Domain: ebay.com
Stories and comments across the archive that link to ebay.com.
Stories · 193
-
eBay Will Now Price Match Amazon, Walmart and Others On Over 50,000 Items (techcrunch.com)
eBay announced today a new Price Match Guarantee for over 50,000 items across its site -- promising that it will have the best deal online, or it will match the lowest price of a competitor. While only select items are available for this offer, "the move is a significant effort on eBay's part to ensure that it doesn't lose customers to Amazon, Walmart and other online stores as the market consolidates behind the industry's major players," reports TechCrunch. From the report: In order to qualify, the item must be one of the new, unopened items sold daily through eBay Deals, for starters. Deals are eBay's selection of "trending" inventory across all its categories -- like consumer electronics, home & garden, and fashion. The deals are also generally offered at 20 percent to 90 percent off, and are sourced from over 900 of eBay's trusted sellers. These sellers include both smaller merchants looking to grow their customer base as well as major consumer brands. At any time, eBay says there are "tens of thousands" of items offered through the Deals site, with featured deals updating at least once per day, beginning at 8 AM PT. -
AT&T Shuts Down 2G Network, Ends Cellular Connectivity For Original iPhone (macrumors.com)
AT&T yesterday announced that its 2G wireless network was officially shut down on January 1, 2017. Since the network is no longer active, it means that, as the Verge points out, the original first-generation iPhone (also known as the iPhone 2G) will no longer receive cellular service from AT&T's network. If you still happen to use an iPhone 2G, it may be time to upgrade or list it on eBay. Mac Rumors reports: Few people appear to have been using the original iPhone as there were no complaints from iPhone owners two weeks ago when the network was shuttered, but going forward, customers who keep the device as part of a collection will only be able to use it on WiFi. Originally released in June of 2007 and discontinued in 2008, the first iPhone was made obsolete by Apple back in 2013, and it has not received software updates since the 2009 release of iPhone OS 3, later renamed iOS 3. According to AT&T, shutting down its 2G network frees up valuable spectrum for future network technologies, including 5G. AT&T says the spectrum will be repurposed for LTE. -
Ebay Shop Scrapes Thingiverse, Sells Designs In Violation of Creative Commons (all3dp.com)
He Who Has No Name writes: A little over a week ago, Thingiverse user Loubie posted Sad Face! to Thingiverse, protesting the use — without permission — of their designs and those of others by JustPrint3D, an Ebay seller marketing physical prints of the designs in question (over 2,000 by some counts). Despite a terse and legally shaky denial of any wrongdoing by JustPrint3D, there are obviously multiple violations of various iterations of the Creative Commons licenses (several forms of the CC license are options for Thingiverse uploaders to assign to their Things when uploading, and one is the default). Now MakerBot itself is wading into the uproar firmly on the side of its users, and has released a statement mentioning potential legal action. -
Rare Recalled NES Game Stadium Events On Ebay For $99,000
An anonymous reader writes Via Eurogamer comes news of possibly the rarest of all NES games selling on the auction site Ebay for a staggering 99,000 Dollars at this time, with 4 days left to go. The game in question, the 1987 NES game Stadium Events, was released then pulled only 2 days later. Stadium Events was released by Bandai as a test title for its Family Fun Fitness Control Mat — an early version of the technology now found in Dance Dance Revolution floor pads. But Nintendo acquired the technology for itself, just as the game was being released. The company ordered an immediate return of all copies so the game could be rebranded with Nintendo's version of the controller mat, now named as the NES Power Pad. -
Landfill Copies of Atari's 'E.T.' End Up On eBay
Nerval's Lobster writes "In the early 1980s, Atari made what seemed like a slam-dunk bet: a game based on E.T.: The Extra-Terrestrial, one of the most beloved (and highest-grossing) films of all time. The company was so sure it had a hit in the making, in fact, that it manufactured millions of E.T. game cartridges, which flooded store shelves just in time for holiday shopping in December 1982. The game sold well at the outset, but it didn't sell well enough: By early 1983, Atari still had 3.5 million unsold cartridges on its hands. Embarrassed by the failure, Atari dumped those cartridges into a city landfill in Alamogordo, New Mexico. In 2003, Canadian entertainment company Fuel Industries received permission from Alamogordo's town counsel to excavate the landfill for the long-lost cartridges. Now some of those cartridges have surfaced on eBay, selling for $50 and up; if you ever wanted to own a little slice of video-game history, now's your chance." (You might recall the news from earlier this year that some copies of E.T. had been found.) -
Ask Slashdot: Experiences With Free To Air Satellite TV?
