Saturday, September 22, 2012

Oracle database flaw deemed serious, could expose data

CSO by Antone Gonsalves

Some Oracle databases have what experts say is a serious flaw in the login system that a hacker can use to retrieve and change stored data.
The flaw, in Oracle Database 11g Releases 1 and 2, leaves the token that is provided by the server before authentication is completed open to a brute-force attack, said Esteban Martinez Fayo, the Application Security researcher who discovered the flaw. If successful, an attacker can gain access to the database.
"An authentication bypass is quite serious," Kevin Mitnick, a well-known white-hat hacker and founder of Mitnick Security Consulting, said in an email. "Basically, an attacker can get to the data stored in the database, and even change it."
The vulnerability stems from the way the authentication protocol protects session keys. When a client connects to the database server, a session key is sent with a salt. Because this happens before the authentication process is finished, a hacker working remotely can link the key to a specific password hash.
"Once the attacker has a session key and a salt, the attacker can perform a brute-force attack on the session key by trying millions of passwords per second until the correct one is found," Fayo told Kaspersky Lab's Threatpost blog.
Because the hack occurs before authentication is done, no login failure is recorded in the server, so a person can gain access without triggering an abnormal event.
Oracle, which did not respond to a request for comment, patched the flaw in the latest upgrade of the authentication protocol, version 12. However, the company is not planning a patch for the flawed version, 11.1, Fayo said. Even with the upgrade, database administrators have to configure the server to only allow the new version of the protocol.
Because the fix requires an upgrade, the vulnerability will hound some Oracle customers for years, said Justin Clarke, a security researcher at Cylance.
"There are many large companies and critical infrastructure agencies which cannot afford the time or risk to upgrade all their Oracle clients and servers," Clarke said. "I can say with near certainty that we will see this vulnerability as long as Oracle 11g remains in use."
Previous flaws in Oracle's authentication protocol have been a well-kept secret in the security industry, Clarke said. "It's great to see that issues like this are being discussed publicly, and I hope that this helps serve as a wake-up call for Oracle and its users to dig deeper and assess the actual strength of systems."
Brent Huston, chief executive of security testing company MicroSolved, said even if a company prevents Internet access to a vulnerable database, the data is still at risk of an attack from the inside.
"Oracle's choice to lock this patch to an upgrade really forces the hand of those organizations with longer technology refresh periods and puts a lot of strain on the trust relationships they have with Oracle as a vendor," Huston said in an email.
Because of the vulnerability, customers that haven't upgraded their databases will have to implement some form of protection, particularly if they are subject to oversight by regulators, Huston said.
Fayo discovered the vulnerability after noticing that the client and server handled logins with incorrect passwords differently. A closer examination led to the discovery.
Fayo discussed the vulnerability Thursday at the Ekoparty Security Conference.
Oracle has battled with database flaws in the past. In January, InfoWorld uncovered a manual method to change the system change number (SCN), which could break the database. The SCN is a kind of time stamp for every transaction. If a database reaches its transaction limit, it could stop working properly.

Apple seeks another $707 million in damages from Samsung

Sep 22, 2012 11:24 am | IDG News Service


A California jury may have awarded Apple more than US$1 billion in damages in late August when it triumphed over Samsung in a hard-fought case over smartphone and tablet patents, but the iPhone maker is coming back for more: late on Friday it asked for additional damages of $707 million.
The request includes an enhanced award of $535 million for willful violation of Apple's designs and patents, as well as about $172 million in supplemental damages based on the fact that the original damages were calculated on Samsung's sales through June 30. Apple wants the supplemental amount to cover the period from July 1 through the date when the case is resolved, which it estimated as December 31, 2012.
In its filing with the U.S. District Court for the Northern District of California Apple also said that if the court decides to review the damage award based on a challenge from Samsung, it also wants an additional $155.8 million for five infringing products where the jury awarded less than the minimum amount calculated by Samsung's damages expert.
Apple also wants either a new trial or amended judgments finding that the iPad and iPad2 design is protected and is infringed by Samsung's Galaxy Tab 10.1, and that a wide range of Samsung phones infringe on Apple patents or trade dress.


