While all eyes are on Congress to see whether they will resolve the credit crunch by bailing out banks and other financial institutions from their own greed, another money bill, the Research and Development Tax Credit moved one step closer to passage on Friday. However, the deal is not yet closed.

In the latest news, the House of Representatives and Senate both passed a two-year extension to the Tax Credit that is fully offset, meaning it will be retroactive for 2008 and expire in December 2009. That is the good news.

The bad news is the same extension was added to two separate bills, one in the Senate and one in the House, and as we went to press, neither body was compromising on how to budget for the credit.

According to a spokesperson for the R&D Credit Association, Representative Steny Hoyer (D-Md.), House leader, said the House will not accept the Senate bill.

Part of the problem is that each version of the tax credit extension appears in a separate bill, one from the Senate and one from the House, meaning a conference committee cannot be used to resolve the differences.

As reported by InfoWorld last week, the tax credit, which in high tech goes mainly to paying salaries for workers doing R&D, lapsed last December.

The Information Technology Association of America, a lobbying group for the high-tech industry, estimates that more than 106,000 jobs would have either been lost or not created and almost $14 billion in potential revenue lost due to the Congressional failure to reinstate the credit for 2008.

The question is will the 110th Congress adjourn before the differences are worked out.

Online application company Zoho Tuesday unveiled a new marketplace it says will allow users to buy and sell business applications and resell its Zoho Creator tool for building online database applications.

The company said it is looking for the new Zoho Marketplace to create a community where buyers and sellers of applications built using Zoho Creator can find one another and negotiate prices, Zoho said.

Creator developers can build custom Web-based applications based on specifications submitted by marketplace members, or they can build ready-made applications and post them for broad distribution, the company added.

Zoho, which has made its name in online office productivity applications, also launched a new Zoho Creator Partner Program aimed at encouraging resellers, consultants, developers, and other users to distribute end user applications and resell Creator itself.

Zoho Tuesday also announced Creator 3.0, with added support for custom HTML pages and mashups, Zoho said. The new version will allow users to build custom HTML pages by embedding code in HTML to create dynamic HTML pages; users also can embed forms, views, and other widgets, Zoho said. The new version will also let users combine data from external Web sites via Web APIs to build mashups, Zoho said.

"Zoho Creator 3.0 epitomizes our mission on the web — give our customers powerful applications that are simple to use," said Raju Vegesna, Zoho evangelist, in a statement. "Zoho Creator is an ideal solution for people who are not developers, but who still want to create their own 'situated applications.' These small, situation-specific applications are often needed immediately, on the fly, and Zoho Creator eliminates lengthy development cycles to deliver solutions in minutes."

Michael Arrington, a blogger at TechCrunch, noted that while Zoho's online office productivity tools have long competed head-on with Google, its new offerings also put it into competition with Salesforce.com's AppExchange marketplace for third-party applications.

He added that Zoho claims that more than 100,000 applications have already been built on its Creator platform, most of which are available to all users. "Those applications are not being moved over to the Marketplace automatically, but developers will have the option to do so, and either charge for the apps or give them away for free. Zoho is giving 100 percent of the fees to developers," Arrington said.

He also noted that General Electric announced at the Office 2.0 conference earlier this month that it will use Zoho applications on their 400,000 desktops. Zoho was selected over rival Google, he added.

Zoho Creator 3.0 is available now and offers a variety of pricing plans, including personal and business editions that are free for an unlimited number of users (personal edition) or for the first five users (business edition). Additional business plans provide bolstered security through SSL scripting, rebranding, data backup, non-branded embedding, and additional storage.

With the imminent release of Silverlight 2.0, developers and Web designers, particularly those already working in Microsoft IT environments, will have the first viable alternative technology to Adobe Flash for building rich Internet applications, analysts and developers said.

Microsoft first released Silverlight, a cross-browser runtime for Web-based multimedia and 3D applications, about a year ago. However, the development of the 1.0 version, like many new Microsoft products, was rushed, and not even close to the vision the company had for the product.

[ Check out the InfoWorld Test Center review of Silverlight 1.0 ]

"[Silverlight] 1.0 was a stop-gap measure — they were late to market and wanted to get something out there early after Adobe had done an amazing success [with Flash]," said Al Hilwa, an application development software program director for research firm IDC. But Silverlight 2.0 "is the real deal — they've put out architecturally what they've always wanted to do," he said.

Silverlight 2.0's final release is imminent. Insiders said it could be available in a few weeks. The first release candidate for developers is already available on the Web.

