28th > August > 2002 Archive

Nortel axes 7,000 jobs

Nortel is to axe a further 7,000 jobs amid warnings that it will once again miss its revenue target.The company blamed the job cuts on the depressed telco sector, and in particular, on further reductions in spending by service providers in the US. But that will bring little comfort to those hit by this latest round of belt tightening by the telecoms equipment manufacturer. In Q2 Nortel reported revenues of $2.77bn and expected revenues for Q3 to remain "essentially flat". Yesterday, it revised down its forecast warning that it would miss its revenue target by around 10 per cent. The restructuring should be completed by the end of Q4, at which time Nortel will employ around 35,000, less than half the number of staff it had at the beginning of 2000. This latest round of job cuts comes on top of the 3,000 redundancies announced in April. Said Frank Dunn, Nortel president and chief exec: "We continue to see reductions in near term spending plans by service providers especially in the United States." "...the market environment continues to be challenging with lower spending levels than previously expected and a more prolonged industry transition." Nortel maintains it that will return to profitability by the end of June 2003. ® Related Story Nortel reports narrowed losses
Tim Richardson, 28 Aug 2002

HP, Dell ditch MS Works for WordPerfect

Hewlett-Packard is to pre-install Corel's WordPerfect suite on its consumer PCs, a blow to market leader Microsoft. Previously Hewlett-Packard provided Microsoft Works, a reduced version of its productivity suite Microsoft Office, to consumers who purchased new computers. But this week the company said that WordPerfect will now be installed on all HP Pavilion desktop PCs sold in North America from September onwards. The pre-installed Corel software is also a slimmed-down version of the company's WordPerfect Office 2002 suite. The move follows the decision by Dell earlier this month to replace Microsoft Works with Corel's WordPerfect productivity software. WordPerfect 10 and Quattro Pro 10 will be pre-loaded on the Dell Dimension 2300 desktops and on Dell's Inspiron 2600 notebook computer systems starting in September. These systems will be available in North America. WordPerfect 10 and Quattro Pro 10 are also currently available on the SmartStep 200N and 250N notebook computers from Dell. The news should provide badly needed revenues to Corel. The firm had been suffering from losses, slow growth and a lack of direction. Its shares, which traded at USD30 in December 1999, have been halved since the start of 2002 to USD0.89 on Monday in New York. Corel stock has not traded over USD1 since 17 June and the company has received a de-listing warning from the Nasdaq. In its second quarter of fiscal 2002, Corel had flat revenues of USD30.8 million and reported a net loss of USD6.3 million, or USD0.07 per share, meeting consensus estimates but twice as high as last year's losses. Despite its woes, there are two determining factors that have been cited as the primary reasons for the switch from Microsoft products to Corel products. Most importantly, Corel's WordPerfect software is thought to be cheaper than Microsoft's competing Works suite. At a time when both consumers and technology firms are looking to trim costs by any means possible, the lower cost of WordPerfect is an enticing incentive for PC makers. Additionally, Corel is thought to be benefiting from Microsoft's legal troubles. During the recent anti-trust hearings in Washington, PC makers said that Microsoft had been abusing its monopoly in operating systems and productivity tools, and in particular the way it licensed its products to PC makers. Subsequently, Microsoft's anti-trust problems have resulted in more open competition for the pre-installed PC software market. In the last financial year Microsoft generated USD9.6 billion of its total USD28 billion of revenues from desktop software. Microsoft currently has more than 90 percent of the office productivity software market. © ENN.
ElectricNews.net, 28 Aug 2002

ISOC says will not see any .org Revenue

The Internet Society yesterday said that, should it be selected to run the .org domain name registry, no revenue from name registrations will make it to its own coffers. The international non-profit, which promotes internet use in society, said a separate legal entity, the Public Interest Registry will get the money. "There will be no intermingling of funds between PIR and ISOC," spokesperson Julie Williams said. "PIR will be a separate legal entity and isolated from ISOC financially; it will have a separate Board and distinctly separate operations... [PIR] will carry out the registry functions and will have no financial dependence on ISOC, and vice versa." It initially appeared from ISOC's marketing material that funds from registrations in .org (estimated to be roughly $15m per year at current registration levels) would be used to fund ISOC programs. The organization has recently been facing a cash crunch and it was thought .org could help subsidize its work. "ISOC has had some financial challenges the last few years, but we are actually in better financial shape now than we have been," Williams said. "If ISOC were to go under, it would not affect PIR and the registry operation at all since it's a completely separate and self-sustaining entity." However, it remains uncertain whether ISOC will be selected by the Internet Corp for Assigned Names and Numbers (ICANN) to run the domain. The organization's application ranked below others in two analyses of the bidders, and the methodology of a third analysis that ranked it highly has been called into question. The other frontrunners are Neustar Inc (which runs .biz and .us) and Global Name Registry Ltd (which runs .name). The decision is expected to be made before the end of September, and the .org domain will transition to the winner from VeriSign Inc, which currently operates it, before the end of the year. © ComputerWire
ComputerWire, 28 Aug 2002

SCO and Co. shore up UnitedLinux

Efforts to shore up the UnitedLinux effort continued yesterday, with big names joining SCO Group Inc to preach against fragmentation of the open source operating system, Gavin Clarke writes. Lindon, Utah-based SCO wheeled out Computer Associates International Inc, Hewlett-Packard Co, IBM Corp and Intel Corp to argue UnitedLinux's case at SCO's GeoForum conference in Las Vegas, Nevada. The theme: UnitedLinux will attract multinational customers who want a truly worldwide Linux distribution. UnitedLinux's core is destined to be built on technology from Conectiva SA, SuSE AG, TurboLinux Inc and SCO Group. A first version of the OS is due in the fourth quarter, and version 2.0 is expected in the third or fourth quarter of 2003. In bringing out the big guns, SCO sought to distance UnitedLinux from recent bad publicity and growing concern over the initiative's long-term viability. TurboLinux recently sold its Linux business to Software Research Associates, causing jitters. SCO has palmed off its in-house Linux development to SuSE, with 30 Caldera International engineers changing company. SCO this week also dumped its Caldera name and resurrected products and branding of the old Santa Cruz Operation. SuSE, meanwhile, has seen a number of senior executive changes during the last two years. SCO product manager and member of the UnitedLinux board Andy Nagel said yesterday's roll call demonstrates growing support. "The message is clear: the hardware vendors are behind this initiative. Resellers can close a deal and they will have the hardware." Nagel conceded the greatest difficulty has been in attracting ISVs. "Software vendors are going to take more work. We are going to be big on software vendors in coming months," he said. Once reason for ISV reluctance could be perceived clash between the need for both Linux Standard Base (LSB) and UnitedLinux. UnitedLinux will be certified to the LSB for application portability. Pure ISVs were represented yesterday by Computer Associates. Nagel said UnitedLinux provides ISVs a binary standard to write against. "It's possible that at the edge [of a distribution] you may find behavior that isn't covered [by LSB]," Nagel said. He added Connectiva, SuSE AG, TurboLinux and SCO would differentiate distributions against each other by offering additional applications on top of the operating system. In SCO's case this may be Volution systems management. Nagel attempted to further speak-up UnitedLinux, stressing Software Research Associates has given its commitment to continue TurboLinux's support. The four companies have pledged both engineering resources and cash to drive UnitedLinux although Nagel refused to reveal how much money each vendor is contributing. He added UnitedLinux could drive harder once a general manager is hired - interviews have been concluded and an appointment is expected - and an advisory board is appointed to set future direction and strategy. He claimed UnitedLinux would become so strong that even Red Hat Corp would join. Red Hat is the most notable UnitedLinux absentee and - while Nagel claimed the door is open to future discussion - there remains an uneasy tension. "As the initiative continues to build it's going to be harder, and harder and harder to answer the question 'why not'?" He said Red Hat would become compelled to join as UnitedLinux's market share grows. Computer Associates, HP, IBM and articulated their reasons for backing UnitedLinux. Pat Byers, IBM program director, said UnitedLinux means her company can offer two distributions - Red Hat and UnitedLinux - instead of four. "Having a dual strategy is going to be fantastic for a lot of companies like IBM. We can consolidate our requirements and certification and get to market faster," she said. Rick Becker, HP operating system alliances and software vice president, backed IBM. He added the combination of four distributions with presences in North America, South America, Europe and Asia simplifies support. "Our customers have asked us for a common distribution worldwide. They want localization and support - they want to be able to call support in their time zone," he said. "Our goal is to increase UnitedLinux as another enterprise platform," said Computer Associates divisional vice president of strategic business alliances Al Burstiner. IBM believes SCO's 16,000-strong North American reseller community will help the company sell IBM servers into small and medium sized businesses. SCO is renowned for its strong reseller and partner network, specialized in verticals. "We need [SCO resellers]... to get in the small and medium business space," Byers said. © ComputerWire
ComputerWire, 28 Aug 2002

Worldwide server revenue drops 13% in Q2

Worldwide revenue for server hardware dropped 13% in the second quarter, compared to the same period last year, according to the latest figures from Gartner Inc's Dataquest unit. Revenue for servers was $10.1bn during the second quarter, down from $11.6bn in the same period last year. According to Gartner, revenue for the top four vendors shrank year-on-year, with only Sun Microsystems Inc and Dell Computer Corp's market shares increasing. According to the figures, IBM Corp led the market with 29.6% of total revenue. IBM's market share increased from 27.9% in the same quarter last year, even though revenue decreased to $2.99bn from $3.24bn. Hewlett-Packard Co grabbed second spot with 24.7% of total revenue. The Palo Alto, California-based company's market share was down from 27.4% in the same period last year, while its server revenue dropped to $2.49bn, from $3.18bn in the same quarter of 2001. While Santa Clara, California-based Sun's market share increased from 16.6% to 18.4% over the year, its revenue actually dropped from $1.93bn to $1.86bn. Round Rock, Texas-based Dell's market share increased to 7.2% from 6.5% in the second quarter of 2001, while revenue dropped from $754m to $727m. © ComputerWire
ComputerWire, 28 Aug 2002

A whisper of a hint of a light at the end of the IT spending tunnel

Research from Aberdeen Group has hinted at a recovery in IT spending, after user firms said they were planning to increase their spending in the second half of the year. A survey of Aberdeen's user advisory panel indicates that IT executives planned to increase spending by nearly 4% over the next six months. This compares to a forecast decline of 1.4% in February of this year. Additionally, the Boston, Massachusetts-based market analysis and positioning firm's research also found that year-on-year revenues among the top 20 IT suppliers declined only 3.5% in the second quarter of 2002, which represented the best performance of the last five quarters. It is too early to say whether the market has turned a corner, or merely swerved temporarily. Even though some IT vendors are registering nominal growth in certain sectors, the IT market as a whole is not displaying any sustained positive growth. Perhaps a plausible explanation is that the market has hit 'rock bottom', and is now bouncing upwards, giving the impression of the start of a sustained recovery. But ComputerWire believes that it will be well into 2003 and even 2004 before the market returns to double-digit growth. For the time being, the findings of Aberdeen's research essentially mirrors the overall state of an economy that is slowly, but erratically, clawing its way towards the light at the end of the tunnel. © ComputerWire
ComputerWire, 28 Aug 2002

