Archive for the Technology (General) category

October 8th, 2008

“Clickjacking” Details Emerge

By Michael Santo
Editor-in-Chief, RealTechNews

I wrote about “clickjacking” earlier. While the discoverers had promised to remain mum because the flaw affected an Adobe product (which turned out to be Flash), on Tuesday Israeli researcher Guy Aharonovsky posted a proof-of-concept (PoC) of clickjacking and Flash. Since the cat was already out of the bag, Adobe told the researchers (Robert Hansen and Jeremiah Grossman) to go for it.

Aharonovsky’s demonstration used clickjacking tactics to reset Adobe’s Flash privacy settings, and turn on the computer’s webcam and microphone for remote spying. Serious stuff.

Adobe’s already posted an advisory for the issue, though, with a workaround, while promising a fix before the end of October.

To prevent this potential issue, customers can change their Flash Player settings as follows:

  1. Access the Global Privacy Settings panel of the Adobe Flash Player Settings Manager at the following URL: http://www.adobe.com/support/documentation/en/flashplayer/help/settings_manager02.html
  2. Select the “Always deny” button.
  3. Select ‘Confirm’ in the resulting dialog.
  4. Note that you will no longer be asked to allow or deny camera and / or microphone access after changing this setting. Customers who wish to allow certain sites access to their camera and / or microphone can selectively allow access to certain sites via the Website Privacy Settings panel of the Settings Manager at the following URL: http://www.adobe.com/support/documentation/en/flashplayer/help/settings_manager06.html.

Hansen has posted a list of 12 different clickjacking scenarios on his blog. He poked at Aharonovsky somewhat, saying the PoC was a “careless disclosure.” He also said:

First of all let me start by saying there are multiple variants of clickjacking. Some of it requires cross domain access, some doesn’t. Some overlays entire pages over a page, some uses iframes to get you to click on one spot. Some require JavaScript, some don’t. Some variants use CSRF to pre-load data in forms, some don’t. Clickjacking does not cover any one of these use cases, but rather all of them. That’s why we had to come up with a new term for it - like the term or not.

Only two of the scenarios have been fixed so far. As I indicated earlier, however, users of Firefox can use the NoScript extension as protection. And the latest releases of the product now include a new feature: ClearClick anti-Clickjacking technology which disables user interaction with partially obstructed or not clearly visible embedded objects.

As I said earlier, it’s not an extension I’d ask the general public to use, but for those who are willing to put up with the extra work, it’s great protection, until the browser developers come up with a proper fix.

October 7th, 2008

Nearly 50% of College Students Would Give Up Beer Before Wi-Fi: Study

By Michael Santo
Editor-in-Chief, RealTechNews

A study conducted by Wakefield Research for the Wi-Fi Alliance (go figure) indicates that college students now feel that wi-fi is nearly indispensable for their coursework.

The most unbelievable finding of the survey was that nearly 1/2 of respondents said they would give up beer before giving up wi-fi. Oh, come on!

Edgar Figueroa, executive director of the Wi-Fi Alliance, the global trade organization representing the Wi-Fi industry, said:

“Wi-Fi has become a universal expectation among college students, and their attitudes towards technology are a good indicator of broad changes underway in how we as a society learn, work and communicate. Young adults expect access to information with unprecedented immediacy. Whether they are chasing a detail that will help them look smart in the middle of a class discussion, or are looking up a new friend on the Internet within minutes of meeting them - Wi-Fi enables the flexibility and freedom to access information from just about anywhere.”

