The launch of Microsoft Surface marks the beginning of a new technology category and a user-interface revolution. Surface, Microsoft’s first surface computer, provides effortless interaction with digital content through natural hand gestures, touch and physical objects. Surface computing breaks down traditional barriers between people and technology, changing the way people interact with all kinds of everyday information — from photos to maps to menus.

We will offer on this site regularly updated versions of the media kit, which includes press releases, background material and images. Please visit frequently to receive the latest news and information about Microsoft Surface.

Internet Explorer 7 has been available for over a year now, and yet its marketshare continues to struggle, relative to the dominance IE 6 enjoyed. Microsoft's own IE Blog paints a rosier picture, but more importantly, it informs us about some new changes to MS's latest browser.

For starters, IE 7 will no longer require a Windows Genuine Advantage validation check for download or install. You can just download away from the Microsoft's Internet Explorer page or use Automatic Updates.

The Windows XP version of IE7 has been tweaked a bit, too. The menu bar defaults to being visible instead of hidden, the "first run" and online tours have been updated, and the MSI installer has streamlined installation for network admins and enterprise customers.

These aren't big changes, to be sure. The biggest deal is clearly the removal of the WGA check. It certainly begs the question: Where is the next Internet Explorer? When is it coming, and what features should we expect? Microsoft has been especially quiet on the subject.

France is hoping to shut down spammers more quickly through a system that makes it easier for users to notify ISPs (Internet service providers) when unsolicited e-mails are coming from their network.

The French government funded the development of an open-source toolbar for Microsoft Corp.'s Outlook and Mozilla Corp.'s Thunderbird e-mail programs that people can use to report suspected spam, said John Graham-Cumming, an Englishman who built the software for the project, called Signal Spam. See article.

While it is a novel idea it as other solutions lacks understanding of two of the root problems. One of the biggest problems with this approach is it assumes that end users have any idea at all what they are doing. We are a web host and commonly see our users forward all the mail from their domain to their ISP email account. When they mark something as spam using an approach like this they typically end up reporting their own email server.

The last issue is with regard to spoofing the source email address. Until someone comes up with a viable solution to truly determine a source to determine if it is valid all these approaches are flawed from the start.

When eBay (EBAY) bought Skype Technologies for $2.6 billion in late 2005, few could fathom why the online auction company saw so much in a money-losing Internet phone service. Two years later, eBay is admitting it made a mistake.

On Oct. 1, eBay confirmed that it overpaid for Skype—by nearly $1 billion—and that the popular Web-calling business has not performed up to the rosy forecasts set back in 2005. In announcing a $1.43 billion charge against profits, eBay also revealed a broad management reshuffle in which Skype co-founders Niklas Zennström and Janus Friis will be leaving their posts.

About a half-billion dollars of the charge is for a payment to Zennström, Friis, and other early Skype investors. Although it might sound like a plump farewell present, that payout is well short of the $1.7 billion those shareholders stood to receive from eBay if Skype had met the targets for users, revenue, and profits set in the 2005 buyout agreement.

Considering Skype's rapid growth since the acquisition, it can't be an encouraging sign that its founders and early investors are cashing out well before the clock has run out on the original performance goals. When eBay bought Skype, it agreed to pay Skype shareholders as much as $1.7 billion extra if Skype met certain user growth and financial targets in 2008 and 2009. In accepting $530 million, those investors agreed to forgo any future payments, suggesting that none were likely. eBay plans to record that payment, plus $900 million more, as an impairment charge recorded in the third quarter.

The Internet Explorer Developer Toolbar provides several features for exploring and understanding Web pages. These features enable you to:

Explore and modify the document object model (DOM) of a Web page.
Locate and select specific elements on a Web page through a variety of techniques.
Selectively disable Internet Explorer settings.
View HTML object class names, ID's, and details such as link paths, tab index values, and access keys.
Outline tables, table cells, images, or selected tags.
Validate HTML, CSS, WAI, and RSS web feed links.
Display image dimensions, file sizes, path information, and alternate (ALT) text.
Immediately resize the browser window to a new resolution.
Selectively clear the browser cache and saved cookies.
Choose from all objects or those associated with a given domain.
Display a fully featured design ruler to help accurately align and measure objects on your pages.
Find the style rules used to set specific style values on an element.
View the formatted and syntax colored source of HTML and CSS.

