14 February 2003 Archive

Make Love To Your IT Manager on Valentine's Day

Microsoft is appealing to computer users to save their IT Managers' heartache this Valentine's Day by...being vigilant and guarding against computer viruses. It does this through a press notice titled: Microsoft Launches Nationwide Appeal to UK Businesses: "Make Love To Your IT Manager this Valentine's Day". Unfortunately the attached notice fails to live up to this headline (how could it?). And no, it isn't an injunction to initiate bacchanalian orgies in the server room. Instead we get the annual advice to be wary of unsolicited - possibly viral - messages posing as lovers' greetings. How disappointing.

The threat that MS highlights is real enough, as the Love Bug virus and the greeting cards scam show. Disguising viral code as messages of lurve has become a very common trick. So let's be careful out there.

Some more St. Valentine PR stunts

Virgin Mobile offers us a survey saying the person British males would most like to have "text sex" with is Kylie Minogue. Cameron Diaz and Britney Spears also have plenty of text appeal to men, the survey found. Women quizzed during the survey rated Robbie Williams as Britain's sexiest text prospect, with Brad and George Clooney also popular choices among women for a spot of flirty text messaging. This enjoyable nonsense about text sex fantasies allows Virgin to plug a charity Valentine's Day Ball, and to mention that Britons send more than 50 million text messages a day! Oh matron!

Meanwhile the "anticipated surge in network traffic caused by Valentine's Day gift purchases" calls for more robust networking infrastructures, we're told. Yes, you've guessed it, this comes as a plug for Israeli application switching vendor Radware. Sounds like just the right present for Kay Hammond, the dot com founder who gained notoriety by running an auction for her hand in marriage last year. Last we heard, Kay was still single... ®
John Leyden, 14 Feb 2003

Nintendo games seized in Chinese piracy raids

Authorities in southern China have recovered around 300,000 counterfeit Nintendo games in factory raids, including copies of the recently released Pokemon Sapphire and Ruby for the Game Boy Advance. This latest batch of raids - on factories in the Guangdong province, which borders the notorious piracy hotbed of Hong Kong - marks one of the most successful operations ever against Nintendo pirates. Last year over a million counterfeit Nintendo games were recovered over the course of 135 raids.

Nintendo estimates that it lost around $649 million worth of sales last year through counterfeiting of its products, much of which takes place in China. The company has traditionally been heavily targeted by organised pirates, although it's not thought that any piracy groups have yet managed to duplicate GameCube discs successfully - choosing instead to focus on the significantly easier to duplicate GBA cartridges. © gamesindustry.biz
gamesindustry.biz, 14 Feb 2003

Microsoft returns to form with InfoPath

Microsoft has unveiled a new XML-based product for the Office group which allows users to build dynamic forms to share with clients and colleagues. InfoPath, formerly codenamed XDocs, is a client application that combines traditional word processing programs with the data-capture capabilities of a forms package. Based on XML, InfoPath will supposedly also enable this data to be re-used within teams, across a business or by outside parties.

Microsoft demonstrated the software's capabilities at a recent US healthcare conference. The software giant showed how InfoPath forms can be used to route data using the Clinical Document Architecture (CDA) format, an XML standard adopted by health care organisations to exchange data. InfoPath, Microsoft said, can save its forms in CDA-compliant format, which in turn can be read by back-end systems such as hospitals, Web services, portals or document-management software. For instance, a doctor filling out an InfoPath-made diagnosis form could pull information from an external database to pinpoint the medication covered by the patient's insurance, check for potential interactions by polling the patient's file, and submit the order to the patient's pharmacy.

According to Microsoft, the product should also appeal to businesses because it will let workers with no real knowledge of XML create rich-data forms to record, store and retrieve information more efficiently. "InfoPath enables business to gather more than just raw data. They can enter additional details to provide the data with context," remarked John Vail, director of the information work categories team at Microsoft. "So rather than looking simply at a big spike or drop in sales for a particular region, for example, you can collect data that provides more of an explanation for why your sales have been affected, so you can mine, re-use and analyse your data more effectively." However, using InfoPath may not be suited to all organisations.
According to the Chief Technical Officer of Irish integration firm Propylon, Sean McGrath, InfoPath will not automatically allow users to exchange data within and outside of their enterprise. "Just because InfoPath is based on XML does not mean that there will be a seamless exchange of information. Groups of users will either have to have the InfoPath tool set or agree to use a standardised XML language. Getting that kind of agreement when several parties are involved can often be difficult," said McGrath.

