DefCon 16 will be held August 8-10 at the Riviera Hotel in Las Vegas.

Contestants will be given a sample set of viruses and malicious code that they must modify and then upload through the contest portal. Once accepted, the sample will be sent through a number of leading antivirus engines (perhaps using VirusTotal.com to provide real time test results). The first team or individual who manages to evade all the antivirus engines wins that round. The organizers promise that each round will increase in complexity.

Reverse engineering and code analysis is fun.
Not all antivirus is equal and poorly performing antivirus vendors should be called out.
Signature-based antivirus products can be easily circumvented.
It’s easier to modify malicious software than it is to write signature protection for it. Signature-based antivirus is dead. Antivirus is just part of the larger picture, you need patching, firewalling and sound security policies to remain virus free.

But Dave Marcus, security research and communications manager at McAfee Avert Labs, said: “Encouraging research that results in better evasion techniques for malware writers is not a good idea. How many identities will be lost and how much data will be stolen from users as a result of the new techniques and evasions that are created? Security research should center around bettering detection not evasion.”

The goal of the Race to Zero is simple: obfuscate a malicious code so that it evades well-known antivirus engines.

A new contest to be held at this year’s DefCon in Las Vegas in August hopes to prove that signature-based antivirus is dead, a move that one leading antivirus researcher says is “not a good idea.”

On the contest site, organizers list six reasons for hosting this event:

8-inch screen
800×600 resolution
1GB internal memory
Auto on/off function
Auto photo resize
SD/MMC/MS/XD card reader, USB memory slot

10-inch screen
1024×600 resolution
64MB internal memory
Auto-rotation function
802.11b/g wireless photo frame
Rechargeable battery
SD/MMC/MS/XD card reader, USB memory slot
InfoLink free information service (news, weather, stocks, USA Today) Frame Channel service that gets more than 400 channels of news, sports, cartoons, and more

Each of the models feature Samsung’s Starlight Touch Controls, which integrate the onscreen display (OSD) and disappear from the bezel after 10 seconds of inactivity. The two Wi-Fi enabled frames, the SPF-85V and SPF-105V are optimized for use with Windows Live Spaces for photo sharing. Also, these two frames come with Samsung’s InfoLink feature, which offers the ability to receive RSS feeds from USA Today and Frame Channel.

Samsung SPF-105V

Samsung SPF-85V

10-inch screen Rechargeable battery 1024×600 resolution
1GB internal memory
Auto photo resize
Rechargeable battery
SD/MMC/MS/XD card reader, USB memory slot

Apparently I’m slowly moving into the minority on this. On Wednesday, Samsung announced four new digital photo frames.

Samsung SPF-105P

The 8-inch SPF-85V: save this one for the small, cute pics.

8-inch screen
Built-in wireless feature optimized for use with Windows Live
800×600 high resolution
64MB internal memory
Auto-rotation function
802.11b/g wireless photo frame
Rechargeable battery
SD/MMC/MS/XD card reader, USB memory slot
InfoLink free information service (news, weather, stocks, USA Today) Frame Channel service that gets more than 400 channels of news, sports, cartoons, and more

(Credit:
Samsung )

The SPF-85H and the SPF-85V will be available September 1 for an estimated price of $129.99 and $199.99 respectively. The SPF-105P will be released on October 1 for $199.99. The SPF-105V is slated for November 1 for $289.99.

Actually, I don’t think I’m at the point morally. I mean come on, I don’t think I could sleep at night after spending $200 on a picture frame. Digital or not.

Digital photo frames. You love ‘em, I love ‘em. Well, actually I’ve only ever seen one in use before and that one was broken. Call me old-fashioned (or just old) but I guess I’m just not at the point financially where I can justify the price.

Disclosure: I’m paid as a technology policy fellow by the Electronic Privacy Information Center, a public interest group that has repeatedly criticized Google for its privacy policies. Furthermore, I interned for Google in 2006, and have received a $5,000 fellowship from the company, both in 2006 and 2007.

Search terms

Luckily, someone else has taken steps to fill the search privacy gap left by Google.com. A Texas man named Daniel Brandt has created a Google-powered privacy-preserving search engine: Scroogle.org.

A more technical explanation of this is as follows: Google embeds the search terms that the user issued into the Web URL of the search response page. That is, an example search URL will look like http://www.google.com/search?q=security+blogs
. This is known as a HTTP GET request. When a user clicks on one of the search results on that page, the Web site owner will be told the exact address of the referring Web site. Due to the fact that Google embeds the search terms in its results URL, the Web site owner learns which terms lead a user to their page.

