StratVantage – The News 03/27/02

Wireless Serendipity

Sometimes you can get lost in the Web when you’re seeking specific information. And sometimes getting lost is actually productive, turning up information you’re much more interested in.

This happened to me the other day, while doing research for the next CTOMentor white paper, on wireless. The paper will be based on one I did for a client in October 2000, and I’m starting to go through it and update the information. What follows is a description of the path I took to answer a simple question: What happened to Ericsson’s cell phone manufacturing business? Along the way I tripped over a few very interesting infonuggets I might not have found had I been looking for them.

It all started when my intern, Jeremy, sent me a link to a ZDNet story on Palm’s integration of Bluetooth capabilities into an add-on card for its PDAs. The story mentions a company called Sony Ericsson. I couldn’t remember what the deal was with this company, although I knew Ericsson had pretty much gotten out of the business of making their own phones. This is a testament to the competitive nature of the cell phone business – Ericsson was the number one cell phone manufacturer not all that long ago, until Nokia ate their lunch.

So to figure out if Sony bought all of Ericsson’s manufacturing business, I go and scan the press releases. Sure enough, there’s a mention of Sony Ericsson and Ericsson banding together on a project: Ericsson’s Instant Messaging and Presence Server (IMPS). Cool. I vaguely remember reading something about this, and Instant Messaging is something I wrote quite a lot about in the CTOMentor P2P white paper.

The IMPS is built upon the Wireless Village version 1.0 specification and the companies claim it “will provide network operators with an advanced personal communication tool for users that can deploy to 2G, 2.5G and 3G networks worldwide. The new instant messaging solution, which also works with legacy handsets, is to be announced by Ericsson in the upcoming months.”

I’ve never heard of Wireless Village, but the press release describes it: “Founded by Ericsson, Motorola, and Nokia, Wireless Village, the Mobile Instant Messaging and Presence Services (IMPS) Initiative, was formed in April 2001 to define and promote a set of universal specifications for mobile instant messaging and presence services.”

This sounds like an important initiative, so I check out the Wireless Village Web site. Turns out they just recently launched their 1.0 specification. Also on the site is a white paper, which quotes “Research reports instant messaging is the Number Two requested application after voice. With the monumental growth patterns of SMS, where 10 billion messages are sent every month globally according to the GSM Association, and the adoption rate of desktop instant messaging (IM), with over 100 million registered users and over 50 million regular users as reported by Jupiter Media Metrix, we foresee that wireless IMPS will capitalize on both these trends.”

Hey! That’s the same ResearchPortal survey I quote in my earlier white paper: “Surprisingly, instant messaging (which we imagine includes paging functions) was the most desired feature by mobile professionals. Equally surprising was the fact that consumers rated both messaging and email more highly than did the professionals. Understandably, professionals ranked the ability to manage Personal Information Manager (PIM) data higher than did consumers.” The study thus has to be about two years old, then. There’s no stat like an old stat.

Nonetheless, the Ericsson/Sony Ericsson/Wireless Village initiative combined with the fact that VoiceStream is offering access to AOL Instant Messenger on its phones means I’d better talk a lot more about wireless IM in the next white paper.

Getting back to the original questions (What happened to Ericsson’s manufacturing and who is Sony Ericsson?) I dump “Sony Ericsson” into Google, and come up with their Web site. In the “About us” section, it says: “Sony Ericsson Mobile Communications was established in 2001 by telecommunications leader Ericsson and consumer electronics powerhouse Sony Corporation. The company is equally owned by Ericsson and Sony, whose combined mobile phone businesses on a pro-forma basis achieved annual unit sales of approximately 50 million units and sales of USD 7.2 billion in 2000.”

Plugging “Sony Ericsson” into ZDNet’s search yields an interesting article: Old Atari games will run on cell phones. In case you have never heard of Atari, they were the king of video games in the ’70s, originating the classics Asteroids and the world’s first video game, Pong, both of which will be available to play on Sony Ericsson cell phones.

I still want to know if Sony got all of Ericsson’s manufacturing business, so I plug “cell phone manufacturer” into ZDNet’s search. And finally, I get the payoff: Ericsson is licensing its technology to other cell phone makers, including LG Electronics and Samsung, and “Ericsson Mobile Platforms, based in Sweden, will stay within the Ericsson group when the company merges its handset operations with the mobile-phone unit of Japan’s consumer-electronics group Sony on Oct. 1 [2001].”

Arguably I could have answered my question by finding Sony Ericsson’s site in the first place, but where’s the fun in that? Besides, I found several other interesting pieces of information along the way, including the fact that folks are still relying on a survey of cell phone users that must be at least two years old.

So, two important points for those doing research on the Web: serendipity, within reason, can provide surprisingly pertinent results; and don’t believe stats asserted without citations – things have a way of taking on a life of their own on the Web.

Briefly Noted

  • Shameless Self-Promotion Dept.: Take our survey on corporate policies on home use of network resources.

    StratVantage has launched a new service, CTOMentor™, designed to allow Chief Technology Officers and other technical leaders to get rid of the Guilt Stack, that pile of magazines you’ll get around to reading someday.

    CTOMentor is a subscription advisory service tailored to customers’ industry and personal information needs. Four times a year CTOMentor provides a four-hour briefing for subscribers and their staffs on the most important emerging technology trends that could affect their businesses. As part of the service, subscribers also get a weekly email newsletter, Just the Right Stuff™, containing links to the Top 10 Must Read articles needed to stay current. These and other CTOMentor services will let you Your Inbox™.

    As part of its launch, CTOMentor is offering a two-part white paper on peer-to-peer technology: Peer-to-Peer Computing and Business Networks: More Than Meets the Ear. Part 1, What is P2P?, is available for free on the CTOMentor Web site. Part 2, How Are Businesses Using P2P?, is available for $50.

  • What’s the Deal with Number Searches? I use Atomz’ free site indexing service to provide search facilities on both the StratVantage and the CTOMentor Web sites. A nice feature of the service is the summary email they send each week detailing what users were searching for. I get the usual off-topic search keywords, for the most part – searches for sex, sluts, Excel password cracks. But this week’s report has me scratching my head. There were three searches for “23569 26519 27494 29579” and one for “35910 35910 40857.” I plugged these phrases into Google and came up with nothing, but when I tried them individually, I turned up some pages from Taiwan. It turns out the numbers are character codes. A Chinese character that a page cannot express in its own character set is written in HTML as a numeric character reference, thusly: &#23569; for 少, &#26519; for 林, and so on. A browser does the same thing when a visitor types characters that the search form’s encoding cannot represent, so the query arrives as a string of such references; strip the “&#” and “;” as a search log is likely to, and only the numbers remain. The title bar shows the reverse confusion: a title stored as Big5 bytes but displayed as Latin-1 reads “¤p¬õ¨§ªº·tÅʦP·ù·|”, and the same bytes read as Big5 are “小紅豆的暗戀同盟會.” So my best guess is that I had some Chinese visitors. Wonder what they were looking for?
  • Yahoo!/ACNielsen Internet Confidence Index Declines: My old employer, ACNielsen, has partnered with Yahoo! to create this quarterly study of confidence in the Internet. ACNielsen uses CATI Omnibus methodology (I don’t know what that is, either), utilizing a sample size of 1,000 adults, who may or may not be currently utilizing the Internet. For the First Quarter 2002, the Index dropped to 111, four points off the fourth quarter of 2001. The companies claim the slight decline was driven primarily by heavy Internet users who are less confident with online order fulfillment. The Index is still higher than both the second and third quarter levels in 2001 and indicates that more people intend to shop online during the second quarter of 2002. The projected $13.8 billion spend in the second quarter is slightly less than first quarter projections. More than 40 percent of users manage some aspect of their personal finances online, while 26 percent intend to use the Web for tax research this year.
  • Spoofed MP3s Pose Danger: Finjan Software reports that miscreants are embedding URLs in spoofed multimedia files (such as .MP3 and .WAV). Although the files carry the expected extension, their contents are a different format altogether, and they can be used to “hijack” users to malicious Web sites when users click on what look like MP3 or WAV files. For example, a file named .MP3 may really be another file type, such as a .AFX file, which can contain a URL. Worse yet, Internet applications such as Internet Explorer or Outlook may open such files without asking the user what to do. Since the spoofed extension is considered “safe,” some multimedia applications open the files despite the mismatch between the actual file type (for example, AFX) and the spoofed extension (for example, WAV). According to Finjan, some pornographic Web sites are already using this technique. The underlying mistake is trusting the name the sender chose instead of the bytes in the file.
  • Microsoft Readying Converged Phones: Alert SNS Reader Larry Kuhn notes that even cooler phones are on the way. Microsoft’s SmartPhone effort will produce phones that feature Pocket Outlook, Pocket Internet Explorer, MSN Messenger and Windows Media Player. Microsoft and VoiceStream recently announced plans to bring Microsoft® Windows® Powered Pocket PC 2002 Phone Edition-based devices to customers later this year for use over VoiceStream’s high-speed GSM/GPRS (Global System for Mobile/General Packet Radio Service) wireless voice and data network. The announcement seemed to indicate that the phones would also have built-in 802.11b (WiFi) connectivity, for use with VoiceStream’s 650 public WiFi locations. The software giant also recently inked a deal with FedEx, which will use the Pocket PC operating system for a new mobile scanner and package-tracking device called the PowerPad. FedEx selected AT&T Wireless’ GPRS data network to support new, high-bandwidth applications on the device, which will be used by its 40,000 couriers.

StratVantage – The News 03/22/02

Cleaning Out the Old Links, part 2

I’ve got such a collection of interesting and important material that hasn’t found its way into SNS yet that I have to clean house. I cleaned out a bunch in the last SNS. Here’s some more of the best of what I’ve got.
  • Facial Recognition and Other Threats to Privacy: Virage Inc. has developed software that can automate video security, eliminating the need to pay low wages to bored personnel just to stare at monitors all day. You can program the system to recognize suspicious faces, locations, words or phrases. Great. Now surveillance can be in the hands of machines. Doesn’t that make you feel better? To top it off, Visionics, a maker of face recognition software, is enthusiastic about the possibility of creating a “national shield” (Mom & apple pie alert!) linking every camera in the country. Thankfully, not everyone thinks this is a great idea. “We’re collecting data on everyone on the assumption that anyone may be the next terrorist,” said Deirdre Mulligan, director of the Law and Technology Clinic at UC Berkeley. “This subverts our traditional notion of the ability of the government to survey its citizens” only if there is probable cause to suspect criminal conduct. Security expert Bruce Schneier agrees: “You end up with a society in which the database is more important than reality.”
    LA Times
  • UK ISP Closes After DoS Attack: For those who are still wondering if the danger posed by Internet miscreants is mostly hype, check out this story. UK Internet Service Provider (ISP) Cloud-Nine was forced to close after being hit with a massive denial of service (DoS) attack.
    ISP Review (UK)
  • Walk-up Printing for PDAs: Startup Flexiworld wants to make it easy for your to walk up to any printer and print emails or other documents wirelessly. I don’t even want to think about the security implications of this idea.
    The Portland Business Journal
  • The eBay Scam: Miscreants have been attempting to steal unwary users’ credit card numbers through a fake email that purports to be a purchase confirmation from eBay. My Dad received the email in mid-January, along with thousands of others. Recipients received the following email:

Your order has been completed and will be mailed within 24-48 hours.

Your credit card has been charged $460.50 for the following purchase…

– Microsoft X Box ( $399.00 )

– NFL Fever ( $50.00 )

Plus shipping and handling.  If you feel that your credit card has been billed wrongly, please visit and fill out all the needed information to cancel the following order.

Again that site is <a href=””>eBay Services:  Cancel Order</a>,

Thank you,

eBay Services.

The link went to a URL redirection service that sent users to a page hosted at AOL. The page asked the user to enter a credit card number and other personal information so that eBay could cancel the order. Obviously, eBay was not involved in this scam, but, oddly, Harry Caray’s Chicago-area restaurants were, albeit unknowingly. For some reason, after users submitted the information, they were sent to a page on Harry Caray’s restaurants site that simply said, “Your order has been canceled.”
  • “Unbreakable” Oracle 9i Broken: It had to happen. The good marketing people at Oracle thought an ad campaign calling Oracle 9i unbreakable was a good idea. If they’d asked the Oracle techies, they probably would have been told that nothing’s unbreakable, given enough time and motivation. Sure enough, the software has been cracked, easily, using a buffer overflow, the ever-popular attack technique. Make sure your marketing department has a better clue than Oracle’s!
  • More from the FBI Survey: A recent SNS quoted results from a recent survey by the Computer Security Institute (CSI), in conjunction with the FBI Computer Intrusion Squad. In addition to finding that 81 percent of corporate respondents said the most likely source of attack was from inside the company, the survey also revealed:
    • 85 percent of respondents (Large corporations and government agencies) detected security breaches within the last twelve months
    • 35 percent of respondents quantified their financial losses at $377,828,700
    • 91 percent of respondents detected employee abuse of Internet privileges
    • 94 percent detected computer viruses within their network
    • 78 percent of respondents stated they had detected Denial Of Service Attacks
    • 58 percent reported their network had been attacked 10 or more times


  • Domain Sellers Busted: Alert SNS Reader Roger Hamm sent along this article about domain scammers who were selling bogus .usa domain names. The UK company traded on Americans’ patriotic sentiment to sell more than $1 million in names at $59 apiece before being busted by the FTC. Buyers of the .usa domains found they couldn’t be used on the Internet. Oops.
  • Genomics Predictions: The Centre for Research on Innovation and the Institute for Alternative Futures recently released predictions from the ESRC Genomics Scenario Project. One of the most intriguing: “By 2005 biomarkers indicate the likely presence of several cancers, classify their defining molecular characteristics, and indicate which therapies should be beneficial to the particular type of tumour.”
    Institute for Alternative Futures
  • Verticalnet Gets Serious: Last month, Kevin McKay, former SAP CEO, was appointed Verticalnet’s new president and CEO. McKay appears to be a heavyweight, having held key positions at SAP, Sony Electronics and PricewaterhouseCoopers. Erstwhile B2B exchange Verticalnet appears to be trying to remake itself as a vendor of Collaborative Supply Chain solutions. Such solutions provide supply chain visibility, comprehension, and rapid response that leads to lower costs and inventory, higher revenue, and growth opportunities. Modernizing the supply chain by improving communication and planning processes will be corporations’ big To Do for this decade. Strategic Sourcing, Collaborative Planning, and Multi-tier Order Management look to shave dollars off supply chain costs. It remains to be seen, however, how successful Verticalnet will be in a marketplace dominated by i2 and, to a lesser extent, Manugistics.
    Philadelphia Business Journal
  • Automated Security Testers: I’ve recommended the Microsoft Personal Security Advisor, and the enterprise tools offered by its creator, Twin Cities-based Shavlik Technologies, in the past. They’re great tools, and a must for any Microsoft-based user. A new player in the area of security vulnerability assessment and automated fixes is BigFix, which offers customers a free online service that finds security holes, software bugs, outdated drivers, and viruses on a PC, then automatically retrieves and installs the patch or update. It’s unclear if BigFix makes use of the Microsoft database of security vulnerabilities that the Shavlik tools access. To use BigFix, the user must subscribe to Fixlet sites maintained by experts around the world, who provide Fixlets in their area of expertise. I’m a little wary of allowing “experts” to determine how to fix my software, however. And while automatic updating might be OK for desktop computers, I don’t think it would fly for production servers. A free consumer version of the software is available.
  • Wireless Email Easily Hacked: If you use a BlackBerry™ or SMS (Short Message Service) or any other kind of messaging on your wireless phone, be aware that your messages can be intercepted. While you may not be sending information on your company’s latest secret project from your portable device, if you route all your messages to your BlackBerry, you could be receiving sensitive information. The latest demonstration of the insecure nature of wireless communications is courtesy of @Stake Inc., a security consulting company in Cambridge, Mass. mentioned in a previous SNS. @Stake was able to intercept BlackBerry Internet Edition traffic using a scanner with a digital output, an antenna and freely downloadable software. Since the email is sent over the wireless network in the clear, much like the email you send over the Internet every day, once the message is intercepted, it’s easily readable.
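The eBay scam item above hinges on one mismatch: link text that says “eBay Services” while the link itself goes to a redirection service. Here is an added example of a mail filter that flags exactly that (it is not the newsletter’s or eBay’s code). The sample message is constructed from the text quoted in the item, with a hypothetical redirector host (redirector.example) standing in for the unnamed one the scam used; the brand-to-domain table is an assumption made for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumed mapping for the example: brand names a scammer might drop into link
# text, and the registrable domains that brand legitimately uses.
BRAND_DOMAINS = {"ebay": {"ebay.com"}}


class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) for every <a> in an HTML message body."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""   # a stripped href is still an anchor
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, " ".join("".join(self._text).split())))
            self._href = None


def registrable_domain(host: str) -> str:
    """Last two labels of the host: good enough for .com-style names in this example."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def suspicious_links(html_body: str) -> list[dict]:
    """Anchors whose text names a brand but whose href host is not that brand's."""
    parser = _AnchorCollector()
    parser.feed(html_body)
    parser.close()
    findings = []
    for href, text in parser.anchors:
        host = urlsplit(href).hostname or ""
        for brand, domains in BRAND_DOMAINS.items():
            if brand in text.lower() and registrable_domain(host) not in domains:
                findings.append({"brand": brand, "text": text, "href": href, "host": host})
    return findings


# Constructed message modelled on the scam mail quoted above; the redirector
# host is hypothetical.
SAMPLE_MESSAGE = """
<p>Your credit card has been charged $460.50 for the following purchase...</p>
<p>If you feel that your credit card has been billed wrongly, please visit
<a href="http://redirector.example/go?id=1234">eBay Services: Cancel Order</a>
and fill out all the needed information to cancel the order.</p>
<p>Questions? See <a href="http://www.ebay.com/help">eBay Help</a>.</p>
"""

if __name__ == "__main__":
    for f in suspicious_links(SAMPLE_MESSAGE):
        print(f"{f['brand']!r} named in {f['text']!r} but link goes to {f['host'] or '(no host)'}")
```

The check catches the first hop only. The scam then bounced victims to a page hosted at AOL, and a redirector can just as well sit on a plausibly named host, so treat a hit as a signal to quarantine and review, not as proof on its own.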


Copyright © 2000-2008, StratVantage Consulting, LLC. All rights reserved.
StratVantage – The News – 03/15/02

Cleaning Out the Old Links

I’ve got such a collection of interesting and important material that hasn’t found its way into SNS yet that I have to clean house. Here’s the best of what I’ve got.

  • Face Recognition Not There Yet: OK, I’ll probably get in trouble again for linking to The Register, but I can’t help it. It’s one of the places on the Net I find unvarnished opinions about technology. This time, they’re on about the “dismal” failure of current face recognition technology. It seems the ACLU has gotten access to system logs created by the face recognition program in use in Tampa, FL (see previous SNS discussions here and here), and what they’ve found is that it doesn’t work all that well. “The earliest logs provided by the department show activity for July 12, 13, 14, and 20, 2001. On those dates, the system operators logged fourteen instances in which the system indicated a possible match. Of the fourteen matches on those four days, all were false alarms,” the ACLU notes. This bodes ill for Minneapolis-based Visionics, the maker of the Tampa system, and other firms like Viisage. And it brings up the question of whether airports should be scrambling to install face recognition systems.
    The Register
  • Space Nukes Back in Vogue: NASA has requested funding for development of a space nuclear reactor in the 2003 budget for the first time in a decade. This doesn’t make me happy, considering that the first US space reactor, launched in 1965, operated for 43 days and remains in orbit, just waiting to rain nuclear material down on us upon its inevitable re-entry. We spent half a billion dollars on the last space nuke project, a joint NASA-Defense Department effort called SP-100, and have launched around two dozen spacecraft utilizing plutonium-powered electrical generators for missions such as the Cassini probe to Saturn, launched in 1997. NASA says they need nukes whenever moderate levels of electrical power (tens of kilowatts or more) are required in space over an extended period of time. For background see “Thermionics Quo Vadis?” a new National Research Council report on the status of thermionics, which is an energy conversion technology used in some space reactor designs. The report provides some general information on space nuclear power.
    Department of Energy
  • Pringles Cans a Security Threat? Oh, good grief! What next? Apparently you can find recipes on the Internet that teach you to make a wireless antenna out of a Pringles can or a cardboard tube. (Big whup!) You can then use it to tap into wireless networks. E-fense Inc. (no, it’s not a shady pawnbroker firm!) found 60 wide-open access points that let them see every computer on the network, just in the 10 miles between an employee’s house and their office. At the recent CyberCrime Fighter Forum 2002, Arnold Kwong of Extratelligence predicted that, despite a coming improvement over the pitiful Wired Equivalent Privacy (WEP) standard, wireless networks like 802.11b will not be secured without the use of Virtual Private Network (VPN) technology.
    Denver Post
  • .Net Compiler Security Flaw: OK, first, the way this vulnerability was announced was wrong (even a monopoly can be a victim): Software risk management firm Cigital told The Wall Street Journal of a flaw in Microsoft’s latest tools for creating Windows and .Net programs after giving the software giant a little more than 12 hours to respond. Such behavior is self-serving grandstanding, in my opinion. However, the security vulnerability was apparently pretty serious. The just-released Visual C++ .Net and Visual C++ version 7 shipped with a new compiler option meant to catch buffer overflows, one of Net miscreants’ most popular attack strategies, and the option had a flaw that let the check be defeated, so code built with it was no safer than before. Cigital said that because the compilers were just released, they wanted to warn developers before any code could get released. However, it’s unlikely that any code would have made it into production in less than a day.
  • The Worm Turns in Napster Case: I guess the beleaguered P2P file-sharing service was due to get a break. Judge Marilyn Hall Patel is allowing Napster to investigate whether the record labels sought to create a monopoly of the digital music market with their MusicNet and Pressplay digital music joint ventures. In a forcefully worded ruling in which she called both sides “dirty”, Patel wrote: “These ventures look bad, smell bad and sound bad. If Napster is correct, these plaintiffs are attempting the near monopolization of the digital distribution market.” That sounds about right to me.
    New York Times (registration required)
  • Fiddling with Napster While CDs Burn: This is the type of thing that just had to happen: People are trading Zip files containing entire albums, or even the entire output of an artist, on online trading services such as Audiogalaxy. Searching for “zip” on the service turns up more than 3,000 compressed albums.
    New York Times (registration required)
  • Domain Name Auction: As the result of a suit against Neulevel, the registry operator of the new .biz generic Top Level Domain (gTLD), 40,000 coveted domain names such as SHOW.BIZ, INTERNET.BIZ, TICKETS.BIZ and AMERICA.BIZ were auctioned last month. Interestingly, the names of the winners of these four domains are not listed in the registration records yet. Neulevel was found to be operating an illegal lottery in its method of allocating domains, and thus had to auction off all domains with at least two applicants. Oddly, I could find no press coverage of this event and only became aware of it through direct mail spam from an outfit called .bizauction. Curious.
  • Is the Web Ready for 3D? Back when I first got on the Net in 1993, I was excited about its potential for three dimensional, immersive, virtual collaborative environments. At 3CyberConf in Austin, TX in the summer of 1994, Amy Bruckman of MIT reported on MediaMOO, a text-based, networked, virtual reality environment, and I met Mark Pesce, co-creator of Virtual Reality Markup Language. VR seemed almost close enough to touch. Unfortunately, VR has remained a technology ahead of its time, always just out of reach. Only recently have connectivity and processor power caught up with the demands of this technology. Non-immersive 3D gaming has been a success (Doom, Quake), but using VR to do real work has been elusive.

    In what could be a breakthrough for the VR effort, Linden Lab is readying a product called Linden World, an online 3D environment enabled by a technology that the company claims yields a 100-fold improvement in graphics streaming techniques. “With the ability to collaboratively build and modify a 3D environment in real time, users will not simply consume content—they will create it,” the company said at the recent DEMO 2002 conference. Yeah, I’ve heard that before. Nonetheless, immersive environments may finally take off, making telecommuting an even more attractive and feasible alternative to congregating in 100-story towers.
    New York Times (really, I do read other sources!)

  • Bruce Schneier’s Recommendations: OK, I promised myself I’d lay off Microsoft on the security issue, and here’s the second item in this newsletter about it. Well, it’s only to report the sage advice of renowned security expert Bruce Schneier of Counterpane. Here’s what Bruce thinks the monopoly should do:

Office: Macros should not be stored in Office documents. Macros should be stored separately, as templates, which should not be openable as documents. The programs should provide a visual interface that walks the user through what the macros do, and should provide limitations of what macros not signed by a corporate IT department can do.

Internet Explorer: IE should support a complete separation of data and control. Java and JavaScript should be modified so they cannot use external programs in arbitrary ways. ActiveX should eliminate all controls that are marked “safe for scripting.”

E-mail: E-mail applications should not support scripting. (At the very least, they should stop supporting it by default.) E-mail scripts should be attached as a separate MIME attachment. There should be limitations on what macros not signed by a corporate IT department can do.

.NET: .NET should have a clear delineation of what can act and what cannot. The security community has learned a lot about mobile code security from Java. Mobile code is very dangerous, but it’s here to stay. For mobile code to survive, it should be redesigned with security as a primary feature.

Implementation of Microsoft SOAP, a protocol running over HTTP precisely so it could bypass firewalls, should be withdrawn.

There. That was constructive, wasn’t it? Microsoft says they’re serious about security, so I can’t imagine why they wouldn’t seriously consider Schneier’s advice.

  • EU Plans to Tax Internet Sales: Well, it had to happen: Some jurisdiction was bound to tax Net sales sooner or later. Looks like it’s sooner. Last month, the European Union Council of economic and finance ministers approved a European Commission proposal that levies a value-added tax (VAT) on digital products delivered online, including computer games and software, as well as radio or television broadcasting. What’s worse, non-EU companies will have to calculate and collect the tax, making eCommerce suddenly a lot more complicated. US Treasury officials hate the tax and are threatening to take up the matter with the World Trade Organization.


StratVantage – 02/28/02

A Bad Year for Security Incidents

 As I gear up to co-produce CyberCrime Fighter Forum 2002 on March 12th, I return my attention to the subject of security, or the lack thereof.

I was recently asked by an executive if there wasn’t a component of urban myth to all this recent emphasis on CyberCriminals (crackers, script kiddies, virus writers and the like). Were there really that many attacks on systems? Are viruses really the problem the anti-virus vendors make them out to be? Are security breaches really costing business the millions of dollars reported?

These are all good questions. Of course we shouldn’t take all the hype and hysteria on faith. There are many in the industry for whom crying wolf is self-serving. Nevertheless, there are many sources of somewhat objective information on security breaches.

One of the most difficult aspects of CyberCrime to pin down is the amount of actual damages. You’ll find estimates all over the map, from the FBI’s estimate that computer losses are up to $10 billion a year to Computer Economics’ estimate that the worldwide impact of malicious code was $13.2 billion in 2001. Computer Economics stated that the biggest losses were caused by SirCam ($1.15 billion), Code Red (all variants $2.62 billion), and NIMDA ($635 million).

Estimates are fine, but published reports of actual losses are better. However, most corporations would rather be summoned before Congress than admit to a security problem. Of course, if they can use a security breach to justify bad fiscal performance, like CryptoLogic did, that’s another story. CryptoLogic, a Canadian maker of gambling software, reported a 10 percent drop in fourth-quarter revenue primarily due to a charge taken as the result of a security breach.

So where are these threats coming from? Most people point to CyberCriminals on the Internet, but they may be only a small part of the problem. The FBI and the Computer Security Institute performed a survey on CyberCrime and found that 81 percent of corporate respondents said the most likely source of attack was from inside the company. This confirms the conventional wisdom among security administrators that the biggest problem is your own employees or contractors. And according to an @stake Security research report entitled The Injustice of Insecure Software, 30 percent to 50 percent of the digital risks facing IT infrastructures are due to flaws in commercial and custom software. According to CERT®, security vulnerabilities more than doubled in the last year, from 1,090 holes in 2000, to 2,437 reported in 2001. Likewise, the number of reported incidents also drastically increased from 21,756 documented in 2000 to 52,658 in 2002.

This year is very likely to be worse, according to SecurityFocus co-founder and CEO Arthur Wong, who spoke recently at RSA Conference 2002. According to Wong, around 30 new software vulnerabilities were discovered each week in 2001, and this represented a decrease in the trend that produced a doubling of new vulnerabilities each year for much of the late ’90s. He expects 2002 to bring a return to old growth rates, and predicted that 50 new software security holes will be found each week in the coming year.

Michael Vatis, the former director of the National Infrastructure Protection Center (NIPC), agrees, saying, “The rate of growth of our vulnerabilities is exceeding the rate of improvements in security measures.” He’s most worried about CyberAttacks that could bring down ATMs, power grids and public transportation systems.

If you’d like to get a near real-time picture of attacks worldwide, check out SecurityFocus’ ARIS Predictor. This service shows the actual number of incidents worldwide based on a sample of installations that contribute log information.

Against this rising tide of attack reports is a contrary stat: Security breaches and hacking attacks have actually decreased since the September 11 terrorist attacks, according to the Federal Computer Incident Response Center (FedCIRC). FedCIRC shows just 15 incidents of intruder activity reported in December 2001, less than a third of that recorded in December 2000.

Where are all these attacks coming from? It turns out Europe is a virus hotbed, according to a report from mi2g’s Intelligence Unit. The Continent accounts for 57 percent of the world’s malicious code writing activity, with 21 percent originating from Eastern Europe, including Russia. While conventional wisdom may tell us otherwise, North America only accounts for 17 percent of viruses developed, and the Far East only 13 percent. The most prolific virus writers, according to the report, are Zombie, author of the Executable Trash Virus Generator; Benny from 29A virus group and author of the .Net Donut virus; Black Baron, author of Smeg; David Smith, author of Melissa; and Chen Ing-Hau, author of CIH.

So the solution for businesses is to stay alert, and stay patched. Make sure you’re always running the latest antivirus software and the latest patches on your operating systems and applications. However, Alan Paller, director of Research at the SANS Institute, said, “There are certain attacks that nobody can block. . . . If your people aren’t absolutely, all the time on the latest patches, you’re going to get hit.”

So hey, hey, hey! Let’s be careful out there! If you’re in the Twin Cities on March 12, be sure to attend the CyberCrime Fighter Forum 2002 and learn more about how you can be safe.

Briefly Noted

  • Shameless Self-Promotion Dept.: Did I mention CyberCrime Fighter Forum 2002? Also, in conjunction with the new CTOMentor paper, Basic Home Networking Security, we’re running a survey on home networking policies and procedures. The first survey cycle closed yesterday, but you can get in on the second, which will run through March 11. CTOMentor is also offering a two-part white paper on peer-to-peer technology: Peer-to-Peer Computing and Business Networks: More Than Meets the Ear. Part 1, What is P2P?, is available for free on the CTOMentor Web site. Part 2, How Are Businesses Using P2P?, is available for $50.
  • International Reach: A note from a reader in Guam prompted me to check out the subscription list and see where in the world SNS is going. There are subscribers in Australia, Canada, Germany, Greece, Guam, India, Italy, Japan, and the UK. Besides noting the obvious country suffixes on some of the email addresses, I used a cool tool called VisualRoute to determine subscribers’ locations. Alert SNS Reader Bob Burkhart let me know about this program. You type in a URL or an email address, and it shows you all the network hops between your computer and the target. That’s not spectacular, but what is nice is that VisualRoute looks up the DNS records on the final computer and pulls out any location information, which it reports to you. The bad thing about this software, which is free for trial use, is that it doesn’t clean up after itself completely when you exit it. On a Windows 2000 machine it left MsPMSPSv.exe (the Microsoft Digital Rights Manager) and wjview.exe (Microsoft VM Command Line Interpreter) running after it exited. I recommend using your software firewall (What’s that? You don’t have a software firewall? Get one! And read the new CTOMentor paper on home network security) to grant only one-time access to the Internet for the various programs VisualRoute uses (including vrping1.exe and vrdns2.exe), just to be safe.
  • Microsoft As Security Threat: I missed this item from the irreverent UK site, The Register, back in December. They pull no punches in describing Microsoft as a bigger threat to security than Osama Bin Laden. Read the article and see if you agree.
    The Register
  • MessageLabs Says Viruses on the Increase: MessageLabs, which sells a hosted antivirus service for email, reported that it detected one virus per 370 emails in 2001, compared to one in 700 in 2000 and one in 1400 in 1999. The 2001 total of 1,628,750 infected emails that MessageLabs detected broke out this way:
    • More than 500,000 were infected with the SirCam.A virus
    • 258,242 with BadTrans.B
    • 152,102 with Magistr.A
    • 136,585 with Goner.A
    • 90,473 with Hybris.B.


StratVantage – The News 02/20/02

Handhelds in Health Care

 Wireless is one of those technology areas that always seems to be impending. Each of the last two years has been the year of wireless according to industry boosters. Pundits and prophets breathlessly report each twist and turn in the story. Yet when wireless nirvana hasn’t arrived, detractors have declared wireless a technology in search of a problem.

Wireless is here; so’s the gear. Get used to it.

Want proof? Take a look at health care, particularly in the hospital setting. Now there’s an information management problem. You’ve got doctors roaming around from room to room, changing orders, taking notes, and making life and death decisions. You’ve got nurses and other medical professionals monitoring patients, administering treatments and medications, and sometimes trying to figure out what the doctor said. Hospitals run on information, and the reliable transmission of information.

It’s critical to make sure that all this information is accurate, timely, and always available. That means most hospitals are in the paper shuffling business. Medical records departments are awash in it. For example, the RehabCare Group in St. Louis, an outsourcing staffing firm with 2000 therapists working at nearly 500 sites estimates that their therapists were writing and faxing an average of 3,000 pages of information each week. Many hospitals and clinics spend lots of money on keying services to convert the paper to bits so that the information can be managed.

Some hospitals today are digitizing the information at the source: the doctors and the nurses who care for patients. According to the Doctors Say E-Health Delivers study conducted this fall by the Boston Consulting Group and Harris Interactive, 89 percent of physicians use the Internet, 22 percent use electronic medical records to store and track information about their patients, and 11 percent are prescribing drugs electronically. The study further found that doctors were planning on adopting electronic information practices at a rapid rate.

Many of these forward-thinking doctors are going mobile. For example, about 30 doctors at the University of Minnesota have been testing a modular mobile Electronic Medical Records (mEMR™) software program designed by AllScripts Healthcare Solutions. The modular nature of the AllScripts solution allows doctors to start using one solution and progressively add others. The company offers the following modules:

Using the AllScripts TouchWorks™ Dictate system, the Minnesota doctors record patient notes on wireless-enabled Compaq iPAQ Pocket PCs, creating an audio file that is sent wirelessly to medical transcribers through the hospital’s radio frequency network. The software supports dictation templates that can be customized to match hospital forms.

If the doctor strays outside the hospital’s radio network, when he or she enters an area with a wireless transceiver, the data is transmitted automatically. This is especially helpful since the University of Minnesota’s physicians work in more than 150 clinics around the state. Currently, 38 of the clinics are equipped with wireless equipment to capture data and transfer it to traditional land-based networks. The uploaded information is accessible to doctors and others through a Web site using their handhelds or office computers.

The physicians group plans to introduce the software’s other functions over a period of time, said Todd Carlson, Chief Operating Officer. After implementing medical transcription, the group will expand to electronic laboratory results, billing, scheduling, patient care and referring physician information.

Security of the data was a normal concern, and one that will become even more important once the HIPAA (Health Insurance Portability and Accountability Act of 1996) regulations come into effect. “We are really afraid of hackers because we’re on a college campus and we’re afraid students will attempt to hack into our wireless system,” said Carlson. “We did a hacking audit with Ernst & Young at an additional cost because we wanted the system to be safe and secure.”

The RehabCare Group in St. Louis is in the process of equipping as many as 1,500 of their workers with Palm Pilots, according to Senior Vice President and CIO Jeff Roggensack. The company developed a custom application that works with Palm handhelds. “It streamlines the data collection process for our therapists working in the field, and eliminates the faxes, data entry, delays and handwriting errors experienced with the paper-based system used previously,” said Roggensack. Currently, the workers synch their Palms with desktop PCs for transmission, although wireless access is planned for the future.

Today, 19 percent of physicians own personal digital assistants, and that number should exceed 40 percent by 2005, according to Fulcrum Analytics. A Forrester survey of 44 medical practice managers for a report titled Doctors Connect with Handhelds, found that physician practice managers are actually “overexuberant” about the potential of using mobile computing devices. If their predictions turn out to be true, 86 percent of practices will be processing prescriptions on handheld computers by 2003, whereas only 11 percent of practices do so today. Forrester predicts the market for mobile physician software, devices and management will grow from a $21.4 million market today to a $1.6 billion market in 2007.

According to Taking the Pulse v 2.0: Physicians and Emerging Information Technologies by Fulcrum Analytics and Deloitte Research, more than half of all physicians who responded to a survey hope to view lab results via their PDAs in the future. Of the 30 percent who report that they currently own a PDA, 84 percent maintain their personal schedules and 67 percent manage their professional scheduling through the device.

So the docs are on the leading edge, and are impatient for more wireless applications. They’re not the only ones. Wireless has applications in many industries, according to Summit Strategies analyst Jennifer DiMarzio. DiMarzio suggests considering the use of mobile wireless technology if the location of your workers, or of their next assignment, changes frequently; if timely information improves productivity; and if your company can improve billing if employees can instantly record the work as they finish it.
City Business

Briefly Noted

  • Shameless Self-Promotion Dept.: CTOMentor has published a new paper called Basic Home Networking Security that should be of interest to anyone who wants to access at-work networks from home. The paper covers, in plain language, types of threats and secure home networking practices, and describes the basic home network security toolkit every home user should have.

    CTOMentor is also offering a two-part white paper on peer-to-peer technology: Peer-to-Peer Computing and Business Networks: More Than Meets the Ear. Part 1, What is P2P?, is available for free on the CTOMentor Web site. Part 2, How Are Businesses Using P2P?, is available for $50.

  • Kmart Supply Chain at Fault: Kmart CEO Chuck Conaway blamed many of Kmart’s problems on its supply chain. In September, Kmart wrote off $130 million for supply chain hardware and software and another $65 million for replacing two distribution centers. It didn’t help them avoid bankruptcy court. Nonetheless, Kmart plans to spend $1.7 billion or so on a project to improve the flow of goods to store shelves.
    Internet Week
  • Defacement Tracking Site Owner Steps Aside: The operator of a great resource for keeping tabs on Web site defacements (changes in Web pages caused by cybercriminals) is calling it quits. The Web site, which archives copies of defaced Web pages, announced that its founder would be retiring and the site moved to a new domain. Stefan Wagner said that dealing with system administrators who blamed for their defaced sites, denial-of-service attacks launched against his site, and a lack of a social life made him hang up his spurs. The site will move to in early March and be run by two staffers and volunteers.


StratVantage – The News – 02/04/02

The Next Internet?

The Internet started out life as a way for major universities and government research centers to communicate and collaborate. Imagine the mixed feelings with which researchers viewed the tremendous explosion of the Internet since it was commercialized, after 25 years of relatively slow growth, in 1994.

On the one hand, there is now more information available on the Internet than anyone thought possible back when the first four Internet nodes went live (UCLA, Stanford Research Institute (SRI), University of California Santa Barbara (UCSB), University of Utah).

On the other hand, the commercial Internet is so busy and growing so rapidly, it’s hard for researchers to get the bandwidth they need for really large projects.

Today’s Internet doesn’t:

  • Provide reliable end-to-end performance
  • Encourage cooperation on new capabilities
  • Allow testing of new technologies
  • Support development of revolutionary applications

The Internet was not designed for the congestion caused by millions of users. It wasn’t designed for multimedia or even for real time interaction. Yet these are the characteristics of today’s Internet.

Faced with these limitations to innovation, Internet2 was formed in 1996 as a consortium led by universities working in partnership with industry and government to develop and deploy advanced network applications and technologies.

The consortium’s mission is to develop and deploy advanced network applications and technologies, accelerating the creation of tomorrow’s Internet. Each university pays $500,000 to $1 million or more a year to gain access to Internet2 and upgrade its campus network.

At a recent seminar sponsored by the University of Minnesota Management Information Systems Research Center, Myron Lowe of the University of Minnesota’s Office of Information Technology described the Internet2 effort and some of the applications being developed using it. According to Lowe, there are now 187 member universities, 70 member corporations, and 28 GigaPoPs (high speed access points) on Internet2. The backbone network, dubbed Abilene, is a 2.5Gbps backbone covering more than 10,000 miles coast to coast.

One of the important uses of Internet2 is videoconferencing, with several major telepresence initiatives taking advantage of the new network’s bandwidth. One such effort is the Access Grid, which has 81 nodes. The Access Grid supports large-scale distributed meetings, collaborative work sessions, seminars, lectures, tutorials and training and focuses on group-to-group communication rather than individual communication.

Another effort is the Virtual Rooms Videoconferencing System (VRVS), a project of CalTech and the CERN Lab in Switzerland (which gave us the World Wide Web). VRVS provides a worldwide videoconferencing service and collaborative environment to the research and education communities over Internet2. The system includes more than 6,150 registered hosts in more than 50 different countries and hosts an average of 190 multipoint videoconference and collaborative sessions worldwide each month.

A related Internet2 application is tele-immersion, being developed by the National Tele-immersion Initiative (NTII). This effort, led by VR pioneer Jaron Lanier, aims to enable users at geographically distributed sites to collaborate in real time in a shared, simulated environment as if they were in the same physical room.

Rather than transmitting live images of participants, the technology creates a new environment for participants to interact in. In a tele-immersive environment computers recognize the presence and movements of individuals and objects, track those individuals and images, and then project them in realistic, immersive environments. This allows participants to interact with nonexistent objects, like simulations or models.

Other applications include tele-operation of an electron microscope, real-time 3D brain mapping, interactive courseware by North Dakota State’s WWW Instructional Committee, and the Visible Human, a three-dimensional, computer-generated cybernetic body, that can be viewed from any angle, dissected and reassembled by anatomy students, or used as a model to study the growth of cancer cells. Astronomers can also control the famous telescopes on the top of Mauna Kea in Hawaii from their desktops.

What’s in store for the Internet2? First of all, more bandwidth. Lowe said the Abilene backbone will be upgraded to 10 gigabits/second and employ new multiple wavelength capabilities by next year. Also in store is competition. European researchers were recently given access to GÉANT, a gigabit research network serving more than 3,000 European academic and research institutions that will eventually operate in 32 countries. But will the masses ever be let on to Internet2, inevitably forcing the researchers to build Internet3? Not necessarily. The Internet2 is based on the same high speed fiber-optic circuits available to anybody. It’s the technology that runs it that’s important. Thus, it’s likely that, rather than giving Internet users physical access to Internet2, the consortium will migrate the new technologies developed on Internet2 onto the existing Internet. Among these technologies is Internet Protocol version 6 (IPv6), which will be the subject of a future SNS.

For now, Lowe said, one of the true pleasures of Internet2 is no pop-up ads. I doubt that researchers would ever give that up.
New York Times (registration required)

Briefly Noted

  • Shameless Self-Promotion Dept.: StratVantage has launched a new service, CTOMentor™, designed to allow Chief Technology Officers and other technical leaders to get rid of the Guilt Stack, that pile of magazines you’ll get around to reading someday. CTOMentor is a subscription advisory service tailored to customers’ industry and personal information needs. Four times a year CTOMentor provides a four-hour briefing for subscribers and their staffs on the most important emerging technology trends that could affect their businesses. As part of the service, subscribers also get a weekly email newsletter, Just the Right Stuff™, containing links to the Top 10 Must Read articles needed to stay current. These and other CTOMentor services will let you Your Inbox™.

    As part of its launch, CTOMentor is offering a two-part white paper on peer-to-peer technology: Peer-to-Peer Computing and Business Networks: More Than Meets the Ear. Part 1, What is P2P?, is available for free on the CTOMentor Web site. Part 2, How Are Businesses Using P2P?, is available for $50.

  • SSPs Bite the Dust: IDC recently published an analysis of the Storage Service Provider marketplace, which has had a rash of company failures. Does this mean the “storage on demand” idea of locating your storage on someone else’s machines on the other end of a network wasn’t viable? As a standalone business model, it may not be. But IDC states that “the original SSP model now is being adopted by the likes of IBM Global Services, EDS, BellSouth, Qwest, AT&T, and other outsourcing and telecommunications firms.” By combining SSP services with a larger package of services such as Web hosting and telephone services, these firms stand a good chance of wringing some profit out of the concept, according to IDC. IDC has historically been quite bullish on the SSP idea, but is now revising their original February 2001 SSP forecast downward from $10 billion worldwide through 2005. Nonetheless, IDC projects nearly 50% compound annual growth rate (CAGR) for 2001 through 2006 for the total managed storage services market, which includes storage managed on a customer’s own site.

    The company doesn’t say why we should believe this estimate, when the one from a year ago was so inaccurate.

  • European 3G Operator Relief: Much has been made of the lead European countries enjoy in the penetration and use of wireless technology. But European wireless operators have faced a crisis of their own making. When various European governments held auctions for wireless bandwidth for development of 3G (Third Generation) wireless services, wireless operators bid the prices into the stratosphere. This saddled many operators with billions of euros of debt or investment, and as a result has hampered their ability to actually develop 3G services (which include high speed data access, location-based services, and eventually, wireless video). To date, only one small trial 3G network, on the UK’s Isle of Man, has gone operational, serving only 200 devices. So the second-most advanced wireless region (after Japan) is virtually dead in the water. Recently, European regulators have eased license fees and taxes to try to get the industry moving again. France has drastically reduced the license fees and changed future payments to a performance-based royalty scheme. Spain has cut their radio spectrum tax, and the Italian government is considering extending the country’s five 3G licenses from 15 to 20 years. Japanese wireless innovator DoCoMo is experiencing its own problems. The company’s sales target is 150,000 3G users by March, but it only sold 11,000 3G handsets in October, when its 3G service, FOMA, went live with regional coverage. DoCoMo launched a popular trial video service, imotion, in November that will run through March. But just a week into the trial, the company had to recall 1,500 NEC N2002 handsets due to a software problem. The glitch destroyed users’ e-mails, content based on Java, call records and some of the handset’s personalized settings.

    The imotion service offers three types of multimedia files for download: full-motion videos, such as sports clips and trailers; slide shows of still pictures; and pure audio. DoCoMo has signed 28 content providers including Sony Music and Fuji TV. However, the FOMA revenue hasn’t met expectations as customers are still using their old cell phones to make voice calls less expensively. DoCoMo has also launched a Location-Based Service (LBS) called DLP, and has moved to license its technology in the Netherlands and Belgium.
    Third Generation Bulletin, December 2001, volume 3, issue 12

  • New Top Level Domains Go Live: Four of the seven new gTLDs (generic Top Level Domains) have gone live since September. Here’s a table of the “Go live dates” for the new global domains:
    TLD        Go live date
    .info      September 23, 2001
               November 7, 2001
    .name      January 15, 2002
    .coop      January 30, 2002
    .museum    Demonstration: November 14, 2001; Full Operations: mid-July, 2002
    .aero      not clear (Stage 1 registration March-Apr 2002)
               ICANN agreement not yet complete

    Both .info and .name registrars claim they had 500,000 names registered about one month after going live. Hardly a land rush.

  • Office XP Hates ZoneAlarm: Alert SNS Reader Jeff Ellsworth sends along this complaint: Why would Microsoft release an Office XP Service Pack with a known conflict with a popular personal firewall? I don’t have an answer for him, and neither do Microsoft or ZoneLabs, maker of the ZoneAlarm firewall. Seems that if you don’t totally uninstall ZoneAlarm before applying the Office XP Service Pack, you won’t be able to access the Internet afterwards. Microsoft points users to ZoneLabs, and ZoneLabs, well, they’re kind of silent on the issue. Jeff tried their tech support, which, for free users, only accepts emails and says they’ll get back to you within five days. He tried upgrading to ZoneAlarm Pro, which gets you an answer in one to two days. Finally, after trolling the newsgroups, he found the instructions on really uninstalling ZoneAlarm, which turned out to be on the ZoneAlarm site as part of a resolution to conflicts with a Windows XP install.

    ZoneLabs’ uninstall program doesn’t really, totally, absolutely uninstall ZoneAlarm. You have to muck about in the registry and also search your disk for possible orphan files. Add to this the fact that, if you use Microsoft’s install off the Net option for the service pack, your computer is unprotected while you download and install the service pack. Unfortunately, this kind of issue is typical. Doesn’t anyone care about the poor user?


StratVantage – The News – 01/30/02

Just Some Short Ones

This time, we’ve got several shorter articles on topics of interest.

  • Memory Goes 3D: Thomson Multimedia announced it will use three-dimensional write-once memory from Matrix Memory in memory cards that can be used to store digital photos or music. Matrix Memory’s patented technology allows them to build 3-dimensional memory by stacking memory arrays vertically, like towers of blocks. The resulting structure can store data for more than 100 years. The technique promises even higher memory density in the future as Matrix adds more layers onto the same chip.

    Using existing technology, you can already plug half a gigabyte of memory into the same PC slot that used to hold 36MB or 64MB. Things will really get interesting when you can plug a terabyte into the same slot. (Don’t worry. Software developers will find a way to fill all that memory.)

    I’ve written before about carbon nanotube memory and Nantero, which has a patented process for producing it. If commercialized, this technology will leave silicon-based techniques, like Matrix’s, in the dust. So even an innovation like the Matrix card could have a short shelf life. Although the Matrix cards plug into cameras, Thomson is working on card readers that will allow consumers to view digital photos on a television as well as in cameras and computers, said David Geise, Thomson’s vice president of accessories products. Plus, the cards will cost about $10, which is less than a third of the price of similar flash memory cards. The advantage of flash memory, however, is that you can erase and rerecord data on them, unlike the Matrix cards, which record the data permanently.

  • Cute Intel: The CIA’s own technology “accelerator”, In-Q-Tel, is getting more and more involved in technologies that can process massive amounts of data and highlight potential terrorist activities. In-Q-Tel (the Q honors James Bond’s gadget master) was started by the CIA in 1999 to find new technologies that might be useful to the Agency’s mission. It’s not the biggest VC in the world, with about $30 million a year to invest, but post-9/11 it has shown increasing interest in technologies that can make connections in massive amounts of information. For example, search engine Northern Light has teamed with In-Q-Tel to develop an advanced multilingual search system that will crawl Web sites identified by classification experts, create a database of relevant information and employ Northern Light’s multiple-factor relevance ranking algorithm to order the results. The CIA is also experimenting with data analysis software used by some casinos that tracks gambling cheaters. The Company will use the software to detect suspected terrorists and their associates when they make airline, hotel or rental-car reservations. The software, developed by Systems Research & Development Inc. (SRD), searches major computerized reservations and global distribution systems looking for non-obvious relationships. SRD said it can check a passenger’s name, address, phone number and other identifying information against those of suspected terrorists. The largest prototype examines data from 4,000 sources with information on about 1 million people.

    If this sort of application doesn’t make you shiver, consider other potential uses, such as finding tax cheats, or contributors to unpopular causes, or people critical of government policies.

  • Faster Wireless: Intersil Corporation has announced the first chip set designed to support the IEEE 802.11g draft standard. Big deal, you say? Well, 802.11g is way faster than 802.11b, AKA Wi-Fi, which pokes along at a measly 11Mbps. The new chip set, operating in the 2.4 GHz band, will enable data transmission speeds of up to 54Mbps. That’s more than half the speed of the fastest widely-deployed wireline LANs, which run at 100Mbps, and 1,024 times as fast as a 56Kbps modem. As if that’s not enough, the new chip sets will have a 30 percent range advantage over similarly speedy 802.11a systems and will consume less power.

    This technology will first be seen in PC Card-based systems for laptops, but it won’t be too long before the chip set is built into more-portable devices, like PDAs and cell phones. Lest we get too excited, the new standard is still a short-range connectivity solution; coverage is likely to be about 100 feet vs. 300 feet for 802.11b.
    802.11 Planet

  • New Jargon – Digital Hubs: These days hardly a week goes by without a new buzzword. Well, here’s the latest: digital hubs. These are home-based wireless transmitters that let consumers manage, store and distribute a vast amount of content, including TV broadcasts, movies, audio and Web information. These devices, typically 802.11-based, will let you distribute on-demand content to anywhere in the home, and, intentionally or not, to your immediate neighbors, or, if you like, over the Internet.

    Of course, there’s trouble in paradise, in the form of content owners who foresee another Napster disaster. (OK, I won’t argue at this point whether Napster really was a disaster or not.) The Copy Protection Working Group, a consortium of TV networks, Hollywood studios, and consumer electronics firms, wants all content tagged, supposedly invisibly and inaudibly, so TVs, DVD players, personal video recorders, and other devices could prevent a broadcast from being stored digitally. They want to use a Digital Rights Management (DRM) scheme similar to the Digital Transmission Content Protection (DTCP) method created by Intel, Hitachi, Sony, Toshiba and Matsushita. DTCP, however, is focused on wireline connectivity.

    Although many in the entertainment device industry think that encrypting and decrypting wireless transmissions might be too large a computational challenge for consumer grade equipment, unfortunately, RSA, a leading security firm, recently announced Fast Packet Keying, a technique that allows individual wireless data packets to be encrypted and decrypted rapidly. So it won’t be long before Disney gets to say whether you can transmit the latest *NSync concert up to Junior’s computer so you don’t have to watch it in the living room.
    802.11 Planet


StratVantage – The News – 01/23/02

 Choosing a Cell Phone

Alert SNS Reader Roger Hamm wants to know what to do about PDA/cell phone convergence. Is it time to make the jump, or does it make sense to wait until new services such as GPRS (General Packet Radio Service) become available?

With the average cell phone user getting a new phone every two years or so, it’s likely that anything you buy today will be replaced soon enough anyway, so there’s little risk in buying a phone today, at least for the cheaper ones. With the PDA-integrated phones costing north of $300, however, the decision becomes a little harder.

The only reason to wait to buy a normal phone would be to see if AT&T Wireless (now independent of its famous parent) gets its act together with GPRS. From a pilot in Seattle a little more than six months ago, the company has added eight markets and plans to serve about 40 percent of current customers with GPRS by the end of the year, and serve all its markets by the end of 2002. So they’re making progress.

So what’s so cool about GPRS? Well, first of all, data rates are faster than the 2G (Second Generation) digital wireless system you undoubtedly have today. With a normal phone, data access is pretty limited, about 9.6Kbps or roughly five to six times slower than a 56Kbps modem. With GPRS, you could use up to four 9.6Kbps timeslots, yielding throughput of up to about 38.4Kbps, which is comparable to the speed you get when uploading using a 56Kbps modem. You’ll see vendors claiming much faster access. In the real world, however, it’s unlikely you’ll ever get all four available slots, so your mileage may vary. In fact, you could be sharing timeslots with other users, since GPRS doesn’t require a dedicated slot, but rather acts more like a normal IP network and sends traffic when it can. These limitations notwithstanding, you at least have a shot at faster throughput.

Of course, the question is, what will you do with that throughput? On the dinky little screens available on most phones, I’d say not much. I’ve got Internet access on my phone and couldn’t be less interested in slogging through dozens of screens to look up a movie time, for example.

Undaunted by the real challenges of the crippled cell phone user interface, AT&T promotes these advantages for GPRS:

  • Wireless access to information and e-mail. AT&T wants you to believe that mobile workers can have access to corporate applications, email, and intranets or the Web. Of course, you can do that today, just not easily.
  • Voice calling on the world-standard GSM network. The GSM standard is in use in over 150 countries around the world. Unfortunately, not every GSM system uses the same radio bandwidth, so this advantage is softened.
  • Constant connectivity. Unlike the kludgy Web access available on current phones, which require you to stop talking and initiate a data connection first, GPRS offers instant access to the data network. Once in data mode, you are ready to send or receive data in real time since there’s no dial-up required to connect to the network. The company falls short of claiming you can talk on the phone and surf the Web at the same time.
  • Pay only for the data you use. This “advantage” could turn into a disadvantage. Palm started its Palm VII wireless service with a similar scheme, although AT&T users only pay for the amount of transmitted data rather than network connect time. AT&T is bundling 400 voice minutes with a megabyte of download for $50. However, users don’t like variable cost Web access, so we’ll just see how long this business model lasts.
  • Powerful, easy-to-use devices. The AT&T Wireless GSM/GPRS network supports a variety of devices, including phones and GSM/GPRS PC Card modems, for use with a Pocket PC or a laptop computer.
  • Long battery life. Characteristics of the AT&T Wireless GSM/GPRS network provide for more efficient battery use.
  • Secure and reliable transmissions. The AT&T network provides encryption and authentication for enhanced voice and data transmission security, and packet data technology for reliable transmissions. We’ll just see how secure it is.
  • Get customers to pay for 3G network upgrade. This benefits AT&T mostly, of course. By doing the GPRS upgrade, AT&T will incur most of the expense of offering advanced 3G wireless services and get revenue in the process. “We’ve got to install switches, new antennas and software,” AT&T Wireless spokesman Ritch Blasi says. “As we move to deploying EDGE [Enhanced Data rates for Global Evolution, a rather grandiose name for the next level of technology], that’s a software upgrade.” The final evolution to UMTS (Universal Mobile Telephone System), or full 3G technology, will involve software and minor hardware upgrades. Unfortunately, UMTS is only one of at least three technologies competing to be the 3G standard worldwide.

AT&T is not the only wireless player to have GPRS capability, although they were the first.

Cingular Wireless has started migrating its network to EDGE technology that supports speeds as high as 384Kbps. Sounds great, but their first step is to install GSM and GPRS technology on top of its TDMA (Time Division Multiple Access) and analog networks, just like AT&T. Cingular has already employed GPRS in some markets, including Seattle and Las Vegas, the Carolinas, eastern Tennessee and coastal Georgia.

Voicestream, the US’s largest GSM network, said its new GPRS-based iStream network operates at 40 Kbps, and is available nationwide. They are charging $5 per month for a megabyte. Currently, the service only works with the Motorola P280 and T193 wireless phones.

Sprint plans on skipping directly to true 3G services, offering speeds of up to 144 kbps, and nationwide. It remains to be seen if this is the smart move or not.

So is it worthwhile to wait until GPRS is available? Hard to say. The PDA/cell phone converged devices are already available for current wireless networks (of course, not including the one I use, AT&T). They’ll have larger screens and make it somewhat less annoying to use the Internet. Many of the currently available combo units even feature the Palm operating system.

If you don’t want to wait, Sprint has the Kyocera phone, and I’ve talked to several people who have it and love it. It’s fatter than a phone and skinnier than a Palm V. The screen is approximately two-thirds the size of the Palm V, but it beats trying to fit a Palm and a phone in your pants pocket. Another alternative is the Samsung phone (reported in a previous SNS) which is Palm-based with a color screen, but which is a little pricey ($499).

Sprint also has an add-on module for the Handspring PDA that turns it into a phone (reported in a previous SNS). I’ve heard good things about it, but don’t know anyone who has it.

Verizon offers the cool Motorola V200, which is a pager on steroids. This is an example of the engineers not understanding their true role in life. About a year ago Motorola announced that they’d have a converged phone by 2003 or 2004. I thought, what the heck? Their lunch will be all eaten by then. Well nobody told the pager guys it was hard to do. So they just slapped a phone into their text pager, and voila! Convergence.

Verizon also offers the Kyocera phone.

Voicestream’s network coverage is improving, but still lags the others. They offer the Motorola V100, similar to the V200.

Cingular offers a cool Motorola phone, but their coverage is not nationwide, although they claim more than 21.2 million customers in 38 states, and 42 of the top 50 markets nationwide, covering more than 93 percent of the urban business population located in 492 Metropolitan Statistical Areas (MSAs) and non-MSAs with a total population of 200 million people. They sound a tad defensive, don’t they? And they’re not in Minneapolis, so what does that tell you?

BTW, Cingular has by far the worst Web site of the bunch. Wringing any significant information out of it is an achievement.

Several regional wireless players also have cool phones. For example, Qwest offers the Kyocera phone. Qwest’s coverage is quite limited, however, and does not include Illinois, for example.

And we can’t forget our favorite software monopoly. Microsoft is pushing its SmartPhone technology, but I’m not aware of any major phone maker who is planning on releasing it in a phone.

So the answer to Roger’s question is: If you’re willing to plunk down $400 to $500 on a converged device that might be obsolete as early as the end of this year, go for it. For my money, I’d get a Handspring with the plug-in module. It’s a bulkier, more expensive package, and the antenna could poke holes in your pants, but at least you’ve got a shot at selling the module on eBay once it becomes obsolete.

Briefly Noted

  • Shameless Self-Promotion Dept.: StratVantage has launched a new service, CTOMentor™, designed to allow Chief Technology Officers and other technical leaders to get rid of the Guilt Stack, that pile of magazines you’ll get around to reading someday. CTOMentor is a subscription advisory service tailored to customers’ industry and personal information needs. Four times a year CTOMentor provides a four-hour briefing for subscribers and their staffs on the most important emerging technology trends that could affect their businesses. As part of the service, subscribers also get a weekly email newsletter, Just the Right Stuff™, containing links to the Top 10 Must Read articles needed to stay current. These and other CTOMentor services will let you Burn Your Inbox™.

    As part of its launch, CTOMentor is offering a two-part white paper on peer-to-peer technology: Peer-to-Peer Computing and Business Networks: More Than Meets the Ear. Part 1, What is P2P?, is available for free on the CTOMentor Web site. Part 2, How Are Businesses Using P2P?, is available for $50.

  • All Things Must Pass: Microsoft has announced that it is ending support for Windows 95. The operating system has entered the “Non-Supported” phase of Microsoft’s product lifecycle. This means only online support is offered, and good luck getting any bugs fixed. Expect other software vendors to follow suit and drop support for Win95 versions, like Black Ice Defender did recently. Win95 was the last Microsoft OS that ran decently on 486 machines, so it’s time to either donate those machines to a good cause or load Linux on them. The following OSes are either non-supported or scheduled to be:

    MS DOS x.xx (December 31, 2001)
    Windows 3.xx (December 31, 2001)
    Windows 95 (November 30, 2001)
    Windows NT 3.5x (December 31, 2001)
    Windows 98/98 SE (June 30, 2003)
    Windows NT 4.xx (June 30, 2003)


  • Let Me Roll You: Alert SNS Reader David Dabbs sent along an article about Rolltronics Corporation and Iowa Thin Film Technologies, who recently demonstrated the first working silicon transistors made using a new “roll-to-roll” manufacturing technique. In this process, a continuous sheet of flexible polymer is unrolled from one spool, covered with silicon circuit designs, and collected on another spool. Such cheap, thin electronics could be incorporated into radio-frequency ID tags (see the Auto-ID entry in the TrendSpot), digital X-ray detector panels, biometric sensors and flat screen displays.
    Technology Review


StratVantage – The News – 01/10/02

 You’re Hit. What Next?

The hackers have hit; your systems are down; now what? Many firms these days face this scenario. There are lots of issues here, but one of the biggest involves what to do immediately after the attack.

If you think you may want to prosecute the miscreant(s), it is critical to preserve the evidence so it can be used in court.

Your initial impulse is to just get up and running again, and that’s understandable, especially if mission-critical systems are hit. But if you want to press a court case, you need to understand computer crime forensics, the science of reconstructing the cyberattack and establishing a chain of evidence back to the attacker.

There are three places to be concerned about forensics: on the perpetrator’s computer, on the compromised computer and on the network devices in between the two.

A big advantage in unraveling the attack and possibly identifying the perp is access to system logs. Thus, it makes sense to store copies of important system logs on other computers, since crackers can edit logs on compromised systems to remove traces of their actions.

You should also:

  • Restrict physical access to the area to preserve fingerprints
  • Unplug any phone lines that could dial in to the attacked computer
  • Unplug the computer from the network
  • Photograph the scene, including connections to any peripherals, for later reference if the machine needs to be disassembled for examination
  • If the computer is off, don’t turn it on; if it’s on, don’t reboot it, as this could launch viruses or time bombs. Merely turning on a Windows computer changes timestamps and other important evidence, for example.
  • Avoid accessing any files on the compromised machine as that changes access timestamps.

After immediately securing the area and the computer, call in a network forensics specialist. These are high-priced consultants who can advise you further on evidence preservation. Mark Lanterman, CEO of Computer Forensics, said in a recent presentation that many times the best thing you can do is pull the electrical plug on the affected machine. Then a forensics specialist can use special software to make an exact image of the drive, preserving the evidence for later use in court. Killing the power and replacing the hard drive is another option if you need to get up and running right away. After all, restoring the machine is easy, since your organization has up-to-date, comprehensive backups of every critical machine, right?
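The advice above to keep copies of important logs on another machine, and the checklist's concern that evidence on the compromised box not be altered, as an added example that is not from the newsletter or from any vendor it mentions: a hash-chained off-host log replica that goes one step beyond a plain copy, so that edited, deleted or truncated entries can be detected and the replica can be diffed against whatever is left on the suspect host. Host names, addresses and log lines are constructed sample data.

```python
"""Added example, not from the newsletter: a tamper-evident off-host log replica.

The article's advice is to keep copies of important logs on another machine
because an intruder can edit the logs on the box they compromised. This goes
one step further: the remote copy is hash-chained, so an edit, deletion or
truncation of the forwarded stream is detectable, and the replica can be
diffed against whatever is left on the suspect host. Hosts, users, addresses
and log lines below are all constructed sample data.
"""
import hashlib
from typing import Dict, List, Optional, Tuple

GENESIS = "0" * 64  # fixed starting digest for an empty chain

# Constructed, syslog-shaped sample lines (hypothetical host "web01").
SAMPLE_LOG = [
    "Jan 10 02:14:01 web01 sshd[4121]: Accepted password for admin from 10.0.0.7 port 51522",
    "Jan 10 02:14:09 web01 sudo: admin : TTY=pts/0 ; COMMAND=/bin/bash",
    "Jan 10 02:15:33 web01 sshd[4190]: Failed password for root from 198.51.100.23 port 40112",
    "Jan 10 02:15:35 web01 sshd[4190]: Failed password for root from 198.51.100.23 port 40112",
    "Jan 10 02:16:02 web01 useradd[4210]: new user: name=backup2, UID=1005",
]


def chain_hash(prev_digest: str, line: str) -> str:
    """Digest of (previous digest || line): every entry commits to all earlier ones."""
    return hashlib.sha256((prev_digest + "\n" + line).encode("utf-8")).hexdigest()


def build_chain(lines: List[str]) -> List[Tuple[str, str]]:
    """What the log collector stores: each forwarded line paired with its chain digest."""
    prev = GENESIS
    entries = []
    for line in lines:
        prev = chain_hash(prev, line)
        entries.append((line, prev))
    return entries


def verify_chain(entries: List[Tuple[str, str]],
                 expected_last: Optional[str] = None) -> Tuple[bool, int]:
    """Recompute the chain over the stored entries.

    Returns (True, -1) if intact, else (False, index of the first entry whose
    digest no longer matches). If the collector also recorded the most recent
    digest out of band (expected_last), silently dropping trailing entries is
    caught too; the reported index is then len(entries).
    """
    prev = GENESIS
    for i, (line, digest) in enumerate(entries):
        prev = chain_hash(prev, line)
        if prev != digest:
            return False, i
    if expected_last is not None and prev != expected_last:
        return False, len(entries)
    return True, -1


def diff_against_replica(host_lines: List[str],
                         replica: List[Tuple[str, str]]) -> Dict:
    """Compare the log still on the suspect host with the forwarded replica.

    Reports lines the host copy no longer has (scrubbed by an intruder), lines
    that exist only on the host (written after forwarding stopped, or planted),
    and whether the replica's own chain still verifies.
    """
    ok, bad = verify_chain(replica)
    replica_lines = [line for line, _ in replica]
    on_host, on_replica = set(host_lines), set(replica_lines)
    return {
        "replica_intact": ok,
        "first_bad_index": bad,
        "missing_on_host": [l for l in replica_lines if l not in on_host],
        "only_on_host": [l for l in host_lines if l not in on_replica],
    }


if __name__ == "__main__":
    replica = build_chain(SAMPLE_LOG)
    last = replica[-1][1]
    # Constructed scenario: the failed root logins and the new account were
    # scrubbed from the host's local log after the fact.
    scrubbed_host_log = SAMPLE_LOG[:2]
    print(diff_against_replica(scrubbed_host_log, replica))
    # Editing an entry on the collector breaks the chain from that point on...
    tampered = list(replica)
    tampered[2] = (tampered[2][0].replace("Failed", "Accepted"), tampered[2][1])
    print(verify_chain(tampered))           # (False, 2)
    # ...and dropping the tail is caught only if the last digest was kept elsewhere.
    print(verify_chain(replica[:3]))        # (True, -1): a valid prefix
    print(verify_chain(replica[:3], last))  # (False, 3)
```

In practice the collector would append to the chain as lines arrive over the network and publish the latest digest somewhere the collector itself cannot rewrite, which is what makes the tail check meaningful.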

Your next steps depend on whether you want to prosecute, and risk adverse publicity, or keep the incident quiet. Frankly, my advice is to always prosecute. As long as these script kiddies and other bad actors feel there is little chance of getting caught, or, even if caught, little chance of paying for their misdeeds, they’ll keep right on attacking systems. Bringing computer criminals to justice, en masse and in public, will have some deterrent effect. If companies just sweep these problems under the rug, the Internet could become unusable due to the escalation of viruses, worms, and other attacks.

If you decide not to prosecute, it is still in your best interest to catch the crook. Otherwise he (yes, they’re mostly male) may strike again.

If you decide to get law enforcement involved, it may be in your best interest to conduct a thorough investigation first. US Attorney Elizabeth McKibbon said at a recent meeting of the Minneapolis InfraGard chapter that private companies have more leeway in conducting investigations. Once the FBI gets involved, various laws concerning privacy and other civil rights issues come into play. This can be especially true if the perpetrator is a current or ex-employee – and up to 80 percent of cybercrime incidents involve insiders.

Obviously, the best course of action is to prevent the intrusion in the first place. Businesses need to take security seriously, establishing and enforcing stringent security practices, and keeping up to date on the latest software releases and security patches. And please, get rid of the passwords posted on yellow stickies on monitors!

Regardless of your security, you also need to prepare for the worst by establishing a Security Incident Response Team (SIRT) and putting them through training, including incident simulation, like that offered by Anti-Cyber Crime Team Training Services (ACCTTS).

When the unthinkable happens, it pays to be prepared. Concentrate on prevention, but be ready to act in a coordinated, effective, and evidence-preserving manner when security incidents happen. And believe me, no matter how good you are, they will.

Network Fusion

[Note: if you’re getting tired of SNS’ recent emphasis on security, take heart. The next SNS will examine another topic.]

Briefly Noted


  • Thin is In: From the Great Idea; Too Late Department comes an item regarding efforts to shrink the size of the bulky cathode-ray tube that produces images on most television sets and computer monitors. Two IBM scientists have developed an inch-thick CRT. The technology is pretty amazing: “Basically we banged holes in a magnet and fired electrons through the device,” said co-inventor Dr. Andrew R. Knox. Electrons are produced behind the magnet and focused on the screen by the holes in the magnet. Thus, instead of one electron beam that scurries across the screen, illuminating pixels in turn, the new tube provides one electron beam for each pixel. Pretty cool, but doesn’t IBM know about the current flat screen monitors? Unless this invention is lots cheaper than current technology, it could be consigned to the scrap heap of history along with other great ideas like the Studebaker, the Betamax and the Apple Macintosh (boy, I’ll get mail about that one!).
    NY Times (registration required)
  • E Ink in PDAs: I don’t know about you, but I have a hard time reading the screen on my Palm PDA. The contrast sucks, and forget about the backlight mode. Well now digital paper vendor E Ink has teamed up with Royal Philips Electronics to incorporate electronic ink displays into mobile devices. The pair aims to replace the current LCDs by mid-2003. E Ink’s electronic ink is made up of millions of microcapsules. Each microcapsule is filled with positively charged white pigment chips and negatively charged black pigment chips and a clear fluid. Applying a negative charge makes the white pigment chips become visible and a positive charge makes the black pigment chips visible. The ink can be printed onto a sheet of plastic film that is laminated to a layer of circuitry.
  • More Investment in High Tech Planned: The US House Science Committee voted to increase spending on high-tech research by 10 per cent per year over the next five years. They also want to require government agencies to coordinate their research efforts and agreed to allocate $105.7 million to new cyber-security programs in fiscal year 2003, increasing each year to $229 million in fiscal 2007. The new funds would come on top of the roughly $60 million the federal government currently devotes to network security.
    US House of Representatives
  • The DOJ is Watching: The Department of Justice (DOJ) is already using new anti-terrorism powers to monitor cable modem users without obtaining a judge’s permission first. The Mom & Apple Pie, er, USA Patriot Act changed federal law that previously said, “a cable operator shall not disclose personally identifiable information concerning any subscriber.” The law now reads, “A cable operator may disclose such information if the disclosure is … to a government entity.” Michael Chertoff, Assistant Attorney General at the DOJ’s criminal division said that the new abilities have let police obtain information in investigations that was previously unavailable. “We would not have been able to do (this) under prior law without a specific court order.” I’m thinking there was a real good reason why you used to need a court order, but that’s just my opinion, and I could be wrong.
    Wired News
  • Know Your Enemy: PBS is rerunning their show, Hackers, which has been praised as a good look at the psyche of the typical computer adventurer. I haven’t seen it, but you can go to PBS’ Web site and read some truly fascinating transcripts of interviews with these dangerous youngsters.
  • First IPv6 Network: Cisco announced that SURFnet, the national research network organization in the Netherlands, is now delivering native IPv6 Internet service on its broadband network. IPv6 is the next generation network-addressing scheme that removes the limitations imposed by the address space of current IP networks like the Internet. We should never run out of addresses with IPv6, as there are enough of them to assign one to every atom in the universe. IPv6 also promises other advancements like a means to ensure a particular Quality of Service (QoS) for transmissions like audio or video. IPv6 has been a bit of a tough sell due to the expense of converting networks and clients.
  • Sterling on Geeks and Spooks: Science fiction author Bruce Sterling has written some stunning books of near-future prophecy and one non-fiction book, The Hacker Crackdown: Law and Disorder on the Electronic Frontier, about hackers. While no expert on hacking, cracking, and cryptography, Sterling recently addressed the “Global Challenges, Trends and Best Practices in Cryptography” conference at the Information System Security and Education Center in Washington, DC. The text of his speech is available on his Web site, and it makes good reading.
    Viridian Design
  • Global Grid Progress: One way to solve huge computing problems is to link computers together in a federation and split the problem up into little pieces that each can work on. Sun and AVAKI, a P2P (peer-to-peer) startup, have joined forces to improve the interoperability of Sun’s Grid Engine and AVAKI’s solution. Sun claims that its solution is running more than 118,000 computers today, and that more than 12,000 folks have downloaded its software. The company apparently plans to dominate the distributed computing industry, having previously established partnerships with Open Source efforts the Global Grid Forum and Globus. You can find out more about distributed, or hive, computing in CTOMentor’s first white paper, Peer-to-Peer Computing and Business Networks: More Than Meets the Ear, available online.
  • Nokia and DoCoMo Collaborate on 3G Standard: Japan’s NTT DoCoMo and Nokia will cooperate in promoting open mobile architecture for WCDMA-based 3G services in areas such as browsing, messaging and application execution environment. The two companies have agreed on the adoption of XHTML/CSS as the content description language and they will work towards the adoption of Wireless profiled TCP as a wireless transport layer. What this means is that two of the industry’s heavyweights are planning on joining forces to influence the course of so-called 3G, or Third Generation, wireless networks.


StratVantage – The News – 01/08/02

 Software Quality and Cyberterror Threats, Part 4

In the last three SNS issues, I discussed the huge task confronting Richard Clarke, the counter-terrorism expert in charge of the president’s Critical Infrastructure Protection Board, made the assertion that security problems are really software quality problems, and examined some of the reasons why the software industry pays so little attention to these problems. I also took a look at the industry’s response to the rising epidemic of worms and viruses. In this final installment, I consider some current forces militating against software quality and security, and look at two possible future scenarios.

Let’s focus for a moment on potential legal remedies for security bugs. In a perfect world, wouldn’t we make software companies responsible for the quality of their products? This doesn’t seem to be too much to ask. If Firestone makes truck tires that disintegrate, isn’t it natural to hold them accountable? If a software defect allows a virus to cause a billion dollars of damage, shouldn’t the vendor compensate the victims or at least be liable in some way?

When you look at it, there’s really no reason why software should be exempt from the kind of product quality legislation in place for things like tires, washing machines, cars, ladders, airplanes, and pretty much every other thing we buy. But then again, a far worse product, cigarettes, is not held to these standards, and so don’t hold your breath waiting for this level of legal solution.

In fact, things are headed in the exact opposite direction. The States are beginning to adopt a proposed standard body of law that addresses software and other electronic products. It’s called UCITA, the Uniform Computer Information Transactions Act, and it was developed by the National Conference of Commissioners on Uniform State Laws (NCCUSL) in 1999. UCITA was designed to create a uniform commercial contract law for electronic products and attempts to be “a cyberspace commercial statute.” It covers shrink-wrap and click through licenses and gives them further strength as contracts.

UCITA is supported by the Software & Information Industry Association (SIIA), whose 1,200 member companies represent most of the biggest software and content vendors around – AOL Time Warner, Apple Computer, LexisNexis, Nokia, Novell, Oracle, and Sun, for example. (Microsoft is conspicuously absent.) The association’s interest in UCITA is consistent with another of their major initiatives, the SPA Anti-Piracy effort. In 2000, Virginia and Maryland became the first states to adopt UCITA.

In a summary brief on the SIIA site, one of the main advantages of UCITA for the software industry becomes apparent:

UCITA rejects the “perfect tender” rule for commercial licenses. One of the problems with Article 2 [of the Uniform Commercial Code] is that it requires delivery of goods that conform to the contract. Software is recognized as a product that cannot be made perfect and that it almost always will have bugs. The existence of bugs in software could violate the perfect tender requirement under Article 2. UCITA eliminates the perfect tender rule and replaces it with a substantial conformance standard. The perfect tender rule is retained for transactions involving consumers.

What? “Software is recognized as a product that cannot be made perfect”? I’m not ready to agree to that, are you? Yet on the other hand, most products can’t be made perfect. I’m reminded, for example, of the time a printer told me that if I wanted perfect registration (alignment of colors) on a printing job, I’d have to pay more. One could argue that no product can be made perfect, so why is it necessary to grant software a special dispensation to be shoddy?

What’s worse, UCITA’s so-called “self help” provision allows software developers to leave back doors and time bombs in their software as a means to enforce their copyrights or the length of software use. This provision opens such a Pandora’s box of potential security problems that even the framers of UCITA have reversed themselves and are trying to address this brain-dead provision. Yet another provision, the “automatic restraint” provision, also authorizes back doors and time bombs, with even fewer restraints than the self help provision.

The problems with UCITA also include the prevention of vendor liability, even through gross negligence, for security vulnerabilities, and an implied prohibition against reverse engineering of any kind. Even worse, UCITA applies to content delivered through software as well. Imagine being prohibited from disparaging a movie review you read on AOL, or even from quoting from it.

Free software advocate Richard Stallman sums up this disaster of a law thusly:

We generally believe that big companies ought to be held to a strict standard of liability to their customers, because they can afford it and because it will keep them honest. On the other hand, individuals, amateurs, and good samaritans should be treated more favorably. UCITA does exactly the opposite. It makes individuals, amateurs, and good samaritans liable, but not big companies.

Is this the kind of future we want, one in which software vendors face no real incentive to deliver bug-free, secure software, one in which software gets less and less reliable, one in which researchers who currently point out software flaws are muzzled and arrested?

In that future, software quality will continue to decline. After all, the law says it can’t be perfected, so why try? In that future, the network will be overrun by überworms that make the Code Red worm and other recent malware look like a walk in the park in comparison. In that future, the jails will overflow with legitimate and illegitimate software researchers, script kiddies and superhackers, and penniless college students who ripped off music they couldn’t have afforded to buy anyway. But, hey, it’s not all bad. Software and content vendors will prosper. We’ll just have to be happy with what they give us.

Can we afford such a future in the post-9/11 world? Do you want critical infrastructure systems full of security flaws just waiting for terrorists to exploit them? Do you want the mission critical systems of your organization running on software created by corporations that have no liability for errors? Are we going to acquiesce and allow bad laws like DMCA and UCITA to tilt the playing field overwhelmingly in the direction of large software corporations?

Or are we going to recognize that software quality is a matter of national security? Are we going to regard as unpatriotic any software vendor that does not make security its highest priority? Are we going to fight for our right to fair and reasonable use, including the ability to analyze software to determine its quality and security?

The choice is ours. It’s an enormous choice, yet most people aren’t aware of the issues. You can help by forwarding this series of articles (part 1, part 2, part 3, part 4) to decision-makers you know, or by pointing them to the work of Bruce Schneier, Richard Stallman, the Electronic Frontier Foundation, or virtually any other security expert around. You can also support the work of the 26 state Attorneys General and others that oppose UCITA.

Briefly Noted

  • Shameless Self-Promotion Dept.: StratVantage has launched a new service, CTOMentor™, designed to allow Chief Technology Officers and other technical leaders to get rid of the Guilt Stack, that pile of magazines you’ll get around to reading someday. CTOMentor is a subscription advisory service tailored to customers’ industry and personal information needs. Four times a year CTOMentor provides a four-hour briefing for subscribers and their staffs on the most important emerging technology trends that could affect their businesses. As part of the service, subscribers also get a weekly email newsletter, Just the Right Stuff™, containing links to the Top 10 Must Read articles needed to stay current. These and other CTOMentor services will let you Your Inbox™.

    As part of its launch, CTOMentor is offering a two part white paper on peer-to-peer technology: Peer-to-Peer Computing and Business Networks: More Than Meets the Ear. Part 1, What is P2P?, is available for free on the CTOMentor Web site. Part 2, How Are Businesses Using P2P?, is available for $50.

  • Wireless Security Fixed: As previously reported in SNS, the Wired Equivalent Privacy (WEP) standard built into 802.11b wireless LANs is a joke. So RSA Security and Hifn have developed a technology called “fast packet keying” and announced that their solution has been accepted by the IEEE standards body. The technology generates a unique RC4 key for each data packet sent over the wireless LAN. Geez, it better be fast if it’s going to do that! RSA says the solution can be distributed as a software or firmware patch by wireless LAN vendors, allowing their customers to quickly update the existing vulnerable equipment. Thanks to Alert SNS Reader David Dabbs for the pointer.
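    To make the difference concrete, here is an added illustration (not code from the newsletter, RSA or Hifn) of why WEP’s keying is weak and what per-packet keying buys you. WEP builds each packet’s RC4 key by simply gluing a 24-bit cleartext IV onto the shared secret, so every packet key carries the secret verbatim. The mixing function below (a hash over IV and secret) is an assumed stand-in for the actual fast packet keying algorithm, which the item does not describe; it shows the property that matters: packet keys no longer share bytes with each other or with the secret. The block also shows the part no keying scheme fixes, namely that reusing an IV reuses keystream, and ends with a small defender-side check that flags repeated IVs in a constructed capture.

```python
import hashlib
from typing import Dict, List, Tuple


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (key scheduling plus keystream generation), the cipher WEP drives."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def wep_packet_key(iv: bytes, secret: bytes) -> bytes:
    """WEP's per-packet RC4 key: the 24-bit IV (sent in the clear) followed by the shared secret."""
    if len(iv) != 3:
        raise ValueError("WEP IVs are 24 bits")
    return iv + secret


def mixed_packet_key(iv: bytes, secret: bytes) -> bytes:
    """Per-packet key obtained by mixing IV and secret through a hash.
    ASSUMPTION: an illustrative stand-in, not the RSA/Hifn fast packet keying function."""
    return hashlib.sha256(b"per-packet-key" + iv + secret).digest()[:16]


def shared_key_bytes(k1: bytes, k2: bytes) -> int:
    """Positions at which two packet keys carry the same byte: a crude related-key measure."""
    return sum(1 for a, b in zip(k1, k2) if a == b)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def keystream_reuse_leak(key: bytes, p1: bytes, p2: bytes) -> bool:
    """True when two plaintexts under one packet key satisfy C1 XOR C2 == P1 XOR P2.
    This holds for any stream cipher, so IV uniqueness matters under every keying scheme."""
    c1, c2 = rc4(key, p1), rc4(key, p2)
    return xor(c1, c2) == xor(p1, p2)


def iv_reuse_report(frames: List[Tuple[bytes, bytes]]) -> List[bytes]:
    """Defender's check over captured (iv, ciphertext) pairs: IVs seen more than once."""
    seen: Dict[bytes, int] = {}
    for iv, _ in frames:
        seen[iv] = seen.get(iv, 0) + 1
    return [iv for iv, n in seen.items() if n > 1]


# Constructed sample values, not real keys or traffic.
SECRET = bytes.fromhex("0102030405060708090a0b0c0d")   # 104-bit WEP-style secret
IV_A, IV_B = b"\x01\x02\x03", b"\x10\x20\x30"
SAMPLE_FRAMES = [
    (b"\x00\x00\x01", rc4(wep_packet_key(b"\x00\x00\x01", SECRET), b"hello")),
    (b"\x00\x00\x02", rc4(wep_packet_key(b"\x00\x00\x02", SECRET), b"world")),
    (b"\x00\x00\x01", rc4(wep_packet_key(b"\x00\x00\x01", SECRET), b"again")),  # IV repeated
]

if __name__ == "__main__":
    wep_a, wep_b = wep_packet_key(IV_A, SECRET), wep_packet_key(IV_B, SECRET)
    mix_a, mix_b = mixed_packet_key(IV_A, SECRET), mixed_packet_key(IV_B, SECRET)
    print("WEP keys share", shared_key_bytes(wep_a, wep_b), "of", len(wep_a), "bytes")
    print("mixed keys share", shared_key_bytes(mix_a, mix_b), "of", len(mix_a), "bytes")
    print("keystream reuse leaks P1^P2:", keystream_reuse_leak(mix_a, b"hello", b"world"))
    print("repeated IVs in capture:", [iv.hex() for iv in iv_reuse_report(SAMPLE_FRAMES)])
```

    The two numbers printed first are the point: with WEP every packet key is identical except for the three IV bytes, whereas the mixed keys differ almost everywhere. The last two lines are the caveat a wireless administrator should keep in mind: per-packet keying does nothing for a station that repeats IVs, so a capture with duplicate IVs is worth alerting on even after the patch is applied.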
  • Another Bad Trademark Granted: Well, now I’m going to try to trademark the word “the.” If there’s a more brain-dead section of government than the US Patents and Trademarks Office, I’d like to see it. Now there’s a legal battle being waged over who has the right to use the word “Entrepreneur.” Everyone who uses this word is now subject to a lawsuit from the media group that publishes Entrepreneur Magazine. Minnesota Entrepreneurs President Ed Palmer notes the irony of the situation. “Yes, I know — how could this be? An organization that purports to support entrepreneurs sues entrepreneurs? Quite perverse, yet true. By the way, long before this trademark was filed for, The Minnesota Entrepreneurs were engaged in using the name. What’s up with this trademark?”
    MN Entrepreneurs
  • Spin Doctors*: The California NanoSystems Institute, a joint effort of The University of California at Los Angeles and University of California at Santa Barbara, recently reported that it can now electronically control the “spin” of an electron. This breakthrough could mean extremely fast, dense, low heat electronics, since changing the spin takes an infinitesimal amount of energy compared to moving the charge in a wire back and forth, according to the company.
    (*That headline was inevitable, wasn’t it?)
    Small Times