An obscure backroom deal that took place in Washington DC last Fall - unreported by the specialist music press, then dismissed as insignificant after extensive coverage here at The Register - could yet be the undoing of the Recording Industry Association of America. At stake is the RIAA's right to set punitive royalty terms for webcasters - royalties that terrestrial analog radio stations don't have to pay. But lurking in the background is the RIAA's legitimacy to police copyright terms for online, digital music. In the closing stages of the Napster trial, even Judge Patel questioned whether the RIAA had a right to perpetuate its distribution monopoly into the digital age. Being unable to pursue its valuable copyright claims on electronic music would reduce the RIAA from being one of the richest and most powerful lobby groups into a museum piece. But Perry Narancic, attorney for the Webcaster Alliance which this week threatened to file a suit alleging anti-competitive actions by the RIAA, stesses that this is early days. "This is not a class action on behalf of 10,000 small webcasters," he told us. The Webcaster Alliance was born out of the acrimonious deal, reported here (see 96 pc of Net Radio' to close after backroom deal screws grassroots 'casters ) No suit has yet been filed. Narancic explains that under Section 16 of the Clayton Act a trade association has right to injunctive relief. Also under examination is the RIAA's claim to negotiate sound recording royalites, which he argues may fall foul of Sections 1 and 2 of the Sherman Antitrust Act, regarding monopolization claims. Why does he feel confident that the Webcaster Alliance could succeed where Napster had failed? Narancic says that the tradition of judicial conservatism effectively tied Judge Patel's hands in the Napster hearings. "We believe RIAA and members control 85 to 90 per cent of the dominant market for music. They're seeking to eliminate a distribution channel that is absolutely vital to competing music from independents," he argues. "Music has a very difficult time getting exposure through traditional means. And yet the regulatory barriers are very low - Internet radio is a great way to distribute music in a convenient fashion." Raising the barrier to entry cuts off the air supply to thousands of smaller webcasters. So what happened last Fall? Webcaster were astonished when a bill, HR.5469 hit the floor of the House. An earlier version was expected to be a simple affair which called for a moratorium for royalty payments: a six-month cooling off period. But instead the 28-page bill bound webcasters of a certain size into quite detailed rates and terms. The revised bill, which gave interested parties only minutes to digest the new terms, was the result of a shotgun compromise between the RIAA and a group of breakaway webcasters, who styled themselves the "Voice of Webcasters". The thirteen, later eight, webcasters who signed up to the terms of HR.5469 had been under intense pressure from high-ranking Senator James Sensenbrenner, Chairman of the House Judiciary Committee. According to those present, Sensenbrenner - anxious for a result and under pressure from the AFL-CIO - threatened to use his own staff to set the terms. In November, Senator Jesse Helms - under pressure from the religious broadcasters - introduced a third, revised version of HR.5469. The Webcaster Alliance now argues that the backroom deal was anticompetitive. At the core of the argument is how streaming media stations should pay performance royalties. All legitimate radio stations pay publishing royalties to the songwriter direct which are collected by BMI and ASCAP (unless the songwriter doesn't belong to these organizations or choose to waive the royalty). Under the DMCA, the RIAA is entitled to collect performance royalties too, which, unusually, terrestrial stations in the United States are not required to pay. The RIAA argues that a streamed broadcast equates to a reproduction, not broadcast, even though most streams are well below the quality of CDs, and stream ripping software is itself illegal under the DMCA. But as Kevin Shively of Beethoven.com, who withdrew his endorsement from the VoW deal, told us last October, outside the USA the performance royalties rarely exceeds the publishing royalties. "There's no way a station needs to pay a multiple of songwriter royalties," he says. "And in some cases proposed it reaches double digits." "We're counting on the financial and moral support of the public," Alliance attorney Narancic told us this week. The Webcaster Alliance reported with scorn to comments made by John Simson, Executive Director of the RIAA's royalty collection arm SoundExchange in The Register this week, which characterized the 300-strong Webcaster Alliance as an organization of hobbyists. Most of the 300 members are for-profit or non-profit organizations, said Alliance president Ann Gabriel. "For John Simson to classify our members as 'hobbiests' - members who have taken the time to form corporations and other legal entities so they can provide services to streaming media enthusiasts is laughable,"she said. "I consider SoundExchange the 'unincorporated division' of the RIAA to be more of a hobby than any type of operation our Webcaster Alliance members are conducting right now." "The RIAA is a public relations nightmare unto itself," adds Narancic. This, you already know. ® Related Stories - chronological [the deal] '96 pc of Net Radio' to close after backroom deal screws grassroots 'casters RIAA-backed webcast bill 'a disaster for the US' 'RIAA-written' Net radio bill served to Senate Civil disobedience promised after net radio royalty bill falls [the recriminations] New Alliance for webcasters Webcast relief defers Day of Judgement RIAA engineered webcast split - former exec [compromise relief legislation] Helms explains webcasting deal Bush signs Webcast Act RIAA agrees webcasting rates... with non-webcasting AOL, Microsoft AOL Time Warner takes grip of net radio RIAA faces antitrust suit