The Developer Toolbar can be pinned to the Internet Explorer browser window or floated separately. Get it here!

There have been many questions about timing issues with AMD dual core. It seems that AMD is certainly working to address many of them with XP and 2003 server with these tools offered at the AMD site. Learn More

SYMPTOMS

Full Article

A vulnerability in Ask.com's toolbar for Internet Explorer could allow an attacker to take control of a person's computer, according to security advisories.

The problem concerns a buffer overflow flaw in the toolbar and involves an ActiveX control, according to an advisory posted by security vendor Secunia APS, which rated the problem as "highly critical," its second most severe rating. It affects version 4.0.2 of the toolbar and possibly others.

Proof-of-concept exploit code for the vulnerability has been publicly posted on other disclosure forums, with a person named "Joey Mengele" credited with finding the flaw. Ask.com officials contacted in London were not immediately available to comment.

The Ask.com toolbar sits below the address bar and can perform a variety of category-specific searches, such as weather information, stock quotes or search a person's desktop, as well as Web searching.

As of Tuesday afternoon local time, WabiSabi Labi Ltd., a Swiss company that specializes in selling vulnerability information, was still auctioning the Ask.com toolbar problem for a minimum of $705, although no bids were listed.

WabiSabi Labi's auctioning of security vulnerabilities has caused a stir among security analysts who believe software companies should be discreetly notified of vulnerabilities and allowed to patch the software so as to not put users in danger. The company maintains security researchers should be rewarded for their work.

The geographical regions are as follows:

REGION 1 -- USA, Canada
REGION 2 -- Japan, Europe, South Africa, Middle East, Greenland
REGION 3 -- S.Korea, Taiwan, Hong Kong, Parts of South East Asia
REGION 4 -- Australia, New Zealand, Latin America (including Mexico)
REGION 5 -- Eastern Europe, Russia, India, Africa
REGION 6 -- China
REGION 7 -- Reserved for Unspecified Special Use
REGION 8 -- Persevered for Cruise Ships, Airlines, etc...
REGION 0 or REGION ALL -- Discs are uncoded and can be played Worldwide, however, PAL discs must be played in a PAL-compatible unit and NTSC discs must be played in an NTSC-compatible unit.

DVDs encoded for regions other than Region 1 cannot be played on a region 1 DVD player, also, players marketed for other regions cannot play region 1-stamped DVDs

Secure Notepad

Secure Notepad is a Notepad replacement that is (almost) identical to the original, but offers several additional security features. In addition to saving files with the standard .txt extension, you can choose the .etxt format, which allows you to encrypt your file with a password and additional key file. Furthermore, the program includes a handy fade-out feature that automatically fades the content of a text file to plain white if the Notepad window is not active.

Get It Here

The 8.0.2 update fixes the following two issues on both the Macintosh and Windows platforms.

SQL injections in web applications

The update updates server-side code generated by Dreamweaver to protect databases against SQL Injection.

Active content

The update fixes a problem with the code generated by Dreamweaver when it inserts active content such as a Flash file in a web page. In the latest versions of Internet Explorer, the generated code by Dreamweaver does not allow users to interact with the active content unless they click it. The update fixes the code generated by Dreamweaver so that users don’t have to click the active content. The update also provides a way to repair the code of existing pages with active content.

Learn More

ActiveServers, Inc. to Distribute SmarterTools Software

Markus Hahn of Coder's Lagoon offers this bit of freeware. We have put it through its paces and confirm it does a fantasic job. It makes a great free drive wipe tool as well.