Dishwasha (125561) writes "Just a few days ago I incidentally discovered a little known secret called free-to-air. Amazingly enough even in the depths of Slashdot, there appear to have been no postings or discussions about it. Just like over-the-air programming, there is free programming available via various satellite systems that only requires a one-time cost of getting a dish and receiver. Both Amazon and Ebay appear to have a plethora of hardware out there. I personally settled on the Geosatpro MicroHD system with a 90cm 26lbs light-weight dish (cue lots of comments about my describing 26 lbs as being light-weight) and I should be receiving that in just a few days. I'm curious, who else is using satellite FTA? What are your setups? Has anyone hacked on any of the DVR/PVR devices available? Besides greater access to international programming, what are your channel experiences?" -
Unpublished J. D. Salinger Stories Leaked On Bittorrent Site
192_kbps writes "Catcher in the Rye author J. D. Salinger wrote the short story The Ocean Full of Bowling Balls and left depository copies with a few academic libraries with the understanding that the work would not see mass distribution until the mid-21st century. The only authorized place to read the story is in a special reading room at Princeton where electronics are not allowed and a librarian continuously babysits the reader. A PDF of the story, as well as two other unpublished stories, appeared on private bittorrent site what.cd where a huge bounty had been placed for the work. Incredibly, the uploader (or someone connected to the uploader) bought an unauthorized copy on eBay for a pittance. The file, Three Stories, is making the bittorrent rounds but can also be read on mediafire." -
A Peek At Apple's Planned $5B HQ
theodp writes "The Mercury News has an exclusive sneak peek of Apple's planned headquarters in Cupertino, which Steve Jobs personally sought approval for in 2011. 'We found that rectangles or squares or long buildings or buildings with more than four stories would inhibit collaboration,' Apple CFO Peter Oppenheimer said, explaining the motivation behind the so-called Apple Ring. Nice, but if you wanted to hurt the feelings of the Design Gods at Apple, you could point out that, for all its $5 billion glory, what Apple calls 'the best office building ever' doesn't look all that different from an old-school $3.95 6250 BPI magnetic tape reel (still available on eBay, kids!)." -
Former Lockheed Skunkworks Engineer Auctioning a Prototype "Spy Rock"
ilikenwf writes "For a cool $10,000,000.00, the prototype of a surveillance rock full of spy gadgets could be yours! More importantly, server backups from the gentleman's time at Lockheed are included, being the real valuable in this auction, as it contains schematics and such. The seller seems to think that the current xBee radio products are actually based on his work with Lockheed. The proceeds will go towards legal action the seller is apparently taking against his former employer." This may be the most unusual eBay product description I've ever encountered, and one of the most interesting, too. -
Own the Controversy! Blackbird DDWFTTW Up For Auction!
Alsee writes "Center of flaming controversy across the Internet and here on Slashdot for claiming to travel 'Directly Downwind Faster Than The Wind, Powered Only By The Wind, Steady State' (DDWFTTW), the Blackbird is now up for auction on Ebay. It has been certified by the North American Land Sailing Association and Guinness World Records to have reached 2.8 times wind speed directly downwind and was subsequently modded to also achieve more than double windspeed directly upwind. It has been the subject of an MIT physics paper and was included as a model problem in the International Physics Olympiad, yet many still argue it would violate the laws of physics. Let the bidding (and debate) commence!" -
University of Chicago Receives Mystery Indiana Jones Package
First time accepted submitter VanGarrett writes "Someone at the University of Chicago went through a lot of trouble to baffle a few people, with an old timey package addressed to Indiana Jones. From the article: 'The package contained an incredibly detailed replica of "University of Chicago Professor" Abner Ravenwood's journal from Indiana Jones and the Raiders of the Lost Ark. It looks only sort of like this one, but almost exactly like this one, so much so that we thought it might have been the one that was for sale on Ebay had we not seen some telling inconsistencies in cover color and "Ex Libris" page (and distinct lack of sword). The book itself is a bit dusty, and the cover is teal fabric with a red velvet spine, with weathered inserts and many postcards/pictures of Marion Ravenwood (and some cool old replica money) included. It's clear that it is mostly, but not completely handmade, as although the included paper is weathered all of the "handwriting" and calligraphy lacks the telltale pressure marks of actual handwriting.'" -
Bennett's Whimsi-Geek Gift Guide For 2012
Frequent contributor Bennett Haselton writes this week with his favorite novelty science gift items for 2012. Levitation engines, puzzles, optical illusions brought to life, and all of the tips and tricks he's found for getting the products to work correctly. Decorative, whimsical, and not too expensive — except for the items that have earned it by being pretty amazing. Read on for the details, and be sure to mention other good possibilities (Just 14 shopping days left until Christmas) in the comments below.