A new Trojan is turning Windows PCs into porn and spam relays, possibly as a means of harvesting credit card details, researcher Richard M. Smith has discovered. At first it was suspected that the Trojan installs a Web server on the victim's machine from which the porn is served, but research by LURHQ indicates that it sets up a proxy which forwards the porn and x-rated spam and so keeps the originating server hidden. Machines hosting the Trojan are not harmed in any way, but spam recipients who check out the porn on offer may become victims of fraud if they sign up for access using their credit cards. The overall purpose appears to be establishing a semi-anonymous, distributed hosting scheme for malicious sites or for material that might invite retaliation from a Web host or the authorities, such as warez or child porn. Only about two thousand home machines have been infected, but among them is a high proportion of AOL subscribers, implying that it may be spread via instant messaging. According to LURHQ it is easy to detect and defeat. First, remove this registry key: Software\Microsoft\Windows\CurrentVersion\Run\Login Service = wingate.exe Then reboot the computer and remove this file: %windir%\system32\wingate.exe. The spam ads direct users to Russian porn sites chiefly, sometimes using servers that were involved in a recent Paypal scam, Smith notes. ® Related Stories Rise of the Spam Zombies Trojan defence clears man of child porn charges What's the difference between a viral attack and a scan? Windows Root kits a stealthy threat Mindjail worms way through IRC Fizzer stealth worm spreads via KaZaA
Credit card fraud "power users" with programming skills and no fear are making it easier for newbies to break into white collar crime, according to a report from the Honeynet Research Alliance this week. The report draws on data gathered earlier this year when a fraudster looking for a random host to put between himself and IRC wound up cracking a research honeypot maintained by students and faculty at Azusa Pacific University, as part of a loosely affiliated gaggle of deliberately hackable hosts and networks organized around the non-profit Honeynet Project. Researchers secretly monitored the intruder as he joined an IRC channel on DALnet dedicated to obtaining, verifying and swapping credit card numbers, along with matching names, addresses, and everything else a good carder needs to begin ordering goods and services illicitly. From early April to mid-May they watched the intruder move through a dozen chat rooms with names like "#ccinfo," "#ccpower," and "#virgincc." They also joined some of the channels themselves. They found a surprisingly open and helpful community of credit card thieves, where experienced fraudsters offered advice to newcomers, and stolen credit cards were given away freely to neophytes -- at least, in small amounts. "They weren't trying to hide this at all, it was just completely out in the open," says Patrick McCarty, an undergraduate at the university, and a co-author of the report. "You'd think they would want to keep a lower profile." Carding Commands The researchers were also impressed by the level of automation that a handful of sophisticated carders brought to the scene. Fraud-oriented IRC bots made the channels more than just a communications medium. Carders could type in commands like "!chk" to verify that a credit card number is correct, and "!bank" to identify the bank that issued a particular card. Daring fraudsters looking to get credit card numbers directly from a vulnerable e-commerce site could avail themselves of the "!cardable" command, which returns the URL for sites known to be vulnerable to attack. For more help, the "!exploit" command yielded URLs that a beginner could cut-and-paste into their browser to exploit known application-level Web server attacks. If they weren't up for cracking a host personally, the "!cc" command dispensed a single stolen credit card number from a database. "Users need master only a series of custom IRC commands to carry out many key activities of credit card / identity theft," the report found. One command, "!cclimit," even produces the spending limit on a particular card number, according to the report. Where that information comes from is unclear; the report's authors believe some of the bots are interfacing in real time with credit card company databases. "That's what we're particularly interested in," says McCarty. "They seem to have an automated system for doing that." The Research Alliance's monitoring also produced logs of corrupt merchants offering to sell large quantities of card numbers for a percentage of the take, though the report concluded that bulk transfers were handled in private chats, or outside of IRC. The channels named in the report have since been shutdown by DALnet, says McCarty. "We've turned a substantial amount of data over to the FBI," he adds. © SecurityFocus Related stories Trojan serves porn off home PCs, not many dead Chip and PIN: not enough to beat card fraud California enacts full disclosure security breach law Joe Public blames banks for credit card fraud Credit card firms 'profit from Net fraud' Schoolgirl turns tables on email credit card fraudster
