Yesterday, at a meeting with online reporters in Washington, DC, Secretary of Homeland Security Michael Chertoff acknowledged that government needs to make major changes in the way it manages confidential information if it is to prevent leaks of sensitive data. (The event was held on the occasion of Cyber Security Awareness Month.

Just how problematic that management now is was exposed by our latest report on identity theft. We found that at least 44 million consumers' records had been lost or exposed by federal, state, and local government over the past three years. In one glaring example from 2007, the Transportation Safety Security Administration (part of the Department of Homeland Security) had lost a hard drive containing 100,000 records of personnel data.

"Part of what we need to do is we need to change from a model in which your assets are controlled by your, for example, Social Security number, which is a very weak way to control your assets," Chertoff told me and six other journalists who cover online security, "to a way in which your assets are controlled by some combination of a biometric, a token, and maybe some secret knowledge that isn't kept in a database."

Did you know that October is National Cyber Security Awareness Month? A number of organizations, including ConsumerReports.org, are joining forces to help promote safe computing practices and educate consumers about the threats of online fraud and identity theft. (For more information, click on the image at right to go to the National Cyber Security Alliance's web site, StaySafeOnline.org.)

As part of the effort, we've created a new, free Online Security Guide, which includes the following features:

• Reports on viruses, spyware, phishing e-mails, ID theft, and kids safety online.
• Results from a new consumer survey on auction fraud by ConsumerWebWatch, the Internet integrity division of Consumers Union, the non-profit publisher of Consumer Reports.
• Free advice, including: 7 Online Blunders to Avoid, 19 tips to stay safe online, and our 2008 State of the Net findings.
• Software Ratings: Security Suites and Anti-phishing toolbars (available to subscribers only).
• An entertaining, educational musical video about e-mail phishing from ConsumerWebWatch.
• A quiz that tests your ability to tell fake e-mails from real ones.
• Links to our discussion forums where you can discuss with others about online security and privacy issues.

In the next few days, and throughout October, we’ll provide more details and news related to Cyber Security Awareness Month on our Electronics Blog and Online Security Blog.

—Jeff Fox

Republican vice-president candidate Sarah Palin learned a lesson that many of us often forget: The Web isn't safe.

A hacker was able to get into Governor Palin's Yahoo Mail account through the "reset password" feature, which allows users to retrieve or change their login password if the user can confirm their identity with personal information—their birthday, spouse's name, etc. As some news outlets have reported, Palin's cyber-attacker was able to easily fool Yahoo by finding such information about the politician online.

But a word of warning: Celebrities and politicians aren't the only ones who are vulnerable to such hacker tricks. With an increasing number of people posting personal information on Web sites such as Facebook, MySpace and blogs, nearly anyone can fall victim to such online account hijacks. One security expert noted how he used such trickery on a friend (with permission) to successfully gain access to that person's e-mail—and many other online services, such as that person's bank accounts. (Read his account, "How I Stole Someone’s Identity," on Scientific American.)

To avoid becoming a victim like Sarah Palin, follow these simple tips:

Robbers of old hit up banks because, obviously, that's where the money was. Today's cyberthieves are no different, so financial institutions' Web sites have high security requirements.

Yet three engineers at the University of Michigan found plenty of flaws in banks' online security. One alarming result of their study concerns how banks present log-in pages to users. The study (available if you have Adobe Acrobat installed.) looked at the state of 214 U.S.-based financial institutions in 2006, and found that 47 percent of those banks ask users to log in on non-SSL pages. (SSL pages can be distinguished from others because they have an https address and a picture of a lock in the lower bar of the Web page.) That means a cybercriminal could hijack the page and cause the log-in data to be sent elsewhere.

Another notable problem cited was the offer by 31 percent of the institutions to send statements and other sensitive information via e-mail. The danger: Most users don't have secure e-mail.

The study pointed out other security flaws, including "breaks in the chain of trust," where an initial web page is secure but the user is forwarded without notice to an insecure page; posting contact information and security advice on insecure pages, which gives an attacker a chance to forge the page and provide incorrect contact information; and inadequate requirements for strong passwords.

