysts.

Bryan Ma, associate vice president of client devices at IDC Asia-Pacific’s domain research and practice groups, said Motorola Mobility–the consumer device division spun off from Motorola on Jan. 4 this year–is showing “encouraging signs of revival” in recent times.

Elaborating, the analyst pointed out that Motorola Mobility’s decision to ditch its own development plans and align its smartphones with Google’s Android OS has “picked them back up”. The smartphone maker reported in an earnings call last October that its mobile device business posted a profit for the first time since 2006, largely driven by Android-based device sales. In numbers, Motorola witnessed a US$3 million operating profit in the third quarter of 2010, compared to a loss of US$183 million in the same quarter last year.

Ma said in a phone interview with ZDNet Asia that the decision to go with the Android platform shows Motorola is learning from its mistakes, and has avoided becoming a “one-hit wonder” in the industry with its Razr handset which was sold in 2005.

“Because the mobile market evolves so quickly, they have learnt that it is not enough to produce a handset with mass appeal and then market it in several new colors to generate revenue,” the analyst said.

Other analysts ZDNet Asia spoke to agreed.

Tony Cripps, principal analyst at Ovum, said Motorola Mobility’s wholesale adoption of Android was a “pragmatic decision” after it had previously “wasted considerable time and money on its own, largely unsuccessful, smartphone platform strategy”.

Gerald Tan, GfK Asia’s regional account director for IT and office, noted that within Southeast Asia itself, the Android platform is enjoying “huge success” within the smartphone category. Compared with six months ago, Tan said the proportion of Android-powered smartphones grew 9 percent to a double-digit share of the region’s overall mobile OS market.

“In fact, the major brands that adopted Android OS all saw significant growth in market share within the smartphone segment,” he added.

Motorola challenged in Android realm
Therein lies the problem, though.

Cripps noted that while the move to power its handsets with Android has paid off for the company, Motorola Mobility faces “immense competition” from other Android OEMs (original equipment manufacturers) for customer attention.

Furthermore, consumers perceive considerable value from the vertical integration between devices, services and applications, he added, noting that Motorola may find it difficult to compete with other OEMs that have tighter integrations and the ability to publish more content for their customers.

HTC, for example, is an OEM that is investing heavily in Android as well, Ma pointed out. The company also offers its HTCSense.com service, which allows users to save their text and e-mail messages and offers security features such as remote wipes.

Despite these challenges, Ma said Motorola Mobility’s seemingly close ties with Google will stand it in good stead. This can be seen through its Xoom consumer tablet, unveiled during the Consumer Electronics Show held in Las Vegas earlier this month, which is powered by Google’s latest version of Android, Honeycomb, the IDC analyst said.

Cripps, too, regarded Motorola’s relationship with Google as a decisive plus. “Motorola looks like being an early adopter of the latest Android builds, so it may have an advantage over cheaper options for those seeking the latest technology,” said the Ovum analyst.

The Xoom tablet is expected to give Apple’s iPad, which is currently dominating the tablet device segment, a good run for its money. Expected to hit the markets in the first quarter of 2011, the Motorola tablet has a designed-for-tablet OS in the form of Android Honeycomb, and also boasts hardware specifications such as a dual-core processor, front- and back-facing cameras and an HDMI socket to boot.

Stability-first strategy needed
The analysts, though, called on Motorola Mobility to capitalize on its resurgence to stabilize its previously volatile business.

Cripps, for one, is expecting the company to be a “more consistent performer” from now on, but warned that the company should not be harboring thoughts of reclaiming its former position of second-ranked handset manufacturer in terms of shipments.

The analyst explained that there are now better-funded, more ambitious rivals such as Samsung and Apple in the ascendency, and major Chinese OEMs are also making good strides.

“Getting the fundamentals right is paramount for Motorola Mobility following its extended period of instability,” he urged.

Similarly, Ma acknowledged that the company has “many balls to juggle” but it should be looking to sustain its current upswing and stabilize its business.

The IDC analyst said several factors will aid the company in its goals, pointing to Motorola Mobility’s technical know-how, good brand name and, following its split from Motorola’s networking business, some financial staying power.

Third-party blamed for Windows Phone 7 phantom data use

The culprit behind some mysteriously high cellular data usage by Windows Phone 7 devices has been attributed to a third-party service, and not necessarily the software OS itself, Microsoft said on Wednesday.

The “phantom data” problem, which has left some users burning through their monthly cellular data allotment in short order (even when they were connected to Wi-Fi), was addressed by the software giant last week. Microsoft pledged that it would begin an investigation into the matter, though it had not yet provided an update.

Speaking to the Seattle Post Intelligencer, a Microsoft representative said the company had figured out what it believed to be the cause of the heavy data downloads, which it attributed to an unnamed third party.

The company also said that it was at work on ways to fix the problem, which had affected only a “small” percentage of Windows Phone customers. The spokesperson said in a statement, “We have determined that a third-party solution commonly accessed from Windows Phones is configured in a manner that potentially causes larger than expected data downloads. We are in contact with the third party to assist them in making the necessary fixes, and are also pursuing potential workarounds to address the configuration issue in case those are needed. At this point in our investigation, we believe this is responsible for most of the reported incidents.

“We are investigating additional potential root causes for the remainder of the reports,” said the spokesperson. “A small (low single-digit) percentage of Windows Phone customers have reported being affected. We are continuing to investigate this issue and will update with additional information and guidance as it becomes available.”

Assuming Microsoft can work out the leaky data issue with the unnamed third-party, the problem could be fixed without the need for a system software update. The first update for Windows Phone 7 is headed to carriers for testing later this month.

This article was first published as a blog post on CNET News.

Microsoft’s OneNote Mobile arrives on the iPhone

In an important step towards making its note-taking and notebook-authoring service available in more places, Microsoft today has released a pocket-sized version of its OneNote application for Apple’s iOS.

The software lets users make things like bulleted lists and checklists, as well as grab and insert photos from the user’s photo library or the camera app. All these things can be combined into one note with a slightly modified version of the iOS keyboard that adds feature shortcuts just above the keys.

OneNote Mobile for iOS shares a similar feature set to its cousin on Windows Phone 7, both in its authoring tools, as well as the capability to sync up to Windows Live SkyDrive. This means users can pen notes within the app, sync up, then continue working on them through the OneNote software back on their PC–and vice versa.

In a call with ZDNet Asia’s sister site CNET about the app on Tuesday, Jason Bunge, who is the senior director for Office Product Management at Microsoft, said SkyDrive sync works just like it does on Windows Phone 7, but that everything else about the app has been made to fit in and feel like a standard iPhone app.

“We certainly optimized each app for the device that it runs on,” Bunge said. “So if you go and download OneNote for the iPhone today, it will feel like an iPhone app, just as if you look at Office Mobile on the Windows Phone and the OneNote experience on that device, it absolutely feels integrated with that Windows Experience.”

OneNote currently has some 80 million users in the U.S., all of which are coming from the company’s Office software on the PC. And as for why it’s arriving on iOS before the more well-known Office applications like Word, PowerPoint, or Excel, Bunge said it’s a better fit for the needs of the mobile office worker.

“We absolutely want to make sure we’re delivering the right mobile experiences to our broad Office customer base, and note-taking absolutely popped to the top,” Bunge said. “We also know from Windows Phone 7 use, that note-taking ability in that app is one of the most-used Office features, so for us this was a natural priority, frankly, to address user needs and feedback,” he said.

Microsoft plans to charge for the application, but as part of a limited time offer is making it available as a free download. How much it will cost, and when the free offer runs out, the company has not yet said.

OneNote joins a select handful of other iOS apps made by Microsoft, like Bing, Wonderwall, Windows Live Messenger, Tag Reader, and the now-retired Sea Dragon app, which was the company’s first iPhone effort. When OneNote’s price does–eventually–go up, it will be the first paid application in Microsoft’s portfolio.

Update at 10:32 a.m. PT: We’ve just heard the application is currently available only for U.S. App Store users. No word yet on if, or when it will be available in other markets.

This article was first published as a blog post on CNET News.

RIM speaks on PlayBook’s future

Research In Motion has yet to deliver its BlackBerry PlayBook, a standalone Wi-Fi connected tablet announced in September, into buyers’ hands. But the company still took the opportunity of CES 2011 in January to unveil its plans for the second wave of PlayBooks, which include a 4G version bound for the US.

However, high-speed 4G networks–also known as LTE–are not expected to be up and running in the United Kingdom until at least 2015 due to operators’ narrow profit margins and the infrastructure costs required for the new technology.

Given this time lag, ZDNet Asia’s sister site ZDNet UK caught up with senior product manager Alex Kinsella at CES in Las Vegas to discuss RIM’s tablet plans closer to home, and to find out what the company expects to gain for the PlayBook from its acquisition in December of user interface design and integration specialists The Astonishing Tribe.

Read more of “RIM speaks on PlayBook’s future in the UK” at ZDNet UK.

Will Windows Phone 7 apps smile for the camera?

One of my favorite features in Apple’s iOS is the quietly-hidden capability to take screenshots. Back when I was doing deep dives on iPhone apps for stories, the feature was just there, and it worked.

Outside of CNET, it let me do things like grab pictures from sites and put together quick step-by-step how-to guides for friends and family, turning the device into less of a consumptive tool, and into something that would help me get work done without a computer.

But in the past few months of me putting Microsoft’s Windows Phone 7 through its paces as a primary device, I’ve been missing the feature dearly. So naturally, I asked Microsoft if it was on the short list of features to be added later on down the line.

The short answer? No.

“I have never sat in a user group–and I sit in a lot of user groups, a lot of retail groups–I’ve never heard an end user go ‘why can’t I take a screenshot of that?’” Aaron Woodman, director of Microsoft’s mobile communications business, told ZDNet Asia’s sister site CNET in an interview at the Consumer Electronics Show (CES) last week.

Well ahead of a screenshot tool is a laundry list of features Microsoft plans to add, including the ones competitors have already put out, which Woodman referred to as “gaps”.

“One of the reasons that personally pulled me over to the Windows Phone space was that there’s a lot of choices to make,” Woodman said. “It’s not like we didn’t know copy and paste was a feature that people could potentially want, it’s a question of how important it is to the user experience. When can you get to it?”

According to Woodman, it’s also not always the users who help Microsoft determine which features need to be fast-tracked. “We do a lot of things for reporters,” Woodman said. “I would argue things like the Mac connector software–the software that lets you take your Windows Phone and connect it to an Apple PC of some form, and basically pull over music from iTunes and photos and that kind of stuff–it wasn’t built because we thought there was a significant market opportunity for Mac loyalists out there who were dying to buy a Windows Phone. It was built because reporters would show up with Macs,” Woodman said.

The other half of the equation, Woodman explained, is that developers who wanted to take screenshots of their applications have had the means since the introduction of the Windows Phone 7 SDK. “There’s a ton of ways to do it within the emulator, so application developers have no problem with that,” Woodman said.

If you’re thinking to yourself, “this is a niche feature”, look no further than Damn You, Auto Correct, a site that popped up back in October of last year and is now up to more than 1,300 posts containing unintentionally humorous instances of the iPhone’s autocorrect feature gone wrong, snapped and sent in by users.

However, something that would let you snap photos of text conversations is one thing. Where Woodman said some problems could arise is with capturing certain types of content if there’s copy-protection involved.

“The reality is, we have a DRM requirement for our marketplace, which makes things like HDMI and those types of things out, more difficult,” Woodman said. “We’ve made a choice to have a more protected set of content on the phone and available to consumers, so we do have restrictions within that,” he said.

What that would mean for such a feature is that you wouldn’t be able to snap a shot of what you were doing if there was a copy protection layer in place. This is similar to what Apple does with the built-in screen grab software in Mac OS X when movies are playing inside the DVD player application.

Woodman said the feature could end up in a future build of the OS software though. “Not that we couldn’t technically do it. I mean, at the end of the day it’s software,” he said. “We could definitely choose to do screenshot capabilities if you’re not in these three experiences.”

Windows Phone 7’s first software update since its launch late last year is just around the corner. Besides the addition of copy and paste, you can find out more about what kind of benefits it will bring to things like application load times and the Marketplace search tool in our other chat with Woodman from last week.

This article was first published as a blog post on CNET News.

RIM security access appeases Indian authorities

BlackBerry smartphone manufacturer Research In Motion has provided the government of India with access to data sent using its BlackBerry Messenger and BlackBerry Internet Service email in a bid to avoid the services being blocked in the country.

Research In Motion (RIM) announced last week that it had reached an agreement with the Indian authorities to provide access to consumer e-mail and messenger services but reasserted that it has not granted access to services using its BlackBerry Enterprise Server, which it classes as “essentially a VPN”.

“We are pleased to have delivered a solution well before a mutually agreed milestone date of January 31, 2011,” the company said in a statement. “We also wish to underscore, once again, that this enablement of lawful access does not extend to BlackBerry Enterprise Server (BES).”

Read more of “RIM security access appeases Indian authorities” at ZDNet UK.

LG rep: Windows Phone 7 launch underwhelmed

In an interview with blog Pocket Lint, James Choi, LG’s marketing strategy and planning team director, reportedly called the launch of Microsoft’s Windows Phone 7 late last year underwhelming.

According to the site, Choi said that while Microsoft’s handset OS was “very intuitive and easy to use”, and appealed to “certain segments”, the platform failed to live up to the company’s expectations of grabbing consumer attention.

“From an industry perspective we had a high expectation, but from a consumer point of view the visibility is less than we expected,” Choi told Pocket Lint.

That said, Choi noted that LG likes to balance out its lineup of phones on various carriers with more than one operating system, and that Microsoft had gone a long way towards helping LG to fulfill that goal.

“There is a need and demand from the operators saying there is too much ‘Android’ in the portfolio. In that sense, LG always tries to balance our portfolio, and that’s not just in sense of hardware but OSes as well,” Choi reportedly said.

Microsoft launched its Windows Phone 7 platform in Europe and Asia back in late October of last year, with the U.S. launch in the second week of November. In late December, the company announced that it had sold 1.5 million of the devices to mobile operators since the platform’s launch.

This article was first published as a blog post on CNET News.

T-Mobile performs U-turn on data cap cut

T-Mobile has backtracked on its decision to drastically cut the mobile data use allowances for existing as well as new smartphone customers, following an explosion of public anger at the move.

On Thursday, the operator said it will now only offer the reduced levels of data to new and upgrading customers, while existing customers will get the 1-3GB they signed up for until their contracts run out.

The U-turn, announced on Thursday afternoon, came shortly after the consumer group Which? said its legal team were of the opinion that T-Mobile was breaking its own terms and conditions by announcing the ‘fair use’ cap cut less than a month before it will come into force on 1 February. The cut, which will mean an 83 percent reduction in the amount of data an Android user is supposed to use each month–from 3GB to 500MB–was only announced over the weekend.

Read more of “T-Mobile performs U-turn on data cap cut” at ZDNet UK.

Mobile networks flag as backups die in Aus floods

The areas worst affected by the Queensland floods may have further problems, with mobile service outages possible if battery backups fail later on.

Mains power was cut early Wednesday morning, forcing some mobile towers to fail over to 8-hour battery backups. Some remain inaccessible, meaning Telstra technicians cannot replace their batteries.

Telstra is manning some of the most critical towers in the Brisbane central business district (CBD), and has deployed generators that can maintain power for up to five days.

If services fail, the telco may be able to reroute traffic between its functional network towers to ensure services continue.

But the network is already heavily stretched and has suffered a four-fold increase in the number of service outages.

“We’ve got battery backup so we’re not experiencing issues. That could change in eight hours when those run down,” Telstra said.

“We will replace batteries and generators as we can. Obviously we can’t get into some areas due to submerged roads and that will stay the same possibly for several weeks. It’s going to take a long time to recover.

“Our biggest issue is mains power.”

The telco is unsure what regions may have services cut because the floods have not yet peaked and conditions are changing.

In the interim, technicians are on rotation, and are replacing batteries that can still be accessed. They have also built rudimentary reinforcements to protect valuable exchanges from flooding and some technicians are even sleeping within the exchanges.

Of Telstra’s three critical exchanges, its Wollaston and Charlotte street facilities are considered safe, but a third at Edison Street is at risk because it lies in a basement.

Optus is experiencing the same issues, with some areas of the mobile and fixed Optus networks affected as of 1 p.m. Wednesday.

“As the flooding situation is changing rapidly, an increasing number of mobile sites as well as fixed network nodes are at risk due to power outages which may disrupt fixed and mobile services to customers,” the company said in a statement. As with Telstra, Optus was trying to deploy backup generators where possible.

Optus expected some disruption of 2G, 3G and business Internet services in the Brisbane CBD later on Wednesday because of the power outage. With network capacity prioritized for voice, mobile internet will also be slow. Several hybrid-fibre coaxial nodes have been impacted in Ipswich, affecting home phone and internet services to some customers.

In Toowoomba and surrounds, two mobile towers are currently without power, although there is still limited coverage being supplied by alternate towers. The mobile towers in the Lockyer Valley ran out of battery power at 9:10 p.m. last night, cutting off all mobile services. This morning, the telco deployed power generators to partially restore services at five mobile sites.

One of Optus’ Sydney-to-Brisbane fibre links has also been cut due to the floods. Services have been switched to an alternate link.

Floods have also been affecting Vodafone services. Two transmission facilities in Grantham and Withcott have experienced outages and are expected to have operations restored Wednesday afternoon. Other areas are expected to lose voice and data services due to power outages if the situation deteriorates.

The floods have also disrupted the National Relay Service, which provides telecommunications services to deaf and hearing- or speech-impaired people. Emergency services are still operating. The service was scheduled to evacuate its main call centre in Brisbane Wednesday.

Australian Communications and Media Authority chairman Chris Chapman said that his organisation was working with the service to find a dry location to host its backup server.

This article was first published at ZDNet Australia.

US senate to try again on controversial antipiracy bill

The U.S. Senate judiciary committee will take another crack at arming the government with broad antipiracy powers.

Sen. Patrick Leahy (D-Vt.), the judiciary committee’s chairman, said that the government must take action against “online criminals” who harm American jobs by obtaining the nation’s intellectual property without paying for it. Leahy made the statements as he laid out the committee’s agenda for this session of Congress.

In September, Leahy introduced legislation called the Combating Online Infringement and Counterfeits Act, which could boast bipartisan support and unanimously passed in the judiciary committee, but failed to pass in a full Senate vote.

“Online infringement costs our national economy billions of dollars every year,” Leahy said, according to a transcript of his speech. “Our intellectual property-based businesses are among the most productive in our economy and among its best employers. We cannot stand by and see them ravaged, and American consumers subjected to counterfeits. We will renew our effort this year.”

Among the bill’s supporters are the Motion Picture Association of America, the U.S. Chamber of Commerce, and the Recording Industry Association of America. Among the legislation’s opponents are the Electronic Frontier Foundation, the Distributed Computing Industry Association, and the American Civil Liberties Union, who say the bill is little more than censorship.

Under the proposed legislation, the Justice Department would file a civil action against accused pirate domain names. If the domain name resides in the U.S., the attorney general could request that the domain name in question be seized.

The bill would also authorize the attorney general to order other specified third parties, such as Internet service providers, payment processors, and online ad network providers, to take action against pirate sites. For example, ISPs could be ordered to block access in this country to file-sharing sites based overseas, or Visa could be ordered to stop processing transactions from the sites.

The legislation’s supporters in the entertainment industry say its introduction has already produced benefits. Last month, ZDNet Asia’s sister site CNET reported that Mastercard was willing to stop processing transactions from sites trafficking in pirated music, movies, games, and other digital copyrighted content and would support Leahy’s bill.

Meanwhile, others have been less than supportive. The major ISPs have yet to weigh in on the issue but some executives from the sector have told me they are skeptical of Leahy’s chances at getting his bill passed anytime soon.

This article was first published as a blog post on CNET News.

Microsoft looks into ‘phantom’ Windows Phone 7 data use

Microsoft said it’s investigating a Windows Phone 7 software behavior that has the phone slurping up cellular data, even when the phone is connected to Wi-Fi.

The cause of this data use is not yet known, but the BBC points to a handful of reports that say it is a built-in feedback tool that is essentially phoning home.

If true, this type of behavior would not be out of place compared to other smartphone operating systems. In fact, Apple’s iPhone came under similar scrutiny last year, with some users reporting large chunks of data getting sent in the wee hours of the night.

A Microsoft spokesperson said simply that the company was “investigating this issue to determine the root cause and will update with information and guidance as it becomes available”.

Several years ago, background data use would not have been as much of an issue. Within the last year, however, carriers such as AT&T and Verizon have moved away from so-called “unlimited” data plans to packages of data that can be purchased in allotments. For consumers these represent a more economical way to buy into a smartphone purchase over the course of a long-term contract, but can carry steep penalties for overages.

With some entry-tier data plans hovering in the 150MB to 200MB range, depending on which carrier the user is on, that amount can be reached quickly when normal use is mixed with this extra data polling, which is said to range from 30MB to 50MB of data per day.

Microsoft’s first big update to its Windows Phone 7 platform is set to roll out to users in the next month or so. It is not yet clear whether that update will address this issue, or whether new software will be necessary to make any changes.

Mobile advertising faces tough reception

Marketing managers should not expect mobile advertising to match the returns that can be achieved from advertising to PC users online, analysts have warned.

In spite of predictions that 80 per cent of mobile handsets sold in the U.K. will be Internet-enabled by 2012, the effectiveness of mobile advertising will be limited by several key factors, according to Enders Analysis.

Even with the boom in smartphone sales, Enders Analysis predicts that in 2015 mobile usage will still only account for less than one-third, 28 per cent, of all the time spent online.

“There isn’t the inventory in media to have substantial advertising revenues–you need the audience, you need the views,” said Enders analyst James Barford.

The small screen size of mobile devices will also continue to limit the size of adverts compared to what is possible when targeting PC users.

“Ultimately, if you’re trying to put your brand to someone, if you’ve got more space and a more interactive advert [as on a PC screen], then that should result in more revenue,” Barford said.

The relatively limited amount of time spent browsing the Web on mobile devices will also restrict the take-up of retail over mobile devices (m-commerce), an area that search-based mobile advertising could exploit.

Barford said the purchasing of more expensive products–such as financial services and holidays–is likely to remain PC-based, meaning the potential of m-commerce and associated advertising is limited.

“The search revenue on mobile will be considerably less than fixed line. Because of these big ticket items, the majority of e-commerce will still be taking place within a PC environment,” he said.

Enders analyst Ian Maude agreed there are still several obstacles to overcome before mobile advertising can match the revenues generated by other forms of advertising.

“[The mobile advertising market is] just very nascent. A lot of the creative agencies want to get into it to be seen to do the latest thing but the problem is there’s not very much money in it. And there’s certainly not much profit in it for a lot of the interactive agencies,” Maude told silicon.com.

Other factors currently holding mobile advertising back include the lack of standardisation between mobile platforms and the comparatively few ways of measuring how users are responding to mobile ads. Barford is confident these are issues that can ultimately be overcome as the mobile advertising market grows.

Despite these limiting factors, Enders predicts the amount of money spent on mobile advertising will hit £419m (US$647.35 million) by 2015, up from £46m (US$71.07 million) in 2009.

This article was first published on Silicon.com.

India snags APAC mobile ad crown

India is the largest mobile advertising market in the Asia-Pacific region with 5.8 billion impressions monthly, according to a new report.

Released Thursday by InMobi, the report showed that the Indian market grew by over 1 billion impressions over a 90-day period between July and October last year, reflecting an increase of 22 percent. An impression refers to the delivery of an advertisement to a user.

“The Indian mobile advertising market continues to show rapid growth due to the improving ad ecosystem,” said James Lamberti, vice president of global research and marketing, in a statement. “Major publishers are bringing their media into the mobile channel while brands are simultaneously discovering the power of mobile advertising.”

In addition, 3G network infrastructure improvements in the country will also help propel India to become one of the most influential markets in mobile advertising, the executive noted.

Other data revealed that smartphones “remain relatively nascent” in India’s mobile ad market, with 88 percent of all impressions served on advanced phones. Indian mobile users also favored Nokia, with the Finnish mobile maker’s devices occupying 12 of the 15 top devices.

InMobi’s co-founder Amit Gupta added: “With so many consumers using mobile devices as a primary means to digital media consumption, mobile is the complementary media channel to TV for reach extension while still maintaining a compelling brand experience that will only improve as smartphones penetrate at scale over the next year.”

Like India, Nokia-manufactured devices also took the top spot (57 percent) in mobile ad impressions for the rest of the Asia-Pacific region, according to a separate InMobi report released on Wednesday. While Apple’s iPhone was the top device, the remaining nine in the top 10 devices belonged to Nokia.

In terms of operating platforms, Apple’s iPhone OS and Google’s Android saw their share of impressions improve by 9.3 percent within the same period, although they still trailed Nokia and Symbian OS, which together accounted for 41.2 percent of the region’s impressions.

Between July and October, the region registered a 9 percent increase at just under 1 billion impressions, driven by huge increases in smartphone impressions.

Robert Woolfrey, InMobi’s director of brand sales in the Asia-Pacific region, pointed out that with the increasing adoption of smartphones in the region, advertisers are able to leverage creatively on a new platform to potentially reach millions of consumers.

“The smartphone revolution in the region will only enhance that trend in 2011,” he said.

Qualcomm buys Atheros for US$3.1B

In a move to round out its wireless and networking product portfolio, Qualcomm acquired Atheros for US$3.1 billion, or US$45 a share. For Qualcomm, the acquisition highlights a strategy to move beyond its traditional cellular market into more mainstream computing.

Word of the deal surfaced on Wednesday via reports on CNBC, the New York Times and the Wall Street Journal.

With the Atheros acquisition, Qualcomm gains access to wireless LAN, Ethernet, Bluetooth, GPS, passive optical networking and powerline technologies. Qualcomm will take those products and ultimately integrate them with its smartphone and tablet chips.

Read more of “Qualcomm buys Atheros for $3.1 billion, moving into ‘silicon beyond cellular’” at ZDNet.

Android programming’s ups and downs

As smartphones using Google’s Android operating system become mainstream, James Steele and Nelson To are in a pretty good position.

As authors of The Android Developer’s Cookbook, they’re a step ahead in a growing market, apps for the mobile device OS. Andy Rubin, the Google vice president of engineering overseeing Android, said earlier in December that 300,000 Android phones now are activated each day.

But one major issue facing programmers hoping to reach those phones today is that they have different hardware and software–a problem called Android fragmentation. Programmers must adapt their software as the operating system spreads not just to significantly different mobile phones, but also to tablets with even larger screens and to other devices including televisions, cars and music players.

Fragmentation can be a problem. But Steele also sees fragmentation from the other side: the breadth of the Android market means programmers can tackle many devices that otherwise would be far away in some other coding ecosystem.

“The structure of the Android OS helps minimize the changes required for an app to work across these platforms. It is great for a developer to have such a low threshold to be able to take advantage of this diversification,” Steele said.

Steele and To chatted with CNET’s Stephen Shankland about what Android coders can expect with Android. Here is an edited version of the conversation.

Q: Why publish an Android development book now?
Steele: Both Nelson and I have been working on Android for over two years now and we have seen the continual growth. Even more so, 2010 has been a breakout year for Android across the world. The OS and hardware have both matured with rich features, but some are still not documented well. There are many resources for learning Android but few full working examples. Our goal with the book is to provide a developer with self-contained working examples in as modular a form as possible, so they can be incorporated as-is into someone’s code.

What are the most compelling things about programming on Android?
Steele: Android is an embedded platform which has potential and momentum to go well beyond just smartphones and tablets. Being open source, it is compelling for a variety of different hardware manufacturers, for example set-top boxes and automobiles. Also, almost the entire OS is open for usage and extension. This opens the possibility for sophisticated changes as needed.

And on the flip side, what are Android’s biggest warts?
Steele: As for the biggest difficulties in creating Android applications today, we mention in the book it is the need to ensure apps work on multiple platforms and multiple code versions. Therefore, we dedicate a few sections to writing general enough code as well as discuss methods of testing…Hardware manufacturers tend to try to differentiate themselves, which makes it hard to write an app that is applicable to all platforms. We provide some advice and important techniques to minimize issues with cross-platform usability. Google is always improving feedback, now providing stack trace results [a look at what a program was doing just before it crashed] from users on applications that failed after they downloaded them from the market. Also, we are seeing many markets for applications, which could be a good thing but for now is confusing to the end user as well as developer.

How hard is it to deal with the varying screen sizes, physical buttons, processing power, and other hardware of the profusion of Android phones today?
Steele: It is a challenge Android developers should be aware of, but it is surmountable. In the book we provide concrete examples on how to ensure code is robust across multiple platforms for all the above cases.

You mention processing power, which is less of an issue now given processing power is within a factor of two, but newer devices will start to take advantage of hardware accelerators which might differentiate performance using SMP or SIMD [“symmetrical multiprocessing,” which for Android means chips with multiple processing cores, and “single instruction, multiple data,” chip features that accelerate multimedia and other processing]. This will lead to a factor of ten difference for some applications (such as 3D gaming for example), and that needs to be considered.

Also, sensors such as accelerometers and magnetometers (compasses) have various different specifications now, as we discuss in the book, but there is a push to improve the quality of these sensors and hopefully we will soon see a convergence in this regard.

How suited to multicore mobile processors is Android? Dual-core Android devices will start arriving soon. Will that be a boon for multitasking, background apps, performance of foreground apps, or other specific scenarios?
To: I am really excited about that. I think this definitely will take the Android to another level in terms of the responsiveness and the ability to handle the application switching. However, I have another concern, the battery power lifetime, considering this will consume battery power even faster than what we have. I think in the long run the battery power is something that all the device manufacturers should really focus on. In the current market, I still haven’t found any devices that can sustain power as long as the iPhone.

What features is an iOS programmer going to miss most on Android? And what about vice-versa?
Steele: I’m not sure what they will miss, but the open APIs [application programming interfaces], ability to leverage the cloud, and more computing power are things they will enjoy.

How come games on Android are so weak compared to Apple’s iOS? Processing power, APIs, developer tools, market size, developer interest, or what?
Steele: The iPhone, being introduced first, had an early lead in games and apps. But now the quality of Android apps is maturing well.

The Native Developer Kit lets programmers write software that runs at a lower level than the usual Java-like environment for Android apps. What NDK changes come with Android 2.3, aka Gingerbread?
Steele: There are more hooks for native code to manage events and surfaces. For the end user, this provides an even faster gaming experience. For the developer, it also enables a more natural port of existing C/C++ applications. Also, note more processors are coming out that support the parallelism that the NDK can offer, which will also provide large benefits.

[Surface management] applies to 3D graphics in Android. Drawing an object so that it looks three-dimensional on the screen requires building it up from simple shapes such as triangles and squares. These two-dimensional shapes are called surfaces.

If you’re writing a game, how big a deal is the fragmentation? You say that there are steps you can take for generalization, but is that something that takes 3 percent of a developer’s time? 50 percent?
To: Android provides different mechanisms for developers to leverage different kinds of screen sizes. That includes providing the different picture quality [options] inside an application, which allows it to run on the different screen [sizes], and providing layout format mechanisms. As a good Android developer, this work has to be taken as part of their fundamental design spec. This can take up to 5 percent to 10 percent of the whole project effort.

What features within Android 2.3 are likely to be most interesting to programmers?
To: I think one of the most significant improvements in 2.3 is they provide a way to access the native code without going through the JNI [the Java Native Interface mechanism for linking Java programs to other software]. Another feature provided in 2.3 is the SIP [session initiation protocol] stack and framework API [application programming interface] which allow developers to develop the SIP application (Internet telephony application) a lot easier.

If you’re a Java programmer, how hard is it to learn to code for Android?
Steele: We wrote the book assuming the user has a basic familiarity with Java. However, a programmer with no background in Java will pick things up very quickly. On the flip side, as mentioned in the book, Android is not Java. Someone very familiar with Java and especially J2ME [Java 2 Mobile Edition] may feel frustrated to realize things are sometimes done differently, but still it will be easier than learning a new language from scratch.

What are you going to do with your book now that Gingerbread is out, presumably with bigger changes coming in Honeycomb?
Steele: The feedback has been very positive so far on the Android Developer’s Cookbook. People really like the format to allow them to jump in and start using recipes in their own apps and also on how current it is compared to other books available. There will always be changes to the OS, but this book provides the foundation to utilize the incremental updates.

In your conversations with developers, have you heard complaints that the 24-hour return period for paid Android apps is a problem? Google is changing it to 15 minutes.
To: I happened to talk to a couple Android developers about the return policy on the Android Market. They feel frustrated that the return rate on the applications is extremely high. One of the reasons is the way the Android Market allows users to return [apps] is way easier than the return policy on the iPhone.

One neat thing about Android is the ability to hand off a task to another app on the phone–for example, clicking the share button can plug into Facebook, Twitter, and Gmail, or tapping a link can launch a choice of browsers. But can this turn into an ugly mess, where there’s a huge list of applications all trying to vie for the user’s attention? What’s the best way for programmers to help keep things tidy?
Steele: This is a great feature of Android. Virtually any function served by the OS can be replaced by a third-party application. We mention in the book how to do this using intent filters. Then when users are provided the choice, they are offered a chance to choose a default method of servicing such intents in the future.

How truly open-source is Android? It seems like it’s written in-house at Google for the most part, with periodic code dumps when the new versions are released. If you’re a manufacturer, do you have better access to the planning and code under development? Do you have to join the Open Handset Alliance to get that influence and access?
Steele: Manufacturers do make their own changes on top of Android to differentiate themselves. These benefits of open source will also be a benefit to Google TV when it is made available.

How good is Android today for tablets? What changes do you think would make Android better for tablets?
Steele: Android already works well for tablets. The HD video and large-screen support are key.

Will we ever see the fragmentation issue ease with Android? Is there anything that can be done about it? I see games with lists of which devices they’ll run on (confused greatly by the different device names in different countries), discussions about testing on multiple devices, and Rovio Mobile planning to release two separate versions of Angry Birds to deal with low-end and high-end processing abilities. So clearly it’s an issue, even if it’s not enough of an issue to stop Android growth.
Steele: The Android Developer’s Cookbook provides some important examples of how to generalize apps to multiple platforms. As a developer, I would rather spend a little extra time to take care of the different devices out there and reap the benefits of the larger distribution of my apps.

This article was first published as a blog post on CNET News.

Enterprise developers want strong platform support

As more mobile platform operators are positioning their operating systems (OS) to support enterprise applications alongside consumer ones, they will have to focus on providing an up-to-date software development kit (SDK) as well as a strong, active support ecosystem, developers noted.

Tan Hua Koon, chief operating officer (COO) of Orange Gum, a Singapore-based short message service gateway provider that customizes apps across various mobile platforms such as Research In Motion’s (RIM) BlackBerry OS, Apple’s iOS and Google’s Android OS, pointed out that having an active developer community helps cut app development time significantly.

This is because fellow community members would, for instance, post up sample codes and explanations of why certain lines of codes work and others don’t, which reduces one’s time used for testing an app, he told ZDNet Asia during a phone interview.

He cited RIM’s BlackBerry Developer Zone as an example of how an active developer community should be, pointing out that it is “easy to navigate, has complete code documentation and is always moderated”. Additionally, Tan gave the thumbs-up to how the company extends a personal touch to its developers. The executive, who is a BlackBerry Alliance member, said a business development manager from RIM would contact him periodically for his feedback and to enquire whether he has encountered any problems working on the platform.

“The personal touch is one of the things I like about developing for the RIM platform, as support is just a phone call away and [the BlackBerry maker] provides attentive service even though we’re a [relatively] small company,” he added.

Erik van Hoof, founder and business lead of CWR Mobility’s EMEA (Europe, Middle East and Africa) region, also emphasized the need for strong developer support. His company has been developing CRM (customer relationship management) apps for Microsoft’s Windows Phone 7 and Windows Mobile platforms as well as for the iOS and BlackBerry platforms.

Zooming in on the company’s experience developing for Windows Phone 7, he added that while the SDK for the OS is new, the “underlying Silverlight and .Net frameworks are widely used and have a very big community support”.

“We have not run into any issues that were not already discussed and solved within the developer community,” van Hoof said.

Van Hoof also noted that, in general, the tools for developing for Windows Phone 7, Microsoft’s latest mobile OS, are “far superior” to any other platforms the company has worked with, adding that Visual Studio 2010 is the “most advanced development environment available today”. Visual Studio is Redmond’s integrated development environment (IDE) tool that allows developers to code for its mobile platforms, the Web, SharePoint and Windows OS.

As enterprise applications are more complex than smaller consumer apps, team collaboration, unit testing and debugging, among other processes, are much more important, and Visual Studio provides the necessary environment for the company to develop its apps on, elaborated van Hoof.

He added that with Linq and other .Net-based libraries, working with data coming from enterprise systems is “a breeze”. “When developing for platforms like iOS or BlackBerry, a lot of the parsing needs to be done manually and that takes a lot of time to develop [an app]. Such parsing is [also] very sensitive to errors,” he noted.

Mobile operators’ enterprise focus
Asked if they had included any tools that are catered to developing for enterprise apps, platform operators told ZDNet Asia that while certain enhancements were made to existing SDKs for the enterprise environment, the tools provided are generally the same, whether the apps are for consumers or business users.

Microsoft, for one, has streamlined the process for existing Windows developers to build apps for its Windows Phone 7 platform.

According to Chris Chin, developer marketing director for Microsoft’s mobile communication business in the Asia-Pacific region, developers can make use of its new Express SKU (stock-keeping unit) for Visual Studio 2010. He explained in an e-mail that for developers already using the latest version of the IDE tool, there is a file within the SKU that will install only the components required to build for Windows Phone 7. These components include the Windows Phone emulator and templates for coding Silverlight- and XNA-based apps, among others, he pointed out.

Nokia, too, said that it is providing APIs (application programming interfaces) for developers to integrate security features into mobile devices that will allow administrators to have full control of the device in “sensitive environments”.

Gary Chan, Nokia’s head of developer relations for Southeast Asia and the Pacific, said such APIs are based on its Qt development framework, which the Finnish phonemaker had recently made the default coding tool for internal and third-party developers. Qt allows apps to run across its Symbian, Maemo and MeeGo devices.

“Qt represents a move toward a higher level of developer productivity and maximum code reuse, which translate into a code reduction of approximately 70 percent lines of code to create the same app compared with developing using the previous Symbian C++ framework,” he noted.

RIM, on the other hand, said there are no specific developer tools that target either consumer or business apps. Andrew Vardon, head of alliances at RIM Asia-Pacific, instead pointed out that the Canadian company has opened up APIs around “location, advertising, and its BlackBerry Messenger instant messaging service”.

“This way, if a developer wishes to integrate these features into an enterprise app, he or she can do so,” he added.

Vardon also said that the company’s PlayBook tablet device, which is aimed at the enterprise space, is a “big opportunity” for enterprise developers. He noted that RIM has opened up APIs, such as the SDK to develop Adobe Air-based apps, for developers since the announcement of the device in September.

Rival mobile OS operator Apple declined comment but pointed ZDNet Asia to two enterprise developers who had built apps for its iOS platform, but they were not able to comment as well. Google, too, could not respond to the questions in time.

China clamps down on Web telephony

The Chinese government is clamping down on Internet telephony services in the country, a move that could trip up players such as Skype, according to news reports.

The Ministry of Industry and Information Technology (MIIT) announced a crackdown on “illegal” voice-over-Internet Protocol (VoIP) services in China in a circular released earlier this month, AFP reported on Thursday. It did not say when the ruling will take effect, the news agency added.

Xi Guohua, vice minister at MIIT, noted only state-owned major Chinese telcos were licensed to provide PC-to-phone services, AFP said, citing the Beijing Morning Post.

According to him, China Telecom and China Unicom have licenses to provide PC-to-phone services in four cities on a trial basis. The government is considering an expansion of the program, he said.

PC-to-PC communications, Xi pointed out, remained open to all service providers in the country.

Kan Kaili, a professor at the Beijing University of Posts and Telecommunications, told AFP the decision was to “protect the interests of state-owned monopolies”. VoIP services, which offer a cheap alternative for long-distance calling, have impacted the margins of carriers’ international call services, he explained.

The government, he added, could also be attempting to block VoIP services such as Skype which use encryption that makes communications difficult to monitor.

A Skype spokesperson ZDNet Asia contacted did not comment specifically on the development, but noted in an e-mail that users in China can currently access Skype via TOM Online, the majority stakeholder in the two companies’ joint venture. TOM Online is the Internet business division of TOM Group, a leading Chinese-language media corporation, its Web site stated.

According to the spokesperson, TOM Online offers local versions of Skype for Windows and Mac operating systems as well as mobile platforms such as Symbian and Windows Mobile.

He added that the Luxembourg-based VoIP service provider has around 25 million concurrent users logged into Skype globally at any given time, but could not state the numbers for China.

Governments’ rising intervention
Earlier this year, Indian authorities were said to have security concerns over services offered by Google and Skype. This follows the Indian government’s threat in August to shut down BlackBerry services offered by Research In Motion (RIM).

China’s move comes at a time when Net usage in the country is growing rapidly. As of end-November, China’s online population hit 450 million, with around one in three Chinese having accessed the Internet. This represents a year-on-year jump of 20.3 percent, Chinese news agency Xinhua reported.

Nokia Siemens’ Motorola buy hits delay

Nokia Siemens Networks (NSN) is expected to delay its purchase of Motorola’s wireless network infrastructure assets after the company disclosed it has not obtained the necessary regulatory clearance for the deal.

In a statement Tuesday, the Finnish-German company said the Anti-Monopoly Bureau of China’s Ministry of Commerce is still reviewing the proposed transaction. The US$1.2 billion deal was announced in July, and had been originally targeted to close by year-end.

Rajeev Suri, CEO of Nokia Siemens Networks, said in the statement the delay was “disappointing”, but added that the company expects to finalize the acquisition in early 2011.

“We are continuing to work closely with the authority in China to finalize the clearance process in that country,” he said. “We recognize its efforts in addressing this case as a matter of importance.”

According to NSN, the deal has been given the green light by antitrust authorities in the United States, European Union (EU), Brazil, Japan, Russia, South Africa, Taiwan and Turkey. The EU approved the deal two weeks ago, news wire Reuters reported.

Motorola had announced in February it would split into two separate companies in 2011–one for its mobile devices and home entertainment technology and the other comprising its networking and enterprise mobility businesses. The company confirmed in a statement on Nov. 30 that the separation will be formal from Jan. 4, 2011, with the businesses renamed Motorola Mobility and Motorola Solutions.

NSN said around 7,500 employees from Motorola’s public carrier wireless network infrastructure business are expected to join the company when the transaction closes. Research and development sites in the U.S., China and India owned by the Motorola division will also be transferred to NSN.

Apple sued for mobile app privacy breach

Apple is being sued by a U.S. resident for allowing iOS-based mobile apps that run on its iPhone and iPad devices to transmit users’ personal information to advertising networks without their permission, according to news reports.

Bloomberg, for one, reported that the complaint, which was filed on Dec. 23 in a U.S. federal court in California, alleged that Cupertino’s iPhones and iPads are encoded with identifiers, specifically the Unique Device Identifier (UDID). The UDID then allows advertising networks to track what apps users are downloading, how frequently they download content and for how long, the report noted.

Besides Apple, developers of apps such as Pandora, Paper Toss, the Weather Channel and Dictionary.com were singled out as defendants in the lawsuit. Their inclusion was based on the allegation that these apps are “selling additional information to ad networks, including users’ location, age, gender, income, ethnicity, sexual orientation and political views”, stated Bloomberg, citing the lawsuit that was filed.

The claim runs counter to what Apple professes to be doing, which is that it would review all applications submitted to its App Store before publishing them and disallow apps from transmitting user data without customers’ permission, the report noted.

Also citing the lawsuit, the Wall Street Journal added: “Apple…purports to have implemented app privacy standards and claims to have created ‘strong privacy protections’ for its customers.”

The class action, or group, lawsuit was filed on behalf of users who have downloaded an app on their iPhone or iPad between Dec. 1, 2008 and Dec. 23, 2010. The Journal went on to report that the claimant is seeking damages, restitution and an injunction that in part requires defendants to provide “notice and choice to consumers regarding defendants’ data collection, profiling, merger and deanonymization activities”.

The lawsuit was filed less than a week after the Journal had raised the issue of personal information being transmitted without users’ consent.

On Dec. 17, the newspaper had published a report stating that based on its study of 101 mobile apps for Apple’s iOS and Google’s Android mobile platforms, 56 of the apps had transmitted the phone’s UDID to other companies without users’ awareness or consent. Another 47 apps transmitted the phone’s location in some way while five sent age, gender and other personal details to outsiders.

Mobile platform operators, though, are not the only ones being scrutinized for how they protect users’ privacy. Popular social networking site Facebook is also in the spotlight, following the revelation that a data broker had been buying up user information from developers.

A November report revealed that Facebook apps were transmitting user IDs, which can be used to look up users’ names and, in some cases, the names of their friends, to at least 25 advertising and data firms. Developers who were found to be guilty of selling user information to the broker had received a six-month suspension and would have to submit their data practices to an audit in the future, according to Facebook.

Alcatel-Lucent settles US bribery charges

Alcatel-Lucent has agreed to pay over US$137 million to U.S. authorities to settle charges of bribery in Asia and Latin America.

The French telecommunications equipment maker and three of its subsidiaries channeled over US$8 million of bribes via consultants to government officials in Costa Rica, Honduras, Malaysia and Taiwan in order to win or retain contracts, according to statements released Monday by the U.S. Securities and Exchange Commission (SEC) and the Department of Justice (DOJ).

Alcatel admitted it earned about US$48.1 million in profits as a result of the corrupt payments, said the DOJ.

The payouts were carried out between December 2001 and June 2006, prior to Alcatel’s merger with Lucent Technologies.

The two agencies stated that Alcatel violated the Foreign Corrupt Practices Act (FCPA) by paying bribes to illegally win business. The payments were either undocumented or improperly recorded as consulting fees that were then incorporated in its subsidiaries’ financial statements. The company was also taken to task for inadequate internal controls which allowed the misconduct to take place.

“Alcatel and its subsidiaries failed to detect or investigate numerous red flags suggesting their employees were directing sham consultants to provide gifts and payments to foreign government officials to illegally win business,” Robert Khuzami, director of the SEC’s Division of Enforcement, said in the statement.

Alcatel, added the DOJ, also violated the FCPA by the improper hiring of third-party agents in countries including Bangladesh, Nigeria, and Uganda. Alcatel-Lucent has since eliminated the practice of using third-party sales and marketing agents for its worldwide business.

Court documents revealed that an Alcatel subsidiary won three contracts in Costa Rica worth over US$300 million through illicit means, resulting in a profit of more than US$23 million. Two consultants in the country received more than US$18 million, of which over half was passed on to government officials.

In exchange for favorable treatment, Alcatel also paid the family of a senior Honduran government official via a consultant connected with the family. As a result, the company earned US$870,000 by retaining contracts worth US$47 million.

Over in Asia, an Alcatel subsidiary paid two consultants more than US$950,000 to earn a US$19.2 million contract to supply railway axle counters to the Taiwan Railway Administration, even though neither had telecommunications experience. The sum included payments to Taiwanese legislators who had influence over the awarding of the deal, which eventually saw Alcatel reap US$4.3 million.

The SEC also indicated an Alcatel subsidiary had made payments to Malaysian government officials in order to procure a telecommunications contract, but did not offer more details.

The SEC ordered Alcatel-Lucent to pay US$45.4 million, while the DOJ imposed a US$92 million penalty on the vendor. Alcatel-Lucent will also improve its FCPA compliance program and engage a third party to monitor its compliance for three years, as well as submit yearly reports to the DOJ.

Mobile Web usage to spike with security tie-ups

Securing mobile apps and Web access from mobile devices are key to spurring the adoption of mobile Internet usage, particularly in markets such as China where mobile phone security is still an emerging market, an analyst noted. Partnerships between Internet companies and security firms will help address the security issues.

Jane Wang, senior analyst at Ovum, said that in markets such as China, mobile phone security has not been taken seriously by Internet companies and mobile device makers. However, the emergence of mobile viruses, SMS (short message service) spam and spyware specifically targeting devices such as smartphones, has threatened to compromise users’ privacy, personal information and even business-related data, she added.

“The depth of mobile applications will require more security protection than ever before,” the analyst pointed out in her e-mail. Ovum is forecasting that China’s 3G broadband connections will overtake fixed broadband connections by 2014, with mobile Internet apps becoming more abundant.

The recent partnership between Chinese Internet service provider Tencent and Russian security vendor Kaspersky Lab aims to raise user awareness of mobile security, according to Wang. This will lead to increased acceptance of mobile Internet services, she noted, adding that Tencent is the first in the industry to enter into such a partnership with a third-party security vendor.

The partnership, which was announced on Dec. 7, will see Kaspersky Lab’s mobile antivirus technology integrated into Tencent’s QQ security expert. The two companies will also work jointly on mobile security products and initiatives to further improve on existing technologies, according to the security vendor’s press release.

In the media statement, Tencent’s president of mobile value-added services division Tel Liu said: “We are fully confident that we will be able to provide users with professional and comprehensive mobile security protection by integrating Kaspersky Lab’s antivirus technology with our own.”

Beyond boosting mobile Internet uptake, though, Lynn Jin, market analyst for software research at Springboard Research, said that the tie-up was motivated by each company’s business priorities.

She told ZDNet Asia in an e-mail that the partnership is a “win-win cooperation”. For the Chinese company, this is a step toward expanding its footprint in the security arena and will help it gain the initiative in the mobile market against local competitors such as Qihoo, Jin stated.

As for the Russian company, the partnership is an attempt to wrest back market share from China-based security vendors that are all providing free antivirus products currently. “It is an opportunity for Kaspersky to gain mobile customers fast and to regain PC users due to [Tencent’s large consumer base],” the Springboard analyst said.

Asked if such partnerships hold any value beyond the Chinese market, Jin pointed out that as Tencent has no plans to venture overseas, this specific partnership will not be replicated in other markets. In general, however, partnerships between mobile and Internet service providers with security vendors “may have value” elsewhere.

Such value may be further driven by “mobilution”, a term IDC coined for a growing trend where mobile devices including smartphones and slates such as Apple’s iPad are becoming today’s desktops. Additionally, the research firm predicts more than 550 million people in Asia-Pacific alone will become mobile Internet users by 2015.

When contacted, Kaspersky Lab was not able to reply in time while Tencent did not respond to ZDNet Asia’s questions.

Skype service resumes after major outage

Skype is online again after a major outage that hit the majority of the Internet telephony service’s users.

Skype has been stabilized after engineers added extra infrastructure to the service’s communications fabric, Skype’s chief executive Tony Bates wrote in a blog post last Thursday night.

“At this stage we feel we have pretty much stabilized the network for the core services–IM [instant messenger], audio and video–and we’re running roughly at around 90-plus percent of what we’d typically see from a user load on a day like today,” Bates said in a video that accompanied the post.

Read more of “Skype service resumes after major outage” at ZDNet UK.

Why Netflix has content and Google TV doesn’t

If Google managers hope to license premium TV shows and films for Google TV and YouTube, they should do what Netflix did and “build relationships through traditional means”.

That’s the recommendation of one studio executive who was referring to a tradition that has helped forge partnerships in the movie industry for decades: doing lunch. Sounds simple, but in an industry that relies so heavily on personal relationships forged over arugula salads and sparkling water, Google’s usual data-heavy, interchangeable-executive approach doesn’t cut it. In Hollywood, it seems, Google has had a people problem.

Google managers now seem to have plenty of motivation to hit the cafes on Sunset Boulevard and do some schmoozing. Netflix’s streaming video service has jumped out to a big lead in distributing movies and TV shows online and the company continues to cut licensing deals. Earlier this month, Netflix announced it has renewed an agreement that enables it to stream TV shows from the Disney Channel and ABC.

Not only does Netflix possess more content, but the company is also far ahead in building out a distribution infrastructure. Managers at the studios and TV networks can look around and see that Netflix’s streaming service is a prominent feature on scores of Web-connected TVs and set-top boxes. These partnerships give subscribers the all-important ability to view Netflix movies on their TV sets.

Meanwhile, Google has stumbled rolling out Google TV, the software platform that debuted on Sony TVs and Logitech’s Revue Box in October. The offering is designed to enable owners to view Web video on TV sets, but so far, the largest broadcast networks have blocked it from accessing their Web shows. The software’s complexity has also helped generate mixed reviews.

Google TV on pause
On Sunday came another embarrassing headline. The New York Times reported that Google has asked several TV manufacturers, including Toshiba and LG Electronics, to postpone plans to unveil their Internet-connected sets at the Consumer Electronics Show in Las Vegas next month. Google asked them to wait until it can overhaul the software, according to the Times. Google didn’t respond to an interview request but the company has stated publicly that it is happy with the performance of Google TV.

If the software problems cause only a brief delay it may not mean much, but it’s certainly another sign that Google TV was launched before it was ready. If it was fully baked, why did the company appear so unprepared by the rejection of the platform by broadcasters?

Some in Hollywood suspect the reason is that Google didn’t know it was coming. After two years wooing the film and TV sectors, Google is still not very tuned in to the industry, said two film sector insiders who spoke to ZDNet Asia’s sister site CNET.

These same executives cautioned against naming Netflix the winner of Internet distribution, adding that there’s a long way to go in this contest. But both sources acknowledged that Netflix has had more success acquiring content thanks to the company’s big head start in the sector as well as adopting a smarter approach to Hollywood.

Ten years ago, Google was building an advertising juggernaut while Reed Hastings toiled away on the mail-order rental service he co-founded in 1997. Netflix employees have been knocking on the studios’ doors ever since.

TV networks and film studios are also more comfortable with Netflix’s distribution methods. Netflix pays to acquire material for a specific period and then streams it on demand to paying subscribers. Cable and broadcast TV have operated much the same way for decades.

In contrast, Google TV doesn’t technically need a license to present TV shows. The material is made freely available over the Web and all Google does is make it available on a TV. Boxee, a company that began offering similar software years ago, received the same kind of reception from some of the broadcasters.

For the right to present TV shows to a living-room set, cable and traditional broadcast channels pay a lot of money. That money might dry up if Google were allowed to deliver those shows without paying for them.

Rishi Chandra, Google TV’s lead product manager, has said that Google TV is just a platform, one that will offer apps, Web browsing, and more. Requiring a platform to pay for content would be comparable to charging Microsoft for enabling video viewing on its Web browser, Chandra said. He qualified that by saying Google is willing to pay to acquire content for YouTube’s paid-rental store.

The Wall Street Journal reported last month that Google is in discussions to license films from Miramax, producer of such movies as “Reservoir Dogs” and “The English Patient”. That suggests Google TV owners might get licensed content via YouTube’s rental service.

Of course, Google must first acquire that content for YouTube.

Google still a Hollywood outsider
In November 2008, CNET broke the news that YouTube was in talks to acquire feature films, and, soon after, the company signed a modest deal with MGM Studios. Google has made little progress since. To date, Google’s approach to film acquisition has been hobbled by several factors, according to multiple studio managers. Many in the film industry don’t trust the company. Some suspect Google has little respect for content or the people who create it. Finally, the search engine’s prior attempts to build ties to Hollywood were described by one executive as “disorganized.”

Some of the bad blood at the studios comes from Google’s handling of YouTube after acquiring the iconic service in 2006. The company appeared at first unwilling to do much to prevent users from posting pirated clips to the site. Then there’s the way Google, and other tech companies including Apple, have used the Internet to wrest control of digital distribution from other media categories, including print publishing and music.

The studios don’t want Google or anyone else doing that to them.

But where Google really trails Netflix is in connecting on a personal level with the studios. Google’s face in Hollywood isn’t yet defined. The search engine has sent too many different representatives to town, said one studio executive. There were Google people and YouTube people, different lawyers, agents and managers, pitching studio chiefs, the source said.

In contrast, Netflix’s content-acquisition team, including Ted Sarandos, the unit’s leader, has been based in Hollywood for 10 years. Sarandos and his team received high marks for being “good listeners” and for being persistent, the studio sources said. “They don’t come off as arrogant,” said one insider.

Google is apparently moving to improve relations with entertainment companies. The search engine has recently announced plans to step up antipiracy efforts. In September, Google hired Robert Kyncl, one of Netflix’s top content-acquisition execs to oversee its partnership program. On Monday, the blog PaidContent reported that Google has also added Malik Ducard, a senior executive from Paramount Pictures’ digital division.

One studio executive warned not to expect any quick fixes. The source said that while Kyncl and Ducard are well-liked in town, Google should look at content acquisition as a long-term goal.

“The smartest thing they could have done [initially] was to take people out to lunch and try to have a dialogue versus just coming in and saying ‘this is it,’” said the exec. “When you think about trying to [make inroads] in Hollywood, a lot of people fail out of sheer arrogance or they just don’t know how to build the relationships…You’ve got to work on it, and it’s more than just having a great product and the money. There has to be some trust.”

This article was first published as a blog post on CNET News.

VC attention shifts from green tech to Internet

After being the hot venture capital investment category for the last few years, green tech appears to be cooling off.

The National Venture Capital Association in the U.S. released results from a survey of venture capitalists and entrepreneurs which showed that only 38 percent thought energy investment would increase in 2011. Forty percent expect it to decline.

Worries about an overinvestment, or a bubble, have subsided greatly with only 28 percent of respondents seeing clean tech as “frothy” in the year ahead.

Instead, the biggest concern of overheated investment is consumer Internet, according to the survey which is done with Dow Jones VentureWire. When ranked, the consumer Internet category was the industry most venture capitalists expect to see “froth” followed by cloud computing software.

Overall, the NVCA found that both investors and CEOs of companies have more confidence going into the new year.

When VCs were asked which sector will fare better in 2011, information technology came out way ahead with 69 percent, followed by 19 percent for biotech, and 12 percent for clean tech. CEOs had a different view, saying clean tech would do slightly better than the other sectors.

There are already signs of a contraction in venture money going into the green technology area. Third-quarter data from the Cleantech Group found that total venture investing was US$1.6 billion in the third quarter this year, a 25 percent decrease from the previous quarter, although there were more deals in total.

Lower investment levels overall do not mean that VCs are moving out of green tech en masse. But they could signal a shift in how VCs finance their companies’ growth or which areas they invest in. Energy efficiency is often considered a promising area because it doesn’t require the large amounts of capital needed to build a solar manufacturing plant or biofuels refinery, for example.

One of the big questions facing all VCs is whether they will have successful exits through an initial public offering or acquisition. Thirty-four percent of the NVCA respondents thought that the number of IPOs in clean tech would increase, although few are publicly known at this point.

Compared to the IT industry, investing in energy, materials and water typically requires a lot of capital to develop the technology and it can take many years for it to be adopted into the market. That has prompted many companies to change their investment strategies by diversifying their funding sources beyond just venture capital.

This article was first published as a blog post on CNET News.

IDC: Windows Phone marketplace to be third biggest in 2011

A report by research firm IDC pegs 2011 as a big year for Microsoft’s Windows Phone applications platform, saying that the software maker is already seeing faster growth in terms of its app library than competitors, and could even grab the third spot in terms of overall app volume by mid-2011.

IDC analyst Al Hilwa’s research on mobile momentum, which was picked up by eWeek, notes that Microsoft’s Windows Phone 7 Marketplace reached 4,000 apps in two months’ time–a feat that took Android some five months after its launch (from October 2008 to March 2009). At that pace, Hilwa conjectures, Microsoft could be in third spot behind Apple and Google, beating out rivals like Research In Motion (RIM) and Nokia in terms of app volume by mid-2011.

There are some details to note with these claims, the first one being that the app development scene is very different from where it was in 2008, as is Microsoft’s market penetration. In fact, on Tuesday we got a clearer picture of that, with the company announcing that it has sold more than 1.5 million Windows Phone 7 handsets worldwide. Now that’s not a precise number of how many users have made actual purchases yet, but it does very handily beat out the 1.5 million G1 Android phones (the first Android phone to hit the market), which took six months to sell.

Coming back to the development side though, developers now have a much stronger, and deeper set of tools available for them than they did two or even three years ago. And companies like Microsoft, Apple, and Google are going to greater lengths to get developers to code an app or a game for their platform. Leading up to the release of Windows Phone 7, Microsoft did this extensively, offering developers prime real estate in the Marketplace app–something that can bring a big boost to sales.

Microsoft also stands to have what could be a larger impact on the types of games and media applications that are able to run on its platform with the continuing development of Silverlight, a technology that makes up part of the Windows Phone 7 SDK, and something that could become a big differentiator in future iterations of the platform.

This article was first published as a blog post on CNET News.

Google to deliver Android 2.3 Gingerbread for Nexus One

Android 2.3, also known as Gingerbread, will soon be available for Nexus One handsets, according to Google.

Nexus users will be able to upgrade from Android 2.2, known as Froyo, via an over-the-air (OTA) update, according to a post from the company’s official ‘GoogleNexus’ Twitter account on Monday.

“The Gingerbread OTA for Nexus One will happen in the coming weeks. Just hang tight,” the announcement from GoogleNexus reads. Google did not announce any specific timescale for the update.

Read more of “Google to deliver Android 2.3 Gingerbread for Nexus One” at ZDNet UK.

Motorola’s ITC complaint against Microsoft to be heard

If there’s any coal in Motorola’s stocking this year, it could be from Microsoft.

Reuters is reporting that the U.S. International Trade Commission (ITC) has agreed to hear Motorola’s case against Microsoft, which it filed in late November.

Handset maker Motorola Mobility, which Motorola plans to spin off next year, filed its complaint against Microsoft due to the company’s use of Motorola patents in its Xbox game console. Included in those patents were things like wireless networking and video decoding.

Motorola is seeking an exclusion order, as well as a cease and desist order against Microsoft in order to keep its game systems from being imported into the U.S.

The ITC notes that the case still needs to be assigned to one of its six administrative law judges before a hearing can be scheduled. Whatever decision is made by that judge then gets reviewed by the commission, a process that can take up to 45 days after the hearing takes place.

This article was first published as a blog post on CNET News.

South Korea positions for digital healthcare push

Driven by large investments in healthcare IT, South Korea is on track to bring the concept of ubiquitous health, or U-health, to reality, according to Frost & Sullivan.

The company’s research analyst, Amritpall Singh, said in a report released Tuesday that under the nation’s projected U-health system, a patient’s body vital statistics can be monitored continuously from an environment away from the hospitals. Diagnostics for blood sugar content, blood pressure and body weight can be monitored and recorded based on everyday common routine, he added.

The U-health system also enables physicians to perform “real-time monitoring” of patients’ vital signs and lifestyle patterns to identify the possible onset of diseases and focus entirely on disease prevention, Singh added.

This adoption of a U-health system will allow South Korean hospitals to minimize their long triage processing times and realign their roles to focus on treating chronic diseases, the analyst pointed out.

“With the amount of information collected from the patient’s daily routine, it is far easier for the physician to react with a treatment plan,” he said.

Besides better diagnoses and treatment, investing in healthcare IT–which is the foundation upon which U-health is built–becomes an “enabler” for countries such as South Korea to expand their current infrastructure, Singh pointed out. Such investments mean that the government will not need to build bigger hospitals or increase the number of beds to cope with the challenges of managing an aging population, he added.

To turn its U-health concept into reality, the South Korean government has been encouraging more hospitals through subsidies and policies to adopt the electronic medical records (EMR) system, which is an integral pillar of the system, the analyst said. Additionally, in 2009, it pledged US$151.5 billion to strengthen its competitiveness in the IT sector, according to the report.

Private-sector interests have also been encouraging, Singh noted. Last year, General Electric announced a US$6 million plan, spanning over five years, to build a U-health research and development (R&D) center in South Korea’s Incheon free economic zone, he pointed out.

Challenges ahead
While the healthcare infrastructure is receiving financial support, Singh said achieving an integrated healthcare system in South Korea is not without its challenges.

Given the advanced nature of the technology involved in healthcare IT, the country faces a shortage of IT professionals, the analyst noted. This is because more university students are enrolling into more lucrative courses such as business and management, and this trend may eventually slow down the expansion of the local healthcare sector.

To address this, the government has resorted to recruiting foreign IT talent as well as offering specialized IT-related courses through its Korea Advanced Institute of Science and Technology (KAIST) center, he said.

Another roadblock hospitals are facing is the need for integration across existing hospital systems, and he urged the government to step in. He explained that hospitals may find it “extremely difficult” to manage the integration while maintaining the relevance of various technologies and applications that will be used by healthcare professionals.

To date, South Korea’s U-health system remains in its infancy stage. However, Singh expressed confidence that with the right technologies and platform for development, the nation will have a fully-integrated healthcare delivery model by 2015.

In a separate report released in October, Frost & Sullivan projected that 90 percent of a country’s healthcare budget is spent on only 30 percent of its population. Pointing to technology as a driver of healthcare advancements, the research firm predicted that revenue for the global telehealth services market would increase to US$9 billion by end-2010.

Apart from South Korea, other Asian economies such as China, India and Singapore are also looking to drive their respective IT healthcare market.

Service plans to evolve with increasing Web-connected devices

As more 3G-enabled devices enter the market, mobile users looking to own Web-connected devices are strapped with multiple data plans due to the way service providers currently charge. However, this may change in the future when telcos evolve to provide a universal data plan or more flexible mobile plans that can be shared by many devices, industry analysts note.

In a phone interview with ZDNet Asia, Craig Skinner, senior consultant at Ovum, said most telcos today assign a standalone data plan that is tied to a SIM card for each subsidized 3G-enabled device. Even for unsubsidized devices, most operators currently tag smartphones and tablets with different data plans, he said.

Skinner pointed to telcos’ wish to protect their voice service revenues as a reason for separating smartphone and tablet service plans. However, he said, this would change in the future.

Moving forward, the Ovum analyst explained that data and voice charges will reach a point where price plans for both will be similar. It will then be easier for telcos to provide a universal data plan, he said.

This could happen in six months or a few years’ time, he noted. However, before telcos evolve to this charging model, they will first need to begin consolidating their customers’ multiple data plans into a single bill, he said.

This will allow users to make only one payment per month since the system will be able to pull data from different data plans into a single bill, he added. With a single bill payment, telcos can also attract customers by providing loyalty discounts to those who subscribe to multiple services, he noted.

Chua Swee Kiat, spokesperson for Singapore mobile operator, M1, told ZDNet Asia in an e-mail interview that the company offers loyalty discounts in the form of the multiple-line saver plans. M1 customers receive a 25 percent discount in their monthly subscription plans if they subscribe to three M1 phone lines, 30 percent discount for four lines and 35 percent discount for five lines, Chua said.

He added that the mobile operator offers a multi-SIM service where customers can tag one mobile number to multiple SIM cards, up to three, for three different devices such as smartphones and BlackBerry devices.

Skinner noted that providing a single bill for multiple service plans is a “first step” for telcos, after which they should look at providing a universal data plan for multiple devices. He explained that many companies do not have such services yet as it will take some time for telcos to develop the IT capability to dynamically manage data usage.

According to reports, Toronto-based operator Rogers Communications already allows its customers to link multiple devices to a single data plan.

According to the company’s Web site, customers can link their devices to one service plan at a monthly charge of 15 to 20 Canadian dollars (US$14.9 to US$19.9). Rogers Communications’ voice and data plans start from 55 Canadian dollars (US$54.7).

Metered billing more suitable
One analyst believes that while some customers may prefer a universal data plan, subsidized devices remain more attractive to others.

In an e-mail interview with ZDNet Asia, ABI Research’s senior analyst Mark Beccue said subsidized devices have a strong appeal and customers may not be willing to give up the cost savings for the simplicity of a universal data plan.

Thus, mobile operators that are able to provide a broad portfolio of subsidized devices as well as a universal data plan will resonate with users, Beccue said.

That said, the analyst believes metered, pay-as-you-go billing may suit a significant portion of consumers.

“For example, it is possible that a carrier can offer a plan that detects when a subscriber is in an underutilized cell site, and offer discounted pricing for a limited time [to entice the user] to use the device while the consumer is in that location,” he explained. “Or, there can be a service plan in which the subscriber has the capability to toggle data speed in real-time, with cheaper pricing for slower speeds and higher pricing for faster speed.”

These scenarios are possible for mobile operators that have IP Multimedia Subsystem (IMS) networks with centralized subscriber databases, sophisticated policy management infrastructure and advanced billing systems, he said.

According to Marc Einstein, Asia-Pacific industry manager for ICT practice at Frost & Sullivan, there is a short-term solution for users looking to reduce their number of data plans but whose mobile operators do not offer a universal data plan or pay-as-you-go billing models. They can use a Mi-Fi device to turn their 3G connection into a mobile Wi-Fi hotspot, which can then be used to provide wireless access to multiple devices, Einstein said.

Delay in BWA deployment will cost Indian telcos

Months after broadband wireless access (BWA) spectrum was distributed in India, operators have yet to decide which platform to build on, and the delay is costing them US$2 million a day, warns a WiMax Forum official.

“It has been nearly six months since the BWA spectrum was allocated to the players but there is no clarity over which technology the operators would be going for,” Declan Byrne, director of marketing at WiMax Forum, told ZDNet Asia in a phone interview.

The Indian government in July allotted 20MHz spectrum, to be used for BWA services deployment, to six operators: Infotel Broadband, Bharti Airtel, Aircel, Tikona Digital, Qualcomm and Augure.

Much of the debate has revolved around WiMax and LTE. The latter has strong industry support globally including operators, chipset vendors and equipment suppliers, but is not yet commercially available, with mainstream adoption expected only in 2012.

In comparison, WiMax is available today. Not surprisingly, WiMax Forum is hoping India will swing its way.

Byrne said: “If our technology is selected, the service can be operational in two weeks.” He noted that the forum has communicated the benefits of WiMax at all levels in India–be it operators, vendors or the government. “All of them know the tradeoffs,” he said.

WiMax Forum views India as an important market because of its low penetration rates and, hence, growth potential. There are currently only 7 million broadband connections in the country, which has the world’s second-largest population.

“The telecom operators who have won the spectrum tell us that it is a complicated and big decision,” Byrne acknowledged. He noted, however, that any delay in BWA deployments would cost operators US$2 million a day.

“We are distressed with things,” he said. “We also want the government to be technology-neutral.”

Earlier this month, Mukesh Ambani-owned Reliance Infotel conducted an LTE field-trial at its Navi Mumbai campus via a partnership with Ericsson. The Indian operator is the only player to hold a nationwide BWA license.

“There is no questioning the fact that what Infotel plans to do will have a huge bearing on the market,” Byrne said.

A spokesperson for Reliance Industries said in a statement: “This LTE trial not only demonstrated the superiority of LTE-TDD technology but it also strengthened our confidence in the timely availability of the LTE ecosystem in India with Ericsson’s global deployment expertise. This is an important milestone for Indian telecom industry in showcasing LTE performance on a live network.”

WiMax has significant support from state-owned BSNL, which has installed nearly 1,000 base stations across various Indian states. By the end of 2011, BSNL plans to have 5,000 base stations.

Swati Prasad is a freelance IT writer based in India.

Leaked accessory hints WebOS tablet is near

The pieces seem to be falling into place for Hewlett-Packard’s first WebOS-based tablet.

Executives have confirmed several times that there will be a touch-screen tablet featuring Palm’s mobile operating system (OS) released sometime between January and March next year, though little else is known about it. HP has trademarked “PalmPad” and an exec has even publicly referred to an upcoming tablet as such, but it’s not clear that will be the product’s actual name once it starts shipping to customers.

Engadget got its hands on an internal HP slide last Friday that shows not a tablet, but what is purported to be the Bluetooth keyboard accessory for the WebOS tablet.

On its own, sure, it’s not that exciting, but whoever sent the slide along also said that the design and styling of the keyboard are reflective of the look and feel of the tablet. Word is that the tablet will have “no hard buttons” on the front, and it is referred to internally as “Topaz”.

Another piece of WebOS info was also included: HP is apparently planning something “like a Pre” with no physical keyboard aimed at teenagers for AT&T, Sprint, and Verizon. Phones with virtual keyboards, as we know, do pretty fantastic sales. But HP should probably talk to their friends at Microsoft about the perils of selling phones aimed at teens.

This article was first published as a blog post on CNET News.

eBay sets up mobile commerce push

eBay’s plans this week to buy over its erstwhile mobile app developer, Critical Path Software, will place the Web marketplace operator in a good position to take advantage of the growing mobile commerce industry.

Craig Skinner, senior consultant at Ovum, noted that Critical Path had been working with eBay over the past two years, producing the Internet vendor’s mobile apps and Web portals such as StubHub, Shopping.com and eBay’s Apple iPhone app. With this in mind, the analyst said, the acquisition was about “in-housing and integrating mobile development talent”. Details of the merger were undisclosed.

Skinner explained: “Critical Path has been concentrated on [Apple] iOS development, and this will give eBay an opportunity to apply these development skills across other [mobile] platforms where their current mobile apps are not as well developed.”

He added that the acquisition will stand eBay in good stead, as the mobile commerce industry is expected to continue developing strongly over the next few years. This growth is primarily because “technology is no longer the barrier” with today’s fast, responsive 3G wireless networks and an abundance of highly functional mobile devices with easy-to-use interfaces, he said. To this end, mobile customers have become accustomed to making mobile purchases, particularly of apps as well as in-app content purchases, he noted.

Skinner predicted that the next growth area for mobile commerce will look at integrating mobile payment technology that can be used on-the-go. He cited shopping apps that allow users to scan the barcode of an item, make an online price comparison and complete the purchase using their mobile device, as an example of the next frontier for mobile commerce.

In a press statement, eBay said Critical Path’s “proven development capabilities” will play an integral role in enabling the Internet company to accelerate improvements to its customers’ mobile experience.

Mark Carges, CTO and senior vice president for global products at eBay Marketplaces, said in the release: “We’re very serious about innovating in mobile commerce, and this acquisition underscores our commitment to bringing the very best and brightest in the field to eBay.”

Carges added that integrating Critical Path into the wider organization will be a “big win” for mobile shoppers, with the promise to “make shopping and selling anywhere, anytime, for almost anything, even better”.

ZDNet Asia’s sister site, CNET News, earlier reported that the acquisition is one of several eBay made this year. In June, the Web vendor bought RedLaser, a developer of an iOS app that enables iPhones to scan barcodes to compare products and prices. eBay earlier in December also picked up Milo, a shopping service that ties online and offline shopping activities.

The company’s subsidiary payment service provider, PayPal, had also identified the mobile commerce market as a growth area.

In a July interview, Laura Chambers, senior director of PayPal Mobile, told ZDNet Asia that the company had released its Mobile Payment Library application programming interface (API) to simplify payment processes for mobile users.

Chambers also pointed out that the Asia-Pacific region, in particular, is a market that PayPal wants to be heavily involved in. Citing figures from research firm Informa, she said the region accounted for US$24 billion of the global US$30 billion mobile commerce market in 2009. The region’s contribution is expected to rise to US$139 billion in 2012.

RIM: Earnings show we’re still in the game

Research in Motion (RIM) beat Wall Street’s estimates for the third quarter, showing that the maker of the Blackberry is far from being a has-been in the smartphone game.

For the quarter ending Nov. 27, the company reported net profit of US$911.1 million, or US$1.74 per share, on revenue of US$5.49 billion. Wall Street had been expecting earnings of US$1.64 per share on revenue of US$5.4 billion.

The company said 82 percent of the revenue came from devices, while 15 percent was attributed to services. The company shipped about 14.2 million devices and added about 5.1 million net new subscribers in the quarter, taking the subscriber account base to over 55 million. Analysts had been expecting 5.2 million new subscribers.

Read more of “RIM: Earnings show we’re still in the game” at ZDNet.

Mobile developers should adopt balanced test policy

Application testing has taken on added importance as more mobile apps enter the enterprise arena. However, shortening deadlines for app delivery and easier app programming interfaces (APIs) will increase the likelihood of human errors during testing processes, observed security experts, who recommend a balanced testing workflow that includes manual and automated testing.

Ronnie Ng, senior manager of systems engineering at Symantec Singapore, noted that as more mobile platform providers introduce easy-to-use APIs to entice developers to sign up, such efforts have also made it easier and less time-consuming for hackers to write malicious code that attacks mobile apps.

In addition, enterprise developers face a shortening app delivery timeframe, which may result in flaws creeping into the app coding and testing process, Ng said in an e-mail interview.

Paul Oliveria, technical marketing researcher at Trend Micro, elaborated on the testing environments for two popular smartphone platforms–Apple’s iOS and Google’s Android operating system.

He told ZDNet Asia that Cupertino has outlawed most third-party APIs, thereby making its app review process more stringent. And since documented APIs provided by Apple are, in most cases, secured, the majority of apps published on its App Store are usually safe for use, Oliveria said.

Additionally, apps running on iOS do not “touch” any internal part of the mobile device’s OS and operate solely within their own run-time environment, which makes iOS apps more secure, he noted.

This is not the case for the Android app ecosystem, though, he said. He pointed out that developers who pay US$25 to join the Android developer program will be able to submit any application instantly.

Oliveria said: “There is no review process from Google for the submitted app before it gets published.

“Even though Android has a sandbox-like environment [like the iOS], the openness of the OS and app review process provide a very unsecure situation whereby the app may become a source of threat or for hackers to breach the app more easily,” he said.

He added that Trend Micro in 2010 had discovered four malware-like apps that were submitted to the Android Market. Google also removed 50 suspicious-looking apps from its app store last December after determining they had used the names of various banks without prior permission.

According to Raja Neravati, senior vice president of software testing company AppLabs, such risks underscore the need, once apps are published, for app store operators to be responsible for and to ensure that apps are safe for use.

Neravati noted that while an app is built by the developer, a security breach found in an app is a “collective responsibility” of stakeholders such as the network provider, phone maker and mobile app provider.

Furthermore, once the service provider verifies and certifies the app before it is published, it is then the service provider’s responsibility to find a resolution if loopholes are found and exploited, he said.

Follow best practices for app testing
Ng noted that while there are unique challenges today when it comes to mobile app testing, developers will have to consider a strategy that balances tradeoffs between cost, quality and time-to-market.

Due to the “high margin of human error”, he said developers should rely on automated testing throughout the initial stages of coding, as well as run stringent security screenings regularly to detect any potential vulnerabilities in the app. That said, manual testing should not be avoided altogether, but used at the end of the coding process as an operational test, he advised.

Ng also called on organizations that have or are planning to develop mobile apps to plan their testing strategy across both manual and automated testing approaches, and consider outsourcing to dedicated software testing companies, where necessary.

“Outsourcing to [third-party security] vendors that operate an independent testing practice may be a viable option to manage the expertise, scalability, security and quality assurance requirements for mobile apps,” he said.

Oliveria also encouraged developers to follow industry-standard secure coding practices from the start of the development process. These include, for example, ensuring that the programming code is not vulnerable to buffer overflows or format string attacks, as well as testing all inputs to the application rigorously, he stated.

Furthermore, Neravati added that simulating the app on the network and hacking the app on data transmission and data transparency would also be good to surface any inherent programming flaws.

Optimism (for now) over RIM earnings

Research in Motion reports its fiscal third quarter earnings Thursday and analysts are tripping over themselves to be optimistic–or at least hedge their gloomy long-term outlook. International growth is expected to carry the quarter for RIM as observers look ahead to the launch of the PlayBook tablet.

Wall Street is expecting earnings of US$1.64 a share on revenue of US$5.4 billion. Analysts have been gradually becoming more optimistic about RIM based on its QNX operating system, which will power the PlayBook. Until the PlayBook arrives, RIM is expected to thrive with international sales and an enterprise upgrade cycle.

A sampling of a few prognostications about RIM’s third quarter:

  • Morgan Stanley analyst Ehud Gelblum says RIM will report a strong quarter shipping 14.4 million devices, up 19 percent from the second quarter. The US$99 Torch cut inventory levels and boosted sales.
  • Scott Sutherland, an analyst at Wedbush, said RIM’s quarter will be better than expected. “While we have continued concerns over enterprise stickiness, erosion in enterprise messaging and thus margins as well as market share losses, we expect this to be offset by international growth, new phones, introduction of the PlayBook, and stock buyback,” said Sutherland.
  • FBN Securities analyst Michael Burton says RIM is “not dead yet”. Burton said the consensus view is that this is RIM’s “final good quarter before it dies at the hands of Android and Apple.” Burton has his doubts about RIM too, but upgraded the stock. Short-term momentum, the PlayBook and new product launches mean “it’s a little too early to call the time of death on RIM”.

Read more of “Research in Motion earnings: Optimism abounds (for now)” at ZDNet.

US Appeals court: Feds need warrants for e-mail

U.S. police must obtain search warrants before perusing Internet users’ e-mail records, a federal appeals court ruled Tuesday in a landmark decision that struck down part of a 1986 law allowing warrantless access.

In a case involving a penile-enhancement entrepreneur convicted of fraud and other crimes, the Sixth Circuit Court of Appeals said that the practice of warrantless access to e-mail messages violates the Fourth Amendment, which prohibits “unreasonable” searches and seizures.

“Given the fundamental similarities between e-mail and traditional forms of communication, it would defy common sense to afford e-mails lesser Fourth Amendment protection,” the court ruled in a 3-0 opinion written by Judge Danny Boggs, a Reagan appointee.

The court affirmed the conviction of Steven Warshak, who was charged with defrauding customers of his “natural male enhancement” pills, but sent his case back to a lower court for a new sentence. Warshak remains liable for a US$44 million money laundering judgment as well.

“The most significant thing from our perspective and that of the victims is that they upheld all the convictions against Mr. Warshak and that they affirmed the US$400 million-plus forfeiture order,” a spokesman for the U.S. Attorney’s office in Ohio, which prosecuted this case, told ZDNet Asia’s sister site CNET.

Warshak owned Berkeley Premium Nutraceuticals, a mail order company that in 2001 launched Enzyte, which claimed, in the delicate words of the court, “to increase the size of a man’s erection”. Enzyte was a remarkable success: by the end of 2004, Berkeley employed 1,500 people and rang up about US$250 million in annual sales.

Today’s decision striking down part of the 1986 Stored Communications Act rebuffs arguments made by the U.S. Department of Justice, which insisted the law was constitutional. In a brief filed during an earlier phase of the case, prosecutors argued that the Fourth Amendment doesn’t apply because “compelled disclosure of e-mail is permissible under most providers’ terms of service”.

Since 1986, the general rule has been that police could obtain Americans’ e-mail messages up to 180 days old only with a warrant. Older messages, however, could be accessed with an administrative subpoena or what’s known as a 2703(d) order, both of which lack a warrant’s probable cause requirement.

The Stored Communications Act–which created the 2703(d) orders–was enacted at a time when e-mail was the domain of a small number of academics and business customers. Telephone modems, BBSs, and UUCP links were used in that pre-Internet era that was defined by computers like the black-and-white Macintosh Plus and services like H&R Block’s CompuServe.

Since then, the Sixth Circuit ruled, technological life has changed dramatically:

Since the advent of e-mail, the telephone call and the letter have waned in importance, and an explosion of Internet-based communication has taken place. People are now able to send sensitive and intimate information, instantaneously, to friends, family, and colleagues half a world away. Lovers exchange sweet nothings, and businessmen swap ambitious plans, all with the click of a mouse button. Commerce has also taken hold in e-mail. Online purchases are often documented in e-mail accounts, and e-mail is frequently used to remind patients and clients of imminent appointments. In short, “account” is an apt word for the conglomeration of stored messages that comprises an e-mail account, as it provides an account of its owner’s life. By obtaining access to someone’s e-mail, government agents gain the ability to peer deeply into his activities.

Even though the law is unconstitutional, the court concluded, Warshak’s conviction should be upheld because police relied “in good faith” on their interpretation of the surveillance law. (In a concurring opinion, Judge Damon Keith, a Clinton appointee, wrote he was troubled by the Justice Department’s “back-door wiretapping” procedures in this case, but agreed with the decision to uphold the conviction.)

Orin Kerr, a law professor at George Washington University who has written extensively about electronic surveillance, called today’s decision “correct” and “quite persuasive”.

Kevin Bankston, an attorney at the Electronic Frontier Foundation who wrote an amicus brief in this case, called it a key decision because it’s the “only federal appellate decision currently on the books that squarely rules on this critically important privacy issue.”

This article was first published as a blog post on CNET News.

Swedish appeal delays Assange’s release

Swedish authorities have decided to appeal against a judge’s decision to grant bail to Wikileaks editor Julian Assange, who faces extradition to Sweden for questioning on sex-crimes charges.

The lodging of the appeal came on Tuesday, just hours after the bail decision in City of Westminster Magistrates Court in London.

Assange, who has been held for a week at Wandsworth Prison during the legal battle, will remain in custody there until the appeal hearing in high court. That hearing is expected to take place before Friday.

Read more of “Swedish appeal delays Assange’s release” at ZDNet UK.

E-govt services to see ‘dramatic change’

SINGAPORE–Governments around the world would like to move from their legacy infrastructure to more effective, unified IT systems yet many are ill-equipped to do so, said a senior Microsoft executive.

Craig Shank, associate general counsel of Microsoft Corporation, explained that many of today’s e-government portals and backend systems are a digital implementation of their paper-based predecessors. While this leap into the digital age has resulted in a slightly more efficient mode of communicating with citizens, it is still not a “transformative” system, he added.

Furthermore, the public sector is facing a similar data deluge that its private sector counterparts are experiencing. These two factors are impeding the timely access of relevant data to citizens, the executive pointed out to ZDNet Asia at the sidelines of a technology forum held here Tuesday.

Shank’s observation reiterates the fact that citizens perceive governments to be unresponsive online. According to an earlier survey conducted by the U.K.-based Economist Intelligence Unit, businesses and citizens point the finger to unresponsive public officials as the reason for the slow adoption of e-government services.

While acknowledging that there’s “quite a bit of work to be done”, Shank expressed confidence that the world will see a “dramatic change” in the way e-government services are delivered in the future. To achieve this, though, all parties involved ought to be looking into issues such as specific interoperability between existing and new IT systems as well as the re-architecting and redeveloping of new systems to achieve transformation, he added.

For instance, new technologies must respect legacy systems, particularly the data that sits in existing databases. To address this challenge, the Microsoft executive recommended “some level of capability” that can cut horizontally across multiple government systems to access the various silos of information.

He cited how the Portuguese government merged four identity systems into one as a positive example. The exercise involved the project partner taking the original Linux, mainframe and Windows server systems to build a horizontal layer that was able to access data in all the systems. With this unification, citizens can now, for example, use their driving licenses to access health care services, he stated.

“That’s the kind of [transformation] we can anticipate seeing going forward,” Shank observed.

Asked if emerging markets are less receptive toward such IT transformation, Shank disagreed. He pointed out that besides Asian countries, Latin America, for one, is very keen on harnessing innovation for the future.

“[However,] I think each market has its own specific sets of challenges that it will have to deal with, and there isn’t a single solution,” he surmised.

As with most technological advances, there is no fixed timeframe but he advised that it will be a journey that spans beyond 5 or 10 years.

Cloudy prospects
Another area of interest for governments is cloud computing, the associate general counsel noted. For the public sector, such a deployment will increase efficiencies, provide cost savings and become a driver to make IT systems more heterogeneous and nimble, Shank said.

However, challenges surrounding data storage location, access, jurisdiction, law enforcement, privacy rights and security issues are pressing matters that no one has answers to, he noted.

“Today, there is the possibility that one can be trapped in an absolute impossible situation with cloud computing, where data responsibilities of its stored location is in direct conflict with the data responsibilities where the services are being developed,” Shank observed.

He did add that Microsoft is actively engaging governments in the region on these challenges, but there are certain “hurdles” that will have to be ironed out before governments jump on to the cloud bandwagon.

Microsoft and Nokia ally over Office in cloud

With Android smartphones and Apple’s iPhone making inroads into the enterprise, Nokia is not the first name that comes to mind when you think of smartphones for business, even though it remains the world’s largest seller of mobiles. The company is trying to improve its corporate credentials by adding key enterprise features to Symbian^3 business phones, based on Microsoft services.

As Nokia prepares to launch the E7 slider Qwerty smartphone that replaces the Nokia E90 Communicator as its flagship business device and showcases the new Symbian^3 operating system–and the first Microsoft business tools–ZDNet Asia’s sister site ZDNet UK talked to Ilari Nurmi, the Nokia vice president responsible for business smartphones and business mobility strategy.

We asked him to explain what Nokia’s pact with Microsoft means for Symbian business users, what is on the roadmap for next year and whether the agreement still makes sense now Windows Phone 7 is here.

ZDNet UK: With Windows Phone 7, Microsoft is a competitor to Nokia. Why does it make sense for Nokia to work with Microsoft? What are you actually working on together?
Nurmi: Our basic mobility strategy is to bring to market the best business smartphones for professionals. A cornerstone in our strategy is that we build the products so they work seamlessly with enterprise infrastructure, so we do a lot of work with companies like IBM and Microsoft and Cisco to make sure the products work together well.

Read more of “Microsoft and Nokia ally over Office in cloud” at ZDNet UK.

Report: Apple, Google to bid for Nortel mobile IP

Two of the biggest names in mobile are reportedly participating in the land grab for the patents belonging to bankrupt telecom firm Nortel.

Reuters quotes unnamed sources in a story published last week detailing how the auction currently underway for the intellectual property assets of the former Canadian giant is expected to draw the interest of Apple, Google, and others, including perhaps Motorola and Research In Motion.

Nortel filed for bankruptcy protection in June 2009, and has roughly 4,000 patents that are calculated to be worth more than US$1 billion collectively. The rumor is that the patents have been divided into six groups by category, and cover everything from mobile phones, PCs, wireless infrastructure, networking, Web-based advertising, and voice technology. Reuters’ source says Apple, Motorola, and RIM are probably most interested in the IP related to LTE (Long-Term Evolution), the 4G wireless technology many carriers are in the process of rolling out now.

The auction actually began seven months ago, but final bids are due soon.

That Apple and Google are involved isn’t a surprise: they’ve got a lot of cash to play with. But why bother purchasing patents? For one, it’s a potential source of revenue if they sell licenses to the patents after they acquire them. But mostly it’s for legal protection. Almost every major player in the mobile world is embroiled in one patent-related lawsuit or another right now. Just in the past year, Microsoft, Motorola, HTC, Apple, Google and Nokia have sued or are being sued over some mobile software or smartphone intellectual property.

This article was first published as a blog post on CNET News.

Mobile VoIP apps don’t have enterprise appeal yet

Mobile VoIP apps may promise to slash users’ phone bills, but the lack of security, patchy performance and need for constant wireless broadband access mean that it will take time before enterprise users consider adopting the technology, said analysts.

Shirleen Kok, general manager of market research firm GfK Singapore, said mobile VoIP (Voice-over-Internet Protocol) apps such as Viber offer free local and international calls for users via 3G or Wi-Fi networks, which is a good cost-cutting option. However, their reliance on data, wireless networks and hardware specifications makes them a less appealing option than the traditional bundled minutes offered by telcos, which both consumer and enterprise users are familiar with, she pointed out.

“Given that the prices of voice calling bundled with a data plan offered by [Singapore’s] three operators are affordable, it is expected that adoption of smartphones and subscription of these plans will continue to increase,” she added in an e-mail.

Sherrie Huang, research manager of unified communications and collaborations at IDC Asia-Pacific’s practice group, went on to add to Kok’s perspective. She said that while these apps will probably not have significant growth in the enterprise space at this stage, they may still serve a purpose for consumers who require free calls without expectations of high voice quality.

Besides call quality, enterprises will require the reliability and security for their voice services as well as features such as call forwarding and voice mail, among others. So far, these features can only be provided by enterprise service providers or carriers that know how to manage the backend network well, she said.

“Mobile VoIP will require high mobile data network SLAs (service level agreements) on bandwidth and [latency], which is very hard for app developers to [access] or manage,” Huang noted in her e-mail.

Carving a mobile VoIP niche
Viber, an iOS-based mobile VoIP app introduced to consumers last week, is not the first of its kind, acknowledged a company spokesperson.

That said, Efrat Cohen, who oversees Viber’s media relations, told ZDNet Asia in an e-mail that the app is the first mobile app to be “modeled after an actual phone”. This means that instead of users having to create an account with the developer and managing a “buddy list” of fellow users, Viber automatically identifies the people within one’s contact list who have downloaded the app, and users can start calling Viber contacts immediately, she noted.

“Basically, the standout benefit is that users don’t need to have the app open to receive a call as it is always on, and calling with Viber is like using a regular iPhone dial pad and contact list,” she added. The app’s performance will also improve over time, she promised.

In comparison, rival VoIP provider Skype’s mobile app requires users to add their friends to their contact list. In addition, both parties must be signed in to the app at the same time before one can make a call to the other, Cohen pointed out.

The Skype spokesperson ZDNet Asia interviewed declined to respond directly to Viber’s value proposition. Instead, she stated that the company has been available on both 3G and Wi-Fi networks through its Skype app, which straddles the iOS, Android, BlackBerry and Symbian mobile platforms “for some time now”.

Furthermore, she noted that many of Skype’s enterprise users not only run its software on their desktop PCs, but also on their mobile devices, too. This allows them to stay connected with business associates on the move and to make free Skype-to-Skype calls or low-cost calls to landlines and other mobile phones that do not support the Skype app, added the spokesperson.

“The business market is important to Skype and we are focused on addressing it,” the spokesperson stated. She backed this up, citing internal research which revealed that about 37 percent of Skype users reported they used Skype for business purposes in the first quarter of 2010.

Viber’s Cohen said the company’s first release of its app is targeted primarily at the consumer market. However, it sees the potential and added benefit of entering the enterprise space, and it intends to do so “in the future”.

“Phenomenal” growth expected
Both mobile VoIP providers’ enthusiasm for the enterprise space lends credence to IDC’s observation that there will be “phenomenal” growth in mobile VoIP in the future, particularly through replacing IP phones in developed markets, said Huang.

She added that one of the research firm’s 2011 predictions is the “death of the IP phone”, as smartphones, tablets and video functions marginalize investments in IP telephony. In turn, the price and demand for IP telephony will fall after 2012, the analyst reckoned.

Huang balanced her prediction, however, by pointing out that carriers, aided by regulators, will put up a fight to protect their voice business from being eroded by VoIP vendors. For instance, countries such as China have denied IT vendors the permission to set up VoIP and mobile VoIP services locally, she said.

Additionally, in the enterprise space, mobile app developers will have to convince carriers to enter into close strategic partnerships in order to integrate their software with the backend mobile network, the analyst stated. Only then will the developers be able to ensure high SLAs and reliability needed to satisfy enterprise customers, Huang noted.

RIM’s Playbook the linchpin of a 10-year plan

SAN FRANCISCO–Research In Motion co-CEO Mike Lazaridis hopes the company’s investment in its QNX software will carry the venerable smartphone company for the next decade.

Lazaridis showed off the first fruits of that investment, the Playbook tablet, to attendees here at D: Dive Into Mobile on Tuesday. RIM has taken the tablet–expected to arrive in the first quarter of 2011–for several test drives over the past few months but hoped to wow the Silicon Valley mobile elite with the QNX software on which it’s betting the future of the company.

There’s little doubt that RIM has lost a bit of respect along the Left Coast; although RIM is the largest tech company in Canada and a significant market share player around the world, as Lazaridis reminded hosts Walt Mossberg and Kara Swisher multiple times, it’s seen as a laggard against what Apple and Google have done with the iOS and Android operating systems. The CEO didn’t exactly refute that analysis but suggested that by designing an operating system with a tablet first and foremost in mind, it might actually be able to get the drop on its South Bay competitors.

Lazaridis also made some interesting comments regarding the application of the old “megahertz myth” from the PC wars to the smartphone market, declaring that smartphones are on the cusp of a similar transition in which fast single-core processors are simply too hot and too power-hungry for future mobile devices. His competitor, Google’s Andy Rubin, showed off an unannounced tablet geared for dual-core mobile processors on the first day of the conference, and based on Lazaridis’ comments RIM believes that such a transition is imminent in the mobile space.

“All these pieces are coming together to set up BlackBerry for next decade,” Lazaridis said. It’s not clear whether he convinced anyone that RIM should be back in the favor of the digerati, but he left a clear impression that RIM isn’t ceding any ground in the race to build a mobile stronghold.

This article was first published as a blog post on CNET News.

Nokia rallies against Android, iOS onslaught

Streamlining its development roadmap and improving its app store experience for users and developers are positive moves for Finnish phone maker Nokia. But these may not be enough to rein in its industry competitors, particularly the iPhone and smartphones based on Google’s Android mobile operating system (OS), analysts argue.

Nick Dillon, analyst of devices and platform at Ovum, acknowledged that Nokia has recently made moves to strengthen its application offerings by improving its app distribution platform, Ovi Store. The Finnish outfit has also introduced operator billing for purchases, as well as simplified its app development roadmap by standardizing it on Qt. That said, he noted that the phone maker “still has some work to do to catch up with the likes of Apple and [Google’s] Android”.

He pointed out that it was Cupertino that took the lead in taking mobile app development, discovery, distribution and monetization mainstream. Other handset manufacturers, including Nokia, have been playing catch-up since, he added.

App store race hots up
With regard to the earlier announcement by Nokia that its Ovi Store achieved 3 million downloads per day for the month of November, Dillon said this figure is likely to be “some way behind” both Apple’s iOS and Android platforms. Furthermore, he pointed out that the 3 million figure does not just reflect application downloads, but includes other downloads such as ringtones, themes and wallpapers.

In comparison, he said Apple reported 10 million application downloads per day from its App Store, while Research in Motion (RIM) last week announced that 2 million apps were being downloaded per day from its App World store. And though Android has not reported any specific figures, the Ovum analyst reckons that it is “likely to be not far behind Apple and catching up”.

That said, Dillon stressed that the focus should not be solely on the number of apps available and downloaded, as these are not necessarily the most important measure of the success of an app store. “The quality of apps available, how regularly certain apps are used, and how long these stay on a user’s phone are probably more important metrics, though these [statistics] are clearly more difficult to [compile],” he added.

When quizzed, Kasey Farrar, global communications manager and head of media and content promotion communications at Nokia, told ZDNet Asia it is important to note the rate of growth that the Ovi Store is witnessing. He revealed that since its announcement of 3 million downloads at the end of November, the company has seen another 500,000 downloads per day added.

This is driven, in part, by the introduction of its newer smartphone devices such as the Symbian-based N8 device, he said in his e-mail.

“[User] engagement is higher in new devices such as our N8, which means that [download] numbers will only grow once the full range of our new Symbian smartphones hit consumers’ hands,” Farrar said.

Better handsets, more apps promised
Outlining the company’s strategy to help put Nokia back on top of the smartphone heap, he explained that Nokia plans to strengthen its product portfolio to cater to the different consumer requirements and across multiple price points. At the same time, it will continue to grow its developer ecosystem to offer a better user interface and exciting, relevant content through the Ovi Store. “One cannot succeed without the other,” he added.

Zooming in on Nokia’s efforts to engage developers, Farrar pointed out that more than 400,000 developers had signed up for Forum Nokia–a dedicated portal for its mobile developer community–in the past 12 months.

Earlier, Niklas Savander, executive vice president and general manager of markets at Nokia, told ZDNet Asia that the company has inked partnership agreements with 91 telcos in 27 markets to introduce operator billing mechanisms in these markets’ Ovi Stores. He explained that as not everyone is comfortable with using their credit cards to pay for mobile apps, such a move will help Nokia garner more consumers and, in turn, more app downloads, which will then entice developers to sign up with its platform.

Gartner’s principal research analyst, Shalini Verma, noted that fostering good relations with carriers could be beneficial to the company’s renaissance. She said mobile operators’ more favorable stance toward the Finnish firm could also be from its perceived lack of threat compared with Apple’s App Store and Google’s Android Market.

“Nokia is still the world’s largest mobile device vendor…and it has opportunities to offer mobile applications and services to both the low-end mobile and smartphone user groups,” she added.

“Knockout” MeeGo handset needed
In September, the company unified its software development platform based on the Qt SDK (software development kit), to allow developers to write an app that will work on both Symbian and MeeGo OSes. This will help reduce development time and cost of porting apps between both platforms, Nokia’s Farrar noted.

Ovum’s Dillon said that moving to Qt is a “smart move” for the Finnish company as it “future-proofs” developers’ investments.

That said, he pointed out that since there are no MeeGo devices in the market today, the ability to run apps on the OS has “very little appeal for developers right now”.

“While the N8 is an important handset for Nokia, it will be absolutely crucial for the company to launch a knockout device running MeeGo in 2011, as this will not only show the market that [the company] is still capable of competing at the top, but also give developers a compelling reason to develop on Qt,” Dillon stated.

Chinese handset maker ZTE sees UK sales surge

Chinese technology giant ZTE is making inroads into the U.K. market, with sales of dongles and handsets at least doubling in the past year.

According to ZTE’s figures, the company now has 60 percent of the British mobile broadband dongle market, up from just 30 percent in 2009. It also has 8 percent of the handset market, up from 3 percent in 2009. In terms of handsets and dongles combined, ZTE sold four million units this year, in contrast to only 1.5 million last year.

The Shenzhen-based company, a direct competitor to Huawei, typically sells mobile phones in the U.K. under operator branding. However, in July it launched its first own-branded handset for the U.K. market: the ZTE Racer, a 99 pound (US$156.67) Android smartphone.

Read more of “Chinese handset maker ZTE sees UK sales surge” at ZDNet UK.

Windows Phone developers to get paid a bit sooner

There’s some good news for developers who have not yet gotten paid for their app sales as part of the new Windows Phone Marketplace: payday is coming a little sooner than the company had first announced.

Instead of getting that money sometime in February, Microsoft has moved up its first round of developer payouts to the fourth week of January. Thus far, developers have been unable to cash in on software that has been on sale since late October, while Microsoft has worked to get its payment system up and running.

After this first round of payments is out, Microsoft says it will be sending them every month. Payouts will also include sales of apps and games from both its Windows Mobile 6.X and Windows Phone 7 marketplaces.

This morning, Microsoft also rolled out a counterpart to the sales process in the form of a reporting tool that gives developers a detailed view of how their applications are performing on the marketplace. This breaks down how many downloads their apps have received, and whether those were paid or unpaid, as well as what country the buyer was from. No word yet on whether these will be updated more than once a day.

In a blog post announcing some of the additions, Todd Brix, who is Microsoft’s senior director of mobile, said the company has also been listening to criticisms over its App Hub registration process, which is how developers sign up to publish applications to Microsoft’s Windows Phone Marketplace.

“We’ve heard you loud and clear that the registration and submission process hasn’t been ideal and has been frustrating to too many developers,” Brix said. “In response, we’ve made a number of fixes and enhancements throughout the process over the last two months, including a number of new improvements available today.”

Brix also said that 91 percent of applications that get submitted to Microsoft are certified and published within two days, and that 86 percent of the 1,000 or so developers who join the program have an account ready to use in 10 days. So far that’s tallied up to 18,000 registered developers.

Microsoft’s Windows Phone 7 marketplace now has close to 4,000 applications, up from a little more than 1,000 at the platform’s launch in late October.

This article was first published as a blog post on CNET News.

Latest Software news

Posted: December 9, 2010 in Software

Google wakes up to new photo reality

Commentary: Google is showing some signs it understands how photography is changing on the Net.

In the olden days, people posted batches of digital photos on the Web in photo albums their friends would look at occasionally. Often half the point of uploading the shots was getting them to a place like Snapfish or Shutterfly that could create prints.

Picasa Web Albums, Google’s photo-sharing site, was born in this era. Now, though, photos are becoming an in-the-moment part of people’s online social lives, notably with Net-connected smartphones and Facebook sharing with friends. Picasa Web Albums–never a product that advanced at blazing speed–is beginning to adapt to this era. Perhaps Google’s success with its Android operating system has made the company more aware of just how far the world has moved from the shoebox-of-prints-in-the-closet days.

First up is a more social interface to Picasa Web Albums that shows what your contacts on the site are up to. Google has struggled for a couple years now to build social connections into its products, nevertheless falling ever further behind Facebook in the area, but this change could help people branch out.

Yahoo’s Flickr, of course, has had social connections built in from the start with groups, comments, and sharing, and Yahoo has been trying to promote those aspects by spotlighting this activity at log-in. But here, too, Facebook’s key asset–the active participation of many of your social connections–is a more powerful draw when it comes to using photos to stay in the loop. Also, Facebook can share text, but Picasa and Flickr really don’t do well for sharing anything besides photos or videos.

Second for Picasa Web Albums is a photo and video price break. The site previously was free to use for up to 1GB of data, but that amount of space could quickly be gobbled up, especially with videos.

The new pricing means photos smaller than 800 pixels on a side or videos shorter than 15 minutes don’t count toward the 1GB freebie limit. Given the dropping cost of storage, it’s a reasonable way to lower a barrier that might keep people from using Picasa. (Buying more storage space costs US$5 a year for 20GB, but other sizes are available too–US$50 annually for 200GB or US$4,096 for 16 terabytes, for example.)

Most new smartphones take shots more than 800 pixels on an edge, though, so until “share a smaller version” becomes a common option, people might still be reluctant to build Picasa into their online daily lives.

Last is the addition of Picasa Web Albums photos to people’s Google Profile. People often care how they appear and don’t care to express that with just a little thumbnail; but more to the point, this change makes the Profiles page a more fleshed-out hub for whatever online social activity Google plans to launch next.

Business intelligence going mobile

SINGAPORE–Enterprise adoption of mobile devices is opening up a new front for business intelligence (BI), which is no longer a tool restricted to middle-management executives, according to Shankar Ganapathy, global vice president for MicroStrategy Asia-Pacific.

He told ZDNet Asia at a briefing here Thursday that as more executives and sales professionals use tablets for work and to access corporate data, an increasing number will request additional tools compatible with the mobile platforms to help push decision-making.

The evolving trend in mobility has transformed the BI market, Ganapathy said. “One of the impacts of mobile BI is that with the advent of the Apple iPad, in particular, many of our larger customers arm their senior executives with the device, which means they need to interact with the analytics that the departments are pushing.”

Hence, upper or c-level management is now able to have BI visibility, which traditionally was provided by mid-level management, he explained.

Customer-facing executives are also looking at ways to collate data more quickly.

Ganapathy noted: “Take the insurance vertical, for example, where agents need to gather information about customer preferences and products before a customer meeting, and currently there is little opportunity for them to do so. Mobile solutions will enable this process.”

In the long-term, BI tools will also be increasingly integrated with near-field communications (NFC), he said.

Ganapathy explained: “NFC-enabled mobile phones will be able to pick up information from an NFC chip, and this will allow us to capture real-time information on customer loyalty, item performance and so on, to benefit retail businesses.”

This data can then be broken down and analyzed quickly, giving retailers a clearer picture on customer profiles and preferences, he added.

While NFC development is still moving at a snail’s pace, Ganapathy believes the convergence of NFC and BI offers much opportunity that MicroStrategy can front. He added that the company is looking to work with “the very few [NFC] devices in the market” such as Google’s Nexus.

The growing adoption of mobile devices has opened up enterprises to a slew of unstructured data which he said MicroStrategy’s offerings are capable of analyzing. “With the advent of mobile technology, the source of unstructured data is going to be more significant,” he said, noting that companies will be looking at best-of-breed products to filter and capture data from such platforms.

Advantages of pure-play BI
MicroStrategy is betting on its position as the “only pure-play provider of BI” left in the market as its competitive advantage.

Ganapathy said: “BI has gone from being a business-critical element to becoming mission-critical, as it’s increasingly used to determine how a company looks at business outline, bottomline and revenue streams based on cost and efficiencies.”

With these requirements from the enterprise community, he said it is important that a market player, which is still focused purely on the business of data analytics, is able to provide the right tools for enterprises. “That is why pure-play and best-of-breed for BI is very significant in the market today,” he added.

MicroStrategy’s competitors in today’s BI market are formed through acquisitions, where IBM, Microsoft, Oracle and SAP account for two-thirds of the US$6 billion industry.

Nasdaq-listed MicroStrategy’s US$460 million business is built on direct and partner channels. Ganapathy revealed that at least 30 percent of their business in this region is served through partners. In Singapore, partners–which include SingTel’s NCS (previously known as National Computer Systems)–make up half the pie.

iOS 4.3 arrives ahead of schedule

Apple Thursday released its iOS 4.3 software ahead of schedule.

The software, which was originally set to be released on Friday to coincide with the launch of the iPad 2, went out to users as an update from within Apple’s iTunes software this morning.

Among the new features are support for Wi-Fi hot spots on GSM iPhones, video streaming through Apple’s AirPlay technology, iTunes Home Sharing, and improved JavaScript performance in Safari. iPad users also get a new option within the settings menu that lets them turn the iPad’s side switch into either a mute switch or a screen orientation lock–functionality the company had changed with the release of iOS 4.2.

iOS 4.3 was unveiled during the iPad 2 press briefing earlier this month, though developers got their hands on the first beta of the software in January. Apple released a Gold Master copy of the software just last week.

The new software is the first iOS update to leave out the iPhone 3G from the list of devices that Apple will support. Other devices that won’t be eligible for the update include the original iPhone, as well as the first- and second-generation iPod Touch.

Along with iOS 4.3 for iOS devices, the Apple TV received a software update today that adds Major League Baseball’s MLB.TV streaming service, as well as the National Basketball Association’s League Pass. Both subscription services work in a similar fashion to Netflix, with users entering in their existing account credentials to gain access. That update only goes out to users with the latest version of Apple TV.

Microsoft’s mobile fortunes tied to app developers

PopCap Games doesn’t usually race to be among the first to develop for a new platform of any sort, be it a console or a mobile operating system. But the company is breaking from its tradition and working hard on porting its popular Plants vs. Zombies game to Microsoft’s Windows Phone 7 platform.

“With Microsoft and Windows Phone 7 we saw a strategic opportunity,” said Garth Chouteau, vice president of public relations for PopCap.

Before you scoff, don’t think the developers at PopCap have blown a gasket. Chouteau said that even though there isn’t yet a large installed base of Windows Phone 7 devices on the market, he expects that there will be…in time. Microsoft has good relationships with developers, has historically worked well with them, and it’s built a gaming ecosystem for its Xbox games, which could be important for PopCap’s gaming audience.

What’s more, Microsoft has recently struck a deal with Nokia, the leading handset maker in the world, to put its operating system on all future smartphones designed by Nokia. All this gives PopCap and other developers plenty of reason to view Microsoft as an important mobile operating system platform.

“We think it will be a popular mobile platform,” he said. “And we like to have our games available in every appropriate place where our customers prefer to play.”

When Microsoft decided to scrap its earlier mobile operating system to develop its revamped Windows Phone 7 platform, released in October, the software giant’s goal was modest: simply getting back in the game. And if mobile developer interest is any indication, Microsoft has achieved that.

The company is already signing up big names to the platform, such as Rovio, which developed the popular game Angry Birds. Getting A-list apps is akin to scoring a Nordstrom or Macy’s as an anchor store at a mall. It gives people a reason to come to that particular mobile platform, because they know they can get apps they’ve heard of or tried on other platforms.

There’s other evidence that Windows Phone 7 is gaining traction among developers. The company Urban Airship, which helps develop mobile applications for some 7,000 brands, surveyed its customers early in 2011 to get a sense of their priorities in the coming year. According to that survey, which was done in January before Microsoft announced it would partner with Nokia, nearly 25 percent of its brand customers said they were planning to develop mobile applications for Windows Phone 7 in 2011. This is up from only 5.9 percent who actually said they developed apps for Windows Phone 7 in 2010.

But even though Windows Phone 7 is on the radar screen for many brands and developers, Apple’s iOS and Google’s Android development continue to dominate–by far–the world of mobile developers. According to Urban Airship’s survey, 99.5 percent of brands last year developed apps for Apple’s iOS and about 44 percent developed apps for Google’s Android platform. In 2011, 90.5 percent of brands surveyed said they had plans to develop for iOS and about 74 percent said they planned to develop apps for Android.

Still, for a company that was all but forgotten in the mobile market a little over a year ago, growing interest from developers has to be taken as some glimmer of good news. And indeed it is at Microsoft.

“We have already had a lot of success so far,” said Brandon Watson, director of developer experience for Windows Phone 7 at Microsoft. “Developers are making money. Some people may try to compare us to existing platforms. But you have to consider where we’ve come from in just a few short months.”

Indeed, Microsoft only has about 9,000 apps in its Marketplace compared with Apple’s 350,000 plus apps in the Apple App Store. But Watson said that Microsoft is adding at least 100 new apps a day, and it has already registered more than 32,000 app developers to create applications for its platform.

Quality vs. Quantity
The number and quality of mobile apps on any smartphone platform is absolutely critical in terms of attracting customers for devices. Smartphones today are less about voice communications and almost entirely about apps and what people can do with these devices.

“Whether you’re an operating system developer or you make mobile handsets or tablets or you’re a connected-car manufacturer, what differentiates your product from someone else’s are the apps and software,” said Andrew Ianni, founder and president of AppNation, a conference and event company focused on the business app economy. “That is why all these companies are courting developers. It’s why a thriving app marketplace is so critical. If these companies don’t have that, then they’re out of the conversation.”

Microsoft understands the importance of the developer community in terms of the overall success of Windows Phone 7. And the company has devoted a significant amount of resources to getting developers on board with the platform.

“Honestly, it’s the only thing that matters,” Watson said. “That means we must give developers what they need to develop for our platform. And if we don’t, we lose.”

Many large to medium-size app developers are putting Windows Phone 7 on their roadmaps because they see the potential in the platform.

Todd Berman, CTO and vice president of engineering for the streaming media company Rdio, said that his company felt compelled to be a Windows Phone 7 launch partner because based on Microsoft’s history of working with developers and pushing into markets it feels are important, it will eventually have a sizable customer base.

“Our customers need to be able to use our service on whatever device they want whether that’s a phone or a desktop or a tablet,” Berman said. “So it’s important for us to be on those devices. Microsoft is one of the more interesting players because of its ability to be in a lot of spaces.”

But some developers are not ready to take the plunge into WP7 development just yet. For many, it’s a chicken and egg problem. App developers have a finite amount of resources, and it’s more lucrative for them to target the platforms with the most users, which to date has been Apple’s iOS platform.

“Collectively, I think app developers are taking a wait and see approach,” Ianni said. “The developer community is impressed with the OS. It’s reasonably easy to develop for, but there hasn’t been a mass movement to develop for it yet because developers are still waiting for the tipping point in terms of device sales.”

This is where Microsoft’s deal with Nokia could help. Nokia announced last month that it will scrap its existing Symbian OS and base all future Nokia phones on Windows Phone 7. Even though Nokia has been losing market share over the past several quarters, the Finnish device maker still sells more mobile handsets than any other manufacturer.

“The deal between Microsoft and Nokia validated our original decision to support the WP7 platform,” Berman said. “Nokia is still synonymous with cell phones. And they are the pre-eminent mobile hardware maker out there.”

But it will take time for Microsoft to see the fruits of the Nokia deal. The first Nokia Windows Phone 7 device isn’t expected to hit the market until late this year. And handsets won’t ship in volume until sometime in 2012.

For smaller developers, this time line is too long to make Windows Phone 7 a priority. For example, FlatPack Interactive, which currently holds the No. 8 spot for paid apps in Apple’s App Store with its game BallFallDown Deluxe, is not yet considering developing for Windows Phone 7. Currently, BallFallDown Deluxe is only available for the iPad. Paul Zimmer, founder of FlatPack Interactive, hopes to port the company’s existing game to Android tablets soon. And he said the company also plans to develop new games for Apple’s iPhone and Android smartphones as soon as it can free up resources.

“Given where we are in our business right now, Windows Phone 7 isn’t even on our radar,” Zimmer said. “Honestly, for something that won’t have a reasonable installed base for a year, it’s just not realistic for us. We could be out of business by then.”

The race for third place
While it’s clear now that developers must develop apps for iOS and Android, the decision of which platform to address next is still up in the air for many. Research In Motion’s BlackBerry platform still has a large installed base. But developers complain that it’s a difficult platform to develop for. Meanwhile, Hewlett-Packard’s WebOS, which the company bought from Palm, is great software to develop for, but has a very small installed base.

To ensure that its platform is the “third OS”, Microsoft has offered developers incentives to build apps for Windows Phone 7.

“There are rumors going around that Microsoft is throwing big bags of money at developers,” he said. “I’m not sure if this rumor originated from the same place as leprechauns sitting at the end of the rainbow with a big pot of gold. But that’s not really how it works.”

Watson said there are deals that have been struck that involve monetary assistance for developers, but there are also marketing incentives that will help promote the apps in the Microsoft Marketplace. There is also technical assistance and help in merchandising apps in the Marketplace. And there will even be times when Microsoft seeks an exclusive for an app.

“We are figuring out what works and how to engage with developers so that they can be successful,” he said. “We want to make them rich and famous. Microsoft can only be a success if our partners make money.”

Watson wouldn’t talk about specific deals struck with particular app developers, but he said the depth of engagement with developers varies. For example, the most successful app developers will get one-on-one interaction with Microsoft. The company will ensure there are sufficient monetary and technical resources to build the app. Because this is such an intensive process, Microsoft can’t do this with every app developer. But he said that Rovio, the developer of Angry Birds, would likely fall into this category.

To scale the incentive program globally to include thousands and tens of thousands of app developers, Microsoft offers events for technical training. It also helps developers better merchandise and market their apps. Microsoft carves out spots in the Marketplace to promote certain apps, which is huge especially for lesser-name apps.

Google’s Android platform, which is now the No. 1 mobile OS in the U.S., according to ComScore, had similar problems attracting new developers in its early days. But once big carriers, such as Verizon Wireless, started pushing the platform as an alternative to AT&T’s exclusive iPhone in the U.S., the Android platform gained steam. And as more Android devices were sold, more app developers created applications for these devices.

“It’s hard sometimes to get the snowball rolling,” said Ianni. “But once it gets going, then it’s a virtuous circle that keeps building and feeding off each other. Android is in the middle of it now. Apple was there two years ago. And Microsoft could find itself there as well down the road.”

Microsoft tweaks Windows Phone policy, touts trials

Microsoft announced Tuesday a handful of tweaks and changes to its Windows Phone Marketplace, many of which promise to make it easier for developers to publish in the now five-month-old digital storefront. The company also provided a look into the purchasing behavior of users, saying that nearly 1 in 10 downloads of a trial for an app or a game results in a sale.

One of the biggest changes centers around application distribution and publishing. Microsoft announced plans to launch a new Global Publisher Program, aimed at helping developers get their games in more markets.

“This program will enable developers worldwide to work with a Global Publisher to submit apps to the Windows Phone Marketplace,” Todd Brix, Microsoft’s senior director of mobile, said in a post on the Windows Phone Developer blog. “Developers from countries and regions all over the world can now submit apps and games to the Windows Phone Marketplace.”

That system, Brix explained, would have developers providing publishers with their applications, who would then submit them to the Marketplace and set the price. These publishers would also be responsible for ensuring the applications made it through Microsoft’s certification process.

The Global Publisher program is joined by a handful of policy changes, one being an acknowledgement and clarification of developers’ use of open-source licensed tools in their games and applications.

“The Marketplace Application Provider Agreement (APA) already permits applications under the BSD, MIT, Apache Software License 2.0, and Microsoft Public License,” Brix said. “We plan to update the APA shortly to clarify that we also permit applications under the Eclipse Public License, the Mozilla Public License, and other, similar licenses, and we continue to explore the possibility of accommodating additional OSS licenses.”

Last month a clause in the APA had come under fire for promising to ban any apps licensed under the GNU GPL v3, GNU Affero GPL v3, and GNU Lesser General Public License v3. Microsoft had responded by saying that the policy document was continuously being revised, and that the company would be “exploring the possibility of modifying it to accommodate additional open-source-based applications in upcoming revisions.”

Other policy changes include a move to raise the limit of complimentary app certifications that are offered for nonpaid applications from 5 to 100, as well as a change that makes leaving contact information for application support an optional affair. Brix explained that the mandatory inclusion option had slowed down the certification process.

Along with the update on the license, Brix said the company has seen great success with the implementation of trials for games and applications. These let users download and use a paid application before buying it, and have resulted in both higher total download numbers than applications without the feature, and higher sales.

“Nearly 1 out of 10 trial apps downloaded convert to a purchase and generate 10 times more revenue, on average, than paid apps that don’t include trial functionality,” Brix said. Those who make the jump from trial to a sale also do it in short order. “More than half of trial downloads that convert to a sale do so within one day, and most of those within 2 hours,” Brix continued.

The trial feature has proved to be one of the big differentiators among the mobile app marketplaces. Google offers refunds for applications on the Android Market, but there is currently no mechanism to download a paid app without first plunking down a payment. Apple’s approach thus far has been to allow free applications to offer full functionality through in-app purchase.

Brix also shared some preliminary results from developers using the company’s Ad Control platform, which lets developers stick advertising in their applications. Brix says 95 percent of apps with ads on the Windows Phone Marketplace are using Ad Control, and that ad impressions have gone up 400 percent in less than three months.

The Windows Phone marketplace now sits at 9,000 applications, and 32,000 registered developers who just began getting payments for their applications at the end of January. Microsoft has not yet disclosed the total amount of those payments. As a refresher on the platform’s momentum, below is our graph of the number of developers and applications, as announced by the company since launch. Worth taking into account is that both numbers are likely to shoot up as Microsoft’s strategic partnership with Nokia progresses.

Adobe continues the Flash fight with 10.3 beta

Revving the Flash Player development engine as fast as possible, Adobe Systems has issued a beta of version 10.3 that lets programmers use a variety of new audio tools.

Those audio possibilities could be very useful for those writing Net-based voice communication software. Features include canceling noise and echoes, detecting when a person has started or stopped speaking, and correcting microphone volume levels to even out speech loudness, Flash product manager Thibault Imbert said in a blog post.

More broadly, though, the software embodies Adobe’s push to keep Flash competitive. The browser plug-in is, if not fighting for its life, in a much less secure position than in years past when programmers could safely assume virtually all browsers had the plug-in installed.

Even as Adobe seeks to make Flash–and a close relative, AIR–a foundation for software that runs on a wide variety of computing devices, the technology faces two big challenges. First are mobile devices, which can lack the processing horsepower and memory to handle Flash and which, in the case of Apple’s iOS, ban Flash altogether. Second is a maturing suite of Web standards that increasingly can handle many programming tasks that previously required Flash–including on those mobile devices that lack Flash.

Adobe tries Web standards, too
Adobe is hedging its Flash bets by embracing those Web standards. Perhaps the best example is Adobe Wallaby, which rewrites Flash elements to use Web standards including HTML (Hypertext Markup Language, the language to describe Web pages), CSS (Cascading Style Sheets, used for formatting and increasingly advanced animations), and JavaScript (the language of Web-based programs that’s a cousin to Flash’s ActionScript). Adobe is billing the technology in part as a way for Flash programmers to reach iOS devices.

“Adobe’s job is to help you solve problems, not to get hung up on one technology vs. another,” said John Nack, a principal product manager at Adobe who focuses on mobile-device apps, in a blog post today.

But Adobe continues to push Flash hard, too.

Flash Player 10.3 is the third significant point release to Flash Player 10, and its arrival reflects a growing trend in online software development toward smaller, more frequent releases. Google’s Chrome browser, with a six-week cycle, is perhaps the fastest, but Mozilla is moving to a quarterly release cycle with Firefox. The general idea is that online software distribution lets software developers get new features into users’ hands sooner rather than waiting for large updates with a long list of changes.

Version 10.1 was a long time in the making; its most notable feature was that it ran on higher-end Android phones and not just personal computers. With the mobile transition under way, Adobe now seems to be working through a backlog of smaller but significant features it wanted to add. Flash Player 10.2 brought more efficient video through a feature called Stage Video that uses hardware acceleration.

With the arrival of HTML5’s built-in video abilities, online video is a particular competitive battleground for Flash, which for years had the market largely to itself. Here, Adobe is continuing its sales pitch of offering higher-level features useful to those in the business–in this case by building in some online analytics features of Adobe’s Omniture acquisition.

“Media Measurement for Flash allows companies to get real-time, aggregated reporting of how their video content is distributed, what the audience reach is, and how much video is played,” Imbert said of the analytics technology.

Flash 11: 3D and 64-bit
Meanwhile, for Flash programmers in the avant garde, Adobe last week issued a preview version of Flash 11 with 3D graphics called Molehill. The Molehill interface is a big deal for Flash, which has a stronghold in online gaming but which faces competition from an emerging Web standard called WebGL.

Developers are starting to kick the Molehill tires. Lee Brimelow, an Adobe Flash platform evangelist, shared a list of Molehill demos yesterday.

Also coming with Flash Player 11 will be 64-bit support, an update that follows the release of several 64-bit browsers–notably Apple’s Safari.

“Now, you may be thinking, what! No 64-bit version!” said Imbert in a personal blog post. “64-bit is coming for the next major version of the Flash Player, so please wait a little more time, I know it is painful, but this is for the good! Next major version will be killer.”

64-bit software can handle vastly larger tracts of memory than 32-bit software, which is limited to 4GB, and 64-bit operating systems have become ordinary when it comes to Linux, Mac OS X, and Windows. The large memory address space isn’t terribly important for browsers today, though, so 64-bit Flash isn’t at the top of Adobe’s priority list.

Adobe can’t wait forever, though. 64-bit computing can improve some performance–Safari’s Nitro JavaScript engine, for example–and it’s difficult at best to use a 32-bit plug-in with a 64-bit browser.

Closer to the here and now, though, is Flash Player 10.3. Along with the audio controls, it comes with a control panel that runs on a person’s machine. It’s integrated with the regular Windows, Mac OS X, or Linux control panel rather than the present mechanism that uses a Web site. The control panel brings “streamlined controls for managing [users’] Flash Player privacy, security, and storage settings,” Imbert said.

And in a separate control panel change, Flash Player can integrate with a browser’s control panel to let people control settings there, too. That can help address the “evercookie” problem, in which a person tries to delete a browser’s regular cookies but fails because duplicates can be stored using Flash.

Finally, the new version integrates with Mac OS X’s built-in notification system when it comes time for a software update.

The Flash Player 10.3 beta is designed for mobile phones as well as personal computers, Imbert said. Programmers who want to try the new features of 10.3 should note that they’re available in the Flash Player 11 preview version, too.

Faster JavaScript gets Google Chrome 10 spotlight

Google released Chrome 10 today, endowing its browser with faster JavaScript, password synchronization, a revamped preferences system–but no new Chrome logo. Chrome is available for Windows, Mac, and Linux.

Google announced Chrome 10’s stable release on its blog but refrained from mentioning its product number. That’s in line with the company’s effort to focus on features rather than version numbers, which it calls mere milestones. Google tries to get new versions into users’ hands as rapidly as possible and currently passes a new milestone about once every six weeks.

JavaScript is the programming language used to write Web-based programs, and it’s steadily gaining in importance. That’s because programmers are now using it to write full-featured Web applications such as Gmail and Google Docs, not just Web pages, and faster JavaScript enables more features and a faster interface.

Chrome 10 comes with the “Crankshaft” version of the V8 browser engine that Google pegs as 66 percent faster than the unnamed version in Chrome 9 as measured with Google’s V8 Benchmark suite. That’s a major speed boost, but be aware there are many other attributes of browser performance, and one of the biggest–hardware acceleration–will hit prime time with the imminent release of Mozilla’s Firefox 4 and Microsoft’s IE9.

Chrome 10 gets some hardware acceleration, though, when it comes to playing videos, said Chrome team member Jason Kersey in a blog post.

Browsers usually get new features, but, unusually, Chrome had one removed: H.264 video is gone. Google said Chrome 10 would support Google’s own VP8 video encoding, which it offers royalty-free in an attempt to unencumber Web video from patent licensing barriers that come with the widely used H.264. For those who are attached to the codec, Microsoft offers an H.264 Chrome plug-in for Windows 7 users.

Chrome already had Adobe’s Flash Player built in, but Chrome 10 also puts Flash in a protective sandbox to confine security problems to a walled-off area of memory. Also in the security department are 23 security fixes discovered through Google’s Chrome bounty program and ranging in severity from low to high.

One seemingly minor but actually pretty useful change in Chrome 10 is a revamped configuration system. Instead of a pop-up dialog box that must be dealt with then closed, the new settings show in a browser tab.

The first advantage of the approach is that there’s more room to show what’s going on. The second is that you can leave the settings open while using other tabs–for example while reading Web sites that are offering advice on what to do. A third is that you can save specific Web addresses for a configuration setting, which Google believes could make remote tech support easier because you can simply e-mail somebody a URL rather than tell them how to drill down through a number of settings. Finally, a feature that comes along for the ride is that the configuration page comes with a search box to locate particular features directly.

‘Social biz’ uprising drives big data analytics

SINGAPORE–The inevitable shift by businesses to become more social is fueling demand for big data analytics, say IBM executives, who note that the phenomenon is significant in Southeast Asia where social media consumption is growing rapidly.

According to Nigel Beck, vice president of business development for social software at IBM, business processes are undergoing a pervasive change today with the rise of “social business”. This calls for organizations to “find customers with problems instead of customers finding [them] with problems”, Beck said.

Such social businesses create the means for people and information to “find each other”, are transparent or provide open access to information, and are nimble as they are able to quickly adjust course, he added. The IBMer was speaking to ZDNet Asia on the sidelines of the IBM LotusSphere and Information on Demand event here Tuesday.

To equip social businesses, Big Blue has embedded social capabilities in analytics tools as well as included predictive analytics into social collaboration products, said John Mullins, Asean business unit executive for collaboration solutions at IBM Software Group, who sat in on the same interview.

That would enable, for example, an airline to identify a customer who has blogged about a negative experience with its service, and correct that unpleasant encounter via its contact center, said Singapore-based Mullins.

Bernard Spang, director of strategy and marketing for database software systems at IBM’s software group, noted that the explosion in both structured and unstructured data has driven organizations to look at business analytics as a strategic focus area. He said companies are trying to achieve better business outcomes with the rising amounts of machine- and human-generated data including information from sensors, blogs and tweets.

To that end, IBM has brought together capabilities under big data analytics that address the volume, variety and velocity of information, Spang said, adding that the vendor is combining various analytic technologies instead of offering analytic silos.

“The more info you can bring together and analyze, the better you see the market situation, the better you can understand your customers to grow the business,” he said.

SEA a social media hotbed
According to Mullins, Southeast Asia is leading the world in terms of social networking with Indonesia ranked as the second-largest Facebook market globally and the Philippines boasting the biggest year-on-year growth of Facebook users.

A comScore report in August also revealed that Indonesia had the world’s highest Twitter penetration, while a TNS survey in October pointed to Malaysians as the world’s heaviest users of social networking sites.

Consumers in the region, Mullins said, are “already sold on the social message” and it is only a matter of time before enterprises become more social. In Singapore, which is seen as a technology leader in the region, a broader set of organizations, beyond just early adopters, have already embraced the use of social media, he added.

At the end of the day, insights from social networking sites can provide a more complete picture of a consumer, noted Mullins. In some parts of the world, the information available on these sites may be more accurate than citizen data held by governments, he pointed out.

Opera launches mobile appstore

Opera Software has launched its own mobile appstore which stocks apps that run on various mobile platforms including Android and BlackBerry devices. The company also unveiled a new portal to help developers publish apps on the new storefront.

In a press statement Tuesday, the Web browser maker said its Opera Mobile Store is accessible to users of its mobile browsers–Opera Mini and Opera Mobile–as well as mobile browsers from other makers.

Built and delivered using Appia’s storefront commerce technology, the appstore carries apps that run on various mobile platforms in more than 200 countries, including Google Android, Research in Motion’s (RIM) BlackBerry, Nokia Symbian and Java.

Opera added that the appstore can be customized according to a user’s device, operating system, local language and currency. In addition, Opera Mini and Opera Mobile users will be able to access the appstore via a speed-dial link in their respective browsers.

During its soft launch last month, the appstore was visited by more than 15 million users from 200 countries and saw over 700,000 downloads per day.

In conjunction with the launch, Opera also unveiled the Opera Publisher Portal to help developers publish their apps on the new appstore.

“The launch of the Opera Mobile Store supports Opera’s core belief in an open, cross-platform mobile Internet experience by providing Opera users with an integrated storefront of mobile applications,” Mahi de Silva, Opera’s executive vice president of consumer mobile, said in the statement.

Today’s launch puts Opera in a growing list of third-party appstore operators including Taiwanese handset maker HTC, e-commerce giant Amazon as well as mobile operators such as M1 and SingTel in Singapore.

Researcher finds serious Android Market bug

Google has fixed a bug in the Android Market that could have allowed attackers to distribute malicious apps to gain control of devices.

“Since the Android Web market was launched earlier this year, it was possible to remotely install arbitrary applications with arbitrary permissions onto a victim’s phone simply by tricking them into clicking a malicious link (either on their desktop or phone),” Jon Oberheide, co-founder and chief technology officer at Duo Security (formerly Scio Security), wrote in a blog post on Monday. “The exploit works universally across all Android devices, versions, and architectures.”

Oberheide described the cross-site scripting (XSS) vulnerability as “low-hanging fruit” and said he was surprised no one had discovered it before. Such bugs are very common in Web sites.

The Android Market allows people to remotely install new apps on to their Android smartphones while browsing the site on their desktop computers.

“While being able to browse the Android market via your browser on your desktop and push apps to your device is a great win for user experience, it opens up a dangerous attack vector. Any XSS vulnerabilities in the Web market allow an attacker to force your browser into making a ‘Post’ request that triggers an app installation to your phone,” Oberheide wrote. “Since there is no on-device prompt or confirmation for these ‘Install_Asset’ requests pushed to your phone, an attacker can silently trigger a malicious app install simply by tricking a victim into clicking a link while logged in to their Google account on their desktop or on their phone. The malicious app delivered to the victim’s phone can use any and all Android permissions, allowing for all sorts of evil behavior.”

Google should include a feature that prompts the owner of the phone to confirm via the device the download of any app rather than just allowing them to be remotely installed, Oberheide said in a phone interview with CNET. The Android Market is “not inherently insecure but there is a danger when you start pairing up your desktop computer to your Google account and your mobile device,” he said.
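Oberheide's recommendation, modelled as an added example (not code from Google, Duo Security or the original article): a device that installs on push, as the article describes, beside one that only queues the request until the owner decides on the device itself. The class names, the 300-second expiry and the sample packages are assumptions made for the illustration.

```python
import secrets
import time
from dataclasses import dataclass


@dataclass(frozen=True)
class InstallRequest:
    package: str
    permissions: tuple
    received_at: float


class SilentDevice:
    """Behaviour the article describes: a pushed request installs with no prompt."""

    def __init__(self):
        self.installed = {}

    def on_push(self, package, permissions):
        self.installed[package] = tuple(sorted(permissions))
        return "installed"


class ConfirmingDevice:
    """Hypothetical hardened handler: a push only queues a request for the owner."""

    def __init__(self, ttl_seconds=300, clock=time.time):
        self.ttl = ttl_seconds
        self.clock = clock
        self.pending = {}
        self.installed = {}

    def on_push(self, package, permissions):
        # The device cannot tell a request forged in the owner's browser from a
        # genuine one, so every push stays untrusted until the owner acts.
        request_id = secrets.token_hex(8)
        self.pending[request_id] = InstallRequest(
            package, tuple(sorted(permissions)), self.clock())
        return request_id

    def prompt(self, request_id):
        """Text shown on the device: package name plus every requested permission."""
        req = self.pending[request_id]
        return f"Install {req.package}? Requested permissions: {', '.join(req.permissions)}"

    def decide(self, request_id, approve):
        """Reachable only from the on-device UI, never from the push channel."""
        req = self.pending.pop(request_id, None)  # single use: a replay finds nothing
        if req is None:
            return "unknown-request"
        if self.clock() - req.received_at > self.ttl:
            return "expired"  # a stale prompt cannot be approved later
        if not approve:
            return "rejected"
        self.installed[req.package] = req.permissions
        return "installed"


def demo():
    # Constructed sample requests; the package names are placeholders.
    forged = ("com.example.unwanted", ["SEND_SMS", "READ_CONTACTS"])
    wanted = ("com.example.notes", ["INTERNET"])

    silent = SilentDevice()
    silent.on_push(*forged)

    now = [1000.0]  # controllable clock so the expiry path is deterministic
    device = ConfirmingDevice(ttl_seconds=300, clock=lambda: now[0])
    forged_id = device.on_push(*forged)
    wanted_id = device.on_push(*wanted)
    results = {
        "silent_installed": sorted(silent.installed),
        "before_decision": sorted(device.installed),
        "prompt": device.prompt(forged_id),
        "forged": device.decide(forged_id, approve=False),
        "wanted": device.decide(wanted_id, approve=True),
        "replay": device.decide(wanted_id, approve=True),
    }
    stale_id = device.on_push(*forged)
    now[0] += 301
    results["stale"] = device.decide(stale_id, approve=True)
    results["after"] = sorted(device.installed)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The forged and the genuine request arrive over the same channel, so the only place they can be separated is the owner's decision on the device.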

Oberheide said he informed Google about the bug in mid-February and that it fixed it a week or so ago.

He bemoaned the fact that after he had reported the bug to Google and been paid US$1,337 as reward, he learned that he could have made US$15,000 if he had entered it and won in the Zero-Day Initiative’s Pwn2Own contest at the CanSecWest security conference this week.

Asked to comment on the matter, a Google representative said: “We enjoy rewarding high-quality Web application security research via our vulnerability reward program. More information can be found here.”

The news of the XSS bug comes on the heels of Google announcing last weekend that it had pulled about 58 malicious apps from the Android Market and would remotely wipe them from the approximately 260,000 Android devices that had downloaded them.

Researchers at mobile security provider Lookout also released more details on the malware, dubbed DroidDream because a string of code in the software used that term. The malware was configured only to run between 11 p.m. and 8 a.m., when a device owner would likely be asleep or have the phone off, Lookout said in a blog post.

The post describes the malware as a “zombie agent” that gains root permissions and then waits and silently installs a second app that sends information about the device to an outside server.

“When the malware gets on your phone it basically issues a blank check for additional apps to be downloaded,” Lookout Chief Technology Officer Kevin Mahaffey said in an interview today. “The sky is the limit in terms of what it could have done because the malware had (complete system administrator) root access.”

The free version of Lookout can be used to scan the device to see if it has been infected with the malware. Lookout advises people not to do a factory reset on the device as that may not rid it entirely of the malware. Google’s remote “kill switch” will take care of that.

Rumors of Apple retail nixing boxed software persist

Building on reports from a month ago that Apple was planning to drastically scale back on boxed software at its retail stores, a new report claims that such a plan will include other computer peripherals as well.

The reasoning behind the move, as explained by ZDNet Asia’s sister site CNET contributor Jim Dalrymple on his personal blog The Loop, is that Apple plans to expand its personalized in-store setup service. This is the one that has Apple Retail Store employees helping new Mac, iPad, and iPod buyers get their new hardware up and running following their purchases.

To make room for these one-on-one sessions, something’s got to go, which is where the removal of software boxes from the storefront comes into place. Echoing a report by MacRumors from February, Dalrymple says that boxed software–mainly games–will get the boot from some Apple store shelves and stockrooms. Things like printers, scanners, and hard drives are also likely to be stricken from store floors and demo spaces, though they could end up staying in store stock rooms to be made available for an on-the-spot purchase, the report claims.

These changes are said to be affecting “about 80 percent” of Apple’s retail stores once they go into place, leaving the other 20 percent (likely the large stores with plenty of space) unaffected. The changes could also play into making extra room for support and training that make up a part of Apple’s recently announced Joint Venture support service that will serve small-business customers with two-hour training workshops.

Adobe releases tablet publishing tool

Adobe Systems on Monday released the Enterprise Edition of its Digital Publishing Suite, a tool for creating interactive publications on tablets–and for making Adobe more relevant in an age of new computing devices.

The software integrates with Adobe’s existing Creative Suite applications such as InDesign to let designers produce digital publications for Apple’s iPad, RIM’s PlayBook, Motorola’s Xoom, and Samsung’s Galaxy Tab lines of Android-based tablets. It also dovetails with digital distribution systems, including Apple’s App Store Subscriptions and Google One Pass. And it comes with analytics services from Adobe’s Omniture acquisition so that publishers can track details about how people use the digital publications.

Among 150 titles using Adobe’s technology are National Geographic, Vogue, Consumer Reports, Marines Magazine, Backpacker, Autotrends, The New Yorker, Outside, and Wired. Publishers include Bonnier, Conde Nast, Globo Media Group, and Martha Stewart Living Omnimedia.

Adobe is a major power when it comes to selling software for personal computers, but it’s working to adapt to the new era of smaller, more-mobile devices. It has basic Photoshop versions for iPhone and Android phones and offers the Adobe Ideas app for sketching on iPads. The company is also working on more elaborate software for tablets, including an Adobe Journal technology demonstration app for drawing and sketching on Android devices.

Journal includes a variety of drawing devices, Photoshop-like features for adding graphical elements to a drawing, and tools for panning, zooming, and moving among different pages. It’s based on Adobe’s cross-platform AIR software foundation, meaning that Journal could likely be ported to other operating systems–even iPads, using an Adobe packaging system that turns AIR apps into native apps.

In contrast, the Digital Publishing Suite isn’t for ordinary consumers with tablets, but rather for businesses trying to reach those consumers. The version released today is for large publishers; for smaller outfits, Adobe’s Professional Edition is due to ship late in the second quarter, Adobe said.

Also at that time, Adobe plans to release the Folio Producer Service, which will let publishers directly upload content from InDesign, Adobe’s software for design and layout.

Pricing of the Enterprise Edition depends on a custom quote from Adobe based on access to services for creating and distributing publications, Adobe said in a blog post.

CRM players should tap social demand

Customer relationship management (CRM) services providers will find a lucrative market in offering social media components to companies in the telecommunications, travel and tourism, and public sector industries, says Ovum.

In its report released last week, the analyst firm noted that 57 percent of telcos, 54 percent of travel and tourism companies, and 45 percent of public sector organizations are demanding social media elements in their CRM strategies. This indicates “much promise” for CRM outsourcing service providers.

“There is certainly demand for social media CRM services that outsourcers can take advantage of, particularly in the travel and tourism and telecoms sectors,” Ovum’s analyst, Peter Ryan, said in the report.

Social media monitoring, customer service and business development were identified as the top functions CRM outsourcers should provide to help grow their business and revenue.

Ryan said these CRM services providers should reinforce their relationships with existing clients by offering a new service, adding that they face a challenge of creating a profitable business model from offering social media services.

There is currently a lot of “confusion among vendors on how to charge for these services”, he explained, with most choosing to deliver their services on a per time-unit or per transaction model. The Ovum analyst noted that as the social CRM market matures, pricing models will need to evolve to ensure the highest possible margins.

Social media use among consumers has experienced exponential growth, with companies and marketers choosing to engage consumers through Facebook and other social media platforms, according to February research conducted by Firefly Millward Brown.

A previous ZDNet Asia report also revealed that contact centers are increasingly looking to monitor social chatter to track customer feedback and improve customer service.

Google issues Android anti-fragmentation tool

Google has made good on a promise to release technology it hopes will curtail Android’s fragmentation problem, a complication for programmers who want their software to run on diverse devices.

Last week, the company released a “Fragment” library for older versions of Android. The library is built into the Honeycomb version of Android, offering new tools to sidestep issues like different screen sizes more easily for those using the brand-new Android 3.0. That version of the OS appears on Motorola’s new Android-based Xoom tablet and will be arriving on other tablets.

Now, though, the Fragment interface will be useful for older Android devices that currently dominate the market. The library can be built into applications so that programmers can use the Fragment application programming interface (API) even if it’s not in the operating system directly.

“Today we’ve released a static library that exposes the same Fragments API (as well as the new LoaderManager and a few other classes) so that applications compatible with Android 1.6 or later can use fragments to create tablet-compatible user interfaces,” said Xavier Ducrohet, technical leader for the Android software developer kit, in a blog post last week.

Google announced the Fragment API in February.

“For developers starting work on tablet-oriented applications designed for Android 3.0, the new Fragment API is useful for many design situations that arise from the larger screen. Reasonable use of fragments should also make it easier to adjust the resulting application’s UI to new devices in the future as needed–for phones, TVs, or wherever Android appears,” Dianne Hackborn, a Google Android programmer, said in a blog post about the interface.

Rise of the 99-cent Kindle e-book

Commentary: Not long ago I did a story about how e-book piracy was accelerating and that publishers should be concerned. But while piracy is certainly an issue, there’s something else lurking out there that may be a bigger problem: e-book price erosion. Or put another way, the blogification of the book industry.

Now, I know what you’re saying: that’s great news. These publishers have been gouging us with ridiculous pricing for digital files that cost next to nothing to produce (in terms of material costs) and finally we’re starting to see lots of deals out there. But it’s a bit more complicated than that.

How we got here
First, a little history. Just last year, the magic price point for a lot of indie (self-published) authors was US$2.99. Why US$2.99? Well, if you price your e-book at US$2.99 or higher, you get a 70 percent royalty from Amazon when using its Kindle Direct system, or 65 percent from Barnes & Noble when using its PubIt self-publishing platform. That means that if you set your price to US$2.99, you make around US$2 on each copy you sell, which is damn good, especially if you sell a lot of copies, which certain indie authors do.

But if you drop below US$2.99, you end up with a 35 percent royalty. That’s a big difference, but it’s still better than what you get on an e-book from a traditional publisher (25 percent of the net sale, which comes out to around 17.5 percent of the price of the book). Still, you’d think that most people would choose to go for the 70 percent royalty.

Most of them used to. But then something happened on the way to the check-out cart. Some authors started saying, “Screw it, I’m not selling that much at US$2.99, I’ll just go to 99 cents and see what happens.” And bam, some of these books took off. And some really took off.

Case study: “Fifth Avenue”
Christopher Smith, who wrote the novel “Fifth Avenue,” priced his novel at US$2.99 when he launched it last October. He says that with some social media outreach–he did an iPad and a Kindle giveaway for those who tweeted about the book–and little else, the book quickly reached the Amazon Top 100 and peaked at No. 4. After the initial rise, Smith then decided to drop the price of the book to 99 cents to maintain his ranking in the top 100, which is key to generating sales.

Thanks to some controversy over gay sex scenes in the book that touched off heated discussions in Amazon’s Kindle message boards, Smith says “Fifth Avenue” remained in the Top 100 for three months and also has done well on Amazon’s U.K. Kindle Store. His sales, he says, are in the “six figures”, and he’s now represented by an “A-list” agent, Matt Bialer at Sanford J. Greenburger.

“When I went to 99 cents, I was going for longevity,” Smith says. Later, when he was firmly planted in the Top 100, he started playing with pricing and listed the book back at US$2.99. For every US$2.99 book he sold on the Kindle, he needed to sell six books at 99 cents to make the same amount of money. While he drifted downward on the best-seller list, if he priced at US$2.99, he says he was making significantly more money.

“To keep the book on the list as long as possible, I’d just switch it back to 99 cents and it would quickly climb the list again,” Smith says. “Rinse and repeat. This went on for months.”

The App Store effect: Price drops
In some sense, what’s happening in the Kindle Store is what’s already happened in Apple’s iPhone App Store, where developers have been forced to lower their prices to 99 cents to compete (recently, Angry Birds’ maker Rovio told fellow developers to get used to pricing their apps at 99 cents). The price erosion isn’t that great yet on the Kindle; there are still plenty of US$9.99 and higher e-books out there from traditional publishers. And many of them still sell very, very well. But with so many more e-readers and iPads out there, the market has grown large enough–like the iPhone market did–that you can actually make decent money at 99 cents, particularly if you crack the Top 100.

You’d think that even at a low price, people might have some reservations about buying a self-published e-book with no “professional” reviews on it and reader reviews that aren’t exactly screened (it’s no secret that many authors get friends to seed their books with user reviews). But apparently not. Arguably, then, like apps, e-books have turned a lot of people into cheapskates or, to put it more politely, serial bargain hunters.

Whether people ultimately end up reading these cheap books–or just collecting them–is open to debate (some argue that because people have invested a reasonable sum of money in buying a book, there’s less urgency to read it). But Smith says his experience contradicts that notion. He says he’s received a “massive amount of fan mail,” as well as “hate mail from conservative groups” who want a warning label put on his book for those aforementioned gay sex scenes.

The new pricing sweet spot
Just how many 99-cent e-books are in the Kindle Store’s Top 100 on Amazon? Well, at the time of this writing, I counted 17 e-books priced at a dollar or less on the list. If you take away the game titles, newspapers, and magazines that are on the list, you’re looking at the 99-cent e-book making up slightly more than 20 percent of the list. In some cases, authors like John Locke have multiple 99-cent best sellers (read one and think it’s good, you buy the rest, right?) and other extraordinarily successful indie authors like Amanda Hocking have a mix of 99-cent and US$2.99 best sellers. In fact, these cheap indie titles may be even more popular than they appear, since they often aren’t included in mainstream best-seller lists like that of The New York Times.

As for the Nook, Barnes & Noble is somewhat new to the self-publishing game with its PubIt platform, but more indie authors are starting to bring their books to the Nook, which has a 25 percent share of the e-book market in the U.S., according to Barnes & Noble CEO William Lynch. (Sites like Smashwords allow you to publish to multiple e-book platforms, including Apple’s iBookstore, in one shot and only take a tiny cut of your profits). In a recent e-mail to the press, Barnes & Noble noted that 35 titles in its top 200 were from indie authors.

Whither publishers?
None of this bodes well for the publishing industry. Why? Well, 99 cents and US$2.99 works for self-published authors, but it’s probably not going to cut it for traditional publishers or the authors who sign on with them. The exodus won’t happen right away, but you’re seeing such established authors as Seth Godin hiring their own editors and graphic designers and creating what are essentially their own “imprints” or publishing companies through Amazon’s newly launched Powered by Amazon program.

Amazon also has its Amazon Encore program that identifies breakout self-published books and helps market those books and authors to readers. To take advantage of much higher royalty rates and Amazon’s incredibly powerful promotional tools, more authors will undoubtedly take this route, as Amazon’s book selling continues to grow as more bookstores go out of business. The speed with which Amazon can bring books to market is also appealing. The gestation period for an Amazon Encore book (yes, Amazon, too, has hired its own editors and graphic designers) can be much shorter than a traditionally published book, which usually takes around a year to come to market after a manuscript is turned in.

As someone who’s gone from self-publishing to traditional publishing, I’m in the unusual position of wanting to defend both. While many of these 99-cent books simply can’t find an audience if priced higher and won’t attract the interest of traditional publishers no matter how many copies are sold (because traditional publishers know they can’t sell those books at higher prices), I certainly appreciate the more democratic, free-market nature of the Kindle, which has provided a way for overlooked, talented writers to get noticed and be evaluated directly by readers rather than a phalanx of gatekeepers who are looking at excuses to say no rather than yes.

Of course, there are plenty of e-books priced at 99 cents that don’t get any traction at all and Smith, like others (JA Konrath, for example), maintains that an e-book has to be really good to sell. Not only does that mean it has to be well written and offer a compelling story (or subject in the case of a nonfiction book), but it should be professionally edited and copy edited. It’s also crucial for the author to hire a graphic designer who’s well versed in designing book covers.

While there’s certainly a lot of truth to that, I’d argue that if you have a good cover and are able to come up with just a bit of creative marketing, at 99 cents–and lowered reader expectations–you can get away with your book being “good enough.” And in fact, like the rise of blogging, volume and speed may end up being more important than top-notch quality (so much the better if your books happen to be spectacularly written page-turners).

Smith likes to mention that his success helped lead to a blurb from Stephen King, who is his neighbor in Maine. That’s a nice marketing tool to put on your Amazon page, but it’s interesting to note that King didn’t actually make a comment about the book.

“Put me down as an enthusiastic Christopher Smith fan,” King said. “Smith is a cultural genius.”

Stephen King is smart enough to know the writing is on the wall. Will publishers?

WebGL 1.0 is done. Where’s Microsoft?

Brace yourself for the 3D Web. At least, if you use Firefox, Chrome, Opera, or Safari. Those are the browsers that support–though sometimes only in developer-preview editions–a technology called WebGL. And today, the Khronos Group standardizing the graphics interface announced that WebGL 1.0 is finished.

Although WebGL has significant momentum, its prospects are significantly hampered by Microsoft’s lack of enthusiasm. When I’ve asked Microsoft its feelings about it, the company expressed a preference for “using existing standards to build 3D today”, pointing as an example to the Sky Beautiful demo site.

Granted, Microsoft has bit off a lot trying to modernize Internet Explorer with IE9, but WebGL is arguably a pretty important piece of the Web technology platform. Perhaps some reluctance can be explained by the fact that WebGL is based on the OpenGL graphics interface used on Mac OS X, Windows, iOS, and Android and that competes with Microsoft’s DirectX.

If there’s enough interest among Web developers, though–and those developers long have shown a fondness for IE alternatives–Microsoft could conclude that WebGL support is as important as other Web technologies such as Scalable Vector Graphics that only now are top priorities. WebGL is one of a suite of developing Web technologies that are gaining clout as a foundation for Web-based applications.

Jay Sullivan, Mozilla’s vice president of products, thinks there’s enough browser support already to attract programmers. “Between Firefox and Chrome, people will build stuff,” he said in an interview.

And WebGL has some compelling possibilities. Microsoft’s own Fish IE Tank demo, used to show off IE9’s hardware acceleration, runs vastly faster in Jeff Muizelaar’s Fish IE demo rewritten to use WebGL–although not using its 3D features.

And Facebook sees WebGL’s performance advantages for its nascent JSGameBench speed test. “Implement WebGL!” pleads Facebook’s Bruce Rogers in a blog post about WebGL’s benefits. “WebGL powerfully expands the design space available to Web developers and is not just for 3D content. Don’t force developers and users to abandon their browser of choice in order to experience great Web content.”

WebGL no doubt will enable Web developers to put annoying rotating cubes on their sites. But there are plenty of serious uses for the interface as well.

For example, the hardware-accelerated 3D graphics of WebGL are well suited to many games–not necessarily top-end first-person shooters, but certainly for maze exploration, rollercoaster rides, and races. Also, WebGL is good for bringing a 3D element to Google or Bing maps.

WebGL, though, is a very low-level interface many programmers can’t be expected to master, especially in the sometimes lightweight world of casual online gaming. Happily, libraries are sprouting up to automate its usage.

“There is already a thriving middleware ecosystem around WebGL to provide a wide diversity of Web developers the ability to easily create compelling 3D content for WebGL-enabled browsers,” Khronos said. “These tools include: C3DL, CopperLicht, EnergizeGL, GammaJS, GLGE, GTW, O3D, OSG.JS, SceneJS, SpiderGL, TDL, Three.js and X3DOM.”

Some big competition for WebGL comes from Adobe Systems’ Flash, which already is a major force in online gaming. Flash has lacked true 3D support, but that’s changing. In the last week, Adobe released a preview version of Molehill, its 3D programming interface, in a Flash Player 11 “incubator build.”

And like WebGL, Molehill is accompanied by higher-level libraries and is useful for more than just 3D.

“The power of Molehill does not stop [at] 3D,” said Thibault Imbert, a product manager for Flash runtimes, on the Molehill announcement. “You should think about it as a new rendering engine tied to the GPU [graphics processing unit]. If you architect your application, Web site, or game correctly (by using classic techniques to leverage the GPU) you will be able to use Molehill in many situations, [including] 2D on GPU.”

Another challenge will be reaching mobile browsers. It’s coming though, as shown with work in the mobile version of Firefox, for example. With Android and iOS also supporting OpenGL ES 2.0, it should be mostly a matter of time before those influential operating systems’ mobile browsers add the feature.

With WebGL version 1.0 released, though, and companies like mobile-phone chipmaker Qualcomm endorsing it, WebGL comes with a greater assurance of stability and support. Now it’s up to allies and developers to build WebGL a full-fledged programming ecosystem.

E-book companies raided over EU antitrust concerns

European authorities have raided the offices of e-book companies over antitrust suspicions.

The unannounced inspections were carried out on Tuesday in “several member states”, the European Commission said in a brief statement on Wednesday. The Commission would not say who was inspected or where in the EU the inspections took place.

It did say, however, that it had “reason to believe that the e-book companies concerned may have violated EU antitrust rules that prohibit cartels and other restrictive business practices”.

Read more of “E-book companies raided over EU antitrust concerns” at ZDNet UK.

Coca Cola fizzes on DB2 savings

Coca-Cola Bottling Consolidated (CCBC) was not only able to realize cost savings when it moved from Oracle to IBM DB2 database, it also saw further savings in storage and improvements in lead time, according to company executives.

In an interview with ZDNet Asia, Thomas DeJuneas, manager of enterprise systems, information systems and services at the U.S.-based bottling company, said cost saving was the primary reason the company switched to DB2. It predicted savings of US$750,000 over five years based on estimates from not having to purchase Oracle’s new licenses and maintenance, he added.

CCBC produces, distributes and markets bottled and canned beverage products sold under The Coca-Cola Company.

The company also saw savings from lower storage requirements. Andrew Juarex, CCBC’s lead systems specialist of information systems and services, said its DB2 deployment yielded an immediate 40 percent reduction in storage space. “The initial compression brought our database from about 1TB to about 650GB,” he said, adding that with DB2 compression, the company’s data volume growth decelerated.

“With this compression, we were able to slow down how fast our database was growing. Before, with Oracle, we were growing at 35GB per month. After the move, our growth was 15GB per month,” Juarex added.

After going live with the new system, he said administrators who were on night shift noticed a speedy change to batch jobs related to the company’s supply chain processes. This, DeJuneas added, helped improve lead times as DB2 shortened the batch job process from 90 minutes to 30 minutes.

The Charlotte-based executives were in Singapore last week on IBM’s invitation as a customer reference to local companies.

DB2 move prompted by SAP upgrade
CCBC’s journey to DB2 began in 2008 when the company needed to upgrade its SAP R/3 Enterprise system to SAP ERP 6.0 which, DeJuneas revealed, would have required the company to upgrade its existing Oracle database and purchase new Oracle licenses.

Juarex noted that SAP applications run only on selected databases, namely Oracle, Microsoft SQL Server and DB2. He added that The Coca-Cola Company inks licensing deals on behalf of its subsidiaries but was unable to renegotiate a new agreement with Oracle based on the previous contract terms.

DeJuneas said The Coca-Cola Company had signed a deal with SAP and IBM to acquire DB2 licenses which was more attractive in terms of cost, compared to Oracle licensing fees. “Even though we didn’t have DB2 experience in-house, the dollar savings [from the IBM deal] was something to look at,” he said.

With few customer references to check with, Juarex said the company did its own research and used Oracle as a benchmark to assess the feasibility of moving to DB2. “We already know what Oracle can do for us. So we wanted to know if IBM-DB2 could match up,” he said.

After a two-month test period, he found that DB2 was able to offer the same functionality as an Oracle system. With the cost savings in mind, the company made the switch, he added.

Prior to the migration, Juarex revealed that his knowledge of Oracle databases spanned 12 years and he had no skills in DB2. However, IBM offered two-class training that was designed specifically for administrators schooled in Oracle database, he said. This, alongside a five-day training class with SAP and the two-month testing period, were “enough” for CCBC to get through the deployment, he said.

The migration to DB2 took eight months, said DeJuneas.

Juarex noted that all SAP applications are optimized to run on DB2. In comparison, DeJuneas said it would take about two months for new SAP applications to be optimized for Oracle database.

Juarex added that Oracle’s move into the ERP space through various acquisitions has put the software vendor in direct competition with SAP. While the latter cannot afford to ignore support for Oracle databases, it has been beefing up its partnership with other database companies, specifically by optimizing its products on IBM systems, he said.

Google Apps plug-in injects the cloud into Office

The cloud is coming to Microsoft Office–and it’s powered by Google.

Google’s latest effort to lure business customers away from Microsoft Office to Google Apps comes in the form of a plug-in for Word, Excel and PowerPoint. The plug-in essentially syncs Office files with an online counterpart that lives in Google Docs, which allows users to always see the most recent version of a file, whether they’re viewing it in a browser, in an Office app or even on a mobile device.

That means no more e-mailing a Word document between multiple people, only to be confused about which is the most recent. It means being able to see, in real time, as your colleague updates the sales figures in your spreadsheet–while you’re working on it. It means being able to literally drop an image into your colleague’s PowerPoint presentation.

Read more of “Google Apps plug-in injects the cloud into Office, slow venom into Microsoft” at ZDNet.

40 percent of new Angry Birds buyers doing in-app purchase

SAN FRANCISCO–It’s no secret Rovio has made a small fortune off its sales of Angry Birds on the App Store (and other platforms), but there had been some question about the success of its dabbling in the in-app purchase market.

That question was answered this afternoon by Rovio’s “mighty eagle” Peter Vesterbacka at the Game Developers Conference here. In a talk outlining the company’s efforts to build the Angry Birds franchise beyond its humble beginnings, Vesterbacka announced that 40 percent of new Angry Birds buyers had purchased the 99-cent “mighty eagle” add-on, which lets users skip a level they’re stuck on by unleashing a powered-up bird.

Vesterbacka did not go into detail on how those numbers trickled down to users that had purchased the game since its release, but suffice to say that the company has been pleased. That success, he said, hinged on making add-on game content that had a wide appeal. “It’s bad if you make products that 2 [percent] to 3 percent of your mobile fans want to buy,” Vesterbacka said.

Other tidbits revealed during the talk were that Rovio had sold more than 2 million of its plush toys. Vesterbacka described that as “a good start”, while saying that it was only the beginning of the company’s plans to expand the franchise.

Vesterbacka also talked up the upcoming sequel to Angry Birds, which is a tie-in with the upcoming Fox film Rio. “We didn’t want to sell out,” Vesterbacka said of the partnership. In the lead up to that choice, Vesterbacka had described some of the offers from other studios as “weird”.

“We got approached by different Hollywood studios, and they wanted to do all kinds of weird promotions, and lots of them were not very…let’s say they didn’t jive with the brand,” Vesterbacka said.

Being a developers conference, Vesterbacka also urged game makers not to give up in the face of not having a smash out success, citing that Angry Birds had actually been Rovio’s 52nd game. “The previous 51 games, those were also great games for the devices at that time, but of course the devices at that time were pretty limited,” Vesterbacka said. “If you look at the early J2ME/Brew games, the experiences were not amazing.”

There was also a particularly awkward moment in the question-and-answer part of the presentation when Vesterbacka was asked what physics engine Rovio had used. “Box2D,” Vesterbacka replied. The question asker turned out to be the creator of the open-source physics engine and asked whether the company would be giving him credit in Angry Birds. Vesterbacka encouraged the gentleman to come see him after the talk, as well as for other attendees to introduce themselves before asking their question.

How Microsoft made Kinect work around the globe

SAN FRANCISCO–The wave is one of the most universal ways of saying hello or drawing attention, but how do you create an entire language of gestures that people know, make sure they work with your specialized camera system, then make it work around the world?

Microsoft faced that problem while developing the Kinect, which the company discussed today during a session here at this year’s Game Developers Conference, which kicks off in earnest on Wednesday.

On hand was Kate Edwards, who is a geocultural content strategist for Englobe, a company that specializes in geopolitical and cartographic consultation. Edwards briefly outlined how Microsoft had been challenged with trying to make sure Kinect games were not going to offend other cultures where those games might end up.

Edwards said that while there were many ways to express the same thing, there were specific nuances for each culture that could get game makers in hot water if they accidentally crossed a line. To make sure that didn’t happen, the company analyzed image captures of game movements that users were supposed to emulate, and spotted such problematic items based on where the game would be shipping.

Once identified, the company would find a suitable replacement for such gestures, as had to be done for the launch title Dance Central, which has users stringing together lines of dance moves. Edwards said one of the easiest changes to make was with the hands, whereas the more difficult ones had to do with full body movements, which often played into a particular dance, or flow of the dance movements.

Also discussed during the session was localizing games for various languages, which was no small undertaking. As Microsoft international program manager Yumiko Murphy explained during the same session, the company had to come up with alternate words for each voice command, then code them into the game so that users would not have to go out of their way to learn new commands. This proved to be considerably extensive with Kinectimals, a game that has users training virtual jungle cats with hand gestures and their voice.

To train the system for that game, Microsoft gathered 10 boys and 10 girls ages 6 to 12, as well as five men and five women from ages 18 to 50 to speak each command two to three times. After that, Microsoft would go through the lexicon of commands to make sure no two commands were too similar, then set four males and four females to run through them to make sure they could be identified by the system. Keep in mind this would be repeated in each of the various localized markets where the title was being launched.

Two other problems in localizing games during the run up to Kinect’s release were secrecy and space. Microsoft localization program manager Lief Thompson described that time as a dramatic challenge for the company. Microsoft had originally set out to let third parties do testing of the platform for their game localization, but ran into problems trying to make sure they could keep the development units in a secured location that was out of public view. Since Kinect wasn’t out, Microsoft needed to make sure that facilities where it was being tested were not just under lock and key, but under 24-7 watch by security personnel, and safe from photography.

Microsoft also ran into trouble with space. Kinect just took up too much play space at 40 to 50 square feet. The solution for both issues was to keep the test units on Microsoft’s campuses both in Redmond, Wash., and in the company’s offices in Dublin and Tokyo. Tokyo in particular had to create three new test bays so that it could localize five of the launch titles to Japanese, Korean, and traditional Chinese.

“We were running short on time, and well into June of last year we were digging into every nook and cranny Microsoft had,” Thompson said.

China Unicom to take on Apple, Google with OS

China Unicom, one of China’s three largest wireless operators, plans to introduce its own mobile operating system to compete head-to-head with Apple’s iPhone and Google’s Android OS in China.

The Wall Street Journal reported Monday that the wireless operator, which is building a third-generation wireless network that competes with China Mobile and China Telecom, is developing a new mobile OS brand known as “WoPhone”.

The new operating system is based on Linux, and it’s geared toward mobile handsets and tablets. Companies that plan to build devices using the new OS include China’s ZTE, Huawei Technologies, and TCL. South Korea’s Samsung Electronics, U.S.-based Motorola, and Taiwan’s HTC are also building devices using the new OS, China Unicom’s parent company, China United Network Communications Group, said in a statement.

The company said in its statement that it hopes the new software will help the company develop 3G wireless devices more rapidly, thus getting them into the market more quickly. This is important because the Chinese 3G wireless market is just heating up with the major carriers battling for new 3G subscribers.

China Unicom has a long way to go in terms of winning new customers and trails behind larger players, such as China Mobile. As of January, China Unicom had 169.7 million mobile subscribers, including 15.5 million 3G customers. Meanwhile China Mobile had 589.3 million subscribers, including 22.6 million 3G customers.

Late last year, China Unicom launched WoStore, a mobile-application storefront that it said would support “all open smartphone platforms.”

Apple’s iOS and Google’s Android operating systems are starting to gain market share in China. But they are not as prevalent as they are in other markets, such as the U.S. or Europe.

In China, Nokia’s Symbian platform still garners the greatest market share in the smartphone market with 60.1 percent of all smartphones, according to Analysys International, a Beijing-based market research firm. Windows Mobile has the second highest market share with 13.1 percent. Google Android is third with 10.7 percent of the market. And Apple’s iOS has about 5.4 percent.

Other wireless operators in China have also said they’d build their own operating systems for wireless devices. China Mobile launched its Android-based OS called “Ophone” in 2009, but the platform hasn’t been a hit with customers.

A China Unicom spokesman told The Wall Street Journal that the China Unicom WoPhone platform will not be based on Android. But he declined to comment on whether that is because of Google’s dispute with China’s government last year. Google moved its search servers to Hong Kong from mainland China because it was worried about hacking and censorship.

E-mail innovator pitches self-deleting e-mails

MOUNTAIN VIEW, Calif.–Joshua Baer, CEO of the e-mail company OtherInBox, agitated for a new addition to e-mail standards at the Inbox Love e-mail conference last week. He’s proposing a standard that would let e-mail messages carry with them the date of their own irrelevance.

E-mails could use the “x-expires” header to tell the receiving in-box that they become outdated after a certain absolute date, or a certain time relative to when they’re sent or received. Baer says this idea has been “bouncing around” for 10 years, but he’s learned, “the best way to get a standard adopted is to work with individual companies first, and make it a de facto standard.” That’s what he’s trying to do here.

This concept could help keep users’ e-mail boxes cleaner and more relevant. Offers for discounts on Valentine’s Day flowers could automatically vanish on Feb. 15. Companies that blast out time-limited coupons (Groupon, LivingSocial) could serve users better by removing expired offers from in-boxes.

Other messages that become unnecessary after a period of time and often clutter up in-boxes, such as notifications of activity in groups, shipping notices from online retailers, or system alerts (like mailbox-full alerts, one hopes), could clean themselves out.

Baer hopes that the audience members at this conference, all of whom are in the e-mail business, start supporting his proposal. In the meantime, he says, his own e-mail organizing service (which I use and recommend) will start watching for and honoring expiration flags in e-mails it processes.

Microsoft Answers to rework look, reputation tools

Microsoft plans to roll out a redesign of its Answers site, which gives users a place to seek unofficial tech support on Microsoft products and services.

As part of the redesign, Microsoft says it’s now easier to find answers through both an improved search tool and a new layout that puts its various product directories in a clearer order.

Along with the new look, Microsoft is also overhauling the site’s reputation system, which is how its members are rewarded for answering other users’ questions. The new one awards authoring answers, as well as marking other people’s answers as helpful. Microsoft says the existing user reputation system, which had made use of points that went towards an aggregate rating (in the form of medals), will be no more.

Even though that point and medal system is going away, other existing ratings information about the posts is not, according to a Microsoft representative with whom ZDNet Asia’s sister site CNET spoke. “To ensure a smooth transition, we will be migrating existing users and the existing information about their posts (those marked as answered and helpful posts) to the new reputation system so that users who have provided helpful posts in the past will already have some reputation in the new system,” the representative said.

In other words, some longtime users with a high rating may be chagrined to find their insignia gone, but their answers will continue to get highlighted on pages, and their profiles will reflect that information.

Fujitsu’s global cloud launches in Aus

Fujitsu announced the Australian and New Zealand launch of its global cloud last week, the first region outside of Japan to be turned on for the worldwide service.

The global cloud will run in Tier III data centers around the world on Fujitsu kit and a Fujitsu version of the Xen hypervisor, and provides multinationals with a global standardised ICT infrastructure. It will also allow local companies to take advantage of international cloud resources if they so choose.

Only one Australian data center will be hosting the Fujitsu cloud, so although the service offers backup and data replication, it won’t offer a local failover service, according to Fujitsu general executive director solutions and cloud services, Cameron McNaught. However, there’s the option to failover to Singapore if desired and if the right customer came along, Fujitsu would consider putting a second global hub in Australia, he said. The service was built on 16 storage area networks, McNaught said, so that multiple storage area networks could be lost and the cloud would still be available.

Fujitsu had already been offering a local cloud service via a partnership with VMware, CA, Cisco, Symantec and Microsoft in two Sydney data centers, catering to concerns about data sovereignty from sectors such as finance and government.

“Local cloud meets the needs of our customers today,” McNaught said. “The global cloud sets the foundation for the next two to three years.”

The global cloud will be the focus of most of Fujitsu’s research and development, according to McNaught.

The company also plans to provide the Azure platform in Australia via a partnership with Microsoft sometime this year, he said.

According to McNaught, the different platforms were necessary to give customers what they needed.

“One platform was never going to [cover] it all,” he said.

The Australian roll-out of the global cloud will be followed by launches in Singapore, USA, UK and Germany.

When asked about why Australia was second in line for the global cloud roll-out, McNaught said it was due partly to where Australia was and partly to its market.

“The time zone’s a great benefit for a pilot,” he said, adding that the “depth and breadth” of Fujitsu’s client portfolio in the country was also responsible.

McNaught said the company had spent 14 months in-house building and testing the platforms from the ground up. The global cloud service uses a portal that allows users to adjust their cloud services via drag and drop, changing capacity and usage in real time.

He said that Fujitsu would never compete with Amazon on brand for cloud services, but that it would be on par for price and would add extra features and functionality.

It will be the “same underlying tech” with “better service”, he said.

Another Sydney data center is planned for Western Sydney, according to McNaught. It will be 9000 square meters, with a possible 6000-square-meter expansion–the biggest in NSW, the executive said.

Firefox 4’s last beta?

Mozilla has begun to wind down work on the next generation of its Firefox browser.

The latest release of Firefox 4 beta 12 has a few improvements to how Firefox 4 handles Flash and more stable overall performance.

One visual change has been to move hover-over links to the bottom of the window, rather than place them in the location bar as was done in the previous beta. Along with the changes to Flash handling and stability, Mozilla said in its release notes for Firefox 4 beta 12 that the browser now has better integration of add-ons with hardware acceleration support.

The company hopes that this beta will be the last, according to an updated roadmap. The release of the twelfth beta indicates that all the hard-blocker bugs, the highest-priority problems with the in-development browser, have been fixed. Barring major problems with the remaining bugs, users can expect a release candidate soon.

Google Apps plug-in injects the cloud into Office

The cloud is coming to Microsoft Office–and it’s powered by Google.

Google’s latest effort to lure business customers away from Microsoft Office to Google Apps comes in the form of a plug-in for Word, Excel and PowerPoint. The plug-in essentially syncs Office files with an online counterpart that lives in Google Docs, which allows users to always see the most recent version of a file, whether they’re viewing it in a browser, in an Office app or even on a mobile device.

That means no more e-mailing a Word document between multiple people, only to be confused about which is the most recent. It means being able to see, in real time, as your colleague updates the sales figures in your spreadsheet–while you’re working on it. It means being able to literally drop an image into your colleague’s PowerPoint presentation.

Read more of “Google Apps plug-in injects the cloud into Office, slow venom into Microsoft” at ZDNet.

Cisco axes corporate cloud e-mail

Cisco has decided to discontinue its Cisco Mail software-as-a-service product, saying customers are now interested in social collaboration and stand-alone e-mail.

Cisco Mail, which was originally launched as WebEx Mail, will be phased out to allow customers to move to alternatives, Debra Chrapaty, the company’s collaboration software general manager, said in a blog post on Tuesday.

“The product has been well received, but we’ve since learned that customers have come to view their e-mail as a mature and commoditized tool versus a long-term differentiated element of their collaboration strategy,” Chrapaty said. “We’ve also heard that customers are eager to embrace emerging collaboration tools such as social software and video.”

Read more of “Cisco axes corporate cloud email” at ZDNet UK.

Firefox 4 inches closer to release despite delays

The release candidate of Firefox 4 could be just days away despite widespread reports of delays, according to the community manager for Firefox.

The release, which had originally been scheduled for October last year but was subsequently delayed until February 2011, could be just around the corner according to a post on Twitter from Asa Dotzler, head of community for Firefox marketing projects. “From what I can tell, there are only 7 unwritten patches standing between Firefox 4 and hundreds of millions of users,” he wrote.

Last week, Christian Legnitto, the Firefox release manager at Mozilla, confirmed that the release schedule had slipped as beta 11 still had outstanding bugs. Developers have delayed building the twelfth beta until bugs that remained in the eleventh had been resolved.

Read more of “Firefox 4 inches closer to release despite delays” at ZDNet UK.

Microsoft announces plans for Kinect SDK

Microsoft announced plans to release a software development kit for its Kinect game motion controller later this spring.

In a move that was widely rumored, Microsoft said the Kinect for Windows SDK will allow third-party developers to create software titles that use a Kinect motion sensor plugged directly into a Windows PC. This noncommercial “starter version” SDK will give users access to deep Kinect system information such as audio, system application-programming interfaces, and direct control of the Kinect sensor, Microsoft said. The company also plans to release a commercial version at a later date.

“Microsoft’s investments in natural user interfaces are vital to our long-term vision of creating computers that are intuitive to use and able to do far more for us,” Craig Mundie, Microsoft’s chief research and strategy officer, said in the company’s announcement. “The fruits of these research investments are manifesting across many of our products, Kinect for Xbox 360 among them.”

Since its official launch last November, hackers have found all sorts of creative ways to put the sensor bar’s 3D imaging capabilities to good use. Among them: tweaks that turn the sensor bar into a 3D camera, allow for multitouch photo manipulation without the need for a touch screen, and make it possible to create midair 3D doodles.

Microsoft initially reacted negatively to these “hacks,” but then it seemed to warm up to the idea, explaining that the Kinect was designed to be an open platform. In response to a US$3,000 challenge last year by the open source hardware outfit Adafruit Industries to come up with a hardware hack of the Kinect, Microsoft had said it did not “condone” such behavior.

When asked at this year’s Consumer Electronics Show whether Microsoft would allow the ability to plug a Kinect into a PC, CEO Steve Ballmer said the company would formally support it at the right time, although his timing was a little vague.

Sony’s Qriocity aims to put Connect, iTunes behind

Sony wants to take back digital music from Apple.

The creator of the Walkman says it is ready to challenge iTunes, forge ahead into music streaming, and also put its doomed prior attempts to build iTunes-killers behind it.

Today, Sony unveiled a new cloud music service in the United States that will play songs on a mix of Sony devices, such as the PlayStation 3, Bravia TVs and Blu-ray Disc Home Theater system, as well as a range of Sony’s portable devices. The service is called “Music Unlimited powered by Qriocity”, and hopefully the service is less clunky than the name.

For US$10 a month, Qriocity subscribers get access to music from all four record labels and 6 million tracks. Music will be streamed from Sony’s servers to devices so users don’t have to worry about clogging hard drives and Sony won’t have to worry about building any complicated software platforms (we’ll get back to that). Qriocity scans a user’s hard drive and then provides access to songs from their media libraries, including Apple’s iTunes.

Qriocity, which Sony first touted at the IFA electronics show last September, has all the standard bells and whistles for music services today, such as a song recommendation engine. What it doesn’t have is the ability to enable users to listen while unconnected from the Web. How could the maker of the Walkman, one of the great portable music devices of all time, disregard mobile like that?

Sony’s answer to that is “wait and see”. Qriocity is just the start. This time around, Sony’s strategy for taking on iTunes is to first focus on the home. When it comes to music, that is an underserved area, Tim Schaaff, president of Sony Network Entertainment, told ZDNet Asia’s sister site CNET.

In addition to relying on a streaming service, a feature that Apple hasn’t offered yet but is expected to get into, Sony has built Qriocity on the PlayStation Network, an established digital marketplace.

“The PlayStation Network has been in the marketplace since 2006,” Schaaff said, “and has been growing customers for four years. There are 70 million accounts worldwide… It has gaming, music, movies and all kinds of e-commerce. It is a stable business, and rather than starting from scratch, we decided to leverage that.”

Is iTunes vulnerable?

That’s a much different direction than the one Sony chose for the doomed music service, Connect. In that case, Sony tried to go toe-to-toe with Apple by creating an iTunes-like media hub, and Connect became one of digital music’s all-time great Titanic stories. The effort was marked by internal bickering and turf battles, the kind of dysfunction between Sony’s content, hardware and software divisions that the company has been noted for in the Internet age.

Connect was stillborn on release, brought down by software glitches.

Sony tried to save face by keeping the service around a couple more years, before finally shutting it down.

How will Sony fare better this time against iTunes? Apple’s music service now has an almost decade-long record of thumping challengers, including MTV, Virgin, Microsoft, Yahoo, AOL and MySpace.

For starters, Qriocity is a service closely linked to Sony’s hardware, and the company has 350 million Internet-connected devices out in the wild now, Schaaff said. That means the company can enlist a legion of merchants, who sell Sony products, to help Qriocity “tell its story”, he said.

Another important factor is Sony’s timing, which, Schaaff argues, is spot on. iTunes has never appeared more vulnerable than now, said Schaaff, who once ran Apple’s QuickTime division.

The iTunes software has become an almost unbearable drain on computer power. More importantly, the public seems to have lost interest in buying downloads. Schaaff also thinks Sony is a different company than it was in 2005 when the Connect program was begun.

“I think the conditions here today are extremely different,” said Schaaff who wasn’t at Sony during the Connect debacle. “We all have the same goal and we have the full support of [Sony CEO Howard Stringer], who has given us the resources we need.”

“Maybe,” Schaaff added, “Connect taught us some important lessons.”

EU common patent system gets green light

The European Parliament has given its consent to an EU-wide patent system to be set up under “enhanced cooperation” rules, despite previous objections from Italy and Spain.

The decision means that patents filed under the single system will apply in all participating EU countries. This frees businesses from the need to file individual patents in each country, which significantly increases the cost of filing patents in the European Union.

“Currently, national patents can co-exist alongside a European patent–issued by the European Patent Office, a non-EU body–but the system is complex and expensive: a European patent can be 10 times more expensive than a comparable US patent,” the European Parliament said in a statement on Tuesday.

Read more of “MEPs give green light to common patent system” at ZDNet UK.

‘Hurt Locker’ lawyers launch US-wide copyright fight

After several setbacks, Dunlap, Grubb & Weaver, the law firm that last year filed copyright suits against thousands of accused illegal file sharers on behalf of independent filmmakers, has made good on promises to push on with the cases.

Dunlap has begun to refile lawsuits across the United States against people accused last year of pirating movies via peer-to-peer networks. To do that, Dunlap established a network of lawyers who are licensed to operate in different federal districts.

Dunlap, which also works under the name U.S. Copyright Group, made headlines last year by suing thousands in a federal court in Washington, D.C., on behalf of the makers of such films as “Far Cry” and “The Hurt Locker”, last year’s Oscar winner for Best Picture. The Washington court, however, appeared hostile to Dunlap’s strategy of filing against thousands of people from outside that jurisdiction. That’s when Dunlap changed strategy.

In the case of “Far Cry”, a film based on the popular video game, Dunlap told ZDNet Asia’s sister site CNET that lawyers working with the firm have filed complaints on behalf of the filmmakers in Massachusetts, Colorado, Minnesota and West Virginia.

“Filing in Florida in about 10 minutes,” Thomas Dunlap, one of the firm’s founders, e-mailed today. “I am driving to courthouse now, should have cases already in Illinois. We will file in California, Texas, Washington, and Oregon in the next two weeks.”

Dunlap has also begun filing lawsuits against named individuals. Records show that he filed suits in the U.S. District Court for the Southern District of West Virginia against Linaka Stein and Gina Morrison, residents of West Virginia, and Richard Ball of Virginia.

Dunlap typically offers an accused person a chance to settle out of court for a sum between US$1,500 and US$3,000. Dunlap has always said he would file lawsuits against those who refused to settle. But there were those who had their doubts. Dunlap appeared to drag his feet about starting the potentially expensive and years-long process of winning a copyright judgment against someone.

The case of Jammie Thomas-Rasset, the Minnesota mother accused by the music industry of illegal file sharing, is an example of how hard a process it can be to pursue a copyright judgment. The Thomas-Rasset case has cost the major labels millions of dollars in legal fees and the case continues to drag on.

Dunlap doesn’t appear to be bluffing anymore. His firm shows no signs of letting up.

A half-dozen people have contacted CNET since Tuesday about receiving notices from their Internet service providers informing them that Dunlap had subpoenaed their names and other information about them. Before filing a suit against someone, copyright owners must first acquire a person’s identity from his or her ISP.

Dunlap’s lawsuits gave rise to a wave of antipiracy litigation last year. Attorneys in West Virginia, Texas and California began using Dunlap’s legal strategy as a template. The porn sector was the most passionate in pursuing these cases. But the adult-filmmakers have run into trouble. A federal judge in Texas recently “severed” thousands of defendants from copyright suits filed by attorney Evan Stone on behalf of 11 copyright owners, most of them porn studios, according to a report in Ars Technica.

In 13 of Stone’s 16 suits, only a single defendant remains.

The judge in the case ruled that there wasn’t enough binding the defendants together to name them in one suit. Stone argues that the defendants “were improperly severed”. He said that to use BitTorrent, people must work together to share files.

“This isn’t over,” Stone told CNET. “There are numerous other tools for obtaining the names and addresses of pirates and we’re not going to stop until justice is served.”

In West Virginia, a federal court came to a conclusion similar to the Texas judge’s. Attorney Ken Ford had filed against thousands of people on behalf of adult-film studios but most of the defendants were also severed from those suits. The Electronic Frontier Foundation, which has led the opposition against these suits, says that they rob defendants of the ability to defend themselves. How can an individual tell their story when they’re lumped together with so many people?

Motorola Mobility buys 3LM to spur enterprise uptake

Motorola Mobility–the mobile arm of Motorola–completed a deal at the end of last year to acquire Three Laws Mobility for an undisclosed sum, the company said on Monday.

Motorola hopes that the purchase of Three Laws Mobility, better known as 3LM–which makes enterprise security software and device management products for Android handsets–will help speed up the deployment of Android devices in enterprise and governmental environments.

“The 3LM technology addresses ease-of-use, cost-of-management and security concerns for IT managers and chief information officers by making Android devices more manageable within corporate environments,” Motorola Mobility said in a statement.

Read more of “Motorola Mobility buys 3LM to spur enterprise uptake” at ZDNet UK.

At Yahoo, contextual content key for mobile devices

BARCELONA, Spain–In a mobile world, size shouldn’t matter, but context should.

That was the message from Yahoo CEO Carol Bartz as she demoed the company’s new Livestand service at the Mobile World Congress 2011 here Wednesday.

Livestand, announced last week, aggregates and personalizes all types of content for users and optimizes it for every type of device. Dubbed a “digital newsstand”, it serves up stories, information and ads based on a person’s interest and eliminates the need for publishers to create multiple versions of content for different devices.

For mobile devices, where small screen size spoils the display of content created for the PC, relevance is particularly important, Bartz said.

“The screen sizes are going to be all over the place,” she said. “The whole concept is publish once and have it available on any device.”

She demonstrated Livestand on an iPad. In contrast to Yahoo’s regular Web site which is cluttered with text, images and ads, the Livestand interface looked clean and simple. Tailored to a specific Yahoo employee helping with the demo, the site showed modules that included a surfing magazine, surf and weather forecasts, a surfboard buyer’s guide and news about sports.

Livestand automatically personalizes the content based on machine learning and human editorial oversight, which Bartz called the “secret sauce”.

Friends can share content with each other on Livestand and exchange comments on it via Facebook and Twitter.

“We at Yahoo consider that advertising is also great content,” Bartz said as the demo showed a Nike video and a sports watch ad. Later in the demo a friend’s comment popped up in real time related to the ad.

In a question-and-answer session after Bartz and three other technology CEOs gave their vision of the future of mobile computing, Intel’s Paul Otellini said there would be Intel-powered smartphones out later this year.

Meanwhile, Cisco’s John Chambers said video would be a focus for mobile in the near future, requiring service providers to beef up their network performance and management capabilities.

And SoftBank’s Masayoshi Son proudly discussed how his company’s US$20 billion purchase of Vodafone Japan in 2006 is paying off now, fueled by data demand over smartphones. But at the time he was called crazy for the move, the share price dropped, and the company lost US$1 billion every year for four years, he said. Since then mobile data traffic has grown 30 times, he said.

“People started saying mobile is no longer profitable and so on,” he said. “It was a risky bet…[but] sometimes craziness gives a good return.”

“Mobile carriers are becoming dumb pipes,” he added. “That’s the depressing reality.”

Microsoft’s on-demand CRM tool lacking but still competitive

Given that the on-demand customer relationship management (CRM) market is still evolving and nascent, Microsoft’s recently launched Dynamics CRM 2011 Online offering is expected to face competition from existing players such as Salesforce.com and Oracle.

Phil Hassey, founder of research firm CapioIT, said the market for on-demand CRM is “far from being saturated and mature” and there is “definitely an opportunity” for vendors such as Microsoft to compete strongly in this space.

The analyst said in an e-mail that while Redmond’s CRM product is “slightly lagging in key areas” compared with existing offerings from rivals such as Salesforce.com and Oracle, its differentiator is in the integration with Microsoft’s other products and deployment options.

Hassey said: “For loyal Microsoft customers, the use of Microsoft software rather than Salesforce.com, for example, is a significant step for them. The one significant differentiation for Microsoft, compared with Salesforce.com, is the opportunity for an on-premise [deployment].”

Sam Higgins, research director at ICT research and advisory firm Longhaus, agreed.

In an e-mail interview, he noted that Dynamics CRM’s integration with Office 365, formerly branded as Business Productivity Online Suite (BPOS), will continue to ensure Microsoft a place in customers’ vendor selection process.

“This latest release [of Dynamics CRM] from Microsoft will keep organizations that want to adopt a lean vendor approach to solutions very happy,” said Higgins.

Dynamics CRM 2011 Online was launched on Jan. 18 but only the SaaS product hosted by Microsoft was made available. The on-premise and third-party hosted versions will only be commercially available on Feb. 28, according to Microsoft, which said the time gap was needed to conduct extra tests to ensure the new offerings will work outside of the company’s data centers.

The option to deploy the CRM product on-premise, on-demand or via third-party hosting sites will be a key advantage for the software vendor, said Adrian Johnston, Microsoft’s Dynamics Asia general manager.

He told ZDNet Asia in a phone interview that while Salesforce.com offers its CRM suite only as a third-party hosted option, Microsoft is able to offer its product on a hosted platform as well as through on-premise, internal deployments and software-as-a-service (SaaS).

Elaborating on rival Oracle’s Siebel CRM offering, which mirrors Redmond’s deployment options, Johnston noted that the competing product runs on different code bases when deployed on-premise and over a cloud, putting Oracle at a disadvantage.

Thus, customers that want to pilot the software on-premise or through SaaS within a specific market, before deploying it across multiple markets, for example, cannot do so “easily” using Oracle’s products compared to Microsoft’s, he said.

Oracle was unable to reply to ZDNet Asia’s questions at time of post.

Higgins said price will also be a key sway factor, pointing to Microsoft’s “aggressive approach to cloud pricing”. The analyst noted that for customers that may have found the pricing of both Salesforce.com and Oracle to be out of their reach, Redmond’s offering will be “highly attractive”.

As part of Dynamics CRM 2011 Online’s initial launch, Microsoft said it cut the software price-tag from US$44 to US$34 per user per month. Last December, it also announced that companies–with 15 to 250 employees–migrating from rival platforms will be given US$200 for every user involved in the move.

“We expect that not only will this increase the adoption of Dynamics CRM but, in some cases, we’ll see migration away from Salesforce.com,” Higgins noted. He added that some customers see the SaaS vendor as “over-complicating” its business model by moving from a CRM vendor to a platform-as-a-service operator.

Quizzed on this, Peter Coffee, vice president and head of platform research at Salesforce.com, disagreed. He told ZDNet Asia in an e-mail that its customers “love the power” they get from the Force.com platform, which is at the heart of all its applications.

The ease-of-use on the platform to tailor “rich applications” according to customers’ needs, mostly with “clicks rather than code”, also brings more employees onto the platform and encourages company-wide collaboration, Coffee added. “The proven, trusted Force.com platform lets ‘citizen developers’ in business units create and deploy collaborative custom apps quickly without buying hardware or installing software. Our PaaS offering is the ultimate Salesforce CRM feature.”

He also dismissed Microsoft’s first foray into cloud-based CRM, saying that it is a “snapshot of history”.

“Microsoft still bases its CRM on PCs and laptops, with the Outlook client model that’s older than the Web. Microsoft is giving its customers a snapshot of history, not a real-time app for today’s social, mobile and open world,” he said.

Microsoft can fend off mobile, cloud competition

Competing vendors have been intensifying their efforts to claim a portion of the enterprise software pie long dominated by Microsoft, with Google and Oracle betting on mobile and cloud computing to advance their cause. Analysts reckon Redmond is doing well to defend its turf but say the software giant will need to find ways to better monetize its existing Windows and Office products.

Duncan Jones, principal analyst of sourcing and vendor management at Forrester Research, noted that because of its long-term dominance over the PC market, Microsoft was unable to react quickly to “real competition” from cloud-based vendors. As such, he said rivals Google and Oracle have been touting their Web-based office productivity tools and operating systems (OSes) to try and wrest market share from the market leader.

Google, for instance, announced in October last year that it is riding on telco partnerships to better penetrate the enterprise market. It added that Google Apps had been deployed to 3 million business users and over 30 million end-users. Dave Girouard, president of Google’s enterprise division, even suggested in November 2009 that firms can get rid of Microsoft’s Office in a year’s time.

That scenario, though, has yet to materialize.

Meanwhile, Oracle unveiled its Cloud 1.0 product–a cloud-based version of its OpenOffice product that it inherited from its Sun Microsystems acquisition–in December last year which targeted Web and mobile users.

However, Jones said these alternative offerings will not “truly rival” Redmond’s Office suite, noting in an e-mail interview that Office’s dominant position “looks unlikely” to be under threat any time soon.

According to Microsoft Asia-Pacific COO Andrew Pickup, the company will respond to these cloud-based competitors with its free, online-based Office Web Apps, which will be rolled out to users next month.

Pickup told ZDNet Asia in an e-mail: “Consider that in just over six months after [the beta version of] Office Web Apps were introduced, more than 30 million people used it to view, edit and share Office documents from anywhere. The Office Web Apps are a key piece of Microsoft’s overall cloud strategy, and we are very pleased with the speed and efficiency by which we are able to offer it to the entire world.”

Windows slow to mobile fight

Microsoft’s Windows OS business, however, might come under more pressure from Google to further transform. Bloomberg had reported in January that a shortfall in Windows revenue in Redmond’s second-quarter revenue results dampened the company’s better-than-expected overall market performance.

Tony Ursillo, an analyst at Loomis Sayles & Co., said in the report: “The stock has gotten very little credit for it because the market is worried about the continued erosion of the Windows franchise and the potential erosion of the Office franchise.”

Microsoft CFO Peter Klein added that the company did see a “small impact” from tablets and other types of computing devices, though it was “not material”.

Archrival Google has a significantly stronger presence in the mobile computing space with its Android mobile OS. Research firm Canalys unveiled the platform’s dominance when it reported this month that shipment of Android-powered smartphones overtook Symbian-based devices in the fourth quarter of 2010.

Furthermore, the Android 3.0 Honeycomb OS is also prepped to corner the tablet device segment as vendors such as Motorola and Samsung, among others, are in the midst of releasing devices powered by the latest iteration of the Google mobile OS.

Its Chrome OS browser-based system, which is aimed at migrating enterprises from on-premise, client-based deployments to a purely cloud-based one, is also seen as another potential threat to Redmond’s Windows OS and server business.

However, Matt Healey, program director of software and services at IDC Asia-Pacific, reckoned that while it is “a bit late” into the game, Microsoft is heading in the right direction.

“Its announcement that the next version of Windows will run on ARM-based processors was a good step forward,” Healey explained in his e-mail. “It enables them to participate in the growing [mobile computing] market.”

The software vendor is aiming to create smaller, thinner Windows tablets with better battery life, according to a Bloomberg report.

Pickup also cited the Windows Phone 7 OS as a platform that is aimed at placing Microsoft strongly in the mobile arena. He noted that as consumers are doing more work on mobile devices, the Windows Phone 7 software is developed to help them do more in fewer steps.

Combined with Office, the platform offers “greater productivity than we’ve seen on smartphones before”, he added.

According to Forrester’s Jones, Microsoft’s licensing practices will stand well amid the mobile computing trend, which the analyst said was “no threat to Office at all”.

He noted that the software vendor sells Office licenses per device, not per user. So, as personal productivity tasks extend to mobile devices, this would mean more revenue for the software giant as companies will have to buy licenses for multiple devices, he added.

Battling against customer inertia
The “real threat” to Microsoft’s Office and Windows business lines, instead, is that consumers are so content with the current product that they see no need to keep upgrading.

Elaborating, Jones said Microsoft is caught between serving its retail and business customers. For the former, Redmond aims for a big release every few years to stimulate new sales, like it saw with the launch of Windows 7 in December 2009 and later with Office 2010.

In comparison, enterprise customers want more functionality for their software in between large, disruptive upgrades, so Microsoft will have to find a way to ensure steady revenue streams, the analyst said.

Office 365, formerly branded as Business Productivity Online Standard (BPOS), is therefore important to Microsoft for two reasons, Jones surmised. Depending on the plan customers sign up for, the software suite would include both the free and full-functioned Office product with other features such as SharePoint, Exchange Online and Office Communications Online. This will allow users with multiple devices to just pay once, he said.

Microsoft can then release updates to these products more frequently and in smaller increments to justify a regular revenue stream from its business customers, he noted.

“Google [and other potential rivals] aren’t nearly as big a threat [to Microsoft] as inertia is,” Jones said.

Schmidt: HTML5 to drive app development

BARCELONA–The latest revision of the HTML programming language will likely become a standard for building applications running on both the mobile and desktop platforms, benefiting the developer community, says Google CEO Eric Schmidt.

In his keynote address here Tuesday at the Mobile World Congress, Schmidt said: “It looks to me like HTML5 will eventually become a way almost all applications are built, including those on new phones. There are some features missing but it’s getting there.”

HTML5 took 20 years to be established due to the need for the underlying Web standard to aggregate its capability and evolve onto the proprietary Apple Mac and Microsoft Windows API (application programming interface), he explained.

Lacking social media coherence

There was “nothing new” in Eric Schmidt’s address at the Mobile World Congress, and the Google CEO did not say how the company plans to monetize its social media offerings, according to Eden Zoller, principal analyst at Ovum.

Schmidt’s keynote, he observed, was “big on vision and quotes, but low on any exciting announcements”, save for a demo of a new video editing service for tablets which did not work.

“There was a nod to cloud services, but nothing new,” said Zoller. “There was also no mention of how Google will or could bring coherence to its currently fragmented social media strategy, a weak spot in Google’s armory, especially given the importance of social media as an advertising platform.”

“Given Google’s push on mobile location based services, it seems a lost opportunity not to leverage this in ways that exploit social commerce, an advertising revenue that Schmidt acknowledged was important,” he added.

With all operating vendors, including those with proprietary API, adding in HTML5 standards on their systems, he said there is now “every reason to believe that eventually–meaning some years from now”, many applications will ride on HTML5 in a mobile and non-mobile form.

Resolving Android fragmentation
Schmidt, who will be stepping down as Google CEO in April, went on to discuss the company’s efforts in addressing the fragmentation of its Android mobile platform as well as the progress of the Chrome OS.

He acknowledged that fragmentation is an issue for Android programmers who want their apps to run smoothly on multiple devices. He said Google attempts to establish minimum functionality guidelines based on the Open Handset Alliance specifications, to allow for common applications in new Android-powered devices.

He added that the company’s anti-fragmentation clause instructs phonemakers to track the platform’s API and include mandatory Android interfaces.

Schmidt believes the Android Market will also provide the “carrot” to entice developers to upgrade their apps to support changes to the platform and not deviate too far, so as to avoid having their apps dropped from the app store.

He added that operators will not want to operate in an environment that is fragmented, and this would further motivate device makers to update new Android releases on their phones–specifically, Android 2.3, also called Gingerbread. He said the new release will help smooth over differences.

“We’ve released Gingerbread, which in a month or two everybody will upgrade to,” Schmidt said. “At that point, everybody will be on a common platform which should address a lot of your concerns.”

Elaborating on Chrome, he noted that the OS is currently targeted at netbooks and devices with keyboards. He added that there are no plans yet to merge Android and Chrome, but the company is “working overtime” to achieve this.

“I learnt a long time ago: Don’t force technology to merge when it’s not ready,” he said.

Intel unveils MeeGo tablet interface

Intel has shown off a developer preview of the tablet user interface for its MeeGo Linux operating system at Mobile World Congress in Barcelona.

At the same time on Monday, the company also addressed Nokia’s withdrawal from the long-term development of MeeGo for mobile phones, with software and services chief Renee James saying the company was “disappointed” with its Finnish partner.

The user interface (UI) is based on dynamic panels and does not resemble the netbook variant of MeeGo–the only version to be shown off so far on a mobile computing device. The tablet UI was demonstrated by Intel’s systems software chief Doug Fisher, who said it was “centralized around the user…rather than applications”.

Read more of “Intel unveils MeeGo tablet interface” at ZDNet UK.

Adobe: Flash shipped on 20 million handsets

Flash Player 10.1 has been installed on more than 20 million handsets in the six months since its launch, Adobe has said, as it outlined its plans for its mobile runtimes.

Adobe, which has seen Flash banned from iPhones and iPads by Apple chief executive Steve Jobs, talked about its plans for Flash and AIR at the Mobile World Congress trade show in Barcelona on Monday. Anup Murarka, Adobe’s director of technology strategy and partner development, said that the company is pleased with Flash’s mobile growth.

“There’s been over 100 percent year-on-year growth in the amount of video streamed by Flash, with over 120 petabytes a month used by both desktop and mobile,” Murarka told ZDNet Asia’s sister site ZDNet UK in a phone briefing.

Read more of “Adobe: Flash shipped on 20 million handsets” at ZDNet UK.

Apple overhauling iPhone notification system?

To cap off last week, which was chock-full of Apple-related rumors, we now have this: is Apple about to acquire a company in the process of giving its iOS notifications system a major makeover?

Apple blog Cult of Mac says it’s hearing exactly that from a source, who is not named. The company Apple is allegedly buying isn’t confirmed in the report, but is said to be “small” and currently has an application available for sale in the iOS App Store.

Now that would describe about a thousand companies. But there aren’t that many that do slick notification apps. Cult of Mac has zeroed in on App Remix, the company that makes the app called Boxcar.

Boxcar pools all of your social media feeds and delivers your notifications from each into one app. App Remix’s CEO apparently had “no comment” on Cult of Mac’s query as to whether Apple plans on making the company an offer.

Apple’s own notification system isn’t regarded as the most stellar implementation. The original iPhone actually shipped without any real push notification system for third-party apps. It took Apple three iterations of the iPhone’s software before it found a system it liked.

But the system employed in Palm’s original Pre smartphone featuring WebOS is still roundly praised as the best in the business. Hewlett-Packard (HP), of course, owns WebOS now and recently introduced the software on several new phones and a tablet.

The man who invented the WebOS notification system, Rich Dellinger, actually quit Palm just after the HP acquisition last year to return to his former employer, Apple. The rumor mill heated up then that iOS’ notifications were in for a big change, but nothing more has come of that–at least not yet.

Apple updates its iOS software on a yearly basis, usually in June, and there’s a preview event usually around March to see what will be in the next version, in this case iOS 5. It’s possible we could see a new push notification process included in the next big software update for the iPhone, iPod Touch, and iPad.

Will mobile vertical apps be compelling?

Applications for specific industries are on the cusp of a new wave–with the rise of smartphone usage, many vertical apps are becoming linked to the mobile phone or beginning to resemble a mobile app. Experts, however, say such apps need specific requirements to be viable.

In a blog post last year discussing the possibility of customizing one’s car with apps, CNBC correspondent Phil LeBeau cited examples such as downloading an app for a car to make a certain sound when the engine is started.

A separate article on EzineArticles.com noted that cars are being fitted with technologies that, for instance, allow drivers to check e-mail messages and social media updates while on the road.

Some experts ZDNet Asia contacted say vertical apps are not a fad, but cautioned on their sustainability.

Ovum’s senior consultant Craig Skinner said in an e-mail interview that apps for verticals such as health and government are also well-positioned for strong development and usage.

According to him, some of the healthcare apps that are being developed or already in use include patient information access and health monitoring, which in some cases connect to external monitoring devices to measure blood sugar levels or heart rate. Such information is then fed back to the local healthcare provider.

Other “innovative” vertical apps include maintenance reporting apps for citizens to report about local issues that need repairs or maintenance work, as well as reminders for estate payments and library due dates, he said.

Similarly, Ashwin Palaparthi, vice president of innovation at AppLabs, thinks that micropayment apps for financial services will see long-term sustainable success.

However, Saverio Romeo, Frost and Sullivan’s senior industry analyst for ICT, expressed skepticism on the viability of vertical-specific apps.

“Do developers make substantial revenues from this model?” he questioned, pointing out that while some apps are profitable, many others are not. For this reason, it is “not safe to say” that app development will be sustainable in the long run, he added in an e-mail.

Romeo also cast doubts over some types of apps. While he called apps for transportation “interesting”, he said those that cater to the publishing, fashion, and tourism industries are driven by the growing popularity of tablets.

First-time success critical
According to AppLabs’ Palaparthi, “first time success” is a critical factor for apps to thrive. “If any newly launched mobile application has glitches in its first release, consumers will never touch it again, no matter the usage of the application.

“So, there is every chance for properly tested apps to become a huge success and…[achieve] long-term adoption,” he said in an e-mail.

Frost & Sullivan’s Romeo explained that the “unseen” ecosystem and mechanics behind an app, such as distribution platforms and compatibility of devices, are more crucial for sustainability.

“There is not much evidence that allows us to say that greater adoption will happen [in a particular industry] rather than in another industry,” he said. “The stores are a distribution tool of content and engagement with customers and the various industries will use it.”

Trends associated with mobile Web and cloud computing will also affect adoption, he added.

Ovum’s Skinner added that for apps to enjoy widespread usage, there must be “large multiplier factors across organizational boundaries that align well with scale advantages”, instead of the traditional one-to-one sales and support processes.

Wide coverage with iOS and Android
Given that Apple’s iOS and Google’s Android are currently the most popular, Skinner said developers developing mobile vertical apps will be concentrating on these two mobile operating systems.

“These platforms allow easy distribution and installation of the apps and provide a wide coverage of the market,” he noted. “While there are other platforms still covering a reasonable share of the devices, they are not attracting the same level of attention from the developer community.”

Romeo said greater uniformity should be the way forward, as there are currently too many platforms in the market. He said this can be done through various approaches, such as cooperation among the different players or moving toward the mobile Web.

When quizzed if the app developer market can start to evolve into a lucrative industry, he expressed reservations, but agreed that apps moving into vertical industries are an interesting development.

Skinner, on the other hand, felt that the app industry is growing rapidly.

“The value of the app comes from the additional sales that it facilitates, rather than from the revenue of the actual sale of the application.”

Yahoo launches tablet-focused ‘digital newsstand’

Yahoo announced a product Friday called “Livestand”, an app for tablet and mobile devices that will start as a personalized browsing tool for Yahoo-owned content and, in the future, possibly external content as well. Powering it is technology that Yahoo envisions as a way for both publishers and advertisers to easily reach tablet and smartphone users.

At launch, Livestand will feature content from Yahoo Sports, Yahoo News, Flickr, celebrity gossip site OMG, and the Yahoo Contributor Network (fueled by media from Associated Content, the freelance clearinghouse that Yahoo acquired last year). The content will be customized based on user preference, as well as time of the day and location–say, local news and weather reports. Advertisements, according to a release, will be “magazine-style”. Livestand will first be available as Android and iPad tablet apps in the next few months, followed by a browser-based version and smartphone apps.

Livestand will also be the centerpiece of a talk that CEO Carol Bartz, whose attempt to turn around the flagging tech company has been heavily criticized, will make at the Mobile World Congress conference in Barcelona later this month.

Last fall, Yahoo partnered with coffee chain Starbucks on a tablet-optimized landing page accessible only from Starbucks stores and powered by Yahoo content and technology. Livestand, with its local targeting and slick interface, has somewhat of the same feel. Tablet-based publications have been all the rage since the debut of the iPad a year ago, with recent months seeing the emergence of tablet-only news publications like News Corp.’s The Daily and lifestyle magazines like Virgin Group’s Project. But what Yahoo has built, and is initially fueling with its own content, is a visual news reader–a concept that has been popularized by the likes of Flipboard, a start-up that turns RSS feeds and Twitter streams into a magazine-like interface.

The real test for this new product will be whether additional content partners–say, magazine publishers and newspapers–choose to jump on board when Yahoo opens the gates.

Google seeks to unlock Android 3.0 hardware power

An interface coming with the forthcoming Honeycomb version of Android will open up a new ability for programmers who want to tap into hardware power unlocked by low-level programming.

The new interface is called Renderscript, said R. Jason Sams, an Android performance and graphics programmer at Google. He didn’t say so in so many words, but the goal for the feature has to be better games on Android. It’s a broader feature, though: it’s used in Honeycomb’s YouTube and Books apps.

“The target audience is the set of developers looking to maximize the performance of their applications and are comfortable working closer to the metal to achieve this,” Sams said in a blog post Thursday. “The target use is for performance-critical code segments where the needs exceed the abilities of the existing APIs.”

To that end, Renderscript exposes two hardware-accelerated interfaces, one for rendering 3D graphics and one for power-efficient computing operations. To use it, Renderscript relies on a variant of the C99 version of the C programming language. And the Renderscript plumbing that comes along with Honeycomb, aka Android 3.0, makes the decisions about whether to run the computing jobs on regular or graphics processors.

The Native Developer Kit Google offers for Android already lets programmers directly access low-level hardware features. Renderscript has an important difference, though: it’s cross-platform. Instead of coming with software coded just for a specific chip, it comes with scripts that are compiled into an intermediate format that is then translated for a specific device only when it runs.

One example of Renderscript in action is a physics simulation of 900 particles interacting with each other and with simulated gravity from a tilting Honeycomb tablet with a dual-core processor.

HP dangles developer carrot with WebOS PCs

Sometimes it’s easier to compete by giving the world no option but to deal with you. By declaring its intention to use WebOS in its biggest selling and most well-known product line, Hewlett-Packard (HP) is doing just that.

Almost two hours into an event ostensibly scheduled to reveal HP’s new smartphones along with the TouchPad tablet, HP Executive Vice President Todd Bradley dropped a bit of a stunner. HP has long said since acquiring Palm that it planned to use WebOS in a variety of devices, but until today few realized it intended to drive the software into its PC lineup.

“I’m excited to announce our plans to bring the WebOS to the device that has the biggest reach of all: the personal computer,” Bradley said. And with that, many in the tech industry stopped wondering whether the TouchPad was really good enough to compete with the iPad and started wondering about how the world has been changed.

Already this year Microsoft has announced that Windows will run on ARM chips, which power the mobile world. And now HP is willing to risk alienating one of its oldest and closest partners by emphasizing its own software in hopes of creating a world in which software developers have no choice but to put WebOS near the top of their to-do lists.

If we were talking about just smartphones and tablets, it’s not clear consumers and developers saw enough Wednesday to take such a step. Even after the event, vital details about the newest generation of WebOS smartphones and the company’s first tablet are still glaringly scarce.

Perhaps most importantly, we have no idea how much the Veer, Pre 3, and TouchPad will cost. And besides that, shipping dates for the products were very vague, listed by the season rather than by the month and likely to arrive after next-generation products from Apple and from Google partners start to hit stores.

But HP has one very strong ace in the hole: the world’s most popular PC brand. If HP does manage to ship PCs in volume with WebOS, those software developers will suddenly have a huge potential market to address with their applications. HP sold nearly 63 million PCs during 2010.

Of course, such a switch won’t happen overnight and almost certainly won’t involve numbers on that large a scale for quite some time, if ever. In a brief interview after HP’s event, Phil McKinney, vice president and chief technology officer for HP’s personal systems group, said it’s likely that the first WebOS-based PCs will run WebOS atop Windows 7. He didn’t rule out the prospect of WebOS-only PCs, but he had nothing in the way of even basic details to share.

All the hedging aside, the announcement sends a clear signal. As Fortune’s Michael Copeland pointed out, HP doesn’t think it needs to rely on Microsoft to sell PCs anymore.

Microsoft was polite in response to HP’s event. “HP is a valued Microsoft partner, and we continue to work closely with them on many new products that bring great experiences to our mutual customers,” the company said in a statement.

However, it was obvious after HP bought Palm for $1.2 billion that it was moving away from Microsoft’s mobile operating system road map. It just wasn’t as clear that HP was prepared to slight Microsoft when it came to both companies’ flagship products as well, and no matter what combination HP chooses to use of WebOS and Windows 7 on its PCs, few would be surprised if it promoted its own software rather prominently.

And that, in turn, may encourage more and more people to think about alternative PCs running WebOS that aren’t quite tablets but don’t look like your father’s desktop tower either. An easy example would be HP’s Touchsmart PC, which one could easily see running WebOS as a kitchen-counter computer or in the lobby of a design firm.

If it all works out, HP will have given software developers millions of reasons to take it seriously. To be clear, this is not a long-term strategy: PC growth is anemic, smartphones are already outshipping PCs, and tablet growth is expected by most people in this industry to soar over the next few years.

HP will have to be competitive in smartphones and tablets to remain a force in the personal computing market, and its development teams in those categories need to pick up the pace to even stay abreast of Apple and Google. Still, it will be hard for competitors to match HP’s potential reach across the world’s computing markets if WebOS tablets, smartphones, and PCs prove popular.

At some point there will no longer be enough software development energy to support six different mobile operating systems. If Nokia really does throw in the towel later this week and embrace Windows Phone 7, we’ll be down to five.

WebOS has been an underdog in this fight for quite some time. But developers understand volume, and WebOS PCs could represent quite a lot of that.

Flash 10.2 arrives with more efficient video

Adobe Systems released Flash Player 10.2 on Wednesday, bringing a technology called Stage Video designed to be easier on computing devices’ processors and therefore batteries.

Tom Nguyen, product manager for Flash platform runtimes, offered this glowing account for the Flash Player 10.2 announcement:

Stage Video lets websites take advantage of full hardware acceleration of the entire video pipeline…Stage Video hardware acceleration means that Flash Player can play even higher quality video while using dramatically less processing power, giving users a better experience, greater performance, and longer battery life. In our testing across supported systems, we’ve found it’s up to 34 times more efficient.

Put another way, Flash Player using Stage Video can effortlessly play beautiful 1080p HD video with just 1 to 15 percent CPU usage on a common Mac or Windows computer…Many millions of additional PCs, from Netbooks to desktops, can now become slick HD home theaters on the Web.

CPU usage during video has been a particular sore spot for Flash, with Apple Chief Executive Steve Jobs lambasting Flash video as battery-sucking software. Stage Video, among other things, uses hardware acceleration to combine (“composite”, in technical terms) video with other elements such as text or graphics–think subtitles, pop-up ads, and player controls. (Adobe already added hardware-assisted decoding of H.264 video in Flash Player 10.1.)

Web developers need to update their software to use the new Stage Video interface; Flash evangelist Lee Brimelow offers a tutorial for those interested in how to do so. Google has already done so for its Flash-based player at YouTube, Adobe said.

Speaking of hardware acceleration, Flash Player 10.2 also takes advantage of that ability in Microsoft’s Internet Explorer 9 for higher performance and smoother compositing. It also comes with the ability to show full-screen video on one monitor in a dual-monitor setup.

Flash faces a host of challenges beyond power consumption. Also on the list are a variety of competing Web standards in varying degrees of maturity and the fact that Flash Player is a rarity on mobile phones.

The Flash Player 10.2 plug-in can be downloaded from Adobe’s download site, but things are somewhat different for users of Google’s Chrome browser. Google builds Flash Player directly into Chrome and it issued a new stable version 9.0.597.94 and developer version 10.0.648.45 with Flash Player 10.2; the new versions download automatically and are installed upon restarting the browser.

Manufacturers get Windows 7 service pack

Microsoft said today that it had sent the first service pack for Windows 7 and Windows Server 2008 R2 to original equipment manufacturers, with a consumer release to follow later this month.

The news comes several weeks after Microsoft’s Russian Windows localization team had reported the update as being finalized from its first and only release candidate, and released to manufacturers.

Microsoft says the update will go out to consumers through Windows Update on Feb. 22. TechNet subscribers and Microsoft’s volume license customers will get their hands on it a week earlier, on Feb. 16.

SP1 includes an updated version of Microsoft’s remote desktop client, alongside a round of hot fixes, and dynamic memory support for Hyper-V in Windows Server 2008 R2.

On the company’s server team blog, Michael Kleef, who is a senior technical product manager on the team, said that the dynamic memory feature alone has made a dramatic increase in machine density within the company’s testing:

Dynamic Memory lets you increase virtual machine density with the resources you already have–without sacrificing performance or scalability. In our lab testing, with Windows 7 SP1 as the guest operating system in a Virtual Desktop Infrastructure (VDI) scenario, we have seen a 40 percent increase in density from Windows Server 2008 R2 RTM to SP1. We achieved this increase simply by enabling Dynamic Memory.

Kleef goes on to praise the new RemoteFX technology that’s included with SP1, which virtualizes the graphical processing unit on the server instead of on local hardware. This means thin-client machines can run more graphically intensive applications on hardware that wouldn’t otherwise support it, which as a side effect can cut down on electricity used by those machines.

“Together, these technologies will drive down the end-point cost and reduce end-point power consumption to as little as a few watts,” Kleef said.

Microsoft rolled out the first beta of SP1 back in July, with its first and only release candidate appearing in late October.

S’pore startup aims to be ‘Robin Hood’ to app developers

Singapore startup MobileApps.com is eyeing a share of the apps marketplace pie by positioning itself as a multi-platform app wholesale market, allowing developers to take home 95 percent of each app sold and promising to improve the app discovery process, according to the company’s co-founder.

Alvin Koay, co-founder and CEO of MobileApps.com, said that there are app marketplaces “popping up all over the place” today trying to make money off the ongoing app craze. To differentiate its Web site, which is named after the company, it is looking to become the “Robin Hood” for app developers, he told ZDNet Asia in a phone interview.

MobileApps.com was incorporated in Singapore in December 2010, although its office is currently based in Malaysia to “lower operating costs”.

To live up to its “Robin Hood” tag, Koay identified two main thrusts to its marketing strategy: Increasing developers’ share of the revenue as well as improving the app discovery process, which would aid the download process for users. The app marketplace would also be platform-agnostic and bring together apps that run on various operating systems such as Apple’s iOS, Google’s Android and Microsoft’s Windows Phone 7, for example, he said.

Developers earn more
According to Koay, developers who publish their apps on MobileApps.com would receive a 95 percent cut of the revenue. This compares favorably with other notable app stores such as Apple’s App Store, Google’s Android Market and Research In Motion’s BlackBerry App World, all of which allocate only 70 percent of proceeds to developers, he noted.

He explained that the 5 percent MobileApps.com pockets from each app sale is used primarily to cover administrative and credit card processing costs.

To monetize the business, MobileApps.com will be relying on its proprietary algorithm, Koay said. The algorithm will be able to recommend apps that are specific to, for example, industries, country and audience.

In turn, the algorithm is incorporated into a “smart widget” that will be made available for free to all Web publishers, which will subsequently get a cut of the advertising fees generated from app developers who publish their apps within the widget, he added.

Elaborating, he said that the advertising model will be CPM-based (cost per thousand impressions) although developers currently do not need to pay for page views (PVs). Revenue will be generated when developers “jostle for positions” on the widget, which is paginated. Developers who pay more will be placed prominently on the front page of the widget, he explained.

“We believe that the market will correct itself and developers will see the value in paying for better placement in our widget, thus increasing our advertising revenue,” said Koay.

Web publishers will get 60 percent to 70 percent of the advertising fees paid by developers while MobileApps.com will take the remaining 30 percent to 40 percent, the CEO said.

To encourage take-up and build awareness of its brand among prominent Web sites and bloggers, Web publishers that place the widget on their sites will receive 100 percent of the advertising fees collected for the first three months, he added.

Solving app discovery challenge
MobileApps.com is also starting to talk to Android and iPhone blog sites and online communities about its widget, and Koay expressed confidence that the company’s offering will take off.

“We will be providing free, targeted content for Web publishers to put up on their site and they will be paid for it–it’s a win-win situation for site operators and bloggers,” he said.

The entrepreneur also hopes that advertising apps via the widget on various online communities will solve the app discovery problem that persists in many existing app markets today.

Furthermore, MobileApps.com is looking to localized content to grow its presence within selected markets. Koay said it has partners in Japan and Jordan to “replicate” its app marketplace, and is in the midst of looking for partners in South Korea and China.

In Jordan, for instance, he said its partner is translating existing apps into Arabic and is fostering an active developer community there, too.

Both the widget and app marketplace are not yet available but Koay is expecting the widget to be launched in a month’s time. MobileApps.com is still looking to populate the marketplace and once there is a critical mass of apps available for consumers, it will be made public too, he added.

“We know that we have to create something special in order to stand out from the rest of our competitors and we believe that with our business strategy of giving developers a bigger cut of the revenue and improving app discovery, we will disrupt the current app market model and make our mark,” said Koay.

Chrome OS delay a ‘good marketing decision’

Instead of pitching another operating system (OS) into the nascent mobile computing space dominated by its Android OS and Apple’s iOS, Google’s decision to delay the launch of Chrome OS-powered devices has been lauded by analysts.

Matthew Cheung, principal analyst at Gartner, said that compared to 18 months ago when traditional PC makers were constantly talking up netbooks and how the form factor was all the rage, today’s consumers demand tablet devices manufactured by both PC and mobile phone makers alike. To capitalize on this, Google has unveiled its tablet-optimized Android OS 3.0, codenamed Honeycomb, to corner this market, he noted in an e-mail.

He also reckoned this trend of computing mobility and connectivity via tablets will continue for some time yet, which means the delayed launch of Chrome OS-based devices is a “good market decision” and not a negative sign.

Chrome OS is a browser-based system that does not tax the device in terms of battery life, allows for extremely fast boot-up times and provides security with no local data or locally installed applications. Google had pushed back its projected launch date for the OS from late-2010 to mid-2011.

Waiting for right moment
“The delay of Chrome OS-enabled PCs will make the platform more relevant to the market [once it is launched] but is not detrimental to its long-term objective,” Cheung said.

Daryl Chiam, senior analyst at Canalys, concurred. In a phone interview, he told ZDNet Asia that Chrome OS has “a lot of work to do” to live up to its hype. A seamless user experience that syncs between one’s online and offline world, in particular, needs to be nailed down before the platform is released, which could be why Google delayed its launch, he speculated.

Furthermore, he cited the fragmented Android app ecosystem where there are multiple app marketplaces as a cautionary tale for Chrome OS. Chiam said that while there are some people who like the openness and choice afforded by the open Android ecosystem, most users prefer to flock to a de facto app store with a simple-to-understand payment model.

Developers, too, would be more prepared to develop for Chrome OS once Google improves on its Checkout payment mechanism, he noted.

Google appears to be heading in that direction, as its Chrome Web Store released in December 2010 is currently the only platform serving up Chrome OS-based Web apps.

The search giant has, in the meantime, made available a number of Chrome OS-powered notebooks to companies and individual users that had been accepted into its pilot program to generate interest and momentum.

Identifying Chrome’s potential
Yet, Chrome OS is not without its naysayers. An earlier report by ZDNet Asia’s sister site CNET called into question the relevance of devices powered by Chrome OS in the hardware scene of 2011. According to the report, the tablet device is here to stay and device makers focused on challenging Apple’s primacy in the tablet market are committed to adopting Android, not Chrome, as their main operating system.

Malik Kamal-Saadi, principal analyst at Informa Telecoms & Media, however, begged to differ. He said in an e-mail that Chrome OS “has never been meant for mobile devices but designed to compete with existing desktop OSes and to work atop advanced CPUs”.

Like Cheung, Kamal-Saadi noted that Honeycomb is the OS Google is using to target the portable multimedia devices such as tablets and smartbooks, which in turn eliminates the need for Chrome OS in this market segment.

Chrome OS, meanwhile, could potentially be a good contender to Microsoft Windows and Apple’s Mac OS X in the notebook and netbook arenas, he noted. Both Redmond and Cupertino’s offerings are desktop-centric OSes that “does not have connectivity in their DNA” and the majority of apps developed for these OSes are native while Web apps are browser-based and make use of plug-ins to access hardware resources, the analyst added.

On the other hand, Google’s browser-based framework is designed to provide natural support to the connected Web environment today’s consumers live in, Kamal-Saadi said.

“As computing is increasingly evolving toward the cloud, [the] Web and connectivity will become essential in the way apps are designed and distributed,” he noted. “This trend will make legacy OSes [such as Windows and Mac OS X] less successful…[while] Chrome OS is well-positioned to fight in this new environment.”

The analyst also acknowledged that the Web as a development environment and cloud computing are still in their “embryonic development stage”, which allows Google plenty of time to tweak and improve its Chrome OS to align the platform with market developments. Chrome OS, predicted Kamal-Saadi, will “unlikely be ready for market adoption before 2012”.

For its part, Microsoft is not taking the threat Chrome OS could pose to its existing Windows business lightly. In January, Microsoft CEO Steve Ballmer announced that the next version of Windows will be available on ARM chip architecture.

ARM-based chips are used in the majority of mobile devices such as Apple’s iPad and various smartphones, and Redmond’s decision to adopt the architecture signals its intentions to compete strongly in the mobile computing space in the near future.

Microsoft to make Outlook easier to touch

A Microsoft job posting has provided clues into Microsoft’s strategy to make its Office Web applications more friendly to touch-screen devices.

A listing that went up over the weekend for a software development engineer touts some of the successes of Microsoft’s Outlook Web App (OWA), saying it has “made a huge difference in the daily lives of millions of users all over the world” but that the company is looking for someone to take OWA to “the next level” with a “next generation” client. That client would be for both the desktop and “the latest mobile and slate devices”, the listing said.

OWA can currently be accessed via standard Web browsers but lacks some finger-friendly UI tweaks and gesture identifiers that competitors have packed into their mobile HTML clients. Google and Yahoo in particular have put out two-pane Web e-mail sites that work on devices like Apple’s iPad without the need for a native client application. Microsoft does something similar with its Hotmail service by offering users a simplified version of their in-boxes, but the company has not brought such changes to the latest version of OWA.

Along with the discussion about making OWA work better across devices, the listing goes into some detail about plans to help people “manage meetings, appointments, and tasks”. All three of those items are addressed in the current version of Microsoft’s Outlook platform; however, this would suggest that Microsoft is at work on alternate means for those tasks to be handled–be it inside the app, or by way of a new standalone application in the same vein as the company’s Lync communications platform.

That Microsoft would be aiming to make its own Web services more friendly to as many platforms as possible should not be a surprise to anyone, especially given the last several years of product launches. Besides talking up the importance of HTML5 as part of the latest version of Internet Explorer, the company has attempted to make the Web-based versions of its Office applications work on as many browsers as possible, including Google’s Chrome, which had originally been left off the list of compatible browsers.

As for when we’ll actually get a look at this reworked version of OWA–that detail remains a bit fuzzy. While the company has said it’s currently at work on the next major version of the Office software suite, OWA also plays an important part in Microsoft’s Office 365 strategy. Part of the appeal for that offering is that users can get the latest versions of Office applications that are hosted by Microsoft, versus local deployments. If some of the changes are simply under the hood, there’s the potential for them to end up in 365 ahead of any future versions of its desktop sibling.

Microsoft’s job posting was first picked up by blog Winrumors, earlier Tuesday.

This article was first published as a blog post on CNET News.

Firefox beta to Web: ‘Do Not Track’

Firefox 4 beta 11 has landed a useful security feature for people who are sick of “stalkertizements,” those cookie-based ads that use your browsing history to target ads at your perceived tastes.

The new “Do Not Track” feature in Firefox 4 beta 11 for Windows, Mac, and Linux sends out a header that tells Web sites that you want to opt out of behavioral tracking, though Mozilla cautions in a blog post that it will take some time for sites and advertisers to respond to the header.

The feature can be toggled via a check box in the Advanced tab of Firefox’s Options window.

Mozilla privacy lead Alex Fowler said that the engineers decided to base the feature in the header sent from the browser because it’s something that all Web pages read as they load. A blacklist or cookie-based solution would be harder to implement across different browsers. He acknowledged that successful implementation of “Do Not Track” also depends on advertisers and site owners respecting that incoming header.

He added that the initial stages of a legislative fix are under way as at least one member of Congress–Rep. Jackie Speier (D-Calif.)–plans to introduce a bill ordering the Federal Trade Commission to create a “Do Not Track” program for advertisers. However, a second bill also being proposed does not include the “Do Not Track” option. Both might have a hard time passing in today’s antiprivacy climate, although a bill with “Do Not Track” would be the harder sell because of its stronger privacy controls.

Mozilla security and privacy engineer Sid Stamm has documented the technical implementation of “Do Not Track.”

Other changes in Firefox 4 beta 11–which Mozilla hopes will be the penultimate Firefox 4 beta–include moving connection status messages to a small overlay window, re-enabling WebGL on Linux, disabling automatic switching to offline mode when no network connection is detected, and a redesign of the default about:home page.

Android Gingerbread to get Open NFC support

Inside Secure plans to deliver a version of its open-source, near-field communication API tailored to the Android 2.3 operating system, code-named Gingerbread, before the end of February.

Open NFC 4.2 will offer hardware manufacturers, wireless operators and software developers an easy way to implement near-field communication (NFC) functionality across a range of Android 2.3 Gingerbread handsets, the semiconductor and software company said on Monday.

“Open NFC relies on a separate, very thin and easily adaptable hardware-abstraction software layer, which accounts for a very small percentage of the total stack code,” said Philippe Martineau, who heads up NFC for Inside Secure. “[This means] that the Open NFC software stack can be easily leveraged for different NFC chip hardware.”

Read more of “Android Gingerbread to get Open NFC support” at ZDNet UK.

Mozilla on fire in bid to outfox rivals

Mozilla has a new plan for Firefox in 2011: Turn the crank faster.

The organization is set to deliver Firefox 4 in coming weeks. And according to a draft Firefox roadmap, Mike Beltzner, Mozilla’s director of Firefox, proposed releasing versions 5, 6, and 7 in 2011, too. This fast-release ethos, pioneered in the browser world by Google’s Chrome, means smaller changes arrive more frequently.

For comparison, Firefox 1 arrived in 2004, Firefox 2 in 2006, Firefox 3 in 2008, with Firefox 4 slipping past a hoped-for 2010 ship date and likely to slip past another date set for the end of February.

The faster schedule is designed to make Firefox more competitive by getting new features into users’ hands faster. According to Beltzner:

We succeeded in re-energizing the browser market, creating competition and innovation which benefits Web application developers and users alike. This newly competitive market has presented challenges for the continued success of Firefox, and in 2011 we must ensure that we can deliver a product that is compelling to users in order to continue to be able to demonstrate our vision for the Web. To do this we must:

  • provide a browser that is stable and responsive,
  • build a product for modern desktop and mobile hardware,
  • provide a simple set of features and experiences to help users get the most out of the Web,
  • support Web technologies that are desired most by application developers and users,
  • deliver those technology improvements quickly to our user base.

It’s not easy turning the crank faster, though.

“Changing the way we ship products will require the re-evaluation of many assumptions and a large shift in the way we think about the size of a ‘major’ release,” Beltzner said. “The criteria for inclusion should be no regressions [new bugs], well understood effects for users, and completion in time for a planned release vehicle.”

Firefox’s share of worldwide browser usage has remained largely flat, with Chrome and Safari steadily picking up usage in recent months. Chrome, which often serves as a vehicle for Google to promote favored new technologies, moved last year from a quarterly release cycle to an even faster one with twice that pace.

Microsoft gives Windows Phone devs copy, paste

The slow march toward the public release of Microsoft’s first update to its Windows Phone 7 system software is one step closer to fruition.

At the top of the PPCGeeks Podcast last week, Brandon Watson, who is Microsoft’s director of developer relations, announced that the company today would be seeding a new version of the Windows Phone Developer Tools to registered Windows Phone 7 developers.

Included in the update are things like the long-awaited copy and paste feature, and a performance improvement for application load times. The tools give developers a chance to test their applications for compatibility, but also signal that the update is closer to getting into the hands of end users.

During the podcast, Watson also said that the Developer Tools software was on track to pass a million downloads since its introduction at last year’s Mix conference. That’s no small feat considering Microsoft’s most recent tally of registered phone developers was north of 24,000.

Microsoft has yet to nail down a specific date for a consumer release of the software upgrade. During a phone interview with ZDNet Asia’s sister site CNET, Greg Sullivan, senior product manager for Windows Phone 7, was still going with the estimate of within “the next few months” that the company had provided at CES.

This article was first published as a blog post on CNET News.

Office Web Apps to go worldwide in March

Microsoft says that by next month, users worldwide will be able to get their hands on the free, online version of its Office suite.

In a post on the Office Blog earlier this week, the company said that it had expanded Office Web Apps availability in 150 new countries including Mexico, India, Israel and Saudi Arabia, and that by next month it will hit “all remaining markets in Central and South America”.

The free service, which contains Web-based versions of Word, Excel, PowerPoint, and OneNote, was launched by Microsoft in June of last year. Microsoft says that 30 million people are now using it.

Besides creating documents through the Office component of Windows Live, Office Web Apps exist on Facebook through Docs.com, as well as with some recent integrations that use the hosted productivity tools to open up attachments. That same functionality is also built into Hotmail, where it was seeing 500 percent growth (month by month) in use, according to stats Microsoft released late last year.

Office Web Apps is just the latest in a series of Microsoft’s Web properties to vie for the important “worldwide” moniker. The last one was Windows Live Messenger, which this week expanded its Facebook chat connector to all markets.

EMC launches free edition of Greenplum database

EMC on Tuesday rolled out an open source community edition of its Greenplum data warehousing software. The free version is aimed at bringing more developers into the data warehousing fold.

Scott Yara, vice president of EMC’s data computing products division, said the community edition of the Greenplum database could turn “10s of thousands of downloads” into “100,000s of thousands”. “There’s an opportunity here to grow the analytics community,” said Yara.

The game plan for EMC is pretty obvious: Put Greenplum software in as many hands as possible. If Greenplum can build a vibrant data warehousing app ecosystem it could become a standard platform. Yara added that Greenplum has historically focused on high-end data warehousing, but the community of developers needs to be larger and should reach out to data scientists and other IT pros.

Read more of “EMC launches free edition of Greenplum database” at ZDNet.

Chemistry add-in for Word goes open-source

Microsoft today announced that its chemistry add-in for Word is now freely available for download and tweaking by the open-source community.

The tool, which was released in beta form in March of last year and has since been downloaded 250,000 times, lets users create and modify chemical information inside of Word 2007 and 2010. This includes chemical formulas, labels, and 2D structures that can more easily be worked on than with Word’s standard formatting tools.

Also known as Chem4Word, the add-in was developed through a partnership between Microsoft Research and three professors at the University of Cambridge. As part of the move to a v1 release, Microsoft has handed over the project to The Outercurve Foundation, which is putting it in its Research Accelerators Gallery where open-source community members can make changes to it.

“By shifting the project to the Foundation, we are encouraging scientists around the globe to engage, contribute, enhance, and support the original authors on this project,” Outercurve’s executive director Paula Hunter said in a blog post on the group’s site. “They have done some heavy lifting, but I am sure will welcome new collaborators,” she said.

Since the move to Outercurve’s gallery, project collaborators are already planning to bring 3D functionality to the tool, along with vector graphics rendering, and improved performance.

Users who want to grab the add-in can find it here.

Twitter buttons disappear from Gawker redesign

When blog network Gawker Media announced last year that it would be completely redesigning its portfolio of media properties–which include Gizmodo, Jalopnik, Jezebel, and the namesake Gawker.com–it created a wave of banter in the media industry. With only one story fully highlighted on the front page and a frame serving up alternate stories’ headlines, Gawker honcho Nick Denton is steering the company into a theoretical post-blog age.

But, when the redesign went live on several Gawker properties Tuesday, there were still a few surprises to the notably tablet-friendly experience. For one, Gawker sites have now completely eliminated the buttons that let readers share a headline on Twitter or StumbleUpon, winnowing the options down to Facebook alone.

Facebook is “by far the biggest social source of traffic for us,” Denton told the New York Observer via e-mail, adding that he found the smattering of other buttons to be cluttery. “These sites festooned with social media buttons–they look like primitive tribesmen clutching pathetically onto shiny baubles they believe to be the symbols of modernity,” he added to the Observer.

Denton is a proud contrarian, but even his critics admit he’s been spot-on correct on occasion–like launching the original Gawker Media titles in the first place long before most people had ever heard of a blog.

It probably isn’t necessary to take a single publisher’s removal of Twitter buttons from its sites as a sign that Twitter’s shelf life has been shaved down, but it’s an interesting glance at one company’s belief in what drives traffic and what doesn’t–and perhaps what it believes its priority audiences are more likely to be using.

For Facebook, it’s a nice minor victory. The social-networking site has been plotting to creep further into the world of mainstream digital media, like Monday’s revelation that it will be launching a new product for third-party publishers that want Facebook-powered comments.

Analytics, mobility strengthen SAP’s APAC standing

German software vendor SAP is turning to its analytics, CRM (customer relationship management) and mobility products to enhance its growth in the Asia-Pacific region, which, together with Latin America, is driving the company’s growth, a company executive reveals.

Stephen Watts, president of SAP Asia-Pacific and Japan, identified the three offerings as key to the company’s value proposition to customers, particularly in this region. Analytics, in particular, is clocking the “fastest growth” in SAP’s fourth quarter earnings report, he said in an interview Tuesday with ZDNet Asia.

Watts noted that the company’s in-memory high-performance analytic appliance is garnering strong interest globally as well as in the region. This interest spans all vertical industries, he added, as companies are trying to come to grips with their burgeoning data and the appliance is touted to streamline datacenter sprawl and provide “real-time” data analysis for all employees, as and when they need it.

With the inclusion of mobility in analytics, companies are now able to “untether” their workforce from their desks and push business-critical information to their mobile devices, regardless of the hardware manufacturers.

Watts said: “Mobility offerings should never be a vendor-driven decision but a customer-driven one.”

Furthermore, he noted that as more Asian companies look for top-line growth, establishing closer interactions and relationships with their customers will emerge as a key priority. To this end, he said SAP’s CRM products have seen growing demand.

Hiring and retaining talent are also ongoing challenges enterprises in the region have to face, he noted, adding that this is driving demand for the vendor’s human capital management tools.

Asia key growth driver
Asked if Asia will lead all regions in terms of growth for the company, Watts said the region, together with Latin America, will play key roles in driving SAP forward.

Citing revenue and growth figures specific to Asia-Pacific, he expressed confidence in the future and said the company’s reputation remains strong here.

According to Watts, SAP’s software and software-related services revenue for the fourth quarter 2010 grew 26 percent to 495 million euros (US$674.59 million), while total revenue saw a 23 percent growth to 574 million euros (US$782.25 million).

In comparison, globally, the company’s software revenue grew 35 percent to 1.5 billion euros (US$2.04 billion) over the same period, while its software and software-related services revenue rose 20 percent, SAP said.

Watts said fourth-quarter 2010 software sales marked the company’s “biggest quarter in its history”, indicating that customers in the region are still looking to SAP to accelerate their business processes despite the company’s recent legal problems with rival Oracle.

SAP in December was ordered to pay US$1.3 billion plus interest to Oracle for copyright infringement committed by a third-party maintenance company, TomorrowNow, that it had acquired in 2005. The German software vendor will not contest the lawsuit but is planning to go to court to reduce the amount of penalties awarded, which it has said is “disproportionate and wrong”.

“The lawsuit and verdict has no impact on the market we play in,” Watts said. “We have already made provisions within our finances to pay the full penalty of US$1.3 billion, plus interest, and we’re not going to get worse in subsequent quarters.”

NPD: Windows Phone 7 off to a slow start

While Microsoft has already let us in on the number of Windows Phone 7 handsets it’s sold to carriers and OEMs worldwide, the bigger picture–as in how many consumers have actually made purchases–has been left up to research firms and retailer surveys. New numbers released by the NPD Group bring that picture into focus.

Windows Phone 7 gained 2 percent of the United States smartphone market during the last three months of 2010, NPD said in a research report that covers unit sales during that time. That’s compared to Android’s 9 percent growth over the previous quarter, bringing it to 53 percent of sales; Apple’s iOS, which went down 4 percent to 19 percent; and RIM’s 2 percent drop down to 19 percent.

One rather important detail to note here is that Microsoft’s Windows Phone 7 wasn’t launched until the end of October in the United Kingdom, Australia, and some Asian markets, and in early November in North America. This means its two months of sales went up against more established competitors that were counted for all three months. One of those established platforms ended up being Windows Mobile–Windows Phone 7’s predecessor–which NPD says actually eclipsed Windows Phone 7 in terms of its market share during the same time period.

“Despite buy-one-get-one promotions at both AT&T and T-Mobile, the Windows Phone 7 OS claimed less market share than its predecessor, Windows Mobile, for which handsets are still available at all four major U.S. carriers,” Ross Rubin, executive director of industry analysis for NPD, said in a statement. Rubin added that Windows Phone 7’s launch share for the quarter had been lower than Android or Palm’s WebOS, according to the company’s Mobile Phone Track reports.

As for how much that share was, NPD said that Windows Mobile sat at 4 percent of the consumer market during the quarter, compared to 7 percent from the year before.

Later this year, Microsoft plans to offer a CDMA version of Windows Phone 7, which will make the new platform available on all the major carriers. As it stands right now, the device has been available only to carriers that make use of GSM technology. At CES, Microsoft said it was still on track to deliver a release of the software that would work with CDMA networks by the first half of 2011.

Author Jane McGonigal explains why ‘reality is broken’

Until a couple of years ago, the idea that games could make people’s lives better was heresy. Everyone knew that games were a massive waste of time and that, if anything, they were harming those who played them the most.

But then word began to spread of new research that showed just the opposite: that games, and playing games, could have a positive impact on people. And while there was still plenty of skepticism, the woman behind the research, well-known game designer Jane McGonigal, began to attract a lot of attention with her new claims. Especially the idea that game designers might just be the very people that had the best chance of positively impacting the most lives.

Over the years, McGonigal’s work has received more and more attention. She first came on the scene as one of the people behind the hit alternate-reality game I Love Bees and soon began earning notoriety for the projects she herself designed–Tombstone Hold’em; World without Oil, which tasked players with imagining scenarios in a post-peak oil world; The Lost Ring, which was commissioned for the 2008 Beijing Olympics and introduced a “lost” Olympic sport to thousands across the globe; Superstruct, which asked players to come up with solutions to the kinds of massive problems that could threaten the future of our species; and more.

Along the way, she became a research director at the Institute for the Future. And now, McGonigal has published her first book, a big-picture tome called “Reality is Broken”, which takes the research she had been talking about and implementing in her games, and in keynote addresses from SXSWi to the Game Developers Conference to TED, and beyond, and uses it to make the argument the whole world can see, that games can make the world a better place.

One of the most prolific game designers around, McGonigal usually tries to help other people, or at least get other people to think, with her projects. But she has also turned her work inward–when she suffered a debilitating head injury in 2009, she ended up designing a game called Superbetter that she now credits with being instrumental in her recovery.

Yesterday, McGonigal sat down for a 45 Minutes on IM interview to discuss her new book, the millions of work-years humans have spent on World of Warcraft, her oldest games, and nail polish.

Q: First of all, congratulations on the book. Maybe you could start by summing up for those who haven’t seen the book why “reality is broken”.