18th > March > 2002 Archive

Sorenson advances on video codec market

While Sorenson Media Inc may not be the best-known video software company out there, pretty soon its codecs are likely to be playable on more desktops than those from Microsoft Corp and RealNetworks Inc. When Macromedia Inc started shipping Flash Player 6 on Friday, it came with 70k of decompression code, custom-built by Sorenson for the company. Developers will be able to use Flash MX, also released Friday, to build streaming video directly into their Flash interfaces. "We have actually hit paydirt with this deal," said Sorenson VP of sales and marketing Ed McGarr. "Pretty much the de facto standard video format is going to be Flash, and we're the video codec behind Flash." Macromedia claims to have a 98% penetration of worldwide desktops for Flash, some 434 million potential users. This number is quite a lot larger than the 250 million worldwide desktops that have a RealNetworks media player installed. For Sorenson, the instant audience is hoped to translate into sales of its development tools. Flash MX comes with basic video creation software, but encourages upgrading, for $299, to Sorenson's professional edition toolkit. McGarr said that if only half of Flash's 1.2 million developers pay up for Sorenson's Squeeze, which contains extra video manipulation features including two-pass variable bit rate encoding and some high-end filters, he'll be quite happy. Looking forward, Macromedia's expansion into post-PC devices could make Sorenson's codec even more widely used. Macromedia has spent the last year or so striking bundling deals for its player with set-top and handheld device manufacturers. Last week, the company announced a deal to have Flash Player 5 bundled with all forthcoming Nokia Corp 9200-series PDA/phones, where, admittedly, RealNetworks's software will have a stronger presence, and hinted that the relationship could be expanded in future. © ComputerWire.com. All rights reserved.
ComputerWire, 18 Mar 2002

Microsoft secures Passport while lobbying interest groups

Microsoft will take its first steps towards delivering a federated version of Passport this year, releasing tools enabling developers to build Kerberos protocols into the online security system ahead of a full product release in 2003, Gavin Clarke writes. The company told ComputerWire it planned a series of Software Development Kits (SDKs) to implement the network authentication protocol into Passport later this year. A full version of Passport, built on Kerberos, is expected next year. "The road to Kerberos in Passport is being fleshed out. It will be next year before we see a fully Kerberos-capable model," said Microsoft's recently appointed .NET policy and regulatory affairs manager, John Noakes. He was unable to say when the SDKs will become available. The executive spoke as he embarked on a campaign to lobby powerful consumer and business groups over Microsoft's track record on software security and data protection. Noakes has met the Confederation of British Industry (CBI) and will soon meet the Consumers' Association, the UK's best-known consumer lobby group. Microsoft revealed its lobbying strategy in January. The company is anxious to redress its poor reputation over security and data protection. Microsoft wants to ensure Windows, Internet Explorer and Passport overcome this, and are considered in major government initiatives and business projects. Noakes said early discussions had indicated a lack of knowledge about software like Passport, and some criticisms were poorly informed. "I have to start at the beginning to explain what Passport is and what it does. When people are in full possession of the full facts there isn't as much negative sentiment," he said. The CBI is vital in helping Microsoft. The organization relies on members to formulate responses to European Union and UK government regulations. Microsoft, a CBI member, hopes it can clean its track record and then position itself as a participant in CBI activities relevant to software and security.
A CBI spokesperson indicated Microsoft's approach could prove successful. "It was a two-way, beneficial meeting on how the CBI can get Microsoft involved as a member on various security issues coming up," she said. The spokesperson was unable to say what security issues would be tackled in future. Noakes will receive a rough reception at the Consumers' Association, though, where concerns center on potential for misuse of personal data in Passport. Alan Stevens, the Consumers' Association's head of digital services, said Microsoft may have to agree to financially compensate consumers whose personal information is abused or hacked. "I'd like to know what they use the data for and what the security systems are wrapped around it. There's no absolute security. There's always the fear and concern that someone with the appropriate skills can hack it," Stevens said. The Consumers' Association is also hostile to what it believes are abuses by Microsoft of its desktop monopoly. Stevens said Microsoft must work closely with consumers on product development and delivery cycles, reducing bugs in its software. He claimed Microsoft has exploited its market strength to force upgrades on consumers. "The main problem is the way Microsoft rushes products to the market to get more money in the till," he said. © ComputerWire.com. All rights reserved.
ComputerWire, 18 Mar 2002

Reg hack ‘helps’ CNN with bare knuckle boxing probe

Ok, the game's up - I've been rumbled. For the last five months the staff at Vulture Central have been wondering why on earth a man whose duties consist almost entirely of supervising Indonesian children at the Cash'n'Carrion Reg merchandising warehouse would occasionally lapse into a fit of uncontrollable chuckling. Now I must come clean. Last November, myself and former Reg hack Kieren McCarthy launched The Rockall Times - a weekly satirical spin on the world's news based entirely on Rockall, the world's liveliest volcanic outcrop. Of course, I was foolish to believe that this extra-mural activity would go unnoticed. But perhaps if I hadn't forwarded an email we received from someone at turner.com, owners of CNN, to Reg editor Drew Cullen, I might have got away with it. Sadly not. I have, however, escaped disciplinary action and have further been instructed to share this particularly entertaining correspondence with Reg readers. The background is this: We recently ran a piece entitled Doc KO's women's bare-knuckle challenge. Entertaining stuff, and all very tongue-in-cheek. Nobody, surely, could take such errant nonsense seriously? Well, CNN could:

