18 April 2003 Archive

.NOT now, please: vacuuming MS renames products

It's only branding, but sometimes small details tell us a lot. Microsoft has completed the transition from .NET to .NOT by giving its server and office product families a fresh lick of paint and new names. In January, Microsoft announced it would downplay the brand. So the indiscriminate use of the .NET brand is no more. Last year Microsoft was fined by the city of New York for spraying graffiti logos of the MSN butterfly on Manhattan sidewalks, and whoever it is who has been going around the Redmond campus spraying .NET on every Microsoft product has now been told to put down the can.

From now on, the servers will be known as the "Windows Server System". Asked about the name change at the PR section of Microsoft's site, Paul Flessner emits a sudden cloud of gwana gwana:- "By aligning the new brand with the server platform, we are clarifying that our long-term server business and technology strategy starts with Windows Server at the foundation. With this new brand, we are emphasizing to our customers and industry partners the business value of a top-to-bottom integrated server infrastructure," he says. That's a long-winded way of saying that servers are best described as "servers", and not as some amorphous blob of language, runtime or web services: .NET clearly meant a lot of things to a lot of people at Redmond, but very little to the outside world. However, a better explanation for the change was gleaned by Network World's John Fontana, who quotes Microsoft's Barry Goffe thus:- "We've been inconsistent about what is in and what is out of that lineup. We've done a lot of things seemingly in a vacuum." A remarkable statement. Dereferencing the .NET pointer reveals its value to be NULL.

But there's more. Office also gains the "system" tag, and from now on will be known as "Office System 2003". So Microsoft is a systems company. Someone should tell IBM, Sun, Apple, HP and EMC: these are systems companies too, in the traditional, vertically integrated sense. Microsoft is a horizontal company in that it doesn't tie its software to its own hardware, except in two cases: the Xbox, which is simply a PC running in Ring 0 (kernel mode), and smartphones, where nobody wants to make Microsoft phones, so it must do so itself. But as we said at the beginning, this is only branding. ®

Related story: MS dumps .NET tag in latest Windows Server name change
Andrew Orlowski, 18 Apr 2003

Office workers give away passwords for a cheap pen

Workers are prepared to give away their passwords for a cheap pen, according to a somewhat unscientific - but still illuminating - survey published today. The second annual survey into office scruples, conducted by the people organising this month's InfoSecurity Europe 2003 conference, found that office workers have learnt very little about IT security in the past year. If anything, people are even more lax about security than they were a year ago, the survey found. Ninety per cent of office workers at London's Waterloo Station gave away their computer password for a cheap pen, compared with 65 per cent last year. Men were slightly more likely to reveal their password, with 95 per cent of blokes, compared to 85 per cent of women quizzed, prepared to hand over their password on request. The survey also found the majority of workers (80 per cent) would take confidential information with them when they change jobs and would not keep salary details confidential if they came across them. If workers came across a file containing everyone's salary details, 75 per cent of workers thought they would be unable to resist looking at it, again up from 61 per cent in 2002. A further 38 per cent said they would also pass the information around the office. Naughty.

Social engineering

The survey was undertaken by the organisers of Infosecurity Europe 2003 in a quest to find out how security conscious workers are with company information stored on computers. Workers were asked a series of questions which included: What is your password? Three in four (75 per cent) of people immediately gave their password. If they initially refused they were asked which category their password fell into and then asked a further question to find out the password. Another 15 per cent were then prepared to give over their passwords, after the most rudimentary of social engineering tricks were applied. One interviewee said, "I am the CEO, I will not give you my password - it could compromise my company's information". A good start, but then the company boss blew it. He later said that his password was his daughter's name. What is your daughter's name, the interviewer cheekily asked. He replied without thinking: "Tasmin". D'oh.

Unsavoury emails

Of the 152 office workers surveyed, many explained the origin of their passwords. The most common password was "password" (12 per cent) and the most popular category was their own name (16 per cent), followed by their football team (11 per cent) and date of birth (8 per cent). Two thirds of workers have given their password to a colleague (the same as last year) and three quarters knew their co-workers' passwords. In addition to using their password to gain access to their company information, two thirds of workers use the same password for everything, including their personal banking, website access, etc. This makes them more vulnerable to financial fraud, personal data loss or even identity theft, the InfoSecurity team notes. Meanwhile, two thirds of workers admitted they had emailed colleagues illicit, unsavoury pictures or "dirty jokes", up slightly from 62 per cent in 2002. Men were twice as likely to indulge in this activity, with 91 per cent of men sending unsavoury emails, compared to only 40 per cent of women. InfoSecurity's organisers say this behaviour could expose their employer to expensive litigation for sexual discrimination, low morale and might even be viewed as allowing bullying. Tamar Beck, Director of InfoSecurity Europe 2003, said: "Employees are sometimes just naïve, poorly trained or are not made aware of the security risk. Employers therefore need to create a culture of protecting their information and reputation with policies on information security backed up with training to support the security technology". ®

Related stories: Small.biz crap at security (redux); BOFH: How dangerous are your users?; Would you trade your password for chocolate?; Brits are crap at password security; Passwords are passport to theft; Is password-lending a cybercrime?
John Leyden, 18 Apr 2003

Namco woos Sega

Japanese publisher Namco has publicly proposed a merger with rival Sega, calling on the former platform holder to reopen merger talks rather than proceeding with its currently planned merger with gambling machine manufacturer Sammy. According to the Japanese financial press, Namco has proposed a deal which would see the two companies merging early in 2004, with Sega being the surviving entity on the stock markets. A merger between the two would create the fifth largest publisher in Japan, with annual sales of around 350 billion Yen (€2.7 billion) - representing a 10 per cent share of the home videogame market, and a 30 per cent share of the smaller arcade game market. The aggressive move by Namco of making these merger talks public is seen by some commentators as proof that all is indeed not well with Sega's currently planned merger with Sammy, which is due to take effect in October. Although this merger would give Sega a very secure financial base, it has seen significant opposition from investors, and is thought to be opposed by some senior board members as well. Namco's play appears to be based on making the news of a possible Sega merger public in order to gauge investor and analyst opinion; and so far the response has been largely positive, with shares in both Namco and Sega making gains on the Tokyo stock exchange today following the news. In contrast, the news of the Sammy merger pushed shares of both Sega and Sammy to record lows. Sega said it is looking at Namco's proposal but has not set a deadline for a decision. The initial round of merger talks between the two companies began last year, but was suspended at Sega's request. Earlier this month, two comparably sized Japanese publishers, Square and Enix, completed their merger plans and became a single entity, in a move which was broadly welcomed by investors and market commentators alike.
Closer to home, Sega Europe has commented that the ongoing merger talks in Japan have no impact on its business, with operations remaining unaffected.
gamesindustry.biz, 18 Apr 2003

IT services head offshore

The battle lines have been drawn, with tier-one providers such as IBM Global Services, CSC, EDS and CGEY all gearing up to grow their own units in India. With price competition driving the move, many of these companies are being forced to build their offshore businesses or risk a reduced ability to win major projects. The shift to offshore provision has made a dramatic impact on the profitability and revenue streams of western providers. During the quarter ended December 2002, for example, established offshore provider Infosys Technologies generated a net margin of 26% with revenue up 45%, compared with western tier-one provider EDS, which for the same period made a net margin of just 6.5% on revenue down 5.1%. Many of the tier-one IT services companies are planning offensives on the Indian market, where several aim to grow three-fold over the next couple of years. Cap Gemini Ernst & Young (CGEY) is aiming to increase its headcount from 600 to between 1,500 and 2,000 in India by the end of 2003; EDS is targeting growth from 900 to around 5,000 employees by 2004; and CSC plans to add 1,400 software engineers and two new development centers to its 700-strong operation in India over the next two years. Accenture employs approximately 1,000 staff in India, although it has not yet formally announced its strategy in the market. IBM GS has the largest presence following its $3.5 billion acquisition of PwC Consulting last year. It employs some 4,700 staff in India, and expects to grow this number to about 10,000 by the end of this year. Meanwhile, CGEY is currently working on about 40 projects in India for western clients. These projects include development work around ERP, Siebel CRM, application management, infrastructure management, and nine SAP projects, and also include project management for five major oil companies where it is developing bespoke SAP and JD Edwards applications. 
Severe price competition has been at the heart of the shift in focus, with offshore developers lowering the cost of delivering application development, systems integration, support, and business process outsourcing projects to clients. This has had a major effect on the ability of western tier-one players to win application development and integration projects, which have either been pulled altogether or handed to offshore rivals. ©
Datamonitor, 18 Apr 2003

Getting realistic in the war on hackers

Opinion Give up on the notion that computer security can be improved by putting more people in prison, argues Jon Lasser, SecurityFocus columnist. The war on hackers is failing for the same reason the war on drugs failed: most individuals can control themselves, but there is a substantial group of people for whom no legal penalties will be enough to discourage their behavior. The temptation to try and "beat the system" that is often felt by hackers and crackers, and even just regular computer users, can be enormous. People will succumb to the temptation to pirate copyrighted material, to disable copy protection on software, and to try to break into other people's computer systems. Meanwhile, the costs associated with the war on hackers are unreasonable: the PATRIOT act, the DMCA and similar bills now working their way through state legislatures will cause irreparable harm to the rights of all Americans -- and those costs alone likely exceed the benefits offered by these laws. That's why I think it's time to adopt a "harm reduction" approach to computer security. Traditionally, harm reduction is a strategy applied to illegal drug use, as an alternative to an unwinnable war on drugs. It's an approach that acknowledges the reality of drug abuse, and seeks to reduce the dangers posed by those drugs, both to the users and to society at large. For example, the spread of HIV and hepatitis is one serious consequence of drug abuse. A harm reduction approach implements needle exchange programs to limit the spread of disease. It also treats drug addiction as a medical rather than legal problem, acknowledging that people have flaws. Let's make the same concession in computer security: people will never be perfect, and software will never be perfect. So how can we reduce the harm caused to our information security by crackers?

In my last column, I proposed several harm reduction strategies, including writing in safer programming languages and using tools like Immunix's StackGuard. Since then, several readers have steered me towards ProPolice, an extension of the StackGuard system that can be integrated into a Linux or BSD system. OpenBSD 3.3, slated to be formally released on May 1st, integrates this and several other strong technologies to guard against buffer overflows.

Virtual servers

OpenBSD also uses chroot more widely. Chroot is a method of confining an application to a small portion of the filesystem. Though not originally designed as a security technique --- it was written to make the BSD install process work more smoothly --- it lets network daemons run as an unprivileged user in a part of the directory tree that limits access to critical files. If a cracker gains remote access through a chrooted daemon, it is difficult (though not impossible) to gain control of the rest of the system. Web servers, name servers, and database servers can all be chrooted with relative ease. However, few Linux and Unix installations do so by default. Using chroot is not difficult, and will reduce the risk to your system from running network daemons. (Of course, if you don't need that particular daemon, it's better to simply turn it off.) A step far beyond chroot is to run a virtual private server using User-Mode Linux (UML). User-Mode Linux runs a separate Linux kernel as an individual process on a running Linux system, and can use a specially formatted file as a complete file system. If a hacker breaks into a Sendmail daemon running on a User-Mode Linux system and acquires root privileges, then that hacker controls only the virtual private server and the single file system on which it is being run. UML can be somewhat tricky to set up and configure properly, and trickier still to manage well: if you're running a bunch of UML instances on a single system, keeping all of them patched is laborious.

However, each virtual server can be easily reinstalled remotely with little to no risk of rendering the server unbootable. Hackers who have broken into a UML server can be carefully tracked and monitored. For this reason, as well as the ease of reinstallation, people running honeypots often use UML. Again, it may be possible to "break out" of a UML process and gain control of the host system, but this is an order of magnitude more difficult than breaking out of a chrooted jail. It is difficult enough that only the most experienced crackers are likely to be able to do so. Because the partition file can be backed up or mounted outside of the system, and because a system can run an arbitrary number of UML processes, a reinstall can occur very rapidly following an intrusion into the system. Chroot and UML will not stop hackers from breaking into systems. However, they will reduce the damage a hacker can do following a break-in. They can also make it easier to recover following an intrusion. All this without damaging the civil liberties of all Americans. ©

Jon Lasser is the author of Think Unix (2000, Que), an introduction to Linux and Unix for power users. Jon has been involved with Linux and Unix since 1993 and is project coordinator for Bastille Linux, a security hardening package for various Linux distributions. He is a computer security consultant in Baltimore, MD.
Jon Lasser, 18 Apr 2003
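To show the confinement step the column describes in working code, here is an added example, not code from the column or from Bastille Linux: a C routine that enters a chroot jail and drops to an unprivileged user in the order that matters, and refuses to continue if root can still be regained. The jail path and the uid/gid 65534 (conventionally "nobody") are placeholder assumptions; a real daemon would copy only the files it needs into the jail before starting.

```c
#define _GNU_SOURCE          /* chroot(2) and setgroups(2) prototypes on glibc */
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* One code per step, so a caller (or a test) can see exactly which step failed. */
enum jail_status {
    JAIL_OK = 0,
    JAIL_ERR_BADPATH,    /* jail path must be absolute */
    JAIL_ERR_CHDIR,      /* jail directory missing or not enterable */
    JAIL_ERR_CHROOT,     /* chroot(2) refused (normally: caller is not root) */
    JAIL_ERR_GROUPS,     /* could not clear supplementary groups */
    JAIL_ERR_SETGID,
    JAIL_ERR_SETUID,
    JAIL_ERR_STILL_ROOT  /* the drop did not stick: root can still be regained */
};

static const char *jail_status_name(enum jail_status s)
{
    static const char *names[] = {
        "ok", "path not absolute", "chdir failed", "chroot failed",
        "setgroups failed", "setgid failed", "setuid failed",
        "privileges not dropped"
    };
    return names[s];
}

/*
 * Enter the jail and become an unprivileged user.  Order matters:
 *  1. chdir() into the jail first, so the working directory is inside the
 *     new root (a cwd left outside the jail is a classic way out of it);
 *  2. chroot(), then chdir("/") again for the same reason;
 *  3. clear supplementary groups and set the gid BEFORE the uid, because
 *     once we are no longer root those calls are no longer permitted;
 *  4. verify that root cannot be regained; a daemon that silently keeps
 *     root defeats the point of the jail.
 */
enum jail_status enter_jail(const char *dir, uid_t uid, gid_t gid)
{
    if (dir == NULL || dir[0] != '/')
        return JAIL_ERR_BADPATH;
    if (chdir(dir) != 0)
        return JAIL_ERR_CHDIR;
    if (chroot(dir) != 0)
        return JAIL_ERR_CHROOT;
    if (chdir("/") != 0)
        return JAIL_ERR_CHDIR;
    if (setgroups(0, NULL) != 0)
        return JAIL_ERR_GROUPS;
    if (setgid(gid) != 0)
        return JAIL_ERR_SETGID;
    if (setuid(uid) != 0)
        return JAIL_ERR_SETUID;
    /* Regaining root must now fail; if it succeeds, the drop was not real. */
    if (uid == 0 || setuid(0) == 0 || seteuid(0) == 0)
        return JAIL_ERR_STILL_ROOT;
    return JAIL_OK;
}

/* Demo: ./jail /var/empty (as root). /var/empty is a placeholder jail directory. */
int main(int argc, char **argv)
{
    const char *dir = argc > 1 ? argv[1] : "/var/empty";
    enum jail_status s = enter_jail(dir, 65534, 65534);
    if (s != JAIL_OK) {
        fprintf(stderr, "jail %s: %s (%s)\n", dir, jail_status_name(s),
                strerror(errno));
        return 1;
    }
    printf("now uid=%u gid=%u with / = %s; the daemon would start here\n",
           (unsigned)getuid(), (unsigned)getgid(), dir);
    return 0;
}
```

Run without root the routine stops at the chroot step and says so; the step-by-step status is what lets a daemon's start-up log show exactly where confinement failed rather than running unconfined.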

US military shuns BSD for hopping landmines

The research wing of the United States military, DARPA, has abruptly terminated funding for an OpenBSD project, leaving dozens of open source programmers in the lurch. DARPA funds hundreds of loopy research projects, some of which are sinister pork-barrel boondoggles, such as the Total Information Awareness panopticon project, but some of them become socially useful technologies, such as the Internet. So in the process, the tax dollars thrown downstream can provide a net gain. One of these grants was the funding for POSSE, a $2m sponsorship for the University of Pennsylvania to produce a hacker-hardened operating system for standard PCs. According to OpenBSD project leader Theo de Raadt, funding has been cancelled. "We have a hackathon planned for Calgary, Canada for two weeks from now," one participant mailed us. "60 hackers are coming. Plane tickets are bought, and conference facilities are reserved. People are buying their own plane tickets. DARPA funding was providing hotel and conference facilities so people could work. At the last minute, DARPA has pulled out. "Perhaps we'll be housing people in tents and feeding them moosemeat so they can hack." Another observed: "OpenBSD has made some serious gains in security recently -- and it was already starting from a high level. For example, they have made the stack non-executable and made the default compiler provide propolice/SSP code, the W^X memory permissions system, and substantial improvements to the pf host firewall system, which now gives most commercial firewalls a run for their money. "It's likely that the POSSE program contributed to this project, and the accomplishments of its audits of OpenSSL are well-known (especially to those of us who have been upgrading and patching OpenSSL in light of those accomplishments)."

Now Theo has been known to get very dramatic at what ICBM experts call the "ascent phase" of a missile's trajectory. Defense Shield experts surmise that there are two stages at which an incoming ICBM can be intercepted: when it's lifting off, and when it's about to drop on your city. Many experts argue that the optimal interception is at the ascent phase. Which is often, in our experience, where Theo throws a wobbler. However, in this case his dramatics appear to be fully justified. "I wonder if DARPA will fund something else in POSSE's place..." asks mailing list contributor Michael Sinatra. But Michael - we already know what DARPA is funding in its place. It gives $30,000 more dollars to the amazing idea of "self-healing, self-hopping landmines", which we covered here. It may not, we admit, be a hacker-hardened mainstream OS, but check the Flash animation - replete with polyphonic sound effects, Mission Impossible-style typewriter and winking Chess knight (you must watch to the end to see the winking knight) - and tell us if that isn't $30,000 well spent. ®

Related stories: The self-healing, self-hopping landmine; Total Poindexter Awareness: essential information; US gov's 'ultimate database' run by a felon; Total Poindexter Awareness tech spooks - a Who's Who
Andrew Orlowski, 18 Apr 2003

Bored and confused by the PC Internet – world turns to phones

A Pew Research report published yesterday makes sober reading for techno-utopians. It reveals that Internet usage in the US has stalled. Half of the population doesn't want the Internet and couldn't care less about what it might be missing. "Missing out on the most popular movement of the 1990s didn't seem to bother the unwired survey respondents. More than half of those surveyed said they don't want Internet access or don't need it," reports the Washington Post in a neat precis. I can't imagine how this will play with The Second Superpower - the imaginary world that exists in the minds of a small handful of Blog-lobbyists. Cost, and the intimidating experience of PC technology, are cited as reasons by Net-refuseniks. Shockingly, many of the poor and disadvantaged took pride in preferring other forms of information, socialization and entertainment to wrestling with Windows viruses or closing one popup window after another. But what a contrast this makes with Japan, where, as The Guardian reports in an extensive, must-read feature, wireless technology is a smash hit. Cheap, popular phones reach the parts that the lumbering, PC-centric Western tech can't reach. In Japan, The Guardian reports, the phone "is killing the conventional internet. While business users still like to use the PC for email, the younger generation is forgoing the desktop PC for the mobile phone." Phones are used for shopping, for news, but most of all for communication. Social software in the truest sense. The low cost and ubiquity of phones brings wireless technology to all parts of what is, admittedly, already a very egalitarian society. Which is why you hear so little talk of a "digital divide" in Japan. These small computers are very personal indeed: for all the talk we've heard about "wearable" technology, the only technology more wearable than a phone is a chip implant. We must make a few caveats. The Pew report is a snapshot of a point in time. Today's net-savvy affluent kids will age, and the number of Net users may eventually become a plurality. And when content creation and experience matters, the personal computer remains a remarkably versatile tool. And of course, Japanese culture is unique. But it isn't so unique as to be exclusive. Phones with "Shopping" buttons are becoming increasingly common in Asia. Socialization of technology is very important - it's the last thing theorists and lobbyists and ideologues seem to understand. Pie charts and PowerPoints are little help here. The great commercial imperative, everywhere it seems except the USA, is on the "last yard" - luring phone users to useful services. Many have failed, but the dialog between punter and technology provider is refining itself gradually, with personal phone technology very much the arena where big money is won or lost. This may come as a shock to some. It shouldn't. "A lot of cyber-idealists thought the Net was becoming our new common space. That hasn't happened. Nasty teenagers, spammers and greedy corporatists have made common turf on the Net either too expensive, hostile or annoying for most people to spend much time on," wrote a poster on Kuro5hin this week. But here in the US, techno-utopians are in full cry, once again, with a well-heeled lobby demanding deregulation of the wireless spectrum "to bring the Internet to the masses"; oblivious to the fact that elsewhere in the world, it's already happened. Giving renewed vigor to the WiFi/deregulation lobbyists are Microsoft and Intel, who have failed to make the transition. (Rather unfairly, perhaps, in Intel's case, because its XScale platform is technically excellent. Then again, it might not be Intel's fault that no one wants to make Intel phones. That in itself is another story.)

A case in point

A long weekend beckons and, as I'm on a savings binge, I must forgo a trip into Northern California's beautiful countryside. Which is a shame, as I like pines and eucalyptus and fresh air. So I'm going to the park instead, to catch up on some reading. I'm well behind. There's a Russian poet called Mayakovsky, who I'd never heard of until this week: a surrealist and futurist who was both punished and praised by Stalin. And David Sedaris, who is funnier than a one inch hospital, and a book of short lit crit by Amis Jr., much of which is from the days before he aged into a pompous ass. And best of all, the new William Gibson, which I'm reading slower and slower because I know the end is coming, and it has been such a real sensual pleasure to be in his hands that I'm trying to prolong the experience as long as I possibly can. I'll certainly be taking my P800, because I like talking to people: either directly, or via an IM client (which in this case is called TipicME, but it does give you all the main IM services, so your friends are right there in your hand). In theory I can reach the whole Internet via the Opera browser, and it may be hard to resist my daily dose of Robot Wisdom and Cryptome - which are two unfailingly good pointers to great reading - but other than that, I may not miss the Internet at all. And when you're in the park - hey, there's always the possibility of charming a bewitching stranger. (Flirting is quite the par - and not a sign of moral degeneracy.) The moral is: my iBook stays at home. Content is indeed king, and most of the content isn't on the Internet. And what Internet we have that's useful, I can take with me. It's now in a phone. ®
Andrew Orlowski, 18 Apr 2003

Dell thumps HP

Dell has reclaimed its title as PC seller extraordinaire. The Texas-based PC shop knocked Hewlett-Packard out of the top spot for worldwide PC sales in the first quarter of 2003, IDC said. The two companies have jostled for the top spot since HP acquired Compaq last year. Overall, vendors shipped out 34.6 million PCs, a 2.1 per cent rise over the same quarter last year. Laptops continued to take more of the overall market, helping Toshiba grab the number 5 ranking worldwide and in the U.S. "The debut of Toshiba in the top 5 heralds the era of mobile computing," said Roger Kay, director of Client Computing at IDC, in a statement. Didn't the era of mobile computing already seem heralded? It announced itself long ago and now progresses with vigor. I digress. Asia Pacific continued to be the hottest market with 10 percent shipment growth year-on-year. The U.S. and EMEA made small gains. McDell dominated the U.S. market, enjoying 23.7 percent growth to capture 31.8 percent of all shipments. HP followed with 19.5 percent of the market, IBM with 4.8 percent, Gateway with 4.3 percent and Toshiba with 3.2 percent. In case you are keeping track, the merged HP/Compaq lost 0.8 points of market share. Dell holds 17.3 percent of the worldwide market on 24.7 percent growth. The merged HP fell from taking 17.1 percent of the market in Q1 2002 down to 15.8 percent this quarter. IBM made slight gains to take 5.4 percent share, Fujitsu-Siemens held 4.8 percent and Toshiba held 3.7 percent. ®
Ashlee Vance, 18 Apr 2003

CNN kills Castro early

Castro did make a wonderful Queen Consort, didn't he? Or maybe it was his role as the U.K.'s favorite grandmother that tickled your heart. Some of you might not recall these more tender moments from Fidel's past, when he served the British Royal Family. To help jog your memory, CNN this week dropped an early copy of its obituary for the Cuban leader onto its Web site, along with confused biographies of various other world figures who have not passed into the hereafter just yet. It seems a few test pages made their way into the public domain when Fark readers discovered them in a Google search. The Smoking Gun has saved the obits on Castro, Bob Hope, Pope John Paul II, Nelson Mandela, Dick Cheney, Ronald Reagan and Gerald Ford. A quotation heading Ford's obituary said, "I'm a Ford, not a Lincoln." Ford may want to place a few calls to AOL Time Warner HQ and see what can be done about that memorable line before his time comes. The obituaries are works in progress, to be sure, and are all based on this tribute to the Queen Mum. It's for this reason that Castro finds himself in Buckingham Palace, and the Pope finds the intimate details of his marriage, divorce and love of racing exposed on the world's leading source for news. Ronald Reagan's page has neared completion, and the CNN designers seemed fond of their work. Quotations from Dutch's life are scattered throughout the mock-ups, so much so that Castro's past is marred by tales of the lifeguard, athlete, movie star, governor and president. CNN spokespeople described the premature obit postings as being a result of human error, which is like saying nothing at all. ®
Ashlee Vance, 18 Apr 2003