Chapter 11 looms For WorldCom

WorldCom Inc is trying to hash out a massive debt-for-equity swap with its bondholders, as the company battles to survive. The Wall Street Journal reported sources close to the talks as saying Friday that holders of $26bn of bonds are talking to WorldCom management over the potential deal, which would be executed under the protection of Chapter 11. The carrier, which revealed two weeks ago that it inaccurately booked $3.8bn over the last five quarters, owes its creditors $32.8bn, the majority of which is due to its bondholders. The company has up to $5.75bn in debt repayments due in the next year, reports said. Any swap of debt for equity would allow the company to function as a regular business, unburdened by the huge debt, but would likely leave WorldCom common shareholders with next to nothing. The company says it is still talking to its banks, to which it owes some of the debt, to figure out additional funding. Having learned lessons from the Enron Corp scandal, regulators are currently all over WorldCom. The beleaguered carrier is being investigated by the Securities and Exchange Commission, Congress, and the US Justice Department over allegations of fraud. The company fired its CFO following the uncovering of the accounting errors. © ComputerWire
KPN favorite to acquire KPNQwest

Bankrupt carrier KPNQwest NV is expected to be bought by its former parent, Dutch telecoms incumbent Royal KPN NV, for around 20m euros ($19.6m), after all the other bidders lost interest in the operation. The level of the bid will be a bitter disappointment to the banks that were owed 220m euros ($215.6m) when KPNQwest went bankrupt in May. But while 40 potential bidders expressed an interest in the operation, their enthusiasm faded when they had a closer look at the books. KPN is only interested in the KQ network, which covers the fiber-optic rings in the Netherlands, Germany, France and the UK. It excludes the 10,000km Ebone IP backbone network, which was switched off last week after funds to keep it operational ran out and no bidder emerged. This is expected to be sold eventually for a nominal amount. A separate bidding process is under way for the central European network. KPNQwest was set up in 1998 as a joint venture between Royal KPN NV and Qwest Communications International Inc. KPN contributed 2,100 miles of network, transatlantic capacity and cash, while Qwest contributed the resources of EUnet, a European commercial internet service provider with nearly 84,000 customers and operations in 14 countries, transatlantic capacity and cash. A period of hectic expansion followed, but fierce competition and the level of its debt left it unable to survive current conditions in the industry. © ComputerWire
HP to squeeze Asian Suppliers

Fears that the merger of Compaq Computer Corp with Hewlett-Packard Co would spark a bloody rationalization of the company's Far Eastern supply chain appear to be unfounded, according to reports in the local media. However, HP's decision to retain most of its and Compaq's existing relationships with electronics manufacturing services (EMS) companies in Taiwan, Singapore and Korea may simply be part of the Palo Alto, California-based company's plan to embroil them in a bidding war for future contracts. According to a Dow Jones newswire report, HP's stated goal of realizing $2.5bn of post-merger cost savings could rely greatly on pruning back its EMS bill. So, even if Asian EMS companies manage to hang on to HP's business, it will almost certainly be at the cost of slimmed-down margins. "The profit margins from [new] HP orders should be thinner than before, and thinner than others," Tony Tseng, downstream electronics analyst at Merrill Lynch in Taipei, told Dow Jones on Friday. If correct, Tseng's analysis of the situation spells hard times ahead for Asian EMS companies, and particularly for those in Taiwan. Last year Compaq and HP together spent $14.5bn with Taiwanese companies, accounting for more than 10% of Taiwan's $123bn of exports. HP executives have said that its existing suppliers will all have an equal chance of retaining HP's favor, but they have not been shy of stating that the selection process will be "rigorous". © ComputerWire
IBM to integrate DB2 with Visual Studio.NET

IBM Corp has announced that it has joined Microsoft Corp's Visual Studio.NET Integration Program (VSIP) to provide tighter integration between DB2 and .NET. The idea is that "support for VSIP will enable developers to leverage the power of DB2 combined with the benefits of the Microsoft .NET Framework for application development", reducing the time and cost taken to develop and deploy applications. The announcement seems curiously content-free, however. It is not really news: Microsoft chief architect Bill Gates revealed that DB2 would be enabled for Visual Studio.NET when the latter was launched in February. Nor does IBM commit to a date for actually shipping any software - usually a sign that plenty of work remains to be done. Either IBM has belatedly decided to announce its membership of VSIP four months after the event, or Gates jumped the gun in his San Francisco speech. At least IBM has taken the bold step of signing up for VSIP, which is more than can be said of its database rivals Oracle and Sybase. Illustrating the delicate balance of interests that drives such decisions, it was Microsoft that recently did the work of integrating Oracle more closely with .NET, rather than the other way around. While Microsoft is positioning Visual Studio.NET as the development environment of choice, IBM is aiming to do the same thing for DB2 in the database world. Presumably both think the integration is in their own interests. Of the 90 or so VSIP members listed by Microsoft, only a handful are big players like IBM. Compaq's membership has no doubt been inherited by HP; others include Computer Associates, Compuware, Fujitsu, Intel, Mercury Interactive, Rational and SAP. Membership costs an affordable $10,000 per year for a three-year contract. At the technical level, VSIP offers members the chance to hook their own products into .NET in exactly the same way as Microsoft's own programming languages such as Visual Basic and Visual C Sharp. 
This is done through Component Object Model (COM) based software components called VSPackages, which can only be obtained through VSIP. © ComputerWire
Phone Java to get Summer facelift

Sun Microsystems Inc is set to launch a major upgrade to the phone variant of its Java 2 Micro Edition (J2ME) specification, featuring a standardized application delivery method and server-side application invocation alongside improved security, multimedia and networking features. The specification, known as MIDP (mobile information device profile) 2.0, is scheduled for release in late summer, with the first devices using the technology expected to hit the shelves by the end of the year. The over-the-air (OTA) provisioning and "midlet push" feature, allowing servers to remotely invoke applications on a device, look especially significant. The OTA feature should allow greater interoperability between devices and the so-called J2ME application "vending machines" developed by vendors such as 4thpass Inc and Pixo Inc. This should, in turn, help the roll-out and uptake of J2ME devices and applications. While few details of the midlet push feature are currently available, the ability to invoke device-side applications from a server will no doubt prove useful as web services start to proliferate. For now, however, Sun - through the Java Community Process (JCP) - has not added support for XML-based web services protocols, said Andy Bush, new technologies manager for Sun UK. Among the other enhancements in MIDP 2.0 are a number of features intended to improve the attractiveness of J2ME as both a business and consumer technology. Business-oriented features include support for secure sockets layer (SSL) and signing of applications. Meanwhile, on the consumer side, MIDP now supports advanced phone features such as 3D graphics, sprites and polyphonic sound, reinforcing the technology's credentials as an emerging gaming platform. In terms of networking, MIDP will now support TCP/IP and UDP in addition to the HTTP transport protocol. 
Bush expects development tools vendors such as Metrowerks Inc and Sun itself to launch updated toolkits for the spec, which is fully backwards compatible with MIDP 1.0, almost immediately after the spec is released, probably in late summer. MIDP 2.0-enabled devices are expected by the end of the year. © ComputerWire
Intel Announces Itanium 2 Chips

Intel launches the "McKinley" Itanium 2 processor today. It hopes to set itself on a profitable path of dominance in the market for processors for relatively expensive midrange and enterprise servers, much as it accomplished in the PC market by the late 1980s, and in the entry server market in the mid-1990s, Timothy Prickett Morgan writes. The first-generation "Merced" Itanium chips were years late, under-performing, and widely mocked by the RISC/Unix vendors who still control the server market - except for certain high-performance clusters and specialized web applications like data encryption. The second generation of 64-bit Itanium processors, which are about six months later coming to market than Intel and its partners had hoped, have enough credibility in the market that just about all the RISC/Unix vendors have suddenly become more forthright about their processor roadmaps than they would normally be. This is no accident. The remaining server vendors who sell machines which do not use Intel processors want to show that they are committed to their processors even if, in many cases, these vendors also hope to make a killing selling McKinley machines. Intel makes no bones about its intentions when it comes to the server market. Plainly and boldly put, Intel wants to drive the server makers out of the chip design and fabrication business so they will port their architectures and operating systems to the Itanium chips. Intel already accounts, by the latest reckoning of analysts at International Data Corp, for more than 88% of total server shipments worldwide, because entry servers using one or two processors still make up the bulk of server shipments each year. Intel also has a fairly good share of four-way servers, and vendors who use Intel's high-end Pentium III Xeon and Pentium 4 Xeon processors sell thousands of eight-way servers a year. 
The Intel architecture - which is not entirely under Intel's control, but which is being enhanced by various chipset vendors and server makers - has also been extended into 16-way and larger servers by Unisys Corp, IBM Corp, NEC Corp, and Bull. And others like Hewlett-Packard Co are working on their own high-end servers using Pentium 4 Xeon and Itanium 2 processors. All of the major server vendors share in Intel's vision of dominance, and are ironically (some might say fatalistically) the vehicle with which Intel will attain its dominance of the top end of the server business. Intel can count on the economics of its high-volume chip fabs to keep the pressure on those vendors who will design and/or make their own server processors, and it can also count on the drug dealer's logic - if I don't sell Itanium machines against my own servers, someone else will - to push all but the most stubborn and idealistic vendors into endorsing Itanium, regardless of whatever technical inferiorities Itanium might have compared to RISC/Unix or proprietary alternatives. The server architecture that offers the best price/performance and the widest software support will win in the midrange and enterprise space over the long haul. Of the $49bn a year that companies spend on the core electronics complexes in all types and sizes of servers, IA-32 processors already account for $25bn. Intel is gunning for that other $24bn that is dominated by RISC/Unix products and proprietary machines, and history would seem to suggest that within a decade, if Intel can improve its Itanium designs so they are consistently less expensive than RISC/Unix alternatives and deliver comparable performance, there is no reason to believe that Itanium won't relegate other architectures to the dust bin. These are two very, very large ifs, which is why many server vendors, stung by delays in their own processors as well as those from Intel, are playing both sides of the street for as long as they can. 
There's too much money to be made selling RISC/Unix products today to stop, and there is too much money to lose by not selling Itanium machines starting now and perhaps in very high volumes in a year or two to not commit to doing it now. (Unless you are Dell Computer Corp, which is bizarrely taking a wait-and-see attitude and is not announcing any products or plans for the Itanium 2 chips today at the McKinley launch.) The good thing about McKinley machines is that future Itanium processors will plug into machines that support McKinley chips and which are rolled out over the course of the summer. This was not the case with the Merced machines, which were a separate product unto themselves. But knowing that the Madison, Deerfield, and Montecito Itanium chips will plug into McKinley boxes next year and the year after should help ease the sales process to server buyers who were correctly skeptical about the prospects for Merced machines. Intel will roll out its own "Tiger" four-way servers, based on the E8870 chipset (formerly known as the i870 chipset) alongside the McKinley chips, and ServerWorks, IBM, HP, Unisys, NEC, and others are expected to divulge their own chipsets for McKinley and future Itanium processors. The Itanium 2 processor will be available in three different configurations. A 900MHz version of the chip with 1.5MB of on-chip L3 cache will sell for $1,338. In all the time that everyone has been talking about Itanium 2, no one has even mentioned that a 900MHz version would be available. The 1GHz version of the chip with 1.5MB of L3 cache costs nearly twice as much at $2,247. This pricing difference and the advent of the 900MHz clock speed would seem to suggest that Intel is having trouble getting decent yields on the 1GHz McKinley at this point in its product ramp up. The 1GHz version of the chip with 3MB of L3 cache costs $4,226, which is a little bit less than RISC/Unix vendors charge in their homegrown processors for entry and midrange servers. 
As Intel can ramp up production quantities for Itaniums and the clock speed on those chips, those prices will inevitably drop hard and fast, like a boom. © ComputerWire
Redmond retirement ratchet spells doom for Win2k

Windows 2000 has been given nine months to live, as far as OEMs are concerned, and Microsoft is pressuring the PC companies to stop offering dual install Win2k/WinXP systems immediately. Microsoft operating systems magically become more expensive and difficult to obtain as soon as there's a new rev out, but so long as the previous version is still available on new PCs via OEMs, business customers have a relatively simple way to stick with their current OS, rather than having to do an expensive rollout of the replacement. The demise of dual install, which makes it easier and cheaper for OEMs to cater for customers in this position, will make life harder for everybody but Microsoft, and of itself will make the PC companies more inclined to drop Win2k. And as their contracts won't allow them to sell Win2k as of April 2003, well, there's less and less point in wriggling, isn't there, folks? The moves will have an immediate impact on upgrade strategies and costs, and by a miraculous coincidence Microsoft's widely-hated Licensing 6.0 becomes The Law at the end of this month. So, you're an IT manager with a major installation standardised on Win2k, you haven't decided whether to go for Licensing 6.0 yet, what are your options? The supply of OEM Win2k machines is going to dry up soon, and you can probably reckon on those still available up until next April becoming more expensive and difficult to obtain. After April you will have to install Win2k on new machines yourself, and you'll have to source the Win2k licences from somewhere other than your OEM. You can still do this via the "downgrade" options in Microsoft licensing deals (whereby you pay for the current product and have rights to install the old one of your choice) but, um, don't you think it would probably be cheaper if you did this via Licensing 6.0? Gotcha... The alternative that doesn't involve signing up for the revolution (you didn't really think your board would let you do that anyway, did you?) 
is to buy the OS separately at inflated prices, prepare your own standard disk images (watch out for the licensing police though, if they all wind up with the same registration ID) and throw away the XP licences you've had to buy from the OEM. Which is what you did with NT 4.0 for a long time anyway, so you know the ropes: you end up paying Microsoft double-plus for the privilege of not upgrading when Microsoft says jump. Of course, if you sign up for Licensing 6.0 now then you'll get all the upgrades you don't want to go with so early free for the period of the licence, so you won't have to pay double-plus. But... as several readers have already pointed out to us, if the next rev of Windows, Longhorn, is somewhere between the middle distance and never (which is really what 2004-5 amounts to), then there aren't going to be major OS upgrades in the foreseeable future. We're unsure which way round that gotcha goes, but for the corporate buyers being a Microsoft customer usually goes pretty much like the old cowboy movies. Whether it's the lieutenant or the sergeant who shouts "Indians!", it's always the sergeant who gets the arrow in the chest. So go figure, you'll pay (and you will, you will) for free arrows in the chest. ®
First legal Linux program runs on Xbox

The first Linux program to run legally on Xbox has been released, says the Xbox Linux Project. It is not clear to us what the program, which was created without the Xbox SDK, actually does, and just maybe all it does is put Tux on the Xbox screen, but still, it's progress. The Xbox Linux Project aims to overcome the best-laid plans of Microsoft's licensing Stasi by developing a version of Linux which you can get running on an Xbox without having to go to jail afterwards, and as we reported last week, it's dangling a $200,000 reward in the quest for success by the end of this year. We note from the discussion thread over at our good friends from /. that some people seem to think this a shocking waste of effort. But "Tsk!", we cry. Where on earth would the software business be today without the pointless, even frivolous, expenditure of effort? Some of you people out there are getting old, and by George, we know we are... ®
eBay buys PayPal

eBay is to buy PayPal for $1.5bn in stock. That's sorted then, or it will be when the deal closes at the end of the year. PayPal conducted its IPO in February - four months ago. Surely the point of that exercise was not to sell up so soon? All that expense could have been avoided by going for the trade sale in the first place. But the capital markets are dead, and PayPal needs eBay: it became the world's biggest web micropayments platform on the back of an exclusive deal with eBay, and 60 per cent of its turnover derives from this auction marketplace. This exclusivity ended earlier this year, and eBay hoovered up stock in Billpoint, a rival payments provider. eBay will now phase out Billpoint at some point. eBay reckons it can save operational costs by combining the two companies - earnings will be immediately accretive on a pro-forma basis (i.e. with the merger costs stripped out). The company also becomes substantially bigger by gaining control of the online payment system. PayPal's Q2 turnover is expected to come in at $53-$54m, while eBay's Q2 revenues, announced today, were $266m. GAAP net income was $54.3m on sales up 46 per cent on the same period last year. eBay attributes the growth to the accelerating pace of US transactions. eBay points to the market opportunities presented by the rest of PayPal's business, but post-acquisition, PayPal's non-eBay turnover may well fall. Its new owner intends to phase out business with gambling sites - 'regulatory uncertainty' is the rationale. PayPal is a tad controversial - it's got jaw-dropping Ts&Cs and it's not very friendly to people outside the US. Also, there are occasional foul-ups, and several states want much closer scrutiny - if PayPal looks like a bank and acts like a bank, then it should be regulated like a bank. ®
Worm blocks access to The Register

Having trouble accessing The Register lately? It may not be your crap porn filter, or the Ebone shutdown spilling over into DNS error reports at several ISPs. You may need deworming. For virus writers have created a worm which, among other tricks, blocks access to El Reg. Gunsan is a mass-mailing worm which infects local drives and network shares. On infected machines, it opens a backdoor that allows a cracker to control the computer using IRC. Gunsan has spread modestly since its discovery late last month. It deletes files needed by antivirus and firewall products (including all files that contain mcafee, softice, numega, antivirus, anti-virus, win32dasm, sophos, catsclaw, claw95, lockdown, symantec, firewall, virusscan, virus-scan, fprot, f-prot, zone labs, or atguard in their path). Gunsan only affects Windows PCs and can cause system instability by deleting important system files. The worm also alters the %Windows%\Hosts file, which the system consults for host name resolution before DNS, so that the names of AV Web sites - and The Register - are resolved to the address of the local computer. It's the first worm we're aware of that stops infected users reading The Register. Gunsan spreads by sending itself along with another e-mail message to all e-mail addresses it collects on the infected machine. Infected messages normally come with a subject header containing a single space character and an infected attachment 'Test.exe'. Users are advised to update their antivirus software to detect the worm and to resist the temptation to open unsolicited email attachments. Bootnote And in entirely unrelated news, a Cambridge, UK company called MathWorks has developed a new electronic horsewhip - called The Register. This "has been developed to allay growing criticism over cruelty to animals in racing. The whip has sensors in its tip that can measure and record each blow, with MathWorks MATLAB technology reading the electronic signals." 
A couple of readers have asked us if this is a tribute to the UK's most popular IT website. We don't think so, but if it is, it's a bloody weird one. We recently came across a sex site called PronPost which is carrying an ad for Reg Recruitment because, the webmaster explains "i like the register... just thought i'd send some traffic your way ;)". Every little helps. ® External Links Write up of Gunsan by Symantec
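The hosts-file tampering described in the Gunsan story above is easy to check for from the defender's side. This is an added example, not code from the article or from Symantec: it parses hosts-file text and reports names that resolve to the local machine without being the normal loopback names. The sample hosts content is constructed, the av-vendor.example names are placeholders, and the host's own addresses are assumed to be supplied by the caller.

```python
import ipaddress
import re

# Constructed sample of a hosts file after the kind of tampering the article
# describes: a news site and (placeholder) AV update hosts pointed at the local machine.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       www.theregister.co.uk
127.0.0.1\tupdate.av-vendor.example  liveupdate.av-vendor.example  # placeholder names
::1             localhost
192.168.1.20    fileserver.corp.example
"""

# Names that legitimately map to a loopback address.
LOOPBACK_NAMES = {"localhost", "localhost.localdomain", "ip6-localhost", "ip6-loopback"}


def parse_hosts(text):
    """Return (address, name) pairs from hosts-file text.

    Comments ('#' to end of line) and blank lines are skipped; a line may list
    several names for one address, separated by spaces or tabs.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = re.split(r"\s+", line)
        addr, names = fields[0], fields[1:]
        for name in names:
            entries.append((addr, name.lower()))
    return entries


def find_sinkholed_names(text, local_addresses=()):
    """Return (name, address) pairs that the hosts file resolves to this machine.

    The worm points names at 'the address of the local computer'; that may be a
    loopback address or the host's own interface address, so the caller passes
    the latter in local_addresses (assumption: obtained by the caller).
    Malformed address fields are ignored rather than treated as mappings.
    """
    own = set()
    for a in local_addresses:
        own.add(ipaddress.ip_address(a))
    hits = []
    for addr, name in parse_hosts(text):
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            continue
        if (ip.is_loopback or ip in own) and name not in LOOPBACK_NAMES:
            hits.append((name, addr))
    return hits


if __name__ == "__main__":
    for name, addr in find_sinkholed_names(SAMPLE_HOSTS, ["192.168.1.20"]):
        print(f"suspicious hosts entry: {name} -> {addr}")
```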
EU calls for open source e-government

A report published by the European Commission is encouraging EU governments to share open source software resources as a way to cut down on e-government costs. According to the study, "Pooling Open Source Software", which was financed by the Commission's Interchange of Data between Administrations (IDA) programme, a kind of software clearing house should be created in Europe in which various administrations could "donate" software for re-use. What's more, the Commission said that such a facility, which would concentrate on applications specific to the needs of the public sector, would also encourage different governments and administrations to re-create already successful e-government services. With the cost of e-government soaring in Europe, estimated to increase by 28 percent to EUR6.6 billion this year, sharing software could help save money as well, the report said. Taking into account the cost that would be involved in localisation, the Commission said "sharing these e-government tools could lead to across-the-board improvements in efficiency of the European public sector." "Good practice is built on proven solutions that work," added Enterprise and Information Society Commissioner Erkki Liikanen. "Software and concrete applications that work in practice are an important element of these. They could be usefully used as a source of inspiration for member states to develop good and interactive public services in the future." Alongside its suggestion that e-government software should be issued under an open source licence, the study also said that a software pooling facility should be made available to EU members which would provide quality guarantees and help resolve questions of liability. These are some of the main issues that inhibit the sharing of e-government developments already, the report claimed. 
"A step-wise implementation of the facility is however recommended, since sharing competence and good practices is more urgent than sharing software," the European Commission said. "More than simply providing software, the pooling facility should thus make available expertise and help create a community of developers, users and policy makers, providing opportunities for increased cooperation, notably in software development and testing." Such a policy could spell good news for Ireland and its e-government programmes, which are consistently ranked as some of the best in Europe and in the world. Last month Ireland's e-government services topped the poll in a European Union benchmarking exercise, for the second time, scoring a total of 84.72 percent, well above the average score of 54.25 percent. The Interchange of Data between Administrations (IDA) programme, the division of the European Commission behind the new report, was created by the European Commission, and is revised each year, as a way to help governments across the EU connect their "back offices" as well as their public-facing e-government services. Last month, many of the recommendations in the study were broadly welcomed at a specialist hearing held in Brussels, the Commission said. For more information on the report or the IDA programme, visit the organisation's Web site. © ENN
UKBetting buys Sports.com's gamblers

UKBetting has swooped on the gambling operations of stricken sports site Sports.com. It's paying £670K - £100K in cash and the rest in assumed debt (of 'no more' than £570K) - for SCG Enterprises, the bookmaking arm of Sports.com. At the same time, Sportsline.com, a one-time major investor in Sports.com, today announced that it had terminated its agreement to license the sports.com domain name to Sports.com and is to sell the URL to an unnamed third party. This sounds like breaker's yard time for Sports.com, in administration since May 31. Through SCG, UKBetting gains 24,000 accounts, of which 9,000 are active - i.e. have placed a bet in the last three months. Most gambling on sports.com is football-related, complementing UKBetting's existing business. Post-acquisition, UKBetting will have more than 100,000 gambling accounts on its books. The company has been heavily acquisitive in recent months, buying TeamTalk.com for £13.7m and two UK sports sites, Sportal and SportingLife.com, bought for £1 and £2, respectively. ®
Tiscali lobs LLU brickbats at EU

European Union reforms designed to extend the availability of ADSL and consumer choice through Local Loop Unbundling are failing. That's the stark conclusion of Renato Soru, chief executive of Tiscali, who plans to tell a Brussels meeting today that Local Loop Unbundling (LLU) legislation has failed to create healthy competition between new entrants and incumbent carriers. Soru argues that it is too expensive for competitive carriers to install their own hardware in exchanges, a necessary part of LLU. Tiscali, which has laid 40,000km of fibre optic cables in Western Europe, wants the EU to do more to free up the wholesale market. "Local loop unbundling doesn't make economic sense," Soru told the FT. "It will cause a lot of disasters in this industry." Last month, BT complained that LLU cost it "millions of pounds" of infrastructure work despite only limited demand. In February, BT announced that there were 200 unbundled phone lines in Britain. BT's criticism can be seen as a reflection of fears that its prized asset is being taken out of its control, but complaints from the likes of Tiscali might prove harder to dismiss. The European Commission, however, remains unmoved by these criticisms and maintains that LLU is needed to give consumers a wider choice of broadband services. The telecoms sector has been particularly hard hit by the current economic downturn, and there are calls to relax regulations because of these financial pressures or to allow freer competition. Describing EU regulations as a "bottleneck for broadband investment", Telekom Austria CEO Heinz Sundt warns that the current regime is failing to encourage innovation and investment in broadband infrastructure, which will leave Europe lagging behind the US. "To achieve this the EU's strategy should be to regulate those markets where competition does not exist and phase out regulation where competition works well," said Sundt. 
Specifically, Sundt believes that the regulation governing interconnection charges - the FL-LRAIC pricing rule (Forward Looking Long Run Average Incremental Costs) - is wrong because it allows new entrants to offer the same services as incumbents without having to invest in building infrastructure. However, the FT reports that EU competition commissioner Mario Monti is unlikely to relax competition regulations, despite these lobbying efforts by carriers. ®
Cracking MS SQL Server passwords

The inner workings of the undocumented pwdencrypt() hash function in Microsoft SQL Server have been revealed in a paper by security researcher David Litchfield of Next Generation Security Software (NGSS). pwdencrypt() creates the user's password hash, which is stored in the main database. Litchfield begins by observing that when it's applied to the same input (foo), it will produce different hashes at different times, from which he reckons, assuming the worst, that the salt must be time sensitive in some way. Salting is normally done to prevent identical passwords producing identical hashes and to strengthen hashes against dictionary attacks. In other words, if a hash weren't salted, it would be easy to hash dictionary words using numerous hash functions and run the results against the hashes found in someone else's password file. Obviously, the less we can determine about how the salt is generated, the stronger the hash becomes. Unfortunately, we now know from Litchfield's simple experiment that SQL Server is using some manner of time-dependent scheme for salt generation. That's more than we ought to know, as we'll see. His next observation is that the time function does not result in a truly random number, which is further bad news. "The time() C function is called and used as a seed passed to the srand() function. srand() sets a start point to be used for producing a series of (pseudo) random numbers. Once srand is seeded the rand() function is called to produce a pseudo random number. This number is an integer; however SQL Server converts this to a short and sets it aside. Let's call this number SN1. The rand() function is called again producing another pseudo random integer which, again, is converted into a short. Let's call this number SN2. SN1 and SN2 are joined to produce an integer SN1:SN2 to produce a salt. This salt is then used to obscure the password." The user's password is converted to unicode with the salt tacked on the end, and this is used to produce a hash with SHA. 
The same salt is added to the password when a user attempts to log in, and the resulting hash is compared to the one on record. If they match, access is granted. Unfortunately, Litchfield says, "the password is then converted to its upper case form, the [same] salt tacked onto the end and another SHA hash is produced." The hash is produced twice, against the case-sensitive password and again against the uppercase form. The uppercase 'version' is obviously a good deal easier to crack; and once we know it, finding the case-sensitive version is child's play. Indeed, there's little point in using case-sensitive passwords on your system if the crypto scheme is going to create hashes from the uppercase version, using the same salt, and then store them. Case-sensitive passwords are an improvement only so long as we're kept in the dark about their uppercase companions. So with that in mind Litchfield ends his paper with a little command-line app which will run a dictionary attack to find the uppercase password for you. The rest of it, any fool can handle. Thus security through obscurity fails again. ® Related Link NGSS paper
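As an added illustration, not code from Litchfield's paper or from Microsoft, the following Python reconstructs the scheme exactly as the article describes it (clock-seeded PRNG salt, one SHA hash of the password as typed and one of its uppercase form under the same salt) and sets it beside a hardened form. The SN1:SN2 byte layout, SHA-1 standing in for "SHA", 16-bit truncation for "converted to a short", and Python's random in place of the C runtime's rand() are all assumptions made for the demonstration.

```python
import hashlib
import hmac
import os
import random
import struct
from typing import Optional, Tuple


def weak_salt(seed: int) -> bytes:
    """Salt generation as the article describes it: the clock value seeds a PRNG,
    two successive outputs are truncated to 16 bits (SN1, SN2) and joined into
    one 32-bit salt. Python's random stands in for srand()/rand() (assumption:
    the numbers differ from the C runtime's, the predictability does not)."""
    rng = random.Random(seed)
    sn1 = rng.getrandbits(32) & 0xFFFF  # rand() result "converted to a short"
    sn2 = rng.getrandbits(32) & 0xFFFF
    return struct.pack("<HH", sn1, sn2)  # assumed layout of SN1:SN2


def weak_pwdencrypt(password: str, salt: bytes) -> Tuple[bytes, bytes]:
    """The two-hash scheme from the article: SHA-1 (assumed for "SHA") over the
    UTF-16LE password with the salt appended, once for the password as typed
    and once for its uppercase form with the *same* salt."""
    typed = hashlib.sha1(password.encode("utf-16-le") + salt).digest()
    upper = hashlib.sha1(password.upper().encode("utf-16-le") + salt).digest()
    return typed, upper


def case_variants(password: str) -> int:
    """How many case-sensitive passwords collapse onto one uppercase hash:
    two choices per letter, so the second hash discards that much entropy."""
    return 2 ** sum(ch.isalpha() for ch in password)


def strong_hash(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Hardened form (added here, not a description of any SQL Server release):
    a 16-byte salt from the OS CSPRNG instead of a clock-seeded rand(), a slow
    key-derivation function instead of one SHA pass, and only the password as
    typed is ever hashed, so no uppercase companion exists to attack."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-16-le"), salt, 200_000)
    return salt, digest


def strong_verify(password: str, salt: bytes, digest: bytes) -> bool:
    """Login check: recompute with the stored salt, compare in constant time."""
    _, candidate = strong_hash(password, salt)
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    # Constructed clock value: two accounts created in the same second share a salt.
    salt = weak_salt(seed=1_025_000_000)
    assert salt == weak_salt(seed=1_025_000_000)
    h_typed, h_upper = weak_pwdencrypt("Secret1", salt)
    # Every case variant of the password produces the same second hash ...
    assert weak_pwdencrypt("sECRET1", salt)[1] == h_upper
    # ... so the uppercase hash hides only this many candidates behind it.
    print("case variants hidden by the uppercase hash:", case_variants("Secret1"))
    s, d = strong_hash("Secret1")
    print("hardened verify:", strong_verify("Secret1", s, d), strong_verify("SECRET1", s, d))
```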
Bloodbath in W.Europe PC market

PC sales in Europe's seven biggest economies slumped maybe as much as 10 per cent in the first half of the year, according to market research firm Context. And it ain't going to get any better in the second half, as "the cost associated with Microsoft's new licensing system is diverting funds away from hardware purchases". Context also notes that large business spending is still "extremely cautious, with many major accounts deferring purchases even longer and choosing to upgrade equipment rather than replace it".

First half

Sales overall may not be quite so bad as the headline figure suggests - Context tracks only sales through the indirect channel - and that means no Dell and under-reporting of white-box system builders. But that's small cheer to the likes of HP/Compaq, IBM and Fujitsu Siemens. Context has assembled provisional figures only for June, so the figures below are all for the first five months of the year, and they are compared with the same period in 2001. Desktop sales were down 14 per cent; mobile sales were down 0.3 per cent, shored up by buoyant retail sales; server sales slumped seven per cent. Business sales fell 13.2 per cent, with desktop sales to business down 16.2 per cent. Mobile PC sales to this sector were down 6.1 per cent. According to Context, small and medium businesses are showing increasing acceptance of white-box system builders. More bad news for the A-brand PC vendors. The retail sector did better than business, almost entirely on the back of "unprecedented demand for low-cost, desktop processor powered notebooks". Sales were down 2.9 per cent overall, but June was a terrible month, with consumers more keen on buying AV equipment to watch the World Cup than shelling out for a PC. Retail desktop PC sales were down 10.2 per cent, but this average is flattered by shipments in January, which recorded a flat year-on-year performance. ®
Dancing at the Microsoft Palladium

Letters

Re: MS to micro-manage your computer

This was a very nice article, with a balanced point of view, but it made no mention of one other player in the DRM game that could be significant. "[Palladium] will live or die by user acceptance"...but this is America, where campaign financing and legalized bribery of public officials are one and the same. Fritz "The Mouseketeer" Hollings (D, Disney) has attempted in the past to make such a DRM scheme mandatory to protect the media industries. He failed once with an absurd bill that would have made DRM mandatory in all electronic devices (yes, even your toaster must not be allowed to inadvertently make pirate copies of the latest pop hit), but Sen. Hollings has also been known to use self-compromise, by which I mean that he submits an absurdly extremist bill so that his next bill, a "compromise" that contains what he really wanted in the first place, would seem quite reasonable in comparison. His next bill, I would guess, would be the much less controversial option of mandating that Palladium be turned on as default, and that it stay on. After all, the technology would already exist to protect our poor, beleaguered media oligopolies, who currently only make money hand over five loosely closed fingers instead of hand over fist; shouldn't we ensure that that technology is used to SAVE them?!? All in all, I see an exquisite little dance (well, as little as you can get with elephantine corporate entities) going on, with the dancers each apparently knowing their steps without having to consult one another. 
The dance goes like this: The RIAA and MPAA send the invitations for the dance party by campaign financing Senator Hollings to get them some mandatory DRM legislation. Senator Hollings begins the dance by demanding absurdist levels of DRM management, thus clearing the floor for the other dancers. Microsoft takes advantage of this to present a move that gives them the dual benefits of improving their security (and image) as well as providing a DRM compliant OS. Senator Hollings then sidesteps over to a more reasonable proposal: if a complete electronic DRM gestapo is unfeasible, how about just in computers? They're the most dangerous ones, after all, and the means are already in place. Microsoft happily flips the DRM switch to on, then waves about its "Get out of Jail Free" card (aka the Son of CBDTPA) and can honestly say "It's not our fault, we were going to let the consumers decide, honest!" The RIAA and MPAA campaign finance Sen. Hollings until he can afford to buy out his opponent in the next election, which might otherwise go a bit bad for him. The consumers (aka almost everybody else) that make up the dance floor will continue feebly begging for the dancers not to aim for their crotches while dancing. The pleas will be ignored...but you can be sure the dancers will have cleats for the next dance. And if Sen. Hollings fails to get his compromise bill into place, MS loses nothing; they still have their patented DRM OS that will probably be more secure than previous offerings, and they can try to sell it to the public like they originally announced. Much good karma, little bad. Do I doubt the sincerity of MS' security division's desire to finally make good? Not really. They don't have to be aware of the overall dance as long as they make sure that their leg doesn't inadvertently kick one of their dance partners or step on the wrong foot. With luck, DRM may die from massive outrage before Sen. Hollings can ram it down our throats, but I'm not counting on it. 
Despite all its flaws and some blatant unconstitutionality, the DMCA was passed and still has not been struck down, and I see a dim future for us when the Son of the CBDTPA reaches the floor. Again, kudos on the informative article.

Jon "Shimatta" Baxter ®
EC disposal rules whack small PC builders

In coming months, the member countries of the EU will enact waste disposal laws conforming with the European Commission's Waste from Electrical and Electronic Equipment (WEEE) directive. The new regime, coupled with more disposal regulations coming down the line, will hit smaller PC makers hardest, according to Gartner. Waste disposal will "raise production costs, reduce margins and accelerate consolidation among midtier and small European PC vendors". Barriers to entry in the European PC market will be significantly raised, handing an advantage to the likes of HP, Dell, IBM, Apple and Sony, which already have recycling and refurb programmes in place. This could have an effect upon US PC manufacturers, which annually export up to $6bn in consumer electronics. "If these manufacturers can’t — or won’t — comply with the directives, that export number could drop significantly," Gartner says. Of course, they'll comply. And of course, the US will - footdragging state by footdragging state - eventually follow suit with producer-pays waste disposal legislation. And of course, PC prices will eventually go up to pay for the additional cost. But who pays for waste disposal now? Overwhelmingly, it's the taxpayer mopping up the mess as obsolete computers are dumped into the municipal waste stream. So no more subsidy for manufacturers and their customers - eventually. Producer-pays comes in a year or two after the WEEE legislation comes into force, during which time taxpayers will face higher waste management costs. So what about the poor little system builder? Gartner argues that companies will need sufficient scale to collect and dispose of waste cost-effectively. We disagree: there are plenty of specialist waste disposal companies, or asset management companies as they prefer to call themselves, which will handle electronics disposal on behalf of manufacturers and system builders. With WEEE rules in place, they might even make some money for a change. 

Gartner's argument about scale reminds us of the fuss when the EC enacted EMC (electro-magnetic compatibility) compliance laws. The burden was supposed to be so harsh that small system builders would go bust. Did they? Well yes they did, but not because of this. Instead, the component makers, such as Intel, did the EMC-compliance work for them.

About the WEEE Directive

Over a period of several years (the timetable depends upon the country), the EU intends to:
a: remove as many 'obsolete' computers as possible from the municipal waste stream
b: dramatically improve recycling and refurbishment take-up
c: make producers/polluters pay for their safe disposal.

A second waste directive coming into force in 2008 will see more restrictive hazardous waste rules applied to "lead, mercury, and cadmium, as well as for chemicals such as flame retardants that show in circuit boards and plastic covers", Gartner says in its research note. Currently the lead in computer monitors is the only part of a PC which is classified as hazardous waste.
Palm ‘mulled Linux’ for next-gen OS

Exclusive

Palm Inc was considering Linux as the foundation of the next-generation PalmOS as recently as last spring, sources tell us. Palm eventually acquired Be Inc's development team last August, but internal discussions on the viability of a Linux-based handheld OS were taking place up to fifteen months ago. These were squashed by the lawyers, who concluded that Palm couldn't reconcile the GPL with the in-house view of intellectual property. "Palm had a Not Invented Here syndrome in spades," a former staffer tells us, and the company spent much of 2000 in a funk; indecisiveness reigned over what should succeed PalmOS. Late in 1999 Palm and Symbian had agreed to base the next-generation PalmOS on Symbian's kernel, promising developers new APIs within months, but the discussions went nowhere. (Going open source doesn't necessarily compromise one's IP, as Mozilla demonstrates. And both Sharp and Samsung have marketed Linux-based PDAs/phones.) But with the board reluctant to pursue the Symbian partnership, throughout 2000 Palm discussed the alternatives. "5.0 then was random stupid tweakings in a development branch that was allegedly 'experimental', and 6.0 involved interminable meetings where staff discussed Linux, other embedded systems." Staff say that management failed to provide technical leadership, and many of the discussions got mired in issues such as endianness ("mostly a triviality", says our source) and whether the next-gen OS would need a modern memory management unit (MMU). This confirms comments made by Palm's then CTO Bill Maggs to us at Comdex in late 2000, when he was adamant that Palm didn't need modern memory management. An astonishing claim, we thought at the time. "Surely any idiot can see the answer in the 21st Century is 'duh, yes!'", says our source. Maggs quit Palm two months later, and wouldn't reply to our request for comment. In August Palm decided new blood was needed, and bought Be Inc's engineering team. 

Palm isn't using the cut-down embedded version of BeOS, BeIA, which was targeted at the NatSemi x86 system on a chip, but a ground-up OS for ARM. Despite withstanding the challenge of a better-funded competitor fielding more capable devices, Palm's technical indecision contributed to the departure of CEO Carl Yankowski only weeks after the Be purchase. "Palm's problem wasn't a lack of Programmer-Gods, it was just the Red Queen's problem: too much to do and not enough engineers." In fairness, both Microsoft and Symbian have had their share of problems, with both companies tweaking their business models amidst constant reshuffles. As we exclusively reported last year, Symbian quietly dropped the prescriptive 'DFRD' approach to licensees in favor of a different approach. This saw licensees get access to the source code, and Symbian pulled out of designing UIs altogether as Nokia took the lead in creating the Series 60 "platform", which runs on top of the Symbian kernel. (Siemens is the first major licensee.) In February founder and CEO Colly Myers resigned. Microsoft has revised its PDA division and roadmap frequently, too, with Steve Ballmer taking charge last year, and subsequent PDA reorgs causing much angst amongst Pocket PC supporters. You see, we treat all disasters equally fairly. But we wondered if we hadn't been too mean to Palm as it reeled around for a viable future OS roadmap. "You once wrote [here] that 'so badly had Palm neglected its engineering obligation under Yankowski, that only recently we were thinking of sponsoring a Black Hawk Down-style rescue mission to pluck the beleaguered engineers out of the Black Hole....' That feels a lot more like what it was like to work there than anything else I've read," says a former staffer. Glad to be of service. It's classic Chaos Theory in practice: a butterfly flaps its wings in Santa Clara (or London, or Seattle), and eventually a tsunami of crap arrives in our inbox. ®
Bugs delay flagship MS phone

The Sendo Z100 has been delayed again, with a spokesperson for Sendo citing integration issues as the cause. The Z100 was originally slated to ship last autumn [Feb 01 prediction], then delayed to the first quarter of this year [Nov 01 prediction] - which we said here might be a touch optimistic - and was subsequently delayed to June [March 02 prediction]. The latest prediction sees it coming in during "September/October", a spokesperson told us today, although industry sources have been briefed that it's most definitely now a Q4 product. "Everything about the form-factor is new - it's testing, testing, testing," explained a Sendo spokesperson. An email sent to Sendo developers last week said SDKs had been delayed for "legal reasons". But sources speak of much finger-pointing between Microsoft, which provides the Smartphone 2002 OS (aka Stinker) for the phone, and hardware manufacturer Sendo, which also provides software applications and the JavaVM. One reason, we've argued here at El Reg, why the phone business isn't like the PC business is that integration involves much more than simply bunging a CD in the post to Dell. (See "Make a Phone, if you think you're hard enough", here.) Although it's a relatively new start-up, Sendo isn't short of very able engineers who know how to integrate software into phones very well, thank you: the company's core employees acquired hundreds of man-years of experience at Philips. Sendo officially denied that delays to the Z100 would cause a roadmap pile-up, and wouldn't comment on the phone's successor. Industry sources say the follow-up device, which was due to ship six months after the Z100, is "about half the size, and very nice". That leaves the Z100 with a small, and shrinking, window of opportunity. ®
Show us the bugs – users want full disclosure

End-users overwhelmingly support the full disclosure of security vulnerabilities, according to a recent survey by analysts Hurwitz Group, which demonstrates widespread frustration about vendor responsiveness to security issues. Based on interviews with more than 300 software security professionals, the report shows that end users overwhelmingly support full disclosure - announcing security vulnerabilities as soon as they are discovered. The end users surveyed for the report are clearly angry that vendors are releasing insecure applications, and then not responding when flaws are detected, Hurwitz reports. "They see full disclosure in public forums and in the press as the only way to force vendors to respond to vulnerabilities caused by poorly written and insecure code. In fact, end users overwhelmingly support full disclosure even if it means exposing security flaws within their organisation that could have a negative impact on their company," it writes. The research also shows that most end users want the information published and many want it published immediately. A full 39 per cent of respondents said that vulnerabilities should be disclosed upon discovery, with another 28 per cent wanting disclosure within one week. The study undermines attempts by vendors, most notably Microsoft, to create a charter for the "responsible disclosure" of information about security vulnerabilities which would restrict the release of information about bugs. According to this line of thinking, disclosure should be delayed by up to 30 days to give software vendors time to patch a system. Openly discussing exploits of software bugs is leading to "information anarchy" and undermining Internet security, according to Microsoft. Three out of four security software professionals disagree, Hurwitz finds. The study indicates a mounting frustration among users about security problems - and the general quality - of computer software. 

Users may soon seek to use the law to punish software vendors for these problems, Hurwitz suggests. In the past, end users have had limited legal options, since product liability laws currently protect software vendors, but this may soon end, Hurwitz believes. "Companies are so angry that they are now willing to take vendors to court," said Pete Lindstrom, Director of Security Strategies at Hurwitz Group. "I think we will soon see test cases in the courts to try to develop some requirements and standards for vendors. It will be interesting to see whether those cases will be successful, and whether standards will ultimately solve the problem for end users." ®

External link: Who's Liable for Security Bugs? Stuck Between a Rock and a Hard Place with Full Disclosure, report by Hurwitz Group
MS ‘retires’ corporate Windows Update in favour of SUS

According to the date on the relevant pages, Microsoft started talking about SUS (Software Update Services) on 20th June, but it's only today we've had the press release from the UK arm. Granted, it might have been announced somewhere else during the past couple of weeks, but it doesn't seem to have made it to the main press release pile at microsoft.com. Which is a pity, because it says here "Formerly known as Corporate Windows Update or Federated Windows Update, SUS is a security patch management tool targeted at small to medium sized enterprises..." So corporate Windows Update is dead, right? As regular readers will recall, The Register regularly gnaws away at the mismatch between Microsoft's drive for direct contact with individual users and the corporate sector's desire to manage its own users, and corporate Windows Update was central to this. With SP1 for WinXP Microsoft will be checking the validity of licences before permitting the service pack to install, but as we pointed out a little earlier this doesn't matter a great deal while corporate Windows Update exists. IT management in major businesses wants to download the updates itself and decide whether or not users should get them, and it does it (did it) via corporate Windows Update. Which is also where you'd go if you wanted to download the software and install it yourself, rather than depend on Microsoft deciding what you needed, and whether you were legal/eligible. Which is a long-winded way of pointing out that SUS, what corporate Windows Update did next, is important. If you go to the site formerly known as Corporate Windows Update, which you will find here, you will find it has "been retired." 

The text looks like it's designed to lead you to believe it was retired in March, but that's not what it says, and although we at The Register are particularly unobservant and dozy by the standards of cutting-edge journalists, we're pretty certain we'd have noticed it said that when we last visited in, er, early June. Down at the bottom it now (it didn't say this in June either) directs you to SUS, the corporate Windows Update replacement. Pop over to SUS (main page here) and you'll find something that presents itself somewhere in the middle ground between the old corporate service and the automated, Microsoft-to-client Windows Update service. IT managers can use SUS as a kind of entry-level automated critical update system, and they can set privileges for individual clients and decide on how they get the updates rolled out, but they've got to do it the Microsoft way, there's a degradation in the amount of control they have, and inertia will surely lead to control being slowly but surely abdicated to Redmond. If you look at Choosing a Security Update Management Solution (and friends, when was it Windows updates became solely about security updates?) then you'll see Microsoft is presenting a choice between Windows Update (non-corporate), SUS, and SMS. So presentationally at least, corporate Windows Update is dead. But it's possible it's not quite dead. You can still follow the link from the old corporate Windows Update site to the Windows Update Catalog (so long as you're running Win2k or XP of course - Win9x is in the pipeline, NT is probably never) and download patches and install them by hand. For how long, we know not. But for XP, we note that all of the critical updates have posted dates of 25th June, while the most recent one was actually issued on 10th February. So "update" is maybe not the right word, and we'd guess this isn't long for the world either. 
® * We can't help noticing that the URLs of the pages we're checking have /windows2000/ in them, which tends to suggest the possibility that people checking with Windows XP might read something slightly (or even wildly) different. We've no idea. The Register can proudly state that it doesn't have a single XP machine in use (well OK, just the one, for the kids to play games on, and it's in a different country today anyway), so we must restrain our paranoia. But if any XP users find markedly different results, do let us know.