Hi there. I am a researcher on CNN's current affairs programme 'Inside Europe'. We are currently putting together a piece on bare knuckle boxing and I was hoping you could give me some leads. I read your article 'Doc KO's women's bare-knuckle challenge' I was hoping that you would give me the telephone nos. of Sharon Pikey and Lisa Greyhound. Or maybe you could pass my number onto them and get them to contact me? I was also wondering, do you know where and when bare-knuckle fights take place in Oxford? Someone told me that a Christian group organise such events, have you heard anything to that effect? Or can you get me in touch with people who would have such information? I know it's asking a lot, but I would really appreciate your help on this!

I make no comment.
Now, if you'll excuse me, I note that the seven-year-olds who sew the labels into the Reg polo shirts are talking among themselves again.... ®
Lester Haines, 18 Mar 2002

All of McAfee, why don't you take…

Network Associates wants to buy the 25 per cent of McAfee.com it doesn't already own, in a stock deal worth approx. $208.2 million. This values McAfee.com at $18.64 per share, or about 20 per cent more than their closing price of $15.54. The aim of the acquisition is to remove confusion over Network Associates' business units and to streamline Network Associates' operations, according to NAI chief executive George Samenuk. In January McAfee.com reported Q4 revenues of $18.6 million, up $6.5 million from the same period the year before. Net income for the fourth quarter of 2001 was $904,000. McAfee's revenue for the full year, during which it made a loss of $854,000 as it expanded its business, was $62.0 million. A quarter of a million people signed up to McAfee.com over the quarter, giving it a paid subscriber base of 1,345,000 people, the firm said. Network Associates is focusing on anti-virus, help desk and networking monitoring tools after abandoning its ambitions to offer a complete security and systems management suite. The downturn in the tech economy forced NAI to restructure its operations and focus on the most profitable parts of its business, spurring it to seek buyers for its PGP desktop encryption and Gauntlet firewall product lines. NAI sold Gauntlet to Secure Computing in February but it has found it much harder to find a buyer for its well-regarded PGP desktop encryption suite. Earlier this month, Network Associates wrote to customers informing them that it was ceasing development on PGP Desktop. While promising to honour existing support contracts, it said no bugfixes or updates would be issued. ®
John Leyden, 18 Mar 2002