Microsoft patches critical Flash bugs in Windows 8


Sep 22, 2012 09:51 am | Computerworld
Updates IE10's integrated Flash Player with fixes to block ongoing hacker attacks 

by Gregg Keizer

Microsoft on Friday updated Flash on Windows 8 to protect IE10 users from attacks that may have started months ago.
More than a week before, Microsoft had backed away from an earlier position that held it would not patch Flash until late October. Instead, the company promised to update the media player "shortly."
Microsoft, not Adobe, is responsible for patching Flash Player in Windows 8 because the company mimicked Google's Chrome by building the software into IE10, the new operating system's browser. Microsoft announced that move in late May, when its top IE executive, Dean Hachamovitch, said, "By updating Flash through Windows Update, like IE, we make security more convenient for customers."
But the Redmond, Wash. developer ran into trouble from the get-go. Although Adobe shipped a pair of security updates in August that patched eight vulnerabilities, Windows 8 RTM, the finished code that began reaching users that same month, lacked those fixes.
One of the eight Flash bugs has been exploited by hackers, perhaps for months. An elite hacker gang known for finding and leveraging unpatched vulnerabilities has been among those hijacking Windows PCs with the flaw.
Friday's Flash update will be offered to Windows 8 RTM, and to the final public beta, Windows 8 Release Preview. That sneak peek, which users downloaded free of charge, does not expire until Jan. 31, 2013.
Computerworld confirmed that the update boosted IE10's Flash Player to version 11.3.374.7 on Windows 8 RTM. On Friday, Adobe confirmed that that edition contained the patches for the eight vulnerabilities it patched Aug. 14 and Aug. 21.
Yunsun Wee, director of Microsoft's Trustworthy Computing team, also clarified how the company will treat future Flash updates for IE10 in Windows 8.
"On a quarterly basis when Adobe normally issues Flash Player updates, we will coordinate on disclosure and release timing," pledged Wee.
Her reference to an Adobe quarterly Flash schedule was odd; although Adobe tries to adhere to a regular cadence for Adobe Reader -- not always successfully -- it has never set something similar for Flash Player.
Thus far during 2012, in fact, Adobe has issued seven Flash updates: One in February; two in March; one each in May and June; and two in August. If Adobe is adopting a quarterly patch process for Flash Player, it has kept that under wraps.
Wee also admitted that Microsoft will need to deliver "out-of-band" updates -- those outside its usual monthly Patch Tuesday -- to keep IE10's and Windows 8's Flash in sync with the Flash plug-ins Adobe maintains for other browsers.
"When the threat landscape requires action outside of Adobe's normal update cadence, ...we will issue updates outside of our regular monthly security bulletin release," Wee said in a Friday post to the Microsoft Security Response Center's blog.
Those out-of-band Flash updates could quickly pile up. If Windows 8 had been available from the start of 2012, in the best circumstances Microsoft would still have had to deliver emergency Flash updates in February, March and August.
Even then, Microsoft would have had to hustle to work the other four Flash updates into its next Patch Tuesday: In one instance, Flash was updated on Patch Tuesday, while in two others, Microsoft would have had just four days to prepare. The fourth Flash update was released eight days before the next Patch Tuesday.
More information on the Flash Update to IE10 and Windows 8 can be found in Microsoft's security advisory.
Windows 8 users can obtain the Flash update via the Windows Update service, as well as through the enterprise-grade WSUS (Windows Server Update Services).
Microsoft's made good on a Sept. 11 promise to patch Windows 8's baked-in Flash Player.
Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer, on Google+ or subscribe to Gregg's RSS feed. His email address is gkeizer@computerworld.com.

