2 January 2004 Archive

Defences lacking at social network sites

Services like LiveJournal and Tribe are poised to be the next big thing on the Web in 2004, but their security and privacy practices are more like 1997, writes Annalee Newitz.

Brad Fitzpatrick is president of LiveJournal.com, a social discovery Web site where over 1.5 million users post diary entries they want to share with friends. Although members post extremely sensitive information in their journals -- everything from their plans to commit suicide or sabotage their boss to their latest sexual adventures -- Fitzpatrick admits that security on his site isn't a priority. On the initial login page, LiveJournal members send their passwords in the clear. "We're hoping to change that in the next month," Fitzpatrick said. "But site performance is our highest priority, and SSL is a pain."

Jack (not his real name) is an LJ user whose account was compromised. He isn't sure how it happened, but one day he logged in and discovered a huge portion of his journal entries had been deleted. The attacker didn't stop there -- she or he also plundered his friends' "locked" entries (visible only to other friends) and reposted extremely private exchanges as public entries in Jack's journal. Although he quickly changed his password and fixed the problem, the damage was done. "My friends were really upset and the bad feelings persist," he said. One friend feared that she might lose her job when a private entry about problems with her supervisor was made public on Jack's journal. "It's still cached on Google," he explained, "although it would probably be hard for most people to find unless they knew all the details."

Security measures are equally weak on social discovery Web site Tribe.net, whose member base has swollen to 65,000 since it launched six months ago. Paul Martino, CTO of Tribe, chuckled at the idea that his site might use SSL for member logins. "We don't need high industrial strength encryption for that," he said. "We use standard security techniques like unique session IDs."

As security professionals know, there are any number of ways to defeat unique session IDs. Jeff Williams, CEO of Aspect Security, works on Web application security issues for large financial, health and government institutions. He explained that Tribe.net's refusal to use SSL means that "the session ID, which is included in the URL, will be logged on any proxy. Or you can capture it off the wire with dsniff. If they aren't using SSL, they are basically saying they don't value privacy the way you value your privacy."

Cross-site scripting could be another problem. Martino says Tribe does "tag scrubbing" to protect against people embedding hostile scripts in their posts to the site. But security pros say an attacker might be able to target specific members by sending a specially crafted URL that directs them to a form with hidden tags designed to suck up their cookies. Williams explained that "XSS is amazingly widespread. Plus, XSS vulnerabilities are easy to discover and exploit." The Open Web Application Security Project, where Williams also works, ranks cross-site scripting number four on its list of the top ten web application vulnerabilities. "We try hard to [protect against XSS attacks], but there's always something new," said Fitzpatrick. "The only solution would be to lose link tags, and that's not a good solution."

Security consultant and Nmap author Fyodor speculated that social discovery sites are also vulnerable to a class of attack that is familiar to anyone who uses eBay: "You can trick a user into divulging their username/password by sending them to a fake login page you control. For example, you could send an email, forged as coming from Tribe, which says they need to agree to a new ToS or their account will be deactivated. Then you give them a URL that is cloaked to appear authoritative for Tribe but really could be modified to go to the attacker's password capture page."
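The "tag scrubbing" Martino describes and Fitzpatrick's worry that the only real fix is to "lose link tags" point at the usual middle ground: an allowlist sanitiser that keeps links but drops every attribute and URL scheme that can run script. The following is an added illustration, not LiveJournal's or Tribe's code; the tag and attribute allowlist, the `scrub` and `safe_url` helper names and the sample posts are assumptions made for this example.

```python
import html
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumed allowlist for this example: tag -> attributes that may survive.
# Anything else (script, img, iframe, on* handlers, style, ...) is dropped.
ALLOWED_TAGS = {
    "a": {"href", "title"},
    "p": set(), "br": set(), "b": set(), "i": set(), "em": set(), "strong": set(),
}
SAFE_SCHEMES = {"http", "https", "mailto"}


def safe_url(value):
    """True only for http(s)/mailto URLs or site-relative paths.

    Browsers ignore tabs, newlines and control characters inside a scheme,
    so they are removed before the scheme is inspected; "java\\tscript:"
    is therefore seen as "javascript:" and rejected.
    """
    if value is None:
        return False
    cleaned = "".join(ch for ch in value if ch.isprintable() and not ch.isspace())
    parts = urlsplit(cleaned)
    if parts.scheme == "":
        # Scheme-less: allow "/path" but not protocol-relative "//host/path".
        return cleaned.startswith("/") and not cleaned.startswith("//")
    return parts.scheme.lower() in SAFE_SCHEMES


class LinkPreservingScrubber(HTMLParser):
    """Re-serialises user HTML keeping only allowlisted tags and attributes."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []      # output fragments
        self.stack = []    # allowlisted tags currently open, for balancing
        self.skip = 0      # >0 while inside <script>/<style>: drop their text

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self.skip += 1
            return
        if tag not in ALLOWED_TAGS:
            return                      # unknown tag: drop it, keep its text
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_TAGS[tag]:
                continue                # drops onclick=, onmouseover=, style=, ...
            if name == "href" and not safe_url(value):
                continue                # drops javascript:, data:, vbscript:, ...
            kept.append((name, value or ""))
        if tag == "a" and not any(n == "href" for n, _ in kept):
            return                      # link with no safe target becomes plain text
        attr_text = "".join(f' {n}="{html.escape(v, quote=True)}"' for n, v in kept)
        if tag == "a":
            attr_text += ' rel="nofollow noopener"'
        self.out.append(f"<{tag}{attr_text}>")
        if tag != "br":
            self.stack.append(tag)

    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self.skip = max(0, self.skip - 1)
            return
        if tag in self.stack:
            # Close everything opened after it too, so output stays balanced.
            while self.stack:
                t = self.stack.pop()
                self.out.append(f"</{t}>")
                if t == tag:
                    break

    def handle_data(self, data):
        if self.skip == 0:
            # Entities were decoded on input; re-encode so text can never
            # be reinterpreted as markup on output.
            self.out.append(html.escape(data, quote=False))

    def result(self):
        self.close()
        while self.stack:
            self.out.append(f"</{self.stack.pop()}>")
        return "".join(self.out)


def scrub(fragment):
    """Scrub one user-submitted HTML fragment (assumed helper name)."""
    parser = LinkPreservingScrubber()
    parser.feed(fragment)
    return parser.result()


if __name__ == "__main__":
    # Constructed sample posts, not real LiveJournal or Tribe content.
    samples = [
        '<a href="http://example.com/" onclick="x()">my site</a>',
        '<a href="java&#9;script:alert(1)">click me</a>',
        '<script>x()</script>hello <b>world',
        '&lt;script&gt; in text &amp; <img src=x onerror=alert(1)>',
    ]
    for s in samples:
        print(repr(s), "->", repr(scrub(s)))
```

The scrubber is an allowlist rather than a blocklist: it does not try to recognise every hostile construct, it re-emits only what it knows to be inert and escapes everything else. That is what lets link tags stay while script, event handlers and script-bearing URL schemes go. A production site would still be better served by a maintained sanitiser library than by hand-rolled code like this.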
What makes these attacks novel in the context of a social discovery site isn't how they are deployed, but why. What does an attacker have to gain by spoofing the identity of a member of Tribe or LinkedIn? What kinds of damage can be done by hacking into a LiveJournal account? The answer has to do with the public's growing dependence on social reputation systems. As we come closer to quantifying reputation, the identities we use in online communities begin to have real-world value. A top-ranked member of a network like eBay might be able to sell more items than her peers. A high-karma user on a site devoted to legal issues could have a tremendous influence over public policy.

According to social networks analyst Clay Shirky, identity spoofing is possibly the greatest threat to social discovery networks. "When your reputation is valuable, it becomes worth exploiting. It makes a stolen identity a more valuable commodity." LiveJournal's abuse manager Mark Ferrell said he receives at least five reports of ID hijacking per day. By impersonating a highly reputable person, an attacker might gain access to that person's social network, business contacts and private life. Spammers might launch highly personalized campaigns. And sexual predators could use their victims' friend lists to find more people to harass.

The Social Defense Model

But social discovery site owners and users say they have foolproof protection against identity spoofing: the communities themselves. Call it the social defense model. These sites are using the connections between members to defend against technical and social attacks. The more articulated a social network gets, the harder it is to pretend to be a member of it for personal gain. Online communities can launch counter-attacks that resemble virtual community policing. When a spammer created a fake profile on Tribe and used it to post junk messages, reports Tribe moderator Liz Warner, "People used social pressure to quash [it]." After seeing the first junk post, Tribe members quickly alerted moderators, who deleted the spammer's account in just half an hour.

Konstantin Guericke, co-founder of LinkedIn, explained that his business-oriented site protects its members from spoofing by creating an environment that forces people to deploy authentication methods similar to those used in face-to-face meetings. You can't just randomly send messages to people à la Friendster. To gain access to another site member, LinkedIn requires you to contact someone you both know for an introduction. Thus, a third party has to vouch for you and confirm that you are who you say you are. It's like identity escrow, with all the benefits and pitfalls such a system implies. According to Danah Boyd, a graduate student who studies social networks at UC Berkeley's School of Information Management and Systems, people have gamed LinkedIn by setting up fake accounts for their business competitors and watching to see who approaches them with deals. "Of course, the problem is when the real person goes online and notices," she said. "You can't fake somebody being there for very long." Guericke agreed. "The social network is your strongest weapon," he said. "If you try to find a technical solution [to identity spoofing], you'll step on the social feedback mechanism."

LiveJournal has spawned some of the most vicious identity-spoofing attacks. Ferrell said most of these attacks couldn't be prevented by technical means: "People have had a boyfriend or somebody who knew their password and that person takes over their account." While these attacks may be hurtful to the individuals involved, community protection against them is as simple as common sense. It's relatively easy for members to figure out that someone's account has been compromised when they start posting nasty comments about themselves. Of course, sometimes an LJ attack is more subtle. By gaining access to someone's account, as LJ user Jack discovered, an attacker becomes privy to the "private" posts of friends.

Ultimately, there is little defense against these social attacks, just as there is no way to stem the tide of gossip in the real world. Matthew Ringel, a longtime LJ user, wrote via email, "If I had a dollar for every time a friend in a social group accidentally 'leaked' some information about an LJ posting to someone who wasn't in the friends filter for it, I'd be typing this on a new laptop. There's no technical solution for gossip."

Real attackers, however, couldn't care less about gossip: they want to take whatever is most valuable on these sites. And there's the rub. Shirky says nobody is quite sure what makes these sites valuable, although VCs recently plunked down millions to get pieces of Friendster, Tribe and LinkedIn. But, according to Shirky, one thing is certain: "The value of each site is communally-created. Links and transactions are more important than individuals." In other words, each community creates its own kind of value. Thus, an attacker might hit Tribe to farm social networks for spam victims; and then he might exploit LinkedIn to get the contact information for a VC he wants to meet.

Citing Lawrence Lessig's idea that code equals law, Shirky argued, "Actually, it turns out that code is only sometimes law. The software is not as valuable as who uses it." When it comes to locking down social discovery Web sites, one might make a similar claim. Secure code on these sites may not be nearly as important as the community policing them. Nevertheless, site owners cannot expect users to create value for sites where security is held in flagrant disregard. "It would be great if these sites were compliant with the OWASP Top Ten," laughed Williams, "but it's hard to imagine, given that so many online banking and ecommerce sites don't do it." It may be unrealistic to suggest social discovery sites adhere to OWASP's stringent security guidelines. But perhaps users should be given the option to login over SSL.

Annalee Newitz is a writer in San Francisco who lives at www.techsploitation.com. Copyright © 2004,
SecurityFocus, 02 Jan 2004

Bosses tell staff to hang up when driving

Seven in ten small businesses plan to impose a blanket ban on staff using mobile phones for business purposes while driving, according to new research. The survey, conducted by vehicle management firm FleetLine, found that half of those quizzed said that they would even try to ban employees from using their mobiles while driving in their leisure time. It has been illegal since December to use a mobile phone (unless it's hands-free) while driving, with the government promising £1,000 fines for those who ignore the ban. Small haulage firms could be hardest hit by the legislation, with drivers of vans and lorries facing a £2,500 fine if they continue to use their mobiles. Significantly, businesses which encourage staff to use mobiles without a hands-free kit while driving will also be liable to prosecution. However, the police are expected to impose a ‘period of grace’ until February so drivers can get used to the new rules. The FleetLine study found that 95 per cent of respondents were aware of the new rules and supported them, but 20 per cent of small firms admitted to having no policy on the use of mobile phones while driving on business. Many small businesses feel that imposing a blanket ban will avoid any confusion over grey areas in the legislation, according to David Harnett, director of FleetLine. “It’s important that businesses provide clear and explicit guidance to their employees in the form of a policy that is widely communicated. It should be made clear that drivers who choose to make or receive calls against the policies will be subject to the normal police investigation processes and be subject to disciplinary action,” he said. Copyright © 2004,
Startups.co.uk, 02 Jan 2004

Net pedants savage The Return of the King

We're obliged to movie monitors Movie Mistakes for updating us today on the terrifying catalogue of errors which plague the latest LOTR epic The Return of the King. This motley crew of net pedants recently trashed Matrix Revolutions for the greater good of humanity. Were it not for their latest and seasonal piece of charity, we would be none the wiser as to the earth-shattering fact that "You can see a severely wounded King Theoden lying partially under his horse on the Pelennor Fields after being attacked by the Witch King. The length of his legs are out of proportion, since you can see his waist above the horse's back, and a large part of his lower leg underneath the horse's belly". Or "As Eowyn is hovering over her uncle just before his death, she has a black smudge over her right eye. In the last shot of the scene, the smudge is gone". What the site fails to mention, however, is what is really wrong with the entire trilogy, viz. lines such as: "The sky is red. There has been much killing this night," and endless shots of bloody hobbits running along New Zealand mountain tops. Enough, we say, enough. ® Next week: Movie Mistakes deconstructs 15-second TV washing powder advert with damning litany of 364 continuity and plot errors.
Lester Haines, 02 Jan 2004

Russians punt $40m space honeymoon

Those of a romantic bent and a generously-proportioned wallet might like to consider the possibility of a honeymoon in space. The Russian Rosaviakosmos space agency and US outfit Space Adventures are offering newly-weds the chance to celebrate their love in a zero-gravity, $40m trip-of-a-lifetime to the International Space Station. The package includes eight months' training and a white-knuckle post-nuptial rollercoaster blast aboard a Soyuz space craft. Since eight months is longer than the duration of the average marriage these days, we can't see there being many takers. Of course, many might like the idea of actually tying the knot among the stars, but that's also a non-starter since the Russians have apparently banned marriage in space. Why? We haven't the foggiest idea. It's a bit like prohibiting share trading for those who might have access to a time machine or participation in the football Premiership by cyborgs with 22nd-century ball-handling capabilities, should they ever come onto the transfer market. What's more, Rosaviakosmos cannot even confirm that intergalactic sex will be permitted - which would certainly be the first question any potential honeymooners would ask. Add stringent checks to confirm that candidates "don't have bad habits, money from illegal sources and don't belong to any terrorist organisation," as a spokesman put it, and you've pretty well taken all of the fun out of space tourism. Still, anyone who has made $40m legally and who fancies exceeding even the Maldives as a honeymoon location can reserve tickets now for the 2004-5 space tourist season. Just bear in mind you may not need the "Do not Disturb" sign. ®
Lester Haines, 02 Jan 2004

Kev Warwick cyberkiddie no closer to activation

Although he's been a bit quiet of late, it's good to see that Kevin "Captain Cyborg" Warwick continues to generate the sort of coverage his ground-breaking work deserves. The abduction and murder of Soham schoolgirls Jessica Chapman and Holly Wells prompted the visionary boffin to offer the chance to microchip a child, although the plan never came to fruition. Eleven-year-old Danielle Duval's parents were apparently convinced by Warwick to allow their daughter to be tagged with a chip which would send a signal via her mobile allowing her to be pinpointed on an electronic map. Fifteen months later and Danielle is still waiting for her abduction-busting device. "We never heard nothing more about it," says Mrs Duval, who is clearly not fully acquainted with Warwick's bandwagon-jumping initiatives which rarely amount to more than a few column miles. In fact, the proposal was roundly condemned by children's charities and other organisations, which forced Captain Cyborg to back down. "I was perceived to be an ogre trying to do nasty things to children. The opposition to it made me think that ethically, this is something not deemed to be appropriate," he laments. It is particularly sad that such ethics are preventing the good prof from applying his talents to this emotive issue, since every week he "gets someone e-mailing me to ask if I can do something for their child". Of course, Warwick is not the only person suggesting that tagging of kids is the solution to such terrible threats to their well-being. Various solutions are mooted, including GPS-based systems allowing parents to track their offspring to within a few feet. RFID may also offer a way forward...or not... if No Tags, the site for "UK consumers against the pervasive use of RFID" is to be believed. No Tags' Chris McDermott notes that "chip implants would be of little use in tracking a missing child as readers only have a limited range".

McDermott is right, and here's his sobering conclusion about the real prospects of such technology: "Let's face it, all such a chip would do in cases like Soham is allow the police to trace the bodies more quickly. No technology would have saved those girls." ®

Related stories
Cap Cyborg to chip 11 year old in wake of UK child killings
Kid-chipper Cap Cyborg reported to police, social services
Subdermal RFID chip provokes furore
Lester Haines, 02 Jan 2004

Nigerian 419ers surface in Baghdad

There appear to be no depths to which Nigerian 419ers will not go in order to feed their lust for riches beyond the wildest dreams of avarice. Indeed, they are now masquerading as coalition troops stationed in Baghdad who claim to have unearthed one of Saddam's treasure hordes. It's sort of like "Kelly's Heroes" but relocated to Lagos and the sun-kissed banks of the Tigris. Still, it looks like a good business opportunity for someone with an immediate need for huge amounts of ready cash. Your own haulage company would probably be handy, too, judging by the proposal:

HELLO DEARLY, We are teams of American coalition troops writing from Baghdad Iraq! We are urgently seeking for your willingness to secure the below consignments as shown in the attached photos! The goods were captured here in Baghdad, abandoned in one of the Saddam Hussein's Treasure House. However, the contents of the box are Gold Bars, Gold coins and huge amount of fund in the sealed boxes! At moment, we are intending to ship these goods outside Iraq for safekeeping on our behalf but due to law and restriction order, we are unable to transport these goods to AMERICA .We hereby seek for your assistance to recieve the box in Europe. We are offering you 25% of the entire goods either in cash or in value. Therefore, we will appreciate your effort to get back to us via email confirming your interest to assist us receive the consignment. As soon as we receive your positive reply, we shall furnish you with further details. Please, note, this issue must be handled with utmost confidentiality as to avoid publicity! Yours truly. Capt. STELLA .A (Team Leader)

Anyone interested in taking up Captain Stella's offer should forward their credentials and full details of their bank accounts (including sample signatures, etc.) to us at El Reg and we will ensure that they are delivered to the relevant military authorities.
We will keep you fully posted on any further dictators/bullion/gold coins unearthed in palaces or small holes in the ground, and any business opportunities which may arise from such discoveries. ®
Lester Haines, 02 Jan 2004

David Blunkett bombs on celebrity Mastermind

Home Secretary David Blunkett - he of the compulsory ID card scheme - has well and truly established his credentials with a disastrous performance on celebrity Mastermind. Blunkett scored a miserable eleven, notching up just two correct answers in the general knowledge section. Presumably, one of these was a firm "yes" to the poser "Will UK citizens be obliged to carry ID cards whether they like it or not?" Our Dave did rather better on his specialist subject - Harry Potter - but was soundly thrashed by ex-Eastenders star Shaun Williamson. Even TV gastro-personality Antony Worrall Thompson was able to pip the bumbling Blunkett to the post. Those who would like confirmation that the country is indeed in safe hands can watch the home secretary's humiliation on Boxing Day on BBC2. We cannot at present confirm that the programme will show a disconsolate Blunkett offering "Pass" to the question: "Are there any weapons of mass destruction in Iraq?" ®
Lester Haines, 02 Jan 2004

Reader flak brings down flying car

Letters

Thanks very much to all those readers who wrote to correct a shameful error in yesterday's Wright Brothers' centenary provokes aviation speculationfest. Andrew Wren outlines the case for the prosecution:

No doubt I'm the 439th plane geek to point this out, but Boeing canned the Sonic Cruiser last year in favour of the 7E7. It's a normal airliner, but (try to contain your excitement) marginally more efficient. Joy.

Joy indeed. The full spec of this groundbreaking aircraft can be found here. Boeing outlines the benefits of its innovative design thus:

"The 7E7 base airplane and stretch airplane will carry 200-250 passengers in tri-class configurations on routes between 7,800 and 8,300 nautical miles (14,500 to 15,400 kilometers) respectively. A third 7E7 family member, the shorter-range 7E7 will accommodate nearly 300 passengers in a two-class configuration and be optimized for routes of 3,500 nautical miles (6,500 km).

"In addition to bringing big-jet ranges to mid-size airplanes, the 7E7 will provide airlines with unmatched fuel efficiency, resulting in exceptional environmental performance. The airplane will use 20 percent less fuel for comparable missions than any other wide body airplane. It will also travel at speeds similar to today’s fastest wide bodies, Mach 0.85. Customers will enjoy forty- to sixty-percent more cargo revenue capacity."

Excitement beyond endurance, to be sure. What we clearly need is a viable flying car, and right now. Sadly, readers seem only too eager to shoot this dream from the skies. Dave Loveluck reckons the human factor may be the fantasy's undoing:

With regard to flying cars, the idea scares the living daylights out of me. Why? I find most drivers today, especially in the States, devote less than 10% of their cranial matter to the subject at hand - driving. The very thought of 98% of the drivers flying around with a cup of coffee in one hand, a mobile phone in the other, reading a newspaper or applying make-up/suckling their new-born what-have-you fills me with no desire to join the flying masses. It is bad enough on the roads. How long will it be before the average lard-bucket decides that a flying car is just too passé, and that the real machine is a flying SUV, preferably a tamed military-looking over-indulgence!

Dave finds an ally in Don del Grande, who entertainingly outlines an aerial disaster scenario:

Isn't it obvious why there aren't any flying cars (besides the urban-legendary "JATO engine car" embedded in one of any number of cliff faces, depending on who is telling the story)? What happens nowadays when Joe Lunchpail and Sally Soapopera go out for a leisurely drive, only to discover that neither one of them managed to fill the fuel tank, and the engine sputters to a halt in the middle of nowhere? A bit of namecalling, a cellphone call, an astonished look at what the rescue truck charges for a gallon of fuel, and they're back on their way. Now, what happens when the engine cuts out at altitude? To paraphrase a Monty Python sketch, "notice how the cars do not so much fly as plummet." So tell me, what insurance company would be insane enough to offer "flying car insurance" at anything resembling a rate that the average driver could afford?

Yes, we'll concede that fully comprehensive cover for a flying Ford Mondeo could be a bit steep. Of course, that's just the beginning of your troubles, according to Chris:

Well, while you're waiting for your flying car to land on your lawn, may I suggest you spend the time getting a pilot's license? Unless the flying car manufacturers pull off something impressive, you'll need one just to get it off the ground... oh, and don't forget the red tape with the CAA, log your flight plan with your controller airport, etc, etc, ad nauseam. Or, put another way, short of a complete rebuild of the entire aviation industry, don't expect to be able to have anything like car-like freedom even if you do ever get a flying car...

So, practicalities aside, it'll be the circling black helicopters of the aviation industry which finally force the flying car permanently back into its hangar. Here's why, according to Craig Taylor:

Want a flying car sooner? Send a donation to Moller! Seriously, a little thought will show why we don't yet have a flying car, even though the basic technology drivers have been around for at least 10 years (graphite composites, "fly by wire", high power/weight engines). The question is: how can Boeing, GM, NASA or any other rich, established organization make any money or political points designing and building it? Boeing is in the business of building great big planes that sell for tens (or hundreds!) of millions of dollars. They will not compete against themselves by placing about half of their future passengers on small, low cost "air taxis". And they just aren't in the mass production business. Also, look what happened to the small aircraft makers (at least in the US) over the last 20 years once the tort lawyers found out that juries are ignorant and think all companies are "made of money". Also, the major airlines, who are the natural customers for these big passenger jets, think the whole idea of personal aircraft is heresy. They LIKE hub and spoke. I can imagine a not-so-subtle boycott of the aircraft manufacturer who dared to fund such a project.

That seems to just about cover it. Rather pathetically, though, I am still keeping one eye on the driveway this morning in the forlorn hope that an enormous truck bearing my flying car will disgorge its magnificent cargo in time for a Xmas Day spin around/above the block. And while we all live in hope of a happier future free of these earthbound shackles, here's a provocative aviation endnote from Dr David G. Lovering:

But the Wright bros. weren't the first as any Brazilian will tell you! Santos-Dumont.

Indeed, and he's got a Rio airport named after him to prove it. Happy Xmas. ®
Lester Haines, 02 Jan 2004

Am I Patched Or Not?

Letter

A reader writes:

Maybe I'm just behind the times - it's quite possible, since I rarely boot into Microsoft Windows, but I just downloaded the latest (9!) Critical Updates for Win2K, of which one caught my eye:

Microsoft Security Bulletin MS02-050 Certificate Validation Flaw Could Enable Identity Spoofing (Q329115)

Technical description: The original version of this bulletin was released on 05 September 2002. Microsoft re-issued this security bulletin on November 11, 2003 to advise on the availability of an updated Microsoft Windows 2000 Service Pack 4 (SP4) security patch. This revised security patch corrects a regression that may occur during the installation of Microsoft Internet Explorer 6.0 Service Pack 1 on Windows 2000 SP4. This regression removes the update that is discussed in this bulletin and that is provided as part of Windows 2000 SP4. Customers who are using Windows 2000 SP4 and then installed Internet Explorer 6.0 Service Pack 1 should apply the updated Windows 2000 SP4 security patch to help protect from this vulnerability. On 09 September 2002, we updated the bulletin to advise customers that a Microsoft-issued digital certificate, used to sign device drivers, did not meet the stricter validation standards established by the patch. As a result, customers who installed the patch could see unexpected error messages when installing new hardware, or in some cases might be unable to install new hardware altogether. On 20 November 2002, we released an updated version of the patch that not only eliminates this problem, but also eliminates a newly discovered variant of the original vulnerability.

I'm fscked if I can follow all this - am I patched or not? If I admin 100 workstations, are they patched or not? Have previous patches f*cked my current "clean" install? I have no idea.

Fortunately for me, I run a single W2k laptop, and only ever use W2k on it for dialup (Solaris x86 doesn't support the WinModem, haven't yet got JDS (SuSE SLEC-based) to work with it either) so I only need MS when connected to the internet - surely a harmless thing?

I'm sysadmin for a 14-person firm, one fool uses Windows, everyone else uses Solaris_x86 and/or Linux. Most of us have these crappy Dell laptops with a WinModem, though, so onsite this week I had to use my Windows partition just to dial up. I'm so thankful I don't have to support Windows users any more - we all have to use Windows on those occasions we need onsite dialup, but that is (hopefully) rare.

I realise that most of your readers are Windows admins - my heart bleeds for them. I have so much grief keeping a single laptop working - and we all have to do this individually, costing God only knows how much time - and what level of reliability?

Cheers, One disgruntled (but enforced) Win2k user Steve Parker

So dear readers. Is Steve Patched or is he Not? ®
Andrew Orlowski, 02 Jan 2004

US judges blast music labels' attack on ISPs and users

A US federal appeals court has dealt the RIAA a long awaited kick to the groin in its pursuit of file swappers, saying the music label lobby group can no longer force Internet providers to turn over their customers' names. The Friday ruling from a three-judge panel hearing the case for the Court of Appeals in the District of Columbia is likely to slow down the RIAA (Recording Industry Association of America) hunt for file swappers. The judges have blocked the pigopolist mob from being able to subpoena users' names from ISPs. This decision overturns a district court ruling earlier this year that ordered Verizon to give up the goods on its customers.

"We conclude . . . as Verizon contends, a subpoena may be issued only to an ISP engaged in storing on its servers material that is infringing or the subject of infringing activity," the court wrote. The court noted that it's the actual users that store and trade files - not the ISP. It then backed Verizon's argument that the ISP has no power to remove infringing material stored by users or even to identify the infringing material itself. The RIAA, of course, contends that blocking a user's access to the Internet would solve the infringement problem, giving customers no way to trade files. The court, however, again sided with Verizon here, saying an individual's access to copyrighted songs and to the Internet are two different matters altogether.

The judges were harsh at times in the opinion, calling some of the RIAA's arguments silly and largely saying the RIAA has no merits for its case. We bring you the closing of the statement in full, as it truly gets to the heart of the matter and delivers a serious blow to broad applications of the DMCA.

"We are not unsympathetic either to the RIAA's concern regarding the widespread infringement of its members' copyrights, or to the need for legal tools to protect those rights. It is not the province of the courts, however, to rewrite the DMCA in order to make it fit a new and unforeseen internet architecture, no matter how damaging that development has been to the music industry or threatens being to the motion picture and software industries. The plight of copyright holders must be addressed in the first instance by the Congress; only the Congress has the constitutional authority and the institutional ability to accommodate fully the varied permutations of competing interests that are inevitably implicated by such new technology.

"The stakes are large for the music, motion picture, and software industries and their role in fostering technological innovation and our popular culture. It is not surprising, therefore, that even as this case was being argued, committees of the Congress were considering how best to deal with the threat to copyrights posed by P2P file sharing schemes."

Sometimes the threats of government intervention in technology matters can be frightening. It's rare that the old guard trained to move slowly can wrap its head around quickly moving subjects. But in a battle between the government and a music label lobby group, the Feds should win.

What was Verizon's take on the matter? "Today's ruling is an important victory for Internet users and all consumers. The court has knocked down a dangerous procedure that threatens Americans' traditional legal guarantees and violates their constitutional rights," said Sarah Deutsch, associate general counsel at Verizon. "This decision removes the threat of a radical, new subpoena process that empowers copyright holders or anyone merely claiming to be a copyright holder to obtain personal information about Internet users by simply filing a one-page form with a court clerk. This harmful procedure exposes anyone who uses the Internet to potential predators, scam artists and crooks -- including identity thieves and stalkers."

The RIAA can still sue song swappers but must go through the more costly process of filing individual "John Doe" lawsuits against the anonymous traders. These lawsuits would be required to obtain the person's identity. Under the ISP subpoena process the RIAA had been using, it needed only pay a small fee - less than $100 - to obtain user info from a county clerk. ® See the decision here in PDF.
Ashlee Vance, 02 Jan 2004

Apple to sell software downloads?

Apple's scheme to turn its operating system into a commercial opportunity appears at long last to be coming to fruition. Mac OS X 10.3, aka Panther, has software purchasing options programmed into Software Update, Apple's patch provision system, Mac Rumours reports.

The program's code includes text to support an offer allowing Mac users to buy software using Apple's 1-Click e-commerce technology. Other text offers discounts on software purchases to subscribers of .Mac, Apple's once-free, now fee'd online service.

It's not clear whether Apple plans to sell third-party products this way, or even whether it intends to use the facility at all. However, every incarnation of Mac OS X from the Public Beta through to 10.2 has featured a variety of purchasing-oriented links built into the OS. For example, the Apple menu originally had a 'Buy Mac OS X Software...' option, now simply 'Mac OS X Software...'. Both connect to Apple's web site at the address http://www.apple.com/macsox/get which currently redirects to Apple's repository of downloadable Mac OS X software.

Previous incarnations of the Cocoa programming framework's Font panel had links marked 'Buy fonts...', though this too appears to have been deprecated in Panther. However, iTunes still has its 'Shop for iTunes Products' File menu item. iPhoto and iMovie have similar menu entries.

Whether Apple reckons the time is right for such a move or not, it's a logical follow-on to selling music downloads. Many users are happy downloading software updates that weigh in at tens or hundreds of megabytes - even those without broadband connections. Providing applications, games and utilities this way isn't much different and is an obvious adjunct to the boxed product Apple already offers via its online store. ®
Tony Smith, 02 Jan 2004

Amazon pays libel damages again over Northern Ireland book

Amazon.com has publicly apologised for distributing a book that contained a series of false allegations about killings in Northern Ireland. Seven retired police officers won the apology - and undisclosed damages - after Amazon distributed the book The Committee: Political Assassination in Northern Ireland by Sean McPhilemy.

The book contained allegations about a plot by loyalists to murder Irish Catholics. The book was never distributed in UK bookshops, but was made available online through Amazon UK. According to reports, many of the allegations contained in the book have since been discredited and recognised as being libellous.

The Committee has landed Amazon in trouble before. In 1999, David Trimble, Nobel Peace Prize winner and leading Unionist politician, sued Amazon successfully over The Committee. Showing extremely poor judgement, Amazon withdrew the book from sale on its UK site, directing readers instead to buy the book from Amazon.com, where it was freely available. The company at the time presented its action as a commitment to free speech.

And in an unfortunate administrative cock-up, Amazon.com started selling The Committee again on its site, after paying Trimble damages. Worse, reader reviews recounted the libellous allegations. Trimble once more went to court, winning damages for a second time in 2002.

No one at Amazon was available for comment at the time of writing. ®
Tim Richardson, 02 Jan 2004

DVD Jon wins again

An appeals court in Oslo today upheld Jon Lech Johansen's earlier acquittal on all counts of alleged copyright violations, the Norwegian daily newspaper Aftenposten reports.

Johansen, 20, was alleged to have broken the law by writing and publishing a DVD descrambling program, DeCSS, so that he could watch films he owned on a Linux PC. It earned him the nickname DVD Jon.

The case began three years ago when he was charged by the Norwegian Economic Crime Unit and had to appear in court. The Norwegian prosecutors were acting largely at the behest of the Motion Picture Association of America (MPAA). They sought a suspended jail term and a fine of NOK 20,000 (about €3,000).

In January this year, a lower court had ruled that Johansen had done nothing illegal when he helped to crack the DVD copy protection code back in 1999 and then explained on his website how he had done it. The prosecutors appealed the verdict.

Today's verdict wasn't expected until early January. But the appeals court (Borgarting Lagmannsrett) didn't see any need to wait with its decision. That means the lower court's decision will stand. A supreme court case is still possible, but very unlikely.

The MPAA says it is disappointed with the Norwegian court's decision not to convict Jon Johansen: "The actions of serial hackers such as Mr Johansen are damaging to honest consumers everywhere. While the ruling does not affect laws outside of Norway, we believe this decision encourages circumvention of copyright that threatens consumer choice and employment in the film and television industries.

"It remains to be seen if the Norwegian Supreme Court will have the opportunity to decide whether the prosecution's interpretation of the law was correct," the Motion Picture Association says.

"If the present decision is the courts' final word on the matter, we hope that the Norwegian legislature will move quickly to implement the WIPO (World Intellectual Property Organisation) Copyright Treaty to correct this apparent weakness in Norwegian law." ®
Jan Libbenga, 02 Jan 2004

Jane Doe ruling limits effect of RIAA legal defeat

On Friday, the DC federal appeals court ruled that the recording industry's efforts to subpoena the names and addresses of ISP Verizon's customers who were using P2P file-sharing networks to download and upload copyrighted music were unlawful. However, the decision rests on a narrow reading of the federal Digital Millennium Copyright Act (DMCA), and likely will have little long-term impact on the file sharing debate.

In fact, at the same time the DC court was narrowing the ability to get discovery of anonymous users of the Internet, a court in Connecticut reinforced a private company's right to determine the identity of a person who anonymously criticized the company in e-mail. The rulings both go to the core of that most cherished and reviled privilege of online life: anonymity.

Anonymity is a wonderful thing. Early American patriots like John Jay, Alexander Hamilton and James Madison routinely published under pseudonyms - such as drafting the Federalist papers under the name 'Publius'. Ben Franklin and others had long been publishing not only political diatribes but also editorials and comments about issues of the day (like the role of women in society) under fictitious names - and even fictitious genders. Anonymity can help frame important issues apart from the author of the article, and can permit the author to feel free to express controversial ideas or reveal sensitive information in the public interest without fear of retribution. Who, in January of 2003, would have felt free to criticize Saddam Hussein's regime from inside Baghdad or Tikrit? Who would criticize Kim Jong Il inside North Korea? Indeed, the US Supreme Court has struck down laws that mandated that ballot initiative petitioners place their names on such petitions, extolling the virtues of anonymous political speech. Such anonymous speech can topple repressive regimes, and encourage mass peaceful protest.

Anonymity is also a horrible thing. It allows sexual deviants, perverts, paedophiles and stalkers to lurk in the dark recesses of the Internet. It allows virus writers, purveyors of malicious code, hackers, crackers and attackers to destroy files and disrupt legitimate business and social enterprises without real fear of justice. It permits, and perhaps encourages, irresponsible speech - fraud, deception, defamation, slander, and incitement to violence. It can be used as a tool for hate groups of all political persuasions to incite fear and hatred. It can be used to fraudulently manipulate stock prices for personal financial gain, cause personal ruin, and promote unsafe and untested products (like male enhancements, etc.). It can be used to harass, annoy, and flood mail boxes worldwide. Without knowledge of the author of an electronic communication, it becomes difficult to evaluate its bias and bona fides.

The Verizon Decision

A few years ago, under pressure from copyright holders (e.g. software companies, recording and motion picture companies) the US Congress passed the Digital Millennium Copyright Act. Some of the provisions of the DMCA prohibited the distribution of technologies that could be used to "circumvent" technological measures designed to protect copyrighted works (e.g. copy protections). At the time, Congress was concerned about pirated works appearing on the Internet through web-accessible BBSs, newsgroups and web sites. A "pirate" could place a single copyrighted work on a web site, and permit hundreds of thousands of people to download the work.

In writing the DMCA, Congress recognized that the ISP that was hosting the site with the infringing work bore some limited responsibility for contributing to the infringement - it was, after all, their customer that was infringing, using their storage space and bandwidth. So Congress struck a compromise with the ISPs: if the copyright holder certified that they owned the copyright, and that the use of the work was infringing and not authorized, the ISP had to remove access to the infringing material. In return, the ISP was granted immunity in the event that the removal was improper, and was granted immunity for contributing to the infringement, unless there was some other connection between the ISP and the infringer.

Another provision of the DMCA permitted copyright holders to obtain discovery from the ISPs about the identity of the poster. It was the application of this provision that the DC Court considered in the P2P setting. Under normal law, a plaintiff would file a lawsuit against an offending party (e.g. the copyright infringer) and then use the court system to get subpoenas or court orders for information relevant to the lawsuit. The DMCA turns that on its head: copyright holders, simply by asserting the ownership of a copyright and an infringement by a particular anonymous user, can demand that the clerk of the court issue an order to the ISP to pony up the names, addresses and IP history information of their subscribers, with no lawsuit pending. Indeed, the lower court in the Verizon case ruled that such subpoenas were not even court orders - they were mere ministerial acts by a clerk, and as such were beyond the review of the courts.

But the appellate court last week realized that P2P was different from the kind of "post and download" infringement Congress sought to deal with in the DMCA. The court recognized that, at the time the DMCA was passed, nobody anticipated P2P. The concept of "taking down" offending materials did not really apply to these networks. Sure, you can disable all Internet access by users of P2P networks, or you might disable the ports that are most frequently used for P2P, but this remedy goes far beyond simply removing infringing materials. The infringing materials do not exist on the ISP's servers: they are on the customer's machine. Moreover, the subpoena for information is more akin to asking an ISP for the identity of a person who visited a website to download an offending article, rather than to determine the identity of the person who is hosting it. This, the court ruled, Congress did not explicitly authorize.

But before we declare victory for P2P users, it's worth looking at another court decision that came down the same day, which seems to provide the RIAA with a roadmap for getting at downloaders' identities anyway.

Jane Doe

At the same time the DC Appeals court was struggling with anonymous music fans, a Superior Court in Connecticut was struggling with an anonymous e-mailer to a French company, La Societe Metro Cash & Carry France. Apparently this e-mailer sent electronic communications to many of the company's employees questioning the wisdom and abilities of corporate officers. La Societe Metro sued in France under French defamation law, and also filed a discovery lawsuit against Time Warner (the ISP from which the e-mail originated) in Connecticut. The French company wanted the ISP to give up the subscriber information.

After discussing the history of anonymous speech, and the First Amendment rights to post material on the Internet, the Connecticut court ordered Time Warner to reveal the subscriber information, finding that the French company had shown a prima facie case of defamation, and that the subscriber information was relevant.

Interesting in this case was the fact that the ISP fought the subpoena at all. In most cases, ISPs will reveal this information to all comers with a facially valid court order, and are under no obligation even to inform the subscriber that the information has been sought or disclosed. Indeed, while subscriber agreements typically announce that such information will not be disclosed absent a subpoena, they do not require that the subpoena be legally valid - or tested - and impose no obligation on the ISP to challenge the validity of the subpoena. Again, if information exists, it is likely to be discovered and disclosed.

The Connecticut court went on to conclude that the identity of Jane Doe (the e-mailer) was relevant to the defamation proceeding, and therefore that Time Warner had to reveal it to the French company.

This provides a road map to the RIAA. While (absent a successful appeal) they may no longer issue hundreds of blanket DMCA subpoenas - at least in the District of Columbia - they can file hundreds of blanket 'John Doe' copyright infringement lawsuits and then issue hundreds of ordinary civil subpoenas. Or, they can go to Congress and have the DMCA amended to specifically include P2P networks. So while the court ruling may slow the RIAA, there are many other arrows in their quiver.

SecurityFocus columnist Mark D Rasch, JD, is a former head of the Justice Department's computer crime unit, and now serves as Senior Vice President and Chief Security Counsel at Solutionary Inc. Copyright © 2003,
Mark Rasch, 02 Jan 2004

IT grads face ‘grim’ future

IT graduates face a "grim" future as the UK's jobs market continues to show little sign of improvement. A report by specialist publishers, GTI, does not make chirpy reading for IT grads looking to enter the world of work. Says its Graduate Trends Survey 2003/4: "This year sees once again the nightmare scenario of thousands of well-qualified IT graduates looking forward to an uncertain future that they could not have imagined when they started their degrees three or four years ago." According to the report, there are more graduates chasing fewer vacancies, with the average number of vacancies, and the actual number on offer, falling further. One measly crumb of comfort is that the rate of decline has slowed. Even those lucky enough to find work face a tough time, with the average starting salary falling from £24,764 to £24,000. Overall, GTI reckons there is "no real sign of confidence returning to the sector" and predicts that the average number of vacancies is set to fall again next year. "This year's survey results continue to make grim reading but a touch less grim than last year," said the report. ®
Tim Richardson, 02 Jan 2004

PalmSource forecasts Q3 breakeven

Palm OS owner PalmSource yesterday reported revenues of $16.8 million for Q2 2004, its first fiscal quarter as a company in its own right. That figure marks a 13 per cent increase over the same period last year, at which point PalmSource was operating as an independent business within Palm, now renamed PalmOne following last October's split with PalmSource.

However, the gain wasn't enough to turn the company around. Quite the reverse: it lost $9.1 million (89 cents a share) during the quarter, which ended on 28 November, compared to an $8.3 million loss this time last year. PalmSource's margins stand at 94 per cent, up from 81 per cent last year. During Q2, license and royalty revenues increased by 14 per cent to $15.5 million.

Looking ahead, PalmSource said it expects revenues to grow during Q3 to reach between $20 million and $22 million. It also expects its loss to shrink - we'd hope so, given those margins - to $2 million and possibly even to zero. ®
Tony Smith, 02 Jan 2004

Sage buys ACCPAC for $110m

Sage is to buy ACCPAC, the accounting software arm of CA, for $110m. The Newcastle, UK vendor said its new acquisition will help its US subsidiary, Best Software, grow SME market share in North America, Australia and South Africa.

ACCPAC brings to the party 600 employees, 540,000 customers and 7,000 dealers worldwide. According to Sage there is very little overlap with Best's 6,600-strong dealer channel. Sage claims 1.8 million customers in North America. ACCPAC also brings revenues of approx. $90m and an annual operating profit of $10m (after charges), according to its results for the year ended March 31.

ACCPAC has not sat comfortably within CA for a long time. The enterprise software vendor says it has tested the investment waters twice to float its subsidiary, and twice it has been spurned by investors. It put ACCPAC up for sale in July 2003. The divestment to Sage is expected to complete in February, 2004.

According to ACCPAC, its revenue for the year ended March 31, 2003 was $88.7m, and its operating profit was $10.3m (after adding back charges for the amortization of purchased goodwill). Its net assets at March 31, 2003 were $8.2m. ®
Drew Cullen, 02 Jan 2004

SCO pesters Fortune 1000 for money (again)

The SCO Group has sent another letter to Fortune 1000 companies, requesting that they stop using Linux, or reach an agreement with the Utah company over what it claims are copyrighted "binary interfaces". "Any part of any Linux file that includes the copyrighted binary interface code must be removed," according to the demand.

The SCO Group identifies a number of files which, once machine-specific versions are discounted, boil down to simply four header files. The files signal.h, ioctl.h, errno.h, stat.h and ctype.h contain copyright infringing code. These files, according to SCO, "must carry USL / SCO copyright notices and may not be used in any GPL distribution, inasmuch as the affirmative consent of the copyright holder has not been obtained, and will not be obtained, for such a distribution under the GPL."

However the header files contain simple error codes essential to the operation of any Unix-like operating system. In a response to the Linux kernel mailing list, here, Linus Torvalds explains the derivation of some of the Linux error numbers.

But why trust Torvalds when we can have SCO's word for it? SCO spokesman Blake Stowell previously denied that the binary interfaces contain what the SCO Group claims is infringing code. "This code is under the GPL and it re-implements publicly documented interfaces. We do not have an issue with the Linux ABI modules," he told Mozillazine's Mike Angelo earlier this year (thanks to Groklaw). Which seems to be fairly definitive.

Meanwhile SCO's legal costs continue to wipe out its hard-earned profit. SCOX reported a loss of $1.6 million for the quarter on sales of $24.3 million, after excluding a $9 million charge for legal fees. It would have posted a $7.4 million profit otherwise. ®
Andrew Orlowski, 02 Jan 2004

Mythic sues Microsoft over Mythica

Microsoft was sued again this week. Game developer Mythic Entertainment has accused the Beast of Redmond of infringing its trademark and engaging in unfair competition.

This past Friday Mythic filed a complaint with the US District Court for Eastern Virginia. It claims that Microsoft's upcoming online multiplayer role-playing game Mythica infringes on its name and trademark. Mythic itself specialises in... er... online multiplayer games. Mythic's Dark Age of Camelot is a "massively multi-player online roleplaying game based on Arthurian legends, Norse mythology and Celtic lore." A key Mythica inspiration is "Norse mythology".

Given Microsoft's sensitivity to brand names that come close to its own - Lindows most obviously, for which it is suing the company behind that Linux distro - we're surprised it could make such a gaffe. However it managed it, it's going to have to pay up, if Mythic gets its way. The games company wants a permanent injunction against Microsoft banning it from using the Mythica name - and it wants unspecified financial damages and legal fees. Mythic claims it asked Microsoft to change the name of the game, but Microsoft refused.

Obviously that 'a' makes all the difference, as the 'l' in Lindows so clearly doesn't. ®
Tony Smith, 02 Jan 2004

Euro Q4 sales boom points to record Xmas notebook sales

Christmas 2003 may be shaping up as a boom time for notebook sales, with early figures suggesting high demand for portable PCs, market watcher Context has said.

According to Context research, UK retailers and mail order suppliers sold 31 per cent more notebooks in November than they did in the same month last year. For the UK, France and Germany, sales rose 20 per cent over the same period. That said, October was a better month, with notebook sales rising 32.4 per cent year-on-year across those three territories. By contrast, x86 server sales were up just 8.6 per cent and desktop sales were down 12.5 per cent, Context said. Whether December will follow November's dip and show a lower year-on-year gain, or rise back toward October's figure, remains to be seen.

In Europe's top seven economies, Fujitsu-Siemens led the October boom, with units sold by the channel up 187 per cent on October 2002's sales. Acer followed with sales up 128 per cent, while HP sales increased 42 per cent over the same period. However, HP was still the market leader during the period, with 23.1 per cent of the channel sales. Acer followed with 18.6 per cent. ®
Tony Smith, 02 Jan 2004

Barrysworld is back… sort of

Earlier today, we asked if online gaming community Barrysworld, now known as Game.net and due to be shut down by parent company Game Plc next month, could once again rise Phoenix-like from the ashes, as it did three years ago. We were doubtful. And wrong, we're pleased to say.

Co-founders Tony and Ben - aka 'TedTheDog' and 'DBs' - have gone back to their roots and founded FreddysHouse, a non-commercial online gaming community in the mould of Barrysworld.

"This time it will be volunteers and donations only, no suits, no commercialism, no ludicrous expectations, just a home for a community if it wants one," writes TedTheDog on the new site. "You won't be marketed with stuff, we have nothing to sell, we're just a group of gamers now running this purely as a hobby, just like the good old days. We may ask for help sometimes, but it will be as gamer to gamer."

In short, it's going back to its (Barrysworld) roots as a fan-run site.

Why the name change? "Game have kindly offered us the use of the Barrysworld name, but we've decided to start again," said TedTheDog. "Clean sweep kind of thing." Not to mention the fact that "'Freddys House' was Barrysworld's original name about eight or nine years ago".

Gentlemen, we salute you, and we wish you luck. And now, the last one to the SPNKR-88 is a wuss... ®
Tony Smith, 02 Jan 2004

Orange takes steps to block mobile spam

For those who haven't registered with the Telephone Preference Service - offered by the Direct Marketing Association in the UK - "cold calling" by sales offices can be a real nuisance - but text-spam can be downright expensive.

The more honest ones, says Orange, are at least up-front about the fact that they are going to cost you money. One example:

VIP Ticket: Congratulations U can claim 2 VIP row A 2 C Blu in Concert in November or Blu gift Guaranteed. Call XXXXXXXXXXX to claim Ts&Cs www.xxxxxxxxxx.co.uk £3.75max.

However, recently, a series of trick texts have been received by mobile users, pretending to be voice-mail alerts. The callback number given is a 'local call' (prefaced by 0870) number. But if you call that, you're given the bait ("You've won the lottery!") and an expensive premium-rate 09xx phone number to call. The cost of this is not mentioned.

The premium-rate regulator, ICSTIS, can close down scams of this sort; but as quickly as one 09xx number is blocked, the scammers move to another. And it seems that some of the operators of the 0870 numbers are ignoring the Telephone Preference Service people altogether.

Now, Orange has set up a new service whereby if you get unwelcome text spam, you can forward it to Orange directly, and they'll deal with it. Forward any spam messages to 7726 free of charge from your Orange phone. And (Orange adds) "if you receive a spam text message, you can also report it by calling ICSTIS free on 0800 500 212 (open from 9am to 4pm Monday to Friday) or by sending an email to ICSTIS direct."

The TPS site tells how to register with the Telephone Preference Service - and they are pretty effective at stopping illegitimate traders.

Copyright © 2003, NewsWireless.net
Guy Kewney, 02 Jan 2004

BOFH and the Boss' space problems

BOFH 2003: Episode 32

Some days just nothing goes according to plan...

The Boss is on the prowl for office space, and as usual we're being targeted simply because we have the appearance of consuming a reasonable amount of space.

"It's not like you USE the tape safes," the Boss blurts, on the defensive. "The tapes are just sitting in piles on the computer room floor."

"Those tapes currently required by the tape library, yes," I respond, "but the OTHER tapes, the long-term archives, the non-current series, are all in the tape safes."

"So what's all this stuff?" he cries, pointing at row upon row of tapes sitting on shelves in the tape room.

"Scratch tapes, see!" >BZZZZERT!< The PFY responds, erasing the first volume of last night's financials back-up.

"We keep the scratch tapes on this shelf because it's easier to get to when we need some for a project," I explain carefully.

"So how do they get in the tape safe then?"

"We put them in when we take them out of the tape library," the PFY lies. "And when we put some tapes in, we take the oldest series of tapes currently in the safe out, to be used in the tape series which are written after the current series is written."

The Boss' vacant expression bears witness to his lack of understanding of the complexities of multiple tape series.

"We keep some tapes in the safe and some out of the safe," I explain, kindly. "Otherwise we'd need a couple more safes."

"Well can't we move them in here and free up the tape safe room?"

"Well firstly, they'd take up half the room, secondly the floor needs to be reinforced as there are four tape safes and they weigh - with tapes - approximately three-quarters of a ton each, and lastly, they take up so much room we'd have to get them moved to allow large equipment like the PABX to be delivered into the computer suite. Oh, and they're too big to get out of the doorway."

"Well how the hell did they get in here then?"

"They were built into the room once the floor had been reinforced, apparently."

"We could widen the doorways to get them out. AND we could put them in the basement - which wouldn't need reinforcing, has HEAPs of spare room, and would free up a room!" he gasps.

"I don't think that's such a good idea - there's no access except via this room, and that would mean a secur--"

"Nonsense! We could whack a door through the other side - or just rebuild this doorway after the tape safes are gone. It's perfectly secure! And with the tape safes gone we could relocate the whole helpdesk there."

!!!

"Ah I REALLY don't thi--"

"No, my mind's made up! We'll use that room. I take it you can organise someone to move the tape safes to the basement?"

Nggggggragh!

Now I'm no elitist - well, actually I am, but that's beside the point - but I do NOT want to spend my life being bothered by the helldesk with every one of their inane enquiries every minute of the day. There is no way it can be allowed to happen.

. . .

I get into the office after lunch and find out that there's no stopping the Boss. A large gaping hole greets us from where the tape safe room door used to be, courtesy of one of the building cowboys the company uses for minor alterations. I know it's them by the jagged approximation of a rectangle which has been circular-sawed into the wall - halfway through the light switch on the other side of the wall. Professional!

Scant minutes later, a wadge of fatblokes from the safe moving company arrive, and begin hoisting the safe onto their heavy duty creeper...

...which, once they get into Mission Control, puts its castor wheels through the floorboards.

"Not to worry!" one of the fatblokes chirps. "We'll put steel plates under it till we get it to the freight elevator."

Desperate times, desperate measures. I give the PFY some instructions, then leave to supervise the tape safe's installation - knowing only too well that it'll end up with its door facing the wall.

"Bloody heavy, this," one of the fatblokes says, making polite conversation while waiting for the freight lift. "What's in it, plumbing supplies?"

"No idea."

"What do you mean?"

"Well when I got here I found that there were keys for all the tape safes but that one, so we've never used it. The only reason we've kept it is because it's too bloody difficult to move."

"So it's your lucky day then?" he burbles.

"About to be, yes!"

>ding<

I give the fatblokes a hand pushing as the doors open, and even - out of the goodness of my heart - grab one to help him keep his balance as the safe topples down the lift shaft.

>CRASH<

"BUGGER ME!" the fatbloke shouts. "Where's the bloody lift?"

"Ah, here it comes now," I mention, pulling him back from the open doorway as the empty lift sails past. "Mind your head! Yes, the freight elevator's a bit of a death trap, so it's probably lucky that we weren't in it."

I hear a much smaller >CRASH< from below as the remote controlled lift fails to get to B2, due to the newly installed shaft obstruction. The PFY, bless him, isn't one to be put off and continues to attempt it, with repeated crashes echoing up the shaft while I put up the hazard tape like a good safety conscious employee.

A much nearer crash occurs minutes later as the Boss rolls in looking rather red.

"SKIP THE BLOODY EXCUSES!" he blurts. "I KNOW IT WAS YOU WHO SABOTAGED THE LIFT, AND I'M GETTING THE LIFT COMPANY IN TO PROVE IT! AND IF YOU THINK THAT THIS WILL DO ANYTHING BUT DELAY THE HELPDESK MOVE, YOU'VE GOT ANOTHER TH-- WAOOOOH!"

>CRASH!< >BZZZZZERT<

"BUGGER ME!" the head fatbloke says as the Boss trips on one of the holes in the floor and falls into the gutted lightswitch. "This place is a bloody deathtrap!"

"It is if it's managed properly, yes, but that was a complete accident," I'm forced to admit. "Beautifully executed though. Any of you blokes know mouth-to-mouth?"

"I do!" one of the more generous fatblokes says.

"Can you give it a crack once I pop the breaker?" I ask, prying open the distribution board.

"Sure."

Some days everything just goes like clockwork. ®

BOFH is copyright © 1995-2003, Simon Travaglia. Don't mess with his rights.
Simon Travaglia, 02 Jan 2004

Toshiba e800 Pocket PC

Review
Toshiba has built itself a reputation for producing highly serviceable, well put together PDAs with a serious leaning towards the business user. This is not to say that Toshiba ignores consumers, but rather that it sways product design and marketing towards the corporate sector, writes Sandra Vogel. This market focus is in part why Toshiba has had a consistent policy of introducing hardware-identical versions of devices with either Bluetooth or Wi-Fi integrated: the corporate customer can then choose which wireless mode best suits them without compromising on other features. Toshiba has followed the same strategy with the e800, which comes in Bluetooth and 802.11b wireless varieties. I am looking at the Bluetooth version here, but it is the same price as the Wi-Fi version, and the only other differences between the two are a slight weight hike for the Wi-Fi model (198g as opposed to 195g), and some wireless-appropriate software differences. When you see the e800 advertised as supporting Voice over IP it is the Wi-Fi version to which that claim applies, and to take advantage of it you will need a separate subscription to a service provider. Two things struck me as soon as I lifted the e800 from its box: the stylish blue casing, which is eye catching and makes a change from the very samey colouring of most PDAs, and the slightly large size of the hardware. The size is due to a screen which measures a massive four inches diagonally. I am among the group of PDA users who have often wished for a larger screen - and here it is. The screen quite obviously requires a larger than usual casing in which to live, and both pockets and hands will notice the few extra millimetres all round. But Toshiba has taken the opportunity to do something very clever with the extra screen space - pop in a graphics adaptor with its very own 2MB of SRAM, and give users the option of driving the screen at 640 x 480 pixels. 
To get to this resolution you use a software switch that sits on the start menu. Selecting it causes a soft reset and a few seconds of waiting. To get back to standard 240 x 320 you again go through a soft reset. The high resolution display is a bit of a mixed bag. The standard Pocket PC applications don't support it, and nor, actually, does much else. Toshiba provides the ClearVue Suite from Westtek, which allows you to look at, but not work with, Word, Excel and PowerPoint documents and a range of image formats. Reading Word documents without scrolling horizontally requires them to be rendered in a very small font indeed - it's not advisable to do this for long periods and some people will find it simply too hard on the eye to bother with at all. It's also irritating that you effectively need to soft reset every time you want to switch resolutions. Finally, in standard 240 x 320 the display looks rather blocky due to the relatively large pixel size. In short, I wasn't actually as impressed by the high resolution as I had expected to be. I can see, though, that with increased application support, landscape viewing modes, and good WLAN access to web and other content, this feature could one day become something very useful indeed. Of course there is more to this Pocket PC than its screen. The processor, an Intel PXA 263, runs at 400MHz, marking out the e800 as top of the range. There is a massive amount of on board memory: 128MB of RAM is supplemented by 32MB of user-accessible Flash ROM. This is becoming pretty much the standard for higher end Pocket PCs, so it's not surprising to see Toshiba use this configuration here. There are expansion slots for both CompactFlash and SD cards, both of which sit in the top edge of the casing. A release button for the CompactFlash card slot saves on the need to prise cards out with fingernails and is a welcome feature. 
Another nice touch is the Hold button on the left of the casing, which effectively locks the other buttons so they can't accidentally be pressed. A scroll wheel is also on the left of the casing, where it is well positioned for thumb access. Bluetooth functioned well on test, and I have no complaints. It can be activated by tapping an on-screen icon, and can be disabled using a tiny switch on the bottom edge of the casing. The 'battery off' switch is positioned right next to this, and even though it is protected by a rubber cover, I can't help wondering about the danger of accidentally flicking it instead of the Bluetooth switch. Beneath the screen sits a panel of buttons. The usual four application shortcuts nestle around a large lozenge-shaped navigation button in whose centre lies a select button. The four outer buttons have second functions for moving between audio media when the on-screen controls for Windows Media Player aren't visible. The e800 software bundle includes two voice control applications: Toshiba Text to Speech for Pocket PC and Voice Commands. The former reads .txt documents in a computer generated (American) voice. It works, but I am not sure I'd want to listen to it all that often. The latter provides voice control for applications, and try as I might I couldn't get it to work, so I can't comment on its effectiveness. Battery life is quoted as ten hours. I ran a constant mix of MP3s with the screen set on standard resolution and permanently at its mid brightness level, and got four and a quarter hours of sound and a total of five hours 45 minutes of life. This is not too bad at all for a PDA - few break the magic six hour barrier. The battery itself is removable, so you could carry a spare. 
Verdict
The e800 is a good Pocket PC with some very strong specifications for a relatively high but not exorbitant price. In time, as applications begin to support it, the large, high resolution screen could become a real boon too. But in the immediate term, the range of applications that do take advantage of this feature is slim, and the disadvantages mean that I am not quite convinced it's worth having yet. 
Toshiba e800. Rating: 80%. Price: £399 excluding VAT / $599.
Trusted Reviews, 02 Jan 2004

Boingo expands hotel WLAN coverage

Boingo has added a further 200 sites to its aggregated network of Wi-Fi hotspots courtesy of a tie-in with Arescom, a supplier of in-room Internet and entertainment systems for hotels. The extra sites will not only be made available to Boingo subscribers but to the company's wholesale partners, it said. Arescom's in-room service is currently available in 200 US hotels, a figure the company hopes to grow to 1000 by the end of 2005. Meanwhile, Boingo also said it will work with service provision software supplier Motive to offer software that makes it easier for wholesalers to roll out Wi-Fi and broadband installations by simplifying the end-user PC set-up process. ®
Tony Smith, 02 Jan 2004

MP fingered for ‘Net Villain’ award

One of the UK's most Net-savvy MPs is in the running for the tongue-in-cheek-mixed-with-more-than-a-hint-of-venom 'Internet Villain' award this year. Anti-spam campaigner Derek Wyatt is on the shortlist for the Internet Villain award, for "lowering [the] level of informed debate on the Internet generally and spam in particular". But he's up against some tough competition, with the Recording Industry Association of America's decision to "threaten to involve a 12-year-old girl in a court action". Then there's the Broadband Stakeholders' Group (BSG), "for being beset by a minority of interests, achieving little with their Government funding and not appropriately representing the true broadband industry". And last year's winner, the Home Office, voted Internet Villain 2002 "for the Anti-Terrorism, Crime and Security Act and demonstrating a lack of responsiveness to the Internet industry's concerns about data retention", is a challenger this year, too. Last, but by no means least, is Verisign, for its "presumption that they own the Internet, and [for] the domain name system hijacking scandal". The Internet Hero category is altogether more fluffy. Among the nominees is e-minister Stephen Timms MP "for the enthusiasm he demonstrates in his role". Sheesh. Other categories for this year's Internet Services Providers Association (ISPA UK) awards - including best ISP - are due to be announced shortly. The awards will be presented on 19 February. ®
Tim Richardson, 02 Jan 2004

Spammers not deterred by Can Spam Act

As expected, spammers don't seem too impressed with the US Can Spam Act, which came into force on January 1. Nor have they changed their tactics. The US Can Spam Act attempts to regulate rather than ban the practice of spamming, but it outlaws so-called fraudulent spam, where spammers use open relays/proxies to send their messages. Falsified email headers can now also be punished with prison terms, as can sending sexually-oriented email which is not properly labelled. However, many spam gangs pretend to operate offshore to get around laws, and they continue to do so, by the looks of it. The NANAS sightings newsgroup (a large collection of spam, updated continuously) doesn't contain one spam message that is CAN SPAM compliant. "At best," Steve Linford, director of anti-spam organisation Spamhaus, says, "Can Spam will convert small amounts of illegal spammers over to spamming legally, until they can see how ineffective enforcement is." However, Spamhaus plans to fight back. Yesterday, it released its Exploits Block List (XBL), a real-time DNS-based database of IP addresses of illegal third-party exploits, including open proxies, worms/viruses with built-in spam engines, and other types of trojan-horse exploits utilised by spammers. This list is designed to sit alongside the Spamhaus Block List (SBL), which blocks incoming spam from direct spam sources. The combination of SBL and XBL enables ISPs to safely reject a high volume of incoming spam outright, Spamhaus says. The Spamhaus Block List was widely adopted in 2003 by major banks, airlines and industries to whom e-mail delivery integrity is vital. Last month the number of mail users protected by the SBL surpassed 200 million. ®
Jan Libbenga, 02 Jan 2004

BT trims rural BB wholesale prices

BT is cutting wholesale prices for ISPs running rural ADSL broadband services. The aim is to encourage the conversion to ADSL broadband of 600 small exchanges which have no trigger target set under BT's broadband demand registration scheme - in other words, in areas where BT currently deems ADSL commercially unviable. In July 2003, BT introduced a new service, called ADSL Exchange Activate, to enable rural community-minded ISPs to set up services for up to 30 users. The telco talks about a successful trial involving eight exchange areas, but we wonder what the take-up for Exchange Activate has been since then, considering the hefty upfront payment required. This will now cost the ISP £25,000 in upfront payment, down from £45,000, for 30 users over three years. However, the ISPs must now also pay connection and monthly line rental charges at "the prevailing rate" for BT IPStream Home 500. This is £13 per month, says Reg reader Richard Wilson, who helpfully supplies the arithmetic. Rental charges are 30 customers x 36 months x £13 = £14,040. Connection charges are 30 customers x £50 = £1,500. Total cost equivalent to the old product = £25,000 + £14,040 + £1,500 = £40,540. So the price cut is just under £4,500 - around 10 per cent - and there's less drag on the cashflow. Is it enough? Additional blocks of 30 users will cost ISPs £10,000 upfront, down from £30,000. ®
Drew Cullen, 02 Jan 2004

Court slams HP Israel ID card bid

HP has lost a potentially lucrative bid to become the major supplier of smart identity cards in Israel after a court tossed out the company's proposal, saying it did not adhere to local laws. The Jerusalem District Court on Thursday blocked HP's deal with the Interior Ministry, estimated to be worth between $22 million and $44 million. The court sided with rivals EDS Israel, IBM Israel and Beeri Printers, which had lost out on the contract, reports Ha'aretz. Two main points of contention for the court were that HP had picked a smart card manufacturer that was not one of the company's subcontractors and that the card maker was based outside of Israel. "The tender's winner did not fulfill the minimal criteria, including in that it suggested a card producer that is not a subcontractor, that it presented an inappropriate standard mark, appended a qualified and unclear declaration from its insurer, and proposed a card producer that is controlled by a foreign country," wrote the vice president of the Jerusalem District Court, Moussia Arad. Israel first started taking bids for its first smart ID card rollout in late November of 2001 and eventually had 11 offers to consider, according to Ha'aretz. Other reports note that HP has already put up a substantial investment in developing the project. The loss of the deal will likely result in large delays in rolling the smart cards out. This is a security concern, as officials are trying to improve on easily forged laminated ID cards. The smart ID card business has become a major point of interest for IBM, HP, Sun Microsystems and others, as governments look to update their technology and strengthen authentication systems. ®
Ashlee Vance, 02 Jan 2004

Music sales are on the mend

Despite launching a legal assault against its customer base, the recording industry appears to be benefiting from increasing music sales once again. While 2003 music sales were flat overall, the record labels enjoyed a healthy spike in the fourth quarter, hinting that the industry doom and gloom so often suggested by the RIAA (Recording Industry Association of America) may be fading. Recent data from Nielsen SoundScan shows that an improving economy is having a positive effect on the music biz. In 2003, total music shipments slipped but 0.8 percent when compared to 2002. Sales also fell slightly, by 3.6 percent year-on-year. In the fourth quarter, however, unit shipments surged 10.5 percent compared to 2002, with sales also rising 4.3 percent. Along with the strong quarter, the music industry saw success in various areas for the entire year. Music video sales jumped 78.5 percent in 2003, and DVD music video sales rose 104.5 percent year-on-year. Since June of this year, 19.2 million songs have also been purchased in online stores. So where does this leave us? The recording industry will likely point to its file trader lawsuit campaign as the reason for the uptick in sales at year end. While plausible, this does not seem the most likely of explanations. The pigopolists have been fighting all year to shut down music trading services and to punish song swappers, but with fairly modest success. If file trading was really at the heart of a three year slump in sales, one might expect a far more dramatic change in the data following an entire year of legal scares. Instead, music sales seem to be following larger economic trends. Imagine that. U.S. economic reports released in December showed that consumer spending is strong, incomes are rising and job prospects appear far better than at the start of 2003. From July to September, the U.S. economy grew at an annual rate of 8.2 percent, according to the Commerce Department. 
The government also reported that personal consumption spending rose by 0.4 percent in November, as incomes rose by 0.5 percent. It should come as no surprise to see music sales improving hand-in-hand with the lot of consumers. A healthy 2004 will likely leave the music labels with little to complain about, but it's doubtful that an uptick in sales would be enough to call off the swine herd now. Once you've launched a full scale attack against consumers, it's hard to pull back. Even if they pay your bills. ®
Ashlee Vance, 02 Jan 2004

Sun and IBM to lead 64-bit boom – analyst

Sun Microsystems and IBM are the two hardware vendors best positioned to capitalize on a second 64-bit computing rush, according to one of the industry's most optimistic analyst firms. A major shift from Intel's 32-bit processors to x86-64-bit chips from both Intel and AMD is about to occur, and Sun and IBM are set to outpace both HP and Dell as customers upgrade to the beefier chips, said American Technology Research (ATR). In addition, the analyst firm once again picked AMD as the near term winner in the march to x86-64-bit processors given Opteron's jump on the mystery chip Intel is said to have in store. "We are convinced that the overall importance of this upgrade can't be overstated," writes Mark Stahlman, an analyst at American Technology Research. "The upgrade to 64-bits is the sort of a phenomenon that only occurs once every 15 years. . . Since this upgrade compels a re-building of much of the installed base of both hardware and software, it is likely to open up considerable opportunity for additional market growth as well as share shifts." "Specifically regarding the rapid adoption of x86-64 products in 2004/05, we believe that those vendors who have most aggressively embraced this market are likely to have the opportunity for share gains. In particular, we note that Sun Microsystems and IBM are the most aggressive and best positioned server vendors in this emerging x86-64 market. Lastly, we expect that AMD's lead over Intel is potentially an opportunity for considerable upside." ATR is somewhat unique among analyst firms in its unrelenting optimism for a rapid surge in 64-bit computing sales. It's also one of the few firms to dangle a buy rating for Sun shares. So is ATR right to be such a renegade? In the near term, backing Sun and IBM in 64-bit computing seems like a no brainer. The two companies along with HP have dominated the 64-bit RISC server market, splitting tens of billions in revenue between them. 
Of these three companies Sun and IBM appear as the two best aligned to ride early x86-64-bit success. On paper, Sun is the biggest backer of AMD's x86-64-bit chip. The company plans to roll out a fleet of AMD workstations and servers next year with both Linux and Solaris x86 as operating system options. This lets Sun profit from the popularity of Linux while possibly helping it pave the way for Solaris to be the Unix OS of choice for Opteron SMPs. IBM is also backing Opteron with a server aimed at the high performance computing market. With its own Power products, Opteron and Itanium systems, IBM has set itself up to profit from any surge in 64-bit server sales. This leaves HP as the odd man out. The company has put all of its weight behind the slow selling Itanium processor from Intel. HP is asking all of its Alpha and PA-RISC customers to overhaul their hardware and software infrastructures by shifting to Itanium's EPIC instruction set. In addition, its tight relationship with Intel around Itanium likely means HP will be the last major vendor to ship an Opteron product - doing so only if the future of Itanic is as grim as its present state. If Intel ships an x86-64-bit chip next year, as ATR predicts, the situation won't improve much for HP. Customers will have to choose between Itanium systems or the x86-64-bit kit. It will be tough for HP to guide customers to one product over another. HP is also more dependent on Microsoft than either Sun or IBM, and Redmond continues to delay the release of an x86-64-bit operating system suitable for the low end server market. ATR has divided the enterprise computing market up into three different "teams" to show how it thinks the next couple of years will break down. 
"We detect the building of 'teams' in which vendors enter into complex inter-company alliances - sharing customer data, jointly developing products, collaborating on designs and standards - with the intent of maximizing the overall market share for their team," the firm writes. The Blue team is captained by IBM with Cisco, AMD and Sony throwing in their lots. The Red team consists of Microsoft, Intel, HP and Dell, and the Green team has Sun and Oracle on its side. These relationships seem fairly obvious given past ties between the companies, but the point is that a type of consolidation is going on in which the vendors will need to rely on each other more than ever. Should 64-bit computing take off in the next couple of years as ATR suggests, the Red team will have a lot of work to do. HP is the only player in that group with any kind of 64-bit track record, and it's throwing away past success for a future gamble. ®
Ashlee Vance, 02 Jan 2004