You already know how to find all the latest iPad or iPhone accessories, or how to find all the licensed merchandise if your BFF is a fan of some specific franchise. The items in this list are things that most people wouldn't even think to look for, but that I thought seemed interesting once I found out that they existed.
I'm more of a science geek than a gadget geek, so this list is built around optical illusions, whimsy, conversation pieces that demonstrate some scientific principle, and a reasonable budget. (The "Swinging Sticks Kinetic Energy Sculpture" from ThinkGeek is a work of art, but at $225, the price is apparently set to extract as much as possible from all the people who have to have one after seeing it in Iron Man 2.)
Also, unless otherwise noted, I've actually tried everything listed here and verified that it actually works; there were some items that I really wanted to make work, but couldn't. The Double Sand Sculpture, for example, looks great (especially in colors other than that ugly orange), but in all three models that American Science & Surplus sent me — the original plus the two free replacements — air bubbles formed in the hourglasses after a few days, which blocked the sand grains from flowing through the apertures. I could also never get Educational Innovations' Color Changing Nail Polish to change color, even under a UV light. And I loved the look of the Tornado Fountain from Fascinations.com, but no matter how I calibrated it, the drain at the bottom made a squirting and scraping sound like the last dregs of water draining from a bathtub, which pretty much killed its potential as a "tranquil" conversation piece. (As far as I can tell, any tabletop water fountain that costs less than $100 is either too noisy or doesn't work, but I haven't given up looking.) Of course, if you can get any of those things to work, more power to you.
For most of these items I've included the tips and tricks that I've accumulated for getting the full effect out of the product, tips that in some cases would have saved me a lot of hassle if I'd known them when the product first arrived. So you get the full benefit of my impulsive early-September Christmas shopping.
Neither I nor Slashdot make any profit from these links (except some items are from ThinkGeek, which is a corporate cousin of Slashdot for a few more weeks — but I didn't know that when I was making this list, and besides, it's not like you can put together a geek gift guide without including some stuff from ThinkGeek anyway).
Here are some of the things I've found that look as cool in person as they do in their catalog photos, and actually work:
- - - - - - - - - - - - - - - - - - - -
Levitron Revolution
Made by Fascinations.com, $100 from Innovatoys.com.
I bought my first "Levitron"-branded product out of a Sky Mall catalog 15 years ago, assuming the picture of the levitating spinning top had to be a doctored photo, and half-set on proving that the product was a sham. I had spent enough time trying to levitate repelling magnets as a kid to conclude that it "couldn't be done," but I held out the faintest glimmer of hope that this might be the holy grail that I'd given up chasing about 10 years earlier. When the box arrived, I spent all evening and a sleepless night trying to get it working (the original product had to be calibrated and balanced very carefully, and you could waste a lot of time trying to make it work if the weights or alignments were slightly off), until just as the sun was coming up, I got the spinning top to levitate above the magnetic base for about four seconds before falling, and felt as if it had all been worth it. And the Levitron product line has come a long way since then, so you probably won't have to journey to the edge of your sanity to get this latest one working.
The Levitron Revolution is a levitation device which uses a base containing four computer-controlled magnets, and a magnetic disc that levitates about 1/2-inch above the base and can support a weight of up to 1 pound placed on top of it while continuing to levitate. It still takes a bit of practice to learn how to position the disc above the base to start the levitation, but the payoff is worth the effort. You can even rotate the base sideways and upside down, and the levitating disc will stay in the same position relative to the base while you turn it.
I used mine to levitate a crystal specimen that I got from a specialty gem store, which set me back about another $30, but I liked the way it glittered in the lights from the magnetic base. The rock was labeled "quartz / pyrite / sphalerite" at the store, and if you're looking for a similar rock to go with the Levitron Revolution, it looks like you can find one on Google Shopping for less than I paid for mine.
