StratVantage – The News – 01/30/02

Just Some Short Ones

This time, we’ve got several shorter articles on topics of interest.

  • Memory Goes 3D: Thomson Multimedia announced it will use three dimensional write-once memory from Matrix Memory in memory cards that can be used to store digital photos or music. Matrix Memory’s patented technology allows it to build 3-dimensional memory by stacking memory arrays vertically, like towers of blocks. The resulting structure can store data for more than 100 years. The technique promises even higher memory density in the future as Matrix adds more layers onto the same chip.

    Using existing technology, you can already plug half a gigabyte of memory into the same PC slot that used to hold 36MB or 64MB. Things will really get interesting when you can plug a terabyte into the same slot. (Don’t worry. Software developers will find a way to fill all that memory.)

    I’ve written before about carbon nanotube memory and Nantero, which has a patented process for producing it. If commercialized, this technology will leave silicon-based techniques, like Matrix’s, in the dust. So even an innovation like the Matrix card could have a short shelf life. Although the Matrix cards plug into cameras, Thomson is working on card readers that will allow consumers to view digital photos on a television as well as in cameras and computers, said David Geise, Thomson’s vice president of accessories products. Plus, the cards will cost about $10, which is less than a third of the price of similar flash memory cards. The advantage of flash memory, however, is that you can erase and rerecord data on it, unlike the Matrix cards, which record the data permanently.
    News.com

  • Cute Intel: The CIA’s own technology “accelerator”, In-Q-Tel, is getting more and more involved in technologies that can process massive amounts of data and highlight potential terrorist activities. In-Q-Tel (the Q honors James Bond’s gadget master) was started by the CIA in 1999 to find new technologies that might be useful to the Agency’s mission. It’s not the biggest VC in the world, with about $30 million a year to invest, but post-9/11 it has shown increasing interest in technologies that can make connections in massive amounts of information. For example, search engine Northern Light has teamed with In-Q-Tel to develop an advanced multilingual search system that will crawl Web sites identified by classification experts, create a database of relevant information and employ Northern Light’s multiple-factor relevance ranking algorithm to order the results. The CIA is also experimenting with data analysis software used by some casinos that tracks gambling cheaters. The Company will use the software to detect suspected terrorists and their associates when they make airline, hotel or rental-car reservations. The software, developed by Systems Research & Development Inc. (SRD), searches major computerized reservations and global distribution systems looking for non-obvious relationships. SRD said it can check a passenger’s name, address, phone number and other identifying information against those of suspected terrorists. The largest prototype examines data from 4,000 sources with information on about 1 million people.

    If this sort of application doesn’t make you shiver, consider other potential uses, such as finding tax cheats, or contributors to unpopular causes, or people critical of government policies.
    CNN

  • Faster Wireless: Intersil Corporation has announced the first chip set designed to support the IEEE 802.11g draft standard. Big deal, you say? Well 802.11g is way faster than 802.11b, AKA Wi-Fi, which pokes along at a measly 11Mbps. The new chip set, operating in the 2.4 GHz band, will enable data transmission speeds of up to 54Mbps. That’s more than half the speed of the fastest widely-deployed wireline LANs, which run at 100Mbps, and 1,024 times as fast as a 56Kbps modem. As if that’s not enough, the new chip sets will have a 30 percent range advantage over similarly speedy 802.11a systems and will consume less power.

    This technology will first be seen in PC Card-based systems for laptops, but it won’t be too long before the chip set is built into more-portable devices, like PDAs and cell phones. Lest we get too excited, the new standard is still a short-range connectivity solution; coverage is likely to be about 100 feet vs. 300 feet for 802.11b.
    802.11 Planet

  • New Jargon – Digital Hubs: These days hardly a week goes by without a new buzzword. Well, here’s the latest: digital hubs. These are home-based wireless transmitters that let consumers manage, store and distribute a vast amount of content, including TV broadcasts, movies, audio and Web information. These devices, typically 802.11-based, will let you distribute on-demand content to anywhere in the home, and, intentionally or not, to your immediate neighbors, or, if you like, over the Internet.

    Of course, there’s trouble in paradise, in the form of content owners who foresee another Napster disaster. (OK, I won’t argue at this point whether Napster really was a disaster or not.) The Copy Protection Working Group, a consortium of TV networks, Hollywood studios, and consumer electronics firms, wants all content tagged, supposedly invisibly and inaudibly, so TVs, DVD players, personal video recorders, and other devices could prevent a broadcast from being stored digitally. They want to use a Digital Rights Management (DRM) scheme similar to the Digital Transmission Content Protection (DTCP) method created by Intel, Hitachi, Sony, Toshiba and Matsushita. DTCP, however, is focused on wireline connectivity.

    Although many in the entertainment device industry think that encrypting and decrypting wireless transmissions might be too large a computational challenge for consumer grade equipment, RSA, a leading security firm, unfortunately announced Fast Packet Keying recently, a technique that allows individual wireless data packets to be encrypted and decrypted rapidly. So it won’t be long before Disney gets to say whether you can transmit the latest *NSync concert up to Junior’s computer so you don’t have to watch it in the living room.
    802.11 Planet

 

StratVantage – The News – 01/23/02

Choosing a Cell Phone

Alert SNS Reader Roger Hamm wants to know what to do about PDA/cell phone convergence. Is it time to make the jump, or does it make sense to wait until new services such as GPRS (General Packet Radio Service) become available?

With the average cell phone user getting a new phone every two years or so, it’s likely that anything you buy today will be replaced soon enough anyway, so there’s little risk in buying a phone today, at least for the cheaper ones. With the PDA-integrated phones costing north of $300, however, the decision becomes a little harder.

The only reason to wait to buy a normal phone would be to see if AT&T Wireless (now independent of its famous parent) gets its act together with GPRS. From a pilot in Seattle a little more than six months ago, the company has added eight markets and plans to serve about 40 percent of current customers with GPRS by the end of the year, and serve all its markets by the end of 2002. So they’re making progress.

So what’s so cool about GPRS? Well, first of all, data rates are faster than the 2G (Second Generation) digital wireless system you undoubtedly have today. With a normal phone, data access is pretty limited, about 9.6Kbps or roughly five to six times slower than a 56Kbps modem. With GPRS, you could use up to four 9.6Kbps timeslots, yielding throughput of up to about 38.4Kbps, which is comparable to the speed you get when uploading using a 56Kbps modem. You’ll see vendors claiming much faster access. In the real world, however, it’s unlikely you’ll ever get all four available slots, so your mileage may vary. In fact, you could be sharing timeslots with other users, since GPRS doesn’t require a dedicated slot, but rather acts more like a normal IP network and sends traffic when it can. These limitations notwithstanding, you at least have a shot at faster throughput.

Of course, the question is, what will you do with that throughput. On the dinky little screens available on most phones, I’d say not much. I’ve got Internet access on my phone and couldn’t be less interested in slogging through dozens of screens to look up a movie time, for example.

Undaunted by the real challenges of the crippled cell phone user interface, AT&T promotes these advantages for GPRS:

  • Wireless access to information and e-mail. AT&T wants you to believe that mobile workers can have access to corporate applications, email, and intranets or the Web. Of course, you can do that today, just not easily.
  • Voice calling on the world-standard GSM network. The GSM standard is in use in over 150 countries around the world. Unfortunately, not every GSM system uses the same radio bandwidth, so this advantage is softened.
  • Constant connectivity. Unlike the kludgy Web access available on current phones, which require you to stop talking and initiate a data connection first, GPRS offers instant access to the data network. Once in data mode, you are ready to send or receive data in real time since there’s no dial-up required to connect to the network. The company falls short of claiming you can talk on the phone and surf the Web at the same time.
  • Pay only for the data you use. This “advantage” could turn into a disadvantage. Palm started its Palm VII wireless service with a similar scheme, although AT&T users only pay for the amount of transmitted data rather than network connect time. AT&T is bundling 400 voice minutes with a megabyte of download for $50. However, users don’t like variable cost Web access, so we’ll just see how long this business model lasts.
  • Powerful, easy-to-use devices. The AT&T Wireless GSM/GPRS network supports a variety of devices, including phones and GSM/GPRS PC Card modems, for use with a Pocket PC or a laptop computer.
  • Long battery life. Characteristics of the AT&T Wireless GSM/GPRS network provide for more efficient battery use.
  • Secure and reliable transmissions. The AT&T network provides encryption and authentication for enhanced voice and data transmission security, and packet data technology for reliable transmissions. We’ll just see how secure it is.
  • Get customers to pay for 3G network upgrade. This benefits AT&T mostly, of course. By doing the GPRS upgrade, AT&T will incur most of the expense of offering advanced 3G wireless services and get revenue in the process. “We’ve got to install switches, new antennas and software,” AT&T Wireless spokesman Ritch Blasi says. “As we move to deploying EDGE [Enhanced Data rates for Global Evolution, a rather grandiose name for the next level of technology], that’s a software upgrade.” The final evolution to UMTS (Universal Mobile Telephone System), or full 3G technology, will involve software and minor hardware upgrades. Unfortunately, UMTS is only one of at least three technologies competing to be the 3G standard worldwide.

AT&T is not the only wireless player to have GPRS capability, although they were the first.

Cingular Wireless has started migrating its network to EDGE technology that supports speeds as high as 384Kbps. Sounds great, but its first step is to install GSM and GPRS technology on top of its TDMA (Time Division Multiple Access) and analog networks, just like AT&T. Cingular has already deployed GPRS in some markets, including Seattle and Las Vegas, the Carolinas, eastern Tennessee and coastal Georgia.

Voicestream, the US’s largest GSM network, said its new GPRS-based iStream network operates at 40 Kbps, and is available nationwide. They are charging $5 per month for a megabyte. Currently, the service only works with the Motorola P280 and T193 wireless phones.

Sprint plans on skipping directly to true 3G services, offering speeds of up to 144 kbps, and nationwide. It remains to be seen if this is the smart move or not.

So is it worthwhile to wait until GPRS is available? Hard to say. The PDA/cell phone converged devices are already available for current wireless networks (of course, not including the one I use, AT&T). They’ll have larger screens and make it somewhat less annoying to use the Internet. Many of the currently available combo units even feature the Palm operating system.

If you don’t want to wait, Sprint has the Kyocera phone, and I’ve talked to several people who have it and love it. It’s fatter than a phone and skinnier than a Palm V. The screen is approximately two-thirds the size of the Palm V, but it beats trying to fit a Palm and a phone in your pants pocket. Another alternative is the Samsung phone (reported in a previous SNS), which is Palm-based with a color screen, but which is a little pricey ($499).

Sprint also has an add-on module for the Handspring PDA that turns it into a phone (reported in a previous SNS). I’ve heard good things about it, but don’t know anyone who has it.

Verizon offers the cool Motorola V200, which is a pager on steroids. This is an example of the engineers not understanding their true role in life. About a year ago Motorola announced that they’d have a converged phone by 2003 or 2004. I thought, what the heck? Their lunch will be all eaten by then. Well nobody told the pager guys it was hard to do. So they just slapped a phone into their text pager, and voila! Convergence.

Verizon also offers the Kyocera phone.

Voicestream’s network coverage is improving, but still lags the others. They offer the Motorola V100, similar to the V200.

Cingular offers a cool Motorola phone, but their coverage is not nationwide, although they claim more than 21.2 million customers in 38 states, and 42 of the top 50 markets nationwide, covering more than 93 percent of the urban business population located in 492 Metropolitan Statistical Areas (MSAs) and non-MSAs with a total population of 200 million people. They sound a tad defensive, don’t they? And they’re not in Minneapolis, so what does that tell you?

BTW, Cingular has by far the worst Web site of the bunch. Wringing any significant information out of it is an achievement.

Several regional wireless players also have cool phones. For example, Qwest offers the Kyocera phone. Qwest’s coverage is quite limited, however, and does not include Illinois, for example.

And we can’t forget our favorite software monopoly. Microsoft is pushing its SmartPhone technology, but I’m not aware of any major phone maker who is planning on releasing it in a phone.

So the answer to Roger’s question is: If you’re willing to plunk down $400 to $500 on a converged device that might be obsolete as early as the end of this year, go for it. For my money, I’d get a Handspring with the plug in module. It’s a bulkier, more expensive package, and the antenna could poke holes in your pants, but at least you’ve got a shot at selling the module on eBay once it becomes obsolete.

Briefly Noted

  • Shameless Self-Promotion Dept.: StratVantage has launched a new service, CTOMentor™, designed to allow Chief Technology Officers and other technical leaders to get rid of the Guilt Stack, that pile of magazines you’ll get around to reading someday. CTOMentor is a subscription advisory service tailored to customers’ industry and personal information needs. Four times a year CTOMentor provides a four-hour briefing for subscribers and their staffs on the most important emerging technology trends that could affect their businesses. As part of the service, subscribers also get a weekly email newsletter, Just the Right Stuff™, containing links to the Top 10 Must Read articles needed to stay current. These and other CTOMentor services will let you Burn Your Inbox™.

    As part of its launch, CTOMentor is offering a two-part white paper on peer-to-peer technology: Peer-to-Peer Computing and Business Networks: More Than Meets the Ear. Part 1, What is P2P?, is available for free on the CTOMentor Web site. Part 2, How Are Businesses Using P2P?, is available for $50.
    CTOMentor

  • All Things Must Pass: Microsoft has announced that it is ending support for Windows 95. The operating system has entered the “Non-Supported” phase of Microsoft’s product lifecycle. This means only online support is offered, and good luck getting any bugs fixed. Expect other software vendors to follow suit and drop support for Win95 versions, like Black Ice Defender did recently. Win95 was the last Microsoft OS that ran decently on 486 machines, so it’s time to either donate those machines to a good cause or load Linux on them. The following OSes are either non-supported or scheduled to be:

    MS DOS x.xx (December 31, 2001)
    Windows 3.xx (December 31, 2001)
    Windows 95 (November 30, 2001)
    Windows NT 3.5x (December 31, 2001)
    Windows 98/98 SE (June 30, 2003)
    Windows NT 4.xx (June 30, 2003)

    Microsoft

  • Let Me Roll You: Alert SNS Reader David Dabbs sent along an article about Rolltronics Corporation and Iowa Thin Film Technologies, who recently demonstrated the first working silicon transistors made using a new “roll-to-roll” manufacturing technique. In this process, a continuous sheet of flexible polymer is unrolled from one spool, covered with silicon circuit designs, and collected on another spool. Such cheap, thin electronics could be incorporated into radio-frequency ID tags (see the Auto-ID entry in the TrendSpot), digital X-ray detector panels, biometric sensors and flat screen displays.
    Technology Review

 

StratVantage – The News – 01/10/02

You’re Hit. What Next?

The hackers have hit; your systems are down; now what? Many firms these days face this scenario. There are lots of issues here, but one of the biggest involves what to do immediately after the attack.

If you think you may want to prosecute the miscreant(s), it is critical to preserve the evidence so it can be used in court.

Your initial impulse is to just get up and running again, and that’s understandable, especially if mission-critical systems are hit. But if you want to press a court case, you need to understand computer crime forensics, the science of reconstructing the cyberattack and establishing a chain of evidence back to the attacker.

There are three places to be concerned about forensics: on the perpetrator’s computer, on the compromised computer and on the network devices in between the two.

A big advantage in unraveling the attack and possibly identifying the perp is access to system logs. Thus, it makes sense to store copies of important system logs on other computers, since crackers can edit logs on compromised systems to remove traces of their actions.

You should also:

  • Restrict physical access to the area to preserve fingerprints
  • Unplug any phone lines that could dial in to the attacked computer
  • Unplug the computer from the network
  • Photograph the scene, including connections to any peripherals, for later reference if the machine needs to be disassembled for examination
  • If the computer is off, don’t turn it on; if it’s on, don’t reboot it, as this could launch viruses or time bombs. Merely turning on a Windows computer changes timestamps and other important evidence, for example.
  • Avoid accessing any files on the compromised machine as that changes access timestamps.

After immediately securing the area and the computer, call in a network forensics specialist. These are high-priced consultants who can advise you further on evidence preservation. Mark Lanterman, CEO of Computer Forensics, said in a recent presentation that many times the best thing you can do is pull the electrical plug on the affected machine. Then a forensics specialist can use special software to make an exact image of the drive, preserving the evidence for later use in court. Killing the power and replacing the hard drive is another option if you need to get up and running right away. After all, restoring the machine is easy, since your organization has up-to-date, comprehensive backups of every critical machine, right?
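The advice above to keep copies of important logs on another computer, and to preserve evidence in a form that can be shown not to have changed, can be made concrete with a small tamper-evident log copy. The following Python script is an added example and is not code from the article or from any vendor it mentions; the collector key, the host name and the syslog-style lines are constructed for the demonstration. The collector chains each forwarded line to the previous one with an HMAC under a key only the collector holds, so an entry later edited or deleted in the collector’s copy fails verification at that position, and the collector’s copy can be compared against the host’s own log to list the entries an intruder removed there.

```python
"""Tamper-evident off-host log copy (added example; key and log lines are constructed)."""
import hashlib
import hmac

# Constructed demo key. Assumption: only the log collector holds it, so an
# intruder who gains root on the logging host cannot recompute valid tags.
COLLECTOR_KEY = b"constructed-demo-collector-key"

# Starting value for the chain before any entry exists.
GENESIS = b"\x00" * 32

# Constructed syslog-style lines, as a collector would receive them from a host.
SAMPLE_LINES = [
    "Jan 10 02:14:01 web01 sshd[4121]: Accepted password for admin from 203.0.113.7 port 51022",
    "Jan 10 02:14:05 web01 sudo: admin : TTY=pts/0 ; COMMAND=/bin/bash",
    "Jan 10 02:15:30 web01 sshd[4130]: Failed password for root from 203.0.113.7 port 51040",
    "Jan 10 02:16:02 web01 kernel: device eth0 entered promiscuous mode",
]


def _tag(prev_tag: bytes, line: str) -> str:
    """HMAC over the previous tag and this line, so each entry commits to its predecessor."""
    return hmac.new(COLLECTOR_KEY, prev_tag + line.encode("utf-8"), hashlib.sha256).hexdigest()


def append_entry(chain: list, line: str) -> list:
    """Append one received line to the collector's chain."""
    prev = bytes.fromhex(chain[-1]["tag"]) if chain else GENESIS
    chain.append({"line": line, "tag": _tag(prev, line)})
    return chain


def build_chain(lines) -> list:
    """Build a fresh chain from an iterable of lines."""
    chain = []
    for line in lines:
        append_entry(chain, line)
    return chain


def verify_chain(chain: list) -> int:
    """Return -1 if every entry verifies, else the index of the first entry that does not."""
    prev = GENESIS
    for index, entry in enumerate(chain):
        expected = _tag(prev, entry["line"])
        if not hmac.compare_digest(expected, entry["tag"]):
            return index
        prev = bytes.fromhex(expected)
    return -1


def missing_from_host(chain: list, host_lines) -> list:
    """Lines the collector holds that no longer appear in the host's own log file."""
    present = set(host_lines)
    return [entry["line"] for entry in chain if entry["line"] not in present]


if __name__ == "__main__":
    collector_copy = build_chain(SAMPLE_LINES)
    print("collector copy intact:", verify_chain(collector_copy) == -1)

    # The host's log after an intruder removed the sudo line locally.
    host_log = SAMPLE_LINES[:1] + SAMPLE_LINES[2:]
    print("removed on host:", missing_from_host(collector_copy, host_log))

    # An edit to the collector's copy itself is caught at the edited entry.
    edited = [dict(entry) for entry in collector_copy]
    edited[1]["line"] = "Jan 10 02:14:05 web01 sudo: admin : TTY=pts/0 ; COMMAND=/usr/bin/ls"
    print("first bad entry after edit:", verify_chain(edited))
```

One caveat worth knowing before relying on this: the chain alone cannot tell that entries were trimmed from its end, since the remaining prefix still verifies, so the collector should also record the entry count or the latest tag somewhere the logging host cannot reach. The same hash-and-compare idea is what makes the drive image the forensics specialist takes useful in court: hash the image at acquisition, and any later copy can be checked against that value.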

Your next steps depend on whether you want to prosecute, and risk adverse publicity, or keep the incident quiet. Frankly, my advice is to always prosecute. As long as these script kiddies and other bad actors feel there is little chance of getting caught, or, even if caught, little chance of paying for their misdeeds, they’ll keep right on attacking systems. Bringing computer criminals to justice, en masse and in public, will have some deterrent effect. If companies just sweep these problems under the rug, the Internet could become unusable due to the escalation of viruses, worms, and other attacks.

If you decide not to prosecute, it is still in your best interest to catch the crook. Otherwise he (yes, they’re mostly male) may strike again.

If you decide to get law enforcement involved, it may be in your best interest to conduct a thorough investigation first. US Attorney Elizabeth McKibbon said at a recent meeting of the Minneapolis Infragard chapter that private companies have more leeway in conducting investigations. Once the FBI gets involved, various laws concerning privacy and other civil rights issues come into play. This can be especially true if the perpetrator is a current or ex-employee – and up to 80 percent of cybercrime incidents involve insiders.

Obviously, the best course of action is to prevent the intrusion in the first place. Businesses need to take security seriously, establishing and enforcing stringent security practices, and keeping up to date on the latest software releases and security patches. And please, get rid of the passwords posted on yellow stickies on monitors!

Regardless of your security, you also need to prepare for the worst by establishing a Security Incident Response Team (SIRT) and putting them through training, including incident simulation, like that offered by Anti-Cyber Crime Team Training Services (ACCTTS).

When the unthinkable happens, it pays to be prepared. Concentrate on prevention, but be ready to act in a coordinated, effective, and evidence-preserving manner when security incidents happen. And believe me, no matter how good you are, they will.

Network Fusion

[Note: if you’re getting tired of SNS’ recent emphasis on security, take heart. The next SNS will examine another topic.]

Briefly Noted


  • Thin is In: From the Great Idea; Too Late Department comes an item regarding efforts to shrink the size of the bulky cathode-ray tube that produces images on most television sets and computer monitors. Two IBM scientists have developed an inch-thick CRT. The technology is pretty amazing: “Basically we banged holes in a magnet and fired electrons through the device,” said co-inventor Dr. Andrew R. Knox. Electrons are produced behind the magnet and focused on the screen by the holes in the magnet. Thus, instead of one electron beam that scurries across the screen, illuminating pixels in turn, the new tube provides one electron beam for each pixel. Pretty cool, but doesn’t IBM know about the current flat screen monitors? Unless this invention is lots cheaper than current technology, it could be consigned to the scrap heap of history along with other great ideas like the Studebaker, the Betamax and the Apple Macintosh (boy, I’ll get mail about that one!).
    NY Times (registration required)
  • E Ink in PDAs: I don’t know about you, but I have a hard time reading the screen on my Palm PDA. The contrast sucks, and forget about the backlight mode. Well now digital paper vendor E Ink has teamed up with Royal Philips Electronics to incorporate electronic ink displays into mobile devices. The pair aims to replace the current LCDs by mid-2003. E Ink’s electronic ink is made up of millions of microcapsules. Each microcapsule is filled with positively charged white pigment chips, negatively charged black pigment chips and a clear fluid. Applying a negative charge makes the white pigment chips become visible and a positive charge makes the black pigment chips visible. The ink can be printed onto a sheet of plastic film that is laminated to a layer of circuitry.
    IDG
  • More Investment in High Tech Planned: The US House Science Committee voted to increase spending on high-tech research by 10 per cent per year over the next five years. They also want to require government agencies to coordinate their research efforts and agreed to allocate $105.7 million to new cyber-security programs in fiscal year 2003, increasing each year to $229 million in fiscal 2007. The new funds would come on top of the roughly $60 million the federal government currently devotes to network security.
    US House of Representatives
  • The DOJ is Watching: The Department of Justice (DOJ) is already using new anti-terrorism powers to monitor cable modem users without obtaining a judge’s permission first. The Mom & Apple Pie, er, USA Patriot Act changed federal law that previously said, “a cable operator shall not disclose personally identifiable information concerning any subscriber.” The law now reads, “A cable operator may disclose such information if the disclosure is … to a government entity.” Michael Chertoff, Assistant Attorney General at the DOJ’s criminal division, said that the new abilities have let police obtain information in investigations that was previously unavailable. “We would not have been able to do (this) under prior law without a specific court order.” I’m thinking there was a real good reason why you used to need a court order, but that’s just my opinion, and I could be wrong.
    Wired News
  • Know Your Enemy: PBS is rerunning their show, Hackers, which has been praised as a good look at the psyche of the typical computer adventurer. I haven’t seen it, but you can go to PBS’ Web site and read some truly fascinating transcripts of interviews with these dangerous youngsters.
    PBS
  • First IPv6 Network: Cisco announced that SURFnet, the national research network organization in the Netherlands, is now delivering native IPv6 Internet service on its broadband network. IPv6 is the next generation network-addressing scheme that removes the limitations imposed by the address space of current IP networks like the Internet. We should never run out of addresses with IPv6, as there are enough of them to assign one to every atom in the universe. IPv6 also promises other advancements like a means to ensure a particular Quality of Service (QoS) for transmissions like audio or video. IPv6 has been a bit of a tough sell due to the expense of converting networks and clients.
    Cisco
  • Sterling on Geeks and Spooks: Science fiction author Bruce Sterling has written some stunning books of near-future prophecy and one non-fiction book, The Hacker Crackdown: Law and Disorder on the Electronic Frontier, about hackers. While no expert on hacking, cracking, and cryptography, Sterling recently addressed the “Global Challenges, Trends and Best Practices in Cryptography” conference at the Information System Security and Education Center in Washington, DC. The text of his speech is available on his Web site, and it makes good reading.
    Viridian Design
  • Global Grid Progress: One way to solve huge computing problems is to link computers together in a federation and split the problem up into little pieces that each can work on. Sun and AVAKI, a P2P (peer-to-peer) startup have joined forces to improve the interoperability of Sun’s Grid Engine and AVAKI’s solution. Sun claims that its solution is running more than 118,000 computers today, and that more than 12,000 folks have downloaded its software. The company apparently plans to dominate the distributed computing industry, having previously established partnerships with Open Source efforts the Global Grid Forum and Globus. You can find out more about distributed, or hive, computing in CTOMentor’s first white paper, Peer-to-Peer Computing and Business Networks: More Than Meets the Ear, available online.
    Sun
  • Nokia and DoCoMo Collaborate on 3G Standard: Japan’s NTT DoCoMo and Nokia will cooperate in promoting open mobile architecture for WCDMA-based 3G services in areas such as browsing, messaging and application execution environment. The two companies have agreed on the adoption of the XHTML/CSS as the content description language and they will work towards the adoption of Wireless profiled TCP as a wireless transport layer. What this means is that two of the industry’s heavyweights are planning on joining forces to influence the course of so-called 3G, or Third Generation, wireless networks.
    Nokia

 

StratVantage – The News – 01/08/02

Software Quality and Cyberterror Threats, Part 4

In the last three SNS issues, I discussed the huge task confronting Richard Clarke, the counter-terrorism expert in charge of the president’s Critical Infrastructure Protection Board, made the assertion that security problems are really software quality problems, and examined some of the reasons why the software industry pays so little attention to these problems. I also took a look at the industry’s response to the rising epidemic of worms and viruses. In this final installment, I consider some current forces militating against software quality and security, and look at two possible future scenarios.

Let’s focus for a moment on potential legal remedies for security bugs. In a perfect world, wouldn’t we make software companies responsible for the quality of their products? This doesn’t seem to be too much to ask. If Firestone makes truck tires that disintegrate, isn’t it natural to hold them accountable? If a software defect allows a virus to cause a billion dollars of damage, shouldn’t the vendor compensate the victims or at least be liable in some way?

When you look at it, there’s really no reason why software should be exempt from the kind of product quality legislation in place for things like tires, washing machines, cars, ladders, airplanes, and pretty much every other thing we buy. But then again, a far worse product, cigarettes, is not held to these standards, and so don’t hold your breath waiting for this level of legal solution.

In fact, things are headed in the exact opposite direction. The States are beginning to adopt a proposed standard body of law that addresses software and other electronic products. It’s called UCITA, the Uniform Computer Information Transactions Act, and it was developed by the National Conference of Commissioners on Uniform State Laws (NCCUSL) in 1999. UCITA was designed to create a uniform commercial contract law for electronic products and attempts to be “a cyberspace commercial statute.” It covers shrink-wrap and click through licenses and gives them further strength as contracts.

UCITA is supported by Software & Information Industry Association (SIIA) whose 1,200 member companies represent most of the biggest software and content vendors around – AOL Time Warner, Apple Computer, LexisNexis, Nokia, Novell, Oracle, and Sun, for example. (Microsoft is conspicuously absent.) The association’s interest in UCITA is consistent with another of their major initiatives, the SPA Anti-Piracy effort. In 2000, Virginia and Maryland became the first states to adopt UCITA.

In a summary brief on the SIIA site, one of the main advantages of UCITA for the software industry becomes apparent:

UCITA rejects the “perfect tender” rule for commercial licenses. One of the problems with Article 2 [of the Uniform Commercial Code] is that it requires delivery of goods that conform to the contract. Software is recognized as a product that cannot be made perfect and that it almost always will have bugs. The existence of bugs in software could violate the perfect tender requirement under Article 2. UCITA eliminates the perfect tender rule and replaces it with a substantial conformance standard. The perfect tender rule is retained for transactions involving consumers.

What? “Software is recognized as a product that cannot be made perfect”? I’m not ready to agree to that, are you? Yet on the other hand, most products can’t be made perfect. I’m reminded, for example, of the time a printer told me that if I wanted perfect registration (alignment of colors) on a printing job, I’d have to pay more. One could argue that no product can be made perfect, so why is it necessary to grant software a special dispensation to be shoddy?

What’s worse, UCITA’s so-called “self help” provision allows software developers to leave back doors and time bombs in their software as a means to enforce their copyrights or the length of software use. This provision opens such a Pandora’s box of potential security problems that even the framers of UCITA have reversed themselves and are trying to address this brain-dead provision. Yet another provision, the “automatic restraint” provision, also authorizes back doors and time bombs, with even fewer restraints than the self help provision.

The problems with UCITA also include the prevention of vendor liability, even through gross negligence, for security vulnerabilities, and an implied prohibition against reverse engineering of any kind. Even worse, UCITA applies to content delivered through software as well. Imagine being prohibited from disparaging a movie review you read on AOL, or even from quoting from it.

Free software advocate Richard Stallman sums up this disaster of a law thusly:

We generally believe that big companies ought to be held to a strict standard of liability to their customers, because they can afford it and because it will keep them honest. On the other hand, individuals, amateurs, and good samaritans should be treated more favorably. UCITA does exactly the opposite. It makes individuals, amateurs, and good samaritans liable, but not big companies.

Is this the kind of future we want, one in which software vendors face no real incentive to deliver bug-free, secure software, one in which software gets less and less reliable, one in which researchers who currently point out software flaws are muzzled and arrested?

In that future, software quality will continue to decline. After all, the law says it can’t be perfected, so why try? In that future, the network will be overrun by überworms that make the Code Red worm and other recent malware look like a walk in the park in comparison. In that future, the jails will overflow with legitimate and illegitimate software researchers, script kiddies and superhackers, and penniless college students who ripped off music they couldn’t have afforded to buy anyway. But, hey, it’s not all bad. Software and content vendors will prosper. We’ll just have to be happy with what they give us.

Can we afford such a future in the post-9/11 world? Do you want critical infrastructure systems full of security flaws just waiting for terrorists to exploit them? Do you want the mission critical systems of your organization running on software created by corporations that have no liability for errors? Are we going to acquiesce and allow bad laws like DMCA and UCITA to tilt the playing field overwhelmingly in the direction of large software corporations?

Or are we going to recognize that software quality is a matter of national security? Are we going to regard as unpatriotic any software vendor that does not make security its highest priority? Are we going to fight for our right to fair and reasonable use, including the ability to analyze software to determine its quality and security?

The choice is ours. It’s an enormous choice, yet most people aren’t aware of the issues. You can help by forwarding this series of articles (part 1, part 2, part 3, part 4) to decision-makers you know, or by pointing them to the work of Bruce Schneier, Richard Stallman, the Electronic Frontier Foundation, or virtually any other security expert around. You can also support the work of the 26 state Attorneys General and others that oppose UCITA.

Briefly Noted

  • Shameless Self-Promotion Dept.: StratVantage has launched a new service, CTOMentor™, designed to allow Chief Technology Officers and other technical leaders to get rid of the Guilt Stack, that pile of magazines you’ll get around to reading someday. CTOMentor is a subscription advisory service tailored to customers’ industry and personal information needs. Four times a year CTOMentor provides a four-hour briefing for subscribers and their staffs on the most important emerging technology trends that could affect their businesses. As part of the service, subscribers also get a weekly email newsletter, Just the Right Stuff™, containing links to the Top 10 Must Read articles needed to stay current. These and other CTOMentor services will let you Your Inbox™.

    As part of its launch, CTOMentor is offering a two part white paper on peer-to-peer technology: Peer-to-Peer Computing and Business Networks: More Than Meets the Ear. Part 1, What is P2P?, is available for free on the CTOMentor Web site. Part 2, How Are Businesses Using P2P?, is available for $50.
    CTOMentor

  • Wireless Security Fixed: As previously reported in SNS, the Wired Equivalent Privacy (WEP) standard built into 802.11b wireless LANs is a joke. So RSA Security and Hifn have developed a technology called “fast packet keying” and announced that their solution has been accepted by the IEEE standards body. The technology generates a unique RC4 key for each data packet sent over the wireless LAN. Geez, it better be fast if it’s going to do that! RSA says the solution can be distributed as a software or firmware patch by wireless LAN vendors, allowing their customers to quickly update the existing vulnerable equipment. Thanks to Alert SNS Reader David Dabbs for the pointer.
    RSA
  • Another Bad Trademark Granted: Well, now I’m going to try to trademark the word “the.” If there’s a more brain-dead section of government than the US Patents and Trademarks Office, I’d like to see it. Now there’s a legal battle being waged over who has the right to use the word “Entrepreneur.” Everyone who uses this word is now subject to a lawsuit from the media group that publishes Entrepreneur Magazine. Minnesota Entrepreneurs President Ed Palmer notes the irony of the situation. “Yes, I know — how could this be? An organization that purports to support entrepreneurs sues entrepreneurs? Quite perverse, yet true. By the way, long before this trademark was filed for, The Minnesota Entrepreneurs were engaged in using the name. What’s up with this trademark?”
    MN Entrepreneurs
  • Spin Doctors*: The California NanoSystems Institute, a joint effort of The University of California at Los Angeles and University of California at Santa Barbara, recently reported that it can now electronically control the “spin” of an electron. This breakthrough could mean extremely fast, dense, low heat electronics, since changing the spin takes an infinitesimal amount of energy compared to moving the charge in a wire back and forth, according to the company.
    (*That headline was inevitable, wasn’t it?)
    Small Times
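The “fast packet keying” item above turns on one idea: a stream cipher like RC4 must never be run twice with the same key, because the keystream it produces is then identical for both packets. The following is an added example, not code from RSA, Hifn or the IEEE; it implements textbook RC4 and compares a static-key scheme against one that derives a fresh RC4 key per packet. The derivation used here (HMAC-SHA256 of a packet counter under the long-lived key, truncated to 16 bytes) is an assumed stand-in, since the page does not describe the actual mixing function.

```python
import hashlib
import hmac


def rc4_keystream(key: bytes, length: int) -> bytes:
    """Return `length` bytes of RC4 keystream for `key` (textbook KSA + PRGA)."""
    s = list(range(256))
    j = 0
    # Key-scheduling algorithm: permute S under the key bytes.
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    # Pseudo-random generation algorithm: emit keystream bytes.
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def per_packet_key(base_key: bytes, packet_counter: int) -> bytes:
    """Derive a distinct 16-byte RC4 key for each packet.

    Assumed construction for illustration only: HMAC-SHA256 over a 48-bit
    packet counter under the long-lived key. The real fast-packet-keying
    mixing function is not reproduced here.
    """
    counter = packet_counter.to_bytes(6, "big")
    return hmac.new(base_key, counter, hashlib.sha256).digest()[:16]


def static_keystreams(base_key: bytes, n_packets: int, length: int) -> list:
    """What happens with one shared key and no per-packet variation."""
    return [rc4_keystream(base_key, length) for _ in range(n_packets)]


def per_packet_keystreams(base_key: bytes, n_packets: int, length: int) -> list:
    """Per-packet keying: every packet is encrypted under its own RC4 key."""
    return [
        rc4_keystream(per_packet_key(base_key, n), length) for n in range(n_packets)
    ]


def keystream_reused(streams: list) -> bool:
    """True if any two packets would be encrypted with the same keystream."""
    return len(set(streams)) < len(streams)


if __name__ == "__main__":
    # Constructed sample key; not a real network key.
    base_key = bytes.fromhex("000102030405060708090a0b0c0d0e0f")
    print("static key reuses keystream:",
          keystream_reused(static_keystreams(base_key, 3, 32)))
    print("per-packet key reuses keystream:",
          keystream_reused(per_packet_keystreams(base_key, 3, 32)))
```

Run it and the static scheme reports keystream reuse while the per-packet scheme does not; a packet counter that never repeats for the lifetime of the base key is what makes the second result hold, so rekeying before the counter wraps is part of the design, not an afterthought.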