It may be fair to say that Microsoft moved faster with Silverlight than it ever has to get a product in shape as a viable competitor to already-established technology. In this case, that's obviously Flash, which has enjoyed great success for years as the predominant technology for adding high-impact multimedia applications and graphics to Web sites. It was this early trend that spurred the current development of more complex Web-based and business applications that make the user experience as important as stability, security, or general performance.

Though it's no match across the board for the more mature Flash technology yet, people who have used early versions of Silverlight 2.0 said Microsoft indeed has made great strides with the technology.

However, developers should not be misled into thinking that Silverlight is meant to be a "Flash killer," warned Christopher Smith, president of Aquent Graphics Institute, a Boston training and staffing firm that works with developers and designers using Adobe and Microsoft development software.

"I don't think Microsoft is trying to go after the hard-core Flash people," he said.

Instead, Microsoft is "offering an option for designers and developers who want to build an interactive front end that will tie into their existing Microsoft infrastructure and platform," Smith said.

For that goal, developers said that Silverlight 2.0 and its companion tools – the Expression toolset, and in particular, Expression Blend — actually have an advantage or two over Flash for companies and developers that already use Microsoft infrastructure.

Fred Gerantabee, a training manager and instructor at Aquent who has used Flash for 11 years and also is now using Silverlight, said that because of this tie-in, Silverlight is a better runtime than Flash for data-intensive applications.

"From a data-integration perspective, Silverlight is powerful out of the gate because it uses this back end that has been proven for users," he said. "If you're in a Microsoft environment, which a lot of people are, Silverlight's capabilities [in this respect] will excel."

On the other hand, "Flash was not originally designed to be a data-intensive, application-building environment — it became that through user demand," Gerantabee said. Because of this, in his opinion it still has weaknesses to Silverlight in this area, he said, acknowledging that "there are Flash developers who would disagree" with this assessment.

Another advantage for Microsoft developers is the integration of the .Net framework into Silverlight 2.0, so developers can use C# or Visual Basic to build Silverlight applications, said Jonathan Wetzel, a developer for startup ZocDoc in New York. ZocDoc, which has a Microsoft-based IT environment, has a Web site for people in the New York area to set up appointments with health-care providers.

.Net developers who may have little to no experience in designing multimedia applications can easily use Silverlight to do so because they can leverage a familiar development language and environment, Wetzel said. "It's a much easier transition," he said.

Aside from the advantages Silverlight has as a Microsoft technology, the company also has added at least one feature into Expression Blend — a companion tool for generating Silverlight applications — that trumps what a developer currently can do in the Flash development environment, Gerantabee said. That feature is "handoff timeline," he said.

Historically in Flash, if a designer is creating two isolated animations that need to follow each other sequentially in an application, if the timelines of those applications don't exactly line up, the transition between them won't be smooth without "a tremendous amount of programming," Gerantabee said.

However, Microsoft has built into Blend a feature that will automatically calculate that transition in Silverlight, he said. "If you have a number of different storyboards and you switch [between them], it actually calculates the position for you — it takes over from one animation and picks up another," Gerantabee said.

For all of its strengths, however, Adobe need not be worried that Silverlight will be displacing Flash anytime soon, as Adobe's proven technology still has significant advantages from a design perspective, developers said.

"Flash has more years on Silverlight in terms of authoring tools and there are things from a design perspective that it can do that Silverlight can't do," Gerantabee said.

"People still say when it comes to 3-D handling or animation handling Flash is superior environment," Hilwa concurred. "In terms of existing features for high-definition video, Flash still has the advantage."

However, Hilwa thinks it may not be the technology features that will have the most long-term impact on long-term adoption of both technologies — it will be support from independent software vendors and the strength of each company's marketing rather than "pure technical merit."

The infamous Gpcode "ransomware" virus  that hit computers in July was the work of a single person who is known to the authorities, a source close to the hunt for the attacker has told Techworld.

The individual is believed to be a Russian national, and has been in contact with at least one anti-malware company, Kaspersky Lab, in an attempt to sell a tool that could be used to decrypt victims' files.

[ Learn how to secure your systems with Roger Grimes' Security Adviser blog and newsletter, both from InfoWorld. ]

Initially sceptical, the company was able to verify that the individual was the author of the latest Gpcode attack — and probably earlier attacks in 2006 and 2007 – using a variety of forensic evidence, not least that he was able to provide a tool containing the RC4 key able to decrypt the work of the malware on a single PC.

The 128-bit RC4 keys, used to encrypt the user's data, are unique for every attack. The part that had stymied researchers was that this key had, in turn, been encrypted using an effectively unbreakable 1,024-bit RSA public key, generated in tandem with the virus author's private key. But the tool did at least prove that the individual had access to the private "master" key and must therefore be genuine.