According to the study, 76 percent of the sites exhibited at least one of those security problems, 68 percent had two or more, and 10 percent had all five.

We're hoping that at least some of the sites studied have by now improved their security practices. Meanwhile, you should follow your own list of safe online practices. Take a look at our September cover story, "7 Online Blunders," to find out how to avoid identity theft. For more information about online and computer safety, see our "Special section: Cyber-Insecurity" on ConsumerReports.org. To find the security software you'll need to protect yourself online, check out our latest Ratings of security suites and antiphishing tools. (Ratings are available to subscribers only.)

—Donna Tapellini

With its exclusive U.S. broadcasting rights, NBC will televise a whopping 1,400 hours of the 2008 Summer Olympics Games from Beijing to American homes. HDTV owners will see some stunning moments—from tonight's opening ceremonies to the closing ceremonies 17 days later—in crystal clarity on their TVs. (To ensure that you enjoy world class viewing, see our recent post, "HDTV: Adjust the picture for best quality.")

But there are only so many hours in the day, so who can watch it all? And even NBC's thousands of hours of broadcasts won't capture every minute of the 28 Olympic events spread over 31 separate venues in China.

My recourse? Turn to technology. Specifically:

Electronic-book (or e-book) readers, including the Amazon Kindle and Sony Reader, use an electronic "ink" (or e-Ink) display to reproduce text. (The image at right shows a sample of the e-Ink technology. You can click on it for a closer look.) You move through a book by pressing a button to pull the next page from the device's electronic memory. Current versions are imperfect, but in recent weeks a leading print magazine; you, our readers; and several design and media experts have convinced me to follow this fascinating technology more closely.

The print magazine is Esquire, which announced that its September issue will appear on newsstands with a battery-powered e-ink cover. Meanwhile, our test observations on the Kindle continue to draw readers and comments some eight months after we posted them. Our tests and your comments reflect a mixed verdict, highlighting many disadvantages as well as some pluses. Our take on the second-generation Sony Reader was similarly ambivalent.

But several lectures I've attended in the past week or so argue that flaws are inevitable when products break significant new ground—as these devices clearly do, being more legible and more portable than past e-books. Last week, while attending Stanford University's Stanford Professional Publishing Course, I heard professor Paul Saffo urge magazine editors to embrace the Kindle and its ilk, in spite of their flaws. Another instructor, renowned product designer Bill Moggridge, told me the Kindle has streamlined his research process by allowing him to electronically highlight passages in books and download those excerpts to his computer, saving him hours of transcription time.

Here at Consumer Reports, we recently enjoyed a lecture from Bo Sacks, an expert on so-called Electronically Coordinated Information Distribution, who predicts that e-books will command a growing share of the print market. That will happen, he says, as the devices improve and as the downsides of printed paper continue—notably its escalating cost and its long-term environmental issues.

—Paul Reynolds

If you're planning any air travel in the near future, you might find yourself surfing while you fly. American Airlines is one of several carriers planning to offer Wi-Fi in the sky with a broadband Internet service called Gogo.  The service will be implemented on some of its transcontinental Boeing planes. Other airlines are also implementing or planning to launch their own services.

American's Wi-Fi will be available for $12.95 on flights longer than three hours. Passengers with their own Wi-Fi-enabled devices will be able to access the Internet using Aircell's Gogo technology, which communicates with cellular towers on the ground via three antennae on the plane's exterior. Your laptop or other mobile device connects via several wireless access points within the cabin. American says Gogo is also compatible with most corporate VPNs and e-mail.

JetBlue is offering a test of limited Wi-Fi capabilities on what it calls the BetaBlue plane, a Wi-Fi-equipped Airbus 320. The service is free, but limited. You can access e-mail from services like Yahoo, Gmail, Hotmail, and AOL; use your Blackberry; send instant messages; and, in case you've just got to buy the latest bestseller from 30,000 feet up, shop at Amazon.com.

