Led by the late Michael Jackson and the vampire-driven "Twilight" series, Yahoo's Top 10 Searches for 2009 show that penny-pinching consumers are escaping to the Web "to pursue news and their guilty pleasures," according to a Yahoo search trend analyst. Rounding out Yahoo's top ten this year were, in consecutive order, Naruto, American Idol, Kim Kardashian, NASCAR, and Runescape. World Wrestling Entertainment (WWE) came in third on this year's list of Top 10 Overall Searches for 2009, rising celebrity Megan Fox landed in fourth place, and Britney Spears came in fifth. To me, the celebrity orientation of this year's Internet searches seems almost reminiscent of how, during the Great Depression, people found their escapes in movie magazines and lavish musical entertainment. But Vera Chen, a Yahoo Search trend analyst, also acknowledges that during the current deep recession, "with economic uncertainty looming, people looked for ways to find stability by searching the Web." Accordingly, Yahoo's "Top 10 Economy-Related Searches for 2009" include coupons, Stimulus Plan, student loans, and foreclosures, for example.

Thus, Yahoo has also put together a list of the Top 10 Mobile Searches for 2009. Some members of the overall Top 10 list - such as Megan Fox and Michael Jackson - also made the mobile list, although others - including WWE and Kim Kardashian - did not. As many of us already know, however, sales of mobile devices stood out as one big bright spot on 2009's bleak economic canvas. "Mobile devices emerged as essential and indispensable to the lives of many Americans," according to a Yahoo press release. Those searching the Web from their mobile phones were also particularly interested in Lady Gaga, the NFL, and - not at all surprisingly - Mobile Games. For one thing, maybe consumers will be able to forego some of their searches for coupons and the like. What will Yahoo's Top 10 list look like for the year 2010? Hopefully, the economy will have turned the corner a bit.

The European Commission has signed an agreement with the online music industry designed to improve consumers' access to online music across the 27-nation European Union, it said Tuesday. The agreement they reached sets out general principles that will underpin the online distribution of music in the future, leading to "improved online music opportunities for European consumers," the participants said in a joint statement. "European consumers want and deserve better online music offerings," Kroes said in a statement, describing the agreement as evidence of "real progress in this direction." This is the first time players involved in the distribution of music have agreed on "a common roadmap," she said. Online music retailers including Amazon.com and Apple, Finnish mobile phone giant Nokia, royalty rights collecting societies, consumer groups and the record labels EMI and Universal Music Group struck the deal with E.U. Commissioner for competition Neelie Kroes.

Apple is optimistic that over the coming year it will be able to make its iTunes online music store available in countries where it doesn't operate at present, the Commission said. The biggest obstacle to creating a fully functioning online marketplace for music until now has been the reluctance of collecting societies to do away with their traditional approach to the European market, which involved each one maintaining a monopoly over rights collection in its national territory. Meanwhile, EMI expects to sign non-exclusive digital licensing agreements with two of the most obstinate collecting societies in Europe - SACEM of France and Spain's SGAE, the Commission said. The Internet's ability to reach across borders makes it harder for online stores to restrict sales to customers in a particular territory.

The Internet Corporation for Assigned Names and Numbers (ICANN) has reached a new agreement with the U.S. Department of Commerce allowing the nonprofit greater independence, while giving more countries oversight of the organization. The DOC will continue to be involved in ICANN's Governmental Advisory Committee, but the new agreement recognizes ICANN as a global "private-sector led organization." The new agreement is a "huge moment not just for ICANN but for the Internet," said Paul Levins, vice president at ICANN. "This really vital resource was being overseen by one government." The U.S. government will have "one seat at the table" for the three-year reviews, ICANN CEO Rod Beckstrom said in a video on the organization's site. "What it really means is we're going global," he said. "All the reviews and all the work done will be submitted for public comment to the world. The new agreement, called an Affirmation of Commitments, sets up reviews of ICANN's performance every three years, with members of ICANN advisory committees, the Department of Commerce (DOC), independent experts and others serving on the review teams. But there's no separate or unique or separate reporting to the United States government.