HP hits Q3 targets, shoots for same in Q4

Carly Fiorina, chairman and CEO of Hewlett Packard Co, is probably not breathing a huge sigh of relief now that the merged HP and Compaq has hit the financial targets that the company set for its fiscal third quarter of 2002, Timothy Prickett Morgan writes. After all, HP saw revenues decline by 11% to $16.5bn and posted a $2.5bn loss, thanks in large measure to a $1.6bn restructuring charge and $1.4bn in merger-related costs. This is not a lot of fun. But it sure beats not hitting the financial targets that the top brass sets, which is something that Fiorina experienced when she first took the helm of HP a few years ago. No matter what excuse HP might have had in this trying time in the IT market, Fiorina would be under fire today if HP had not hit its targets. "Throughout our first 100 days, we've kept our eye on the ball," Fiorina said yesterday in a conference call with Wall Street analysts. "We're hitting all our integration milestones and are on track to meet our second-half targets. The top 50 contracts we won in the quarter totaled $2bn in new long-term revenue, and we exit the quarter with almost $12bn in cash and equivalents. While we have more work ahead, given the tough economy and a major integration, we did well." She also said that HP had only $8.1bn in debt, most of which is associated with its captive financing arm. Like other vendors in tough times, HP talks to Wall Street in pro forma results that remove the effects of inventory write-downs, acquisition and restructuring charges, legal fees, and a whole slew of things that make financial results messy. Just for the record, HP posted pro forma earnings from operations of $533m in the quarter, up from $352m for the combined HP and Compaq in the third fiscal quarter of 2001, and had pro forma earnings of $420m or 14 cents a share, up 31% from the $320m or 11 cents a share a year ago. While there is some credence to the idea that you have to look at how a company's core business is performing in isolation from the tumult caused by mergers, acquisitions, and charges, the fact remains that HP lost 67 cents a share in the quarter according to accepted accounting principles. Such losses are real, and they affect how companies behave and how their customers, competitors and credit rating agencies treat them. Fiorina said that HP had made 4,740 cuts to the payroll in fiscal Q3, which ended July 31, and that another 1,760 employees had been given pink slips in August already, which means that the company is on track to remove 10,000 people from the payroll by October 31, the fiscal year end for HP. HP had 153,500 employees at the beginning of the third quarter. HP's president and chief operating officer, Michael Capellas, gave a breakdown of HP's revenues by segment. The core Imaging and Printing group posted revenues in Q3 of $4.7bn, up 10% from $4.3bn in the same quarter last year. Thanks to the announcement of new imaging products with lots of features that are being snapped up by customers, this group saw earnings from operations rocket up to $813m, up from $343m in last year's fiscal third quarter. HP is in the midst of a several month rollout of some 50 new printing and imaging products, part of a $1.2bn investment HP has made in this area to take on Lexmark, Canon, Kodak, and other competitors. Sales of the PhotoSmart photo printers more than doubled in the quarter, all-in-one printer sales were up 59%, and LaserJet revenues were up 14%. Sales of imaging and printing supplies were up 19%. Sales in the Personal Systems unit were down 20% year over year to $4.8bn, and HP posted a loss from operations of $198m (which was better than the $372m loss from operations in the same quarter last year for the combined HP-Compaq). Capellas said that consumer PC spending was down 21% and that corporate PC buying was down by 15%, but because direct PC sales improve profits, he was encouraged by the fact that 18% of the company's PCs were sold directly to customers in the quarter; drilling down, he said that 26% of PCs sold in the Americas were done on a direct basis and that 53% of commercial PC sales in the U.S. were direct to customers. HP's losses were quite a bit worse in the Enterprise Systems group, which saw its earnings from operations go from a slim $17m on sales of $4.8bn of servers, storage and related software in Q3 2001 to a loss of $422m in this year's third quarter on sales of $3.8bn. Capellas conceded that it is in this area that HP faces the most integration challenges, but as he correctly points out, has the greatest chances of attaining synergies and profits if it can convince customers that the combined roadmaps HP has created for its many server lines dovetail with their own long-term strategies. He also said that part of the 22% decline in revenues in the Enterprise Systems unit was undoubtedly the result of customers evaluating its roadmaps. But it is also true that companies are shifting to low-cost servers and away from big ticket, high profit Unix machines that have been the flagships of the Compaq and HP server lines before the merger in these tough economic times. In the Business Critical Server unit, which is comprised of PA-RISC, AlphaServer, and Tandem machinery, sales were off 31% in the quarter due to the weakness in the telecoms and financial services markets that are big buyers of Unix servers and in Japan, which is seeing its economy soften further. He also said that HP's Unix business was historically strong in Europe, and that the weakening European economy was impacting server sales and lengthening sales cycles. That said, unit shipments of the high-end Superdome PA-RISC servers were up 9% in the quarter. Sales of Intel-based servers in the Industry Standard Server unit were off 18% in the quarter, and even with the retiring of the NetServer line, HP reckons that it only lost one point of market share in the quarter. Storage sales were off 15%, which HP said was significantly better than the 31% decline in sales that rival EMC Corp posted in the same period. "Clearly, these results are unacceptable," said Capellas, indicating that HP would be chopping costs in this organization to bring it in line. But later in the call he seemed to think HP had the problem under control. "I do think we will see a rebound in our Unix business in Q4 and we will gain share in industry standard servers. I am not going to predict profitability, but you will see improvement in the current quarter and in the next quarter." Revenues in its services segment were off 7% to $3bn, driven down by declining demand for consulting and integration services and a modest decline in maintenance fees, which seems to be as much a result of the depressed sales levels in the past two years in the server market as it is caused by customers retiring old kit and consolidating onto fewer servers. Companies also appear to be cutting corners on IT spending by cutting back on services levels for the computers. Still, the services unit was able to pull in $275mn in earnings from operations, down from $384m for the combined companies a year ago. HP's financing arm made up the remaining $510m in revenues and a loss of $24m before taxes. As always, Wall Street wants to use blue chip companies like HP as a barometer for the economy at large, and analysts pressed HP's top brass to be prognosticators. Chairman Fiorina, like other executives at IT companies, didn't take the bait. "We are not economists, and we have difficulty predicting the future. Many of us had been hoping for a rebound in IT spending in the second half of calendar 2002, and this is clearly not happening." HP's chief financial officer, Bob Wayman, said that the company is anticipating that revenues would be up somewhere between 4% and 6% in the fiscal fourth quarter and that gross margins would hold more or less steady in the 25% to 26% range even with intense price competition, a mix of less expensive printers, declining Enterprise Systems sales, and other factors because of the cost cutting and synergies that are the driving force and the result of the HP-Compaq merger. "The bottom line is that there are a lot of variables impacting our results going forward, some which we can control and some which we cannot. That said, we are happy with consensus estimates." And that, presumably, is about as good as anyone can expect in the IT market these days. © ComputerWire
ComputerWire, 28 Aug 2002

KaZaA poisoned with salted files?

Is there a conspiracy to flood the KaZaA file-sharing network with bad files? In recent weeks, several Reg readers have told us of a growing pattern of 'looped', incomplete MP3 files (posing as full tracks) being offered for download on KaZaA.com. In other instances, songs are intentionally misnamed. One reader had to download 63 tracks, and then sort through the salted and mislabelled files in order to successfully download all the songs from an album containing 12 songs. A spokesperson for Sharman Networks, the firm behind the KaZaA service, told us it's had few complaints about the issue, nor has there been a disruption of the KaZaA Media Desktop software. Although there are some posts about the problem on bulletin boards and on Usenet the issue is better described as an irritant rather than something more serious. That said, some people feel strongly about the issue, and conspiracy theories are circulating that the Recording Industry Ass. Of America (RIAA), is trying to cause KaZaA to "implode with bad files". The antipathy of the RIAA is well documented through numerous lawsuits and attempts to sponsor bills which would legalise hacking attacks by copyright holders against P2P. Those laws haven't passed yet; and this, combined with our distrust of conspiracy theories, leads us elsewhere in the hunt for the P2P Saboteur. It's a pissed-off rock star what's to blame. Our money is on Elton John, but others point the finger at Radiohead's Thom Yorke. Managing high speed servers passes the time between TV appearances, after all. ® Related Stories Worm spreads through KaZaA network, again Copyright vigilantes ride P2P shotgun Altnet wakes up as worm spreads through KaZaA KaZaA collapses under Rambo-style lawsuits KaZaA ruled perfectly legal
John Leyden, 28 Aug 2002

Felt-tip marker hack for copy-protect CDs ‘completely neutralized’

Israel-based Midbar Tech announced yesterday that 10 million CDs using its Cactus Data Shield technology have been released in Japan, bringing the total number of music CDs using the controversial copy-protection utility to about 30 million. Coincidentally, a Japanese entrepreneur is credited with the 1962 invention of the versatile writing instrument called the fibre- or felt-tip pen. Marjie Hadad, Midbar spokesperson, said the CDs, which implement the CDS-200 protection scheme, will play on computers - unlike previous CDs released with Midbar's CDS-100 technology, which caused myriad difficulties for PC users who attempted to play purchased CDs in their computers' CD-ROM drives, as well as in DVD players and car CD drives. Windows users had the fewest problems; by installing a special utility included on the copy-protected CDs their PCs were able to play the music. The copy-protection technology works by using "proprietary electronic circuits and software algorithms" to alter the data on the CD, making it unreadable by CD-copying software. Midbar says that while the data is altered, the audio quality remains "perfect." The last spate of copy-protected CDs spurred some down-home ingenuity, producing a deliciously simple method of circumventing the technology which aims to prevent CD owners from making any copies, including those for personal use only. The method involves the use of a black felt-tip marker pen, with the ink carefully applied to a specific portion of the CD in order to "prevent the prevention." But Hadad says that won't work anymore. "Though the felt tip marker issue was never considered a universal hack, Midbar did add a feature in the last version of the CDS-200 that completely neutralizes even the remote possibility of its success." Midbar's Web site promotes three different levels of copy protection. Its CDS-100 release is apparently purposely designed to prevent any kind of computer playback. This release has been reported to cause severe problems with Macintosh computers - some users reported that the CDs utilizing CDS-100 copy protection caused CD drives to lock up, rendering the drawer unopenable and the computer itself unbootable (although some sources say Midbar's effect on Macs was not so extreme). Bug or feature? You decide. The CDS-200 release allows playback, and although as Hadad says, it is not intended to allow a felt-tip hack, a grassroots effort will surely soon be underway to test that claim. Japan's Pentel, Inc., once known as the Japan Stationery Company, is credited with the invention of the felt-tip marker back in the mid-60's, and a company representive assured us that production levels are more than adequate to cover any increased demand as a result of the millions of copy-protected CDs flooding the market. CDS-300, scheduled for release some time in 2002, will work with downloadable music services, to prevent data streams from being copied by the user. Among the companies in Japan using the Cactus Data Shield technology are Toshiba, Pioneer, and Memory-Tech. © Newsforge.com. Related link CD Warning labels in use Eurorights.org has compiled this instructive list, as part of its "Corrupt Disc - Inferior Audio" campaign. Related story Marker pens, sticky tape crack music CD protection
Tina Gasperson, 28 Aug 2002

Lamo bumped from NBC after hacking them

How did a mediagenic hacker like Adrian Lamo get himself bumped last week from a scheduled appearance on the NBC Nightly News with Tom Brokaw? Perhaps with his impromptu on-camera intrusion into the peacock network's own computers. The vagabond hacker known for his drifter lifestyle and his public forays into large and poorly-secured corporate intranets sat down at a Washington D.C. Kinko's laptop station earlier this month with a freelance NBC news producer to show-off his particular style of hacking -- the 21-year-old typically uses little more than an ordinary browser, possessing an eerie knack for finding undocumented Web servers and open proxies at large organizations. That method has gotten Lamo deep into the electronic infrastructures of such companies as troubled telecom giant Worldcom, Internet portal Yahoo, and most recently the New York Times, where last February he exploited lax security to tap a database of 3,000 Times op-ed contributors, culling such tidbits of information as Robert Redford's social-security number, and former president Jimmy Carter's home phone number. But unlike most intruders, Lamo eventually goes public with his discoveries, and offers to help those he's hacked tighten their security pro bono -- an offer that's been accepted by several of his corporate targets. So far Lamo's managed to avoid prosecution, though federal officials in New York are believed to be investigating him for the Times hack. Lamo says NBC was taping him at Kinko's while he demonstrated security holes in a telecommunications company's systems, when the interviewer asked him if he'd be successful hacking NBC. Five minutes and one guessed password later and Lamo was surfing the television network's private messaging system and an affiliate scheduling application that included internal memos and information on advertising rates. Screen shots of the hack provided by Lamo and reviewed by SecurityFocus Online include a page from an NBC vendor database with the network's trademark "living color" peacock and the warning, "All information contained on this Web site is to be held in the strictest confidence," in all capital letters. "It was a very full service system," recalls Lamo. The videotaped intrusion was rushed onto the NBC Nightly News schedule, where it was slated to run last Thursday. But it was abruptly yanked off the schedule at the last minute. NBC News' spokesperson didn't return repeated phone calls on the segment, but a source close to the production, speaking on condition of anonymity, says network lawyers pulled the plug on the Lamo package out of concern that NBC might have acted improperly in filming the hacker committing computer crimes for the sake of the camera. Legal Pitfalls? The hacker says he wasn't coerced into doing anything illegal, and that he'd have likely wound up at the same Kinko's cracking corporate networks even without the camera crew -- an assertion that few who've met Lamo would dispute. But former federal computer crime prosecutor Matt Yarbrough, now an attorney with Fish & Richardson, says NBC's barristers did the right thing anyway, given broad federal conspiracy and computer crime laws. "If I was their lawyer, I'd be concerned if they were sitting there filming it," says Yarbrough. But the attorney adds that spiking the story may not entirely solve the problem. "Arguably, the crime has already taken place whether they air it or not." It's not entirely clear what that crime would be. Other journalists (including this reporter) have observed lawbreaking for the purpose of reporting on it, and Lamo's intrusion into NBC's systems may not have been illegal to begin with, since the producer arguably gave Lamo permission to proceed. As for the telecom company, "It's not aiding and abetting a crime just because you had an appointment to get together and be shown," says Jennifer Granick, director of the Center for Internet and Society at Stanford Law School. "Apparently, he already has access to these systems, so it was something he was able to do, and was inclined to do, and the reporter was just watching... Being witness to somebody else breaking the law is not itself a violation." But Kelly McBride, an ethics instructor at the Poynter Institute, a journalism research center, calls the taping "borderline lawbreaking," and says NBC News should have checked with their legal department before shooting, and found another way to tell the story if necessary. "If the journalistic motivation is to show the public how easy it is or how vulnerable we all are... it's a good story and it's one of holding powerful people accountable," says McBride. "Maybe they should have just talked to the lawyers first. It's not like this is so urgent that they have to get it on the air, it's not the Pentagon Papers. ... A little front end work to identify the pitfalls would have made it a good story." For his part, Lamo, who's not known for shrinking from controversy, charges the network with a failure of courage. "I can understand where they're coming from," says Lamo, in a telephone interview from somewhere on the East Coast. "But I like to think that in their place I'd take more of a risk." © 2002 SecurityFocus.com, all rights reserved.
Kevin Poulsen, 28 Aug 2002