Later this year, Virgin America will begin testing Wi-Fi as well, with the goal of offering it across its fleet by 2009. In addition to using your own carry-on devices, Virgin will let you access the Internet using seatback video touchscreens. Lufthansa says it will also roll out a program next year.

The spate of new on-high Wi-Fi comes a couple of years after Boeing pulled the plug on Connexions, its in-flight wireless broadband service. That program reportedly failed after the company was unable to get enough paying customers.

If you've been on a flight that offers Wi-Fi, share your experience with us. Was it worth the price (if you had to pay)? Would you be satisfied with a free service that offered limited access? Or do you think the wild blue yonder should remain Internet-free?

—Donna Tapellini

Given still-stratospheric gas prices, I decided to test drive a few Web sites that promise to help you find the lowest gas prices in your area. Our colleagues in the Cars franchise listed several such sites a few months ago when regular unleaded cost "only" $3 per gallon.

Comparison shopping online is faster than cruising the neighborhood for a bargain, and you won't be burning any gas. But it's useful only if online prices are accurate and there are significant variations among local stations.

As a reality check, I drove around my north New Jersey neighborhood recently, jotting down credit card prices for regular unleaded at 15 stations. (Disclaimer: Approximately one gallon of regular unleaded gasoline was consumed in the production of this blog post.) The highest price I saw for regular was $4.06 and the lowest was $3.89 (for credit cards; cash prices were a bit lower at a few stations). If that seems like a bargain compared to your neck of the woods, it's because New Jersey has some of the lowest gas prices on either coast.

If you drive 12,000 miles a year (the national average) and get 24.3 mpg (the average we found in a random nationwide survey last month), buying the cheapest gas would save you about $84 a year—nothing to get excited about, though it's a psychological boost to pay even a little less for gas these days. And if you drive more than average or have a less fuel-efficient vehicle, your savings could be greater.

After my station tour, I went to four free Web sites to see whether their price listings were accurate: GasPriceWatch.com, MapQuest, MSN Autos, and NewJerseyGasPrices; (associated with the national site, GasBuddy). These sites display interactive maps that show the price at each station's geographical location, and they usually tell you how recently each price was updated. MapQuest and MSN get their price information from Oil Price Information Service (OPIS), which tracks more than 90,000 retail gasoline prices daily. GasPriceWatch and GasBuddy get them from volunteer “spotters.”

It took me more than a year to shoot 488 photos and less than a second to lose them—purely by accident, when I unwittingly reformatted the memory card in my point-and-shoot camera.

These were photos I wanted to keep, capturing memories of my first trip to Yosemite, family and friends, even the before-and-after pictures of my kitchen renovation. But I foolishly ignored two commonsense pieces of advice every digital camera user should follow:

• Don't use your memory card for permanent storage. It's arguably the least robust, most vulnerable storage device you can use for archiving your pictures. Download images you want to save to your computer, an external hard drive, or a CD.
• Even if you don't peruse your camera's user manual cover to cover, at least crack it open to get some idea of how to use your camera’s controls and menus.

I shamefacedly admit that I did neither. While I printed out a bunch of pix, e-mailed others, and put a fair number up on a photo-sharing Website, close to half the shots existed only on the CompactFlash card that never left my camera.

I was recently in Brussels attending some meetings with members of International Consumer Research & Testing, a consortium of consumer organizations of which Consumers Union is a member. I planned to spend two days on my own after the meetings, in the medieval town of Bruges, an hour's train trip from Brussels. While on a train platform in north Brussels, I was victimized by a team of robbers who skillfully distracted me and snatched my laptop bag. Among other items, it contained my laptop, cell phone, iPod Touch MP3 player, noise-canceling headphones, and a few USB thumb drives. All gone.

While such an incident could well ruin more than just a trip, some personal practices and quick actions prevented that from happening in my case. Here's what I recommend you do if your personal electronics  items are stolen on the road, with notes on what I did:

Change passwords. Fortunately, I had not put my financial files or account data on any of the stolen storage devices. I have no need to carry that info when traveling, so it resides only at home.

