11 April 2002 Archive

Eight new IIS security holes exposed

There are eight new security stuff-ups affecting various editions of Microsoft IIS (Internet Information Server), the most serious of which will enable an attacker to take over the system, MS revealed today. If you're wondering why you haven't heard about them before, chalk it up to Trustworthy Computing, a Redmond policy which leaves everyone exposed to attack until MS is satisfied with its patches and spills the beans. We prefer to know these things as soon as possible so we can look into temporary workarounds and shutter the window of opportunity straight away, but MS is clearly opposed to that approach. (One workaround we rather like is called Apache, but we digress....) Before we get into the gory details, we have to mention that we've received anecdotal reports that some of the MS patches have been breaking some of the machines they're installed on. So do test them before integrating them into critical systems. If you've installed one of the patches, I'd like to hear from you whether your experience was good or bad, in hopes of confirming the problem or, alternatively, putting the rumor down. And now for a brief roundup. First up, a buffer overflow involving chunked encoding with the ASP (Active Server Page) ISAPI filter. This can be exploited to crash or run arbitrary code on the machine. Essentially, an attacker can cause IIS to miscalculate incoming data and so allocate undersized buffers. There's a good writeup and a sample exploit by eEye, which discovered it, posted here. Affects IIS 4.0 and 5.0. Next, a mysterious one which Microsoft claims to have discovered and which it says "is related to the preceding one, but which lies elsewhere within the ASP data transfer mechanism." Whatever it is, it appears it can be exploited much like the chunk encoding flaw above, and affects IIS 4.0, 5.0 and 5.1. 
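The chunked-encoding flaw above comes down to trusting the client's chunk-size figure when sizing a buffer. The C below is an added example, not code from the article, eEye or Microsoft, and not how IIS itself parses chunks: it shows the checks a chunk-size parser needs so that a wrapped, truncated or oversized size is rejected before any buffer is allocated or filled. MAX_CHUNK and all function names are assumptions.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed server-side cap on one chunk; a real server derives this from
 * the request buffer it actually owns. */
#define MAX_CHUNK 8192

/* Result codes; negative values never collide with a real chunk size. */
enum chunk_rc { CHUNK_OK = 0, CHUNK_BAD_SYNTAX = -1, CHUNK_TOO_LARGE = -2 };

/* Parse the chunk-size line of a chunked body ("1a\r\n", "1A;ext=v\r\n").
 * The naive approach accumulates the hex digits into an integer and then
 * allocates a buffer of that size, which is exactly where a client can
 * make the server "miscalculate": too many digits wrap the accumulator,
 * and a wrapped value buys a buffer smaller than the data that follows.
 * Here every such case is an explicit rejection. */
enum chunk_rc parse_chunk_size(const char *line, size_t cap, size_t *out)
{
    size_t value = 0, ndigits = 0;
    const char *p = line;

    for (; isxdigit((unsigned char)*p); ++p, ++ndigits) {
        unsigned char c = (unsigned char)*p;
        size_t d = isdigit(c) ? (size_t)(c - '0')
                              : (size_t)(tolower(c) - 'a' + 10);
        /* Would value * 16 + d exceed SIZE_MAX? Check before it happens. */
        if (value > (SIZE_MAX - d) / 16)
            return CHUNK_TOO_LARGE;
        value = value * 16 + d;
        /* Stop as soon as the size exceeds what we are willing to hold. */
        if (value > cap)
            return CHUNK_TOO_LARGE;
    }
    if (ndigits == 0)
        return CHUNK_BAD_SYNTAX;        /* "zz\r\n", "\r\n", "" */

    /* Optional chunk extension up to CRLF; its contents are ignored. */
    if (*p == ';')
        while (*p && *p != '\r')
            ++p;
    if (p[0] != '\r' || p[1] != '\n')
        return CHUNK_BAD_SYNTAX;        /* no CRLF, or junk after the size */

    *out = value;
    return CHUNK_OK;
}

/* Wrapper for callers that want one number: the size, or a negative rc. */
long chunk_size_or_error(const char *line, size_t cap)
{
    size_t n = 0;
    enum chunk_rc rc = parse_chunk_size(line, cap, &n);
    return rc == CHUNK_OK ? (long)n : (long)rc;
}

/* Copy one chunk's payload into a fixed buffer. The declared size must
 * fit the destination AND be backed by bytes actually received; otherwise
 * return -1 instead of reading or writing past either buffer. */
long copy_chunk(const char *body, size_t avail, size_t size,
                char *dst, size_t cap)
{
    if (size > cap || size > avail)
        return -1;
    memcpy(dst, body, size);
    return (long)size;
}

/* Drive copy_chunk() over a constructed 26-byte payload so the bounds
 * checks can be exercised with just a declared size and a capacity. */
long copy_demo(size_t declared, size_t cap)
{
    static const char body[] = "abcdefghijklmnopqrstuvwxyz"; /* constructed */
    char dst[MAX_CHUNK];
    if (cap > sizeof dst)
        cap = sizeof dst;
    return copy_chunk(body, sizeof body - 1, declared, dst, cap);
}

int main(void)
{
    /* Constructed chunk-size lines, including an over-long hex figure
     * and a non-hex line, both of which a parser must refuse. */
    const char *lines[] = { "1a\r\n", "1A;ext=v\r\n", "zz\r\n",
                            "DEADBEEFDEADBEEFDEADBEEF\r\n" };
    for (size_t i = 0; i < sizeof lines / sizeof lines[0]; ++i)
        printf("%-28.*s -> %ld\n", (int)strcspn(lines[i], "\r"), lines[i],
               chunk_size_or_error(lines[i], MAX_CHUNK));
    printf("copy 26 bytes into cap 64: %ld\n", copy_demo(26, 64));
    printf("copy 30 bytes into cap 64: %ld\n", copy_demo(30, 64));
    return 0;
}
```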
We have another buffer overflow involving HTTP header processing, in which an attacker can spoof delimiter checking and persuade IIS that delimiting characters are present when they're not. Thus a malicious URL with bogus HTTP header field values can overstuff the buffers created to process them. Affects IIS 4.0, 5.0 and 5.1. And we have yet another buffer overflow, this time caused by a bad safety check for server-side includes, which MS caught. It's possible for an invalid and very long file name to pass the include safety check, resulting in a file name bigger than its intended buffer, and obviously a buffer overflow. Affects IIS 4.0, 5.0 and 5.1. We have one more, this time involving the HTR ISAPI extension, in which malformed .htr file requests can cause a heap overflow. According to MS, an attacker can "cause [IIS] to temporarily stop providing Web services or, in very unusual cases, could gain control of the server." According to @Stake's Dave Aitel, who discovered it, "this heap overflow can be used to execute arbitrary machine code. In the default installation, this results in remote execution in the IUSR_machine security context." The difference in these two accounts is a matter of emphasis. In any case an attacker wouldn't get administrator privileges directly from exploiting it, but the ability to run arbitrary code means he wouldn't have terribly far to go. The relevant @Stake advisory contains a few details left out of the MS bulletin, and is worth reading. Aitel has also developed a free tool called Spike which finds the HTR and ISAPI overflow vulns, available here. Affects IIS 4.0 and 5.0. For a change of pace, we've got a denial of service vulnerability involving the way an ISAPI filter included in FrontPage Server Extensions and ASP.NET generates errors when a request is received containing a URL exceeding the maximum length set by the filter.
IIS attempts to process the URL while returning an error message, resulting in an access violation which causes it to crash. Affects IIS 4.0, 5.0 and 5.1. We've got another denial of service vulnerability where an attacker can establish an FTP session in which a status request can interfere with normal error reporting, causing an access violation. This can crash both FTP and HTTP services. Affects IIS 4.0, 5.0 and 5.1. And last but not least, we've got three CSS (Cross-Site Scripting) vulnerabilities, which MS has lumped together thus: "One involving the results page that's returned when searching the IIS Help Files, one involving HTTP error pages; and one involving the error message that's returned to advise that a requested URL has been redirected." "All of these vulnerabilities have the same scope and effect: an attacker who was able to lure a user into clicking a link on his web site could relay a request containing script to a third-party web site running IIS, thereby causing the third-party site's response (still including the script) to be sent to the user. The script would then render using the security settings of the third-party site rather than the attacker's." If you'd like to know what that means, you can check out a Web page by Thor Larholm which tells you a few things MS neglects. Such things as how CSS allows for "stealing cookies from any IIS site, cross-domain scripting to any IIS site, hijacking Hotmail and Passport accounts, elevating privileges through ActiveX components, hijacking the MSN Messenger client, etc." Affects IIS 4.0, 5.0 and 5.1. The Microsoft bulletin, from which much of the above has been drawn, is located here. It also contains links to the three patches MS has released, with cautions, caveats and useful advice. And don't forget to check out the IIS lockdown tool, and the URL Scanning tool which MS provides free. ®
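The three cross-site scripting issues share one root cause: text from the request (a help search string, a bad URL, a redirect target) is copied into an HTML response as it arrived. This added C example is not code from the article or from IIS; it shows a naive error-page builder beside one that HTML-escapes the URL first, plus the check a tester can run on any page that echoes a request: does the response contain the request string verbatim while that string carries markup characters? All function names and the sample URLs are constructed for the example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Write `src` into `dst` (capacity `cap`) with the HTML-significant
 * characters replaced by entities. Returns the length written (without
 * the NUL) or -1 if it does not fit, so an over-long URL is rejected
 * rather than truncated or overflowed. */
long html_escape(const char *src, char *dst, size_t cap)
{
    size_t used = 0;
    for (; *src; ++src) {
        char one[2] = { *src, '\0' };
        const char *rep;
        switch (*src) {
        case '&':  rep = "&amp;";  break;
        case '<':  rep = "&lt;";   break;
        case '>':  rep = "&gt;";   break;
        case '"':  rep = "&quot;"; break;
        case '\'': rep = "&#39;";  break;
        default:   rep = one;      break;
        }
        size_t len = strlen(rep);
        if (used + len + 1 > cap)
            return -1;
        memcpy(dst + used, rep, len);
        used += len;
    }
    dst[used] = '\0';
    return (long)used;
}

/* Template shared by both builders; the only difference between them is
 * what gets substituted into it. Returns bytes written or -1. */
static long render_page(const char *text, char *out, size_t cap)
{
    int n = snprintf(out, cap,
        "<html><body><h1>404 Not Found</h1>"
        "<p>The requested URL %s was not found.</p></body></html>", text);
    return (n < 0 || (size_t)n >= cap) ? -1 : n;
}

/* The defect the bulletin describes: the URL goes in exactly as received,
 * so markup inside it becomes part of the page. */
long build_error_page_naive(const char *url, char *out, size_t cap)
{
    return render_page(url, out, cap);
}

/* The fix: escape the URL first, so any markup in it renders as text. */
long build_error_page(const char *url, char *out, size_t cap)
{
    char safe[1024];
    if (html_escape(url, safe, sizeof safe) < 0)
        return -1;
    return render_page(safe, out, cap);
}

/* Tester's check: does the response echo the request URL verbatim while
 * that URL carries markup characters? 1 = reflected unescaped, 0 = clean. */
int reflects_raw_markup(const char *response, const char *url)
{
    return strpbrk(url, "<>\"'&") != NULL && strstr(response, url) != NULL;
}

/* Wrappers that build the page into a local buffer and run the check. */
int naive_page_reflects(const char *url)
{
    char page[2048];
    if (build_error_page_naive(url, page, sizeof page) < 0)
        return -1;
    return reflects_raw_markup(page, url);
}

int escaped_page_reflects(const char *url)
{
    char page[2048];
    if (build_error_page(url, page, sizeof page) < 0)
        return -1;
    return reflects_raw_markup(page, url);
}

/* Helper for checking html_escape() output against an expected string. */
int escapes_to(const char *src, const char *expected)
{
    char buf[256];
    return html_escape(src, buf, sizeof buf) >= 0 && strcmp(buf, expected) == 0;
}

int main(void)
{
    /* Constructed request path carrying harmless markup. */
    const char *url = "/help/search?q=<b>x</b>";
    printf("naive page reflects markup:   %d\n", naive_page_reflects(url));
    printf("escaped page reflects markup: %d\n", escaped_page_reflects(url));
    return 0;
}
```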
Thomas C Greene, 11 Apr 2002

NAI ups bid for McAfee.com

Network Associates Inc's attempt to acquire McAfee.com Corp looks to be back on after the enterprise security vendor upped its offer by 15.6%. Santa Clara, California-based Network Associates originally offered 0.675 of a Network Associates share for each McAfee share, a value that McAfee's special committee of the board described as "financially inadequate". The acquisition attempt was subsequently delayed as Network Associates announced that its past accounting procedures were under investigation by the Securities and Exchange Commission, but is now back on after the company upped the offer to 0.78 of a Network Associates share for every McAfee share. The offer is being made directly to McAfee shareholders, and as such does not require the backing of the consumer anti-virus service provider; nevertheless McAfee's rejection of the previous offer put Network Associates' plans in jeopardy. The new offer is more to McAfee.com's liking and its board of directors has recommended that shareholders accept the offer. Network Associates already owns 75% of McAfee, but is looking to reacquire the 25% it spun off via a 1999 initial public offering. The company is trying to reduce confusion in the marketplace caused by its own McAfee-branded consumer retail products and enterprise anti-virus products and services, and McAfee.com's consumer-focused web-based anti-virus services. Meanwhile, McAfee.com reported its results for the first quarter ending March 31. Sales were up 46% to $18.8m. Net income was $5.5m, compared to a $2.8m loss last year. On a proforma basis, the company made a net profit of $3.9m, compared to a $1.4m loss last year.
ComputerWire, 11 Apr 2002

BT plans mobility services push

BT Group Plc yesterday said it plans to raise 180m pounds ($258.5m) in new revenue from wireless services in 2004, including 30m pounds ($43m) from the UK's first public access wireless LAN service. The announcement underlines that last year's spin-off of the UK incumbent's mobile network to mmO2 Plc did not signify its exit from wireless communication services, which remain a key growth area for the BT Retail services business. At BT Group's London headquarters yesterday, BT Retail CEO Pierre Danon said that BT will in June relaunch itself as a "mobility service provider" in partnership with mmO2. Danon said mobility service, with its emphasis on data communications solutions for corporate customers, is an ideal fit with BT Retail's strategic goal of realizing "profitable higher single-digit growth" over the next several years. Earlier this week, BT Group CEO Ben Verwaayen charged BT Retail with finding half of the 6% increase in group sales in the next 24 months. According to Danon, this means that with Retail's existing core business facing essentially flat growth prospects, and negative price pressures, his business must generate 1.5bn pounds ($2.2bn) from new business. About 700m pounds ($1bn) of this is expected to come from "non-telco" related business, which Danon yesterday declined to discuss, while some 825m pounds ($1.2bn) is earmarked to stem from new broadband business (to be announced later this month) and the new mobile services. Although BT said yesterday it will begin a two-phase roll-out of mobility services this summer, it can already claim to be a UK market leader in wireless, being responsible for around 47% of mmO2's handset sales, while mmO2 itself claims to be the UK handset market leader, accounting for 43% of total sales.
It also claims to be a market leader in ISP infrastructure services, a position Danon said leaves BT well-positioned to benefit from the growing proportion of ISP business set to be driven by wireless applications services. BT has signed an exclusive three-year agreement to resell mmO2 air time in the UK, and will start this summer with packages based around "office mobility" and selected vertical markets, such as vehicle tracking. In the office mobility space, Danon said BT "could not be more aligned with Microsoft's vision" of mobile access to data services, while in the vertical market spaces, BT is pursuing partnerships with application vendors and systems integrators, including Siebel Systems and Accenture. Later next year, BT said it will extend its mobility services portfolio, embracing "enriched" office services, voice convergence, and additional vertical market systems. © ComputerWire.com. All rights reserved.
ComputerWire, 11 Apr 2002

Microsoft mobilises, as partners back .NET

Microsoft Corp has accelerated its drive to make SQL Server central to .NET for enterprises, announcing software providing information notifications to mobile devices in addition to desktop-based systems. Redmond, Washington-based Microsoft's partners have also announced .NET versions of products or .NET-ready versions of their current services. These include Akamai Technologies Inc, ComponentSource Inc and FrontRange Solutions Inc. Appearing at Microsoft's TechEd 2002 conference in New Orleans, Louisiana, Akamai announced a .NET version of its EdgeSuite, ComponentSource adopted .NET Alerts for its public and private marketplaces, and FrontRange demonstrated the next version of its customer relationship management (CRM) software built on .NET. Microsoft used partners' support as evidence of what it called "huge momentum" around the .NET platform, officially launched just two months ago. Microsoft launched Visual Studio.NET and .Net Framework at VS Live! in San Francisco, California. Microsoft announced two products it hopes will further industry momentum: SQL Server CE 2.0 Notification Services, for mobile devices, and SQL Server 2000 Notification Services. These services provide SQL Server developers with the ability to deploy and manage short messages such as sports scores. Notification Services supports deployment of such notifications as Short Message Service (SMS), Simple Mail Transfer Protocol (SMTP), Windows .Net Alerts for MSN and MSN Messenger. Notification Services should be generally released in the summer. The company also launched its first commercially available Simple Object Access Protocol (SOAP) and XML web service, MapPoint.NET. This is a program for mapping and location-based services for use by ISVs, carriers and portals. MapPoint supports the ability to embed maps, calculate driving directions, and do proximity searches. © ComputerWire.com. All rights reserved.
ComputerWire, 11 Apr 2002

IBM mulls earlier launch for iSeries Regattas

IBM debuted midrange versions of its pSeries "Regatta" Power4 servers this week, and the rumor making the rounds in the iSeries community has it that IBM may move up its iSeries Regatta announcements, too, Timothy Prickett Morgan writes. The new pSeries 670, which wasn't expected to debut until October, has four, eight, or 16 Power4 processing cores. This machine may provide a clue about what the so-called iSeries Model 52L, Model 52M, and Model 52H Regatta servers will look like. In addition to the new baby Regatta pSeries servers, which are expected to start shipping on April 26, IBM cranked up the clocks on the S-Star processors in certain models in its pSeries 620 and pSeries 660 families of machines. These machines, which currently use 450MHz Pulsar, 500MHz I-Star, and 600MHz and 668MHz S-Star processors with either 2MB or 4MB of L2 cache memory, will now be equipped with the 750MHz S-Star chips, which have 8MB of L2 cache. The 750MHz S-Stars, the fastest 64-bit uniprocessor chips that IBM makes, made their debut in the eight-way pSeries 660-6M1 last fall. The pSeries 670 uses a mix of single-core and dual-core Power4s running at 1.1GHz to create four-way, eight-way, and 16-way SMP servers. These machines span the performance of the current pSeries midrange line, which is based on S-Star processors and ranges from the pSeries 620 up to the pSeries 680. It looks like the 16-way version of the pSeries 670 uses eight dual-core Power4 chips. The four-way pSeries 670 uses four single-core Power4s (recycled half-duds, effectively). The eight-way uses four dual-core Power4 chips. The only reason anyone cares about the core count is that L2 and L3 cache is allocated on a per-chip basis (not per core). The entry pSeries 670 machines see a 5% to 7% bump in processing power because a single core gets all the L2 and L3 cache memory to itself, say my sources.
A 16-way pSeries 670, a 16-way pSeries 690, and a 32-way pSeries 690 Regatta server all support 16 logical partitions; exactly why only 16 partitions are supported on these machines is unclear. The four-way pSeries 670 supports four partitions, and the eight-way supports eight partitions. Partitions are allocated based on the number of cores, but AIX only handles a maximum of 16 at the moment. It will very soon be 32, to match the number of processors, and soon after that IBM will offer the fractional partitioning in AIX that is already available on the iSeries line. For those of you who track code-names, my guess is that all of these pSeries 670 machines are the so-called "Regatta-M" servers (with M standing for "medium" or "midrange," depending on who you ask), and that the four-way and eight-way machines have dual-core Power4 chips. The pSeries 690, or Regatta-H server (with H standing for "high-end" or "heavy"), was announced last October and started shipping in December. These machines use 1.3 GHz Power4 processors with two cores each to create a 16-way and 32-way commercial enterprise server. Special eight-way and 16-way versions of the Power4 dual-core chips are used to create server nodes for high-performance computing, or HPC, supercomputer clusters. The Regatta-L machines (with L standing for "light" or "low end") will probably debut later this year or early next year, and will very likely offer uniprocessor, two-way, and four-way configurations using stripped-down, single-core Power4s. The Regatta-L, Regatta-M, and Regatta-H servers are probably very similar to the iSeries Regatta machine that will debut sometime this year, apparently as the iSeries Models 52L, 52M, and 52H. Low-end iSeries customers, knowing that a new architecture of servers was coming down the pike, have apparently expressed a desire to know that the Model 270 machines they buy today will be upgradeable to future iSeries machines.
In mid-February, IBM announced to customers that in the second half of 2002 it would offer an upgrade to Model 270 customers. IBM's statement was pretty vague, and I concluded that it seemed very likely that IBM would roll out Model 270 servers using its 668MHz and 750MHz S-Star processors. I didn't know it at the time, but what IBM was telling its sales reps and business partners was that it would offer upgrades from the Model 270 into a future eServer product. In IBMese, that means a whole new machine, and it also means that the odds are that the Model 270 will be upgradeable to the iSeries Regatta-L servers, which may be called the Model 52L. None of this means that faster S-Star Model 270s won't be announced as well. The main reason anyone should care whether any iSeries is an S-Star or Power4 box is that the Power4s have more sophisticated partitioning, resiliency, and diagnostic features built into their electronics, not to mention higher clock speed, more bandwidth, and bigger memories. Dollar for dollar and CPW for CPW, customers should prefer a Power4 server over an S-Star server, provided they don't mind being on the bleeding edge. Having gone through all of that, here's the juicy bit: There are apparently some rumblings in the Somers, New York, and Rochester, Minnesota, offices of IBM's MidMarket Server Division about exactly when to announce the iSeries Regattas. If IBM can move up the pSeries 670 announcement by five months, odds are that it is getting enough yields on the Power4 chips to move up the iSeries Regatta announcements, too. The last hard data I heard about the iSeries Regatta and OS/400 V5R2 announcement is that it is coming on July 23, but this might have changed already. IBM has long since frozen development on OS/400 V5R2, the version of OS/400 that was slated for the Regattas, and has finished several builds of the operating system with substantial patches woven into it.
OS/400 V5R2 does not appear to be ready, while the iSeries Regatta hardware does. If OS/400 V5R1 can be equipped with PTFs that allow it to run on the Regatta hardware, which is almost certainly the case, IBM might decide to do an iSeries Regatta hardware announcement in May or June and leave OS/400 V5R2 until later in the year, when it is also expected to deliver its Domino 6 messaging, collaboration, and workflow middleware. © 2002 Midrange Server, Inc. All Rights Reserved
ComputerWire, 11 Apr 2002

Rambus profits up

Rambus, the controversial designer of fast memory chips, produced profits of $6.7m for Q2, ended March 31 (Q1 $6.2m and Q2, 2001 $8m) on sales down five per cent sequentially, and 25 per cent down on Q2, last year. It was a good quarter for RDRAM commission, with royalties up 23 per cent sequentially. However, the increase in profits comes down mainly to lower operating expenses, especially with reduced litigation costs. Operating costs in the March quarter were $2.5m less than the previous quarter, with legal fees running at $1.6m (Q2 $4.5m). Operating expenses in Q3 were $14.8m, compared with $17.3m in Q2 and $20.4m for the same period in 2001. ®
Drew Cullen, 11 Apr 2002

EB UK waves through name change

Electronics Boutique UK shareholders yesterday approved the name change of the company to THE GAME GROUP PLC. The name change takes effect within three working days, and all EBUK stores will get a GAME makeover. Electronics Boutique announced its intention to change its name in January this year. It owns the Game name through acquisition - Game was a rival UK games software chain, acquired in 1999. Last week, EBUK announced its intention to see if it could legally terminate a services agreement with Electronics Boutique Inc., of America, which sees the company pay one per cent of turnover to its US namesake. ®
Drew Cullen, 11 Apr 2002

MS pulls the plugs on Hailstorm, pending rethink

Hailstorm, one of the cornerstones of Microsoft's .NET "bet the company" strategy, is no more - at least in the most ambitious of its advertised forms. As initially envisaged, .NET was about Microsoft producing the systems that would allow delivery of services across the Internet to individuals, and Hailstorm, subsequently rechristened .NET My Services, was intended to allow consumers to access a range of services based on their own particular identity, anytime, anywhere. But Microsoft has been unable to convince any of the providers of such services that it makes sense to do this via Microsoft. Consumers haven't resisted it (they haven't yet had the opportunity to do so), but banks, credit card companies and the like just don't want to know. According to a report by the New York Times' estimable John Markoff, Microsoft admits that the consumer end of Hailstorm is for the moment no more; general manager Charles Fitzgerald is even induced to come up with an intellectual quote: "We're sort of in the Hegelian synthesis of figuring out where the products go once they've encountered the reality of the marketplace." That translates, we think, as 'Amex et al told us to take a hike, so now we're going to have to think of a new strategy.' Compare and contrast, if you will, with what Steve Ballmer had to say in an Infoworld interview in the middle of last year: "HailStorm, as announced, is very end-user focused. The schema that we talked about are very much oriented toward the end-user. There could well end up being other schema that we introduce targeted at other audiences. Certainly, we will have a set of schema that we target at the small-business customer, for example. There's no announced plan and I'm not trying to announce any plans now. But certainly as you think of people who try to build b-to-b scenarios, there will be some schema to help integrate the world for end-users that is standardized and available in the cloud." That's what they've just killed off.
It's not clear how much of the resistance was down to worries about security and placing valuable customer data in the hands of a single company, and how much was simply large consumer companies deciding they weren't going to let Microsoft steal their lunches. Naturally, those refusing to play because of the latter are still likely to claim it was because of the former. For the moment, Fitzgerald indicates that Microsoft is considering a much more limited implementation of the technology, selling it packaged to businesses. This makes sense, but represents another significant reduction in the scope of .NET. Earlier this year, you'll recall, Microsoft switched the security defaults in the .NET Framework in a move that backed away from consumer/internet and towards corporate/network. Effectively, the great 'anytime, anywhere, bet-the-company .NET adventure' is being progressively downscaled to something that looks more and more like a traditional set of software products. Despite the fact that Microsoft is progressively abandoning the bits of the bet-the-company plan (Passport gets it next?), we confidently expect it not to go into Chapter 11, and that the marketing machine in a couple of years' time will still be telling us how wonderfully successful it's all been anyway. ®
John Lettice, 11 Apr 2002

mmO2 signs 10-yr deal with IBM

mmO2 - aka BT Cellnet - has turned to IBM to sort out its customer services operation in a deal worth £50 million in the first year. The mobile telco has signed a ten-year outsourcing agreement with Big Blue to build customer and business support services. The first phase of the agreement with IBM Global Services covers the integration of existing systems, including the Genie Mobile service, during the coming year. It's understood that no jobs will be lost as part of the agreement. Elsewhere, shares in mmO2 - or BT Cellnet if you prefer - slipped in morning trading following yesterday's announcement that BT is to re-enter the wireless market. It seems analysts are still unclear how this re-entry by mmO2's former parent will affect the future of this recently spun-off business. By mid-morning shares in mmO2 were down 5.25p (8.6 per cent) at 55.75p. ®
Tim Richardson, 11 Apr 2002

How modular is Windows?

Is a stripped down version of Windows possible? In the Unsettling States' version of the antitrust trial (the full, unexpurgated version, as opposed to the DoJ's Antitrust Lite) Princeton University professor Andrew Appel argued this week that it is, basing his opinion on the existence of Windows XP Embedded. XP Embedded is designed for use in cash registers, slot machines, ticket machines and the like, does not include Internet Explorer, and is described by Microsoft as "modular." From this, Appel extrapolates that XP Embedded's ability to have components removed and Microsoft's description of it as modular means that Windows XP itself must be modular. "I am of the opinion that the code underlying Microsoft's software platform products is most likely written in modular fashion... the modules serving to support Microsoft's middleware should be removable without causing disruption to the functionality of the remaining operating system." This is however something of a leap of faith, because Microsoft's definition of words like modular and componentised is actually pretty limited. Modular means you can pull bits out and/or disable them (which could be as prosaic as meaning it won't drive a printer), while componentised means modular, more or less. So you can forget any dreams you had about component-based plug and play operating systems. XP Embedded itself doesn't count as this, and although XP Embedded is a relation of XP itself, the latter will have sufficient differences and dependencies for it to be pretty tricky to disentangle at least some of the components. That does not mean that Microsoft has not, as the Court of Appeals found, illegally commingled code in Windows, nor does it mean it shouldn't be compelled to pull them apart. Nor indeed does it mean that it wouldn't be a good idea if Windows was a proper modular, componentised OS. But it isn't. ®
John Lettice, 11 Apr 2002

Yahoo! increases! Q1! revenue!

Yahoo! Inc remains chipper about the future despite posting yet another quarterly loss. Publishing Q1 results for the three months ended March 31, Yahoo! reported that revenues had grown from $180 million in 2001 to just shy of $193 million this year. The monster Internet portal reported a net loss for Q1 of $53.6 million - up from $11.5 million during the same period last year. Looking ahead, Yahoo! reckons that its decision to start charging for certain services - such as some email services - and relying less on ad revenue is beginning to pay off. Said Susan Decker, CFO at Yahoo!: "Our first quarter results show momentum and progress toward our goal to maximize long-term free cash flow. "This quarter also demonstrated the growing success of our monetization strategy, to draw increased value from our enormous consumer base and find new ways to drive financial value." Yahoo! anticipates "strong, profitable growth in 2002" with Q2 revenues expected to come in somewhere between $205 and $225 million, and between $870 and $910 million for the full year 2002, she added. EBITDA (earnings before interest, taxes, etc) is expected to be between $23 and $33 million for the second quarter 2002 and between $105 and $130 million for the full year 2002. Which is nice. ®
Tim Richardson, 11 Apr 2002

Monitoring reduces security risks

Counterpane today released statistics to back its claim that customers of its monitoring services are far less likely to have their networks penetrated. In the first quarter of 2002, Counterpane monitored approximately 200 networks worldwide and processed 31 billion network events. The company's analysts investigated 57,000 separate security incidents, of which 55 per cent turned out to be false positives, 27 per cent were authorised customer activity, and 18 per cent were actual attacks. The attacks consisted of unauthorised scans, denial of service attacks, probes, attacks on a third party or attempts to otherwise compromise a network. Of these 10,000 attacks, only six resulted in a penetration of Counterpane customers' systems, and none of these assaults resulted in financial loss, according to the company. The FBI recently reported that, in general, one per cent of all Internet attacks are successful. Counterpane has also released details of the types of attacks it blocked successfully. These include an FTP brute force attack to access an airline's HR data server. Counterpane tracked the attack and identified the source IP addresses for the attack, which allowed the airline to catch a rogue employee red-handed and terminate his employment. In another instance, Counterpane discovered that an unauthorised Morpheus server on a customer network was acting as a denial of service zombie. Once this was identified the server was taken off the Internet. Counterpane also provides clients with a heads-up of attack trends it notices from its monitoring, and early warning of major virus or worm outbreaks. ®
John Leyden, 11 Apr 2002

Newmedia agency cleared of spreading worm

Updated: Subscribers to a mailing list on news about 20th Century Fox received an unwelcome release yesterday when they were sent a copy of the Klez-E worm. The infection-bearing email appeared to come from fox-news@lists.foresight.co.uk, prompting Reg readers to conclude that some breach of security at the new media agency was responsible for the spread of the pathogen. Although a techie at Foresight told us earlier today that the worm was sent out after vandals broke into a Linux server that was used to run the list up until February 2000, this turns out to be incorrect. Further investigation by Foresight of its Internet logs reveals it did not send out any virus. Foresight uses email screening services from Star Internet, which means any virus coming from its email server would be blocked before reaching any of the 30,000 people on the list, which is now run by 20th Century Fox - not Foresight. Klez-E, a damaging worm which normally spreads by email, has the ability to spoof the address it appears to come from, AV experts at Sophos confirm. It seems the virus infected the Windows box of a user who had fox-news@lists.foresight.co.uk in his Outlook contact list, and it then spread itself to other addresses in that user's email address book. It did this with Foresight's email address in the 'From' field, so the worm appeared to come from Foresight's servers even though its systems remained free of infection. Fiendishly nasty things, these viruses... ®
John Leyden, 11 Apr 2002

ARM tools up for killer phone app – 3D games

ARM announcements tend to vary on a scale from dull to impenetrable, and today's - detailing a 3D graphics collaboration between ARM, Imagination Technologies and Superscape - is no exception. We'd categorise it as understandable but not very exciting. But it just so happens that The Register spent some time with Mike Grant of Superscape and Steve Evans of ARM at GSM World the other month, so we're in a position to realise that this not very exciting release is in fact about the killer app for mobile phones. It's games, of course. Sure, Superscape's Swerve 3D can be used to produce cuter, easier on the eye menu systems for the next generation of colour screen mobiles, but people aren't going to be sufficiently impressed by 3D buttons to pay extra money for them, and extra money is what the service providers are in desperate need of obtaining. So it works like this. Superscape's Swerve 3D is an enabling software technology consisting of client, author and applications software, while Imagination produces the PowerVR MBX graphics core. These get integrated into an ARM SoC system, meaning you've got a complete 3D package that allows you to put "high performance modern 3D and video graphics" onto a phone handset. Which of course means games. Speaking to Grant of Superscape, The Register was amused to discover that he'd started out where we did, on the Sinclair Spectrum, and nigh on 20 years later here we are again. As with the Amiga, the 80s games crew are set to make a comeback in the mobile arena. Mobile phone technology now, with a decent sized colour screen and a couple of control buttons either side, allows you to produce an acceptable arcade quality game so long as you've got the graphics side properly together, which is what ARM is doing now. And it is the killer app, so far. People producing apps for 2.5 and 3G handsets may have other suggestions, but you really only see the glint in their eyes, and their voices really only get confident, when they start on games.
The model the service providers are most interested in, according to Grant, is coin-op rather than retail software, and you can understand that. If the market can be persuaded that the phone in the pocket is in fact a virtual arcade machine, then they'll stump up a dollar per play. That's better money than a $40/£40 outright software package sale, and is anyway in line with their services business model, whereas just selling a box and walking away is not.

Will it work? Kids spending more of their money on SMS has been blamed by at least one confectionery company for a downturn in sales, and if the games are good enough kids are perfectly capable of spending even more of their money on pocket coin-op. Unwatchful parents won't be best pleased about this, and if it gets bad enough the phone companies will come in for a lot of unhelpful publicity, but it will go some way to bridging that 3G revenue gap.

One thing we - slightly puzzled - asked ARM's Steve Evans about was this: if it is possible to put decent 3D, arcade quality graphics into a pocket device with limited battery capabilities, then was it not inevitable that the nVidias of this world, with their on-card fans and heatsinks, would be in dire trouble? He smiled, shook his head and said it was rather more likely that the ARMs of this world would end up doing deals with the nVidias of this world. ®
John Lettice, 11 Apr 2002

Europe elbows Internet content ‘blocking’

The European Parliament has voted overwhelmingly to oppose the use of "blocking" as a way of regulating content on the Internet. The vote (460 in favour, 0 against and 3 abstentions) this morning means that ISPs will not be forced to restrict access to Web sites. Instead, they have been given the green light to continue with self-regulation. Today's decision has been welcomed by Louisa Gosling, President of the European Internet Services Providers Association (EuroISPA), as a "forward looking and informed decision". Said Ms Gosling: "We are also very pleased that the Parliament has come out strongly against blocking, which is not only a technically disastrous solution, but also raises significant free speech and democratic concerns." She added that blocking is "technically difficult, democratically questionable and undoubtedly inefficient" and believes that there are far better ways to deal with content issues, such as using special hotlines and ratings systems. ®
Tim Richardson, 11 Apr 2002

Audit trail dogs DVD+RW drive manufacturers

Numerous readers have contacted us pointing out that we were overly kind to DVD+RW drive manufacturers yesterday when we said they didn't seem to have specifically advertised that their products would be upgradable to be able to write DVD+R media. Well actually, yes they did.

Packaging for the Philips DVDRW 208 specifically boasts that "this Ultimate [now presumably penultimate] recording solution also makes CD-RW and CD-R as well," and archives "up to 4.7GB on DVD+RW or DVD+R discs."

The DVD+RW Alliance also ran a FAQ on the subject up until September of last year, at which point it was "disappeared":

"Q10: How easy will it be for the consumer to incorporate DVD+R technology into their DVD+RW products?

"A10. The upgrade program interface will be intuitive and easy to use. With a few simple clicks, consumers will be able to add DVD+R capabilities to their DVD+RW drives. Philips and HP will make the DVD+R software upgrade available this fall."

This was not replaced until January of this year, when the following appeared:

"Q1. What's the truth, does DVD+RW offer write once capability or not? I've seen individual companies answer this differently.

"A1: The DVD+RW Alliance includes a specification for DVD+R. This is an extension of the DVD+RW format. This is a company-specific decision on the timing for products with write once capabilities. Current products do not provide this functionality, however, we anticipate that the majority of the DVD+RW products will offer write once capabilities in 2002."

DVDplusRW.org forum participant VideoMann also tells us: "Members of the DVDplusRW.org are willing to provide picture and other written proof that indeed these first generation drives were sold to the public not only in the U.S. and U.K. but in a world market as being able to write to DVD+R discs. The HP websites for Spain, Ireland, and the Netherlands had such claims but were taken down as the company began to change their position on what these drives were capable of doing."

HP itself published the 17th May 2001 press release on its own site, quoting VP and GM, personal storage solutions, John Spofford as saying: "With rewritable CD technology, consumers preferred a choice between rewritable discs and those that can be written only once, for permanent storage.

"Given this, the DVD+RW Alliance will support a write-once DVD+R capability that allows consumers to safely archive their scanned documents, presentations, home videos, and photos."

Note that this alone doesn't specifically commit him to shipping a firmware upgrade for existing models, but as this release has now been deleted from the HP site, leaving only the headline in the index, you do kind of get the impression the company maybe thinks it has something to hide.

Although so far nobody seems to be offering any kind of formal upgrade or money back scheme, at least one member of DVDplusRW.org claims to have had a refund from HP, and the company apparently has a team manning the phones in the US (650-857-7177) fielding calls from complainants. Dealing with persistent complainants on a case-by-case basis is of course going to be a lot cheaper and less embarrassing than having to deal with a mass recall, but we'd be the last to suggest that this is what's going on. Of course, any manufacturer who did say its product would be able to write DVD+Rs does not now have a leg to stand on.

Our Philips packaging, by the way, was kindly forwarded to us by a TV producer who says he's waiting for the class action before he pulls the trigger - Philips, you have been warned. ®

Related stories
DVD+RW drives in shock 'no upgrade' situation
John Lettice, 11 Apr 2002

UK plc ignorant of RIP Act

Awareness of the Government's Regulation of Investigatory Powers Act (RIPA) remains low among UK businesses and ISPs more than a year after the controversial legislation became law. A survey of 100 senior managers in UK companies and 100 ISPs by law firm Nabarro Nathanson found 86 per cent of businesses and an even more surprising 61 per cent of ISPs were unaware of RIPA. The survey also reveals uncertainty among ISPs about how much they will have to spend to comply with the legislation, and highlights that many ISPs are considering moving at least part of their operations abroad because of RIPA.

Of those businesses aware of the Act, which became law in November 2000, half were not aware that it contained provisions that would permit government agencies to compel organisations to reveal private keys which would unlock encrypted information in their possession. A code of practice for the seizure of keys has been repeatedly delayed; however, Nabarro Nathanson advises it's high time that firms begin formulating plans about how they will deal with the Act. RIPA means firms need to review their policies and their contracts of employment to deal with the legislation.

Dai Davis, a consultant lawyer at Nabarro Nathanson, said that because the Act applies to individuals and not companies, this could create a conflict of interest when the authorities request employees' private keys held by their employer. This "inconsistency" means sys admins, who might be served with notices, would have to seek external legal advice, but could not ask supervisors about taking that advice. The RIP Act only allows those receiving notices to contact lawyers, and that in very limited circumstances. "Under RIPA, where an in-house lawyer is consulted, it would appear that the in-house lawyer would be conflicted out from giving advice to the recipient of the notice served under the Act," said Davis.

Firms need to put procedures in place which would allow staff access to external legal advice, he added. Britain's RIP Act, which is designed to regulate the monitoring of electronic communications by police and the intelligence services, has been condemned by critics as a snoopers' charter. It is designed to allow the authorities to crack down on the illegal use of the Internet by terrorists, perverts and organised criminals, but its opponents argue the legislation is seriously flawed. ®

External links
Stand.org - campaign site with extensive background (and criticisms) on the RIP Act

Related stories
RIPA Code of Practice goes out to public consultation
RIP Bill - full coverage up to July 2000
Criminal Law Review tears strips off RIP Act
Spooks cock snooks at RIP oversight
RIP not a problem thanks to police stupidity
Email snooping row kicks off again
Email snooping code of practice delayed
Employer snooping code: don't eavesdrop on staff
John Leyden, 11 Apr 2002

Give your password to complete strangers? No problem…

When it comes to password security UK office workers are extremely lax, according to an unscientific survey of commuters at a busy London train station. Two thirds of those quizzed seemed perfectly happy to hand over their company passwords to complete strangers - which must make those in charge of IT security shudder in disbelief. The survey, which comes ahead of a security conference, also found that the most commonly used password is the word "password". The survey of 150 people at Victoria Station in London also found that the majority of workers would forward unsavoury material to co-workers, download confidential material on leaving, give passwords to friends and colleagues, and were willing to pass competitive information to friends. Scruples - someone's heard of it. ®
Tim Richardson, 11 Apr 2002

Win-XP Search Assistant silently downloads files

Just over a week ago, while searching for a file on a Windows-XP machine, I was surprised to see the Search Assistant attempting to activate my Internet connection. It puzzled me because I wasn't searching the Internet, only my local drive. I was busy with other things at the time, but I made a mental note to look into it soon, which I promptly forgot to do.

This morning, Reg reader Jody Melbourne rattled my cage, fresh from having made the same discovery. He'd noticed that the Assistant was establishing a connection with a machine at Microsoft. "I did not give Microsoft permission to know what files I am searching for on my local hard-drive," Jody wrote. Indeed, and neither had I.

So I connected an XP box to my ISP, started a packet sniffer, and launched the Search Assistant. Sure enough, it immediately connected to http://sa.windows.com/ and fetched a number of files. But it didn't attempt to send any data to the site, beyond comparing my locally-stored versions of those files to the ones on the server. But when I performed an Internet search, the Assistant sent my search terms to the Microsoft site, and also dropped a session cookie on my machine.

Phoning home?

One of the files the Assistant fetches is the MS Search Companion privacy statement. This is done for P3P compliance. According to the statement, MS doesn't collect information about local searches. "No information is ever collected by Search Companion when you search your local system, LAN, or intranet for any reason." I certainly didn't pick up anything to contradict that. But there is some obvious collecting when SA is used to search the Internet.

"When you search the Internet using the Search Companion, the following information is collected regarding your use of the service: your IP address, the text of your Internet search query, grammatical information about the query, the list of tasks which the Search Companion Web service recommends, and any tasks you select from the recommendation list."
"Search Companion does not record your choice of Internet search engine, and does not collect or request any personal or demographic information. Information collected by the Search Companion cannot be used to identify you individually, and is never used in conjunction with other data sources that may contain personal data."

Hopefully there aren't too many loopholes in that, though I rather think the user's IP can be considered personally identifying. However, MS tells us that the policy statement is out of date. IPs were logged for testing purposes during the XP beta period; but since the product launch, there has been no IP logging.

In addition to the privacy statement, the remaining files fetched are XSL (Extensible Stylesheet Language) stylesheets:

transform.xsl
balloon.xsl
prevectr.xsl
vector.xsl
boolean.xsl
pretrans.xsl
transform.xsl

Users curious to know exactly what they contain can quite easily locate them on their local machine and have a peek. According to MS, they're simply used to maintain up-to-date associations between file extensions and file types, to make searching more productive. I'm not acquainted with XSL, so I'm in no position to affirm that or to argue with it, but I'd be pleased to hear from readers who can shed additional light on the subject.

For now it appears that there's nothing here for users to worry about. But there is a question about MS playing fast and loose with people's Internet connections. Certainly, the minute one ventures onto the Web, one starts bleeding information all over the place, fetching images and ads and taking cookies from secondary and tertiary sources too numerous to mention. But when we run an application for some local business like a file search, we don't expect it to connect silently to the Net, even for a good reason. When we discover something like this, it feels like someone else is in control of our computer, and that is definitely not a good feeling.
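The distinction drawn above, between a tool that merely checks whether its copies of a few files are current and one that ships the user's search terms to a server and accepts a cookie in return, is visible on the wire. The following is an added Python example, not code from the article, from Microsoft or from the Search Companion service: it parses raw HTTP requests of the kind a packet sniffer hands over and labels each one by whether anything from the client actually leaves the machine. Only the host sa.windows.com and the .xsl file names come from the article; the request paths, header values, the query parameter name `q` and the cookie name `SASESSION` are constructed placeholders. The triage is general, so it applies to any local application caught talking to the network, not just this one.

```python
"""Triage of HTTP requests captured while a local application runs.

Added example, not code from the article or from Microsoft. The raw requests
below are CONSTRUCTED: only the host sa.windows.com and the .xsl file names
come from the article; every path, header value, parameter name and cookie
name is an assumption.
"""
from dataclasses import dataclass
from urllib.parse import parse_qs, urlsplit

# Headers that turn a GET into a "has this changed?" check: the client names
# what it already holds, the server answers 304 or a fresh copy, and no user
# data travels in the request.
CONDITIONAL_HEADERS = ("if-modified-since", "if-none-match")

@dataclass
class Request:
    method: str
    host: str
    path: str
    query: dict
    headers: dict
    body: str

def parse_request(raw: str) -> Request:
    """Parse one raw HTTP/1.x request as a sniffer would hand it over."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    parts = urlsplit(target)
    return Request(method, headers.get("host", ""), parts.path,
                   parse_qs(parts.query), headers, body)

def classify(req: Request):
    """Return (label, reasons): 'data-sent' if the request carries anything
    from the client (query string, body, cookie), 'update-check' for a
    conditional fetch of a named file, else 'plain-fetch'."""
    reasons = []
    if req.query:
        reasons.append("query string carries: " + ", ".join(sorted(req.query)))
    if req.method not in ("GET", "HEAD") and req.body:
        reasons.append(f"{req.method} body of {len(req.body)} bytes")
    if "cookie" in req.headers:
        reasons.append("cookie returned to server")
    if reasons:
        return "data-sent", reasons
    if any(h in req.headers for h in CONDITIONAL_HEADERS):
        return "update-check", ["conditional fetch of " + req.path]
    return "plain-fetch", ["unconditional fetch of " + req.path]

def set_cookie_names(raw_response: str) -> list:
    """Names of cookies a response tries to plant (Set-Cookie headers)."""
    head = raw_response.partition("\r\n\r\n")[0]
    names = []
    for line in head.split("\r\n")[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() == "set-cookie":
            names.append(value.strip().split(";")[0].partition("=")[0])
    return names

def audit(raw_requests) -> dict:
    """Group classified requests by destination host."""
    report = {}
    for raw in raw_requests:
        req = parse_request(raw)
        label, reasons = classify(req)
        report.setdefault(req.host, []).append((label, req.path, reasons))
    return report

# Constructed capture: a local-drive search, stylesheets fetched conditionally.
LOCAL_SEARCH_CAPTURE = [
    "GET /transform.xsl HTTP/1.1\r\nHost: sa.windows.com\r\n"
    "If-Modified-Since: Tue, 02 Apr 2002 10:00:00 GMT\r\n\r\n",
    "GET /balloon.xsl HTTP/1.1\r\nHost: sa.windows.com\r\n"
    "If-Modified-Since: Tue, 02 Apr 2002 10:00:00 GMT\r\n\r\n",
]
# Constructed capture: an Internet search. 'q' and 'SASESSION' are placeholders.
INTERNET_SEARCH_CAPTURE = [
    "GET /search.asp?q=quarterly+budget HTTP/1.1\r\nHost: sa.windows.com\r\n\r\n",
]
INTERNET_SEARCH_RESPONSE = ("HTTP/1.1 200 OK\r\nSet-Cookie: SASESSION=abc123; path=/\r\n"
                            "Content-Type: text/html\r\n\r\n<html>...</html>")

if __name__ == "__main__":
    for title, capture in (("local search", LOCAL_SEARCH_CAPTURE),
                           ("Internet search", INTERNET_SEARCH_CAPTURE)):
        for host, entries in audit(capture).items():
            for label, path, reasons in entries:
                print(f"{title}: {host}{path} -> {label} ({'; '.join(reasons)})")
    print("cookies planted:", set_cookie_names(INTERNET_SEARCH_RESPONSE))
```

Run over the constructed local-search capture, every request comes back as an update check with no client data attached, which is what the article's observation of "comparing my locally-stored versions" would look like if the comparison used conditional requests; the Internet-search capture is flagged because its query string carries a parameter, and the response is seen to set a cookie. On a real capture, the point of the labels is to separate the requests worth reading closely from the ones that are plainly housekeeping.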
If Trustworthy Computing is going to mean anything, it's going to have to mean that actions like file downloads aren't going to happen without the user's knowledge and consent. A simple popup asking if one wants the latest XSL files, with the options to decline, to be asked each time, or to grant permission to go ahead without further consultation, is all that would be needed. ®

Related story
Small MS DVD privacy invasion, not many dead
Thomas C Greene, 11 Apr 2002