Kaspersky Lab set about locating the man by resolving the proxied IP addresses used to communicate with the world to their real addresses. The proxied addresses turned out to be zombie PCs in countries such as the United States, which pointed to the fact that Gpcode's author had almost certainly used compromised PCs from a single botnet to get Gpcode on to victim's machines.

Tracking down the owners of these PCs proved extremely difficult, with service provider Yahoo, for one, allegedly refusing to cooperate with the investigation on privacy grounds. Foreign police were informed, however, as were the Russian authorities. Armed with enough circumstantial evidence, "they were interested," the Kaspersky source confirmed.

To date, it is not clear what if any action the authorities plan to take.

For its part, Kaspersky Lab confirmed that it had been contact with a dozen victims from Russia, Hungary, and Slovakia, at whose populations the program appears to have been primarily aimed. Gpcode has since struck further afield, hitting a medical institution in Cuba and, unconfirmed rumors claim, government offices in the United States.

Gpcode has appeared in a number of variants since 2006, each using ever-stronger encryption. The program's approach is direct and frightening. Once on a system, it sets about encrypting all data files it finds with any one of 143 file extension types, rendering them inaccessible. Victims are then told they can recover the files by paying a ransom to the author, reachable through a Yahoo e-mail account.

The innovation of the latest Gpcode attack was that it generated keys to the RC4 stream cipher using 1,024-bit RSA, a much higher bit length than previous versions, which made it, to all practical intents and purposes, uncrackable.

Luckily, on this occasion, Gpcode's author had made a number of more basic programming errors that allowed researchers to construct a method for recovering files. It turned out that while encrypting data, the original files had been "deleted" using the Windows file system. This meant that although invisible to the operating system, the files were still on the disk and could be recovered using available tools.

One thing Gpcode has made clear is that technology alone can't now defend against this type of malware. Once on an undefended PC, reversing its effects depends on having access to the private RSA key, and that means tracking down the author.

According to Kaspersky, stopping ransomware-based malware in the future will require more effective law enforcement, the use of forensic software analysis to tie suspects to their malevolent creations, and possibly building restrictions into the Windows cryptographic software libraries used to create Gpcode itself.

Despite its frightening reputation, ransomware is still, thankfully, a rare phenomenon. There are various theories as to why this is the case, ranging from the complexity of the software itself to the difficulty of setting up a reliable channel through which to accept "ransom" payments from victims. Other, easier types of malware might just be more profitable to criminals.

Techworld is an InfoWorld affiliate.

Two Princeton University academics have found a type of coding flaw on several prominent Web sites that could jeopardize personal data and in one alarming case, drain a bank account.

The type of flaw, called CSRF (cross-site request forgery), allows an attacker to perform actions on a Web site on behalf of a victim who is already logged into the site.

[ Learn how to secure your systems with Roger Grimes' Security Adviser blog and newsletter, both from InfoWorld. ]

CSRF flaws have largely been ignored by Web developers due to a lack of knowledge, wrote William Zeller and Edward Felten, who authored a research paper on their findings.

The flaw was found on the Web sites of The New York Times; ING Direct, a U.S. savings bank; Google's YouTube; and MetaFilter, a blogging site.

To exploit a CSRF flaw, an attacker has to create a special Web page and lure a victim to the page. The malicious Web site is coded to send a cross-site request through the victim's browser onto another site.

Unfortunately the programming language that underpins the Internet, HTML, makes it easy to do two types of requests, both of which can be used for CSRF attacks, the authors wrote.

That fact points to how Web developers are pushing the programming envelope to design Web services but sometimes with unintended consequences.

"The root cause of CSRF and similar vulnerabilities probably lies in the complexities of today's Web protocols and the gradual evolution of the Web from a data presentation facility to a platform for interactive services," according to the paper.

Some Web sites set a session identifier, a piece of information stored in a cookie, or a data file within the browser, when a person logs onto the site. The session identifier is checked, for example, throughout an online purchase, to verify that the browser engaged in the transaction.

During a CSRF attack, the hacker's request is passed through the victim's browser. The Web site checks the session identifier, but the site cannot check to ensure that the request came from the right person.

The CSRF problem on The New York Times' Web site, according to the research paper, allows an attacker to obtain the e-mail address of the user who is logged into the site. That address could then potentially be spammed.

The newspaper's Web site has a tool that lets logged-in users e-mail a story to someone else. If visited by the victim, the hacker's Web site automatically sends a command through the victim's browser to send an e-mail from the paper's Web site. If the destination e-mail address is the same as the hacker's, the victim's e-mail address will be revealed.

