October 22, 2008

Keep it to yourself

Here's a quick true or false quiz on Internet privacy. See how you do:

  • It's legal for companies to sell information collected about you online without your consent.
  • Deleting your cookies is enough to prevent companies from tracking you online.
  • A court order is required for a company to monitor your personal communications online, including e-mail.

Only the first statement is true; the rest are false. If you got all of them right, congratulations. But many of us could use a little education about the state of our online privacy, according to a recent survey conducted by the Consumer Reports National Research Center. For example, 43 percent of those surveyed  incorrectly believed a court order is necessary to monitor personal communications online, and 15 percent believed incorrectly that if they don't want to be tracked online all they need to do is delete their cookies.

The study also showed how willing—or not—Internet users are to allow their personal information to be used by online companies.

  • More than two-thirds said they don't mind providing personal information to a Web site in order to use the site.
  • At the same time, they don’t want their personal information tracked; more than three-quarters said that such tracking would be harmful to them.
  • Fifty-three percent were uncomfortable with the idea of a company using the content of their e-mails and browsing history to send relevant ads, even when the information gathered wasn't personally identifiable.
  • Survey respondents also strongly believed Internet companies should ask their permission before using their personal information, and that an opt-out feature should be required whenever their online behavior is tracked.

The bottom line: People want more control over what’s happening to their personal information online. For more on privacy guidelines that Consumers Union believes companies should implement, go to Consumer Reports WebWatch. To learn more about protecting yourself online, take a look at our Guide to Online Security.

—Donna Tapellini

October 20, 2008

Can you spot a fake e-mail? Find out with our free online test

Our latest survey of online consumers shows that roughly 1 in 13 households have disclosed personal information to an e-mail scammer.

Cyber criminals are pretty good at creating phony e-mails that look like they came from a bank or other reputable institution.

How good are you at telling the fake from the real? Now you can find out, with our free, interactive phishing test.

Here's how it works:

We show you a dozen e-mails we've actually received and you tell us whether you think each is fake or genuine. (We've put both types into the mix.) After you respond, we tell you whether you're right or wrong, and why.

Running totals show you how many you've guessed correctly and how many you've missed.

How many of the 12 do you think you can get right? Find out at our free Online Security Guide.

Scroll down to Phishing Trip and click on Go phish.

—Jeff Fox

October 09, 2008

Homeland Security chief: Plugging ID leaks will take some time

Yesterday, at a meeting with online reporters in Washington, DC, Secretary of Homeland Security Michael Chertoff acknowledged that government needs to make major changes in the way it manages confidential information if it is to prevent leaks of sensitive data. (The event was held on the occasion of Cyber Security Awareness Month.)

Just how problematic that management now is was exposed by our latest report on identity theft. We found that at least 44 million consumers' records had been lost or exposed by federal, state, and local government over the past three years. In one glaring example from 2007, the Transportation Safety Security Administration (part of the Department of Homeland Security) had lost a hard drive containing 100,000 records of personnel data.

"Part of what we need to do is we need to change from a model in which your assets are controlled by your, for example, Social Security number, which is a very weak way to control your assets," Chertoff told me and six other journalists who cover online security, "to a way in which your assets are controlled by some combination of a biometric, a token, and maybe some secret knowledge that isn't kept in a database."

Continue reading "Homeland Security chief: Plugging ID leaks will take some time" »

October 01, 2008

Online security: How savvy are you about cyber-safety?

Did you know that October is National Cyber Security Awareness Month? A number of organizations, including ConsumerReports.org, are joining forces to help promote safe computing practices and educate consumers about the threats of online fraud and identity theft. (For more information, go to the National Cyber Security Alliance's web site, StaySafeOnline.org.)

As part of the effort, we've created a new, free Online Security Guide, which includes the following features:

In the next few days, and throughout October, we’ll provide more details and news related to Cyber Security Awareness Month on our Electronics Blog and Online Security Blog.

—Jeff Fox

September 19, 2008

Palin's hacked e-mail: Lessons to learn

Republican vice-presidential candidate Sarah Palin learned a lesson that many of us often forget: The Web isn't safe.

A hacker was able to get into Governor Palin's Yahoo Mail account through the "reset password" feature, which allows users to retrieve or change their login password if the user can confirm their identity with personal information—their birthday, spouse's name, etc. As some news outlets have reported, Palin's cyber-attacker was able to easily fool Yahoo by finding such information about the politician online.

