24 January 2002 Archive

Ebay hacking case gets weird

A day of hearings Wednesday at a federal court in San Jose, Calif. ended with accused eBay hacker Jerome Heckenkamp re-hiring his attorney, and the government accusing the 22-year-old computer expert of secretly accessing the Internet in violation of his pre-trial release conditions. Heckenkamp has been in custody since Friday, when he fired lawyer Jennifer Granick and persuaded U.S. magistrate Patricia Trumble to rescind the $50,000 in bail posted by a friend a year ago, in order to relieve his friend from the financial burden of the bond. In a jailhouse interview Tuesday, Heckenkamp told SecurityFocus that his self-arrest was also prompted by frustration over the slow pace of his case, and court-ordered release conditions that restricted his movement and barred him from using the Internet. "I just realized what's going on, and what's going to continue to go on," said Heckenkamp. Throughout a remarkable ninety-minute hearing Wednesday morning, Heckenkamp appeared unwavering in his determination to personally take over his defense against a slew of computer crime charges in two federal jurisdictions. The accused hacker stood perfectly still at the courtroom podium and evenly rejected the most strongly-worded advice from Granick and Trumble. From the bench, Trumble pointedly quizzed the imprisoned computer expert on his knowledge of federal criminal procedure and rules of evidence, emphasized his lack of experience in criminal law, and generally painted a bleak picture of a future in which he takes his case to trial without assistance from an attorney. "Ten years in federal prison would make you about thirty when you got out," Trumble said from the bench. Heckenkamp remained undeterred. "This is my case," he said. "And I have to do what I can to win... I think I'm the best person to do that."
Trumble eventually ruled that Heckenkamp could represent himself, and adjourned the hearing until the afternoon, intending to hear Heckenkamp on his request to be released from custody without posting bail.

Computers Searched

But when U.S. Marshals brought Heckenkamp back into the courtroom at 3:00 p.m., he had changed his mind. After meeting with attorney Granick in the courthouse's prisoner holding area, the accused hacker decided to stick with his lawyer after all, just as suddenly as he decided to fire her last Friday. "I believe that, after talking with my attorney Jennifer, we can both play an active role in my defense," he told the magistrate. Granick, who serves as clinical director of the Center for Internet and Society at Stanford Law School, wasn't present for the afternoon appearance, but confirmed in an interview that she was back on the case. "I think he thought there were things he could only do representing himself," said Granick. "And he realized in the hearing that he was wrong." Heckenkamp's change of heart wasn't the only surprise. Prosecutor Ross Nadel declared that a search of Heckenkamp's home computers by the court's Pre-Trial Services division, which oversees defendants on bail, turned up evidence that Heckenkamp had accessed the Internet, in violation of his release conditions. The search, Nadel said, was carried out with the help of the FBI. The prosecutor said he planned to ask that Heckenkamp be kept in jail pending trial, currently scheduled to begin in March. He also requested that Trumble issue an emergency order allowing the government to immediately seize Heckenkamp's computers from his San Jose home. "Those computers need to be preserved, so that any evidence on those computers can be preserved," said Nadel. Trumble declined to issue such an order, and instead instructed Pre-Trial Services to submit the correct paperwork for property seizure.
Heckenkamp protested the entire exchange, telling the magistrate that his home computer contains confidential information regarding his defense. Further, he said, there were no legal grounds to search it after he'd been taken into custody. At the conclusion of the Wednesday hearing, Heckenkamp also learned that his bail money had not yet been "exonerated," i.e., returned to the friend who posted it, because the San Diego federal court where he faces some of his charges had not yet signed off. Heckenkamp argued that because the bail hadn't been returned, he should be released, rather than spending another night at Santa Clara County Jail. "I believe all my rights are being violated here," Heckenkamp said. "If bail has not been exonerated, I should not be taken into custody." Trumble demurred, and said she would take up the issue when hearings continue Thursday, and Heckenkamp returns to court with Granick. A former network engineer at Los Alamos National Labs in New Mexico, Heckenkamp lost his job in January, 2001, when prosecutors charged him with defacing eBay under the hacker handle MagicFX, and accused him of penetrating computers belonging to Lycos, Exodus Communications, Juniper Networks, E-Trade Group and Cygnus Support Solutions. Heckenkamp says he's innocent on all counts. © 2001 SecurityFocus.com, all rights reserved.
Related Stories
Accused eBay hacker volunteered for jail
Nuke plant worker faces hacking charges
Kevin Poulsen, 24 Jan 2002

Antitrust legal beagles suing MS and DoJ

Antitrust watchdog group the American Antitrust Institute (AAI) will hold a press conference Thursday to announce details of a lawsuit they intend to file against Microsoft and the US Department of Justice, Reuters reports. According to the group, both parties have held meetings and exchanged memos which have not been fully disclosed in court documents. But according to US law, all such cross-party communications must be detailed, though MS has produced only a brief sketch, leading to the suspicion that some back-channel hustling has been concealed. "The AAI believes both Microsoft and the DOJ have deliberately avoided the disclosure requirements of the Tunney Act process or offered incomplete or misleading information," the group says. They may be onto something here. It does seem improbable that the DoJ could have come up with a settlement so warmly accommodating of Microsoft without considerable coaching from Redmond. We'll bring you further details of this intriguing situation as they become available. ®
Thomas C Greene, 24 Jan 2002

Labels ask time-out in Napster battle

Something seems amiss in the Recording industry's copyright battle with Napster, as the labels have sought and been granted a 30-day time-out in the action, the Associated Press reports. According to the report, the labels will seek a settlement during the cease-fire. "Only Capitol Records and Virgin Records America didn't join in the request to US District Judge Marilyn Hall Patel," the wire service says. The industry has not yet commented on the unusual turn of events, but one is tempted to wonder if the plaintiffs have lost confidence in their case. They certainly were full of studly arrogance last year when they ostentatiously disdained Napster's $1 billion bribe to let it live. But since the damage has been done, it's hard to imagine Napster coughing up a sum like that today, as it's been re-jiggering itself as a copyright-friendly subscription service with backing from Media heavyweight BMG, and is, it maintains, nearly ready to re-launch itself. One also has to wonder if the DoJ's recent interest in the antitrust implications of the music industry's licensing practices could have anything to do with Wednesday's development. No doubt Recording Ass. of America President Hillary Rosen will explain it all to us very soon. We look forward to hearing more about this unique victory for the sanctity of copyright. ®
Thomas C Greene, 24 Jan 2002

Woz goes wireless – by stealth

Steve Wozniak is launching a new wireless technology venture. For anyone who understands Apple co-founder Wozniak's pivotal role in the birth of the modern computer industry, this should be interesting news. However, neither Wozniak nor the venture capital firms backing the company, called Wheels of Zeus (wOz), are saying anything about the technology that underpins the venture, writes Dan Jones. Instead, the company appears to be following in the footsteps of 'Ginger/IT' inventor Dean Kamen, who found himself the centre of a media feeding frenzy last year. Before Kamen's product was even launched, several IT luminaries were quoted saying it was the greatest thing since sliced bread. As it turned out, IT was perhaps only the greatest thing since cheese slices, for the Segway, as it is called, is just a couple of steps up the evolutionary ladder from the electric scooter. It is interesting to note that wireless device vendor Danger Research Inc, which is backed by Mobius Venture Capital, one of the companies funding wOz, found itself at the centre of a similar media buzz while it was still in stealth mode last year. Wozniak is on Danger Research's board. However, Greg Galanos, managing director at Mobius, is keen to disassociate wOz from the Segway media circus. "I don't think we've made any statements about this changing the world," he told ComputerWire. Indeed, the people involved have made virtually no concrete statements about what the company's products will do. "wOz is designing new consumer electronics wireless products that will have universal appeal among consumers and corporations alike," said Steve Wozniak, in a statement. "Recent advances in global positioning software (GPS) systems and antenna technology coupled with the declining cost of processing power and two-way networking make the possibilities for new devices and services really exciting." Galanos said that the products will combine GPS with wireless LAN networking technology. 
These products will "help everyday people track everyday things," according to the press blurb. This almost suggests that the company is planning to produce something along the lines of wireless tags or badges that can be located on a WLAN network. However, it's probably best not to try and second guess Steve Wozniak, who has consistently proved his flair for delivering left field computing breakthroughs. wOz has scored $6m in funding from Mobius, Draper Fisher Jurvetson and Palo Alto Investors. Galanos said that this will be enough money to enable the company to prove the technology works and produce prototypes. "It has the genetics of a proper start-up, not a bubble company," Galanos said. wOz will officially launch in the second quarter of this year. © Computerwire.com. All rights reserved.
Related stories
Steve Wozniak's smartphone venture
ComputerWire, 24 Jan 2002

NTT researchers predict 10Gbps wireless

NTT Corp, Japan's incumbent telco, claims to have raised the ceiling on wireless bandwidth, after achieving a peak data transfer rate of 2.5Gbps in laboratory trials. The previous highest wireless transfer rate was 1Gbps, but NTT's researchers believe they can ultimately take wireless communications up to 10Gbps. Given that wireless equipment manufacturers are struggling to build equipment that can realize 2.5Mbps, and fixed-wire equipment makers are struggling to sell switches that already support 10Gbps of sustained capacity, pushing wireless to these dizzy heights might seem a little superfluous. However, even if there is no immediate need for gigabit wireless links, NTT's researchers are at least exploring technology that uses spectrum that has so far not been utilized by anything else. In a world where radio spectrum is becoming increasingly congested, that alone might be a reason why NTT's efforts could well pay dividends in future. For instance, the 2.4GHz and 5GHz radio bands, spectrum previously used largely for background telemetry and monitoring tasks, are quickly being occupied by IEEE 802.11x WLANs and Bluetooth interconnect links. Further up the scale, wireless local loop technology is colonizing the 20GHz and 40GHz bands, the new Wireless 1394 home multimedia standard will operate at 60GHz, and automotive navigation and in-motion information systems are targeting the 76GHz band. Probably the only reason higher frequencies have not been exploited is that until now electronic gear hasn't been up to driving signals at frequencies that are starting to approach the optical spectrum. NTT's solution has been to harness new electronic and optical technologies to access the empty 120GHz radio band. Optical systems are used to generate the original signal, which is passed, using amplitude modulation, to a 300GHz photodiode; this creates an electrical signal that is fed to a direct slot antenna.
The key to the whole process is the 300GHz photodiode, which harnesses optical technology, in this case the Lithium Niobate substrate originally designed for light switching, to the business of generating an electrical signal. Inevitably, there is a great deal to do before NTT's 120GHz wireless technology becomes commercially viable. At the moment, for instance, the sustained 1.25Gbps signal generated in the laboratory has a range of just 50cm. But as spectrum becomes ever scarcer over the next several decades, the motivation to refine this technology will undoubtedly intensify. © Computerwire.com. All rights reserved.
ComputerWire, 24 Jan 2002

Baltimore sells content security business

Baltimore Technologies has secured a much needed cash lifeline with the sale of its content security business to UK software firm Clearswift Corporation for £20.5 million. The deal represents a tiny fraction of the £692 million Baltimore paid for Content Technologies at the height of the stock market boom in 2000. It will receive £12 million in cash, £2.5 million in loan notes and the remainder as shares in Clearswift. The sale is subject to Baltimore shareholder approval to be sought at an Extraordinary General Meeting in March. As Baltimore now admits, there was little link between its core public key infrastructure business (or, as it now prefers to call it, authentication and authorisation solutions) and content security. Recognising this, Baltimore's executives decided to dispose of the content security business when the company was forced to restructure last year. Dwindling cash reserves and disappointing sales of its core PKI technology have forced Baltimore to take a scythe to its business, after a string of disappointing financial results that have been accompanied by heavy job losses. Around 1,400 people worked for Baltimore at the start of the year but this will be cut to 470 by the second quarter of next year. Meanwhile Baltimore's share price has collapsed. Baltimore now believes it has enough working capital for at least the next 12 months. ®
External links
Baltimore's statement on the disposition
Related Stories
Baltimore struggles to sell unit
Founder sues Baltimore for dissing him
Baltimore board votes in pay cuts
Baltimore appoints new chief as revenues decline
Baltimore unveils lifeboat plan as 220 crew drowned
More jobs to go at Baltimore
Baltimore CEO quits
Baltimore slashes 250 jobs as losses grow
Baltimore denies it's in takeover talks with CA
Baltimore Technologies faces takeover action
John Leyden, 24 Jan 2002

Zetnet rescues Cloud Nine

Zetnet has confirmed that it has acquired the customer base of troubled ISP Cloud Nine. A statement on its Web site reads: "As of 24th January, customers of Cloud Nine Communications Ltd will be serviced by Zetnet following a successful agreement between the two companies regarding the transfer of customer contracts to Zetnet." Zetnet has moved quickly to publish support details on its Web site and insists that helping its new customers get back in operation is its main priority. Jon Earnshaw, sales & marketing director at Zetnet told The Register: "We've swung all our resources to looking after these customers." He admitted that the task ahead remained difficult but he was adamant that his company was "one hundred per cent focused" on the task ahead. While Zetnet faces the daunting task of moving around 2,500 customers to its service, the row over their treatment by Cloud Nine continues to rumble on. Forum postings on ISPReview reveal the extent of frustrations experienced by Cloud Nine customers. Many claim that they have been kept in the dark over the last week, inaction that has merely compounded the ISP's problems. Others are more sympathetic concerning the security attack that brought Cloud Nine to its knees. In a statement, Cloud Nine apologised for its "shortcomings" and also moved, once again, to quash rumours that the decision to shut the ISP was due to financial pressures. It said: "Cloud Nine would like to apologise to all our customers for the disruption to our services caused by the recent denial of service activity. This activity was of such magnitude and viciousness that we took the decision that we could not continue to operate our Internet services with the resources we had available. "We must deny any rumours that any of this is down to financial reasons. Cloud Nine was a solvent company, cash flow positive with cash in the bank," it said. 
®
Related News
Zetnet tipped for Cloud Nine rescue
Cloud Nine buy-out not yet confirmed
Cloud Nine blown away, blames hack attack
Tim Richardson, 24 Jan 2002

Myth of storage security savaged

Storage security will become an "imperative" this year as the adoption of Internet technologies undermines the comforting notion that storage networks are safe from hacker attacks. In an analysis of storage security, the Yankee Group concludes that security will become an essential aspect of deployment strategies as users expand disaster recovery planning or roll out storage networks that mix multiple network protocols. Yankee is seeking to dispel the impression that dedicated, Fibre Channel storage networks are "closed" networks, i.e. not subject to security breaches. As mixed IP-Fibre Channel storage networks or IP storage networks are deployed, security will be even more important, the research house argues. "Customers have used a combination of zoning and LUN masking to segregate how users and servers connect to SANs, but both methods still can offer holes to hackers by being difficult to configure and manage as the number of network nodes increases," Yankee analyst Jamie Gruener writes. "The emergence of IP-based storage networks will increase the need for specific storage security policies, due to increased complexity of managing these mixed networks." Vendors have announced products which protect the integrity of data through software management tools, at the storage array level, within the storage network switch, and in dedicated function storage security processors. Brocade, the largest storage networking vendor, has promised to deliver new security features through its Fabric OS management software. Emerging firms are also carving a niche. For example, FalconStor is offering key-based encryption as part of its virtualisation software and NetOctave, an IP chip vendor, has launched a security processor designed specifically for the storage market. Yankee adds a caveat to this by saying there isn't a standard way to solve the storage security problem and the market hasn't got beyond the delivery of point products.
Storage vendors need to take an active role in promoting storage security best practices and technologies - or risk a backlash, Yankee warns. Gruener said: "Without adequate strategies to help customers deal with the emerging storage security problem, vendors will likely be susceptible to customer scrutiny in the longer term as the level of complexity and exposure for breaches increases." ®
Related Stories
Brocade flips 2Gbps FC switch
Compaq top of the SAN tree
Sayanora to SAN Squabbles
Cisco enters storage market
Storage is dead dull, right?
John Leyden, 24 Jan 2002
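The zoning and LUN masking point in the storage story above is easier to see in code than in prose. What follows is an added example and not code from the Yankee Group, Brocade or any vendor named in the story: it models a switch zoning table and an array's LUN masks as the two independent controls they are, computes the LUNs each initiator can actually reach (it must be zoned with the target port and the mask must present the LUN to it), and diffs that against an intended inventory. The WWPNs, zone name, LUN numbers and inventory are constructed; the catch-all zone and the open mask on LUN 2 are assumed misconfigurations of the kind that accumulates as nodes are added, which is what the audit is meant to catch.

```go
package main

import (
	"fmt"
	"sort"
)

type (
	WWPN   string                                 // Fibre Channel port name; all values below are constructed
	Fabric struct{ Zones map[string][]WWPN }       // switch zoning table: zone name -> member ports
	Array  struct{ Masks map[WWPN]map[int][]WWPN } // LUN masking table: target port -> LUN -> initiators allowed
	Access struct {                                // one LUN behind one target port
		Target WWPN
		LUN    int
	}
)

// AnyInitiator in a mask presents the LUN to every initiator zoned to the port.
const AnyInitiator WWPN = "*"

func (x Access) String() string { return fmt.Sprintf("%s:lun%d", x.Target, x.LUN) }

// CanTalk is what the fabric enforces: ports see each other only via a shared zone.
func (f Fabric) CanTalk(a, b WWPN) bool {
	for _, members := range f.Zones {
		hasA, hasB := false, false
		for _, m := range members {
			hasA, hasB = hasA || m == a, hasB || m == b
		}
		if hasA && hasB {
			return true
		}
	}
	return false
}

// EffectiveAccess lists the LUNs an initiator actually reaches. Both controls
// must allow it: zoning to the target port AND a mask that names the initiator.
func EffectiveAccess(f Fabric, a Array, initiator WWPN) []Access {
	var out []Access
	for target, luns := range a.Masks {
		if !f.CanTalk(initiator, target) {
			continue // zoning alone blocks this port
		}
		for lun, allowed := range luns {
			for _, w := range allowed {
				if w == initiator || w == AnyInitiator {
					out = append(out, Access{target, lun})
					break
				}
			}
		}
	}
	sort.Slice(out, func(i, j int) bool { return out[i].String() < out[j].String() })
	return out
}

// Audit diffs effective access against the intended inventory and returns one
// finding per LUN a host reaches without being listed for it.
func Audit(f Fabric, a Array, intended map[WWPN][]Access) []string {
	hosts := make([]WWPN, 0, len(intended))
	for h := range intended {
		hosts = append(hosts, h)
	}
	sort.Slice(hosts, func(i, j int) bool { return hosts[i] < hosts[j] })
	var findings []string
	for _, host := range hosts {
		allowed := map[Access]bool{}
		for _, acc := range intended[host] {
			allowed[acc] = true
		}
		for _, acc := range EffectiveAccess(f, a, host) {
			if !allowed[acc] {
				findings = append(findings, fmt.Sprintf("%s reaches %s but is not in the inventory", host, acc))
			}
		}
	}
	return findings
}

// Constructed configuration: a catch-all zone that grew as nodes were added,
// and a backup LUN (2) whose mask was left open to any initiator.
var (
	webHost   WWPN = "10:00:00:00:c9:aa:aa:01"
	dbHost    WWPN = "10:00:00:00:c9:aa:aa:02"
	arrayPort WWPN = "50:06:01:60:00:00:00:01"
	sampleFabric   = Fabric{Zones: map[string][]WWPN{"zone_all": {webHost, dbHost, arrayPort}}}
	sampleArray    = Array{Masks: map[WWPN]map[int][]WWPN{arrayPort: {0: {webHost}, 1: {dbHost}, 2: {AnyInitiator}}}}
	sampleIntended = map[WWPN][]Access{webHost: {{arrayPort, 0}}, dbHost: {{arrayPort, 1}, {arrayPort, 2}}}
)

func main() {
	for _, f := range Audit(sampleFabric, sampleArray, sampleIntended) {
		fmt.Println("FINDING:", f)
	}
}
```

Run with `go run` and the audit reports the web host reaching LUN 2. The catch-all zone by itself is not the leak: the web host legitimately shares the target port with the database host for LUN 0, so masking is the only control separating the two, and a mask left open to any initiator hands LUN 2 to every host the port is zoned with. That is why the audit evaluates both tables together rather than reviewing each in isolation, and why it needs rerunning every time a node is added.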

Click here for great IT book offers

Vulture Central has teamed up with IT-minds.com, part of the mighty Pearson empire, to bring you some top deals on computer books. Eagle-eyed readers will already have spotted the link on our new 'Register Services' menu bar. As a Register reader, you are entitled to a 10 per cent discount on any book from Pearson Education's enormous catalogue. All you have to do is order from this link. And each fortnight we're offering a 20 per cent discount on a featured title. We're kicking off our Book of the Two Weeks with Scott Mueller's. This is the "de facto standard PC hardware tome used by more PC professionals and hobbyists than any other book of its kind". Usually it costs £43.23, but we can do you a deal for £34.58. Bargain. ®
Lester Haines, 24 Jan 2002

Buy DVDs and games abroad – and break the law

British consumers will be on the wrong side of the law for the first time if they buy overseas DVDs or computer games 'unauthorised' for the UK and play them on their PCs at home. This is the major implication of a ruling in the High Court yesterday over the sale in the UK of 'mod-chips' for the Sony Playstation. Channel Technology, the British supplier of Messiah Playstation mod-chips, was found liable under the Copyright, Designs and Patents Act 1988 for supplying a way around Sony's copyright protection mechanisms. Sony last month won an injunction to stop the company from selling or marketing PS mod-chips. While not disputing the facts, Channel Technology argued that the mod-chip "was not 'specifically' designed to circumvent the copy-protection mechanism of the PS2 console, but also dealt with defeating the region control aspect of the same protection, and thus allowed arguably legal functions such as the use of imported games". Judge Jacob disagreed. Although extremely sceptical of Sony's claims, he ruled, according to Channel Technology's paraphrased account, that: "Sony licensed games for the territory that they were issued, the licensing of these games did not allow for their use in other territories, therefore whether they were imported for private and domestic use by personal purchase for instance via the internet, or purchased abroad on holiday, they were not allowed by Sony to be played outside of the licensed territory, this argument should be upheld." In effect this makes it illegal to play computer games and DVDs purchased from abroad, Channel Technology argues - correctly in our view. However, there is tension between Jacob's ruling and explicit rights granted to UK consumers through the Sale of Goods Act (SGA) and the Unfair Contract Terms Act (UCTA). But until a consumer, or a group of consumers, challenges Jacob's ruling, the rights of copyright holders will take precedence.
In effect, the UK's Copyright, Designs and Patents Act 1988 gives copyright holders more power than America's highly controversial Digital Millennium Copyright Act (DMCA), because there are no exceptions, as Martin Keegan, of the UK-based Campaign for Digital Rights, points out. He expresses concern at yesterday's ruling. "Anti-circumvention law takes the balance in copyright law out of the hands of Parliament and the judges, and places it in the hands of technologists working for major media conglomerates. "The music industry is being hit hard by unauthorised copying. They're using technology to restrict that copying, and the law protects this technology. However, there are no legal safeguards against abuse of copy-control technology; the technology can be and is being used to prevent legally sanctioned use of material." ®
Related stories
Sony turns courts on PS mod-chip makers
Sony is killing Playstation mod-chips
Drew Cullen, 24 Jan 2002

BT sniffs at broadband in the sewer

BT has shrugged aside news that it faces competition from a new company laying fibre optic cables along London's sewers. Urband - a joint venture between Thames Water and 186k, the telecoms business of Lattice Group - has already laid cable in the sewers around London's Docklands area. This year it expects to wire up the City, London's West End, Victoria, Hammersmith and Westminster, to provide wholesale broadband using cable that is both rodent-proof and water resistant. Providing a wholesale service which - it says - will appeal to telcos, telehotels, and service providers, Urband claims it will provide a "true alternative to BT for 'last mile' connectivity". Urband chief exec Roger Wilson said: "London is one of the world's major business centres, but its communications infrastructure currently falls far short of providing the capacity that businesses really need. "Despite extensive digging since telecoms liberalisation began, BT's legacy network remains, for many businesses, the only option for true 'last mile' access in the capital." However, BT gave a lukewarm response to the idea of running fibre optic cable in the sewers. "We always welcome competition," said a spokesman. "But London already has broadband coming out of its ears and they are entering an already competitive market," he sniffed. ®
Tim Richardson, 24 Jan 2002

Hackers crash online regal Dutch chat

Updated An online chat with the heir to the Dutch throne was abandoned after hackers launched a denial of service attack. The interactive event was expected to attract a few thousand people at most, but received three billion hits as soon as Crown Prince Willem-Alexander and fiancee Maxima Zorreguieta went online. PC screens froze and, with little other choice left, the event was cancelled, today's Daily Telegraph reports. A political motive was initially suspected in early reports (including ours) of the attack. Maxima Zorreguieta's father was Jorge Zorreguieta, a minister in the Argentine junta of 1976-83, during whose rule an estimated 10,000 people "disappeared". It now seems the attack was aimed at embarrassing KPN, the Dutch carrier. Dutch newspaper De Telegraaf has reported that the attack was claimed by the "Down Under Crew" (DUC), a hacking group based in the Netherlands. One of DUC's members told the newspaper that there was no political agenda, but rather that the attack was directed at KPN and was meant to "teach it a lesson". Before the chat, KPN (which is resented for recently raising the price of ADSL in the Netherlands by 25 per cent) claimed that everything would go well and there would be enough bandwidth available to service all interested parties. This raised hackles among the hacking community. A DUC member claimed they used 3,000 computers in the DDoS attack, out of a total of 10,000 hacked machines available to them, De Telegraaf reports. Another theory (backed up by the idea that three billion requests would seem a questionably high figure) is that KPN's systems failed and it is blaming hackers as an excuse. The marriage takes place on February 2. ®
John Leyden, 24 Jan 2002

Digital certificates for UK pathology results

The electronic transmission of patients' pathology results from labs to doctors' surgeries in the UK is to be protected using digital certificates from ViaCode, Royal Mail's encryption business. ViaCode digital certificates will protect the integrity, accuracy and confidentiality of patient information on the NHS Information Authority's (NHSIA's) national pathology messaging service. The system has been in trial for some weeks and is being made available to doctors' surgeries. Patrick O'Neill, a spokesman for Royal Mail, told us pathology results from blood tests and the like have until now been sent through the post, but the new system offers a far speedier alternative. "Some doctors have rightly been cautious about Internet technology but we believe the service is complementary to what they want to do. As they see how it works, and understand that messages are kept secure, we believe GPs will become more comfortable with the technology," he said. Message integrity, along with confidentiality, was a key concern in setting up the system. Linda Ellis, a spokeswoman for NHSIA, said: "You can imagine the horrific consequences of treating a patient on the basis of a blood sugar result that has gained or lost a zero in transmission when two could be too low and 20 too high." ViaCode encryption, which uses 128-bit cryptography and certificates issued only after rigorous identity checks, meets the strict security protocols required by the British Medical Association. Technology vendor Entrust selected ViaCode to supply a managed certificate authority service working in conjunction with the NHS EDIFACT messaging service, along with 210 pathology laboratories and 9,000 health practices. Using ViaCode, the NHSIA has saved on the initial certificate technology start-up costs and outsourced messaging security to a trusted provider, avoiding the need to dedicate its own sys admins to the project.
®
Related Stories
Royal E-Mail backs security service with £100K bond
NHS email system up the spout
Doctors forced to use Hotmail for confidential medical records
Health sector ISP attacked by hospital staff
Novell flies high with Lufthansa
John Leyden, 24 Jan 2002
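Linda Ellis's "gained or lost a zero" example in the pathology story above is exactly what a signature over the message exists to catch, and it is worth seeing the check fail on a one-digit change. The following is an added example, not ViaCode's, Entrust's or the NHSIA's code: it generates an ECDSA P-256 key and a self-signed certificate as a stand-in for a ViaCode-issued certificate, signs a constructed pathology result (the layout and identifiers are made up and are not a real NHS EDIFACT message), verifies it against the public key carried in the certificate, then edits the result from 2.0 to 20.0 and verifies the altered copy against the same signature. It covers integrity only; the 128-bit encryption the story mentions for confidentiality is a separate layer not shown here.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// Constructed sample result; layout and identifiers are made up, not a real NHS EDIFACT message.
const sampleResult = "LAB:EXAMPLE-PATH-LAB\nPATIENT:EXAMPLE-ID\nTEST:BLOOD-GLUCOSE\nRESULT:2.0 mmol/L\n"

// Signer holds a lab's private key and the certificate carrying its public key.
// The certificate is self-signed here as a stand-in for one issued by a managed CA.
type Signer struct {
	key  *ecdsa.PrivateKey
	Cert *x509.Certificate
}

// NewSigner generates a P-256 key and a short-lived self-signed certificate.
func NewSigner(commonName string) (*Signer, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: commonName},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &Signer{key: key, Cert: cert}, nil
}

// Sign returns an ASN.1 DER ECDSA signature over SHA-256(message).
func (s *Signer) Sign(message []byte) ([]byte, error) {
	digest := sha256.Sum256(message)
	return ecdsa.SignASN1(rand.Reader, s.key, digest[:])
}

// Verify checks sig against the key in cert, after checking that the certificate
// is inside its validity period and permits digital signatures.
func Verify(cert *x509.Certificate, message, sig []byte) error {
	if now := time.Now(); now.Before(cert.NotBefore) || now.After(cert.NotAfter) {
		return errors.New("certificate is outside its validity period")
	}
	if cert.KeyUsage&x509.KeyUsageDigitalSignature == 0 {
		return errors.New("certificate does not permit digital signatures")
	}
	pub, ok := cert.PublicKey.(*ecdsa.PublicKey)
	if !ok {
		return errors.New("certificate does not carry an ECDSA public key")
	}
	digest := sha256.Sum256(message)
	if !ecdsa.VerifyASN1(pub, digest[:], sig) {
		return errors.New("signature does not match message")
	}
	return nil
}

// TamperCheck signs sampleResult and verifies it, then changes one digit in the
// result (2.0 -> 20.0) and verifies the altered copy against the same signature.
func TamperCheck(s *Signer) (originalOK, tamperedOK bool, err error) {
	sig, err := s.Sign([]byte(sampleResult))
	if err != nil {
		return false, false, err
	}
	originalOK = Verify(s.Cert, []byte(sampleResult), sig) == nil
	tampered := strings.Replace(sampleResult, "RESULT:2.0", "RESULT:20.0", 1)
	tamperedOK = Verify(s.Cert, []byte(tampered), sig) == nil
	return originalOK, tamperedOK, nil
}

func main() {
	s, err := NewSigner("Example Pathology Lab")
	if err != nil {
		panic(err)
	}
	ok, bad, _ := TamperCheck(s)
	fmt.Printf("original verifies: %v, tampered copy verifies: %v\n", ok, bad)
}
```

In deployment the receiving surgery's software would also check the certificate chain back to the CA and its revocation status before trusting the public key; here the certificate is self-signed, so the example checks only the validity period and key usage, which is the minimum a verifier should insist on before acting on a result.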

The Linux-AMD AGP bug – who's to blame?

After arranging a tete a tete between two representatives of the Linux kernel team and AMD, Gentoo founder Daniel Robbins has drawn some initial conclusions on the bug affecting Linux users on AMD Athlon AGP systems. Daniel concludes that neither side is guilty; that it isn't an AMD bug, more a feature; but he also recommends that kernel hackers find a new solution to this particular situation. It appears that the GART (Graphics Address Remapping Table), which feeds the AGP card with system memory, isn't cache coherent, although both Linux (and apparently Windows 2000) expect it to be. That's a drastic oversimplification of Daniel's postings on the Gentoo front page this morning and his explanation on the kernel mailing list. The GART lays out memory for the AGP card in a contiguous block, but the real memory that's being addressed, of course, lies all over the place, having been paged out in 4k blocks from main system memory. Intel added 4MB pages, and the temporary workaround for both Linux and Windows 2000 is to disable the 4MB page option. AMD concludes: "Our conclusion is that the operating system is creating coherency problems within the system by creating cacheable translation to AGP GART-mapped physical memory... When the cache-line eviction occurs the stale data written to physical memory has fatal side effects." With our limited knowledge of PC hardware architecture - and we trust Register readers can explain this one for us - we can't quite see how that relates to the 4k/4MB page size option. Why can't a simple flush clear the cache, we wonder? Let us know. Nevertheless disabling 4MB pages appears to do the trick, all agree. There's a bird's eye view of where the GART fits in to the scheme of things at Anandtech here. ®
Related Story
AMD chip bug snares Linux users
Andrew Orlowski, 24 Jan 2002

Too many Updates already, users tell The Beast

Research commissioned internally by Microsoft amongst its corporate users has highlighted an unexpected gripe, sources tell The Register. The number one Windows bugbear is that there are too many updates. Not just to the OS (annual revisions of Windows mean that a newer version is ready by the time a large organisation completes the rollout of the current product): the private research reveals that the Update mechanism is out of control, with corporate users unable to prevent individual staff downloading the latest Media Player, for example, unless they block access at the corporate firewall. However Microsoft is taking steps to tweak the Update function. Individual corporate users won't be able to update their workstations from Microsoft servers. By default, Windows Update will look for a copy on a domain controller of the sys admin's choice. The Beast is also expected to announce, to great fanfare, that it's consolidating updates into major releases, with longer intervals between issues, say sources. The revised Update mechanism is also an attempt to address the avalanche of minor security patches which administrators are obliged to install, given Microsoft's problems. "The patch treadmill doesn't work," Bruce Schneier concluded in July. This research caused some consternation, we hear, because product managers had worked under the assumption that Looking Busy showed they took security seriously. Given the level of corporate dissatisfaction in the big Windows shops, Windows Update is due to get an overhaul before Longhorn - the next major revision of Windows XP. What we don't know - and it's unlikely a decision has even been made at Redmond - is whether Microsoft will use Windows updates as a carrot to induce home users to sign up for its subscription licenses. Right now, the Windows Update revision will only apply to business users, many of whom are already covered by subscription-style licenses.
®
Related Stories
MS Windows Update suffers multi-day outage
Windows Update glitches wider, deeper?
Security patch approach is failing
Andrew Orlowski, 24 Jan 2002