Internet anonymity for Linux newbies

One of the most attractive things about Linux is the number of installation options one is presented with and how tempting it is to customize. But for a newbie, in terms of Web security and PC hygiene, that's also the worst thing about it. The fact is, Windows is easier than Linux for a casual user to make fairly secure, whereas Linux is easier than Windows for a power user to make very secure. For most home PC users, fairly secure is perfectly adequate, and that's what we'll be concentrating on below. In a week or two I'll get into details for power users, but for now I'm going to concentrate on a particular presumed reader: a home user who's fairly new to the Linux desktop, who's using a packaged distro, and who's not intimately familiar with PC security -- a 'recovering Windows user', let's say. Fortunately, Linux is a wise investment; you already have, or can easily find for free, virtually everything you need to make it secure. There's no need to buy hundreds of dollars' worth of security utilities and services, though you do need to learn how to use what you've got. But before we get to the Internet security matters promised in the headline, we have some housecleaning to do. Options up the butt For those just getting started with Linux, it's easy to end up with a number of unnecessary services and daemons running, some (not all) of which may make your box less secure. You've got IRC servers, telnet servers, print servers, font servers, mail servers, remote admin servers, Web servers, FTP servers, you name it. The installation options can be overwhelming; and if you're new to all this, it's a safe bet that you've got a few things going that you're not even aware of. The first thing I'd recommend is running a security scanner like SAINT or Nessus, which are typically packaged free with many distros, against localhost. This can reveal a number of things you never imagined you had available on your machine. Most distros also have some sort of GUI control interface which will make it reasonably easy to turn off what you don't need. With SuSE, the distro I prefer, this is called the 'runlevel editor', available via the YaST2 control center. It likely has the same or a similar name in the distro you're using. Alternatively you can have a look at /etc/init.d and peruse a list of what's being loaded (just make sure you know exactly what these scripts do before you start editing or deleting). Shutting off unnecessary services is the most basic first step in tightening up your machine, so take a good look at what you've got, and get rid of the extraneous nonsense. If you don't know what something is, Google on it and get hip. Users are safer One simple thing you can do to avoid remote compromises is to stay off the Net when you're in the root account. Running IM and IRC clients as root is positively self destructive. Ditto for opening mail attachments and HTML mail as root. By choosing Linux you've already made yourself a lot less likely to get infected by a worm or virus or a malicious script than a Windows user, so be sure to maximize that advantage. Do all your on-line business from a user account, and save the root account for off-line tweaking and tinkering. Of course this discipline means little if your file permissions are sloppy. There are lots of commands you can issue from the shell which are relevant here, but since we're assuming a relative newbie, we'll try to avoid too much of that. For those interested in what's possible from the command line, I recommend the book "Linux in a Nutshell" (pun apparently intended) from O'Reilly Publishing. It's an excellent desk reference of shell commands. Of course, just by typing a command followed by --help you'll get the same information, but it is nice to have it all compiled in a handy hardcopy form. There are a couple of ways you can set permissions with the GUI and save yourself a lot of repetitive typing. One is to use Krusader or Nautilus and simply right-click on a directory, and go to 'properties'. If you're root, you can make sure that user a can't access user b's files. But don't go wild here: there are numerous directories, config files, executables, etc., that users need access to for Linux to run properly. If you're at a loss to select which directories and files need strict permissions and which don't, then your distro probably has some sort of interface with a menu of pre-set rules which you can choose from and apply globally as root. This will usually be called something like 'security settings', and the options will usually be named something like 'easy, secure and paranoid'. 'Secure' is probably as far as you need to go. Chances are this will forbid root logins except via the command line, so it's best to get all your tinkering done beforehand in the root GUI account, where things are more familiar to recovering Windoze users. After that, you'll have to open a shell or supply the root password to the distro's 'control center' from your user account. This is definitely the right way to run a Linux machine so long as you're basically satisfied with how it's set up. In many households, several people may have user accounts on the same box. Consider carefully whether these people are friends, or mere flatmates and acquaintances. If you're using a machine you don't own, then you have to ask yourself whether or not you trust the owner. If you don't trust root personally, then don't use his kit for anything you wouldn't document and publish freely. Root knows everything you do on his machine. Worse, and far more likely, he may be a well-meaning idiot who maintains a totally insecure machine connected 24/7 to the Net. Conversely, if you are root and the box is shared, make sure you trust the people using it. Giving a user account to someone you're sketchy about is a security risk, much like leaving them in your office or bedroom unsupervised. They may know more than you about how to compromise a machine from within, which is a lot easier than compromising it from without. The best thing to do with a shared machine is to encrypt files you want to keep private. So get familiar with GnuPG. Just remember that root has access to your private and public keys, and can run a keystroke logger on the box and get your crypto passphrase. So as I said, if you don't trust root, don't use his machine for anything private. Period. Is he a mere acquaintance? Is he a loyal little soldier of your employer? Then screw him. Crypto is useless in that situation. Ditto for all computer equipment you use at work, in public libraries, or Internet cafes. On the other hand, if you're the machine's owner and you trust your users, or you're a user and you trust the owner, then you should encrypt, though you must be careful to choose a strong passphrase: a nice, long one combining upper and lower-case letters, numbers and special characters. Use a phrase that's easy to remember but extremely difficult to guess or bruteforce. I recommend using a short, grammatically-valid sentence that makes no sense, like 'sleazy bricks applaud sideways'. Now misspell some of the words and substitute characters in a way that's easy to remember, so it looks something like this: 'sl33Z1E bR1@k$ apPL4ud s!d3w^yz'. Note that we've substituted numbers and special characters that, at least vaguely, resemble the letters they're standing in for to make it easier to memorize. You should also make a backup of your GPG keys and revocation certs, and store that on removable media in a safe place. It's also a good idea to submit your public key and, if ever necessary, your revocation cert, to a keyserver. If you don't know what I'm talking about, then follow that GnuPG link above and start reading. This is a good thing, and it's free. Use it. Your account passwords, especially the root password, should be long and hard, and you should use MD5 encryption for them and set a time of ten or fifteen seconds between unsuccessul logins to prevent brute force and dictionary attacks (you'll find these options in the 'security settings' interface). Don't use a root password of fewer than ten characters, and always combine upper and lower-case letters, numbers and special characters. But since there are a number of ways into any machine, the most important thing of all is your crypto passphrase. Put the time and effort into devising and memorizing one which, like our example, is very troublesome to crack. And make sure you have strict file permissions on the .gnupg directories. Only root and the specific relevant users should have access. Hygiene Every computer collects files the way a kitchen drawer collects junk. Over time, many of these become irrelevant, yet they may contain information one would like to keep private. A good rule of thumb is, never encrypt when you can wipe. The last thing you need is a directory full of useless, irrelevant files. This only makes it more time-consuming to manage sensibly the ones you do need. Go through your personal files regularly and use a proper wipe utility to erase the ones you no longer need. Understand that deleting is nothing; to get rid of a file you have to wipe it. Those files you wish to archive should be encrypted and copied to a separate directory or removable media, and their originals wiped. The easiest way to do a proper wipe is using Krusader or Nautilus and selecting 'shred' instead of 'delete'. Another notorious junk collector is the Linux swap partition, a holdover from the days when RAM was expensive and difficult to buy in fat chunks. It's possible to encrypt it, but probably a bit over the top for a primer like this and certainly a performance damper. A simpler approach is to do away with it. I'm running a 2.4.18 kernel with 512MB of RAM and no swap partition, and I can't detect any performance hit. Indeed, if anything the system runs better than it did. If you can afford it, and nowadays it's easy, I recommend strapping on extra RAM and just not swapping memory to disk. You never know what's going to end up there, or how long it's going to remain. Crypto programs are supposed to protect memory blocks used and not swap them out. So what? Are you absolutely certain there's no way the designers the program you're using could have made some obscure mistake which in turn could leave traces of crucial data in the swap file? I didn't think so. The IP battle zone Now you've purged your Linux box of unnecessary daemons, you've set your file permissions sensibly, you're working happily from a user account, and you've got encryption protecting your digital sanctum sanctorum. It's time to protect yourself from worms and rootkits and malicious sites and evil scripts and the on-line pestilence of kiddiots trying to break into your box and Web merchants who couldn't secure a bowling ball much less your personal data on their lame II$ machine and nosey Feds and incompetent ISPs and so-called 'Trust Authorities' who have idiotically sold digital certs to hackers. Maybe you should buy a hardware firewall, or an Intrusion Detection System (IDS), or an e-mail virus scanner, or an anonymous proxy service? Or maybe you should just use your head and stop worrying. Here's how: There are two things you need to have, and two things you need to do. The first thing you need to have is a packet filter, otherwise known as a firewall. Well, you've got one: in the 2.2.x kernel it's called ipchains and in the 2.4.x kernel iptables. The frontends are called Bastille on Mandrake (which adjusts other security options as well) and SuSE Firewall-2 on, what else, SuSE. (Most everyone can use Bastille, by the way.) I don't play with Dead Rat, so you guys will have to figure out what yours is called. Now configure it and shut off everything unless you're running a server (and if you're a newbie you really shouldn't be doing that just yet). The next thing you need to have is a proxy. Quite simply, a proxy is a remote machine through which you connect to the Net, which forwards your IP traffic, and which you then appear to be originating from. When you contact a Web site via an anonymous proxy, it's the proxy's IP which shows in their logs. There are huge lists of free public proxies you can use, but most will be dead by the time you find them. Just Google on 'free proxy list' and you'll find them easily, for what that's worth. I like a Socks proxy when I can get one because they're non-caching and a lot of IP clients support them. But they're very hard to find and they never last long. Once they start getting popular the admins always figure out why their bandwidth use is going through the roof and pass-protect them. Bastards. On the other hand, HTTP Proxies can be chained for additional Web anonymity. This is accomplished by constructing a URL thus and copying it into your browser's address field: http://firstproxy:portnumber/http://secondproxy:portnumber/ http://thirdproxy:portnumber/http://www.destination.com There are no spaces in the above configuration. This can be done in addition to any proxy you've loaded in your browser normally with its setup options. Take a look at this older article, related to Windows, in which finding and using proxies is elaborated. The information is fairly general, and may well be of value to a Linux user. Because public proxies are uncertain, this is one area where spending a bit of money may be worthwhile. Anonymizer.com has a proxy service which uses SSH tunneling, which, unlike most security services, is IMHO worth the investment. Here's how it works: you use SSH (Secure Shell) to log in to Anonymizer's proxy server. This means that your ISP can't sniff your traffic to the proxy effectively because it will be encrypted. Once you're on the proxy, everything you send and receive from it will be anonymous. Only Anonymizer.com will be able to associate you with the data you've sent and fetched. That's not perfect, but it's not bad. They have a serious financial interest in protecting your anonymity. I would assume that they'd only respond to a court order signed by a judge. If they blow that, and it gets out, they'll be out of business in a haeartbeat. Unfortunately, they have little in the way of Linux support available, but through trial and error I've managed to use this service successfully. You can forward ports to the Anonymizer proxy and use SSH tunneling for your HTTP, FTP, POP and SMTP clients. The way to log in is by busting out a root shell, logging in as root, and typing [ssh -2 -L 80:cyberpass.net:80 -L 25:smtp.yourmail.com:25 -L 110:pop.yourmail.com:110 cyberpass.net -l yourpass] where yourpass is your pw on the Anonymizer proxy at cyberpass.net. Now you need to set up your e-mail client and browser to use these forwarded ports. For the browser, in proxy settings, enter a proxy of localhost and a port of 80 for HTTP and FTP. In your FTP client, do the same. In your mail client, in 'network', enter localhost and port 25 for SMTP and localhost and port 110 for POP. Now you should be cool. Ah, but as for your IRC client, pray. You can select an HTTP proxy, but it probably will fail. My favorite Linux IRC client is Xchat, but it returns the error, 'proxy traversal failed' when i use it in conjunction with the Anonymizer HTTP proxy. I e-mailed the x-chat guy z@xchat.org and/or zed@xchat.org asking for insight, but he or she neglected to reply. Perhaps you should email them too and ask what's up. On the other hand, ICQ seems to have no problem with this, if you're using Gaim, for example. IRC will fail, but ICQ will accept the proxy. That's a good thing -- not a perfect thing, but a good thing. Once you've got this proxy set up and running with SSH and port forwarding, you can use your browser with the Anonymizer Web proxy and their anonymous e-mail for an extra layer of distance from the Net. I've been using the service for several days now, and I like it. That's all I'm saying. Whether you should too is not my call. There's one item causing me some concern which I must reveal. While surfing the Net with an SSH connection to the Anonymizer proxy at cyberpass.net, with Java and JavaScript disabled in my browser, but not using the Anonymizer Web proxy, I found that ShieldsUp at grc.com and its mighty nanoprobes were able to get my true IP address because there's no SSL support so far as I know. For browsing I can always use the Anonymizer Web proxy, fine. But for the rest of my services I want to know that the SSH proxy alone is secure. After experimenting with it for a few days, I'm not confident that it is. Nevertheless, I like it. I just don't trust it completely, and neither should you. So much for the two things you need to have. Now let's discuss the two things you need to do. The first thing you need to do is disable Java and JavaScript in your browser, and HTML rendering in your e-mail client. Unlike Windows, Linux makes this easy. It will leave you safe from a vast number of malicious scripts. From time to time it will be necessary to enable Java and Javascript for access to certain Web sites. Turn it on when you need it, and turn it off when you're finished. Think of it as a tax on your Internet security. Always keep it off unless you need it, or use a Web proxy which supports it. The second thing you need to do is shut off your modem when your box is not in active Internet service. There are reasons why you might want to leave the machine running 24/7, all right; but there's no reason to leave it connected to the Net when you go away on holiday. We satirized the PathLock Internet timer; but that doesn't mean there's no reason to disconnect from the WibblyWobbly when it's of no use to you. Make it a habit. As for your browser, run it tight. Don't allow Java and JavaScript except where necessary; don't allow the browser to save form-data; don't allow it to save passwords to important sites like your bank. Wipe your cookies, browser cache, URL history and typed URLs regularly. Never add a child-porn BBS to your bookmarks. Get my drift? Paranoia without anxiety It's healthy to be paranoid, but grossly unhealthy and quite unnecessary to be riddled with anxiety. By using common sense and layers of protection, you can make yourself an unattractive target. By being paranoid in a healthy way, I mean quite simply that you must never trust anything. I definitely don't mean 'be afraid'. There's a whole anti-virus and computer-security indu$try devoted to frightening you with constant reference to imminent threats to your on-line privacy and integrity. It's very much in their financial interest that you be frightened at all times and that new threats surface regularly to revive that profitable public-anxiety as older threats fade into memory. Who gives a shit about Melissa? Phear nimda... And all the while, the word these parasites throw around most often is 'trust'. I'll pay fifty dollars US (no shit) to the first Reg reader who forwards me an unedited press release from a security vendor in which the word 'trust' is absent. But here's the truth -- the kernel of the security industry's filthy little secret: the only reason you're vulnerable is because you trust. So for God's sake stop doing it. Don't trust your firewall; don't trust your proxy; don't trust crypto; don't trust SSL or SSH; don't trust your software vendor; don't trust files you get from anywhere, including your friends and 'official' download sites; don't trust patches; don't trust your file-wipe utility. Hell, don't trust me. Trust only what you're absolutely certain of. In the past month or two we've seen a back-doored version of SSH; we've seen that SSL, universally trusted for secure Web transactions, is vulnerable; we've seen a PGP plugin for Outlook that coughs up your passphrase, not due to a flaw in the algorithm or cryptosystem, but because the application is susceptible to a buffer overflow. We've also seen a man-in-the-middle attack against PGP and GPG. You've got three layers there, algorithm, cryptosystem and application, any one of which might be broken in any number of ways. Do you know how to spot a flaw in a complex piece of software like that? I didn't think so. And then of course there are key loggers, packet sniffers, Trojans, rootkits, and the 0-day remote exploits which only a handful of people know about and for which there are no patches, and for which there may never be any patches. Stop the insanity By all means use security utilities, but never trust them fully. Layer them, apply common sense, and always assume that no matter what you do, there will always be several ways to compromise your privacy and security. The whole game is to leave the smallest footprint possible on the Web, never to trust other people's equipment, and to make your box a pain in the neck to crack so that ninety-five per cent of attackers will simply move on to one of the millions of easier targets hooked up out there. But be assured that nothing will make a compromise impossible except keeping your computer in a locked, heavy-duty vault with no Internet access, which of course is no fun at all. But to compute and to surf the Web without anxiety, there's an easy answer: simply refuse to trust your machine, any network whether local or remote, any security device or service, any crypto scheme, any Draconian laws against hacking, any ridiculous claims of 'Trustworthy Computing', any shiny digital certificate, any 'Trust Authority', any local client, or any remote host with any scrap of data you simply can't afford to lose control of. Now you're paranoid in a healthy way, and blissfully free from anxiety. Your computer, his network server, their shopping cart -- these things aren't the digital equivalent of bank vaults. So don't listen to the marketing-department drivel about how 'secure' these things can be made. Never -- absolutely never -- treat these things as if they were the digital equivalent of bank vaults, and move on and enjoy your life. You'll find that the air smells fresher, that food tastes better, and that you wake every day with more energy and confidence than you've had in years. If you're sensible and cautious, applying the common-sense suggestions we've just considered, the odds against getting compromised will be very much in your favor. But just remember that, regardless of the odds, it's mad to wager something you can't afford to lose. Your credit-card number is no big deal: your total liability is fifty bucks and you can get a new one in a week or so. Your credit card number, Social Security number, name, date of birth and address packaged all together is a far greater worry, so never give out more information than absolutely necessary to complete a transaction. Never allow merchant sites to store such information. If they insist on it, do business elsewhere. Don't let your browser save form-data, or passwords to important Web sites like your bank. Use a packet-filter and a proxy. Wipe your browser history, URL history, page cache and cookies regularly. If your browser doesn't make all of those steps easy for you, use a different one. You've got the power of the Penguin behind you; you've got alternatives. Shop around for a good browser. Personally, I like Mozilla. That doesn't mean you have to. On a laptop, don't save any logins or passwords, not even to your ISP or POP or SMTP accounts. Enter them all manually. Don't bother with encryption; there's no need for it because you should assume that the box is going to be lost or stolen at some point. Never put anything on it which you can't afford to lose or permit someone else to see. Think of it as a Manila folder worth a couple of thousand dollars. That's about how secure it is, about how universally useful it is, and about how tempting it is to thieves; so for God's sake, don't treat it like a portable safe. It's nothing of the sort. Here again, the security indu$try is likely to do you far more harm than good if you trust in their laptop 'phone home' schemes and data scrambling technology. When the box finally grows legs, the company has got your money, and some repulsive little sneak-thief has got your machine. Guess what that makes you? That diary of your years as a junkie; that map to the 'rainy-day' cash you buried in the back yard; those early, fumbling moments of sexual exploration with your first cousin -- keep that sort of thing in your head, or on hard-copy in a bank's deposit safe, but never on any digital medium or device. Unless, of course, you wish to share it with the world. Trust nothing, fear nothing. Now tighten up that machine, get on-line, and relax and enjoy the ride. ®
Thomas C Greene, 28 Aug 2002
Broken CD with wrench

