Lab Notes

Musings on Wi-Fi security issues, our product plans, and the general state of the world. Follow up with your comments and complaints to Lab Notes's .

December 2004 Archives

More Tsunami Help

By Periodik Labs on December 30, 2004 10:45 AM

$500 iMac?

The theory is that Apple wants to leverage its newfound popularity derived from iPod sales to sell computers. It seems to me that if Apple wanted to take advantage of its iPod "halo effect", it would want to make money off the computers it sells, not lose money.
By Periodik Labs on December 30, 2004 10:29 AM

How Not To Use Your Cameraphone

Engadget reports that thieves targeting cellphone retailers made cameraphone videos of their heists. When police arrested the thieves for one crime, they found documentary evidence of all the group's other crimes.
By Periodik Labs on December 30, 2004 10:24 AM

Track Bugs, Lend A Hand

If you're in the market for bug tracking or web site content management software, Fog Creek is donating 50% of its revenues for the next week to Oxfam, providing relief to victims of the Sumatran tsunami.
I'm a big fan of FogBugz; it powers our project bug tracking and customer support backend. Highly recommended.
By Periodik Labs on December 29, 2004 10:21 AM

Browsing Safely: The Shell Extension

Michael Howard's safe browsing code just got easier to use: a reader created a shell extension that wraps the code. Just right click the application you'll be using and select "Launch Safer...". Now there's no excuse to browse with administrator-level privileges.
By Periodik Labs on December 28, 2004 10:20 AM

Wireless Tower Upsets Cosmic Bakery

Makes me wonder what keeping my cell phone in my pants pocket is doing.
By Periodik Labs on December 23, 2004 9:54 AM

Bestsellers And Exogenous Shock

OK, it has nothing to do with Wi-Fi or computer security, but it's still interesting: a complex systems theorist at my alma mater applied statistical physics to understand movement of books on the Amazon bestsellers list. What he found was that large increases in sales volume followed "exogenous shocks", such as a positive review in a major newspaper.
I think I found this most interesting because it mirrors the behavior of the Corriente website: we normally move along with a steady stream of visitors until we get a spike in traffic due to a mention on a prominent news site. Now we've got a name for it — "Hey, the website is getting an exogenous shock!"
By Periodik Labs on December 22, 2004 11:22 AM

If It's So Easy...

...then why doesn't Microsoft do it?
Peter Torr opens up a can of worms with an article questioning the security of Firefox, the increasingly popular alternative to Internet Explorer. What makes the whole thing so juicy is that Peter works for none other than Microsoft.
I agree with his point that software vendors must digitally sign their executables. After all, it's not hard — we do it for every Windows executable we ship. And it's not expensive — our Thawte digital certificate cost us $200. If the Firefox guys can afford a two page spread in the New York Times, certainly they can afford a code signing certificate.
Where Peter goes wrong is with this comment:
"One of the many criticisms of Internet Explorer is that customers are fooled into downloading spyware or adware on to their computers. This is indeed a legitimate problem, and one of the ways you can reduce the risks of getting unwanted software on your machine is to only accept digitally signed software from vendors that you trust. Every time you download a random piece of software from a random location, you're taking your chances with your PC and all the information stored on it. You wouldn't take candy from strangers, would you?"
So why isn't this the default in Internet Explorer? The fact that the Internet Explorer executable itself is signed is nice, but the fact that Internet Explorer then turns around and allows downloads of anything and everything is the real problem.
By Periodik Labs on December 21, 2004 11:22 AM

Overblown Wi-Fi Security Article

As somebody who makes his living patching the security holes in Wi-Fi, I'm totally aware of what can go wrong with a Wi-Fi deployment. This Boston Herald article gets it mostly wrong. Basically, a woman in Virginia claims her bank account was cleaned out by someone who cracked her home Wi-Fi network (the article also calls it a phishing attack, which is something completely different).
Even the most insecure Wi-Fi network will not be vulnerable to this kind of attack: no bank that I've ever seen allows a user to access their accounts without an SSL connection, which encrypts data at the transport layer (see this Webopedia article for a discussion of the 7 network layers). Wi-Fi encryption (i.e., WEP, TKIP, AES) happens at the data link layer, so even if there is weak or no encryption at all on the Wi-Fi network, the banking information is still protected. What's more, even if this woman's loss was a result of a phishing attack, that's something to which Wi-Fi networks are no more vulnerable than wired networks.
In its defense, the article does eventually reach these same conclusions, but the title has more than enough hyperbole.
By Periodik Labs on December 21, 2004 10:57 AM

