
e-Govt not solving ‘digital divide’, says NAO

The UK Government needs to do more to prevent the "digital divide" widening still further, according to the National Audit Office (NAO). In particular, it warns that older people could be left behind as the Government presses ahead with plans to wire up government services and departments. A report, due to be presented to MPs today, finds that many government departments and agencies are taking steps to make their Web sites more 'user friendly', especially for older people. However, it points out that these improvements aren't up to scratch with many government Web sites still not using design features that would make it easier for older people to use them. And following a review of some 65 Web sites - all of which were found lacking - the Office of the e-Envoy has now begun work to make them more useable. The NAO also reckons more needs to be done to encourage older people to use government e-services if those services are to provide value for money. In a statement the head of the NAO, Sir John Bourn, said: "Older people are major users of public services but, as a section of society, are far less likely to access those services electronically. "If government is to take full advantage of the potential of technology, it must make sure its e-services are accessible to all and work to avoid a 'digital divide'. "More older people would be willing to use new technologies if they saw the benefit to them of doing so," he said. The government expects to invest some £6bn in e-services by March 2006 to ensure that all of its services are available electronically. The report points out that while steps have been taken to encourage people to use e-services, it needs to be more proactive to tackle the dangers of a "digital divide". ®
Tim Richardson, 20 Feb 2003

Future fuzzier for Mac, Linux as MS buys Connectix tech

Linux fell off the roadmap yesterday when Microsoft announced it had bought Connectix's virtual machine technology, and in characteristic style pitched it as meaning that existing Windows users would now be able to upgrade faster to new versions by running old Windows virtually on new Windows. Products differently-purposed from Connectix's Virtual PC for Windows would therefore seem to us to stand in some considerable peril, particularly as there is at least a suggestion that Microsoft plans to roll the technology into the operating system. Connectix currently runs on two basic host platforms, Mac and Windows, and allows you to run various other operating systems on those platforms. Virtual PC for Mac is intended largely to allow Mac users to run Windows applications, while the PC variant enables a bunch of other stuff, including Linux - read up on it while you still can - and OS/2. In addition, the company has Virtual Server in the works, and this is probably one of the more important reasons for Microsoft spending its pennies. Says MS: "Virtual Server addresses customer demand for an application migration solution based on virtualization and supported by Microsoft. In addition, it provides significant cost efficiencies by consolidating multiple Windows NT 4.0 servers and their applications onto a single Windows Server system. The Virtual Server product is undergoing beta testing and is expected to be released before the end of 2003." We're quite taken with this as a solution to the problem of pesky customers who just won't migrate from NT. Now, instead of stamping around bitching, they install Windows 2000 Server and then install all their old NT server licences on the same huge box. Are we overly suspicious in thinking it might - for mysterious reasons - turn out only to work on the 2003 edition? Whatever, the licensing Ts & Cs should prove interesting, and we look forward to seeing them.
One of the supporting soundbites from Microsoft partners, which the marketing people seem to have given up on and just called Supporting Industry Quotes this time, may be ominous for the non-Windows (i.e. Mac) varieties. "We are pleased that Microsoft is incorporating this capability into its operating system, and we look forward to leveraging it to create additional value for our consolidation clients," says Wayne Carpenter of Unisys. If this is really true, then it becomes first and foremost a Windows technology, and the Mac products move into the legacy department, with their air supplies increasingly vulnerable. The product roadmap currently offered isn't likely to inspire confidence either. "Microsoft will continue the development of virtual machine solutions from Connectix and will integrate them into the Windows and Mac product portfolios." Which is a 'don't worry' message to Mac users, but we caution them to worry anyway. "During the transition period, Connectix will continue to sell and support Virtual PC for Windows, Virtual PC for Mac and Virtual PC for OS/2 products through its current distribution channel partners. Virtual Server will be available as a preview release on the Microsoft Web site April 15." The length of the transition period is unspecified, and we think the message to take away is that Connectix has a specific deadline to stop selling these, after which...? It is commendable that Microsoft has relatively recently been able to bring itself to use the O word, but time is a great healer. No such luck with the L word, but its absence from the roadmap quite possibly doesn't make a whole lot of difference. We can't help noticing that the "Buy Now" panel seems absent from the Connectix for Linux page, and a cursory glance leads us to believe the channel is not exactly stuffed with copies.
So we'd conclude that the Connectix-Red Hat deal of a couple of years ago has quietly passed away, and that any Virtual PC users wanting Linux are just having to figure out how to install it themselves. Pity though, because being able to buy an OS pack to go with the software is obviously a pretty easy way to try out a new OS, and also a pretty good reason for Microsoft not to think it a good idea in the case of Linux. Does Microsoft's acquisition of virtual machine technology have any other relevance? Well, what about Xbox? Microsoft hasn't managed to displace PS2, and once upon a time Connectix had Sony emulation technology. Of course, in a related take the money and run, Connectix sold the Virtual Game Station to Sony and talked of nebulous joint ventures. We don't know what happened to them, we don't know what if any games technology Connectix still has, or still has Sony's permission to have. But we expect Sony's lawyers are busily poring over dusty old agreements at this very moment... ®
John Lettice, 20 Feb 2003

Give your code a Kick Start with IT-Minds

This week's offer from Reg associate IT-minds.com is a cool 30 per cent off a range of Kick Start guides. The books offer practical and useful code examples and quick, concise explanations for new and emerging topics, such as ASP.NET, Struts, Tomcat and EJB. Turn to almost any page in a Kick Start book and you'll find an apposite nugget of valuable information.