One powerful file encryption and security tool for the Windows platform. As the successor of highly successful BFA97, Blowfish Advanced CS offers a bunch of new and improved features which are:

• Blowfish, Twofish, AES, RC4, TDES, Serpent, CAST
• Strong key support, handling and cryptography
• Fast: encrypts megabytes of data per second
• Data compression using LZSS, deflate and BZIP2
• Secure wiping of files and clearing of empty disk space
• Comfortable user interface with built-in file browser
• Easy working with encrypted files
• Complete integration into Windows Explorer
• Automation of daily routines by using job files
• Dozens of options to finetune the application
• Small: fits on half of the space of a floppy disk!
• Trustworthy: the complete source code is available
• Quick language switch (German and English)
• Runs on all Win32 versions, from 95 to Vista
• Personal Edition without any restrictions!

Check out the FAQ page, if you have further questions. You might want to read the change notes to get information about the latest features and fixes. Or just look at a screenshot.

If you want to give it a try, please download the installer:

Blowfish Advanced CS - Installer
(908 kB)

MD5: e1 40 82 3e ec 62 34 0f 1b 5f 3c b4 0e 63 ca 1f

For users who don't need or want an installer, who like to save some download time or who face problems with the regular installer here's the compact ZIP file version. Please follow the steps in README.TXT (or LIESMICH.TXT for German users):

Blowfish Advanced CS - Files Only
(614 kB)

MD5: 65 ed 16 da b0 96 4f 9b d8 6b 62 bd 5a 00 ab d9

The complete source code of Blowfish Advanced CS is available under the Apache 2.0 License. The application itself is written in Delphi and C/C++. Please check out the included BUILDING.TXT file for details about how to built, and LICENSE.TXT for the legal aspects.

Blowfish Advanced CS - Sourcecode
(1013 kB)

MD5: fb fb 6f 7e 5f 33 c8 60 42 e8 57 4f f3 72 22 99

The MPack toolkit has received a fair amount of media attention causing it to become one of the most desired Web browser exploit toolkits in the underground hacker scene. The original author was selling the MPack toolkit for $1000 USD, including a year of free support, and additional exploit modules for around $100 USD. Personally like the quote from the author when asked; Do you feel sorry for the people whose machines are infected by an attack? Well, I feel that we are just a factory producing ammunition. Now there is some logic for you!

However, considering the toolkit is written in a script language, it is easy to redistribute and modify. The toolkit is being sold by others now for as low as $150 USD. That is a whopping 85% off. Talk about clearance sale. The sellers likely didn't even need to buy it themselves, but rather probably found some of the multiple Web sites that did not employ standard Web site protections, allowing them to download the whole kit for free.

How it works is clearly outlined and Trend Micro does at least offer a method of discovery. What is odd with all the press about this organized criminal approach to fraud and thieft is governments, security firms, and anti virus companies of the world are doing very little. Now that the cat is out of the bag the variants will be haunting the world making the internet totally infested with poor ignorant users. As the list of variants grows each with its own twist on the base. What is at the core besides ignorance, is the social engineering part of this type of threat.

More details and articles on the topic. EWeek, Microsoft, BBC, Wikipedia

There are many marketing companies that promote web traffic to different Web pages, software installations, etc. They use what they call  'affiliate programs', paying money for every software installed or traffic generated. This web traffic is very assorted: activex, rogue-antispywares, bundles, banners, fakecodecs, iframes, etc.

Although some of these marketing enterprises can be well-intentioned, other have been specifically created by & for cybercriminals to earn money. Here we can see a gif file that was being used by one of these companies in order to advertise itself in an underground malware forum:

A short time ago, analyzing  a Trj/Sinowal variant (a banking Trojan) to discover where it was sending the information to, it was found one of these websites. It was discovered that this site had 4 different kits to install malware through exploits in the same server the page was hosted in:

There was an IcePack, a Traffic Pro, a Prime Exploit System, and a very basic kit that only used two exploits and had no name. These kits were downloading two Trojans: Trj/Galapoper and Trj/Sinowal. This is not the first time we see something similar. The web sites where they promote themselves use to be very eye-catching, here you can see some examples:

http://fantasticdollars.com/
http://iframe911.com/
http://www.iframebiz.com/
http://loads.cc/

What seems to be the solid theme throughout this whole deal is that most of the Trojan Variants are based on a kit called Mpack.