Some of the findings from the study:

  • 90% of college students in the United States say Wi-Fi access is as essential to education as classrooms and computers.
  • Nearly 60% say they wouldn’t go to a college that doesn’t have free Wi-Fi.
  • 79% said that without Wi-Fi access, college would be a lot harder.
  • 55% of undergraduates log in at coffee shops and restaurants.
  • 47% of undergraduates log in in parks.
  • 24% of undergraduates log in in their cars.
  • 48% would give up beer before giving up Wi-Fi, if forced to choose (I find this hard to believe)
  • 72% would rather wear their school rival’s team colors for a day than give up Wi-Fi
  • 44% used Wi-Fi to get a head start on an assignment before a class was finished.
  • More than half have checked Facebook or MySpace and sent or received e-mail while using their laptop in class.
  • Just under half sent instant messages to a friend during class.
  • The availability of Wi-Fi influences students’ choice of coffee shop (52%), bookstore (42%), and restaurant (33%).

A total of 501 U.S. college students from both large and small schools were given the survey in September. The sampling variation in the survey is plus or minus 4.3 percentage points.

October 7th, 2008

iPhone Now Second Best-selling U.S. Mobile Phone: NPD

By Michael Santo
Editor-in-Chief, RealTechNews

Whether or not Apple has already reached its target of 10 million iPhones sold by the end of 2008, it’s already reached another pretty amazing stat, particularly for a higher priced phone: according to the NPD Group, the iPhone is now the second highest-selling mobile phone. Not smartphone, mobile phone. #1 was the Motorola Razr V3.

Not only that, and far better for AT&T, 30% of iPhone 3G buyers switched from other carriers to AT&T during the period of June to August 2008. Of those “switchers,” 47% switched from Verizon Wireless, another 24% switched from T-Mobile, and 19% switched from Sprint.

In the NPD’s Monday press release, Ross Rubin, director of industry analysis for The NPD Group, said:

“The launch of the lower-priced iPhone 3G was a boon to overall consumer smartphone sales. While the original iPhone also helped win customers for AT&T, the faster network speeds of the iPhone 3G has proven more appealing to customers that already had access to a 3G network.”

Sheesh, I think they should have a study to determine how many people were screaming over the lousy 3G service, but anyway …

Further, the report stated that the average price of a smartphone sold between June and August 2008 was $174, down 26% from $236 during the same period last year.

And from June to August 2008, the top four best-selling smartphones based on unit-sales to consumers were:

  1. Apple iPhone 3G
  2. RIM Blackberry Curve
  3. RIM Blackberry Pearl
  4. Palm Centro

October 6th, 2008

Ten Million iPhones by the End of ‘08 — or Already?

By Michael Santo
Editor-in-Chief, RealTechNews

A joint project between the Apple Finance Board (AFB) and Investor Village’s AAPL Sanity board has been tracking the IMEI numbers from as many iPhone 3Gs as possible, placing the results in a Google Docs spreadsheet, in an attempt to judge how many have been manufactured (note: not sold).

At the 2007 Macworld event, Steve Jobs predicted that Apple would manufacture 10 million iPhones by the end of 2008. Based on the current numbers at the AFB project, at least two analysts have concluded that Apple’s already reached that mark.

The IMEI number is used to identify a GSM phone to a network. It’s not unique to the iPhone, in case you were wondering. It’s a 15-digit number (14 + a check digit), and within it are two 6-digit sequences of numbers. The first is the TAC, or Type Allocation Code (which signifies a “build”), while the second is unique to each individual iPhone produced in that “build.” Thus, at least for the iPhone, one million iPhones can be registered to a specific TAC.

The latest IMEI data point recorded in the spreadsheet is 9,190,680 — an 8GB Black iPhone recorded as manufactured on September 29 and sold on October 5. Now, based on the fact that we know that coming into its Q4 (Q3 calendar), Apple had already sold 2.42 million first-generation iPhones, they’ve already topped 10 million.

And even if somehow that’s off by a large amount, this being October, they will beat their target date for 10 million iPhones by nearly 3 months.

That said, it hasn’t halted the slide of Apple stock during the financial turmoil surrounding Wall Street. With some news stories saying that Americans are holding off on purchases, that’s an obvious negative for a company with sales mostly in the discretionary spending category.

We’ll see what their Q4 earnings and future outlook are.