We need your help in preparing an upcoming report for Consumer Reports and ConsumerReports.org about staying safe online. We're looking for tips to help consumers avoid become a victim of viruses, spyware, or cybercriminals. We're not looking for obvious advice, such as "don't click on e-mail attachments" or "always run antivirus software." Rather, we’d like to hear about things online consumers often overlook, or don't know, when going online. (It can include anything from hardware to software to the consumer's own behavior.)

For each tip, please describe the mistake itself plus its consequences.

If you've suffered a loss yourself online, whether to your computer, wallet, privacy, or something else, we'd also like to hear about the mistake that led to that loss, how you resolved your problem (if you did), and how other consumers can avoid a similar experience. Please be as precise as possible.

Please let us know if you're willing to be interviewed for this article, plus whether you're willing to be photographed.

Don't forget to tell us how to contact you.

Note: Your response to this request won't be published anywhere, including this blog. If we interview you, your story may appear in the finished article. If you prefer to respond directly by e-mail, send your response to Security@cro.consumer.org.

Thanks for your help.

—Donna Tapellini

You might know this kid. He's as young as 12 or 13, not all that popular in school. He spends a lot of time online. You figure he's playing World of Warcraft, constantly refining his MySpace pages, or maybe hanging out in Habbo, a virtual world popular with kids. But he may also be wreaking havoc on social networking sites, selling a veritable supermarket full of his own malware, and creating packages of phishing tools.

"These kids are obsessed with phishing," said Chris Boyd, director of malware research for Facetime Communications during a presentation at the RSA Conference, here in San Francisco. They don't see phishing as a problem, Boyd says, because they typically start out stealing large numbers of MySpace pages, then move on to stealing a few PayPal accounts—but for a lot more money.

Today's young hackers consider themselves stars of the cyberworld, not aware or not caring that what they're doing is illegal. "For these kids, it's a game, a hacker version of American Idol," Boyd said. "But the TV show they're really on is America's Most Wanted."

I'm attending the RSA Conference in San Francisco—billed as the "world's largest security conference and expo"—where security software maker Symantec today revealed a few of the latest online threats, and U.S. Department of Homeland Security Secretary Michael Chertoff offered a few insights into what the federal government is doing to protect U.S. cyberspace.

The biggest threat to your personal data, according to Symantec, comes from the loss of laptops, hard drives, and USB drives, which accounted for 57 percent of the data loss outlined in the company's latest Internet Security Threat Report, released today. In addition, 70 percent of the malicious code unleashed in the last six months of 2007 was meant to steal confidential information. Finally, the creation of malicious software is now outpacing the creation of "good" programs, said Steve Trilling, vice president of Symantec Research Labs.

All this stolen information ends up in an underground marketplace that works just like a legitimate economy, Trilling said. Stolen eBay accounts go for about $8, e-mail passwords for $30, credit cards for as little as 40 cents, and bank accounts for up to $1,000 or so, depending on how much money is in the account. Interestingly, the virtual world is one of the most lucrative. A stolen World of Warcraft account can be worth 100 times more than a credit card.

I hate passwords. Or more correctly, I hate how many passwords, PINs and security codes/answers I have to remember.

There are passwords and access codes to get into my home and office computers; my cell phone; my work and personal e-mail accounts; my home, office and cell phone voicemails; my online bank accounts; my wireless home network equipment; my accounts with Web sites such as ConsumerReports.org and this blog...

Maybe that's why I was very interested in the Lenovo IdeaPad Y510, one of the latest notebooks Consumer Reports is testing for our upcoming laptop computer Ratings update. Its most unique feature: It uses your face as the key to personal computer security.

The IdeaPad uses VeriFace, a "facial recognition" program installed in the IdeaPad.  Put simply: You register yourself (and anyone else that you want to have access to the laptop) by letting the software "scan in" the faces in front of the built-in, 1.3-megapixel webcam. Those facial images can then be associated with logins—to a Windows Vista "user" account, for example. That way if you've set the Lenovo to "lock" after a period of inactivity, getting back in is as simple as facing the webcam at the top of the IdeaPad's 15.4-inch LCD screen. This facial recognition scheme can also be used to log you into your Web-based e-mail and other accounts that normally require you to type in a user name and password.