Oracle cleans up pricing act

We popped over to Oracle's Web site today to take a gander at the Software Investment Guide, designed by the database giant to clarify its arcane pricing. We were directed to the following url http://www.oracle.com/corporate/pricing, which yields nothing more than a 404 error message. No, it's not a database problem, or first day nerves - the company says it will put the guide on the Web on the week beginning September 2. So why the press release now? We must then take the company at its word when it says: "By releasing this Software Investment Guide, Oracle becomes the only major software vendor to provide comprehensive guidelines regarding its global software pricing and licensing." If you are an enterprise software company, getting criticised for pricing policies goes with the territory. And with reason. Time and again enterprise software licensing rules seem to draw upon seigneural rights for their inspiration, as opposed to anything so mundane as a contract drawn between equals. The most aggressive software company of all, CA, created a reign of terror with customers, whenever it bought a new software company - which was often. Its salesforce deployed an iron fist in an iron glove when it came to contract enforcement, particularly if companies exceeded their per-seat arrangements. But that was then:now we have a kinder, gentler, cuddlier, pro forma accounting CA. Microsoft has always been kind and gentle, but it too is learning the ways of a proper enterprise software company. And that means making the customer pay until the pips squeak. There's a new game in town, Licensing 6.0, with plenty of heckling from the sidelines. But few will bet on Microsoft losing, when it owns the field, the goal-posts and the rule book. And Oracle? Larry Ellison, the squillionaire founder of the company, still needs stock options to get out of bed of a morning. Someone's got to pay. And that someone has got to be the customer. Unfortunately, the company run by the world's richest underdog/folk hero/fighter pilot/über yachtsman has this year come under intense scrutiny for its imaginative pricing policies. In March, Meta Group argued that Oracle users should take legal action to block the database giant from renegotiating some license fees. Oracle fought back, asserting that Meta's complaint concerned just a very small number of customers which had been incorrectly licensed. But the same month Gartner accused Oracle of "forcing customers to choose the most expensive licensing option, attempting to pre-sell more licenses than customers need and forcing customers to pay more than is necessary for data sourced into a data warehouse from an Oracle database". The research firm advised clients to "get two proposals from Oracle based on per-user and per-processor licensing, perform their own audits to validate Oracle claims, seek immediate legal and purchasing advice about the legality of any extra Oracle charges, and if possible renegotiate contracts with the company". OK, so they're analysts. Much more serious damage was done to the database firms reputation in April, when the Great Oracle California Gold Rush became public. Oracle had signed a 10-year contract worth $93m with the California state government. This deal, signed without ever going to competitive tender, was supposed to save money. In actualité, the California tax payers were - correction, would have been - screwed to the tune of tens of millions of dollars for charges based on unfeasibly high volume-usage projections. The Great Oracle California Gold Rush was big, big news in the US: the lesson that Oracle appears to have drawn from the debacle is to be kind and gentle with the customers. In public anyway. The Software Investment Guide is a small start. It is always helpful for customers to know what they are paying before they are paying for it. (Clarity does not necessarily mean lower costs - Oracle firmed up prices with the introduction of online price lists in December 1999, removing most of the ability of the salesforce to negotiate on price, according to this ZDNET article.) Customers can always go elsewhere - even with very big databases. Oracle is no longer the only mega-database player in town as a resurgent IBM peddles DB2 for all its worth. According to Gartner, IBM regained the lead in the enterprise database market for the first time in several years, with a market share of 34.6 per cent to Oracle's 32 per cent. Oracle disputes these figures. ® Related stories Sue Ellison, analyst tells Oracle users Oracle disputes analyst criticisms of overcharging Gartner warns of 'inappropriate' Oracle sales tactics Microsoft: breaking with licensing tradition
Drew Cullen, 28 Aug 2002

Canada preps Internet snoopers charter

The Canadian Government has published proposals to increase law enforcement powers to monitor the country's citizens online. A consultation document published last weekend by the Canadian Department of Justice contains proposals that would compel ISPs to hand over the names and addresses of customers to the police on request, curtailing rights to remain anonymous online. Changes in Canada's Criminal Code widen police search powers, require ISPs to retain customer Web logs for up to six months and (less controversially) to outlaw possession of computer viruses are also proposed. There's also a blueprint for how ISPs should make their networks wiretap friendly, paving the way for legislation along the lines of Britain's much criticised Regulation of Investigatory Powers Act or Communications Assistance for Law Enforcement Act in the US. Under the proposals, ISPs and mobile operators would be forced to shoulder the bill of having black box interception equipment installed on their networks. Ostensibly the changes bring Canada's laws into line with provisions adopted by The Council of Europe Convention on Cyber-Crime, which (due to Canada's status as a permanent observer) it feels obliged to adopt. Critics doubt the necessity of this or whether it would bring any benefits in fighting crime. On the face of it the proposals look like the standard law enforcement Internet powers wish list, which is been re-packaged throughout the Western world as a way of fighting terrorism post-September 11. Comments on the Canadian DoJ's Lawful Access consultation document can be sent to la-al@justice.gc.ca by November 15. Laws based on the proposals are expected to follow by early next year, so now might be the best time to put in your two cents worth. Aloutte, je te plumerai So will Canadians fight back? Yesterday's sensational story about Kerry the Goose, reveals heartening evidence that some people from this fine country are prepared to take pot-shots at Big Brother surveillance. Kerry, a Brent goose, was fitted with a £3,000 electronic transmitter to chart her migration across the Atlantic via satellite. After travelling 4,500 miles from a Wildlife Trust in Gloucestershire, England she turned up not at mating grounds - but in an Inuit's hunter's freezer on Canada's remote Cornwallis Island. (OK, so it's summer, but do the residents of northern Canada need freezers?) The BBC has more details of this wild goose chase. ®
John Leyden, 28 Aug 2002

25m use DSL worldwide

More than 25 million homes and businesses around the world are hooked up to DSL, according to the latest stats from analysts Point Topic. The figures show that the global take-up of DSL grew by 7 million (36 per cent) in the six months to the end of June despite ongoing industry and economic uncertainty. Asia Pacific continues to lead the market with four out of ten of all the world's DSL subscribers, followed by North America with 26 per cent of global subscribers and Western Europe (25 per cent). In South Korea, a quarter of all phone lines are hooked up to DSL, making it the number one broadband nation in the world and the place where broadband is truly a mass-market service. It's followed by Taiwan (11 per cent penetration), Hong Kong (10 per cent) and Belgium (8 per cent). Canada comes in at number five, Germany at seven and the US at 17. The UK fails to make the top 20. Said Tim Johnson of Point Topic: "These figures show that there continues to be a robust demand for broadband. Even in the midst of economic slowdown and telecoms crisis, DSL rollout is still going ahead at a high rate." ®
Tim Richardson, 28 Aug 2002