The office may start to sound like a fun place with the development by an Australian university of laughter-recognition software. SoundHunter was developed by computer scientists at Monash University in Melbourne to make it easier for employees to log on to computers in a network, New Scientist reports. The software recognises a person's voice or laughter and logs that person on to the nearest computer on a network. According to New Scientist the voice or laughter is picked up with microphones on each computer and the individual is located by "intelligent agents," or pieces of computer code programmed to move through the network from computer to computer. The agents travel to the computer from where the person's voice is loudest. In addition to voice or laughter recognition, the agents listen for footsteps to determine if a person is moving around the office, and by doing so track their movement to ascertain the direction in which they're going. Using this process, the agents can log users on as far as two computers ahead in the direction in which the user is moving, according to Monash University researcher Arkady Zalslavksy. It is debatable if this form of voice recognition will takeoff and how comfortable people would feel laughing into a computer. Another major problem is that the program cannot accurately distinguish between people. However, Zalslavksy said the prototype shows that it is possible to marry sound recognition with intelligent agent technology. SoundHunter, and voice recognition in general, is part of biometrics, or the use of technology to recognise human biological characteristics, physical or verbal, including voice, fingerprints, irises, retinas and faces. With the heightened security awareness that came after September 11th, the use of face and iris recognition technology in airports, which had for the most part been confined to labs and Hollywood movies, was seen as a potential net to catch terrorists. While the technology has proven to insufficient for wide scale roll out, innovation within the sector is said to be rapid and the most significant recent development is the use of biometrics in passports. The EU agreed in early July to embed chips containing biometric data in passports. It has provided €140 million in funding for a feasibility study. The information is to be contained in fingerprints and retinal scans in the passport. This form of data presentation on passports is expected to reduce counterfeiting and fraud. BT's research division BTExtact has developed a prototype of a biometric passport, which features information on a chip, with a hologram of the persons face on the same page of the passport. In making to move to biometrics in passports, Europe is bound by a deadline set out by the US government. Countries whose citizens have visa-free travel to the US must issue passports with biometric identifiers no later than 26 October 2004. In Ireland, on 21 July the European Biometric Forum will be held at Media Lab Europe in Dublin. International figures will come to speak at the forum on various aspects of the biometrics including Marek Rejman Green of BTExact, Russ Neumann of the Office of Science and Technology at the White House and Jason Kim of the Korean Information Security Agency. © ENN Related Stories EU backs biometric passports RSA gets into fingerprints Grampian police trial facial biometrics ID theft: a $1bn a year crime Americans give thumbs up to biometrics
More information about the rather publicity-shy Phantom console has been unveiled, revealing that the system is indeed a Windows PC designed to download PC games securely over a broadband connection. A lengthy article on tech news site Newsforge suppliers considerable detail about the system and its business model. The latter focuses entirely on delivering existing content over secure channels rather than promoting development of exclusive content for the system. At least $25 million of venture capital has been pumped into the project and its creator, Infinium Labs; the end result appears to be essentially a Windows XP PC with no CD or floppy drive, running an assortment of proprietary software to provide encryption for data on the hard drive and secure downloading of content across broadband networks. According to Newsforge, no final specification or price point for the system has yet been set - but a $400 price point is currently being mooted, and the suggestion is that the PC in the Phantom box will be in the 2GHz performance range, more than enough to handle most modern PC games capably. The Phantom business model sees Infinium maintaining a library of games which are available secure over broadband to those who have bought or are renting the console. To this end the company claims to have attracted interest from over 500 game publishers - although no details of