Cyber cops & security orgs: DIRTy, stupid and out of control

The DIRT files
A number of what one would hope to call professional computer security and cyber law-enforcement figures in England, Australia, South America and Asia appear to have been duped by DIRT Trojan marketer Francis Edward "Frank" Jones, according to documents obtained by The Register. A second load of Codex Data Systems correspondence has been released, including contract paperwork in various stages of maturity. We don't know how much has been finally signed, sealed and delivered; but we can infer that the people named below have at least contemplated co-marketing deals with the hustler Jones. Many of them are in high-profile positions of responsibility and trust in the areas of computer security and law enforcement. It makes one wonder if anyone in these fields can ever be trusted. For background on the insidious Trojan Jones is misrepresenting as a crime-fighting tool, and Jones' criminal background, see our previous coverage here and here. First up we have a proposal for marketing DIRT to government spooks, industrial spies and private security firms in the United Kingdom with Dr Kevin A. O'Brien, a Senior Policy Analyst with RAND Europe, and Information Assurance Advisory Council (IAAC) Chief Operating Officer. According to a document dated 24 September 1998, O'Brien was "contemplating being involved in some or all aspects of [Codex's] creation, development, production or sale of intellectual property," in his capacity then as a representative of the Hussar International Research Group, "a virtual organization of professional research analysts based throughout the world. The prime research interests of the Hussar Group are issues of contemporary international security, in all of its aspects." The group, which now appears to have been disbanded or absorbed by a larger entity (in part by RAND, obviously), belonged to the Matrix GDSN (Global Decision Support Network).
The Matrix describes itself as "an international network of specialist organizations providing business intelligence, knowledge management, risk assessment and technology evaluation services to future-oriented organizations throughout the world. "Our global resources include intelligence professionals, analysts, and systems designers with collective capability that rivals many intelligence agencies." As for IAAC, it describes itself as "a private sector led and government supported forum that brings together corporate leaders public policy makers law enforcement and the research community to address the challenges of information infrastructure protection. IAAC is developing policy recommendations for government and corporate leaders at the highest levels." Dr. O'Brien may be found at: RAND Europe (Cambridge) 36 Regent Street Cambridge CB2 1PG United Kingdom tel: +44(0)1223-353329 obrien@rand.org Information Assurance Advisory Council 36 Regent Street Cambridge CB2 1DB United Kingdom tel: +44 (0)1223 307711 In Australia we have World Systems Resource (WSR), a discount (used) enterprise computing vendor supplying equipment from HP, SUN, Cisco, Compaq, IBM and EMC. A February, 2000 document indicates that the company was seeking a non-exclusive deal as a DIRT reseller in the Australian cyber-cop/securocrat market. World Systems Resource is located at: Unit 8, 92a Mona Vale Road, Mona Vale, New South Wales 2103 Australia tel: (02) 9979 1455 Covering all of South America in one stroke, we have Mr Ramon Ignacio Izaguirre, who appears to have entertained a 17 March, 2002 agreement to distribute the DIRT Trojan to cops and securocrats throughout the land. Jones praises Izaguirre for his "expertise in marketing to the government, law enforcement and military sector in Argentina and South America," and offers him exclusive rights to market it throughout the region. Izaguirre also appears to operate a company called Segurama, which is involved in security. 
He may be found at: 1624 Bdo. Irigoyen Street, Buenos Aires 1138, Argentina tel: 54-11 4300-7539 And last, but not least, we have Mr Unho "Tiger" Choi in South Korea, who appears to have entertained a 24 February 2001 deal to get the DIRT circulating among eager government spooks and ambitious industrial spies in his home country. He's also a trusted member of the local CERT. Choi is affiliated with the Korean CERT-CC Computer Emergency Response Team Coordination Center, which, just as in the US and elsewhere, is an arm of the government. More properly, CERT-CC/Korea is run by the Korea Information Security Agency (KISA), which in turn is run by the Ministry of Information and Communication. Our "Tiger" is also affiliated with KISA. And he seems to have his own consulting business on the side as well. He skips about quite a lot, but should be available for comment at one of these locations: Unho "Tiger" Choi Network and Security Consulting, Inc. 1329-4 Woonam Building, 15th Floor Seocho-dong, Seocho-gu Seoul, South Korea cell: 82-17-263-3433 Korea Information Security Agency (KISA); Information Security Technology Division 78, Karak dong, Songpa-Gu, Seoul 138-160, Korea tel: 82-2-4055-114 CERTCC-KR Senior Members of Technical Staff, CERTCC-KR 5F, Seocho-Donga Tower Bldg, 1321-6 Seocho Dong, Seocho-gu, Seoul,Korea,137-070 tiger@certcc.or.kr tel: 82-2-3488-4122 cell: 017-263-3433 And lest we forget, our friend Jones may be found at: Codex Data Systems, Inc. 143 Main Street Nanuet, New York 10954 and/or 167 Route 304 Bardonia, New York 10954 tel: 845-627-0011 tel: 914-627-0011
Thomas C Greene, 18 Mar 2002

EU closes AOL UK VAT loophole (but not yet)

AOL will have to start charging UK customers VAT - from July 1, 2003, bringing it into line with British ISP rivals. The change follows a policy review conducted by HM Customs & Excise, the British government arm responsible for VAT ruling and collection. Currently, AOL UK is treated as a content provider domiciled outside the European Union, and therefore not subject to VAT, unlike UK competitors, which are treated as telecoms providers (and therefore subject to VAT). This ruling is estimated by Freeserve, the UK's biggest ISP, to save AOL £30m a year, and gives its rival a huge unfair competitive advantage. In a Business Brief, published on March 14, HM Customs largely appears to endorse this viewpoint. But the authority argues that "differences in the current VAT treatment of such packages are a direct function of existing EC provisions, which fail specifically to cover packages of Internet service and content. "A lasting, fair and clear approach, whereby all Internet service packages supplied by UK and non-EC ISPs are taxed in a similar way can only, in Customs' view, be successfully achieved through material changes to the relevant EC VAT rules." Such a change is underway with changes on treatment of VAT contained in the EU's new e-commerce directive, HM Customs says. This will see the determination of VAT charging on certain services - "including digitalised products, and so content provision" - move from reference to the location of the supplier to reference to the location of the consumer. The upshot is that the ecommerce directive, a very controversial ruling - especially with the US government and US-domiciled online retailers, catches AOL UK on the content provision front. So what now? There will be a level playing field for all ISPs operating in the UK, but only from July 1, 2003. Will this note be enough to fend off legal action from Freeserve, which has applied for a judicial review of HM Customs' treatment of AOL? 
Considering that AOL will stand to profit to the tune of £40m until the ecommerce directive comes into force, we suspect that Freeserve will continue to argue its case in court that HM Customs is wrong. ®
Drew Cullen, 18 Mar 2002

