An anti-malware organization has called on Apple to beef up its Safari Web browser to protect users from exploits that could let attackers download malicious code to a Mac or Windows user's desktop.

Stopbadware.org, a group founded by Google, Chinese computer maker Lenovo Group, and Sun Microsystems, on Monday asked Apple to reconsider its refusal to address the flaw as a security problem.

"StopBadware.org believes that users should have control over software being downloaded to their computers, and we encourage Apple to reconsider its stance and treat this as the security issue that it is," Stopbadware.org said in an appeal posted to its Web site.

[ See related stories: "Apple's Safari browser likened to malware" and "Apple dismisses Safari download issue." ]

The group's concern centered around an issue made public a week ago by Nitesh Dhanjani, a security researcher and the co-author of the book "Network Security Tools." In a post to his own blog last week, Dhanjani spelled out what he called a "carpet bomb" attack possible via Safari.

According to Dhanjani, attackers could take advantage of the fact that Safari lacks an option to require a user's permission to download a file. Those attackers, Dhanjani claimed, could populate a malicious site with rogue code that in turn would automatically litter a user's desktop with malware.

Although Dhanjani praised Apple's security team for its rapid response to his queries, he also noted that the Cupertino, Calif.-based computer and consumer electronics maker passed on updating Safari to lock out such attacks.

After he suggested that Apple add a setting to Safari that could be toggled to ask the user before downloads are allowed, Dhanjani said he received this reply from the company's security group: "... the ability to have a preference to 'Ask me before downloading anything' is a good suggestion. We can file that as an enhancement request for the Safari team."

However, the issue is not a security problem, said Apple. "Please note that we are not treating this as a security issue, but a further measure to raise the bar against unwanted downloads."

Other browsers, including Microsoft's Internet Explorer and Mozilla's Firefox, include options that prompt users before initiating downloads of some or all file types.

"Assuming Nitesh's analysis is accurate, 'unwanted downloads,' as Apple calls them, represent a serious security threat to users, who can be easily tricked into executing a malicious file," argued Stopbadware.org.

The group has rebuked Apple before. In March, when Apple started using its software update utility to push Safari 3.1 to Windows users, Stopbadware.org first noted the move, then later said that, following its usual practice, it had notified Apple it would soon issue a "badware" alert for the company's Software Update.

The day before Stopbadware.org was set to release that alert, Apple modified how the updater offered Safari 3.1, separating updates for already-installed programs from offers to install new software.

Apple did not reply to a request for comment on its security team's decision against adding a user-approval option to Safari.

Computerworld is an InfoWorld affiliate.

Like Facebook before it, MySpace is having to take corrective steps to curb spam from applications built by external developers using its new application development platform.

In a posting to the official MySpace Developers blog on Tuesday, MySpace president Tom Anderson announced changes to the application guidelines intended to prevent developers from building self-promotional features into their applications that result in intrusive and deceitful behavior, such as generating unsolicited messages to other users or tricking application users into approving such actions.

"The main thrust of these changes is to limit app communications that are based on incentivizing or tricking users. To be clear, the purpose of these changes is to emphasize to developers that their focus should be on creating great apps that users will want to tell each other about. The best viral software is software you can't live without. Unfortunately, for some developers, the focus has been on how to come up with the best methods of viral distribution," Anderson wrote.

The problem isn't new. Facebook has had to deal with it since launching its own developer platform a year ago. For sites like MySpace and Facebook, the main goal of allowing external developers to create applications for their sites is to enrich their users' experience with software that the companies don't have the time, interest, or resources to develop on their own. But if some of these applications become an annoyance to members, then they defeat the purpose of the developer programs by harming instead of enhancing the user experience.

In a complementary post, a MySpace official provided more details about the guideline changes, including:

-- It's now forbidden to offer members incentives for promoting applications via messages, comments, and other forms of communication.-- The applications must be very explicit in explaining an application's communication capabilities.

"Every single developer should take a look at the guidelines as soon as possible. We are enforcing these new guidelines as of today for newly developed applications," the posting reads.

For applications that are already live on MySpace, developers have two weeks -- until June 3 -- to make their applications compliant with these new communication guidelines.