Friday, September 21, 2012

Anonymous spokesman's YouTube meltdown led to arrest


Sep 21, 2012 09:24 am | CSO
by Taylor Armerding

If anybody was surprised at the arrest in Dallas last week of Barrett Brown, self-described sometime spokesman for the hacktivist group Anonymous, it should not have been Brown himself.
He practically invited it. A three-part, 43-plus minute rant posted on YouTube on Sept. 11 and 12 included a threat to "shoot ... and kill" any armed government officials who sought to arrest him -- "especially the FBI."
"Dallas Sheriff's Department spokeswoman Carmen Castro told The Dallas Morning News Brown was arrested Wednesday night and 'released over to the FBI' in the morning," UPI.com reported last week.
Very few in the security community would comment on the arrest for the record, most saying they did not want the headache of becoming a target of Anonymous.
One of the few who did was Robert Stacy McCain, who wrote on his website, The Other McCain, that "a lot of the Anonymous people never trusted Barrett Brown, regarding him as an untrustworthy egomaniacal fame-seeker trying to cash in."
"He did a TV interview with Michael Isikoff of NBC and announced a book deal with Gregg Housh, and did all of this while promoting himself as the official spokesman for Anonymous, whose members are ... well, anonymous, and with good reason, because the cops would very much like to put a lot of them in prison," McCain wrote.
McCain wrote that after the FBI raided Brown in March, but did not arrest him, other members of Anonymous suspected he might be cooperating with the agency. Of the latest video, he wrote: "Being a paranoid conspiracy theorist is not illegal, and Brown's tinfoil-hat rantings about (various enemies) were just so much noise. But his threats to 'destroy' FBI agent Robert Smith? Yeah, the feds don't take that kind of talk lightly."
Joel Harding, a retired military intelligence officer and information operations expert, would say only that, "Anyone who threatens the FBI, I question their judgment."
And their desire to avoid that possibility was validated by last week's posting by Anonymous offshoot Anti-Sec of a text file on Pastie containing the names, street addresses, credit card numbers and other information of what appears to be a random series of 13 government employees around the country, ranging from military service personnel to a Department of Justice employee.
TPM reported that it had "verified that several of the phone numbers and other information contained in the text file were authentic and spoke with several victims of the hack, who were not previously aware that their information had been posted online and were confused as to why they were being targeted, having no knowledge of Brown or his arrest."
But behind the relative anonymity of comments on the YouTube video page were some critics who were a bit more outspoken. Noting Brown's semi-coherent monologue, sometimes featuring manic, table-pounding obscenities and other times uncontrollable giggling, a viewer called "Vicious Latina" observed, "This is your brain on drugs."
Brown acknowledged several times during the video his addiction to opiates, including heroin, and at one point called himself a "weird junkie."
But his major theme was that he was a victim of criminal actions by the FBI and various collaborators, and was going to take revenge in kind. He catalogued a list of grievances against the agency and various alleged informants who he claimed have been involved in a "criminal conspiracy" that has put his and members of his family's lives in danger.
Then, in an escalating series of threats, Brown first said of FBI agent Robert Smith that he would "ruin his life and look into his [expletive] kids." Brown said it would all be legal because, "Aaron Barr did the same thing [to me] and he didn't get raided for it."
Barr is a former CEO of HBGary Federal, a now-defunct firm whose email account was hacked by Anonymous in February.
Brown said he had worked with "several Mexican Anons" about a year ago in an operation called OpCartel, which he said led to speculation that he might be killed by Los Zetas, a violent criminal drug syndicate in Mexico.
After Los Zetas kidnapped a member of Anonymous, Brown claimed he had the names of 75 Zeta collaborators, which he threatened to release to the press unless the Anonymous member was set free.
In the video, Brown accused FBI informants, some of whom he said were ex-military, or military contractors, of posting pictures and the addresses of houses where he used to live, with taglines saying, "this is for the Zetas."
Jay Leiderman, an attorney at the Ventura, Calif. law firm Leiderman Devine LLP, who has represented Brown in the past, said while he had not seen the images of Brown's residences, his understanding was that they were "out there," thanks to FBI collaborators including the former LulzSec leader "Sabu," whose name is Hector Xavier Monsegur, and who had reportedly been cooperating with the FBI after his arrest in the summer of 2011.
At some point, Brown said, his actual address was posted, again with the suggestion that it was to help Los Zetas find him. In response, he said he was concerned that Los Zetas might show up at his house posing as U.S. government or FBI officials.
"As such," he said, "any armed officials of the U.S. government, particularly the FBI, will be regarded as Zeta assassin squads. They know that I'm armed, that I come from a military family, that I was taught to shoot ... I will shoot all of them and kill them if they come, because they are involved in a criminal conspiracy and I have reason to fear for my life."
Some viewers in the comments section treated that claim with scorn. "Adrian Katterfelto" wrote, "Los Zetas have no interest in Barrett Brown. He's not a threat to them. He's not even a blip on their radar. If they had wanted him dead, we wouldn't be watching this video. Or it would be a very different kind of video. And they wouldn't need to send someone up from Mexico either, because they're already here."
But Brown had supporters as well. "Asilentfire" wrote, "What's [expletive] is how these comments try to make him look like the enemy, when we need to WAKE UP and see that he is on our side fighting for our freedoms. Can't you people see that our last line of defense against a total NWO takeover is being silenced?"
Anti-Sec, in its retaliatory posting, led with: "Barrett Brown, our controversial hated/loved friend (doesnt matter what kind of [expletive] he does, he's still one of us) seems to have been v&'d ... again."
"Hhahahaha. then try to come and convince us that FBI is not mad as hell at us. remember there's always another behind behind the behind. if u dont want to trust us, it's ok, you shouldn't. but dont be dumb and at least to not realise something here is kinda fishy currently. (tip: prepare yourself to hear anonymous is linked to al-qaeda or something). so well, we think Barrett deserves at least we bring some kind of retaliation for this FBI (expletive) against him," Anti-Sec wrote.
Brown also issued an ultimatum to the FBI to return a laptop and other property taken from him during the raid in early March, in which the agency searched both his apartment and his mother's home, where he was staying at the time. Brown said the FBI also took his mother's laptop.
Brown was not charged in connection with that raid, and he demanded that his property be returned within two weeks or he would "release some stuff that's on there, and they don't know what I have access to that I have copies of that's on there."
Jay Leiderman said that since the laptop had been seized pursuant to a warrant, it would take approval by the court to have it released. Leiderman said Brown is still in custody since his arrest last week, pending trial.
Brown also demanded an apology from Smith and an alleged informant, both for taking his property and for "threatening my [expletive] mother with obstruction of justice."
However, Brown's arrest last week was apparently without incident. That will crimp, or at least delay, another threat he made.
He said Agent Smith had referred to him during the March raid as "the bad guy." So, he said, he would prove it in the coming months, "using the court system, using the media, using my group Project PM which has always been, secretly to some extent, created for the purpose of wiping out this (expletive) government and certain media institutions, and through other means at my disposal, some of which are known, some of which are known to a few and some of which are still secret."
Leiderman, while he is not representing Brown in the current case, said he doesn't think the threats Brown made on the video were serious. He said it was "fair" to conclude that Brown may have been under the influence of some of his admitted addictions.
"I wish they had stepped back a bit and thought about it, before going in with guns blazing," he said.

