21 December 2004 Archive

Labour's Zombie Army clinches ID card vote for Clarke

Britain's compulsory ID card scheme won a large majority in a Commons vote last night, with 385 MPs voting for and 93 against. The opposition consisted of all 55 Liberal Democrats, 19 Labour and nine Tories, but although the latter two figures are lower than might have been expected, 173 MPs were either absent or abstained, meaning that the numbers opposing could grow as the Bill passes through committee stage. Short of a mass revolt by Labour's zombie army, however, the chances of Labour's massive majority being overturned in the Commons are nil.* The Zombie Army persuaded itself to vote for an illegal war on the basis of manifestly absurd claims, and has already squared the voting away of much of our freedoms with its conscience, so there seems little to stop it giving away the rest of them.

Tory opposition is more plausible, because although the party has offered support to the ID scheme, shadow home affairs spokesman David Davis has demanded changes in the Bill, and yesterday said that "if it hasn’t changed at all, I think we will make a judgment which is pretty sceptical of it." That, however, places the Tories in a difficult position. Davis himself, and a large section of the party, is against ID cards, but support was given first because leader Michael Howard personally favours them, and second because of the perceived need not to be seen as weak on crime, terror, security and general repression in the run-up to the election.

The timetable for the Bill is brisk, with the committee stage due to finish on 27 January, while there are currently suggestions that Tony Blair might call a snap general election in February. Presuming that the Government has negligible concern over whether or not the scheme works, is feasible or is effective, but is entirely concerned about winning the election at any price (on balance, we think these are reasonable presumptions), then the plan will be to force the Tories into the position of a loud awkward squad. So: no concessions, the possibility of an immediate election left dangling, and Howard facing an embarrassing climb-down or a fissure in his own party.

Although there will no doubt be intelligent contributions by MPs who've actually read and understood the Bill at this stage, and the Liberals at least will form a coherent opposition, the greatest chances of derailment lie in the House of Lords. An early election would, however, destroy what chances the Bill has of getting onto the statute book before the campaign, and produce more time for public opinion to turn against it. This, as we are regularly told by optimistic campaigners (and Peter Lilley MP just last night), is what happened in Australia, and although survey results do regularly produce a bottom line of a public that will at least accept ID cards, a closer reading makes it clear that there are many things about the scheme they dislike (cost, having to tell the Government when you move house, being fined for not telling the Government, etc), and many more things they'd dislike if only they knew about them.

The Government's arguments yesterday were essentially more of the same, with Charles Clarke largely repeating his spin from yesterday's Times. Here he trotted out the Government's prized 'fact' that 30 per cent of terrorists use false IDs, and the other one that identity fraud costs the UK £1.3 billion a year. It turns out that the Home Office declines to go into detail on what the 30 per cent consists of for 'security reasons', so they're just plain not going to tell us how few terror incidents in the UK have been perpetrated by people who would actually have had UK ID cards (hint: the Provisional IRA wouldn't, because they could just be Irish). The Home Office does, however, confess that ID-related benefit fraud amounts to £50 million a year, and it's obvious that the £1.3 billion isn't addressed by the ID scheme because (as it's currently presented) it doesn't have the slightest effect on the current major sources of identity fraud (e.g. cardholder-not-present and Internet transactions). Peter Lilley came up with a useful piece of number-crunching on benefit fraud, noting that the cost of terminals to the Department for Work and Pensions would be at least £1 billion, in order to save that £50 million. Other financial 'benefits' of the scheme are even more difficult to identify, and given that favourable numbers would have been published in the Bill's Regulatory Impact Assessment if the Government actually had any, it seems pretty clear it doesn't.

Enhancing his novel argument that identity cards are in fact a wondrous benefit and a "profoundly civil libertarian measure", Clarke yesterday burbled: "Opening a bank account, going abroad on holiday, claiming a benefit, buying goods on credit, renting a video - the possession of a clear, unequivocal and unique form of identity will offer significant benefits of a variety of different types." Good, isn't it? Now consider what happens when you use your ID card for each of these things. At each stage, your identity is checked and your whereabouts and doings logged in the audit trail that exists to 'protect your privacy'. This audit trail will not of course be available to anyone bar your good self and the police and security services and all of the other agencies the Government proposes to allow to access it. In enthusing about the scheme and its possibilities, Clarke is really telling us what's profoundly wrong about it, and why it should be stopped. We'll return to the debate later, when we've had a chance to go through the proceedings in more detail. ®

* We were taken with a report in yesterday's Guardian citing research that showed the Zombie Army, "usually caricatured as compliant stooges terrified of defying the whip, are turning on the government in unprecedented numbers." Claimed researcher Philip Cowley: "It is astonishing that Lord Butler got it so wrong. The real story is the growing independence and quality of British MPs." As he can apparently see things that we cannot, we can only gasp at the wisdom of Mr Cowley.

Related stories:
- Clarke takes charge of Blunkett's Fear Agenda
- Tories come out in support of UK ID card scheme
- Think tank survey claims 81% support UK ID cards
John Lettice, 21 Dec 2004

Nvidia to pitch NV48 at ATI's R520

Nvidia will launch against ATI's next-generation high-end graphics chip, the R520, in Q2 2005. So claim sources from among Taiwan's graphics card manufacturer community, cited by DigiTimes. They also allege that the part, codenamed NV48, will be fabbed by TSMC at 110nm, and not by IBM. The sources claim the move is a result of the yields the Taiwanese foundry has achieved with the GeForce 6200 and 6600 chips.

The shift from one manufacturing partner to another may account for the rumours that Nvidia had cancelled NV48. Certainly, the NV48 had been expected to appear late this year, according to Nvidia roadmaps doing the rounds back in July. However, back then the NV48 and its PCI Express-native sibling, the NV48e, appeared little more than tweaked GeForce 6800 cores, so it's possible the Q2 2005 part is different, despite taking the NV48 name.

Whatever features NV48 offers, it is likely to go head-to-head with ATI's R520, not only its first DirectX 9 Shader Model 3.0 GPU but the first of its graphics chips to be fabbed at 90nm. It will probably be the first GPU to support GDDR4, too, according to recent reports, which claim ATI has now completed the chip's design. ®

Related stories:
- Nvidia apes ATI to revive mid-1990s AGP feature
- PCI Express 2.0 to double bandwidth
- Nvidia nabs PS3 graphics contract
- Nvidia signs Intel bus licence deal
- ATI tapes out 90nm R5xx chip
- Nvidia roadmap said to tout AGP at high-end well into 2005
Tony Smith, 21 Dec 2004

Munich asks ministers to drop EU patent vote

The vote on the European Directive on software patents has, at the last minute, been moved to the afternoon session of the Agriculture and Fisheries Council's meeting. The vote is now scheduled for around 3pm, Brussels time.

The change in schedule follows a statement (pdf, in German) from the Mayor of Munich, calling on Germany's minister to have the directive taken off the agenda altogether. Mayor Christian Ude said he can see no reason for the Council to proceed with such haste. "After the multitude of concerns raised by all sides of politics, by small and medium enterprises and by many developers of free software, a further discussion of the directive proposal, and not a nodding-through in the non-expert Council of Agriculture and Fisheries, had been expected. I have today approached minister Künast to inform her of these expectations," he said.

Florian Mueller of campaign group NoSoftwarePatents said: "It shows that the city of Munich would really prefer a software patent-free environment for its Linux migration project. Frankly, it would be an unprecedented event if anyone stood up today and asked for software patents to be taken off the agenda, but it's possible that the Dutch government [is simply taking] its chances even though various countries are unhappy."

According to Mueller, the rescheduling is probably for administrative reasons, but it is possible that the directive is so politically unstable that more time was given to allow for more behind-the-scenes discussion of the vote.

The directive is now on the afternoon agenda for the Council. It will be preceded by a vote on the adoption of a Regulation of the European Parliament and of the Council laying down requirements for feed hygiene. ®

Related stories:
- EU fish ministers to vote on software patents
- No more debate on EU patents directive draft
- Software patents: the UK Patent Office pleads its case
Lucy Sherriff, 21 Dec 2004

Germany bans 'Intel only' IT tenders

Germany has modified its IT procurement policies in a bid to end projects being put out to tender with Intel processors as a prerequisite. The move follows the European Commission's call for an end to such limitations within IT contracts. The EC even went as far as to threaten legal action against European Union member states that failed to make appropriate changes to their procurement policies. That threat, made in April 2004, was the result of an investigation of procurement policies in Germany, Italy, the Netherlands, Belgium, France, Austria and Finland. At the time, only Germany and Italy were told to make policy changes.

The EC's probe was inspired by complaints from AMD that some government contracts were specifying Intel CPUs, in violation of European procurement regulations and the free movement of goods. In many cases, the phrase 'Intel CPUs' had simply been used as shorthand for 'x86 processors' or to imply a certain level of performance, rather than to express a preference for that vendor, though the outcome is much the same. Germany's new rules, like those of other countries that have followed the EC's advice, will focus on platforms and benchmark metrics rather than such flabby generalisations. Germany's new procurement rules can be read here (PDF). It's important to remember, however, that Intel itself has never been alleged to be party to such favouritism, even though it may ultimately have been a beneficiary.

Germany has taken its time to change its policies. Since the EC's April warning, Italy, Sweden, Belgium and France have all formally adjusted their own policies to prevent them favouring any particular processor manufacturer. France did so in May 2004, though it's interesting that in October 2004 the EC felt the need to tell the country that it must offer more evidence that the amended policy is being adhered to. Sweden, the Netherlands and Finland were also asked to provide such information.

Separately, Russia's deputy minister for Economic Development and Trade, Andrei Sharonov, has issued a similar call for vendor-neutral IT procurement within the Russian Federation, according to AMD. ®

Related stories:
- EC widens Intel-only contracts probe
- France bans Intel-only IT contracts
Tony Smith, 21 Dec 2004

Security holes that run deep

A couple of months ago, Toby Beaumont reported an ASP.NET vulnerability that, depending on the server configuration, allowed anyone to completely bypass user authentication and access protected files. Microsoft quickly provided a fix and the issue passed without much fanfare, mostly because the flaw wasn't widely exploited, and consequently many people failed to recognize just how serious this attack vector could be.

For nearly a decade, as the freedom of the Internet gave way to anarchy, IIS was the target of countless file access and canonicalization exploits. But Microsoft responded with an aggressive overhaul that resulted in IIS 6, a Web server that is surprisingly secure, even with a default installation. In fact, they did such a great job that IIS security has since become a boring topic. Although ASP.NET has had some problems, it too has held up fairly well. But this last flaw revealed that ASP.NET has the potential for serious vulnerabilities. It's not the vulnerability itself that concerned me, but what this vulnerability told us about the foundations of ASP.NET file access.

In a way, it reminds me of the USA PATRIOT Act, passed in response to the terrorist attacks of September 11th, 2001. Despite concerns over privacy and the potential for abuse, the new law has not personally affected anyone I know. Nevertheless, it still troubles me, because it messes with fundamentals without anyone completely understanding the future impact of these changes. We really cannot anticipate what problems we might encounter, especially when this law is combined with other future laws. If you never mess with basic civil liberties in the first place, you never have to worry about these complexities in the future. That is why this ASP.NET issue concerns me. This isn't politics, but I see basic rules broken that might lead to complex future issues.

Poor Posture

The specific flaw Beaumont found was deceptively simple: by using a backslash instead of a forward slash you could access secure ASP.NET resources that normally required authentication. So, if accessing www.example.net/secure/private.aspx is supposed to require authentication, anyone who wanted to could still access the file by entering the URL as www.example.net/secure\private.aspx (or, in IE, which rewrites a literal backslash as a forward slash before sending the request, by using %5C instead of the backslash). Even if you set NTFS permissions to block anonymous users from accessing the file, ASP.NET still allowed access.

As simple as it was to exploit, the existence of the bug told us a lot about ASP.NET's basic security posture, none of it good:

- ASP.NET was not always using NTFS permissions to enforce file access.
- You can fool ASP.NET by disguising the file path.
- ASP.NET did not properly filter URL requests.
- ASP.NET authentication fails open rather than failing closed.

It turns out that the problem was not with ASP.NET's authentication code; it was an authorization issue. Authentication validates a user's identity, but authorization is what determines whether a given resource requires an authenticated user in the first place. On a typical website, some resources are available to everyone while other resources are only available to authenticated users. The ASP.NET authorization code determines whether the resource requires authentication by checking the configuration file of the current application and looking for rules that match the requested URL. If the URL does not match any of those rules, it checks the configuration of the parent application for a match. If it still finds no match, it continues up through each parent application until it reaches the machine configuration. By default, the machine configuration allows anyone to access anything without authentication. This means that if you can disguise a URL so that it doesn't match any rule, you will eventually end up at the default rule that says there is no need to authenticate you to access this file.

In other words, if ASP.NET thinks everyone is authorized to access the file, it won't bother running its authentication code to see whether a particular user is authorized to have access. ASP.NET then opens the file in the security context of its own worker process account (the ASPNET account on IIS 5; NETWORK SERVICE by default on IIS 6), unless you specifically configure the application to use impersonation. Therefore it completely bypasses any NTFS permissions you might have set on the file for the requesting user.

While there were certain limitations that prevented widespread exploitation of this particular vulnerability, the fact that it was even possible should have been an alarming announcement. The fact that they did not follow such basic best practices brings into question what other vulnerabilities might exist. Sure, there might never be another serious ASP.NET vulnerability; and if there are any, they might never be publicly known. But that really doesn't matter, because that's not the point. The point is that you must code defensively and follow best practices from the beginning even if there are no foreseeable weaknesses in your code.

I give the IIS and ASP.NET team much credit for what they have accomplished so far, but we are all facing a new standard. I'd like to see them compile a list of specific best practices that they will never, ever break. Stuff like saying they will always canonicalize and filter URLs before making an authorization decision, or they will always fail closed. And then I'd like to see them publish this list to demonstrate their willingness to stick to these rules. This obviously isn't just a Microsoft problem; we could all certainly learn from this lesson. But that doesn't mean Microsoft can't take the lead in tackling this problem. Whether you are talking about politics or programming, the concept is the same: follow best practices.

Copyright © 2004

Mark Burnett is an independent security consultant and author who specializes in securing Windows-based servers. He is co-author of the best-selling book Stealing the Network (Syngress), and has also co-authored or contributed to several other books, including Special OPS: Host and Network Security for Microsoft, UNIX, and Oracle (Syngress); Maximum Windows Security (SAMS); and Dr. Tom Shinder's ISA Server and Beyond (Syngress).

Related stories:
- MS plugs weak XP firewall
- Five important fixes in MS December patch batch
- Probably the simplest phishing trick in the world
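To make the fail-open behaviour concrete, here is an added example of a prefix-based URL authorization lookup: a toy model written for this page, not ASP.NET's code and not from Burnett's column. The rule list, the policy names, the `policy_naive`/`policy_hardened` split and the canonicalisation steps are assumptions for illustration; real ASP.NET rules live in `<location>`/`<authorization>` config elements and are evaluated rather differently. The naive matcher compares the raw request path against the rules and slides past the application rule to the machine-wide "allow everyone" default as soon as a backslash (or its %5C encoding) stops the prefix from matching, exactly the shape of the bug described above. The hardened matcher canonicalises first (percent-decode to a fixed point so %255C is caught, reject NUL bytes, fold backslashes to slashes, collapse dot segments, fold case because NTFS is case-insensitive, strip the trailing dots and spaces NTFS ignores) and denies when no rule matches.

```python
"""Toy model of prefix-based URL authorization with an ASP.NET-style config
hierarchy: application rules are consulted first, the machine default last.
Added example for illustration; not ASP.NET code."""
from typing import List, Optional, Tuple
from urllib.parse import unquote
import posixpath

Rule = Tuple[str, str]  # (canonical URL prefix, policy)

# Constructed rule hierarchy (an assumption): /secure requires a logged-in
# user; the final catch-all mirrors machine.config's default of "allow all".
DEFAULT_RULES: List[Rule] = [
    ("/secure/", "authenticated"),   # web.config in the /secure application
    ("/", "anonymous"),              # machine.config default: everyone
]


def policy_naive(raw_url: str, rules: List[Rule] = DEFAULT_RULES) -> str:
    """Vulnerable lookup: matches the request path exactly as it arrived.

    '/secure\\private.aspx' never starts with '/secure/', so it slides past
    the application rule to the machine default and is served with no
    authentication at all, even though the file system later resolves the
    backslash to the very same private.aspx.
    """
    for prefix, policy in rules:
        if raw_url.startswith(prefix):
            return policy
    return "anonymous"  # fail-open: unmatched means unprotected


def canonicalize(raw_url: str) -> Optional[str]:
    """Reduce a request path to one canonical form before any rule lookup.

    Returns None when the path cannot be normalised safely; the caller must
    treat that as a deny.
    """
    path = raw_url
    # Percent-decode until the result stops changing, so double-encoded
    # separators such as %255C are caught; refuse inputs that keep changing.
    for _ in range(3):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    else:
        return None
    if "\x00" in path:               # NUL truncation tricks
        return None
    path = path.replace("\\", "/")   # Windows accepts either separator
    path = posixpath.normpath("/" + path.lstrip("/"))  # collapse . and ..
    path = path.rstrip(". ") or "/"  # NTFS drops trailing dots and spaces
    return path.lower()              # NTFS names are case-insensitive


def policy_hardened(raw_url: str, rules: List[Rule] = DEFAULT_RULES) -> str:
    """Canonicalise first, match second, and fail closed."""
    path = canonicalize(raw_url)
    if path is None:
        return "deny"
    for prefix, policy in rules:
        if path.startswith(prefix):
            return policy
    return "deny"  # fail-closed: no matching rule means no access


if __name__ == "__main__":
    # Constructed probe URLs, including the backslash and %5C variants above.
    probes = [
        "/secure/private.aspx",
        "/secure\\private.aspx",
        "/secure%5Cprivate.aspx",
        "/secure%255Cprivate.aspx",
        "/public/../secure/private.aspx",
        "/SECURE/Private.aspx",
    ]
    for url in probes:
        print(f"{url:34} naive={policy_naive(url):13} hardened={policy_hardened(url)}")
```

The two lookups differ in only two places, and both matter: the request path is reduced to a single canonical form before it is compared with any rule, and a request that matches no rule is refused rather than waved through. Running the block prints the naive policy as "anonymous" for every disguised spelling of the protected file and the hardened policy as "authenticated" for all of them.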
Mark Burnett, 21 Dec 2004

EA to buy 20% of Ubisoft - report

Electronic Arts is to buy a big chunk of Ubisoft, paying $85-100m for a 20 per cent stake in the French games publisher. So says today's Wall Street Journal, though neither company has yet commented formally on the claim.

Earlier this year, EA CEO Larry Probst forecast that the games industry would see further consolidation over the next three to five years, though at the time - May 2004 - he was quick to point out that EA wasn't going to be a big buyer of companies. If the deal with Ubisoft goes ahead, it would appear that Probst has changed his mind.

In August 2004, UK publisher Eidos confirmed that it is in talks with one or more other publishers about a possible merger or acquisition of Eidos' business. Curiously, Ubisoft was one of the names most frequently bandied about when Eidos' plan was made public, though the publisher itself has sternly refused to name names. Ubisoft's president, Yves Guillemot, has expressed an interest in acquiring Eidos, but that was a couple of years ago.

Consolidation of the games publishing business will surely attract the closer attention of the world's trade regulators; indeed, any deal between EA and Ubisoft will need to win US government approval before it can go ahead. However, with regulators on both sides of the Atlantic approving the merger of Sony and BMG earlier this year, taking the number of major recording companies from five to four, games publishers no doubt feel they have some way to go before regulators will begin to worry that too much market power is being placed in too few hands. ®

Related stories:
- Eidos does due diligence on would-be buyers
- Graphics patent holder sues Sony, MS, Nintendo
- Game makers hit with graphics patent violation suit
- Harry Potter games outfit loses its magic
- Eidos plunges into red
- Eidos confirms takeover talks
- EA swallows Criterion Software
- Eidos issues profit warning
- Eidos snaps up IO Interactive
Tony Smith, 21 Dec 2004

Rogue pharmacies still thriving

Pill peddlers, selling medicines with "no prior prescription required", are still thriving on the net, leaving thousands of patients at risk. They often use web sites without proper contact details, let you fill in flimsy online questionnaires to justify the prescriptions, hire spammers, or hawk products such as "Generic Viagra". In case it escaped your attention: the original Viagra patent in the US will not expire until 2012, so what you get is by definition a counterfeit product, or worse. Some 'Viagra' pills are known to contain lactose as an ingredient; others have up to 400 times the maximum recommended dose of the active ingredient, which may impress the ladies but makes for a dangerous product. According to Pfizer, about 350,000 web sites (!) sell fake Viagra or send you to a site that does. And that's just Viagra...

A Cleveland Plain Dealer reporter recently purchased several prescription medications online. This is what he got:

- Bogus prescriptions written by a 'doctor' in Georgia, a state that prohibits prescribing drugs "solely by electronic means". (The doctor in question had no idea how his name wound up on a bottle of Didrex.)
- Medications without any dosage information, and without advisories about side effects or possible interactions with other drugs.
- Shipments in crude packaging with no documentation and no receipt, from companies that pretend to be in Canada or the US but in reality serve as middlemen for medications shipped from Asia, where just about anything can be concocted.

Worse, the reporter's credit card number was used (without his knowledge) to pay off somebody's traffic tickets in Ft. Lauderdale, Florida.

Understaffed pharmacy boards say they barely have the resources to inspect traditional pharmacies, let alone rogue online pharmacies, but experts agree that something should be done: at least 14 deaths and overdoses have been directly linked to drugs obtained over the Internet. ®

Related stories:
- Pfizer sues online pharmacies
- E-pharmacies guilty of blatant disregard for health
- e-Pharmacy sites offer risky prescription
Jan Libbenga, 21 Dec 2004

Unions back Lucent pay deal

Workers at Lucent have agreed to a new pay and conditions settlement that will, union officials say, give them greater job security. Two unions, the Communications Workers of America (CWA) and the International Brotherhood of Electrical Workers (IBEW), have ratified the deal, which runs until 2012. Some 3,400 installers, technicians and other workers at the telecoms equipment manufacturer will see their wages rise 16 per cent over the next seven years, along with an increase in pension entitlements. Workers will also receive a one-off $1,000 "ratification bonus".

Said CWA union boss Ralph Maly: "Lucent's financial situation made it imperative that we find a solution that would help ensure the survival of health care coverage for our members and retirees." The agreement also provides for a no-layoff guarantee for installers and opens up new job opportunities within installation. Which is nice. ®

Related stories:
- Lucent posts full-year profits
- Lucent raises sales outlook
- Ex-Lucent boss could face bribe charges
Tim Richardson, 21 Dec 2004

Internet logs nail fetus snatcher

A grotesque crime in which a pregnant woman was murdered and her fetus snatched and adopted by another has been solved quickly, thanks to the enormous amount of electronic evidence the murderer left behind. Lisa Montgomery, 36, of Melvern, Kansas arranged the fatal meeting with her victim, Bobbie Jo Stinnett, 23, via e-mail and instant messaging. The late Stinnett was a dog breeder, and Montgomery approached her online with the pretext of wishing to buy a puppy. Stinnett invited Montgomery to her Skidmore, Missouri house, where Montgomery strangled her, performed an impromptu Caesarean, and stole the fetus. After murdering Stinnett and stealing her fetus, Montgomery drove to Topeka, Kansas and rang her husband, telling him that she'd given birth. Why the husband was not suspicious has not been explained.

Montgomery was apparently none too savvy about the techniques of covering one's tracks online, and leaked prodigious amounts of data. While she did have the foresight to use an alias for her emails to Stinnett, she connected from her house without any precautions, and appears to have posted a message to Stinnett on a board where her IP address was logged. Stinnett's computer provided enough evidence for police to zero in on Montgomery within a day. It was trivial to trace Montgomery's IP address to her house, where police found the stolen infant, pretty much blowing any non-insanity defence Montgomery might have hoped to mount. The premature infant, named Victoria, is reported to be healthy and has since been reunited with her father. ®

Related stories:
- Online baby muncher is an artist
- Web paedophile jailed for four years
- NSW police email child abuse pics to school heads
Thomas C Greene, 21 Dec 2004

Iomega unveils 400GB, Firewire 800 drive

Iomega has started shipping external hard drives that incorporate a Firewire 800 interface, the storage specialist announced today. The launch also adds a 400GB unit to the top end of the company's desktop hard drive line.

Available in three capacities - 400GB, 250GB and 160GB - the external units also sport the more commonplace Firewire 400 and USB 2.0 interfaces. The disks themselves spin at 7200rpm. Each drive can be mounted horizontally, for drive stacking, or vertically. Iomega bundles its own Automatic Backup software for Windows users, along with Dantz Retrospect Express for Mac owners. The latter constituency will be those most interested in the 800Mbps Firewire 800 port, a feature Apple has been incorporating into its high-end desktops and notebooks for some time.

The three new drives are available now in the US for $199 (160GB), $279 (250GB) and $429 (400GB), respectively. There's no word yet on European pricing and availability. ®

Related stories:
- Removable disks back from the dead
- Iomega waves goodbye to 145 staff
- Iomega readies wireless SOHO NAS kit
- Iomega drops 'Son of Clik' as losses swell
- Iomega dresses up NAS device
- Iomega ships 160GB back-up hard drive
Tony Smith, 21 Dec 2004

European court to rule on MS sanctions

Microsoft will hear tomorrow whether or not it has been successful in the first stage of its appeal against the antitrust sanctions imposed upon it by the European Commission. Back in March, the Commission ruled that Microsoft had abused its monopoly. It imposed a fine of almost $650m, and instructed the company to publish details of its Application Programming Interfaces (APIs) and provide a version of Windows without Windows Media Player. Microsoft wants these penalties suspended while it makes its appeal.

Microsoft's detractors, including the Commission, argue that if the sanctions are suspended, the damage to Microsoft's competitors will have been done in whatever time the appeal process takes to complete. In effect, Microsoft will have won, even if it goes on to lose its appeal.

Judge Bo Vesterdorf, president of the Court of First Instance, Europe's second-highest court, is expected to announce his decision tomorrow (Wednesday). The phrasing of his ruling will be finely dissected, whichever way he rules, as any implied criticism of the Commission's decision could lend credence to Microsoft's appeal. To rule in Microsoft's favour, Vesterdorf must decide that the company has an "urgent need for suspension" and that its interests outweigh those of the public. Carlos Piana, a lawyer representing the Free Software Foundation in the case against Microsoft, said: "Every day that passes makes it harder for the market to benefit from the commission's decision," Business Week reports. ®

Related stories:
- Novell, CCIA evidence may be tossed out in MS EC case
- MS latest: Nokia quits trade group in disgust
- Why MS paid Novell half a billion bucks today
Lucy Sherriff, 21 Dec 2004

Sony denies plasma TV pull-out

Sony has denied allegations that it is planning to pull out of the plasma display TV market in a bid to cut costs and improve profitability. "We will continue production and sales of plasma televisions," the Japanese electronics giant said today in a statement.

That contradicts a report in the Nihon Keizai Shimbun earlier this week. The paper said Sony would shortly cease plasma TV production in Ichinomiya, Japan; Wuxi, China; Barcelona; and Pittsburgh. Instead of punching out plasma TVs, the four sites would produce LCD and rear-projection models. Sony's statement today certainly notes a shift in that direction: "Regarding our flat television business, we will continue to focus on LCD and rear-projection televisions," the company said. However, it claimed that shift of emphasis would not be to the exclusion of plasma TV technology.

The announcement comes a week after Samsung showed off what it claims is the world's largest plasma TV, a 255cm (102in) monster display more than 2m across. Earlier last week, Sony and Samsung entered into a broad patent cross-licensing deal, although the terms of the agreement do not cover certain display-oriented technologies such as TFT LCD and OLED (Organic Light-Emitting Diode) systems. Ditto Sony's Digital Reality Creation image enhancement engine for hi-definition TVs, and Samsung's Digital Natural Image Engine, also a digital TV video processing system.

Sony's TV division lost ¥6.1bn ($58.64m) in the three months to 30 September. ®

Related stories:
- Samsung shows 2.5m monster monitor
- Sony, Samsung agree to share toys
- UK prof pioneers new LCD screen system
- LG, Matsushita trade lawsuits in PDP patent clash
- Intel 'ends' chip digital TV tech work
Tony Smith, 21 Dec 2004

Cisco Networking specials for less

Reg offer

This week we've got a huge selection of titles from Cisco Press. Whether you're on the Cisco Networking Academy Program, installing a Wireless LAN or just starting out with TCP/IP, we've got guides to cover it all, and they're all reduced by 30%.

- TCP/IP First-Step. RRP £21.99; Reg price £15.39; saving £6.60 (30%). This book explores TCP/IP in a reader-friendly manner that does not presume an existing base of knowledge. The reader is introduced to the concept of packetized data transfer, open networking, reference models, and standards bodies.
- Optimizing Applications on Cisco Networks. RRP £39.99; Reg price £27.99; saving £12.00 (30%). Improve the delivery of services on your existing network with Application Performance Management (APM).
- Building MPLS-Based Broadband Access VPNs. RRP £42.99; Reg price £30.09; saving £12.90 (30%). Master the design and management of MPLS-based broadband access VPNs to maximize client performance.
- 802.11 Wireless Network Site Surveying and Installation. RRP £39.99; Reg price £27.99; saving £12.00 (30%). Perform expert site surveys, select the right equipment, and install your 802.11 wireless network with this comprehensive guide.
- Cisco Wireless LAN Security. RRP £39.99; Reg price £27.99; saving £12.00 (30%). Secure your wireless local area network with guidance from experts at Cisco Systems.
- CCIE Routing and Switching Flash Cards and Exam Practice Pack (CCIE Self-Study). RRP £50.99; Reg price £35.69; saving £15.30 (30%). A late-stage preparation tool for the written exam component of the CCIE certification.
- CCSP CSI Exam Certification Guide (CCSP Self-Study). RRP £39.99; Reg price £27.99; saving £12.00 (30%). Designed for IT and security professionals who are pursuing the Cisco CCSP security certification track and preparing to take the CSI 642-541 exam.
- CCNP 3. RRP £26.99; Reg price £18.89; saving £8.10 (30%). The only Cisco-authorized textbook to be used in conjunction with the CCNP 3 Multilayer Switching course within the Networking Academy.
- CCNP 4. RRP £26.99; Reg price £18.89; saving £8.10 (30%). The only Cisco-authorized textbook for the CCNP 4 Network Troubleshooting course in the Networking Academy.
- CCDP Self-Study. RRP £50.99; Reg price £35.69; saving £15.30 (30%). Learn CCDP ARCH 642-871 concepts with the Cisco-authorized self-study book for CCDP foundation learning.

The perfect gift for family, friends or even yourself:

- Absolute Beginner's Guide to Online Dating. RRP £13.99; Reg price £9.79; saving £4.20 (30%). No need to rely on fate or karma: this book helps readers find a match based on compatible desires, values, beliefs, and attitudes.
- Poker Night. RRP £9.99; Reg price £6.99; saving £3.00 (30%). Know when to hold 'em, fold 'em and everything in between with Brady's handy poker resource.
- Leo Laporte's 2005 Mac Gadget Guide. RRP £17.99; Reg price £12.59; saving £5.40 (30%). Take your Mac to the limit and beyond.
- Special Edition Using Microsoft Windows XP Home. RRP £31.99; Reg price £22.39; saving £9.60 (30%). Faster, stronger, better than it was before: this is the only Windows XP book readers will ever need.

Don't worry about missing your weekly fix of hot titles from the Reg Bookstore over the festive period. Just follow the links below for key titles at exclusive discounts:

- The Reg Bestsellers
- Last week at The Reg
- Great new releases
- This week's book bag

See you in 2005, when we'll be offering you the opportunity to get the year off to a magnificent start.
Team Register, 21 Dec 2004

Skype ties up with C&W

Skype has inked new call-termination agreements with Cable & Wireless and Luxembourg's B3G Telecom Technologies. The Internet telephony outfit already has such deals in place with the likes of iBasis, Level3 and Teleglobe, who now provide global termination services for its SkypeOut service, which lets users make calls to landlines and mobiles. The deals with C&W and B3G Telecom not only expand the number of carriers supporting Skype but also "enhance the level of service globally". Apparently. The Voice over Internet Protocol (VoIP) outfit has also signed up UK-based money service Moneybookers to help carry out online payments for its SkypeOut service. Elsewhere, C&W and EDS have won a three-year contract worth £2.1m to run a Virtual Private Network (VPN) for brewer Scottish Courage. As part of the deal, 66 of Scottish Courage's manufacturing, distribution and sales sites will be shunted onto a single data network, cutting the brewer's annual communications bill in half, the company claimed. More importantly, a spokesman for the brewer said: "The system should make it easier for us to keep the beer flowing this Christmas." ®

Related stories:
Wanadoo.fr staff strike over 'buggy' VoIP service
IBM wins £500m Lloyds TSB VoIP gig
Callserve WLTM partner with VoIP, GSOH etc.
Tim Richardson, 21 Dec 2004

Cisco pays $65m for Protego

Cisco yesterday announced a deal to acquire security start-up Protego Networks for approximately $65m in cash. Protego's line of security monitoring and threat management appliances will be used to bolster Cisco's security portfolio. Cisco said the "ability of Protego's products to detect, correlate and mitigate threats in the network extends Cisco's Self-Defending Network initiative". According to a statement, Protego's appliances combine traditional security event monitoring with added features to help firms manage security incidents. "By combining network intelligence, an understanding of network topology and automated mitigation capabilities, Protego's products help companies to readily and accurately identify and eliminate network attacks while maintaining network compliance," Cisco said. The acquisition is subject to various standard closing conditions and is expected to close by the end of January 2005. Post-acquisition, Protego's 38 employees will be integrated into Cisco's Security Technology Group. Protego Networks is Cisco's fourth security-related acquisition this year, following the purchases of 'network bouncer' firm Perfigo, network monitoring firm NetSolve and anti-DDoS firm Riverhead Networks. Cisco's buying spree has also extended into other areas of technology, most recently with the $34m purchase of network routing software firm BCN Systems earlier this month. ®

Related stories:
Cisco buys 'network bouncer' firm Perfigo
Cisco buys anti-DDoS firm
Cisco beefs up IOS security
Juniper security push
John Leyden, 21 Dec 2004

Auto makers to create car-to-car WLAN by 2006

Car makers BMW, Audi, Daimler Chrysler, Volkswagen, Renault and Fiat have won a German government grant to help develop the basis for a standard method for car-to-car wireless data. The money will be used by Network on Wheels (NOW), a project run out of the University of Mannheim with the participation of Karlsruhe Technical University. NOW is funded in part by the German 'Ministry for R&D'; the Car2Car Communication Consortium, a non-profit organisation founded by said vehicle manufacturers; Siemens; NEC; and the Fraunhofer Institute, itself better known as the home of the MP3 format. NOW is focusing on 802.11 technology and IPv6 to develop "inter-vehicle communication based on ad hoc networking principles". Essentially, it's exploring ways that moving vehicles can automatically set up temporary links with other cars, bikes and trucks in the vicinity, and share traffic information. With routing capabilities, the whole thing could become a huge 'automobile Internet', with vehicles warning each other - and their drivers - about slow-downs, bad weather, accidents and other road problems. NOW's work will feed into the Consortium's effort to create the Continuous Communications Air Interface for Long and Medium Range (CALM), the vehicle-to-vehicle network. The Consortium is keen that a standard be defined for CALM-style networks, allowing manufacturers to differentiate without the risk of building (potentially dangerous) incompatibilities into the system. It sees CALM as a kind of automotive answer to the way GSM and GPRS came to be defined as Europe's mobile telephony standards. It's all very clever, of course, and impressive from a technological standpoint. However, alongside the rewards there's a risk to personal liberties, as the potential is once again opened for government and law-enforcement agencies to track vehicle movement. Something we'll undoubtedly be forced to swallow on the grounds that it allegedly makes terrorism less likely, along with the ID cards, phone taps, satellite tracking, CCTV cameras et al that are supposedly keeping us safe. CALM also ties into the European Commission's eSafety Programme, itself geared toward a 50 per cent reduction in road fatalities by 2010. The Consortium plans to build its first prototype by mid-2005, with more advanced prototypes for field trials coming late Q1 2006. The final CALM specification is scheduled to arrive at the end of that year. ®

Related stories:
Car self-destructs in assassination bid
Speeding motorist says aliens to blame
Reg hack in daring Gambia charity dash
Reg road tests the BioNav in-car nav wonder
Hydrogen-powered cars creep forward
Segway LLC imagines futuristic four-wheeled vehicle
Man in satanic Renault terror ordeal
PalmOne preps Bluetooth GPS bundle
Mitac's Mio preps next-gen GPS PocketPC
MS smart phones gain in-car nav kit
Wi-Fi finds no space on the forecourt
Parking your car the wireless way
Texaco pumps Wi-Fi into 100 garages
Tony Smith, 21 Dec 2004

Poland halts software patent directive

Against all expectations, the final vote on the European software patents directive was postponed this afternoon. The Polish Minister of Science and Information Technology, Wlodzimierz Marcinski, made a special journey to Brussels to demand that the directive be dropped from the agenda. According to the FFII (Foundation for a Free Information Infrastructure), Mr Marcinski felt the trip to Brussels was necessary because of the pressure Poland's permanent representatives were under to accept the draft as it was. The decision has been welcomed by anti-patent campaigners, who said Mr Marcinski should be praised for his courage. James Heald, a spokesman for the FFII, said: "The fact that the unilateral declarations of concerns by member states contained more text than the actual directive itself only accentuated the proposed text's woeful lack of support and lack of democratic legitimacy." Equally, the decision has been roundly condemned by EICTA, the European tech industry's trade body. Director General Mark MacGann warned that without passing the directive, Europe risked "being caught up in a negative spiral where other regions of the world can take advantage of European investment in innovation, while European companies are weakened in their home market". What the delay means for the directive now is uncertain. Poland's minister asked for time to prepare a "constructive declaration" on the directive. Several countries support this position, having changed their stance since the vote on the text in May. Germany has already issued a statement saying that the compromise text has "room for improvement". It is possible that the Luxembourg presidency will take a different approach and allow more discussion of the content of the draft, but the draft could just as easily show up on the agenda of the next meeting of the Council of Ministers. ®

Related stories:
Munich asks ministers to drop EU patent vote
EU fish ministers to vote on software patents
No more debate on EU patents directive draft
Lucy Sherriff, 21 Dec 2004

ABN Amro slashes IT workforce

IT workers will be hit particularly hard by proposed job cuts at ABN Amro. A quarter - 1,200 out of 5,000 full-time IT workers at the bank - will lose their jobs over the next 18 months under a proposed restructuring plan. The 1,200 lost IT jobs (achieved through consolidation, partial outsourcing and offshoring) are part of a total of 2,850 jobs the Dutch-based bank is hoping to shed as part of plans to save €770m per year from 2007 onwards. "Depending on the extent to which we choose outsourcing as a solution for certain activities, we anticipate that an additional number of staff will be transferred to other employers in the future," the bank said. ABN Amro also intends to lose 1,100 jobs at its investment banking and corporate lending business, which along with IT will bear the brunt of the job cuts. In the group as a whole around 3 per cent of workers will be forced to look for work elsewhere. ABN Amro will take a one-off charge of €530m this year in implementing these cuts. The company says its profit forecast is unaffected by its job cuts announcement. The bank began telling staff about the likely impact of the cuts last week. The restructuring is designed to stem a decline in operating profit at the bank that has been felt across the banking industry. Deutsche Bank AG and Credit Suisse Group also announced job cuts earlier this month, Bloomberg reports. A drop in US mortgage revenues due to higher interest rates has compounded the problems ABN Amro faces in a difficult market, it adds. ®

Related stories:
Barclays to cut IT staff
Co-op IT staff to strike over SCC outsourcing gig
IBM wins $5bn JP Morgan outsourcing deal
Offshoring inevitable, so get over it
John Leyden, 21 Dec 2004

Child porn suspect suicide tally hits 32

Thirty-two of the men arrested during UK child porn investigation Operation Ore have committed suicide, police said yesterday. The men were reportedly unable to cope with the shame of their arrests. The revelation has prompted calls that anyone arrested for such offences be granted anonymity until they are proven guilty. However, the Home Office says it sees no need to change the law. Operation Ore began in the UK around two years ago when the FBI turned over the details of 7,200 British child porn suspects to UK police. The details came from the subscriber lists of an American child porn aggregator, which provided access to 300 child porn sites in exchange for £21 per month. A total of 3,729 of the men on the list have now been arrested. Of these, around 1,600 have been charged and a further 1,200 convicted. Rock star Pete Townshend was one of those named on the list. He admitted to subscribing to the service but maintained that he was doing research for a book on the subject. He told The Daily Mail that the shame of the arrest nearly drove him to suicide. "If I had had a gun, I would have shot myself," he said. The Association of Chief Police Officers (ACPO) said that it did its best to handle allegations of involvement in child pornography as sensitively as possible, but that it would not be deterred from enforcing the law. Assistant Chief Constable Stuart Hyde, spokesman for ACPO, commented: "These are very, very emotive, difficult cases to investigate, and for those caught up in it, the embarrassment and shame can be very high. But we cannot turn a blind eye to these sort of offences." ®

Related stories:
NSW police email child abuse pics to school heads
Child porn navy doctor keeps job
IT industry urged to fight online child abuse
Web paedophile jailed for four years
Lucy Sherriff, 21 Dec 2004

Botnets, phishing and spyware

2004 in review The year 2004 in internet security will probably be best remembered as the year the profit motive became a primary driver for the creation of computer viruses. 2004 also saw several high-profile arrests, making it one of the most successful years yet in the fight against cybercrime. Home PCs became the front line in the fight between cybercriminals and defenders, as the growing use of networks of compromised machines (botnets) to send out spam or mount DDoS attacks became a major security headache. Windows XP SP2, touted as Microsoft's most important advance in computer security, made its debut - the jury is still out on SP2's efficacy in defending against botnets. During 2004 the number of known viruses passed the 100,000 mark, according to F-Secure, the anti-virus firm.

War of the worms

2004 began with a battle between the creators of three email worms - Bagle, MyDoom and NetSky - for the control of virus-infected Windows PCs. Many variants of MyDoom, which first appeared in January, launched distributed denial-of-service attacks against the likes of SCO, Microsoft and the RIAA - with mixed results. The prolific Bagle strain was thought to be a straightforward mass-mailing worm when it first appeared in January. But it soon became apparent that both MyDoom and Bagle established a backdoor on infected machines that turned PCs into spam proxies. Each email worm used variants of the Mitglieder proxy Trojan to achieve this. In February NetSky came onto the scene; it removed Bagle and MyDoom from infected Windows PCs. NetSky triggered an "arms race" between virus-writing camps, with the creation of multiple variants of all three worms, many of which disparaged the authors from the rival camps. This viral bunfight only ended with the May arrest of German teenager Sven Jaschan, who readily confessed to creating the first versions of NetSky and a prolific internet worm called Sasser.

Sasser took advantage of a serious Windows vulnerability, a buffer overrun in Windows' Local Security Authority Subsystem Service, to spread widely in early May. Sasser was launched just 18 days after Microsoft issued a fix for the flaw it exploited. Like NetSky, Sasser was designed to wipe MyDoom and Bagle off infected PCs - a misguided effort with disastrous side-effects. Its aggressive scanning and its capacity to make unpatched machines unstable caused all sorts of grief. The operations of Sampo, Finland's third largest bank, WestPac and RailCorp in Australia, the UK coastguard and the European Commission in Brussels all suffered significant problems because of Sasser.

Dragnet

German police arrested Jaschan six days after the release of Sasser, following a tip-off obtained via Microsoft's Anti-Virus Reward Programme. When the snitches (Jaschan's fellow students) became suspects themselves, the promised $250,000 reward was withheld. None of this affected the spread of the worms Jaschan created, of course, and NetSky-P went on to become the most prolific virus of 2004. On the same weekend Jaschan was arrested, police in the southern German state of Baden-Wuerttemberg arrested a 21-year-old man on suspicion of creating variants of the Agobot (AKA Phatbot) Trojans. Not much has been heard of this suspect - known only as Alex G. - but the case against him could provide valuable insights into the trade in compromised PCs. Hundreds of versions of Agobot have been created and its use is intimately linked with the creation of botnets. Police across the world mounted high-profile cybercrime investigations in 2004. In the US, the Secret Service shut down groups (Carderplanet and Shadowcrew) alleged to have traded stolen credit card numbers online. In July, three men suspected of masterminding a cyber-extortion racket targeting online bookies were arrested in a joint operation between the UK's National Hi-Tech Crime Unit and its counterparts in the Russian Federation. The trio, who investigators reckon netted hundreds of thousands of pounds from the shakedowns, were picked up in a series of raids in St Petersburg and in the Saratov and Stavropol regions in southwest Russia. Extortion is not the only motive for DDoS attacks. In August six men were charged by the Californian courts in the first case involving the use of sophisticated denial-of-service attacks directed against business rivals. Jay Echouafni, chief exec of Orbit Communication Corporation in Massachusetts, along with a business partner allegedly hired computer hackers in Arizona, Louisiana, Ohio and the UK to launch attacks against Orbit's online competitors. Echouafni skipped bail and has become a fugitive from justice. December brought the successful end to a Scotland Yard-led inquiry into the use of the Randex Trojan in the creation of botnets. Elsewhere in 2004, Australian 419 email scammer Nick Marinellis was jailed for four years, Brazilian police made more than 50 arrests for Trojan phishing and the UK's NHTCU made several phishing-related arrests. Once upon a time, virus writers were motivated by notoriety, but now the profit motive is more important. The use of keylogging Trojans in phishing scams is one way they can make money. Selling access to botnets - networks of compromised PCs - is another potential money-spinner, as is spyware.

Gone phishin'

Scam emails that form the basis of phishing attacks often pose as 'security check' emails from well-known businesses. These messages attempt to trick users into handing over their account details and passwords to bogus sites. The collected details are used for credit card fraud and identity theft. First seen more than a year ago, phishing emails are becoming increasingly sophisticated. Anti-Phishing Working Group analysts reckon fraudsters are using automated tools and botnets to ramp up attacks. The customers of UK banks were a frequent target of phishing attacks. NatWest even suspended its online banking service to give it time to cope with one assault. In response, the banking industry came together with police to advise customers on how to avoid falling victim to the scam. A UK government initiative to promote internet security among consumers and SMEs - dubbed Project Endurance - is due to launch next year.

SP2 comin' at ya

Microsoft's main attempt at improving internet security this year came with the shipment of Windows XP Service Pack 2 in August. Principal additions in Windows XP SP2 include: Windows Security Centre; automatically turning on Windows Firewall; and browsing enhancements to Internet Explorer (providing far more control over ActiveX controls, for example). Less mentioned, but more important, is revamped memory protection to prevent buffer overruns, the perennial source of so many security problems. SP2 also gave users up-to-date versions of IE and Outlook Express. Our reviewers weren't impressed, describing SP2 as a "missed opportunity" to improve consumer security. Two attacks this year drove home the need for improved security in Internet Explorer. June's Download.Ject exploit and November's IFRAME exploit in IE laid users of Internet Explorer open to spyware or viral infestation simply by visiting trusted websites. The IFRAME exploit was blocked by SP2, and by a patch Microsoft issued for earlier Windows builds in December, and the Download.Ject exploit prompted security clearing house CERT to advise users to consider using alternative browsers for security reasons. Meanwhile the release of Firefox in November gave IE some serious competition. In announcing the feature set of SP2 at the RSA Conference in February, Bill Gates also lent Microsoft's support to the battle against email spam. The spam tsunami showed no signs of letting up this year. Around 80 per cent of all email is spam - and most of it is sent through infected home computers. Prosecutions have been brought under the US's CAN-SPAM Act but it's doubtful it will prove to be much of a deterrent. Spamming is simply too profitable.

Mobile menace exaggerated, for now

This year saw the first viruses to affect mobiles, though none made a big splash. June saw the appearance of Cabir, the first virus to hit Symbian-based Bluetooth phones. November brought the Skulls Trojan, which made the smartphone features of Symbian Series 60 phones inoperable. Neither piece of malware spread widely and, in practice, users would have to agree to accept infection for anything untoward to happen. The last 12 months also saw the arrival of a proof-of-concept PocketPC virus called Duts, closely followed by Brador, the first backdoor for PocketPC devices. As mobile devices become more common - and their internal operation better understood - more serious threats are likely to emerge. Every new technology innovation brings with it new types of risk. The launch of a desktop search tool from Google has spawned numerous articles about perceived security risks. But 2005 is likely to be dominated by Windows threats and the trials of virus authors arrested this year, such as Sven Jaschan. Until then, Merry Christmas and safe surfing. ®

Related stories:
The strange death of the mass mailing virus
Who would you like to attack today?
Rise of the Botnets
Zombie PCs spew out 80% of spam
Phatbot arrest throws open trade in zombie PCs
John Leyden, 21 Dec 2004

Botnet used to boost online gaming scores

Exclusive Teenagers convicted last week of setting up a huge network of compromised Windows PCs used it to gain an unfair advantage in online gaming - not to send spam. Detective Sergeant Steve Santorelli, of Scotland Yard's Computer Crime Unit, said the two principal suspects were members of a gaming clan which used illicit access to an estimated 30,000 PCs to generate clicks and therefore gain more points in a game called Outwar. Suspects in the case used the Randex worm to establish a 30,000-strong botnet used to carry out "low profile DDoS attacks" and steal the CD keys for games, he explained. "They had a huge weapon and didn't use as much as they could have done," Santorelli told El Reg. "The main damage caused in the case is down to the cost of cleaning up infected PCs." The case began earlier this year with a tip-off from Germany's c't magazine to Scotland Yard's Computer Crime Unit that virus writers in the UK were selling the IP addresses of PCs infected with Trojans to would-be spammers. Subsequent investigations by Scotland Yard, along with the Federal Bureau of Investigation and the Royal Canadian Mounted Police and assisted by Microsoft, identified a number of suspects: two in the US, one in Canada and one in the UK. The main suspects responsible for the botnet were in the UK and Canada. They were both aged fifteen at the time of the offences and can't be named for legal reasons. The UK suspect last week received a six-month "referral order" from South Cheshire juvenile court in Crewe. The Canadian suspect was arrested in May 2004 and subsequently sentenced to nine months' probation. Now that all legal proceedings are concluded, investigators are free to talk about the particulars of the case for the first time, refuting early reports that the botnet was used to distribute spam. Det. Sgt. Santorelli explained: "At the time of the arrest of the UK suspect, some 9,500 clients were logged into the IRC server that was controlling the botnet. Due to the dynamic nature of the network, in that machines would have been logging in and out throughout the day as they were booted up and shut down by their legitimate users, we estimate that the total number of infected machines was at least 30,000 and probably more during the lifetime of this particular botnet. This botnet was not used for any particularly nefarious purpose but it shows how law enforcement, industry and other organisations are working together to combat these networks of infected machines." ®

Related stories:
Teenage British Trojan distributor escapes jail
Rise of the Botnets
Telenor takes down 'massive' botnet
Property tycoon buys fantasy island
John Leyden, 21 Dec 2004
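The population estimate Santorelli gives above, a 9,500-client snapshot of the IRC control server against at least 30,000 machines over the botnet's lifetime, rests on churn: infected PCs join and leave the channel as their owners boot up and shut down. The Python below is an added example, not code from the article, from Scotland Yard or from The Register; it runs that reasoning over a constructed connection log (every address, host name and timestamp is invented), computing what a single snapshot sees, the peak concurrent count and the lifetime distinct-host count for one control server, and it ranks external hosts on IRC ports by how many internal machines converge on them, the connection-log pattern behind the botnet stories in both this piece and the year-in-review above.

```python
# Snapshot versus lifetime population of an IRC-controlled botnet.
# Added example, not code from the article; every address, host and
# timestamp in SAMPLE_LOG is constructed sample data.
from collections import defaultdict
from datetime import datetime

# Ports commonly used by IRC servers (an assumption made for this example).
IRC_PORTS = {6667, 6668, 6669, 7000}

# Constructed log, one event per line:
#   <ISO timestamp> <internal src> <external dst> <dst port> connect|disconnect
# Five internal hosts churn through one external server over a day; a sixth
# host talks to an unrelated server so the ranking has a negative case.
SAMPLE_LOG = """\
2004-12-01T08:00:00 10.0.0.11 198.51.100.7 6667 connect
2004-12-01T08:05:00 10.0.0.12 198.51.100.7 6667 connect
2004-12-01T08:10:00 10.0.0.13 198.51.100.7 6667 connect
2004-12-01T09:00:00 10.0.0.11 198.51.100.7 6667 disconnect
2004-12-01T09:30:00 10.0.0.14 198.51.100.7 6667 connect
2004-12-01T10:00:00 10.0.0.20 203.0.113.5 6667 connect
2004-12-01T11:00:00 10.0.0.20 203.0.113.5 6667 disconnect
2004-12-01T12:00:00 10.0.0.12 198.51.100.7 6667 disconnect
2004-12-01T13:00:00 10.0.0.15 198.51.100.7 6667 connect
2004-12-01T18:00:00 10.0.0.13 198.51.100.7 6667 disconnect
2004-12-01T18:30:00 10.0.0.11 198.51.100.7 6667 connect
"""

def parse_log(text):
    """Parse log lines into (timestamp, src, dst, port, event) tuples, oldest first."""
    events = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, src, dst, port, event = line.split()
        events.append((datetime.fromisoformat(ts), src, dst, int(port), event))
    events.sort(key=lambda e: e[0])
    return events

def _irc_sessions(events, dst):
    """Yield (src, event) for IRC-port traffic to `dst`, in time order."""
    for _, src, d, port, event in events:
        if d == dst and port in IRC_PORTS:
            yield src, event

def connected_at(events, dst, when_iso):
    """Hosts with a live session to `dst` at one instant: what a raid-day snapshot sees."""
    when = datetime.fromisoformat(when_iso)
    live = set()
    for ts, src, d, port, event in events:
        if ts > when:
            break  # events are sorted, so nothing later can matter
        if d == dst and port in IRC_PORTS:
            (live.add if event == "connect" else live.discard)(src)
    return live

def peak_concurrent(events, dst):
    """Highest number of hosts simultaneously connected to `dst` in the whole log."""
    live, peak = set(), 0
    for src, event in _irc_sessions(events, dst):
        (live.add if event == "connect" else live.discard)(src)
        peak = max(peak, len(live))
    return peak

def distinct_hosts(events, dst):
    """Every host that ever connected to `dst`: the lifetime population."""
    return {src for src, event in _irc_sessions(events, dst) if event == "connect"}

def candidate_controllers(events, min_clients):
    """External IRC servers contacted by >= `min_clients` distinct internal hosts,
    busiest first. Many unrelated machines converging on one IRC server is the
    traffic shape a botnet's control channel leaves in connection logs."""
    clients = defaultdict(set)
    for _, src, dst, port, event in events:
        if port in IRC_PORTS and event == "connect":
            clients[dst].add(src)
    hits = [(dst, len(s)) for dst, s in clients.items() if len(s) >= min_clients]
    return sorted(hits, key=lambda pair: (-pair[1], pair[0]))

if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for server, lifetime in candidate_controllers(evs, 3):
        seen_now = len(connected_at(evs, server, "2004-12-01T12:30:00"))
        print(f"{server}: {seen_now} connected at 12:30, peak {peak_concurrent(evs, server)}, "
              f"{lifetime} distinct hosts over the log")
```

On the sample data the 12:30 snapshot shows two hosts, the peak is three and five distinct machines touched the server over the day, the same gap between snapshot and lifetime that the investigators describe.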

Santy worm defaces thousands of sites

A worm which attacks web servers running the popular phpBB discussion forum software to deface vulnerable systems spread widely across the net today. The Santy worm searches for vulnerable forum sites using Google. When a suitable target is found, Santy uses a remote exploit to gain access and deface it before resuming its scanning activity. Content on defaced sites is replaced by the following text string: "This site is defaced!!! NeverEverNoSanity". Apart from defacing infected sites with this text, the worm has no payload. It will not infect PCs used to view infected sites. F-Secure, the Finnish anti-virus firm, estimates there are more than one million sites using the vulnerable phpBB software, of which tens of thousands have already been defaced. Users of phpBB are advised to update to version 2.0.11. ®

Related stories:
Bofra exploit tied to 'massive botnet'
Son of Code Red is born
IIS worm made to packet Whitehouse.gov
Nokia prefers Python to Perl for smartphone scripting
Your Perl and PHP problems solved
John Leyden, 21 Dec 2004