You can review how the Lenovo IdeaPad works by watching our video using the player embedded in this post.

As with other biometric-based security devices (such as fingerprint scanners), VeriFace worked well and wasn't spoofed by simple trickery. But this 007-type approach to PC security wasn't completely flawless. (Hint: Those who wear hats and reflective glasses or typically use their laptops in badly-lit places might have second thoughts about facial recognition security.) And VeriFace still requires typed-in passwords as a back-up means of access—which means it is no less vulnerable to hackers and code-cracking software.

We're still testing the Lenovo IdeaPad and will include it in our Ratings of laptop computers soon on ConsumerReports.org. But one shortcoming that was obvious to me and other testers: Its LCD screen reflected light—a lot. Under our video studio's bright lights, the screen acted like a mirror. Perhaps that's so you can better examine your face before telling the Lenovo's VeriFace software, "I'm ready for my close-up."

—Paul Eng

As our annual State of the Net survey has shown for the past several years, the insecurity of online consumers is a severe national problem that affects nearly everyone and costs American consumers billions of dollars annually.

Coverage of this important subject has become an integral part of our electronics content, both in print and online. While we will continue reporting on Internet threats of all types, and testing the key products and services that help you protect yourself online, this year we will begin to do even more.

Cell-phone spam still trails computer spam, with the typical cell-phone user receiving at most a few spam text messages per year rather than the thousands that may bombard their computer-based e-mail accounts. But in some ways, cell spam is more annoying. It can cause your phone to ring or vibrate at inopportune times and possibly cost you money—typically 10 to 25 cents per message if you don't have a text-messaging plan.

Since 2005, the CAN-SPAM Act (Controlling the Assault on Non-Solicited Pornography and Marketing) has prohibited commercial e-mail and text messages to be sent to cell phones without "express prior authorization." Unfortunately, the law leaves commercial entities lots of loopholes. For example, it doesn't prevent your carrier or its partners from sending you upgrade offers or account notices. Also, non-commercial organizations such as charities and political campaigns can shoot you all the messages they want on your dime.

If tax season is here, can IRS e-mail scams be far behind? Here's a tempting one making the rounds: An e-mail that looks like it's from the IRS tells you the agency has "determined that you are eligible to receive a tax refund of $746.35." All it takes to get that cash is a simple click on a link to "access the form for your tax refund."

If you get one of these, don't start planning that vacation yet, and definitely do not click on the link or fill out the form. The IRS doesn't send unsolicited e-mails about tax refunds or any other matter. What you've actually received is not an opportunity to claim hundreds of unexpected dollars. It's a phishing scam designed to load malicious software onto your system and collect personal information for use in identity theft schemes.

This and other scams that use refunds from the IRS as bait are more prevalent than ever. Meanwhile, even newer scams are showing up surrounding the recent Federal tax rebate, according to Paula Greve, director of Web security research for Secure Computing.

In fact, Greve notes, there has been a 3,000 percent year-over-year increase in phishing attacks and malicious Web sites targeting the IRS, with more such attacks in January 2008 alone than in the first six months of 2007 combined. Close to 600 IP addresses sending e-mail purporting to be from the IRS have already been tracked, and Greve expects that number to increase.

Most of the news coverage regarding the "digital transition" has been about television, which is switching to all-digital broadcasts on February 17, 2009. But some cell-phone users and other wireless subscribers face another type of digital transition—and in just a few days. On February 18, an FCC law requiring cellular carriers to provide analog service to subscribers and roamers expires. That means some older analog phones, alarm systems, and OnStar emergency services will no longer work.

