The Droid X will ship with Android 2.1, which will be updated to so-called Froyo, or Android 2.2, later. That means that it initially won’t have Flash Player 10.1, the latest version of that software that became available this week for Android 2.2. Onlookers had hoped the Droid X would come with Android 2.2.

The Droid X smartphone.
The phone will become available July 15 and will get Android 2.2 and Flash Player 10.1 later in the summer, Verizon said. It will retail for $199 after a $100 rebate.

The phone has a large 4.3-inch screen, bigger than most and matching the HTC HD2, a Windows Mobile phone. It will come with a Blockbuster application that lets users download full-length feature films and, because the phone has an HDMI port, watch the movies on other devices like TVs. Users will also be able to rent movies from Blockbuster to watch on the phone or other devices.

The phone has an 8-megapixel camera and can capture high-definition video. It has a 1Ghz processor and can accommodate as much as 40GB of memory, including expanded memory.

The Droid X doesn’t come with a physical keyboard and will ship with Swype, software that offers a new way of typing on on-screen keyboards without having to lift up the finger.

Users will be required to sign up for a $29.99-per-month data plan for unlimited access. They can opt to pay an additional $20 a month for a hotspot service that lets other devices, like a PC, connect to the phone for Internet access. The hotspot service is limited to 2GB of data usage.

Any Verizon customer whose contract is up any time this year can buy the phone for the subsidized $199 price.

Speaking at the event to unveil the phone, Google’s Andy Rubin, vice president of engineering, said that the company is now selling 160,000 Android-powered devices each day and that the Android Market has 65,000 third-party applications.

He also officially announced that today Google has open sourced Android 2.2, making it available for handset makers to use. The software has already been pushed out to some review units of the Nexus One phone.

Google CEO Eric Schmidt made a surprise appearance at the event, where he promoted the benefits of Google’s back-end cloud applications on mobile phones. Behind phones like the Droid X are “massively parallel supercomputers that do the computations” for services like voice translation, he said. But he also said that it takes powerful hardware and networks to deliver the capabilities available in such a device.

“It’s not surprising that they’re targeting Facebook,” said Kevin Haley, a director on Symantec’s security response team. “Facebook has, what, 200 million-plus users? The bad guys always go where’s there’s a lot of people.”

The newest Facebook attacks resemble previous phishing rounds in their tactics: A compromised account sends a malicious link to friends. That link leads to a site that mimics the legitimate log-in page. But users duped into entering their usernames and passwords are likely giving away more than just their Facebook credentials, said Haley.
“Certainly this isn’t new,” he said, “but we think that what you’re seeing is an attempt to shake out every last dollar they can get.”

The criminals are operating on the assumption that the Facebook password they acquire from any given user has a good chance of being the same password that person uses on other sites, such as online shopping services or even bank accounts.

“Get one password for the right person and it’s like having their wallet handed over,” Symantec researcher Marian Merritt in the post to Symantec’s security response blog said on Friday.

Although Symantec has no statistics on the percentage of users who rely on just a single password for multiple online services or activities — Haley called the evidence “anecdotal” — it’s an assumption that both criminals and researchers make. “When you talk to users, that’s what they tell you they do,” he said.

Facebook has acknowledged the attack, and said it has reset passwords of compromised accounts and eliminated the phishing messages when it has found them.

“It’s not like this is some great new virus technology,” Haley said, noting that the newest attacks are unlike worm-based attempts to infect Facebook accounts with the Koobface worm. This is straight con job. “Cons have been known from the beginning of time,” Haley continued. “But now we’re seeing them coming a little faster and more furious.”

The problem with social sites like Facebook is that they portray a certain level of trust — others are “friends,” after all, Haley added — and while users’ may be wary of clicking on links delivered via traditional e-mail, they haven’t yet made the same connection to social networking.

“People are very wary of e-mail [phishing attacks]. They’ve begun to catch on,” said Haley. “But they don’t have their antenna up when it comes to social networking.”

Symantec’s Merritt urged users to use more caution before clicking on links, to double-check the site’s URL and to use more, and more complex, passwords.

But Haley is pessimistic that the advice would sink in anytime soon. “It’s a progression,” he said, referring to the learning curve users go through before they realize they need to take care of their identities in a new online technology or type of service.

Even then, it’s a never-ending fight. “If there’s a way to figure out a new way to attack, the bad guys will do it,” Haley concluded.

Unfortunately, this isn’t the first flub-up we’ve seen when it comes to seemingly dumb data mistakes by major government agencies. In fact, there have been several winners since just last year. Here, then, are our top four government data blunders of recent months, starting with this week’s National Archives revelation.

