George Ayotte

Video game rental service Gamefly launched its GameCenter App in the App Store Thursday. While the app doesn't allow users play the games themselves, it does serve as a pocket library for gaming information, as well as a quick way to research, rent, and buy games. "We designed GameCenter to provide iPhone and iPod touch users with a complete one-stop destination for video game information," said Sean Spector, GameFly's co-founder and SVP of business development and content. This free application gives iPhone and iPod touch users access to data on over 5,000 video games, as well as news, videos, screen shots, release dates, user reviews, and cheats.

The current version of the GameCenter app features news and information for several platforms including the PC, PS2, PS3, Wii, Xbox 360, Nintendo DS, and PSP. So far, there are no Mac or iPhone tabs, but Spector says the company may address this in future updates. The GameCenter app is designed to be easily navigable. The tabs can be customized through the game's settings tab, so you only get the news and information you want. Tapping the Games tab will give you a list of platforms on the top. When you tap on a game title, you are directed to the game's individual page that gives the user a game description, game specs, game controls, cheats and codes, and the ability to rent the game through GameFly. By tapping a platform name you can immediately view the most popular games complete with images, user rating, and release dates.

The most helpful user reviews are also highlighted on the game's page next to reviews from GameFly's partner IGN. The News tab can also be sorted by platform and the individual stories can be expanded to full screen. The developers clearly intended for the user to be able to perform everything in the app, from viewing videos embedded in news stories to renting or buying games to sharing game news and information with your friends. Stories are fed to the GameCenter App through leading games sites including Shacknews.com. You can share GameCenter content via in-app Facebook, Twitter, and e-mail. While the scale of the information contained on the app is definitely useful for gamers, and is much more intuitive than your average gaming site on the mobile platform, the app will perhaps be most appreciated by existing GameFly members. You can also invite friends to download the app themselves.

To encourage the use of the GameFly rental service, anyone who downloads the app is also granted access to a fifteen-day free GameFly membership. For a free app, GameFly's GameCenter has a remarkably large amount of information and is definitely worth a look.

Extreme Networks this week unveiled an extension to its edge switching portfolio with three new modules for its BlackDiamond 8800 chassis. The modules include a redundant management switch module (MSM), a 24-port Gigabit Ethernet fiber module, and a 48-port Gigabit Ethernet 1000Base-T card. The modules transform the chassis into the BlackDiamond 8500-series, a wiring closet switch optimized for automating the discovery and service provisioning of devices at the edge of the enterprise network, and enabling resiliency and security.

The MSM is called the 8500-MSM24. It features eight optional 1G/10G ports for connection to a redundant MSM and other switches. The 24-port fiber card is called the 8500-G24X-e. The Gigabit Ethernet ports are small form-factor pluggable transceivers. The MSM is the brains of the switch, running Extreme's XOS operating system and handling the provisioning of network access, security, service levels and failover procedures. The 48-port 1000Base-T card is called the 8500-G48T-e. It features RJ45 interfaces. This is designed to protect chassis investments and ensure consistent operation and management from edge to core. The modules fit into the BlackDiamond 8810/8806 chassis and use the same power supplies, fan trays, accessories and ExtremeXOS operating system as that switch.

The BlackDiamond 8500 will go up against Cisco's Catalyst 4506 and 4506E switches, and HP's ProCurve 5400zl. The BlackDiamond 8500-series modules will be available this quarter. Extreme claims twice the per slot switching capacity - 48Gbps vs. 24Gbps – at lower cost: $25,965 in a 144 Gigabit Ethernet port configuration vs. $26,292 for HP, and between $33,000 and $40,000 for Cisco. The MSM has a list price of $4,995. The 24-port Gigabit fiber module has a list price of $6,995, and the 48-port Gigabit Base-T module has a list price of $3,995.

Google's Gmail and Yahoo's Mail were also targeted by a large-scale phishing attack, perhaps the same one that harvested at least 10,000 passwords from Microsoft's Windows Live Hotmail, according to a report by the BBC. Microsoft , for its part, said late yesterday that it had blocked all hijacked Hotmail accounts, and offered tools to help users who had lost control of their e-mail. The BBC also said it has seen a list of some 20,000 hijacked e-mail accounts; the list included accounts from Gmail, Yahoo Mail, AOL, Comcast and EarthLink. Gmail was the target of what Google called a large-scale phishing campaign, the company told the BBC . "We recently became aware of an industry-wide phishing scheme through which hackers gained user credentials for Web-based mail accounts including Gmail accounts," a Google spokesperson told the news network.

