ZenNews adds some weight to RSS news feeds

Zensify has a bone to pick with the way mobile devices make you read the news. That's all well and good, says Zensify chief technology officer Tom Campbell, but it doesn't provide much in the way of context: which stories are important and which ones people are talking about. Most RSS apps for the iPhone give you a chronological list of headlines, with the most recently posted stories listed first. Enter ZenNews, the latest iPhone app from Zensify.

It also incorporates the Twitter micro-blogging service to boost the weighting of stories that users are tweeting about. The app not only aggregates news headlines, but relies on analytics technology to highlight stories that are likely of greatest importance to the user. "It's a way to make news discovery more accessible to a mass market," Campbell told Macworld. "With a few swipes of your thumb, you can discover what's news and what people are tweeting about." ZenNews uses the same technology as the company's Zensify social network aggregator to pull stories from its source list, index them, and weight them. All of this happens in real time, so the stories that appear on ZenNews can change from moment to moment. A visual cloud tag of topics, where more heavily weighted stories get prominent play. The result?

You can drill down through the tag cloud as well: if a tag has more than five stories, a tap brings up a second group of tags associated with that story. Zensify believes that the abstract should give users enough of an overview for each story, but you can tap on the abstract to read the full version in an embedded browser. Tapping the "obama" tag, for example, calls up tags like "nobel," "orleans," and "pakistan." ZenNews also offers a list view that provides a headline and abstract of each story tag. Buttons within the browser let you share the story by Twitter or e-mail. Swiping from side to side takes you from the aggregated view of the ZenNews page to the tag clouds for the individual sources. ZenNews ships with 12 sources, including the BBC, New York Times, Washington Post, Al Jazeera, and others.

That gives users a chance to compare the coverage of a story from source to source, Campbell says. (Al Jazeera has precious little to say about Thursday evening's Phillies-Dodgers game, for example.) The developer promises to add three other sources to ZenNews: The Australian, China View, and Ha'Aretz. In addition to viewing stories by source, you can also sort by category. But users who want to add their own news feeds are out of luck, at least with this version. "We wanted an application that you didn't have to configure out of the box," said Campbell, adding that some customization could be introduced in future updates. ZenNews offers 13 categories in all, from Art to World news. Ultimately, Zensify plans to use the features showcased in consumer apps like ZenNews to build custom business-to-business products that deliver business intelligence about a company's products, industry, and competitors. ZenNews is a free App Store download that runs on any iPhone or iPod touch with the iPhone 2.1 software update.

Microsoft passes its first SAML 2.0 interoperability test

Microsoft's federated identity platform passed its first SAML 2.0 interoperability test with favorable marks, signaling the end to the vendor's standoff against the protocol. The eight-week, multivendor interoperability workout conducted by the Liberty Alliance and the Kantara Initiative also resulted in passing marks for two other first-time entrants – SAP and Siemens. Results were announced Wednesday. "The Liberty Interoperable testing was a great opportunity to verify that Active Directory Federation Services (AD FS) 2.0 is interoperable with others' SAML 2.0 implementations. Return testers Entrust, IBM, Novell and Ping Identity also passed. This should give our customers confidence that their federation deployments using ADFS will 'just work,'" says Conrad Bayer, product unit manager for federated identity at Microsoft.

The company previously supported the SAML token, but never the transport profiles of the protocol. "It is significant that Microsoft participated given their previous stance on the SAML protocol," says Gerry Gebel, an analyst with the Burton Group. "For the first product version that supports SAML, they have covered the core bases." Microsoft's interoperability testing focused on SAML's Service Provider Lite, Identity Provider Lite and eGovernment profiles. In the past, Microsoft has been dismissive of the Security Assertion Markup Language (SAML), a standard protocol for exchanging authentication and authorization data between and among security checkpoints, preferring the WS-Federation and other protocols it helped develop. The company says it plans to support other SAML profiles based on demand. In addition, it was the first test to include an international group to test the eGovernment SAML 2.0 profile v1.5. The test featured the United States, New Zealand and Denmark. "The fact that we were able to put so many new implementations through a full matrix, rigorous interoperability test speaks to the maturity of the SAML 2 protocol," says Brett McDowell, executive director of the Kantara Initiative. "And it is not just implementation; there is a tremendous amount of deployments." "Full matrix" testing means all participants must test against each other. The interoperability event featured the largest group of participants ever for the testing, which has been run twice previously.

The test was conducted over the Internet from points around the globe using real-world scenarios between service providers and identity providers as defined by the SAML 2.0 specification. ADFS 2.0 is part of a larger identity platform that includes Windows Identity Foundation and Windows Cardspace. Microsoft participated in the testing with Active Directory Federation Services 2.0 (formerly code-named Geneva), which is slated to ship later this year. Microsoft said earlier this year it would have SAML 2.0 certification before it released Geneva. ADFS 2.0 provides identity information and serves as a Security Token Service (STS), a transformation engine that is key to Microsoft's identity architecture. The SAML profiles ADFS 2.0 supports cover the core features of federation.

