14 November 2001 Archive

MS ‘Security Framework’ is another .NET vulnerability

In late October 2001, Microsoft's Security Manager Scott Culp published a missive calling for 'responsible disclosure' of security vulnerability information on the Internet, claiming it was because of the public availability of such information that major Internet security problems or cyber-terrorist events could occur. His commentary was well received by large commercial companies and security vendors, and panned by nearly everyone else.

During his discourse, Culp joined today's sensational security bandwagon by coining the term "information anarchy" to describe what would happen without 'responsible security discussions' in controlled environments, away from where cyber-criminals might learn some new trick to cause electronic mischief or mayhem. First we have the White House (the most powerful government in the world) seeking to prevent an "Electronic Pearl Harbor" through any number of government initiatives. Now we have Microsoft (the most powerful monopoly in the electronic world) seeking to prevent "Information Anarchy" through any number of corporate initiatives. Perhaps "Information Anarchy" is a term intended to imply that information really doesn't want to be free, or can't be free and safe (thus attacking the legitimacy of the open source software movement), and must therefore be restricted through invasive software, policies, or law? Or is Culp simply trying to get a term into the New Hacker's Dictionary?

In his missive touching on several recent (and nearly exclusively Microsoft-based) security incidents, Culp noted that "the relationship between information anarchy and the recent spate of worms is undeniable. Every one of these worms exploited vulnerabilities for which step-by-step exploit instructions had been widely published. But the evidence is more conclusive than that. Not only do the worms exploit the same vulnerabilities, they do so using the same techniques as were published - in some cases even going so far as to use the same file names and identical exploit code. This is not a coincidence. Clearly, the publication of exploit details about the vulnerabilities contributed to their use as weapons." (The intent behind how such information is used - for attack or defense - never seems to have occurred to him.)

In other words, Microsoft is saying "Please don't publish anything about security flaws you find in our products. All this does is spread viruses, and makes us and our products look flawed, exploitable, and bad." Or, to borrow from George Orwell, "your ignorance is our strength."

Culp declined to address the truisms that any networked Windows machine is inherently vulnerable, more so than most other operating systems (regardless of price or vendor), and that the only secure Microsoft software is what's still shrink-wrapped in the warehouse. Microsoft's products are the most widely deployed operating systems in the world, running everything from home computers to defense systems and various critical infrastructures. These are the same products that are proven insecure, unstable, and dangerous on a monthly basis, and that cause well-known analysts to voice grave warnings over continued blind dependence on Microsoft products.

The first warning came in a 1998 Computerworld article in which Paul Strassman of the National Defense University in Washington, DC, rightly observed:

"Microsoft's dominance in operating systems represents a new threat to the national security of our information-based society. The government is trying hard to contain the expanding power of Microsoft by antitrust litigation that would prove present harm to consumers. That's insufficient. The government also should address the risks from information warfare attacks on a largely homogeneous systems management environment. Inevitably, infoterrorists and criminals will take advantage of flaws in the gigantic Microsoft operating systems that are on their way to becoming the engines for running most of our information infrastructure....

"An all-encompassing operating system bares itself to hostile exploitation of paralyzing security flaws. The presence of a fatal defect is unavoidable, as the complexity of Microsoft systems expands to bizarre proportions with each new release. It's the search for such a fault that occupies the minds of some of the brightest computer experts. Finding a crack through which one could induce mayhem with only a few keystrokes would be worth a great deal of money, especially when supporting an act of terrorism....

"No agricultural expert would suggest that only one crop, using the identical seed strain, be planted in Kansas, Ohio, Illinois and Iowa. 'Monocultures,' as biologists call them, are just too vulnerable to pests, disease and an unprecedented combination of ecological conditions. The Irish potato famine, for example, was caused by reliance on a single strain of potato."

Strassman's comments were incorporated into my 2000 missive "Microsoft: A Proven Danger to National Security" and were recently echoed in Oliver Morton's December 2001 Wired article, where he states that our de facto standardization on Microsoft products has the very real potential to be a national -- or international -- security issue, not simply an antitrust one.

Given its track record, one has to wonder if the company is genuinely concerned with addressing software security or simply trying to convince the world that its products are secure enough for the public to entrust their private data to Microsoft's .NET system, the software monopoly's new business model. As it stands now, nobody in their right mind would use .NET or rely on Microsoft Passport for any significantly important services, and that's probably driving the out-of-the-blue emphasis on security. After all, the company's image as a purveyor of secure, reliable software is lackluster at best, given the almost comical nature and frequency of its security bulletins. As to its ability to serve as a reliable data services provider - the basis of the .NET strategy - we must remember the monopoly suffered a humiliating network outage across its entire line of Internet properties earlier this year through a network architecture oversight that any second-year engineering student knows about (all of its authoritative DNS servers sat on a single network segment behind one router). Not a very good way to entice new customers onto the as-yet-undetermined-but-definitely-proprietary .NET gravy train the company is staking its future on.

Microsoft is using the security hysteria resulting from September 11 to market its newfound security ideas, conducting a pre-emptive marketing strike in the perfect medium for its message to take root in and grow with corporate America. What remote cave were they living in for the past six years that security suddenly appears so critical for them to address? Security expert Simple Nomad correctly observes that "economically and politically this is a great time to start this [program] from Microsoft's perspective. Under the guise of preventing cyber-terrorism, anyone who opposes this is considered 'un-American.'"

During a security conference this week in Mountain View, California, Culp released an overview of the firm's plans for dealing with security information that expanded on his October missive to the Internet community. His briefing outlined a Microsoft Security Framework to allegedly facilitate more responsible security interaction and vendor involvement in resolving problems. This is accomplished by creating yet another vendor-biased "club" to try to restrict the discussion of vulnerability information away from the public and the evil lurking around every hub, router, and switch on the Internet. Charter members of this club are Microsoft and the major security software vendors Bindview, Foundstone, Guardent, @Stake, and Internet Security Systems. (It should be noted that despite public statements to the contrary, some of these firms have employed and continue to employ "black hat" hackers to research and develop the security products they sell to large enterprises.)

What's ironic is that Microsoft is reinventing the wheel, taking existing work in the field and warping it to fit its own proprietary image. Rain Forest Puppy's RFPolicy on vulnerability disclosure has floated around security circles for quite some time and more than adequately addresses how responsible disclosure can be accomplished. Yet nobody seems to care about this existing document. Is it because a "hacker" wrote it, and if it doesn't bear the author's Real Firstname Lastname, or come from a commercial entity, it can't be trusted or deemed adequate? Once again, industry is looking to create the illusion of real security while enacting the farthest thing from it.

The CERT/CC did a similar thing earlier this year regarding how it releases vulnerability information to the public, and even TruSecure's self-monikered "Surgeon General" Russ Cooper floated a similar "Vulnerability Club" concept with the intention of moving the discussion of vulnerabilities out of the public eye. On the CERT/CC action, recognized security consultant and pundit Brian Martin notes that "when CERT finally manages to release an advisory, it is vague and offers no technical details about the vulnerability. This prevents some administrators from being able to mitigate the risk with an efficient and effective solution. Essentially, it forces administrators to make drastic changes to their network, break necessary functionality, wait for a patch that may be weeks away, or audit tens of thousands of lines of source code to find out exactly where the problem is and if it truly affects them. Administrators are further burdened with trying to convince management or developers of the necessity for downtime without any facts to justify it."

According to Culp's PowerPoint slides, a long-term objective is for the MS Security Framework to be embraced by a "critical mass" within the computer community. In other words, Microsoft Windows customers, the largest and most 'critical mass' of computer users that matters to them. Members of this Microsoft Security Framework will pledge to ensure their tools are used "only for lawful purposes." Culp proposes that members would take steps to restrict the use of (for example) a network vulnerability scanner to a set of hard-coded target IP addresses, or develop restrictive licenses or product distribution channels. A totally useless concept. This does nothing to address the many freeware, shareware, or non-Framework companies that develop security and network administration products, not to mention hacking or intentionally misusing legitimately licensed software. Anyone who's had to re-acquire an ISS network scanning key for a new address range at their company knows this is more trouble than it's worth. There is also a danger to smaller security firms here. It's possible for large, diversified security software vendors (many with their own professional services business units) to exploit information gleaned from "per-use, per-site software licensing" to generate new business, by approaching the firm whose IP address range is being scanned with their software and undercutting the smaller firm's bid for that same work. (Talk about knowing your competition!)

Reporting and discussion of vulnerability information is restricted to members during a grace period; however, that does not apply to sharing information with law enforcement, infrastructure protection entities, or "other communities in which enforceable frameworks exist to deter onward uncontrolled distribution." This is a direct attack on the proven value of public-access, full-disclosure lists like BUGTRAQ and VULN-DEV, free community resources that have proven useful to the security community on several occasions. We know that the 'infrastructure protection entities' Culp mentions means the FBI's National Infrastructure Protection Center (NIPC), and its information-sharing programs are lackluster at best, providing little if any useful information even to authorized users. In short: trust us, we know what you need to know; we'll tell you what you need to know, as long as we think you should know it. Just trust us!

Elias Levy, security expert and former moderator of the BUGTRAQ list, considers this Framework akin to an "Information Cartel" whose effect would be to improve the image of software vendors by withholding potentially embarrassing information that could adversely impact sales. Simple Nomad also noted that the controversial Digital Millennium Copyright Act (DMCA) could be invoked by Microsoft to target independent researchers and non-Framework members publishing vulnerability information about its products, just as Adobe did this past summer. In this case, the company would join Adobe in using law and criminal procedure as poor replacements for quality control and effective software testing. Perhaps by joining the Framework you are immune from DMCA liability, provided you only report your vulnerabilities to Microsoft? Will security researchers be forced to join the Framework or be litigated out of business?

If the discussion of security vulnerabilities is restricted to such "clubs" and "cartels," only the criminals/hackers/terrorists will be discussing them outside of such circles, via e-mail lists, forums, and conferences. One conspiracy theorist even posited that by keeping such knowledge exclusively in the hands of large companies with deep pockets, such vendors would be free to exploit it at will for assorted purposes. Sounds a bit like the loony "if we outlaw guns, only criminals will own them" argument, doesn't it?

eEye Digital Security was criticized by major vendors for publishing vulnerability and exploit information about the Code Red worm plaguing Microsoft-based Web servers this past summer, even though it was the first company to provide free, useful public information (no marketing strings attached) with the technical details of this latest security problem. Many system administrators used this information to monitor their networks and take preventive steps to protect their systems well in advance of Microsoft, CERT, or NIPC acknowledging and addressing this particular exploit (one of a recurring series of should-have-been-already-addressed Web server buffer overflow exploits). Yet eEye was vilified and called irresponsible for releasing "too much information" that could help mischievous folks launch further attacks based on exploit code that was now public.

As we're seeing in the post-September 11th world, information is a two-edged sword that can both help and hurt people. Only human arrogance would assume that hurtful information must be kept from the general public. This is a rehash of the old argument that cDc's Back Orifice was a dangerous freeware hacker tool, but that a functionally identical commercial product from Microsoft, Symantec, or other vendors was acceptable for network administrators. It's not the source of the product or information, it's how it is used that makes the difference.

One only has to remember the I-LOVE-YOU fiasco from last year. Remember the NIPC warning on the subject? Its first message was absolutely incredible and totally irresponsible for an entity with its given mission. Four hours later, the message was updated with more useful information, but by that time the security forums and lists were already abuzz with people reporting the virus signature and propagation methods, publishing temporary fixes, and attempting to reverse-engineer the thing to investigate it. Under Microsoft's Framework, the preferred method of dealing with this is to keep folks in the dark and only issue the barest shred of useful information, if they choose to release it at all: something somewhere, at some time, is going to attack you. Beyond that, we can't tell you more because we either don't know or don't want to give anyone any ideas. Trust us, we will get back to you as soon as possible.

As I wrote earlier this year, community efforts to restrict the open discussion of vulnerability information are akin to fiddling while the electronic Rome burns. Many system administrators would rather know immediately of potential problems or exploits affecting their systems than be at risk for thirty-plus days while vendors decide if, when, or how to address the problem. Without ongoing, immediate public discussion free from corporate spin control, the Internet community is placed at serious risk by being deliberately kept in the dark. With operating systems, vendors know customers are at their mercy; a company is not going to run out and change operating systems and applications without prolonged management discussion. Thus, most folks can't simply address the problem themselves; they are dependent on the vendor to provide assistance.

According to a recent Register article, security researcher Marc Slemko published a finding demonstrating that millions of Microsoft Passport users were open to an attack that could have revealed extremely sensitive personal and financial data. In the spirit of community service and awareness, Slemko published the exploit to the Net. (Microsoft Passport is a centralized single sign-on service for network servers and websites, the center of its vaunted and still nebulous .NET strategy.) Microsoft immediately disabled the affected Passport wallet service until a workaround could be implemented. However, some critics argue that had MS handled it according to its new disclosure regime, all of those customers would have remained open to attack for up to a month - if not more - entirely unaware that their personal information was in serious danger. Yet this is the plan Microsoft is proposing in its Framework. Again, customer ignorance is Microsoft's strength.

The software monopoly also announced that, in light of several self-inflicted incidents of shoddy quality-assurance testing, it was reviewing how its software patch distribution program could be improved. It seems the company has a record of releasing patches that break systems when applied, thus causing more problems and headaches for administrators. We've seen numerous occasions where Microsoft released a 'patch to a patch to a patch' because things kept breaking with each new fix. The implication is that if you're really concerned about a vulnerability report, under the Microsoft Framework your options are to wait until the vendor blesses the report and offers remediation instructions, or to disconnect your network from the Internet, thus shutting your business down. Knowing that the results of applying many of Microsoft's patches are worse than the problems they're being released to fix in the first place, the poor system administrator truly is in a Catch-22 situation.

On the question of corporate responsibility, let's examine how Apple Computer recently handled a very embarrassing and potentially serious software problem, albeit not a security one. The company released a major new version of its popular MP3 player iTunes on a Saturday evening. When a major bug was found later that night (an installer script that could wipe other disk volumes), not only did the company immediately remove the installer from its website, it fixed the bug and made a revised application (properly labeled 2.0.1) available within 24 hours. More strikingly, Apple admitted responsibility for its developer's mistake in configuring the software installer and offered to reimburse victims the price of Norton disk restoration software or the cost of DriveSavers recovery service for anyone who lost data to the bug. All this occurred over a weekend, too. Would this ever happen to Windows users? Microsoft has never worked a security issue this quickly or accepted public responsibility for being anything other than a self-proclaimed 'great software company.' Any problems that occur with their software are the user's fault, and if users lose data, well, they should have made a backup first, even if they were simply installing a word processor.

Microsoft is by far the most notorious in its vulnerability announcements, legalese, and cover-their-tail security alerts. They never accepted responsibility or admitted they were a monopoly, despite the findings of a federal court, either. Instead, they introduce this new high-and-mighty, allegedly moral, definitely proprietary approach to security that's designed more to improve the company's public image and prepare its .NET marketplace than anything else, using recent world interest in anything security-related to imply the need for such initiatives, interest, and compliance. Releasing better products would go a long way in preventing the constant patch triage that Microsoft admins face on a weekly basis.

The problem is not the periodic misuse of vulnerability information in the public domain, but the delusional position of Microsoft that its products aren't to blame for these recurring, high-profile security incidents. Novices can write code to exploit Microsoft products because Microsoft makes it so easy for them to do so. If the software monopoly effectively addressed the underlying root causes of its software problems instead of merely treating each symptom as it was reported, today's novices would not have historical blueprints to learn from in building new attacks that exploit similar historical vulnerabilities in Microsoft's products. Code Red was not a "new" exploit but the latest in a series of buffer overflow problems that have affected IIS for years.

Full disclosure forums serve as a community resource and a much-needed check and balance against the profit-motivated interests of vendors who prefer that their customers blindly continue purchasing and supporting their line of products, blissfully unaware of the potential dangers they are susceptible to each time they boot up or log on. Absent this objective and freely available mechanism, the Internet community is at the mercy of the corporations to decide how, when, or if a given security problem will be addressed. The scientist who creates the cancer-fighting gene (a good thing) could also use that knowledge to develop tailored genetic weapons (a bad thing).... It's not about responsible disclosure, it's about vendor accountability, quality assurance, and this loony, misguided belief that security through obscurity works.

© 2001 InfoWarrior.org, all rights reserved. Richard Forno is Chief Technology Officer for a Dulles, Virginia firm providing information assurance support to the national security and intelligence communities.

Related Stories:
MS throttles research to conceal SW bugs
MS Passport cracked with Hotmail
MS to force IT-security censorship
Richard Forno, 14 Nov 2001

Insight shuts German ops

Insight Enterprises is shutting down in Germany. The IT mail order giant is to focus its European operations entirely around the UK, where it recently bought Action Computer Supplies.

Insight is to shut Germany by the end of the year, and the Tempe, Arizona reseller will take an unspecified charge in Q4 to account for closure costs. It set up in the country in December 1998, buying Computerprofis Computersysteme, a reseller with $50m turnover based near Frankfurt. Insight paid $6 million in cash and $2.4 million in stock. A profit-related performance commitment for five years was also agreed, but as the German op is historically lossmaking - Insight says - there is unlikely to be a nasty surprise here for shareholders.

Insight set up in the UK, also in 1998, through the acquisition of Choice, a fast-growing but financially stricken mail order reseller based in Nottinghamshire. Following the takeover of Action Computer Supplies for £27m cash in October this year, Insight claims that it is the UK's fifth biggest reseller and the country's biggest IT mail-order business. ®

Related Stories:
Insight completes Action takeover
Insight into German market
Drew Cullen, 14 Nov 2001

Hermit is dead

Hermit, our beloved forum moderator, has died. R. Don Martin lived in Oregon and was one of the first contributors to The Register forum - we liked his style, and Reg co-founder Mike Magee asked him to moderate. Which he did (and latterly with The Inquirer forum too) with grace and wit. Hermit was nearly 70 and suffered from emphysema. We shall miss him. ®
Drew Cullen, 14 Nov 2001

EU MS probe: hearings next month, verdict early 2002

European Commission hearings into Microsoft's conduct in Europe are to go ahead in late December, it was confirmed yesterday. Delphic as (almost) always, competition commissioner Mario Monti skated round the little matter of the DoJ's baseball bat turning into a daffodil, and said it was "too early to state to what extent the proposed US settlement satisfied all of the concerns in our statement of objections [i.e., the rap sheet]." Monti fanciers might read into that a near confirmation that the settlement is not going to satisfy all of Mario's concerns, and that more give will be required.

The statement of objections leaked to the WSJ last month, so we know that the Commission is accusing Microsoft of trying to use its Windows monopoly in order to dominate the server market, and of illegal bundling. The US settlement terms tackle (a most inappropriate word, under the circumstances) these issues via licensing of MS communications protocols and the introduction of a facility for users and OEMs to remove bundled/integrated software. That ability is unlikely to be available until well into the second half of 2002, so it won't have any great impact on the XP rollout, and it won't immediately satisfy the Commission's concerns, which are at least notionally over Windows 2000.

The status or non-status of a Commission investigation into XP remains murky. Microsoft actually asked the Commission for questions about the OS back in May; these were submitted and answers were given. The Commission has simply commented that it is not at present investigating XP - but there seems an inevitable logic to it wanting to do something about XP while it's dealing with the Microsoft matter.

Microsoft is due to hand in its homework, its response to the statement of objections, this week, and the hearings - just before Christmas - are the next stage. Then it gets interesting for Microsoft, if not quite as a spectator sport. The Commission will come to a decision after the new year, and that, essentially, will be that. No long procedural wrangles, no labyrinthine appeals processes: whatever the Commission decides will be the verdict and sentence, and Monti can take Microsoft out and shoot it if he likes. It's more probable, however, that more concessions will be required and that Microsoft will feel able to accept them. The trick then will be for us to figure out how effectively the European deal addresses the European concerns, and how many loopholes Microsoft has managed to retain. It is, in the words of the man himself, "too early to state." ®

Related stories:
All you ever wanted to know about the DoJ's Windows cave in
Will MS cut a deal with Europe over WinXP?
Leaked EU papers signal guilty verdict, vast fine for MS
John Lettice, 14 Nov 2001

Mac OS X 10.1 updated

Apple has posted Mac OS X 10.1.1 - the latest update to the Mac maker's Unix-based operating system, and the reason we all had to run the Software Update and Installer upgrade the other week. OS X 10.1.1 is downloaded via System Preferences' Software Update pane. Last week's Installer Update 1.0 must be installed first.

According to Apple, 10.1.1 "delivers improvements for many USB and FireWire devices, including support for additional digital cameras, and overall improvements to CD and DVD Burning. The update includes enhancements to AFP, SMB and WebDAV networking, updates to the Finder and Mail applications, as well as improved support for printing. In addition, hardware accelerated video mirroring has been enabled for the new PowerBook G4."

The download weighs in at 14.4MB. Apple has also posted AirPort 2.0 software, having launched the major update to its wireless networking system yesterday. ®

Related Stories:
Apple extends AirPort
To be or not to 802.11b
Proxim favours Mac OS X over 9
Tony Smith, 14 Nov 2001

Infineon, Toshiba merger on the rocks?

Infineon's interest in Taiwanese memory makers is a sign that its proposed merger with Toshiba's DRAM division may now never take place, a source close to the two companies' talks claims. Infineon and Toshiba had planned to have a draft merger agreement completed by the end of October, the source said, according to an EBN report, but that stage was never reached. Why? Because Infineon wants Toshiba's Flash memory operation too, but the Japanese giant is unwilling to hand it over.

Infineon's insistence on preserving its healthy cash position is also impeding discussions, chief executive Ulrich Schumacher told the FT yesterday. "The problem is getting a guarantee (from Toshiba) that whatever the market does in the next one and a half years will have no impact on my cash level." Without agreement on this, merger talks are unlikely to last beyond the end of the year, he said. The two groups have been in talks since the summer on folding their DRAM businesses into a joint venture in which Infineon would hold a large majority stake. DRAMs are commodity memory chips used mainly in personal computers.

Infineon's move to court a number of Taiwanese memory makers may be motivated by an acceptance that the Toshiba deal isn't going to happen. Then again, it could also be an attempt to put pressure on Toshiba to meet Infineon's demands. Infineon wins either way. If it gets Toshiba's Flash and DRAM operations, it's happy. Equally, if it doesn't but buys up a couple of Taiwanese players instead, it's still in a better position to capitalise on a recovery in the memory market - whenever that happens. ®

Related Infineon Stories:
Infineon loss widens on DRAM slump
Infineon wants a DRAM foursome

Related DRAM Recovery Stories:
DRAM bounces back (maybe)
DRAM prices rise

Related Link:
EBN: Toshiba/Infineon DRAM merger fading fast
Tony Smith, 14 Nov 2001

Intel launches ‘blade’ Pentium III

Intel unveiled its Ultra-low Voltage Pentium III server processor this week, as anticipated. The 700MHz chip, which we've reported on before, in the run-up to Comdex and in our Intel Server Roadmap, is a 0.13 micron Tualatin PIII, primarily aimed at the notebook market. But like Transmeta's portable-oriented Crusoes, the ULV PIII is equally applicable to very high-density servers, so Intel has decided to punt the chip in that direction too. Well, it can't have Transmeta nibbling away at its market share, can it? No, it can't, and hence yesterday's launch.

The chip contains 512KB of L2 cache, like other Tualatins, and operates at between 0.95V and 1.1V. ®

Related Stories:
Intel chooses Comdex to debut low-voltage server Tualatins
Intel's Server Roadmap
Tony Smith, 14 Nov 2001

Casio cans 17% of workers

Casio will slash 3,000 jobs worldwide, 17 per cent of its workforce, by March, due to slow sales and poor profits. This follows the 1,000 jobs culled in the six months to September.

Casio posted a group net loss of 4.21 billion yen ($34.51 million) for the first half on sales of 204 billion yen ($1.67 billion). It made a net profit of 2.8 billion yen ($22.95 million) a year earlier. The company expects a loss of 3.7 billion yen ($30.33 million) and sales of 404 billion yen ($3.31 billion) in the year to March 31, 2002. This is down from a net profit of 6.55 billion yen ($53.7 million) in 2000/01.

Revenue from word processors, audio and other consumer products fell 4.3 per cent to 64 billion yen in the first half. According to Gartner Dataquest, Casio grabbed 5.6 per cent of third-quarter global PDA shipments. Global shipments have fallen by just under ten per cent, from 2.81 million units in Q2 to 2.54 million. Casio's watch sales dropped 10.4 per cent in the first half. Digital cameras, mobile phones and office equipment helped boost overall electronics equipment sales 1.5 per cent to 156 billion yen. ®

Related Story:
PocketPC sales slide
Robert Blincoe, 14 Nov 2001

WinXP sales press releases fly off shelves

WinXP is flying off the shelves. Again, apparently. The US version of the Microsoft press release saying so went out last Friday, and yesterday the localised UK model turned up in the Reg email. Over here it is indeed flying off the shelves, but flying at the same velocity as it was in the US last Friday, rather than the increased one unveiled by Bill himself on Sunday. Figures from NPD Intelect suggest the numbers they first thought of may be closer to reality. XP did 300,000 retail copies in its first three days, compared with the 200,000 WinME did and the 400,000 Win98 did. It may still be possible that Bill's claims of it being the best selling software product ever and clocking up twice the previous best level for a Windows product are true; Bill was talking about the first two weeks rather than the first three days, but one has one's doubts. We note also that the flying off the shelves release grabs a quick snippet from NPD: "According to NPD INTELECT, total retail software sales have climbed more than 50 percent in the week following the launch of Windows XP." Indeedie-doody. But there's a little bit of context from the company that for some reason is not mentioned in the release: "'A huge promotional effort from Microsoft really drove sales of Windows XP in the first few days,' said Steve Koenig, software analyst for NPD INTELECT. 'At some retailers, you needed a wheelbarrow to carry away all the free hardware and software products being offered with a purchase of XP. Offers like these convinced several fence-sitters to go ahead and make the move to the new OS.'" Wheelbarrows obstructing the aisles may indeed explain why retailers are having trouble keeping shelves stocked with XP, thank you Steve. Back in the UK localised copy we have Colin Middlemiss of Time Computers admitting a "significant rise" in sales, and that the company has "seen almost 30% of sales coming from replacement buyers who see Windows XP as a must have upgrade." 
How he can tell this about 30 per cent of buyers Colin doesn't say, but as Time's current UK ad campaign is pushing XP like crazy, and the Time site offers XP preloads on all but four entry level desktops, a high XP component in current sales levels would seem eminently explicable. Lastly, we note with some dismay a familiar name down at the bottom of the rentaquote section. Chap called Rob Wait, who seems to be worldwide business manager for HP's Consumer Business Organization. "HP PCs plus Windows XP mean an energised market with higher initial sales than expected, decreased customer support calls, and an improved PC experience overall for customers," says Rob. We knew a Rob Wait once. He worked for Zenith, moved to Paris around the time of the Zenith warehouse fire there that the insurers got so suspicious about (we assure you Rob was nowhere near the warehouse at the time), then he switched over to HP. At HP they moved him away from press-facing work, so from our point of view he vanished without trace. But a quick Google of Rob Wait reveals he's been leaving traces in one particular place we seldom look at. On and on, the Microsoft press releases quoting him as being enthusiastic about this, that and the next thing roll. As we almost always fall asleep before we get to the rentaquote section, we'd no way of knowing this until now. And it's worse than that. Remember when WinXP RTMed? Six ringwraiths from the PC industry were given special golden disks, prestigious luggage and despatched by helicopter to their respective factories? Yes, that's right. As quoted by Reuters at the time Rob Wait said: "We are extremely excited today to be picking up this suitcase, because with this case and this gold disk, we are reclaiming the PC industry mojo." Yup, our old drinking buddy's a ringwraith. ® Related stories: Huge Windows XP sales save the world
John Lettice, 14 Nov 2001

Excite to exit UK unless buyer found

Excite UK is on the verge of becoming part of dotcom history if a buyer can't be found in the next month. Forty-eight staff could be staring at a bleak New Year following the decision by BTopenworld and Excite@Home to pull out of the joint venture and find a buyer for the portal. Both partners have been looking for someone to take on the standalone portal business for the last month or so, but have met with little joy. Excite UK's employees have been told that if no buyer is found then the business will close at the end of the year. The move to sell up follows BTopenworld's decision to focus its activities on providing Internet access under a single brand, and Excite@Home's decision to focus on broadband products and services as it goes through Chapter 11 proceedings, both companies said in a statement. Rebecca Miskin, MD of Excite UK, said: "As one of The UK's early media portals, Excite UK has built an impressive, personalised portal service supported by a dedicated team of employees. "It is unfortunate that the global downturn in media advertising has negatively affected Excite UK's financial performance. "Based on this and the short time period in which to identify a buyer, I have to acknowledge the possibility of closure of Excite UK," she said. In June, The Register reported that Excite would pull out of the UK by the end of the year. Insiders said that Excite had wanted to pull out in the summer when it culled its operations in France, Germany and Spain, but had been prevented from doing so due to contractual obligations. ® Last Friday Internet infrastructure services outfit, InfoSpace Inc agreed to buy certain media assets of Excite@Home in the US for 10 million. The deal is subject to approval of the bankruptcy court. ®
Tim Richardson, 14 Nov 2001

Future is bright for UK IT staff

Demand for UK IT staff will grow 12 per cent over the next two years, according to a National Computing Centre (NCC) survey. Demand for development and support staff will be even greater - with 15 per cent growth over the same period. To be precise, this "demand" is actually an estimate of the future requirements of 490 organisations polled by the NCC. And figures are down slightly on last year - when growth forecasts were pegged at 13 per cent of IT staff in general, and 17 per cent for development and support staff in particular. The use of contractors is continuing to fall from its peak immediately prior to the start of the new millennium. The overall ratio of contractor staff in-post fell this year from 16 per cent to nine per cent - around the same level as contractor activity in the early 1990s. At the same time the "perceived shortage" of IT development and support staff fell from 8.3 per cent of staff in-post last year to 6.3 per cent this year. According to the NCC, this "goes hand in hand with the dip in demand and signals that the specific skills shortage is being tackled". Nevertheless, considering the current state of play of the UK economy, the figures should be encouraging for anyone who works in IT. So what are the hot skills? Top of the employers' wishlist are those for Internet or intranet applications and e-commerce. Specific Internet and intranet technologies, notably Java and XML, were cited by a large number of respondents. Significant numbers of respondents are looking for skills in Windows 2000. The findings form part of the NCC's twentieth national survey of UK IT salaries and issues. ®
Drew Cullen, 14 Nov 2001

EU wages war on cookie monster

The European Parliament has accepted a proposal that would make it unlawful to place cookies on a user's PC without their permission. MEPs yesterday voted in favour of the cookie-crumbling amendment to a draft directive about the processing of personal data and privacy on the Net. The move is likely to prove controversial because many firms rely on cookies to determine the operation of their sites, track the behaviour of users and make sites easier to use. The Interactive Advertising Bureau, which represents UK Internet marketers, has vowed to lobby MEPs to get the proposal dropped before the directive comes back to the European Parliament for its second reading. The directive also deals with the vexed question of how to control unsolicited commercial email, better known as spam. After months of debate, MEPs have voted in favour (299 to 219 votes) of the "national choice" amendment which gives member states the right to choose between opt-out or opt-in for email marketing messages. An opt-in regime (where a sender has to first get permission from a recipient to send messages) has been proposed for SMS messages, with opt-out applying only if the customer is already a client of the company which sends them. Anti-spam campaigners wanted a firm directive insisting on opt-in whereas internet marketers tend to favour an opt-out regime, so neither is likely to be pleased with the compromise. ® External links Second report on the proposal for a European Parliament and Council directive concerning the processing of personal data and the protection of privacy in the electronic communications sector Related stories Is this the end for Web bugs and dodgy cookies? EU says 'oui' to spam UK govt wants to decide own spam policy Junk mail costs lives
John Leyden, 14 Nov 2001

How WinXP can make non-MS files invisible

Updated again: Windows XP's search system includes a bizarre feature that appears to exclude files with non-Microsoft file extensions, under some conditions. It is however so odd that it's surely got to be a bug, rather than monkey business. But you could go as far as saying it's one of those MS things that inconvenience other companies if they don't do things the new way we're doing them in Redmond. But in this case, it's largely just a minor inconvenience, albeit one that can easily baffle users, and did this one. Here's how you can verify it. Go to an XP directory where you know you've got files with both Microsoft and non-Microsoft extensions. Search for *.doc, or another Microsoft extension of your choice, and it will show up. Search for a non-Microsoft extension in the same way, and it'll show up too. Obviously. Now, search by the extension and also for a string that you know is going to be in the file. For documents, "the" or "and" would be a pretty good bet, for C++ files (*.cpp) you're inevitably going to get a "for". You still find the file with the Microsoft extension, but magically, it can't find the one with the non-Microsoft extension. Thanks to the reader who pointed us at this one. He checked with *.java and *.wpd, and we've just checked it with *.ddf (Musicmatch) and *.js (Javascript). But does it apply to every non-MS extension, and if so, why? Later We've a lot of mail coming in about this one. Changing associations and extensions seems not to change the result. Changing a .txt file to a .cpp while maintaining the Notepad association doesn't make it findable. Associating a .isu file with Notepad does not make it findable, and changing its extension to .txt still does not make it findable. And it doesn't seem to be anything to do with the capabilities of the indexing service, because that is switched off on the machine we're trying it on. Or is it? 
In Windows 2000 the search defaulted to treating everything as .txt, so it'd crunch through everything it didn't understand. WinXP (our thanks to Alex Feinman and the reader who pointed us at his explanation) doesn't default to .txt, and ignores everything it doesn't have a filter for. This, clearly, is nothing to do with whether you've got the index service switched on or off, because on the machine we're using here the service has never been switched on in the first place. So that thought was a red herring, and with hindsight a dumb thing to think in the first place. XP has its own batch of Microsoft filters that install with the software, and Office XP comes with a few more. If search finds a file extension it doesn't have a filter for, then it skips the file. Developers who need the search system to be able to search inside their files therefore now have to produce filters for them, or to register them with one of the Microsoft filters. This doesn't, as far as we can see, explain how you can change the extension of a file with no filter for it to .txt, change its association to Notepad for good measure, and still not be able to find it. So there's surely something more in there, but it does seem to be related to filters. Ah, but we seem to be there now. Thanks to Ami for telling us: "The filters are probably invoked based on file-association, but ignore files that either don't have the correct extension or don't match the format (most file formats have a 'magic' number at the beginning that confirms the format is what the user says it is)." Gotcha, we think. Why did Microsoft make the switch? Skipping huge MP3s that don't need to be searched in would speed things up considerably, and if you were using the index system, keep the index size down. Alex Feinman has a fuller explanation here, plus a routine that will change the behaviour if you want to do so. ®
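To make the filter explanation concrete, here is a toy model of the mechanism described above. It is added by the editor for illustration and is not Microsoft's code or Feinman's: a search dispatches to a filter by extension, a filter may refuse content whose leading bytes don't match its format (Ami's "magic number" point), and whatever no filter accepts is either crunched as plain text (the Windows 2000 policy) or skipped (the XP policy). The filter table, the OLE2 header constant and the sample files are constructed for the example.

```python
"""Toy model of an extension-dispatched content search with two fallback
policies. Added illustration; the filter registry and sample files are
constructed, not taken from Windows."""
from dataclasses import dataclass
from fnmatch import fnmatch
from typing import Dict, List, Optional

# Leading bytes of a legacy (OLE2 compound document) .doc file.
OLE2_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"


@dataclass(frozen=True)
class Filter:
    name: str
    magic: Optional[bytes]  # None: the format has no fixed signature (plain text)

    def accepts(self, head: bytes) -> bool:
        """Invoked by extension, but refuses content it cannot recognise."""
        return self.magic is None or head.startswith(self.magic)


# Hypothetical filter registry standing in for the installed filters.
FILTERS: Dict[str, Filter] = {
    ".doc": Filter("office-doc", OLE2_MAGIC),
    ".txt": Filter("plain-text", None),
    ".htm": Filter("html", None),
}


def searchable_text(name: str, data: bytes, policy: str) -> Optional[str]:
    """Return the text a search would scan, or None if the file is skipped.

    policy "w2k": anything without a usable filter is treated as plain text.
    policy "xp":  anything without a usable filter is skipped entirely.
    """
    ext = name[name.rfind("."):].lower() if "." in name else ""
    filt = FILTERS.get(ext)
    if filt is not None and filt.accepts(data[:16]):
        # A real filter parses the format; the toy just strips a known header.
        body = data[len(filt.magic):] if filt.magic else data
        return body.decode("latin-1")
    if policy == "w2k":
        return data.decode("latin-1")
    if policy == "xp":
        return None
    raise ValueError(f"unknown policy {policy!r}")


def search(files: Dict[str, bytes], pattern: str, needle: str, policy: str) -> List[str]:
    """Names matching the extension pattern whose scanned text contains needle."""
    hits = []
    for name, data in files.items():
        if not fnmatch(name.lower(), pattern.lower()):
            continue
        text = searchable_text(name, data, policy)
        if text is not None and needle.lower() in text.lower():
            hits.append(name)
    return sorted(hits)


# Constructed sample directory.
SAMPLE_FILES: Dict[str, bytes] = {
    "report.doc": OLE2_MAGIC + b"the quarterly figures for the board",
    "main.cpp": b"for (int i = 0; i < n; ++i) { total += v[i]; }",
    "notes.txt": b"the meeting notes and the action list",
    # A text file merely renamed to .doc: the .doc filter rejects it by header.
    "fake.doc": b"the plain text behind a borrowed extension",
}

if __name__ == "__main__":
    for policy in ("w2k", "xp"):
        print(policy, "*.doc/the:", search(SAMPLE_FILES, "*.doc", "the", policy))
        print(policy, "*.cpp/for:", search(SAMPLE_FILES, "*.cpp", "for", policy))
```

Under the "xp" policy the .cpp file and the renamed .doc vanish from content searches while the genuine .doc and the .txt are still found; under "w2k" all of them are. The renamed file is the interesting case: the extension picks a filter, the filter rejects the bytes, and the fallback policy decides whether the file is then searched as text or silently dropped.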
John Lettice, 14 Nov 2001

Do-it-yourself Internet anonymity

Along with the recent government hysteria over terrorists, we've seen legislative measures and 'emergency powers' inviting law-enforcement agencies worldwide to conduct Internet surveillance on an unprecedented scale. But because the state-of-the-art of electronic dragnets makes it difficult if not impossible to exclude the comings and goings of innocent citizens, we thought this a good time to run down the basic techniques for ordinary, law-abiding folk to come and go anonymously on the Net, and keep their private business private. How do you make a truly anonymous post to a newsgroup or a BBS? How do you keep the Web sites you visit a secret? How do you send e-mail and ensure that its contents can't be read by someone who intercepts it? How do you chat anonymously? We'll invoke our foil, Windows addict Harry Homeowner, and lay it out in terms the average user can profit from, though with hopes that even you power users might learn a thing or two in the process. Proxies These are your first line of defense, so let's start with them. Proxies provide a useful layer of mediation between your machine and the Internet. There are several types, but Web proxies and Socks proxies are the two most relevant to our purposes. Grossly oversimplified, a proxy is a remote machine which you connect through to the Net, which forwards your IP traffic, and which you then appear to be originating from. When you contact a Web site via an anonymous proxy, it's the proxy's IP which shows in their logs. You can use either Web or Socks proxies with your browser, and Socks proxies with other Net clients to obscure your IP from prying eyes. But you do have to choose them with care. Socks proxies are the best, general-purpose proxies. This is so because Socks are non-caching, which means, for example, that there won't be a record of the Web pages you fetched while connecting through one, except on your own machine -- and this you can fix rather easily (more on that in 'Browser Settings'). 
It also means they're slow, but if you want anonymity, you shouldn't quibble. But older versions of Internet Explorer and Netscape don't support Socks. What to do? You can upgrade, but I prefer an older browser with fewer 'features', which I equate with fewer security leaks (though these should be patched regularly, of course). Rather than upgrade, you can download an application called SocksCap, and use it to 'socksify' any IP client you use. It will work with browsers, e-mail clients, telnet, SSH, chat clients, even your l4me e-mail bomber. Test it; socksify your e-mail client and send a message from one of your accounts to another. Check the header. Is the originating IP your proxy? If so, your e-mail now appears to originate from the proxy's IP. This can be extremely useful, as we'll see below. Useful but not foolproof. Of course the proxy machine's admin can easily learn that you connected to it after perusing his logs, so a proxy doesn't actually conceal you; it just adds a layer between you and whatever you're contacting on the Net. This layer can be thick or thin, depending on where the proxy machine is physically located. If your proxy is located in a country unlikely to cooperate with requests for their logs from foreign officials, or a country where your mother tongue is rarely spoken, it can be, in practical terms if not theoretical terms, quite an effective layer of protection. It's easy to determine a proxy's country of origin with the $20.00 Patrick Project DNS utility, which will resolve IPs to addresses and vice versa, and a good deal more to boot. You cheapskates out there can go to SamSpade.org and do it all for free. Now you know how to determine your proxy's location. The more exotic the better: Korea is better than Japan; Thailand is better than Korea; Indonesia is better than Thailand; Papua New Guinea is pure gold. Kenya is better than Morocco; Ghana is better than Kenya; Guinea is better than Ghana; Burkina Faso is pure gold. 
You get the picture. Now you need to test the proxy for anonymity. Some of them can leak appalling amounts of information, like your true IP, for example. There are several environmental variables checkers on line which will tell you just what information your proxy is leaking to the world, and a nice links page to a heap of them is located at Proxys4all.com. And what do env checkers tell you? The chief variables you need to know about are:

REMOTE_ADDR: Your apparent IP, which should be the proxy. If not, use another proxy.
REMOTE_HOST: Your apparent address, which should resolve to the proxy IP, or better yet not be resolvable at all. If it resolves to you, use another proxy.
HTTP_X_FORWARDED_FOR: Sometimes your true IP is revealed -- get another proxy.
HTTP_USER_AGENT: Your browser type -- unimportant.
FORWARDED: Reveals the fact that you're using a proxy; not fatal, but better if blank.
VIA: Reveals the fact that you're using a proxy; not fatal, but better if blank.
CLIENT_IP: Sometimes your IP is revealed -- use another proxy.
HTTP_FROM: Sometimes your IP is revealed -- use another proxy.

You can use a free application called ProxyHunter to scan ranges of IPs and find your own proxies. These you can evaluate, determining location and anonymity according to the guidelines above. A scan such as this is non-invasive and non-destructive, but it's still possible one may get a nastygram from one's ISP for performing them. Socks proxies usually listen on port 1080, so you'll want to use that in most searches with ProxyHunter. HTTP proxies on ports 80, 3128 and 8080 are useful, and can be loaded directly into your browser, but they're not quite as secure. You can load a good Socks in your chat clients like IRC and ICQ; and with SocksCap you can run your telnet and e-mail clients and browser through one as well. 
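The checklist above is mechanical enough to script. What follows is an editor's illustration, not code from any checker site: it takes the variables as an env checker echoes them, applies exactly the rules listed (your real address in REMOTE_ADDR, in a REMOTE_HOST that resolves back to you, or in any of the forwarding headers is fatal; FORWARDED and VIA merely disclose that a proxy is in use), and grades the proxy. The addresses, host names, reverse-DNS table and sample readouts are constructed so the example runs offline.

```python
"""Grade an env-checker readout against the proxy leak checklist.
Added illustration; the sample readouts and the stub reverse-DNS table are
constructed, not captured from a real checker."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Stand-in for reverse-DNS lookups so the example needs no network (constructed).
REVERSE_DNS: Dict[str, str] = {
    "dsl-203-0-113-7.example.net": "203.0.113.7",
    "proxy.example.org": "198.51.100.9",
}


@dataclass
class Verdict:
    fatal: List[str] = field(default_factory=list)     # your own IP is exposed
    warnings: List[str] = field(default_factory=list)  # proxy use is disclosed

    @property
    def grade(self) -> str:
        if self.fatal:
            return "leaking"
        return "anonymous" if self.warnings else "elite"


def _mentions(value: Optional[str], ip: str) -> bool:
    # Forwarding headers may carry a comma-separated chain; match whole tokens.
    return value is not None and ip in [t.strip() for t in value.split(",")]


def check_proxy(env: Dict[str, str], my_ip: str, proxy_ip: str,
                resolver: Dict[str, str] = REVERSE_DNS) -> Verdict:
    v = Verdict()
    addr = env.get("REMOTE_ADDR")
    if addr != proxy_ip:
        v.fatal.append(f"REMOTE_ADDR is {addr!r}, expected the proxy {proxy_ip}")
    host = env.get("REMOTE_HOST")
    if host and resolver.get(host) == my_ip:
        v.fatal.append(f"REMOTE_HOST {host!r} resolves back to you")
    for h in ("HTTP_X_FORWARDED_FOR", "CLIENT_IP", "HTTP_FROM"):
        if _mentions(env.get(h), my_ip):
            v.fatal.append(f"{h} carries your real address")
    for h in ("FORWARDED", "VIA"):
        if env.get(h):
            v.warnings.append(f"{h} is set: the server can tell a proxy is in use")
    # HTTP_USER_AGENT is deliberately ignored; it says nothing about origin.
    return v


# Constructed readouts, as an env-checker page might echo them.
ME, PROXY = "203.0.113.7", "198.51.100.9"
READOUTS = {
    "transparent": {
        "REMOTE_ADDR": PROXY,
        "HTTP_X_FORWARDED_FOR": f"{ME}, {PROXY}",   # classic transparent proxy
        "VIA": "1.1 proxy.example.org",
        "HTTP_USER_AGENT": "Mozilla/4.0",
    },
    "anonymous": {
        "REMOTE_ADDR": PROXY,
        "REMOTE_HOST": "proxy.example.org",
        "VIA": "1.1 proxy.example.org",
    },
    "elite": {
        "REMOTE_ADDR": PROXY,
        "HTTP_USER_AGENT": "Mozilla/4.0",
    },
    "broken": {
        "REMOTE_ADDR": ME,
        "REMOTE_HOST": "dsl-203-0-113-7.example.net",
    },
}

if __name__ == "__main__":
    for label, env in READOUTS.items():
        v = check_proxy(env, ME, PROXY)
        print(f"{label:12} -> {v.grade:10} {v.fatal + v.warnings}")
```

The "transparent" readout is the one that fools people: REMOTE_ADDR is the proxy, so a quick glance says "anonymous", but HTTP_X_FORWARDED_FOR hands the server your real address anyway. Matching whole tokens in the comma-separated chain rather than substrings avoids a false alarm when your address happens to be a prefix of another one in the chain.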
For even more anonymous surfing, you can give yourself an added measure of security by connecting to a Web proxy like Anonymizer through a Socks (or even a decent HTTP proxy). Feel free to e-mail me if you can't figure all this stuff out -- but please, I beg you, give it a fair go on your own first. I'm a humble news reporter, not a help desk. When you find a Socks proxy with ProxyHunter, or by perusing the many public Web sites where they're listed, and you get satisfactory results from the env check, and your proxy is located on some God-forsaken corner of the Earth, then you've acquired a decent layer of protection. Congratulations. But that's far from the whole shebang. Anonymous dialups Whenever you dial in to an Internet connection, your ISP can determine your phone number with caller ID. This information is recorded, and can be turned over to nosy Feds on request with an administrative subpoena, which doesn't require a judge's approval. If you've got a regular ISP account billed to a credit card, your ISP knows perfectly well who and where you are, so concealing your phone number from them is hardly an obstacle to associating you with your Net activity. In much of Europe, the telco is the ISP, so the possibility of making anonymous dial-ups is remote. In that case, all I can suggest is trying to find a data-capable pay-as-you-go mobile phone, and of course paying cash for it. If you're asked your name, lie. If you're asked for ID, leave. However, there are free ISPs like NetZero on which you can register with totally fictitious personal information, and to which you can connect with caller ID disabled. This isn't a solution in itself, but combined with the judicious use of good proxies, it can add a second layer of anonymity to your comings and goings. It can make you a bit more difficult to identify. 
These ISPs don't allow you much free surfing time -- usually something like ten hours a month; and they feed adverts to you and they're slow (made slower still by proxy use); but they can be a superb means of connecting when you need to be even more anonymous than usual, such as when you make a controversial post to a newsgroup or BBS, or send a sensitive e-mail. Get your ducks in a row: first, go to an Internet cafe or a library. If they require identification, go elsewhere. When you find a public place where you can surf anonymously, set up an account with NetZero using fictitious personal information. Even better, go through a Web proxy while you're at it. Record your login, password, and a dialup number convenient for your home location. Now go home, and disable caller ID (contact your phone company for instructions), and dial in to your new fictitious account. And always dial in with caller ID disabled. Finally, use an anonymous Socks proxy with your e-mail client for newsgroups, and a Socks along with a Web proxy for BBS posts. Theoretically, you can still be traced because the phone company knows what you're up to; but unless you're under active surveillance by the Feds, you can safely gamble that no one from NetZero is ever going to peg you. You're getting very close to effective anonymity, and you still haven't gone beyond what our friend Harry Homeowner can handle. There are other things you can do with this caller-ID-off+Netzero+Socks+Web-proxy setup. You can, for example, open a Web-based e-mail account with fictitious personal information and send and receive anonymously, so long as you set up your NetZero account properly, and always connect to it with caller ID disabled, always use a Socks with your browser, and/or always use a Web proxy. You've got ten hours a month. Spend them wisely, and you can surf almost anywhere or post almost anything on line with no repercussions. 
But what if your e-mail is intercepted by something hideous like the FBI's packet sniffer Carnivore? Unless you stupidly identify yourself in your mail, you're almost certain not to be identified -- but you still may not want the contents read by anyone but the intended recipient. You don't have to be a criminal to desire privacy, much as the Feds like to pretend otherwise. Crypto Now this is funny. If you use a nice, free crypto program like PGP, you can easily encrypt your e-mail. Just follow the instructions -- there's really nothing to it. The problem here is that the Feds, if they happen to be watching, can gather that you sent an encrypted message to Recipient X, a fact which you may not wish them to know. If you follow the scheme above, you can send a message anonymously via a Web-based account. But unless I'm missing something, you can't use PGP to encrypt Web-based e-mail messages. So how do you have your cake and eat it too? It's quite simple: you create an encrypted text file and attach it to your Web-based anonymous e-mail, or copy it into the message body. Now all the Feds can determine is that Recipient X got an e-mail message with an encrypted body or an attachment from Monica_Lewinski666@hotmail.com or whatever. Easy peasy, even for our Harry. Browser settings Proxy or not, your browser can leak ghastly amounts of information about you. Fortunately, tightening it up is easy when you know what to do. Since our Harry almost certainly uses MS Internet Explorer, we'll deal with that, though Netscape users should find this information easy to apply to their own setups. Get into Tools/Internet Options. Set 'days to keep pages in history' to zero. Go to Tools/Internet Options/Security. 
Go to 'Custom Level' and disable 'Download unsigned ActiveX Controls' and 'Initialize and script ActiveX Controls not marked safe for scripting'; set 'Java permissions' to 'High Safety'; disable 'Meta Refresh'; disable 'Launching programs and files in an IFRAME'; set 'Software Channel permissions' to 'High Safety', disable 'Userdata persistence'; disable 'Active scripting', 'Allow paste operations via script', and 'scripting of Java applets'. Accept session cookies but not stored cookies. Never use in-line auto-complete, and never allow Windows to save any of your passwords. Now go to Tools/Internet Options/Advanced and clear 'Enable Profile Assistant', select 'Do not save encrypted pages to disk', clear 'Enable page hit counting', and select 'Empty Temporary Internet Files folder when browser is closed'. That should about do it. While you're about it, pop over to Control Panel/Network and ensure that File and Printer sharing are disabled. Spyware While you're on the job, never do anything with your company's computer that you wouldn't want your Grandmother to know about. Spyware is ubiquitous in the work place. Don't even mess with a company-issued laptop, which may well contain 'remote administration' features which will enable a company admin to connect to it. If you want to be anonymous, use your own equipment. If you're using anyone else's hardware, assume that anonymity is impossible. You can get a fab program for detecting Trojans called The Cleaner for $30.00 from Moosoft. A number of Trojans fail to be detected by the fine products of the popular anti-virus companies, in spite of their powerful suggestions to the contrary. Moosoft picks up most of them. Most software firewalls are notoriously bad at stopping, or even notifying you, when a malicious program sends data out from your machine. An application like The Cleaner can go a long way towards assuring you that no such contaminant exists on your box. 
PC Hygiene There's a crucial difference between deleting a file and wiping it. A deletion leaves a file's entire contents on your disk, until the space it occupied happens to be overwritten by a subsequent file. In the mean time, the data can be recovered with forensic techniques. A proper wipe, on the other hand, overwrites that space immediately so the file's contents can't be recovered. Utilities capable of this include BCWipe, Norton Wipeinfo, Evidence Eraser, and PGP. The only certain way to keep your machine free of incriminating files and alien malware is to wipe your HDD periodically and clean-install your OS from original media while preserving those files and progies you can't do without. If you're serious about anonymity and file preservation, then you'll cough up the $200.00 or so needed to maintain two HDDs, because nothing beats a spare, non-removable magnetic storage device; and nothing beats a true file wipe, which is the only insurance against forensic probing. This is how I do it -- and I do it frequently: I have two HDDs in my Windows box. When I get ready to wipe my primary, I've already done an fdisk and format /u and a thorough 'government wipe' on the secondary using Norton Wipeinfo. I simply copy all the files and progies I wish to preserve onto that thoroughly-wiped secondary disk. I then switch the primary and secondary, and install Windows from original media onto the wiped disk, from which I'll boot. I install Norton Utilities, naturally. I then fdisk and format /u the former primary and do a thorough 'government wipe' using Norton Wipeinfo. Thus it's ready, and spotless, whenever I need it. I tend to do this every two or three months, depending on what I've been up to. As soon as I get a sense that my current primary contains material I'd rather not preserve for posterity, I repeat the process. With two HDDs, it all takes about forty-five minutes. With this method you wipe not only your files, but your registry and swap file too. 
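The delete-versus-wipe distinction above comes down to whether the bytes are overwritten before the directory entry goes. Here is an editor's illustration of an overwrite-then-delete, not the code of BCWipe, Wipeinfo or any other utility named here: it rewrites every byte of the file in place (random data, then zeros), forces the writes to disk, and only then truncates and unlinks. The demo creates a throwaway file, wipes it without unlinking, and reports what a reader of the same path now sees. The caveat in the docstring is the editor's, not the article's.

```python
"""Overwrite-then-delete, as opposed to a plain delete. Added illustration."""
import os
import tempfile
from typing import Dict


def wipe_file(path: str, passes: int = 3, truncate: bool = True,
              remove: bool = True) -> int:
    """Overwrite every byte of the file in place, flush to disk, then
    optionally truncate and unlink it. Returns the number of bytes overwritten.

    Caveat (editor's, not from the article): in-place overwriting only erases
    the old contents on file systems that rewrite blocks in place, as FAT did
    on the magnetic disks of the period. Journaling, copy-on-write and SSD
    wear levelling can leave the old blocks elsewhere on the device.
    """
    size = os.path.getsize(path)
    chunk = 64 * 1024
    with open(path, "r+b") as fh:
        for i in range(passes):
            fh.seek(0)
            remaining = size
            while remaining > 0:
                n = min(chunk, remaining)
                # Alternate random data and zeros; the last pass is zeros
                # when `passes` is even, which is what the demo relies on.
                fh.write(os.urandom(n) if i % 2 == 0 else bytes(n))
                remaining -= n
            fh.flush()
            os.fsync(fh.fileno())
        if truncate:
            fh.truncate(0)
            fh.flush()
            os.fsync(fh.fileno())
    if remove:
        os.remove(path)
    return size


def demo_wipe(size: int = 100_000) -> Dict[str, object]:
    """Write recognisable content, wipe in place, and inspect what remains."""
    original = (b"SECRET-" * (size // 7 + 1))[:size]
    fd, path = tempfile.mkstemp(suffix=".txt")
    with os.fdopen(fd, "wb") as fh:
        fh.write(original)
    try:
        overwritten = wipe_file(path, passes=2, truncate=False, remove=False)
        with open(path, "rb") as fh:
            after = fh.read()
    finally:
        os.remove(path)
    return {
        "overwritten": overwritten,
        "bytes_left": len(after),
        "secret_survives": b"SECRET" in after,
        "all_zero": after == bytes(len(after)),
    }


if __name__ == "__main__":
    print(demo_wipe())
```

A plain `os.remove` would skip straight to the last step and leave the SECRET bytes sitting in the freed blocks; the overwrite passes are the whole difference. Keeping the file open for the overwrite and calling `fsync` matters: without it the operating system may still be holding the new contents in cache when the entry is removed.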
Forensics, as it's normally practiced, becomes futile. If this seems too extreme, a utility called the Evidence Eliminator Eliminator (E3) by Radsoft (not to be confused with Robin Hood Software's lame 'Evidence Eliminator') will wipe a good many of your messes and excesses for a cool $80.00. It's considerably cheaper than a spare HDD, and pretty thorough. It doesn't merely delete files, it wipes them properly. To add to its effectiveness, you can use a proper file wipe utility like BCWipe or Norton Wipeinfo to eliminate your swap file, where a good deal of what you've been up to is stored. On Windows 95, 98 and ME the file is in your C:\ directory and is named Win386.swp; on the NT line (NT, 2000 and XP) it is C:\pagefile.sys, which Windows keeps open while it is running, so it can only be wiped from outside the running system. One final item; whenever you clean-install your OS and apps, always use an alias for yourself and your machine. MS Word, for example, includes user info in your documents. So make sure this info is not specific to you. And never send any MS Office document to any destination when you're concerned about privacy. Just copy the contents into a text editor like Notepad and send the .txt file, or copy and paste it into the body of an e-mail. Follow these basic guidelines, and you'll be quite safe, though not perfectly safe. It's a bit like copulation -- there are quite effective birth control methods, but the only way to be absolutely certain you won't ever get pregnant is not to do the deed. But that's no fun. And neither is never using a computer. So practice safe computing and stop fretting. As with the pill, the odds are immensely in your favor. So smile, relax, and enjoy. ® Personal note In an 18 October article entitled SafeWeb ain't all that I'd promised to post this follow-up in a week's time. Unfortunately a family emergency intervened, and subsequent news demanded my attention. My apologies to those who've been waiting. -- tcg
Thomas C Greene, 14 Nov 2001

Quantum wages ad war on Imation

Quantum, rendered impotent by the courts to stop Imation from selling its third party DLTtape media, is now trying advertising to persuade the public to not buy its rival's products. Quantum launched a marketing campaign yesterday which "encourages end-users to look for the DLTtape logo when buying DLTtape media to ensure compatibility, performance and interchangeability." Last month, Imation secured the right to sell its Black Watch cartridges for use with DLTtape drives. The Black Watch cartridges are not certified by Quantum, and so cannot bear a DLTtape logo - the highlight of Quantum's marketing campaign. Imation is undaunted, and in its press release makes much mention of how the media is 'Imation certified' - if you want something doing properly, do it yourself. The moves are part of a tit for tat spat between the two companies. Earlier, Imation slapped a lawsuit on Quantum for violations of the Sherman Antitrust Act. In turn, Quantum sought a court order to stop Imation from selling its unqualified tape media for use in DLTtape drives, which was denied, although Imation is obliged to pay royalties on the media to Quantum, the brand owner. Quantum's ad campaign, "When failure is not an option", presents an SDLTtape cartridge as the hero in various situations where product reliability, etc., are crucial. ® Related Links Quantum's Ad Campaign Press Release Imation's Black Watch Product Brochure Imation's Black Watch Press Release Related Story Quantum 1: Imation 1 Quantum counter-sues Imation Imation sues Quantum for Antitrust
James Watson, 14 Nov 2001

Wayback Machine restores Ye Olde Web

And a big fat welcome to the Wayback Machine, a collection of ten billion Web pages frozen in time, which opened its doors a couple of weeks ago to the public. The Wayback Machine has collected Web pages since 1996. Unfortunately some contain libels and sensitive material since removed by their owners, New Scientist reports. In the UK, there is currently an important test case in the Court of Appeal between The Times and Russian businessman Grigori Loutchansky over retroactive deletion of (libellous) archive material. Forcing website archives to delete material would be "to airbrush history in a manner worthy of Stalin's Soviet Union", The Times argues. We'll let News International and the Wayback Machine's operators worry about the libel implications. In the meantime, check out the early design efforts of your favourite companies, from when the Web was an altogether kinder, gentler, less flashy place. And to get you started here are three from our neck of the woods: CNET ZDNET The Register If you have any trouble getting in be patient, the Wayback Machine advises. "Warning: Service intermittent. We apologize for not anticipating the usage this service is receiving. We are working on adding servers, but this process will take weeks. Again, we apologize." ®
Drew Cullen, 14 Nov 2001

Casio to ship Linux, Transmeta laptop

Casio is to ship its Linux-based, Transmeta-powered Cassiopeia Fiva sub-notebook on 21 November. The Fiva MPC-216XL contains a 600MHz Crusoe TM5600 processor. Its operating system comes from Transmeta too - it's Midori Linux, the OS distribution the chip maker began developing early on (under the name Mobile Linux) and released to the open source world as Midori in March this year. Alas, Casio is concerned that there isn't sufficient demand for a Linux-based sub-notebook in Japan, so it's bundling Windows XP Home Edition too. Interestingly, though, users select which operating system they want to boot into by toggling a physical "Change Over" switch in the Fiva's body. Flip it to A Mode and you get XP; set it to B Mode and you get Linux. The Fiva MPC-216XL will be priced at ¥140,000 ($1159). The A5-sized machine is just under an inch thick and weighs just under a kilogram. Inside the case is a 15GB hard drive and 128MB of RAM, expandable to a massive 256MB. The notebook sports built-in 100Mbps Ethernet, a 56Kbps modem, and USB and IEEE 1394 ports. There's an external monitor connector, too, and the built-in LCD is an 8.4in 800x600 TFT model. There is a CompactFlash card slot, plus a CardBus port. Battery life, Casio claims, comes in at five hours per charge. ® Related Stories Casio cans 17% of workers Transmeta ships, renames Mobile Linux
Tony Smith, 14 Nov 2001

Linux fans ‘hack’ Windows XP advert

Updated British Linux users have begun to tell the wider world what they think about Microsoft's Windows XP. Their weapon: the spray can. Register reader Martin Jenkins spotted this defaced XP ad on the A38 in Bristol. Do we have the start of a culture jamming trend here? This site has a nice piccy of another XP ad cunningly defaced in East London. ® Related Story Culture jammers spoof WTO site
Tony Smith, 14 Nov 2001

HP kit sales down 31 per cent

Hewlett Packard's Q4 profits have beaten Wall Street expectations but are $481m down from a year earlier. The company earned $361 million, down from $842 million in Q4 a year ago. Sales fell to $10.9 billion from $13.3 billion - the expectation had been for HP to turn over $9.9 billion in the period. Net profit, including a $282m pre-tax restructuring charge for shedding staff, and other extraordinary items, bombed to $100 million, from $930 million in the quarter a year earlier. Chief exec Carly Fiorina's positive spin is: "Results were driven by excellent execution in imaging and printing and good performance in services. While overall computing systems results remain weak, we saw improvement in certain segments including storage and PCs." For the year, HP reported earnings per share of 89 cents on sales of $45.2 billion. In fiscal 2000, the company had annual earnings per share of $1.74 on revenues of $48.8 billion. HP's computing systems business - which includes workstations, desktops, notebooks, mobile devices, UNIX and PC servers, storage and software - saw sales drop 31 per cent year on year, and just one per cent on the last quarter. PC server sales slumped 44 per cent from last year, and 11 per cent on Q3. Commercial desktop revenues declined by 39 per cent year on year, 11 per cent sequentially. Consumer PC revenues grew 23 per cent on Q3, but were down 37 per cent year-over-year. The home PC business broke even worldwide and even managed to generate profits in North America. Notebook sales grew 10 per cent on Q3 business, but dropped 12 per cent on last Q4. For the fourth quarter, UNIX server revenue was down 30 per cent year on year, and 11 per cent sequentially. The business remained profitable. HP said it had shed 4,000 of the 6,000 workers it planned to eliminate by 31 October. The remaining 2,000 will go in the first half of fiscal 2002. ® Related Stories Get Walter! Hewlett Jr. smeared to save Compaq merger Packard family naysays Compaq merger HPaQ must die - major investor Worker 'rigged' HP Superdome benchmarks
Robert Blincoe, 14 Nov 2001

VIA cuts 40% off profit prediction

VIA's profit this year will total less than two-thirds of what it had previously forecast, the chipset company admitted today. Blaming the no-show of the recovery in the PC market that it had anticipated, VIA said it will earn some NT$5 billion ($145 million) this year - down 40 per cent on the NT$8.4 billion it forecast earlier this year that it would make. Earnings per share will fall from NT$8.80 to NT$5.30, the company said. And VIA doesn't expect the market to improve any time soon. In an interview with Bloomberg, VIA's director of finance and accounting, Miller Chen, said: "The PC environment is not so good. It's not as strong as we predicted in the second quarter." The bottom line is that VIA is selling fewer chipsets than it had anticipated it would. The events of 11 September and the broader economic climate may well have had an impact on demand for the company's products, but we'd also add Intel's legal action to the list. Intel is suing VIA over the chipset maker's Pentium 4-oriented P4X266 part. Intel claims VIA has no right to use P4 bus technology in the chipset and has launched intellectual property violation lawsuits against it. VIA has countersued, claiming Intel's behaviour is anti-competitive and citing alleged violations of its own patents. Whatever the merits of its case, Intel's lawsuit has at least persuaded major motherboard manufacturers to steer clear of VIA's chipset. Instead, many are turning to SiS, which does have a P4 bus licence. SiS sources say it will ship 500,000 645 chipsets between mid-November and the end of the year, ensuring it will beat its previous target of 900,000 for the quarter by 50 per cent. In response, VIA launched its own-brand motherboard line based on its own chipset. Last month, the company said these mobos would add NT$550 million to its November sales. Given Chen's comments today, that seems unlikely to happen. And indeed, sources cited by DigiTimes suggest that it won't, as VIA targets third parties first and its own mobo division second. ®
Tony Smith, 14 Nov 2001

Tiscali to break-even in Q4

Italian Internet giant Tiscali is on track to break even in the next quarter, the company reported today. This will be some feat if it succeeds, in light of the major restructuring that has taken place at the company over the last year or so. Barely a month goes by when the Italian group doesn't snap up some European ISP or other before integrating it into its ever-expanding Internet empire. The pace of Tiscali's growth has been breathtaking at times, not least for the job losses that have followed many of its acquisitions. Earlier this year around 300 jobs were lost in the UK alone following the integration of World Online, LibertySurf and LineOne. However, the company claims that the integration of different companies into a single company under the same Tiscali brand, adopting the same technologies throughout Europe, is "progressing rapidly". And it reports that the integration of Web sites into a single Tiscali portal for all of Europe has been completed. The company reported that Q3 revenues were up 260 per cent at €190.1 million (£116.46 million) compared to the same period last year and 15 per cent higher than in Q2. A significant slice of this revenue - €121.7 million (£74.56 million) - came from access charges. EBITDA (earnings before interest, etc.) losses fell 29 per cent on the previous quarter to €44.8 million (£27.44 million). Importantly, though, Tiscali says it is "on target to reach EBITDA break-even in 4Q01". The company claims that the combination of price increases, the migration of Internet traffic to its own IP network and the renegotiation of existing contracts have all helped it to within sight of achieving break-even operating EBITDA in the final quarter of this year. As of the end of September the European ISP had 7.56 million active users, accounting for 130 million minutes of daily Internet traffic in September 2001. ® Related Story Tiscali UK confirms cull Tiscali narrows losses, ups revenues
Tim Richardson, 14 Nov 2001

Sneak Intel DDR preview

As predicted, Intel's DDR-supporting chipset, the 845D, made a sneak preview at Comdex yesterday. Chinese PC maker Legend showed off its QDI P2D-A motherboard based on the chipset. Legend's board was shown running a P4 1.6GHz and 128MB of DDR SDRAM. It will ship worldwide from December for about $140, a spokesperson told PC World. Intel currently has two chipsets available, the 850 and 845, supporting Rambus' RDRAM and regular SDRAM respectively. Due to an agreement with Rambus, it has not been able to officially launch a DDR-based product before the end of 2001. Intel says it will ship the part at pretty much the same price as the current, PC133-based 845. That, coupled with its own admission that supplies of the 845 are likely to be very tight through November, suggests the company is moving quickly to shift the market's attention away from the single-rate SDRAM product to its double data rate successor. It has been hinting for some time that it would ship the 845D to motherboard manufacturers this quarter, but hold off the part's official launch until early next year. VIA, SiS and Acer all have motherboards supporting P4 chips and DDR memory. ® Related Stories Intel gears up to phase in DDR 845D chipset next month Rambus unveils 6.4GBps, 3.2GHz next-gen RDRAM Intel countersues VIA - again
James Watson, 14 Nov 2001

Imagine a world without Java

Microsoft's attempt to beat Java into extinction could take some time, as this wee anecdote shows. The Norwood, Massachusetts-based software asset management firm Corporate Software, a key Microsoft partner, is running an online seminar on Visual Studio .NET today. It's hosted by Sam Henry, technical product manager for Visual Studio. Unfortunately, to register you need a Java-capable browser. Which, if you're running Windows XP out of the box, or have upgraded to Internet Explorer 6.0, leaves you out in the cold. You can of course download a Java-compatible VM, but that's not really how the .NET vision should work. The seminar can be found here, and a JavaLobby discussion here. It's a footnote, for sure, but an indication of the task that the .NET strategy faces in creating a world without Java. ®
Andrew Orlowski, 14 Nov 2001

Sony, Fujitsu bash Transmeta

Sony and Fujitsu have had to reschedule the launch of at least five new notebook computers - and it's all Transmeta's fault, the two companies said today. Both companies have released Crusoe-based machines before, most notably Sony's Vaio C1 Picturebook sub-notebook. Sony planned to offer a faster version this week, but the portable will now ship mid-January. Sony didn't say which Crusoe it planned to use, but the smart money has to be on the 1GHz TM5800. This part isn't due until Q1 2002, if Transmeta's previous guidance is anything to go by, although the company has only just begun shipping slower versions. The C1 currently uses a 667MHz TM5600. Fujitsu, meanwhile, has delayed the introduction of four FMV-Biblo LOOX notebooks from this week to mid-December. It too said it had made the decision because Transmeta couldn't get it sufficient chips in time. Heaven knows Transmeta needs to get the TM5800 out pronto. With Q3 sales down 52 per cent to a mere $5 million, it needs to start selling chips before the money really runs out. Quite apart from the revenue, there's all the goodwill the company is sucking out of its customers. To lose either the Sony or Fujitsu design wins to Intel would be a severe blow to Transmeta. There's no sign that either company will drop Crusoe, but it's not hard to imagine either of them opting instead for low-power 0.13 micron mobile Pentium III chips. Fujitsu's new, mid-December release date suggests Transmeta is either shipping TM5800s to both companies or has pledged to do so very shortly. If it has made that promise, we hope it keeps the pledge - it can't afford to have either Fujitsu or Sony delay product launches a second time. ® Related Stories Casio to ship Linux, Transmeta laptop next week Transmeta Q3 revenue plummets 52% on Q2 Transmeta CEO replaced after seven months Transmeta announces 1GHz integrated graphics Crusoe 6000
Tony Smith, 14 Nov 2001

Sony frets over PS2 (and XBox)

Sony is feeling the heat of competition breathing down its neck. Kunitake Ando, Sony's president and COO, has told the FT that the presence of Xbox on the market could shorten console lifecycles. In other words, Ando fears that the more powerful Xbox, which actually retails for the same price as PlayStation 2 in the States, will force Sony to manufacture the PlayStation 3 ahead of schedule. Ando also uses the opportunity to take a pop at Nintendo, drawing attention to the disappointing sales of its new console in Japan. Currently, Sony's console is the only one on the market in the USA, but as of next week it will have two competitors to deal with. The PS2 has an awesome catalogue of titles, though (and not content with that, Konami has mysteriously decided to launch Metal Gear Solid 2 one day after the US Xbox launch). The news that Sony feels PS3 production may need to be ramped up sooner is slightly confusing, because the company isn't used to backing away from current formats as soon as something else hits the market. That was Sega's MO, and the last thing we want is Sony repeating this mistake. If it's so worried about market share slipping through its fingers, why not hack another $100 off the price of PS2? Don't forget, while we pay £199, American consumers are still having to pay $299 - a shade over £200 at current exchange rates. Under normal circumstances we would expect to pay as many pounds as the Americans pay dollars. Sony isn't exactly giving itself every break, which is why this PS3 message seems somewhat confused. The truth is, Sony may not be losing much money on PS2 units at the moment, but with another $100 off the price it would be, and in order to get PS3 production online early (which Ando-san believes his company may need to do) it needs to recoup a lot of investment in chip manufacturing. Perhaps now it's regretting its decision not to farm out console production to another firm, as Microsoft has done with Xbox... If Sony is in this position, it's a no-win situation. The company cannot afford to drop the price of PlayStation 2 because it needs to recoup costs. But neither can it afford to let Microsoft steal its market share by undercutting it in the near future. So which is worse? Losing the ability to construct PlayStation 3 in time to deal with an Xbox successor (HomeStation is still happening, as far as we know), or losing market share? It's an unenviable position to be in. But we think that Microsoft has the greatest fight on its hands. MS has no previous success in the games console sector upon which to base promotions, few if any killer applications (Jet Set Radio Future isn't even out yet, so forget that), and it is opting for the higher price of $299. With things the way they are now, Sony's next move may decide whether Xbox is a success or a failure. © Eurogamer.net. All rights reserved. Related Story FT: Sony chief says Xbox threatens 'life cycle'
Eurogamer.net, 14 Nov 2001

C&W in £1.5bn share buy back

Shares in alternative British telecoms carrier Cable & Wireless nudged up following confirmation that it will buy back up to 15 per cent of its shares and issue a special dividend to investors. News of the £1.5 billion offer had been widely expected, as shareholders put pressure on C&W to return some of the £4.1 billion in cash it has sloshing about. Publishing its results for the six months to the end of September, the company said that revenue in Cable & Wireless Global - which delivers IP and data solutions to business customers in the UK, US, Continental Europe and Japan - was down five per cent on the same period last year. Revenues from its large corporate customers grew by 11 per cent. But revenue from service providers - which includes telecoms and Internet companies - sank eight per cent, reflecting the financial difficulties of many companies in this sector. Group revenue slipped from £4.43 billion in H1 2000 to £3.31 billion in the first six months of this year. Pre-tax profit before exceptional items was £83 million, down from £537 million last year. Graham Wallace, Chief Executive of Cable and Wireless plc, said: "The strength of our balance sheet is a real competitive advantage in these turbulent times. "We continue to implement our strategy, reduce the cost base and capital expenditure and position the group for profitable growth," he said. By late afternoon shares were up 19.5p (5.64 per cent) at 365.5p. ®
Tim Richardson, 14 Nov 2001

Report to your local army recruitment centre immediately

A spoof army call-up text message has been banned by advertising watchdogs because of the distress it could cause. Computer games company Eidos, of Lara Croft fame, used the text message to plug its latest PC game, Commandos 2. The message read "Please report to your local army recruitment centre immediately for your 2nd tour of duty. Commandos 2 on PC, It's More Real Than Real Life - out today from Eidos". A former member of the British Army made the complaint to the Advertising Standards Authority (ASA). He feared it was a real call-up, and thought the message could cause undue distress to people at a time when there is a war against terrorism. Eidos has said it was meant to be a joke and apologised for any distress caused by the insensitivity of the text message. It gave its assurance that it would not repeat the campaign. But why would it need to? The advert has done its job. Computer games companies are no strangers to shock advertising, and the publicity garnered from a ban is often better than the original campaign. Here are some other notorious examples of games companies getting a lot of publicity and a small rap on the knuckles for their campaigns: Bags of dripping offal were sent to various journalists to publicise Doom II. Chanel suits were ruined, the police got involved, and the stunt was awarded second place in the Evening Standard's Hall of Shame that year. The poster campaign for Virgin Interactive Entertainment's Command & Conquer showed pictures of major despots and genocidal maniacs, calling them previous high scorers of the game. Alongside Hitler and Stalin was Jacques Chirac, the French President who'd just overseen some nuclear testing in the Pacific. The ad was banned, and an international incident was narrowly averted. Images of semi-naked women are often used to sell things. But with zero subtlety and imagination, a company called Gametek used a picture of model Jo Guest clamping a box of Battlecruiser 3000AD between her legs to promote the game. The tag line was 'She really wants it'. The ASA didn't. ®
Robert Blincoe, 14 Nov 2001

HP puts 3000 MPE warhorse out to grass

HP has announced end-of-support dates for its range of e3000 servers and their associated upgrade kits, as well as the MPE/iX operating system. Support for most of the product lines will end in five years (December 31, 2006, to be precise). A-, N-, K-, E- and T-class e3000 servers are all listed in the announcement. Support for some E-class (or 9x8) servers will end in December 2004, while some T-class (or 99x) server help lines will be cut off as early as next March. (See HP's server discontinuation site for full details, updated today.) On the operating system side, MPE/iX 6.5 will be culled from the company's price list in August 2002 (version 6.0 was dropped in February), although versions 7.0 and 7.5 look like they will survive until November 2003. Support for version 6.0 ends in October next year, while 6.5 will end in December 2003. Support for both 7.0 and 7.5 will die out in December 2006. The 3000 series server was launched in 1972 and has seen numerous upgrades and changes over the nearly three decades since. The company will focus its attention on its 9000 series of Unix servers and NetServer line of Intel-based servers. In HP's just-released financial results, its computing systems business - which includes workstations, desktops, notebooks, mobile devices, UNIX and PC servers, storage and software - saw sales drop 31 per cent year on year, and just one per cent on the last quarter. UNIX server revenue was down 30 per cent year on year, and 11 per cent sequentially for the fourth quarter, although the unit remained profitable. ® Related Link HP e3000 Business Server News Related Stories HP kit sales down 31 per cent Worker 'rigged' HP Superdome benchmarks
James Watson, 14 Nov 2001

Norton AV update rings false alarm bells

Two security software houses have rounded on Symantec after their products were wrongly said to be infected with Nimda. The false alarms rang for InstallShield and F-Prot Antivirus for Windows, and were caused by poorly written virus definition updates to Symantec's Norton Anti-Virus. Frisk Software, the Icelandic developer of F-Prot Antivirus, has responded to the false implication that its product was infected by W32.Nimda.enc(dr) with a terse statement criticising Symantec's quality assurance. Erlendur Thorsteinsson, product manager for F-Prot, told us the problem arose because of faulty definitions issued by Symantec on November 9. The latest virus definition files, which came out on November 12, are free from the problem and Symantec users are being encouraged to update their protection. Earlier this month over-sensitivity in the automatic detection of viruses (or heuristics) included within Norton Anti-Virus resulted in a false alert that the MSN.co.uk Web site was infected with a Trojan. ® External links InstallShield advisory on the issue (which gives advice to users on what to do if key files have been quarantined or deleted in response to the false alert) Frisk Software's advisory Related stories MSN.co.uk virus alert is false alarm Sophos rebuffs virus-spreading charge Symantec users risk redirection to hacker sites Firms hit in Nimda mutant outbreak Nimda worm tails off Teenage Mutant Nimda email rides the Code Red worm
John Leyden, 14 Nov 2001

Intel to offer Springdale DDR 2 chipset in 2003

Intel has committed itself to DDR 2 SDRAM technology and will support the specification mid-to-late 2003, according to Japanese site PC Watch. We're not entirely sure of PC Watch's source - (s)he appears to be close to standards-setter JEDEC, but our translation isn't great. If the source's claims are accurate, Intel will support DDR 2 with Springdale and Springdale-G, two Pentium 4-oriented chipsets the company will launch in Q3 2003. Various other sources claim that Intel effectively committed itself to DDR 2 in September. For some time, Intel has led a group of the top five memory companies promoting something called the Advanced DRAM Technology standard. ADT isn't quite DDR 2, but it's close enough, and the two may well be brought together soon in an interim JEDEC spec, the PC Watch article speculates. DDR 2 could even displace Rambus RDRAM as Intel's preferred high-performance memory technology, according to the report. JEDEC issued the preliminary DDR 2 specification last summer. Chip makers can begin developing memory chips based on the spec, but full-scale production is unlikely to kick in before Q2 2003. Given the timing, the arrival of a DDR 2 chipset from Intel in Q3 2003 isn't infeasible. The so-called DDR II spec describes a 1.8V device running at up to 533MHz - coincidentally (perhaps) the next Pentium 4 frontside bus speed. The spec also covers enhanced DDR I modes at 400MHz and 533MHz for 3.3GBps and 4.3GBps throughput, dubbed PC3200 and PC4300 respectively. Of course, even if PC Watch's source has provided a genuine Intel roadmap, Q3 2003 is a long way off. There's plenty of time between now and then for Intel to change its mind, depending on the uptake of DDR 2 and what Rambus comes out with in the meantime. Is it accurate? As PC Watch appears to have redrawn the roadmap - to avoid copyright issues, presumably - it's difficult to be sure, but the other information contained on the site's chart tallies with what we know from other sources. ® Related Story Preliminary DDR II spec set Related Link PC Watch: Intel will support DDR 2 in 2003 with Springdale (in Japanese)
Tony Smith, 14 Nov 2001

Xbox lands

Microsoft's advance in the world of gaming consoles begins officially just after midnight when its Xbox product goes on sale in America. New York's Toys "R" Us in Times Square will be the place where eager gamers can converge to start snapping them up. Nintendo is set to launch its rival console, the GameCube, in North America on Sunday. Microsoft's console costs $299. For those who don't want to interrupt their sleep patterns for the launch festivities, a list of brick and click retailers is available here. Europe will only see the box arriving in March, with an anticipated retail price of £299 (titles expected to sell for $44.99). UK gamers can test the console earlier through Microsoft's Xbox Xperience roadshow. Some of the major titles being punted for the platform include Halo, Dead or Alive 3 and Oddworld: Munch's Oddysee (see a full list here). ® Related Stories Sony frets over PS2 (and Xbox) Leaked MS mail reveals WinXP, Xbox launch spin plans MS confirms Xbox disk downgrade Related Link Xbox Official Site
James Watson, 14 Nov 2001

Compaq cavalry rescues Linux clusters

In May, Compaq said it would GPL its NSC, or Non Stop Clusters, code. This is the code that SCO licensed and co-developed as UnixWare Non Stop Clusters. Compaq announced two projects - the CI Project (for the infrastructure) and SSI - and Bruce Walker's seven-man team in Los Angeles has been making progress. High Availability clustering can extend Linux from its current role in network plumbing and edge tasks, such as web serving, into the heart of the business, running database and TP jobs. Compaq's intervention is timely. At the Cluster File Systems Birds-of-a-Feather session at LinuxWorld in August, Peter Braam described how significant the Compaq SSI could prove: "The various Linux HA projects have fragmented really badly," he said. "It's almost all proprietary, and here with one blow is a pretty comprehensive applications platform: Oracle can failover from node to node. "Compaq SSI has a huge amount of high quality code: which is not only extremely high performance but all the pieces you need to do the cluster completely." You can find an HTML presentation by Walker here, with a PowerPoint version of the slides here [276k]. Walker's involvement with the code predates Compaq. It's in its fifth generation now, with its origins in the Locus system which began life at UCLA in 1979, he told us in August. Along the way the ideas were implemented in a clustered kernel for IBM, in Intel's Paragon machine, and in clustered Compaq PS/2s. After a couple of years' close work with Tandem, the latter acquired the group in 1996, shortly before Q bought Tandem. Earlier this year SCO's new owners, Caldera, decided that maintaining two UnixWare kernels, one with NSC and one without, was too expensive. But that removed an important obstacle to the code being released under a software libre licence. What else? Oh yes, the topical bit: SourceForge has unveiled a new section of the site, a "Cluster Foundry", for the two projects and related Linux cluster work, which you can find here. ® Related Links Cluster Infrastructure for Linux - SourceForge Single System Image Clusters for Linux - SourceForge Related Stories SCO UnixWare NSC
Andrew Orlowski, 14 Nov 2001