MySpace opened up its developer platform in February and its applications gallery, in test mode, in March.

The U.S. electrical grid remains vulnerable to cyberattacks that could cripple the economy, and the organization responsible for regulating electrical suppliers doesn't appear to be serious about fixing the problems, some U.S. lawmakers said Wednesday.

U.S. Rep. James Langevin and other members of the House of Representatives Subcommittee on Emerging Threats, Cybersecurity, and Science and Technology questioned whether the North American Electric Reliability Corp. (NERC), an electric industry group tasked with ensuring electric reliability, is doing its job.

NERC officials last October painted a "misleading" and rosy picture of the U.S. electric system's readiness for cyber attacks, said Langevin, a Rhode Island Democrat and chairman of the subcommittee. But Langevin has "little confidence" that the U.S. electrical grid has fully addressed the so-called Aurora vulnerability, a cyberattack aimed at shutting down electric utilities' generators or other equipment, he said.

"I still do not get the sense that we are addressing cybersecurity with the seriousness that it deserves," Langevin added. "I think we could search far and wide and not find a more disorganized, ineffective response to an issue of national security of this import. If NERC doesn't start getting serious about national security, it may be time to find a new electric reliability organization."

The U.S. and Canadian governments have given NERC authority to ensure the reliability of the electric grid. Last October, a NERC official told Congress that utilities covering 75 percent of the U.S. power grid were taking actions to fix Aurora vulnerabilities first identified by the U.S. Department of Homeland Security in 2006.

But the U.S. Government Accountability Office (GAO) released a report on Wednesday identifying numerous cybervulnerabilities at the Tennessee Valley Authority (TVA), the nation's largest public power company. The GAO issued 92 recommendations to the TVA, which supplies power to 8.7 million U.S. residents in Tennessee and parts of six other states.

"The corporate network was interconnected with control systems networks GAO reviewed, thereby increasing the risk that security weaknesses on the corporate network could affect those control systems networks," the GAO report said.

On the TVA's control systems networks, firewalls were inadequately configured or bypassed, passwords were ineffectively implemented, and servers and workstations lacked key patches and effective virus protection, said Greg Wilshusen, director of information security issues at the GAO. "Until TVA fully implements these security program activities, it risks a disruption of its operations as the result of a cyberincident," Wilshusen said.

TVA's corporate network had some of the same vulnerabilities, including a lack of key software patches, limited security configurations, and an intrusion-detection system with "significant limitations," the report said.

The TVA had already been working to fix the problems when the GAO investigation happened, said William McCollum Jr., chief operating officer of the TVA. The power supplier has addressed several of the issues identified by the GAO, McCollum said, and the TVA would address most of the problems by the end of the year. But McCollum could not give lawmakers a definite date when all the issues would be fixed.

NERC, with help from the Federal Energy Regulatory Commission, is implementing cybersecurity requirements that come online in July, instead of the advisories it had authority to issue in the past, said Richard Sergel, NERC's president and CEO.

Sergel pledged to push cybersecurity issues with electric utilities and paint a clearer picture of problems before Congress. "The responsibility to be clear [about problems] is ours," he said.

Good news for those of you who have been following the XML office document standards battle. Microsoft Wednesday announced that Office 2007 will support ODF (Open Document Format), the document standard used by OpenOffice.org and other open source productivity suites, with the release of Microsoft Office 2007 Service Pack 2, due sometime in early 2009.

Even more surprising, however, was the corollary to the announcement. While the Office programmer bees are busy buzzing away at ODF, OOXML (Office Open XML) is being put on the back burner. Don't expect Office to support a fully ISO-compliant version of OOXML until the next major release of the suite, currently codenamed Office 14, release date unknown.

Exactly why Microsoft is backpedaling its support for OOXML is not known. But open standards maven Andy Updegrove blogs that it may have something to do with Microsoft's current regulatory troubles in Europe and with the standards bodies that now govern OOXML. It appears likely that Microsoft actually can't implement a fully-compliant version of the standard just yet.

