24th > January > 2003 Archive

Tech firms gather to fight Hollings copy controls

A new lobbying outfit called the Alliance for Digital Progress is preparing to fight against legislation calling for government-designed and mandated technology to prevent digital piracy, such as that being peddled by US Senator Fritz "Hollywood" Hollings (Democrat, South Carolina). The organization brings together some fairly disparate participants, for example the Business Software Alliance on one hand and DigitalConsumer.org on the other. A number of heavyweight industry players like Microsoft, HP and Cisco are also involved. The new Alliance pitches its mission as defending the rights of consumers, always a bit of a red-flag slogan. During a Washington press conference Thursday, Alliance President Fred McClure kept to a fairly tight and not terribly informative script, delivered with a fine voice and characteristics pleasantly reminiscent of a southern Baptist preacher. The Alliance promises to oppose all legislation that might put Uncle Sam in a position to choose anti-piracy schemes for consumers. It's not clear that the Alliance is prepared to fight government mandates or government enforcement of industry-sponsored anti-piracy schemes, however. We tried twice, unsuccessfully, to pin McClure down on a commitment to exclusively market-driven solutions, but he only reiterated his bullet points. It was a pleasure listening to him speak, nevertheless. El Reg: "When you assure me that you're opposed to government-designed and mandated control features, you leave me wondering how you would respond to government-mandated schemes that originate by consensus in the private sector." McClure: "We are supportive of private-sector industry-to-industry collaborative efforts to find solutions that work in the marketplace, to deal with what we've seen is a big problem: digital privacy. Assuming that at the end of the day, those sorts of solutions are found, then that may be a different situation; and I'm not sure that it would be one that government would be mandating. 
We doubt the ability of government to design and mandate the kind of technology that is not going to result in us sort of stopping dead our tracks the progress that we're beginning to experience in this digital age. It would hurt consumers, hurt the economy, it would create a new environment where we'd have a stationary target for hackers to just [inaudible] right in and completely destroy the efforts that have taken place. The quick-fix, legislative/regulatory mandate in a mode of replacing marketplace solutions is what we worry about." There's another two paragraphs of worry about how the consumer is never going to get the content they want via the distribution models they prefer if the government gets into the business of deciding how to protect digital content. But we didn't get an answer to our question. El Reg: "Can I follow up? ... Are you prepared to say that you would always resist a government-mandated protection scheme regardless of where it has originated, and keep it strictly market driven?" We got another long and creative reply, but no clear assurance of a strict commitment to market solutions. We have to assume that for now, the group is at least open to government mandates and government enforcement of anti-piracy technology so long as Uncle Sam isn't the one designing it. If Hollywood and Silicon Valley ever manage to agree on a standard or a group of standards, presumably these could be mandated and enforced with the Alliance's blessing. We also wondered if the Alliance would use its judgment in opposing legislation, and indeed, copy-protection schemes, that might infringe on a consumer's right to fair use. McClure repeatedly insisted that he "would not comment on the scope of copyright law," which fairly well shut down any discussion of the nuanced but crucial distinction between copying, which is a privilege affirmed by the 1984 Sony decision, and piracy, which is a crime.
Meanwhile, Motion Picture Ass. of America (MPAA) President Jack Valenti continues to call for the Hollings solution, most likely as a worst-case-scenario threat to the tech sector, with which he hopes to bully them into seeing more things his way. While we were unable to get an adequate sense of what the Alliance is really about during the press conference, we remain confident that it can't be half as bad as what the MPAA is about. And considering its politically multicultural membership, if this new coalition holds together long term, it will be a rather good sign. ®
Thomas C Greene, 24 Jan 2003

Fujitsu, Intel to develop Itanium Servers

The Itanium platform gets a boost today as Intel Corp and Japanese server maker Fujitsu Ltd announce a strategic alliance to develop "mainframe-class" servers based on Intel's 32-bit Xeon and 64-bit Itanium processors, writes Timothy Prickett Morgan. The enterprise servers borrow heavily from the experience of Fujitsu and its partner and co-marketer, Germany's Siemens AG, in creating the PrimePower line of Sparc-compatible RISC/Unix servers. They will run a beefed-up version of Linux and will eventually scale to 128-way machines by 2005 using the "Montecito" dual-core Itanium chips from Intel. The Intel-Fujitsu alliance will also create enterprise-class servers using the 32-bit Xeon chips, and while details are sketchy, it looks like they will not scale to these heights, perhaps topping out at 32 processors, maybe 64 processors. Both Xeon and Itanium machines created by the Intel-Fujitsu alliance will be sold by Fujitsu in Japan, Fujitsu Siemens in Europe, and Fujitsu Technology Solutions in North America. They will initially run Linux, but Jack Hirano, director of communications for Fujitsu America, says that the project will also create Windows variants of the machines. The future Xeon and Itanium servers will be developed alongside existing Primergy Intel-based machines that are in the works from Fujitsu and Siemens. The exact specifications of the machines are not available, but the largest Xeon machines (probably a 32-way running a kicker to the current "Gallatin" Pentium 4 Xeon MP chip) will ship at the end of 2004 and the 128-way Itanium machine will ship in 2005. Exactly how much technology will be borrowed from the PrimePower line is unclear, but Richard Dracott, group director of enterprise computing at Intel, says that the future product line will span the categories and capabilities of the Sparc-based PrimePower line.
While Intel is obviously happy about the endorsement that this deal gives to its Xeon and Itanium chips for enterprise computing, Fujitsu and Siemens clearly wanted to get something else out of the deal besides enthusiasm, and while financial details were not announced, what seems clear from the limited information is that Intel is rolling up its sleeves and helping out with the substantial amount of hardware and software work that will be required to make Linux scale to 128 processors. Moreover, in the chess game that is the server business, it will not be surprising to see Microsoft Corp kick in some engineers and/or money to see the project's Windows aspirations reach their targets. With Unisys being essentially the only high-end server maker that has products that scale to 32 processors supporting Windows Datacenter Server (IBM and HP are working on 32-way and 64-way machines), Microsoft needs to foment innovation if its own aspirations in the datacenter are to be turned into reality, and then, money. Building big iron is relatively easy for Fujitsu, and Intel knows how to make chips to plug into servers. A lot of the effort these two will be putting into the future machines is making Linux scale. SGI, which announced a 64-way Linux supercomputer a few weeks ago, put a lot of work into extending Linux and making it work efficiently on its shared memory, parallel machines. While Red Hat Linux will run out of the box on the 64-way SGI Altix 3000 machines, if you want it to run really well, you have to buy all the rejiggered Linux code that SGI has created and which is not being put back into the open source community by SGI. It is hard to believe that Fujitsu and Intel, having done work that differentiates the Fujitsu and Siemens platforms running Linux, are going to put that work back into the Linux community. Dracott says that while no decisions about IP have been made, a model that is similar to SGI's way of doing things is likely.
Moreover, it is hard to imagine that IBM, HP, or Dell, if it ever delivers a 32-way or larger server, will behave much differently. Fujitsu and Siemens' exact plans for supporting Windows on the future Xeon and Itanium machines are even less clear at this point, but Hirano confirmed that it was in the works. Datacenter Server 2003 seems like an obvious candidate for any machine that comes out at the end of 2004 using Xeon processors. What happens on the Itanium machines is dependent on how well or poorly Microsoft and its partners support Itanium. © ComputerWire
ComputerWire, 24 Jan 2003

AOL and HP Sign Instant Messaging partnership

Hewlett-Packard Co this week became one of the first companies to announce the integration of America Online Inc's AOL Instant Messenger service into its enterprise messaging line of products. AOL's Enterprise AIM Services, announced late last year, allow enterprises to manage IM communications that are carried on the AIM networks. A software gateway allows messages to be filtered, logged and, in future, secured. HP becomes an Enterprise AIM Certified Partner, which will allow HP Services to build applications for enterprises based on the AIM Enterprise Gateway and the Private Domain Service, which allows users to administer their own IM namespaces. © ComputerWire
ComputerWire, 24 Jan 2003

Cost of securing Windows Server 2003? Nearly $200m

Microsoft Corp has spent the best part of $200m securing Windows Server 2003, its next major operating system, under the company's year-old Trustworthy Computing initiative, writes Gavin Clarke. Mike Nash, corporate vice president of Microsoft's security business unit, said yesterday the money was spent re-designing and reviewing Windows code in an attempt to lock out hackers, stop viruses and ensure system resilience. Speaking at Microsoft's Silicon Valley campus before an open audience, Nash said these changes were made as a result of Bill Gates' highly publicized Trustworthy Computing initiative, launched in January 2002. Reviewing lessons Microsoft learned during the first 12 months of Trustworthy Computing, Nash said the company had undertaken cultural changes in addition to altering the way it builds products. Eleven thousand engineers were re-trained to program for security, and individuals are now assigned ownership of modules to track responsibility for development and testing. The company learned Windows could become vulnerable through the actions of a feature not necessarily associated with security, such as the ISAPI server in Windows 2000. "One of the things we learned at Microsoft is [Trustworthy Computing] involves a change of culture," he said. "One of the goals of Trustworthy Computing is to close the gap between the goal of innovation and the need for reliability." Nash classified the four key tenets of Trustworthy Computing as: security - making software secure from attack; privacy - protecting customer information and giving users the ability to control their own data; reliability - dependability of software; and business integrity - Microsoft dealing openly with customers. Nash said Microsoft spent $200m on "internal processes" such as re-training and re-working the company's mechanism for delivering security bulletins.
The money was primarily spent on Windows Server 2003, he later told ComputerWire, even though Microsoft has used elements of the initiative in Visual Studio.NET, Windows XP Service Pack (SP) 1 and Windows 2000 SP 4. As such, Nash predicted, the first public effects of Trustworthy Computing will be felt by customers this year, with Windows Server 2003. "The first year of Trustworthy Computing's primary focus was the issues where we could reduce customers' pain," he said. "2002 will bear fruit in 2003, as Windows Server 2003 becomes available." Windows Server 2003 is scheduled to launch on April 24. Windows Server 2003 will see more than 20 features, such as Internet Information Services (IIS), that come "turned-on" out of the box in the current product shipped "switched-off". Leaving these features turned on places the obligation on users to disable them; many don't, leaving a back door open to hackers, viruses and systems instabilities such as buffer over-runs. Nash claimed 95% of system breaches are the result of misconfiguration by users. Nash added Internet Explorer's out-of-the-box functionality would also be limited. "A lot of work has gone into turning things off," Nash said. Additional security has been added to the operating system. The Windows PKI has been enhanced, there is greater control of role-based authorization and greater documentation of security features and changes for users to read. Looking ahead, Nash predicted improvements would ensure Windows Server 2003 becomes the "foundation" of Microsoft's future operating systems. "There will be a security push for Longhorn and versions of Windows after Longhorn." However, Nash ruled out inclusion of Microsoft's proposed Palladium chip-based security mechanism for any immediate versions of Windows, such as Longhorn.
"There are some important things we have to do to improve the experience prior to availability of Palladium, so we can talk of Palladium as something of a security banner for the long-term," he said. © ComputerWire
ComputerWire, 24 Jan 2003

Cisco sues Huawei over IP ‘theft’

Cisco Systems Inc accused Chinese telecoms equipment vendor Huawei Technologies Co Ltd of unlawful copying of Cisco's intellectual property in a lawsuit filed in the Eastern District of Texas yesterday. The suit was filed against Huawei Technologies as well as its subsidiaries Huawei America Inc and FutureWei Technologies Inc. Cisco claimed that Shenzhen, China-based Huawei "unlawfully copied and misappropriated Cisco's IOS software including source code." Cisco also claimed the Chinese company copied Cisco documentation and other copyrighted materials. Amongst other claims, San Jose, California-based Cisco said portions of its IOS source code found their way into Huawei's operating system for its Quidway routers and switches. Cisco claimed the Huawei OS included text strings, file names and bugs that were identical with Cisco's IOS source code. The suit alleges that Huawei is infringing at least five Cisco patents. Cisco said its suit sought remedies to prevent the continued misappropriation of its IP by Huawei as well as damages. Huawei was not available to comment. © ComputerWire
ComputerWire, 24 Jan 2003

Compuware sues Moody's over rating

Compuware Corp has added weight to its argument that Moody's Investment Services in August 2002 unfairly downgraded its debt, by publishing figures for its third quarter 2003 that said cash flow from operations was almost $85m. The software development, testing and management vendor filed suit on Wednesday against Moody's over the analyst firm's downgrading of Compuware's debt status by two notches from "Baa2" to "Ba1", a reduction from investment grade to junk status. Compuware's allegations of a conflict of interest at Moody's center on the question of whether an analyst providing debt-rating services to one company should also be allowed to offer debt-rating services to a company that has a link to that company. In March and June 2002, Compuware initiated legal proceedings against IBM Corp, seeking damages based on a variety of claims including copyright infringement. Compuware claims in its suit against Moody's that at the time that Compuware was taking action against IBM, Moody's was involved in performing credit ratings for IBM. "Given the litigation between Compuware and IBM, no analyst or employee of Moody's performing credit rating services for IBM should have been in any way involved in developing a credit rating for Compuware," Compuware's suit states. But the legal suit also claims that regardless of any alleged conflict of interest, the downgrade was not justified. "Given the fact that Compuware at the time of the downgrade had over $475m in cash equivalents and liquid investments, that Compuware was expected to generate free cash flow for fiscal 2003, that the credit facility matured in August of 2003 and that Compuware had borrowed no amounts against the credit facility, Moody's downgrade of Compuware's credit rating with respect to the bank facility had no factual basis," it said. 
In its results announcement yesterday Compuware showed cash and cash equivalents of $301.7m, up from $81m in the same period a year ago, while investments came to $127.8m, down slightly from investments of $138.4m in the year-ago period. Total current assets came in just over $1bn, while total current liabilities came to $468m. It was not all good news for the company, however. Third-quarter revenue came to $333.1m, compared to $453.8m in the third quarter of the previous fiscal year. Net income was $25.4m compared to $29.8m in the same quarter of fiscal 2002. "While it's not the greatest market for technology, we believe that Compuware will begin to grow again in the coming fiscal year," said Compuware chairman and CEO Peter Karmanos. "We experienced some growth in our distributed products revenue and good cash flow from operations during the quarter. Distributed products license revenue grew nearly 27% from the second to the third quarter and cash flow from operations was almost $85m," he said. "In spite of market conditions, we remain focused on the growth of our distributed products like OptimalJ and Vantage, and other key initiatives such as our Near Shore Development Center and our CARS offering." Karmanos added: "We believe we remain well-positioned to grow the company. Our ability to stay profitable and debt-free enhances our ability to produce competitive offerings that deliver the productivity and value customers are demanding." On Wednesday a Moody's spokesperson said that the company hadn't seen the lawsuit from Compuware and would reserve comment until it did. Yesterday a Moody's spokesperson said that the company had "no further comments at this point." © ComputerWire
ComputerWire, 24 Jan 2003

Fujitsu wins £650m UK Post Office deal

In Brief Fujitsu Services Ltd, the company formerly known as ICL, has won the £650m, seven-year deal to manage the Post Office's computer systems. Which is nice. But not winning the contract would have been a big setback, as FSL has managed the Post Office's 'puters under a similar contract since 1996. ®
Drew Cullen, 24 Jan 2003

Voila! Workspot Linux is instant and portable ‘magic’

Workspot is an online Linux desktop. You go there in any browser (java-enabled is better), login, and start up Red Hat Linux within that browser. It is so cool, I really want it to be something that people go for. I want it to succeed. I'm not so sure it can - but the guy who runs things at Workspot is a believer. He's reaching out to newbies, collaborators, and "mobile people." CEO Greg Bryant started Workspot just before the dot-com boom got big. He wanted it to be a "Hotmail-like web service" that instead of just providing email, provided a complete Linux workstation that could be accessed from any Internet-enabled computer. Workspot got caught up in the boom and attracted the attention of investors. They began providing remotely-hosted applications "solutions," calling themselves an Open Source "applications service provider." But their heart was still with the basics - Workspot as a standalone, portable, remotely hosted Linux workstation. With the decline in funds that came when the boom busted, Bryant and company were forced to go back to those basics, and so now we have a production release of Workspot available for a $9.95 monthly subscription fee. "We've spent a great deal of time and energy putting together a project that may help convert the general public to GNU/Linux on the desktop," says Bryant. "This is a serious effort, we're proud of it, we think it's magic." Bryant says that the underlying premise with Workspot is that, if the majority of computer users had an online demo of the Linux desktop, they "would be willing to convert," and the domination of proprietary software companies would end. With a newbie market that encompasses "half a billion" people who have Internet connectivity but don't yet run Linux, Bryant says, "I hope they don't all come at once." The newbs will like it, says Bryant, because "It's a normal user account, so someone can use it for e-mail and mobile work, and see if it's comfortable for day-to-day use."
As for collaborators, "If techie friends want to help guide someone through GNU/Linux applications, Workspot has a remote collaborative feature that lets users see each other's desktops." Bryant shares a scenario. "Three people, working at three different companies, want to work on a small project together. They get three Workspots, and they start to show each other their current work on their desktops, while they use chat & e-mail to communicate, and webdav to transfer files. No new machines required, and they keep stuff off of their corporate hard drives. It's a GNU-ish version of what WebEx does, I suppose. And -they- have 6,000 customers." As for the mobile users, Bryant is sure that, given the popularity of webmail, at least a segment of that market would also be interested in having an online desktop. "I know many people who 'program-on-the-side,' or who need to have an Open Office or a Gimp available to them in a pinch -- they're travelling light. Sysadmins need it so they can ssh into their work machines, no matter what PC they have at hand," he says. Bryant says that although Workspot doesn't have any subscribers yet, the company has plans to initiate an affiliate program. "When surfers click through an affiliate site (one like, let's say, GnuCash's) and register, that site gets 25% of the registration fee. Since many of these projects are already showcased on Workspot, I think this is a sensible and useful way to generate income." Bryant also dreams of setting up micropayments for new applications or for custom configurations, whereby he says, open source programmers would be able to earn a living. "And they'd get better feedback from users, leading to faster UI improvements," he says. So, how does Workspot work within the confines of the GNU General Public License? "Well, I'll start with source code. We have no desire to hide code," says Bryant. "If we make changes to anything under GPL, we put it up on http://www.workspot.org.
"VNC gets distributed to users, so this is required under GPL. But if we make a change to, say, Nautilus, we'll post the changes, even though we don't have to -- we're making-believe that GPL has a 'public performance' clause, which I believe it should. Websites don't generally distribute code, so GPL is pretty weak against the privatization of GPL'd web products [unless they're used by millions, like apache]. "The source for everything else you see is available online elsewhere. The glue we've packaged it all together with wouldn't interest people yet -- but we'll divide it up usefully and distribute it under GPL later, with an added public performance clause. "The use of our servers isn't source code distribution -- and so isn't covered by GPL. It's simply 'use of services.' Hypothetically, if someone gives out their login, against our contract, it would be a breach of contract. But that's just temporary: and unenforced. What I really want is a physical constraint -- just one VNC connection per user. We're implementing that now. Only because, if they want more connections, that means more bandwidth, and that will cost us more money, so the user should have to pay extra for it." Bryant says that the desktop sessions are not encrypted, and admits that Workspot is not really secure, yet. But he says it is "really hard to snoop. If I was learning or evaluating GNU/Linux applications, or even using them for small jobs, I personally wouldn't care much that some powerful-super-spy-hacker could see it. It's like going for a testdrive -- a semi-public kind of thing. "But for those moments of privacy, there are several encrypted VNC solutions we're evaluating and implementing this quarter. Once encryption is implemented, people will probably start to see it as a mobile identity. Ximian Evolution on Workspot beats the Hotmail interface -any- day!" Bryant admits that the target market hasn't quite been convinced yet.
"...Our biggest hurdle is just getting people to understand it. Techies do, but until we become a showcase for sub-stable software, which we're planning, it would be kind of a luxury for them to subscribe. Normal people, who'd like to try GNU out, or have it around occasionally, don't really get it, because it's such an unusual beast." We tried Workspot out and found it fun and interesting. Basically, you surf to workspot.com, login and start your desktop, within the browser. There's also an option to run Workspot straight from vnc, which is supposed to enhance the responsiveness, but for most people, running it from within the browser is easiest. Just make sure you have java installed and enabled. The GNOME desktop quickly appears, and everything is just as it normally is in the Linux desktop. I had a noticeable lag but it wasn't enough to make the system unusable or even unenjoyable. Your mileage may vary, depending on the amount of RAM and bandwidth you have available. You get the standard apps - Gimp, OpenOffice.org, games, emacs, etc. I ran Gaim with no problem, but xchat didn't work. There's no sound, and printing is not possible at this point. Neither Evolution nor Kmail were able to connect for me through Workspot. I wouldn't recommend using mail services on Workspot anyway, since it is unsecure. It is bizarre surfing the 'Net on a browser within a browser, but completely possible. Again, ignoring the fact that it's redundant, I wouldn't do it if it means logging in anywhere. If you have open source software you'd like to install on your Workspot account, feel free as long as it doesn't have to be system-wide. Understandably, you don't get any root access here. Just for fun, I thought I'd see if I could get java installed and then LimeWire. Downloading java was fun - 17mb in about 4 seconds. But there were glitches in unpacking the file that I couldn't investigate because, no root access. It's just not convenient. 
Not to mention that java is either not installed on the system or it is just not included in the path (though a cursory look through the /usr directories didn't turn up any java). Probably not a huge deal, unless you want to run java-based applications or you visit any sites with java applets. If you have Windows friends who want to try out this "insta-Linux" it would probably be worth it to kick down $9.95 for a month's trial. Bryant says it's good for programmers too; he says he often finds himself with Internet access but without his programming tools, and Workspot comes in handy for that. © Newsforge.com
Tina Gasperson, 24 Jan 2003

BT reforms broadband registration scheme

BT has lowered the number of registrations needed for some exchanges to be converted to broadband in a bid to speed up the roll-out of ADSL in the UK. For instance, Holmer Green in Buckinghamshire has had its trigger level reduced from 700 to 250, and since it has already passed this threshold, is now set to be converted to DSL. In all, BT has reduced the threshold for 388 exchanges and also set trigger levels for a further 87 areas. The thresholds are part of BT's broadband demand registration scheme, which is designed to map pockets of broadband demand across the country currently without DSL. If sufficient demand can be plotted through people registering their interest, then BT is happy to convert the exchange to broadband. BT originally set some very high thresholds claiming that this number of people was needed to justify the investment. However, it now claims that a review of the economics (such as the price of kit coming down) of providing ADSL at local exchanges means that it can lower the number of people needed to make the investment viable. In a statement Paul Reynolds, BT Wholesale chief executive, said: "The registration scheme has helped us guide investment in broadband to match demand. Our growing experience of the actual work involved now allows us to be confident in lowering many of the demand levels at which we will upgrade exchanges for broadband." Last month BT eliminated a layer of clunky bureaucracy from its much-criticised ADSL pre-registration scheme by removing the need for 75 per cent of registrations to be confirmed. The move was a victory for common sense and means that BT will upgrade an exchange as soon as it hits its trigger level. BT has so far converted 13 exchanges to DSL thanks to this scheme with work underway at a further 58. Two-thirds of households (1,132 exchanges) are now connected to a DSL-enabled exchange. ®
Tim Richardson, 24 Jan 2003

NTL sacks ‘hacker’ for ‘gross misconduct’

NTL has sacked one of its employees for "gross misconduct" after he hacked into the independent customer forum ntlhell.co.uk. The hack - which included sending the members of ntlhell.co.uk a derogatory email - took place on New Year's Eve. The incident was traced back to someone working at NTL using one of the company's computers. Last week, an un-named employee was suspended from the cableco following a three-week internal investigation. Yesterday, that individual was dismissed. They have five days to appeal the company's decision. Those behind ntlhell.co.uk had written to NTL asking that no one should lose their job over the incident. But in a statement NTL said: "Following the hacking of an ntlhell.co.uk user forum which took place on 31st Dec 2002, NTL has conducted a thorough investigation and identified the employee concerned. "The employee has been dismissed on grounds of gross misconduct. The employee has five working days in which to consider whether or not to appeal. It is not appropriate that NTL discloses the name or identity of the employee." ®
Tim Richardson, 24 Jan 2003

CodeCon to trailblaze emerging tech

The very first CodeCon held last February was one of the highlights of the year. Take a bunch of cool stuff that some underemployed programmers have been working on in their spare time on distributed computing and cryptography problems, and throw them into Jamie Zawinski's DNA Lounge nightclub for three days. Charge a low admission fee - that other underemployed programmers can afford, stipulate working demos and no bullshit - and see what happens. Well, what happened was, amongst other things, the public debut of Peek-A-Booty, real-life crypto confessionals! and much work that has become pretty voguish now: such as Mesh networking and swarm downloads. The agenda for CodeCon 2003 has just been published and it's vastly expanded in scope, while retaining a unique and distinctive flavor. For example, IBM's Almaden labs will showcase an internal project, "YouServe" which sounds like a massive distributed web publishing system. You'll also learn how to steganographically conceal text in application binaries, and how to "hack the RF spectrum with Free Software and Hardware" and veteran Internet security Paul Lambert will be demonstrating "Ping as a covert encrypted signaling channel" (uh, look out!). Three I'm particularly looking forward to are: Brandon Wiley (of FreeNet)'s Tristero project, a set of components for peer-to-peer webcasting that independent media and pirate radio stations, for example, can use; a demo of an iTunes Rendezvous proxy that indexes and shares other iTunes libraries (Steve Jobs demonstrated iTunes Rendezvous cross-plays last May, but the feature hasn't appeared, perhaps RIAA'd to death); and a neural metadata search for P2P systems. More about why that is so very interesting, nearer the event. CodeCon isn't morphing into DefCon, but it isn't a conference for expense-account suits, either. Co-founder Len Sassaman told us, "It is true that you won't find vacuous marketing droids at CodeCon.
Half of the conference's appeal is that the people who attend have brains, and are in the trenches of new technology. With CodeCon, we try to select the most interesting, novel advances in "useful" computer science, and anticipate what will have the greatest effect on the field. "Naturally, this attracts a very high caliber of attendee. If you are a developer of new technology, you will be surrounded by your peers, and you won't have to overhear Bob over in sales trying to push snake-oil on another marketing person from another company who is too clueless to know he doesn't need Bob's goods." "In other words, we're not like other 'emerging developments' conferences." It also starts at a sensible hour (i.e., midday). CodeCon runs from February 22-24 at the Club NV nightclub, and you can read full details here. ®
Andrew Orlowski, 24 Jan 2003

UK.gov poised for climb-down on ID cards?

The UK government's plan for an "entitlement" (aka ID card) may be undergoing serious revision and downscaling, reports BBC news. Home Office Minister Lord Falconer, who in December was pitching the scheme in glowing terms, and claiming the British public favoured it, seems to have been preparing for a swift retreat. Falconer has always struck The Register as the bloke who walks behind with the shovel, and the highly-spun December announcement seemed to us to fall into this category. He was advancing for Home Secretary David Blunkett to test the waters, and over the past few weeks it may have transpired that they're just a little too chilly right now. The government has been running a consultation exercise on entitlement cards, which are intended to facilitate secure interaction with government services, but which would inevitably be applied in a far wider range of circumstances, for almost six months now, and it is due to finish at the end of this month. Falconer's claims of support were based on a laughably low response rate, but more recently campaigners, including Stand.org.uk and Privacy International have most assuredly tipped the scales decisively in the other direction. The Home Office is still quoting 2,000 responses, breaking down two to one in favour, but as Privacy International and Stand say they've submitted 7,000, massively against the scheme, this clearly cannot be, and uk.gov will shortly be forced to confess that people don't want ID cards after all. Not, of course, that 7,000 can be seen as exactly a victory for democracy. It's certainly better than the government can do under its own steam, but it's the sort of number that might swing a medium marginal constituency in a national election, rather than anything that could possibly be said to reflect the opinions of the entire electorate. 
After considering first, the lamentable failure of its own consultation exercise and, second, the fact that a handful of pressure groups have been the dominant factor in the result, the government might care to ask itself a couple of questions. First, mightn't it be getting a little ahead of itself in its schemes to get Britain online? (We think it's a safe bet to say most of the government's own responses were postal.) And second, does it seriously believe the majority of the citizenry is actually interested in interacting with it on a general basis, as opposed to just using the internet to interact with government when it provides a faster and more convenient way of doing whatever it is they have to do (e.g. pay taxes)? Third, given that on the odd occasion when the Great British Public does react in large numbers it's when it really doesn't like something, mightn't it have got itself more democratically buried if it hadn't spun the consultation, and had made a serious effort to tell the public about it? As for the specifics of this particular consultation, Falconer is now making questioning noises about weighing the scheme's advantages against risks to privacy, human rights and social values, while Jonathan Bamford of the Office of the Information Commissioner asks, "Do we risk changing the fabric of our society so that the highest level of identification becomes the norm for the most mundane of services?" That one's actually the killer - if everybody's got one, then every service, public and private, is going to demand it, and as it's an ID that potentially joins up every piece of information they all have on you, it would indeed massively change the fabric of British society. Which is probably something that would wake the electorate up, if they knew. ®
John Lettice, 24 Jan 2003

Amazon posts profit

Amazon's decision to scrap shipping costs for orders over $25 appears to have been a hit with punters. Reporting Q4 figures Amazon.com notched up a profit of $3m in Q4 2002, down from $5m during the same period in 2001. Net sales for the quarter skipped in at a record $1.429bn up 28 per cent compared to $1.115bn posted in Q4 2001. The spike in numbers coincides with the popular holiday season when book and CD buying is at its peak. And because of the apparent success of waiving shipping for orders over $25 Amazon is to extend this to a year-round offer. Said chief Amazonian Jeff Bezos: "On top of the five price cuts we've made over the past 18 months, we're announcing today that we've decided to make Free Super Saver Shipping on orders over $25 a full-time, year-round offer. "We're at a tipping point. Customers are now shopping at Amazon.com as much for our lower prices as for our selection and convenience," he said. Sales at Amazon's international operations - in the UK, Germany, France and Japan - grew 76 per cent to $461m in Q4. Looking ahead, Amazon reckons Q1 2003 net sales are expected to roll in somewhere between $1.025bn and $1.075bn, a growth of around 21 - 27 per cent. ®
Tim Richardson, 24 Jan 2003

Virgin.net in Leeds Castle blunder

There were red faces at Virgin.net today after a vulture-eyed Reg reader spotted a curious picture accompanying a city guide to Leeds. The city guide, as it happens, coincided with those destinations served by Virgin Trains, another one of Sir Richard Branson's enterprises. Snag is, one of the pictures was of Leeds Castle, a former palace of Henry VIII and...around 250 miles south of the West Yorkshire city. For Leeds Castle is near the village of Leeds in Kent. Leeds, on Virgin's train route, is in West Yorkshire. The images on Virgin.net's site have been removed. ®
Team Register, 24 Jan 2003

‘Missing’ Barclays Web site mystery solved

Here's a funny one. Yesterday, we received a stack of emails from readers who swore blind that Barclays' Web site had disappeared. "Nah," we said, "nuffin' rong dis end." Barclays PR bunnies also told us that they were unaware of any problems. Anyhow, it seems there was an incident. Cue this statement from Nominet. "Nominet has confirmed that a small number of .co.uk domain names were temporarily off-line on Thursday. This was as a result of an ISP doing some housekeeping, which unfortunately generated some errors. "As soon as it became aware of the situation, Nominet took immediate steps to help the ISP get the affected web sites up and running as soon as possible in order to minimise downtime and disruption. "Nominet has been working very closely with the ISP concerned to resolve the situation," it said. And the ISP? Here's a brief message from WorldCom. "On the 23 January 2003, WorldCom identified a customer DNS issue. WorldCom engineers have been working with the Global Domain Name Registrar to correct the problem and restore service as soon as possible. For many customers service has been restored and the WorldCom engineering team is working to restore service to those customers still affected." WorldCom won't say which customers were affected, but when we asked about Barclays, admitted that this was one that was hit by the incident. There you go. Mystery solved. ®
Tim Richardson, 24 Jan 2003

UK WHOIS service suspended after rogue attack

Nominet UK was forced to suspend its WHOIS service last night after a rogue attempt to copy the entire registry of .uk domains. Spammers are thought to be behind attempts to copy the WHOIS database, attempts which started last week. Last night, though, the attack was so severe that Nominet - the national Registry for all domain names ending .uk - had no choice but to suspend the service. The service was suspended at 11.00pm and re-started at 7.45am this morning. The attack appears to have originated from outside the UK and Nominet has already made attempts to try and stop those responsible from continuing with the action. In a statement Nominet said: "Late yesterday evening, as a result of a distributed and high volume data mining attempt, we were forced to temporarily suspend our public WHOIS service. The service has since been re-started. "We believe that there is a very persistent person/organisation attempting to gain a detailed copy of the .uk register. This attempt began last week, but increased efforts last night resulted in us needing to take more severe action than previously necessary. "The data mining attempt operates by systematically querying the WHOIS server using whatever WHOIS proxies they can find. The queries normally take place overnight (GMT) with sometimes hundreds of proxies being commandeered simultaneously for this purpose. "We apologise to anyone inconvenienced by these events, but trust that members will understand the importance of protecting the .uk register," it said. Nominet is currently seeking legal advice but is prepared to suspend the WHOIS service again if attacks resume. In a similar event in the late 1990s, Nominet obtained a High Court injunction to prevent someone from copying its registry of domain names. ®
Tim Richardson, 24 Jan 2003
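
Nominet's statement describes harvesting spread across hundreds of proxies, a pattern that a per-source rate limit alone will not catch. The following is an added example, not Nominet's code or part of the original report: it flags time windows in a WHOIS query log where the aggregate traffic looks like enumeration. The log format, thresholds, function names and sample data are all assumptions constructed for illustration.

```python
"""Flag WHOIS query windows that look like distributed registry harvesting."""
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

# Assumed thresholds for illustration; derive real ones from baseline traffic.
WINDOW_SECONDS = 600      # analysis bucket (10 minutes)
PER_SOURCE_LIMIT = 20     # conventional per-IP limit within one bucket
MIN_QUERIES = 200         # ignore quiet buckets
MIN_SOURCES = 50          # many cooperating sources
MAX_REPEAT_RATIO = 0.05   # enumeration almost never asks for a name twice


def parse_line(line):
    """Assumed log format: '<ISO-8601 UTC timestamp> <source IP> <domain>'."""
    stamp, source, domain = line.split()
    return datetime.fromisoformat(stamp), source, domain.lower()


def analyse(lines):
    """Return one finding per time bucket, oldest first."""
    buckets = defaultdict(list)
    for line in lines:
        if line.strip():
            when, source, domain = parse_line(line)
            buckets[int(when.timestamp()) // WINDOW_SECONDS].append((source, domain))
    findings = []
    for key in sorted(buckets):
        events = buckets[key]
        per_source = Counter(source for source, _ in events)
        distinct_names = len({domain for _, domain in events})
        repeat_ratio = 1 - distinct_names / len(events)
        start = datetime.fromtimestamp(key * WINDOW_SECONDS, tz=timezone.utc)
        findings.append({
            "window_start": start.isoformat(),
            "total": len(events),
            "sources": len(per_source),
            "repeat_ratio": round(repeat_ratio, 3),
            # What a per-IP limiter alone would catch.
            "over_limit": sorted(s for s, n in per_source.items()
                                 if n > PER_SOURCE_LIMIT),
            # Aggregate view: high volume, many sources, almost no repeats.
            "distributed_harvest": (len(events) >= MIN_QUERIES
                                    and len(per_source) >= MIN_SOURCES
                                    and repeat_ratio <= MAX_REPEAT_RATIO),
        })
    return findings


def build_sample():
    """Constructed log: a normal daytime bucket and an overnight harvest."""
    lines = []
    day = datetime(2003, 1, 23, 12, 0, tzinfo=timezone.utc)
    popular = ["example%d.co.uk" % n for n in range(10)]
    for i in range(40):                      # 40 ordinary users, 5 lookups each
        for q in range(5):
            t = day + timedelta(seconds=i * 5 + q)
            lines.append("%s 203.0.113.%d %s"
                         % (t.isoformat(), i + 1, popular[(i + q) % 10]))
    for j in range(30):                      # one noisy client over the per-IP limit
        t = day + timedelta(seconds=j * 10)
        lines.append("%s 192.0.2.200 bulk%02d.co.uk" % (t.isoformat(), j))
    night = datetime(2003, 1, 23, 23, 10, tzinfo=timezone.utc)
    for i in range(200):                     # 200 proxies, 3 lookups each
        for q in range(3):
            t = night + timedelta(seconds=i * 3 + q)
            lines.append("%s 198.51.100.%d name%05d.co.uk"
                         % (t.isoformat(), i + 1, i * 3 + q))
    return lines


if __name__ == "__main__":
    for finding in analyse(build_sample()):
        print(finding)
```

In the constructed data the per-IP limit catches only the single noisy daytime client, while the overnight window, in which no proxy exceeds its limit, is flagged by the aggregate test.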

Flaw leaves door open for Trojan contamination

Linux developers were warned yesterday of a potentially devastating flaw affecting Concurrent Versions System (CVS) software widely used by the open source community. CVS, a version control and collaboration system often used in open-source software development projects, is commonly configured to allow public, anonymous, read-only access via the Internet. A "double-free" vulnerability in the Concurrent Versions System (CVS) server means that such limited public access is enough for a skilled, remote attacker "to execute arbitrary code, alter program operation, read sensitive information, or cause a denial of service", according to an advisory by security clearing house CERT. Very nasty. Through this vuln an attacker who is able to compromise a CVS server can contaminate source-code repositories with Trojan code. Fortunately, a scan of the CERT advisory reveals fixes from major Linux disties are already available. Which is just as well: after a succession of Trojanised software distributions last year the last thing we need is another such incident. ®
Related Stories: Popular packet sniffing packages contaminated by Trojan; Trojanized Sendmail distro circulated; Sendmail Trojan looks familiar; OpenSSH trojaned!; How you hack into Microsoft: a step by step guide
External Links: Advisory by CERT and Stefan Esser of German security outfit e-matters, who discovered the vulnerability.
John Leyden, 24 Jan 2003

MS to hire 1,500 sales team to win more server revenue

Microsoft's business customers should brace themselves - the company is attempting to compensate for slowing retail sales of software by pushing sales of bigger ticket items such as network and database software. Historically the company has made most of its profits from the Windows PC 'tax' and from Office sales, and has found server software sales uphill work; but financial imperatives mean this has got to change. One could of course muse that here we have a company that's making so much money that it was recently forced to introduce dividends in order to find something to do with it, and that maybe it would make sense if it didn't have such monstrous profit margins, and didn't therefore face the hassle of having to figure out what to do with it, then the subsequent hassle of figuring out how it can get even more money in order to have to figure... But no, you're right, it doesn't work that way, and we're talking the shareholder expectations treadmill here. Chief financial hamster, John Connors, was on it at an analysts meeting in New York today, and revealed that the company will be hiring a 1,500 strong quota-based sales team to push server and database software. Microsoft has corporate and government operations already, so presumably the new hires will address a rather broader base than the current efforts, and are being seen as helping Microsoft compete more effectively with the sales forces of the likes of Oracle and IBM. Will it succeed? Actually, we'd like to hear more about the remuneration packages intended for these people; traditionally, Microsoft is notoriously cheap, overly reliant on options, and this is not an approach likely to attract the grasping piranha the Is and Os of this world use to leech huge quantities of dough from big business. But it's still feasible for a less skilled set of desperados to beat extra licence revenue out of existing Microsoft shops, so Connors might be onto a winner here anyway. ®
John Lettice, 24 Jan 2003

IPv6 Task Force UK works on five-year plan

A task force has been formed in the UK to promote wider adoption of IPv6, the next generation Internet protocol. The IPv6 Task Force UK, which held its first public meeting at University College London last week, aims to produce a roadmap for IPv6 deployment in the UK. It also wants to educate end users and service providers about the technology and to work with government to shape public policy on the deployment of next-generation Net technologies. IPv6 is designed to replace the current Internet Protocol IPv4, which has a maximum address space of 4.3 billion addresses. In practice, allocation and management inefficiencies mean that far fewer addresses are available for use, so the transition to IPv6 must happen before the increasing number of mobile devices and suchlike eats too far into the address space available with IPv4. IPv6 features better support for next generation Internet services and applications on mobile, wideband and multi-media networks. Also, the security architecture of IPv6 is superior - bringing another advantage for the deployment of the protocol. According to Christian de Larrinaga, Director of the IPv6 Task Force UK, IPv6 deployment in the UK is very much the exception rather than the norm. Most IPv6 networks in the UK to date are confined to research networks. Awareness has to be built about the importance of IPv6, and a convincing business case put forward to ISPs to speed deployment of the technology, IPv6 Task Force UK says. ISPs should deploy dual stack (IPv6 + IPv4) networks and upgrade routers to deploy the technology from the ground up. IPv6 has advantages for technologies such as 3G mobiles, P2P networks, streaming media, IP telephony and home networks. However, few software apps specific to IPv6 have been written, because of the lack of IPv6 networks. "It's something of a chicken and egg situation," de Larrinaga concedes.
IPv4 commonly applies Network Address Translation so that all the devices behind a firewall present the same IP address to untrusted networks. This approach has disadvantages for next generation mobile phone technologies like Session Initiation Protocol and as more such shortcomings become apparent, the case to embrace IPv6 will become all the stronger, de Larrinaga argues. Many countries are starting to deploy IPv6, including the UK's major trading partners and competitors, hence the need for the UK's Internet industry to act or risk getting left behind. de Larrinaga reckons the move to IPv6 will be gradual rather than a "big bang" and will happen as end users find a need to run applications that run on IPv6. Widespread IPv6 deployment will probably take five years, he suggests. The Task Force is an independent locally self-funded activity associated with leading IPv6 experts and organisations globally, including the European Union IPv6 Task Force Phase II programme. ®
External Links: The UK IPv6 Task Force (which has fittingly placed most of the proceedings from its first meeting on the Web)
Related Stories: Commission calls for Euro push on IPv6; Cisco takes IPv6 closer to the mainstream; LINX upgrades for soaring UK Net traffic
John Leyden, 24 Jan 2003

Cisco buys behaviour blocker

In Brief: Cisco Systems is to acquire security firm Okena in a $154 million all-stock deal. Okena's technology takes a behaviour-based approach to blocking malicious activity on servers or desktops. The technology is positioned as a complementary addition to traditional signature-based anti-virus software. According to Cisco, Okena's software aggregates and extends multiple endpoint security functions - Host-based Intrusion Detection (HIDS), distributed firewall, malicious code protection and operating system lockdown - in a single package. The acquisition is expected to close in Q3, when Okena's 52 employees will join Cisco's Virtual Private Network and Security Business Unit. Cisco expects to take a one-time charge of less than $0.01 per share in acquiring Okena. ®
John Leyden, 24 Jan 2003

'Practical TCP/IP' at 30 per cent off

To kick off the new year in style, Register associate IT-minds.com is bringing you a huge discount on Practical TCP/IP - the only book you'll need to follow to ensure that your networks work. Based on years of practical experience, this hands-on guide explains the principles of networking, and the TCP/IP protocols in depth. Covering both Linux and Windows, Practical TCP/IP is applicable to just about any network. "It does exactly what it says on the box - and more. This book builds up a picture of how and (more important) why an IP network should be administered. Perhaps its most distinguishing feature is its scope. Because this book gives the full, end-to-end operational detail, it is ideal for anyone who is concerned with delivering and supporting real services. "This book adds to the current reference bank by illustrating IP networks rather than just explaining them." Mark Norris, Telecomms Consultant and author. You can also benefit from a 30 per cent discount on the following books this week: Practical TCP/IP; Multimedia Databases; Thinking in Java; Security in Computing; Mac OS X Unleashed; Special Edition Using MS .NET Enterprise Server; J2EE Web Component Developer Exam Cram 2; Struts kick Start; Sams Teach Yourself PHP and MYSQL & Apache; MS SQL Server Unleashed. And don't forget you can still get ALL other books from IT-minds.com at a 20 per cent discount! ®
Lester Haines, 24 Jan 2003

UK distie fights Cisco injunction

A Shropshire distie is threatening to report Cisco to the DTI for uncompetitive behaviour after the networking giant's lawyers began moves to stop it selling kit from Chinese equipment manufacturer Huawei. Spot Distribution's robust response comes after receiving a "cease and desist" letter from Cisco for distributing Huawei products that allegedly copy Cisco's intellectual property. In a parallel move, Cisco yesterday announced it had filed a lawsuit in Texas alleging that Huawei "unlawfully copied and misappropriated Cisco's IOS software, including source code, copied Cisco documentation and other copyrighted materials, and infringed numerous Cisco patents." Cisco's accusations against Huawei are unusually detailed. Amongst other things, it alleges the operating system used by Huawei's Quidway routers and switches "contains a number of text strings, file names, and bugs that are identical to those found in Cisco's IOS source code". Spot Distribution claims Cisco's actions against it and Huawei are unfounded. Huawei has not stolen Cisco's technology, it says, arguing that the networking giant is running scared of its competition. In a statement issued today, George (Georgina) Wellings, a director at Spot Distribution, stated: "On inspecting the Huawei manuals we have in stock, it appears that Spot Distribution Ltd has no case to answer." "We hope this attempt to prevent the distribution of Huawei products is not just the result of a major manufacturer running scared of the competition." Casting herself in the role of David (Davina?) against Cisco's Goliath, Wellings is reaching for her slingshot. "It is our intention to refer this matter to the Office of Fair Trading and DTI to ensure there has been no attempt to act in an anti-competitive manner," she added. We wanted to discuss the legal basis of this unorthodox move with Spot Distribution (along with other matters), but no directors were available for comment at the time of going to press. ®
Related Stories: Cisco sues Huawei over IP 'theft'; Conspiracy to create 'Cisco of China'
John Leyden, 24 Jan 2003

DoD offering admin privileges on .mil Web sites

Care to register a .mil Web site of your own for free? The DoD has gone out of its way to make it a snap. An unbelievably badly-protected admin interface welcomes you to register whatever domain you please (http://Rotten.mil anyone?), or edit anything they've already got. The interface is so ludicrously unprotected that it's been cached by Google and fails to mention that you must be authorized to muck about with it. Incredibly, default passwords are cheerfully provided on the page. Following an anonymous tip from an observant Reg reader, we've encountered the page in question in the Google cache, and after a bit of our own poking about have also discovered an equally unprotected (and Google-cached) admin interface encouraging us to add a new user, like ourselves, say, which requires no authentication. All you have to do is find that page and you can set yourself up with a user account, manage your new .mil Web site, fiddle about with other people's .mil Web sites, and generally make an incredible nuisance of yourself. We are, of course, straining against every natural, journalistic impulse in our beings by neglecting to mention any useful search strings with which to find it. Another unprotected and cached page, this one discovered by our tipster, lists traffic to a major DoD Web site by URL/IP address. This worries us because it may list .mil sites and networked DoD machines that are not public, not hotlinked anywhere, and which might contain (or be networked with other machines that contain) sensitive data. Merely knowing that all those URLs and IP addys are valid and owned by DoD would give a significant advantage to attackers by narrowing their target area dramatically. We have e-mailed the person who manages these sites - twice in fact - but so far have not been graced with a reply. We were hoping that they might be inclined to fix this mess quickly so that we could safely include the details in our report. 
Unfortunately we have to withhold them until we're confident that these security snafus are under control. Ironically, US Defense Secretary Donald Rumsfeld recently ordered DoD to purge military Web sites of information that might benefit evildoers. That's all well and good, but it might behoove the DoD to stop offering them admin privileges first. ®
Thomas C Greene, 24 Jan 2003