The new agreement won praise from critics who have complained that the U.S. government has had too much control over ICANN, which manages the Internet's DNS (domain name system). The new agreement should allow ICANN to become more open and accountable to users worldwide, said Viviane Reding, the European Union's commissioner for information society and media. All the reporting is to the world; that's the real change." The new agreement was announced Wednesday, the same day that an 11-year series of memorandums of understanding between ICANN and the DOC expired. The new agreement ends "unilateral" review of ICANN by the DOC and sets up independent review panels, she said in a statement. "I welcome the U.S. administration's decision to adapt ICANN's key role in internet governance to the reality of the 21st century and of a globalized world," Reding said in her statement. "If effectively and transparently implemented, this reform can find broad acceptance among civil society, businesses and governments alike." The challenge, she said, will be to make ICANN's Governmental Advisory Committee more effective, as it has a major role in appointing the review panels. "Independence and accountability for ICANN now look much better on paper," she said. "Let's work together to ensure that they also work in practice." The new agreement commits ICANN to a "multi-stakeholder, private sector led, bottom-up policy development model for DNS technical coordination." It also requires ICANN to "adhere to transparent and accountable budgeting processes, fact-based policy development, cross-community deliberations, and responsive consultation procedures that provide detailed explanations of the basis for decisions." ICANN will publish annual reports that measure the organization's progress and it will provide a "thorough and reasoned explanation of decisions taken, the rationale thereof and the sources of data and information" on which it relied.
The Internet Society, a nonprofit organization focused on Internet-related standards, education, and policy, also praised the new agreement, saying it emphasizes ICANN's obligation to "act in the public interest as the steward of a vital shared global resource." The new agreement doesn't change the DOC's contract with ICANN to perform the functions of the Internet Assigned Numbers Authority (IANA), which is responsible for the global coordination of the DNS Root, IP addressing, and other Internet protocol resources. While the expiration of the old agreement with the DOC "threatened to open an accountability gap" for ICANN, the new agreement should resolve that concern, added Steve DelBianco, executive director of e-commerce trade group NetChoice. "The Commerce Department has crafted an arrangement here that delivers what the global Internet community has clamored for: permanent accountability mechanisms to guide ICANN in the post-transition world," he said. "These reviews should help ICANN stay focused on security, choice and consumer trust, with an added emphasis on interests of global Internet users - especially those who can't yet use their native language in domain names or e-mail addresses." The new agreement addresses an issue that's been missing at ICANN, "a balanced way to bring all governments into the oversight process alongside private sector stakeholders, with a sharpened focus on security and serving global internet users," he added. The DOC, in the new agreement, also doesn't endorse ICANN's efforts to allow an unlimited number of new generic top-level domains, such as .food or .basketball.

The controversial plan has met resistance from trademark owners, who say they'd have to register for dozens of new Web sites to protect their brands. "Nothing in this document is an expression of support by DOC of any specific plan or proposal for the implementation of new generic top level domain names or is an expression by DOC of a view that the potential consumer benefits of new gTLDs outweigh the potential costs," the new agreement said.

It's been 10 years since the Apache Software Foundation hung out its feather, creating what has become a series of communities filled with focused project entrepreneurs working on a laundry list of innovative efforts, one of which landed in the White House just a few weeks ago. In its 10 years, ASF has become a shining example of the power of open source development and the group, now with 65 projects operating under its banner, shows no signs of slowing down. The application that now runs the White House Web site is Drupal, but its underpinnings, the Lucene search service, is pure Apache Software Foundation (ASF), an all-volunteer membership that now exceeds 300 people, including some of the most respected talent in the open source community.

Just four years ago, the number of ASF projects stood at 25. ASF will celebrate its 10th anniversary at this week's ApacheCon conference even though the official anniversary date is in June. "I think [ASF] has shown to be successful in that there is a lot of good software that comes out of Apache that is widely used," said Doug Cutting, a member of the ASF board of directors, and the creator of the Lucene project. "We lead by example. In addition, there are 33 projects in the Apache Incubator, and more than two dozen codebases being explored in the Apache Labs. That is something we aspire to do." Cutting's leadership examples include three ASF projects – Lucene, Hadoop and Nutch. It all operates within the Foundation, which is actually a membership-based non-profit corporation registered in Delaware. Unlike other open source organizations, before Apache hosts a project it has to be given to the ASF, which ultimately controls the intellectual property of all its projects. From its beginnings with 21 members and the Apache HTTP Server, still the most popular Web server in use, the foundation has forged a set of principles that continue to drive it today.

But the projects themselves run as semi-autonomous units within ASF, which provides members with legal protection from suits directed at foundation projects. He says more people are building software today and calling it open source, "but if you look closely they are aiming for vendor lock-in." ASF's structure and strategy avoids that result, Cutting says. "Today, our model is getting stronger and that is bringing more projects into Apache." Cutting says the future should hold more of the same. "We are not seeking to rock the boat and reinvent Apache, but we will continue to guide and scale the Foundation." That effort is one of the tests for ASF as it moves into its second decade. "Part of the design challenge is to build a scalable Foundation that does not require a lot of management," he says. "We don't want a big heavy bureaucracy." While the board works on the future of ASF, Cutting sees the innovation part of the Foundation taking care of itself. "Technically what the future brings is anyone's bet," Cutting says. "But I think the future holds room for more and more software that is open source and more and more that is Apache style open source and more and more that is within the Apache Software Foundation." New members are by invite only, voted upon by existing members, and prove their value by contributing to a project or projects at the Foundation, which describes itself as a meritocracy. "We build software on its merits, which is a pretty great model," Cutting says. "Hopefully we set a tone, but we don't force the Apache Way on other projects." Cutting says the focus on building software and letting people do what they want to do with it is one of the important roles that ASF plays in the open source movement today.