But a word of warning: Celebrities and politicians aren't the only ones who are vulnerable to such hacker tricks. With an increasing number of people posting personal information on Web sites such as Facebook, MySpace and blogs, nearly anyone can fall victim to such online account hijacks. One security expert noted how he used such trickery on a friend (with permission) to successfully gain access to that person's e-mail—and many other online services, such as that person's bank accounts. (Read his account, "How I Stole Someone’s Identity," on Scientific American.)

To avoid becoming a victim like Sarah Palin, follow these simple tips:

Continue reading "Palin's hacked e-mail: Lessons to learn" »

September 09, 2008

Watch out for Twitter nitwits

Beware: There's a rash of cyberspace attackers trying to plant a "bot" or some other sort of malware on your PC. They've graduated from email-based exploits to the use of "Web 2.0" social networking sites to do their dirty work. Twitter is the most recent example. Here's how it works:

Logging into Twitter, you get a request, maybe in a foreign language, to "follow" another user. But the sender's real intent is to get you to click on an enticing web link in the message, purportedly to view a photo or video. You click on it, and a message pops up telling you that you need a "Flash update" to view the video, with a convenient web link to the file. You run the self-installing file, which... you guessed it, installs a malware program on your PC.

This kind of attack isn't new. What's novel, and what changes the demographic, is the "vector" being a social-networking site. We strongly recommend everyone practice—and promote to others who may not understand the danger—the safe computing practices we outline in our cyber-security section.

We'd add that you should be aware of new "social engineering" tricks like this one, that cloak malware payloads inside a process that seems innocent, but ends in that most perilous of actions: your approving installation of malware.

—Dean Gallea

August 28, 2008

Computer virus blasts into space

A few days ago, news broke that a computer worm had hitched a ride on the International Space Station by stowing away on the astronauts’ laptops, which were reportedly unprotected by antivirus software.

The worm, Gammima.AG, which replicates itself and steals passwords to online games, was discovered about a year ago and isn’t considered high-risk.

Still, if the astronauts had followed the advice in our 7 Online Blunders report, namely to make sure you’ve got activated and updated security software on your computer, Gammima.AG would never have made it out of Earth’s biosphere.

So no matter where you take your laptop (or desktop), make sure it has security software properly installed and running.

—Jeff Fox

August 13, 2008

Many Banks Don't Follow Safe Web Practices

Robbers of old hit up banks because, obviously, that's where the money was. Today's cyberthieves are no different, so financial institutions' Web sites have high security requirements.

Yet three engineers at the University of Michigan found plenty of flaws in banks' online security. One alarming result of their study concerns how banks present log-in pages to users. The study (available if you have Adobe Acrobat installed) looked at the state of 214 U.S.-based financial institutions in 2006, and found that 47 percent of those banks ask users to log in on non-SSL pages. (SSL pages can be distinguished from others because they have an https address and a picture of a lock in the lower bar of the Web page.) That means a cybercriminal could hijack the page and cause the log-in data to be sent elsewhere.

Another notable problem cited was the offer by 31 percent of the institutions to send statements and other sensitive information via e-mail. The danger: Most users don't have secure e-mail.

The study pointed out other security flaws, including "breaks in the chain of trust," where an initial web page is secure but the user is forwarded without notice to an insecure page; posting contact information and security advice on insecure pages, which gives an attacker a chance to forge the page and provide incorrect contact information; and inadequate requirements for strong passwords.

According to the study, 76 percent of the sites exhibited at least one of those security problems, 68 percent had two or more, and 10 percent had all five.

We're hoping that at least some of the sites studied have by now improved their security practices. Meanwhile, you should follow your own list of safe online practices. Take a look at our September cover story, "7 Online Blunders," to find out how to avoid identity theft. For more information about online and computer safety, see our "Special section: Cyber-Insecurity" on ConsumerReports.org. To find the security software you'll need to protect yourself online, check out our latest Ratings of security suites and antiphishing tools. (Ratings are available to subscribers only.)

—Donna Tapellini

July 28, 2008

Protect your Bluetooth

For you, a Bluetooth headset offers a safe way to use your cell phone hands-free in the car. For cyberthieves, it's just another security gap waiting to be exploited.

The U.S. CERT (that’s the government's Computer Emergency Readiness Team) just issued a list of tips to help you use Bluetooth devices more securely. Nothing too difficult, and in fact it's mostly common-sense advice.

Two practices stand out. First, disable your Bluetooth device when you're not using it. And when you do enable it, use it only in hidden, or "not discoverable", mode.