Motorola v70: good looking, but not compelling

Review
The Motorola v70 is a startling new phone with a brushed titanium look finish, aimed at the fashion conscious user. The most striking thing about it is its unique rotating mechanism. The sliding front panel revolves through 360 degrees to reveal a flattened keypad. At 93x45x16mm, it's super sleek, and feels good to hold. It’s impressively light at under 80g, which is something of an engineering feat in metal. No price has been set but when this phone hits the shops later in the year we expect it to be as expensive as it looks. The rotating front panel works well because when it's opened out, it’s the right length to reach from your ear to your mouth, yet the display is still visible when the phone is closed. In October 1993 What Mobile interviewed Frank Nuovo, Nokia’s head of industrial design, and he talked about phones becoming jewellery. As we were reviewing phones that weighed half a kilo and were resplendent in cheap grey plastic, this seemed a bit of a joke. Now that the v70 is here and Nokia has announced it’s to develop a line of mobile phones crossed with jewellery, it doesn’t seem so starry-eyed. Swivelling the front panel slider answers an incoming call. It's just about possible to do it one-handed, but rather tricky and uncomfortable. The buttons are well spaced, but small, and not ideal for large hands. The v70 looks even cooler when open as the keypad has a bright blue backlight. The screen is a reversed LCD, giving white text on a black background. It’s dramatic but hard to read. There are just two lines of text plus labels for the soft keys and icons to show battery and signal. Talktime is quoted at three hours and standby at 120 hours which is impressive for such a light phone. The software is much like the v66, two soft keys and a central menu button. The v70 is a GPRS WAP phone. Like its v60 and v66 siblings it doesn’t have an infra-red port but does have a USB cable option.
Omitting infra-red, particularly on GPRS phones, always seems strange as it is pretty cheap to add. More baffling is the decision to make the v70 dual-band, rather than triple-band, which will limit the appeal of the phone to globetrotting users. An aspect of the user interface that works well is a selection of beeps that tell you when you have done something, a bit like the Dolmansaxlil training computer in the Hitchhiker's Guide to the Galaxy. Cute peeps don’t hide the horrors of the iTAP predictive text that Motorola uses. In general this is not a phone you want to use for text messaging. The screen and buttons are too small and it’s not easy to work out how to do things like capitalize text. There is no user dictionary for iTAP. You can re-order items in the main menu but not move things from submenus to the main menu. So while it is possible to move ‘messages’ to be the first thing you see when you press the menu key, this still takes you to a menu where ‘call voicemail’ is first and you then have to scroll to ‘write message’. In an ideal world you would be able to make ‘write message’ the first thing on the first menu—or for choice, you’d forget about the menu system and have a dedicated text messaging button that brought up an empty screen to type into. The ring tone composer is quite good. There is full control of the notes over three octaves with rests and speed, but tones can’t be downloaded or assigned to individuals. There is no support for many features that are already becoming commonplace—enhanced messaging, polyphonic ring tones and a colour screen. As a rule Motorola has been better at good-looking design and reliable performance (not always in the same phone) than in compelling applications. This continues to be true of the v70. Technologically it points the way but what it lacks is the kind of feature that makes a user addicted to the phone. © What Mobile. All rights reserved.
Simon Rockman, 18 Mar 2002

Nvidia intros DDR333 support for nForce

CeBIT
Nvidia is to introduce support for DDR333 fast memory with the 615-D and the 620-D, the latest members of the nForce chipset family. Both products will launch "within 60 days", according to Drew Henry, general manager of Nvidia's platform processors division. Speaking at CeBIT, Henry pointed to nForce's 128-bit DDR memory architecture, and its tight integration with the graphic system. This differentiates nForce from most system architectures, "which generally don't improve much with (better) memory performance," he said. The nForce platform is designed for the AMD Athlon family of CPUs, and incorporates AMD's HyperTransport fast I/O standard in its products. Samsung, described by Nvidia as its "memory partner", is running a tech demo of a machine featuring an nForce chipset using DDR400-supporting DIMMs on one of its many booths at CeBIT. This delivers 20 per cent more performance than the DDR333 version, according to Henry. nForce products incorporating DDR400 support will launch "maybe the second half of this year, maybe next year," he said. ®
Drew Cullen, 18 Mar 2002

Nvidia hit with securities fraud suit

Nvidia has been slapped with a class action suit alleging securities fraud. Leading the charge is legal rottweiler Cohen, Milstein, Hausfeld & Toll, a class action specialist based in Washington DC. The law firm alleges that Nvidia officers misled shareholders between Feb 15, 2000 and Feb 14, 2002, and it is seeking people who bought Nvidia stock during this period to join a class action suit. The deadline is April 22, 2002. "In order to overstate revenues in its financial statements, NVIDIA violated Generally Accepted Accounting Principles and SEC rules by engaging in an improper scheme. As a result of defendants' misleading statements and accounting improprieties during the Class Period, the price of NVIDIA common stock traded at artificially inflated prices," it says in a statement. The suit was filed on March 14 in the United States District Court for the Northern District of California. Nvidia and "certain of its officers and directors" are accused of violations of the Securities Exchange Act of 1934.
Drew Cullen, 18 Mar 2002