Unlike TV broadcasters, cellular carriers aren't being forced to drop analog service. Rather, they're now allowed to discontinue analog service if they already blanket their cellular geographic service areas (CGSAs) with digital coverage. You won't be blindsided by the change. Carriers have to give their analog customers adequate warning. Here's the 411 on who's affected, and what they can do about it:

Cell-phone users. The expired law primarily affects some analog customers of Verizon, Alltel, AT&T, US Cellular, and Dobson (and other companies that market their services as "Cellular One"). Fortunately, it's only customers who have older, analog-only phones—not the newer digital phones with analog backup. You can tell your phone is analog if it's more than 5 years old, or if it doesn't have the ability to access the Web or handle text messages. Customers of SprintNextel and T-Mobile, whose networks are already entirely digital, should not be affected by the change. Rural subscribers to regional analog carriers shouldn't be inconvenienced either, though their phones may no longer be able to roam in areas serviced by digital-network carriers.

After years of simply selling movies, iTunes last month added the option to rent them. The service adds a welcome and relatively painless way to view films on your iPod, iPhone, or computer—though the service does have a few minor annoyances. After renting and viewing on a number of computers and players, here’s what we liked and disliked about the new service:

HIGHS

It's less costly than buying. If you're like me, you’ve resisted movie-watching via iTunes because you don't want to pay $9.99 apiece to own films that you'll likely watch only once, especially given the restricted size of computer and iPod screens. The rental costs—$3.99 for new releases, $2.99 for catalog titles—are in line with those for pay-per-view offerings from satellite or cable companies. Apple says selection will also be comparable by the end of February, when it promises more than 1,000 titles.

Decent picture quality. We viewed movies on a laptop and desktop, two iPods (a Touch and a Nano), and an iPhone. They looked good on all platforms—bright, clear, and surprisingly sharp. Unsurprisingly, it was hardest to appreciate that quality, and the movies themselves, on the tiny Nano screen, though the images were still surprisingly watchable.

If you've noticed fewer popup ads while Web surfing, it's probably more than just your anti-popup software doing its job.  So-called "nuisance adware," popups and home-page hijackers that annoy but don't usually harm your computer, has been vanquished, though not totally eliminated.

That was one of my main takeaways from attending last week's fourth annual public workshop held by the Anti-spyware Coalition, a group of software companies, academics, and consumer groups united in the effort to control spyware and other online threats. Held in the shadow of the US Capitol in Washington, DC, the workshop's subtitle was, "What's worked, what's left, and what's coming."

Some of the reasons for the downfall of nuisance adware include new state anti-spyware laws, aggressive high-profile prosecutions of perpetrators, and a growing reluctance by high-profile makers of consumer products and services to inflict further damage on their brands by advertising in a medium (adware) that one workshop speaker characterized as "a lousy consumer experience."

But this success has come at a price, the conference attendees found out. While some adware purveyors have changed their practices for the better to stay on the good side of the law, others have gone underground, to a market position some speakers called "the dark side" by adopting even more egregious technologies borrowed from virus writers, hackers, and other online miscreants.

Following a keynote by FTC Commissioner Jonathan Leibowitz, conference panels discussed such topics as Is Spyware Dead?, Can Investigators Stay Ahead of the Bad Guys? and Education: What Works and What Doesn't? Speakers included experts from major anti-malware vendors like McAfee and Lavasoft, government officials, security professionals, and academics.

Best Buy tells us that one of its Insignia brand digital picture frames has been contaminated by a virus. The only model involved is a 10.4-inch frame bearing the number NS-DPF10A. If you're downloading photos by connecting this frame directly to your computer, you may be putting your system at risk. Owners should contact the company by calling 877-467-4289. Best Buy will help you determine whether your frame is affected and will let you know how to proceed if it is. The model, which was sold over the holiday season, has been discontinued and is no longer available for purchase from Best Buy.

The virus is not a new strain, so if your system is protected by antivirus software, it should catch and isolate the infection. In addition, if you're loading photos using a memory card, the virus can't be passed along that way, according to a Best Buy spokesperson.

