9 January 2002 Archive

‘Punish software makers for bad security’ – NAS

Congress should make it easier to punish companies that produce insecure software that puts business and consumers at risk, a panel assembled by the prestigious National Academy of Sciences (NAS) said Tuesday. "Policy makers should consider legislative responses to the failure of existing incentives to cause the market to respond adequately to the security challenge," the NAS' computer and telecommunications board wrote in a draft report on the nation's computer-security systems in the wake of Sept. 11. "Possible options include steps that would increase the exposure of software and systems vendors and system operators to liability for system breaches." Mandatory crime reporting and stricter liability are hardly new ideas: many computer-security specialists have recommended such measures for years. But the fact that they are being uttered by members of an NAS panel suggests the once-fringe ideas are more mainstream, and may gain urgency as decision-makers ponder, for example, what might have happened had terrorists launched an effective cyber attack simultaneous with the hijackings of Sept. 11. "A lot of security experts are starting to feel that way," said Marcus Ranum, chief technical officer of NFR Inc. and moderator of the Firewall Wizards email list. One member of his list recently "posted a long rant about how the vendors are dropping the ball. Then again, there's more than enough blame to go around." But new liability laws would run counter to legislation that has sought to reduce liability over the past few years. In 1999, Congress passed legislation that absolved companies from being sued over disclosures related to their preparation for the so-called Y2K bug. Legislators have also been amenable to widening protections extended under the Freedom of Information Act, so that companies can rest assured that security problems they have on their networks will not be exposed if they tell the government about them.
Technology companies have naturally steered clear of laws that could increase their liability, and even devising liability standards would be difficult, says Mark Rasch, vice president of cyberlaw for security firm Predictive Systems Inc. in Reston, Va. What, he asks rhetorically, should be the security standard for a game of Solitaire? More to the point, he says, is the question why so many companies buy products that are not up to the job. "Why punish someone for insecure products when there is a secure product [the customer] did not buy?" he asks. "Do we want to have a national law that imposes or warrants a certain level of security on all computers?" A more educated market, Rasch says, would do much to improve security. "Let's face it, Detroit railed against seat belts, railed against airbags for years, but they really didn't take off until consumers demanded them." For all the criticism of vendors, the NAS panel finds fault elsewhere, too. Mainstream businesses, the panel writes, have failed to take security seriously. In the future, security administrators will need more money and more clout to keep networks safe from terrorists and criminals, the report says. In addition, ordinary workers will need to be trained in good security and have the tools necessary for it on their own computers, according to the report. Finally, government needs to clean up its own, often pitiful, record in computer security, while funding more research and development to protect computers everywhere, according to the report. The market cannot respond to national imperatives when so many security products are designed for basic business, the NAS concludes. © 2001 SecurityFocus.com, all rights reserved.
Ann Harrison, 09 Jan 2002

AOL buddy-hole fix has backdoor

A member of w00w00, the security enthusiasts who first reported the AOL Instant Messenger (AIM) games request vulnerability, has alerted users that a fix the group recommends has its own backdoor. Apparently, the AIM Filter by Robbie Saunders which w00w00 had recommended is infected, group member Jordan Ritter disclosed on the Bugtraq mailing list late Tuesday. "At the time, Robbie Saunders' AIM Filter seemed like a nice temporary solution. Unfortunately, it instead produces cash-paid click-throughs over time intervals and contains backdoor code combined with basic obfuscation to divulge system information and launch several Web browsers to porn sites," Ritter wrote. "We only took the time to verify that it blocked the attack, since an analysis of AIM filter wasn't our priority. Mea culpa." w00w00 has since devised a clean version of AIM Filter. Meanwhile, Saunders says on his Web site that the advisory is overstated. "The filter enables the user on the screen name 'robbieiship' to use two admin commands: 1) get your IP and build number [in case I should feel like reporting you to your ISP]; 2) shut down your AIM Filter and open five embarrassing Web sites [in case you mess with my friends]." "The cash-paid click-throughs are because I need money and they only go in once (when you open the filter) and not on time intervals like w00w00 claims." A subsequent post to Bugtraq by w00w00 member Tim Yardley supports part of this claim, but not all of it. "The query user packet would send a message to Robbie Saunders with the IP address of your machine. The DC [direct connection?] packet would open four Web browsers to various porn sites." "The DC loop packet would send the DC packet in a message over and over, until length of 7900 was reached (max transmission size I guess). On connect, the software would connect to two different sites using Robbie's click ID (to generate money for him). There was also a timer that did this same thing." 
So there we have two slightly different accounts, but general consensus that AIM Filter isn't a terribly dangerous thing, if not terribly polite. As for those who installed AIM Filter, so far as we know at the moment, removing it is all that's required to defeat it. We will of course follow up if anything further emerges. ®
Related Stories: AIM gives up control of Windows machines; AOL bungs buddy-list security hole
Thomas C Greene, 09 Jan 2002

Centrica buys iomart broadband ops

Scottish ISP iomart has sold its broadband business to Centrica for £2 million. The company's support centre in Stornoway, 40 staff and 2,750 customers will be transferred to Centrica as part of the deal. In return Centrica - which trades under the brands of the AA, British Gas/Scottish Gas, Goldfish and One.Tel - picks up a business with estimated revenues of £1.9 million last year against losses of £1.6 million. iomart is expected to use the cash to accelerate development and marketing of its NetIntelligence security product. No-one from the company was available for comment by press time but in a statement iomart CEO Angus MacSween said: "This completes the withdrawal of iomart from telco and infrastructure related products and facilitates focus on the new strategy concentrating on the NetIntelligence suite of products." In May iomart flogged its customer-facing dial-up ISP Madasafish to an unnamed buyer. ®
Related Story: Iomart sells Madasafish
Tim Richardson, 09 Jan 2002

User fury as Sun puts x86 Solaris to sleep

Sun is putting the Intel version of its Solaris Unix OS in the deep freeze, citing support and development costs as the reason. There won't be an x86 version of Solaris version 9 this year, but Sun will support existing versions for seven years, Solaris marketing director Graham Lovell told IDG yesterday. More charitably - or gullibly if you're being cruel - CNet interpreted the same news as a "delay". But as you know, the body's metabolism can be fatally impaired by spending too long in the cold, and no version 9 this year effectively means the end of Solaris on x86. It's been maintained at great expense over the past nine years, and only last October was refreshed with USB support, for example. But Sun has only ever seen a minuscule market share as a reward, and of course precisely no downstream hardware revenue, because Sun doesn't sell Intel servers. And the expenses keep piling up. Just ask Be, Inc. There are more chips and chipsets to support than ever before, and Foster, and the SMT Foster, and AMD's Athlon XP, and Athlon SMP and Sledgehammers either here or on their way. However, users on the busy Solaris on Intel mailing lists were not happy bunnies last night, pointing out that the x86 version maintains mindshare and offers a cheap way to bring new recruits into the Sun fold. "You've killed the dream, Sun. New admins *DON'T* have a way to learn about Sun on the cheap," wrote one user. "Mindshare is a terrible thing to waste," punned another. "It's expensive to develop, hard to measure and difficult to correlate to earnings, yet very important to long term success. This will be the biggest casualty if Solaris x86 is abandoned." And there's already a "Save Solaris on x86" page up and running. Or at least there was, until somebody interfered with it. We'll repost the link when it's fixed. Last post, First post! All in all, it's a minor historic decision by Sun as it leaves no proprietary Unix left in active development on Intel hardware.
SCO's OpenServer has been in maintenance mode for some years, and the best parts of its UnixWare OS seemed to fall out of the removal van over the Sierras, as the OS made its journey from Santa Cruz to Utah, en route to its new owners Caldera. They hardly ever mention it now. So if you want a Unix on x86, you have a choice between the free BSDs or Linux. Slashdotters rejoice. We just hate to see any good, cheap and well-supported OS bite the dust. ®
Related Links: The Solaris on Intel mailing list; Sun's Solaris for Intel home page; The great Solaris on Intel FAQ
Andrew Orlowski, 09 Jan 2002

IBM outsources Netvista PC production

IBM, the creator of the industry standard PC, is to stop making desktop computers, handing over production of Netvistas in US and Europe to Sanmina-SCI. The OEM deal is worth $5bn over three years to Sanmina-SCI, a specialist electronics contract manufacturer, which is paying an undisclosed sum for IBM's Netvista manufacturing business, based in North Carolina and Greenock, Scotland. Nine hundred workers from NC and 80 from Greenock will transfer on the same salaries to Sanmina-SCI. IBM says the deal ensures that the company will make significant cost savings, while continuing to offer a full line-up of PC products and services. So what does this mean? First, it puts paid to the persistent rumours that IBM is to exit the desktop PC business. After all, it is committed to spending $5 billion over three years on its new desktop PC supplier. If Sanmina-SCI can build PCs cheaper than IBM, then IBM can compete harder on price for corporate desktop PC accounts. If nothing else, the Netvista PC line is a useful weapon in IBM's arsenal of tech services and products for the corporate market. Today, IBM told staff by email that it was to stop selling PCs direct by telephone to small and medium-sized businesses in the UK, Germany, Sweden and France. Telesales staff are to be redeployed to handle calls from enterprise customers, while small businesses will now be referred to IBM channel partners. You can read more at ZDNET UK, which got the scoop. ®
Drew Cullen, 09 Jan 2002

Fujitsu Siemens to pre-load Tiscali on PCs

Fujitsu Siemens will pre-load Tiscali Internet access on all consumer PCs in the 14 European countries in which the ISP operates. Financial terms are undisclosed. The deal also includes the creation of value added bundled services, such as Voice over IP solutions, unified or instant messaging, music and entertainment services. Last August, Tiscali acquired Tiny Online Ltd - the ISP of Tiny Computers - for euro 13 million (£8 million) in cash. As part of the deal Tiny Computers and Tiscali have inked a long-term distribution agreement in which Tiscali becomes the retailer's exclusive ISP. ®
Related stories: Peter Gabriel powers Tiscali music downloads; Tiscali to break-even in Q4; Tiscali UK delays broadband satellite roll-out until 2002; Tiscali accounts slip leaves punters disconnected; Tiscali bids adieu to LineOne, LibertySurf and WorldOnline; Tiscali confirms Tiny Online buy-out
John Leyden, 09 Jan 2002

Mobile phone thefts hit kids

School kids are five times more likely to be victims of mobile phone thefts than adults, according to a Home Office report. However, in many cases it is younger people who are responsible for the thefts, according to the report Mobile Phone Theft. Although it claims it is impossible to say exactly how many mobile phones are being nicked, it estimates that 700,000 were stolen last year. It also claims that mobile phones are involved in more than one in four of all robberies. Three years ago mobile phones accounted for less than one in ten of robberies. While the Government works with the mobile phone industry to tackle the problem, it has warned mobile phone users to be more responsible. It's urged them to make a note of the IMEI number (a unique 15-digit serial number which can be accessed by keying *#06# into most phones or looking behind the battery of your phone) and report it to the police if the phone is stolen. It also suggested users avoid using phones in public. However, it's the news that children are at the centre of this crime wave that has really shocked politicians. Urging children to be more careful, Home Office Minister John Denham said: "I want to make sure that these children don't become the latest victims in a disturbing new robbery trend." And when it all seemed to be going so well. In 2000 the British Medical Journal reported that kids were giving up cigarettes in favour of mobile phones. With this latest scare some people are worried kids might stub out their phones and turn to fags instead. ®
Related Story: Kids give up fags for mobiles
Tim Richardson, 09 Jan 2002

Moody's downgrades Gateway credit status

Moody's has downgraded its credit assessment of Gateway to junk status, following worse than expected Q4 sales reported by the pan-US PC maker. Gateway has been demoted to Ba-3 from Baa-1, meaning that the company is now below investment grade. This should have no material effect on Gateway, which still has plenty of cash in the bank. But, Moody's assessment does reflect increasing concern in the investment community over Gateway, which appears to be losing share in its core US retail PC market. On Monday, the company said it would make a profit - bar one-offs and special items. However sales were only $1.16 billion, well below US analyst forecasts of $1.39bn for Q4, and 15 per cent below Gateway's own internal targets. Rival manufacturers appear to have done rather better in Q4, with a surge in consumer PC sales in the US in December. Fuelled by low-interest deals, US PC sales through the retail sector jumped 101 per cent each week after Thanksgiving, according to investment bank Salomon Smith Barney. This compares with rises of 40-60 per cent a week in the run up to Christmas 2000, a truly terrible period for the US PC industry. ®
Drew Cullen, 09 Jan 2002

DRAM recovery means higher PC prices -Time

The modest rebound in memory prices will mean higher prices for home PCs, according to Time Computers. The consumer PC maker is to issue a warning on all advertising that will pass this on to home buyers. The company reckons on charging £49 more on 512MB systems at the end of next week, and - maybe - another £49 at the end of January. The sub-text, of course, is that people who buy now can avoid the price rise. Time and other PC manufacturers are keen to avoid controversy, as new prices will be higher than those quoted in the most recent editions of newsstand PC magazines. Mesh today also released a statement on the Consumer Watch section of PC Advisor's web site, reproduced in part here. "In the past, prices have generally gone up before Christmas (due to increased demand) and then come back down in the first couple of weeks in January. This time however, prices have just kept on increasing. MESH have absorbed as much of the increase as possible - but prices are now at such a point where we must pass on part of the increase to the consumer. Customers who ring up to order are being told clearly that there is an issue and - in the majority of cases - they understand the situation and accept the small increase." Contract DRAM prices have risen more than 50 per cent since December, while spot market SDRAM prices have also jumped, with demand from PC manufacturers rising three-fold in December and DRAM makers reining in production. ®
Related story: SDRAM spot rise won't last - unless...
Drew Cullen, 09 Jan 2002

UK to follow broadband lead of S Korea – Hewitt

There's confusion today over whether Britain should follow South Korea and use Government money to finance the deployment of broadband. Today's FT reports that trade and industry secretary Patricia Hewitt "made the case for heavy government investment in high-speed internet infrastructure", while visiting South Korea. At the same time, she warned that "extra public funding would be hard to secure" adding that broadband would have to "take its place in a list of competing priorities alongside things like health and transport". So which is it to be - Government money or not? Despite several requests for clarification, the DTI failed to respond by press time. Ms Hewitt also urged BT and the UK's cable operators to "follow the example of their Korean counterparts by cutting prices and aggressively marketing services", according to the FT. But a spokesman for BT replied: "Every time we try and cut prices we get investigated by the regulator." South Korea tops the OECD's league table for broadband. Britain doesn't. ®
Related Stories: UK is still broadband laggard - OECD; UK is broadband laggard - OECD
Tim Richardson, 09 Jan 2002

One.Tel to rebrand iomart DSL service

Discount telco One.Tel believes it will be a major ADSL provider within the next five years following Centrica's £2 million acquisition of iomart's broadband business. One.Tel, part of Centrica Telecommunications, will rebrand the iomart service in the next couple of months. According to Centrica Telecommunications MD, Ian El-Mokadem, One.Tel's 110,000 Internet users will be among the first to be offered broadband. But will One.Tel use the vast resource of Centrica - parent to household-name brands including the AA and British Gas - to take on the likes of BTopenworld and promote its new broadband business? "We're not going to throw large sums of money at it, if there's no return," Mr El-Mokadem told The Register. "We won't go for broke at all costs. "Then again, we don't tend to just dip our toe in the market either," he said. "Over the next five years we will become a significant player in this market." Instead, it's a matter of timing. Like others, One.Tel believes broadband is set to take off, but issues such as pricing, service quality and availability are still an impediment to take-up. The acquisition of iomart's business and expertise gives One.Tel a relatively low-cost toe hold in the broadband marketplace without having to start from scratch. And when Centrica decides the time is right and puts its full weight behind this business, it might well prove to be a match for BT. ®
Related Story: Centrica buys iomart broadband ops
Tim Richardson, 09 Jan 2002

Kodak discount camera fiasco

The latest internet fiasco involving Kodak.com taking orders for discount cameras at £100, realising their mistake and then cancelling those orders, leaves customers stranded in a legal minefield. Clearly, on-line retailers have still not learnt the lesson that they must set out clearly their terms of business. The Kodak terms contradict themselves in a number of areas. Are they selling the cameras themselves, or are they selling as agent for a third party supplier? When is the contract with the consumer made? What authority does the agent who operates the site have when it sells at the wrong price? Who is liable to perform the contract? Kodak argue that they have not accepted the orders placed with them by customers who visited the site at www.Kodak.com and placed orders for digital cameras at £100 advertised on the site and gave their credit card details by way of payment. Kodak say that this is the same as bringing the goods to the till in a shop. No contract is made, they say, until the shop keeper has rung up the price and received payment. This analogy, however, is not correct in this case. Kodak have issued an order confirmation which operates as a receipt which the customer is asked to retain for warranty service. Most consumers would believe, having received such an acknowledgement from the site, having placed their order and given their credit card details and been told that the £100 will be charged to their card, that their purchase has been made. Terms on the site do not make it clear that this does not represent confirmation that the purchase has been made and it would be very surprising if a court were to say that no contract yet existed. The £100 price tag Kodak say was a mistake. If a contract was made, Kodak can set aside the contract on the basis of mistake only if they can show that the customer knew the price quoted was a mistake. This will depend on what was in each customer's mind at the time.
It was clearly a good offer but then Kodak advertised it as a "special deal". Is the £100 price, as compared to the price it is believed Kodak intended (namely over £300), that big a difference to make a customer realise it was a mistake? The Internet is awash with special offers. Digital cameras are a frequent subject of promotions. Kodak are going to find it difficult to prove that the customers must have realised that the price quoted was a mistake, which they must do to avoid honouring the contract. But if a contract does exist, who is it with? On the same terms, Kodak say that the contract is with the supplier and not with them, but in the same clause tell the consumer that the supplier is its agent. If the latter is the case, the contract is with Kodak. Even if Kodak were operating as agent for the supplier, named on the terms as Link Networks Limited of Edinburgh, are Link bound by a contract made by their agent? Link could say that they had never authorised Kodak to sell cameras at £100. In other words, if Kodak had exceeded their authority, would Link be bound? Where does this place the consumer? While the full name and address of Link Networks Limited is given in the terms and conditions issued by Kodak on their site, most consumers would not have thought that purchasing a Kodak camera from the Kodak site would in fact entail them entering into a contract with an entirely different party. Indeed, many of the terms used in the explanation of the terms on the Kodak site strongly imply that Kodak itself will perform the contract. It even commits Kodak to providing substitute products if those ordered were not available. Link Network Limited is a company registered in Scotland with company number SC167675 and the registered office is given as Nether Road, Galashiels, TA1 3HE. Interestingly, the principal business of that company is described as "agent". But Kodak would say they are principal and Kodak are the agent in this case.
While this causes obvious problems for the consumer, Kodak may find that they have breached the Consumer Protection (Distance Selling) Regulations 2000. S.7(a)(i) states that a company shall provide the consumer with the identity of the supplier. The confusion caused by Kodak's terms and conditions means that it is tricky for the consumer to tell who the supplier really is. Given the confusion that has been created, consumers may have to bring proceedings against both to enforce performance of the contract. But what Kodak company have they been dealing with? Consumers are always advised only to deal on-line with sites which identify the owner of the site. Kodak's site gives Kodak Limited as being the copyright owner of the site, though this is not necessarily the same thing. Enquirers to the helpline at Kodak were given Eastman Kodak Limited as the name of the company trading on the site. The website at Kodak.co.uk has a page that refers to Kodak Limited and its marketing of products, though this does not say that it is the company operating the site. Communications from the site in connection with orders for the cameras simply refer to Kodak and, contrary to the Business Names Act 1985 s.4(1) and s.349(1) of the Companies Act 1985, fail to include details of the full company name, so the customer is still in the dark as to which Kodak company he has been dealing with. Pursuant to s.351(1) of the Companies Act 1985, companies must also include details of their place and number of registration and their registered office address. ® Michael Archer is a partner at Beale and Company, a London law firm.
Michael Archer, 09 Jan 2002

Hush – do you want to store a secret?

Hush Communications has introduced an online service for secure personal storage based on encryption technology. Called HushDrive, the service is delivered through online storage services firm Xdrive and provides a facility that enables users to securely upload, download, and access their files from anywhere, at any time, using Internet-ready devices. Firms such as FreeDrive, which generates revenues from advertising, offer similar services without charging users; HushDrive differentiates itself by offering a more secure service featuring strong encryption. Up to 25MB of data, protected by Hush's 2048-bit maximum strength encryption, can be stored online with HushDrive. Xdrive has added a managed PKI component to its storage offering using the Hush Software Developers Kit (SDK). The SDK allows developers to link front end applications with secure backend delivery and, more importantly, provides a low-cost outsourcing option for key pair management services. Premium HushMail users pay $2.49 per month for 25MB of secure storage, while other users will be charged $2.99 per month to use HushDrive. A set up fee of $19.99 has been waived for an introductory period, which will run until the end of the month. A business offering of the service, which features the ability to share data between trusted users, is in development. ®
Related stories: Bridge built between HushMail and PGP users; FreeDrive renews reason for service switch off
John Leyden, 09 Jan 2002

iPlanet security flaws unmasked

A pair of vulnerabilities in widely-used Web server software from iPlanet has been uncovered. In the more serious case, Netscape Enterprise Server 3.x and iPlanet Web Server 4.x, running on the Windows operating system, can be subjected to a denial of service attack. Hackers would need only to enter a simple browser command in order to cause a vulnerable server to crash. For the technique to work, Web publishing needs to be enabled, but since this is fairly common the problem is quite serious for those running versions of the affected software on an NT platform. An estimated 30 per cent of Netscape and iPlanet Web servers run on NT. An advisory explaining the steps to take to fix the problem, which involves disabling the ?wp-html-rend command, can be found here. The second vulnerability, which affects a wider variety of Netscape Enterprise Server and iPlanet Web Server versions, could allow an attacker to make repeated authentication attempts if a server is configured to use HTTP basic authentication. This is not a severe weakness, because other security mechanisms (such as using client certificates) should be in place. However it may allow attackers to perform brute force password cracking on a site which has no authentication pages and, as such, represents an unexpected avenue of attack. This bug affects Netscape Enterprise Server 2.x and 3.x as well as iPlanet Web Server 4.x and 6.x on Solaris, AIX, Digital Unix, HP-UX, IRIX, SunOS, Windows NT, Windows 2000 and Linux. The vulnerability represents a security configuration issue, and iPlanet has produced an advisory detailing the steps admins can take here. Security firm ProCheckUp, which discovered both bugs, says the bugs collectively affect iPlanet Web servers commonly used in e-commerce or banking sites. But they are less serious than recent flaws uncovered in Microsoft IIS.
"These [iPlanet bugs] are not root level exploits so they are not nearly as bad as Microsoft bugs, which have resulted in the exposure of credit card details," said Richard Brain, ProCheckUp's technical director. "At worst you could temporarily shut down a Web site with these bugs. It's more an annoyance factor than anything," he added. ®
External links: DoS risk for iPlanet (CERT note); CERT note on brute force attack vulnerability; Advisory by ProCheckUp
John Leyden, 09 Jan 2002
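Both iPlanet issues above have a straightforward log-side check: requests carrying the ?wp-html-rend web-publishing command (which the advisory says to disable) and bursts of 401 responses from one client, the footprint of password guessing against HTTP basic authentication. The following Python is an added example, not code from the article, ProCheckUp or iPlanet; the log lines are constructed, and Common Log Format, the five-failures-in-60-seconds threshold and the function names are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample access-log lines for this example. Common Log Format is an
# assumption; check your own server's log format before reusing the regex.
SAMPLE_LOG = """\
10.0.0.5 - - [09/Jan/2002:10:15:01 +0000] "GET /index.html HTTP/1.0" 200 1043
10.0.0.9 - - [09/Jan/2002:10:15:03 +0000] "GET /docs/page.html?wp-html-rend HTTP/1.0" 200 512
10.0.0.7 - - [09/Jan/2002:10:16:00 +0000] "GET /private/ HTTP/1.0" 401 0
10.0.0.7 - - [09/Jan/2002:10:16:05 +0000] "GET /private/ HTTP/1.0" 401 0
10.0.0.7 - - [09/Jan/2002:10:16:09 +0000] "GET /private/ HTTP/1.0" 401 0
10.0.0.7 - - [09/Jan/2002:10:16:14 +0000] "GET /private/ HTTP/1.0" 401 0
10.0.0.7 - - [09/Jan/2002:10:16:20 +0000] "GET /private/ HTTP/1.0" 401 0
10.0.0.7 - - [09/Jan/2002:10:16:27 +0000] "GET /private/ HTTP/1.0" 401 0
10.0.0.5 - - [09/Jan/2002:10:16:30 +0000] "GET /private/ HTTP/1.0" 401 0
10.0.0.5 - - [09/Jan/2002:10:16:40 +0000] "GET /private/ HTTP/1.0" 200 2210
"""

CLF_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+$'
)


def parse_line(line):
    """Parse one CLF line into a dict; return None for lines that do not match."""
    m = CLF_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def parse_log(text):
    """Parse every well-formed line, silently skipping anything else."""
    return [r for r in (parse_line(l) for l in text.splitlines()) if r]


def find_wp_html_rend(records):
    """Requests whose query string carries the wp-html-rend command.

    After the command has been disabled per the advisory, a 200 here means the
    fix did not take; any hit at all is worth a look.
    """
    hits = []
    for r in records:
        _, _, query = r["target"].partition("?")
        if "wp-html-rend" in query.lower():
            hits.append((r["ip"], r["target"], r["status"]))
    return hits


def find_basic_auth_bruteforce(records, threshold=5, window_seconds=60):
    """Client IPs with at least `threshold` 401s inside any `window_seconds` span.

    Uses a sliding window over each client's sorted failure timestamps, so a
    slow, spread-out run of failures is not flagged but a burst is.
    """
    failures = defaultdict(list)
    for r in records:
        if r["status"] == 401:
            failures[r["ip"]].append(r["ts"])
    flagged = {}
    for ip, stamps in failures.items():
        stamps.sort()
        start, peak = 0, 0
        for end in range(len(stamps)):
            while (stamps[end] - stamps[start]).total_seconds() > window_seconds:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[ip] = peak
    return flagged


def analyze(text):
    """Run both checks over a log text and return the findings."""
    records = parse_log(text)
    return {
        "wp_html_rend": find_wp_html_rend(records),
        "bruteforce": find_basic_auth_bruteforce(records),
    }


if __name__ == "__main__":
    print(analyze(SAMPLE_LOG))
```

On the constructed sample the checker reports the single wp-html-rend request from 10.0.0.9 and flags 10.0.0.7 (six 401s in 27 seconds) while leaving 10.0.0.5, which failed once and then authenticated, alone.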

Google calls time on AIMSearch prank

Google's legal department has put a stop to a subversive web prank that makes a point about our loss of Internet privacy. The delicious URL has been circulating privately for the past fortnight. The website is a détournement of the Google features page, only with the intriguing addition that Google now hosts five years' worth of searchable AOL chat logs. Or as the page explains:- "In November of 2001 AOL Time Warner, responding to a subpoena from Attorney General John Ashcroft, made available to the Justice Department a complete archive of all private conversations held over AOL Instant Messenger (AIM). Through the power of the Freedom of Information Act (FOIA), Google was able to obtain a copy of this entire logfile, totaling over 2 terabytes of conversations previously thought to be private." "This unique resource provides insight into the minds of potential anti-American terrorists, cheating spouses, and countless computer neophytes." AIM in a nutshell, then. In the best Situationist tradition, the prank is followed to its logical conclusion with a real, ahem, searchable database of the "logs", which you can find here. And it works, too. You'll need to type in two AIM user Ids - although any two strings appear to get you into the logs. But you'll need to hurry. Not surprisingly, Google has objected to the cheeky appropriation of its trademark, and the site hoster has agreed to comply to its request to remove site by January 14th. We notice that already the "Google" logo has been altered to "Googol". Credit for the prank, we can reveal, goes to one Brian Del Vecchio, a network systems engineer (and former lead at Ascend), who conceived the idea. And we doubt if we'll see a funnier site all year. It's a slick and effortless response to our loss of privacy, our voyeurism, and the ease with which recent wiretapping legislation has ploughed through the constitution. Pretty much a neat summary of the zeitgeist. 
And like the best engineering it's so gracefully constructed you don't see the joins. Catch it before it comes down. ®
Related Stories: The Google Underpants Winners are...; A Walk Through Usenet memory lane; The Google attack engine; Detourn of the screw… (external link)
Andrew Orlowski, 09 Jan 2002

WWW patent threat lawyers are not talking

The law firm representing web patent opportunist UDTL put out a press release today ... to say it won't talk to press. Merchant & Gould, a Minneapolis-based law firm, has been sending generic letters to developers who use the W3C's RDF (Resource Description Framework) claiming that their software which processes RDF content infringes two patents filed by UDTL. UDTL, or "UFIL Unified Data Technologies", is a private sideline of one Babak Ahmadi, who filed Patents #5,684,985 and #6,092,077 in 1994 and 1998 respectively. But Ahmadi has got some big money backing for his speculation, in the shape of bailiffs PEARL or Patent Enforcement and Royalties Ltd. PEARL sponsors patent infringement litigation in return for a part-stake in the claim, and a share of the spoils. "PEARL intends to generate strong, long-term growth of its cash flow through reinvestment of its revenues into ever-greater numbers of patents. It plans to distribute any large cash recoveries to shareholders through a generous dividend plan," according to its mission statement. And PEARL appears to value its investment in Ahmadi's web patents highly: as highly as its investment in a hair dryer safety mechanism, according to a rather out-of-date page on its website. We called Ahmadi, but a voicemail message says he's out of town. (Although we know he isn't.) We asked Merchant & Gould attorney Dan McDonald if he was aware that UDTL was only a one-man operation, but he referred us to today's new press release; the law firm is only taking queries from potential licensees. But these may be thin on the ground, according to experts. "It's fishy," says Bruce Perens. "It looks like it's restating the basics of computing and creating new names for them," he told us. "There are very complicated names here for some very simple things. And the prior art cited in the patent is very very poor."
And prior art is where Ahmadi's claim stumbles, according to regulars on the W3C's RDF mailing list, who've cited a host of examples dating back to the early 1980s. Today, the Merchant & Gould press release said UDTL was offering "licensing agreements or other joint business opportunities." "At this time UTDL, PEARL and Merchant & Gould are not conducting interviews." But if Mr Ahmadi would care to contact The Register, we'd very much like to discuss his claim. ®
The Ahmadi Patents: Patent 5,684,985; Patent 6,092,077
Related Stories: Berners Lee: WWW royalties considered harmful; Apple patents perturb PNG programmers; Web standards schism 'terrible' - W3C patent policy boss; We'll fork the Web to keep it Free - Perens; Tempers cool in Pay-to-Play Web row
Andrew Orlowski, 09 Jan 2002