Sunday, March 30, 2008

With thousands of sites affected, Adobe to patch Flash bug

Adobe is working on an update to its Flash Player software that will address a widespread vulnerability found on hundreds of thousands of Web sites.
The issue, first reported in December by Google researcher Rich Cannings, allows attackers to use buggy Shockwave Flash (.swf) files in order to attack Web surfers. Using what is known as a cross-site scripting attack, criminals could create fake phishing pages or, much worse, gain access to online banking sessions or Web accounts of victims in some situations.

After Cannings went public with his findings, Adobe and other software vendors fixed their development tools so they would no longer create the vulnerable Flash files, but there are still more than 500,000 of these files posted on different sites on the Internet, according to Cannings.

Because of the amount of work it would take to clean up the mess, Cannings had been encouraging Adobe to make changes to its Player software that would nullify these cross-site scripting attacks.

This fix is being developed and will be available "soon," said Adobe spokesman Matt Rozen in an e-mail message.

Security experts say that Adobe's chief problem now is to work out a way of fixing this bug without making it hard for users to view older Flash files.

In an interview on Friday, Cannings said that some of Adobe's early approaches to this problem had "broken" existing Flash files in the player, but that a satisfactory fix was technically possible. If Adobe could convince browser-makers to make some changes as well, it might simplify things, he added.

Three months after he went public with the problem, Cannings estimates that more than 10,000 Web sites remain vulnerable to this attack.

Researchers: GSM mobile security on the ropes

The security of the most widely used standard in the world for transmitting mobile phone calls is dangerously flawed, putting privacy and data at risk, two researchers warned at the Black Hat conference in Europe on Friday.
Researchers David Hulton and Steve Muller showed at Black Hat in the U.S. last month how it was possible to break the encryption on a GSM (Global System for Mobile Communications) call in about 30 minutes using relatively inexpensive off-the-shelf equipment and software tools. The hack means they could listen in on phone calls from as far as 20 miles (32 kilometers) away, or farther.

They're still refining their technique, which involves cracking the A5/1 stream cipher, an algorithm used to encrypt conversations. In about another month, they'll be able to crack about 95 percent of the traffic on GSM networks in 30 minutes or faster with more advanced hardware.

Their research has been motivated in part by the absence of a more secure encryption method despite years of warnings about GSM.

"Ultimately we are hoping that the mobile operators actually initiate a move to secure their networks," Muller said. "They've had about 10 years, and they haven't done it. In my opinion, there is only one language that they speak: that's called revenue. As soon as they lose the revenue, they will actually change."

Since 1991 when GSM networks debuted, the integrity of their security has declined as researchers probed. In 1998, the A5/1 and the A5/2, a weaker stream cipher, were broken.

Commercial interception equipment that can eavesdrop on calls is available now, but it can cost up to US$1 million. Hulton and Muller were game for a challenge and wanted to do it more cheaply.

For around $700 they bought a Universal Software Radio Peripheral, which can receive any frequency up to 3GHz. They modified the software to pick up GSM signals broadcast from base stations. They compared those with signals picked up by a Nokia 3310 phone, which had a software feature that allowed for a revealing peek inside how GSM works.

Hulton and Muller studied how a GSM phone authenticates with a base station and sets up an encrypted call. They then built a machine with lots of memory that uses Field-Programmable Gate Arrays, high-powered hardware used for intensive calculations, in order to crack the call's encryption.

And now they're planning to commercialize the technique, although Hulton said they will vet buyers. He said they haven't had any feedback from operators on their research.

Muller warned that faster attacks on GSM will likely emerge, making it more imperative that the mobile industry finds a solution.

"We started [this project] because everyone said we couldn't do it," Muller said. "Attacks will always get better, they'll never get worse."

EC opens in-depth probe of Nokia-Navteq deal

Amid fears that Nokia, the world's biggest mobile phone manufacturer, might muscle out rivals in the burgeoning market for GPS navigation devices, the European Commission has opened an in-depth investigation of the Finnish company's plans to acquire Navteq, an American producer of digital maps, the regulator said Friday.
Navteq is one of two producers of digital maps that cover all of Europe -- the other is Dutch firm Tele Atlas, itself part of an ongoing in-depth merger investigation by the Commission.

"The Commission's initial market investigation has indicated that the proposed merger raises serious doubts with regards to vertical competition concerns," the Commission said in a statement.

In light of the duopoly in the market for navigable digital maps and Nokia's strong position on the market for mobile handsets, the deal might "lead to a significant impediment of competition," it said.

The Commission has until Aug. 8 to reach a conclusion about the deal.

Meanwhile the separate probe of TomTom, a Dutch firm hoping to acquire Tele Atlas, has been extended to May 21, after the regulator and the companies agreed more time would be useful, Commission spokesman on competition issues, Jonathan Todd, said Friday in an interview.

The market for satellite navigation devices, which has emerged over the past five years, is undergoing rapid consolidation.

Garmin, in the U.S., tried to acquire Tele Atlas last year but withdrew its offer after being outbid by TomTom.

Garmin, meanwhile, struck a deal with Navteq, giving the device maker access to Navteq's maps until 2015.

Votes roll in for ballot on OOXML standard

Votes are rolling in for the final ballot to decide whether the International Organization for Standardization (ISO) adopts a file format based on Microsoft's Office Open XML (OOXML) as an international standard. Countries previously against adoption or abstaining, such as the Czech Republic, Denmark and Finland, are now voting in favor.
In the ballot, due to close on Saturday, 87 national standards bodies will have a chance to vote on adoption of OOXML as an international standard for office documents.

ISO already has one standard for office documents, OpenDocument Format (ODF), which has the backing of many of Microsoft's rivals, including IBM and Sun Microsystems. ODF is the native document format in a number of applications, including Sun's StarOffice, IBM's Lotus Symphony and the open-source application OpenOffice.org.

That corporate rivalry has made for an often-acrimonious voting process, as the technical committees advising national standards bodies typically include representatives from many of these companies.

ISO held a first ballot on adoption of OOXML last September, but the format failed to win approval from enough countries. ISO rules require that standards bodies voting against adoption of a draft standard give technical reasons for their disapproval. ISO then organizes a meeting to improve the draft in light of those comments, after which the countries that took part in the original vote have a month to examine the revised draft and decide whether to change their vote.

For OOXML, the ballot resolution meeting took place in Geneva at the end of February, and standards bodies have until Saturday to inform ISO if they wish to change their vote.

To become a standard, OOXML requires approval from three-quarters of all countries voting, and approval from two-thirds of "participating" or "P-member" countries. In September, it missed both targets, with 74 percent support overall and just 53 percent among the more powerful P-members.

Some countries have been swayed by the changes made to the draft.

Denmark announced Friday that it will now vote in favor, rather than against, while the Czech Republic announced a similar decision earlier in the week. Both are P-members.

Cuba, on the other hand, announced that it is now against, while Kenya, a P-member, has decided to abstain.

Finland, another P-member, is also now in favor. The national standards body SFS abstained in September, but changed its vote on Thursday after a five-hour meeting.

The debate was heated, said Juha Vartiainen, a technical adviser at SFS, with around 40 experts taking part in the discussion.

"There was strong opposition, but not so strong as last time," he said.

The tradition at SFS meetings is to reach a consensus rather than to vote on matters such as this, he said.

"We didn't fully reach it, but after five hours the chair made the decision," he said.

While Finnish software company representatives at the meeting remained entrenched in their positions, representatives of central and local government, who also have a voice, were persuaded that the Geneva meeting had improved the draft standard enough to approve it.

"It was mainly government bodies and communities that are for it, that was the big change," said Vartiainen.

(Additional reporting by Brenda Zulu in Lusaka, Zambia, and Rebecca Wanjiku in Nairobi, Kenya.)

FTC settles with TJX, LexisNexis

The U.S. Federal Trade Commission has settled data-breach complaints against retailer TJX and data broker Reed Elsevier, requiring both companies to establish comprehensive information security programs and submit to biennial data security audits over the next 20 years.
The settlements, announced Thursday, also require the companies to identify internal and external risks to the security and confidentiality of personal information and assess the safeguards already in place. The settlements don't include fines because the FTC doesn't have authority to levy civil fines in violations of the FTC Act, which prohibits unfair business practices. The FTC has asked Congress for the ability to seek civil fines under the FTC Act, an agency spokeswoman said.

The settlement with TJX, which owns T.J. Maxx, Marshalls and other retailers, comes in response to a data breach that exposed more than 45 million customer credit and debit cards. The company reported the 2005 breach in January 2007, and some banks have alleged that the number of cards affected is 94 million.

Reed Elsevier and subsidiaries LexisNexis and Seisint announced in March 2005 that hackers had stolen passwords, names, addresses, Social Security and driver's license numbers of about 32,000 customers. Since then, the number of compromised customers has risen to 316,000.

The FTC has brought a total of 20 complaints against companies that had data breaches. "By now, the message should be clear: companies that collect sensitive consumer information have a responsibility to keep it secure," FTC Chairman Deborah Platt Majoras said in a statement. "Information security is a priority for the FTC, as it should be for every business in America."

The agency charged that TJX stored and transmitted personal information in clear text, did not use "readily available" security measures to limit wireless access to its networks, did not use strong passwords and did not use security measures such as firewalls.

The FTC charged that Reed Elsevier allowed customers to use easy-to-guess passwords to access Seisint's Accurint databases containing sensitive personal information such as driver's license numbers and Social Security numbers.

Identity thieves exploited these security failures, and used the information to activate credit cards and open new accounts, the FTC said.

The FTC charged that the company failed to make Seisint user credentials hard to guess, failed to periodically change user credentials, and failed to suspend credentials after a number of unsuccessful log-in attempts. The company also allowed Seisint customers to store credentials in cookies on their computers, permitted users to share credentials, did not adequately address vulnerabilities in Seisint's Web applications and computer network and did not implement "simple, low-cost and readily available" defenses against attacks, the FTC said.

LexisNexis, which acquired Seisint in 2005, has "resolved the issues identified by the FTC," the company said in a statement. The company is "committed to maintaining the enhanced security safeguards that we put in place following the acquisition."

A TJX spokeswoman wasn't immediately available for comment. The company settled several class-action lawsuits related to the breach in September, with some customers getting free credit monitoring and credit insurance and another group getting one or two US$30 vouchers.

"TJX has worked diligently with some of the world's best computer security firms to further enhance our computer security," Carol Meyrowitz, the company's president and CEO, said in a statement last month. "We have also continued to work with law enforcement and government agencies and very much want to see the cyber criminals who attacked our computer system brought to justice."

Microsoft renames CRM Live to 'CRM Online'

Microsoft is changing the name of its on-demand CRM (customer relationship management) offering to Microsoft Dynamics CRM Online, according to a company official.
The product was previously called CRM Live.

Brad Wilson, general manager of Microsoft Dynamics CRM, said in an e-mailed statement that the name change is meant to separate Microsoft's consumer lines from its offerings for businesses.

"In recent months, Microsoft has launched the new Online brand, with tremendous investment in and focus around on-demand technology for business users," the statement reads in part. "Whereas the Live brand is focused on consumers and small businesses, the Online brand is fully aligned with our existing Dynamics CRM strategy of delivering outstanding solutions for small businesses, midsized companies, and large enterprises."

"This is simply a name change; there is no change to the product release dates, target markets, channel strategy, or pricing," he added.

More than 500 early-access customers are using CRM Online and the product will be launched broadly across the U.S. and Canada in the second quarter, according to Wilson.

Comcast/BitTorrent agreement raises questions

Thursday's announcement that Comcast and BitTorrent will work together to solve network management problems won praise from some quarters, including members of the U.S. Federal Communications Commission, but some net neutrality advocates said the deal doesn't diminish the need for new government rules.
Comcast, the largest cable provider in the U.S., announced it would work with peer-to-peer vendor BitTorrent on ways to better manage network traffic as many users trade high-bandwidth files. Comcast has come under fire for slowing some BitTorrent traffic; some consumer and digital rights groups have said Comcast's behavior, revealed in an Associated Press investigation last October, shows the need for Congress or the FCC to approve net neutrality rules.

The two companies said they will work together, and engage the broader Internet community, on new ways to manage network traffic during peak times. Comcast also said it will migrate to a network management technique that is protocol-agnostic by the end of the year.

FCC Chairman Kevin Martin said he was pleased that Comcast has "reversed course and agreed that it is not a reasonable network management practice to arbitrarily block certain applications on its network."

Martin also praised Comcast for working with BitTorrent. But he expressed some reservations.

"I am concerned, though, that Comcast has not made clear when they will stop this discriminatory practice," he said in a statement. "It appears this practice will continue throughout the country until the end of the year and in some markets, even longer. While it may take time to implement its preferred new traffic management technique, it is not at all obvious why Comcast couldn't stop its current practice of arbitrarily blocking its broadband customers from using certain applications."

Martin called on Comcast to provide its broadband customers and the FCC with a date when it plans to stop slowing BitTorrent traffic.

FCC member Jonathan Adelstein, a Democrat, praised the agreement but said the FCC will need to see more details of the deal. He also urged the "broader Internet community" to engage in similar dialogue.

FCC member Robert McDowell, like Martin a Republican, was more forthcoming with his praise. "Consumers will be the ultimate beneficiaries of this agreement," he said in a statement. "As I have said for a long time, it is precisely this kind of private sector solution that has been the bedrock of Internet governance since its inception. Today's announcement obviates the need for any further government intrusion into this matter."

Several consumer and digital rights groups disagreed with McDowell.

Comcast's agreement with BitTorrent has no bearing on net neutrality complaints now before the FCC, said Gigi Sohn, president of Public Knowledge, one of the groups calling for the FCC to pass net neutrality rules. Sohn called Comcast's agreement "irrelevant" to the complaints before the commission.

"The FCC has the responsibility to protect the rights of consumers against discriminatory network management practices," Sohn said in an e-mail. "Any future agreements in the private sector do not change that reality, particularly if the companies involved reach agreements that work specifically with some technologies or network companies and not with others. Any arrangements made now would not cover any future developments in blocking, throttling or filtering that any other companies may use."

Internet users still need strong net neutrality protections, added Nicholas Reville, executive director of the Participatory Culture Foundation, a nonprofit that distributes the open-source BitTorrent application Miro.

"Comcast can see that public demands for net neutrality protections are growing -- this announcement is a transparent attempt to distract from that debate," Reville said in an e-mail. "The announcement from Comcast and BitTorrent Inc. has absolutely nothing to do with the need for net neutrality protections and BitTorrent Inc. certainly does not speak for other torrent technology companies."

But Bret Swanson, a senior fellow at conservative think tank the Progress and Freedom Foundation (PFF), called the agreement a "huge win for common sense and for a healthy, growing Internet."

"We at PFF have been arguing for years that the Internet is a fast-moving realm of changing technology and content," he wrote in a blog post. "We advised that Washington should not wade into this dynamic arena with static rules that are likely to be misguided, and sure to be outdated even before they go into effect."

Study sees Microsoft brand in sharp decline

Microsoft's brand power has been in sharp decline over the past four years, an indication the company is losing credibility and mindshare with U.S. business users, according to a recent study by market research firm CoreBrand.
According to the CoreBrand Power 100 2007 study, which polled about 12,000 U.S. business decision-makers, Microsoft dropped from number 12 in the ranking of the most powerful U.S. company brands in 2004 to number 59 last year. In 1996, the company ranked number 1 in brand power among 1,200 top companies in about 50 industries, said James Gregory, CEO of CoreBrand.

CoreBrand measures brand power using four criteria. It first rates the familiarity of a company's brand. Once a company has a certain level of familiarity, it is ranked according to three "attributes of favorability": overall reputation, perception of management and investment potential, Gregory said. While Microsoft's brand is still eminently recognizable, the company is declining in all three favorable attributes, he said.

Gregory said that a decline in and of itself is not indicative that a company is losing its mindshare or reputation among customers. However, what's significant in Microsoft's case is that the decline has been consistent over a number of years, and has plunged dramatically in a brief time.

"When you see something decline with increasing velocity, it's a concern," he said.

Among its peers in the category of Computers, Peripherals and Computer Software, Microsoft is second to IBM in brand power, with Toshiba a close third, Gregory said. If Microsoft's downward trend continues, Toshiba could pass it in brand power next year, he said.

Gregory could only speculate as to why Microsoft's reputation has been declining, since his firm does not ask people that specific question. He said the "underwhelming" response to Windows Vista might be one reason, and Apple's clever "I'm a Mac, I'm a PC" advertising campaign -- which paints Windows in an unfavorable light -- may be another.

IBM suffered a "much faster and more severe" decline in brand power in the early 1990s, Gregory said, and it took the company 10 years to rebuild the brand's reputation. To stage a similar turnaround, Microsoft must have a clearer vision of the direction in which the company is headed and put forth leaders that people can trust to articulate that vision, he said.

Microsoft, which has been diversifying its business beyond packaged software in the past several years, has struggled to articulate how the many facets of its business -- software, entertainment and online among them -- show a cohesive business plan. The company has been trying to clarify at least one of those strategies -- its online advertising business -- with new services and a bid to purchase Yahoo. However, Gregory suggested it may take more than that to raise the perception of its brand.

TomTom says Tele Atlas merger held up by EU investigation

TomTom's acquisition of mapping company Tele Atlas has dragged on longer than expected, held up by an investigation by the European Union's antitrust authority, which must approve the merger. TomTom has extended its offer for another two months.

The European Commission announced in late November that it would examine whether TomTom acquiring Tele Atlas would have an adverse effect on competition in the market for GPS navigation devices, saying it expected to complete its investigation by April 17.

However, on Thursday TomTom said it now expected that investigation would not be complete until May 21, and announced it would extend its offer for Tele Atlas until May 30.

Despite the delay, TomTom and Tele Atlas said they remain confident that the Commission will approve the deal.

TomTom initially offered €2 billion (US$3.2 billion) for Tele Atlas in July, raising its offer to €2.9 billion in November after a rival bid of €2.3 billion from navigation device maker Garmin. Meanwhile, Tele Atlas's main rival in the mapping business, NavTeq, had been snapped up for US$8.1 billion by Nokia, which is increasingly incorporating GPS receivers into its mobile phones.

Although TomTom and Tele Atlas are in different markets -- TomTom makes navigation devices and Tele Atlas supplies mapping data -- many of TomTom's competitors rely on information from Tele Atlas, which has few competitors. The Commission expressed concern that the price of navigation devices could rise if TomTom were to control the price its competitors paid for mapping data.

Upon receiving word of the timetable for the Commission's inquiry, TomTom extended its tender offer for Tele Atlas's shares until March 31, assuming the investigation would be completed by then.

As the deadline approached with no end to the investigation in sight, though, TomTom was forced to extend its tender offer. TomTom said it may extend the offer again if the Commission has still not reached a decision by May 30.

Analyst: Money will fuel mobile spying programs

Spying programs for mobile phones are likely to grow in sophistication and stealth as the business around selling the tools grows, according to a mobile analyst at the Black Hat conference on Friday.
Many of the spy programs on the market are powerful, but aren't very sophisticated code, said Jarno Niemela, a senior antivirus researcher for Finnish security vendor F-Secure, which makes security products for PCs and mobile phones.

But there is increasing evidence that money from selling the tools will create a stronger incentive for more accomplished programmers to get into the game, which could make the programs harder to detect, Niemela said.

Niemela said his prediction follows what has happened with the malware writers in the PC market. Many hackers are now in the business of selling easy-to-use tools to less technical hackers rather than hacking into PCs themselves.

One of the latest tools on the market is Mobile SpySuite, which Niemela believes is the first spy tool generator for mobiles. It sells for US$12,500 and would let a hacker custom-build a spy tool aimed at several models of Nokia phones, Niemela said.

The number of mobile spyware programs pales in comparison to the number of such programs available for PCs. However, mobile spying programs are harder to track, since security companies such as F-Secure don't see as many samples circulating on the Internet as they do of malicious software for PCs.

Anecdotal evidence has emerged that enterprises may be increasingly encountering mobile spyware on their fleets of phones. The clues have come from companies that are relatively cagey when talking about what they have seen.

"There have been certain cases of corporate customers asking very detailed questions about spy tools and not mentioning why they need the information," Niemela said.

Some of the more well-known spy programs are Neo-call and FlexiSpy. Neo-call is capable of secretly forwarding SMS (Short Message Service) text messages to another phone, transmitting a list of phone numbers called, and logging keystrokes. FlexiSpy has a neat, Web-based interface that shows details of call times, numbers and SMSes, and it can even use a phone's GPS (Global Positioning System) receiver to pinpoint the victim's location.

Hackers usually need to have access to the phone itself to install the software. And OS manufacturers such as Symbian have enabled security features such as application signing, which is intended to prevent rogue programs from being installed on a phone.

Most rogue spying programs leave traces on the phone, and analysis tools can be used to check a phone's processes and file system to see if something is there that shouldn't be, Niemela said.

But there are ways that less technical users can get a hint they've been hacked. One simple clue is if a colleague of the victim knows something that they shouldn't, Niemela said.

Also, mobile spying programs have to transmit their data. If the spy program sends data over GPRS (General Packet Radio Service), the network operator will demand payment. "As long as it has to use a paid channel, it cannot escape the operator's bill," Niemela said.

Another way is to replace the phone's SIM card with one that allows for real-time monitoring. SMSes can then be sent to the phone, which in many countries are free to receive. If the monitoring reveals outgoing data traffic after SMSes are received, the phone could be hacked. It's also possible to check if the GPRS connection icon lights up after a message is received, Niemela said.
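The two indicators Niemela describes, a data session that follows an inbound SMS the user never acted on and the operator-billed traffic it produces, can be checked mechanically once phone events are logged. The script below is an added example, not F-Secure's tooling; the log format and the event lines are constructed for illustration, and the 60-second correlation window is an assumption.

```python
"""Correlate inbound SMSes with GPRS sessions over a constructed phone event log.
Heuristic from the article: a spy tool that reacts to control SMSes opens a data
session shortly after a message arrives, without any user action in between, and
that session shows up as outgoing bytes the operator will bill for."""
import re
from datetime import datetime, timedelta

# Constructed sample log (not real device output). One event per line:
# "<timestamp> <EVENT> key=value ..."
SAMPLE_LOG = """\
2008-03-28 10:02:11 SMS_RECV from=+358401234567
2008-03-28 10:02:14 GPRS_SESSION_START
2008-03-28 10:02:19 GPRS_DATA_OUT bytes=1840
2008-03-28 10:02:25 GPRS_SESSION_END
2008-03-28 11:30:00 USER_ACTION app=browser
2008-03-28 11:30:02 GPRS_SESSION_START
2008-03-28 11:30:09 GPRS_DATA_OUT bytes=52210
2008-03-28 11:31:40 GPRS_SESSION_END
2008-03-28 13:15:30 SMS_RECV from=+358409876543
2008-03-28 13:15:45 USER_ACTION app=messaging
2008-03-28 13:16:02 GPRS_SESSION_START
2008-03-28 13:16:05 GPRS_DATA_OUT bytes=900
2008-03-28 13:16:10 GPRS_SESSION_END
2008-03-28 15:40:00 SMS_RECV from=+358401234567
2008-03-28 15:40:20 GPRS_SESSION_START
2008-03-28 15:40:23 GPRS_DATA_OUT bytes=2210
2008-03-28 15:40:30 GPRS_SESSION_END
"""

LINE_RE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (\S+)(?: (.*))?$")


def parse_log(text):
    """Return a list of (timestamp, event_kind, attrs_dict) tuples."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not fit the constructed format
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        attrs = dict(kv.split("=", 1) for kv in (m.group(3) or "").split() if "=" in kv)
        events.append((ts, m.group(2), attrs))
    return events


def find_sms_triggered_sessions(events, window_seconds=60):
    """Return (sms_time, session_start, bytes_out) for each GPRS session that
    starts within window_seconds of an inbound SMS with no USER_ACTION between
    the two. A session preceded by a USER_ACTION is treated as user-initiated."""
    findings = []
    last_sms = None
    user_acted = True       # no SMS is pending until one arrives
    bytes_out = 0
    pending = None          # (sms_ts, session_ts) for a suspicious open session
    window = timedelta(seconds=window_seconds)
    for ts, kind, attrs in events:
        if kind == "SMS_RECV":
            last_sms = ts
            user_acted = False
        elif kind == "USER_ACTION":
            user_acted = True
        elif kind == "GPRS_SESSION_START":
            bytes_out = 0
            suspicious = last_sms is not None and not user_acted and ts - last_sms <= window
            pending = (last_sms, ts) if suspicious else None
        elif kind == "GPRS_DATA_OUT":
            bytes_out += int(attrs.get("bytes", "0"))
        elif kind == "GPRS_SESSION_END":
            if pending is not None:
                findings.append((pending[0], pending[1], bytes_out))
                pending = None
    return findings


if __name__ == "__main__":
    for sms_ts, start_ts, nbytes in find_sms_triggered_sessions(parse_log(SAMPLE_LOG)):
        print(f"SMS at {sms_ts} followed by data session at {start_ts}: {nbytes} bytes out")
```

Of the three SMS arrivals in the sample, only the two that were not followed by a user action before the data session are reported.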

Niemela offered some defenses against mobile spyware: Keep the OS up to date, as manufacturers are usually working to counter new devious software. The use of a mobile antivirus program is also prudent, he said. People should also use password protection to block access if someone gets a hold of the device.

Administrators can also regularly "flash" phones to wipe off malware, as well as ensuring that phones only install signed applications.

And when the phone is out of a person's hands, another option is to put the device in a tamper-proof container. But "for most people, this is way too James Bond," Niemela said.

NTT DoCoMo takes a step towards bio-sensing cell phones

Researchers in Japan have demonstrated one part of an envisaged molecular level system that might one day enable cell phones to keep a regular watch on their owners' health.
NTT DoCoMo hopes some future cell phones will contain "DNA chips," devices capable of analyzing molecules from the user's body, to provide a warning about a possible virus, high-levels of stress or other factors that might affect health.

But for the DNA chips to get the samples required, the molecules to be analysed must be transported into the phone from the user's body. This is where the latest research in so-called "molecular communications" comes in.

The work carried out by NTT DoCoMo and researchers at The University of Tokyo proved the feasibility of transporting a specific molecule between two set points using chemically-engineered motor proteins, said Shuichiro Ichikoshi, a spokesman for NTT DoCoMo in Tokyo.

Motor proteins are typically found in muscles and nerve cells, and in the research they were deposited on a glass substrate in the chip to create paths to the DNA chip. When a molecule arrives via the user's sweat, the motor proteins transport it to the sensors for analysis.

The entire process requires no electrical or mechanical input or control so can work on its own.

The development is just one piece of the research required before such a system can be commercialized. NTT DoCoMo's Ichikoshi expects the entire system to be feasible in a laboratory about five years from now and not ready for commercial use for perhaps another five years after that.

NTT DoCoMo, which is more usually concerned with transporting digital data across its cellular network, has been working on molecular communications for some time, and previous research involved a program with the University of California.

Google: Web sites slow to fix serious Flash flaws

Two months after Adobe Systems patched a serious flaw in its Flash development software, there are still hundreds of thousands of Web pages serving up buggy Shockwave Flash (.swf) files that could be exploited by hackers, according to a Google researcher.
Google Security Engineer Rich Cannings discovered the widespread vulnerability in his spare time while researching a book on Web security. It turned out that many Flash development tools created files that could be used by hackers in what's known as a cross-site scripting attack. This attack can be used in phishing, but it also gives the bad guys a nearly undetectable route into a victim's bank account or almost any type of Web service.

Cannings estimates that more than 10,000 Web sites are still affected by the issue.

Cannings first noticed the bug on Google's Web site and tracked down the Google employee responsible for the flaw: a sales representative who had been using Dreamweaver to create buggy Flash files.

The bug was in other Flash development tools too, but Adobe and others quickly patched their software after Cannings disclosed his findings. The problem is that Flash files created before the fix can still trigger the issue.

Google dealt with its old buggy files by moving all Flash animation to Web servers that used numerical Internet Protocol addresses rather than the Google.com domain. This made the cross-site scripting attack impossible on the Google.com Web site. Engineers there didn't even try to repair the buggy Flash files because it's "such a pain" to fix them, Cannings said. He spoke during a talk at the CanSecWest security conference and in a follow-up interview.

But for many companies, moving Flash animation to a different domain may not be an option. They are faced with rewriting their Flash files -- an expensive job that is often outsourced to contractors by companies' sales or marketing departments.

With Web site management also frequently outsourced, it's just not practical for many companies to fix the issue the same way as Google, according to Dan Hubbard, vice president of security research with Websense, a content-filtering vendor.

But that doesn't mean that everyone is ignoring the issue. Fearing that their customer accounts could be compromised by this type of attack, banks are cleaning up vulnerable Flash files, Cannings said. "I had a few banks tell me, 'Oh my God this is a big problem.' "

Hackers are not exploiting cross-site scripting bugs in a widespread way right now. In fact, Cannings believes that these flaws have been over-hyped in recent months. For Web sites like Google that contain sensitive customer information, they are a very serious problem, but they are not as critical as, say, remote-code execution flaws that would allow unauthorized software to run on a victim's PC, he said.

Still, if the Flash issue is ever going to be addressed in a widespread fashion, it's unlikely that anyone other than Adobe could really solve it, Cannings said. Although it would be a massive technical challenge, changes could be made to Adobe Flash Player software that would make these cross-site scripting attacks impossible, Cannings said.

"I think Adobe should step up and fix it," he said.
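Google's workaround above relies on the browser's same-origin rule: a script-injection bug inside an old SWF can only act in the origin the file is served from, so moving the files off the main domain takes that site's cookies and pages out of reach. The following check is an added example, not Google's code or anything from the article; it parses a page's HTML for the conventional object/embed/param markup, resolves each .swf reference, and lists the ones still served from the page's own origin. The URLs and HTML are constructed for illustration.

```python
"""Flag Flash (.swf) objects that a page still serves from its own origin.

Added example; not code from the article or from Google. It checks the
property behind the mitigation the article describes: every .swf a page
embeds should resolve to an origin (scheme, host, port) different from
the page's own, so that a scripting bug in the SWF cannot run as the site.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


def origin(url):
    """Return (scheme, host, port), the browser's notion of an origin."""
    parts = urlsplit(url)
    port = parts.port or (443 if parts.scheme.lower() == "https" else 80)
    return (parts.scheme.lower(), (parts.hostname or "").lower(), port)


class SwfCollector(HTMLParser):
    """Collect every .swf URL referenced by object/embed/param tags."""

    def __init__(self):
        super().__init__()
        self.swf_urls = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        candidates = []
        if tag == "embed":
            candidates.append(attrs.get("src"))
        elif tag == "object":
            candidates.append(attrs.get("data"))
        elif tag == "param" and (attrs.get("name") or "").lower() in ("movie", "src"):
            candidates.append(attrs.get("value"))
        for url in candidates:
            if url and urlsplit(url).path.lower().endswith(".swf"):
                self.swf_urls.append(url)


def same_origin_swfs(page_url, html):
    """Return the absolute .swf URLs that share the page's origin (the risky ones)."""
    parser = SwfCollector()
    parser.feed(html)
    page_origin = origin(page_url)
    risky = []
    for ref in parser.swf_urls:
        absolute = urljoin(page_url, ref)  # resolve relative references
        if origin(absolute) == page_origin and absolute not in risky:
            risky.append(absolute)
    return risky


# Constructed sample page (hypothetical host names): one SWF still on the
# main domain, one already moved to a numeric-IP host as the article describes.
SAMPLE_PAGE_URL = "http://www.example.com/products/index.html"
SAMPLE_HTML = """
<html><body>
<object data="/media/banner.swf" type="application/x-shockwave-flash">
  <param name="movie" value="/media/banner.swf">
</object>
<embed src="http://203.0.113.10/flash/promo.swf" type="application/x-shockwave-flash">
</body></html>
"""

if __name__ == "__main__":
    for url in same_origin_swfs(SAMPLE_PAGE_URL, SAMPLE_HTML):
        print("same-origin SWF, move it off the main domain:", url)
```

Run over a site's saved HTML, the list is the inventory of files that still need either repair or relocation; a SWF on a different port or scheme counts as a separate origin, which the check reflects.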

Gone in 2 minutes: Mac gets hacked first in contest

It may be the quickest $10,000 Charlie Miller ever earned.
He took the first of three laptop computers -- and a $10,000 cash prize -- Thursday after breaking into a MacBook Air at the CanSecWest security conference's PWN 2 OWN hacking contest.

Show organizers offered a Sony Vaio, Fujitsu U810 and the MacBook as prizes, saying that they could be won by anybody at the show who could find a way to hack into each of them and read the contents of a file on the system, using a previously undisclosed "0day" attack.

Nobody was able to hack into the systems on the first day of the contest when contestants were only allowed to attack the computers over the network, but on Thursday the rules were relaxed so that attackers could direct contest organizers using the computers to do things like visit Web sites or open e-mail messages.

The MacBook was the only system to be hacked by Thursday; however, the word on the show floor is that the Linux and Vista systems will meet with some serious challenges on Friday.

Miller, best known as one of the researchers who first hacked Apple's iPhone last year, didn't take much time. Within 2 minutes, he directed the contest's organizers to visit a Web site that contained his exploit code, which then allowed him to seize control of the computer, as about 20 onlookers cheered him on.

He was the first contestant to attempt an attack on any of the systems.

Miller was quickly given a nondisclosure agreement to sign and he's not allowed to discuss particulars of his bug until the contest's sponsor, TippingPoint, can notify the vendor.

Contest rules state that Miller could only take advantage of software that was preinstalled on the Mac, so the flaw he exploited must have been accessible, or possibly inside, Apple's Safari browser.

Last year's contest winner, Dino Dai Zovi, exploited a vulnerability in QuickTime to take home the prize.

Dai Zovi, who congratulated Miller after his hack, didn't participate in this year's contest, saying it was time for someone else to win.

By late Thursday, Apple engineers were already working on patching the issue, said Aaron Portnoy, a TippingPoint researcher who is one of the contest's judges.

Miller's $10,000 payday may sound sweet, but it's not the most Miller has been paid for his work. In 2005, he earned $50,000 for a Linux bug he delivered to an unnamed government agency.

Shane Macaulay, who was Dai Zovi's co-winner last year, spent much of Thursday trying to hack into the Fujitsu Vista laptop, at one point rushing back to his Vancouver area home to retrieve a file that he thought might help him hack into the system.

But it was all in vain.

"It's one thing to find a vulnerability, it's another thing to make working exploit code," said Terri Forslof, TippingPoint's Manager of Security Response.

Forslof said that a number of "high quality" researchers have said that they will attempt to hack the machines on Friday, the last day of the conference.

She expects both systems to be hacked on Friday, when contest rules will be further eased, and hackers will be able to attack popular third-party software that can be installed on the systems. "I don't think we'll have to take any home," she said.

Oracle buying Web app test tools from Empirix

Fresh off a strong third-quarter earnings report, Oracle announced Thursday that it has agreed to acquire a set of Web application testing products from Empirix for an undisclosed sum.
Oracle plans to make Empirix's e-TEST suite "a core component" of its Enterprise Manager product.

Empirix, based in Bedford, Massachusetts, will retain control of the business until the agreement is finalized, according to Oracle. The company also makes testing products for Voice over Internet Protocol (VoIP) and IP multimedia subsystems (IMS).

"The acquisition of e-TEST suite is expected to strengthen Oracle Enterprise Manager with application load and functional testing technology, and enable Oracle to provide comprehensive application management life cycle solutions," said Leng Leng Tan, vice president of applications and systems management for Oracle, in a prepared letter to customers.

In other documents made available on Thursday, Oracle said e-TEST suite is "proven" and being used by more than 685 customers in industries such as financial services, insurance and manufacturing.

E-TEST suite components include e-Manager Enterprise, for developing and organizing test processes; e-Tester, for building test scripts; and e-Load, for load and performance testing of Web applications.

Empirix products are "highly compatible" with Oracle's, and hundreds of its customers have used them successfully, Oracle said.

Michael Cote, an analyst with Redmonk, said he was not familiar with Empirix but suggested Oracle's pending purchase may hint at a bigger-picture strategy.

"All I can say is that the IT management world is keeping their eye on Oracle to become a bigger player in IT management," he said Thursday. "So far, Oracle is focused on providing management for Oracle stuff -- which there's plenty of to worry about -- but stuff like this could expand them out more into general performance testing and monitoring."

Empirix has more than 350 employees worldwide, according to its Web site. Its Web application-testing employees "have significant domain experience in application testing" and "will be an integral part of the applications and systems management business within Oracle," Oracle said.

Acquisitions, overseas sales boost Oracle earnings

Oracle said Wednesday that its third-quarter revenues were up 21 percent to US$5.3 billion compared to the same quarter last year, defying the widespread malaise in the U.S. economy.
Earnings per share grew 30 percent to $.26 per share compared to the same quarter in 2007. Net income for the quarter, which ended February 28, rose 30 percent to $1.3 billion.

Total software revenues grew 21 percent to $4.2 billion, with new license revenue for databases and middleware up by 20 percent, and for applications by 7 percent. Service revenues rose 21 percent to $1.1 billion over the same period in 2007.

Excluding one-time charges, net income was up 22 percent to $1.6 billion and earnings per share grew 23 percent to $.30, Oracle said.

"I think in the context of the economy we delivered a good quarter," said Oracle's president, Charles Phillips, during a conference call. "We've been through this before and we know how to adjust. It is an [economic] environment that favors large, stable providers."

He and other company executives predicted that Oracle's fortunes would improve in its next earnings report.

"A lot of people have annual buying cycles around our Q4," Phillips said. "Customers think they're going to get a better deal if they wait until Q4."

Oracle has been on a high-dollar buying spree for the past few years, most notably its recent $8.5 billion bid for middleware rival BEA Systems.

Some have suggested that the acquisition strategy would help shield Oracle from revenue losses. In addition, like rival IBM, a significant portion of Oracle's revenue comes from overseas sales, meaning it can weather tough economic conditions stateside and also benefit from the ongoing weakness in the dollar.

Roughly half of the company's Q3 revenues came from outside the U.S. Revenue in the Americas stood at $2.7 billion, with $1.87 billion coming from Europe, the Middle East and Africa (EMEA), and $771 million in Asia-Pacific.

CEO Larry Ellison said the pending acquisition and subsequent integration of BEA and its product line should go smoothly compared to past integrations.

"It's a shorter process because both BEA and Oracle develop middleware according to industry standards. It's very easy for us to consolidate the products," he said. "The integration of BEA should happen more quickly, both on the selling side and on the development side, than any of our other acquisitions."

The 7 percent increase in Oracle's application revenue should be viewed in the proper context, Ellison argued. "We just had a very strong quarter a year ago," he said. That makes the most recent quarter's growth look small by comparison, he said. "We think our Q3 applications business was quite good," Ellison said.

Shares of Oracle fell about $1.81 to $19.13 in after-hours trading.

Google's paid search growth soft again in February

For the second straight month, a comScore report suggests that Google's revenue engine is slowing down, highlighting again the perils of the company's overwhelming dependence on a single type of online advertising to fuel its business.
The report is available only to comScore clients, but a comScore spokesman said that its findings are accurately rendered in a note authored Wednesday by Citigroup analysts Mark Mahaney and James Samford.

A key takeaway from the Citigroup analysts: In February, clicks on Google's U.S. search ads grew only 3.1 percent year-on-year. Considering that February had 29 days, the growth rate would probably have been flat without the extra day, Mahaney and Samford wrote.

Coupled with a 0.3 percent year-on-year decline in January, also per comScore, a trend is emerging that Google's pay-per-click (PPC) ad business may be losing steam, after powering the search giant to mind-blowing levels of revenue and profit growth for years.

While the news is of concern mostly to investors, it is also of interest for companies investing in Google's enterprise software products, like the fee-based version of the Google Apps suite and the Google Search Appliance. This is because the robust growth of Google's PPC ad business is what has allowed the company in recent years to fund its endeavors in enterprise search and hosted collaboration and communication suites. Should the PPC business slow down significantly, it will be interesting to see how that may affect Google's investment in its enterprise software unit, which generates a small percentage of the company's revenue.

Unfortunately for Google, it lacks a complementary revenue stream at the moment, despite years of actively trying to diversify into other forms of online ads, like banner ads, and into offline ads, like magazine, radio and TV advertising. Google still depends almost entirely on the PPC text ads it delivers along with its search results and in third-party partner sites.

Citigroup has been expecting a paid clicks growth of about 20 percent year-on-year for Google in the first quarter. "So if the comScore data is accurate and holds for Q1, and if it is representative of Google’s global trends -- not just U.S. -- then it could imply risk to Q1 estimates," the analysts wrote.

Google executives, aware that the company is long overdue for diversifying its revenue mix, are promising concrete results this year and in 2009 in display advertising, such as banners, now that the DoubleClick acquisition has been finalized.

In November, Yahoo ranked first in the U.S. in display ad impressions with a 19 percent share, followed by News Corp.'s Fox Interactive at 16.3 percent, while Microsoft came in third with 6.7 percent, according to comScore. Google took seventh place with 1 percent.

In midafternoon trading on Thursday, Google shares were down 2.8 percent to US$445.36, about $300 below the 52-week high.

When comScore issued its paid clicks report for January, which also included the fact that Google's paid clicks had suffered a 7 percent sequential decline from December, Google officials tried to put a positive spin on the news. They said the decline was due in large part to the company's initiative to improve the quality of ads' delivery, meaning that with more precise ad targeting, users had to click on fewer ads.

On Thursday, Google declined to comment about comScore's February report.

Beleaguered BitTorrent search engine shuts down

Expensive legal battles have caused TorrentSpy, the search engine for the BitTorrent file-sharing service, to shut down.
A note on the home page of TorrentSpy's Web site said it is shutting down "not due to any court order or agreement," but because of a team decision.

TorrentSpy has spent the past two years and hundreds of thousands of dollars "defending the rights of our users and ourselves" in a legal climate that was "hostile" to torrent files, according to the note, which is attributed to the TorrentSpy team.

"Ultimately the Court demanded actions that in our view were inconsistent with our privacy policy, traditional court rules, and International law; therefore, we now feel compelled to provide the ultimate method of privacy protection for our users -- permanent shutdown," the team said.

TorrentSpy was a search engine that helped visitors find torrent files on the Web. Torrent files are often music or movie files stored in an easily shared file format. The search engine came under legal fire from the entertainment industry, which in general does not want licensed content to be distributed royalty-free.

In December, the Motion Picture Association of America (MPAA) won a copyright infringement case against TorrentSpy that it had filed in 2006. TorrentSpy argued that its site doesn't contain any copyrighted works or links to copyrighted works, does not promote copyright infringement and can't be held liable for the actions of visitors once they leave its Web site. The site lost its case because the court ruled it had tampered with evidence.

Microsoft vs. Apple: Who patches 0-days faster?

Apple's teasing commercials that imply its software is safer than Microsoft's may not quite match the facts, according to new research revealed at the Black Hat conference on Thursday.
Researchers from the Swiss Federal Institute of Technology looked at how many times over the past six years the two vendors were able to have a patch available on the day a vulnerability became publicly known, which they call the 0-day patch rate.

They analyzed 658 vulnerabilities affecting Microsoft products and 738 affecting Apple. They looked at only high- and medium-risk bugs, according to the classification used by the National Vulnerability Database, said Stefan Frei, one of the researchers involved in the study.

What they found is that, contrary to popular belief that Apple makes more secure products, Apple lags behind in patching.

"Apple was below 20 [unpatched vulnerabilities at disclosure] consistently before 2005," Frei said. "Since then, they are very often above. So if you have Apple and compare it to Microsoft, the number of unpatched vulnerabilities are higher at Apple."

It's generally good for vendors to have a software fix available when a vulnerability is disclosed, since hackers often try to find out where the problem is in order to write malicious software to hack a machine.

For a vendor to have a patch ready when the bug is detailed in public, it needs prior information from either its own security analysts or external ones. Otherwise the vendor has to hurry to create a patch, but that process can be lengthy, given the rigorous testing needed to ensure the patch does not conflict with other software.

Apple only started patching 0-day vulnerabilities in late 2003, Frei said.

"We think that Apple had fewer vulnerabilities early on, and they were just surprised or not as ready or not as attentive," Frei said. "It looks like Microsoft had good relationships earlier with the security community."

Over the past few years, Microsoft has tried to cultivate a closer relationship with the security community in order to encourage researchers to give it a heads-up about software problems. Apple, however, doesn't appear to have that same sort of engagement yet, and, "based on our findings, this is hurting them," Frei said.

Curiously, both vendors' abilities to have 0-day patches ready at disclosure seemed to dip in the six months before a major product release. That trend was most pronounced in 2004 and 2005. Frei theorized that the buildup to big software releases took away software engineering resources.

Andrew Cushman, director of Microsoft's Security and Research, said he couldn't pinpoint what might cause that trend. But in 2004 and 2005, Microsoft had a rash of vulnerabilities pop up in its Office products that it did not get advance notice of, which may have contributed to a higher percentage of unpatched publicly disclosed bugs.

However, the study proved to be such a glowing affirmation of Microsoft's increased focus on security in the past few years that it prompted Cushman to ask Frei, "Did Microsoft fund this research?"

"This is independent academic research," Frei replied.

YouTube rolls out usage analytics

YouTube account holders will now be able to access usage statistics for the videos they upload, such as where viewers are geographically located and how they found the clips.
The feature, called YouTube Insight, had been in high demand from partners that use the video-sharing site to market their products and services and, as such, want detailed metrics to determine the efficacy of their YouTube campaigns.

The announcement, made early Thursday, wasn't a complete surprise. Earlier this month, YouTube sales team manager Brian Cusack said that the Google unit was planning to provide its members with more data about video viewership.

"YouTube has enormous amounts of data, but not great reporting on that data yet," Cusack said during a keynote speech at the eRetailer Summit in Miami.

Now, marketers will have a better understanding of clips' reach and effectiveness at boosting brand awareness and sales, according to YouTube.

"With YouTube Insight, we've turned YouTube into one of the world's largest focus groups. Insight will help advertisers optimize their marketing efforts, determine how successful they were, and discover previously unknown marketing opportunities," an official YouTube blog posting reads.

The metrics will also give a better understanding of clips' popularity and viewership to people who upload videos for fun without commercial or marketing purposes.

YouTube Insight doesn't collect or display personally identifiable information on viewers, but rather provides uploaders with aggregated data on viewers' geographic location and on the time and day when clips were viewed, a Google spokesman said via e-mail. Google will "soon" turn on a feature to let uploaders discover how viewers found a clip, such as via a Google search, browsing YouTube's "related videos" suggestions or clicking on an e-mail or Web site link, he said.

Waste Management sues SAP over ERP implementation

The trash-disposal giant Waste Management is suing SAP, saying top SAP executives participated in a fraudulent sales scheme that resulted in a failed ERP (enterprise resource planning) implementation.
Waste Management said it is seeking recovery of more than US$100 million in project expenses, as well as "the savings and benefits that the SAP software was promised to deliver to Waste Management."

An SAP spokesman said via e-mail Thursday that "as a matter of policy SAP does not comment on ongoing litigation."

In 2005, Waste Management was looking for a new revenue management system, according to a company statement. "SAP proposed its Waste and Recycling product and claimed it was a tested, working solution that had been developed with the needs of Waste Management in mind," the Waste Management statement reads in part.

SAP promised that the software could be fully implemented throughout all of Waste Management within 18 months, according to the statement.

"From the beginning, SAP assured Waste Management that its software was an 'out-of-the-box' solution that would meet Waste Management's needs without any customization or enhancements," the statement reads. "Unfortunately, Waste Management ultimately learned that these representations were not true."

Waste Management said product demonstrations by SAP prior to the deal employed "fake software environments, even though these demonstrations were represented to be the actual software."

Waste Management's original complaint, filed in Harris County, Texas district court, said senior SAP executives, including SAP Americas' president and CEO, Bill McDermott, participated in the "rigged and manipulated" demos.

The company filed suit against SAP Americas and SAP AG on March 20 after "months of discussions with SAP and a recent consensual, three-day mediation that SAP ended after day two," according to the statement.

The action followed a lengthy initial courtship and falling out between the companies, detailed at length in Waste Management's court filing.

SAP officials held meetings with the company throughout the summer and fall of 2005, according to the complaint. Shai Agassi, a former executive board member, was among the SAP executives present at one meeting on June 17, 2005, in Walldorf, Germany, according to the complaint.

"At that meeting, SAP AG executives and engineers represented that the software was a mature solution and conducted a demonstration consisting of what they represented was the actual SAP Waste and Recycling software," the complaint states. The company later discovered that the software was a "mock-up version of that software intended to deceive Waste Management," according to the complaint. SAP has admitted to this in "internal documents," the complaint states.

SAP also demonstrated the "fake software" at subsequent sales presentations, according to the complaint.

Waste Management ultimately signed a sales pact with SAP on Oct. 3, 2005, according to the court filing.

"Almost immediately following execution of the agreements, the SAP implementation team discovered significant 'gaps' between the software's functionality and Waste Management's business requirements," it states.

"Waste Management has discovered that these gaps were already known to the product development team in Germany even before the SLA was signed. Instead of admitting what it knew at the time -- that the software lacked basic functionality to run Waste Management's business -- SAP undertook an elaborate fraud to perpetuate the original fraud and to recover additional money from Waste Management."

Members of SAP's implementation team blamed Waste Management for the functional gaps and submitted change orders requiring that Waste Management pay for fixing them, according to the complaint.

In addition, the complaint alleges, SAP originally promised that a pilot phase in New Mexico would be up and running by Dec. 15, 2006, "but it is not even close to being completed today."

Eventually, SAP conducted a "Solutions Review" and by summer 2007 determined the software was not an "enterprise solution" for Waste Management's needs, according to the complaint.

SAP said that if Waste Management wished to have the software implemented on a companywide basis, it would have to "start over" and agree to let SAP build a new version of the product with an updated version of its enterprise application platform, according to the complaint.

"SAP's 2007 proposal is precisely the kind of risky, expensive and time-consuming project that Waste Management rejected from other companies two years earlier," the complaint states. "Indeed, the development project that SAP proposed would drastically lengthen the implementation timetable from the original December 2007 end-date to an end-date sometime in 2010 without any assurance of success."

A Waste Management spokeswoman said the company would have no comment beyond the statement and complaint.

Monday, March 24, 2008

X Prize Foundation offers $10M for 100 mpg, green automobile

An insurance company and a non-profit group Thursday announced plans to give away US$10 million to the team that designs, builds and brings to market the most viable and efficient vehicle that can get 100 miles per gallon.
Progressive Insurance and the X PRIZE Foundation jointly made the announcement at the New York International Auto Show.

The international competition, called the Progressive Automotive X Prize, was launched to help break the world's addiction to oil and stem the effects of climate change, according to the X Prize Foundation, a non-profit group that sponsors contests encouraging innovation.

The foundation billed the contest as independent and technology-neutral, open to teams from around the world that can design green vehicles that people want to buy, and that meet market needs for price, size, capability, safety and performance.

"The Progressive Automotive X PRIZE is a call to action to promote and inspire innovation," said Peter H. Diamandis, chairman and CEO of the X PRIZE Foundation, in a statement. "The environmentally friendly cars created as a result of this competition will affect everyone who drives in ways we can't even imagine today."
The foundation said that so far, more than 60 teams from nine countries have signed a Letter of Intent to compete. Four teams and their vehicles were on hand at the auto show during the announcement Thursday.

"Development of a super-efficient car would be a major step forward in the fight against global warming, and it would help us reach our goal of cutting greenhouse gas emissions in New York City by 30% by 2030," said New York City Mayor Michael Bloomberg, who attended the press conference Thursday. "The Progressive Automotive X PRIZE is an excellent example of how the private sector can spur solutions to our most complex challenges."
The foundation will be accepting applications for the competition until mid-year.

Teams and their plans will be examined for safety, cost, business plans and production feasibility. The teams that are accepted into the competition will race their vehicles across the U.S. in various legs in 2009 and 2010. Overall performance will be rated, along with emissions standards and their placement in the races.

Host cities for the races will be announced "soon", according to the X Prize Foundation.

In 2004, the X PRIZE Foundation awarded a $10 million prize in a global competition to design a private suborbital spacecraft.

OpenOffice 3.0 promises to bash Office

Microsoft's Office suite could have a plausible challenger on the desktop for the first time since Lotus gave up trying to take on Redmond a decade ago.
With developers struggling to get OpenOffice 2.4 out the door, details are emerging of the features users have to look forward to in the upcoming release, version 3.0.

A sneak peek on the developer blog OpenOffice Ninja shows a new and easier-to-understand start screen featuring the main applications, and overhauls of the Writer application to better compete with Microsoft's Word. Writer can now display pages side by side and allows notes to be added in the margins of copy a la Word, while the Calc spreadsheet also features a large number of small tweaks to improve usability.

The suite will be able to cope seamlessly with Office 2007's XML-based file formats, though the blogger notes that the current development skeleton manages this with mediocre results.

Thus far the Sun-sponsored OpenOffice suite has remained an outsider, used mostly by open source enthusiasts or those too tight to pay the high ticket price of Office. Despite offering a usable alternative to Office, it has made no noticeable impression on Office's sales figures.

One element that will remain missing is a rival to Microsoft's industry-standard e-mail application, Outlook.
"For years, there have been talks of including Mozilla's Thunderbird and Lightning (calendar) application with OpenOffice.org. However, not much has come of it yet. Perhaps with the financial resources of the new Mozilla Messaging Corporation, the Mozilla Calendar will get the boost it needs," says the author.

OpenOffice 3.0 also appears to be modelled on a layout one generation behind Microsoft's Fluent interface, which admittedly not everyone has taken to.

Others maintain that the whole model of deskbound productivity applications is obsolete, foreseeing a future in which businesses and individuals instead use lightweight online applications such as Google's Docs. It is likely, however, that all models will flourish in their own way -- desktop behemoths such as Office, alternatives such as OpenOffice, and online apps -- being embraced by users for different purposes.

Sony charges $50 to remove laptop bloatware

Sony is offering to remove some of the trial software it crams onto the hard disks of new laptops -- for a fee.
Buyers of the configure-to-order versions of its Vaio TZ2000 and Vaio TZ2500 laptops can opt to have Sony remove some of its own applications, in addition to trial software and games.

The "Fresh Start" option, billed as a software optimization, costs US$49.99, and is only available to customers choosing to pay an additional $100 to upgrade the operating system to Windows Vista Business from the Windows Vista Home Premium edition offered as standard.

PC manufacturers are often paid by software publishers to include such trial versions on the computers they ship. Bloatware, as it is often called, poses problems for businesses because it reduces system performance and available hard disk space, makes it harder to maintain a consistent software image across PCs from different sources and may introduce additional security vulnerabilities or -- in the case of games -- unwanted distractions for workers.

Dell was one of the first PC manufacturers to offer to remove bloatware. Last July it introduced Vostro, a range of PCs for small businesses designed to be simpler to manage. Everex followed suit a week later, saying it would eliminate bloatware from a $300 desktop machine for consumers.

Customers opting for Sony's Fresh Start will miss out on software including Microsoft Works SE 9.0 bundled with a 60-day trial version of Microsoft Office; Sony's Vaio Creation Suite Photo Software bundled with a 30-day trial version of Corel Paint Shop Pro; the Click to Disc video editor; WinDVD; and a free edition of QuickBooks Simple Start that can only track 20 customers.

Sony justifies the $49.99 fee by saying it covers removal of the unwanted software before shipment -- although selecting the option appears to have no consequences on the estimated shipping date.

Although Sony has other laptops with configure-to-order options, including the FZ, SZ, AR and CR ranges, none of those are available with Fresh Start.

India rejects Office Open XML again

A technical committee in India has rejected Microsoft's Office Open XML file format as a standard.
In the meeting of the Bureau of Indian Standards (BIS) technical committee Thursday, 13 members voted against the standard, while five members, including some outsourcing companies, and the National Association of Software and Service Companies (Nasscom) voted for making Open XML a standard.

Nasscom is in favor of multiple standards, including Open XML and ODF (Open Document Format), the association said in a statement. It added that technology neutrality and competition will lead to falling prices of IT products.

The technical committee was constituted by the Bureau of Indian Standards (BIS), India's national standards body, after moves by Microsoft and other organizations to make Open XML a standard of the International Organization for Standardization (ISO).

BIS is a founder member of ISO, and represents India at the ISO.

The BIS committee had voted in August against making Office Open XML a standard, although some participants said at the time that Open XML might again be reconsidered as a standard by the technical committee and BIS after Microsoft makes the required changes to the document format.

The India vote comes ahead of a March 29 deadline for ISO members to reconsider their votes if they wished.

While disappointed by the decision of the BIS committee, Microsoft said Thursday that it was however encouraged by the support of IT industry players like Nasscom, Tata Consultancy Services, Wipro and Infosys who voted in favor of Open XML becoming an ISO standard.

Multicore boom needs new developer skills

More than charity lies behind Microsoft and Intel's announcement this week that they will donate US$20 million to a pair of U.S. colleges in the hope of spurring advances in parallel, or multicore, programming research, as a Microsoft research scientist readily acknowledged.
"There is a worldwide shortage of people experienced in parallel computing experience, for sure," said Dan Reed, director of scalable and multicore computing at Microsoft. "One of the collateral reasons is to raise awareness in the academic community, because that's where the next generation of developers will come from."

While for years, ever-higher clock speeds almost guaranteed that application code would run faster and faster, the rules are different for the multicore processors of today.

The difference has been compared to a sports car and a school bus. While the first is capable of blazing speed, the other moves more slowly but can move far more people at once.

The problem is, simply adding more cores to a computer's CPU doesn't increase the speed or power of conventional application code, as a recent Forrester Research report notes.

"To gain performance from quad-core processors and prepare for the denser multicore CPUs that will follow, application developers need to write code that can automatically fork multiple simultaneous threads of execution (multithreading) as well as manage thread assignments, synchronize parallel work, and manage shared data to prevent concurrency issues associated with multithreaded code," the authors wrote.

In other words, complex work is required to fill all those seats on the bus.

And the quad-core processors common today will soon give way to radically more advanced designs, Forrester notes. "Expect x86 servers with as many as 64 processor cores in 2009 and desktops with that many by 2012."

The situation has had chip makers and major software vendors making broad-based efforts to raise awareness of both the promise and challenges of programming for multiple cores.

TopCoder, a software development company that invites its membership to work on various aspects of a project through competitions, just began a series of special contests, along with chipmaker AMD, that focuses on multithreading.

Mike Lydon, TopCoder's chief technology officer, said multicore programming remains the province of an elite few. "What we've seen from the skill set perspective is, it varies quite a bit," he said. "As you would expect, the high-end developers are familiar with threading. After that it drops off pretty quickly."

"It's surprising to me because multithreading programming isn't new," he added. Indeed, one instructional article available on Microsoft's MSDN Web site dates to 1993.

"I think it stems primarily from the collegiate level," Lydon said. "I've heard very little about colleges teaching multithreaded programming, but I would think and hope that it's changing very quickly."

However, Forrester's report suggests the urgency isn't being felt across the board. It notes that major operating systems and most middleware products are already prepared for multithreaded operation and for "near term" multicore processors, and that corporate development shops may look to ISVs (independent software vendors) to solve the problem through development tools and platforms that can better handle multicore-related tasks.

But Microsoft's Reed believes that multithreading over time will become "part of the skill set of every professional software developer."

In the meantime, most of the parallel computing resources available now don't necessarily hide the complexity of coding for multiple threads. "Development pros have options today, but most of them are low-level language extensions and libraries," Forrester said.

For example, in February AMD open-sourced more than 3,200 software routines under a project called Framewave, which it said will help coders build multithreaded applications for x86-type processors.

"Libraries can't provide a complete answer, but we see these as iterative steps," said Margaret Lewis, director of commercial solutions and software strategy at AMD. "There's things that you can do today as you're waiting for those [more advanced] tools that can increase the multi-threadedness of your applications," she said.

There are some higher-level products already on the market, such as the platform sold by RapidMind, which takes single-threaded C++ code and then, through an abstraction layer, "parallelizes" it across a number of cores.

However, it would be "fairly idealistic" to think that better tools alone will be enough, Lydon argued. "When you actually get into the points in code where you're going to leverage performance by spawning multiple threads, it takes a human mind to see where the benefits could take place."

Security chief quits OLPC amid restructuring

A drastic internal restructuring underway at the One Laptop Per Child Project has caused a director of security to resign from the nonprofit effort.
Citing differences with OLPC's aims and shift of focus, Director of Security Architecture Ivan Krstic resigned from his post three weeks ago, Krstic revealed in a blog entry this week.

"I cannot subscribe to the organization's new aims or structure in good faith, nor can I reconcile them with my personal ethic. Having exhausted other options, three weeks ago I resigned my post at OLPC," Krstic said.

The MIT Technology Review named Krstic one of the world's top innovators under the age of 35 for his work on the OLPC security platform, Bitfrost.

In an interview with BusinessWeek in early March, OLPC Chairman Nicholas Negroponte said OLPC was operating "almost like a terrorist group, doing almost impossible things," and that the organization needed to be managed "more like Microsoft."

Negroponte said OLPC was searching for a new CEO and reorganizing departments into four operating units -- technology, deployment, market development, and fundraising and administration.

Calling OLPC "more a second home than a workplace," Krstic said he had been asked to stop working with OLPC President of Software and Content Walter Bender, whom he highly respected. "I was to report instead to a manager with no technical or engineering background who was put in charge of all OLPC technology," Krstic said.

OLPC did not respond to a request for comment Thursday. The group has been dogged by problems since it launched the effort to develop a US$100 XO laptop for children in developing countries three years ago. It has struggled to realize the ambitious vision, facing delays, rising costs and reduced orders.

In January, OLPC lost Chief Technology Officer Mary Lou Jepsen, who started an organization to commercialize parts of the OLPC's technology, including the screen and battery. A few days later, Intel said it was quitting OLPC after the nonprofit insisted that Intel abandon its effort to develop and distribute Classmate PC, a rival low-cost laptop. OLPC later said that it would welcome Intel back to the effort.

Elitegroup announces Eee PC rival with HSDPA

Taiwan's Elitegroup Computer Systems (ECS) has revealed plans to launch a low-cost laptop to compete against Asustek's Eee PC, but which uses 3G (third-generation mobile telecommunications) networks to keep users connected wirelessly.
Elitegroup plans to allow users to choose from several versions of the Simply Smart ECS G10IL laptop family. The top-end model comes with a 10.2-inch screen and takes advantage of tri-band mobile phone networks to keep users connected to the Internet wirelessly with HSDPA and HSUPA (High Speed Downlink/Uplink Packet Access). The technology ensures users can tap into mobile broadband from just about anywhere mobile phone coverage is offered.

The G10IL also connects to Wi-Fi networks, carries a 56 kbps analog modem on board for wireline Internet connections, supports Bluetooth wireless and comes with a four-in-one card reader.

The laptop family in general will run on Intel's Atom microprocessor paired with an Intel 945 GSE chipset. Users will have a choice of machines running Microsoft Windows XP or a Linux OS, as well as a smaller screen size of 8.2-inches. The laptops can take up to 2G bytes of DRAM (dynamic RAM), but the company does not specify how much will come with each model. Hard disk drives and solid state drives will both be offered for storage, and batteries with either four-cells or six-cells.

Pricing will depend on the configuration of the laptop, and has not been set yet.

The company could not be reached immediately for comment on when the laptops might be for sale.

Asustek started the trend toward low-cost laptops by launching its Eee PC to great fanfare and projecting sales of as many as 5 million units this year.

Saturday, March 22, 2008

Wireless auction yields mixed results for consumers

The completion of the 700MHz wireless spectrum auction on Thursday should bring more choice and new types of services for end users, although the results were not as rosy as some observers had hoped for.
For the first time in such an auction, the FCC required winners of some of the spectrum to allow any phone and any application to run on their new networks. These "open access" terms mean that end users should be able to choose from a wider selection of devices, along with new types of Web 2.0 services to run on them.

The change affects mainly Verizon, which won almost all of the licenses that must follow the open access rules. Google entered the auction but did not win any licenses, although its participation was seen by many as a way to promote the open access requirement, rather than as an attempt to become a network operator.

Verizon and AT&T, another big winner, will most likely use the spectrum to offer high-speed data services -- either mobile or fixed line -- which would provide an alternative to cable or DSL (Digital Subscriber Line) Internet services. The networks will probably use the new LTE (Long Term Evolution) cellular technology. Trials could begin by the end of next year, although broad availability probably won't come until 2010 or 2011, said Bill Ho, an analyst with Current Analysis.

The new networks are unlikely to deliver cheaper services for users as some had hoped, however, at least not for a while. The operators will need to pay off the billions of dollars they pledged for the spectrum, in addition to the investment in the new networks. "It won't be cheap right off the bat," said Ho. "At some point there will be mainstream adoption, and then the price goes down."

Nor did the auction result in completely new types of companies entering the wireless market, which had been another possibility when the auctions were announced. Some said they expected all along that the incumbent operators would dominate.

"The whole thing was set up from the beginning for [the incumbents] to win all the licenses," said Vince McBride, who won just two licenses at the auction, covering only a small geographic area. The big winners in the auction picked up hundreds of licenses.

A former mail carrier, McBride has been trying his luck at FCC auctions since 1996. He said new rules for the auction favored large companies with deep pockets. For example, the FCC shortened the amount of time that the winners would have to build their networks. "All that did was prevent small businesses from coming in. They were scared of the build-out requirements," he said.

Still, the open access rules lead some to call the auction a success. In a blog post, Google called it a victory for end users.

"Consumers soon should begin enjoying new, Internet-like freedom to get the most out of their mobile phones and other wireless devices," wrote Richard Whitt, Washington telecom and media counsel for Google, and Joseph Faber, corporate counsel.

Many insiders didn't expect that Google would bid to win in the auction, even though it entered the contest. "It would have been foolish on their part to try to run a network," said Nadine Manjaro, a senior analyst with ABI Research. "It's not their core competency."

Google has developed its own mobile phone software platform, called Android, and stands to benefit from the open access rules in any case.

"They're trying to become bigger and looking at means to expand their advertising into other areas beside the PC without incurring the cost," Manjaro said. "They accomplished that. They got the networks opened up."

The high price the operators paid for the spectrum may also have an upside, since they may have to come up with innovative services to recoup their costs, she said. "They'll have to be more creative to pay for these networks."

One potential casualty could be the rural telephone companies. That's because the 700MHz spectrum is ideal for supporting services across long distances. That means the operators may use it as an easier and cheaper way to deliver DSL-like service to rural areas -- where rural telephone companies have a lock on the market today, Manjaro said.

Bugs found in Kerberos

The MIT developers of the Kerberos authentication system have released patches for several serious security holes, which could allow remote attackers to obtain sensitive information, shut down a system or execute malicious code.
The first problem is with the Kerberos Key Distribution Center (KDC) and involves the way the KDC handles incoming krb4 requests. The problem can be exploited to crash the KDC server, execute malicious code or disclose memory, according to MIT.

The second problem is in the way the KDC sends responses for krb4 requests, which can be exploited to disclose potentially sensitive stack memory via a specially crafted krb4 request.

Exploitation of these first two bugs requires that krb4 support be enabled in the KDC; it is disabled by default in newer versions. These bugs affect Kerberos 5 versions 1.6.3 and earlier.

The third bug is in the Kerberos RPC library when handling open file descriptors. Under certain conditions, an attacker could open an overly large number of RPC connections, causing memory corruption and allowing the execution of malicious code.

This bug affects Kerberos 5 versions 1.2.2 to 1.3 and 1.4 through 1.6.3, according to MIT.

Independent security firm Secunia gave the bugs a "highly critical" ranking.

Microsoft acquires security company Komoku

Microsoft hopes to beef up its security capabilities with the acquisition of Komoku, a developer of rootkit detection products, announced on Thursday.
Financial terms of the deal were not disclosed.

Microsoft plans to add Komoku's technology into its Forefront and Windows Live OneCare products. Forefront is Microsoft's suite of enterprise security software that includes malware protection for PCs, security tools for Exchange and SharePoint servers, and gateways that secure remote access to corporate data.

OneCare is a package of security software for PC users that scans for viruses and spyware, backs up files and helps with network management.

Komoku, a Maryland company founded in 2004, develops products that detect rootkits, malicious software that can take control of a computer in a way that often evades detection by other antimalware software. The company has served organizations with high security requirements, such as the Department of Homeland Security, the Department of Defense and the Defense Advanced Research Projects Agency.

As part of the deal, Microsoft will hire William A. Arbaugh, the president and CTO of Komoku, who is also an associate professor of computer science at the University of Maryland. He spent many years working at the National Security Agency where he did research in information security and networking.

Microsoft's statement said that the majority of Komoku's staff will join Microsoft's Access and Security Division. Komoku's simple Web site calls the company a small business and lists three workers, including Arbaugh.

Microsoft doesn't plan to keep the Komoku name or product line. The deal was completed on Wednesday.

Deal to buy 3Com falls apart

Bain Capital Partners and China's Huawei Technologies have abandoned their bid to buy U.S. networking firm 3Com because of security concerns by the U.S. government, Bain said.
The companies said last month that the proposed purchase of 3Com was on hold because of security concerns at the U.S. Committee on Foreign Investment in the United States (CFIUS), but they announced Thursday that the deal was terminated because CFIUS intended to take action to prohibit the sale, Bain said in a press release.

Bain, based in Boston, would have controlled an 83.5 percent stake in 3Com, with China's Huawei getting the remainder. But some critics, including U.S. Representative Thaddeus McCotter, a Michigan Republican, had raised concerns that Huawei has strong ties to the Chinese government.

The U.S. Department of Defense uses 3Com intrusion detection products, and Chinese hackers have targeted the agency, McCotter said in an October speech.

Bain and Huawei announced in September that they intended to buy 3Com for US$2.2 billion. They voluntarily filed a notice with CFIUS.

The companies have withdrawn their request for approval "because CFIUS made clear that it intended to take action to prohibit the proposed transaction," Bain said in a press release.

A CFIUS representative didn't immediately respond to a request for comments.

Bain made several alternative proposals to 3Com that it believed "could have satisfied the concerns raised by CFIUS," Bain added in the press release. But the two sides were unable to come up with an agreement.

A 3Com spokesman wasn't immediately available to comment. As late as Wednesday, 3Com had announced that it intended to proceed with a shareholder meeting, scheduled for Friday, in which shareholders would decide whether to accept the Bain offer.

Qualcomm can't hold off injunction in Broadcom suit

In the latest of many legal setbacks for Qualcomm, a federal court has turned down the company's request to postpone an injunction against sales of some of its mobile-phone chips.
The injunction was ordered late last year after a lower court found that Qualcomm violated three Broadcom patents. Qualcomm is appealing the case and requested a stay of the injunction while it goes through that process. On Tuesday, the U.S. Court of Appeals for the Federal Circuit, in Washington, D.C., rejected that request. As a result, the injunction is in immediate effect, according to Broadcom, although Qualcomm is allowed to keep selling certain infringing products until Jan. 31, 2009.

Cellular pioneer Qualcomm, based in San Diego, is embroiled in a series of legal disputes with Broadcom, a relative newcomer to the mobile processor market based in nearby Irvine, California. In this case, Broadcom sued Qualcomm in May 2005 in the U.S. District Court for the Central District of California and won the case last May, when a jury awarded it US$19.6 million in damages. The district court judge entered the injunction on Dec. 31.

"We are gratified that the U.S. Court of Appeals rejected Qualcomm's motion for a stay, leaving in force the injunction against Qualcomm's infringement issued by the U.S. District Court in Santa Ana," Broadcom said in a statement attributed to David Dull, senior vice president of business affairs and general counsel.

"Although our motion for a stay was denied, the Federal Circuit has recognized the need for speedy resolution of the many issues raised by the verdict and remedy in this case, and has therefore granted Qualcomm’s motion for an expedited schedule for briefings and oral argument," Qualcomm said in a statement.

According to Broadcom, the three patents cover technology for improved video performance in mobile phones, for accessing more than one network at a time and for "push-to-talk" capability. The push-to-talk technology is used in Qualcomm's QChat, a system Sprint Nextel is counting on to extend the walkie-talkie capability popularized on Nextel's legacy iDEN network to its larger CDMA (Code-Division Multiple Access) service.

Sprint had moved to intervene on Qualcomm's side in the district court but was turned down last August. On Tuesday, the appeals court rejected Sprint's appeal of that decision. The carrier filed its appeal too late, the appeals court said.

Verizon Wireless wins huge block of 700MHz spectrum

Verizon Wireless has won a nationwide block of spectrum that could be used to create a wireless data network, the U.S. Federal Communications Commission announced Thursday.
Verizon was the winning bidder in the 22MHz band of spectrum called the C block in the FCC's 700MHz auction, which concluded Tuesday. The company bid US$4.7 billion for the spectrum, which covers nearly all of the U.S., while the high bids on the entire 700MHz auction totalled nearly $19.6 billion.

The FCC put so-called open-access provisions on the C block, meaning Verizon must allow outside devices such as mobile handsets from other carriers and must allow users to run outside applications on the network. Verizon originally filed a lawsuit against the FCC's open access rules, but dropped out while trade group the CTIA continued with the lawsuit.

Google, which had expressed interest in the C block, did not win any of the C block licenses.

Verizon said it was "very pleased" with the auction results. "Specifically, we were successful in achieving the spectrum depth we need to continue to grow our business and data revenues, to preserve our reputation as the nation's most reliable wireless network, and to continue to lead in data services and help us satisfy the next wave of services and consumer electronics devices," the company said in a statement.

Among the other winners in the 700MHz auction was AT&T, which won spectrum covering the metropolitan areas of New York, Philadelphia, Detroit, Dallas, Boston, San Francisco, Washington, D.C. and dozens of other large cities. Qualcomm won spectrum covering New York City, Philadelphia, Boston, Los Angeles and other areas.

Public Knowledge and Free Press, groups that had pushed for the open-access rules, gave mixed reactions to the auction's results.

"We are not surprised" at the auction's results, said Art Brodsky, Public Knowledge's spokesman. "We look forward to the company working within the letter and the spirit of the open access policies the commission approved," he added. "Perhaps they could even persuade CTIA to drop their court challenge to the auction."

The spectrum auction raised more than the $10 billion budgeted by the U.S. Congress, but failed to provide a public safety network and failed to create a new wireless competitor to cable and telecom-based broadband providers, said Ben Scott, policy director of Free Press.

"The auction also failed to produce a much-needed competitor to the phone and cable giants," Scott said in an e-mail. "Since Verizon -- winner of the C Block -- is already a dominant provider of DSL, the prospect of a genuine third pipe from the wireless world is now slim to none."

On Thursday, the FCC voted to de-link the so-called D block from the rest of the auction results. The D block was a 10MHz block that was to be paired with another 10MHz controlled by public safety agencies, and the winning bidder would have been required to build a nationwide voice and data network to serve both public safety and commercial needs. But the FCC failed to receive its $1.33 billion minimum bid for the D block, with the lone $472 million bid coming from Qualcomm.

The FCC has no plans to immediately re-auction the D block, a spokeswoman said. Instead, the agency "will consider its options for how to license this spectrum in the future," the FCC said in a news release.

Many members of Congress pushed for a public safety network after emergency responders couldn't communicate with each other during the Sept. 11 terrorist attacks and more recent disasters. Police and fire departments in neighboring cities often use different communication devices on different blocks of spectrum.

Many telecom experts see the 700MHz spectrum, which U.S. television stations are required to abandon by February 2009, as optimal for long-range wireless broadband services. Wireless signals in the 700MHz band travel three to four times farther and penetrate obstacles such as buildings more easily than wireless signals in higher spectrum bands.

Other auction winners included Triad 700, a Silicon Valley startup, which won spectrum covering Alaska, Puerto Rico, eastern Maryland and northwestern Pennsylvania. Frontier Wireless, a Colorado-based subsidiary of EchoStar Communications, and Cavalier Wireless, which has bid in past FCC auctions, won several licenses in small cities and rural areas.

Protecting endpoint devices

Small and mid-sized businesses (SMBs) are keenly aware of the need to protect their endpoints from exposure. Endpoint devices that are vital to business operations -- like servers, laptops, and desktops -- are increasingly being targeted by attacks designed to compromise and steal company data. And even as these threats are becoming more sophisticated and targeted toward endpoint devices, end users are demanding increased flexibility and access into the network (remote, VPN, web-based, telecommuting, use of unmanaged devices). When you add regulatory compliance mandates to the equation, SMBs are finding they must scramble to implement, monitor, and enforce controls that protect endpoint devices.
How can SMBs protect themselves and their customers? The following five tips for securing endpoints will help build a strong defense against the increasing stream of attacks and threats:

1. Use layered security: Deploy defense-in-depth strategies for employees and other end users, including an integrated endpoint security solution and security patch updates. Antivirus definitions and intrusion prevention signatures must be updated regularly, and all desktops, laptops, and servers should also be updated with the necessary security patches from the operating system vendor. Consider deploying a personal firewall to help control network traffic to the endpoint device. Also, make sure to enable the security settings on Web browsers and disable file sharing.

Additionally, teach users to develop strong passwords with at least eight characters and a combination of numbers, letters, and special characters. Change all passwords every 45-60 days to make it more difficult for intruders to access your data.

2. Implement a network access control solution: All network-connected computers and inbound/outbound traffic should be monitored for signs of unauthorized entry and malicious activity. Ensure that any infected computers are removed from the network and disinfected as soon as possible. Also, create and enforce policies that identify and restrict applications that can access the network.

To ensure they have the latest protection, SMBs should apply operating system and security software updates and patches as soon as they are released, and all browsers should be upgraded to the latest versions.

3. Stay informed: Several companies publish reports that help define the threat landscape for SMBs. These reports can be found on the various companies' websites or through online searches. This is a great way to stay informed about the threat landscape so you know what you're up against.

Spam is the leading source of malware entering networks today. Spam not only diminishes productivity, it also puts a strain on storage and bandwidth requirements. Deploy antispam technologies at the mail gateway to proactively protect your environment.

4. Don't forget physical security: There are a number of routine physical security tactics SMB employees can use to help strengthen their companies' security defenses. These include using the screen-locking feature when away from the computer, shutting the computer off when done for the day, locking laptops with a cable, not leaving passwords written down, and being mindful of physical security of PDAs and handheld devices, which are a popular target of thieves.

5. Back up data: For any number of reasons -- disaster, human error, hardware failure, etc. -- your IT system could be brought down. It is critical to back up important data regularly and store extra copies of this data offsite. Since tapes containing confidential customer or business data may be lost or stolen in transit, encrypting those backup stores is a good idea.

A well-executed endpoint protection strategy provides companies with the confidence that their corporate assets are protected and their business infrastructure is secure. By following these five tips companies can build a strong defense against these sophisticated and targeted attacks.

Software group files lawsuits against eight eBay sellers

The Software & Information Industry Association (SIIA) has filed eight new lawsuits against eBay-based software sellers, alleging that they are selling counterfeit products.

The lawsuits, announced Thursday, come in addition to nine lawsuits the trade group filed against eBay sellers in February. The SIIA has filed more than 25 lawsuits against eBay sellers in the last two years, and has reached several settlements, said Scott Bain, SIIA's litigation counsel.

The most recent lawsuits were filed in U.S. District Court for the Northern District of California on behalf of Adobe Systems. The lawsuits accuse eBay sellers in Arizona, Texas, Pennsylvania, New Jersey, California, Connecticut and Florida of selling illegal copies of Adobe PhotoShop CS3 and other software.

SIIA officials have said that the trade group has approached eBay about ways to cut down on the sale of counterfeit software, but eBay has rejected the trade group's ideas. The SIIA has asked eBay to end one-day and buy-it-now auctions of software, but eBay has not agreed. EBay has also rejected a SIIA banner advertisement aimed at educating customers, said Keith Kupferschmid, senior vice president of the trade group's antipiracy division.

SIIA has estimated that about 90 percent of software sold on eBay is illegal, Kupferschmid said.

The 17 lawsuits in the last two months represent SIIA's "most aggressive campaign yet" to go after online auction sales of counterfeit software, Bain said. "Unsuspecting consumers and legitimate software sellers pay a steep price when software pirates are allowed to operate freely on auction sites," he added.

EBay has taken steps to limit sales of counterfeit software, said Nichola Sharpe, a company spokeswoman. EBay has put volume restrictions on software sellers, and it has eliminated one-day and most three-day auctions, she said. It also requires sellers to verify themselves through PayPal, and it has had its VERO (Verified Rights Owner) program in place since 1989, she said.

VERO allows rights owners to contact eBay and have items removed from auction listings. There are millions of items sold on eBay, and the auction site can't verify the authenticity of each item, Sharpe said. "We can't be the experts on what's fake or not," she added. "We're not the experts on counterfeits."

When SIIA files lawsuits against an eBay seller, it doesn't typically contact the buyers of the software, although the trade group runs a periodic program where customers who have purchased counterfeit software can turn it in for a rebate, Bain said.

Customers using auction sites to buy software should be wary, he advised. "They need to look at the source ... and look at the price," he said. "If you're paying $100 for $700 Adobe PhotoShop software, the odds are not good that you're getting legitimate software."