Growing up in rural Lacrosse, Wash., Robert Moore reached adolescence and discovered he was a high school misfit. Suffering from several ailments, including narcolepsy, Moore skipped playing sports, the normal path to small-town popularity.

He moved to Spokane, graduated from North Central High School and became skilled enough to land several jobs, including a project for one firm needing anti-spam software.

In 2005, a Florida man, Edwin Pena, found Moore's site and asked him to create a tool for detecting certain types of network computers that worked with a new technology, Voice over Internet Protocol, or VoIP.

About a year later, FBI agents showed up at Moore's north Spokane home and arrested him, charging him with federal wire fraud and computer hacking. They also arrested Pena in Miami. Pena, 25, jumped bail and fled the country and is believed to be living in South America.

Moore, now 23, was nabbed because he designed the software tools Pena used to bilk Internet phone companies of more than $1 million in unpaid VoIP phone charges.

Next month, Moore will begin serving two years in a federal prison at a site not yet revealed. The New Jersey federal judge who sentenced him also ordered Moore to pay $152,000 in restitution to victims of the scheme.

The case created international attention. It marked the first large-scale hacking of the VoIP system. Moore used his 12 home computers to find vulnerable network doorways, called ports.

He pleaded guilty to the charges, acknowledging his role but saying he was just a provider of information that Pena misused for personal gain.

"What I did was totally wrong, and I have to pay for it," Moore said. "But Edwin was the guy who stole the minutes and resold them. All I did was find passwords for (network computers) that he wanted to use."

Many who wrote about or discussed the VoIP break-in said Moore's use of fairly unsophisticated tools, coupled with some special software he designed, pointed out major security holes in many corporate networks.

Secure Computing back in June first reported, attackers are using a fake video link on the site to initiate infection with the Trojan, which bombards victims with porn adware, before installing data-stealing code.

To make matters worse, the only defence against such attacks on the popular video-hosting website is the diligence of YouTube's security personnel, who can remove attacks as soon as they find them. However, according to Secure Computing's Paul Henry, this gives the malware distributors a window of opportunity of at least a few hours.

It is a backdoor designed to give the attacker remote control over a compromised computer. It changes essential system settings and modifies certain files. Zlob starts automatically on every Windows startup and stays hidden in background. It waits for remote connections and allows the attacker to download and install additional software, execute certain commands and manage the entire system. Zlob can be very dangerous. Use antivirus and spyware removal tools in order to get rid of this parasite. Some of Zlobs versions pretend to be video codecs to attract people.

Kill processes:
msmsgs.exe pmsngr.exe kdqrn.exe 02.exe kdvhv.exe kdoaf.exe kdkwb.exe kdkat.exe kdlfk.exe kdefp.exe

Delete registry values:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\RegSvr32=%System%\msmsgs.exe
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell=explorer.exe,msmsgs.exe
HKCU\Software\Internet Security\
HKCU\Software\HQvideo

Delete files:
msmsgs.exe isaddon.dll isamini.exe pmsngr.exe Programs\\Media-Codec\\ecodec.exe kdqrn.exe Temp\\02.exe kdvhv.exe Temp\\nsq3.tmp\\modern-header.bmp Temp\\nsq3.tmp\\nsExec.dll kdoaf.exe kdkwb.exe System\\kdkat.exe System\\kdlfk.exe System\\kdefp.exe

Almost 36 hours after a software problem caused widespread outages in eBay Inc.'s Skype service, engineers continue to work to fully restore this extremely popular Internet telephony and instant messaging service, while many business users deal with work disruptions.

Although steady progress was made throughout the day Friday, the problem, which has affected millions of Skype users, hasn't been fully fixed,

At midnight GMT Friday, an official provided the latest update on Skype's Heartbeat blog, saying that the sign-on problems have been resolved, but that the instant messaging presence and chat may take a few more hours to be fully operational for all.