Instead, according to reports, users of Office 2007 Service Pack 2 will have the option to make ODF the default file format for word processing, spreadsheet, and presentation documents, the same way they can choose Office 2003 or several other formats. Office users can already import and export ODF files using third-party filters, but it doesn't make sense when only a small number of users have installed the filters or even know that they exist. Having support for ODF "baked in" to the Office suite will mean that everyone will be able to save and access these files with no extra effort.

Any way you slice it, this is a big step toward shaking off Microsoft's dominance of the office software market and ensuring that we can all preserve our files for years to come.

PC World is an InfoWorld affiliate.

After vague statements over the last weeks about internal investments that will allow it to compete in search without Yahoo, Microsoft on Wednesday laid out more of its vision for improving on its current "underdog" position in search.

While describing some new search technologies from Microsoft and some future ideas, executives were also cautious to repeat that theirs is a long-term vision that may take a while to spell success for the company. They spoke during an annual get-together for advertisers, this year hosted on Microsoft's campus in Redmond, Washington.

"I have to say, it's kind of fun to be the underdog," Microsoft Chairman Bill Gates confessed. The company has put an unusual effort toward building the team that's working on search, he said. "We've done more on this to build a great team then on any effort I can remember," he said.

Users should expect to see new features every six months from Microsoft's search group, he said. "We have a long-term commitment," Gates said. The company is willing to experiment, he said.

Wednesday's launch of Cashback represents the latest new feature. When Web users search for a product on Live.com, results may feature a Cashback tag. If users end up buying a product with the tag, they'll receive money back.

Microsoft expects that the concept will create a whole new business model, though it also expects that it might take some time for it to shake up the industry. "We understand this is a journey. When you change the user experience or business model, it takes time to percolate through to behavior changes," said Satya Nadella, senior vice president of the search, portal and advertising platform group at Microsoft.

Gates pointed out how Cashback is different than existing search advertising methods. "In search, when you get those ads, in a sense you don't get anything back in return," he said. That compares to other media like TV or radio, where in exchange for advertisements, viewers and listeners get content.

Cashback "gives you a reason why you should use a particular search," he said.

Over 700 merchants, including eBay, Barnes and Noble, Sears, Circuit City, Home Depot, Zappos.com, Overstock.com, and Kmart have signed up to advertise as part of the Cashback program. "That confirms there is this opportunity for change," Gates said.

Microsoft also showed off search features in beta release based on the company's recent acquisition of Farecast. When Internet users search on Live.com for flights, results will include information collected by Farecast that predict when a traveler can get the best deal on a flight. Microsoft has also used that technology to now offer similar information to people looking for hotel deals.

In addition, Microsoft showed off innovations it has made in video search as well. When users search for videos on Live.com, they see a page of videos and, on the right hand column, options for refining the search. They'll also see a list of other related videos that might interest them. In addition, users can hover over the video with their mouse and the video starts to play. Gates showed off the results for a video search for Tiger Woods in Live.com and compared it to a Google video result for the same topic.

"Make no mistake, we're about having the best search, the best results, so people want to use it for quality alone but also some of these innovations in the business model will excite and drive that," Gates said.

Still, he cautioned that the software required to drive the innovations that Microsoft envisions could take many years and billions of dollars to develop, he said.

While the effort to show off new search capabilities at Microsoft seemed to correlate with the company's recent decision to pull its acquisition offer for Yahoo, none of the executives referred to the ongoing discussions with its search rival. Neither Gates nor Nadella took questions from the conference attendees.

AT&T announced Wednesday that it is on track to complete its 3G mobile broadband network by the end of June, thus becoming the first U.S. carrier to fully deploy High-Speed Packet Acces (HSPA) technology over its network.

HSPA is a mobile broadband technology that is comprised of two wireless broadband protocols, known as HSDPA (High Speed Downlink Packet Access) and HPUSA (High Speed Uplink Packet Access), that operate on 3G mobile devices. AT&T's HSPA network currently delivers data download speeds of up to 1.4Mbps and upload speeds of up to 800Kbps. Currently, AT&T's HSPA services are available in around 275 markets in the United States, and the company says  they will be available in 350 U.S. markets by year-end.

AT&T will offer its 3G services to all customers who have HSPA-enabled handsets and laptops, including any laptop with a LaptopConnect wireless modem. The company says 75 percent of its currently available handsets are 3G-capable and that it plans to release more 3G smartphones throughout the year. Some analysts have speculated that AT&T and Apple will release the first 3G-capable iPhone sometime this summer.