any sign-ups have been announced yet. Core to this model is the security systems employed by the console; if Infinium can indeed offer PC games over a completely secure channel, that's an attractive proposition to publishers who are currently resigned to very high rates of piracy of their PC titles. But it remains to be seen if Phantom can gain a foothold in the marketplace. The system will clearly still suffer from major problems that afflict the PC with regard to compatibility and stability, something which those used to console games may not accept. Wisely, Infinium doesn't seem to be targeting the platform at the console heartland occupied by the Xbox and the PS2, but is instead seemingly aiming at an older and more family-oriented demographic; however, those within that demographic are quite likely to want a fully-functional PC, rather than a cut-down PC that can only play games. Phantom is certainly an interesting project, and the enthusiasm of Infinium founder Tim Roberts is very clear from his comments to Newsforge. However, the console manufacturers are unlikely to be greatly troubled by this venture, and we maintain our viewpoint that the ultimate victor here is Microsoft, who far from seeing Infinium as a competitor, will be receiving a license fee for Windows XP from every Phantom device sold. © gamesindustry.biz Two articles from gamesindustry.biz US startup plans new console launch for November US startup plans new console launch for November
'Tread carefully as technology stocks rise from the ashes' This quote from a recent Sunday Telegraph article makes two obvious but critical points, writes Bob McDowall of Bloor Research. Technology stocks are some of the major price gainers on the world stock exchanges in recent weeks; the second point questions the amount of confidence that may be placed by investors in technology stocks - memories of the late 1990's stock market boom, where technology stocks boomed louder than most and performed worse than most echoes the proverb "empty vessels make the most noise." The fundamentals behind the rise require some further explanation. While there is no doubt that most technology stocks are cyclical in nature, in that corporations gear up their technology investment on the back of expansion of their core business, technology like all machinery needs replacing and upgrading periodically. We are probably approaching one of those replacement cycles, even if economic expansion mode is another year or eighteen months away. Nevertheless, there is a so-called re-rating/re-evaluation of the sector by the investment community both because the sector suffered from excessive downgrading after the boom and because the market does anticipate recovery. Both the institutions, which are entrusted to invest funds in the technology sector, and the technology sector itself, have lessons to learn in the next technology boom, before investors will regain underlying confidence. The technology sector needs to: Ensure product, services and performance forecasts and announcements are realistic. During the last technology boom, much of the sector became hostage to the marketing and public relations hype, which conveyed little of substance about the verifiable achievements and progress of the enterprises, their products and services, other than a permanent sense of perpetual optimism. No doubt the chastening failures and disappointments of the past four years will result in a more mature, realistic, sober approach to announcements and forecasts for the services. subject its products and service to more extensive independent evaluation and comparative analysis and publish such reports, as a means of providing greater transparency to their sales and marketing messages. Slow down delivery to market and provide more thorough review testing. Some of the largest firms such as Microsoft already recognise that they have rushed products and services to market under the increasingly discredited maxim of "first mover advantage." This results in muddled and frequent upgrades. There are no longer term benefits to such strategies. Reputations suffer. For the future the technology sector will find itself subject to regulatory control in the guise of consumer protection or financial regulation, as relevant to the technology products and services, are not more robustly and thoroughly tested prior to sale, delivery and implementation. Establish greater community/industry responsibility. In a very young and competitive industry, it maybe forgotten that it is in the collective interest of the industry to develop and maintain integrity and reputation. More mature sectors recognise this, even though they may be competitors. This is for the greater good, and can drive out the less scrupulous members of he industry. Generally, the major firms have to take the lead. The financial institutions, entrusted with investment of funds in the sector, are already experiencing changes to rules and regulations governing the organisational and reporting structures, as well as the conduct of their in-house analytical resource, but they may be reminded of the following: Ensure they have a deep understanding of the products and services from which the technology companies derive or plan to derive their revenues. In a highly technical sector, without this background understanding and support to their analysis, the investment research is of very dubious quality and value. Provide more comparative research and analysis. In an industry where there is a plethora of new products and services, it does help the investment decision process to have relevant technical and financial comparisons, despite the sensitivity of the industry to such exercises. © IT-Analysis.com