You can get other Bluetooth security tips and learn more about setting up a good password for your Bluetooth and other devices at the U.S. CERT site:

http://www.us-cert.gov/cas/tips/ST05-015.html

—Donna Tapellini

July 18, 2008

Phony UPS e-mail carries malware

E-mails claiming to be from UPS could download dangerous malware onto your computer. The mail warns you that a shipment you're awaiting from UPS has been delayed, and it contains an attachment that you’re asked to open.

The e-mail is not from UPS, which says it rarely includes attachments in its communications to customers. Open the attachment and you end up with dangerous malware, according to security software publishers McAfee and Symantec. The malware connects your computer to a Russian domain, downloads a rootkit, and allows the attacker to take control of your computer. 

If you receive this scam e-mail, don’t open the attachment, and let UPS know at customerservice@ups.com.

—Donna Tapellini

Musical malware

Add a new danger to the many already lurking online: Open up the wrong music or video file and you could reveal all your passwords to Russian cyber-crooks.

The risk was discovered by researchers at San Jose, Calif.-based security firm Secure Computing. Here's how it works. Joe ComputerUser buys an illegal copy of a software program and heads online to get the verification code that will unlock the pirated software. That’s when a Trojan is downloaded onto Joe’s computer. The same Trojan might also be picked up from a file-sharing site, like Kazaa, that lets consumers exchange music and other content.

Joe doesn't know it, but that Trojan is infecting all his MP3 (music) and WAV (video) files. Then, Joe shares one of those files with a friend, who tries to play it. When he does, he gets a pop-up that says he has to download a "codec" (a compression/decompression algorithm) in order to play the file. Joe's buddy, excited to listen to the song Joe shared with him, doesn't think twice and allows the download. He doesn't know it, but he's been infected with malware that steals all his passwords and sends them to the Russian crime network mentioned above.

This particular Trojan is notable, says Christoph Alme, team lead for Secure Computing’s antimalware research labs, because it infects existing files, such as Joe's own MP3s, that then serve to pass on the malware.

As nasty as this Trojan is, you can easily avoid it. Don't buy pirated software or download illegal music. And if a friend innocently sends you an MP3 or WAV file that says you need to download or install something in order to play it, deep-six the file instead. Above all, don't forget to make sure your security software is updated and running properly. Alme says most security-software providers are already wise to this new exploit.

—Donna Tapellini

May 23, 2008

Spyware in sheep's clothing

At this year's Computers, Freedom and Privacy conference in New Haven, Conn., the room was packed for a May 22 workshop on new challenges posed by spyware. A proliferation of spyware used by stalkers, identity thieves and even spouses in acrimonious divorce cases recently prompted the Electronic Privacy Information Center to file a complaint with the Federal Trade Commission. (You can see a copy of EPIC's complaint with the FCC here if you have Adobe Acrobat installed.) The sales pitches EPIC's Guilherme Roschke described at the workshop were eye-opening to say the least. Consider this one for a spyware package being advertised for $89.95:

"Do you need to find out what someone is doing online? Is your spouse, child or friend hiding secrets from you? If so Remote-Spy is the perfect solution for anyone that needs this information quickly and secretly. Now you can use the same software professionals use to find out the information you need in total privacy."

The spyware programs are promoted as being capable of spying on email and instant messages, recording websites visited, browsing files stored on the target's computer and capturing all keystrokes typed. Many of them can be installed remotely via Trojan horse e-mail attacks. When I asked Roschke how victims are tricked into opening e-mails that launch the spyware, he replied: "Puppies and flowers." E-greeting cards with such warm and fuzzy visual images are among the lures spyware programs provide to entice the person being targeted to inadvertently install programs which then do their dirty work invisibly.

Continue reading "Spyware in sheep's clothing" »

May 22, 2008

Help us stop online scammers and computer viruses

We need your help in preparing an upcoming report for Consumer Reports and ConsumerReports.org about staying safe online. We're looking for tips to help consumers avoid becoming victims of viruses, spyware, or cybercriminals. We're not looking for obvious advice, such as "don't click on e-mail attachments" or "always run antivirus software." Rather, we’d like to hear about things online consumers often overlook, or don't know, when going online. (It can include anything from hardware to software to the consumer's own behavior.)

For each tip, please describe the mistake itself plus its consequences.

If you've suffered a loss yourself online, whether to your computer, wallet, privacy, or something else, we'd also like to hear about the mistake that led to that loss, how you resolved your problem (if you did), and how other consumers can avoid a similar experience. Please be as precise as possible.

Please let us know if you're willing to be interviewed for this article, plus whether you're willing to be photographed.

Don't forget to tell us how to contact you.