"The ability to quickly upload large files from a laptop is no longer a luxury; it's a necessity," says Kris Rinne, the senior vice president of architecture and planning for AT&T's wireless operations. "By fully deploying HSUPA across our 3G footprint, we not only meet the current needs of our customers but also lay the path for our continued evolution to even fast wireless broadband capabilities."

AT&T views its full HSPA deployment as the next logical step in its eventual progression to deploying the 4G  LTE (Long Term Evolution) technology that is expected to first have devices on the market in 2010. LTE and HSPA are both variations of UMTS that was developed by the Third Generation Partnership Project (3GPP) to mobile broadband services for GSM devices.

AT&T first began  deploying its 3G network and services in 2004 when it rolled out a 220Kbps -- 320Kbps Wideband Code Division Multiple Access service to four U.S. markets. Between 2005 and 2008, the company has invested nearly $20 billion in network upgrades that have helped transition its wireless network to 3G services.

In separate announcements Wednesday, Qualcomm said it has invested in vendor ip.access, which develops femtocell and picocell products and the Femto Forum announced a partnership with the GSM Association, along with an agreement on how to integrate into mobile networks via broadband.

"This shows there is acceleration in the interest in femto cells, the industry is shaping up. It was embryonic a year ago, but now it has turned into a real concept, and real products are emerging," said Stephen Mallinson, CEO of ip.access. Financial terms of Qualcomm's investment were not disclosed.

Femtocells are small base stations for wireless home broadband. They improve indoor coverage and increase capacity. When a user is making calls and surfing the Web with a phone or laptop equipped with wireless broadband signals are sent via the femto cell and a fixed broadband connection.

The funding deal with Qualcomm will help ip.access roll out products, according to Mallinson.

"Qualcomm has access to people we might find it more difficult to get access to, likewise we can talk about where the femto industry is going, and I think that could be valuable to them," Mallinson said.

Cisco Systems, Intel, and Motorola have also invested in ip.access.

Interoperability is key for femto cells to become successful in the mass market, and the Femto Forum-related announcements are aimed at that goal.

"Interoperability is our bread and butter, ensuring a full range of services at home. You don't want an error message when you swap to your femto cell," said David Pringle, spokesman at GSM Association.

It's also important for the technology to work from day one because if consumers don't have a good experience it will affect the image of femto cells, Pringle said.

"There is a balancing act here between bringing the technology to the market fast and ensuring it works properly," said Pringle.

The Femto Forum is also adding AT&T, China Telecom, Nortel, SK Telecom, Sprint Nextel, and T-Mobile to its member roster.

Both ip.access and the GSM Association expect to see their first commercial services launch toward the end of the year, but big volumes will happen next year, according to Mallinson.

Without mentioning the name Yahoo, Microsoft took more than a day to even allude to its deal making with the search company at its yearly advertising conference in Redmond, Wash.

"There's not a single company I'd say, 'Hey, here's the one company we'd go acquire,'" said Kevin Johnson, president of Microsoft's platform and services group, in response to a question about what types of companies Microsoft might acquire in the advertising market.

[ Follow the Microsoft-Yahoo saga in our special report. ]

Microsoft has done a value-chain analysis and decided to invest in research and development and organic growth in some areas and combine that with assets it has acquired, primarily small companies. "Our focus is bringing together the assets we've created in the organization, combined with assets we acquire, to create a world-class advertising platform," he said.

A half-day of presentations on Wednesday will finish off the conference, which started on Tuesday. Advertising executives attend the yearly event for an update on trends and technologies.

While during the conference Microsoft has outlined its existing capabilities and its vision for offering advertising across devices including Xbox, mobile phones, and PCs, it hasn't broached the subject of its ongoing discussions with Yahoo. After recently pulling its bid for Yahoo after four months of negotiations, Microsoft over the weekend said it had reinitiated talks with Yahoo, this time about possibly buying just a piece of the company.

Microsoft chairman Bill Gates is scheduled to speak on Wednesday, when he may comment on the company's Cashback offering launched earlier in the day. The service offers consumers a rebate on purchases made via shopping features offered through its Live Search service.