A small analyst firm has issued a massive warning to HP customers considering a move off of PA-RISC-based servers and onto Intel's Itanic-powered systems, saying some users may be in for a painful migration. Clabby Analytics has burrowed down into the nitty-gritty aspects of a move to Intel's 64bit Itanium chip and concluded that customers with custom code may suffer from abandoning PA-RISC. They key challenge to custom coders stems from the difference between Itanic's fledging EPIC architecture and more mature RISC architectures, the group argues. In addition, the firm suggests it may not be wise for anyone to move to Itanic at all. "The primary difference in RISC and EPIC architectures is where the logic exists for deciding how to execute parallelized tasks," Clabby Analytics wrote. "In RISC, the compiler presents instructions to the processor and the processor figures out how to best parallelize the processing of those instructions. In EPIC, the compiler takes on the parallelization assignment - and uses the processor for execution. "Why is this important? Because HP customers who are considering a move to Itanium/EPIC architecture need to understand that HP is asking them to process applications in a completely new manner - one that poses certain migration issues when porting applications (and one that relies heavily on compiler technology to successfully effect software migration)." The analysts go on to point out the obvious. Itanic has had all the attraction of New Coke. The chip is being picked up at a snail's pace despite performing well on benchmarks. Customers appear more comfortable sticking with mature options such as IBM's Power, Sun Microsystems' UltraSPARC and HP's own PA-RISC and Alpha processors. All of these chips have myriad applications available for them, and users know how they will perform. Where does this leave HP's customers who are to move off of PA-RISC and Alpha and onto Itanic in the next couple of years? For HP, Clabby has a difficult answer. "HP users may find that, as long as they to go through a platform migration, they might be better off moving to a more 'established/proven/stable' architecture." The future of Itanic and HP's server business depends on a successful migration off of PA-RISC chips, and the analyst firm's remarks don't inspire much confidence. HP users should also have particular concern about how their custom code running on HP-UX and PA-RISC will perform on Itanic. Clabby charges that HP has yet to prove that users can expect to see similar performance out of their apps when running on the new chip. A lot of work needs to be done to tune code for Itanic, and many users may not have the time or EPIC know how to get the job done. Even with ISVs doing the grunt work, the situation for packaged apps may not be much better. "Intel claims to have about 300 packaged applications ported to Itanium 2," Clabby wrote. "This contrasts with tens-of-thousands of packaged applications that already run on Power and UltraSPRC platforms. What this infers is that HP users who want to migrate from Alpha, MIPS, or PA-RISC-based servers may have to wait until their ISVs port and tune packaged applications to the new Itanium EPIC architecture. Choosing Itanium could lead to long wait periods for various enterprise packages applications to become available on EPIC." If you're not concerned yet, Clabby has a few more reasons to make PA-RISC users nervous. The firm claims that HP has a poor track record of executing on its professional services strategy in the enterprise space. HP simply may not have enough expertise in the fledging Itanic architecture to help everyone out. In addition, HP has been slashing its hardware workforce at pace since acquiring Compaq. With 25 percent of the enterprise group gone, the firm asks "where are all of the people HP will need to assist its customers in redesigning applications, restructuring databases and redeploying systems going to come from?" Oh come on, Clabby. Why all the fuss? With the launch of the third-generation Itanic chip - Madison - last month, HP gave users a clear message as to why it will succeed. "Itanium will win the market. HP will win with Integrity," the company said. HP's new Integrity brand applies to its vast array of Itanic systems that stretch from workstations up to 64 processor boxes. HP has bet the farm on Itanic, Clabby. It will not let the company go down in flames just because EPIC is a bit of pain. Right? ® Related Link Analyst piece in PDF Related Stories Intel's Tanglewood pumped full of DEC Alpha goodness IBM steps over HP to take benchmark lead HP greets Madison with Integrity Madison puts on its floaties but can it swim? Dell gives Itanium a second chance Dell 14, IBM 0 - quarterly Itanic sales revealed