Website downtime cost UK plc £565m last year

Web site downtime cost UK businesses more than £565 million in 2001 and is set to cost even more this year. A study by analysts Yankee Group, commissioned by hosting firm Worldport, estimates the direct cost of Web site downtime will reach £715 million this year, 26 per cent up on last year. Factor in other indirect costs, such as loss of reputation, lost future sales and the cost of storing unsold goods, and the overall bill is likely to run into - ooh - billions, Yankee reckons. The major causes of Web site downtime are both technical - such as power outages, network failure, application problems and lax security - and human - such as inadequate staffing and monitoring or a lack of recovery planning, according to Yankee. These causes are magnified in-house, according to the report, which recommends that firms consider external hosting in order to build more robust Web infrastructures. ®
John Leyden, 18 Mar 2002

Super DIRT Trojan to infect indiscriminately

The DIRT files
Our friend Frank Jones of Codex Data Systems has been busy with a number of projects associated with his loathsome DIRT Trojan, most notably one which seeks to distribute the infection indiscriminately. Cryptome's John Young has posted an HTML version of Jones' PowerPoint slide show, and from this we gather that Jones either has, or is struggling to develop, a super-malicious strain of his little viral toy. The latest incarnation is called HOPE, for "Harnessing the Omnipotent Power of the Electron." It sounds positively Biblical, but it's a mere h4x0r kiddie project which involves setting up a malicious Web site to infect all visitors indiscriminately, and to exploit the infection as victims spread it to their e-mail and IM contacts. Everyone infected will of course yield remote access to their computers via the DIRT Trojan. Jones recommends its use in combating terrorists, pedos and drug traffickers, and for employee monitoring. It's also perfectly suited to industrial espionage. Just set up a Web site which will interest your competitors, and infect them with the DIRT Trojan. How cool is that? It could also be effective for mass government surveillance in less enlightened countries. One thing it would be absolutely useless for, of course, is legitimate law enforcement. But that doesn't concern our Jones. He's happily bottom-feeding off LEAs and securocrats in countries where civil rights are weak, and off corrupt and/or stupid LEAs and securocrats here in the civilized world. ®
Thomas C Greene, 18 Mar 2002

Microsoft's Mira – take smart display, maim, serve

It sounds like a great idea - a dinky little LCD display unit you can just pick up and wander around the house with, while at the same time having access to all your stuff on the PC. But the trouble is that the more you look at Microsoft's Mira, the more the device's nagging contradictions and limitations jump up and bite you. The Register missed both Bullhorn Ballmer and Mira at CeBIT, but this afternoon was lucky enough to pick up the Mira roadshow on its own as it swung through London on the return leg. There are essentially two answers to the Mira 'what is it' question; probably the original, and sensible, answer is that as flat panel displays become more common, wouldn't it be nice to be able to just pick the screen up and use it to work in another room? Yes it would, and the add-on cost of the electronics to do this won't make a vast impact on the price of an LCD unit, so you might as well do it. The second, far less satisfactory answer however stems straight from the execution of the first - this here 'screen' you can carry around with you is in essence a Windows CE device which could, if you wanted, participate on a network in its own right, run Terminal Server sessions from your PC, communicate with other similar devices on the network... Except you can't. 'Good grief,' thinks the Microsoft licensing department when it sees the spec. 'This is a thin client, a Network Computer, we must put a stop to this.' 'Good grief,' thinks the OEM sales department. 'This will cannibalise our PC sales. We must put a stop to it.' So it isn't, and it doesn't. For now, anyway. You do indeed probably have an ARM in there, it is indeed going to be running CE, and it is indeed the case (as it says in the handout) that Windows CE.NET is the "foundation for Mira-enabled display devices, with support for 802.11 wireless networking, instant on, accelerated graphics, multiple CPU support, and the Remote Desktop Protocol client." But it's maimed. 
As shipped (during the second half of this year) Miras will simply provide a wireless screen for the PC you're logged into (you can set up separate logons), you can't use them as independent devices, you can't use Mira software to use other CE devices to run your PC in Mira mode, and you can't have multiple Miras logging onto one PC at the same time. As all of us round these parts know, there are no technical reasons why this could not be done, just licensing ones. The Microsoft reps today talked unconvincingly of lack of demand in the home at the moment, then spoiled it by admitting that a multi-user capability is being mooted for Mira 2, scheduled for late 2003. They also, equally unconvincingly, described Mira as being specifically for the home, while the Tablet PC is the device that's appropriate for business. OK, scenario one, home. Say you can get this dinky little device that's light, fashionable, and you can use an 802.11 connection to surf the web, check your mail, do a little light work (either pecking at the on-screen keyboard or using an extension one)... For the little ones, the price tag will be around $500, so are you interested or not? Does it make sense to buy a couple of these for a home multi-user system, rather than everybody having to have a PC? And of course if you could just wander into a public 802.11 zone and use it to surf, that'd make it even more attractive, wouldn't it? On the other hand, does it make sense to spend $500 for a secondary display you can use while lounging in bed, or $800 for a primary display that you can unplug from the desktop machine and do likewise with? Note that for licensing reasons (not Microsoft's, this time) you can't watch DVDs while in remote wireless mode, so you can forget that obvious application when weighing up the pros and cons. Scenario two, business. At $500, even in its current form it makes a kind of sense for people to have one, especially as they're each going to have their own work PC anyway. 
You walk around the office and you've always got your PC available, and you can use the same device for your home PC - a no-brainer, even without access to public 802.11 networks. But in business you're not supposed to think dinky little device, $500, no-brainer; you're supposed to think Tablet PC, $2,000 high-spec next generation portable equivalent. And you're supposed to think Terminal Server licensing when it comes to thin clients. So is it hackable? Almost certainly, and considering how attractive the smaller units are (Philips does a groovy one, while the LG unit, although small, has a strangely brick-like heft to it), the idea of turning it into a proper CE machine or shoving Linux on it is more than a little compelling. And even has potential for triggering the long overdue overthrow of the PC-centric world. Does Mira work as is? Well, yes and no. The little ones are clearly very neat. But they're eight or ten inch, so they're really secondary monitors, not devices that can also do service as primary displays. You can pick up the bigger ones Microsoft is currently showing and walk around with them, but really you're not going to want to. Even if you thought in terms of an ultra-thin, ultra-light (which these are not) 15in display, it's still going to be too large a piece of real estate for you to carry it around casually, and anything smaller than that just won't do duty as a standard desktop display. So really, Microsoft needs the hackers to save it from itself by turning this into a proper product. ®
John Lettice, 18 Mar 2002