"If you are one of the minority who may still be experiencing problems, please be patient. You do not need to adjust or restart your computer. Skype will start working for you very soon," wrote Villu Arak [cq]. "We will issue a further update when we know that Skype is functioning normally, or if there is further material news."

"The outage has had quite a profound effect on my working day, and has meant spending time setting up other chat clients and networking with colleagues via alternative means," Michael Pick, a freelance blogger and social media consultant, wrote in an e-mail interview Friday.

The partner event registration page of the Microsoft UK events website, has been defaced by a hacker who managed to discover and exploit a web application vulnerability in one of the parameters used by the form on the website, which could previously be accessed at:

http://www.microsoft.co.uk/events/net/eventdetail.aspx?eventid=8399 [taken offline]

The hacker, known by the name "rEmOtEr", managed to deface Microsoft’s page by taking advantage of an SQL Injection vulnerability in one of the parameters used by the form that was embedded in the URL of the page. This particular parameter was not being filtered, thus it allowed the hacker to pass any type of crafted code directly to the database being used by this form.

Full Article

Enable the Display of File Extensions in Vista:

1. Open a folder or open explorer
2. Click the Layout button (to the left of the Views button) as shown in the picture below.

3. Click Folder Options
4. Click the View tab
5. Uncheck Hide extensions for known file types
6. Click OK

Ok Backup just sucks in Vista so let's get a method to get a handle on things for free.

SyncToy 1.4 for Windows Vista is available as a free download from the Microsoft Download Center. The easy to use, customizable application helps you copy, move, rename, and delete files between folders and computers.

There are files from all kinds of sources that we want to store and manage. Files are created by our digital cameras, e-mail, cell phones, portable media players, camcorders, PDAs, and laptops. Increasingly, computer users are using different folders, drives, and even different computers (such as a laptop and a desktop) to store, manage, retrieve and view files. Yet managing hundreds or thousands of files is still largely a manual operation. In some cases it is necessary to regularly get copies of files from another location to add to primary location; in other cases there is a need to keep two storage locations exactly in sync. Some users manage files manually, dragging and dropping from one place to another and keeping track of whether the locations are synchronized in their heads. Other users may use two or more applications to provide this functionality.

Now there is an easier way. SyncToy, a free PowerToy for Microsoft Windows Vista, is an easy to use, highly customizable program that helps users to do the heavy lifting involved with the copying, moving, and synchronization of different directories. Most common operations can be performed with just a few clicks of the mouse, and additional customization is available without additional complexity. SyncToy can manage multiple sets of folders at the same time; it can combine files from two folders in one case, and mimic renames and deletes in another case. Unlike other applications, SyncToy actually keeps track of renames to files and will make sure those changes get carried over to the synchronized folder.

Get it Here:

US federal agents are reaching out to computer hackers for help fighting crime and terrorism as a tug-of-war between privacy and public safety continues on the Web.

The National Security Agency (NSA), the department of defence and the FBI were among the spy, military and police agencies represented at DefCon, an international gathering of hackers in Las Vegas.

Lawyers from the foundation are spearheading litigation accusing the NSA of illegally snooping on e-mail and telephone communications. NSA vulnerability analysis chief Tony Sager gave a talk at DefCon, saying the agency was increasingly sharing information with the public in the hope computer wizards wherever they may be become allies in cyber security.

Hacker Roger Dingledine is working on an "anonymity network" called Tor that bounces Internet traffic off "about a thousand" computer servers to thwart tracking who is doing what online.

"The NSA spent decades trying to do things themselves and that didn't work. I'm happy they realise other people can help," he said.

Dateline NBC associate producer Michelle Madigan was heckled and derided as she ran from DefCon, the world's largest computer hackers conference, and raced away in a car.

"They sent a moderately attractive young lady with a purse cam whose mission was to first capture someone on film admitting to a felony, which is really not cool, and second to catch a fed on film," said DefCon spokesman "Priest."

"She was basically trying to do a slam piece."