By default, all Google searches as well as e-mail sent and read via Gmail are transmitted in the open, over an unencrypted session. What that means, is that the data can be seen by anyone with access to the network–anyone else using the Wi-Fi connection at Starbucks, your Internet service provider, or any government agency that has tapped the Internet backbone.

A switch to this more privacy-protecting method of Web data submission, known as a HTTP POST, would be a trivial change for Google’s engineers. Furthermore, it wouldn’t lead to any additional data processing resources for its vast number of servers. For Google, such a change would cost the company essentially nothing yet it would give its customers an immediate increase in privacy.

Searches, exposed.

While the company offers encrypted Web mail, it does not do the same for searches. Currently, there is no way to keep your search terms secret from those who might be watching the network. Could the company offer this? Sure, but it has chosen not to. Primarily, because of cost.

Unfortunately, encryption is expensive, at least in terms of computing power. Turning SSL on by default for the millions of Gmail users would mean that Google would have to dedicate more computers to the service. Those computers cost money. A Google spokesperson confirmed this, telling me that “we have not made SSL the default due to capacity and latency issues.”

Google should change its policies with regard to SSL and e-mail. At the very least, it should mention the secure Web mail option and provide a link on the main Gmail log-in page. This information is currently hidden in one of the help pages. In an ideal world, Gmail would enable SSL by default.

Imagine a normal search situation. A user will visit Google.com, type in a few words, “security blogs,” perhaps, and click on the search button. From the search results page, a user will click on a link, taking them to www.some-website.com. Due to the way that Google has designed its search engine, Web site owners are given the search terms that brought each Web surfer to their site.

Google could very easily stop including the search terms in the URL and thus stop passing on the search terms to the Web sites that users click on from a Google results page. It could do so by requesting that the user’s browser send the terms to a Google server in a more discrete way. Many Web sites do this, especially those dealing with private information. Amazon.com and other e-commerce sites do not transmit the customer’s credit card information by sending it in the URL–even on a SSL-encrypted Web session. To do so would needlessly endanger the user.

Encrypted mail

What Daniel’s site shows, is that privacy preserving search is possible. While Scroogle doesn’t show any ads, if Google offered this service, they could still make a buck on it. Imagine that–making money, while not being evil.

While I personally think this is a load of rubbish, I’m going to give them the benefit of the doubt today, because I want to focus on a different issue. Namely, that Google could take a few easy steps in other areas to protect customers from the prying eyes of AT&T, the NSA, or the pervert next door reading your e-mails sent over a wireless network.

Google has made a shrewd business decision: Those users who care enough about their privacy to read the company’s FAQ can get a bit of protection for their e-mail, while those users who presumably don’t care, are left exposed to hackers and snoops.

Scroogle submits search queries to Google on a user’s behalf, scrapes the results, and displays them to the user. Scroogle’s search data policies are fantastic: no cookies, no search-term records and all access logs are deleted within 48 hours. The site uses HTTP POST requests by default, which helps to keep the search terms a secret between the user and the search engine. Furthermore, for those users willing to put up with the 1- or 2-second delay required to initiate an SSL connection, encrypted searches are available to users via https://ssl.scroogle.org/.

The only downside to such a change, would be the loss of information for Web masters. Companies would like to know which search terms drew a customer to their Web site, especially if that visit resulted in a sale. While no doubt useful for marketers, this is not something they deserve to know. Furthermore, Google’s responsibility is to the users with the eyeballs. At the very least, if a firm wants to know what people are searching for–let it buy an advertisement from Google. Right now, Google gives this data away to every Web site owner, for free.

Public interest groups, academics and members of the press have hammered Google for its lax privacy policies. The criticism has mostly focused on the log deletion practices and browser cookie policies at the search giant. Google claims that search quality and user privacy are a zero-sum game: deleting log data makes it more difficult to improve search results. Perhaps the company is right. However, there are several other pro-privacy steps that Google could take to significantly protect its customers–which it has not done, and continues to reject.

These high-profile Googlers make the case that user privacy and search quality are a zero sum game: deleting logs to protect customer privacy makes it far more difficult to provide a good search experience.

All Web browsers support the SSL encryption standard. Google even offers encrypted access to Gmail users, if they know to ask for it. Users simply need to visit https://www.gmail.com, and their e-mail entire session will be safe from prying eyes.