So far, the company has received about two dozen calls concerning this issue. Best Buy is still investigating the cause of the infection. If you have another model of Insignia frame, and notice that your antivirus software is picking up viruses when you connect the frame to your computer, call Best Buy and let them know. Continue checking the Insignia home page at http://www.insignia-products.com/default.aspx for further developments.

And for additional computer safety tips, including Consumer Reports' Ratings of the best computer security software and online protection tools, check out our online cyber-security center.

—Donna Tapellini

Besides printers, scanners, and networked storage solutions, which you always expect to find at Macworld, the focus this year seemed to have shifted towards new 3rd-party peripherals revolving around iPhone. Dozens of new headset, headphones, and docking options have recently become available to support Apple's new flagship product.

Macally, a long time provider of Mac peripherals, offered Tune Pro and FlexTune. Designed for the iPod, TunePro is an audio minisystem with a flat-panel appearance and includes an alarm clock—perfect for the nightstand; FlexTune is a small but very versatile charger and speaker set for both iPod and iPhone. What was interesting about the latter was the way the speakers could slide laterally so the iPhone could be rotated to landscape mode for video viewing, to minimize the device's footprint on an office desk.

Skullcandy offers creative designs that appeal most to a younger crowd. They recently introduced the iPhone FMJ headset. They also offer full-featured wireless headphones. Most of their prices are under $100, except for the high-end phones, which retail for $169.95.

Ultimate Ears offered four models of high-quality headsets for iPods and iPhones: the Custom, the Triple.fi, the Super.fi, and the Metro.fi for the style conscious.

I briefly stopped by Xtreme Mac as well, and saw a wide variety of good-sounding, aesthetically-pleasing docking stations, speakers, and clock radios, most notably the Luna X2 and the Tango X2. They also offered nearly a dozen varieties of cases, pouches and protective covers for iPods and iPhones.

One of the more interesting presentations I attended was from Altec Lansing, who said their new T612 iPhone dock and speaker system (Click on the image at left for a closer look.) is the first to be "Apple certified", meaning Apple agrees to sell them in Apple stores. Apparently such certification is difficult to attain, as Apple has very tight engineering standards regarding specific emissions and GSM shielding. Capable of both desk and wall mount, the sound is very rich and clean. It is also backward compatible with dockable iPods.

Some MacWorld miscellany, beginning with four operating-system/software entries:

Improvements to MS Office. I said earlier in the week I'd say something about the new MS Office 2008. The features are more or less in parity with the Office 2007 product that's been out for a year, now. Entourage plays better with Exchange Server, to address concerns about corporate distribution, and I was assured by the lead developer for Word08 that the "Normal" file, a file that holds all of your custom stylesheets translates fully from older versions. The only other thing to note here is that with Office08, virtually every major Mac application suite has made the transition to Universal Binary code base and is Intel-native. That means there's no longer any need for Rosetta, the built-in code translator between G5 Mac processors and Intel Windows processors.

A new Windows on Mac option. Another interesting entry in the "virtualization" competition comes from Codeweavers, who were demoing their "Crossover" product. Crossover allows someone who wants to switch to Mac and still protect their Windows software investment to actually install and run their legacy Windows programs natively in OS X; no virtual disk image or Windows OS is required. The downside is that this capability has to be customized by Codeweavers for each legacy Windows application. Consequently, the company has concentrated on a limited list of only the most used Windows apps to date, like MS Office, Access, Visio, etc. (You'll find the list of supported apps at http://www.codeweavers.com/compatibility/.) The result is very fast and responsive. If you use those apps, this could be of real value.

With Mac sales up, and many new users coming to the platform, will malware writers begin to seek fresh targets? I asked the chief technologists at security companies Intego and McAfee what they saw as the primary threats to the Mac platform, both today and looking ahead.

While both agreed that Mac OS X is solid when it comes to security, they also fear that malware attacks on the Mac are inevitable—it's just a matter of when.

