Tuesday, April 29, 2008

Microsoft Botnet-hunting Tool Helps Bust Hackers

Botnet fighters have another tool in their arsenal, thanks to Microsoft.

The software vendor is giving law enforcers access to a special tool that keeps tabs on botnets, using data compiled from the 450 million computer users who have installed the Malicious Software Removal tool that ships with Windows.

Although Microsoft is reluctant to give out details on its botnet buster -- the company said that even revealing its name could give cyber criminals a clue on how to thwart it -- company executives discussed it at a closed door conference held for law enforcement professionals Monday. The tool includes data and software that helps law enforcers get a better picture of the data being provided by Microsoft's users, said Tim Cranton, associate general counsel with Microsoft's World Wide Internet Safety Programs. "I think of it ... as botnet intelligence," he said.

Microsoft security experts analyze samples of malicious code to capture a snapshot of what is happening on the botnet network, which can then be used by law enforcers, Cranton said. "They can actually get into the software code and say, 'Here's information on how it's being controlled.'"

Botnets are networks of hacked computers that can be used, almost like a supercomputer, to send spam or attack servers on the Internet. They have been on Microsoft's radar for about four years, ever since the company identified them as a significant emerging threat. In fact, the software vendor has held seven closed-door botnet conferences for law enforcement officials over the years, including an inaugural event in Lyon, France, hosted by Interpol, Cranton said.

Microsoft had not previously talked about its botnet tool, but it turns out that it was used by police in Canada to make a high-profile bust earlier this year.

In February, the Sûreté du Québec used Microsoft's botnet-buster to break up a network that had infected nearly 500,000 computers in 110 countries, according to Captain Frederick Gaudreau, who heads up the provincial police force's cybercrime unit.

The case illustrates how useful Microsoft's software and data can be.

After monitoring hacker chat rooms and interviewing sources, Quebec police had suspects in their case. But what they didn't have was a clear link showing who was actually controlling the botnets. Because botnets usually get their instructions from other hacked computers, it can be hard to connect the dots in a case like this. "We knew that those people were really active and what we needed to really charge them was to do deeper intelligence, and to know how they were using those botnets," he said.

Sûreté du Québec officers had heard about Microsoft's tool at a 2006 Microsoft law enforcement conference. A few months later, they decided to give it a try.

Analysis by Microsoft's software allowed investigators to identify which IP address was being used to operate the botnet, Gaudreau said. And that cracked the case.

Building up this kind of case sometimes can involve staying on top of network traffic and malicious software over a long period of time, said Paul Ferguson, a network architect with anti-virus vendor Trend Micro who works with law enforcement on similar cases.

This is an area where companies can really help out with criminal investigations, he added. "We need to see a lot more cooperation between law enforcement and private industry," Ferguson said. "Law enforcement is ill-equipped to handle the global scale and the sheer volume of the threats."

According to Gaudreau, he'd still be stalking his botnet hackers if not for Microsoft. "If we hadn't had that tool it would have maybe taken two years more to do the investigation," he said.

Monday, April 28, 2008

Make Sure That General E-Mail Gets Answered

How does your business handle general and sales query e-mail? In many organizations these messages go to a shared e-mail account, such as info@yourdomain.com. Answering them may be the responsibility of any one of several company reps.

But how do you ensure that your company promptly handles all queries sent to a shared e-mail address? In today's fast-paced business world, letting an e-mail sit too long unanswered can spell the difference between winning a sales order and losing it. And how do you prevent multiple employees from wasting their time (and giving the customer a bad impression of your business's processes) by answering the same query?

Email Center Pro (ECP) can help. It's a new Web-based service for sharing e-mail messages among coworkers, who may add comments to messages and use templates or collaborate to produce timely responses.

Depending on how you set up the system, sharing messages may have privacy implications. And ECP is not designed to replace your business e-mail; it works with your existing service to ensure that your staff doesn't drop the ball in its electronic correspondence.

You can evaluate ECP using a free, advertising-supported plan. Paid plans start at $19 per month.

Using Email Center Pro

You can sign up for an ECP account online--and create one or more mailboxes--in just a couple of minutes. ECP recommends that you channel mail to the service by setting up POP retrieval from a specific mailbox (for example, sales@yourdomain.com); but if you prefer, you can forward mail as it comes in, or simply give out your ECP mailbox address (though this will produce a clunkier-looking address--something like sales@yourdomain.emailcenterpro.com).

You can use the service for private accounts, of course, but doing so will render that individual's e-mail no longer private. Still, when employees take ill or go on vacation or maternity leave, using ECP to handle their accounts (perhaps by temporarily forwarding their messages to ECP) can help coworkers pick up the slack on e-mail that would otherwise languish until the absent employees returned.

After logging in to ECP's online service, you can view and search all e-mail messages in the covered accounts, amounting to a history of customer communication. Also, to create a more complete record, you can forward older messages and pertinent messages from individual accounts not handled by the service.

ECP uses SpamAssassin as an antispam filter. Incoming spam does not count against the service's rather tight monthly e-mail message quotas.

[Screenshot: Email Center Pro]

A drop-down menu lets you assign a new message to a specific person for follow-up. You can also arrange to send new message notifications, and you can track responses to see how long an e-mail has gone unanswered--or append notes to an e-mail thread with a customer, to share information with your team.

The built-in editor permits you to create custom message templates, reducing the time required to craft a custom response and introducing a degree of consistency in your company's answers.

Smart folders let you organize your e-mail by filtering criteria you specify--such as by message subject or e-mail assigned to you for a response. These folders make it easier for you to view the messages you consider most important.

Is Email Center Pro Right for You?

ECP grew out of a need by business planning software developer Palo Alto Software to better manage its own e-mail. The company says that because ECP uses the Amazon Web Services infrastructure, it possesses the same level of reliability as the Amazon.com store.

A free plan, supported by ads in e-mail footers, provides 1GB of storage, accepts 250 nonspam e-mail messages per month, and accommodates five users and two mailboxes. Ad-free paid plans start at $19 per month for 5GB storage, 2500 e-mail messages monthly, unlimited users, and five mailboxes; these plans also include a service for backing up your data.

The most expensive plan costs $149 per month for 30GB of storage, 15,000 e-mail messages monthly, secure SSL communication, and unlimited users and mailboxes.

ECP isn't the only way to manage shared e-mail. I discussed a less elegant (and less expensive) strategy in a previous column. A help-desk ticketing system, such as Cerberus Helpdesk, is another option. However, ECP is easy to use and simple to set up alongside your existing e-mail system.

Identity Theft Goes Corporate

Do you know where your personal and corporate identity information resides or may be lurking? According to two Canadian security experts, personal and corporate identity theft is quickly becoming commonplace in the market and more vigilance and formal corporate policies are needed in order to help combat this issue.

According to Claudiu Popa, president of Toronto-based Informatica Corp., a consulting firm that specializes in privacy compliance and security, someone's identity is perhaps the most valuable thing that can be stolen.

"Thieves have a lot of options since they can use someone's identity time and time again," Popa said. "As a criminal, applications for credit cards and mortgages can be made by assuming someone else's identity and by stealing things like social insurance numbers, passports and credit cards."

Popa points out that the issue is not so much that sensitive information is stolen, although he says that does happen, but rather that in some cases users unknowingly give it out themselves.

"Phishing has become a successful practice because thieves ask for someone else's information which they can then use to impersonate them," Popa explains. "They'll send out forged e-mails impersonating banks and will ask unsuspecting users to fill out forms in detail with their personal information. The issues nowadays are evolving because everyone's trying to exploit new niches so we should all be aware of the dangers," he adds.

Popa also highlights corporate identity theft, which he says is on the rise. Security software on its own is often hard to blame for an identity theft within a business, he says, because sometimes it is the administrative staff who leak important business information or records.

Describing users as both the strongest and weakest links within a business, Popa said that relying on security technology and software will only get one so far when it comes to protecting assets. He says it's easy for a thief to obtain any information they need just by stealing an organization's domain name and re-routing all traffic to another Web site, from which they can access the desired files and information.

David Senf, director of research, security and infrastructure software at IDC Canada, said the problem of identity theft also occurs at the business level, since the majority of businesses, he said, do not have formal policies in place for their employees.

"Starting from a top down perspective," Senf advises, "businesses need to look at their data from a risk perspective and see where they should be prioritizing the areas that are of the greatest risk. Firms can do things such as put policies in place that state what can be sent out or saved to a machine and around things like controlling who has access to the data. Getting employees to follow a policy and getting them to take security seriously is something that everyone needs to be looking at."

In addition, Popa says that when business and personal information is given out over the Internet, privileged information should only be shared on a need-to-know basis.

Senf also says it's common for organization information to be leaked when devices such as company laptops are lost. Sensitive customer information is often stored on the notebook hard drive, easily enabling hackers to gain access to the information. From there hackers can do whatever they like with it if it's not encrypted. Symantec's most recent Internet Security Threat Report (ISTR), Volume XIII, covering the six-month period from July 1 to December 31, 2007, found that theft or loss of a computer or other data-storage device accounted for 57 percent of data breaches that could have led to identity theft.

"Web applications, e-mail applications and the network are the really big areas through which data can be lost," Senf said. "Companies need to make sure they're securing end-points to help prevent data from being leaked."

Senf said for Canadian channel partners, a wealth of opportunities are available for those working in this space.

"Channel partners can help firms define policies for sensitive data because not a lot of them have these in place," Senf said. "There are opportunities for partners to find and help train firms to become aware and vigilant with these policies. Vulnerability, security, identity and event management are also areas that can help an organization understand what's going on because they can help provide visibility within their network."

As found by Phone Busters, a Canadian anti-fraud call center associated with the Government of Canada and the RCMP, between January 1 and December 31, 2007, over C$6 million (US$5.9 million) in losses were reported by Canadians linked to identity fraud.

Ram Manchi, president of AGMA (Alliance for Gray Market and Counterfeit Abatement), a non-profit organization based in Fremont, Calif., that works to educate and raise awareness around the issues of IT counterfeiting and the gray market, said that in the gray market, hackers who do bulk purchasing can obtain user IDs and passwords for as little as 50 cents to $1. Furthermore, Symantec's ISTR stated that full identities, when purchased in larger volumes, often ranged anywhere from $1 to $15.

Senf and Manchi both said businesses also need to establish and invest in more control and maintenance when it comes to securing their company infrastructure.

"The key is control, authentication and verification," Manchi explains, "these things have to be constantly monitored and procedures also need to be in place in the company's back-end to make sure authentication and encryption is being done as needed."

Mark Lorne, general manager of technology at retailer Grand & Toy, said for businesses and personal use, encrypted USB keys are best suited for storing personal and important information. These portable devices, he advises users, should already have security features built in such as file and data encryption.

He also warns that identity thieves may also be a lot closer to home than we think.

"When people think about identity theft and security, they tend to imagine an identity thief as someone far away," Lorne said. "They forget about the person sitting right beside them. A business person updating a proposal on a plane trip, for example, should be aware that the notebook's screen is visible to (those) sitting on either side, or across the aisle," he added.

In this case, he suggests travelers invest in products such as notebook privacy screens, which are portable privacy filters that fit directly over top of a notebook screen to provide visibility only to the user who's sitting directly in front of the display.

For personal and businesses, Lorne also suggests an investment in a paper shredder to ensure information is not being lost and/or stolen.

"Putting a piece of paper in the recycle bin doesn't mean that the valuable information printed on it is...gone," Lorne said. "Anyone combing through waste can find it. Grand & Toy offers a complete line of paper shredders for personal...or communal areas. (To protect both their personal and corporate data, users) should shred all personal and confidential documents," he adds.

Friday, April 25, 2008

Microsoft-Yahoo: Deal or No Deal?

Three weeks ago, Microsoft Corp. CEO Steve Ballmer threatened to launch a hostile takeover if Yahoo Inc.'s board did not accept its US$44.6 billion takeover bid.

Now, however, Microsoft seems to have backed away from its tough talking and said it's prepared to withdraw its offer to buy Yahoo if there is no progress by this weekend. "As we said recently to the board, unless there's progress by this weekend, we will reconsider our alternatives," said Chris Liddell, Microsoft's chief financial officer, in a conference call yesterday to discuss the company's financial results.

Yahoo did not respond to a request for comment about the deadline, but the company has said it would consider Microsoft's offer if the software giant upped the ante, which is unlikely to happen. Microsoft declined to comment for this story.

"Although Microsoft could live without Yahoo, its perception is that acquiring Yahoo would put it in a much better position to compete against Google," said Keith Hylton, a professor at the Boston University School of Law. "So while they could live without Yahoo, it's an asset they think is pretty valuable."

Still Serious

While Microsoft is backpedaling a bit on its threat to take its case directly to Yahoo's shareholders, Hylton said it's his guess that Microsoft is serious about acquiring Yahoo as soon as possible and, if all else fails, every option is on the table, including a hostile takeover.

"I don't think this is something they're just going to walk away from at this stage, although there may be a stage where they walk away, like if the takeover takes too long or if there are regulatory obstacles that stand in the way," Hylton said.

On the other hand, Rob Enderle, principal analyst at Enderle Group in San Jose, said it looks like Microsoft is positioning itself to walk away instead of initiating a hostile takeover.

"The rhetoric that is coming out, especially from their CFO, says he is on the side that says we walk away from this, and the CFO gets a significant vote," Enderle said. "And clearly if you look at the internal support for this, it has dwindled within Microsoft by quite a bit, so I think at this point they're likely to walk away."

In addition, Enderle said Microsoft's latest financial results weren't where they needed to be to make this kind of acquisition.

"The design of the bid that Microsoft put forward, as high as it was, was so it would happen quickly," Enderle said. "A hostile [takeover] would be a long, drawn out, proxy fight and antithetical to what Microsoft wanted to accomplish."

He added that it doesn't make sense for Microsoft to drag Yahoo kicking and screaming into its company. "It's just not a good practice, even in a recessionary year, and I think Microsoft is starting to step back and say it thinks there are other things it can do that are looking more attractive," he said.

If there is no deal, Enderle said the market would "reward" Microsoft for stepping away. "Microsoft's stock dropped dramatically on announcement of this deal, and I think that the market would reward Microsoft for walking away and reward them sharply," he said.

Yahoo Perspective

However, the prospects wouldn't be so rosy for Yahoo.

"Yahoo craters," Enderle said. "Its stock was largely supported by the bid. The market was trading its shares substantially lower before the acquisition attempt and the market would clearly punish Yahoo for walking away. And I also think the possibility of stockholder lawsuits against Yahoo would be very high."

Marc Edelman, a law professor at New York Law School and a former antitrust lawyer, said there are a number of steps Yahoo could take at this point.

"Yahoo could accept Microsoft's bid; attempt to operate independently; continue its recently announced joint venture with Google, hoping it's not found to violate any antitrust laws; accept a bid from someone else, if there is really one out there; or ask Microsoft to extend its deadline."

Microsoft Walks?

Edelman also said there was a strong possibility that Microsoft could walk away from the deal.

He said the fact that Microsoft missed its earnings estimate could mean a few things. It could mean the company needs the merger to start pushing its earnings forward and might indicate that Microsoft would increase its bid. It could also mean that Microsoft expects to have less free cash and won't attempt a takeover bid. Or, he said, it could mean that Microsoft has its own internal issues to handle and adding Yahoo on top of that would complicate matters further. In that case, he said, Microsoft would probably just drop the deal.

"Yahoo is a big loser if a deal does not take place with anybody," Edelman said. "Even though Yahoo slightly beat estimates this past quarter, it has been a troubled company for some time and there is no indication in its past earnings reports that it has passed the hump and turned things around. And Yahoo really does need a partner to maintain strength against Google."

If a deal doesn't go through, Edelman predicts that Microsoft would file an antitrust lawsuit against Google and Yahoo if they try to continue their advertising relationship.

But Edelman cautioned that while Google could probably withstand the economic impact of such a lawsuit, Yahoo could not.

"If Yahoo really needs to turn the financial corner, the last thing Yahoo needs is to get sued by Microsoft," he said. "Such a lawsuit will lead to one of two things: additional expenses for Yahoo, or it will cause Yahoo to abandon its temporary relationship with Google, which will put Yahoo right back where it was a few weeks ago where it seemed to an outsider that no doubt Yahoo needed the Microsoft deal."

Security Vendors Slam Defcon Virus Contest

There will be a new contest at the Defcon hacker conference this August, one that antivirus vendors already hate.

Called Race-to-Zero, the contest will invite Defcon hackers to find new ways of beating antivirus software. Contestants will get some sample virus code that they must modify and try to sneak past the antivirus products.

Awards will be given for "Most elegant obfuscation," "Dirtiest hack of an obfuscation," "Comedy value" and "Most deserving of beer," contest organizers say.

The contest was announced Friday. Security vendors began panning it immediately, saying it will simply help the bad guys learn some new tricks.

"It will do more harm than good," said Paul Ferguson, a researcher with antivirus vendor TrendMicro. "Responsible disclosure is one thing, but now actually encouraging people to do this as a contest is a little over the top."

Some compared the contest to a controversial 2006 Consumer Reports review of antivirus software. In that article, the magazine created 5,500 new virus samples, based on existing malware, and was roundly criticized by antivirus vendors for contributing to the rapidly expanding list of known malware.

Security companies are already having a hard time keeping up with the torrent of new malware.

With antivirus vendors already processing some 30,000 samples each day, there's no need for any more samples, said Roger Thompson, chief research officer with antivirus vendor AVG Technologies. "It's hard to see an upside for encouraging people to write more viruses," he said via instant message. "It's a dumb idea."

Contest organizers say that they're trying to help computer users understand just how much effort is required to skirt antivirus products. "The point behind the contest is to illustrate that antivirus alone is not a complete defense against malware," said one of the contest's organizers, who identified himself only as "Rich," in an e-mail message.

The Race-to-Zero sponsors hope to present the contest results during Defcon, Rich said.

The contest is not organized by Defcon, but is one of the unofficial events that the show's organizers have encouraged attendees to arrange.

Defcon runs Aug. 8 to Aug. 10 at the Riviera Hotel & Casino in Las Vegas.

Huge Web Hack Attack Infects 500,000 Pages

Attacks on legitimate Web domains, including some belonging to the United Nations, that began earlier this week have expanded dramatically, security researchers said Friday, with hundreds of thousands of pages now hacked.

One anti-virus vendor said the sites might have been compromised through a "security issue" in Microsoft's Web server software that has been reported to Microsoft's engineers.

On Wednesday, several security companies, including California-based Websense, said large numbers of legitimate sites, including URLs for the U.N., had been hacked and were serving up malware. These latest site compromises were only the most recent SQL injection attacks, however; similar attacks have been launched since the first of the year, and were last detected in large numbers in March.

Earlier in the week, Dan Hubbard, Websense's vice president of security research, estimated the number of hacked sites in the low six figures. By today, that number had soared as firms such as Panda Security pegged the number at 282,000, and F-Secure said its infected-page count was above half a million.

Ryan Sherstobitoff, a corporate evangelist for Panda, said his company had reported a problem with Internet Information Services (IIS) to Microsoft that was probably responsible for the hacks. "We reported a security issue, but I don't have any specific details on whether it's a vulnerability," Sherstobitoff said.

"It's not like this is a brand-new problem," he said, referring to legitimate site compromises. "But Microsoft has already issued a security advisory that said they are investigating public reports of problems with IIS. This seems to be related to that advisory."

That advisory was published April 17, and warned users of a bug in most versions of Windows that could be exploited through custom Web applications running in IIS. It could also be exploited via SQL Server, Microsoft said.

On Friday, Microsoft said it did not know whether the ongoing site attacks were linked to the bug described in the April 17 advisory. "We have not yet determined whether or not these reports are related to Microsoft Security Advisory 951306 released last week," a company spokesman said in an e-mail.

Microsoft also contested Panda's claim that it had reported a problem. "Microsoft is currently aware of and is reviewing reports regarding public claims of attacks on IIS Web servers," said Bill Sisk, a communications manager who works in the Microsoft Security Response Center. "While we have not been contacted directly regarding these reports, we will continue to monitor all reports either publicly shared or responsibly disclosed and investigate once sufficient details are provided."

How It Works

Although it may not be clear how attackers are compromising such large numbers of Web sites, what happens after a site is infected is well-understood, researchers have said. When a visitor reaches one of the hacked sites, malicious JavaScript loads an IFRAME from a malware-hosting server; the IFRAME redirects the browser to a different page, also hosted on the hacker's server.

Next, a multiple-strike attack kit is downloaded to the visitor's PC. The kit tries eight different exploits, and if it finds one that works, hijacks the system.

These kinds of attacks, said Sherstobitoff, essentially make the idea of a "trusted site" moot. "You used to know that if you walked down the dark streets of the Web, you would be infected. Today, you really can't tell what the dark streets are."

The hacker strategy, of course, is to leverage that uncertainty. "This is getting really bad," Sherstobitoff said.

It's so bad, in fact, that while security companies urged Web site administrators to check their server logs for evidence of a compromise, and told corporate security staffs to block several malware-hosting sites at their companies' perimeters, they didn't have much useful advice for end-users.
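The two defender-side checks the article alludes to, looking through server logs for signs of the SQL injection used to compromise the sites and looking at served pages for the injected script and IFRAME described under "How It Works", can be scripted. The example below is added here and is not code from the article or from any of the vendors it quotes. It assumes IIS W3C extended log lines with a `#Fields:` header and a small, illustrative set of SQL injection indicators (constructed for the example, not a complete ruleset); all sample log lines and HTML are constructed, and the hostnames in them are placeholders.

```python
"""Triage helpers for a mass Web-page compromise (added example, not the article's code).

1. find_suspicious_requests(): scan IIS W3C log text for SQL-injection indicators
   in the decoded query string.
2. find_injected_includes(): scan served HTML for <script>/<iframe> includes that
   point off-site, or zero-size IFRAMEs, the pattern described in "How It Works".
Both are triage aids that surface candidates for a human to confirm, not proof.
"""
import re
from urllib.parse import unquote_plus, urlparse

# Constructed sample log in IIS W3C extended format (assumption: these seven fields).
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2008-04-25 10:01:02 203.0.113.5 GET /news.asp id=42 200
2008-04-25 10:01:09 203.0.113.5 GET /news.asp id=42;DECLARE+@s+varchar(4000);EXEC(@s);-- 200
2008-04-25 10:02:17 198.51.100.7 GET /news.asp id=7'+OR+'1'='1 200
2008-04-25 10:03:00 192.0.2.9 GET /about.asp - 200
"""

# Constructed sample page: one legitimate script, one off-site script, one hidden
# off-site IFRAME, one legitimate on-site IFRAME.
SAMPLE_HTML = """<html><head><title>Press Releases</title>
<script src="/js/site.js"></script>
<script src="http://malware-host.example/x.js"></script>
</head><body>
<p>Legitimate content.</p>
<iframe src="http://malware-host.example/page.html" width="0" height="0"></iframe>
<iframe src="http://www.example.org/embed.html" width="300" height="200"></iframe>
</body></html>"""

# Illustrative indicator set (assumption). Plain-word hits such as "exec" in a
# product search can be false positives, which is why results are for review.
SQLI_INDICATORS = [
    ("sql-keyword", re.compile(r"\b(declare|exec|cast|union\s+select)\b", re.I)),
    ("quote-or", re.compile(r"'\s*or\s*'", re.I)),
    ("comment", re.compile(r";\s*--")),
]


def parse_w3c_log(text):
    """Parse W3C extended log text into dicts keyed by the #Fields: header names."""
    fields, rows = None, []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#") or fields is None:
            continue
        values = line.split()
        if len(values) != len(fields):
            continue  # malformed line: skip rather than misalign the columns
        rows.append(dict(zip(fields, values)))
    return rows


def find_suspicious_requests(log_text):
    """Return rows whose URL-decoded query string matches at least one indicator."""
    hits = []
    for row in parse_w3c_log(log_text):
        query = row.get("cs-uri-query", "-")
        if query == "-":
            continue
        decoded = unquote_plus(query)  # payloads are normally URL/plus-encoded in logs
        matched = [name for name, rx in SQLI_INDICATORS if rx.search(decoded)]
        if matched:
            hits.append({"ip": row["c-ip"], "uri": row["cs-uri-stem"],
                         "query": decoded, "indicators": matched})
    return hits


TAG_RX = re.compile(r"<(script|iframe)\b([^>]*)>", re.I)
ATTR_RX = re.compile(r"""(\w+)\s*=\s*["']?([^"'\s>]+)""")


def find_injected_includes(html, site_host):
    """Flag <script>/<iframe> tags whose src is off-site, and zero-size IFRAMEs."""
    findings = []
    for m in TAG_RX.finditer(html):
        tag = m.group(1).lower()
        attrs = {k.lower(): v for k, v in ATTR_RX.findall(m.group(2))}
        src = attrs.get("src")
        if src is None:
            continue
        host = urlparse(src).hostname  # None for relative (same-site) paths
        reasons = []
        if host and host.lower() != site_host.lower():
            reasons.append("off-site src")
        if tag == "iframe" and (attrs.get("width") == "0" or attrs.get("height") == "0"):
            reasons.append("zero-size iframe")
        if reasons:
            findings.append({"tag": tag, "src": src, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for hit in find_suspicious_requests(SAMPLE_LOG):
        print("log:", hit)
    for finding in find_injected_includes(SAMPLE_HTML, "www.example.org"):
        print("page:", finding)
```

Run as a script, the log scan reports the two requests carrying SQL keywords or a quote-OR clause and the page scan reports the off-site script and the hidden off-site IFRAME, while the site's own script and IFRAME pass. On a real server the log text would come from the IIS log directory and `site_host` would be the site's own hostname (plus any legitimate CDN hosts, which the allow check would need to include).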

"Users should be extremely wary when visiting sites, even those typically trusted," was about all Symantec could come up with in an alert to customers of its DeepSight threat notification service.

Disabling JavaScript can also protect against such attacks, Symantec added. Users, however, are often reluctant to switch off JavaScript because without it, many sites are crippled or won't display properly.

Dell to Offer Windows XP Beyond June 30 Cutoff

InfoWorld confirms that Dell will sell and support Windows XP to consumers beyond the June 30 Microsoft sales cutoff date that Microsoft reaffirmed today, after comments from CEO Steve Ballmer yesterday seemingly indicated it might reconsider that decision.

Dell will take advantage of a licensing option in Vista Business and Vista Ultimate that lets PC makers provide XP under the Vista license, which Microsoft calls a "downgrade" license. (Enterprises with site licenses have these same rights with any version of Vista.) In essence, the user is buying a Vista license that it can apply to XP, and Microsoft can still claim a Vista sale.

Dell will preinstall XP Professional as a "downgrade" on a variety of desktop PCs and laptops, a spokesperson said, saving users the hassle of doing it themselves. The computers available with the XP option will include the Windows Vista installation DVD in the box so users can later install Vista over XP under the same license if they wish.

The "downgrade" program is available as an option on some Dell Latitude, OptiPlex, and Dell Precision systems at no charge. It's also available as an option on some Vostro and Dell XPS gaming systems for a small fee; these systems are targeted mainly at small business users and consumers.

A Dell spokesperson said this program will be supported as long as Microsoft supports the "downgrade" program.

Although Dell will ship a resource DVD that includes XP and Vista drivers for included peripherals, it's unclear whether Dell will ship XP drivers for all the available options. For example, a Vostro 200 desktop today available with a choice of Windows XP and Windows Vista has an option for a wireless card that will not work under XP.

Thursday, April 24, 2008

Web 2.0: Offline Access to Web Apps Is Trend

Offline access to Web applications is becoming an important trend, with Adobe and Google looking to make the most of this new direction.

Representatives of the two companies touted offline access technologies during a presentation at the Web 2.0 Expo conference in San Francisco on Wednesday. Adobe provides its Adobe AIR (Adobe Integrated Runtime) software for this space, while Google is working on its Google Gears technology.

"Really, what it's about is developer choice," said Ryan Stewart, Adobe platform evangelist. Previously, the Web was limited to the browser, but now it is expanding, Stewart said. He cited several examples of new trends in Web technologies, including Prism, that bring Web applications to the desktop in a similar manner to Adobe.

"The creativity for development pretty much went to the browser," because it was cross-platform and easy to develop for, Stewart said. The browser helped foster development of exciting applications.

"Adobe AIR wants to bring some of that to the desktop," said Stewart. The company wants to take the best of the Web and offer more functionality beyond browser limitations, he said.

AIR users can take advantage of resources on their local machine; also, AJAX (Asynchronous JavaScript and XML) applications can be built inside AIR, Stewart said. AIR applications feature an installer supported across multiple operating systems. AIR provides real desktop applications that use Web technologies, and it features Flash integration and local file access.

"You really have full control over the file system," Stewart said.

Google's Dion Almaer hailed Google Gears, a beta-phase project intended to enable more powerful Web applications. Among other capabilities, Gears allows Web applications to interact naturally with the desktop.

Gears, Almaer said, is an open source update mechanism for the Web. Possible additions to Gears include a location API, providing the ability to know where a user of a browser is; an audio API; and a notification API, which would provide alerts for users.

Google Gears features a local server cache for application resources, the SQLite database for data storage, and the WorkerPool capability, which makes Web applications more responsive by running resource-intensive operations asynchronously in JavaScript.

Almaer cited a user site, Buxfer, which is a Web 2.0 startup that handles personal finances for students sharing resources. Some users do not want to store their banking information in Buxfer servers; with Gears they can store it locally, said Almaer.

"They're using the database not in an offline [capacity] but just as a place to store this data," he said.

Gears was described as a bleeding-edge implementation of HTML 5, the specification for which features capabilities to help Web application authors and improved interoperability for user agents, according to the World Wide Web Consortium's Web page on HTML 5.

Customers Balk at Dell XPS One Update. Is It Legit?

Some Dell customers were left scratching their heads after Dell sent out a recent firmware update for the company's XPS One desktop systems.

Dell sent out the black CDs over the past few weeks to a "small number" of XPS One customers who purchased the systems with Samsung hard drives, said Dell spokeswoman Anne Camden. Because the systems do not ship with a hard-drive diagnostics system called SMART (Self-Monitoring, Analysis, and Reporting Technology) enabled, the hard drive can eventually go into an auto-scan mode that makes it unrecognizable to the operating system.

There's nothing wrong with the Samsung hard drives themselves, but if users don't install the firmware, there's a risk they will lose access to their data.

The problem is that Dell's update just didn't seem authentic to some customers.

One customer, who asked not to be identified, said he received Dell's firmware CD via courier in March, but something about the package just didn't seem right.

The customer, a chief financial officer at an East Coast investment fund, said he was about to install the software when he had second thoughts. The letter from Dell was on black-and-white letterhead and it was poorly written. He had narrowly avoided being infected by Web-based malware just days earlier. Could this be another attack?

"As I'm pushing it in, I said, 'let me call tech support,'" he said.

First he checked Dell's Web site. There was no mention of the issue.

Then he tried the company's technical support telephone line. After being transferred several times, he finally got an answer from a technician: "He said, 'we didn't send it; throw it away.'"

"Somehow, he reached the one tech guy who did not know anything about this," said Camden.

She would not say how many people have been sent the software, but noted that at least one other customer had "questioned" whether it was legit.

With online scams now a daily threat for most computer users, some simply don't know whom to trust anymore.

Last week, C-level executives were targeted in an e-mail scam in which they were told they'd just been sued. Victims were then sent to a Web page that told them to download an Adobe plug-in, which was actually malware.

"You just start getting a sense that computers are going to get less useable," the CFO said. "I think the whole security thing and identity fraud has people concerned about doing anything."

Dell XPS One customers who have the Samsung drives should have received the firmware update by now, but users who are concerned should call tech support, Camden said.

Hackers Jack Thousands of Sites, Including U.N. Domains

Large numbers of legitimate Web sites, including government sites in the U.K. and some operated by the United Nations, have been hacked and are serving up malware, a security researcher said Wednesday as massive JavaScript attacks last detected in March resume.

"They're using the same techniques as last month, of an SQL injection of some sort," said Dan Hubbard, vice president of security research at Websense, referring to large-scale attacks that have plagued the Internet since January.

Among the sites hacked, said Websense, were several affiliated with either the U.N. or U.K. government agencies.

The exact number of sites that have been compromised is unknown, said Hubbard. He estimated that it's similar to the March attacks, which at their height infected more than 100,000 URLs, including prominent domains such as MSNBC.com.

"The attackers have now switched over to a new domain as their hub for hosting the malicious payload in this attack," Websense said in an alert posted yesterday to its Web site. "We have no doubt that the two attacks are related."

How It Works

Although the malware-hosting domain has changed, it's located at a Chinese IP (Internet Protocol) address, just like the one used in March, Hubbard said. "It also looks like they're using just the one [hosting] site, but changing the link within the JavaScript," he added, talking about an obfuscation tactic that the attackers have used before.

When a visitor reaches one of the hacked sites, the malicious JavaScript loads a file from the malware-hosting server, then redirects the browser to a different page, also hosted on the Chinese server.

"Once loaded, the file attempts eight different exploits," noted the Websense warning, including one that hits a vulnerability in Internet Explorer's handling of Vector Markup Language (VML) that was patched in January 2007.

Another security researcher, Giorgio Maone, who also develops the Firefox add-on "NoScript," said late Wednesday that although the U.K.-based sites appeared to have been cleansed of the malicious JavaScript, the U.N. sites had not.

Maone also said "I told you so" in his blog post yesterday. In an August 2007 entry, he had said that rather than fixing the underlying security problems on the UN site, the agency had simply deployed a "pretty useless" firewall that masked the most obvious attack surface.

Even the disinfected sites, however, could fall victim again, Maone maintained. "The sad truth, though, is that even those 'clean' sites are still vulnerable, hence they could be reinfected at any time," he said.

"Web site owners have to start securing their code," Hubbard agreed.
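The two points Hubbard and Maone make here, that the sites were compromised through SQL injection and that "clean" sites stay vulnerable until the code itself is fixed, can be shown in a few lines. What follows is an added example, not code from Websense, Maone or the article: a constructed SQLite table standing in for a small CMS, a page lookup built by string concatenation beside its parameterized form, and a scan of stored page bodies for script tags that load from hosts outside an allowlist, the kind of injected tag the attacks described above plant. The table contents, the `malware-host.example` address and the allowlist are all made up for the demonstration.

```python
"""SQL injection: string-built query vs. parameterized query, plus a scan
for injected script tags in stored page content. Added example with
constructed data; not the article's or Websense's code."""
import re
import sqlite3
from urllib.parse import urlparse

# Constructed sample rows for a small CMS table. The third row carries an
# injected <script> tag pointing at an off-site host, as the attacks did.
SAMPLE_ROWS = [
    (1, "Home", "<p>Welcome</p>"),
    (2, "About", '<p>About us</p><script src="/js/site.js"></script>'),
    (3, "News", '<p>Latest</p><script src="http://malware-host.example/x.js"></script>'),
]


def build_db() -> sqlite3.Connection:
    """In-memory database populated with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE pages (id INTEGER PRIMARY KEY, title TEXT, body TEXT)")
    conn.executemany("INSERT INTO pages VALUES (?, ?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, title: str) -> list:
    """The weak pattern: the caller's input is spliced into the SQL text,
    so quotes and keywords in it become part of the query grammar."""
    sql = "SELECT id, title FROM pages WHERE title = '" + title + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn: sqlite3.Connection, title: str) -> list:
    """The hardened form: parameter binding keeps the input a plain value,
    whatever characters it contains."""
    return conn.execute(
        "SELECT id, title FROM pages WHERE title = ?", (title,)
    ).fetchall()


# Matches the src attribute of a <script> tag (case-insensitive).
SCRIPT_SRC = re.compile(r"<script[^>]*\ssrc\s*=\s*['\"]([^'\"]+)['\"]", re.IGNORECASE)


def find_external_scripts(conn: sqlite3.Connection, allowed_hosts: set) -> list:
    """Return (page_id, src) for every script tag whose host is not allowlisted.
    Relative URLs have no host and are served by the site itself, so they pass."""
    findings = []
    for page_id, body in conn.execute("SELECT id, body FROM pages"):
        for src in SCRIPT_SRC.findall(body):
            host = urlparse(src).hostname
            if host is not None and host not in allowed_hosts:
                findings.append((page_id, src))
    return findings


if __name__ == "__main__":
    db = build_db()
    probe = "' OR '1'='1"  # classic test string: a quote plus an always-true clause
    print("vulnerable:", lookup_vulnerable(db, probe))  # every row comes back
    print("safe:      ", lookup_safe(db, probe))        # no row has that literal title
    print("external scripts:", find_external_scripts(db, {"www.example.com"}))
```

The scan is a detection aid for the "reinfected at any time" problem Maone describes: it finds the planted tag in stored content, but only the parameterized lookup removes the hole that let it in.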

Wednesday, April 23, 2008

Unlimited Voice Calls: I'm Not Impressed

Four major U.S. cell carriers offer all-you-can-eat voice-call plans, but they're pricey--and the drawbacks abound.

All you can eat. I remember how sweet those words sounded when I first heard them in connection with something other than food: a flat-rate dial-up Internet account back in the 1990s. Recently all four major national cell phone carriers went the same route for voice calls, announcing new plans that set no limits on talk time. But unlimited talk is pricey (the plans charge $100 a month), and several other drawbacks make the offers less appetizing than they sound.

For starters, the plans don't do much for families. Verizon Wireless, which was the first to announce its unlimited-calling plan, gives no break whatsoever for additional lines: Each one will cost another $100. Same nondeal with AT&T Wireless & T-Mobile.

Sprint does offer discounts, starting at $5 off for a second line and increasing the reduction by another $5 for each additional line, up to five in all. But that totals a still-hefty $450 for a family that needs five phones.

Landline Substitute?

The pricing strategy makes substituting cell phones for landlines a nonstarter for households with more than one person, since you don't pay a dime more for a landline no matter how many family members (or friends) use it to talk their hearts out.

Also, substituting a cell phone for a landline introduces problems such as getting agencies to respond to the right location for emergency 911 calls, or making sure the handset is charged.

What about overseas calls? You can easily find deals on long-distance landline services, but international calls get very expensive on cell phones. Also, if your broadband service is tied to a landline (DSL or ISDN, for example), and you don't have a good alternative, you have to stick with the landline anyway.

Only Sprint Includes Data

Another reason I'm not impressed by unlimited talk plans: Most don't help with fees for data service, which are an increasingly big chunk of my cell phone bill. AT&T and Verizon charge separately for messaging and data services; T-Mobile includes unlimited messaging (instant, text, and picture and video), but not data.

Only Sprint's appropriately named Simply Everything plan bundles unlimited voice, data, and messaging, which makes it the best deal. Sprint even throws in GPS navigation service. Sprint's offer comes with a lot of fine print, however: For example, the company can terminate service if most of your voice minutes or data use involves roaming, and you can't use your phone as a modem.

Of course, you still have to pay regulatory fees and taxes, too, so all these plans top the $100 mark by the time the bill arrives. For really big talkers--mobile professionals, for example--they'll be worthwhile, eliminating worry about whether you're using night, weekend, rollover, or regular daytime minutes.

But cell phone talk minutes have become so cheap that most other people probably wouldn't benefit. My husband and I rarely get close to using the 450 shared anytime talk minutes in our low-end AT&T plan (at this writing we have nearly 4000 rollover minutes). And even with data fees, we don't pay anything close to the $200 we'd be charged for one of the new plans.

The bottom line: I'm not thrilled about these new offers. People who live on their cell phones will want to investigate them--especially the Sprint offering--but unlimited nationwide voice calling is probably overkill for most folks.

Tuesday, April 22, 2008

Asustek to Share Eee PC at Taiwan Open Source Summit

Asustek Computer plans to share its experience with open-source software in its popular Eee PC low-cost laptop at the OpenTechSummit Taiwan 2008, which runs from April 25 to 29, the company said.

The Taiwanese PC vendor is the largest corporate sponsor of the event and is currently selling the most popular laptop that carries an open source OS, the Eee PC.

The company officially started selling the Eee PC last October in Taiwan, offering four different configurations from NT$7,000 (US$231) for the 2G-byte "Surf." They all run a Linux OS from Xandros of New York.

So far, Asustek said it has sold a million of the low-cost laptops, but it declined to break down the number of Linux versions sold versus the number of Eee PCs sold with Microsoft Windows XP.

The Linux OS has allowed the company to keep prices down on the laptops in two ways: first, open-source software comes at little or no cost, and second, the streamlined OS requires a bare minimum of hardware to run. It's been the same story for the One Laptop Per Child Foundation (OLPC), which also uses a Linux OS in its XO laptop.

The foundation has been working with Microsoft to develop a streamlined version of XP that can be used in the XO with lower hardware requirements than full XP.

Microsoft earlier this month published new guidelines for designing ultra low-cost laptops for Windows XP.

Asustek launched its first Eee PC with Windows XP earlier this year, and said the OS had a big impact on sales. The company has forecast that two-thirds of the 5 million Eee PCs it expects to sell this year will run Windows XP, while the remainder will run a Linux OS.

Sales of the Eee PC have been strongest so far in Europe, where around 40 percent of all of the low-cost laptops have been shipped. The company expects that figure to rise to 50 percent later this year.

Microsoft Data Show Web Attacks Taking off

Criminals changed tactics in the last six months of 2007, dropping malicious e-mail in favor of Web-based attacks, according to data reported to Microsoft by Windows users.

The company saw the number of Trojan downloader programs it removed from Windows machines jump by 300 percent, according to Jimmy Kuo, principal architect with Microsoft's Malware Protection Center. These programs masquerade as legitimate pieces of software, but once installed they then download malicious software such as spyware or adware onto the victim's computer. They are typically installed via the Web.

The shift to the Web has been forced onto criminals, as system administrators have become better at blocking executable files from being sent via e-mail. So instead of sending their malicious software directly via e-mail, the bad guys are now being forced to send out spam messages that trick victims into visiting the malicious Web sites. "Executables are often being stripped completely regardless of what they are," Kuo said.
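Kuo's remark that executables are stripped "regardless of what they are" is about checking an attachment's content rather than its declared name or type. As an added illustration, not code from Microsoft or from the report, the following Python builds a constructed message with three attachments, one of them a Windows executable renamed to `.pdf`, and flags attachments by both their leading bytes and their extension. The addresses and attachment contents are made up; the `MZ` header of Windows executables is the only real-world detail.

```python
"""Flag executable e-mail attachments by content as well as by name.
Added example with a constructed message; not the report's code."""
import os
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Extensions Windows will run directly; a short illustrative list, not exhaustive.
EXEC_EXTENSIONS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs", ".js"}
PE_MAGIC = b"MZ"  # first two bytes of every DOS/Windows PE executable


def build_sample_message() -> bytes:
    """Constructed message: a renamed executable, a genuine-looking PDF and a batch file."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "user@example.com"
    msg["Subject"] = "Invoice attached"
    msg.set_content("Please see the attached files.")
    # An executable whose name claims it is a PDF: the extension check misses it.
    msg.add_attachment(b"MZ\x90\x00 constructed stand-in, not a real program",
                       maintype="application", subtype="octet-stream",
                       filename="invoice.pdf")
    # A real PDF header: nothing to flag.
    msg.add_attachment(b"%PDF-1.4 constructed document",
                       maintype="application", subtype="pdf",
                       filename="report.pdf")
    # Plain text, but the extension makes Windows execute it.
    msg.add_attachment(b"@echo off constructed script",
                       maintype="text", subtype="plain",
                       filename="run.bat")
    return bytes(msg)


def executable_attachments(raw: bytes) -> list:
    """Return (filename, reason) for each attachment that looks executable,
    judged by its bytes first and its extension second."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    flagged = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        payload = part.get_payload(decode=True) or b""
        reasons = []
        if payload.startswith(PE_MAGIC):
            reasons.append("PE header")
        if os.path.splitext(name.lower())[1] in EXEC_EXTENSIONS:
            reasons.append("executable extension")
        if reasons:
            flagged.append((name, ", ".join(reasons)))
    return flagged


if __name__ == "__main__":
    for name, reason in executable_attachments(build_sample_message()):
        print(f"{name}: {reason}")
```

A gateway that only looked at `invoice.pdf`'s name would pass it; the header check is what catches the renamed binary, which is why content-based stripping pushed attackers toward links instead of attachments.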

Many companies compile data on Web attack trends, but Microsoft's is the most comprehensive -- based on data from the approximately 450 million computers that run the Microsoft Malicious Software Removal Tool that ships with Windows.

Kuo said that there are still a lot of infected Windows boxes out there, although there are fewer than some have reported. On average, Microsoft removed malware from one out of every 123 computers it inspected each month during the period. In the U.S., that number was 1 in every 112. Japan was the least-infected country, with malware found on just one in 685 machines.

Microsoft published its findings Monday in its Microsoft Security Intelligence Report, Volume 4.

Other data from Microsoft's report:

* The total number of malware items removed by Microsoft's tool was up 55 percent from the first six months of 2007.

* Adware is still the most common form of unwanted software, and was up 66 percent in the second half of the year to 34.3 million detections. The top piece of adware for the period was Win32/Hotbar, which installs an Internet Explorer toolbar that spews pop-up ads onto the PC.

* Between 75 and 80 percent of phishing pages tracked by the Microsoft Phishing Filter were in English, and phishing is now moving from e-mail onto social networks.

* Rogue security software is on the rise. The most widely spotted of these bogus or malicious programs that pretend to protect PCs was Win32/Winfixer. It popped up five times as frequently as its nearest rival.

* Microsoft fixed fewer bugs in 2007 than in 2006. The company released 69 security updates, fixing 100 bugs in 2007. That's down nearly 30 percent from the 142 vulnerabilities it fixed in 2006.

Monday, April 21, 2008

Asustek to Launch Eee PC With 10-inch Screen

Asustek plans to launch a new version of the Eee PC with a 10-inch screen, a top executive said Monday.

The company's CEO made the statement at the launch of the new Eee PC 900 with an 8.9-inch screen, in Taiwan. The original Eee PC 701 carries a 7-inch screen.

"The feedback we've received from users has been great. Many have asked us for bigger screens and better usability. That's what made us start developing the Eee PC 900," said Jerry Shen, CEO of Asustek, during a news conference in Taipei. People are asking for bigger keypads and more software as well, issues the company continues to work on.

An Eee PC with a 10-inch screen could be out later this year, and it will be the biggest screen an Eee PC will ever get, Shen said. The company defines anything with a 12-inch screen or larger a classic notebook PC, not an Eee PC.

Asustek believes that screen size makes a difference in sales.

The new Eee PC 900 with the 8.9-inch screen will likely account for 50 percent of overall Eee PC shipments by June, and 60 percent or more of shipments sometime in the second half of the year, said Shen.

He declined to set a firm date for release of a new Eee PC with a 10-inch screen, and would not talk about possible prices. But a 10-inch screen could make a new Eee PC model much more expensive than the 8.9-inch model. Once screen sizes reach 12 inches, they are nearing mainstream sizes, where mass production reduces the price per unit. But a 10-inch screen is still a specialty, and therefore more expensive, screen size.

The Eee PC 900 went on sale Monday in Taiwan for NT$15,988 (US$528).

Friday, April 18, 2008

Google Docs: Your Online Office?

Over the next few weeks, Google will be rolling out a new feature that allows Google Docs users to access their documents even without an Internet connection. For now the change only applies to the word processor, but similar capabilities are expected to become available for spreadsheet and presentation documents once the initial trials are complete.

This move wasn't unexpected. The updated Google Docs take advantage of the company's Google Gears library, a programming tool that allows Web application developers to synchronize online data with files on the user's local hard drive. It also intensifies the burgeoning competition between Google and Microsoft, which offers Web-based collaboration features similar to Google Docs in the form of Microsoft Office Live Workspace. Some pundits feel that online services like Google's are the Number One threat to Microsoft's dominance of the productivity software market. Myself, I remain skeptical.

Current fans of Google Docs will surely appreciate this new feature, but I still have a hard time seeing how a Web-based application could ever replace traditional word processing software for serious business computing. I have a hard enough time getting all the capabilities I want out of alternative office suites, such as OpenOffice.org.

And then there are the security and liability concerns. Having access to your documents from any computer anywhere is a powerful productivity enhancement, but quite frankly I work with a lot of documents that should never leave the walls of my office -- and I'm just small potatoes. Google, Microsoft, and other online application providers will have to demonstrate a serious commitment to document security before they can attract enterprise customers to these services, especially given the current regulatory climate.

How comfortable are you with shifting your business computing off the desktop and into the network? Do you see browser-based applications becoming viable alternatives to the apps of old? Or are they just another flash in the pan we call "Web 2.0"? Sound off in the PC World Community Comments.

Apple Alters Windows Software Update Tool

Amid criticism over the way it was promoting its software to Windows users, Apple has altered the look of its software-update application for Windows. The newly released Software Update 2.1 now features two panes--one for programs already installed on a Windows PC and the other for new offerings.

Software Update 2.1 for Windows splits offerings into two panes, Updates and New Software. Applications in the New Software pane--the just-released Safari 3.1.1, for example--are checked by default.

The change to Software Update comes a month after Apple came under fire for the way it was pushing its software to Windows users. Apple's Software Update is installed on a PC when iTunes and QuickTime are installed. In March, Apple began including Safari as a download in Software Update, even for Windows users who hadn't previously installed the browser.

The loudest criticism came from Mozilla, makers of the rival Firefox browser. Mozilla CEO John Lilly wrote on his blog that Apple's approach "undermines the trust relationship great companies have with their customers" and compared the move to "malware distribution practices."

Apple didn't acknowledge those comments in revamping the Software Update tool. Rather, the company attributed the changes to its desire to improve ease of use. "In this latest release we have made it easier for customers to identify between software updates and new applications," Apple spokesman Anuj Nayar said.

Whether that change will satisfy Apple's critics remains to be seen. In a follow-up blog post, Mozilla's Lilly calls the update "a good change," but adds that Apple has "a bit more to do"--likely a reference to the fact that Software Update 2.1 continues to check boxes to download new software by default.

Oracle to Expand SAP Lawsuit, May Target Execs

Oracle plans to expand its lawsuit against SAP to include charges that its TomorrowNow subsidiary stole software applications from Oracle, and that it did so with the knowledge of SAP executives, according to court papers filed Thursday.

Oracle said it plans to file a second amended complaint against SAP and TomorrowNow that will reveal "a pattern of unlawful conduct that is different from, and even more serious than," the conduct described in its initial complaint.

SAP's lawyers accused Oracle of exaggerating its claims, using court filings as "press releases" and trying to prolong the case unnecessarily. "Ignoring Judge Jenkins's admonitions, Oracle continues to submit hyperbolic argument in the guise of (court documents)," SAP's lawyers wrote.

Oracle filed its suit against SAP a year ago, alleging that TomorrowNow employees posed as Oracle customers in order to download software patches and other support materials from an Oracle support Web site. TomorrowNow used the materials to provide cut-price services to Oracle customers, and try to switch them to SAP's platform, Oracle said.

Based on recent depositions, Oracle now claims that TomorrowNow workers downloaded Oracle business applications, as well as just its support materials. TomorrowNow then used the software "to service other customers, train its employees, and create fake 'SAP' branded fixes, updates and related documentation for distribution," Oracle said.

It also said SAP executives may have been complicit -- something SAP has vehemently denied. "It appears that SAP AG and SAP America knew -- at executive levels -- of the likely illegality of TN's [TomorrowNow's] business model from the time of their acquisition of TN and, for business reasons, failed to change it," Oracle said. It did not name any SAP executives.

The new charges are outlined in a 30-page joint filing submitted ahead of a case management conference scheduled for next week at the U.S. District Court for the Northern District of California in San Francisco. Oracle said it hopes SAP will agree to its filing the amended complaint; otherwise it will seek to add the new charges to the current complaint.

SAP did not return a call for comment Thursday evening. It has posted the documents about the case on its Web site. Oracle also has a Web page about the suit.

SAP has admitted that TomorrowNow may have made some "inappropriate downloads" from Oracle, and has replaced top executives at the subsidiary since the case was filed. But it has characterized any wrongdoing as isolated incidents, rather than the pattern of illegal behavior that Oracle alleges.

Oracle is seeking damages to be proven at trial, an injunction for SAP to return any Oracle software, and legal costs.

SAP reluctantly agreed with Oracle to push the jury trial date back by a year to February 2010, the new documents show. Oracle said it needs the time to complete discovery. SAP wants to retain the date for a settlement conference this October, but Oracle asked the court to delay that by a year also.

SAP's lawyers repeatedly expressed frustration at Oracle for what they view as delaying the case by demanding "limitless discovery." They asked the court to make Oracle explain soon how SAP's conduct has damaged the company.

"Oracle recites essentially every element of every one of its claims as a factual dispute, ignoring that its repetitive claims all boil down to the same basic issues -- what was allegedly copied; was that copying permissible; how was Oracle harmed? Those are the factual issues in dispute," SAP said.

"Oracle does not want to be focused, nor does it apparently want to effectively or timely resolve this case," it said.

Oracle said the case involves an "extraordinary" amount of discovery, including terabytes of computer records that take weeks just to copy, forensic scientists, and "potentially hundreds of third parties." It also asked to extend the length of the trial from four weeks to six.

Open Solutions Alliance Looking for Momentum Boost

The Open Solutions Alliance is hoping to shake off some growing pains as it moves through its second year, according to its president, Dominic Sartorio.

"We've definitely had challenges," he said. "We've gone through the challenges any volunteer organization has. ... [But] I am so confident that the OSA is going to be a successful consortium."

Formed in February 2007, the OSA is a nonprofit group aimed at fostering interoperability and adoption of open-source software. While it is backed by a number of for-profit vendors, the group's work has relevance for customers as well, according to Sartorio.

"The average end-user isn't going to care about my challenges in motivating a volunteer workforce," he noted. "But if we succeed, then they are going to see a lot more interoperable solutions."

"Most companies ... pick up different [open-source] point solutions and say, 'I want to roll it out to my end-users so it looks like a single app,'" Sartorio added. "Larger enterprises will say, 'I need to orchestrate business processes. ... It's too much work to integrate all these components and point solutions the open-source community generates.'"

As a sort of calling card, last year the OSA developed the Common Customer View, a prototype application that integrates data from a number of OSA member products.

The group got its "hands dirty" with that project, Sartorio said: "We could have just pontificated, or wrote up a bunch of white papers and best practices." The challenge in 2008 is to better publicize the effort, according to Sartorio.

Money is an ongoing concern, since OSA's roughly 15 dues-paying members contribute just US$10,000 each to the organization. "With that amount of money you can do a lot of things ... but you're not going to have an executive director, or have your own lab," he said.

Visibility among member companies could also be improved, as some have appointed midlevel employees to serve as representatives, not top executives, he said: "It's been a challenge to me to say 'Look guys, your CEO or CMO needs to know what you're doing.'"

Politics of a familiar sort has reared its head as well, according to Sartorio. While many companies want to integrate open-source elements with the Microsoft stack, that reality has clashed somewhat within the OSA's ranks, he said. "They say, 'Look, be careful what you do with Microsoft. ... I don't want to be part of an open-source movement that is working closely with Microsoft.'"

"The challenge at Microsoft is the old guard is trying to keep Wall Street happy and their revenues flowing in a predictable way," he said, but the company is on the whole "not monolithic" in its thinking regarding open source.

"There aren't any specific plans between OSA and Microsoft," he added. "It's a matter of ongoing dialogue."

The OSA now has about 20 members. Two vendors -- EnterpriseDB and Groundwork -- did not renew their memberships, Sartorio said. One new member expected to join within a few months is a publicly traded platform vendor, which he declined to name.

EnterpriseDB left the organization as "a matter of focus," CEO Andy Astor said via e-mail. "Like any company, EnterpriseDB needs to allocate its scarce resources among conflicting priorities. OSA is a terrific organization that has made solid progress in its first year, but we simply weren't participating and contributing to a sufficient level to justify continued membership."

Wednesday, April 16, 2008

Malicious Microprocessor Opens New Doors for Attack

For years, hackers have focused on finding bugs in computer software that give them unauthorized access to computer systems, but now there's another way to break in: Hack the microprocessor.

On Tuesday, researchers at the University of Illinois at Urbana-Champaign demonstrated how they altered a computer chip to grant attackers back-door access to a computer. It would take a lot of work to make this attack succeed in the real world, but it would be virtually undetectable.

To launch its attack, the team used a special programmable processor running the Linux operating system. The chip was programmed to inject malicious firmware into the chip's memory, which then allows an attacker to log into the machine as if he were a legitimate user. To reprogram the chip, researchers needed to alter only a tiny fraction of the processor circuits. They changed 1,341 logic gates on a chip that has more than 1 million of these gates in total, said Samuel King, an assistant professor in the university's computer science department.

"This is like the ultimate back door," said King. "There were no software bugs exploited."

King demonstrated the attack on Tuesday at the Usenix Workshop on Large-Scale Exploits and Emergent Threats, a conference for security researchers held in San Francisco.

His team was able to add the back door by reprogramming a small number of the circuits on a LEON processor running the Linux operating system. These programmable chips are based on the same Sparc design that is used in Sun Microsystems' midrange and high-end servers. They are not widely used, but have been deployed in systems used by the International Space Station.

In order to hack into the system, King first sent it a specially crafted network packet that instructed the processor to launch the malicious firmware. Then, using a special login password, King was able to gain access to the Linux system. "From the software's perspective, the packet gets dropped... and yet I have full and complete access to this underlying system that I just compromised," King said.

The researchers are now working on tools that could help detect such a malicious processor, but there's a big problem facing criminals who would try to reproduce this type of attack in the real world. How do you get a malicious CPU onto someone's machine?

This would not be easy, King said, but there are a few possible scenarios. For example, a "mole" developer could add the code while working on the chip's design, or someone at a computer assembly plant could be paid off to install malicious chips instead of legitimate processors. Finally, an attacker could create a counterfeit version of a PC or a router that contained the malicious chip.

"This is not a script kiddie attack," he said. "It's going to require an entity with resources."

Though such a scenario may seem far-fetched, the U.S. Department of Defense (DoD) is taking the issue seriously. In a February 2005 report, the DoD's Defense Science Board warned of the very attack that the University of Illinois researchers have developed, saying that a shift toward offshore integrated circuit manufacturing could present a security problem.

There are already several examples of products that have shipped with malicious software installed. In late 2006, for example, Apple shipped Video iPods that contained the RavMonE.exe virus.

"We're seeing examples of the overall supply chain being compromised," King said. "Whether or not people will modify the overall processor designs remains to be seen."

Open Source Census Launches

The Open Source Census, an effort to pin down hard statistics regarding the implementation of open-source software around the world, gets underway on Wednesday.

The census was first announced in December by founder OpenLogic, a vendor of tools and services for managing open-source software deployments. It has provided an automated census tool called OSS Discovery under an open-source license for the project.

Companies and individuals can use the tool to scan their computers for open-source software and then anonymously upload the data to the effort's site. The information will be available in two forms. Those who contribute can get reports summarizing their own use, as well as comparative data based on similar companies' results. Aggregated data untraceable to any company will be available publicly on the site.

There is a practical reason for enterprise shops to participate in the effort, one observer suggested.

"Survey stuff like this -- and OpenLogic isn't the only one talking about or doing it -- are really examples of Enterprise 2.0 philosophy in action," said Michael Coté, an analyst with Redmonk. "Why not pool together the collective product-use intelligence from all enterprises to help enterprises make build-buy decisions, instead of relying on vendors, analysts and other middlemen in the process of doing IT procurement?"

Sample census data provided by OpenLogic showed several ways the numbers could be crunched. They could list the popularity of various Linux distributions, chart the countries of respondents, or even list the top 20 open-source packages.

This level of data can be tough to obtain through traditional survey techniques, said Matthew Lawton, an IDC analyst covering open-source software business models.

IDC targets a range of respondents for its surveys, from CIOs to developers, but no single person can have "complete visibility over all the open-source software in an organization," he said. For example, a respondent might have a good sense of the major open-source projects in use at their company, but not a full accounting of every small module or pilot project in existence, Lawton explained.

"This type of census approach, to scan computers and get a complete list of what has been loaded on those computers, is a fundamentally more sound way to measure the amount of open-source software," he said.

IDC is among a number of additional project sponsors being announced Wednesday. Others include CollabNet, the Open Solutions Alliance, the Open Source Business Foundation and O'Reilly Media.

Apache Foundation Chairman Jim Jagielski and Tony Wasserman, director of the software management program at Carnegie Mellon University's West Coast campus, are acting as advisers to the project.

Tuesday, April 15, 2008

Cisco's Linksys Phase-out Moving Along

Cisco Systems' Linksys brand may disappear sooner than expected, according to a top executive for small business at the company, although he wouldn't say how quickly.

The company sells networking gear for small and medium-sized businesses (SMBs) under both the Cisco and Linksys brands, which has created some confusion, vice president of SMB Solutions Marketing Rick Moran acknowledged in an interview on Monday. Linksys was a successful vendor of home and SMB networking gear that Cisco acquired in 2003. There are routers, wireless LANs and other products under both brands that are aimed at small enterprises.

Chairman and CEO John Chambers said last year at an event in Europe, captured in a YouTube video, that Linksys would disappear under the Cisco brand over time. Linksys followed up by saying its brand wasn't going anywhere in the near term.

Cisco had already moved to allow its SMB channel partners to sell both Cisco and Linksys products, starting about a year ago, but in the process found out most of them didn't want to carry both, Moran said. Those that sold Cisco gear weren't interested in selling the simpler Linksys products because they wanted to sell their customers system integration services, and Linksys resellers were more geared toward selling individual products, he said.

Now Cisco is working to clear up the confusion by modifying its SMB Web site and having Cisco and Linksys product teams work more closely together, Moran said. Their product road maps are now aligned, he said. But there will still be an evolution toward one brand.

"It will be shorter than you think," Moran said. The evolution is likely to happen first outside the U.S., where Linksys products are sold but Cisco hasn't spent any money building up that brand, he added.

The Linksys brand ultimately will be replaced by a product category, similar to the Catalyst series of switches or WebEx conferencing services, which Cisco acquired last year, he said. The company has worked out how to do so without "orphaning" the Linksys name, according to Moran. Cisco won't leave any of the channels that now carry its SMB products: retail, distributors, small value-added resellers and service providers. The key difference will remain support.

"We need a definition to say there's a difference in the support model that goes behind them," Moran said. Cisco products are known for extensive support, while Linksys gear is designed for ease of use out of the box.

Also on Monday, Moran said the SMB market is "a challenge" in the ailing U.S. economy, but that Cisco has gained elsewhere from the relative weakness of the dollar. And his own research has shown that over the past 40 years, small businesses have led recoveries in both the U.S. and Europe.

"The first people to slow down spending are SMBs, but the first people to start back, even before the recovery is noticeable, are small businesses," he said.

Monday, April 14, 2008

What's the Future of Mobile Music?

DENVER (Billboard) - If a ringback tone launches on a network and nobody hears it, did it ever really exist?

With the exception of ringtones, no single mobile music application has yet scored an obvious home run with mobile users, even though the number of mobile music products has exploded in recent years.

And while there's been much discussion about how ease of use, need for innovation, pricing and so on contribute to the problem, one of the overlooked issues is that of marketing. Talk to any mobile industry executive or major-label representative, and they'll tell you all about how excited they are over ringback tones, mobile video, full-song downloads and such. But ask them to take out their checkbook and pay for some advertising around these services and you'll soon be facing empty air.

Mobile music is the bastard child of mobile and music industry parents, and neither wants to take full responsibility. Both want to make money on mobile music, but both want the other to pay for advertising and marketing needed to generate consumer interest.

Each has its own "legitimate" child that dominates their attention. Both industries make far more money on other products and as such direct their marketing dollars there.

The wireless industry, for instance, is overwhelmingly dominated by voice minutes. Take a look at your mobile phone bill. Unless you're a teenage text-message fanatic, the bulk of that bill is covering your talk time, not for content and services.

CTIA-The Wireless Assn. revealed at its annual conference earlier this month that what it calls "data revenue" now makes up 17% of carrier revenue. That's an impressive 53% increase over the year before. But data revenue to a wireless operator is any cash earned from something other than voice minutes. That includes text messages, corporate e-mail applications, photo messaging, etc. According to data from research firm M:Metrics, only about 15% of mobile users even buy ringtones, and far less buy full songs, ringback tones and other products.

Record labels to a degree are in the same boat. This is an industry built on selling records, and as such its marketing core competencies are based on promoting new music and selling albums, not educating fans on a new technology. Digital music revenue in total contributes roughly 30% to labels' overall revenue pie. Mobile makes up about half that total, with ringtones making up about 75% of the mobile figure. So at best, all other mobile music applications combined contribute maybe 3% to a label's bottom line.

Spending more on marketing may bump these figures for both industries, but how much can you justify spending on such a niche product?

The argument could be made that mobile music is more important for the music industry -- which desperately needs new revenue channels -- than it is to the wireless industry -- which is making loads of cash off voice minutes. And therefore, the music industry should shoulder the brunt of the marketing effort.

But wireless operators don't make it easy to do so. Take ringback tones. With ringtone sales sliding, ringback tones have been pegged by the music and mobile industries as the next growth area.

First, there's pricing. A ringback tone costs about $2 a pop, of which the label gets a cut. But operators charge an additional $1 per month to maintain the service, of which labels don't see a cent. Why, labels argue, should they spend their dwindling revenue marketing a service in which they don't share in all the proceeds?

Then there are branding challenges. Each operator calls its ringback tones service something different -- AT&T has Answer Tones, T-Mobile uses CallerTunes, and Sprint likes CallTones. Only Verizon Wireless simply calls them Ringback Tones. The same situation occurred with master ringtones (TrueTones, RealTones, etc.), but labels could simply refer to them using the familiar "ringtone" moniker. Ringback tones take longer to explain.

Finally, ringback tones are a network service, not a device download like ringtones and games. Because ringback tones operate within the network, only the network provider can sell them. That means labels can't work with third-party content providers like Thumbplay or Jamster to market and sell them, nor can labels sell them from artists' Web sites directly, like they do with ringtones.

"Everybody calls it something different, and the only way to get it is on the deck," RCA Records director of mobile marketing Sean Rosenberg says. "How do we message this to our fans?"

Fortunately, ringbacks are a viral application that in a way market themselves. Call a friend with one and you immediately get the idea. Other mobile music services aren't so lucky. For them to thrive in a digital entertainment market growing increasingly more competitive, mommy and daddy are going to have to start providing a bit more nurturing to their neglected love child.

First Centrino Atom Computer Coming in June

The first portable computer based on Intel's Centrino Atom chip package is coming in June, although it will be bigger and more expensive than such devices were expected to be.

The Willcom D4 ultramobile PC is manufactured by Sharp and will be priced at ¥90,200 (US$910) with a two-year data contract that costs an additional ¥1,600 per month.

Intel launched Centrino Atom at the Intel Developer Forum in Shanghai, but only showed prototypes of portable computers based on the new chips. However, Intel executives promised 20 such devices are in the works and will ship soon. The Willcom D4 announced Monday appears to be among those devices.

Centrino Atom was developed for small, pocketable devices based on Linux that Intel calls mobile Internet devices, or MIDs. These devices were expected to be priced starting from US$500, according to Intel.

Besides being substantially more expensive than the estimated price, the D4 is also bigger. At 84 millimeters by 192 millimeters by 26 millimeters and weighing in at 470 grams, the D4 is easily portable but not pocketable.

Unlike other prototypes that have been rolled out, the D4 is the first Centrino Atom device to be announced with a release date. The computer has a 1.33GHz Atom processor, a 5-inch widescreen display, 1G byte of RAM, a 40G-byte hard disk, and includes support for Willcom's PHS (Personal Handyphone System) data network, as well as Wi-Fi and Bluetooth. It has a slide-out keyboard and a monitor that tilts up slightly, making it easier to read when typing on a flat surface.

The D4 runs Windows Vista Home Premium, instead of a mobile version of Linux. It also comes with Microsoft Office Personal 2007 with PowerPoint 2007.

Friday, April 11, 2008

IBM Lays Claim to Cheaper, Faster Memory

IBM is developing a type of memory that it says could one day be faster and more reliable than today's hard drives and flash memory.

Called "racetrack," it is a solid-state memory that aims to combine the best attributes of flash, like having no moving parts, and the low cost of hard drives for an inexpensive form of nonvolatile memory that will be stable and durable, said Stuart Parkin, an IBM Fellow.

Racetrack memory stores information in thousands of atoms in magnetic nanowires. Without the atoms moving, an electrical charge causes data to move swiftly along a U-shaped pipe that allows data to be read and written in less than a nanosecond, Parkin said. A nanosecond is a billionth of a second and is commonly used to measure access time to RAM.

The memory reads 16 bits of data through one transistor, so it reads and writes information 100,000 times faster than flash memory, Parkin said.

"In flash memory and hard drives, one transistor can access 1 bit, or with flash, maybe 2 or possibly even 4 bits, that's it. We are going to use ... a transistor to access many bits of information."

Racetrack is still in its early days. The concept was proposed four or five years ago, Parkin said, and IBM hopes to be able to provide terabytes worth of storage from such devices in a few years.

"It will take two to four years to build a prototype in which we build these reading-and-writing elements on a nanoscopic scale. In four years we can perhaps demonstrate it works and then manufacture it," Parkin said.

Racetrack memory has no moving parts; it is "virtually unbreakable" and will never wear out, unlike flash drives, which could wear out after 10,000 read-and-write cycles, Parkin said. He likened the U-shaped design of horizontal pipes to a racetrack.

The memory keeps atoms constant, making it more durable than hard drives or flash. "Whenever you start to move atoms you have problems and devices wear out from fatigue after a time," Parkin said.

Racetrack memory's storage capacity is similar to flash's and may soon exceed hard-drive capacities, Parkin said.

Hard disks rotate to access information, while racetrack memory uses an electrical charge to read and write data, so it also uses less electricity, he said.

It will be inexpensive to manufacture because fewer transistors will be required and each memory chip will hold thousands of nanowires in a small footprint, Parkin said.

The premise behind racetrack memory is spintronics, a technology that manipulates the charge and spin properties of electrons. Using spintronics, hard-drive makers have developed drives that read data from a microscopically small area.

Parkin is widely noted for his work on spintronics and helping double the density of hard drives every year. Scientists Albert Fert, of France, and Peter Grünberg, of Germany, won the Nobel Prize in physics in 2007 for their spintronics research.

Thursday, April 10, 2008

Seven Technologies That Will Transform Businesses

Gartner has identified seven technologies that will "completely transform" business over the next 25 years, including parallel programming, wireless power sources for mobile devices, automated speech translation, and computing interfaces that detect human gestures.

"Many of the emerging technologies that will be entering the market in 2033 are already known in some form in 2008," Gartner said in a press release issued Wednesday from its Emerging Trends Symposium/ITxpo in Las Vegas.

Gartner says each of the seven technologies represents a "grand challenge" for IT researchers and CIOs, who should pay attention to the emerging research today so as to be ready for the changes they will bring.

"Gartner defines an IT Grand Challenge as a fundamental issue to be overcome within the field of IT whose resolutions will have broad and extremely beneficial economic, scientific or societal effects on all aspects of our lives," the analyst firm writes.

CIOs should chart which of these emerging technologies means the most for their businesses and track progress by reviewing related patents, the firm recommends.

Here's a rundown of Gartner's seven technology "grand" challenges:

-- Eliminating the need to recharge batteries for wireless devices. The future holds portable computing devices that are charged remotely, rather than with a wire, or devices that are simply powered by a remote source, making the use of batteries unnecessary, according to Gartner. A 2007 experiment at MIT was able to transfer power wirelessly, but commercial applications of wireless powering are "a long way off."

-- Parallel programming. Speed advances in computing are starting to come with multicore processors which, instead of simply speeding up a single core, use multiple processors that are a bit slower but solve problems faster by dividing tasks into smaller individual processes. The IT challenge this presents is developing applications capable of taking advantage of multicore processors. "Key issues will need to be addressed, including effectively breaking up processes into specific sub-processes, [and] determining which tasks can be handled simultaneously by multiple processes," Gartner writes.

-- Natural computing interfaces. The goal of interacting with computers without a mechanical interface is a longstanding one, but obstacles remain in developing the ability for computers to detect gestures, and check those gestures in real time against a gesture "dictionary" that tells the computer what action to take.

-- Automated speech translation. Natural language processing will be a key feature of computers after researchers resolve challenges related to speech synthesis and recognition, and machine translation. Some "rudimentary" automated speech translation systems have been created, but "the complexity extends further when translation and output is required to a target language that is understandable to a human," Gartner says.

-- Persistent and reliable long-term storage. Technologies today are ill-equipped to store the world's digital information on digital media for the long haul, according to Gartner. To have reliable storage that can last 20 to 100 years, researchers will have to overcome challenges related to data format, hardware, software, metadata and information retrieval.

-- Increasing programmer productivity 100-fold. Today's programmer is a shell of his future self -- or at least that's what Gartner is hoping. The output of each programmer will have to increase dramatically in order to meet future demands fueled by increasing reliance on the fruits of software development. The simple reuse of code will help, but optimizing the ability to reuse code has its own challenges, such as making it easier to find software modules quickly.

-- Identifying the financial consequences of IT investments. "One of the most perplexing challenges faced by IT leaders has been to convey the business value of IT in terms readily understandable by business executives," Gartner notes. No standard way of measuring IT value exists today.

Gartner's challenge to industry here is to find a model that can measure value consistently, similar to how financial accounting measurements are standard across public companies. Ideally, Gartner says IT shops should be able to tell business executives "If you invest in our IT proposal, you will see an additional [US]$0.03 earnings per share directly attributable to this project by the third quarter of next year."

Wednesday, April 9, 2008

Microsoft to Pilot Office Anti-Piracy Nagging

Microsoft Corp. will soon begin a pilot program for software that displays nagging notices on copies of its Office suite that the company deems counterfeit, the head of its anti-piracy effort said.

The program, which will run as a trial for Office users in Chile, Italy, Spain and Turkey, will add notifications to the already-in-place Office Genuine Advantage (OGA) initiative that detects illegitimate copies of the suite and blocks their owners from downloading free files and non-security updates.

Microsoft already tags counterfeit copies of Windows with notifications as part of its Windows Genuine Advantage (WGA) technology. Until today, however, OGA did not have a notifications component.

"Consumers will receive a pop-up dialog box alerting them their Microsoft Office software is not genuine," said Cori Hartje, the director of Microsoft's Genuine Software Initiative, the nameplate for its anti-counterfeit group.

According to Hartje, the new OGA notifications will display the pop-up the first time each day a user opens any of the Office applications, and follows that with another dialog box two hours later. The process will continue for up to 30 days.

After the one-month run of the pop-up, Hartje said, the scheme changes. "Office applications will be marked with a visual reminder that the copy of Office is not genuine," she continued. "[But] none of the visual cues presented will impair a customer from accessing their data or preparing documents."

The reminders will disappear only when the user uninstalls the pirated copy of Office or replaces it with a valid version.

The four-country pilot program will be voluntary, Hartje said, adding that the notifications will be offered as an update. It was unclear, however, if users who had Microsoft Update -- the version of Windows Update that also detects fixes and patches for Office -- set to automatically download and install updates would get the notification pilot without any additional warning or without requiring further approval.

Hartje also denied a link between the new notifications for Office and the existing nags that appear on counterfeit copies of Windows. "The pilot OGA notifications user experience is different from the WGA notifications experience," she said. "The shared similarity in OGA notifications and WGA notifications is the common goal of educating customers about the benefits of genuine and risks of counterfeit, and of leveling the playing field for our genuine partners."

Typically, changes in Microsoft's anti-piracy practices and technology that have been run as trials in only a few countries have later been expanded to include users worldwide.

In April 2006, for instance, Microsoft debuted the OGA program with a pilot launched in Brazil, China, the Czech Republic, Greece, Korea, Russia and Spain. By October of that year, Microsoft was requiring all users to run OGA if they wanted to download free templates from the company's Web site; by January 2007, all users had to validate their copy of Office with the OGA technology to use the Office Update site and service.