It was just over a year ago that Microsoft dropped a bombshell of a claim: users of Linux and open source software were unwittingly violating as many as 235 Microsoft software patents.

"This is not a case of some accidental, unknowing infringement," Horacio Gutierrez, Microsoft's vice president of intellectual property and licensing, told Fortune magazine at the time. "There is an overwhelming number of patents being infringed."

Since then, critics say Microsoft has played the "good cop, bad cop" routine with the open source camp.

For example, promising not to sue customers of eight vendors that had signed cross-licensing deals with Microsoft for potential open source-related violations? Good cop. But continuing to refuse to publicly reveal what those alleged patent violations are? Bad cop.

Here's another: Announcing in March that open source developers will now be able to use hundreds of Microsoft software protocols without a license for noncommercial use? Good cop. CEO Steve Ballmer telling customers of licensing holdout Red Hat last October that they "have an obligation to compensate" Microsoft for IP violations? Bad, bad cop.

Gutierrez, interviewed late last week, says Microsoft's hot-and-cold engagement with the open source community is neither "intentional" nor "inherently contradictory."

"We spend $7 billion a year on research, development and cranking out innovations," he said. "We need to protect our innovations against people who infringe upon them."

But legal eagles in the open source camp argue that Microsoft's moves, even its ostensibly positive ones, have done little to bolster its patent claim.

"Claiming you have IP that folks are infringing isn't the same thing as proving it," wrote Pamela Jones, author of the open source legal blog Groklaw.net, in an e-mail. "I think they [Microsoft] are in a weaker position *because* they did the [cross-licensing] deals. It makes them look needy, like they can't make it any more without Linux."

"The [legal] threat [to open source] is no greater" today than a year ago, wrote Mark Radcliffe, a lawyer with DLA Piper's Silicon Valley office and the general counsel of the Open Source Initiative, which oversees the approval of open source software licenses, in an e-mail.

Take Redmond's attempts to persuade vendors to sign cross-licensing deals that include protection from potential open source patent lawsuits by Microsoft.

Besides Novell and Fuji-Xerox, which both had signed deals before PatentGate, other cross-licensees include Asian consumer electronics makers Samsung Electronics, Kyocera-Mita, and LG Electronics, and a trio of smaller Linux makers including Xandros and its Scalix subsidiary, TurboLinux, and Linspire.

The number of patent signees remains at 8.

In an interview last week, Gutierrez said that cross-licensing is vital because "customers don't want to buy an IP problem."

Moreover, it sets the necessary groundwork so that Microsoft and its partners can comfortably work together to make their respective products interoperate.

"Good fences make for good neighbors," he said. "This is not a religious issue, but a very practical one."

But critics claim cross-licensing is a sneaky attempt to get open source vendors to de facto admit that their software does violate Microsoft patents. Not that they think it actually bolsters Microsoft's case.

"The signing of cross licenses does not mean that the patents are valid," Radcliffe wrote. For instance, licenses can be signed "for a variety of commercial reasons to reduce risk" or to give one Linux vendor a perceived edge in the market.

Jones is more blunt. "I am not aware of any relevant Microsoft patents that have been court-tested. That would be the only way to strengthen Microsoft's claim that there is anything actually infringing," she wrote. "All they have proved is that some will cave rather than find out in court."

The last Linux patent protection deal Microsoft inked was more than half a year ago, October's deal with TurboLinux.

But Gutierrez promised more cross-licensing/patent protection deals soon. There are "ongoing discussions with U.S. software makers," he said. "They just can't be timed from a PR perspective."

Gutierrez thinks even a vocal holdout like Red Hat will eventually come around, once they "recognize that there are opportunities that they are missing out, as customers are increasingly demanding vendors come together and tackle interoperability challenges together," he said.

Red Hat did not reply to a request for comment. But Groklaw's Jones is skeptical.

"The world wants openness and interoperability, up to a point," she wrote. "I don't know anybody who wants to interoperate with Vista."

Moreover, "Red Hat is making money at least in part because it *didn't* sell out to Microsoft, in my opinion," she continued "Even if they [Microsoft] had a valid patent, going after Red Hat is like threatening to kill Dorothy's little dog Toto. You can't do it and have people like you."