Note: Your response to this request won't be published anywhere, including this blog. If we interview you, your story may appear in the finished article. If you prefer to respond directly by e-mail, send your response to Security@cro.consumer.org.

Thanks for your help.

—Donna Tapellini

April 10, 2008

Kids turned cybercriminals

You might know this kid. He's as young as 12 or 13, not all that popular in school. He spends a lot of time online. You figure he's playing World of Warcraft, constantly refining his MySpace pages, or maybe hanging out in Habbo, a virtual world popular with kids. But he may also be wreaking havoc on social networking sites, selling a veritable supermarket full of his own malware, and creating packages of phishing tools.

"These kids are obsessed with phishing," said Chris Boyd, director of malware research for Facetime Communications during a presentation at the RSA Conference, here in San Francisco. They don't see phishing as a problem, Boyd says, because they typically start out stealing large numbers of MySpace pages, then move on to stealing a few PayPal accounts—but for a lot more money.

Today's young hackers consider themselves stars of the cyberworld, not aware or not caring that what they're doing is illegal. "For these kids, it's a game, a hacker version of American Idol," Boyd said. "But the TV show they're really on is America's Most Wanted."

Continue reading "Kids turned cybercriminals" »

April 09, 2008

RSA 2008: Only you can prevent cyber-attacks

Ira Winkler looks like a guy with a lot on his mind. And rightly so. After all, he helped orchestrate a hack of a power company, at the request of the company itself, which wanted to test its defenses. It took Winkler, who is president of the Internet Security Advisors Group, and his team just a day to break in. If he'd wanted to, he could potentially have turned out the lights on the power company's customers—or worse, since this company ran a nuclear reactor.

Obviously, the company's defenses did not hold up well. What was most striking was how easy it was for Winkler and his team to break in. One step in accomplishing the task involved tricking employees into clicking on an e-mail that downloaded malicious code onto their work computers.

"There is a major storm brewing that is receiving insufficient attention from the government," Winkler said.

Continue reading "RSA 2008: Only you can prevent cyber-attacks" »

April 02, 2008

A Lenovo laptop that knows your face

I hate passwords. Or more correctly, I hate how many passwords, PINs and security codes/answers I have to remember.

There are passwords and access codes to get into my home and office computers; my cell phone; my work and personal e-mail accounts; my home, office and cell phone voicemails; my online bank accounts; my wireless home network equipment; my accounts with Web sites such as ConsumerReports.org and this blog...

Maybe that's why I was very interested in the Lenovo IdeaPad Y510, one of the latest notebooks Consumer Reports is testing for our upcoming laptop computer Ratings update. Its most unique feature: It uses your face as the key to personal computer security.

The IdeaPad uses VeriFace, a "facial recognition" program installed in the IdeaPad.  Put simply: You register yourself (and anyone else that you want to have access to the laptop) by letting the software "scan in" the faces in front of the built-in, 1.3-megapixel webcam. Those facial images can then be associated with logins—to a Windows Vista "user" account, for example. That way if you've set the Lenovo to "lock" after a period of inactivity, getting back in is as simple as facing the webcam at the top of the IdeaPad's 15.4-inch LCD screen. This facial recognition scheme can also be used to log you into your Web-based e-mail and other accounts that normally require you to type in a user name and password.

You can review how the Lenovo IdeaPad works by watching our video using the player embedded in this post.

As with other biometric-based security devices (such as fingerprint scanners), VeriFace worked well and wasn't spoofed by simple trickery. But this 007-type approach to PC security wasn't completely flawless. (Hint: Those who wear hats and reflective glasses or typically use their laptops in badly-lit places might have second thoughts about facial recognition security.) And VeriFace still requires typed-in passwords as a back-up means of access—which means it is no less vulnerable to hackers and code-cracking software.

We're still testing the Lenovo IdeaPad and will include it in our Ratings of laptop computers soon on ConsumerReports.org. But one shortcoming that was obvious to me and other testers: Its LCD screen reflected light—a lot. Under our video studio's bright lights, the screen acted like a mirror. Perhaps that's so you can better examine your face before telling the Lenovo's VeriFace software, "I'm ready for my close-up."

—Paul Eng

March 12, 2008

Announcing a new feature for the Electronics Blog

As our annual State of the Net survey has shown for the past several years, the insecurity of online consumers is a severe national problem that affects nearly everyone and costs American consumers billions of dollars annually.

Coverage of this important subject has become an integral part of our electronics content, both in print and online. While we will continue reporting on Internet threats of all types, and testing the key products and services that help you protect yourself online, this year we will begin to do even more.