ADSL registration cheats don't prosper

Broadband cheats have been warned not to fiddle BT Wholesale's broadband pre-registration system. The scheme - launched earlier this summer - allows people to register their interest in broadband even if they live or work in an area currently not wired up for ADSL. The theory is that if enough people register their interest (around a third of the UK is unable to access ADSL) BT will upgrade their exchange for broadband enabling them to hook up to high-speed Net access. However, it seems some people have artificially inflated the figures by adding names and addresses from the phone book in a bid to get their exchanges upgraded in double-quick time. ADSLGuide reports that exchanges at Todmorden, West Yorkshire and Westhoughton, near Bolton, have had their numbers reduced following an investigation by BT Wholesale. It seems those monitoring the pre-registration scheme became suspicious when they noticed large jumps in the numbers of people registering their interest in ADSL. However, even if these bogus entries had gone through and the exchanges had met the trigger point for upgrade, three quarters of those who registered would still have to make a firm order within six weeks before BT would splash the cash and DSL-enable the exchange. A spokesman for BT said: "The scheme only works if registrations are turned into firm orders." ®
Tim Richardson, 28 Aug 2002

UK clamps down on IT work permits

Tech workers from overseas will find it harder to obtain UK work permits, following the government's decision to remove all IT jobs from its shortage occupation list. The change to so-called Tier One Fast Track Visas (FTV) takes effect on September 1. Work Permits (UK), the government agency responsible for awarding work visas, said it made the change following a meeting of representatives on the ITCE sector panel on August 21. The panel took soundings on the state of the IT job market and unanimously agreed to end tier one applications. It will reconsider its decision in three months time. Overseas workers can still apply for permits under Tier 2 regs, but this involves a resident labour test. In effect, applicants will need to demonstrate skill of a high order. To say that IT contractor organisations and web sites are pleased is an understatement. Gerry Mclaughlin, MD of NamesFacesPlaces.com, a vociferous opponent of FTV, described Work Permit (UK)'s decision as "sensationally good news for contractors and all IT folk". According to Mclaughlin, between 30-50 per cent of the UK's 100,000 contractors are out of work. Hmm, we have seen self fill-in web surveys compiled by the Professional Contractors Group (PCG), among others, which claim such a level of unemployment, but it seems extraordinarily high to us. Anyway back to Gerry's figures, compiled with a little help from Contractor UK. Around 10% of the UK’s permanent IT labour force was laid off last year, he says, equating to around 30,000 IT employees and the the same number of contractors. Around 37,000 Fast Track Visa workers have been given these tier-1 Work Permits in the past 3 years. According to ContractorUK.co.uk the Government issued 15,888 FTVs - to IT workers, we presume - in the last 12 months, compared with 21,000 for the previous two years. ®
Drew Cullen, 28 Aug 2002

Einstein fends off Reality Distortion Field

Ever since the launch of the G4 line, Apple has used the phrase "faster than light" to describe the new CPU. Until yesterday, that is. Following the publication of this satirical piece, Apple changed the blurb for its new dual-processor PowerMacs from this to this... [You can click on each thumbnail to enlarge.] We'd have preferred a hybrid: Faster than Soup!", but for now, this must do. Apple readers have explained how the company began to use this absurd description. "The inital 500MHz G4 cranked a theorical 2.7 Gigaflops, so each instruction takes less than 1/2,700,000,000 seconds to process. The speed of light is 300,000 km/s, therefore light travels 11.1 cm during each instruction cycle... Now, how far back do you sit from your monitor? More than that I hope. So while the computer computes, the light from your monitor does not reach your eyes, hence their 'faster than light' claim. Silly but cute." explains JF Paradis. Alternatively:- " Electrons normally travel through wire (and silicon) at roughly 1/3 the speed of light. But in a processor the electron stream is split into multiple paths so that various parts of the chip can be doing different things at the same time. This means that the total distance by traveled by electrons per unit time is in fact much much greater than the speed of light. QED." Thanks to Peter Beery. Several of you wrote to correct our interpretation of the Special Theory that "to travel faster than light requires an infinite amount of energy" " No it doesn't. It states that to accelerate to the speed of light requires an infinite amount of energy, he mentions nothing about travelling faster than the speed of light, he just implies that for this to be possible the object wanting to travel at this speed would have to be created already travelling at that speed...." writes Rob Walter. John Bridges made the same point. " The idea would be that if they could get the pulse to race around faster than light, then they could keep distant parts of the chip in tighter sync. For the details of what kind of conditions they need to create for that do a search for "anomalous dispersion". This would be useful for clocks, but useless if you wanted to actually move information around. For instance sending bits to and from memory is, as far as our physics can tell, limited in speed by Einstein." adds Ben Tilly Scott Friedland is amongst several who think we taking liberties. Well of course we were. But the fact is, he writes:- " Quantium motion is the typical motion of all particles through space. It is comprised of a series of descrete instantious (or effectively instant) jumps from one position in space to another. The events which appear to be FTL are actually situations were one or more quantium jumps are superlarge - big enough to measured in our world - instead a few particle diameters a few inches or a few feet - they are both allows under relativity and instant. This doesn't violate Einstein, rather it makes use of an exception that he himself noted - e.g. the theory of relativity is about normal (e.g. small) quantium motion at high speeds, not about the quantium motion. "This situation more closely resembles what Einstein was describing in his theories. It is a major turn in quantum physics - a whole generation of theoretical thinking is going out the window. Or, to put it another way, one which Einstein would have liked, if a tree falls in the forest it does make a sound. And, the state of the cat is independent of the observer. "Einstein said that faster than light motion is impossible, he also said the instant motion isn't covered under his theory. Both have been observed." The funniest observation came from North Carolina:- " You mention that Apple's faster-than-light speeds would allow time travel," writes J Greenberg of Winston Salem, NC. " Perhaps that's their corporate strategy for dealing with Moto's ongoing violation of Moore's law?" " Using my new 'faster than light' Dual Ghz PowerMac G4, I was able to have already read this article a day early. Excellent writing! And I can tell you the stuff you are going to write for tomorrow is absolutely fantastic!!" Bob - flattery will get you anywhere. However Apple still has ambitions to rewrite physics, however, as Simon Linsey pointed out. This page contains the phrase:- "Combined with a new system controller, L3 Cache, DDR-SDRAM and Mac OS X Jaguar, the dual Power PC G4 chips in every new Power Mac G4 seem to bend the space-time continuum [our emphasis] to deliver results almost before you ask. For Walt Mossberg, the space-time continuum bends into ecstatic shapes with every Apple Computer he gets sent to review. But the rest of us just have to close our eyes ... and dream. ®
Andrew Orlowski, 28 Aug 2002

Win2k SP3, the ‘snooper’ licence, and the workaround

We've had quite a few emails from Windows 2000 Service Pack refuseniks who propose not to go anywhere near SP3 on the grounds that the installation insists you agree to the new-look Microsoft 'snooper's charter' supplementary licence in order to apply it. The critical clauses seem to be becoming standard for Microsoft products, and although they can be presented as helpful/necessary for updates, they could also be used for DRM purposes, and provide cover for more widespread snooping. Naturally, you wouldn't expect a trustworthy company like Microsoft to abuse the rights it's unilaterally giving itself by deigning to fix the product it's already sold you under less onerous terms, would you? Have a think about it while you read through these two paragraphs: "By using these features, you explicitly authorize Microsoft or its designated agent to access and utilize the necessary information for updating purposes. Microsoft may use this information solely to improve our products or to provide customized services or technologies to you. Microsoft may disclose this information to others, but not in a form that personally identifies you. "* The OS Product or OS Components contain components that enable and facilitate the use of certain Internet-based services. You acknowledge and agree that Microsoft may automatically check the version of the OS Product and/or its components that you are utilizing and may provide upgrades or fixes to the OS Product that will be automatically downloaded to your computer." And you can see the Windows Update end of the deal if you look here, provided of course you haven't already used the IE-hiding capabilities of SP3. If you have, no matter, it says it's collecting: "Operating-system version number and Product Identification number, Internet Explorer version number, Version numbers of other software, Plug and Play ID numbers of hardware devices." What though, can you do about this? Well, you can join the refuseniks and carry on at SP2 level, hoping that you won't get pranged by a supplementary EULA through some vital security update or because some future product declines to run without SP3. But refusenikery does ultimately lead to abandoning Windows, presuming that new products will have similar or worse licence agreements, and presuming you don't propose to run Win2k SP2 for the rest of your life. Or you could just install SP3 and console yourself with the thought that the legal enforcement of a shotgun EULA via a Service Pack would be even more impossible than the enforcement of the original EULA. Software licence agreements in general are shot through with ridicululous plop that the vendors would have trouble making stick, and as has been argued round here before, some parts of them are even illegal. Or you could just install SP3 without agreeing to the supplementary EULA. How do you do that? We're glad you asked. Ordinarily we try not to get to close to encouraging or helping people to crack software, but we think this case is a tad different. As we said earlier, SP3 is to a great extent an exercise in fixing bugs in something you have already bought, and it is an outrageous imposition (OK, we didn't say that earlier) for Microsoft to seize more rights for itself as a condition of those fixes being applied. A helpful tipster directed us to a cute product called Enabler, which you will find here. Enabler is one of a number of handy things on this worthy site, and seems to do quite a number of handy things itself. But what it does that's important from the point of view of people wanting to install SP3 is allow you to click OK after you've checked "I do not agree" to the supplemental EULA. Note that you use it at your own risk, don't blame us if, etc (insert draconian Register EULA here). This, seeing you're in too much of a hurry to read the instructions, is how you do it. Run Enabler, then start the SP3 install. Click on "I don't agree" when you get there. The OK box is grey, right? OK, go to Enabler, and scroll down until you get to the entry for Windows 2000 Service Pack 3 Setup Wizard. Double click on it, expand the tree then go to the entry that says &Next> (Button). Right click on this, and click on Enable. Now return to the SP3 Wizard, and you'll magically find you can click on Next even though I do not agree is checked. Wonderful, isn't it? And as far as we can figure out you're not doing anything wrong either. Well, not much. It does say above the supplementary EULA that to continue with setup, "you must accept the agreement." So Microsoft's lawyers could argue that you're not licensed to use SP3 because you haven't agreed. Which is approximately the same territory as the wording in the WinXP EULA which says you're not licensed if you don't activate it in the approved way (so you could have paid for the product, but by using a workaround for product activation you'd be invalidating your licence anyway). Microsoft's lawyers are not going to come after you for warezing a service pack, and we doubt very much they'd come after you for installing a copy of WinXP without agreeing the licence (NB we don't know if Enabler would allow you to do this, and we're not about to reinstall XP again today just to find out). So you're probably in the clear anyway? Well, not exactly, because if you've installed a Microsoft product without agreeing to Microsoft helping itself to data from your machine, then legally speaking it's your move. You may be in breach of your licence agreement, but Microsoft will be helping itself to this information anyway despite your not having given it permission to do so. So you're going to have to sue. Good luck. ®
John Lettice, 28 Aug 2002

MS yanks free Web TTFs

Font abusers have spoiled a good thing and caused Microsoft to end free downloads of their TrueType fonts for the Web, the company says. An announcement and discussion thread at OSNews prompted a more in-depth story from ExtremeTech, which quotes a Redmond rep fretting that MS has "found that the downloads were being abused -- repackaged, modified and shipped with commercial products in violation of the EULA." The un-named rep points out that most people who want the fonts already have them. Thus the only people likely to be affected are those moving for the first time to certain free-software solutions which the new MS licensing regime may be making more attractive than they've previously been. The MS TTFs have been used widely by open-source users to improve the appearance of fonts under X, which isn't the best, truth be told (not that this would ever lure me back to the Mothership). While building FreeType it's possible to enable anti-aliasing for TTFs, which makes them very pretty indeed -- far nicer than any open-source fonts I've ever used. Many Linux distros have a utility for downloading the fonts from MS, but these no longer work. So what's a tuxer to do? Well I just happen to have a Windows image on my slave HDD (I need to verify worms, viruses and malicious scripts from time to time, after all), so I installed them on my Linux drive from the fonts directory there. If that's not convenient, it shouldn't be too long before several dozen archives appear on the Web, or some enterprising coder hacks out a little import application that will extract them from your friend's Windows CD (hint). Ultimately, this is probably all for the best. While it's undoubtedly irritating to see a much-appreciated resource coldly and suddenly withdrawn by the Beast merely to make alternatives to its licensing extortion less attractive, it's high time that the open-source community got serious about developing some really handsome fonts. A bit of warning certainly would have been appreciated so that plans might have been laid; but no one can rely on something merely granted, or expect the Beast to refrain from any behavior it reckons might disrupt open-source development. ®
Thomas C Greene, 28 Aug 2002