The latter two are major U.S. Internet service providers. "As soon as we learned of the attack, we forced password resets on the affected accounts," the Google spokesperson also told the BBC. "We will continue to force password resets on additional accounts when we become aware of them." Neither Google's or Yahoo's U.S. representatives responded to e-mails from Computerworld seeking confirmation that their Gmail and Yahoo Mail services were targeted by phishers, or answers to questions about how many accounts had been compromised and what the firms are doing to help users. Late Monday, Microsoft said it was blocking access to all the accounts whose details had been posted on the Web last week. "We are taking measures to block access to all of the accounts that were exposed and have resources in place to help those users reclaim their accounts," the company said on its Windows Live blog . Microsoft posted an online form where users who have been locked out of their accounts can verify their identity and reclaim control, and also pointed users to a support page from October 2008 that spells out steps users can take if they think their accounts have been hijacked. Neowin.net, the site that first reported the Hotmail account hijacking early Monday, today added that it had seen the same list of compromised accounts as the BBC. "Neowin can today reveal that more lists are circulating with genuine account information and that over 20,000 accounts have now been compromised," said the Windows enthusiast site . "[The] new list contains e-mail accounts for Gmail, Yahoo, Comcast, EarthLink and other third-party popular Web mail services." Microsoft has acknowledged that log-on credentials for "several thousand" Hotmail accounts had been obtained by criminals, probably through a phishing attack that had duped users into divulging their usernames and passwords. After a slump earlier this year, phishing attacks are on the upswing, according to the Anti-Phishing Working Group (APWG). Its most recent data - for the first half of 2009 ( download PDF ) - noted that the number of unique phishing-oriented Web sites had surged to nearly 50,000 in June, the largest number since April 2007 and the second-highest total since the industry association started keeping records. Yesterday, Dave Jevans, the chairman of APWG, called the Hotmail phishing attack one of the largest ever, but cautioned that the usernames and passwords may have been harvested over several months, and not by a single, defined attack.

Top Chinese e-commerce site Alibaba.com aims to announce an Indian joint venture this year as the company expands its global footprint, it said Friday. A deal in India, where Alibaba.com recently surpassed 1 million registered members, would be the latest in the site's efforts to grow abroad. "I've got a lot of confidence in India," said Jack Ma, CEO of Alibaba Group, the parent company of Alibaba.com. Alibaba.com is in talks with an Indian reseller about forming a joint venture, CEO David Wei told reporters at a briefing.

Alibaba.com is a platform for small and medium businesses to trade everything from lumber and clothes to iPods and PC components. Alibaba.com already works with Indian publishing company Infomedia 18, its likely joint venture partner, to promote its platform in the country. Its main member base is in China, but the site also has 9.5 million registered users in other countries and facilitates many cross-border trades. The site also has a joint venture in Japan and recently launched a major U.S. advertising campaign to attract more users there. Ma said Alibaba knows it needs to "do something" in Latin America as well. Ma and other top Alibaba executives visited the U.S. early this year for meetings with potential partners including Amazon.com, eBay and Google.

When asked if the company would also seek to expand in Eastern Europe, Ma said, "I will be there." Alibaba will not hold a majority stake in joint ventures it forms, instead taking a share similar to the 35 percent it has in its Japan operation. "Our global strategy means partner with local people," Ma said. "We want partners and we want partners to control their business." Users place total orders of more than US$200 million each day on the Alibaba.com international platform, Wei said. About 50 percent of those orders go to Chinese exporters, he said.

Microsoft still does not acknowledge a weakness in its Internet Explorer browser that was pointed out seven weeks ago and enables attackers to hijack what are supposed to be secure Web sessions. If Microsoft doesn't fix the problem, Apple can't fix it on its own, Apple says. The company says it is still evaluating whether the weakness exists, but Apple, which bases its Safari for Windows browser on Microsoft code, says Safari for Windows has the weakness and the Microsoft code is the reason.

Apple has fixed the problem for Safari for Macs. Once our investigation is complete, we will take appropriate action to help protect customers," a Microsoft spokesperson said via e-mail. "We will not have any more to share at this time." The weakness can be exploited by man-in-the-middle attackers who trick the browser into making SSL sessions with malicious servers rather than the legitimate servers users intend to connect to. Black Hat's most notorious incidents: a quiz "Microsoft is currently investigating a possible vulnerability in Microsoft Windows. Current versions of Safari for Mac, Firefox and Opera address the problem, which is linked to how browsers read the x.509 certificates that are used to authenticate machines involved in setting up SSL/TLS sessions. The attacks involve getting certificate authorities to sign certificates for domain names assigned to legitimate domain-name holders and making vulnerable browsers interpret the certificates as being authorized for different domain-name holders. In July two separate talks presented by researchers Dan Kaminski and Moxie Marlinspike at the Black Hat Conference warned about how the vulnerability could be exploited by using what they call null-prefix attacks.