Microsoft's lead product manager for the information worker productivity group, Dan Leach, said in a recent Information Week interview that this issue was not a major concern because InfoPath also supports ADO (ActiveX Data Objects), which will allow organisations not using XML to benefit from the new application. Despite this possible restriction, McGrath believes that InfoPath will be a success. "It will make it easier to develop interactive forms, which up to now has been a lot harder than was necessary," he remarked.

Microsoft's backing of InfoPath is also likely to hamper the adoption of the World Wide Web Consortium's XForms 1.0 standard. According to the consortium, XForms allows authors to choose the mark-up language of their choice - XHTML, SVG or XML - when developing forms that can be viewed on a variety of devices. Pricing for InfoPath has yet to be released and Microsoft has still to confirm whether it will be bundled with the next version of Office, Office 11, although this is expected to be the case. © ENN
ElectricNews.net, 14 Feb 2003

Reg is UK's No.1 IT news site – official

It's official: The Register is the UK's No.1 UK IT Media website. Q4 2002 figures from industry monitors Hitwise confirm that the Runaway Reg lassoed the lion's share of UK readers in this category between October and December 2002. Hitwise monitors the daily Internet usage of more than 7.6 million UK internet users to provide website rankings in over 150 industry categories. Their figures prove what legions of loyal El Reg readers already know; but after this brief fanfare of trumpets, rest assured that there will be no resting on laurels at Vulture Central. Our commitment is to continue to deliver the best IT news and analysis on the Web. Remember, you read it here first. ®
Team Register, 14 Feb 2003

Jedis reach the stars in UK census

More than 390,000 people in the UK claim to follow the Jedi way, according to the 2001 Census. The figures revealed that 0.7 per cent of the UK population gave their official religion as Jedi, following a massive campaign to try and get it recognised. At the time the issue caused a jolly great deal of fuss as deadly serious civil servants tried to comprehend the wave of interest. Even now, officials are describing the inclusion of Jedi as a religion as "not a serious answer". Of course, they won't be saying that when some "death star" parks itself in the Earth's orbit. Anyhow, Jedi hotspots in the UK include Brighton and Hove (6,480), Manchester (5,476) and Wandsworth (5,024). The "Force" does not appear to be strong in Merthyr Tydfil, Blaenau Gwent and Wear Valley. ®
Tim Richardson, 14 Feb 2003

New Linux support policies are ominous

Opinion

Red Hat and Mandrake are cutting support for older versions of their Linux distributions... The results will be a security nightmare for the Internet, says Jon Lasser.

Open source opponents have for years warned, "You get what you pay for." Now some Linux distributors are planning to make good on that threat. Red Hat and Mandrake's recently-announced revised support policies might spell the end of the free ride for many companies using Linux.

The policies are straightforward: Red Hat will support their regular distributions for twelve months from initial release. Red Hat's venerable version 6.2 will be retired on March 31st along with version 7.0. Versions 7.1 through 8.0 will expire on December 31st. After the expiration date, security patches will be provided at Red Hat's discretion only.

Mandrake's new policy is similar, though a little more confusing: Mandrake will support "desktop components" of any new distribution for twelve months, and they'll support "base" components, including the kernel and Apache, for eighteen months. Which category the other packages fall into remains to be seen. Mandrake 7.2 and 8.0's desktop components are immediately unsupported, while their base components will be supported until March 31st. Mandrake will drop support for 8.1, both desktop and base packages, as of March 31st as well. Version 9.0's end-of-life dates are September 30th and March 31st of next year.

How you interpret these announcements depends on what hats you wear: I didn't know whether I should laugh, cry, or cheer. As a systems administrator, my first reaction was definitely to cry. Vendor-provided security patches are, unfortunately, the lifeblood of distribution support. Without well-integrated and well-tested patches, maintaining a Unix server takes a lot more work: you have to track every installed package on your system and rebuild necessary subsystems whenever a patch is released.
Though users of commercial Unix distributions have been doing this for years, users attracted to Linux's relative ease of use and maintenance frequently don't have the technical skills to keep up while not falling behind on other important tasks. Without these vendor-provided patches, most Linux users -- and even many professional system administrators -- will have trouble keeping their systems safe.

Twelve or eighteen months is nothing in the life of a production server. In many shops it can take more than six months to certify an application for use. In such an environment the install-test-release cycle would be constant. Furthermore, servers are often hard to update: permissible downtimes may be rare, and co-located servers are even more difficult to handle.