Researchers hack iPhone, steal data


Sep 21, 2012 09:24 am | CSO
by Antone Gonsalves

Researchers have broken into an iPhone 4S running the latest version of Apple iOS, making it possible to exploit the same vulnerability in the iPhone 5 that is set for release on Friday.
The white-hat hackers Joost Pol and Daan Keuper showed how they were able to steal contacts, browsing history, photos and videos to win $30,000 in the mobile Pwn2Own contest Wednesday at EUSecWest in Amsterdam, IT World reports.
Because the hacked iPhone was running a developer version of iOS 6, it's likely the same vulnerability could be used to break into an iPhone 5 or the latest iPad and iPod Touch devices.
The WebKit browser exploit took only a few weeks to make, the researchers told IT World. Using the malicious code in a website would enable a cybercriminal to bypass the security mechanisms in Safari to gain access to the phone's data.
WebKit is a layout engine used by browsers to render Web pages. The open source technology is used in the Safari Web browser in iOS and in Google's Chrome, which recently became the default browser for Android.
The Dutch researchers are not the first to penetrate the iPhone's defenses through WebKit, said Chenxi Wang, an analyst for Forrester Research. Hackers typically target WebKit because Apple does not use a number of standard security practices in using the engine.
Apple has not said why, but it could be related to phone performance and battery life. In addition, Apple doesn't vet code executed on the browser, like it does apps before allowing them to be offered to iPhone users.
"This opens doors to remote exploitation," Wang said. "But to [Apple's] credit, we haven't seen a lot of that going on, which is actually quite impressive."
Wang does not believe the risk of the latest vulnerability is very high. That's because a cybercriminal would have to find a way to get iPhone users to a compromised site. A hacker could inject malicious code into a popular Web site, but this would also be difficult.
"It's certainly possible and certainly is a threat, but I don't see it becoming a massively popular way of attacking iPhone users," he said.
The Dutch researchers held back some of the details of their work, in order to prevent giving cybercriminals a hacking roadmap to the iPhone.
"Apple will have to come up with an update and then people need to upgrade as fast as possible," Pol told IT World.
Speed in plugging the hole is key to reducing risk, said Peter Bybee, president and chief executive of cloud security provider Security On-Demand.
"Whether you're likely to be attacked depends on how long the gap will be between when Apple fixes the problem and attackers repeat the researcher's success," Bybee said. "Just because the exploit is shared only with the vendor doesn't mean that it won't get out into the open market. There was enough detail in how they found the exploit and used it that it could be replicated by an experienced malware creator."
Other participants in the hacker contest demonstrated breaking into the Samsung Galaxy S3 via its near field communication (NFC) technology. The researchers from security company MWR Labs were able to beam an exploit from one Galaxy S3 to another.
Once the malicious app is installed in the receiving phone, a hacker would have full access to the phone's data, Tyrone Erasmus, a security researcher at MWR told IT World. The app runs in the background, making it invisible to the phone's user.
The exploit targets a vulnerability in the document viewer application that comes as a default app in the Galaxy S2, S3 and some HTC phones. The flaw enables a hacker to steal text messages, emails, contact information and other data.
The vulnerability, which also exists in the Galaxy S2, could be exploited by malware sent via email, the MWR team said. The researchers also won $30,000 for the hack.
Zero Data Initiative by Hewlett-Packard's DVLabs organized the competition. DVLabs will send details of the hacks to Apple and Samsung, respectively.