October 4th, 2008

SEC Investigating Fake “Steve Jobs Heart Attack” Report


By Michael Santo
Editor-in-Chief, RealTechNews

The SEC has announced an investigation after a fake report indicating that Steve Jobs had suffered a major heart attack caused Apple (AAPL) stock to drop 10%. The report first appeared on CNN’s iReport citizen journalism site, which describes itself as a source of “Unedited. Unfiltered. News.”

CNN says it is cooperating with the investigation, giving the SEC what information it has about johntw. While most likely this will be limited to an IP address and an email address, it’s quite possible the SEC will catch the person.

CNN has a disclaimer on the iReport site:

The views and content on this site are solely those of the iReport.com contributors. CNN makes no guarantees about the content or the coverage on iReport.com!

The report, since removed, said:

Steve Jobs was rushed to the ER just a few hours ago after suffering a major heart attack. I have an insider who tells me that paramedics were called after Steve claimed to be suffering from severe chest pains and shortness of breath. My source has opted to remain anonymous, but he is quite reliable. I haven’t seen anything about this anywhere else yet, and as of right now, I have no further information, so I thought this would be a good place to start. If anyone else has more information, please share it.

CNN issued the following statement:

iReport.com is an entirely user-generated site where the content is determined by the community. Content that does not comply with Community Guidelines will be removed. After the content in question was uploaded to iReport.com, the community brought it to our attention. Based on our Terms of Use that govern user behavior on iReport.com, the fraudulent content was removed from the site and the user’s account was disabled.

This highlights the major flaw of citizen journalism: anyone can post to these sites, and how do you know just who is trustworthy and, at least to a point, professional? So much of the “news” on these sites is junk or spam. Some sites (e.g., Huliq) do not publish stories from users until an editor has “approved” them.

CNN has no such policy. Of course, bloggers in general can post anything they want, including obviously false stories — out-and-out lies — that people who fail to think take as true, particularly in the political sector.

The timing of the post was particularly noteworthy, being just prior to the market open on Friday. Apple stock has been in a steep slide since the middle of August, despite the company’s continued stellar performance, due to concerns about the economy’s dismal outlook.

October 4th, 2008

Microsoft Gives Windows XP Extra Life

By Michael Santo
Editor-in-Chief, RealTechNews

Microsoft has caved in to OEMs again.

You probably know that the “Downgrade Rights” policy available to OEMs allows them to supply a Windows XP system image CD along with the computer, if you buy either Windows Vista Business or Windows Vista Ultimate. Some, such as Dell, will even “pre-downgrade” your system before shipping, saving you the manual labor. This was scheduled to disappear as of January 31st, 2009. But Microsoft has bowed to pressure, and now says the policy will continue until July 31st of 2009.

In an emailed statement, Microsoft said:

“As more customers make the move to Windows Vista, we want to make sure that they are making that transition with confidence and that it is as smooth as possible. Providing downgrade media for a few more months is part of that commitment, as is the Windows Vista Small Business Assurance program, which provides one-on-one, customized support for our small-business customers.”

And they said it with a smile, albeit forced, right?

However, the Jan. 31st date as the last day for system builders to be able to purchase Windows XP licenses to install on the machines they assemble still exists. It has not changed, Microsoft added.

Windows XP followed Bill Gates into semi-retirement at the end of June. Since then, only installs on nettops and netbooks, those for companies with Volume License Agreements, and the “Downgrade Rights” policy — along with pre-existing stock of retail copies of Windows XP — have allowed Windows XP to continue “to live.”

With the extension, however, Microsoft finds itself in a strange position. With the possible exception of just a few months, it will continue to sell a predecessor to their current OS nearly until the time their newer OS (Windows 7) launches.

This might even allow companies to completely skip Windows Vista, something Microsoft CEO Steve Ballmer said might be the “natural course” of upgrades. At a conference before France’s CIGREF on Thursday, he noted that, and even made (perhaps?) a Freudian slip.