Two Weeks Notice

On the bright side, at least Red Hat and Mandrake have policies that will allow me to plan, or to make other arrangements. I still have a bad taste in my mouth from the Debian 2.1 support debacle. On September 14th, 2000, the Debian project announced that, as of September 30th, support for Debian 2.1 would be dropped entirely. Two weeks notice is simply not enough time to do even minimal testing before updating a production server doing anything more complicated than serving static Web pages. Furthermore, Debian 2.2 had been released on August 14th -- only one month earlier.

I know that Red Hat and Mandrake have important reasons to limit support for older operating systems: first, open-source software has an unfortunate tendency to live forever -- many users are still relying on versions of Red Hat even older than 6.2, and supporting these primordial distributions is expensive. The QA and build machines need to be supported, and developers must be diverted from more forward-looking tasks. Given that Linux distributors make little money supporting these older releases, dropping patches must seem like a no-brainer from their point of view.
And to their credit, both companies have different rules for "server-class" products: Red Hat will support their Advanced Server for five years, and Mandrake's policy states that server software will be supported for "no less than twenty-four months." Red Hat and Mandrake are clearly banking on support contracts and installations of their advanced server products to generate revenue. It's not unreasonable to expect people who want commercial quality support to pay for it.

But as an advocate for better computer security, I'm nearly panic-stricken over this move. In the short term, at least, this will be a big negative for practical security on the Internet. Old software doesn't go away just because it's no longer supported, and with network operating systems the consequences could be drastic. Those systems will be sitting ducks for vulnerability scanners, and the size of distributed denial-of-service networks may grow exponentially as a result.

Silver Lining?

After all, many users have come to rely on the auto-update mechanisms provided by vendors, such as Red Hat's up2date tool. When Red Hat's support for 7.3 goes away, tens of thousands of users will have no automated way to apply third-party security patches to the base OS.

As an open-source advocate, I must say this problem is also an opportunity. We have a large base of commonly used open source applications, and we now have to develop support mechanisms that do not rely on a single commercial vendor. Although up2date is closely tied to Red Hat's proprietary Red Hat Network support offering, an up2date server clone is under development. Its feature set is rather limited at present, but Red Hat's new support policy will undoubtedly drive many users to run their own patch servers. Another tool that could be used is Conectiva's port of Debian's apt package management front-end to Red Hat's RPM format. Running an apt repository is not difficult and provides an excellent mechanism for continued security updates.
All that is necessary is continued community support for the orphaned distributions, in the form of well-managed projects that follow security updates for core OS components, and then build and extensively test new packages on the target platform. If you think that this sounds like an opportunity for third-party support vendors, you're right about that, too. I suspect that Tummy.com's KRUD distribution, which provides monthly updates to a Red Hat-based system, will gain quite a number of customers. I know of at least one other vendor who is considering a Red Hat support offering including packages for older Red Hat versions.

Open source proponents have long claimed that our community can provide better support than any commercial vendor can. Now we'll have to prove it. © SecurityFocus Online

Jon Lasser is the author of Think Unix (2000, Que), an introduction to Linux and Unix for power users. Jon has been involved with Linux and Unix since 1993 and is project coordinator for Bastille Linux, a security hardening package for various Linux distributions. He is a computer security consultant in Baltimore, MD.
Jon Lasser, 14 Feb 2003

MS Product Support worthy successors to Donne & Milton

You've got to hand it to Microsoft Product Support Services - when it comes to fluidity of prose they'd certainly give Donne or Milton a run for their money. Indeed, try this worthy successor to the classic "No man is an island, entire of itself", found in Microsoft Knowledge Base Article 325331:

A Connection Manager Connection Does Not Connect After Being Disconnected

Breathtaking. But what, you might ask, has provoked this magnificent linguistic flourish? Brace yourselves:

After you disconnect from a virtual private network (VPN) connection that was created by using Connection Manager, you cannot connect again if you are not a member of the local Administrators group. This behavior affects connections that dial the Internet and then create a VPN connection. In the Network Connections window, the icon shows that the connection is in the Disconnecting state.

Terrifying. But before you start running around like headless chickens panic buying gasmasks and taping up your basement windows, rest assured that MS has dealt with this potentially life-threatening glitch:

Microsoft has confirmed that this is a problem in the Microsoft products that are listed at the beginning of this article. This problem was first corrected in Windows XP Service Pack 1.

Phew.