Vegas commission probes vice hacks

The only hint that Larry Duke Reubel is 63 years old is his slow step as he ambles to the witness chair and takes a seat behind the microphone. Once seated he looks fifteen years younger. He's dapper in a sports coat and a black shirt buttoned to the top; the overhead fluorescent lights glint off his gold watch, which matches his earring and peroxide hair. In the hearing room in this anonymous Las Vegas office building there's a trace of weariness etched into Reubel's sunburned face, as he recounts his story of a high-flying life in the adult entertainment industry -- driven slowly and inexorably into the ground by hackers. Watching from across the room is Eddie Munoz, 43, the plaintiff in the case, who summoned Reubel from Ogden, Utah to testify here. Piled against the wall nearest Munoz is a mountain of plastic document bins stuffed with hundreds of filings, news articles, trouble tickets, police reports, and four thousand pages of call logs from Munoz's business. It's a monument to his tenacity; it's taken Munoz ten years to get this hearing in front of the Public Utilities Commission of Nevada (PUC) -- the regulatory body that oversees the state's electric, gas, water and telecommunications companies. The PUC is where utilities come to request rate increases or ask for permission to offer a new service. But in this unprecedented hearing that began last week, and continues through Tuesday, the commission is taking a hard look at a bizarre complaint that's bubbled up from this town's nocturnal fringe economy again and again for the past ten years, from outcall service operators, bail bondsmen and private eyes: that Vegas' telecommunications infrastructure is secretly controlled by super hackers working for a few powerful players in the vice biz; mobbed-up cyberpunk puppet masters pulling strings right under the nose of the local phone company.
That phone company, Sprint of Nevada, is effectively on trial here, accused by Munoz and his allies of turning a blind eye to the abuse. Commissioner Adriana Escobar Chanos, one of three PUC commissioners appointed by Nevada's governor, is judge and jury in these proceedings; eventually, likely months from now, she'll make a recommendation to the full commission based on what she sees, hears and reads. She's guided by the PUC staff, which has its own lawyer and investigator in the room, and by three advisors on her panel. If Munoz prevails, the commission could impose monetary fines and sanctions on Sprint. Reubel is one of the alleged victims, and his story typifies the complaints. Until he gave up four years ago, Reubel published Show World West, an advertisement magazine distributed by hand to thousands of passing tourists up and down Las Vegas Boulevard each day. Like the other papers, glossy cards and printed magazines competing for eyeballs on the Strip, Reubel's publication was all about sex, spotlighting a bevy of in-room "entertainers" -- blonds, brunettes, redheads -- each of them only a phone call and a few hundred dollars away from visiting the hotel room of some randy tourist looking for a private dance. Reubel got a piece of every call, and for years business was brisk. "Then, all of a sudden, the phones stopped ringing," says Reubel, gravel in his voice. "There's no reason for the phones to stop ringing."