Over 130,000 searches per day are made through the Scroogle site, 10 percent of which use SSL. In an e-mail conversation, Daniel told me that his “ultimate goal is for Scroogle to survive long enough
so that the public sector gets the idea that all major search
engines should be treated like public utilities.”

Over the last few months, a number of Google’s engineers have issued public statements on the company’s public policy blog to defend its much criticized log data retention policies. The company claims that the data can be used to hunt down malware, to catch people defrauding its advertising system, and can be used to improve search results.

Now the other side of the coin: I’ve used CheckPoint’s ZoneAlarm firewall–both the free and pro versions–for many years, and on many different PCs. The program would occasionally prevent a legitimate program from performing some operation, but on those rare instances I merely shut the firewall down long enough to complete the task, and then turned it back on. No problem.

Until this morning, that is. I spent four hours trying to update a Web site via ftp, only to be told that access to my ISP’s ftp server was denied. I tried using the WS_FTP Pro ftp program, Windows Explorer,
Firefox, and even a WYSIWYG Web editor, but nothing could get through to the server. I could access the remote system on another PC on my network, but I wanted to avoid having to move the files in question to that PC to complete the transfer. Just last week I had ftp’ed some files without a problem.

After several calls to my blameless ISP, a tech suggested that I uninstall ZoneAlarm. Not just shut it down (which I had already tried), but completely uninstall the app. This struck me as somewhat extreme, but after spending so much time trying to figure out the glitch, I thought it was worth a try. And what do you know: as soon as ZoneAlarm was off the system, I could access the ftp server without a hitch.

I suppose I could try to figure out why ZoneAlarm all of a sudden threw a monkey wrench into my server access, but it’s quicker and simpler to rely on another free firewall. My ISP’s tech guy said he trusted the firewall built into XP, which he claims Microsoft has improved tremendously. But its protection is one way: it doesn’t monitor traffic from the PC to the Internet, just stuff inbound. Instead, I loaded the free Comodo Firewall Pro, which also scans your system for viruses, spyware, and other threats. Since I use a remote-access service to log into this PC while on the road, I chose to review requests for incoming connections rather than to block them automatically, which means I’ll have to click through a few more pop-ups. But for me this is a small price to pay for the added convenience of remote access.

After you install the Comodo firewall it starts to train itself.

Customize your firewall's ftp access using these settings in the free Comodo Firewall Pro.

So what did my morning in tech-support hell teach me? First, that my ISP’s tech support staff is worth their weight in gold (even if I did assume at first that it was all their fault). Second, that I’m glad there’s a myriad of free options when it comes to PC security software. Third, that things change quickly in the computer world, and it doesn’t pay to be glued to your assumptions. And fourth, if a program encounters a problem accessing the Internet, check for a conflict with your security software before you get on the horn to your ISP’s tech support.

Tomorrow: tweak Windows XP for optimum performance.

Get a snapshot of your system security on the Comodo Firewall Pro's summary page.

After you install the program and reboot, Comodo “learns” your system, running through the standard processes and services. It also learns as you open your browser and other network-connecting applications for the first time. Once its training is complete, you can click the Comodo icon in the system tray to view your blocked and allowed connections, as well as other traffic data. You also get a snapshot of your running applications, and your choice of five security and alert-frequency settings.

About five years ago I installed the family version of Symantec’s Norton Internet Security software on one of my PCs, rendering the machine unusable. Not only couldn’t I get any access to the Internet, it was impossible to uninstall the program. I ended up having to reinstall the operating system and all my applications–except Norton Internet Security. At the time I said I would never again install a Symantec security program on any PC, but about a year ago I bought a PC that came with 90 days of Norton 360, and the program won me over. When the free trial period was over I even coughed up $80 for a year’s subscription. Apart from the frequent nags about my need to back up (I prefer to use my own manual backup strategy), I’m happy with the Norton 360.

The steam-powered mark to beat was 127 mph, set in 1906 by Fred Marriott, driving that Stanley Steamer at Daytona Beach, Fla. (According to the FIA, the overall World Land Speed Record is 763 mph, a supersonic speed reached in 1997 by a jet-powered car, the ThrustSSC.)

Photos: Steam Car team eyes record

Tuesday’s achievement still awaits official confirmation from the certifying agency, the Federation Internationale de l’Automobile.

(Credit:
The British Steam Car Challenge)

The Stanley Steamer may have finally been dethroned.