ADFS lets companies extend Active Directory to create single sign-on between local network resources and cloud services. The issue was noted in a report by the Drummond Group, which conducted the testing, and centered on long URL values mostly when encryption was enabled during specific operations. It wasn't all smooth sailing for Microsoft, however, as some participants reported problems using Internet Explorer 6.0 and 7.0 for SAML single sign-on, which is primarily a Web browser action. Internet Explorer does not accept URLs longer than 2,083 characters. Microsoft tested against IE 8 and Firefox 3.5.2. While Microsoft's participation was an important milestone for the advancement of SAML, McDowell says the current testing is significant on other fronts.

Testers got around the issue by using other browsers. The test marks a transition with the Kantara Initiative now taking over future tests. The level of cooperation between governments will serve as a model for other industries, he says. The group will adopt the Liberty Alliance testing methods and expand the scope of tests to include other protocols in addition to SAML. And it will build off the eGovernment profile testing as new profiles for other vertical markets, including healthcare and telecommunications, are developed. "Having countries come together and agree on a deployment profile, that is not to be understated," McDowell says. In addition, next year Kantara will pick two other protocols to test from a list made up of WS-Security, Information Card, Identity Metasystem Interoperability, OAuth and XRD. Kantara also will take cues from Project Concordia and eventually begin to test cross-protocol interoperability.

Follow John on Twitter. The next Kantara interoperability test is slated for next year.

Google Makes It Easier for News Sites to Opt-out

In what will be seen as a concession to media baron Rupert Murdoch, Google has made it easier for news sites, such as those Murdoch controls, to opt out of Google News. Murdoch has previously threatened to take News Corp. content, including the Times of London, and the Australian, off Google when at some point in the future they become paid sites. Where they used to have to fill out an online form to opt out of Google's news aggregation site, publishers will soon have a means to opt out or set other options automatically, using a small file placed on their sites.

His Wall Street Journal and Barron's are already largely subscription-based. As for the aggregators, "these people are not investing in journalism," Murdoch said. "They're feeding off the hard-earned efforts and investments of others." "To be impolite, it's theft," he added. On Tuesday, Murdoch told a U.S. Federal Trade Commission hearing that "there is no such thing as free news" and reiterated his statement that News Corp. sites would move to a paid model. His remarks targeting Google prompted Huffington Post founder Arianna Huffington to respond that "aggregation is part of the Web's DNA" and that old media needs to "get real." Murdoch has also reportedly been in talks with Microsoft that would result in News Corp. content being removed from Google and enhanced on Microsoft's Bing, which would pay News Corp. a fee in return for exclusivity. Google, which also attended the FTC meeting, made its announcement Tuesday in a blog post outlining extensions to the Robots Exclusion Protocol, already used to prevent Google and other search engines from indexing Web sites.

Recent reports, however, say the talks have been overplayed in the media. The extensions will give publishers control over how their sites are treated by Google News. "Now, with the news-specific crawler, if a publisher wants to opt out of Google News, they don't even have to contact us - they can put instructions just for user-agent Googlebot-News in the same robots.txt file they have today," wrote Google's Josh Cohen in the post. They'll also be able to apply the full range of REP directives just to Google News. Robots.txt is a small file that developers can place in the root directory of their Web sites that contains the Robots Exclusion Protocol commands. "In addition, once this change is fully in place, it will allow publishers to do more than just allow/disallow access to Google News. Want to block images from Google News, but not from Web Search? Want to include snippets in Google News, but not in Web Search?

Go ahead. Feel free. It's not likely most users will notice any difference as a result of the change, unless a large number of publishers decide to abandon Google News and the estimated 1 billion clicks-a-month it generates for participating publishers (including PC World). "Most people put their content on the web because they want it to be found, so very few choose to exclude their material from Google. All this will soon be possible with the same standard protocol that is REP," Cohen added. But we respect publishers' wishes.

We're excited about this change and will start rolling it out today," Cohen said in concluding his post announcing the change. If publishers don't want their websites to appear in web search results or in Google News, we want to give them easy ways to remove it. David Coursey has been writing about technology products and companies for more than 25 years. He tweets as @techinciter and may be contacted via his Web site.

Hijacked Web sites attack visitors

Here's the scenario: Attackers compromise a major brand's Web site. The issue goes unnoticed until it's exposed publicly. But instead of stealing customer records, the attacker installs malware that infects the computers of thousands of visitors to the site. Such attacks are a common occurrence, but most fly under the radar because the users never know that a trusted Web site infected them, says Brian Dye, senior director of product management at Symantec Corp.