How to defang Win2k SP3's auto updating

Last week we told you how to install Windows 2000 Service Pack 3 without having to agree to Microsoft's all-new 'we can steal your stuff but we're not going to, honest' supplementary licence. We accepted at the time, of course, that the exercise was essentially frivolous, in that you'd probably be in breach of your licence agreement anyway if you circumvented the new Ts & Cs, and because just circumventing it wouldn't do anything to block the activities you objected to. But hey, you could feel good about yourself, even if nobody else knew and you had no proof that you'd actually stood up and been counted (by yourself) for not checking that 'agree.' Naturally, we've had some queries from the more rational section of the readership who don't particularly care what they agree to, but do care about being snooped on and/or having some maniac updating their machine without so much as a by your leave. So, for the benefit of these holdouts, here's how you stop the features added by SP3 doing their business. Go to Start, then run services.msc. You can also do this via Control Panel, Administrative Tools, Services. Find Automatic Updates, and change startup type to disabled. Then run gpedit.msc, the group policy editor. Go to User Configuration, Administrative Templates, Windows Components, Windows Update. On a fresh installation with SP3 applied this will show up as not configured, and somewhat counter-intuitively, in order to remove access to Windows Update, you enable it. Notice in passing that it's tagged Remove access to use all Windows Update "featues," which we presume is one they can fix in SP4. The explanation is as follows: "If you enable this setting, all Windows Update features will be removed. This includes blocking access to the Windows Update Web site at http://windowsupdate.microsoft.com and from the Windows Update hyperlink on the Start menu and also on the Tools menu in Internet Explorer. Windows automatic updating is also disabled; you will neither be notified about nor will you receive critical updates from Windows Update. This policy also prevents Device Manager from automatically installing driver updates from the Windows Update Web site." In English, this means you'll have to seek out patches and security fixes yourself, and install them by hand. But you don't mind that, do you? Back in Services, you may also want to switch Background Intelligent Transfer Service to disabled. Its default seems to be manual, but if it did get started you might not necessarily like it, as the explanation indicates: "Transfers files in the background using idle network bandwidth. If the service is stopped, features such as Windows Update, and MSN Explorer will be unable to automatically download programs and other information. If this service is disabled, any services that explicitly depend on it may fail to transfer files if they do not have a fail safe mechanism to transfer files directly through IE in case BITS has been disabled." By browsing through Services and Group Policy you'll find several other things to get paranoid about (e.g. remote registry manipulation). Fiddle with these if you like, we didn't tell you to, so don't blame us if you break something. Lastly, go to the Start menu, right click on Windows Update, and delete it. Yes, you're sure. OK, as far as we can figure out you're now all set. Incidentally, business users will frequently find they don't have to agree the new licence terms anyway. If SP3 is applied as part of a slipstreamed install, which is a pretty common procedure in business, then the new licence isn't installed either. We think this is a clerical error rather than Redmond leniency. ®
John Lettice, 28 Aug 2002

Why computer fonts are so valuable

LettersLetters Recently I posted an article lamenting MS' sudden withdrawal of its previously free TrueType fonts for the Web, and complaining that this leaves *nix users in a lurch for truly handsome fonts to use in X. Shortly thereafter Reg reader Mick Dimmick sent me an excellent e-mail memo describing just how difficult and time-consuming it is to create a superior font, and perhaps offering justification for the Beast's decision. And if not, it certainly shows what open-source coders are now faced with. ® Bear in mind that by copying the fonts from your Windows folder you will, as usual, be breaking the terms of the license. Producing a font is a huge amount of work -- and there are (or can be) copyrights involved at two levels. In the US, there is no copyright in the actual outlines of the letters -- this is a deliberate exception to copyright law in the United States, intended to promote free press, I believe. However, in the UK and Europe, the actual design of the characters (the typeface) has copyright. In all countries, the digital program that reproduces the typeface is considered copyright material. This means that in the US you can produce a new font file containing another person's character designs, and still claim copyright in that file. Designing a typeface is extremely hard work. It can take days or months to draw out (sometimes by hand, although a number of professional typographers now draw their outlines directly into Macromedia Fontographer, the most popular program for producing fonts) all the outlines, producing a consistent whole. Digitisations of handwriting typically take less time. Then it's common to refine the curves and try to minimise the number of points used in each glyph (a typographer's term for a particular character shape; more than one glyph may be mapped to each code point). Minimising the number of points tends to reduce the size of the font file and increase the rendering speed. The number of glyphs needed is often more than people expect, too. A basic ISO-8859-1 character set (for US, Canada, Australia, New Zealand and Western Europe) contains around 220 glyphs. About another 100 or so are required for Central Europe, more are required for the Baltic countries, Cyrillic for Russia, Serbia and other Slavic countries and a number more for Greek. Admittedly a lot of those are basic Roman characters with diacritics (accents) but the exact positioning of the diacritic can be tricky -- and it can sometimes modify the basic character shape. Chinese, Japanese and Korean become a whole new ballgame -- there are thousands of glyphs. Times New Roman does not include Far East, Hebrew, Arabic, or South Asian glyphs. The very best fonts incorporate different shapes of characters in the same font (many glyphs per code point). Macintosh and Windows offer facilities for developers to discover the additional glyphs available (things like baseline numerals, swash capitals, proper small capitals, additional fractions) and to include them in the output. Highly professional desktop publishing tools often make these available. Once it's all laid out consistently, the next stage is to hint. Good hinting is mainly why the Microsoft fonts are so desirable. The purpose of hinting is to deliberately distort the design of the characters at given resolutions (given as 'pixels per em', where the 'em' is generally the width of the 'M' character -- it's the basic design width of the typeface) so that they produce readable and, ideally, pleasing bitmaps. Producing a good TrueType hinting program is also very difficult. Apparently, when designing the Tahoma font for Windows CE devices, Matthew Carter (the designer) drew out the bitmaps for particular sizes of the font, and Microsoft hinted the font so that those bitmaps were achieved. Unsurprisingly, the best tools are also not cheap - Fontographer costs around $350 (obviously plus any sales tax). Microsoft do provide a tool for assisting with hint programs for free. Most of the fonts which come with Windows and Macintosh, and those in Microsoft's web fonts pack, are/were licensed from other type foundries. Times New Roman is licensed from Monotype, who originally completed the design for the Times in 1932. Arial is also a Monotype license (although it appears to be a modification of one of Monotype's other designs to make it more interchangeable with Helvetica). Tahoma, Verdana, Trebuchet and Comic Sans were all commissioned by Microsoft for various purposes. In each case, they represent a large tranche of work, which, unsurprisingly, the designers want to get paid for - because they're professional designers. And the licenses from the foundries are very explicit - for sale and use with a copy of a Windows operating system only. I suspect that the font pack was withdrawn because Microsoft couldn't guarantee -- and weren't guaranteeing -- that the fonts were only being downloaded and used by licensed users. I'm currently typing this in Bigelow & Holmes' Lucida Console, a derivative of their Lucida Sans Typewriter specifically designed to look good on computer consoles. Now, admittedly, there are some designers/foundries which make their fonts available truly free -- not shareware, and not licensed only to particular operating systems. But they're few and far between -- and they tend not to deal in body fonts, but only in stylistic and headline fonts. A body font needs to be readable above almost all other criteria, while a display font (headline font) can be (almost) as outlandish as the designer likes. But generally, fonts cost -- I'm looking at MyFonts.com, and Times New Roman costs $21 per face -- that is, the Roman (upright) face costs $21, the italic a further $21, etc -- for PostScript fonts containing only English and Western European glyphs. It's interesting that a $139 license of Windows XP Home Edition contains fonts that would probably cost several hundred pounds if purchased separately, isn't it? My personal opinion is that professional typographers are unlikely to produce high quality fonts without financial reward -- and the most popular faces are of course owned by professional type foundries. -- Mike Dimmick
Thomas C Greene, 28 Aug 2002

02 touts games arcade for mobile phones

02, the mobile phone network, launches the UK's first commercial Java games service for phones on Sunday (Sept 1). O2 Games Arcade includes Atari classics such as Asteroids and Breakout plus more modern games such as Men in Black II, Racing Fever and Popstar. It is 'free' to UK customers (with the right handsets) for one month from 1 to 30 September. Suitable handsets include the already-available Java-enabled Nokia 3410 and the Siemens M50 (available from 1 October), with further devices (many with colour screens) expected to go on sale before Christmas. The service is to be available to both post and pre-paid O2 subscribers. Before 30 September, users are charged a download fee of around 30p. Thereafter, games will be charged on an 'event basis' (similar to ringtones) costing around £1.50 per game, plus any necessary download charges. Downloaded games will remain active on customers handsets for at least 30 days and can be played as often as liked during that period. After September, around three new games a month will be added to the O2 games arcade. The service will launch across the other O2 territories (Germany, Ireland and the Netherlands) from October. 02 is launching itself into one of the few next generation mobile services confidently expected to succeed in the short term. Forrester Research predicts that, in three years, 45 per cent of mobile subscribers in Europe will regularly pay to play games on their mobile. Meanwhile, Ovum forecasts that global spending on mobile games will total €4.4 billion by 2006. O2's own research shows strong demand for the games it is offering amongst teenagers. SMS games (driven by The World Cup, Big Brother 3 and the like) generate four million games-related text messages per month over O2's UK network, and the mobile operator hopes bringing pictures, colour, sound and what it describes as an "arcade feel" to mobile gaming will prove to be an even greater money spinner. The company is working with a number of game suppliers and developers, including Motorola, THQ, Digital Bridges, Macrospace, MR. Goodliving, Sumea, Picofun and iFone to offer games from the likes of Atari. O2 hopes its online application developer communities (including 9,000 people registered to sourceO2) will develop future games. ®
John Leyden, 28 Aug 2002

PGP is back!

Phil Zimmermann's PGP is back in the hands of an independent company, after Network Associates agreed to sell the technology it mothballed back in March to a start-up specially created to market PGP. Jon Callas, the former PGP chief scientist, becomes the CTO of the new company, PGP Corporation. Will Price, former Director of Engineering at NAI, becomes VP of engineering. The good news is that the Windows XP and Mac OS X versions of version 8.0 of the excellent PGP Desktop, which were ready when Network Associates canned the division, will now ship in the fourth quarter, according to a company statement. The existing Windows and Mac OS products will be available through the online company store, which appears to be having teething difficulties right now. "We raised $14 million in this challenging economic climate from two top venture capital firms because they believe in the marketplace and in our ability to provide innovative solutions for our present and future customers. We are dedicated to making PGP products so simple they will be used everywhere," said new CEO Phillip Dunkelberger in a statement. Cryptographers will be celebrating the good news in traditional fashion - by firing their guns into the air. ® Related Links The all-new PGP Corporation Europeans can buy it here Related Stories Zimmermann calls for NAI to free PGP PGP dies of neglect - your alternatives How we can save PGP - Zimmermann PGP deep-freezed - NAI shrugs
Andrew Orlowski, 28 Aug 2002

Popular MS download has mysterious vuln

A certain remote root vulnerability in a Microsoft application called File Transfer Manager (FTM), a gimmick for developers, beta testers and volume license addicts (i.e., most of their corporate customers) alike, is not serious and there's almost no chance that some wily blackhat has used it against you. Honestly, you're safe because "Microsoft believes that only a small number of customers actually are at risk." Redmond's FTM is used by beta testers, MSDN members, clients of the Microsoft Volume Licensing Service, and participants in "a small number of other Microsoft programs" to download software from "certain Microsoft sites." "The FTM is only distributed through these programs, but not every member has installed it. Even among customers who have installed it, not all are at risk, as only certain versions contain the vulnerability," the company says. It's the classic MS security-bulletin formula: "The vulnerability is 'important' (never 'dangerous'); you have nothing to fear and no reason to regret trusting us; we have no intention of apologizing for it or even explaining it adequately; now go get your patch, shut up, and be grateful nothing bad has happened." Only this alert went out via e-mail, exclusively to people registered in one of those few MS programs [and I thank the fifteen or twenty of you who promptly forwarded it to me], rather than being broadcast widely to catch the 'certain number' of users whose originally registered e-mail no longer works. Finally, MS thanks Ukrainian researcher Andrew Tereschenko "for identifying the security vulnerability and working with us as we developed a solution." Some truth Actually, Tereschenko has something to add: several interesting details MS decided you'd be better off not knowing. First, we learn that the FTM ActiveX control is susceptible to a buffer overflow while parsing input strings passed via a script to the 'Persist' function. "One of confirmed scenarios is a long (>12Kb) string used as 'TS=' (TransferSession?) value." he writes. "Since the control is signed by Microsoft and marked as safe for scripting it's possible for any Web site to install it (with little warning, or without warning if a user trusts MSFT)." He says the distribution is "medium-high, not a 'small number of customers,'" as MS claims. Secondly, the FTM ActiveX control can download or upload files to or from any local directory via a schedule list without any user interaction. This can be done by setting "TGT=" and "TGN=" params during call to "Persist" function, he says. FTM versions prior to 4.0, which MS urges on users as a fix, are susceptible to a man-in-the-middle attack. The attack is currently unconfirmed because MS has since updated its servers, but there's no reason to believe it wasn't used before then, and there's no guarantee it still cant be used if victims haven't updated their own FTM version. Tereschenko recommends that all users search for TransferMgr.exe inside "%SYSTEMROOT%\Downloaded Program Files" and follow the instructions MS has laid out if the file is found. ®
Thomas C Greene, 28 Aug 2002

The Stuckist Net – what is your post-Palladium future?