Google faces hefty fine from European Union antitrust authority


Sep 21, 2012 08:45 am | IDG News Service
Microsoft also needs to honor commitments it has made in an unrelated antitrust settlement, says the EU competition watchdog

by Jennifer Baker

Europe's competition watchdog is considering formal proceedings against Google over antitrust complaints about the way it promotes its own services in search results, potentially exposing the company to a fine of 10 percent of its global turnover.
Talks with the Internet giant about concessions it will make to settle the case are still dragging on, European Union Competition Commissioner Joaquin Almunia said in New York on Thursday.
Google offered some concessions to the European Commission in July, but the Commission has not yet circulated these to competitors to get a sense of how the remedies might work in practice. Almunia said he has ordered Commission staff "to engage into technical discussions with Google in order to assess in-depth the solutions presented." But he warned that if these are found lacking, he would be "obliged to continue with our formal proceedings".
If the Commission found Google guilty of breaking E.U. competition rules, it could restrict Google's business activities in Europe and fine the company up to 10 percent of its annual global revenue (US$37.9 billion last year).
Google is accused of using its search service to direct users to its own services and to reduce the visibility of competing websites and services. The complaints were first lodged by French search engine eJustice.fr and the U.K.-based Foundem in 2010. But 14 other companies have since followed their lead. The Commission extended the case into a full investigation to determine whether Google unfairly penalizes rivals in November last year.
There are also allegations that Google may have copied travel and restaurant reviews from competing sites without their permission and that its contractual restrictions may prevent advertisers from moving their online campaigns to rival search engines.
Almunia also took a hard line on an unrelated Microsoft antitrust case, in which the company was recently caught not applying a remedy it had agreed to.
To close an investigation of abuses of its dominance in the operating system market to gain browser market share, in 2009 the company promised to offer Windows users a choice screen allowing them to easily select their preferred web browser.
"This remedy was very effective while it was implemented," said Almunia. But Microsoft did not include the choice screen with the version of Windows released in February 2011.
The Commissioner said that while he finds "commitments offered by the companies themselves are a good way to solve competition problems, as an alternative to lengthy proceedings, the policy can work only if they translate their words into action."
Follow Jennifer on Twitter at @BrusselsGeek or email tips and comments to jennifer_baker@idg.com.


London iPhone 5 buyers disagree on need for LTE, but look forward to bigger screen