The one thing I am not saying to people they should do is run out and upgrade all of their old PCs today, because I think there’s more of a natural flow. If you’re prepared to do it, you should do it — I would say you should get ready to do it with XP – or sorry, with Vista, but then depending on the timing you might wait for Windows 7.

October 3rd, 2008

Fake “Steve Jobs Heart Attack” Story Causes Apple Stock to Plummet

[Image: applestockdrop.jpg]

By Michael Santo
Editor-in-Chief, RealTechNews

A false report on CNN’s new social news site, iReport, caused Apple stock to plummet on Friday morning. The site allows users to post unvetted, unfiltered stories, and a report of a massive heart attack suffered by Steve Jobs caused the drop (as you can see above).

Apple spokeswoman Katie Cotton said, plain and simple:

“It is not true.”

This was a major failure on the part of CNN’s new site, which is still in beta, but it’s also likely to call into question “citizen journalism,” period. iReport allows content to appear immediately on that site, and reports deemed newsworthy are then posted on the iReport page on CNN.com. This story has since been removed. It read:

Steve Jobs was rushed to the ER just a few hours ago after suffering a major heart attack. I have an insider who tells me that paramedics were called after Steve claimed to be suffering from severe chest pains and shortness of breath. My source has opted to remain anonymous, but he is quite reliable. I haven’t seen anything about this anywhere else yet, and as of right now, I have no further information, so I thought this would be a good place to start. If anyone else has more information, please share it.

Steve Jobs’ health has been the source of much investor and analyst concern since he appeared rather gaunt and ill at WWDC in June. Jobs has suffered from pancreatic cancer in the past.

Still, Jobs has been good-humored about it, going so far as to post the following slide (below) during the recent Apple “Let’s Rock” event.

[Image: stevejobsrumors.jpg]

And it appears that rumors of this heart attack have been greatly exaggerated, as well.

What is interesting is that this reporter (and I wouldn’t be surprised if he disappears from the site soon) has no history of iReports (now that the story has been pulled down, anyway). The drop in stock made for a nice price point to jump in. The story’s timing was perfect: 6 AM PDT, just prior to market open.

Due to this, I would be surprised if there wasn’t an SEC investigation. Hang onto that IP address info, CNN! Apple stock has since recovered.

October 2nd, 2008

Evidence of Skype Monitoring in China


By Michael Santo
Editor-in-Chief, RealTechNews

Shades of the “Great Firewall of China.” But rather than blocking of outbound Internet access to certain, er, sites China would prefer its populace to avoid, what has been found is monitoring of Skype usage.

A report (.PDF) by researchers at Citizen Lab, a research group that focuses on politics and the Internet at the University of Toronto, has the following major findings:

  • The full text chat messages of TOM-Skype users, along with Skype users who have communicated with TOM-Skype users, are regularly scanned for sensitive keywords, and if present, the resulting information is uploaded and stored on servers in China.
  • These text messages, along with millions of records containing personal information, are stored on insecure publicly-accessible web servers together with the encryption key required to decrypt the data.
  • The captured messages contain specific keywords relating to sensitive political topics such as Taiwan independence, the Falun Gong, and political opposition to the Communist Party of China.
  • Analysis suggests that the surveillance is not solely keyword-driven. Many of the captured messages contain words that are too common for extensive logging, suggesting that there may be criteria, such as specific usernames, that determine whether messages are captured by the system.

The investigation found eight servers that are part of the TOM-Skype surveillance network. Researchers also found one server hosting a special version of TOM-Skype designed for use in cybercafes. Given this, researchers asked the following question:

To what extent do TOM Online and Skype cooperate with the Chinese government in monitoring the communications of activists and dissidents as well as ordinary citizens?

Cooperation by U.S. corporations with the Chinese government has been highlighted previously, including the infamous incident in which Yahoo! turned over data to China, which resulted in the jailing of a Chinese dissident.