Continue reading "Announcing a new feature for the Electronics Blog" »

Cell-phone spam: How to curb it

Cell-phone spam still trails computer spam, with the typical cell-phone user receiving at most a few spam text messages per year rather than the thousands that may bombard their computer-based e-mail accounts. But in some ways, cell spam is more annoying. It can cause your phone to ring or vibrate at inopportune times and possibly cost you money—typically 10 to 25 cents per message if you don't have a text-messaging plan.

Since 2005, the CAN-SPAM Act (Controlling the Assault on Non-Solicited Pornography and Marketing) has prohibited commercial e-mail and text messages from being sent to cell phones without "express prior authorization." Unfortunately, the law leaves commercial entities lots of loopholes. For example, it doesn't prevent your carrier or its partners from sending you upgrade offers or account notices. Also, non-commercial organizations such as charities and political campaigns can shoot you all the messages they want on your dime.

Continue reading "Cell-phone spam: How to curb it" »

March 10, 2008

In spring, a phisher's fancy turns to taxes

If tax season is here, can IRS e-mail scams be far behind? Here's a tempting one making the rounds: An e-mail that looks like it's from the IRS tells you the agency has "determined that you are eligible to receive a tax refund of $746.35." All it takes to get that cash is a simple click on a link to "access the form for your tax refund."

If you get one of these, don't start planning that vacation yet, and definitely do not click on the link or fill out the form. The IRS doesn't send unsolicited e-mails about tax refunds or any other matter. What you've actually received is not an opportunity to claim hundreds of unexpected dollars. It's a phishing scam designed to load malicious software onto your system and collect personal information for use in identity theft schemes.

This and other scams that use refunds from the IRS as bait are more prevalent than ever. Meanwhile, even newer scams are showing up surrounding the recent Federal tax rebate, according to Paula Greve, director of Web security research for Secure Computing.

In fact, Greve notes, there has been a 3,000 percent year-over-year increase in phishing attacks and malicious Web sites targeting the IRS, with more such attacks in January 2008 alone than in the first six months of 2007 combined. Close to 600 IP addresses sending e-mail purporting to be from the IRS have already been tracked, and Greve expects that number to increase.

Continue reading "In spring, a phisher's fancy turns to taxes" »

February 05, 2008

Adware recedes, but other online threats grow

If you've noticed fewer popup ads while Web surfing, it's probably more than just your anti-popup software doing its job. So-called "nuisance adware," popups and home-page hijackers that annoy but don't usually harm your computer, has been vanquished, though not totally eliminated.

That was one of my main takeaways from attending last week's fourth annual public workshop held by the Anti-spyware Coalition, a group of software companies, academics, and consumer groups united in the effort to control spyware and other online threats. Held in the shadow of the US Capitol in Washington, DC, the workshop's subtitle was, "What's worked, what's left, and what's coming."

Some of the reasons for the downfall of nuisance adware include new state anti-spyware laws, aggressive high-profile prosecutions of perpetrators, and a growing reluctance by high-profile makers of consumer products and services to inflict further damage on their brands by advertising in a medium (adware) that one workshop speaker characterized as "a lousy consumer experience."

But this success has come at a price, the conference attendees found out. While some adware purveyors have changed their practices for the better to stay on the good side of the law, others have gone underground, to a market position some speakers called "the dark side" by adopting even more egregious technologies borrowed from virus writers, hackers, and other online miscreants.

Following a keynote by FTC Commissioner Jonathan Leibowitz, conference panels discussed such topics as Is Spyware Dead?, Can Investigators Stay Ahead of the Bad Guys? and Education: What Works and What Doesn't? Speakers included experts from major anti-malware vendors like McAfee and Lavasoft, government officials, security professionals, and academics.

Continue reading "Adware recedes, but other online threats grow" »

January 23, 2008

Digital picture frames infected with computer virus

Best Buy tells us that one of its Insignia brand digital picture frames has been contaminated by a virus. The only model involved is a 10.4-inch frame bearing the number NS-DPF10A. If you're downloading photos by connecting this frame directly to your computer, you may be putting your system at risk. Owners should contact the company by calling 877-467-4289. Best Buy will help you determine whether your frame is affected and will let you know how to proceed if it is. The model, which was sold over the holiday season, has been discontinued and is no longer available for purchase from Best Buy.

The virus is not a new strain, so if your system is protected by antivirus software, it should catch and isolate the infection. In addition, if you're loading photos using a memory card, the virus can't be passed along that way, according to a Best Buy spokesperson.

