Critical Zero-Day Flaw Opens Holes in IE 6 and 7

A newly discovered threat that doesn't yet have any patch can allow for a Web-based attack against up-to-date Internet Explorer 6 and 7 browsers, according to security companies. The site could be a specifically created malicious site, or one that was hijacked and had the attack code inserted. Both Symantec and Vupen Security have posted alerts about the bug, which involves the way IE handles cascading style sheets, or CSS. According to the posts, browsing a Web site with embedded attack code would trigger the assault. According to Vupen's post, the flaw affects both IE 6 and 7 on a fully patched XP SP3 computer and could allow for running any command on a vulnerable system, such as installing malware.

Symantec's post says its tests confirm the published exploit works, but that it "exhibits signs of poor reliability," i.e. it doesn't always work. There aren't yet any reports of active attacks, but exploit code is publicly available. An additional e-mail from Symantec says that Vista is affected as well, but Microsoft has not yet confirmed the vulnerability. According to Vupen, disabling Active Scripting in the Internet and Local intranet security zones will block attacks against this flaw, but doing so would likely block Web site functionality as well. Zero-days that affect IE are typically major threats, so attackers will likely begin hiding attacks that target this flaw on compromised Web sites, and spewing out e-mails and online comments with links to sites that contain attacks.
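To verify whether that workaround is actually in place on a machine, here is an added PowerShell example (not from the article or from either vendor) that reads the current user's zone settings. It assumes the per-user registry location and the value name 1400 for Active Scripting; a Group Policy setting under HKLM may override what this reports.

```powershell
# Added example: report the Active Scripting setting ("1400") for the
# Local intranet (zone 1) and Internet (zone 3) security zones of the
# current user. Assumed meanings: 0 = Enabled, 1 = Prompt, 3 = Disabled.
$base   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$zones  = @{ 1 = 'Local intranet'; 3 = 'Internet' }
$labels = @{ 0 = 'Enabled'; 1 = 'Prompt'; 3 = 'Disabled' }

foreach ($id in 1, 3) {
    $key  = Join-Path $base $id
    # -Name fails (and returns $null here) when the value has never been set,
    # in which case the zone's built-in default applies.
    $item = Get-ItemProperty -Path $key -Name '1400' -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        "{0,-15} Active Scripting: not set (zone default applies)" -f $zones[$id]
        continue
    }
    $value = [int]$item.'1400'
    $state = if ($labels.ContainsKey($value)) { $labels[$value] } else { "unknown ($value)" }
    "{0,-15} Active Scripting: {1}" -f $zones[$id], $state
}
```

Only a reading of "Disabled" for both zones matches the workaround described above; "not set" means the zone's default (scripting enabled in the Internet zone) is in effect.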

Current reports do not list IE 8 as vulnerable, but Symantec warns that "there are possibilities that other versions of IE and Windows may also be affected." Your best bet may be to use an alternate browser such as Firefox until a patch is available.

Is e-mail a perfect cloud application?

In the beginning there was e-mail. The network was devoid of PCs. So all e-mail was accessed via a terminal and a command line interface. And e-mail was run on a Unix server.

So, by some current definitions, e-mail began as a "cloud" application. Then came the PC. And along with the PC came local storage. And, since network-based storage was expensive and local storage was inexpensive, thus began a logical move to downloading e-mail from the network and storing it on local devices/media. Now, many of us use our e-mail archives as a primary record-keeping mechanism, and our historical e-mail files are perhaps our most precious resource. Whether your primary e-mail is a part of a corporate network or simply your personal copy, odds are darn good that you have your e-mail set to delete the messages from the server as soon as they are downloaded to the PC. And even if a copy of the e-mails still exists somewhere in the bowels of the IT department, recovering those e-mails is a major issue.

But what happens if the e-mail files are not backed up regularly? This issue hit really close to home this week when one of our associates had a crashed hard drive on an almost-new notebook. And, of course, all of the e-mail archives were on that disk – with no recent backup. At this point, we could start yet another rant about how we all need to have current backups, and how corporate networking departments need to somehow enforce a policy of regular backups for all materials on the users' notebooks. But that would simply be "preaching to the choir." Instead, we would like to offer a different solution. This has the advantage of potentially recovering not only the correspondence itself, but also the vast majority of important files.

Had our associate been using a network-based service, such as Gmail, then all of the e-mail would be "safe." After all, virtually every file of any import is sent and/or received via e-mail. In fact, this is exactly how our associate is now rebuilding everything. In the next newsletter, we'll look at some of the advantages and disadvantages of the use of public and/or private "cloud" services for e-mail. In the meantime, we invite you to join the discussion of this topic at TECHNOtorials.

Mac News Briefs: PDFpen has new OCR engine

SmileOnMyMac Software has updated PDFpen, incorporating Nuance Communications' OmniPage OCR engine into the PDF editing program. SmileOnMyMac lauded the OmniPage OCR engine for its accuracy. PDFpen 4.5 uses version 15.5 of the OmniPage OCR, replacing the Tesseract open-source OCR engine in PDFpen on Intel-based Macs. Besides the new OCR engine, PDFpen 4.5 lets Snow Leopard users scan directly into the application from Image Capture or TWAIN scanners.

The 4.5 update is free for registered users of PDFpen 4.x. The PDF editing application costs $50, with a Pro version available for $100. Both PDFpen and PDFpenPro run on Mac OS X 10.4 and later.-Philip Michaels

Typinator features DropBox syncing

Ergonis Software released a new version of Typinator, its text-replacement utility. Typinator 3.6 features automatic syncing with DropBox, a tool for syncing files across multiple machines (and online). Taking advantage of the new capability is as simple as modifying Typinator's preferences to store its settings folder within the DropBox folder. There's also a new text highlighting tool that selects and highlights text in a single action. The updated Typinator also allows abbreviations that begin with a space, features a simplified registration interface, and offers numerous speed and memory usage improvements. Typinator 3.6 is available now from the company's web site, for €19.95 per single-computer license, or €34.99 for a two-machine license. The update is free to anyone who bought the application in the last two years.-Rob Griffiths

Real Software updates development applications

RealBasic and Real Studio 2009, Release 4 shipped Tuesday, adding 97 enhancements and 39 new features to the cross-platform software development tools, according to developer Real Software. Leading the changes to this latest version of RealBasic is a new report editor, which Real Software says will be included in all RealBasic versions. The report editor lets developers visually create a layout for printing by dragging and dropping labels, fields, images, and more. The editor creates both single- and multi-page reports. Real Studio also gets a new build animation feature for its Project Editor. The feature lets developers automate the most common functions of building applications without having to write IDE scripts. A complete list of what's new in Release 4 is available on Real Software's downloads page. The software maker also provides a video highlighting new features in RealBasic and Real Studio.-PM

Macvide announces VideoFlash Converter 2.9

Macvide has announced VideoFlash Converter 2.9, an update of its video-to-Flash conversion utility for Mac OS X. VideoFlash Converter allows conversion of QuickTime-compatible video files to Adobe Flash. It supports many formats including AVI, WMV, MOV, MPG, ASF, and DivX. The application automatically provides ideal default settings and offers the flexibility to crop video, set duration, adjust quality, and control many other audio and video preferences. VideoFlash Converter gives you the option of creating an HTML file along with the video and lets you customize how viewers see it. You can use the program to have Flash videos play directly in a Web page, not in a new window or separate page. You can designate that the video start automatically and continuously play when viewers access the page, for example. The app also integrates with iWeb. Version 2.9 also includes a new Web update and other fixes. The software works with OS X 10.4 (Tiger) or 10.5 (Leopard) and is a Universal app. VideoFlash Converter is available for $40 per single license, and can be downloaded from the Macvide Web site.-Jackie Dove

Algoriddim releases Djay 3

Algoriddim has released Djay 3, a revamped version of its music software application for Mac and iTunes. It offers a host of new features, including automatic tempo and beat detection, auto-cut scratching, and MIDI support. With the new version, users can match the playback speed of two songs for a perfect transition. In addition, the Auto-Cut feature allows users to scratch music in sync with a song's beat and rhythm. The program's interface has also been redesigned. The changes are aimed at making the program easy enough for novices while letting professional DJs do more with their mixes. Djay 3 costs $50. A free 15-day trial is available from Algoriddim. The software runs on Mac OS X 10.4 or later.-JD

Cisco, EMC joint venture makes progress

A month since its introduction, the joint data center venture between Cisco and EMC is percolating with activity before it starts business in the first quarter. Acadia is being formed by the two companies to accelerate the adoption of technologies forged from the Virtual Computing Environment coalition, in which Cisco, EMC and VMware are developing pre-integrated compute, networking, storage and virtualization systems. These so-called "VBlocks" are intended to allow channel partners to easily sell and integrate simplified data center and private cloud computing packages to customers. Acadia's role is to wrap the VBlocks in the training and consulting services needed to initially build and operate the VBlock infrastructure, then transfer it to the partner.

The Acadia board is made up of Howard Elias, president and chief operating officer, EMC Information Infrastructure and Cloud Services; Gary Moore, Cisco's senior vice president of Advanced Services; Rob Lloyd, Cisco's executive vice president of Worldwide Operations; and Mitch Breen, EMC senior vice president, Global Channel Strategy and Sales. Sources say Elias is chairing the board but he would not confirm that. He has help from Moore, though, in leading Acadia for the time being. "The two of us have really sponsored the work to get Acadia formed and beginning to stand up," Elias said. In addition to the formation of the board and management team, employees are being hired, Elias said. Acadia will employ 130 and begin operations in early Q1. The venture is not only looking for "the best and brightest" from the parent companies but also recruiting from across the industry, Elias said.

Elias said Acadia's opportunity is "substantial and unique" – enabling existing channel partners to easily and broadly implement private cloud computing infrastructure to increase their own opportunities. "We're offering this intellectual property that Acadia is creating to our partner ecosystem so that they can then deliver and help accelerate the adoption of those VBlock packages by our customers," he said. He says the company's challenge is to meet high expectations. "There's a lot of interest and demand out there, talk of 'What does this mean? How do I get access, proof of concept?' We're going to have to hit the ground running in Q1 to be able to start to fulfill some of this interest and demand. It's about setting expectations all around," Elias said.

Google Chrome: Redefining end user computing

One of the most profound changes in how computing services are being delivered is the use of the Web as a frontend for just about everything. We have seen this transformation in the thousands of software as a service (SaaS) offerings that have appeared in the last few years that now cover the entire spectrum of applications from corporate accounting through to video editing (something that just a few years ago was hard to imagine becoming a reality). In the application development world Adobe's Adobe Integrated Runtime (AIR) is perhaps one of the most profound re-thinks of what should be the underpinnings of application architecture, by making it possible to deploy applications on the Web and the desktop of Windows, Mac, and Linux with more-or-less identical functionality. If you doubt the success of AIR, consider that by January of this year, a scant year after the version 1.0 release of the SDK, Adobe claimed 100 million installations. Now the Web is redefining not just how processing functionality is delivered but also what an application is and what an operating system is.

Now Google is pushing the envelope with their recent release of details about the much rumored (and hyped) Google Chrome OS. You could describe Chrome OS as the big brother of Google's Chrome Web browser. Entirely Web-based, Chrome OS sports a tabbed interface to manage concurrent applications which are all Web-based (you can forget all of your standard desktop applications, this is not a Windows alternative) and it eschews client-side hard disk storage for flash and cloud storage. The intention of Chrome OS appears to be to define the netbook market and thus it is being designed to run on both x86 and ARM processors. The entire code base is open source but Chrome OS isn't intended to be something that you'll download and install on a netbook; rather, you'll get Chrome OS pre-installed on Google approved devices. That said, being open source it is guaranteed that the OSS community will jump on the chance to extend, enhance, and port Chrome OS onto just about every conceivable platform. Google also has a video explaining the end user context of GCOS which is useful (its cheery hipness may well annoy you as much as it did me).

Some of the most powerful concepts in Chrome are about the issues that users complain about with Windows. For example, updating Windows is a messy, ugly business that users really hate. With Chrome, updates are intended to be transparent and automatic – you'll always have the latest version and patches immediately on refresh. And should your Chrome OS instance get corrupted or compromised, the intention is that Chrome will self-heal.

So, will Chrome OS succeed? We've already seen the surprising success of netbooks, which address consumer market demand for low price and portability. My money is on big-time success in the consumer market. The SMB market will certainly be paying attention, and as their infrastructure investments reach the end of their life the lure of cheap computing will become very strong. Add to that simplified maintenance and repair and Google's huge brand awareness and I'd say that the probability of success is very close to 100%. In the corporate market, Chrome OS will make slower inroads. The enterprise market will, in a limited way, embrace Chrome OS but only as much as they need to embrace user demand – enterprise manageability concerns will need to be addressed to allow Big IT to feel at all comfortable.

Google's Chrome OS is scheduled for release towards the end of 2010 and I believe will be, to say the least, an important event with long-term implications for how consumers and the enterprise deal with personal computing. That said, enterprise IT will most likely have the same scenario they faced with users bringing their own laptops into the work environment and WiFi within the enterprise envelope – unstoppable trends that had to be controllable and, to some extent, accommodated.

Ellison mocks Salesforce.com's 'itty bitty' application

Oracle CEO Larry Ellison mocked on-demand CRM (customer relationship management) vendor Salesforce.com during a shareholder meeting Wednesday, saying its "itty bitty" application depends on Oracle's products. "We think Salesforce.com has got terrific underlying technology," he said in response to a question from a shareholder about Salesforce.com and the competitive pressures posed by the cloud-computing model. "In fact, everything they run is on an Oracle database. We think the Oracle database is fabulous cloud technology. But they don't stop there. On top of the Oracle database they build their applications using - what is it? Oh, my God. Oracle middleware."

"Let's look at their technology," he said. "They buy computers. They rent a room. They buy electricity and plug it in. Uh, they put the computers in the room. They then buy an Oracle database to run on those computers and then they buy Oracle middleware to build their applications. Oh, excuse me, and then they build this little itty-bitty application for salesforce automation. ... Most of the technology at Salesforce.com is ours." In addition, a long list of companies have "chucked" Salesforce.com's software and replaced it with Oracle's on-demand CRM software, Ellison claimed.

Ellison's comments follow reports that Salesforce.com CEO Marc Benioff will be speaking at Oracle's OpenWorld conference during an "executive solution session." Salesforce is also a sponsor of OpenWorld this year. His appearance seemed surprising to some observers, given the history between the two companies. Ellison was an early investor in Salesforce.com and once sat on its board, but left after a falling out with Benioff. Indeed, Ellison's scathingly sarcastic remarks on Wednesday made it sound like the companies' rivalry has not dimmed at all.

A Salesforce.com spokesman wouldn't directly address Ellison's comments, but pointed to the company's successes. "Customers are moving towards cloud computing and away from traditional software," said Bruce Francis, vice president of corporate strategy, via e-mail. "We have more than 63,000 customers experiencing success in the cloud. And, as we reported in August, the number of customers grew 32% in Q2."

China takes questions for Obama from Internet users

China's state-run news agency Friday started collecting questions from local Internet users for U.S. President Barack Obama, who is slated to speak to Chinese youth next week during his first visit to the country. Obama is scheduled to hold the session in Shanghai next Monday as part of a three-day visit to a country of rising economic and political influence worldwide. China and the U.S. have appeared to wrangle over the details of the dialogue session, such as whether it will be broadcast live. China's Xinhua News Agency opened an online forum for users to submit questions and said the Web site would broadcast the event.

Questions that appeared in the forum ranged in tone from innocently curious to accusatory and nationalistic. "China's total elimination of serfdom [in Tibet] in 1959 was identical in nature to Lincoln's abolition of slavery in the U.S.," one post in the forum read, repeating a comparison made by a Chinese foreign ministry spokesman at a press briefing the previous day. "Mr. Obama, do you plan to meet with the Dalai Lama after leaving China?" Chinese officials often portray the Dalai Lama, Tibet's exiled spiritual leader, as a dangerous separatist, while he is usually seen as a peaceful religious activist in the West. Demands for greater religious and political autonomy in Tibet are among the most hot-button issues in China. "Do you really understand our China?" another question read. Other questions were more personal. "What kind of Chinese name would you pick for yourself?" one post read. Xinhua did not say if the event would also be broadcast on other Web portals or on TV. A representative at the U.S. Embassy in Beijing said a final decision on the format of the event still had not been reached. When asked earlier this week if the event would be broadcast, Ben Rhodes, a U.S. deputy national security advisor, told reporters that Obama hoped to reach as wide an audience as possible at the session but that details remained to be worked out, according to a transcript of his comments. Chinese leaders including President Hu Jintao have held rare online chats with Chinese Internet users in an apparent attempt to boost the government's image.

Chinese authorities heavily police the Internet for sensitive political content, pornography and other material deemed harmful. Local Internet companies are expected to erase sensitive comments that appear on blogs or other parts of their Web sites and can face punishment for failing to do so.

Report: New net neutrality rule coming next week

Federal Communications Commission chairman Julius Genachowski will propose a new network neutrality rule during a speech at the Brookings Institute on Monday, the Washington Post reports. Broadly speaking, net neutrality is the principle that ISPs should not be allowed to block or degrade Internet traffic from their competitors in order to speed up their own. Anonymous sources have told the Post that Genachowski won't offer too many details about the proposed rule and will likely only propose "an additional guideline for networks to be clear that they can't discriminate, or act as gatekeepers, of Web content." The Post speculates that the rule will essentially be an add-on to the FCC's existing policy statement that networks must allow users to access any lawful Internet content of their choice, to run any legal Web applications of their choice, and to connect to the network using any device that does not harm the network. Additionally, the principles state that consumers are "entitled to competition among network providers, application and service providers and content providers."

The debate over net neutrality has heated up over the past few years, especially after the Associated Press first reported back in 2007 that Comcast was throttling peer-to-peer applications such as BitTorrent during peak hours. Essentially, the AP reported that Comcast had been employing technology that is activated when a user attempts to share a complete file with another user through such P2P technologies. As the user is uploading the file, Comcast would then send a message to both the uploader and the downloader telling them there has been an error within the network and that a new connection must be established. The FCC explicitly prohibited Comcast from engaging in this type of traffic shaping last year. Several consumer rights groups, as well as large Internet companies such as Google and eBay, have led the charge to get Congress to pass laws restricting ISPs from blocking or slowing Internet traffic, so far with little success. The major telcos have uniformly opposed net neutrality by arguing that such government intervention would take away ISPs' incentives to upgrade their networks, thus stalling the widespread deployment of broadband Internet.

Both friends and foes of net neutrality have been waiting anxiously to see how Genachowski would deal with the issue, ever since his confirmation as FCC chairman earlier this year. Tim Karr, the campaign director for media advocacy group Free Press, said at the time of Genachowski's nomination that he was instrumental in getting then-presidential candidate Barack Obama to endorse net neutrality during his presidential campaign. Net neutrality advocates cheered when Genachowski took over the FCC, as many speculated that he would be far more sympathetic to net neutrality than his predecessor Kevin Martin.

Survey: More Companies Hiring CSOs

Even though the worst economic recession in decades has compelled companies to spend less on outsourced security services and do more in-house, security budgets appear to be holding steady. That's one of the big takeaways from the seventh-annual Global Information Security survey, which CSO and CIO magazines conducted with PricewaterhouseCoopers earlier this year. And more companies are employing a chief security officer.

Some 7,200 business and technology executives worldwide responded from a variety of industries, including government, health care, financial services and retail.

A New Corporate Commitment

Companies may still struggle with the quality of their data security, but the response to this year's survey suggests their executive peers have agreed, finally, that security can't be ignored. Not only are more companies investing in security technologies, but overall security investments are largely intact, despite the economy. Part of the reason is that regulatory compliance pressures have jolted open the eyes of top brass who may have been blind to their internal security needs previously. "I have seen examples where companies are making bigger investments in training over time to make internal staff more security savvy," says Miguel Lopez, a Los Angeles-based IT security practitioner who has worked for such companies as MSC Software and Stamps.com. Lopez points to one of his friends in the industry for an example of how things have changed. "My friend, an information security manager, sits on an executive security committee with doctors and other non-IT personnel," he says. "Security is being heard from and listened to more now than ever before."

Companies' budget plans tell part of the story. Twelve percent of respondents expect their security spending to decline in the next 12 months. But 63 percent say their budgets will hold steady or increase (although fewer foresee increases than did last year). Two factors are influencing companies to maintain security as a corporate priority: Seventy-six percent say the increased risk environment has elevated the importance of cybersecurity among the top brass, while 77 percent said the increasingly tangled web of regulations and industry standards has added to the sense of urgency. For starters, more companies are hiring CSOs or chief information security officers (CISOs). Eighty-five percent of respondents said their companies now have a security executive, up from 56 percent last year and 43 percent in 2006. Just under one-third of security chiefs report to CIOs, 35 percent to CEOs and 28 percent to boards of directors. Notes Mauricio Angee, senior manager of IT security and compliance and CSO at Universal Orlando: "For segregation of duty purposes, it's interesting to see how companies are being asked, by compliance auditors, qualified security assessors and through legislation, to hire IT security managers with a much-more-defined set of roles and responsibilities." Such roles include setting the company's security policy, making the security budget pitch (instead of the CIO) and delegating responsibility among lower-level IT security administrators and engineers.

Respondents were asked how important various security strategies had become in the context of harsher economic realities. Seventy percent cited the growing importance of data protection while 68 percent cited the need to strengthen the company's governance, risk and compliance programs. None of these developments, however, make a focus on information security a sure bet in the eyes of IT leaders. Angee says security leaders still have to fight hard for every penny. Just because companies feel they have to spend money on security doesn't mean executives view it as an essential, even beneficial business process instead of a pain-in-the-neck task being forced upon them. Meanwhile, security execs don't have the same decision-making power as other C-level leaders in every company, says Mark Lobel, a partner in the security practice at PricewaterhouseCoopers. CIOs can bring in a CSO or CISO without a strategy and budget for that person to work with and end up achieving nothing. If something goes wrong, he concludes, "all you'll have is somebody to blame and fire."

Cisco undervalues Tandberg, investment firms say

Two investment consulting companies laid out objections to Cisco's US$3 billion offer for Norwegian videoconferencing vendor Tandberg on Friday, saying in an open letter to Cisco and a press interview that the bid undervalues Tandberg. Cisco and Tandberg announced the deal on Oct. 1, but it still needs to be approved by Tandberg's shareholders. The agreement requires owners of 90 percent of the company's shares to sign off on the acquisition by Nov. 9. According to recent media reports, holders of 24 percent of Tandberg stock don't plan to accept the deal.

Panta Capital Managing Director Peter Germonpre said in an interview that Cisco would have to offer at least 170 Norwegian Kroner per share, about 11 percent above the current bid of 153.5 Kroner, according to a Wall Street Journal report. Germonpre reportedly said Panta and investment consultants Scott & Associates own less than 1 percent of Tandberg but have heard other shareholders take the same view. In an open letter on behalf of Tandberg shareholders, addressed to Chairman and CEO John Chambers and Chief Strategy Officer Ned Hooper, Panta and Scott said Cisco isn't offering enough of a premium. Among other things, the consultants said Tandberg's third-quarter financial results beat the consensus estimates of analysts for revenue and profit. In addition, they said estimates of the company's 2009 results have fallen by only about 9 percent, outperforming estimates for the technology sector and for Tandberg rival Polycom, which fell between about 30 percent and 45 percent. They said Cisco is valuing Tandberg on a par with Polycom while the Norwegian company is actually outperforming its competitor.

When the deal was announced, Cisco said its offer represented a 38.3 percent premium over Tandberg's share price on July 15, which Cisco said was just before the company's stock started to rise because of takeover speculation. Panta and Scott rejected that argument, saying Tandberg had been seen as a takeover target before then. Cisco suggested on Monday that it might drop its offer rather than raise it. Cisco reiterated its position on the Tandberg offer in a prepared statement. "We believe we are paying a fair price for a quality asset, and our offer comes recommended by the Tandberg Board of Directors," Cisco said. "Further, Cisco's general approach to M&A activities is that no acquisition should be pursued or completed if it runs counter to the broader principles of prudence and financial fairness."

Cisco has high-definition, immersive videoconferencing systems in its Telepresence line as well as desktop collaboration offerings in its WebEx line. Acquiring Tandberg, one of the major suppliers of videoconferencing equipment, would expand Cisco's already strong position in technology for virtual meetings. Chambers has said video is the key application that will shape communications and drive network infrastructure growth in the coming years.

Online libel case stirs up free speech debate

An Illinois politician's attempt to unmask the identity of an e-mail poster who allegedly made disparaging remarks about her teenage son in an online forum is stirring a debate about free speech rights on the Internet. The case involves Lisa Stone, Trustee of the Village of Buffalo Grove, Ill. According to a story in the Chicago Tribune, someone anonymously posted "deeply disturbing" comments about Stone's 15-year old son earlier this year in a local newspaper. The paper had run a story describing a bitterly contested local election that Stone was running in.

In response to that story an individual using the name Hipcheck15 posted comments that were critical of Stone. The comments apparently prompted Stone's son to go online and post comments in defense of his mother. Those comments, in turn, evoked allegedly defamatory statements directed against Stone's son by Hipcheck15, the Tribune story said. The paper did not say what exactly Hipcheck15 wrote, but it quoted Stone as describing the comments as being "vile" and "shocking." As part of an effort to file a defamation lawsuit against Hipcheck15, Stone approached the Cook County Circuit Court and asked it to order the newspaper to turn in the true identity of the poster, the Tribune said. In response to an order from the court, the paper turned in the IP address for Hipcheck15. Stone then obtained a similar order from the circuit court judge that asked Hipcheck15's Internet service provider, or ISP, to reveal the true identity of the person to whom the IP address was assigned. Stone did not immediately respond to an e-mailed request from Computerworld seeking comment for this story.

According to the Tribune, the ISP later turned in the identity of Hipcheck15 to the court last month. A hearing is now scheduled for November 7 to decide whether the judge should provide Stone with Hipcheck15's true identity. Stone apparently has insisted that all she is trying to do is protect her son and other children from being similarly attacked online. She is hoping the case will serve as a deterrent against similar attacks.

Eugene Volokh, professor of law at the University of California at Los Angeles' School of Law, said the case serves as another reminder that online anonymity does not automatically provide immunity against libel charges. Individuals who libel or defame others online, anonymously or otherwise, are just as exposed to lawsuits as they are in the physical world and cannot expect First Amendment rights to automatically protect them. "Saying you're a lousy professor is one thing. But saying you molest 13-year olds is completely different," he said. Though one might use a pseudonym to conceal their true identity, a court can force an ISP to unmask them in such cases, Volokh said. Judges in other cases have shown a willingness to do just that if, in their opinion, the complaints had merit. In a similar case earlier this year, a Texas circuit court judge ordered an online news aggregation site to turn over identifying information on 178 people who had anonymously posted allegedly defamatory comments about two individuals involved in a sexual assault case.

William Pieratt Demond, a partner at Connor & Demond PLLC, a law firm in Austin that is representing the couple, today said that the online site has since turned over information that has so far led to three people being identified as tied to the comments. The two individuals, who were acquitted of all charges, had claimed they had been subjected to intense and inarguably defamatory comments in the online forum. Libel lawsuits have been filed against all three, Demond told Computerworld today. In the Stone case, it is hard to know how much merit her complaint has, Volokh said. Judges have to decide whether an online comment reflects just a personal opinion, which is protected, or whether it crosses the line and becomes defamatory. "Courts have said that because revealing a speaker's identity could end up deterring people from speaking up, we are going to require some showing whether there is a cause," he said. Ed Yohnka, spokesman for the American Civil Liberties Union of Illinois, said the case was troubling. "We think anonymous speech on the Internet is really critical and needs to be protected," Yohnka said.

Yohnka warned against a growing tendency by corporations and individuals to use defamation claims as a way to get the courts to force ISPs to unmask anonymous online commentators. "Saying something is defamatory shouldn't be the trigger" for deciding when someone should be unmasked, he said. Anonymous speech has traditionally been one way in which people have chosen to express themselves on political and social issues, he said. Corporations and public figures in particular need to show they have a prima facie case before they are allowed to seek the identity of an anonymous poster, Yohnka said.

Hiring budgets begin to thaw

Employers could be filling IT positions in the coming months, research suggests, as the number of positions expected to be created could begin to outpace anticipated job cuts in some industries. Hiring budgets could be coming out of the deep freeze initiated at the start of the economic recession, according to industry watchers. Outplacement firm Challenger, Gray & Christmas reports that employers in September began to detail plans to hire more workers than they did in 2008. Through September 2009, employers have announced plans to hire 169,385 workers this year, marking an 88% increase over the nearly 90,000 planned hires announced in the first three quarters of 2008. The sectors planning the most hires include the retail, government and nonprofit, and enterprise and leisure industries.

Employers in the telecommunications industry announced 6,339 planned hires for 2009, compared to 2,689 last year. Aerospace and defense employers intend to add 2,618 new positions, less than the 4,709 in the previous year. Electronics companies are expecting to add 1,765 new jobs, another decline from 2008's 3,013 planned positions. E-commerce vendors reported they would augment staff with 1,572 new openings, an increase over the 500 added in 2008. And while the computer industry reportedly announced 7,717 new hires, the data Challenger, Gray & Christmas has tracked so far this year shows the industry isn't planning any new hires in 2009. "These figures represent just a tiny fraction of the hiring and available jobs out there. There simply are more job seekers than there are jobs. We track hiring announcements," said John Challenger, CEO at the outplacement firm, in a statement. Challenger, Gray & Christmas also cited recent Bureau of Labor Statistics data that showed 2.4 million job openings as of August, down from 3.9 million in 2008. And the same government agency reported that 4 million workers were hired in August, despite the unemployment rate nearing 10%. "There is no doubt that this is a tight job market. However, it would be a mistake to assume that no one is hiring," Challenger said.

Separately, IT research firm Foote Partners also found cause for optimism in recent government statistics. David Foote, CEO and chief research officer, said in a statement that while high-tech industry segments have been posting job losses, they are losing fewer jobs and in some cases adding positions. For instance, "five IT bellwether job segments" have posted collective job losses of between 4,000 and 11,000 jobs each month (including 4,300 lost in August), but also showed gains such as 7,400 positions in July. "Consider that according to the Department of Labor's labor market segmentation there has been a net loss of 32,600 IT related jobs since January 2009, but a net gain of 1,400 since July; it's clear that we're heading in the right direction," Foote said. "We continue to maintain optimism for the rest of the year, for the IT services sector in particular."

NEC upgrades to HYDRAstor grid storage system

NEC Corp. today unveiled several upgrades to its flagship HYDRAstor grid-storage system, adding write-once, read-many (WORM) capabilities and the ability to encrypt data in transit. The upgraded system also provides deduplication capabilities for more third-party backup applications. NEC officials said that the upgraded software will increase performance by 67%, while boosting security by improving HYDRAstor's ability to archive mission-critical data. "Over 70% of even high I/O data from source applications such as databases have not been touched after 6 months. A lot can be off loaded onto more efficient platforms," said Gideon Senderov, director of product management for NEC's IT Products Group.

The new RepliGrid in-flight data encryption capability protects data as it's being transmitted between HYDRAstor grids and data centers, he added. The new HYDRAlock WORM capability allows administrators to lock out any changes to documents or other records, maintaining a chain of custody for regulatory purposes, Senderov said. NEC also announced that it will allow users to license additional physical capacity that can be activated without adding components. For example, customers can now license as little as 12TB of capacity in a 24TB configuration and then pay a fee to activate additional capacity as needed. A new quota management system allows administrators to set limits on the maximum effective capacity allocated for each file system and its associated application.

The quota management system also offers threshold notifications as well as the ability to set aside a capacity reserve for other applications, such as critical archive data. Previously, the HYDRAstor grid architecture had a default capacity of 256 petabytes for all applications. The upgraded system can deliver up to 1.8TB per hour per accelerator node and up to 90TB per hour for the largest supported configuration of 55 accelerator nodes and 110 storage nodes, according to the company. Accelerator nodes are the controller blades with the CPU processing power, and storage nodes are the system blades with disk storage capacity. NEC said that the performance boost comes from software enhancements and more efficient inter-node data transfer and communication protocols. NEC today also introduced lower-capacity, or "entry-level," models of HYDRAstor offering raw storage capacities of 12TB (or over 150TB effective capacity), 24TB (or over 300TB effective capacity) and 36TB (or over 450TB effective capacity). "We are really looking forward to taking advantage of the new in-flight encryption and quota management functions," said Scott Ashton, a LAN/WAN specialist at TLC Engineering for Architecture Inc., an Orlando, Fla.-based engineering firm. "We've really seen the return on our initial investment as we've been able to take advantage of each new upgrade with HYDRAstor since our early adopter installation in 2007." "A highly resilient storage solution primed for archiving, that self-evolves with the ability to intermix several generations of technology, offers global deduplication, great scalability, and automates provisioning, migration, workload balancing and system management will be the key features of a storage solution that the market will demand," said Dave Russell, a vice president at researcher Gartner Inc.

The new application-aware deduplication feature allows newly supported third-party backup applications such as IBM's Tivoli Storage Manager and EMC's NetWorker, as well as the previously supported Simpana from CommVault and NetBackup from Symantec, to take advantage of the data-reducing feature. With the exception of the WORM capability, customers can install the latest HYDRAstor upgrades for free. The WORM upgrade costs $14,000 per accelerator node.

Defunct airport fast-pass program may be revived

Tens of thousands of subscribers to a registered air traveler program, who were left feeling scammed when the company offering the service abruptly went out of business, may soon get a break. A new investment group based in California has signed a letter of intent with Morgan Stanley, the defunct company's largest debt holder, according to the New York Times. Under a proposed plan, the investment firm will be allowed to buy the assets of Verified Identity Pass Inc. (VIP) and restart the Clear fast-lane security service, the Times reported, quoting the owner of the Emeryville, Calif.-based investment banking firm, Henry Inc. Subscribers to the Clear service, some of whom had signed up for two years or more of service just before VIP went out of business, will be offered a chance to continue their subscriptions after the deal goes through. If an individual chooses not to, any personal data on that individual that had been collected by VIP for Clear will be permanently destroyed, the Times said, quoting the investment banker.

VIP was one of seven companies approved by the Transportation Security Administration (TSA) to operate a registered traveler program, which lets air travelers get through airport security checks faster. It offered the service at 21 major airports, including New York's John F. Kennedy International Airport, La Guardia, Boston's Logan International and Atlanta's Hartsfield-Jackson airports. To sign up for VIP's Clear service, customers had to submit to background checks and provide identifying information, including Social Security and credit card numbers, home address, date and place of birth, phone numbers and driver's license number. They also had to provide fingerprints, iris scans and digital images of their faces. More than 200,000 customers had signed up for the service when the company went out of business.

The news is likely to provide some comfort to thousands of customers of VIP who were left in the lurch when the company in June abruptly announced it could no longer offer the Clear service because it had run out of cash. Many participants were left feeling scammed when VIP announced that it couldn't refund their subscriptions because it had run out of money. VIP's decision to shut the service raised concerns about the fate of the data that had been collected by the company. The company made matters worse by hinting that it would sell the data it had collected to fulfill its debt obligations. Days after the company's closure, the chairman of the House Committee on Homeland Security asked the TSA to ensure that all information collected by VIP was properly protected and destroyed. In August, a federal judge in New York issued an injunction prohibiting VIP from selling, transferring or disclosing to any third party the data it collected while operating the Clear service. The motion was in response to a lawsuit brought by concerned customers. The injunction, however, was later lifted on a technicality.

Todd Schneider, an attorney with Schneider, Wallace, Cottrell, Brayton, Konecky LLP, a San Francisco law firm representing one of the parties in the lawsuit, today said he was unclear on the ramifications of the reported purchase of VIP's assets by the investment banking firm. For the moment, the purchase does little to alleviate the major complaint in the lawsuit, which is that VIP's customers didn't get a refund of their subscriptions. "That is something that they are entitled to regardless of whether or not other companies" purchase VIP, he said. A hearing in the case has been scheduled for Oct. 16, where Schneider plans to again ask the judge to bar VIP from selling its data assets to any third party.

News of the proposed purchase comes as the House Committee on Homeland Security is scheduled to hold a hearing today on the future of the registered air traveler program.

Avaya promises near-term support for Nortel gear

Nortel enterprise customers will be able to buy the company's current line of products for 12 to 18 months after Avaya officially takes ownership of Nortel's enterprise division, which it won at auction for $900 million. Support for Nortel gear will continue throughout that transition, an Avaya spokesperson says. After that period, Avaya says it will have a migration path laid out that customers can follow to bring themselves into Avaya's official product line. Because the two companies' products overlap, some analysts think the deal was more about customers than it was technology.

Regardless of the migration path, Avaya says it will honor three- to five-year product support for all customers. Task forces from both companies will be tapped to figure out which products make the most sense to keep and which ones need to be merged. The company says the product road map for the expanded Avaya will be ready 30 days after the deal is officially closed. Avaya says it will honor all of Nortel's service contracts, including those that Verizon claimed in a legal filing would be canceled. The contracts in question extended to Verizon customers through its services business.

Verizon sought last week to get Avaya removed from the auction for Nortel's enterprise division. The last-minute appeal claimed Avaya intended to toss out the contracts and that this would result in national security issues because some of the gear was supplied to critical governmental agencies. "We intend to fulfill the contract that is the subject of their filing. The customers will receive service," an Avaya spokesperson says. Long term, Avaya says it will rely on its Aura Session Manager platform to unify customers' Session Initiation Protocol-based communications gear into a single system. Because Avaya Aura is compatible with Nortel's open architecture, customers will be able to build multi-vendor environments without requiring a swap-out to all-Avaya equipment.

Aura already supports Nortel gear as well as products from major VoIP vendors Alcatel-Lucent, Cisco, Mitel, NEC, Nortel, ShoreTel and Siemens. As for R&D, Avaya says the Nortel and Avaya resources are complementary enough to help the combined company bring new products to market more quickly.

Microsoft Internet Explorer SSL security hole lingers

Microsoft still does not acknowledge a weakness in its Internet Explorer browser that was pointed out seven weeks ago and enables attackers to hijack what are supposed to be secure Web sessions. The company says it is still evaluating whether the weakness exists, but Apple, which bases its Safari for Windows browser on Microsoft code, says Safari for Windows has the weakness and the Microsoft code is the reason. Apple has fixed the problem for Safari for Macs. If Microsoft doesn't fix the problem, Apple can't fix it on its own, Apple says.

"Microsoft is currently investigating a possible vulnerability in Microsoft Windows. Once our investigation is complete, we will take appropriate action to help protect customers," a Microsoft spokesperson said via e-mail. "We will not have any more to share at this time." The weakness can be exploited by man-in-the-middle attackers who trick the browser into making SSL sessions with malicious servers rather than the legitimate servers users intend to connect to. Current versions of Safari for Mac, Firefox and Opera address the problem, which is linked to how browsers read the X.509 certificates that are used to authenticate machines involved in setting up SSL/TLS sessions. In July two separate talks presented by researchers Dan Kaminsky and Moxie Marlinspike at the Black Hat conference warned about how the vulnerability could be exploited using what they call null-prefix attacks. The attacks involve getting certificate authorities to sign certificates for domain names that the attacker legitimately holds, and making vulnerable browsers interpret those certificates as being authorized for a different domain-name holder.

In many X.509 implementations the certificate authority will sign certificates for any request from the hacker.com root domain, regardless of any sub-domain prefixes that might be appended. For instance, someone might register www.hacker.com. In that case, the authority would sign a certificate for bestbank.hacker.com, ignoring the sub-domain bestbank and signing based on the root domain hacker.com, Marlinspike says. At the same time, browsers with the flaw he describes read X.509 certificate names only until they reach a null character (a zero byte, written \0). If such a browser reads bestbank.com\0hacker.com, it would stop reading at the null and interpret the certificate as authenticating the root domain bestbank.com, the researcher says. Browsers without the flaw read the whole name, correctly identify the root domain and accept or reject the certificate based on it. An attacker could exploit the weakness by setting up a man-in-the-middle attack and intercepting requests from vulnerable browsers to set up SSL connections.

If the attacking server picks off a request to bestbank.com, it could respond with a CA-signed X.509 certificate for bestbank.com\0hacker.com. The vulnerable browser would interpret the certificate as being authorized for bestbank.com and set up a secure session with the attacking server. The user who has requested a session with bestbank would naturally assume the connection established was to bestbank. Once the link is made, the malicious server can ask for passwords and user identifications that the attackers can exploit to break into users' bestbank accounts and manipulate funds, for example, Marlinspike says. In some cases attackers can create what Marlinspike calls wildcard certificates that will authenticate any domain name. These certificates use an asterisk as the sub-domain, followed by a null character, followed by a registered root domain.

A vulnerable browser that initiated an SSL session with bestbank.com would interpret a certificate marked *\0hacker.com as coming from bestbank.com because it would automatically accept the * as legitimate for any domain. Such a wildcard will match any domain, he says. This is due to "an idiosyncrasy in the way Network Security Services (NSS) matches wildcards," Marlinspike says in a paper detailing the attack. The differences between what users see on their screens when they hit the site they are aiming for and when they hit an attacker's mock site can be subtle. A Microsoft spokesperson says Internet Explorer 8 highlights domains to make them more visually obvious, printing them in black while the rest of the URL is gray. "Internet Explorer 8's improved address bar helps users more easily ensure that they provide personal information only to sites they trust," the spokesperson said in an e-mail.

The URLs in the browser would reveal that the wrong site has been reached, but many users don't check for that, Marlinspike says. Marlinspike says the null character vulnerability is not limited to browsers. "[P]lenty of non-Web browsers are also vulnerable. Outlook, for example, uses SSL to protect your login/password when communicating over SMTP and POP3/IMAP. There are probably countless other Windows-based SSL VPNs, chat clients, etc. that are all vulnerable as well," he said in an e-mail.
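The two parsing behaviours the article describes can be shown side by side. The Python below is an added example, not code from the article, from Marlinspike's paper or from any browser: one function emulates a C-string-style reader that stops at the first null byte, and the hardened functions treat the certificate name as length-delimited, reject any embedded null outright, and honour an asterisk only when it is the whole leftmost label and matches exactly one label. The names bestbank.com and hacker.com are the article's own illustration; the function names are this example's.

```python
"""Hostname checks for the null-prefix certificate problem described above.
Added example: the function names are this example's own, not NSS or IE APIs."""
from __future__ import annotations


def cstring_name(raw: bytes) -> str:
    # Emulates the flawed parser: a C-style string reader stops at the first
    # 0x00, so b"bestbank.com\x00hacker.com" reads as "bestbank.com".
    return raw.split(b"\x00", 1)[0].decode("ascii", errors="replace")


def safe_name(raw: bytes) -> str:
    # Hardened: the name field is length-delimited (ASN.1), and a zero byte is
    # never legal in a DNS name, so an embedded null fails the whole name.
    if b"\x00" in raw:
        raise ValueError("embedded null byte in certificate name")
    return raw.decode("ascii")


def _labels(name: str) -> list[str]:
    # Case-insensitive, trailing dot tolerated ("BestBank.com." == "bestbank.com").
    return name.lower().rstrip(".").split(".")


def hostname_matches(pattern: str, host: str) -> bool:
    """Strict matching in the spirit of RFC 6125: an asterisk is honoured only
    when it is the entire leftmost label, it matches exactly one non-empty
    label, and at least two literal labels must follow it (so a bare "*" and
    "*.com" are refused)."""
    if "*" in host:
        return False                      # a requested host never contains '*'
    p, h = _labels(pattern), _labels(host)
    if "" in p or "" in h:
        return False                      # empty label: malformed name
    if "*" not in pattern:
        return p == h                     # no wildcard: exact label-by-label match
    if p[0] != "*" or len(p) < 3 or any("*" in label for label in p[1:]):
        return False                      # '*' only as the whole leftmost label
    return len(h) == len(p) and h[1:] == p[1:]


def verify_presented_name(raw: bytes, requested_host: str) -> bool:
    """True only if the raw certificate name is well formed AND matches the host
    the user asked for; any embedded null is treated as a mismatch."""
    try:
        pattern = safe_name(raw)
    except ValueError:
        return False
    return hostname_matches(pattern, requested_host)


if __name__ == "__main__":
    # Constructed sample names built from the article's own illustration.
    for raw in (b"bestbank.com", b"bestbank.com\x00hacker.com", b"*\x00hacker.com"):
        print(raw, "flawed reader sees:", cstring_name(raw),
              "| hardened match for bestbank.com:", verify_presented_name(raw, "bestbank.com"))
```

Run stand-alone, the script shows that the flawed reader turns both crafted names into something a browser would accept for bestbank.com, while the hardened check refuses them; the wildcard rule is deliberately stricter than some historical implementations, which is the behaviour the quoted NSS "idiosyncrasy" lacked.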

IPv6: Not a Security Panacea

With only 10% of reserved IPv4 blocks remaining, the time to migrate to IPv6 will soon be upon us, yet the majority of stakeholders have yet to grasp the true security implications of this next generation protocol. While IPv6 provides enhancements like encryption, it was never designed to natively replace security at the IP layer. Many simply have deemed it an IP security savior without due consideration for its shortcomings.

The old notion that anything encrypted is secure doesn't stand much ground in today's Internet, considering the pace and sophistication with which encryption is cracked. For example, at the last Black Hat conference hacker Moxie Marlinspike revealed vulnerabilities that break SSL encryption and allow one to intercept traffic with a null-termination certificate. Unfortunately, IPsec, the IPv6 encryption standard, is viewed as the answer for all things encryption. But it should be noted that IPsec "support" is mandatory in IPv6 while its usage is optional (reference RFC 4301); that there is a tremendous lack of IPsec traffic in the current IPv4 space due to scalability, interoperability and transport issues, and this will carry into the IPv6 space, where the adoption of IPsec will be minimal; and that IPsec's ability to support multiple encryption algorithms greatly increases the complexity of deploying it, a fact that is often overlooked.

Many organizations believe that not deploying IPv6 shields them from IPv6 security vulnerabilities. This is far from the truth and a major misconception. For starters, most new operating systems are being shipped with IPv6 enabled by default (a simple TCP/IP configuration check should reveal this). The likelihood that rogue IPv6 traffic is running on your network (from the desktop to the core) is increasingly high, and IPv4-based security appliances and network monitoring tools are not able to inspect or block IPv6-based traffic. The ability to tunnel IPv6 traffic over an IPv4 network using brokers without natively migrating to IPv6 is a great feature. However, this same feature allows hackers to set up rogue IPv6 tunnels on non-IPv6-aware networks and carry out malicious attacks at will. Which begs the question: why are so many users routing data across unknown and non-trusted IPv6 tunnel brokers?

IPv6 tunneling should never be used for any sensitive traffic. By enabling the tunneling feature on the client (e.g. 6to4 on Mac, Teredo on Windows), you are exposing your network to open, non-authenticated, unencrypted, non-registered and remote worldwide IPv6 gateways. Whether it's patient data that traverses a healthcare WAN or government connectivity to an IPv6 Internet, tunneling should be avoided at all costs. The rate at which users are experimenting with this feature and consequently exposing their networks to malicious gateways is alarming. The advanced network discovery feature of IPv6 allows network administrators to select the paths they can use to route packets. In theory, this is a great enhancement; however, from a security perspective it becomes a problem. In the event that a local IPv6 network is compromised, this feature will allow the attacker to trace and reach remote networks with little to no effort. Is your security-conscious head spinning yet?

So where are the vendors that are supposed to protect us against these types of security flaws? The answer is, not very far along. Since there are no urgent mandates to migrate to IPv6, most are developing interoperability and compliance at the industry's pace. Like most of the industry, the vendors are still playing catch-up.
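The tunneling concern above (6to4, Teredo and untrusted tunnel brokers running on a network that only inspects IPv4) can be turned into a concrete check. The Python below is an added example, not code from the article or from any vendor product: it classifies flow records by the signatures that IPv6-over-IPv4 tunnels leave in outer IPv4 headers (IP protocol 41 for 6to4/6in4 encapsulation, UDP port 3544 for Teredo, the 6to4 relay anycast address 192.88.99.1) and, in native IPv6 records, by the well-known tunnel prefixes (2002::/16 for 6to4, 2001::/32 for Teredo). The Flow record shape and the sample flows are constructed for the example; the addresses come from the documentation ranges.

```python
"""Spot IPv6 tunnel traffic (6to4, 6in4, Teredo) in flow records.
Added example: the Flow record shape and SAMPLE_FLOWS are constructed."""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

PROTO_UDP = 17
PROTO_IPV6_ENCAP = 41          # IANA protocol 41: IPv6 carried inside IPv4 (6to4, 6in4)
TEREDO_UDP_PORT = 3544         # Teredo server/relay UDP port (RFC 4380)
SIXTO4_RELAY_ANYCAST = ipaddress.ip_address("192.88.99.1")  # RFC 3068 6to4 relay anycast
SIXTO4_PREFIX = ipaddress.ip_network("2002::/16")            # RFC 3056 6to4 addresses
TEREDO_PREFIX = ipaddress.ip_network("2001::/32")            # RFC 4380 Teredo addresses


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: int
    dport: int = 0   # 0 when the protocol has no port (e.g. protocol 41)


def embedded_ipv4_of_6to4(addr: ipaddress.IPv6Address) -> ipaddress.IPv4Address:
    # A 6to4 address is 2002:WWXX:YYZZ::/48 where WW.XX.YY.ZZ is the IPv4
    # tunnel endpoint, so bytes 2..5 of the packed address name the inside host.
    return ipaddress.IPv4Address(addr.packed[2:6])


def classify_flow(flow: Flow) -> list[str]:
    """Return the tunnel indicators seen in one flow (empty list = nothing)."""
    src, dst = ipaddress.ip_address(flow.src), ipaddress.ip_address(flow.dst)
    findings: list[str] = []
    if src.version == 4 and dst.version == 4:
        # Outer IPv4 headers: what an IPv4-only sensor can still see.
        if flow.proto == PROTO_IPV6_ENCAP:
            findings.append("ipv6-in-ipv4 encapsulation (protocol 41)")
        if dst == SIXTO4_RELAY_ANYCAST:
            findings.append("6to4 relay anycast destination")
        if flow.proto == PROTO_UDP and flow.dport == TEREDO_UDP_PORT:
            findings.append("teredo (udp/3544)")
    else:
        # Native IPv6 records: a tunnel prefix reveals how the host got its address.
        for addr, role in ((src, "src"), (dst, "dst")):
            if addr.version != 6:
                continue
            if addr in SIXTO4_PREFIX:
                findings.append(f"6to4 {role} (inner host {embedded_ipv4_of_6to4(addr)})")
            elif addr in TEREDO_PREFIX:
                findings.append(f"teredo {role}")
    return findings


def scan_flows(flows: list[Flow]) -> dict[Flow, list[str]]:
    """Map each flow that carries at least one indicator to its findings."""
    report: dict[Flow, list[str]] = {}
    for flow in flows:
        hits = classify_flow(flow)
        if hits:
            report[flow] = hits
    return report


# Constructed sample flows (documentation ranges from RFC 5737 and RFC 3849).
SAMPLE_FLOWS = [
    Flow("192.0.2.10", "192.88.99.1", PROTO_IPV6_ENCAP),                # 6to4 via anycast relay
    Flow("192.0.2.11", "198.51.100.7", PROTO_UDP, TEREDO_UDP_PORT),     # Teredo setup
    Flow("192.0.2.12", "198.51.100.8", 6, 443),                         # ordinary HTTPS
    Flow("2002:c000:20a::1", "2001:db8::1", 6, 80),                     # 6to4 host 192.0.2.10
    Flow("2001:0:4136:e378:8000:63bf:3fff:fdd2", "2001:db8::2", 6, 80), # Teredo host
]

if __name__ == "__main__":
    for flow, hits in scan_flows(SAMPLE_FLOWS).items():
        print(f"{flow.src} -> {flow.dst}: {', '.join(hits)}")
```

The protocol-41 and udp/3544 rules are the ones worth wiring into an IPv4-only firewall or flow collector first, since they catch the tunnel at the border before any IPv6 payload needs to be parsed; the prefix rules apply once native IPv6 records are available and tell you which internal IPv4 host stood up the 6to4 tunnel.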

So the question becomes: will the delay in IPv6 adoption give the hacker community a major advantage over industry? Absolutely! As we gradually migrate to IPv6, the lack of interoperability and support at the application and appliance levels will expose loopholes. This will create a chaotic and reactive circle of patching, on-the-go updates and application revamps to combat attacks. There is more to IPv6 than just larger IP blocks. Regardless of your expertise in IPv4, treat your migration to IPv6 with the utmost sensitivity.

The learning curve for IPv6 is extensive. Many of the fundamental network principles like routing, DNS, QoS, multicast and IP addressing will have to be revisited. People can't be patched as easily as Windows applications, thus staff training should start very early. Reliance on given IPv4 security features like spam control and DoS (denial of service) protection will be minimal in the IPv6 space as the Internet 'learns' and 'adjusts' to the newly allocated IP structure. It's essential that your network security posture is of the utmost priority in the migration to IPv6. Stakeholders should take into account the many security challenges associated with IPv6 before deeming it a cure-all security solution.

Jaghori is the Chief Network & Security Architect at L-3 Communications EITS. He is a Cisco Internetwork Expert, Adjunct Professor and industry SME in IPv6, Ethical Hacking, Cloud Security and Linux. Jaghori is presently authoring an IPv6 textbook and is actively involved with next generation initiatives at the IEEE, IETF, and NIST. Contact him at ciscoworkz@gmail.com.

Analyst: AT&T likely to keep iPhone exclusive deal

Despite widespread speculation that Apple Inc. will open the iPhone exclusive arrangement with AT&T Inc. to include Verizon Wireless after 2010, one analyst firm is predicting that AT&T's exclusive deal as the wireless carrier will be extended beyond then. In a report, iSuppli Corp. said that its main reason for expecting an exclusive extension is based on its analysis of a growth in usage of a faster wireless standard at AT&T known as High Speed Packet Access (HSPA). The global growth in HSPA usage will far outstrip growth in usage of EVDO (Evolution Data Optimized), a different standard used by Verizon, iSuppli said. "Speculation is rife that Apple will end its exclusive U.S. iPhone service deal with AT&T when the current contract expires in June 2010, and begin to offer phones that work with the Verizon network," said Francis Dieco, an iSuppli analyst, in a statement. "However, iSuppli doesn't believe this will be the case. The main reason Apple is likely to stick with AT&T beyond 2010 is the relatively wide usage and growth expected for the HSPA air standard used by the carrier for 3G data." It appears iSuppli reached its conclusions without any direct knowledge of what Apple will do regarding the exclusive deal. AT&T and Apple have been mum on the issue for months, and were again today.

Many analysts have speculated that Apple would want to work with more than a single carrier in the U.S. just to expand the opportunities to sell the iPhone. Gartner Inc. analyst Ken Dulaney agreed that AT&T will "definitely extend their deal" for exclusive sales of the iPhone. "AT&T would be crazy not to sell iPhone," he said in an e-mail, but added that Apple will also support Verizon, possibly with a different type of unit. "If you are beholden to stockholders to make money, there is no easier money than in your home turf through a carrier desperate for this type of device," Dulaney added. Today, Jack Gold, an analyst at J. Gold Associates, said that Apple would more likely want to open the exclusive deal to both AT&T and Verizon, the two largest carriers in the U.S. Gold said he didn't agree with iSuppli's conclusions, primarily because there isn't that much incentive for Apple to stay with AT&T "unless AT&T throws a lot of money at Apple." Gold rejected the analysis of growth in HSPA as a sufficient rationale to stay with AT&T, partly because adherence to a wireless standard doesn't fully determine how data throughput occurs. A major factor in what a user experiences is the number of users on a single cell tower, and how many towers are located in dense areas, he noted. Many AT&T customers using the iPhone have been outraged about service interruptions and slow downloads, which may occur because a tower might not be nearby due to buildings or terrain, Gold and others have noted. "Raw speed with a wireless standard doesn't mean anything," Gold added. "It's important to realize, when three people are on a tower, that's no big deal, but when you have 300 people on a tower in downtown Boston or downtown L.A., that's huge." The analysis from iSuppli predicts that Verizon might get Apple products to sell other than the iPhone. Dieco based that prediction on his finding that there's no information indicating that Apple is prohibited from pursuing a relationship with Verizon for non-iPhone products, such as another phone model, tablet computer, netbook or an enhanced iTouch.

Part of the reason iSuppli relied on the growth projections for HSPA versus EVDO to make its prediction is that HSPA growth globally will be so much bigger. In 2009, there were 269 million HSPA subscribers globally, a number expected to soar to 1.4 billion in 2012. For EVDO, there were 145 million subscribers globally in 2009, a number expected to reach 304 million in 2013. Verizon has undertaken a program to move to faster LTE wireless in the 2011 to 2013 timeframe, and some analysts have assumed future iPhones could work over LTE, assuming Apple strikes an agreement with Verizon.

India schedules 3G license auction for December

India's auction of 3G and WiMax licenses is now scheduled to be held in December, according to a notice on the Web site of the country's Department of Telecommunications. Bidding for 3G licenses will start Dec 7, with the WiMax auction scheduled to start two days after the 3G auction is complete, according to the notice. The auction was originally scheduled for January of this year, but was postponed after disagreement within the government on the minimum cost of the licenses.

Both Indian and foreign companies are allowed to bid for the licenses, but foreign companies will have to set up joint ventures with Indian investors to run services in the country. The Ministry of Communications will license four slots for 3G in each of India's 22 service areas, with a fifth slot reserved for two government-run telecommunications companies. A group of ministers, set up to resolve the dispute over pricing the licenses, has named Indian rupees 250 billion (US$5 billion) as the minimum revenue from the auction of the 3G and WiMax licenses in the country, India's Minister of Communications, A. Raja said last month. A telecommunications company bidding for 3G licenses in all 22 circles will have to pay at least Indian rupees 35 billion, according to the new minimum pricing proposed by the Indian government. Two companies, Bharat Sanchar Nigam Ltd. and Mahanagar Telephone Nigam Ltd., were allotted 3G spectrum ahead of the auction, and have started offering services.

By the pricing announced last year, they would have to pay about rupees 20 billion. The government said last year that these companies would have to pay license fees equal to the highest bid in each service area. The final date for applications from bidders is Nov 13.

Gonzalez pleads guilty to TJX, other data heists

The man described by federal authorities as the mastermind of the massive data thefts at TJX Companies Inc., Heartland Payment Systems and other retailers today pleaded guilty to charges in a 19-count indictment that include conspiracy, wire fraud and aggravated identity theft. Albert Gonzalez, 28, of Miami, also pleaded guilty to one count of conspiracy to commit wire fraud related to a data theft at the Dave & Buster's restaurant chain. That case was being prosecuted separately in New York but was merged with the case in Boston under a plea agreement negotiated with prosecutors a few days ago. Gonzalez is scheduled to be sentenced Dec. 8 by U.S. District Court Judge Patti Saris in Boston.

Under the plea agreement, Gonzalez will serve between 15 and 25 years for both cases and will be fined as much as $250,000 for each of the charges. He faces a maximum of 25 years in prison for the charges in Boston and 20 years for the case in New York. Gonzalez will also forfeit more than $2.7 million in cash as well as multiple pieces of real estate and personal property, including a condominium in Miami, a BMW and several Rolex watches that he is alleged to have acquired through his ill-gotten gains. Gonzalez was arrested in Miami in 2008 along with 10 other individuals on charges relating to the thefts at TJX, Dave & Busters, BJ's Wholesale Club, OfficeMax, Boston Market, Barnes & Noble, Sports Authority, Forever 21 and DSW. In August, federal authorities in New Jersey indicted Gonzalez on charges involving breaches at Heartland Payment Systems, Hannaford, 7-Eleven Inc. and two other unnamed retailers. About $1 million of the money being forfeited was recovered from a container buried in Gonzalez' back yard, according to a statement released today by the U.S. Department of Justice.

Prosecutors alleged that Gonzalez, along with two unnamed Russian conspirators, stole more than 130 million credit and debit cards from the five retailers. It is not clear whether Gonzalez was the leader of a worldwide criminal gang or merely acting at the behest of powerful crime gangs based in Russia and Eastern Europe. Today's plea brings to an end, for the moment, the career of a hacker who federal authorities say has been the mastermind of the biggest data thefts in U.S. history. But his actions, which his lawyer has claimed stemmed from a computer addiction, have caused millions of dollars in losses to his victims. In addition, some of the companies that were Gonzalez's victims have had to pay fines to Visa and the other card brands for being noncompliant with the credit card industry's Payment Card Industry Data Security Standard and to spend more money to revamp their security controls.

TJX has publicly estimated that costs to the company from the data breach will touch $200 million. Heartland has already spent or set aside more than $12 million and is facing numerous lawsuits from affected institutions.

Larry Augustin: Open source fueling enterprise software shift

Open source is giving a mighty boost to the enterprise software industry, changing the support equation for users and signaling to Microsoft and other proprietary vendors that it's time to catch on or be left out, according to Larry Augustin, an open source visionary and the current SugarCRM CEO.

Augustin, who took over SugarCRM about three months ago, built his reputation on his early work in the open source community and during a stint as a venture capitalist. He thinks the maturing software industry is showing signs of changes that will redefine the customer/vendor relationship, alter current business and distribution models, and eventually fuel cloud computing.

"It wasn't long ago that software was this mysterious magical stuff," says Augustin, who is credited with helping coin the term "open source."

"Now people understand software and they understand that many applications have matured. I think we'll see over time the software industry reach a point where it is not proprietary vs. open source, but the shade of how much control you want, how much do you want to do yourself, and how much do you want the vendor to do," Augustin says.

Those control issues, fostered by having source code for applications, will help balance the customer/vendor relationship, Augustin says. In essence, users won't get locked into applications that vendors no longer push forward even while they continue to collect support fees.

All those factors, Augustin says, put pressure on vendors such as Microsoft and others to consider their future business models.

"Over time you will see Microsoft adopt more open source principles as they strive to continue to make Windows relevant," he says. "They have put a toe in the water with their Shared Source program. I don't think it gets them there, but you can see them thinking about it."

Augustin's SugarCRM has built a relationship with Microsoft that began in 2006 with an interoperability deal on the back of a license that is part of Microsoft's Shared Source Initiative, a program through which Microsoft shares source code with customers, partners and governments worldwide.

Microsoft's recent actions also back up Augustin's words. Over the past year or so, Microsoft has donated code to PHP, offered support to the Apache Foundation, and just last month made its first code submission to the Linux kernel (even though it happened under a cloud of duress). Augustin says these moves show signs that the software industry has matured.

"It is why you see so many open source applications and why Microsoft is really struggling," he says. "They are in a mature market now and trying to figure out how to make changes. IBM went through similar change in the 1990s and almost went out of business."

Augustin says Microsoft has to figure out how to emerge in an industry where the company cannot simply define things on its own. Customers want more flexibility and openness because they have that understanding of software, he says.

One big influence on changes currently taking place, Augustin says, was brought to light during his 2002-2004 tenure as a venture capitalist at Azure Capital Partners. He says it is clear that a shift in software distribution models gave open source a lift.

"There was this recent period in time where it was difficult to get an enterprise software company funded," he says. "The problem was not that people weren't creating interesting new technology, the problem was that it was hard to distribute and sell. All the money would go into sales and marketing."

But enterprise software is back, he says, "and the reason why is open source. It has given people a way to get their software out there and get it distributed and make its way into companies at a fraction of the cost that it used to take to sell and market enterprise software."

Successful open source companies such as MySQL (now owned by Sun/Oracle), Red Hat, SpringSource and Hyperic (both now owned by VMware) started life as venture funded companies, he notes.

Augustin is now eyeing a revolution in cloud computing that is borrowing some of open source's principles. He says cloud computing introduces an element of flexibility that the original application service providers (ASPs) and pure hosted applications could not offer.

"Now customers may make different decisions on levels of service they want out of an application and apply that where it makes sense for them," he says.

With SugarCRM today, users have a back-end database they can move from internal clouds, to external clouds, to hosting environments.

"It's all the same database and all you have to do is move it between providers, onto your own internal provider infrastructure or out to the cloud," he says.

Augustin says the goal is to provide a one-touch or instant ability to move the database, a process that would eliminate manual steps.

"You can imagine that you could run [the database] on internal IT infrastructure and have a provider with a warm standby or vice versa depending on what makes sense for the end user," he says.

Augustin says cloud computing is getting to the point where infrastructure is going to become commoditized, which will enable even more flexibility and choice for running applications.

"As a CRM vendor I would rather invest in the software than the infrastructure," he says.

Follow John on Twitter: twitter.com/johnfontana

Low-tech Internet scams net big money

Domino's Pizza lost about $77,000 in free pizza due to a weak password on an online promotion that wasn't supposed to go live - a type of security problem that is all too common, according to a presentation slated for the Black Hat USA conference this week.

A hacker guessed a promotional coupon code that authorized a free medium one-topping pizza and publicized the code, which got used about 11,000 times in 48 hours, according to Jeremiah Grossman, founder and CTO of White Hat Security, who will deliver the talk.

Patrons ordering pizza online would put in their order then enter the code, essentially a password, into the "coupon" field on the site, he says.

The Domino's incident is one of about a dozen examples of how people can make money - not necessarily legally - off the Internet that Grossman will discuss in his briefing, called "Mo' Money Mo' Problems: Making A LOT More Money on the Web the Black Hat Way".

The person who guessed the Domino's password - BAILOUT - was never caught, Grossman says, and the promotion had been set up in the chain's system without getting the go-ahead. Many businesses authorize their marketing departments to set up such promotions without advice from their network security teams, so the promotions often lack anti-brute-force protections and lockouts, he says.

In another malicious guessing game, a man charged with scamming Apple out of 9,000 iPod Shuffles did so in part by guessing at legitimate Shuffle serial numbers, Grossman says.

He set up a phony Web business called iPod Mechanic that supposedly took in broken iPods and returned them for new ones under Apple's advanced replacement program. Apple required a legitimate iPod serial number and a credit card number to bill if Apple didn't receive the broken device, Grossman says.

The man used credit card numbers from Visa gift cards to satisfy pre-authentication for the replacement service, and, starting from the known serial numbers of actual iPod Shuffles, he guessed at others. When the new iPods arrived, he sold them on eBay for $49 each, Grossman says.

The scammer was caught because Apple's trademark protection people flagged the unauthorized use of iPod in the business' name, iPod Mechanic. Police found $571,000 in cash at the perpetrator's house, Grossman says.

He will also discuss how a British builder located lead-tile roofs in London via Google Earth, then scaled the buildings - mostly museums and historic buildings - to steal the tiles. Police estimate that he made off with about $1.64 million in lead during his spree.

Grossman says he plans to talk about a scheme that netted perpetrators a nine-figure payday as well as the Gmail attack that compromised Twitter business plans. His talk is a follow-up to last year's talk, "Get rich or die trying, making money on the Web the black hat way."

Third State Department snooper sentenced

A former employee of the U.S. Department of State who pleaded guilty to improperly accessing electronic passport records belonging to more than 50 high-profile individuals was sentenced today to one year of probation.

Gerald Lueders, 65, of Woodbridge, Va., who worked as a foreign service officer at the State Department and later as a recruitment coordinator for the agency, was also ordered by U.S. Magistrate Judge Alan Kay in Washington D.C. to pay a $5,000 fine.

In January, Lueders admitted that between July 2005 and Feb. 2008 he had logged onto the State Department's Passport Information Electronic Records System (PIERS) database and viewed passport applications of several celebrities, athletes, media personnel, family members and others out of "idle curiosity."

Lueders is the third department employee to be sentenced for snooping on the passport records of dozens of high-profile individuals, including then-Senator Barack Obama and others.

Lawrence Yontz, also a former foreign service officer and intelligence analyst, pleaded guilty to illegally accessing more than 200 passport records last September, and was sentenced in December to one year probation and 50 hours of community service.

In March of this year, Dwayne Cross, a former administrative assistant and contract specialist at the department, was sentenced to 12 months of probation and 100 hours of community service after pleading guilty to improperly accessing about 150 electronic passport records. The snooping case came to light in March 2008, when the State Department disclosed that three contract employees had accessed passport records belonging to certain individuals without any valid reason for doing so.

At that time, the State Department had disclosed that the individuals whose identities had been improperly accessed included Senators Obama, John McCain and Hillary Clinton.

The department had described the individuals who accessed their records as being motivated by "imprudent curiosity." Though their illegal access was repeatedly flagged by an in-house computer system designed to catch such violations, supervisors downplayed the alerts. Two contract workers were later fired, while the third worker was disciplined but allowed to continue to work for the department.

The incident attracted considerable attention, with Obama calling it an "outrageous" privacy violation at the time.

Passport records contain information that is submitted by an individual when filling out an application form and can include details such as date and place of birth, physical attributes, naturalization details, family status and occupation and details from background checks.

The PIERS database in which the data is stored is a classified system with access limited strictly to government duties.

The State Department snooping incident is not the only example of insiders abusing their rights. Earlier this year, a Kaiser Permanente hospital near Los Angeles fired 15 employees and reprimanded eight others for improperly accessing the personal medical records of Nadya Suleman, the California woman who gave birth to octuplets in January.

In April 2008, the medical center at the University of California, Los Angeles, disclosed that as many as 165 doctors and other employees had improperly accessed the medical records of numerous celebrities, including Tom Cruise, Farah Fawcett and Britney Spears, over a period of as many as 13 years.

DRAM's inventor, 76, still going strong at IBM

Dennard's Law? It doesn't have quite the ring of Moore's Law, mostly because IBM researcher Robert H. Dennard remains unknown to the general public.

The research community, however, knows all about two significant contributions made by the 76-year-old scientist.

In the late 1960s, Dennard invented Dynamic Random Access Memory, or DRAM, the memory used in virtually all computers today.

Dennard followed in the mid-1970s with a groundbreaking paper describing how to keep shrinking transistors to build smaller, faster and less expensive chips.

Dennard's "scaling theory" (PDF document) is often ascribed to Moore's Law, when, as Dennard modestly puts it, "scaling and Moore's Law go very well together."

For those achievements, Dennard, who celebrated his 51st year as an IBM employee this week, will receive a Medal of Honor from the Institute of Electrical Engineers next Thursday.

Fittingly, Dennard will get his Medal from IEEE one year after Intel's Gordon Moore did.

Without the invention of DRAM, computer memory might be the technology laggard that hard-disk drives and laptop batteries remain today.

As Dennard recalls it, the dominant memory used in IBM's mainframe computers of the late 1960s was magnetic core memory. Co-invented by An Wang (later co-founder of workstation pioneer Wang Laboratories), magnetic core memory used small loops of wire to store bits of data.

Magnetic-core memory "was delicate like jewelry," Dennard said. "They were these teeny little things, almost like cheerios, but made out of ferrite [iron-based] material."

Not only was magnetic-core memory fragile, but it was expensive and slow. But it had one great advantage: It was non-volatile, meaning that you didn't need to send electric current to maintain the data.

DRAM, by contrast, seemed tricky and complicated. All of the prototypes other researchers had built up to that time were memory chips that involved multiple transistors, which made designs more complicated and expensive.

To solve this issue, some researchers were testing the use of bipolar junction transistors. But Dennard preferred metal-oxide-semiconductor field-effect transistors, or MOSFETs, even though, he admits, "MOS was definitely less advanced and more problematical. There were some basic problems to be solved to make it manufacturable. But I still considered it more promising."

Dennard was eventually able to create a memory cell that was able to store a charge (representing a bit of data) and keep it continually refreshed, all in a simple single-transistor package. Dennard patented his invention in 1968. But multi-transistor DRAM continued to reign, both at IBM, then a major memory maker, and others.

It wasn't until the mid-1970s that the first single-transistor DRAM appeared. And the market never looked back.

Today, gamers and PC performance addicts can buy gigabytes of DDR3-1600 DRAM with a peak transfer speed of 12800 Megabytes/second (12.8 Gigabytes/second) for less than $100.

At 76, Dennard doesn't play many shoot-em-up videogames, or overclock many PCs. So he doesn't fully reap the fruits of his innovations.

"I have a seven-year-old PC in my office. Truthfully, I'm not a big computer user," he said, adding that if IBM still issued patent notebooks to its researchers for recording their ideas, he would.

"This was what I was taught at Carnegie Mellon. It was a very efficient way to work," he said.

Interest in DRAM has cooled, giving way to alternatives such as flash memory, used in solid-state disks (SSDs) and touted as an ultra-fast, albeit still thorny, replacement for hard-disk drives.

"Flash? Well, I've got a lot of it in my digital camera," Dennard joked. More seriously, Dennard concedes that "a lot of people are hopeful that flash memory can play more of a role in basic computing as well."

What about other non-silicon forms of memory, such as holographic storage?

"Optical computing has been a Holy Grail for a long time, but it's never broken through," he said. "I'm not sure what people are most hopeful about today."

His prediction: "Miniaturized CMOS technology will keep reaching a high level of performance," Dennard said. "People are still working on improving it. It's what's being manufactured today, so it will be very hard to replace."

Amazon.com to ship Kindle DX ahead of schedule

Amazon.com's new large-screen Kindle DX e-reader will ship earlier than expected, the company said Monday.

Amazon will begin shipping the product to customers on June 10, earlier than the third-quarter release the company had planned.

Amazon unveiled the new e-reader and allowed customers to begin pre-ordering it on May 6. The product, a follow-up to February's release of the Kindle 2, features a larger screen and more memory than either that product or its predecessor, the original Kindle released in November 2007. Kindle 2 also shipped slightly ahead of schedule.

The Kindle DX features a 9.7-inch screen, aimed at making it easier to read newspapers, textbooks, magazines and business documents. Other Kindle products have a 6-inch screen and were aimed mainly at reading paperback novels.

In addition to the regular online and retail sales channels, Amazon.com has worked out several distribution deals for its new devices, hoping to encourage customers to use them for their extended purpose.

The New York Times Company and Washington Post Company plan to launch pilots with Kindle DX this summer. The New York Times, The Boston Globe and The Washington Post will offer the Kindle DX at a reduced price to readers who live in areas where home-delivery is not available and who sign up for a long-term subscription to the Kindle edition of the newspapers.

In addition to the distribution deals with the newspapers, Arizona State University, Case Western Reserve University, Princeton University, Reed College and Darden School of Business at the University of Virginia will distribute hundreds of Kindle DX devices to students so that they can use them to read textbooks.

The Kindle DX costs US$489 versus $359 for other Kindle devices.