Federal agents openly, and covertly, mingle with hackers at the conference, which features a panel discussion titled "Meet the Fed."

"This is the Switzerland of hacking, neutral ground on which hackers and feds meet with a common goal of making computers safer," said Priest.

Dateline did not respond to AFP requests for comment but issued a general statement saying it does not discuss reporting tactics.

Priest and DefCon founder Jeff Moss, whose hacker name is Dark Tangent, lured Madigan to a packed conference room by putting out word they were going to have hackers finger federal agents in a game called "spot the fed."

After she was in the audience, it was announced the game was actually "spot the undercover reporter."

Without naming Madigan, Moss condemned her stealth tactics from a stage. Boos and jeers erupted from hundreds of hackers, one calling for her to be tarred and feathered.

Madigan shoved aside a DefCon "goon," one of the volunteers working at the event, and dashed from the room as the mob called for her to be booted from the premises.

Apple has issued three batches of software updates and fixes for its popular iPhone, Mac OS X operating system and the Safari 3.03 browser beta.

The iPhone fixes address a pair of Safari-related vulnerabilities that came up almost immediately after the phone's release, plus three more that were not disclosed.

A security firm called Independent Security Experts (ISE) first uncovered iPhone vulnerabilities last month and informed Apple of its findings. ISE planned to demonstrate what it found at the Black Hat security conference this week in Las Vegas.

Two of the fixes address cross-site scripting problems, one by preventing JavaScript in remote Web pages from modifying pages outside of their domain, the other by fixing an HTTP injection issue in XMLHttpRequest. Apple credited Richard Moore of Westpoint Ltd. for reporting the issue.

Apple credited the ISE crew for pointing out a heap buffer overflow problem in the Perl Compatible Regular Expressions (PCRE) library, while Apple thanked Tomohito Yoshino, of Business Architects, for reporting an error in the International Domain Name (IDN) that allows for fake URL addresses in fonts that contain look-alike characters.

Once again security researcher Joanna Rutkowska took the stage at Black Hat, and once again she set out to prove in glorious detail how to exploit and attack Microsoft Windows Vista.

This year she brought a new pill and a few more tricks to take Vista to task. "I'm going to talk about Vista kernel protection and why it doesn't work," Rutkowska boldly declared to the overflow crowd.

She then read a quote from Microsoft's Vista documentation that stated that even users with admin privileges cannot load unsigned kernel-mode code on the system. Then she smiled mischievously.

"There are thousands, maybe tens of thousands of third-party drivers that are poorly written and could be a problem," Rutkowska said.

She then displayed two examples, both from video drivers companies, to prove her point. In her view both the ATI Catalyst driver and the NVIDIA nTune Driver are bad in that they could be used as an attack vector to circumvent Vista kernel protection.

With the NVIDIA driver, Rutkowska alleged that the driver was able to read and write registers without any additional checks.

"The whole problem in NVIDIA is that the driver doesn't do the proper checks and can do a write for an arbitrary registry."

To add further insult to injury, the target machine doesn't even need to have the bad driver on the system in order for the attacker to use it as an attack vector.

"The attacker could just include it as part of their own rootkit and then use it to exploit Vista," Rutkowska said. "It doesn't matter whether it's a popular driver or not. We can bring it to the target system and exploit it." Full Article

Root Servers.

The root name server operators do not determine the content of the root zone file. The file is edited by the IANA according to a process described on the IANA web site. The root name server operators publish the file as received from the IANA. See: http://www.iana.org/root-management.htm

No Internet traffic passes through the root name servers at all. They have nothing to do with routing, note the difference in spelling. Name servers just answer queries from other parts of the DNS.

The root name servers do not store all the information in the DNS. Storing all the information in one place would be totally infeasible today. This is exactly why the DNS was developed as a distributed database. So if you register thatnewdomain.org the root zone file will not change and the root name servers will not give different answers. The ORG zone file will be changed.