"Your paintings are stuck, you are stuck! Stuck! Stuck! Stuck!" - Tracey Emin [to Billy Childish]. The copyright holders who dominate the entertainment oligopolies in the United States could risk ceding the nation's technological lead, once and forever. How so? Well, we now see that the Pigopolists intend to restrict the open protocols of the Internet. If there was any doubt, it should finally have been dispelled on Friday, as Thomas C Greene reported in Media giants demand ISPs block Web sites. We heard it coming two years ago when a Sony executive let on rather more than he should have, promising to block the packets:- "We will develop technology that transcends the individual user. We will firewall Napster at source - we will block it at your cable company, we will block it at your phone company, we will block it at your [ISP]. We will firewall it at your PC," he said. Three months later we exposed the first attempt to copy control OpenPC hardware - CPRM - plans which now seem quite tender now, following the proposed Hollings Act and Microsoft's Palladium. Sony's plans are succeeding splendidly. Explaining his position on a European TCPA last week, Bill Thompson said he'd arrived at the conclusion that a Fritz-chipped, lock-down Palladium was inevitable, as it had Microsoft and Intel on board as willing executioners. I think he's being optimistic. I can envisage multiple TCPAs: the Disney/Wintel version being the first. Quite certainly, a Chinese TCPA will follow, when they discover how useful it is to monitor individual computer users so precisely. TCPAs might not fall across continental boundaries, either. So although Bill's argument was couched as a breakaway, it's really the US computer industry that's making the first break. His is the first European reaction. The computer industry, in an alliance with the entertainment pigopolists is simply filling a vacuum that's been left by people unwilling to engage on a political level. They'd rather be coding, or warchalking, or, heck, doing anything except face the imminent lock-down. (How many articles about warchalking have you read in the last month, compared to articles supporting the real legislation on offer to limit Pigopolist power? Priorities, please ladies and gentlemen.) Now, I actually side with the constitutionalists here - today's DMCA and the courts may one day strike down potential Fritz bills. But by the time that happens, the freedom of changing your graphics card or upgrading your CPU will be a distant memory. The US PC industry is attempting to lock down the PC that's been an open platform ever since Compaq reverse engineered the IBM PC BIOS, and the fledgling cloners turned their noses at Big Blue's MCA bus. And the Internet protocols have, we've always been open since the mid-1970s. Many people at Intel don't like it - Andy Grove has spoken out against it quite eloquently - but if it means losing Intel's dominant position in the United States, or the huge Chinese market of the future, then Intel will Fritz it's chips for anyone who asks. But with the Internet's key routers, and top level domain name registry files physically hosted in the United States, with phasers set to stun, what are the rest of us - stuck with our antiquated regard for open protocols, open source, open PC hardware - to do? How the Stuckist Internet? We'll call ourselves Stuckists. We like open hardware, and we like routers that don't care about the packets that run through them. We'd like to be stuck there. Where will we be in a world of Multiple TCPAs? Well, the first obstacle will be hardware. There's a ready alternative in Linux, which would thrive in such conditions, but Stuckists will need processors. They could clone x86, or license a non-Intel instruction set such as ARM cheaply, or SPARC for no cost at all. That's the easy part. Manufacturing requires huge capital investment And who delivers the bandwidth? Well, if your needs are local, use your Stuckist PC primarily for communication and not for Hollywood-generated content, it's not going to be a problem. While replacing the TLDs with alternative root systems simply requires political consensus Dragging domain names into the issue might seem odd - but it's an instrument of control. Now this might look like a formidable set of obstacles, until your consider two countries that would welcome this as an opportunity: the world's biggest democracy, and the world's most populous country. Both have far more to gain from fuelling a Stuckist Internet than they might by following the Disney/Palladium path. Lamenting the lack of innovation in US manufacturing (it's a Western issue) John C Dvorak wrote: "Over the years we've always been told that the American edge was our inventiveness. But we can't be inventive if there is no necessity. And there is no necessity when there's no competition and everyone is feeding from the same Chinese manufacturing trough." But it's much worse that that. China has the oldest engineering tradition in the world, but most importantly, ensures that many of the manufacturing deals it has struck with Western technology companies have specified intellectual property transfers. It's rather keen on Linux. India also produces excellent engineers, has many English speakers, and is rather keen on Linux too. Both would see this as an opportunity to lead, rather than follow. China's ambitions are the same as Korea and Japan's twenty years ago: they have no intention to serve a low-tech sweatshop for the west. Is this where the post-Palladium technology industry will be centred? I trust Andy Grove will be lobbying hard with this scenario, to ensure that America's technology lead - which it takes for granted today - doesn't go the way of its automobile industry. Finally, remember that the thirst for communication technologies to be open is very strong indeed. But it doesn't always turn out like that. Radio was for several years a two-way communications system, then it became a broadcasting medium, and now ClearChannels own two thirds of all radio stations in the USA. There's a radio ham underground, of course. But are software libre developers, cypherpunks and the rest of us Stuckists destined for the same fate? Hoping and wishing, Candide-like for the best, that TCPA will just go away, isn't really an option. Tell me what you think of the Stuckist Internet. ® Related Stories Bill Thompson answers critics Media giants demand ISPs block Web sites Exemptions exempted in Europe's DMCA Damn the Constitution: Europe must take back the Web The MeatSpace Mailbag
Andrew Orlowski, 28 Aug 2002

Exemptions exempted in Europe's DMCA

The European equivalent DMCA is a done deal, but the implementation of opt-outs could make all the difference in each EU member state. And the United Kingdom is missing out. Section 5.2 of the EU Copyright Directive provides a long list intended to protect cryptographers and academics, and preserve some notional 'fair use' for press and satirists, amongst others. But the UK draft, published last week, has some key omissions. "The Government has given us several but not all of the optional ones," says Julian Midgely, spokesman for the Campaign for Digital Rights. The opt-outs are important: cryptographer Dmitri Sklyarov could not have been prosecuted under the EUCD for revealing details of Adobe's eBook encryption, but his employer Elcomsoft, most probably would have been liable for distributing software to bypass the crypto. Midgely thinks the most onerous requirement is to ask the Secretary of State for access to these exemptions. "It's quite common for an academic to play several samples of music to a class. He or she will now need to write the Secretary of State for permission for each sample, if the music is encrypted. It's ludicrous." The EUCD also makes "providing a service" illegal, which would ensnare academics and publishers too. However, it's not too late to point these out, ever so politely, to the British Patent Office, and start building momentum for a rewrite. The UK draft can be found here, and the consultation process here The battle was lost last year, with the entertainment lobby dominating the argument. Although it's less draconian, slightly, than the DMCA, it rather puts pay to the notion that Europeans are rather better and fighting the Pigopolists than the US, simply because the cheese is better here. (Which it is). Related Link Campaign for Digital Rights
Andrew Orlowski, 28 Aug 2002

Media giants demand ISPs block Web sites

They've sued Napster and Scour into submission; realizing that this is expensive, they've bought numerous Congressional lapdogs to force the DoJ to become their personal 'Copyright 911' so that challenges to their production and distribution monopoly can be hounded down and eliminated at the taxpayer's expense rather than their own; they've lobbied Congress to impose DRM controls on virtually all media and virtually all devices, including your computer; and now, for a final assault on human dignity, the Recording Industry Ass. of America has sued for the right to determine which Web sites you and I will be permitted to visit. Taking a page from the book of totalitarian regimes, the media industry is suing major ISPs, demanding that the foundations of a Chinese-style Great Firewall be laid to protect their precious copyrights, Reuters reports. At issue is the Listen4ever site, which the RIAA whinges is beyond their influence. According to the wire service, the industry hasn't been able to figure out who owns the offending site, and is stymied in its efforts to take action against it. It is therefore necessary for the thieving, rotten little people of the United States to have their Internet access regulated. Of course the Listen4ever site has already moved. Thus it will be necessary to chase it down and amend the complaint. And if one site is banned, then any number of sites can be. And that, more than anything, is the power the RIAA is salivating over. Call this a test case. If it succeeds, the door will be opened for continuing and capricious Internet censorship by an international communications cartel. Defendants include such heavyweights as AT&T, Sprint and UUNET. Plaintiffs include Vivendi, Sony, Bertelsmann and Warner Bros, a possession of AOL Time Warner. AOL hasn't been named in the suit, perhaps because they've already volunteered to comply, being joined at the hip, as they are, to a media behemoth. ®
Thomas C Greene, 28 Aug 2002

Sun Solaris pants on fire – official

Almost three months ago those nice people at Sun offered a free DVD of Solaris for Intel or Sparc. But as the weeks rolled by and silence (apart from spam from Sun) reigned, descriptive phrases involving words like "duplicitous", "bastards", "mouth" and "trousers" increasingly sprang to the lips of that fine collection of freeloaders which constitutes The Register's readership. Well now it's official that Sun's pants are on fire, and we're not going to get our free DVD of Solaris 8 for Intel. We've yet to hear from anybody who actually has received this fabled beast, but a wave of 'only kidding' emails went out last night, including (sigh) the one to The Register. This latter is particularly irritating because - as usual - we'd taken the precaution of signing up for the offer before we told you lot. So if we didn't get one, well, one has one's doubts about the whole deal. After the offer ran we received information that suggested it had been designed to test the waters as regards demand for Solaris for Intel, and subsequently Solaris 9 for Intel was reinstated. Sun's 'go away' missive however suggests that some eccentric kind of reverse demand management is afoot now - it's a most excellent piece of foot-shooting that really does start to warm your heart as regards Microsoft. ("Hey Scott, we've figured out why we haven't been able to beat Gates - people don't hate us enough!") "Thank you for your interest in the Solaris[TM] Operating Environment," it says here. "As stated in the giveaway offer, quantities were limited and offered on a first-come-first-served basis. Unfortunately, even after doubling our original quantities, demand exceeded supplies and we will not be able to send you the Solaris Operating Environment DVD that you requested." Actually, it is our strong recollection that, having successfully registered for the offer, we got the strong impression that we had made the cut, and the offer's subsequent closure due to 'overwhelming demand' did kind of support that conclusion. But apparently Sun wasn't actually counting entries, or was using a severely broken database to do so. It continues: "The good new is you can still get a copy of the Solaris 8 or 9 Operating Environment - without paying a license fee - through the Free Solaris[SM] Binary License Program." Which gives you "the choice of either downloading Solaris software or purchasing it for just the cost of media and shipping." And here's the sting, Intel-using formerly would-be Solaris supporters: "While there is a nominal charge for downloading Solaris 8 SPARC[R] and Intel Platform Editions, we've made the Solaris 9 SPARC Platform Edition available as a free download!" So there you go - Solaris 9 is free, but you can't get it for Intel yet, and given Sun's wondrous strategic planning, you can't be sure it'll be free when you can get it anyway. So if you want Solaris you have to go for 8, pay for it ($20), and wait a very long time while the vast beast downloads (which is one of the reasons you wanted it on DVD in the first place). Plus you'll no doubt have to fill in another one of Sun's wretched registration forms. Sun has succeeded in gaining the interest of large numbers of people who might be interested in Solaris for Intel, and then systematically pissed them off. It is a masterpiece of marketing, no? ® Related stories: Sun offers free Solaris 8/9 OE on DVD Sun to reprieve Solaris 9 for Intel?
John Lettice, 28 Aug 2002

EU to force ISPs and telcos to retain data for one year

European Union proposals on data retention would compel telecom firms to keep customer email logs, details of internet usage and phone call records for at least a year. That's the gist of proposals leaked via civil liberties group Statewatch, which says the plans increase law enforcement powers without adequate civil liberties safeguards. In the name of tackling "terrorism" the EU's Justice and Home Affairs Minister decided last September that law enforcement agencies needed to have access to all traffic data (phone-calls, mobile calls, emails, faxes and internet usage) for the purpose of criminal investigations in general. The data would not include the contents of messages - only the timing, source and destination of communications. A 1997 EC Directive on privacy in telecommunications, which said that traffic data could only be retained for billing purposes prior to its erasure, stood in the way of this ambition. A deal agreed between the Council (the 15 governments) and the two largest parties in the European Parliament (PPE, conservative and PSE, Socialist groups) pulled the teeth from the 1997 directive on privacy. The obligation to erase data was removed and this enabled governments to adopt laws for data retention if national parliaments agreed. However document leaked to Statewatch show EU governments always intended to introduce a law to bind all member states to adopt data retention. This draft Framework Decision says that data should be retained for 12 to 24 months in order for law enforcement agencies to have access to it. Records would only become available to law enforcement agencies after judicial approval, though Statewatch expresses grave doubts about this and argues that the proposals are the 'thin end of the wedge'. Tony Bunyan, Statewatch editor, said that the framework furthers a move from targeted police surveillance powers to "potentially universal surveillance". "The right to privacy in our communications - e-mails, phone-calls, faxes and mobile phones - was a hard-won right which has now been taken away. Under the guise of fighting "terrorism" everyone's communications are to be placed under surveillance, he said. "Gone too under the draft Framework Decision are basic rights of data protection, proper rules of procedure, scrutiny by supervisory bodies and judical review." On August 14, the Danish Presidency put out to all EU governments a "Questionnaire on traffic data retention" for completion and return "preferably by e-mail" by Monday 9 September, which will form the basis of further EU action. ® Related Stories MEPs vote for Big Brother European Parliament poised to cave in on Internet privacy? World leaders use terror card to watch all of us. Forever Spam out, cookies tolerated, data retention remains: EU External Links Statewatch's analysis of the draft Framework decision (and links to other documents)
John Leyden, 28 Aug 2002