Sep 21, 2012 07:56 am | IDG News Service
No-one seems concerned about the lack of support for NFC

by Mikael Ricknäs

The iPhone 5's bigger screen was the big draw among people waiting in line for the new model, while opinions are split over whether to sign up for an LTE subscription or not.
As in many cities across the world, lines had formed outside the Apple Stores on Regent Street in London and opposite the Opéra in Paris, with people waiting to get their hands on the iPhone 5, which has a 4-inch screen, a faster processor and LTE connectivity.
There are about ten countries in Europe where iPhone 5 buyers will be able to take advantage of LTE. In the U.K. a commercial LTE network will soon be launched by operator EE, a joint venture between T-Mobile and Orange.
Some customers can't wait for the speed boost. "Faster is always better. My broadband at home is only 7Mbps and this should be at least three times as fast," said Aamir Karmali.
EE is the only U.K. operator that will offer LTE, and other buyers don't think it's worth switching operators for faster speeds.
"I am on O2, and I am not swapping just to get 4G ... I don't need it, O2's network is fast enough when you are actually connected to the network," said Matthew Taylor.
Taylor isn't alone in sticking with his current operator: "I am not getting LTE straight away, because I am on Vodafone," said James Smith.
The two buyers were also indifferent to other aspects of the iPhone 5's design.
The phone's new connector means old accessories will need an adaptor but, said Taylor, "The things I have use Bluetooth, so I am not affected by that."
Smith sees no need for NFC, a short-range radio technology used for payments and transit ticketing that Apple decided not to include on the iPhone 5. "You can just use your card," Smith said.
For some people, LTE isn't even an option. Anthony Fitch, the first to exit the Paris store with an iPhone 5, hoped to be able to use LTE in Italy sometime next year. He, though, felt that Apple should have added NFC to the iPhone 5.
Outside the store in London, Costas from Greece said that LTE will launch in his country next year, but he won't be an early adopter: "I really don't care, because there isn't much need for the higher speeds."
The larger screen seemed to be a bigger draw.
"Compared to Samsung's phones, I think it is about time that Apple increased the screen size," said Karmali.
In London, the queuing experience was ruined by a large group of people that tried to cut the line in the middle of the night, and they weren't properly dealt with by security, according to Karmali.
Not everyone queuing was there to get a phone for themselves. Just around the corner from the store in Paris several people were spotted handing over their Apple bags in return for cash from a man with a wad of €50 notes.
The global launch of Apple's iPhone 5 began early Friday morning in Australia when stores in the country opened their doors at 8 a.m. Besides Australia, France and U.K., the iPhone 5 also becomes available in the U.S., Canada, Germany, Hong Kong, Japan and Singapore on Friday.


On Sept. 28, the new iPhone will go on sale in 22 more countries, including New Zealand and European countries including Italy, where Fitch lives. He said it had been worth camping out in the cold since Wednesday night in order to get the phone a few days early.
Peter Sayer, in Paris, contributed to this report.
Send news tips and comments to mikael_ricknas@idg.com


BlackBerry service failure hits Europe one year after major outage


Sep 21, 2012 07:21 am | Computerworld
RIM apologizes, says it's working on a fix 

by Matt Hamblen

Research in Motion's BlackBerry users in Europe, the Middle East and Africa are experiencing service problems today, and RIM said in a statement that it is working to resolve the problem.
RIM apologized, but didn't have information on when the problems might be resolved.
The problem has left thousands of BlackBerry users without access to email or BlackBerry Messenger, according to the Inquirer in the UK.
The problem developed a year after Blackberry outages were felt on several continents. It also occurred on the same day that Apple's new iPhone 5 goes on sale.
More to come.
Matt Hamblen covers mobile and wireless, smartphones and other handhelds, and wireless networking for Computerworld. Follow Matt on Twitter at @matthamblen or subscribe to Matt's RSS feed. His email address is mhamblen@computerworld.com.

Google pulls the plug on its free music service for China


Sep 21, 2012 06:50 am | IDG News Service
Google said in a blog post the service's popularity failed to meet expectations