All these Kick Start books are available from IT-minds.com at £17.85 - a saving of 30 per cent:

ASP.NET Kick Start
Struts Kick Start
Tomcat Kick Start
BEA WebLogic Kick Start
EJB 2.1 Kick Start
Jax: Java APIs for XML Kick Start
JSTL: JSP Standard Tag Library Kick Start

You can also get a 30 per cent discount on the following books this week:

Principles of the Business Rule Approach
Absolute Beginners Guide to Corel Wordperfect 10
Absolute Beginners Guide to Microsoft Excel 2002
Team Register, 20 Feb 2003

Lindows.com announces $799 Lindows sub notebook

The $799 subnotebook is the latest price breakthrough from Lindows.com CEO Michael Robertson, and as with the previous effort (the multimedia mini PC), the spec can more than hold its own, with or without Lindows as the OS. Robertson, we feel, has a happy knack of figuring out how to source product at a keen price, spec them reasonably then package and sell at a 'breakthrough' point. Lindows sort of comes tagging along behind this, rather than being immediately and obviously necessary. It possibly provides differentiation that couldn't be achieved if these were merely Windows machines, and it keeps the outfits involved a little distanced from knife-fights with Wintel (although Lindows has one with Microsoft anyway), but how necessary is it? An interesting notion to kick around. If this were merely a company knocking out cheap Windows PCs (for the sake of argument, let's call it iDOT), then probably people would shrug, figure it's just another cheap PC, and wander off. But cheap Lindows PC brings in the 'look at me, pluckily challenging The Beast' factor - so it is necessary, really. Perversely, we at The Register remain spec-focussed anyway. As you can see here, for your $799 you get a 2.9 pound machine with a 933Mhz Via C3 CPU, 256Mb RAM, 20Gb hard disk, two USB 2, Firewire, 12.1in TFT and an Ethernet adapter. Note that CD/DVD etc is external and optional, so the price is maybe not quite as keen as it looks, but depending on what you wanted it for, you quite possibly wouldn't want to buy these anyway. Which might be handy, as we note iDOT doesn't seem to have priced up any options for the machines yet. As with the multimedia mini-PC, the Via connection is worth noting. The mini-PC uses C3 and Via miniITX board*, while the subnotebook is one of the few using the C3 you'll be able to get hold of. The C3 range might sound like a pretty sensible option for ultralight notebooks, but getting it into big name brands in the face of Chipzilla is obviously tough. So there are going to be pricing and stroking advantages for customers who give it prominence, or even house room. And something else we're sure Michael knows all about already, but we think we ought to lob in. Via has a Tablet PC reference design, and a Lindows Tablet might well be a logical next step. So maybe you read it here next. ®

* It does seem to exhibit a price shave too far, however. There seems to be one Via miniITX permutation that has TV out as optional, not standard, and this appears to use it. Without the option. Which does not seem totally bright for a living room PC.
John Lettice, 20 Feb 2003

Schoolgirl turns tables on email credit card fraudster

A Nottingham schoolgirl managed to turn the tables on a cracker who'd pinched her father's credit card details by tricking him into revealing his identity online. This week Nottinghamshire police praised Danielle Athi for helping them track down a teenage computer criminal who'd plundered an estimated £2,000 through Internet-related credit card fraud. The Nottingham Evening Post reports that police had been searching for months to identify Gafferboy, whose stock in trade was breaking into computers and stealing confidential details using a Trojan horse virus. Through Danielle's actions Gafferboy has been identified as a teenage cracker, Andrew Edgar, who was sentenced to a community service order by a Scottish court earlier this week.

Trickster tricked

The story begins back in August 2000 when Edgar [AKA Gafferboy] first made contact with Danielle, then only 12, in an Internet chat room. The pair exchanged emails before Gafferboy sent young Danielle a "photo" of himself by email. In fact the email contained a Trojan horse virus, which compromised the Athi family's home computer. A month later, Danielle's father Ravi was shocked to receive a bank statement containing a number of fraudulent transactions.

Det Sgt Harry Parsonage, of the Notts Police hi-tech crime unit, told the Nottingham Evening Post: "He [Edgar] searched through the computer and found Mr Athi's credit card details and used them to make 15 different transactions, mainly in the US."

Police were frustrated in their investigation by "elaborate steps" taken by the cracker to conceal his identity and cover his tracks. Police asked the Athi family to get back in touch if Gafferboy tried to contact them again. Some hope, you might have thought. But in 2001 Gafferboy began flirting with Danielle again. Wise to his tricks, this time, she turned the tables on the youth by setting him a trap.

We'll let the Nottingham Evening Post pick up the story: The West Bridgford schoolgirl sent him a quiz - much like those that appear in any teen magazine - saying she wanted to get to know him better. Her questions included asking him his favourite colour, his favourite pop group... and then "what's your name?". When 15-year-old Edgar replied back with a full list of answers - even volunteering his mobile phone number - little did he suspect the game would soon be up. It was a case of the conned conning the conman.

Indeed.

"I really wanted to get him for what he had done," Danielle, now 15, told the paper. "I wanted to find out his name so I thought of a star sign quiz as an excuse," she said. "I told him I wanted to see if we matched up. I was laughing when he e-mailed me back with all his details. He gave his name, address and even his mobile phone, which I had not asked for."

Danielle passed on this information to the police who were able to track him down to Moffat, near Dumfries in Scotland, through the email address he used to flirt with the young Nottingham girl. Det Sgt Parsonage praised Danielle for helping them track down Edgar's identity.

Quite why Notts police weren't able to track Edgar down in the first place isn't explained in the article, which also omits mention of some of the other dangers that arise for teenage girls in using chat rooms. Leaving that to one side, the Athi family believe Edgar was duped because he forgot who his previous victims were.

Father-of-four Mr Athi, a computer engineer from the West Bridgford area of Nottingham, said: "Edgar lived in two worlds. In one he was this devious hacker stealing from people. And in the other he was living his normal childhood meeting people on the Internet. He had been in touch with so many people that he forgot who he had double-crossed. I couldn't believe he was only 15 at the time. When you're talking about stealing thousands of pounds you imagine some experienced criminal, not a child."

Bang to rights

Edgar was arrested in June 2001, and his computer (which provided evidence of his crimes) seized. Using stolen credit card information, Edgar had set up a cracker Website (hackersonline.net, since taken down) containing tips for fellow crims and stolen details of 60 credit card accounts.

At Dumfries Sheriff's Court this Tuesday, Edgar pleaded guilty to seven charges of obtaining Internet services worth nearly £2,000 through credit card fraud. Three of the charges relate to fraudulent transactions of £710 run up on Ravi Athi's credit card account. The court accepted Edgar's not guilty plea to 35 Computer Misuse Act charges. Sheriff Kenneth Barr sentenced Edgar, now 18, and a first offender, to 100 hours' community service.