So far, the company has received about two dozen calls concerning this issue. Best Buy is still investigating the cause of the infection. If you have another model of Insignia frame, and notice that your antivirus software is picking up viruses when you connect the frame to your computer, call Best Buy and let them know. Continue checking the Insignia home page at http://www.insignia-products.com/default.aspx for further developments.

And for additional computer safety tips, including Consumer Reports' Ratings of the best computer security software and online protection tools, check out our online cyber-security center.

—Donna Tapellini

January 18, 2008

MacWorld 2008: Will Macs Become Less Secure?

With Mac sales up, and many new users coming to the platform, will malware writers begin to seek fresh targets? I asked the chief technologists at security companies Intego and McAfee what they saw as the primary threats to the Mac platform, both today and looking ahead.

While both agreed that Mac OS X is solid when it comes to security, they also fear that malware attacks on the Mac are inevitable—it's just a matter of when.

According to George Heron, the chief scientist at McAfee, 35% of the malware currently threatening computer users has been discovered in the past two years. In 2002, there were about 100 new detections a week. By 2007, that number had skyrocketed to 2000-plus. That's probably because the profile of cyber-criminals has changed. It's not about impressing your fellow geeks with your virus-writing prowess anymore. Today, money rules in the cyber-underworld, with malware going after financial information, credit cards, and bank accounts. Large, well-organized, highly sophisticated hackers design spam and phishing scams on a massive scale, largely operating out of China, Brazil, Russia, and the Middle East, according to Heron. More Macs in the marketplace means a growing profit opportunity in a highly profitable industry that steals billions worldwide.

Intego's Jack Nahan told me that the biggest threats to Mac users going forward are phishing, trojans, and ID theft. The two most interesting and insidious to date have been a scam where the user is invited to download a supposedly friendly new piece of anti-virus shareware called "Macsweeper" (it installs a trojan), and a "screen scraper" app that comes off the Web and never resides locally. It just copies whatever is on the user's screen (including banking information) and returns it to the scammer.

For more information on how to protect your computer (Mac or PC) and your information while online, check out these free resources on ConsumerReports.org:

And if you subscribe to ConsumerReports.org, you'll have access to:

—Thomas A. Olson

January 16, 2008

MacBook Air: Some closer looks

A Consumer Reports colleague (Joyce Ward) and I met privately with Apple reps Tuesday afternoon for a personalized demonstration of the MacBook Air and other products. It was fun to take a closer look at these new offerings, even if just for a short time.

They say the MacBook weighs three pounds, but it honestly didn't feel even that heavy when I held it in my hand—it seemed lighter somehow. The screen was bright, the keyboard a joy to touch, and the trackpad "touch" software had specific settings for one-, two-, and three-finger operation. One finger can click, drag, or double-click. Two fingers flip, rotate, magnify, or minimize images or web pages by using a "pinching" motion. Three fingers let you "slide" from page to page, image to image. This software utility is currently fully compatible only with the Leopard Finder, Safari Web browser (seen on a Windows XP machine at left), and most of Apple's "iApps." Expect third-party support in the future.

Of course, one of the first things that came to mind when seeing the MacBook Air was, "How's this battery deal gonna work?" In case you hadn't heard, the battery in the MacBook Air is not user-replaceable. As a long-time traveling laptop user, that worries me. I always found having the occasional spare battery to be a good thing, especially on those extra-long excursions.

Apple insists its batteries are absolute state of the art, hold a charge very well, and have a very long life. (The 17-inch MacBook Pro's battery lasted 5.25 hours in our latest tests.) Nevertheless, Apple will try to ease your worries with a Battery Replacement Program: Bring your MacBook Air to the nearest Apple store, and the techs will replace the battery (while disposing of the old one in an environmentally responsible manner). Total cost: $129, the same as a new battery you would replace yourself in other models. In addition, more and more airlines today offer laptop power ports on their planes, and both Apple and third parties sell adapters. So as time goes on, the need for having all that extra battery power handy is becoming less necessary. (It was unclear whether this Apple store program was a "while you wait" service, or a "drop it off and pick it back up tomorrow" sort of thing. Time will tell.)

Apple's goal with the MacBook Air was to design a sleek laptop without most of the tradeoffs associated with ultra-portables. The full 13.3-inch backlit LED screen with 1280 x 800 widescreen resolution bears this out, as does the standard MacBook keyboard and an oversize trackpad that supports the one-, two-, and three-finger multi-touch technology used on the iPod Touch and iPhone. Nevertheless, for power users, there are some tradeoffs: There's only one USB port, no Firewire, no DVD, and the custom battery.