4. The National Archives’ Hard Drive Disappearance

The National Archives’ hard drive contained an “as yet unknown” amount of data, the office says. Home addresses and Social Security numbers are believed to be a part of the information. Some reports even suggest personal details about one of Al Gore’s daughters could be included, as could details about Secret Service security procedures used during the Clinton years.

The thing’s apparently been missing since April, even though it was just announced today. Most flummoxing, though, is the fact that quoted officials say it may have been “accidentally misplaced.” Right — because a government hard drive with this type of data doesn’t deserve, I don’t know, maybe just an extra shred of caution when it comes to its handling.

Welcome to the list, National Archives.

3. The TSA’s Lost-Then-Found Fumble

The Transportation Security Administration: protectors of our skies; guard gates of our…well, gates. Surely, an agency charged with keeping airports safe would know a thing or two about security. Right?

Not necessarily. Time to rewind back to last summer, when the TSA announced one of its checkpoint laptops from the San Francisco airport was missing. The PC was used to control a “fast-pass” security prescreening program and held unencrypted personal info on 33,000 passengers.

The media was notified, a full investigation was launched, and the prescreening program was sent into partial lockdown. A week later, the TSA found the laptop — wait for it — in its own office. Top-notch.

The TSA also, by the way, lost an external hard drive with employee data in 2007 and “maybe” mailed about 1200 former workers’ Social Security numbers and birth dates to random people a year before that.

2. The U.S. Military’s eBay Embarrassment

MEMO: Do not sell old hard drives containing sensitive military information on eBay. *

* What a U.S. military contractor evidently forgot to send out.

Throw this one into the “how not to manage security” file: Just this month, security researchers announced they’d located launch procedures for a U.S. missile air defense system on a hard drive bought off eBay. The drive, reports indicated, had detailed information about a system used to shoot down missiles in Iraq, along with security policies, facility blueprints, and the always popular list of employee Social Security numbers.

The drive has been tied to Lockheed Martin, which developed the aforementioned defense system. In its defense, though, other drives bought off eBay in the same sweep were found to contain bank medical records, business plans, and detailed information about bank accounts, among other things. So at least it has some company in the “d’oh!” department.

1. The U.K.’s Vanishing Disks. And Hard Drives. And Memory Sticks. And Computers.

Impressive as those feats are, there’s little question the U.K. takes the cake when it comes to dumb data mistakes over the past months. The nation’s top government number crunchers probably can’t even keep count of stupid slip-ups that have plagued various agencies. There were the lost laptops (45,000 citizens’ information exposed; 30,000 of them never notified), the lost CDs (3,000 workers’ data disappeared; information all unencrypted), the lost drivers’ data (3 million Department of Transport files misplaced), the lost military laptop (620,000 recruits’ info exposed), and the lost prison system memory stick (84,000 prisoners’ information set free). And that’s just the tip of the idiotic iceberg.

The BBC estimates the U.K. government fumbled about 4 million people’s personal information within a single year, from mid-2007 to mid-2008. It’s not just the small stuff, either: The government apparently was losing computers at a rate of one PC per week for a while, too, some analyses suggested.

TechARP.com, a Malaysian Web site that correctly named the ship date of Internet Explorer 8 earlier this year and leaked details of an upcoming free Windows 7 upgrade program for users who buy Vista PCs after July 1, said that Microsoft will publicly announce prices for Windows 7 in mid-June.

Although Microsoft has detailed the Windows 7 versions it will ship later this year, it has not set prices or a launch date for Vista’s successor.

A report last week by CNET cited a Dell product director as saying that the average price of Windows 7 would be higher than Vista, but did not go into specifics. “In tough economic times, I think it’s naive to believe that you can increase your prices on average and then still see a stronger swell than if you held prices flat or even lowered them,” Darrel Ward, director of product management for Dell’s business client product group, told CNET. “I can tell you that the licensing tiers at retail are more expensive than they were for Vista.”

According to TechARP, Microsoft set Windows 7 pricing for computer makers such as Dell several weeks ago. By now, Microsoft has also informed major retailers of the Windows 7 prices.

One analyst didn’t have any idea what Microsoft will charge for Windows 7, but was sure of one thing: Continuing economic problems put a very big monkey wrench in Microsoft’s plans. “It’s such a strange time that it’s hard to even speculate on prices,” said Michael Cherry, an analyst with Directions on Microsoft. “Everything has such a different feel to it because of the economic climate.”