Danielle, who's interested in studying media studies (and may make a good investigative journalist, we reckon), is spending a lot less time on the family PC these days following her unfortunate experiences at the hands of Edgar. "I don't use chat rooms anymore. I have lost interest," she told Nottingham Evening Post. ®
John Leyden, 20 Feb 2003

Siemens demos Series 60 phone, open sources Symbian

Siemens has unveiled its first Series 60 phone, and as you might have expected it looks rather Nokia 7650-ish. Siemens however hopefully describes it as "an instant design classic," extolling the virtues of its "unique keypad arrangement," which uses strips of keys down either side of the screen instead of a normal keypad. This is clearly the bit that's going to make people say hmmmmm.... But take a look and see what you think. As a unit, it looks quite groovy, but those keys? Hmmm.... The justification is to give it a sleek shape and to shift "the large, 64K color high-resolution screen into the center of the device without compromising overall size as the SX1 only weighs 110 grams." So it skips the 7650's chunkiness and retracting keypad, but uniqueness is not always a virtue; there may be good reason why nobody else is doing it. There's a lot of stuff in it, nevertheless. Triband GSM, joystick type device, video player, camcorder, music player, FM radio, Series 60 and Java game support, better display than the Nokia, and a memory expansion slot. That could be enough to see off the Nokia 3650, which funnily enough also goes for a weird keyboard layout. Siemens is not apparently following Nokia's market segmentation approach, and is pitching it as a 'work hard, play hard' phone. Nokia scolded The Reg after we bought the 7650, telling us we were supposed to buy the forthcoming business version. Ho hum. But Siemens may not quite have grasped the nature of Symbian, if the press release is anything to go on: "Built on the open-source Symbian platform..." it burbles. Or perhaps Siemens knows something we don't. Update: Clearly Symbian has gone open source without telling anybody, because it currently says exactly the same thing on the Symbian site. They wouldn't put that up there if it wasn't true, would they? Updated some more: Now the Symbian site release says "Built on the open platform Symbian OS..."
Good work, Symbian bunnies - now all you have to do is remember to read it before you post it... ®
John Lettice, 20 Feb 2003

Flying to the US? Give US.gov all your personal data

The European Commission has tamely agreed to airlines handing over personal details of all passengers flying to the US, in the name of 'homeland security.' These details could include all sorts of stuff the airline happens to have on record for you, including credit card numbers, phone numbers, special dietary requirements, and any other comments it has entered on the Passenger Name Record (PNR). Naturally all of this other stuff filling the optional fields on the PNR is not what the US requires, but one could reasonably doubt whether a government currently hooked on mass profiling could possibly bring itself to throw it away. The primary objective of the system, which was implemented as part of the US Enhanced Border Security and Visa Entry Act of 2002, is for information on passengers flying to the US to be made available to the US authorities by 15 minutes after departure, and for information to be supplied for the return leg 15 minutes before. So they can basically figure out who's on the plane, run checks on them, spot likely terrorists, have bags ready for illegals. Actually, if the system works as specified then it should mean you can just walk off the plane (unless you're a terrorist or an illegal) and straight onto the street, rather than joining an hour-long tailback at LAX immigration. We fear, however, that this will somehow not happen in real life. There are problems with the Commission's decision not just because of what's happening to all the information the US doesn't require, but is going to get anyway, but also with what's happening to the information, full stop. Europe theoretically has firm laws governing collection of personal data, and restrictions on the export of personal data to countries whose law does not match European standards. US law most certainly does not do this, but Europe's law has nevertheless been subverted by a series of US-EU fudges. What protection is there for the data covered by the latest agreement? 
The Commission feels that the US assurances are "sufficient." If you look here, you'll see there's a requirement for law enforcement agencies to share information through an interoperable database and for a further ratchet - "change requirements for the Visa Waiver Program (VWP) to specify that participating countries must incorporate biometrics that meet international standards in their passports by October 26, 2004." So next year the US will require biometrics too. Granted, as you may have spotted from the URL, the context here is Chinese aliens, specifically students, but it's all part of the same big picture. The "electronic tracking system to be established by INS [Immigration and Naturalisation Service]" is actually the system using PNRs. But what about "provide for closer monitoring... establish... a transitional program that will track students and exchange visitors" until it's up and running? More, please, on the INS student-tracking system, dear readers. Does it wear raincoats? At time of writing the lead newslink at the US Customs site was to an AP report taking a fairly positive line on the deal. It's "transitional," says the Commission, until there's permanent legislation agreed at the European end. This however massively understates the nature of the row that preceded the deal. Without it, airlines not submitting the information would have been in breach of US law, while airlines submitting it would have been in breach of EU law. A somewhat less positive story in the Guardian says the US threatened to stop flights altogether. On the one hand just laughing would seem an adequate response to such a threat, but on the other, if neither side had climbed down, then it wouldn't actually have been possible for flights to take off. So the threat was there, and given that the US just did it and demanded compliance (as is so often the case) maybe that counts as threatening.
Anyway, US immigration starts getting your credit card details and any comments the airline might have on you (from kibbitzing at check-in terminal screens, we note these can be quite hurtful), and sharing it with whoever, as of March 5th. US citizens probably won't need to worry, as they probably have all of this stuff on you already. Non-EU and non-US citizens, probably ditto. Further details, plus the full US manifest requirements, are available at Statewatch. We're still waiting for the triumphant Commission press release. ®
John Lettice, 20 Feb 2003

UK crack down on prescription drug ads on the Web

The Government is set to target the UK Internet industry in a bid to crack down on sites illegally advertising and selling prescription medicines such as the male anti-impotence drug Viagra. In effect, the whole of the UK Internet industry is being warned to comply with the existing law concerning the advertising and sale of prescription-only medicine or face legal action. MSN UK has already taken steps to ensure that it complies with the law. In a statement Robin Kellett, MSN UK search manager said: "We have recently investigated the legality of advertising prescription-only medicines on the MSN UK Web site. We have found that Section 50.12 of the British Code of Advertising Practices prohibits advertising prescription-only medicines to the general public. So, given that MSN is a popular Web site which appeals to the general public, we have taken the decision to remove these forms of advertising from our site," he said. The Medicines Control Agency (MCA) - which ensures that all medicines on the UK market meet appropriate standards - is due to launch its campaign shortly. It receives around 10 to 15 allegations a month concerning Web sites and prescription-only drugs. Most of the complaints relate to sites based outside the UK and so international cooperation is needed to deal with these cases. So far, though, it has managed to close down six sites with the help of ISPs, and secured a further three prosecutions. ®
Tim Richardson, 20 Feb 2003