For instance, someone might register www.hacker.com. In that case, the authority would sign a certificate for bestbank.hacker.com, ignoring the sub-domain bestbank and signing based on the root domain hacker.com, Marlinspike says. In many x.509 implementations the certificate authority will sign certificates for any request from the hacker.com root domain, regardless of any sub-domain prefixes that might be appended. At the same time, browsers with the flaw he describes read x.509 certificates until they reach a null character, such as 0. If such a browser reads bestbank.com\0hacker.com, it would stop reading at the 0 and interpret the certificate as authenticating the root domain bestbank.com, the researcher says. An attacker could exploit the weakness by setting up a man-in-the-middle attack and intercepting requests from vulnerable browsers to set up SSL connections. Browsers without the flaw correctly identify the root domain and sign or don't sign based on it.

If the attacking server picks off a request to bestbank.com, it could respond with an authenticated x.509 certificate from bestbank.com\0hacker.com. The user who has requested a session with bestbank would naturally assume the connection established was to bestbank. The vulnerable browser would interpret the certificate as being authorized for bestbank.com and set up a secure session with the attacking server. Once the link is made, the malicious server can ask for passwords and user identifications that the attackers can exploit to break into users' bestbank accounts and manipulate funds, for example, Marlinspike says. These certificates use an asterisk as the sub-domain followed by a null character followed by a registered root domain. In some cases attackers can create what Marlinspike calls wildcard certificates that will authenticate any domain name.

A vulnerable browser that initiated an SSL session with bestbank.com would interpret a certificate marked *\0hacker.com as coming from bestbank.com because it would automatically accept the * as legitimate for any root domain. Such a wildcard will match any domain, he says. This is due to "an idiosyncrasy in the way Network Security Services (NSS) matches wildcards," Marlinspike says in a paper detailing the attack. The differences between what users see on their screens when they hit the site they are aiming for and when they hit an attacker's mock site can be subtle. A Microsoft spokesperson says Internet Explorer 8 highlights domains to make them more visually obvious, printed in black while the rest of the URL is gray. "Internet Explorer 8's improved address bar helps users more easily ensure that they provide personal information only to sites they trust," a Microsoft spokesperson said in an e-mail. The URLs in the browser would reveal that the wrong site has been reached, but many users don't check for that, Marlinspike says.

Marlinspike says the null character vulnerability is not limited to browsers. "[P]lenty of non-Web browsers are also vulnerable. Outlook, for example, uses SSL to protect your login/password when communicating over SMTP and POP3/IMAP. There are probably countless other Windows-based SSL VPNs, chat clients, etc. that are all vulnerable as well" he said in an e-mail.

India's auction of 3G and WiMax licenses is now scheduled to be held in December, according to a notice on the Web site of the country's Department of Telecommunications. Bidding for 3G licenses will start Dec 7, with the WiMax auction scheduled to start two days after the 3G auction is complete, according to the notice. The auction was originally scheduled for January of this year, but was postponed after disagreement within the government on the minimum cost of the licenses. Both Indian and foreign companies are allowed to bid for the licenses, but foreign companies will have to set up joint ventures with Indian investors to run services in the country.

The Ministry of Communications will license four slots for 3G in each of India's 22 service areas, with a fifth slot reserved for two government-run telecommunications companies. A group of ministers, set up to resolve the dispute over pricing the licenses, has named Indian rupees 250 billion (US$5 billion) as the minimum revenue from the auction of the 3G and WiMax licenses in the country, India's Minister of Communications, A. Raja said last month. A telecommunications company bidding for 3G licenses in all 22 circles will have to pay at least Indian rupees 35 billion, according to the new minimum pricing proposed by the Indian government. Two companies, Bharat Sanchar Nigam Ltd. and Mahanagar Telephone Nigam Ltd., were allotted 3G spectrum ahead of the auction, and have started offering services. By the pricing announced last year, they would have to pay about rupees 20 billion. The government said last year that these companies would have to pay license fees equal to the highest bid in each service area.

The final date for applications from bidders is Nov 13.