Which led to my next question for the Apple folks: What if you're on the road, your Time Capsule (seen at right) is at home, and your system has a meltdown? Low odds, mind you, but there it is, coming from a geek who can't be too paranoid. They recommended two solutions. The first, of course, is to carry that $99 external DVD drive and your install disk with you. Another possibility is to install, from that disk, a copy of the Remote Disk application on someone else's Mac (or PC!) with a wireless card. Then you can piggy-back on their CD drive and run the installer to restore your hard disk. Clever, but all you're doing is imposing on a friend's good will—sooner or later you'll have to connect to some physical media to restore your system.

Next up in our interview session was the "Time Capsule" wireless backup solution. Security was my main worry with this product, so I asked our Apple reps: Should I be concerned with potential man-in-the-middle attacks when wirelessly backing up my hard drive? Not necessarily. Time Capsule is essentially a full Airport Extreme base station (a fancy term for "wireless router") combined with a server-class hard drive. It supports all the wireless security protocols found in any other wireless router, including WPA and WPA2. That was the answer I was looking for, but it was still unclear how simple that would be to set up for the uninitiated. It's not normally much fun for those who do it for a living.

All that wireless security is well and good, but sometimes to an old school guy like myself, there's nothing more secure than a good honest wire, and fortunately for me, Time Capsule has three gigabit-Ethernet ports included. (See image at left.) But of course, that does me no good with the MacBook Air, which has not a single Ethernet port built-in.

—Thomas A. Olson

October 16, 2007

Your computer may be more vulnerable than you think

Your new computer finally arrived. Everything’s up and running, and you feel safe as you surf the 'Net, because you know the system came loaded with a free trial for a well-known security package. But are you really protected?

There’s a good chance that you’re not. A new survey by security-software publisher McAfee and the National Cyber Security Alliance (NCSA), released on October 1 to launch National Cyber Security Awareness Month, turned up a notable disconnect between most users’ perception and the reality when it comes to their computer's security.

Consider this: 87 percent of those surveyed said they use antivirus software. But in fact, on 48 percent of the computers scanned as part of the survey, the antivirus software was not up to date. The respondents thought they were protected, but they were actually all too vulnerable because an antivirus that's not up to date is ineffective. The problem spans other types of security software, too. For example, while 81 percent of those surveyed had a firewall installed on their computer to block hackers, only 64 percent had activated it.

August 07, 2007

Who's talking to your kids online?

To borrow from an old public-service announcement: It's 10 o'clock, do you know where—online—your children are? If the answer is, "Romping around on social-networking sites," it's time for you to take some action.

Millions of minors post all sorts of personal information on social networking sites like MySpace. Sadly, such sites have become virtual playgrounds for adult sexual predators, too, placing a new responsibility on the shoulders of already-overworked parents: safeguarding their kids who go online.

What makes sites like MySpace so risky is that predators can develop long-term relationships with several children simultaneously. "They'll contact the youth repetitively for up to six months," Dr. Sharon Cooper, CEO of Developmental and Forensic Pediatrics in Fort Bragg, N.C., told me. The predators usually present themselves as about 20 years old, an appealing age to younger children, according to Dr. Cooper. They talk to the child so frequently and for such a long period of time that by the time they propose meeting, the children don't see the predator as a stranger. "They see them as people who understand them better than their own parents," she says.

July 12, 2007

Defending Against Spam

When it comes to online security, some key threats are getting better and yet remain serious problems. Take spam, for example.

Jeff Fox, Consumer Reports’ Technology Editor, is today presenting evidence to the Spam Summit, a Federal Trade Commission event on this ongoing Net menace. (Note: The link will take you directly to the FTC's Web site for the summit.) Drawing on findings from the 2007 Consumer Reports State of the Net report, which includes a nationally representative survey of U.S. Web users, Jeff’s paper offers both hope and alarm about the spam scourge.

Spam is easing, our survey found. The proportion of spam recipients who said half or more of their e-mail was spam dipped below 50 percent for the first time since our survey began in 2004. Also, fewer people reported clicking on links in spam or replying to it. (Click on the image on the left to see our findings.) And the use of spam blockers and firewalls is more widespread.

But spammers are still making sales from their messages and ensnaring people with phishing scams, in which bogus e-mails and Web sites induce people to disclose information about their financial accounts. Based on our survey, we estimate that 650,000 Americans made such a purchase in the month before the survey. And the proportion of Web users who are responding to phishing messages has remained steady. (Click on the image on the right for a closer look at our findings.)