Symantec explains its ‘we spotted Slammer’ claim

Symantec finally stepped in last night to clarify its handling of the discovery of the prolific SQL Slammer worm. Last week Symantec raised hackles in the security community by claiming that it discovered the prolific worm "hours before it began rapidly propagating". The claim, contained in a press release extolling the company's DeepSight Threat Management System, suggests that Symantec notified its own customers of a serious threat hours before the wider Internet community knew anything was amiss. Actually, as we intimated in a previous article, this was a case of inflated marketing claims disguising a more complicated sequence of events, rather than a serious lapse of ethics. Well-established practices among AV vendors call for virus samples (or information on attacks) to be rapidly exchanged between rival vendors, so that users can be protected as soon as possible. If Symantec's analysts had developed an accurate picture of impending cyber-apocalypse - but withheld that information from the wider world for hours - then its behaviour would quite rightly be criticised as irresponsible. But that's not what happened, as Vincent Weafer, senior director at Symantec Security Response in Santa Monica, California, explained to us last night.

Here's the sequence of events, according to Symantec:

2200 (approx) PST, Friday, January 24: Firewall sensors detect numerous connection attempts on port 1434, Symantec's DeepSight Threat Management System generates automated alert to customers.

2300 (approx) PST, Friday, January 24: First third-party posts on the phenomenon to BugTraq.

0000 PST, Saturday, January 25: Intrusion Detection System (IDS) sensors light up (worm is spreading prolifically). Details become more concrete and Symantec moves its alert status from medium to high-risk range.

0200 PST, Saturday, January 25: First public Web alerts providing detailed information on Slammer, IDS signature updates and suggestions on mitigation strategies.

So what Symantec sent out to its DeepSight early alert warning system customers initially was only "raw information", according to Weafer, certainly not more well defined alerts regarding an ongoing (very serious) attack. Weafer defends Symantec's press release as promoting the benefits of early alerts but said he "recognised the confusion" caused by Symantec's failure to differentiate between early alerts and attack information in its PR blurb. "At first we only knew it was a network anomaly, but starting around midnight we knew it was an attack," he told us. Looking back, Symantec believes Slammer began spreading around 9.30pm (2130) PST and reached saturation at around 10pm (2200) PST. The "general peak" of the attack occurred within a three-hour time window, according to Weafer. Although a widely quoted analysis by Silicon Defence and the University of Berkeley suggests Slammer spread more rapidly than this, there's therefore general agreement here about the onset of its spread - 9.30pm PST or 5.30am (GMT). Weafer goes on to explain Symantec's general handling of serious Internet attacks. "Although our first, and primary responsibility, is to our customers we continue to believe in sharing information on attacks," he told us. Slammer, the first Warhol worm (famous in 15 minutes), calls for a major industry rethink on how security firms deal with a new generation of fast-spreading Internet worms, Weafer believes. "We've never dealt with anything before that spread at the same speed as Slammer and we're still discussing its propagation on mailing lists. With the emergence of blended threats, like Nimda and Code Red, in 2001 we introduced wireless alerting. "With the compressed timeframe in which something like Slammer can spread, we need to look again at how we can get accurate information out there as soon as possible," he added. 
®
John Leyden, 20 Feb 2003

World's first 419 revenge killing?

The Czech Republic may have become the scene of the first 419-fraud revenge killing. Michael Lekara Wayid, 50, Nigeria's consul in the Czech Republic, was shot dead at the embassy yesterday morning. The embassy's 37-year-old receptionist was shot in the hand during the melee which began after a suspect opened fire after visiting the embassy to discuss an unspecified business matter yesterday morning. A 72-year-old Czech man was arrested at the scene on suspicion of murder, the BBC reports. Unconfirmed, and thus far sketchy reports, suggest the unnamed suspect was a victim of a 419 (AKA advanced fee) fraud. The scam called 419, after the relevant section of Nigeria's criminal code, begins with offers of sums beyond the dreams of avarice in exchange for use of a Western bank account. It's not about raising a bank account, though. Those foolish enough to respond to the scheme soon find there's a host of problems in moving the money, which is supposedly held in a secret safety deposit safe or similar. Various fees and bribes are requested from the victim. The scam, and the sums being paid out, escalates until an attempt is made to coax the victim to travel abroad to another country, where he's vulnerable, and where the police don't care. Once there fraudsters attempt to bilk their victim for yet more cash. A variation on this theme is to hold aforesaid victim hostage until large sums of money are handed over. In 2001, a Nigerian gang lured a British businessman to South Africa and then held him for ransom. He escaped only because he was allowed to make a phone call and was able to alert his wife by speaking in his native Polish. The scam is explained in greater detail on the Nigeria - the 419 Coalition Web site and on another anti-419 fraud site, which warns people have been "kidnapped and even murdered" in furtherance of the fraud. ®
John Leyden, 20 Feb 2003

Lincolnshire gets £7m EU grant for BB

Lincolnshire County Council (LCC) has won a £7m grant from the EU to help subsidise broadband in the county. The money - which needs to be matched by LCC - should help around 3,000 rural businesses get hooked up to high-speed Net access. The project builds on the investment of a broadband network currently used exclusively for Lincolnshire's schools and public sector organisations. The council wants to use the cash to develop a five-year programme to ensure rural businesses also have access to high-speed Internet technology. Broadband services to businesses are expected to start in late 2003 once a tendering process has been completed. David Bowles, chief exec of LCC, said: "The county is now very confident about attracting broadband service providers because it is creating a ready-made market for their products." While the EU is happy to hand out cash to worthy causes, it seems not all is well among the Eurocrats. Today's FT reports that there's a spot of bother between competition commissioner, Mario Monti, and the man responsible for telecoms, Erkki Liikanen. It seems Monti has written to Liikanen telling him that despite two years of liberalisation incumbent telcos still dominate Net access. And he claims that at the current pace of progress it would take the EU 28 years to reach the same level of competition as the US. Hitting back, Liikanen told Monti that he should take action against the telcos if he thought they were acting anti-competitively. Splendid. So while these two squabble ordinary Joes are still expected to pay through the nose for a service they may - or may not - be able to get. Bravo. ®
Tim Richardson, 20 Feb 2003