The British Steam Car spouts off as it gets ready to make a run at a 103-year-old land speed record.

After holding onto its land speed record for 103 years, the homegrown Stanley automobile from the early days of motoring has been overtaken by a late-model import. The British Steam Car team said Tuesday that, earlier in the day, in the two runs required to be considered for the record, the Steam Car averaged 139.843 mph over a measured mile.

In each of its runs, the Steam Car, driven by Charles Burnett III, actually traveled more than 6 miles on a dry lake bed at Edwards Air Force Base, Calif. On either side of the measured mile, it requires a 2.5-mile stretch for acceleration and deceleration. In going for the record, the vehicle had to make the second run within an hour of the first–the steam team says it made the turnaround Tuesday in 52 minutes.

Charles Burnett III behind the wheel of the Steam Car.

The British Steam Car, a project 10 years in the making, is no jet, but it does have its share of modern trappings, including carbon-fiber construction. The 3-ton, 25-foot-long vehicle has 12 boilers, and its steam gets superheated to 400 degrees Celsius before being injected into the turbine.

(Credit:
The British Steam Car Challenge)

Update: As astute reader ZephyrVolta points out, the Apple Store is currently running a special on refurbished 8GB Nano players (again, 4th-gen): $99 shipped. They carry the same one-year warranty as new models, and they’re available in all colors. Much better deal, IMHO!

The catch? You have just one color option: yellow. (Don’t worry, guys: It’s a manly looking yellow.) J&R does carry all the other Nano colors, but they’re priced at $139.99.

J&R’s price on the current-generation 8GB iPod Nano: $124.99. Amazingly, that’s for a new unit, not a refurb. And there’s not a rebate in sight.

Find more deals, coupon codes, and bargains on CNET’s Shopper.com.

Whatever the case, J&R says it has limited availability of these spiffy, yellow Nanos, so if you want in on the deal, click fast.

Save it for a rainy day. (Plenty of those to go around.)
Get Michael Jackson’s “Thriller” for $9.99 and remember the guy for what he did best.
Get an unlocked 3G wireless modem card for your laptop for $19.99 (today only).
Get 5 hours of classical adagios from Amazon MP3 for $2.99.
Buy one Jamba Juice smoothie, get another one free. Man, I wish there was a Jamba Juice by my house.

Apple’s price on the current-generation 8GB
iPod Nano: $149.

Instead, I thought I’d list a few things you can do with the $25 (er, almost $25) you stand to save:

There’s probably not much I can say about the Nano that you don’t already know. And I’ve embedded CNET’s First Look video if you want a quick overview.

Clicking on “Help -> Check For Updates” told me that the latest version was 1.0.12. Nothing about version 1.5, 2, or the just-released 3. Likewise, when Firefox 2 users check for updates, they are only told about the latest go-round for version 2, nothing about version 3.

Update June 26, 2008: According an article today at arstechnica, “…Mozilla told us that they have not finalized the schedule for when Firefox 3 will be made available to Firefox 2 users through the update channel, but they suspect that it will happen within the next two or three months.”

Is the failure to look up the version ladder a bug or a conscious design decision? Either way, there are, no doubt, computer users that never got the memo, people still running Firefox version 1.0.12 or 1.5.x, thinking they have the latest and greatest.

Self-updating Firefox from version 2 to version 3 now, would be a mistake. While a new version is new, the decision to upgrade should not be automated. However, at some point Mozilla will stop maintaining version 2, a condition techies refer to as “end of life”. Here’s hoping that when version 2 hits EOL (the mandatory TLA) that the update checking is a bit more self-aware.

See a summary of all my Defensive Computing postings.

In general, the way Firefox self-updates is very well done. This is born out in the stats below, an excerpt from a website activity report showing, for this month, how many hits the site experienced from people using Firefox version 2.x. As you can see, the vast amount of Firefox 2 users are using the latest edition, 2.0.0.14.

Whether all that’s enough to supplant Northern California is not something I know how to estimate…

This is still a leading-edge trend. But Silicon Valley won’t always be the center of the universe. If you talk to VCs, they’ll agree with that.

You argue that China is “winning the tech race.” But it seems like the more mature companies in China have followed American business models, and this innovative generation of companies is still very young. In what sense is China “winning?”