by Michael Kan

Google is shutting a Chinese music search service that offered free licensed music downloads because it wasn't popular enough, the company said Friday.
The announcement came in a blog posting from senior engineering director Boon-Lock Yeo, who said the company was shutting down the service in order to focus on improving more influential Google products.
Google launched its free music service in China in 2009 as a way to compete with rival Baidu, which offered a similar service that made it easy for users to locate free MP3 downloads.
To provide the free music, the service relied on links to licensed downloads from the Google-funded Top100.cn, a Chinese online music provider that has signed licensing deals with various labels across the world.
But despite the partnership, Yeo said in his blog, "the product's influence never quite reached as high as our expectations for it. Therefore, we have decided to transfer its resources to other products."
Google's popularity in the country has waned ever since 2010, when the company pulled the plug on its China-based search engine following disputes with the government over censorship and hacking concerns. As part of that shutdown, new services such as Google Play were never launched in China, while the few remaining services there, such as the company's music search, were left to continue to operate.
Once China's second largest search provider, Google has now fallen to fourth place, overtaken by other local companies, according to Internet analytics site CNZZ.com. Google's market share is at 5 percent, while Baidu's is 74 percent.
Top100.cn, which is only accessible in China, still continues to operate in the country, with Google its largest shareholder. The company, however, expects the shutdown will have a major impact on its user base, 70 percent of which come from Google's music search.
"It's regrettable, and we feel sorry about the shutdown," said Gary Chen, CEO for Top100.cn.
The company initially had high hopes for Google's music service, which when launched exceeded Top100.cn's expectations for user numbers and advertising revenue. At the same time, the service was also important in pioneering a new business model for online music, at a time when most users in China were downloading pirated songs over the Internet.
"This was the first licensed music service in China," Chen said. "We were very excited that Google wanted to build a music search service that could completely change China's music piracy landscape."
But since 2010, Top100.cn's site has declined in popularity, which Chen attributes to the shutdown of Google's China-based search engine.
"We gave a lot of suggestions to Google," he said, noting that the online music business was a politically safer option for the search giant to invest in. "There are also a lot of cases of companies using music to expand. Baidu has its MP3 search, Apple has its iPod and iTunes. They all used music to build up their services," Chen said.
One of Chen's suggestions was for Google to offer an Android-based music service for China. But despite the input from Top100.cn, Google never changed its strategy, Chen said, and instead has decided to focus its resources on other products.
With the loss of Google's music search, Top100.cn plans on shifting gears and focusing on areas like China's mobile Internet space. But despite the company's struggles, Chen said Top100.cn and Google helped stop online music piracy in China by providing an alternative business model. Last year, Baidu also began paying record companies to offer licensed music, after years of facing criticism for hosting links to pirated songs.
"More sites are providing licensed music downloads now. It's because we started this project, that this happened," Chen said.


China's Alibaba is spinning off its Aliyun OS into a separate business unit


Sep 21, 2012 02:58 am | IDG News Service
China's Alibaba bolsters its own mobile OS with $200M investment 

by Michael Kan

Days after feuding with Google over its mobile operating system, Alibaba Group said on Thursday it would spin off its Aliyun OS into a separate business unit, and invest US$200 million to back the new venture.
The announcement came from Alibaba Group's CEO Jack Ma in an internal email that was leaked to the media. Alibaba declined to comment, but a source familiar with the matter confirmed its veracity.
The Aliyun OS, developed and originally operated by an Alibaba Group subsidiary called Alibaba Cloud Computing, will now be run as a separate business unit with its own president and chief technology officer. The $200 million investment will go towards improving the Aliyun OS's talent base, technology and infrastructure.
In the email, Ma said the move was being made to secure the "healthy growth" of the OS and implement the company's next step in its wireless strategy.
The Aliyun OS, a Linux-based mobile operating system, was first launched last year as a way to bring more Alibaba-powered Internet services to users and provide a new mobile ecosystem for China.
Last week, however, the operating system met stiff resistance from Google when the search giant accused the Aliyun OS of being an Android variant incompatible with the rest of the Android ecosystem. Caught in the dispute was PC maker Acer, which had originally planned to launch a smartphone using the Aliyun OS, but later decided to cancel its release.
Analysts expect Alibaba's dispute with Google could prevent bigger-name smartphone vendors from using the Aliyun OS. Currently only two local Chinese handset vendors have built handsets using the Aliyun OS as Android continues to dominate China's smartphone market, now with an 81 percent share, according to research firm Canalys.
Alibaba's investment in the Aliyun OS, however, signals that the company has major plans for its mobile operating system. Last year, Alibaba spun off a shopping search engine and a retail e-commerce site into separate companies as a way to help them expand their reach in China.
Jonathan Lu, Alibaba's chief data officer, will lead the new Aliyun OS unit as president. In his duties, Lu will be meeting with hardware vendors to secure business for the Aliyun OS, said a source familiar with the matter.
Increasingly, Alibaba and other Internet firms in China are expanding in the country's mobile Internet space, as mobile phones have become the most popular way for users in China to go online. Retail e-commerce sites under Alibaba expect revenues from mobile shopping to explode in the coming years.