Bootnote

Those readers who wish to see just how far MS has pushed back the envelope of English can read the original in all its glory here.
Lester Haines, 14 Feb 2003

Orange launches flat rate GPRS billing for business

Orange yesterday announced a flat rate GPRS business pricing package, designed to help drive the adoption of high speed mobile data services across the UK. The mobile operator says offering a flat rate means businesses know exactly how much their bills will be each month, and that the approach will provide savings over current GPRS tariffs because Orange customers can average out the allowance of data usage across their entire workforce, accommodating both high and low users.

In conjunction with the new pricing structure, Orange is launching Office Freedom, a service tailored to mobile workers who need to access business email on the move. The flat-rate pricing also applies to Orange's Wirefree server, Internet or Intranet access and leased line GPRS access packages. For Orange Office Freedom (which provides wirefree email access to Microsoft and Lotus Notes) the all inclusive flat rate price has been set at £30 per user per month. Orange Wirefree Server (mobile access to Microsoft Outlook) will cost £25 per user per month. GPRS Business Internet costs £45 per user per month. Pricing for GPRS Business LAN depends on the bandwidth provided, but again is priced on a flat rate basis. For a 128K leased line, for example, GPRS costs £2,800 per month, regardless of the number of users or data transferred.

All these GPRS tariffs are based on a fair usage policy. However, this usage is averaged out across all end users in an organisation, so problems are less likely. Orange also says it won't cap people, but will talk to customers about the level of package they're on if they regularly exceed the usage limit over a sustained period. By 2005, Orange hopes that a quarter of its revenues will come from mobile data services.

News of Orange's plans to make GPRS packages more attractive to businesses comes as a report by Credit Suisse pours cold water on the success, thus far, of Orange's much-anticipated SPV smartphone.
Credit Suisse writes: "Orange took a view in late 2002 that the Microsoft-powered SPV with its advanced features would be a tangible advantage. However, the device appears to still suffer software teething problems and only 40,000 have been sold. "While Microsoft-powered devices may become ubiquitous, we think there remains a risk that the SPV as a mover may be a white elephant for the operator." Ouch. ®
John Leyden, 14 Feb 2003

Former Orange person charged with voucher theft

A man is to appear at Teesside Crown Court next month charged with fraudulently obtaining more than £9,000 in mobile phone vouchers while working at Orange's call centre in Darlington. The man from Yorkshire was granted unconditional bail by magistrates in Darlington, according to a report by the Northern Echo. ®
Tim Richardson, 14 Feb 2003

Legal action mulled over NTL BB cap

Angry NTL customers are considering legal action over the cableco's decision to cap its broadband service. The Register understands that lawyers are currently examining the possibilities of setting up a "group action" against the cableco. The fact that a legal team is mulling court action shows the depth of feeling among customers and is a sure sign that the row over the 1 Gig/day capping is unlikely to fade away quietly.

A week after NTL sneaked out news that it is to cap its broadband service, it still remains unclear whether there has been any sizeable protest against the cableco. According to those behind the Don't-pay-NTL protest site, some customers have been distributing leaflets in supermarkets and other areas warning people about NTL's broadband cap. It's also understood that the BBC's consumer affairs programme, Watchdog, is on NTL's scent. And The Register is aware that some people have cancelled their subscriptions today, although at this stage it's still unknown whether such planned protests have had any major impact on the cableco. ®
Tim Richardson, 14 Feb 2003

Locust preps GPRS salvation plan

The founder of Locust has devised a cunning plan to save the popular text messaging community, following Orange's decision to withdraw support for the service at the end of March. In 2001 Orange announced it was dropping its Talk 60 Text 1500 tariff, which let organisations send large numbers of text messages for only £60 a month. This was bad news for Locust because it meant that members would have to pay for every text they received. The change put the future of the six-year-old mobile community in jeopardy.

However, following pressure from members and Locust's founder Jon Anderson, Orange agreed to continue supporting the service with the help of the mobile phone company's R&D unit, OrangeImagineering. In a deal cut in December 2001, OrangeImagineering agreed to support Locust while working on joint research in online mobile communities. Locust members thought the deal had secured its long-term future. So they were shocked by news last week that OrangeImagineering was to sever the relationship from the end of March. According to Orange, OrangeImagineering stepped in always on the understanding that this was to be a short-term arrangement. The firm strongly denies accusations that it had supported Locust only for as long as it took to set up rival services.