In a way, Cherry said, he feels sorry for Microsoft. “Unfortunately, just when they’ve finally gotten a good Window product, a lot of consumers and businesses are sitting on their wallets,” he said.

What Microsoft may face, Cherry said, is apathy, no matter how many of the problems posed by Vista are solved by Windows 7. “When companies finish their evaluation of Windows 7, and decide that it’s technically feasible, then it has to go into the hopper with all the rest of the IT projects, where it has to be balanced against all the things that IT has to do.”

During tough times, when IT is being asked to do more with less, and consumers are holding on to their money, Cherry thinks it’s likely that a new operating system, especially one like Windows 7 that is essentially a stability and performance upgrade from Vista, will get shoved down, or even off, buyers’ to-do lists.

TechARP also claimed that Microsoft will be taking stock today with its biggest PC partners to find out whether they’re ready for the public launch of Windows 7. “It is expected that Microsoft will finalize [its] launch plans after these discussions,” the site said.

While Microsoft has only said that it will have Windows 7 ready in time for the 2009 holiday selling season, comparisons with launches of Windows XP and Vista put public availability at somewhere between October 11 and Nov. 4.

Imagine a software package that can stream just about any show to your Xbox 360, PlayStation 3, or, soon, Wii. Netflix? No problem. Major-network TV shows? Yep. Obscure stuff from Adult Swim? You name it, you can watch it. All you need is a PC and an Internet connection in the same house.

A little explanation: For years I had a pretty sweet setup. I crafted a media center PC, loaded with digital tuners, that serves as the hub in my house. It records all my shows, and it spits out whatever I want to watch over my home network to my Xboxes. Simple, clean, effective.

But over the past few months, I’ve found myself watching more of my shows online–be it on Hulu.com or countless other online sites (the legit ones, of course). I’ve already been weaning myself off of conventional TV viewing. But how do I clear the last hurdle–getting shows from that wacky Internet to a TV in my house–without piling on additional costs or ludicrous cable service charges?

That’s when I decided to give PlayOn a try. This software was in beta until late 2008, but it’s now live–and with enough kinks worked out, it’s at least worth the free 14-day trial download. First, the hardware check. Do you have:

Windows XP or Vista?
A 3.2GHz or better Pentium 4, a 2.0GHz or better Pentium M, or any multicore x86 processor?
512MB RAM?
4GB to 5GB of space on the same hard drive where Windows is installed?
Hey, I think that describes a spare laptop I bought two years ago!

Experts have struggled to tackle it, and they do not know who controls it or why it was created. But on Wednesday the virus, dubbed Conficker, will “call home” to its creator to seek new instructions. No one knows what will happen next.

“The biggest mystery about Conficker is why? What exactly is it that these bad guys are planning to do with it?” said Mikko Hypponen of the Finnish computer security company F-Secure.

In the past year, the virus has spread to computers in schools, hospitals and government departments. It has got into the defense forces of Britain, Germany and France, grounding the French Navy’s fighter jets for a time.

Microsoft has offered $250,000 for information about Conficker’s creator. An alliance of leading computer security experts and Internet governance groups has been set up to help to deal with the problem.

According to Jon DeVaan, the senior vice president responsible for Windows’ architecture and core components, the company changed User Account Control (UAC) in Windows 7 because data showed that users got ticked off when they were asked to deal with more than two UAC prompts in a day.

Responding to mounting criticism of the changes Microsoft has made to UAC for its still-in-development Windows 7, DeVaan said that the company studied how people reacted to the security feature, which debuted in 2007 with Windows Vista.

“In making our choice for the default setting for the Windows 7 beta, we monitored the behavior of two groups of regular people,” said DeVaan in a long entry to a company blog. “Half were set to ‘Notify me only when …’ and half to ‘Always Notify.’ We analyzed the results and attitudes of these people to inform our choice.”

The pain threshold, it turned out, was just two prompts in a session, which DeVaan defined as the time from turning the PC on to turning it off, or a day, whichever is shorter. “If people see more than two prompts in a session they feel that the prompts are irritating and interfering with their use of the computer,” DeVaan said.

That, in turn, led Microsoft to boost the number of UAC settings in Windows 7. In Vista, users could either turn UAC off or leave it on; Windows 7 adds “Notify me only when programs try to make changes to my computer,” and uses that as the default.

And therein lies the rub.

Some users and developers have questioned the default setting. Last week, a pair of Windows bloggers, Rafael Rivera and Long Zheng, published a simple proof-of-concept script that demonstrates how hackers can easily disable UAC entirely without the user being the wiser. Their recommendation is to reset Windows 7′s UAC to the highest level of warning, “Always notify me when,” which is essentially mimics the behavior of the security feature in Vista.