Another IE Security Flaw

Secunia describes a flaw in Internet Explorer 6 that allows spoofing of HTTPS-secured web sites. The problem results from an error in the DHTML Edit ActiveX control that allows an attacker to overwrite the contents of the URL field, making a malicious site appear as if it is a secure, credible site (e.g., http://www.evildoer.com appears in the URL bar as https://www.paypal.com).
Secunia claims the problem exists on all versions of XP, including SP2. Their demonstration page failed on my fully patched XP SP2 system, though. If this flaw is exploitable in the real world, it has the potential to be very dangerous.
By Periodik Labs on December 20, 2004 2:16 PM

A Holiday Surprise For Some Lucky Traveller

In an effort to test the efficacy of their own security, police at Charles de Gaulle Airport slipped some plastic explosive into an unsuspecting traveller's luggage. Problem is, now they can't find it.
The explosive is apparently harmless without a detonator, and chances are the unlucky traveller got home, couldn't figure out what the heck the chunk of clay was doing in their bag and threw it out. As the article points out, the real problem is going to come the next time they go through airport security (at least, at an airport with better security than de Gaulle): trace amounts of plastic explosives can set off detectors and get them flagged as terrorists.
Brilliant security, folks.
By Periodik Labs on December 20, 2004 1:30 PM

Dipole Grid-Based Frequency Selective Surface

The name doesn't mean anything to me either, but The Register has an article describing a grid of circuitry capable of blocking Wi-Fi radio waves. The grid can be applied to windows and selectively tuned to block various radio frequencies. Unfortunately, windows aren't the only avenue of escape for radio waves, so this may not be as promising as it sounds.
By Periodik Labs on December 17, 2004 10:28 AM

Nine Years For Wi-Fi Cracking

Wi-Fi Networking News covers the case of the crackers that broke into Lowe's insecure Wi-Fi network. The ringleader received a nine year sentence. Ouch.
Of course, this wasn't a simple case of logging on and using Lowe's bandwidth to check their email; the crackers installed software to sniff out credit card numbers, a serious crime. As Glenn writes, "The Wi-Fi access wasn’t really the point in the case at all, just their means of detected entry." The insecure Wi-Fi network just made the job of the crackers that much easier.
By Periodik Labs on December 16, 2004 4:03 PM

People Hate Pop-Ups

What a shocker, Jakob Nielsen discovers that web surfers hate pop-ups and other irritating ads. It would seem that supply and demand would take care of the problem, but somebody must be clicking on the ads because they just won't go away.
One choice user comment from the article regarding an audio ad: "IF ANYTHING COULD BE WORSE THAN POP-UPS, THIS IS IT. I HATE THIS AD. HATE HATE HATE." My feelings exactly.
By Periodik Labs on December 16, 2004 3:27 PM

WEP Cracking Redux

SecurityFocus has a detailed report on the latest WEP attack results. The tools they tested were able to crack 128-bit WEP keys in a matter of minutes. If you're not yet using WPA security (even pre-shared key) on your Wi-Fi network, it's time to change.
By Periodik Labs on December 15, 2004 5:32 PM

Hacking The WRT54G

The Inquirer covers tools for hacking the Linksys WRT54G access point. By installing third-party firmware (including firmware you compile yourself), you can add many new features, including QoS, an SSH server, VLANs, more extensive firewall options, and many others. One of the most useful features is the ability to change the power of the antenna; Linksys ships with it set to 28 mW, but with new firmware it is user adjustable up to 251 mW.
I've got a WRT54G at home with the SveaSoft firmware installed and the antenna cranked up to 50 mW. It provides a noticeable increase in range over the stock configuration. Beware of cranking the power up too high — too much power distorts the signal and can actually cause worse performance.
For about $60 and a little work on your part you can put together an access point with just about all the features of the big boys.
By Periodik Labs on December 15, 2004 11:06 AM

Citibank: Open An Account, Get An iPod Mini

Payment News is reporting that Citibank is offering a free iPod to customers that open a new EZ checking account. I can't find any info on the Citibank website, or I would have already opened a new account myself.
By Periodik Labs on December 14, 2004 12:01 PM