Alternative futures

Be that as it may, Locust has been left looking for alternative ways to deliver text messages. With the lack of support for 'WAP push' message delivery on UK networks, Locust founder Jon Anderson began looking to a system based around GPRS. A recent poll of the Locust community showing that 50 per cent of users have a GPRS handset suggests this approach is viable. Earlier this week Anderson announced a deal with Fastxt that could allow the Locust community to be restructured around GPRS. Although the Fastxt platform currently runs only on Symbian-enabled mobile phones, such as the Nokia 7650, the idea has potential.
It is possible to send and receive messages, even if you don't have a Symbian phone, as Anderson explains in a message to users. "Fastxt is a least-cost router for mobile messaging. When you send a text message via Fastxt, rather than go via your talk plan, the message is relayed via GPRS and delivered by Fastxt to the other party. If the receiver is also a Fastxt user, the message is delivered over GPRS, with a significant cost saving," Anderson writes. "At the moment you need a Symbian enabled phone, but the software is also being developed to run on many of the other new phones. If you don't have a Symbian phone, you can still use Locust via the WAP / GPRS gateway and via the PC control panel and the AOL or MSN instant messenger links. This is just a way to get all the features of SMS, only without using SMS."

The Fastxt service costs £5.99 per month, in a package which includes 100 SMS messages per month. Locust used to charge a flat rate of £3 per month. "While I transition to a GPRS business model, the service is currently free and the text messaging component will work up until the 31st March," Anderson tells us. "I'm encouraging as many people as possible to try it out," he adds. So far, the feedback is largely positive though some subscribers say that the service will be of no further use to them if Locust ceases to be available via SMS. Anderson argues Locust's future is not through SMS. "Text messaging is now too expensive. The rates for bulk and customer SMS have risen consistently over the last few years. This ultimately makes Locust unviable through SMS," he told us. ®
John Leyden, 14 Feb 2003

WLAN security still dismal – survey

The security of London's wireless networks remains pitifully slack. The second annual survey of WLAN security revealed the number of wireless networks deployed in businesses across London has grown 300 per cent in the past year. However the increased popularity of wireless networks hasn't been matched by realisation of the importance of extending proper security policies to WLANs. The RSA-commissioned survey suggests that London businesses are becoming even more vulnerable to malicious hacking because of slack WLAN security. Possible risks include:

- Computer eavesdropping on company secrets
- Network disruption
- Launching denial of service attacks using the cover of the unsuspecting company

With a hand-held scanner, researchers were able to pick up information from company wireless networks by simply driving around the streets of London. The research identified that 63 per cent of the networks surveyed were left on default configuration, clearly identifying the company owning the data and where it was coming from. The overall security picture has barely changed from last year when, using the same methodology, researchers found 67 per cent of London companies surveyed left their wireless networks poorly secured against potential attack.

Tim Pickard, strategic marketing director, RSA Security says: "We have seen a proliferation of the use of wireless networks around London, but the steps taken to secure these networks are still woefully inadequate." "The research shows that many organisations are now at least encrypting their company data by securing wireless networks with virtual private networks but the problem has shifted to other areas." Among the problems highlighted by the survey are:

- Failure to effectively encrypt data travelling across wireless networks.
- Equipment left in default configurations.
- Insufficiently secured wireless network access points, potentially allowing crackers to set up rogue access points to capture company information.
- Failure to secure data on wireless enabled laptops.

Independent security consultant Phil Cracknell, who wrote the report, comments: "Researchers stuck to the strict letter of the law in carrying out this survey and did not access any specific data but others clearly may not. "Hackers could easily use this access to conduct cyber crime or to launch hacking attacks on other companies with complete anonymity." ®
John Leyden, 14 Feb 2003

CA clears way for CleverPath 4.5

Press releases are supposed to be nice, simple introductions into whatever a company is doing next, that the man on the Clapham Omnibus can read and understand, writes Phil Howard. Imagine my perplexity therefore, when Computer Associates issued a press release on February 4 entitled CA announces CleverPath "Information in Action", which I totally failed to understand.

CA defines what it means by "Information in Action" - as "a next-generation blueprint for enterprise business intelligence that transcends traditional content portals to enable high-value analysis and decision-making capabilities across enterprise information assets and business processes". Not only does one get the impression that some punctuation might be missing but one also has to ask: what does it mean? What, actually, does it tell you? I think the answer is clear: absolutely nothing.

Subsequently, the press release explains (huh!) that "Information in Action" is based upon "CA's unique Information Delivery Maturity Model, which identifies four progressive stages in the evolution of information delivery systems". Aha, now we're getting somewhere. Well, actually, no. Just when you thought that they were going to explain this thing by means of the "Information Delivery Maturity Model" (whatever that is), they promptly change the subject. Who wrote this anyway?