.uk.co killed by Colombian judge

The second-level domain .uk.co through which domain company Net Registrar sold alternative Web addresses to UK businesses has been told by the High Court of Colombia that it has no continued rights on the domain. But Net Registrar managing director Robert Fox has told us he plans to appeal against the "bizarre" decision and win back his business. In a decision made on Monday but not released until yesterday, the Colombian High Court refused to grant Net Registrar an injunction against the current owner of the top-level .co domain - the University of the Andes in Bogota - after the university unexpectedly shut it down on Monday. In the decision, according to Mr Fox, the judge ruled that there was "no real damage done" by the university's actions and that "any damage done could easily be repaired". This is patently not true since none of the 8,000 businesses that have paid Net Registrar £15 for a two-year domain are able to view their site or receive any email from it. "We can only say that we are not in possession of the full facts behind the matter," Net Registrar commented in an official statement to its customers. However Net Registrar has accepted that the university was within its rights to terminate their contract having given them two months' notice. What it cannot understand is why. Mr Fox revealed to us the details of his contract with the university, in which the university received a percentage of each domain sold. This percentage increased over time to a staggering 50 per cent by December 2002, he told us. On 12 December 2002, the university officially informed Net Registrar it planned to terminate the contract. Two days later, it said it would draw up a new contract - this time under English rather than Colombian law. On 18 December, a new contract arrived that Net Registrar was unable to sign. According to Mr Fox, the new contract included several clauses that would be suicidal for him to put his name to.
One was that the university would have the right to turn off the domain zone supplying all Net Registrar's customers at any time. A second insisted that Net Registrar indemnify the university for any claims that would result from this action. And a third one put a gagging order on Net Registrar that would make it unable to talk about or discuss any element of the new contract. Furious, Mr Fox contacted the university who persuaded him the contract was up for negotiation. However, he told us, as the deadline for termination drew near it was clear that the university would not budge from the unsignable contract. Then, on Monday 17 February, the university turned off the entire .uk.co domain without notice. Mr Fox says he has "no idea" why the university followed such a "draconian" route, insisting that the business relationship between the two had always been cordial. What further complicates matters is that the university has been forced by the Colombian government to hand over control of the domain to it by December 2003 after the university's attempt to sell it off for £20 million plus a cut of the profits infuriated many Colombians and sparked several lawsuits. Asked if he felt the university was attempting to steal his business from under his nose, Mr Fox was unsure. The university is fully capable of putting all the .uk.co domains online from its own servers in an instant, he explained, and making everybody (except himself) happy. What is likely is that the university (and the Colombian government) are concerned about becoming liable for lost business from those companies - including Amazon and Priceline - that have seen their websites disappear. Mr Fox appreciates that since he sold domains for a two-year period yet is unable to provide that service, he may be caught up in legal wrangles himself, although he says he believes his terms and conditions cover such an eventuality. 
Although, he adds, he really doesn't want to start throwing them back at angry customers. In its statement to customers, Net Registrar revealed it had negotiated not only with the London solicitors hired by the university but also with the university direct, the Colombian Ministry of Communications (the forthcoming new owner of .co) and ICANN - but all were unwilling to intervene. With no specific dates for hearings or any certainty that Net Registrar will win the domain back, it has instead advised its customers to buy domains elsewhere and set up their websites in another area of the Internet. ®
Kieren McCarthy, 20 Feb 2003

Grey IT broking worth $40bn a year

The global grey market for IT goods is worth $40bn a year, resulting in lost vendor profits of $5bn a year, a KPMG study reveals. To the Anti-Gray Market Alliance which, we assume, commissioned the KPMG study, the grey market is defined as: "Branded products diverted from authorized distribution channels or imported into another country without a manufacturer's consent." To us, the KPMG figures suggest that customers are paying $5bn a year less than would otherwise have been possible, and that market forces have encouraged a useful mechanism to overcome restrictive distribution practices and to offload excess inventory. But no: apparently, 60 per cent of end-users pay the same amount as sourcing from official channels. And they get a lot more headaches. According to the KPMG study, products "traveling through the gray market pose risks to customers, including the sale of obsolete, damaged or counterfeit parts and products delivered without warranty and support.... "Consumers who experience quality problems with gray market products in turn, blame manufacturers for product failures, potentially decreasing the value of the Original Equipment Manufacturers' (OEMs) brands." Here's a quote from Marie Myers, AGMA chairman. "Without utilizing the proper channels and distributors, consumers take the risk of purchasing damaged or products without warranties -- this not only hurts the consumer, but can threaten a company's reputation with customers and investors." So who is to blame for all this pain? KPMG points the finger at rogue disties and brokers who "obtain product to sell to the gray market by violating distribution agreements, misrepresenting customer identity in special discount programs, or using fraudulent documentation". To the tune of $40bn a year? Give us a break. It is difficult to see how such big business could be achieved without the active collusion of manufacturers and "official" disties. 
®
Drew Cullen, 20 Feb 2003

Get a hot date on KaZaA!

File swappers can now become wife swappers, courtesy of KaZaA's new dating channel. The service is to incorporate content from American Singles, a website owned by Matchnet PLC. You get free profiles, but you have to pay if you want to make contact. Which will save you falling in love with a music-industry salted file. KaZaA claims 70 million active users worldwide. We guess that the majority will be youngish men, so it should be a good pick-up joint for geek gays. We trust KaZaA will introduce some P2P aspect of the dating service - Hey, you got great taste in music, let's meet up. On second thoughts this could be an invitation to stalkers. ®
Drew Cullen, 20 Feb 2003

NTL demo mars UK Net Oscars

Four people have turned up outside the UK's prestigious Internet Awards in London tonight to protest about NTL's cap on its broadband service. The plucky group of protesters was barred from entering the hotel but instead targeted those people turning up to the glitzy event by handing out leaflets condemning the cableco's move. One of the protesters braving the cold night told The Register: "We will not give up our fight." Those behind the protest plan to present a petition of nearly 3,900 signatures to both NTL executives and the UK Government's e-minister, Steven Timms, concerning the cap. One vulture-eyed onlooker told The Register: "They're determined, but polite." ®
Tim Richardson, 20 Feb 2003

