22 March 2004 Archive

EC – MS talks failed ‘over Longhorn fears’

Fears over Longhorn, Microsoft's next big version of Windows, were responsible for last week's collapse of settlement talks with the European Commission, the FT claims. Brussels is concerned that Microsoft will bundle even more features into Longhorn and thereby exclude even more competitors. The EC is already investigating Windows XP. Longhorn is due for release in 2006. The Commission will reveal its punishments of Microsoft for past anti-competitive behaviour on Wednesday, 24 March. These are expected to include restrictions on the firm's future conduct. Member states are meeting today to decide how big a fine to impose. Die Welt predicts a fine of €200m as part of the settlement. Microsoft is almost certain to appeal. In somewhat connected news, Nebraska is reviving its case against the software giant under its consumer protection laws. The state's supreme court ruled in favour of two Nebraskans suing Microsoft for using its monopoly position to overcharge for software. ®
John Oates, 22 Mar 2004

Oi! Yob! Blunkett wants your mobile

David Blunkett, the increasingly angry home secretary, is calling for "lifestyle punishments" to shape Britain into a less violent society. He wants the power to confiscate mobile phones and ban people from football matches. He also wants to counter the "increasing portrayal of violence" on television. Which sounds like censorship. The home secretary believes "lifestyle punishments" such as a mobile phone ban will be a more effective deterrent than traditional punishments. Blunkett met culture secretary Tessa Jowell but she rejected his proposals as "unenforceable" and a breach of human rights, according to the Sunday Times. One unhappy source at the Home Office told the paper: "These proposals are disproportionate, unenforceable and criminalising and do not go to the heart of the cause of these problems. But Blunkett will not be deterred." Perhaps luckily for mobile phone-owning yobs (i.e. all of them) Blunkett is currently busy trying to get cabinet support for compulsory identity cards. ®
John Oates, 22 Mar 2004

Blunkett ready to force through compulsory ID for UK

Leaked cabinet letters reveal that British Home Secretary David Blunkett is readying the terror card to accelerate the introduction of a compulsory ID system. Blunkett secured cabinet agreement for enabling legislation last autumn, but at the price of making the scheme voluntary for the moment, with the final decision on compulsion being reserved until "later this decade." Just days after this decision was announced, however, Blunkett stood before Parliament describing a scheme whose timescale and inevitability looked strangely unchanged. Faced with Blunkett's absolute determination to ramrod a scheme through, backed by Prime Minister Blair's support, the Cabinet opponents seem to amount to little more than a clutch of powerless bleaters. The latest leak, to yesterday's Sunday Times, is more of the same. Cabinet members Jack Straw, Alistair Darling, Paul Boateng and Pat Hewitt have written to Deputy Prime Minister John Prescott protesting that draft legislation on ID cards to be published before Easter will allow the scheme to be made compulsory on a simple vote of Parliament. The objectors had apparently left the previous Cabinet wrangles with the view that there would be further discussion, and probably a further bill, before compulsory ID was introduced. But the current draft, which Cabinet members have been given early sight of, would appear to be the compulsory ID card legislation already, with an on-switch for flipping as soon as Blunkett thinks he can get away with it. According to foreign secretary Jack Straw's letter (quoted in The Guardian), "I do not have the minutes of our discussions to hand, but my recollection is the same as Patricia [Hewitt]'s ... a bill of this kind would be seen to be focused on the introduction of a compulsory ID scheme." Well indeed. But Blunkett's intentions were made abundantly clear last November.
He (and indeed Tony Blair) sees compulsory ID as inevitable, and he has put together legislation based on this premise, and will no doubt insist if questioned that the draft is fully in line with the Cabinet's views. Then on the next major terrorist atrocity, an outraged Parliament will make the cards compulsory, after the level of balanced debate it customarily deploys in such circumstances (i.e., none). Blunkett is unshakably convinced that ID cards will effectively combat terror, crime and illegal immigration, and is equally unshakably convinced that he is the voice of the people on this. On the second he's probably right, but on the first he's utterly wrong. It will however likely take another Great British Government IT Disaster to prove this to the people, and David will be gone from the Home Office (please Lord, out rather than up) long before that one works through the system. ®
John Lettice, 22 Mar 2004

Sony, Ericsson plan move to block Nokia majority at Symbian

Sony and Ericsson are working to stop Nokia gaining more than a 50 per cent share in the Symbian consortium, Ericsson CEO Carl-Henric Svanberg tells today's Financial Times. Ericsson, which currently has 17.5 per cent, and Sony, which through Sony-Ericsson has 1.5 per cent, will 'act as a team' to raise their own shareholding, but Svanberg said that Nokia's share would rise to 46.7 per cent, and the combined Sony and Ericsson stake to 27.6 per cent, if all shareholders exercised their pre-emption rights. So Svanberg is not simply talking about Ericsson increasing its stake to keep Symbian independent, but about getting everybody else, including Samsung, Siemens and Panasonic, to act together. If Nokia's acquisition of Psion's stake goes ahead without action from others, then Nokia will have 63.3 per cent. None of the other shareholders, Ericsson included, have any reason yet to state their intentions, as the pre-emption process won't actually commence until (or indeed, if) all regulatory authorities approve the sale to Nokia. Just keeping Nokia a little under 50 per cent may not however be enough. With the exit of Psion it is the largest shareholder by a long chalk in what was originally intended to be an ever-growing consortium, and proportionately it's at least arguable that the company has too big a stake already. Symbian would look a lot more convincing if none of Psion's stake was going to Nokia, and it was going entirely to two or more other companies instead. But then it would still have to tell us what its plan is, if it's not now going to IPO, of course. ®
John Lettice, 22 Mar 2004

Baltimore fights attempted coup

One-time e-security giant Baltimore Technologies has called an attempt by its biggest shareholder to take control of the board of directors "opportunistic". The Irish technology company, which is now a cash shell after months of asset selling, has hit back at Acquisitor Holdings after the investment company proposed that Baltimore's entire board of directors be replaced. Acquisitor had blasted the current Baltimore board, saying it was responsible for the company's "disastrous" financial performance, and it is nominating two alternative candidates for the jobs of Baltimore chairman and CEO. Bermuda-based Acquisitor, which owns about 10.1 per cent of Baltimore, has called for an Extraordinary General Meeting to be held, at which the group will put forward David Buchler and Duncan Soukup for the jobs of Baltimore chairman and CEO respectively. Buchler is the founder of Buchler Phillips and most recently held the job of chairman of Kroll Europe. Soukup, meanwhile, is the deputy chairman of Acquisitor Holdings. "This move is opportunistic in seeking to secure control of the company and its assets, without paying a premium to shareholders by making a formal offer for the company," Baltimore said in a firmly worded response. "The timing of this notice is disruptive to the process already well underway which will see it present proposals for Baltimore's future to shareholders at the time of the company's financial results announcement on 31 March 2004." Indeed, Baltimore, led by Executive Chairman Bijan Khezri, has undergone a painful sell-off process over the last year that culminated in the sale of its main PKI business in late 2003. The firm now consists of little more than cash, property and a handful of small services units. On 31 March, when the firm's full year results are released, the former e-security company will announce what it plans to do next.
Its choices consist of liquidation and a return of cash to shareholders, the acquisition of another firm, or a combination of the two. Though the company said that this announcement would still go ahead, the company will be forced to call an EGM in the next 21 days. "Baltimore Technologies was once a FTSE 100 constituent with a market capitalisation of more than £5bn but today is a cash shell with a recent market value of some £20m, having lost 97 per cent of its value," Acquisitor said in its argument for a new board, adding that it is worried that the current board will squander any remaining shareholder value. "As Baltimore Technologies' largest shareholder we have reviewed the past performance of Baltimore Technologies and are of the opinion that the current board are in large part responsible for the oversight of more than £1bn in trading losses," Soukup said in a statement. "Their involvement and association in the company's past disastrous dealings leave us with no choice but to requisition an EGM to clear the air and give Baltimore Technologies shareholders the confidence that their interests are being served properly." © ENN
ElectricNews.net, 22 Mar 2004

Internet virgin faces police probe

Rosie Reid, the Bristol University student who tried to auction her virginity online, is facing a police investigation after having sex with the highest bidder. Avon and Somerset police are investigating whether Reid is guilty of soliciting. A London man paid £8,400 by banker's draft to sleep with the lesbian student. Reid, who had never had sex with a man, originally tried to sell her virginity on eBay before moving the offer to her own site. She wanted the money to help pay her tuition costs. The 18-year-old Reid believes her actions will spark a debate on student finance. She told the News of the World the experience was "very uncomfortable but over quite quickly". The man involved is a 44-year-old divorced father of two. He is a BT engineer and lives in south east London, according to reports. ®
John Oates, 22 Mar 2004

Stopping the enemy at the gate

Over the past few years, security vulnerabilities have spiralled, writes Bloor Research analyst Fran Howarth. The CERT Co-ordination Centre, a federally-funded R&D centre operated by Carnegie Mellon University in the US, publishes annual statistics of the security vulnerabilities reported to it. In 1995, just 171 such incidents were brought to its attention; by 2003, that figure had risen to 3,784.

This increase in vulnerabilities is causing many companies headaches: there are just too many patches to install; users are often not adhering to policy; fast-spreading worms can create havoc in corporate networks; automated hacking tools are spreading in use; and corporates are increasingly demanding 24/7 connectivity. Security breaches are caused by hackers, worms and viruses attempting to exploit vulnerabilities in systems - and not only has the number of such attacks increased, but also their severity. Technology vendor Microsoft states that, whereas it previously had a timeframe of weeks to provide a patch for a system vulnerability that a hacker had exposed, it now has just a matter of hours to fix the problem. And the problem does not stop there - the SQL Slammer worm unleashed recently exploited a vulnerability for which Microsoft had already created a patch, and went on to infect more than 120,000 systems within days of being released, as well as disabling a network of ATM machines.

To defend against such attacks, companies are realising that a managed firewall alone does not provide adequate levels of security for business. Rather, they are looking for a complete security approach that includes a firewall, correctly configured routers, anti-virus products, a security policy, high-speed processors and solutions for preventing intruders. Intrusion prevention systems (IPS) are not really a new technology, but are more an evolution from existing security technologies, including intrusion detection systems (IDS).

IDSs are essentially electronic surveillance products that monitor traffic patterns and compare them against known attacks. In a way similar to anti-virus products, they use signatures to recognise traffic patterns, but those signatures must be kept up to date and upgraded when new attacks are identified. Problems with IDSs include their inability to read encrypted traffic and, with switches being increasingly deployed on networks, the limited extent of traffic that each IDS can monitor. As a result, companies are obliged to vastly increase the number of IDSs deployed in order to monitor traffic on all segments of the network. They are also plagued by the high number of false positives generated as they monitor traffic looking for suspicious activity.

Where IPS products come into their own is when automated remediation capabilities are added to the IDS products in use, to proactively block attacks before any damage is done. IPSs do this by analysing packets within normal network traffic, stopping any traffic from entering the network that shows signs of suspicious activity. In this way, they act rather like deadbolts, preventing unauthorised access to a company's applications. Within the emerging IPS market, there are two main categories of available products: host-based IPSs and network-based IPSs.

Host-based IPSs

Host-based IPSs protect servers and workstations via software agents placed between applications and the operating system's kernel. Based on predetermined rules that an organisation sets according to known attacks, they intercept system activity and either allow it through or block it, depending on whether or not it conforms to those rules. Such activity can include network connection requests, attempts to read from or write to memory, or access to specific applications.

Whilst IDSs can only protect against known attacks, host-based IPSs may be used to monitor the environment around applications, such as file locations and Registry settings, to look for types of attacks that are unknown and for which no signature of 'acceptable behaviour' has yet been written. However, there are many downsides to host-based IPSs. Since they must be deployed on every server that is to be protected, they are costly to implement and cumbersome to maintain. They must also be constantly updated to ensure that signatures have been written for all known attacks, including new worms, viruses and other vulnerabilities as they become known. Also, since they are installed on individual parts of the network, they cannot be used to prevent an organisation-wide attack aimed at the network in general, such as a denial of service attack. Another problem is that they may block legitimate traffic if a signature has not been developed for a particular type of previously unknown activity. And, since they must be installed on the particular parts of the network a company wishes to protect, they are not particularly effective at preventing attacks originating inside a network - something of particular concern to organisations.

Network-based IPSs

Network-based IPSs - sometimes known as inline IPSs - work like a typical firewall in that they are designed to prevent a network from being attacked. They intercept all network traffic, scanning it for suspicious activity and either blocking it or passing it along. Different network-based IPSs use different techniques, from scanning for signatures (suspicious strings of bytes) to looking for protocol anomalies by detecting where a packet is trying to perform a command not normally permitted by its transmission protocol.

Some systems will search for suspicious activity, such as a hacker trying to enter through an open port, and will send a specially coded and tagged response - which will also identify the hacker should they try to repeat the attack. Another particular feature of such IPSs is that they can be used to scrub packets, rewriting the offending packet so that it will not be able to carry out its attack. This can be performed without the attacker's knowledge, enabling a company to tag activity and gather evidence against a particular attacker. Since network-based IPSs sit inline, all data packets crossing the network must pass through them, making them more effective than host-based IPSs for preventing attacks originating inside an organisation. However, the fact that all network traffic must pass through the IPS means that implementing such a system may negatively affect the network's performance. As a result, some organisations are moving towards appliances that support gigabit speeds, rather than software. Both hardware and software inline IPS devices are available on the market. There is also the danger that legitimate traffic that is not recognised may be blocked - potentially shutting down a customer connection and losing a company business.

The future of IPSs

Since IPSs are a relatively new technology, it is not yet certain how they will evolve. Some commentators are looking to next-generation firewall products that allow deep inspection of data packets. One of the reasons for this is that the IPSs on the market today require a great deal of effort in configuring and updating policies and signatures, leading many to doubt their usefulness. The goal for organisations is to implement a single technology that acts as a gateway to the organisation, applying security policies and protecting networks and applications from any attacks. © IT-Analysis.com
IT-Analysis, 22 Mar 2004
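
The article contrasts signature matching with protocol-anomaly detection, and an alert-only IDS with an inline IPS that blocks, while warning about false positives and blindness to encrypted traffic. The following toy inspection engine is an added illustration of those points, not code from the article or any vendor's product; the signature names, the HTTP method rule, the packet class and the sample packets are all constructed for the example.

```python
"""Toy inline inspection engine, written as an added illustration (not a
product from the article). It combines the two techniques the article names,
byte-string signatures and protocol-anomaly checks, and can run either as
an IDS (alert only) or as an inline IPS (block). Signature names, rules
and packets are all constructed for the example."""
from dataclasses import dataclass, field
from typing import List, Optional, Set


@dataclass
class Packet:
    src: str
    dst_port: int
    payload: bytes


@dataclass
class Signature:
    name: str
    pattern: bytes                    # byte string to look for in the payload
    ports: Optional[Set[int]] = None  # restrict to these ports; None = any


# Constructed signatures; the names are hypothetical, not from any ruleset.
SIGNATURES = [
    Signature("shell-path-in-http", b"/bin/sh", ports={80}),
    Signature("dot-dot-traversal", b"../..", ports={80}),
]

# Protocol-anomaly rule: an HTTP request on port 80 must begin with a method
# the protocol allows; anything else is "a command not normally permitted".
ALLOWED_HTTP_METHODS = {b"GET", b"POST", b"HEAD"}


def http_anomaly(pkt: Packet) -> Optional[str]:
    """Return a description of the protocol anomaly, or None if conformant."""
    if pkt.dst_port != 80 or not pkt.payload:
        return None
    method = pkt.payload.split(b" ", 1)[0]
    if method not in ALLOWED_HTTP_METHODS:
        return f"unexpected HTTP method {method!r}"
    return None


@dataclass
class Verdict:
    action: str                      # "pass", "alert" (IDS) or "block" (IPS)
    reasons: List[str] = field(default_factory=list)


def inspect(pkt: Packet, inline: bool) -> Verdict:
    """Inspect one packet. inline=False behaves like an IDS (alert but forward);
    inline=True behaves like a network IPS (drop before it reaches the host)."""
    reasons = []
    for sig in SIGNATURES:
        port_ok = sig.ports is None or pkt.dst_port in sig.ports
        if port_ok and sig.pattern in pkt.payload:
            reasons.append(f"signature:{sig.name}")
    anomaly = http_anomaly(pkt)
    if anomaly:
        reasons.append(f"anomaly:{anomaly}")
    if not reasons:
        return Verdict("pass")
    return Verdict("block" if inline else "alert", reasons)


def count_actions(packets: List[Packet], inline: bool) -> dict:
    """Tally verdicts for a batch of packets, keyed by action."""
    tally: dict = {}
    for pkt in packets:
        action = inspect(pkt, inline).action
        tally[action] = tally.get(action, 0) + 1
    return tally


# Constructed sample traffic. The fourth packet is benign: a wiki edit whose
# body happens to mention /bin/sh, which the naive signature still flags.
# This is the false-positive problem the article describes, and why an
# inline deployment needs tuning before it is allowed to block.
SAMPLE = [
    Packet("10.0.0.5", 80, b"GET /index.html HTTP/1.1\r\nHost: www\r\n"),
    Packet("10.0.0.9", 80, b"GET /cgi/../../private HTTP/1.1\r\n"),
    Packet("10.0.0.9", 80, b"FOO / HTTP/1.1\r\n"),
    Packet("10.0.0.7", 80, b"POST /wiki/save HTTP/1.1\r\n\r\nUse /bin/sh for scripts"),
    # TLS on 443: the engine sees only ciphertext, so content rules cannot
    # apply and the packet passes whatever it carries (the article's point
    # about encrypted traffic).
    Packet("10.0.0.7", 443, bytes([0x16, 0x03, 0x01, 0x00, 0x2A])),
]

if __name__ == "__main__":
    for pkt in SAMPLE:
        print(pkt.src, pkt.dst_port, inspect(pkt, inline=True))
    print("IDS mode:", count_actions(SAMPLE, inline=False))
    print("IPS mode:", count_actions(SAMPLE, inline=True))
```

Running it in IDS mode forwards everything and raises three alerts; switching `inline=True` turns the same three verdicts into blocks, including the benign wiki edit, which is exactly the lost-business risk the article attributes to inline deployment. Real products reduce that risk with context (the signature is only meaningful in a request line, not in a body) and with stateful protocol parsing rather than a first-token check.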

Intel confirms Pentium model numbers

Update: Intel has apparently confirmed that it is indeed going to replace its current clock frequency-based chip naming scheme with one centring on model numbers. To date, claims that such a move is in the offing have come from sources within companies who buy processors from the chip giant. But according to a Reuters report, Intel admitted as much itself late last week. The report doesn't, however, mention just who said so. Last week, it emerged that Intel has decided to rename its 90nm processors as 300, 500 and 700-series chips. Taiwanese manufacturer sources suggested those numbers applied to the desktop Celeron, desktop Pentium 4 and mobile Pentium M lines, respectively. The latest report suggests - more logically, we have to admit - that the three series numbers will be applied to the desktop Celeron, desktop Pentium 4 and desktop Pentium 4 Extreme Edition, respectively. Possibly not coincidentally, as a number of Reg readers have pointed out, car maker BMW ranges its powerful, luxurious vehicles along very similar lines, with 3, 5, 6 and 7 series autos. Intel's idea is to provide a number which better shows relative processor performance, taking into account other features, such as cache sizes, frontside bus speeds, architectural elements like HyperThreading, as well as clock speed. The 90nm Pentium M processor, 'Dothan', is expected to be the first chip to feature the new nomenclature. The Pentium M family has long offered comparable performance to its desktop siblings but at much lower clock frequencies. It's not clear from the Reuters report what its number will be. However, Japanese web site PC Watch suggests Dothan will also carry the '700' tag - the 2GHz version will be rated as a '755', for example, the 1.7GHz part as '735'. That suggests that desktop model numbers are not intended to be compared directly to their mobile equivalents. Or will Dothan indeed perform comparably to the cache-loaded P4EE?
®
Tony Smith, 22 Mar 2004

Nintendo UK launches £10m voucher promo

Nintendo is planning an Easter promotion which will see purchasers of a new GameCube or Game Boy Advance console during April getting a free £250 book of vouchers redeemable against a variety of Nintendo and third-party products. Included in the vouchers is a £20 discount against another Nintendo console, along with individual discount vouchers for key Nintendo software products and reduced price ticket offers for UK attractions like Alton Towers and Thorpe Park. The promotion, which runs from 2 April through to 25 April - covering the entire Easter holiday period - will be supported by a major advertising campaign throughout the month, covering national press, online and radio outlets as well as a wide range of new in-store POS material. "This £10m giveaway offers consumers incredible discounts redeemable against a variety of products and activities," explained Nintendo's UK head of marketing, Dawn Paine. "With hardware, software and reduced ticket offers for popular attractions like Alton Towers and Thorpe Park, Nintendo fans will have plenty to keep them occupied this Easter." Nintendo will be hoping that the promotion will help them to retain the momentum that the GameCube built up over the Christmas period, which has seen the console performing significantly better in the past couple of quarters than in the same period a year ago. However, there's legitimate concern over the future software line-up for the console, which is looking relatively sparse despite promised software support from the likes of Namco (Tales of Symphonia, Baten Kaitos) and Konami (Metal Gear Solid: Twin Snakes). It's expected that Nintendo will unveil a new range of first-party GameCube titles at E3 this year to address this concern. Copyright © 2004, GamesIndustry.biz
gamesindustry.biz, 22 Mar 2004

Eco-friendly mice and granite PCs

CeBIT: If you love the smell of timber in the morning, then Swedish company Swedx may have just the thing for you. The company unveiled its new range of wooden mice at CeBIT, where you can enjoy them in Hall 21 (stand 56) until Wednesday. Every mouse is lovingly crafted from one piece of wood - including the buttons - but somehow the company has managed to squeeze in all the essential electronics. Swedx offers both optical USB (the XM1-series) and optical wireless (the XMW1-series) mice. The company started manufacturing back in 1995, but it wasn't until 2000 that Swedx began hewing TFT-LCD monitor cases from solid wood. Later came keyboards and mice. All products are made of three types of wood: ash from the US, beech from Germany and sapele from Africa. The company says that people are tired of plastic and want "to return to the real thing". Punters seem to like the company's products because they're eco-friendly - at present Swedx is selling 3,000 of its wooden monitors every month, particularly in Spain and Luxembourg. However, Swedx is not the only outfit deploying the block plane and spokeshave. German company Holzkantor, which roughly translates as "Wooden office", also imports American wood to make PC housings. They even do a stone version - a mixture of natural minerals and acrylic. Extremely silly? Maybe not. If a stone TV is good enough for the Flintstones, then why not consider a reconstituted granite PC for that must-have Bedrock chic? ®
Jan Libbenga, 22 Mar 2004

Hynix, STMicro plot Chinese DRAM JV

Hynix and STMicroelectronics are negotiating the creation of a joint venture that will see the two memory makers build a DRAM plant in China, representatives of the South Korean manufacturer said this past Friday. Little is known about the plan, other than that it will churn out Flash memory in addition to DRAM. The two companies began working together last year. In April 2003, the duo announced they would co-operate on a single entry into the NAND Flash market. The Chinese plant has benefits for both companies. For a start, it provides access to the emerging domestic market and would potentially attract the 11 per cent rebate on the 17 per cent sales tax the Chinese government currently levies on semiconductor products. Imports do not qualify for the rebate. That rebate is currently being challenged by the US government, which has filed an official complaint with the World Trade Organisation (WTO). For Hynix in particular, the plant provides a way around the punitive import tariffs both the European Union and the US have imposed on its memory products. In the US, Hynix has its own memory plant that is not subject to the import duty, but the Chinese JV plant would at the very least provide an alternative market for Hynix products and at best allow the company to bypass the EU's duty. The South Korean government is also seeking the WTO's redress against the US and EU tariffs. ®
Tony Smith, 22 Mar 2004

Carphone Warehouse in free call offer

The Carphone Warehouse - the UK's biggest mobile phone retailer - is expected to offer free local calls to its fixed-line customers in a move that could lead to a major shake-up in the UK's telephony market. Details of the new US-style tariff are expected to be announced on Thursday, but it's understood that the cost of offering free local calls is to be offset by revenues generated by national, international and mobile calls. At this stage it's not known if there will be any strings attached to the free local calls offer. According to the Sunday Times, The Carphone Warehouse is also expected to announce that its TalkTalk fixed line service now has 400,000 punters and that the company is now aiming at bagging a million customers. No one at The Carphone Warehouse was available for comment at the time of writing. A spokesman for BT, which has around 20m fixed line punters and around 70 per cent market share, didn't seem too concerned about the threat. "The UK has a very competitive telecoms market - and lots of them choose BT. 65,000 people came back to BT last month," he said. Earlier this month The Carphone Warehouse announced that it is to bring its own brand of discount telephony services to consumers in Spain following the €11.5m (£7.68m) acquisition of alternative fixed-line telco Xtra Telecom. The residential service is to be modelled on The Carphone Warehouse's TalkTalk service in the UK and should be up and running in Spain within the next six months. ®
Tim Richardson, 22 Mar 2004

The farce of federal cybersecurity

Over the past several years, various Washington entities, from the General Accounting Office to assorted Congressional committees, have conducted surveys and issued reports on the state of the federal government's information security posture. In each case, with few exceptions, the findings range from the scathing to the downright embarrassing, and remain essentially unchanged since the mid-1990s.

Like any other issue involving government oversight, this process has become an annual Washington tradition: the reports are released; there's back-and-forth blather in Congress about how we need "to do more" to secure our federal networks; agency leaders and CIOs are called to testify on the Hill; some more blather, and perhaps a piece of legislation is introduced and dies before reaching the floor; and then the issue recedes into digital memory until next year's survey results are released - and the process begins anew, with little or nothing really changing.

It's no different than our annual visit to the dentist. We know he's going to admonish us to brush more and cut out the sweets, and we know that we're going to be embarrassed or uncomfortable as he tells us this to our face and makes notes in our patient file, but we endure it year after year, because it's something we have to do for good oral hygiene. Of course, we ignore his advice because it's inconvenient and, besides, candy is a tastier snack than celery.

This seems to be the approach taken by the majority of the federal government when dealing with the security of federal information systems. As you can see in the following articles going back to the late 1990s, there's much bad news and many prescriptions for improving things, but the patient refuses to cooperate... and the dentist is powerless (in this case, unwilling) to force him to change his ways:

Fed agencies' networks at risk (24 September 1998)
Network security weaknesses in the 24 largest U.S. government agencies, including the Internal Revenue Service and the Defense Department, put critical government operations and data at "great risk of fraud, misuse, and disruption," according to the investigative arm of Congress.

Study: Government Web sites weak on privacy, security (12 September 2000)
U.S. government Web sites and computer systems are failing to ensure adequate privacy and security, according to reports issued by the General Accounting Office. The reports strongly suggest that the federal government has not gone far enough to protect information submitted to the Web sites of its various agencies or in defending information systems from predators. The GAO's privacy study used the Federal Trade Commission's methodology for judging commercial sites as a yardstick for assessing the government's Web efforts. The FTC's fair information guidelines say that Web sites should post a privacy notice before collecting information from consumers, let consumers opt out of disclosing information, let consumers review information before submitting it, and provide adequate security to prevent unauthorized usage.

Report raps FAA for continued security lapses (27 September 2000)
Despite its efforts to remedy serious security problems outlined in a government study this summer, the Federal Aviation Administration is still failing to protect its critical computer systems, including those used for air traffic control, according to a new government report on computer security released today. The report by the General Accounting Office was released and discussed at a hearing before the House Science Committee to investigate continuing computer security lapses at the FAA and how these lapses could affect travelers, the committee said in a statement.

U.S. agencies flunking in tech security (9 November 2001)
Government agencies have some chronic problems with their computer security, according to testimony at a congressional hearing Friday. A subcommittee of the House Committee on Government Reform issued a set of grades - mostly failing - to government agencies regarding how well they are protected against hackers, terrorists and other miscreants. "There's no significant relationship between the percent of (an agency's) IT spending on security and the security performance of that agency," Mark Forman, associate director for information technology and e-government at the Office of Management and Budget, said at the hearing.

Study: Feds Have Not Identified Vulnerable IT Assets (2 April 2003)
More than four years after receiving a presidential directive to determine if their networks were vulnerable to terrorist attacks, at least four federal agencies have not completed the processes of identifying critical agency assets and assessing their vulnerabilities, according to a General Accounting Office report released Wednesday. The GAO report, ordered by the House Energy and Commerce Committee to measure the pace of the critical infrastructure protection efforts of the agencies under the committee's purview, examined the Department of Energy, the Department of Health and Human Services, the Department of Commerce and the Environmental Protection Agency. "The agencies still have not completed the fundamental step of identifying their critical infrastructure assets and the operational dependencies of these vital assets on other public and private assets," the report states. "Once these assets and dependencies are identified, further steps will be necessary, such as conducting or updating vulnerability assessments, managing identified vulnerabilities, and ensuring that these assets are appropriately considered in planning for the continuity of essential agency operations."

U.S. Gov't Computers Get Barely Passing Grade (11 December 2003)
Acknowledging that there is considerable work to be done, Adam H. Putnam (R-Fl), chairman of the U.S. House of Representatives Subcommittee on Technology, Information Policy, Intergovernmental Relations and the Census, reported that the federal government's computer security has improved from a failing grade in 2002 to a passing grade in 2003. "The Federal Government should be the standard bearer when it comes to information security. Unfortunately, today's report card indicates anything but that. The Federal Government — overall — scored a D. While that's an improvement over last year's F, it's nothing to be proud of and much more must be done to secure our government computer networks," said Putnam.

House Panel Slams Federal IT Security (17 March 2004)
Federal agencies aren't doing enough to secure their network systems, even as documented cyber-attacks against the U.S. government continue to dramatically rise, U.S. Rep. Adam Putnam (R-FL) said Thursday. Putnam pointed to the federal agencies' overall security grade of "D" issued in December and a General Accounting Office (GAO) study released Thursday reporting 1.4 million cyber-security attacks launched against government agencies and departments in 2003. The report said there were 489,890 attacks in 2002.

In some cases, these reports show marked improvements in specific offices or sub-agencies of the federal government, and those success stories should be made known both to the American people (as a sign that there are clueful security people making a difference in their agencies) and throughout the federal government as a helpful roadmap to improve security practices elsewhere. Unfortunately, these few truly noteworthy success stories are seldom reported by the mainstream press because good news doesn't pull in the ratings the way gloom, doom, and old-fashioned Washington finger-pointing does.

Like the much-vaunted but ineffective "certification and accreditation" process required for government and military systems, these annual assessments are an exercise in bureaucratic idleness designed to "address" but not "resolve" security problems in any meaningful fashion. After several years, the logic seems to be "why fix the problem when talking about it keeps us (and our contractors) employed?" As a result, and contrary to popular belief and rhetoric, security for federal systems has been reduced to a check-box on our government's annual to-do list - as long as federal enterprise leaders can prove that work is being done on the matter, that's perfectly acceptable, it seems, because in federal security circles, "activity" (e.g., certification and accreditation) has been confused with "progress" (e.g., actually fixing things) and "job security" has been confused with "effective security". Agency leaders confirming this with Congress each year generally can avoid anything stronger than a verbal reprimand about their job performance, no matter how dismal security really is back home. This solution is favored by politicians and agency heads who can avoid responsibility for fixing today's problems simply by deferring them into the future. In other words, the favored remedy for federal security problems is more talk, long-term research, meaningless reports, industry courting, and less real action in the here-and-now - all with the unspoken goal of maintaining the status quo and avoiding any responsibility whatsoever for today's many problems. The 2002 White House National Cybersecurity Strategy comes to mind as an example of this politically-safe and traditional approach to America's cybersecurity needs, however flawed it may be.
Indeed, billions of dollars are allocated for new commissions, long-term research on the "next" type of threats to our networks, continued "certification and accreditation" activities, and pondering the next generation of security technologies (e.g., "activity") but there's little if anything spent on resolving the many problems that plague federal networks on a daily, if not hourly, basis (e.g., "progress") to improve security today. To make matters worse, Congress seems more interested in having sensational authors and profit-seeking industry executives testifying on the matter - and espousing their special interests - than in a serious dialogue with well-known technologists who can provide rational thoughts on how to improve security effectively, drawn from their ongoing real-world operational involvement with the IT security community and firsthand understanding of the threats, vulnerabilities, and risks of the digital age. This contributes to a general level of ignorance and hypocrisy in Congress and the federal government when making and enforcing federal (or national) cybersecurity policy. Or, as my network security friend ruefully notes about the wisdom of Congressional oversight in this area: "You have a basically clueless congressman whose own governmental body is one of the absolute worst offenders, infosec-wise, who has the gall to give us an F in security. I don't think [Congressman] Adam Putnam (R-FL and chairman of a House subcommittee conducting federal cybersecurity oversight) would know a secure system if it bit him in his rear....of course, he and his cronies have conveniently made Congress exempt from the examinations they so righteously pound the rest of us with every year." (Ironically, this is the same fellow who last year proposed that the government mandate computer security standards for the private sector.)
In the government's defense, however, such regular assessments are a useful tool to grade the management effectiveness of a federal CIO in exercising a significant part of their job description, but only if their findings are acted upon in a meaningful, lasting way. Specifically, and most importantly, this means holding senior agency leaders responsible for their agency's information security posture - or lack thereof. If the security of federal systems is as important an issue as we're led to believe, there is no reason (other than political) why an agency technology executive or CIO should still be employed if there is not a marked improvement in his agency's information security over a prolonged period of time. Simply giving such leaders (or their supervisors, usually the agency head) an annual reprimand is a joke - absent any meaningful punitive sanction for failing to secure their networks adequately, there's no incentive for these executive-level folks to do anything more than continue confusing "activity" with "progress" and "job security" with "effective security" - thus perpetuating indefinitely this federally-funded, frustrating, and dangerous cycle of inaction and ineffective security. In most cases, keeping such people employed is a clear demonstration that mediocrity is the accepted standard for federal computer security practices. We continue to forget that no amount of gee-whiz GSA-certified technology or turnkey professional security certification programs will replace demonstrated career-based competence and common sense in those charged with overseeing the security of our most critical national or corporate networks - and that deferring today's unresolved problems into the future, while convenient, is an unacceptable course of action. Perhaps, before spending more to fix recurring technology problems, we should try fixing the people responsible for repeatedly tolerating such problems in the first place.
Technical engineers and systems administrators can be fired for poor job performance - it's about time that enterprise IT leaders were held to the same standards of job performance as well. Granted, popular enterprise technology is nowhere near as secure as it should be, but today's federal cybersecurity woes result more from flawed technology management practices than from flawed technology. To that end, we need to foster and reward innovative, effective management processes in the federal computer security arena and terminate the current technology management and oversight philosophy that tolerates and rewards idleness and mediocrity while doing little to actually eliminate them. The standards for acceptable cybersecurity are known: it's time to start holding the people in charge accountable to them. Richard Forno is a Washington, DC-based security consultant and author. During the 1990s, he worked in information security at the US House of Representatives when Congress first became 'wired' and started examining technology security issues. His home in cyberspace is at http://www.infowarrior.org.
Richard Forno, 22 Mar 2004

MS co-founder funds hunt for ET

Microsoft co-founder Paul Allen has donated $13.5m to the SETI Institute to fund construction of a scalable, multi-use radio telescope array. Allen said he was excited to be involved in seeking basic answers to fundamental questions about the universe and "what other civilizations may exist elsewhere". The first phase of the Allen Telescope Array (ATA) will consist of 32 dishes, each 6.1m across, and will have the most antennae of any observation platform in the cm wavelength range. Scientists will be able to start making observations as soon as this phase - the ATA-32 - is complete. According to an announcement on the SETI home page, the ATA-32 will look toward the galactic anti-center to detect primordial deuterium, study dark matter in nearby dwarf galaxies, generate maps of molecular clouds, and conduct a SETI survey of the inner galaxy. Dr. Jill Tarter, director of the center for SETI research at the Institute, said that being able to make observations around the clock was a "dream come true for any astronomer". She added that it would be especially exciting for the astronomers at the SETI Institute, as they have been "constrained by limited time on other large centimeter wavelength telescopes". The second phase will add a further 174 dishes, and when the array is completed later in the decade, it will have 350 dishes scanning the skies. ®
Lucy Sherriff, 22 Mar 2004

Recordstore offers MP3 and WMA tracks

Recordstore.co.uk, the online music and merchandise retailer, will this month give artists the opportunity to sell their own music downloads, Apple iTunes Music Store-style. Recordstore has an online retail outlet and also acts as a UK ecommerce fulfilment arm for Sony, Warner and Universal, and sundry artists. So when, say, a punter orders a copy of the latest record from Robbie Williams' web site, the sale is made and fulfilled by Recordstore. Its new download service is, for now, targeted at artists and labels with which it already has a business relationship. Recordstore customers get to flog a la carte tracks in DRM-free MP3, DRM-enabled Windows Media 9 format or both. Downloaded tracks count toward the Official Charts Company's download chart, which will be merged into the OCC's singles chart later this year. Recordstore has signed DX3 (aka Digital Domain Distribution) to store and deliver the songs. DX3 was one of the first European companies to offer digital downloads, signing EMI in November 2000. The better-known European digital music distributor, OD2 (aka On Demand Distribution), signed up EMI around the same time. Last November Entertainment UK, the Woolworths Group subsidiary, selected DX3 as its digital distribution partner. DX3 supplies Woolies' Streets Online e-tail operation with digital downloads at 99p a pop. The site offers tracks from EMI and indie companies Beggars Banquet and XL Recordings. Six months on, it is still touted as a 'beta' site. Recordstore said its partnership with DX3 was not exclusive and noted that it would add other distribution companies to its list in due course. ® Related stories Sony music download service to launch in June Apple notches up 50m music downloads Jobs: Apple will not meet 100m song download goal Wippit preps 'EasyJet-style' music download scheme Wippit adds 10,000 BMG tracks to catalogue Virgin to open music download service EMI picks partners for Euro digital music trial
Tony Smith, 22 Mar 2004

IBM ships ‘mandatory’ ThinkPad HDD patch

IBM has issued a "mandatory" software update for ThinkPad notebooks equipped with Hitachi-manufactured hard drives. According to the company's support web site, the firmware update fixes what it describes as "early reliability issues in some drives". The patch is pitched at ThinkPad R50, R50p, T41 and T41p models with Hitachi Travelstar 7200rpm 60GB hard drives. IBM says that the patch should be applied to these machines irrespective of where in the world they were purchased. The drives in question have model number HTS726060M9AT00 with ASM part number 92P6550 and FRU part number 92P6551. The Read Me file also mentions drive model number HTS5480xxM9AT00. Windows' Device Manager should reveal the appropriate make and model number of the hard drive. ® Related Stories Review: ThinkPad T41p Hitachi ships 400GB whopper Hitachi creates dedicated notebook 7200rpm HDD
Tony Smith, 22 Mar 2004

AOL attacks spamvertisers

AOL is blocking sites advertised in spam messages. The policy, which began earlier this year, is designed to remove the rationale for sending spam messages by making it impossible for AOL members to access spamvertised sites. "Essentially, we have vastly improved AOL's ability to restrict identified spammers' sites from being accessed by our members online," company spokesman Nicholas J. Graham told The Washington Post. Many in the anti-spam debate have advocated going after sites advertised by spam as well as the people who send it out, but the approach is not without its problems. AOL says it chooses which sites to block based on complaints from its members. But what if spammers mention sites they don't like (e.g. Spamhaus) in their email, simply to get them blocked? Some lawyers dislike AOL's paternalistic approach but Graham countered that the policy had helped reduce the amount of junk mail sent to AOL members. On 20 February junk mailers attempted to send 2.6 billion spam messages to AOL members. That figure had dropped dramatically to 1.9 billion on 17 March even though overall spam levels have remained around the 60 per cent mark. ® Related Stories Big US ISPs set legal attack dogs on big, bad spammers AOL and Earthlink chase spammers through the courts We're just innocent techies, say accused spammers
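The poisoning problem raised above (a spammer naming a site it dislikes so that complaint-driven blocking takes that site down) is easy to reproduce. The Python below is an added example, not AOL's system or anything described in the article: it contrasts a naive "block every site mentioned in a complained-about message" policy with one that applies a complaint threshold and an allowlist, and routes allowlisted domains to human review instead of blocking them. The complaint messages, the domains and the allowlist contents are all constructed for the example.

```python
import re
from collections import Counter

# Hypothetical allowlist: domains that must never be blocked on the strength of
# spam content alone. A real list would hold anti-spam bodies, large hosting
# providers, banks, and so on. Constructed for this example.
NEVER_BLOCK = {"spamhaus.org", "example.com"}

# Minimum number of member complaints before a domain is even considered.
COMPLAINT_THRESHOLD = 3

_URL_RE = re.compile(r"https?://([A-Za-z0-9.-]+)", re.IGNORECASE)


def domains_in(message):
    """Hostnames of every http(s) URL in a message, lower-cased."""
    return {host.lower().rstrip(".") for host in _URL_RE.findall(message)}


def is_allowlisted(host):
    """True if host is an allowlisted domain or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in NEVER_BLOCK)


def naive_blocklist(complaints):
    """The policy the article worries about: every site mentioned in any
    message a member complained about ends up blocked, Spamhaus included."""
    blocked = set()
    for message in complaints:
        blocked |= domains_in(message)
    return sorted(blocked)


def reviewed_blocklist(complaints, threshold=COMPLAINT_THRESHOLD):
    """Sort mentioned domains into three buckets: blocked outright, held for a
    human to review (allowlisted but heavily complained about), or ignored
    because too few members complained."""
    counts = Counter()
    for message in complaints:
        for host in domains_in(message):
            counts[host] += 1
    result = {"blocked": [], "review": [], "ignored": []}
    for host, n in sorted(counts.items()):
        if n < threshold:
            result["ignored"].append(host)
        elif is_allowlisted(host):
            result["review"].append(host)
        else:
            result["blocked"].append(host)
    return result


# Constructed complaint messages (fictitious domains, not real spam). The
# last three mention Spamhaus purely to get it blocked.
SAMPLE_COMPLAINTS = [
    "Cheap meds!! Order now at http://cheap-pills.example/buy",
    "Cheap meds!! Order now at http://cheap-pills.example/buy?ref=2",
    "Cheap meds!! http://cheap-pills.example/ - to report us visit http://www.spamhaus.org/",
    "Cheap meds!! http://cheap-pills.example/ - to report us visit http://www.spamhaus.org/",
    "Cheap meds!! http://cheap-pills.example/ - to report us visit http://www.spamhaus.org/",
    "Your colleague shared http://intranet.example.com/minutes",
]

if __name__ == "__main__":
    print("naive:   ", naive_blocklist(SAMPLE_COMPLAINTS))
    print("reviewed:", reviewed_blocklist(SAMPLE_COMPLAINTS))
```

The threshold on its own does nothing against this attack, because the spammer controls both the message text and the volume sent; it is the allowlist and the review queue that keep a maligned site reachable. A production version would also need to handle shared hosts and URL shorteners, where blocking one hostname takes down unrelated sites.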
John Leyden, 22 Mar 2004

Axe falls on Ebookers jobs

Ebookers - the online travel outfit - is to cut jobs as part of a "significant" restructuring programme to cut overheads. Staff are being told of the plans today, although the full extent of the job cuts will not be made public until May when the company reports its next round of financials. As part of the restructuring, Ebookers is to standardise its website and systems technologies and dispose of nine retail outlets. It also plans to remove "duplicate functions and delayer management following our reorganised business structure" and to cut staff as the operation strives to make its business more efficient. In a statement Ebookers said: "We are announcing a reorganisation and cost restructuring of the company following the installation of new technologies and successful internet conversion of offline acquisitions to the internet. This includes some reduction in headcount." News of the "significant cost reduction programme" coincided with the publication of financial results for 2003. Although turnover was up 109 per cent to £67m from £32m in 2002 the company also increased pre-tax losses from £12.3m to £14.9m. Chairman Dinesh Dhamija remained upbeat insisting that 2003 ended strongly despite being a tough year hit by the Iraq war, the SARS epidemic and a very hot European summer persuading would-be long-haul travellers to stay at home. Said Mr Dhamija: "The success of our internet strategy means that we can announce today a significant cost reduction programme that will further improve the efficiency of the company. We look forward to continued strong growth for the year." In a separate announcement Ebookers announced plans to raise $200m (£108m) in the US to fund further expansion of the company. ® Related Stories Ebookers chief defends offshoring ebookers looks to India for cost savings
Tim Richardson, 22 Mar 2004

TW, MS deny AOL buyout dialogue

Both AOL and Microsoft have denied reports that the pair are engaged in buyout talks. The New York Post on Friday said that Time Warner has held talks with Microsoft concerning the sale of its Internet division, AOL, to the giant software outfit. However, an AOL spokesperson has been quoted as saying that the story is "entirely inaccurate". Last week the same paper reported that Time Warner's banker, Goldman Sachs, is working on a series of proposals concerning the future of AOL. Options include flogging the business, floating it, or engaging in a "significant restructuring". The proposals are due to be discussed by senior execs next month at a board meeting. Speculation about the future of AOL follows news that the number of AOL punters in the US fell by 2.2m last year. ® Related Stories AOL future uncertain - report AOL warns of falling revs as punters flee service
Tim Richardson, 22 Mar 2004

UK.biz leaves door open to hackers

One in three UK corporates has suffered hacking attempts on their websites over the last year. A survey out today reveals that hackers are becoming more successful at punching holes through flimsy corporate defences. Four per cent of the 1,000 companies surveyed said their systems had been penetrated in the last 12 months, the Department of Trade and Industry's 2004 Information Security Breaches Survey reveals. This is four times the figure recorded in the previous survey, two years ago (in other words, 40, as opposed to 10 victims). Three quarters of businesses which reported system penetration in the 2004 study rated it as their worst security incident of the year (worse than, for example, virus infections), with more than a third describing the impact as 'very serious'. The time spent on investigating attacks and carrying out remediation work was much more costly than any service disruption caused by Internet attack. Despite increasing network security incidents, businesses are largely satisfied with the effectiveness of their defences: 72 per cent express confidence in their ability to detect or prevent security breaches. But this may be misplaced - many organisations do not test their network security. The telephone survey of some 1,000 companies found that firewalls were the main line of defence against hackers for most companies. Three quarters of corporates used firewalls, but for half the companies surveyed this was their only defence against crackers. Larger companies were more likely to use intrusion detection (electronic burglar alarm) software as a supplementary security measure. Around half of all businesses have their websites hosted externally, relying solely on their ISP for security. Many companies had no idea what defences their ISPs had against attack.
Andrew Beard, services director for PricewaterhouseCoopers, which conducted the survey for the DTI, said the findings point to a "real concern that businesses without the right monitoring and intrusion prevention processes in place may have a false level of comfort. Scanning and hacking activity may not be detected until it is too late to react." These are among preliminary findings from the 2004 Department of Trade and Industry's Information Security Breaches Survey, conducted by a consortium led by PricewaterhouseCoopers. The full results of the survey will be launched at InfoSecurity Europe in London, 27-29 April. ® Related stories E-crime costs UK business billions Blaster beats up British business UK firms flop in the data back-up department UK plc reamed online UK plc leaves door open to hackers - report External Links DTI Information Security Breaches Survey home page
John Leyden, 22 Mar 2004

Mean Fiddler flogs music downloads

The Mean Fiddler, Britain's biggest live music organiser, is hopping onto the digital music download bandwagon. It will launch a UK-oriented service next month, ahead of roll-outs in the rest of Europe, the US and Asia. The company has formed a subsidiary, Mean Fiddler Media (MFM), to run the service, which will provide one-off downloads and mobile phone ringtones. Interestingly, it says it is close to signing a deal with Sony, whose own download service, Connect, is due to launch in the UK. Some would-be digital music market players claim that Sony is proving resistant to moves to license its music catalogue ahead of Connect's debut. MFM has already licensed tracks from Bertelsmann Music Group (BMG), Warner and Virgin's V2 label. It expects to have licensing agreements with EMI, Sony and Universal in place by launch time. Mean Fiddler is best known as a London live music venue, but the company also owns a range of locations across the city, including the Borderline, the Jazz Café and the Astoria. And it is a big organiser of music festivals, including Reading. ® Related stories Major labels' CD e-tail partner preps download service Sony music download service to launch in June Apple notches up 50m music downloads Wippit preps 'EasyJet-style' music download scheme Virgin to open music download service
Tony Smith, 22 Mar 2004

Poweroid 1204 silent PC

Review Usually the beige box that houses all your PC components is the least remarkable part of a system, but not so with the Poweroid 1204. This is the first PC to hit the shores of the UK based on the Zalman TNN 500A. So why is this case so special? Well, for starters it's not beige, but much more importantly, it is completely noiseless, writes Lars-Göran Nilsson. The silent operation has been achieved using some unique construction methods, as even the sides of the case act as large heatsinks. Internally the design is also very different, and Zalman has fitted a custom-made fan-less power supply. But the most impressive aspect of the TNN 500A is the heatpipe configuration used to cool the processor and graphics card. Heatpipes have been used in laptops for a good few years now and are designed to dissipate heat by transferring it away from the areas generating it. As far as the TNN 500A is concerned, the heat is transported from the CPU and graphics card to the sides of the case, which, due to their construction, act as a massive heatsink and dissipate the heat out into the surrounding room. You might wonder why this hasn't been done before and the easy explanation is that it's a very expensive and complicated solution. The TNN 500A on its own is expected to cost over £815 inc VAT, which is very expensive for a PC case. But for those that want a near inaudible PC this is the way forward and one of the only options available. The noisiest components fitted are the two optical drives and the hard disk. Even though Poweroid has used one of the new Western Digital hard drives with fluid dynamic bearings to reduce noise further, you can still hear it, but only faintly. Poweroid hasn't stopped there though, as the hard drive is mounted in a special cradle that prevents any operational vibrations from spoiling the silence.
The TNN 500A is no looker; in fact it's more reminiscent of a small pedestal server than your average PC case, especially as you can move it around the room on its four wheels. These can be retracted in favour of four massive rubber stands that are designed to stop any vibration noise passing from the PC onto the surface it's standing on. There are even two large carry handles on the top if you want to pick the whole unit up. It is a shame that Zalman hasn't managed to add some kind of cover panel around the drive bays as it looks quite messy when you open the front door. Behind the door you'll find two USB 2.0 ports as well as power and reset buttons. There's even a third button that allows you to switch on a set of blue LEDs that light up the inside of the TNN 500A. Unfortunately, the LEDs are not bright enough to illuminate the whole of the case internals and it seems like a curious addition that adds to the cost of an already expensive solution. The 1204 looks quite messy inside, too, but with the design limitations and the long heatpipes, it would be very hard to make it tidy internally. But tidy internals are less of an issue with this case, since there is no airflow that can be obstructed and thus reduce system cooling. As the TNN 500A has a door at the front and back, all cables are routed through special openings below and above these. There are four in the bottom and four in the top at both the front and the back so you'll have plenty of access for all sorts of cabling. The TNN 500A is the type of case you build once and then leave alone, as it takes quite a lot of effort to open it and change any of the components inside. One of the sides can be opened by removing six Allen bolts, but access is still fairly limited compared with modern ATX cases. During our weeklong test the system never seemed to get especially hot, apart from the hard drive, but this is common with today's high-end drives and shouldn't be of any concern.
Due to the way the TNN 500A has been designed to act as a giant heatsink the outside does get warm, but never hot to the touch. However, it's worth noting that good ventilation is needed around this case to get the heat away from it, so you don't want it pushed into a corner. Poweroid has done a good job configuring the 1204 and for your money you get an Asus P4C800 Deluxe motherboard, a 3.2GHz Pentium 4 processor and 1GB of PC3200 memory. This is a very good base specification, but due to limitations in the current implementation of the TNN 500A you're limited in your choice of graphics card. Because of this Poweroid has fitted a Gainward Geforce FX5700 Ultra Golden Sample graphics card, which is fine for all but the hardcore gamers out there. The Gainward card offers D-SUB and DVI outputs as well as S-Video out. A massive 250GB Western Digital hard drive with the aforementioned fluid dynamic bearings is the main storage drive, with an LG 4081B super multi DVD writer as the main back-up device and a 16x Sony DVD-ROM drive to boot. A Creative SoundBlaster Audigy ZS 7.1 soundcard with Firewire and a 56Kbps modem has also been fitted. But Poweroid doesn't supply any speakers, keyboard, mouse or monitor at the price listed above. The 1204 is a very fast machine due to the components used. I can't pinpoint the target market that Poweroid is aiming this specific configuration at, but as this is a demo system that is meant to show off the TNN 500A more than the components I won't dwell on this too much. This is a product that is very hard to sum up, as it is horrendously expensive, even taking the high specifications into account. But for those that need a computer that makes almost no noise this is an ideal solution. In environments like sound recording studios, a machine like this one would be highly desirable. The TNN 500A is the first of its kind and a revolution in quiet computing, but how successful it will be only time can tell.
Hopefully Zalman will develop a version of the TNN 500A that is more accessible and affordable to the mass market, as it's a great concept, and everyone would love to have a truly quiet PC. With regards to the Poweroid 1204 there is little to fault in this system as it has been designed to show off the TNN 500A, but at £1879 inc VAT it's a little outside most people's budget. Poweroid provides custom made solutions based on the TNN 500A, so if you want a truly silent PC, you can have one built to your own specifications. Verdict The Zalman TNN 500A is a huge leap towards the noiseless PC and Poweroid can build you any system you want inside one of these boxes. With the complete removal of cooling fans it is truly a ground-breaking product. Let's hope that Zalman can somehow get the price down. Poweroid 1204 Rating 80% Price £1879 More info The Poweroid web site Visit The Reg's Review Channel for more hardware coverage Copyright © 2004, Trusted Reviews
Trusted Reviews, 22 Mar 2004

Macclesfield centre of universe: official

UK boffins are planning to join forces with artists to create a scale "model" of our solar system. The one to 15 million representation of the planets - called Spaced Out (website under construction) - will place Earth in Macclesfield, Saturn in Lancaster and Halley's Comet in London. Poor old Pluto is destined for Fort William in Scotland, while Uranus will be enjoying the Georgian architecture and hot springs of Bath. Mercifully for Cheshire's Jodrell Bank Observatory, the heavenly bodies will not themselves be reproduced to scale, but rather as artistic interpretations. Jodrell Bank is to host the Sun, and it's unlikely that our own star would - even at one to 15m - fit comfortably in the carpark. Our own calculations suggest a diameter of 100 metres, which is an awful lot of papier mâché and orange paint. Chief project boffin Dr Nigel Marshall said: "It [The project] will unite art, science and technology. The models will be sculptures or artistic representations. For example, we're not expecting the model of the Sun to be a yellow sphere with dots on it - it's going to be rather more interpretation. "Someone has even suggested that Mars could be an old red sea mine - Mars was the god of war, the mine would be the same colour as the planet and the surface would be rusty iron, just like the surface of Mars." Spaced Out is due to launch during Science Week 2005 and in the meantime the organisers are looking for funding and educational partners. ® Bootnote Yes, we know that the Earth revolves around the Sun, but who can deny Macclesfield its one shining moment of glory? And regarding the diameter of the Sun - that's the best we could do in two with an abacus and the back of a fag packet. Please forward outraged corrections to the relevant authority: in this case Lucy "I went to College" Sherriff. Thank you.
Lester Haines, 22 Mar 2004

UK web hosts spurn illegal content

Just one per cent of illegal online content reported to the Internet Watch Foundation (IWF) is hosted within the UK. In contrast, more than half (55 per cent) of child abuse content is hosted in the US while 23 per cent of illegal content is traced to Russia. The industry-funded organisation claims that its approach to stemming the availability of illegal content on the Net has helped minimise the availability of child abuse images online. In its 2003 Annual Report the IWF said that less than 1 per cent of potentially illegal content was hosted by UK ISPs, down from 18 per cent back in 1997. The amount of child abuse content traced to Europe is down from 19 per cent to 6 per cent, said the IWF. Convinced that the UK's approach to tackling illegal content online is one that works, the IWF has said it would "welcome further international cooperation and consensus on replicating the UK model overseas". Part of this is down to UK ISPs that remove potentially illegal content as soon as they are told of the problem by the industry watchdog. This industry-wide cooperation is also backed by the IWF's ability to transfer intelligence and information to law enforcement officials so that they can investigate illegal content. Despite the improvement in the UK's position, the IWF still reported that the number of reports it receives concerning potentially illegal content was up 9 per cent to 20,000 last year. By 2005 it predicts that it could be handling some 27,000 reports of illegal content. Said e-minister Stephen Timms: "The IWF has contributed to a dramatic reduction in potentially illegal content in Britain since its inception in 1996. We continue to support its work across international borders by urging other countries to follow this very successful model." ® Related Stories Clerk stashes 20m porn pics Net fuelled killer's necrophiliac lust
Tim Richardson, 22 Mar 2004

NEC demos Big Brother biometric phonebooth

CeBIT: NEC's biometric team has developed a facial recognition algorithm they claim can match a captured image against a database with better accuracy than ever before. It uses "geodesic illumination basis" or GIB descriptors as registered data. These are calculated from a 3D facial scan and negate factors - such as lighting and pose - that hinder traditional 2D-with-2D comparisons. It does require that the person has been specially photographed in their 3D photobooth. The technology is still in the prototype stage of development, but NEC's initial test figures suggest the algorithm is 96.5 per cent accurate. Not good enough to stand alone for positive identifications, perhaps, but good enough to provide a shortlist of candidates for a person to check. "Really, we're adding to the testing now," commented Alwin Gruenwald, a spokesman for the company, referring to the visitors to his CeBIT stand who had volunteered to be scanned by the booth. The way it works is actually very neat: you sit in the booth and the machine takes four pictures of you, scrolling shadow lines up and down your face. These contour lines give the machine data about the 3D structure of your face, which it uses to build a mesh model of you. It then wraps your skin back around the mesh, and hey presto, a 3D model of your face which can be viewed from any angle. Because it is a three dimensional image, it has more points of reference to compare possible matches than a two dimensional one, so should be more accurate. NEC says that the system can handle weight gain and loss, but aging is still a problem. For the system to keep working at the quoted accuracy rate, people would need to get new facial scans every five to six years. ®
Lucy Sherriff, 22 Mar 2004

Scripting flaws threaten Norton software

Symantec has released a fix for a pair of potentially troublesome flaws that create a mechanism to turn its Norton security software packages against their owners. The vulnerabilities have not yet been coded into script-kiddie-friendly packages and Symantec is not aware of any malicious exploitation. But there's no reason for complacency about the "high risk" flaws. The flaws include a buffer overrun vulnerability in Norton AntiSpam 2004 and a remote command execution vulnerability in Symantec's flagship Norton Internet Security 2004 security suite (Professional and regular). Both vulnerabilities involve ActiveX components which have been marked as safe for scripting. Security tools firm NGSSoftware, which discovered the flaws, warns: "As the objects have been marked as safe for scripting, they will bypass most of the security settings for Internet Explorer and Outlook/Outlook Express, and will therefore be run automatically." By tricking users of the affected products into visiting a maliciously-constructed website (perhaps via a spam email) a hacker could execute arbitrary code on a user's PC by calling one of the two flawed objects. Patches for both Symantec Norton Internet Security and Symantec Norton AntiSpam 2004 are available via Symantec LiveUpdate, the vendor's automatic updating facility. Norton AntiSpam 2004 is sold separately and as part of Norton Internet Security. Symantec's advisory can be found here. ® Related stories: Flaw means virus could disable Norton Anti-Virus; Symantec undeletes mail deletion bug; Buggy software on the rise (Norton AntiSpam glitch)
John Leyden, 22 Mar 2004
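
The "safe for scripting" marking that NGSSoftware refers to above is a COM component category recorded in the registry under each control's CLSID. An administrator auditing which installed controls carry that marking can export HKCR\CLSID with `reg export` and scan the result. The script below is an added example, not code from Symantec, NGSSoftware or The Register: it parses a constructed registry export (the CLSIDs, names and DLL paths in the sample are made up) and lists every control that declares the well-known Safe-for-Scripting or Safe-for-Initializing category IDs.

```python
import re
from collections import defaultdict

# Well-known COM component category IDs (CATIDs). A control that lists one of
# these under its "Implemented Categories" subkey tells Internet Explorer that
# it may be driven from script / initialised with page-supplied data.
CATID_SAFE_FOR_SCRIPTING = "{7DD95801-9882-11CF-9FA9-00AA006C42C4}"
CATID_SAFE_FOR_INITIALIZING = "{7DD95802-9882-11CF-9FA9-00AA006C42C4}"

# Matches "[HKEY_CLASSES_ROOT\CLSID\{guid}]" and "[...\{guid}\subkey\path]".
KEY_RE = re.compile(
    r"^\[HKEY_CLASSES_ROOT\\CLSID\\(\{[0-9A-Fa-f-]{36}\})(?:\\(.*))?\]$"
)

# Constructed sample of a `reg export HKCR\CLSID` file (fake CLSIDs and paths).
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{00000000-0000-0000-0000-00000000AAAA}]
@="Example Scriptable Control"

[HKEY_CLASSES_ROOT\CLSID\{00000000-0000-0000-0000-00000000AAAA}\Implemented Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4}]

[HKEY_CLASSES_ROOT\CLSID\{00000000-0000-0000-0000-00000000AAAA}\Implemented Categories\{7DD95802-9882-11CF-9FA9-00AA006C42C4}]

[HKEY_CLASSES_ROOT\CLSID\{00000000-0000-0000-0000-00000000AAAA}\InprocServer32]
@="C:\\Program Files\\Example\\example.dll"

[HKEY_CLASSES_ROOT\CLSID\{00000000-0000-0000-0000-00000000BBBB}]
@="Example Plain COM Server"

[HKEY_CLASSES_ROOT\CLSID\{00000000-0000-0000-0000-00000000BBBB}\InprocServer32]
@="C:\\Windows\\System32\\plain.dll"
"""


def parse_reg_export(text):
    """Parse a registry export into {clsid: {name, server, categories}}."""
    controls = defaultdict(lambda: {"name": "", "server": "", "categories": set()})
    current = None  # (clsid, subkey) whose default value we may read next
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            clsid, subkey = m.group(1).upper(), (m.group(2) or "")
            current = (clsid, subkey)
            entry = controls[clsid]
            parts = subkey.split("\\")
            if len(parts) == 2 and parts[0].lower() == "implemented categories":
                entry["categories"].add(parts[1].upper())
            continue
        if current is None or not line.startswith("@="):
            continue
        clsid, subkey = current
        # Default value: strip quotes and undo .reg backslash escaping.
        value = line[2:].strip('"').replace("\\\\", "\\")
        if subkey == "":
            controls[clsid]["name"] = value
        elif subkey.lower() == "inprocserver32":
            controls[clsid]["server"] = value
    return dict(controls)


def scriptable_controls(text):
    """Return (clsid, name, server, flags) for each control that claims to be
    safe for scripting and/or safe for initialising."""
    findings = []
    for clsid, entry in sorted(parse_reg_export(text).items()):
        flags = []
        if CATID_SAFE_FOR_SCRIPTING in entry["categories"]:
            flags.append("SafeForScripting")
        if CATID_SAFE_FOR_INITIALIZING in entry["categories"]:
            flags.append("SafeForInitializing")
        if flags:
            findings.append((clsid, entry["name"], entry["server"], flags))
    return findings


if __name__ == "__main__":
    import sys
    # `reg export` writes UTF-16 with a BOM; the embedded sample is plain text.
    text = open(sys.argv[1], encoding="utf-16").read() if len(sys.argv) > 1 else SAMPLE_EXPORT
    for clsid, name, server, flags in scriptable_controls(text):
        print(f"{clsid}  {name or '?'}  {server or '?'}  {','.join(flags)}")
```

The output is an inventory, not a verdict: a control marked safe for scripting is only a problem if its methods can be abused, which is what the NGSSoftware findings established for the two Norton objects. The list is still the right starting point for deciding which controls a browser should be allowed to instantiate.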

Close encounters of the viral kind

Viral outbreaks became more frequent and expensive last year, according to a study by security testing outfit ICSA Labs released today. Almost one in three (30 per cent) of 300 organisations surveyed by ICSA Labs reported a serious virus outbreak last year, compared to 15 per cent in 2002. ICSA Labs defines a serious virus outbreak (or "virus disaster" as it calls it) as one where 25 or more PCs/servers become infected at the same time by the same virus. Disaster recovery costs increased by 23 per cent in 2003 to reach approximately £55,000 ($100,000) per organisation per virus disaster, according to ICSA Labs' 9th annual Virus Prevalence Survey. The survey recorded more than 2.7 million virus encounters among the sample group of 300 last year. The group (collectively responsible for managing almost one million desktops, servers and perimeter gateways) experienced a rate of 108 virus infections per 1,000 machines per month during the year, up from 105 infections in 2002 and just 10 infections in 1996. August 2003 - thanks to Blaster, Nachi and Mimail variants - was the worst month for these calamities, accounting for 42 per cent of the major outbreaks reported. January 2003 - when Slammer and the first SoBig hit PCs worldwide - was another bad month. New virus types, file sharing and new replication vectors are blamed for rising infection rates. And matters show little sign of improving thus far this year. "The re-emergence of 'outbreak events' and the success of mass mailers in early 2004 illustrates that organizations are not making enough progress in their defence against malicious code," said Larry Bridwell, content security programs manager at ICSA Labs and author of the survey. "Organizations must take a more proactive stance in securing their networks and educating their employees, vendors must make more secure software, and anti-virus vendors must make more effective heuristic applications if 2004 is to be different." 
® Related stories: UK.biz leaves door open to hackers; Blaster beats up British business; Malicious code threats celebrate bumper 2003
John Leyden, 22 Mar 2004

Cisco buys anti-DDoS firm

Cisco is beefing up its denial of service defences through the $39m cash purchase of Riverhead Networks. Distributed Denial of Service (DDoS) attacks are designed to cripple websites by flooding their servers with maliciously-created, useless traffic. Cisco is buying Riverhead to act as the belt to its braces, filling in the gaps missed by Cisco Security Agent, its host-based intrusion prevention software, which is meant to keep a website functioning under sustained hacker attack. Riverhead's network-based threat prevention technology analyses traffic flows for protocol compliance and for divergence from normal traffic patterns and behaviour. This information provides the means to detect and block malicious traffic quickly without affecting legitimate business transactions. Riverhead was founded in 2000 and has 44 employees. It competes against vendors such as TippingPoint, Mazu Networks, Top Layer and Arbor Networks. Arbor is backed financially by Cisco, but may have to consider a new exit strategy, now that its benefactor is engaged to a major rival. The acquisition is subject to the usual closing conditions and is expected to close in Cisco's Q3 2004. Riverhead will then become part of Cisco's Internet switching business unit. ® Related stories: Cisco combats network worms; Cisco buys behaviour blocker; When firewalls and intrusion detection just aren't enough; Vendors sharpen tools to thwart DoS attacks
John Leyden, 22 Mar 2004
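
The article describes Riverhead's approach only in outline: learn what normal traffic to a destination looks like, then flag flows that diverge from it. The following is an added illustration of that idea, not Riverhead's or Cisco's code. It builds a per-destination baseline from constructed 10-second flow summaries (packet count and SYN count per window), using a median and median absolute deviation so that a few noisy windows do not skew the baseline, and then reports windows whose volume or SYN share diverges from it. The thresholds are arbitrary assumptions chosen for the sample.

```python
from collections import defaultdict
from statistics import median

# Constructed flow summaries (not real traffic): one record per 10-second
# window per destination, as (window, dst, total_packets, syn_packets).
BASELINE_WINDOWS = [
    (w, "203.0.113.10", 1000 + (w % 5) * 40, 60 + (w % 3) * 5) for w in range(30)
]
OBSERVED_WINDOWS = [
    (30, "203.0.113.10", 1080, 65),    # normal
    (31, "203.0.113.10", 1120, 70),    # normal
    (32, "203.0.113.10", 9800, 9500),  # volume and SYN share both diverge
    (33, "203.0.113.10", 1250, 900),   # volume is ordinary, SYN share is not
]


def build_baseline(records, k=5.0, min_spread=0.05):
    """Per destination: a robust upper limit on packets per window and the
    typical fraction of packets that are SYNs."""
    per_dst = defaultdict(list)
    for _, dst, pkts, syns in records:
        per_dst[dst].append((pkts, syns / pkts if pkts else 0.0))
    baseline = {}
    for dst, samples in per_dst.items():
        pkts = [p for p, _ in samples]
        fracs = [f for _, f in samples]
        med = median(pkts)
        mad = median(abs(p - med) for p in pkts)
        # Floor the spread so a very flat baseline does not alert on noise.
        spread = max(mad, min_spread * med)
        baseline[dst] = {"pkt_limit": med + k * spread, "syn_frac": median(fracs)}
    return baseline


def detect_divergence(records, baseline, syn_ratio=3.0, syn_margin=0.2):
    """Return (window, dst, reasons) for each window that diverges from the
    learned baseline in volume or in protocol behaviour (SYN share)."""
    alerts = []
    for window, dst, pkts, syns in records:
        base = baseline.get(dst)
        if base is None:
            alerts.append((window, dst, ["no baseline for destination"]))
            continue
        reasons = []
        if pkts > base["pkt_limit"]:
            reasons.append(f"volume {pkts} exceeds baseline limit {base['pkt_limit']:.0f}")
        frac = syns / pkts if pkts else 0.0
        # A SYN share several times the norm with few completed handshakes is
        # the classic SYN-flood signature, even at modest volume.
        limit = max(syn_ratio * base["syn_frac"], base["syn_frac"] + syn_margin)
        if frac > limit:
            reasons.append(f"SYN share {frac:.2f} exceeds {limit:.2f}")
        if reasons:
            alerts.append((window, dst, reasons))
    return alerts


if __name__ == "__main__":
    baseline = build_baseline(BASELINE_WINDOWS)
    for window, dst, reasons in detect_divergence(OBSERVED_WINDOWS, baseline):
        print(f"window {window} {dst}: " + "; ".join(reasons))
```

The two checks are deliberately independent: window 33 in the sample trips only the SYN-share test, which is the case a pure volume threshold misses. A production system would also age the baseline over time and key it on more than destination address, but the shape of the decision is the one the article attributes to Riverhead.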

Build your own iSCSI SAN server

The cost of shared storage is coming down, thanks to DataCore which this week announced software called SANmelody which turns a Windows server into a SAN storage server. Significantly, it offers iSCSI as standard, as well as offering optional Fibre Channel support. Any other server that supports iSCSI can then draw upon disk storage attached via SANmelody. DataCore product manager Chris Lentz compares SANmelody to EMC's Clariion CX200 but says that it makes Storage Area Networks (SANs) a whole lot cheaper: SANmelody starts at under $1200, and is also available as a free 21-day trial. "SAN does not necessarily imply Fibre Channel. We are talking about the ability to access storage at the block level over 100Mbit Ethernet," he adds. "For the last year, the factor holding iSCSI back has been the lack of iSCSI targets [storage servers]. The exciting feature for small business is this is an iSCSI target that can turn anything into iSCSI storage - Serial-ATA, IDE, etc. It's also capable of mixing iSCSI and Fibre Channel." This is not the same as NAS or Microsoft's Windows Storage Server, he says. To the application program, block-level storage looks like a local disk drive, and is well suited to database applications among others. "For example, it could be for Microsoft Exchange or SQL Server, or for internal data storage applications," Lentz adds. "When you run out of storage you can use this instead of buying more direct-attached disk or a bigger server. Or you can use it as an iSCSI target for mirroring your data within the network." The mirroring feature is one of several optional extras for SANmelody. Others include data replication, automatic storage provisioning, and point-in-time snapshots for backup. There is a management snap-in for Microsoft's MMC too. 
DataCore doesn't have the brand recognition of an EMC or IBM, but it is known these days, thanks to its SANsymphony software which virtualises SANs and can be used for tasks such as data replication or migration. Lentz notes that a SANmelody server could be part of the SAN managed by SANsymphony, with its disk blocks aggregated into the whole. DataCore will sell SANmelody through a website, and also through resellers who will bundle it with a server and storage to make a complete subsystem: Transtec, a big storage specialist and system builder based in Germany, has already started shipping 'Powered by DataCore' disk servers. ®
Bryan Betts, 22 Mar 2004

Why infrastructure is not a dirty word

There used to be a time when "infrastructure" was a dirty word in IT circles. It seemed every independent software vendor in this sector was loath to be associated with the moniker, preferring instead to be seen as an "applications" or "solutions" provider that sat higher up the value chain. But, like most things in IT, the fashion has now come full circle... Once again, infrastructure is all the rage, and many vendors don't seem to mind being branded as such. For instance, recent announcements from Ascential Software and Informatica unashamedly position both companies as pure infrastructure providers. Nicholas Carr's (unnecessarily) controversial May 2003 Harvard Business Review article, "IT Doesn't Matter", effectively boils down to a simple argument: "If we're all using the same IT systems, where's my competitive business edge coming from?" Admittedly, Carr has a good point that relates specifically to the industry's rampant use of similar pre-packaged IT systems and applications. After all, if I'm running a business off exactly the same metrics and reports as my nearest competitor, where's the value? But should this argument be applied to IT infrastructure? Infrastructure is a term deeply rooted in construction. It is commonly used to define physical structures that form the foundation for further development. For instance, infrastructures such as waterworks, electric power, telecommunications, railway tracks, and oil and gas pipelines all act as a foundation for higher-value services: swimming pools, appliances, long-distance telephony, high-speed rail services, and petrol pumps. Things are no different in the IT world. Messaging backbones, data and application integration, storage, network communications, and so on all provide the essential physical infrastructures for the everyday functioning of businesses.
But having these infrastructures in place is also a necessary prerequisite for the types of long- and short-term competitive advantage that are promised by IT investment; it's the "price to play" for companies.

Strategic advantages

It is true that infrastructure in itself does not confer long-term strategic advantage. If it did, the industry would be building that infrastructure rather than buying it on the open market. Take, for example, data warehousing infrastructures that provide the plumbing to move, integrate, transform, and analyse data from point of capture to point of use. Rarely do we see top companies attributing their business success to this infrastructure layer. Rather, what confers strategic competitive advantage is how that data is used in decision-making processes. In other words, infrastructure alone doesn't solve unique business problems. Implementing the most unique metadata-driven integration backplane for capturing customer data will not automatically stop customer churn, nor will installing a super-fast messaging network facilitate knowledge sharing.

Foundation for added value...

However, the value of infrastructure should not be underestimated. Ultimately it provides the necessary foundation for building bigger, better, and more valuable things. The real advantage of having a robust, well-designed infrastructure in place is that it allows companies to focus on IT innovation where it really matters: at the business level, and on how they can more effectively use their data at critical customer-facing junctures across the enterprise. When a CIO says: "I have a $20m IT budget but no money", this usually means the money is being targeted at implementing new, or overhauling old, infrastructure. But once this infrastructure is in place, it frees up IT resources for more valuable revenue-generating IT initiatives. Getting the "right" infrastructure in place isn't easy and many companies are still struggling to find the right architecture and vendor.
Infrastructure decisions are always important and companies are treading warily these days. After all, how often does a company rip and replace its messaging or data integration backbone? Clearly, infrastructure remains a big-spender market, easily outstripping enterprise software applications. About 40 per cent of the global IT budget is expected to go to pure integration infrastructure. Do the calculations and it is more than the gross domestic product of many developed European nations. Little wonder then that IT vendors are once again happy to be associated with the term. Source: ComputerWire/Datamonitor. Related research: Mobile Enterprise Infrastructure; IT Infrastructure Strategy in European Financial Services; Infrastructure Outsourcing in North American FS; Web Services II: Managing the future
Datamonitor, 22 Mar 2004