According to George Heron, the chief scientist at McAfee, 35% of the malware currently threatening computer users has been discovered in the past two years. In 2002, there were about 100 new detections a week. By 2007, that number had skyrocketed to 2000-plus. That's probably because the profile of cyber-criminals has changed. It's not about impressing your fellow geeks with your virus-writing prowess anymore. Today, money rules in the cyber-underworld, with malware going after financial information, credit cards, and bank accounts. Large, well-organized, highly sophisticated hackers design spam and phishing scams on a massive scale, largely operating out of China, Brazil, Russia, and the Middle East, according to Heron. More Macs in the marketplace means a growing profit opportunity in a highly profitable industry that steals billions worldwide.

Intego's Jack Nahan told me that the biggest threats to Mac users going forward are phishing, trojans, and ID theft. The two most interesting and insidious to date have been a scam where the user is invited to download a supposedly friendly new piece of anti-virus shareware called "Macsweeper" (it installs a trojan), and a "screen scraper" app that comes off the Web and never resides locally. It just copies whatever is on the user's screen (including banking information) and returns it to the scammer.

For more information on how to protect your computer (Mac or PC) and your information while online, check out these free resources on ConsumerReports.org:

• Cyber-security Central
• Best ways to stay safe online
• Best security software

And if you subscribe to ConsumerReports.org, you'll have access to:

• CR's latest Ratings of security software suites
• CR's latest Ratings of antivirus software
• CR's latest Ratings of antispyware software
• CR's latest Ratings of antispam software

—Thomas A. Olson

A Consumer Reports colleague (Joyce Ward) and I met privately with Apple reps Tuesday afternoon for a personalized demonstration of the MacBook Air and other products. It was fun to take a closer look at these new offerings, even if just for a short time.

They say the MacBook weighs three pounds, but it honestly didn't feel even that heavy when I held it in my hand—it seemed lighter somehow. The screen was bright, the keyboard a joy to touch, and the trackpad "touch" software had specific settings for one-, two-, and three-finger operation. One finger can click, drag, or double-click. Two fingers flip, rotate, magnify, or minimize images or web pages by using a "pinching" motion. Three fingers let you "slide" from page to page, image to image. This software utility is currently fully compatible only with the Leopard Finder, Safari Web browser (seen on a Windows XP machine at left), and most of Apple's "iApps." Expect third-party support in the future.

Of course, one of the first things that came to mind when seeing the MacBook Air was, "How's this battery deal gonna work?" In case you hadn't heard, the battery in the MacBook Air is not user-replaceable. As a long-time traveling laptop user, that worries me. I always found having the occasional spare battery to be a good thing, especially on those extra-long excursions.

Apple insists its batteries are absolute state of the art, hold a charge very well, and have a very long life. (The 17-inch MacBook Pro's battery lasted 5.25 hours in our latest tests.) Nevertheless, Apple will try to ease your worries with a Battery Replacement Program: Bring your MacBook Air to the nearest Apple store, and the techs will replace the battery (while disposing of the old one in an environmentally responsible manner). Total cost: $129, the same as a new battery you would replace yourself in other models. In addition, more and more airlines today offer laptop power ports on their planes, and both Apple and third parties sell adapters. So as time goes on, the need for having all that extra battery power handy is becoming less necessary. (It was unclear whether this Apple store program was a "while you wait" service, or a "drop it off and pick it back up tomorrow" sort of thing. Time will tell.)

Apple's goal with the MacBook Air was to design a sleek laptop without most of the tradeoffs associated with ultra-portables. The full 13.3-inch backlit LED screen with 1280 x 800 widescreen resolution bears this out, as does the standard MacBook keyboard and an oversize trackpad that supports the one-, two-, and three-finger multi-touch technology used on the iPod Touch and iPhone. Nevertheless, for power users, there are some tradeoffs: There's only one USB port, no Firewire, no DVD, and the custom battery.

Which led to my next question for the Apple folks:  What if you're on the road, your Time Capsule (seen at right) is at home, and your system has a meltdown? Low odds, mind you, but there it is, coming from a geek who can't be too paranoid. They recommended two solutions. The first, of course, is to carry that $99 external DVD drive and yo