Open Source security manual and training for ethical hacking

The Open Source Security Testing Methodology Manual (OSSTMM) has become an international open standard, according to its creator, Pete Herzog. It is used by large organizations like the U.S. Treasury Department, Home Depot, Verisign, and IBM, although Herzog says that he has a hard time getting entities that use the manual to talk much about it. Herzog has been in professional security since 1997 when he got involved with IBM's Europe-based Emergency Response Service. Today he heads up the Institute for Security and Open Methodologies (ISECOM) in order to provide Open Source security tools and information via the Internet. Herzog also describes it as an open, non-profit think tank for developing new open standards and methodologies in security. "The main problem I have is that nobody has to tell me if they use the OSSTMM," due to its Open Source nature, says Herzog. "I have been asked by a person at the U.S. Navy SPAWAR division about its inclusion in their Posture Assessment document. I also have some comments from the U.S. Air Force and Army -- the biggest downloaders of the manual based on web traffic." IBM's Ethical Hacking team has the OSSTMM in its knowledge database, says Herzog, and they are considering sponsoring a workshop based on the manual. The Intense School, a company that provides "boot camp"-like IT certification courses, uses the manual in its Hacking Boot Camp, described as a "program that brings together the hacker's mind and a professional security testing methodology - the OSSTMM." "Overall, I have to say we are everywhere and nowhere," Herzog says. "We are still a small-time operation that mixes contributors with peer-reviewers and editors." In fact, even though people pop up with suggestions and contributions now and then, the entire operation is mostly a one man show, according to Herzog. "I developed the manual, accepted feedback and commentary, opened it up for people to use it, and I update it. 
Some people submit more than others but it's still me who ends up doing all the work. I have a few editors who help fix it up but really the whole OSSTMM comes down to me including the submissions and doing the research and lab work to expand the missing areas." Herzog says the OSSTMM was born after he scribbled some notes on a napkin during a train commute. "When I got off the train and met my wife, I told her I figured out something big. After I explained it to her we decided the best thing to do was to scratch together the idea and publish it on the Internet so everyone can use it. I had no idea how it would be received." Now the manual is about to be released in a 3.0 version, and Herzog has developed a training course based on the OSSTMM. "Since the manual only tells the what, when, and where of security testing," says Herzog, "the course will provide the how and why." Herzog created an international peer review of both the manual and the training materials. The course provides the information a "security testing professional must know to be a practical, resourceful ethical hacker and penetration tester," he adds. Herzog says his training will offer course materials for free, provided that would-be instructors attend a week-long "Train the Trainers" course that is designed to "ensure proper instruction." "We create a partnership between all trainers, who openly share marketing and event materials with each other," says Herzog. "The fee for the course is to pay for the resources only - the trainer, network, tests, materials, and classroom - and to support the Hacker High School program." The Hacker High School program, also developed by Herzog, gives students access to a test network set up expressly to allow hacking attempts as a learning device. "The event teaches Internet legalities and ethics to high school students," says Herzog. "Basically, we applied the community effort of open source to training and it seems to be working." 
Herzog says that the 3.0 version of the manual is to be released any day now, along with a worldwide network of partners for administering the certification. For more information, visit the ISECOM website. © Newsforge.com
Tina Gasperson, 20 Feb 2003

Nintendo seeks US trade sanctions to fight piracy

Following the seizure of over a quarter of a million pirated Game Boy Advance software units in China last month, Nintendo of America is lobbying for trade sanctions to help it bring organised large-scale piracy under control. The company's efforts are particularly aimed at China, Paraguay and Mexico, which it says are the main sources of pirate materials. According to Nintendo, these huge counterfeiting operations cost it $650 million in lost sales last year. The manufacture of pirated games - particularly for cartridge-based systems like the Game Boy Advance - is huge business in China, with over a million units of software being confiscated there last year from 135 separate facilities. Paraguay is seen as a key shipment point for the distribution of pirated games in the western hemisphere, while Mexico is targeted for its lax attitude to the sale of pirate software. It has been claimed that the pirate software market may be financing terrorism, with US news sources in recent years suggesting links between Paraguayan counterfeiting operations and Middle Eastern terrorist group Hezbollah. Almost 4.5 million units of fake Nintendo software have been seized in Paraguay since a bilateral trade agreement was signed in 1998. Interestingly, Nintendo also lists the European Union among the regions in which it is concerned for its intellectual property rights, alongside Chile, Hong Kong, South Korea, Taiwan and Venezuela. We're not sure whether this is a genuine concern over piracy, or simple posturing over the thriving European grey import market, which Nintendo would very much like to see shut down. © gamesindustry.biz
gamesindustry.biz, 20 Feb 2003

CDT attacks anti child-porn law

A US civil liberties group has attacked an anti child pornography law because it potentially blocks access to legal sites. The Center for Democracy and Technology (CDT) said that a recent Pennsylvania law that forces ISPs to block access to numerous Web sites without adequate court oversight was unconstitutional. The law forces ISPs with Pennsylvanian customers to block subscribers from at least 420 Web sites around the world which supposedly contain illegal photographs. Failure to comply with this law can result in a $5,000 fine. However, CDT has argued that because ISPs must block Web sites based on their Internet Protocol (IP) address, sites that are completely unrelated to child pornography could also end up being blocked. This is because most Internet Web sites share their IP addresses with many other unrelated Web sites, said CDT. Indeed, a study by Harvard University researcher Benjamin Edelman, released on Thursday, found that 85 percent of Web addresses ending in .com, .net, or .org share their IP addresses with at least 50 other Web sites. As such, commented CDT, the law is an unconstitutional restriction on free speech and amounts to punishing everybody in an apartment block because of one tenant's activities. "Child pornography is abhorrent and cannot be tolerated in a civilised society, but the Pennsylvania ISP law attempts to fight child pornography through means that are unconstitutional and technically flawed," said CDT Associate Director Alan Davidson in a statement. "This law does little to punish the producers of child pornography, but blocking sites that are not pornographic will have serious ramifications for free expression and the stability of the Internet." Only once has an Internet provider challenged the law, which was introduced in 2002. 
WorldCom said that while it found child pornography to be repugnant, the introduction of filters on behalf of Pennsylvania citizens would prevent all its subscribers in North America from visiting thousands of Web sites "completely unrelated in content and ownership" to the illegal material. The Pennsylvanian Attorney General, Mike Fisher, has defended the law as an effective method of blocking access to Internet-based child pornography. "It has worked in nearly every case," a spokesman for Fisher told Associated Press. The spokesperson added that in cases where an illegal Web site shares an IP address with an innocent site, the authorities contact the ISP and order it, under threat of legal action, to pinpoint and shut down the illegal pornographic site. © Newsforge.com
ElectricNews.net, 20 Feb 2003

SQL Server developers face huge royalty bills. How many, how much?