A massive bot-based attack has been hitting Facebook users, with nearly three-quarters of a million users receiving fake password reset messages, according to security researchers. The messages, which come bearing subject lines such as "Facebook Password Reset Confirmation," include a file attachment that supposedly contains the new password. The attack, which began Monday afternoon, according to e-mail security vendor Cloudmark, targets Facebook users with a spoofed message that claims recipients' Facebook passwords have been reset as a security measure. In fact, the attached .zip file includes a Trojan downloader, dubbed "Bredlab" by some antivirus companies, "Bredolab" by others.

At least 8% of the users who have received one of the fake messages have tagged it as legitimate, going to the trouble of pulling the message from their junk folder - where Cloudmark has placed it - because they think it's real, Tomasello said. The downloader grabs a variety of malware from hacker servers, including fake security software, or "scareware," and installs attack code and rogue antivirus applications on the compromised PCs. Multiple security companies, including Symantec, Trend Micro, MX Lab and Websense, have put out warnings about the attack campaign. "This variant of Bredolab connects to a Russian domain and the infected machine is most likely becoming part of a Bredolab botnet," said Shunichi Imano, a security researcher at Symantec, in a post to the firm's security blog. Jamie Tomasello, Cloudmark's abuse operations manager, said today that her company alone has detected nearly three-quarters of a million phony Facebook messages since Monday, and nearly 250,000 in the last 24 hours. "Our count continues to go up, and is at about 735,000 now," said Tomasello. "It's a pretty high volume." According to Tomasello, both desktop clients and ISPs that use Cloudmark to filter potentially malicious mail have reported receiving the fake Facebook e-mail. Cloudmark has no data on how many users were actually duped into opening the .zip file and running the enclosed .exe that installs Bredolab, however. "The numbers are equal to or higher than other Facebook malware or phishing campaigns," Tomasello claimed. Because of its huge base - last month Facebook said it had more than 300 million users - the site is a frequent target for hackers and identity thieves. She said that Cloudmark is currently revising that 8% estimate upwards.

Last March, for example, the Koobface worm made the rounds on Facebook, as well as other social networking sites such as MySpace and Friendster, infecting large numbers of users. Facebook did not respond to a request for comment on the attacks, or to questions about what it is doing, or can do, to stymie the campaign or warn its users.

Microsoft today patched 15 vulnerabilities in Windows, Windows Server, Excel and Word, including one that will probably be exploited quickly by hackers. The 15 flaws fixed in Tuesday's six security updates were less than half the record 34 Microsoft patched last month in 13 separate bulletins. None affect Windows 7, the company's newest operating system. Of today's 15 bugs, three were tagged "critical" by Microsoft, while the remaining 12 were labeled as "important," the next-lowest rating in the company's four-step severity scoring system.

That update, which was ranked critical, affects all still-supported editions of Windows with the exception of Windows 7 and its server sibling, Windows Server 2008 R2. "The Windows kernel vulnerability is going to take the cake," said Andrew Storms, director of security operations at nCircle Network Security. "The attack vector can be driven through Internet Explorer, and this is one of those instances where the user won't be notified or prompted. Experts agreed that users should focus on MS09-065 first and foremost. This is absolutely a drive-by attack scenario." Richie Lai, the director of vulnerability research at security company Qualys, agreed. "Anyone running IE [Internet Explorer] is at risk here, even though the flaw is not in the browser, but in the Win32k kernel mode driver." Both Storms and Lai were referring to the one bug marked critical in MS09-065, which actually patched a trio of vulnerabilities. EOT fonts, however, can also be used in Word and PowerPoint documents. According to Microsoft, the Windows kernel improperly parses Embedded OpenType (EOT) fonts, which are a compact form of fonts designed for use on Web pages. Hackers could also launch attacks by attaching Word or PowerPoint documents to e-mail messages, then duping users into opening those documents.