As of Sept. 24, the flaw had not been fixed, although the authors wrote they notified the newspaper in September 2007.

ING's problem had more alarming consequences. Zeller and Felten wrote the CSRF flaw allowed an additional account to be created on behalf of a victim. Also, an attacker could transfer a victim's money into their own account. ING has since fixed the problem, they wrote.

On MetaFile's Web site, a hacker could obtain a person's password. On YouTube, an attack could add videos to a user's "favorites" and send arbitrary messages on a user's behalf, among other actions. On both sites, the CSRF problems have been fixed.

Luckily, CSRF flaws are easy to find and easy to fix, which the authors give technical detail on in their paper. They've also created a Firefox add-on that defends against certain kinds of CSRF attacks.

Toshiba showed off a prototype of its fast-charging SCiB battery designed for laptops on Tuesday, but said the technology is still a ways off from making its way into computers.

SCiB, or Super Charge Ion Batteries, are designed to recharge to 90 percent capacity within 10 minutes, and will last longer and endure more recharge cycles than current lithium-ion batteries.

SCiB are also safer and will not explode when crushed, as lithium batteries may, Toshiba said. This is because SCiB batteries use a material with a higher level of thermal stability and are designed with safeguards against short circuits or overheating.

SCiB batteries can endure 5,000 to 6,000 recharge cycles, compared to around 500 cycles for standard lithium-ion batteries, according to a Toshiba executive manning the company's booth at the Ceatec exhibition in Chiba, Japan.

At the show, Toshiba showed a prototype SCiB battery installed in a Dynabook laptop. The laptop was matched against a similar machine with a lithium-ion battery in a demonstration of the SCiB's rapid charging capability.

SCiB batteries were introduced last year, with the first versions designed for industrial applications. The batteries will also find their way into a Cannondale electric bicycle, the Schwinn Tailwind, that will go on sale in the U.S. and Europe next year.

Toshiba did not say when SCiB laptop batteries will hit the market.

A version of Lotus Notes from IBM is at last available for Apple's iPhone as a free download from the App Store, allowing users to check their Notes e-mail and view their calendar and contacts, IBM announced.

The iNotes Ultralite download comes with IBM's Lotus Notes software 8.0.2, which is designed to offer better performance than earlier versions and uses 20 percent less memory. The App Store version also offers an update of Lotus Symphony, the free alternative to Microsoft Office for preparing documents, spreadsheets, and presentations. According to IBM, the newer version of Symphony provides improved compatibility with Office.

[ See InfoWorld's guide on how to make the new iPhone work in your business. ]

Once the App Store download is completed, IBM iNotes can be accessed via the iPhone's Safari browser. Users can also add the Lotus Mobile Connect VPN for better security.

IBM named two customers that have tested and used iNotes Ultralite — Vladimore Jones, a marketing communications company in Greenwood Village, Colo.; and ABData Information Technology Consulting and Engineering in Zurich.

Curtis Pogue, a systems administrator at Vladimir Jones, said he is testing iNotes on about 10 iPhones. "If this works well, and with the cost of iPhones dropping, I can see more use in the future," he said. "The ability to get everything from calendar to contacts in real time would be a huge advantage."

The company now requires iPhone users to sync the calendar and contacts data through a cable.

Pogue said he would eventually like to see Notes as a native iPhone application instead of a Web application. "You could replicate as needed and not have a constant connection," he explained.

In contrast, Jason Michels, the lead system engineer for Notes at Aurora Health Care in Milwaukee, is glad iNotes is a Web-based application, since it doesn't require installing back-end servers, which can be "prohibitively expensive" to support.

"iNotes is really exciting," he said. "You just take the Safari browser on that iPhone and put in a URL and connect." He said there are already dozens of iPhone users in his company, and "they are coming out of the woodwork all the time."

While Notes is still behind Exchange in popularity with business e-mail users, IBM claimed strong sales of Notes and Domino over 15 consecutive quarters — and a 21 percent increase in sales in the second quarter, compared with the same quarter a year ago.

About 140 million licensed users rely on Notes worldwide, IBM said, with more than half of the world's 100 largest corporations on the platform.

Well before the iPhone 3G went on sale in July, Apple described it as business-ready, primarily because of the addition of Exchange support.

In March, IBM officials said they were working on Notes support for the iPhone. That same month, Sybase iAnywhere said it was adding support for Notes from the iPhone through its Information Anywhere Suite.

Computerworld is an InfoWorld affiliate.