Radcliffe argues that the heterogeneity of products -- that is, Microsoft and open source software -- in most corporate networks, which Redmond asserts leads to increased demand for interoperability, also immunizes open source vendors from Microsoft's legal threat.

"Most Linux users are not concerned about this threat," wrote Radcliffe. "Since they are also Microsoft clients, they believe it is unlikely that Microsoft will sue their own customers. We have not seen a significant shift from the 'licensed' Linux vendors to the 'unlicensed' ones."

Todd Weiss contributed to this story.  Computerworld is an InfoWorld affiliate.

Cisco CEO John Chambers says the company's future depends on technologies that enable human collaboration.

"We build our culture at Cisco around catching market transitions," Chambers said Tuesday during a keynote address on Web 2.0 and collaboration at Forrester Research's IT Forum in Las Vegas. Cisco's moves in Web 2.0, from its TelePresence video conferencing technology to the acquisition of WebEx, are steps toward making sure Cisco doesn't get upstaged by more innovative competitors.

"It isn't just about growth, it's about survival," Chambers said. "Market transitions are built on catching them right, and if you miss them it's almost impossible to recover."

Chambers also talked about how collaboration efforts within Cisco almost failed. An effective Web 2.0 strategy has to be spearheaded by a CEO, but leadership also has to give up some power to make it work, he noted.

"The hard part about collaboration is we don't like change," Chambers said. "Nor did my organization and nor did I. I love command and control and I'm pretty good at it. 65,000 people, I say turn right, we turn right. I very rarely have to say it twice. That's not the future. It's the ability of groups to think together, to combine knowledge and experience."

The first two years of collaboration in Cisco were "miserable," Chambers said, noting that when he first thought about Web 2.0 he was interested mainly in telepresence and simple forms of collaboration.

One of Chambers' 30-year-old employees told him "you've got to quit talking about just telepresence with collaboration. You've got to really say how all these tools, the blogging capabilities, the wikis etc. really tie together into an architectural approach."

It got better. "Now it's almost viral at Cisco," Chambers said. "It took me making some changes. About 20 percent of my leadership did not make it through this."

Chambers got so excited talking about collaboration that he started roaming through the crowd of several hundred people. He discussed Cisco's unified communications strategy, of letting users collaborate with any device, and how telepresence will be seamlessly integrated with other technologies like blogging and wikis. (Compare unified communications products.) He previewed some cool technology that's right out of Star Trek. "Within a very short time we will be able to do holograms with this type of technology, so you can literally beam people into a room and have a conversation virtually," Chambers said. "We already demonstrated that in India." 

Chambers' preferred methods of communicating, he said, are text messages and video. Beyond collaborating internally, Chambers said he's doing more virtual meetings. He already travels physically to many countries throughout the year, but with telepresence he said he will double the number of customers he speaks with while doing half his customary travel.

Voice and video are the keys to collaboration among people who aren't physically near each other, he said. Chambers used to think telepresence was 90 percent as effective as an in-person meeting. Now, he said, he thinks it's even better than an in-person meeting because of tools that let him easily share data and presentations with people on the other end of the conversation.

"For me, it's a lot like 'Scottie, beam me up,'" Chambers said. "What is missing is integrating it with a lot more tools, which we're going to attempt to do. You'll see that it will capture the imagination of what's possible."

Chambers' optimistic view of the future has people collaborating from anywhere, using any device in any mode they want. Virtually nothing will be confined to one physical location, and networks will no longer be "device-sensitive."

"We'll talk about everything in the future, in my opinion, as a service," he said. "Not just software-as-a-service, but ... processing power as a service, storage as a service, bandwidth as a service."

While opening the doors to more effective collaboration, Web 2.0 has brought with it a number of security headaches. Point products solving specific problems won't be enough, Chambers said. A holistic approach that views security as an architecture rather than a set of individual technologies is what's needed, he said.

"There is no such thing as a secure datacenter or secure network," he said. "There's just degrees of security where you're going to be one or two steps ahead of the bad guys."

Network World is an InfoWorld affiliate.