The Long Nothing

The quiet phones are a common thread described by all the alleged victims. Sometimes calls appear to be tapped by competitors, other times they're diverted outright. More often, they're simply blocked, and the caller receives dead air or a circuit-busy signal. A 1996 report by a private investigator describes a test call he placed from the Monte Carlo hotel to the "Perfect Bodies" outcall service -- an alleged victim of the scheme.
"The phone rang 4 times, there was a pause of short duration then a sound similar to rushing air, then a tone and a long nothing." In 1998, word of the supposed scheme reached mobsters affiliated with the Gambino crime family, according to an FBI affidavit, and six of them were snared by an undercover investigation as they tried to muscle in on the phone racket. Throughout it all, Sprint of Nevada, the incumbent local exchange carrier, has denied any culpability. Now, sitting catty-corner from Reubel in the hearing room, dressed in business suits, are three representatives of Sprint, which fought tooth and nail to prevent the hearing from taking place: Scott Collins from the regulatory affairs department, Ann Pongracz, Sprint's general counsel, and outside counsel Patrick Riley, who handles Reubel's cross examination with the aplomb of an experienced corporate litigator. "Going over your testimony, you seem to blame Sprint for the loss of your business," Riley says, with mock bewilderment. "Is that correct?" "They're providing a service to me, and they're not providing the security they should," Reubel replies. "So, yes." Riley counters by carefully outlining all the steps the phone company took to investigate Reubel's complaint when he first raised it in 1995: Sprint made test calls to Reubel's numbers, and they all went through. They ran a script at their switching control center that periodically checked his lines for covert call-forwarding, never finding any. They examined his lines for physical taps, and there were none. "Doesn't it look like Sprint went to an awful lot of trouble to investigate your complaint?" Riley asks reasonably. Reubel smiles without humor, leans into the microphone and speaks slowly. "I was making a quarter million dollars a year. I'm making ten dollars an hour now. Whatever they did, it wasn't enough." And so it goes, with a procession of Munoz's witnesses sharing their own tales of ruin.
Former "Perfect Bodies" operator Hilda Brauer, gray-haired and matronly, peers over her glasses and testifies that the entertainers she dispatched to Vegas hotel rooms often found women from a particular competing service already there -- as though the competitor was listening in. One of the women even "trick-rolled" a client -- stole from him -- leaving Brauer holding the bag. Former bail bondsman Peter Vilencia says he effectively caught the call burglars in the act, but was still powerless to stop them. "I personally called my own phone number and got connected to other bail bonds companies," says Vilencia. "I feel this hearing is justified, and something needs to be done to correct the problem." Finally, Munoz begins his testimony. Like Reubel, Munoz is a publisher. He owns nearly half of the five hundred licensed news racks on the Strip, which he crams with stacks of the Las Vegas Informer -- twelve gritty newsprint pages advertising in-room entertainers. Ten years ago, the ads would result in fifteen or twenty outcalls a night; now, it's more like one or two, and Munoz is having trouble paying his bills. His phone problems are similar to the others' -- callers from outside Vegas, or from payphones and cell phones, get through, he says, but hotel callers frequently get false busy signals, or reach silence, driving them into the arms of competing services. He filed his first complaint with the PUC in 1994. It took two more complaints and an abortive federal writ before the commission staff launched an investigation, which led them a year ago to recommend this full hearing. Munoz testifies that he's stayed in business this long by selling ad space to competitors, and by employing his own crude countermeasures against his invisible adversaries. "What I've learned to do in order to survive this phone problem is continuously change the numbers, continuously change locations, because after a while they don't ring any more," he says. Munoz isn't his own best advocate.
Commissioner Escobar Chanos frequently has to admonish him for his long rambling answers under cross examination. He often alludes to his personal theory on the nature and methodology of his enemies, which, like a piece of gum stuck to the bottom of a shoe, seems to pick up bits and pieces of everything he walks through. These days it ties together the New Jersey mafia, corrupt phone company employees, a telco billing company in Los Angeles, several hackers, and a 1999 takeover robbery at a southwest Vegas Sprint office, in which masked gunmen made off with 233 telephone line cards. The only documented tests that have been conducted weigh against Munoz's complaint. When AT&T called his lines from Vegas hotels in 1997, the calls went through without incident. In August of 2001, a PUC staffer made several test calls from a Vegas hotel with the same results. And in November of 2000, at the direction of the PUC, Sprint ran three days of test calls from five different Las Vegas hotels. Of 205 calls, all but 23 went through, and none were diverted to competitors. Further investigation of the 23 incomplete calls turned up innocent explanations.