The root name servers are not queried every time you browse the web or send mail. Information is cached in the DNS. Your computer will query a caching DNS server to resolve domain names. A well behaved DNS server needs to query the root name servers only once every 48 hours for each particular TLD.

In the meantime it can resolve names for that TLD without involvement of the root name servers. Because of this caching almost all DNS queries are answered without involvement of the root name servers.

The Public-Root Servers are strategically deployed around the globe. They support a global network of domain name servers that provide access to all known, non-colliding, and operational Top-Level Domains Some of their locations

In 2005 the current 12 organisations providing root name service at 13 unique IPv4 addresses. They were:

A - VeriSign Global Registry Services
B - University of Southern California - Information Sciences Institute
C - Cogent Communications
D - University of Maryland
E - NASA Ames Research Center
F - Internet Systems Consortium, Inc.
G - U.S. DOD Network Information Center
H - U.S. Army Research Lab
I - Autonomica/NORDUnet
J - VeriSign Global Registry Services
K - RIPE NCC
L - ICANN
M - WIDE Project

IBM Corp. will stop selling the BlackIce PC Protection security suite, a product that came under its wing after buying Internet Security Systems (ISS) a year ago for US$1.3 billion.

The company will stop selling BlackIce on Sept. 19, and end technical support for the product, which is just for PCs running Windows, on Sept. 29, 2008, according to ISS.

IBM said its ISS division would no longer offer desktop or server protection software for the consumer market, but also noted that the company still has security software suitable for small businesses.

After the ISS acquisition users expressed concern about how IBM would continue to sell the company's stand-alone products. ISS focuses on network security products and managed security services, selling intrusion prevention and detection systems and security appliances.

Last year, AOL said it was giving away its e-mail accounts, software and other features to users as it moved to an advertising-focused business model.

Overall revenue at AOL was $1.3 billion in the second quarter of 2007, which ended June 30, down 38% from the same quarter in 2006. Advertising revenue increased 16% to $522 million, up from the $449 million in the same quarter of 2006, but down from the 40% increases the company had reported in the last four quarters, according to the statement. AOL's operating income climbed 9% to $360 million. At the end of June, AOL had 10.9 million U.S. subscribers, a 59% drop from the 26.7 million subscribers it had in September 2002.

In the company's earnings call, Time Warner Chairman and CEO Richard Parsons said the parent company no longer thinks that AOL's advertising business will grow "at or above" the rate of growth of other U.S. Internet companies. AOL is in trouble," said Rob Enderle, an analyst at San Jose-based Enderle Group. "The market they exist in is fairly robust, and they shouldn't be showing the significant declines that they're showing."

However, Enderle said changing AOL's model was probably the right thing to do because if it hadn't, the company would have been out of business by now.

As reported by John Schwartz in today's New York Times (registration required), security firm Independent Security Evaluators has demonstrated an attack that lets a hostile Web page take full control of an iPhone and capture a user's personal data. Although there is no indication that the vulnerability is being exploited in the wild, computer scientist Steven M. Bellovin of Columbia University is quoted as saying "it looks like a very genuine hack." (You can watch a video demonstration of the attack here.)

Bellovin points out that this sort of attack is inevitable as operating systems on phones get more and more computer-like. The iPhone runs a version of Mac's OS X operating system, though Apple has been extremely stingy with details on just which pieces of OS X are included. It's not clear whether the iPhone attack, which exploits a vulnerability in the Safari browser, might also work against Macs.

To date, attacks against phones have been relatively rare and not very damaging. The Symbian operating system, which is little used in the U.S. but is popular on European and Asian handsets from Nokia and Sony Ericsson, has probably been hit the hardest. I have not heard of any successful attacks on Research in Motion's BlackBerrys. And hackers have only struck a couple of glancing blows on Microsoft's Windows Mobile software, though the threat is taken seriously enough that you can now get protective software for your smartphone from Symantec and others.

Apple likely will move to plug the hole with a patch that can be downloaded to iPhones. But this incident is a clear sign that the cat and mouse game between security experts and hackers that has long been a part of life in the world of personal computers is going to become commonplace in phones too.