A Washington court ruling could see SQL Server developers liable for millions of dollars in licensing fees. The judgment concerns a contract dispute between Timeline Inc. and Microsoft, over three patents relating to datamarts. In Microsoft's interpretation of its licence with Timeline, published in a press release in July 1999, "all users of Microsoft SQL Server 7, Office 2000 and other Microsoft products that utilize this type of technology are unencumbered by Timeline's patents." Timeline disagreed. The Washington Court of Appeal judgement plumped for the company. The company reckons that some SQL Server developers could face bills in the millions of dollars. The "damages they face may be material to Timeline's future financial results," said Charles Osenbaugh, Timeline's president and CEO. In a curious press release announcing the judgment, Osenbaugh appears to be threatening legal action against some SQL Server developers, "particularly those Microsoft customers who relied on Microsoft's assurances, failed to investigate them thoroughly, and knowingly continued to provide material steps in an Infringing Combination. These infringers, if any, may face treble damages for the entire three and one-half years the case was tied up in the courts. Microsoft is not a law firm. Relying on its advice should not constitute acting in good faith; which is the required defense to treble damages for failure to investigate and honor patents once on notice of their existence." Blimey. Timeline also raises the spectre that SQL Server developers affected by the ruling could seek to sue Microsoft for damages. So Microsoft signed a crap contract. Surely it can find some prior art to challenge Timeline's patents? But what is Microsoft to do? It's not saying yet, but it appears to be a little confused according to the very different comments made by spokesman Jim Desler to IDG News Service and CNET. Here is what he told IDG. 
"It's important to note that Timeline has a history throughout this case of presenting issues to create uncertainty among our customers." For Version 1.01 let's hop over to CNET News.com. Microsoft spokesman Jim Desler said companies that use SQL Server without adding customized code would already be covered by the licensing agreement and therefore would not be affected by last week's order. Desler said even companies that add their own customized code would not see an impact if their code is not related to Timeline's patents. "Under the terms of the order, which were agreed upon by Timeline and Microsoft, even customers that add code could fall within the protection of the license between Timeline and Microsoft," Desler said. Really? Check out what Timeline has to say: as the company has not yet published its press release on the web site, we reproduce it below in full, exhausting detail. ®

Microsoft Vs. Timeline Final Judgment Affirms Timeline Patent Rights; SQL Server Users Could Face 'Staggering' Damages

Business Editors

BELLEVUE, Wash.--(BUSINESS WIRE)--Feb. 19, 2003--Timeline, Inc. (OTCBB:TMLN) announced that the Superior Court of King County has entered its Final Judgment in Microsoft Corporation vs. Timeline, Inc. which confirms that the agreement between Microsoft (MSFT) and Timeline contains substantial limitations on Microsoft's ability to sublicense Timeline's patents. The judgment implements the previously announced ruling by the Washington Court of Appeals. It confirms Microsoft's ability to sublicense its patent license to its customers is limited. SQL Server developers who create a new product by adding code in an "Infringing Combination" (as defined below) must obtain their own patent license. The exact language of the judgment and a definition of Infringing Combination are included at the end of this release. A description of the patented technology is available at www.tmln.com/press.htm. 
The Findings in this case have far-reaching consequences, due to the potential damages Microsoft customers face, in spite of the assurances Microsoft previously provided. Timeline management has consistently testified that, while this issue may eventually involve millions of dollars, it will only impact a segment of software developers using SQL Server. The trial court, ironically, found Microsoft's witnesses more credible than Timeline's on this issue; specifically the potential impact of the patents on users of SQL Server. Consequently, the Superior Court found that if the proposal, which the License Agreement was intended to memorialize, was as Timeline contended, then "...every Microsoft customer, including ISVs, VARs, and corporate end users, who wished to customize SQL Server by adding code or product to meet the specific needs of users would have been required to purchase a license from Timeline to do so. Given the basic design and intended purpose and use of SQL Server ... the potential economic benefit to Timeline would have been staggering. ...(That economic benefit would be) from the future sale of licenses to essentially all of Microsoft's SQL Server customers." In confirming Timeline's contract interpretation, the Court of Appeals did not change the Superior Court's finding that the "potential economic benefit to Timeline would have been staggering." The Court of Appeals did note that, for whatever reason, Microsoft now finds the "...agreement is not commercially reasonable...". But the court rightly pointed out "...it is not the duty of the courts to correct what may be bad bargains, but to enforce an agreement as written."