You can also use the Levitron Revolution for homemade illusions like levitating a cupcake in mid-air. (A Hostess dessert cup has a circular cavity on top to hold strawberries and whipped cream; turn it upside down and it fits perfectly over the Levitron disc. The book underneath the cupcake in the video was hollowed out to contain the magnetic base.)
Innovatoys sells several other Levitron products made by Fascinations, which all fall into two categories: those based on the classic Levitron design (which include any product showing the yellow-necked Levitron spinning top), and those based on the newer Levitron Revolution technology (everything else). I also have a Levitron CherryWood which is part of the "classic" lineup. The pros and cons of the two series are:
- The classic Levitron levitates the spinning top a full two inches above the base, which is much more visually impressive than the 1/2-inch that the magnetic disc floats above the base of the Levitron Revolution.
- The classic Levitron has to be hand-spun, however, and takes even more practice to operate than the Levitron Revolution.
- The classic Levitron has to be perfectly level for the top to float (the base comes with three adjustable legs to help you level it perfectly); the Levitron Revolution can be tilted and rotated, and the magnetic disc will continue to float in position relative to the base.
- The classic Levitron levitates in a very delicate equilibrium, with just the slightest touch being enough to push the floating top out of balance and make it fall, so it can't be used to support other objects (and the top is spinning so fast that you wouldn't be able to see anything attached to it anyway). The Levitron Revolution floating disc can be touched and objects can be placed on top of it without pushing it out of equilibrium.
- The classic Levitron requires no power to operate, but because the top has to keep spinning at a high rate for the gyroscopic force to keep it from flipping over, after about two minutes the air friction will slow down the top enough that it falls. The Levitron Revolution will levitate forever as long as the DC power supply is connected.
The Levitron invention itself has something of a contentious history (recounted here and here). Evidently, the physicist Ray Harrigan had patented a similar device a few years earlier and showed it to Bill Hones, who later got his own patent for a similar device and called it the "Levitron," but Hones was advised by his own lawyer that his own invention was sufficiently different from Harrigan's that he could market it without infringing Harrigan's patent or giving him credit or royalties. Apparently Harrigan was so disgusted and distrustful of his own lawyer that he never took the issue to court, so we'll never know what a judge would have thought. (The only issue which was ever litigated in court was over a former re-seller's use of the trademark "Levitron" — but that seems more straightforward, since the company that made up the word and trademarked it, owns it, completely separate from the merits of the invention that bears the name.) Some physicists have mixed feelings about the Levitron because of this, but it was apparently Harrigan's choice not to pursue the issue. (Besides, the new Levitron Revolution design uses nothing of Harrigan's idea, so some might feel that it's less "tainted".)
For cheaper levitation that takes no skill to operate, you can get the Diamagnetic Levitation Kit from Educational Innovations or search for pyrolytic graphite levitation on eBay — much less visually impressive though, with the graphite sheet levitating only 1 millimeter above the magnets.
Or for a more expensive conversation piece, the Levitron Lamp ($450 from InnovaToys or $400 from WorldToHome) levitates an entire lampshade above the base. I haven't tried that one out though.
- - - - - - - - - - - - - - - - - - - -
Levitating Picture Frames
Heart-shaped frame $25 from ZOpid; rectangular frame $70 from Hammacher Schlemmer.
Computer-controlled levitation operating on a similar principle to the Levitron Revolution products. The $25 ZOpid picture frame is currently hanging out in Amazon limbo with a solitary 1-star review from a customer whose model broke after 4 months. But I think they look fine, and I'm giving two of them as gifts and crossing my fingers that I'm not that unlucky. With both the ZOpid and the Hammacher Schlemmer frames, unfortunately, there's apparently no way to switch off the LED lights (short of turning off the whole model).
Protip: You can prepare these as gifts by using photos downloaded from a friend's Facebook profile, but Facebook reduces the quality of uploaded photos, so that if you print them out, the pixellation will be noticeable up close. If you want the photos to look the best, you need to print them from high-res originals.
- - - - - - - - - - - - - - - - - - - -
Hanayama Japanese Pocket Puzzles
$13 from ThinkGeek and other vendors; some puzzles available for slightly less on eBay.
Some disassembly puzzles are complete fails, either because there are so many separately moving pieces that you can't manipulate the puzzles in your hands at all (e.g. "Yin and Yang"), or the moving parts are hidden from view so you can only "solve" them by pure guesswork (e.g. the "Bolted Closed" puzzle). The Hanayama pocket puzzles actually get it right — you can see all the pieces and move them comfortably in your hands, so solving them is just a matter of figuring out the right sequence of moves.