Because Windows 7 and Windows Server 2008 R2 were not affected by the MS09-065 update, Storms and Lai assumed that Microsoft caught the bug before it wrapped up the final code, or release to manufacturing (RTM) build, of the operating system, and is only now getting around to plugging the holes in Windows 2000, XP and Vista, as well as Server 2003 and Server 2008. "Windows 7 Release Candidate [RC] is probably vulnerable," said Storms, citing Microsoft's policy of not providing security updates for preview versions of an operating system when the final has been released. "That's why you don't see Microsoft patching Windows 7 RC or Beta," said Storms. "For anyone still running RC, they should take heed and upgrade to the RTM." But while Storms speculated that Microsoft knew the EOT font flaw was a security issue - and waited until now to patch older Windows - Lai thought that Microsoft didn't realize until recently that it was also a security vulnerability in editions prior to Windows 7. "I think they fixed this bug as part of the code sanitization during [Windows 7's] development cycle. In lieu of patching the problem, users can easily block the most likely attacks by disabling IE's support for embedded fonts. "That's a low-impact mitigation," Lai said. "The worst that could happen is that some sites might look ugly." His advice would still leave PCs open to attack via malicious Word or PowerPoint documents, a point Microsoft also made in the vulnerability's write-up. It was actually only publicly disclosed recently, and then they patched it in other Windows." Microsoft acknowledged that information about the EOT vulnerability had gone public before today's patch. "While the initial report was provided through responsible disclosure, the vulnerability was later disclosed publicly by a separate party," stated the accompanying advisory. Microsoft also issued critical updates for Vista and Server 2008, as well as for Windows 2000 Server.
Storms expects to see attackers jump on the EOT vulnerability. "This is the one to watch in the coming weeks, not only because of its novelty, but also because it can be exploited through IE, which is the easy route, as well as through Word and PowerPoint documents," he said.

On the latter, which harbors a bug in its implementation of the License Logging Server, a tool originally designed to help customers manage Server Client Access Licenses (CAL), Storms urged users of that aged operating system to apply the patch pronto, even though the machines are probably well-protected. "Windows 2000 Server has the logging server enabled by default, but those systems are likely behind multiple firewalls, and people running [Windows 2000 Server] are pretty cognizant of the fact that it's an older version and will act accordingly." Excel and Word also received patches today. This month's security updates can be downloaded and installed via the Microsoft Update and Windows Update services, as well as through Windows Server Update Services. Eight vulnerabilities were addressed in Excel in MS09-067 and one in Word with MS09-068. Both updates also affected the Mac editions, Office 2004 and Office 2008. "These are the kind of file format vulnerabilities we've seen many times before," said Storms, noting in a follow-up instant message that the bugs are in the older, binary file formats, not in the newer XML-based formats that Microsoft debuted in Office 2007 for Windows and Office 2008 for Mac.

Sybase is extending its Afaria mobile-device management platform and database software to the Apple iPhone, taking advantage of new enterprise features in Version 3.1 of the iPhone's software to give IT departments more control and capabilities on the popular handset. Going on sale in the middle of this month, Sybase's Afaria 6.5 will finally give administrators the kinds of controls they have had previously for mobile platforms such as Symbian, Microsoft Windows Mobile 6.1, Research In Motion BlackBerry and PalmOS. Apple's recent iPhone 3.1 release added the capability to lock down certain settings on a device so the user can't change them using the phone's configuration utility, said Mark Jordan, senior product manager for Afaria. Though many enterprise employees bring iPhones into the office and rely on them for personal communications, the device originally caught on as a consumer gadget for music, Web browsing and entertainment applications, and has only gradually made inroads as a workplace tool. That allowed Sybase to give enterprise IT departments the power to do things such as block applications, define the required password strength and lock down Wi-Fi and VPN (virtual private network) settings.

With the new Afaria, enterprises can make and change settings on employees' iPhones over the air based on overall policies for certain departments, job descriptions and other criteria. Administrators can now establish a trusted relationship between Afaria and the employee's phone using a certificate, he said. Among other capabilities, they can also require device authentication for access to a corporate directory and set up compliance reporting on the employee's use of the phone. Also on Tuesday, it announced tools for the Sybase SQL Anywhere database to be used for synchronization of data between an iPhone application and a back-end database. Sybase announced Afaria's iPhone capabilities on Tuesday at the iPhone Developer Summit in Santa Clara, California.

Using SQL Anywhere, internal developers and software vendors can build in bi-directional synchronization between an on-device app and relational databases including Sybase, Oracle, SQL Server, DB2 and MySQL. This frees employees from having to depend on the cellular data connection to get work done while on the road, Jordan said. Also on Tuesday, the company's Sybase 365 subsidiary introduced a turnkey system for mobile banking on the iPhone. There is a beta test program now open for SQL Anywhere for iPhone. With it, banks can allow their customers to check balances, transfer funds among accounts, securely communicate with bank representatives, find branches and automatically dial the bank, Jordan said. The Sybase mBanking 365 iPhone platform is available now and is already deployed by BBVA Compass as the BBVA Compass Mobile application.