The Phone Cop

Munoz believes that test was compromised, and the hackers cleverly arranged for him to receive the test calls, while still blocking the other hotels. In fact, a switch report he subpoenaed from Sprint includes some mysterious entries during the test period -- a dozen calls were placed from hotels not involved in the test, and most of them had a duration of "0 seconds." But it's hard not to wonder how a phenomenon capable of crippling Munoz's business could be so difficult to reproduce. It's against that backdrop that the PUC staff -- the only players in the room without their own chips in the game -- have adopted the position that Munoz hasn't proven his case, and that no fines or other sanctions should be imposed on Sprint.
But if staffers are skeptical of Munoz's complaint, they're equally incredulous over Sprint's assertion that the phone company takes computer security seriously. PUC staff attorney Louise Uttinger summoned a witness of her own to the hearing -- former Vegas phone cop Larry Hill, who, up until his retirement in 2000, was in charge of investigations involving "Sprint's various internal systems" in Las Vegas, according to a company affidavit. The gaunt and grizzled Hill is a former NYPD captain, and he testifies like a pro, giving short quick answers and volunteering little. "I remember investigating many cases of this nature," Hill says. "We would generally check to see that all the programming on the complainant's line was in order... We determined in every case that there was no unauthorized call-forwarding." Under cross examination by Uttinger and Munoz's attorney Peter Alpert, Hill testifies that when he retired from the company all of his files on those cases disappeared. He also says that nobody was hired to replace him when he left. Perhaps there was no need: in his twelve years with Sprint, Hill never once saw a hacker in the company's network. "To my knowledge there's no way that a computer hacker could get into our systems," says Hill. If Sprint of Nevada is hack-proof, the achievement would make it a rarity among regional phone companies. But a report written by a technical consultant hired by the PUC staff concluded otherwise. "[W]hile I have encountered several capable Sprint employees, each an excellent specialist, some have clearly never considered the presence of a sophisticated hacker, the kind routinely found on the Internet nowadays," wrote Ron Bardarson, a former system administrator at a Reno ISP. "Additionally, I have not yet encountered anyone thinking about 'breaking into your own system,' which is the best way to improve a system's security. If such a person exists, I cannot help wondering why she/he is not a witness in this docket." 
Bardarson says he discovered what appears to be computer security weakness in Sprint's infrastructure. He's not the only one. As SecurityFocus Online reported last year, former hacker Kevin Mitnick claims extensive penetrations into Sprint's Las Vegas systems from approximately 1992 until his February, 1995 arrest -- smack dab in the middle of the call diversion complaints. Mitnick's access gave him the power to monitor or reprogram any phone line in town. Following that story, Munoz retained Mitnick as a technical consultant in his case, only to give him up later. Munoz says Mitnick wanted to run too many pointless tests; Mitnick says Munoz stiffed him and a partner for thousands of dollars in fees and expenses. Citing Bardarson's findings and Mitnick's statements, the PUC staff is recommending that the commission open a new investigatory docket to explore Sprint's security issues, and to force the company to undergo security audits, and report back to the PUC annually on the results. If the commission follows that recommendation it will set a remarkable precedent -- regardless of its action on Munoz's complaint. At a time when official Washington is emphasizing the link between the United States' "critical infrastructures" and national security, it may be a state regulatory body more accustomed to tariffs than cyber terrorists that first takes on oversight of an infrastructure provider's network security. And all because a ragtag lineup of lost and struggling peddlers of vice wouldn't fade quietly into the neon glow of the Las Vegas night. © 2002 SecurityFocus.com, all rights reserved.
Kevin Poulsen, 18 Mar 2002

Board member sues ICANN

ICANN board member Karl Auerbach is suing the organization in order to gain access to corporate records. "Directors are in charge and need to have access," he told The Register today. The suit has been filed by Auerbach's attorney and is backed by the Electronic Frontier Foundation. Auerbach says he has been prevented from exercising his responsibility as a director of a public benefit corporation under Californian law by examining the secretive organization's machinations. Auerbach cites several gagging orders, in the form of Non Disclosure Agreements and other obligations, raised by board chair Stuart Lynn. However, he points out that existing company law already prevents him from using the information he obtains irresponsibly: "What Stuart Lynn fails to recognize is that I have an obligation under law to protect that confidentiality … if I violate that I'm breaking non-profit legislation." Efforts to reach a compromise have failed, he told us. Auerbach raised the matter shortly after he was elected to the board in 2000, and we covered it in some detail at the time. "I look at them pumping way too much money into the travel, and into the law firm, and it's my business judgement that they're not getting value for money," he told us. Auerbach has also been denied access on conflict of interest matters. ICANN told us that no one would be available for comment until the head of PR returns from Accra, Ghana where the board met last week. ®
Andrew Orlowski, 18 Mar 2002

Taking the piss is banned in South Carolina

Taking the piss from online vendors is officially banned in South Carolina, following a Supreme Court (yes, Supreme Court!) ruling. In 1999, the state of South Carolina passed a law making the sale of (human, we guess) urine online verboten, to the dismay of local online bladder merchant Kenneth Curtis. He has sold his urine, through Privacy Protection Services, since 1996. The piss purveyor guarantees the samples, costing $69 a shot, are drug free and throws in a small pouch, tubing and something called a "warming packet" with each sale. Bargain. Mr. Curtis's customers are of course interested mainly in procuring the piss for fooling at-work drug tests. So what, Curtis says - he's not responsible for how people take the piss, and besides the tests are often unconstitutional, anyway. So he took the South Carolina piss prohibition - first time offenders can get up to three years jail! - to appeal to the Supreme Court. He fell at the first hurdle - the Supreme Court declined to hear the case. Curtis has done the sensible thing and moved his business to North Carolina. ®

You wanna know more about warming packets? Designed to easily be concealed on the body the kits are complete with chemically reactive supplemental heat sources and temperature monitoring system that insures proper acceptance temperature is maintained (Proper temperature is a critical element for acceptance at any testing site). You can use our kit in a natural urinating position, unisex (male or female), and you cannot be detected even if directly observed. Each kit contains a small reservoir pouch (about the size of a pack of cigarettes) that has a small diameter tube that can be routed to the genital area. The tube has a fitted silent quick release flow/stop clip that makes dispensing easy and natural. The kit can be stored indefinitely or kept at the ready in case of random type testing. These complete kits provide everything you need for (2) urine testing procedures.
Drew Cullen, 18 Mar 2002