Although DeVaan stopped short of saying Microsoft would not modify the default setting for UAC in Windows, he hinted that it would stick to its guns. “We are very happy with the positive feedback we have received about UAC,” he said today.

That confirms what a company spokesman said yesterday, that Microsoft would not roll back UAC to the more persistent prompting found in Vista. “No, Microsoft has not reverted Windows 7 UAC’s behavior to mimic Windows Vista,” the spokesman said when asked to clarify a fix the company said it has made to another reported problem in UAC.
John Pescatore, an analyst at Gartner Inc., said he wouldn’t fault Microsoft for making the change and sticking to it. “UAC in Vista was universally hated,” he said. In fact, Microsoft’s biggest operating system rival, Apple Inc., used that dislike to poke fun at Vista in its television advertising campaign.

“From a usability standpoint, no one was happy. And from a security standpoint, no one was happy either, because we knew that people get ‘click fatigue,’” Pescatore continued, referring to users who grow tired of answering prompts, or give those prompts short shrift. “Everyone hated it.”

By toning down UAC, Microsoft is making Windows behave more like Apple’s Mac OS X, said Pescatore. Mac OS X prompts users for an administrative password for some tasks, primarily before allowing a program’s to install. “What Microsoft’s doing here is not far from what the Macintosh does,” he said.

Rivera, however, took exception to DeVaan’s reasoning about why Microsoft doesn’t consider the UAC problem a security vulnerability. “I’m concerned Microsoft is relying too heavily on external security mechanisms in Windows 7,” he said via instant messaging Thursday. “With UAC weaker in Windows 7, I feel as if we’ve regressed back to having only a single layer of security. Once a border application becomes comprised by Windows 7-targeted malware, it’s game over.”

DeVaan, on the other hand, dismissed the concerns of Rivera, Zheng and others, saying that the default setting of UAC does not constitute a “security vulnerability” because “the reports have not shown a way for malware to get onto the machine in the first place without express consent.” He then went on to argue that UAC is not a “security boundary” in Windows.

But in an interview yesterday about problems with UAC’s “auto-elevate” — the technique Microsoft used to decrease the number of prompts — Rivera said: “I understand ‘something else’ has to be breached,” he said. “I hear Microsoft loud and clear here. The problem I have is that in Windows 7, a user can have malware that can break its [standard user] confinement to do administrative-level damage to the machine.”

Firms, including Microsoft Corp., Symantec Corp. and VeriSign Inc., have joined ICANN, the nonprofit group that manages the Internet Domain Name System, to preemptively register and remove from circulation the Internet addresses that the worm’s controllers use to maintain their hold on infected machines, said Gerry Egan, director of product management in Symantec’s security response group.

Separately, Microsoft has offered a $250,000 reward for information that results in the arrest and conviction of the hackers who created and launched the worm.

Although Microsoft launched its hacker bounty program in 2003, it has rarely used the $5 million it set aside at the time. The last time it offered a reward was in 2004, when it posted a quarter-million-dollar bounty on the maker of the Sasser worm. A German teenager was arrested in May 2004 and charged with creating Sasser. The following year, Microsoft paid out the reward to two people who helped identify the hacker.

Perhaps not coincidentally, security researchers — including those at Symantec — have recently drawn comparisons between Sasser and Downadup, which also goes by the name “Conficker.” Much of those comparisons relate to the size of the current attack, as well as the fact that the worm targets a wide-scale Microsoft vulnerability.

To stymie Downadup, the coalition plans to either pre-register or remove from circulation as many of the 250 different domains that the worm uses as possible, said Egan. “We’re working with the domain registrars to take them out,” he said. “It’s a combination of registering the domains and removing them from circulation.”

Once it has infected a PC, Downadup generates a list of 250 possible domains — the list changes daily — selects one, then uses that URL to reach a malicious server from which it downloads additional malware to install on the hijacked computer. Symantec and other security vendors, including Helsinki, Finland-based F-Secure Corp., have been preemptively registering some of those domains for weeks. They have then monitored the domains to get an idea of the worm’s back-end processes and to track its spread.
Symantec has used that approach to gauge the current strength of the worm. According to Egan, over the last five days, Symantec has monitored an average of 453,000 different IP addresses infected a day with Downadup.a, the original November version, and 1.74 million more IP addresses infected a day with Downadup.b, the more virulent variant that debuted in late December 2008.

Together, the two versions have infected an average of nearly 2.2 million PCs daily.