But word can get out, leaving the Web site's customers feeling betrayed, and seriously damaging a brand's reputation. When his company tracks down the source of such infections, it often quietly notifies the Web site owner. Attackers, often organized crime rings, gain entry using techniques such as cross-site scripting, SQL injection and remote file-inclusion attacks, then install malicious code on the Web server that lets them get access to the end users doing business with the site. "They're co-opting machines that can be part of botnets that send phishing e-mail, that are landing sites for traffic diversion and that host malware," says Frederick Felman, chief marketing officer at MarkMonitor. That possibility is one of Lynn Goodendorf's biggest worries as global head of data privacy at InterContinental Hotels Group. "I worry about attacks that use a combination of malware and botnets," she says, adding that she has watched this type of activity increase steadily over the past two years. "That's very scary," says Goodendorf. But because the business's Web site isn't directly affected, the administrators of most infected Web sites don't even know it's happening. Most victims haven't associated such attacks with the Web sites that inadvertently infected them.

The latest versions of Microsoft's Internet Explorer browser and Google's search engine detect sites infected with malware, issue a warning and block access to the site. "To me, this is serious online brand damage," says Gartner analyst John Pescatore, and it can be disastrous for small and midsize businesses that totally depend on search engine traffic. But that may be changing. The next frontier, says Dye, may be attackers who use these types of exploits against the Web sites of high-profile brands and then publicize - or threaten to publicize - what happened. But Pescatore sees a more fundamental problem: rushing through Web site updates and ignoring development best practices designed to promote security. Preventing attacks like SQL injections requires using enterprise-class security tools, such as intrusion-prevention and -detection systems, with a focus on behavioral analysis to spot attacks, Dye says.

Most organizations follow formal processes for major upgrades, but not for the constant "tinkering" that takes place. The result: Vulnerabilities creep into the code. "Security groups often are forced to put Web application firewalls in front of Web servers to shield [these] vulnerabilities from attack," says Pescatore.

Five Tips to Shop Black Friday and Cyber Monday Securely

This Friday is Black Friday, officially kicking off the 2009 holiday shopping season. Here are five tips to help you shop online securely. 1. Start with the Basics. Online attackers and malware developers know how to capitalize on current events, and the rush to find great holiday bargains offers a prime opportunity to exploit eager shoppers.

I realize that it seems redundant and cliché, but the first step in protecting yourself and your computer this holiday season is to make sure your computer is patched and secure. Make sure you have applied any applicable patches and updates for your operating system and Web browser in particular. Erin Earley, from Swedish anti-spyware company Lavasoft, says "Look for the padlock icon or a URL that starts with https://. That means your transaction is encrypted." When you are shopping at big name sites like BestBuy.com or Target.com there is less need for concern. Also, ensure you have antivirus and antispyware protection installed and running and that they are up to date. 2. Shop on Secure Sites. However, the quest for holiday bargains often extends beyond major retail chains to more obscure sites. 3. Control Your Credit. If you follow the first tip you will greatly decrease the chances of this happening, but some shoppers are still apprehensive.

One of the biggest concerns with online shopping is the possibility of an attacker intercepting your credit card details and maxing out your credit. There are a couple of alternatives you can use to shop online and protect your credit at the same time. Fred Touchette, a senior security analyst with AppRiver points out that one of the most popular holiday scams is to lure consumers with fake holiday bargains. Lavasoft's Earley suggests "If you're hesitant to enter your credit card details online, consider using a separate credit card, or use an "e-card" solution that gives you the ability to create a temporary card number to be used just once or with a spending limit." 4. Fake Holiday Bargains. Attackers are especially likely to focus on the most popular and hard-to-find items since those are more likely to catch the attention of desperate consumers.

He suggests that you "always do your research. Touchette says the fake product scams are typically promoted via spam email. If you don't recognize a company, don't order anything from them until you're sure they really exist." 5. Bank / PayPal Phishing. Attackers know this and know how to capitalize on it. With the huge spike in shopping for the holiday season it's almost a sure thing that you've made a purchase with a credit card somewhere, either online or in real life at a brick and mortar retail establishment.

AppRiver lists both bank phishing attacks and PayPal (or eBay) phishing attacks on its list of the top holiday shopping scams. Touchette further recommends "Avoid following links that are provided for you in an email, especially if you are unsure of the sender. Watch out for poor spelling or grammar, signs that virtually ensure the message is fake, and remember that your financial institution will never ask you for personal information, account information, or passwords via email. A frequent trick from spammers during the holidays is a link to a fake eBay or PayPal log-in page. Black Friday has been stretched into Black November and retailers look like they will be aggressively promoting holiday bargains throughout the holiday season, not just this Friday. Rather than follow links in emails, type it directly into your browser." I don't know if it's just me, but it seems that holiday shopping has reached a frenzy early this year.

Follow these tips to make sure your online holiday shopping goes smoothly and you can enjoy your holidays in peace. Tony Bradley tweets as @PCSecurityNews, and can be contacted at his Facebook page.