As you can tell, I was less than impressed with this press release. So, as a public duty, I have been to see Computer Associates to find out what this is all about. And, actually, what the company has to say is quite sensible. As surmised, it is based on the (unexplained) Maturity Model. What this is in practice is a view of the degree of maturity of enterprise portal users. Most companies start off in the position that they simply have a glut of data and that they are wasting their time getting to the data that they want to see. This is what CA calls Level 1 maturity. It's hardly rocket science to correct the problem, because the data is all there; access to it just needs to be organised.

The next stage of maturity (Level 2) goes beyond data to information. Users don't just want access to raw data but they want to refine, analyse and sort their data using business intelligence and content management tools from within their portal environment. Level 3 moves a stage further, beyond data and then information, to relevance. So the key thing here is that information is presented only to those users who need it, and not to those who do not. Finally, Level 4 includes the automation of repeatable actions within the portal, for example when alerts are triggered or exceptions flagged.

Now, doesn't that make sense? And it's not really hard to explain. So why couldn't CA do that? Anyway, enough carping - well, almost enough - what the press release also doesn't tell you is that the UK launch of the new products (see below) is 19th February, not the date on the actual press release.

To return to business: the gist of the press release is that the company has announced the availability of CleverPath Portal release 4.5, CleverPath Aion Business Rules Expert 9.5, and a number of new options for the portal including collaborative, advanced access control and dashboard capabilities. However, what is not mentioned is that CA reckons that it is the only portal vendor which can provide solutions at all the levels within the Maturity Model and that it is the only company that can easily migrate customers from one level to the next. Actually, this isn't quite true. Software for Level 4 support is only alpha code right now, but the prospect of automating business rules tied to event monitoring from within the portal will be attractive to advanced users. CA has a good story to tell here: it's a shame that it was ruined by its press release. © IT-Analysis.com. Phil Howard's biog is here.
IT-Analysis, 14 Feb 2003

Symantec PR bunnies score Slammer own goal

Symantec says it discovered the prolific Slammer worm "hours before it began rapidly propagating". The claim, contained in a press release extolling the company's DeepSight Threat Management System, suggests that Symantec notified its own customers of a serious threat hours before the wider Internet community knew anything was amiss. Wired takes Symantec to task for this apparent lapse in ethics. Symantec spokesman Yunsun Wee told Wired that it issued an alert about Slammer to its early warning list subscribers "at approximately 9pm PST on Friday, January 24." News of the worm began to filter onto security mailing lists at 10pm PST, the magazine reports. Well-established practices among AV vendors call for virus samples to be rapidly exchanged between rival vendors, so that users can be protected as soon as possible.

But did Symantec really sit on the problem? The company's claims are inconsistent: a Silicon Defense analysis shows that Slammer infected more than 90 per cent of vulnerable hosts within 10 minutes. This analysis is supported by first-person accounts of telecom security experts contacted by us, as well as security consultant Robert Graham's excellent review of the spread of the worm. So we think this is more a case of Symantec shooting itself in the foot with inflated marketing claims for its early warning service rather than anything more sinister. If it knew about Slammer before everyone else (which is questionable) then we doubt it knew it was anything like as vicious as it turned out to be. At least we hope so, but without being able to discuss the sequence of events or Symantec's wider alerting policy with anyone from the company it's hard to know for sure.

Despite numerous calls to Symantec today the best its UK staffers could do was to point us towards its press release. Pathetic. Promises that its US team would be in touch came to nothing, but once they get in touch we'll be sure to update this story with what the company has to say. ®
John Leyden, 14 Feb 2003

Spam Arrest denies sending spam

Anti-spam outfit Spam Arrest uses opt-out marketing practices which look just like spam! Users who wish to send a message to Spam Arrest's customers must enter a keyword, as part of the sender-verification scheme. This ensures a person - and not a spam programme - is sending a message. When email senders do this they automatically get an unsolicited message which pitches Spam Arrest's services. There's no warning notice that this will happen, certainly not in Spam Arrest's FAQ. The issue has been taken up in Declan McCullagh's Politech mailing list.

Spam Arrest defends its practices, which it says are ethical. It argues that its marketing messages have a valid return address, a clear subject line and a functioning opt-out link. It states that the opt-out link is safe and "the only sure way to remove your address from receiving future spam arrest promotions." But isn't this exactly the claim spammers themselves often make in trying to entice people to confirm that spam email has been received? ®
John Leyden, 14 Feb 2003