Venture capitalists used to say they’d never invest outside a 30-mile radius of their offices. Now VC firms like Sequoia Capital, Kleiner Perkins Caufield & Byers, and Accel Partners are all focused on China. Virtually all of the major venture capital firms in the U.S. have teams and funds there. It’s been a huge shift. And for every startup that’s funded in China, there’s a startup that’s not funded somewhere else.

If, on the other hand, we’re talking about raw development that speaks the language of science–equipment meeting international standards, biotech, energy innovation, etc.–then the market is not a problem, and I suspect the flood of skilled developers in China will indeed fuel a wave of innovation.

I haven’t read the book, but there is certainly a dose of reality in her assessment. What I wonder is whether the innovation will not be split into two types: language-dependent, and what I might call “pure technology.”

Well, you have to consider the time frame. It’s going to be years before it becomes very pronounced, but China is slowly emerging as the next Silicon Valley.

Forbes.com asked her to explain her ideas in an interview:

For innovations in the tradition of Google, Amazon, and Web 2.0 applications, the translatability of applications or the size of the market supported by a given language is key. Chinese firms depending on a Chinese-reading audience will depend on the continued explosion of Chinese Internet usage and a huge surge in willingness to spend online. If these trends slow or reach a plateau, VC may not be so enamored with China-based ventures.

Journalist Rebecca Fannin argues in her new book, Silicon Dragon, that China will gradually emerge as the world’s center of innovation, supplanting Silicon Valley for venture capital and exciting technology.

Getting legal clearance for samples and covers can be a real problem. For samples, if the copyright owner of the sampled song discovers you’ve used it without permission, they can sue to receive a portion of the proceeds–even if the sample’s unrecognizable. Even getting permission doesn’t always save you, as the Beastie Boys discovered. An article in a recent issue of SSA explores the issue in detail and concurs with Beck’s assessement in 2005 that the legal issues with sampling will basically kill the practice in mainstream commercial music.

Fortunately, some enterprising souls took it upon themselves to release 500 copies of the original verison on “white label” vinyl. As Animal Collective member Geologist explains, white labels are a common way that techno and hip-hop artists release music with uncleared samples–because there’s no information about the artists or manufacturers on the label, there’s nobody to sue. Plus, the releases are usually in such small volume that it wouldn’t be worth the rights-owner’s time to sue anyway.

Covers generally require permission from the publisher, and some songs are never allowed to be covered–apparently, Bob Dylan’s “Highway 61 Revisited” is one of them, although that hasn’t stopped plenty of bar bands from trying.

But I was under the impression that parody is free game. There’s legal precedent in a case called Campbell v. Acuff-Rose Music, in which rappers 2 Live Crew were sued by the publishers of “Oh Pretty Woman” for their parody cover version. The case went to the Supreme Court, and 2 Live Crew won. But even if they won, the risk of lawsuits (and plain old bad blood) is big enough that parodists are wise to ask permission–as Weird Al Yankovic does for every song he covers.

It doesn’t sound like parody to me, but rather a kind of sweet-hearted reinterpretation. If you want to hear for yourself, a streaming version is available here (at least today…it may be gone tomorrow). The borrowed lyrics start around 2:30.

Who you gonna sue?

The 2.8-pound minilaptop’s white case toes the design line established by the Asus Eee PC, Acer Aspire One, and others. So it’s no surprise that the NC10’s configuration is fairly typical as well, with a 1.6GHz Intel Atom N270 processor, 1GB of 800MHz RAM (upgradeable to 2GB), and Windows XP, plus a large, 160GB hard drive. (With computers as with apartments, a lot of storage is always welcome.) The 10.2-inch screen features the expected 1,024×600-pixel resolution. Connection options include 802.11b/g Wi-Fi and integrated Bluetooth. Around the case there are a 1.3-megapixel Webcam, VGA-out, Ethernet, three USB 2.0 ports, headphone and microphone jacks, and a 3-in-1 memory card reader.

Of particular interest is the NC10’s six-cell battery, which we’d expect to last 5 hours or more (according to the company, it will provide up to 8 hours of battery life). We’re also curious to spend more time with the Netbook’s keyboard, which is 89 percent of full size. On most Netbooks, the keyboard feels cramped at first but eventually seems workable for pounding out a few e-mails at the coffee shop.

At $499, the Samsung NC10 is priced on the high end for a Netbook, though not quite as costly as the similarly configured Lenovo IdeaPad S10. The Samsung NC10 will be available by mid-November at such online retailers as NewEgg, Buy.com, CDW, and Amazon.

(Credit:
Michelle Thatcher)