These are basically grown-up versions of the twisted nail puzzles you might have grown up with (and which you could also get, of course, as much cheaper stocking stuffers). But the Hanayama ones look good as shelf knick-knacks as well.
Hanayama pocket puzzles come with no solution included, but you can download a solution by going to this page and submitting your email address to request a download link.
- - - - - - - - - - - - - - - - - - - -
LED Jellyfish Mood Lamp
$35 from ThinkGeek and other vendors; no cheaper alternatives on eBay
Works more or less as shown in the video, with one caveat: In both the first model that I tried, and the free replacement ThinkGeek sent me when I reported the problem, the transitions between the different colors were much more abrupt and jarring than the smooth "color fade" shown in the video. (For some reason, some color LEDs would switch from completely on to completely off at the same time that other LEDs would switch on.) Unfortunately this small problem completely breaks the "reverie" effect of staring at the jellyfish floating around in the water, so I just set mine to a single color without using the transition effect.
Protip: You have to use real distilled water like the instructions tell you. I tried to make it work with regular tap water, and bubbles kept forming around the jellyfish and causing them to float to the surface. Fill it with distilled water and the jellyfish should sink beneath the surface without too much trouble.
Note, Fascinations has come out with a similar product, again sold on Innovatoys.com; I haven't tried that one, so it might be better (might actually get the color transition right), or it might not. Discovery Kids also makes a similar product which I haven't seen and which has been pulling pretty bad reviews on Amazon.
- - - - - - - - - - - - - - - - - - - -
Vino Vault and Cryptex Puzzle Pod
$30 and $22 from 4Thought Products LLC
The Puzzle Pod is a gift container that can only be opened by arranging the 5 rings to spell out a 5-letter password. It arrives pre-configured with the keyword "GRAPE"; once opened, you can re-configure the Pod with a new 5-letter secret word, seal a gift inside, and gift it to a recipient who has to find the secret word to open the puzzle and retrieve the gift. (It's re-usable, and you can set a different 5-letter "password" every time.) The Vino Vault is a larger version of the Puzzle Pod that can hold a bottle of wine.
I've only sampled the Puzzle Pod, so I can just vouch for the fact that it works exactly as described and doesn't get stuck or break easily. When you line up the letters of the secret word correctly, it actually slides smoothly open like it's supposed to.
- - - - - - - - - - - - - - - - - - - -
Ambiguous Vase
$33 from Grand Illusions Ltd (ships from the UK)
This is a real-life version of the Rubin vase optical illusion. For years, Grand Illusions sold only a ceramic version for about $400 (plus another $200 to ship to the U.S.), but in November 2012 they released the $33 plastic version. It can also be used as a real vase (as long as you don't mind the barrier running down the center that divides the two halves).
- - - - - - - - - - - - - - - - - - - -
Steam Powered Top
$14 from Grand Illusions (ships from the UK)
The world's simplest steam engine, made from a tube of copper pushed through a piece of cork, as shown in the demo video. Wikipedia explains the principle here — when the water in the copper tube is heated by the candle flame and boils, it expands and pushes out the ends of the tubes (driving the spinning motion). When the water contracts again, it sucks in water through the ends of the tubes — but the sucking motion pulls in water from all directions (while the expulsion of water pushes in only one direction), so the suction doesn't counteract the propulsion, and the top continues spinning.
Now, the original version is from Germany (and comes with detailed German instructions); the version that I got came with a sheet of English instructions that weren't as detailed. The instructions say to push the copper tube through the cork platform and "bend the tube at a 90-degree angle"; however if you just try bending the tube, it will probably crimp and create a hole, making it useless. To bend the tube so that it curves gradually, place your thumb on the cork next to where the tube protrudes, and use the fingers of your other hand to gently push the tube so that it curves around your thumb. (This is spelled out in the original German instructions.)
Also, the instructions say to fill the copper tube by holding it under running tap water. This didn't work at all for me, since the tube is only about 2mm wide and the surface tension of water makes it hard to "push" it into a tube that small. Fortunately, a straw from a grocery-store juicebox fits perfectly over the other end of the copper tube, so if you submerge the other end in water, you can suck on the straw to fill the tube that way. (It's just copper after all, not lead.)