Episode 13Episode 13 BOFH 2003: Episode 13 Picture if you will a computer room, late at night.. Late, late at night... Almost morning, in fact.... All lights - bar several system status indication lamps - are off..... Suddenly a lamp, previously glowing Blue, changes (hereafter) to Orange....... Seconds later an SNMP trap, delivered by the system concerned is received by the Services Monitoring Facility server........... Seconds after that, a dial tone, followed by a series of DTMF tones is heard echoing through the machine room. And again............... Approximately one minute later, in the bedroom of a geekily furnished studio flat in South London, a pager beeps shrilly ................................................. A figure partially emerges from the Fleur-de-Lis bedspread to focus on the pager in question........................................ THE WELL-OILED MACHINE OF TRIPLE-TIME, AFTER-HOURS CALLOUT IS IN MOTION!!!! . . . "But I didn't get paged!" The PFY cries in response to The Boss's annoyed questioning as I roll in at 9 the same morning. "Mind you, that could have been because I dropped the pager on the way home and it broke!" The PFY holds up a pager that, whilst bearing the hallmarks of being repeatedly struck by the heel of a shoe, must have been damaged in the manner he said... "I did mention the need of some form of backup to the pager in case of situations like this - or pager unreliability due to congested telco networks," I ad lib. "I'm not buying a bloody satellite phone for you to run up astronomical bills on!" The Boss snaps, cutting my plan off at the pass. "Anyway, this isn't getting the Finance Server up!" "The Finance Server IS up!" I say, looking on the Services Monitor. "It's just dropped a power supply" "Then how come I got messaged?" he snaps, flashing us a look at the message on his phone. "You said you must be notified of any major problems - and you know how I don't like to ask questions." "That's not major!" he snaps. "It is if it happens twice!" I reason. "Look, I only want to be notified when the machine goes down!" "OK, that's easily sorted out," I respond helpfully. "And get that power supply fixed!" He snaps. "Running all the way to the phone!" The PFY blurts, poking in the Hardware Support number. Three hours later "I thought I told you I only want to be paged when the server goes down!" the Boss seethes, crashing into Mission Control. "Yes?" "Well?" "Oh! The server's gone down, see?" I say, pointing at a red icon on the services display. "You're joking!" The Boss blurts. "But it's got redundant power supplies!" "Indeed it has, but they don't work when one's dead and the other is outside the machine..." "I thought the machines could work without interruption?" "They can, but unfortunately our engineer can't. The PFY asked him if he wanted a coffee, which must have confused 'LEFT' and 'RIGHT' in his brain. So he pulled the wrong supply out. I was going to check before he did it - but as you know, I don't like to ask questions..." "RIGHT!" The Boss shouts as he storms off to his office. Ten minutes later The Boss informs us that the engineer concerned is on his way back to the office and the senior engineer has been dispatched to us. ... "..a real bastard," I say to The PFY, finishing my description of the engineer in question. "The sort of person who gives helpful tips to your boss like how the dangling cables you have are a workplace hazard and how he couldn't help noticing that you're using root for day-to-day work - and how insecure that is.." "Really?" "Oh yes. An out and out brownnoser. A cleft presser of the First Order. AND he notes all his tips and observations on his report and files it with his office. THEN, next time something happens, they dig through it for a reason to void the maintenance agreement." "Really?" "Oh yes. He's the guy they send to punish people. AND, he makes a point of coming in and advising you through what he's doing, every step of the way." "Arse Covering?" the PFY asks. "Partly, but mainly to punish you for not issuing him a permanent swipe card to access the room night and day. So he wanders in and out of the machine room to make you keep getting up to let him in." Our conversation is interrupted by the arrival of the man himself, complete with titanium toolkit. "So where is it?" he asks. "In the machine room," I respond. "OK, can you give me a card to get in and out?" And so it begins... Ten minutes later... "Just about to install the new power supply," he says, once the computer room door has latched shut. "Good." "And could someone let me into the machine room, as I don't have a c.." "Sure," The PFY says cheerfully Ten minutes later... "New power supply installed, I'm just going to box up the old one >click< and fill in my form." "Uh-huh". "Oh, could you let me back into the..." "Sure," The PFY seethes. . . . Looking back, I think it was probably the trip back to collect his toolkit that broke The PFY. The repeated trips in and out to let us know he was about to power the system on, check the hot plugability was working, then confirming it was all working, boxing up the old power supply, borrowing a pen to label the old power supply 'faulty', packing up to go, etc, must have slowly eroded his patience. The phonecall from the Maintenance Company asking if we'd seen their engineer was the first thing I knew about it. Then there was The PFY's new titanium tool kit. I don't like to ask questions... ® BOFH: The whole shebang The Compleat BOFH Archives 95-99 Get BOFH Books here BOFH is copyright © 1995-2003, Simon Travaglia. Don't mess with his rights.