Egan declined to say whether the group would be able to completely disable the worm’s control mechanism, but said the consortium’s formation does not mean that researchers have new information about what malicious tasks the infected PCs might be told to perform. “We have no indication of its purpose as of yet,” he said.

Even so, Symantec sounded worried.

“The millions of systems infected by Downadup pose a risk to Internet users as well as to the infrastructure of the Internet,” the company said in a long post to its security blog. “Under the control of attackers, the millions of infected systems could be used to launch distributed denial-of-service attacks against specific users or organizations, crippling their ability to function on the Internet. Additionally, the infected systems could be used to deploy further threats, such as seeding a new worm that targets a more recent or undisclosed vulnerability.”

Last month, Microsoft refreshed its Malicious Software Removal Tool (MSRT), an anti-malware utility that cleans infected Windows PCs, with a signature for Downadup. Microsoft rarely reacts with a new MSRT signature as fast as it did in January.

The company has not responded to a questions about how many PCs the MSRT has scrubbed of Downadup.

While Downadup uses several attack strategies — including using USB storage devices, such as flash drives, to spread — one of its primary infection vectors is by exploiting a Microsoft vulnerability that the company patched with an “out-of-cycle” update in late October 2008.

The lawsuit, submitted to a Seattle federal court last Wednesday, stems from the $59.25 fee that a California woman was charged in mid-2008 when she bought a Lenovo laptop and downgraded from Vista to XP.

“Microsoft does not charge or receive any additional royalty if a customer exercises those [downgrade] rights,” said Microsoft spokesman David Bowermaster in an e-mail late last week. “Some customers may choose or need to obtain media or installation services from third parties to install the downgrade version.”

In fact, it’s computer makers, not Microsoft per se, who charge users the additional fees for downgrading a new PC from Vista to XP at the factory. Dell Inc., for example, adds an extra $20 to the price to downgrade a PC.

Microsoft, however, may profit from the way it structures downgrade rights. Only buyers of PCs with pre-installed editions of Vista Business and Vista Ultimate can downgrade, and then only to Windows XP Professional. All three editions are higher-priced versions of their respective lines, a fact that the lawsuit mentioned in passing.

“Customers have been forced to purchase the most expensive version of [Windows XP] in order to ‘downgrade’ from the Windows Vista operating system,” the complaint read.

That was the cause of some confusion last year, when Dell Inc. was accused of gouging customers by charging $150 to downgrade a new computer to XP. Dell, however, countered that although it did charge $20 to install XP on the machine, as well as to cover the cost of the additional media, the bulk — $120 of the $150 — was the price of upgrading the PC from the standard Home Premium to the more expensive Business edition.

Microsoft does not offer downgrade rights with its Vista Home Premium, the most popular of Vista’s editions.

“Microsoft mandates that customers who want to downgrade to XP must purchase the license to Vista Business or Vista Ultimate,” said Dell spokesman David Frink last December. “[That's] typically about a $130 premium, though some retail outlets charge more.”

“Downgrade” describes the Windows licensing rights that Microsoft gives users, who are allowed under some circumstances to replace newer versions of Windows with an older edition without having to pay for another license. The practice became popular last year when users, unhappy with Vista’s performance on the new PCs they bought, instead sought ways to run the leaner XP.

The lawsuit, filed by Los Angeles resident Emma Alvarado, charged Microsoft with multiple violations of Washington state’s unfair business practices and consumer protection laws through its policy of barring computer makers from continuing to offer XP on new PCs after Vista’s early-2007 launch. She claimed Microsoft’s practice resulted in customers paying more for XP than they otherwise would. “They have been forced to pay substantially more to acquire the Windows XP operating system than they would have to pay in a competitive marketplace,” the suit said.

Alvarado also named 100 “John Doe” co-defendants. “[They] are the persons, firms and corporations who have participated with Microsoft in the wrongdoings complained of and performed acts and made statements in furtherance thereof,” the lawsuit read. “The Doe Defendants acts as co-conspirators and aided and abetted, or participated with, Microsoft in the commission of wrongful acts.”

Bowermaster claimed that Microsoft had no downgrade program as such. “Microsoft does not have a downgrade program. It does offer downgrade rights as part of some Windows Vista licenses, including Windows Vista Business purchased through the OEM channel.” That, however, belies the fact that Microsoft has regularly offered downgrade rights to users. When it released Windows XP in 2001, it allowed people who had XP licenses to downgrade to Windows 2000, Windows NT 4.0 or Windows 98, according to Gartner analyst Michael Silver.