Starbuck's sells free WiFi access

If they can sell burnt, ruined coffee at premium prices, why not wireless Web access one could have for free? So goes the reasoning behind Starbucks' decision to offer WiFi at $30.00 a month in Portland, Oregon's Pioneer Square, where free access is already provided by grassroots outfit Personal Telco. According to this item in The Oregonian, Starbuck's is muscling in on the same channel already taken by PT, with the result that users of both services are enjoying degraded performance -- only those going through Starbuck's are enjoying it at a premium price. The company is using T-Mobile, a VoiceStream outfit, as their provider. Those who desire access outside the downtown 'WiFi free zone' are welcome to shell out $50.00 a month for coverage in airports and other Starbuck's stores. As the turf war warms up, we have to wonder if PT can give away what a slick marketing illusionist like Starbuck's can sell. If they can make billions hustling the worst coffee I've ever tasted outside institutional settings, well, no doubt this initiative will go quite nicely. ®
Thomas C Greene, 28 Aug 2002

Sony, Apple make phone dream team

Speculation that Apple is planning to launch a smartphone has been revived by John Markoff in the New York Times. This isn't what we're hearing at all - but it hasn't stopped analysts taking the Rorschasch blot test and drawing some wild conclusions: '"When you connect the dots, you end up at a phone," said Charles Wolf, a financial analyst who follows Apple for Needham & Company'", records the Times. No, the future points to close collaboration between SonyEricsson and Apple, with a slim outside chance of Apple rebadging one particular SonyEricsson device. But we'll explain how we arrive at this conclusion. Sliced and diced The business basis behind the speculation is sound - Jobs himself sees the standalone PDA being subsumed into the phone. And recent tectonic shifts in the handset business have made the business much more open. Firstly the biggest handset companies agreed to base future smartphones on a common OS, drawn from Psion. They haven't all put their eggs in this basket, with Nokia the keenest on this Symbian platform, but it's increasing in significance. Last year saw Motorola, Ericsson and others license their radio stacks to third parties, and the three prime hardware platforms for smartphones - leader Texas Instruments (with its OMAP) and wannabees Motorola and Intel license radio stacks with their hardware. And finally, Nokia, in a dramatic move which redefined the Finnish giant as a "software company", has licensed user interfaces and other goodies, signing Siemens and Matsushita for its Series 60 UI. Meanwhile Motorola has licensed the Symbian UIQ "Thin Quartz" user interface, honed by SonyEricsson, for its 3G phone. All this means that entering the market is much easier than a decade ago, when Apple's Newton project drained the company of billions of dollars of R&D. But does this make it a white box PC business? Of course not: integrating all these pieces and testing a device to pass regulatory tests is far from trivial, as we explained here: see the second half of Wintel - the next generation's horoscope. Eye candy In any case, why would Apple need to market its own device, when a device, bearing all the hallmarks of the best Apple and Sony product design and innovation, is waiting in the wings? We refer to the SonyEricsson P800, which struck us with its Aquaesque eye candy (that's Thin Quartz). (See our hands-on here and screenshots here). Jobs recently invited SonyEricsson's chairman to demonstrate the device at MacWorld Expo, and at the WorldWide Developer Conference disclosed that Apple had introduced a new common address book format specifically to make it easier to communicate with PDAs and smartphones. Word from SonyEricsson is that the admiration is reciprocated, and that the handset manufacturer sees Apple compatibility as a high priority. Recent hardware prototypes for the device - which is due in Q3 in Europe and Q4 in the United States, suggest the project is coming along nicely. We were able to exchange files via Bluetooth and play MPEG4 video recorded on the Nokia on the SonyEricsson. Apple's strategy is as a "hub", and it will only make clients where it can benefit the Mac strategically, such as the iPod: where there's no similar product on the market, and where the design costs aren't too high. Neither of these factors suggests Apple will become a handset manufacturer any day soon. Of the three scenarios on offer: Apple starts from scratch licensing and integrating the components; Apple co-operates with SonyEricsson and other vendors; Apple tweaks and refits an existing model, such as the P800, the second looks the most likely. Promoting compatibility with the growing number of Symbian smartphones would mean that Apple would make partners, not competitors, out of Nokia and Motorola - and that would surely be biting off more than it would want to chew. ® Related Stories GUI wars return: Motorola, Sony Ericsson tie-up Nokia claims Matsushita scalp for Series 60 Hands on with the PDA-killer Sony P800 The quest for the killer mobile app - beyond UIs, browsers Smartphone roadmaps for 2002
Andrew Orlowski, 28 Aug 2002

SonyEricsson cuts Linux P800 fee to zero

SonyEricsson hopes to mollify developers who've discovered that writing native C++ applications for the much-hyped P800 can carry a hefty fee. The move favors the savvy rather than savant: determined Linux developers should be able to get in for nothing. Over the summer SonyEricsson has been offering a P800 Software Developer Kit which features a beta of the UIQ software development kit bundled with MetroWerks CodeWarrior - for a cool $995. And this has proved a stumbling block for software libre developers who want to build applications on Linux. The GNUpoc project allows the Windows-based libraries to be used in the WINE environment, and with only a little bash, perl and WINE former Symbian engineer Alfred Heggestad, who maintains the project, was able to port his Commodore 64 emulator to the Nokia 9210. "The obstacle isn't technical - it's purely price," Heggestad told us. GNUpoc doesn't support the Symbian emulator, so binaries must be debugged on the device. So this is pretty hard core. SonyEricsson seems to have heard the angst, however. After first denying that the fee raised an unreasonable barrier to entry - it includes a year's support - SonyEricsson put us through to Ulf Wretling, who says that the UIQ SDK will within a few days be available free of charge, allowing Haggestad and other Linux developers to target the P800. (Developers will find the bundled Symbian 7.0 SDK in there too - that's only one download, not two, as we originally suggested.) "We're opening it up," he promised. The early seeding had targeted upscale professional developers who could afford the bundle, he said. Heggestad said he looked forward to the release of the free SDKs and didn't expect any technical issues that would prevent GNUpoc targeting the P800. We're not sure where this leaves the CodeWarrior package: $995 still looks a steep price for the pleasure of using an integrated development environment and the emulator. By contrast, Nokia gives its SDKs away for free. And the 'Code To Cash' competition for the P800 SonyEricsson launched yesterday has infuriated Register reader Dan Houghton, who correctly points out that far being "Code To Cash" - referring to the $3,000 worth of bounty on offer as a prize - it's more "Cash To Code". Applicants need to pay $500 for a "Basic Developer Support" fee covering all SonyEricsson technologies in order to enter. "The launch of the P800 must be one of the more anticipated geek events in recent history," writes reader Tom Adshead (who we trust is not a thesp) reflecting the unusual level of interest in this device in our postbag. But is SonyEricsson exploiting this? History tells us that the cheaper the tools, the more applications, so we wouldn't be surprised to see a new "lower tier" introduced at some point soon. For now, determined Linux programmers could have snagged the best deal of all. ® Related Stories Sony, Apple make phone dream team GUI wars return: Motorola, Sony Ericsson tie-up
Andrew Orlowski, 28 Aug 2002

Why the new MS licensing Ts & Cs are important

We've found Fred Langa absolutely hysterical for years, so we're pleased to see we've finally been able - however unintentionally - to repay our debt to the Great Man. We are, apparently, hysterical, yellow-tinted, inflammatory, and publish (amongst, he concedes, better stuff) embarrasingly shallow rants. We wouldn't ordinarily trouble you with the maunderings of some overpaid boat-anchor, but Fred, by getting it absolutely wrong, illustrates why it's vital that people are aware of the steady ratcheting upwards of Microsoft's (and indeed the software industry's in general) licensing terms and conditions, and why it is important to worry about them. Fred, who in this area falls into the category of one of Lenin's "useful idiots,"* does not see Microsoft's new standard software licence, which authorises "Microsoft or its designated agent" to access information about your computer, and to "use this information solely to improve our products or to provide customized services or technologies to you," as a problem or a significant change in what the company has been doing already. Just legal butt-covering, you can always switch it off, says Fred, poo-pooing our suggestion that Microsoft is giving itself admin rights over your computer. Which does make this wording a little tricky to figure out: "You agree that in order to protect the integrity of content and software protected by digital rights management ('Secure Content'), Microsoft may provide security related updates to the OS Components that will be automatically downloaded onto your computer. These security related updates may disable your ability to copy and/or play Secure Content and use other software on your computer. If we provide such a security update, we will use reasonable efforts to post notices on a web site explaining the update." The content/DRM-related terms and conditions Microsoft is currently experimenting (we hope that's the right word) with seem notably more savage than the new standard Windows licences, but the point here is that terms and conditions are changing, little by little, and although you can currently switch the nasties off, most people won't, because they won't know about them, and it will become progressively harder to switch them off anyway, or indeed to operate in a world where services from Microsoft and friends more and more expect them to be switched on. As regards Windows Update, it has been becoming more and more difficult to track down patches and fixes and install them by hand, and some of the ones you can get hold of now come with interesting little presents from Microsoft like the excerpt above, with its intriguing redefinition of security update. Whose security? Yours, or theirs? The time will come when you will not be able to obtain fixes to the product you have already paid for without being forced to agree to whatever new terms the software industry, its attorneys and its paying customers currently find convenient. Sure, now, you can just say no (sometimes), but the likely widespread tacit acceptance of new terms and conditions, and people saying "don't worry" in the public prints, are very useful factors indeed for the industry. Things change slowly, your rights are slowly eroded, nobody bar a few ranting maniacs shouts about it, then a year or two down the line we get to the next step. It's just a little one, oh, just a tad of legal butt-covering, people huff, not much different from what they were doing before anyway. And so, on to the next step. That's why it's important to know, to worry and - while you can - to resist. ® * Essentially, VI meant by this fellow travellers who supported the hidden agenda without spotting it, or indeed its consequences for themselves. Related stories: How to defang Win2k SP3's auto updating Win2k SP3, the 'snooper' licence, and the workaround
John Lettice, 28 Aug 2002

Intel goes CMP, only it doesn't

History is written by the winners - the last man standing. But you have to admire the power of marketing dollars - and a complicit mass media - to lend a hand. When Intel launched the first processor to employ simultaneous multi-threading, (SMT, or virtual processors), it created the name HyperThreading for this technique. SMT had not happened, and did not happen. Even though it had not been happening since well before the term was coined in 1995. Yesterday Intel disclosed some interesting details about its research into CMP, cellular multiprocessing; or put more simply, putting two cores on a die. But it's also introduced a new marketing term to describe this: "core hopping". "Symmetric multiprocessing chips, such as IBM's Power 4 and presumably chips with core hopping, essentially squeeze two equal processors into a single piece of silicon, so that the chip provides the same computing power as a dual processor server," reports CNET. The 'presumably' is valuable here. As in "presumably, this man knows what he's talking about, because he has pointy ears and is wearing a stethoscope." ('Presumably' is a valuable addition to any journalist's arsenal. I wonder what I can presume next. That Bill Gates is a woman? That the USA has standardized on dollar coins, so I don't have to spend 10 minutes at BART stations exchanging crinkly facsimiles of the first president with the ticket machine? That I can sing?) Multicore processors might be a good thing, Intel tells us, in which case there's a page on its website that urgently needs to be revised, as it says they're a bad thing, and still uses the forbidden term:- "However, a CMP chip is significantly larger than the size of a single-core chip and therefore more expensive to manufacture; moreover, it does not begin to address the die size and power considerations," according to the February edition of the Intel Technology Journal, which you can read here. But as a public service we'll pre-empt the next discovery from Intel Labs, as seen through the lens of marketing speak. "Yes, you see - all along we've been working on these hyper-programmable flabba-chips. HPFCs. Only we know what they are. We were flabber-gasted when we invented them - so our scientists gave them a name ... flabba!" And so shall FPGAs become HPFCs. Bootnote: Only Intel can save us from the RIAA. We hope it will, but are preparing for the worst. ® Related Stories Apple chip breakthrough confounds physicists Einstein fends of Reality Distortion Field
Andrew Orlowski, 28 Aug 2002