What to do? Jeff recommends a continued effort to educate Web users, since some of the good news from our survey (fewer clicks on links, for example) proves that education can help. He also advocates steps to boost the effectiveness of the federal CAN-SPAM Act, which has given law enforcers new tools to use against spammers. The FTC also needs adequate resources to take full advantage of the U.S. Safe Web Act, which allows that agency more authority to work internationally to protect consumers. For their part, software manufacturers need to design firewalls that clearly identify by name a product that is attempting outgoing communications, rather than using a hard-to-identify file name. In addition, Microsoft needs to fix its Vista firewall. (See our previous post on Windows Vista's flawed firewall.)

We’ll have more on spam and other threats--both good news and bad, problems and solutions--in the State of the Net 2007 report, and in its accompanying Ratings report on software to protect against viruses, spyware, and spam. Both reports will post to ConsumerReports.org in early August.

In the meantime, you can find out more helpful information about how to protect your computer and your personal information by visiting our special cyber-security section and our Ratings of computer security software programs.

-- Paul Reynolds

February 23, 2007

How to keep your new Vista PC safe

If you’ve installed Vista on your PC or are planning to do so, it’s important to update your security software as well. In fact, if you have a current subscription to security software, check your vendor’s Web site to make sure there is a Vista version currently available—not all the security-software vendors have Vista software ready.

Although Vista is being touted as a more secure operating system, you still need to take additional steps to protect your data. For starters, you don’t get antivirus software with Vista. The antispyware bundled free with it, Windows Defender (we tested the beta version last summer), did not score as well as other programs.

Different providers are using different methods to help their subscribers keep up to date. In addition, how you do so will depend on whether you’ve bought a new PC with Vista installed or upgraded your old computer with Vista. Keep in mind that if you bought a new PC and want to transfer a subscription from your older system, you’ll probably have to remove the software from the old PC first, and you’ll most likely need a key number to get the new version. If you’re upgrading a current PC to Vista, some vendors, including Symantec, recommend updating your security software before you switch to Vista.

Here’s the latest from a sampling of security-software providers:

BitDefender
BitDefender Antivirus 10, Antivirus Plus 10, and Internet Security 10 are all Vista-compatible and free to current subscribers. Check the site at http://promo.bitdefender.com/vista.php.

Computer Associates
The only CA product currently Vista-ready is its antivirus software. Antispam should be available mid-February, and others will follow during the month of March. Check the CA Web site at http://home3.ca.com/stcontent/vistaready/index.aspx for the latest additions and update instructions.

F-Secure
F-Secure currently has beta versions available for its Internet security suite as well as its antivirus software. Final products will be available online in May and in stores in June. Subscribers will be eligible for free upgrades. For more info, go to http://www.f-secure.com/vista/consumers/.

Kaspersky
Kaspersky’s Anti-Virus and Internet Security are both available for Vista. Current subscribers can download them free at http://usa.kaspersky.com/vista/.

McAfee
You need to be a subscriber of the 2007 version of any McAfee software if you want to run it on Vista. Upgrades to the Vista-compatible versions are free to current subscribers.

If you’re a McAfee user who bought a new Vista PC, uninstall the McAfee software from your old system if you want to use it on your new one. Then log on (using the e-mail address and password you set up when you originally bought the software) to http://us.mcafee.com/root/myaccount.asp to download a Vista version for your new system.

For McAfee subscribers who upgrade their existing system to Vista, McAfee software will automatically upgrade to a Vista-compatible version. The exception: subscribers who manually install McAfee updates will have to download the Vista upgrade themselves.

Symantec
Norton Internet Security 2006/2007, Norton AntiVirus 2006/2007, and Norton Confidential are all available for Vista. The Symantec site at http://www.symantec.com/home_homeoffice/themes/vista/compatibility.jsp has more information on Vista-compatible products.

Users who subscribe to the 2007 versions of Internet Security and AntiVirus should uninstall the old Norton software and download the trialware from Symantec’s Web site. You’ll need your product key (available in your Norton Account, the CD-ROM sleeve, or the confirmation e-mail if purchased online). The trialware will automatically be converted to an activated product with your remaining subscription. If you have the 2006 versions of those products, go to www.symantec.com/07upgrade for an assisted upgrade.

Trend Micro
Trend Micro Internet Security 2007 (formerly PC-cillin), Trend Micro AntiVirus plus AntiSpyware 2007, and Trend Micro HouseCall all work with Vista. If you are currently subscribed to Trend Micro Internet Security PC-cillin 2005/2006/2007, go to