Microsoft's Tactics

Microsoft itself proposed the limited license rights ultimately agreed upon in exchange for a substantial reduction in proposed license fees. Testimony during litigation disclosed that when Timeline first approached Microsoft about its patent infringement exposure, Timeline made alternative licensing proposals. 
Each alternative provided a different level of license protection. Microsoft further testified that shortly after signing the contract, it started to receive critical feedback from its customers for having negotiated patent license coverage for its own trademarked products while providing lesser rights for users of Microsoft platforms. Microsoft produced a statement from one such customer that "...Microsoft clearly negotiated a settlement that leaves all developers out in the cold." At some point, Microsoft decided the need for its customers to procure separate patent licenses for their part of an Infringing Combination was extremely detrimental to Microsoft's business. Rather than returning to the negotiating table, however, Microsoft chose to attack Timeline. Microsoft filed suit asking the court to allow it to ignore the language in its patent license with Timeline; specifically the limitation the parties had negotiated on sublicensing. Three and one-half years later, the resulting Final Judgment affirms the validity of the original agreement. During this three and one-half year period, Microsoft bought Timeline's largest competitor and aggressively developed many applications based upon data mart technologies. It also acquired Timeline's then largest international distributor. These activities give Microsoft a family of products and an enhanced distribution channel to directly compete with Timeline products and those of many of its other SQL Server development partners, a capacity it did not have when it started this long, drawn-out legal battle. Most troubling was a false press release issued in July 1999. Microsoft's press release, distributed to the international financial and trade press, stated in part: "The (Timeline patent) license ensures that all users of Microsoft SQL Server 7, Office 2000 and other Microsoft products that utilize this type of technology are unencumbered by Timeline's patents." 
It would be hard for Microsoft to claim it did not know or should have known its statement was false. The Court of Appeals held: "Try as we might, it is 'impossible' to reconcile the wording of ...(the agreement) with Microsoft's proposed construction." (emphasis added) "We know there were no less than 14 'privileged' communications involving legal counsel in conjunction with the issuance of the press release. Consequently, we seriously doubt anything about the wording or its intended effect was accidental," said Charles Osenbaugh, Timeline's President and CEO. "Why Microsoft would mislead its own customers, arguably inducing them to act in a manner potentially to their great detriment, was initially very difficult for us to understand," Osenbaugh continued. "We assumed Microsoft simply felt that someone would successfully challenge the Timeline patents or that Timeline would capitulate before Microsoft's statement came back to haunt it. And Microsoft openly supported a number of third parties who unsuccessfully challenged the validity of the Timeline patents. "But, in hindsight and even though Timeline won the litigation, we must admit Microsoft's approach apparently worked for it. The monies spent on legal fees were inconsequential to them. Between the litigation and the false press release, Microsoft effectively froze Timeline out of leveraging its patent-protected niche in the SQL Server market for over 3 1/2 years. This time period was long enough for Microsoft to launch its now openly stated strategy to become dominant in the ERP and Analytics software market historically serviced by its own customers."

Final Judgment Consequences

For any SQL Server users that provide material steps of an Infringing Combination, the consequences of the Final Judgment are important. Particularly those Microsoft customers who relied on Microsoft's assurances, failed to investigate them thoroughly, and knowingly continued to provide material steps in an Infringing Combination. 
These infringers, if any, may face treble damages for the entire three and one-half years the case was tied up in the courts. Microsoft is not a law firm. Relying on its advice should not constitute acting in good faith; which is the required defense to treble damages for failure to investigate and honor patents once on notice of their existence. "We believe a significant number of SQL Server developers and users will be affected and that the damages they face may be material to Timeline's future financial results," said Osenbaugh. "We cannot, however, make any realistic estimate or forecast. There is a high risk and possible high cost involved in any patent enforcement effort. Furthermore, any patent, while applied for in good faith, may be challenged." The number of SQL Server users who ultimately need a patent license from Timeline may be none, some (as Timeline assumes), or essentially all users as Microsoft led the court to believe. "What can be confirmed is that Microsoft always has been, and will continue to be, bound by its written agreements regarding Timeline's intellectual property rights. That, in and of itself, is a major victory!" Osenbaugh stated. "And Microsoft does have some loose ends it needs to clean up in light of the Judgment. Under penalty of perjury, Microsoft represented in court that the patent license as signed between the two companies may cause widespread, even devastating hardship to its customers," Osenbaugh continued. "Yet, no specific mention of the case, to our knowledge, has been made in Microsoft's Securities and Exchange Commission filings. This omission is particularly troublesome since the decision of the Court of Appeals was in March 2002. We have great difficulty seeing how Microsoft can remain silent in its SEC filings. Silence certifies the litigation results are not material to Microsoft, which is contrary to the court's finding on the same specific issue based upon evidence submitted by Microsoft itself." 
Furthermore, several SQL Server developers are openly discussing their beliefs that Microsoft should be liable for any damages they face for having relied upon Microsoft's prior false statement; specifically that Microsoft would 'ensure' they were 'unencumbered' by the Timeline patents. "If Microsoft does not want to pay for a broader license, it owes a duty to its customers and investors to clearly define the limitations on Microsoft's ability to sublicense Timeline's patents and outline its indemnification policy, if any, for those who relied upon its prior statement. Furthermore, Microsoft should honor its agreement to facilitate our efforts to properly enforce Timeline's intellectual property rights with Microsoft customers," Osenbaugh concluded.

Language of the Court Rulings

The Final Judgment reads, in part, as follows:

Under the Agreement between Microsoft and Timeline, Microsoft's right to sublicense third parties to add code to or combine software with a Microsoft Licensed Product is limited as follows: If a Microsoft Licensee adds code to or combines software with a Microsoft Licensed Product and the added code or software is a material part of one of the claims of Timeline's Licensed Patents and the resulting combination infringes that claim of the Timeline Licensed Patent, the Licensee has exceeded the scope of Microsoft's sublicensing rights under the Agreement; provided that, if a Microsoft Licensee adds code to or combines software with the Licensed Product that is not a material part of a claim of one of Timeline's Licensed Patents, the Licensee has not exceeded the scope of Microsoft's sublicensing rights under the Agreement, even if the resulting combination would otherwise infringe a claim of one of Timeline's Licensed Patents. 

Details on Timeline's Patent Technology

Microsoft cannot sublicense any non-Microsoft product that provides a material step in an infringement of a Timeline patent claim for use in conjunction with Microsoft-licensed platforms that provide the remaining step(s) of such infringement (an Infringing Combination). Timeline's US Patent # 5,802,511; US Patent # 6,023,694; and US Patent # 6,026,392 (herein collectively the '511 patents) have been termed pioneer patents in the design and use of data marts and data warehouses. The '511 patents can apply to stand alone software products or combinations of software products. Of particular focus at this time are products used in conjunction with Microsoft SQL Server 7.0 or after. All Microsoft products stand-alone are licensed. But developers must separately look to whether a combination of products infringes all the elements of a valid claim of a Timeline patent. If the non-Microsoft code or product provides at least one of the material steps in such infringement, it is not covered by Microsoft's license. The user, licensee, licensor, or manufacturer must secure its own license or stop any further use of that product. Details of Timeline's patented technology are available for review on Timeline's website at www.tmln.com/press.htm.
Drew Cullen, 20 Feb 2003