Verizon Treo 650

Verizon doesn't offer the Treo 650 (although if they buy Sprint, they will), but one intrepid Treo owner claims to have hacked his Sprint Treo 650 to work with the Verizon network. I'm skeptical, but if this is real, it's a cool hack.
By Periodik Labs on December 14, 2004 11:43 AM

Treo Pricing Madness

By Periodik Labs on December 13, 2004 11:04 AM

Safe Personal Computing

By Periodik Labs on December 13, 2004 10:54 AM

New Elektron Preview Release Available

We just posted a new preview release of Elektron. This release fixes a few bugs; see the release notes included in the download for detailed information.
By Periodik Labs on December 10, 2004 6:26 PM

SOHO Vendors Penetrate Business

Wi-Fi Planet confirms my own anecdotal experiences: Wi-Fi equipment makers traditionally associated with the SOHO market are making inroads into larger businesses. A new survey found that 32% of the business IT administrators surveyed said they have deployed equipment by Linksys, with respondents also citing deployment of Netgear, D-Link, and Belkin equipment.
It makes perfect sense to see this happening: very few organizations need the advanced features available in enterprise-specific gear, and the SOHO equipment is extremely cost effective. The Linksys WRT-54G goes for about $60 these days; at that price it's cheaper to keep a closet full of pre-configured spare access points ready to replace any problematic access point than to have your IT guy spend an hour debugging the problem.
By Periodik Labs on December 9, 2004 4:32 PM

MacWorld Passes Available

We've got some free exhibit hall passes to next month's MacWorld Expo in San Francisco. If you haven't registered already and you're interested in saving 40 bucks, send an email to macworld@corriente.net with your name and mailing address (we won't keep your personal info after we send you the pass). If you request a pass on or before December 10, we'll send you the priority code you need to use to register online and receive your badge in the mail - avoid the painfully long lines at Moscone!
And while you're at MacWorld, stop by the Networking Pavilion and say hi; we're in booth 849.
By Periodik Labs on December 8, 2004 3:04 PM

Windows Server 2003 SP1 Available

John Howard reports that Windows Server 2003 SP1 is now available for download. Many security-related enhancements are included, such as a souped-up firewall.
By Periodik Labs on December 7, 2004 10:54 AM

Cisco Vs. Corriente

Similarity: both companies are involved in the wireless networking space.
Difference: Cisco spends $650,000 to have Santana play their holiday party; Corriente kicks in a couple of bucks for pizza.
By Periodik Labs on December 7, 2004 10:50 AM

Data Networks: Sprint vs. T-Mobile

eWeek performed tests of both Sprint's and T-Mobile's data networks. Their results match my own experiences: Sprint gives usable, although not blindingly fast, performance, while T-Mobile (which uses the Cingular network here in the Bay Area) was basically useless. When I had a Sony Ericsson T68i with T-Mobile, a 200 byte WAP page could take minutes to load. With my Sprint Treo 600, web surfing is a breeze.
By Periodik Labs on December 6, 2004 11:06 AM

Mac OS X Debugging

Mac Developers: Apple DTS has posted a new technote chock full of great Mac OS X debugging tips. It consolidates for the first time various debugging apocrypha and incantations. If you are doing any development under Mac OS X, it is a must-read.
By Periodik Labs on December 4, 2004 4:28 PM

Wi-Fi Trade Group: Buy More Wi-Fi

David Cohen, co-founder of the Wi-Fi Alliance trade group, says businesses should start deploying Wi-Fi now that earlier security problems have been addressed. As a Wi-Fi product vendor (a product that is a key component of addressing said security problems), I wholeheartedly agree.
By Periodik Labs on December 3, 2004 8:28 AM

Flip The Switch

By Periodik Labs on December 2, 2004 8:58 PM

ReefEdge Madness

By Periodik Labs on December 2, 2004 7:42 PM

Elektron Preview Release Available

Well, it's actually been available for a week now, but the first announcements went out today. Welcome new users!
We're really looking forward to getting feedback, so please, please, please, let us know what you think!
By Periodik Labs on December 1, 2004 11:03 AM

D-Link Hotspot-In-A-Box

D-Link, in conjunction with Pronto, has introduced a turn-key hotspot solution. D-Link provides the hardware; Pronto provides the service that allows the operator to charge for access. At $500, it's relatively inexpensive, but the question is, does it cost less overall to simply charge nothing and reap the goodwill benefits?
By Periodik Labs on December 1, 2004 11:00 AM