Finally, if you leave the cork floating in water too long, it eventually gets waterlogged and sinks, and as far as I can tell it's very hard to dry it out and bring it back to its original buoyancy. The workarounds for this are: (1) to increase the buoyancy, first put another tea light directly into your bowl of water so that it floats, and then lower the top into the water on top of that tea light, which will then help keep the top afloat; and (2) don't leave the top floating in water when not in use.
- - - - - - - - - - - - - - - - - - - -
"Flying F*CK" Remote-Control Helicopter
$20 from ThinkGeek
Again with the ThinkGeek swag; I swear I didn't know.
This is pretty self-explanatory, except I've tried two of them and the product doesn't seem to work too well as an actual remote-control helicopter; one of them couldn't hover in place (its two modes were "shooting up at the ceiling" or "falling"), and with the other, the R/C didn't seem to work through furniture. But that's probably OK since the whole point of this gift is in the giving and not the having.
In my case, I hid it behind a friend's chair at his birthday party, then at the appropriate time gave a speech ending with, "And so I thought, what do I give my friend to mark this occasion? What do I give? After much thought, I decided, this is what I give:..." There followed a dramatic pause where I pressed the "up" control on the remote, and nothing happened, whereupon I muttered, appropriately enough, "Fuck", then wandered over behind my friend's chair, repeated the setup line, pressed the remote button, at which point the copter shot up, banged into a chair and fell to the ground, whereupon for my third attempt I just picked it up and held it on the palm of my hand, pressed the remote, and the copter took flight and finally delivered the punch line, and all was good. If I'm there when he re-gifts it (since we both agreed that was the point of a gift like this), I hope it works better for him.
- - - - - - - - - - - - - - - - - - - -
Falling Sand Sculptures
$13 for the smaller 'Sandscape'; $80 for the larger 'Deep Sea Round'; both available from Educational Innovations
These both make good decorations and shelf widgets. The sand in the Sandscape always falls in more or less the same pattern, since it's pre-determined by the gaps in the shelves holding the sand; the Deep Sea Round is more interesting since the pattern is determined by the placement of air bubbles and varies every time.
Pro tip: water evaporates from both of these, so eventually the water level will drop and the volume of air will increase, getting in the way of the sand flow. The 'Deep Sea Round' comes with a syringe that you can use to draw out air and inject more water into the aperture on the side. The cheaper 'Sandscape' doesn't come with a syringe, but it has a hole in the side where you can use a syringe to inject more water, if you buy the syringe separately.
- - - - - - - - - - - - - - - - - - - -
Galileo Thermometer
$17 for a wood-mounted model from Office Playground; cheaper ones available without wood mounting
Just your basic elegant conversation piece demonstrating the principle that the density of a liquid changes with temperature. Pro tip: If you get the wood mounted one, before emailing the seller to complain that it's not working because all the spheres are bunched together at the wrong end, make sure it's not upside-down. (I realized, before I hit Send, that the felt-covered end goes on the bottom.)
- - - - - - - - - - - - - - - - - - - -
All of the remaining items on this list do exactly what they say they do, with no need for any special instructions not included by the manufacturer, so I'm just going to list them:
Glass Water Faucet — $50 from Uncommon Goods — a nice double optical illusion (faucet suspended in space, and glass-as-water).
Slicked Grandfather Clock — $30-$60 depending on who's selling it.
Tin Can Robot Kit — about $15 from various vendors — my stepdad and I assembled one using one of his beloved Hansen's soda cans.
Mini metal DIY sculptures — the Metal Works sculptures from Innovatoys ($7-$12) take some time to assemble but they come out looking pretty much like the pictures and make good shelf decorations. These Mikro sculptures ($10 and up, also available from Grand Illusions if you're filling your shopping cart there) are a bit easier to assemble since you just have to bend some shapes out from the metal sheet that they're carved from.
Ulexite "Television Stones" — $10 from Educational Innovations — a naturally occurring rock containing thousands of parallel fiber optic strands. Give it as a gift together with a square of patterned fabric so you can see the eerie effect when you place the rock against the fabric and the pattern "magically" appears on the opposite side of the rock.
And finally, if you need a last-minute gag gift for someone, browse through the gum and hand sanitizers from BlueQ.com — they're not geek-themed, but at $5.49 for the hand sanitizers and $1.39 for the gum, you can afford to stock up so you'll have a reserve of gag gifts suited for a variety of different people's tastes (except, of course, good taste).
And those are my favorites for gift-giving season 2012. You can send me suggestions for any items in this category that I've missed; I'll be back for Valentine's Day.
- - - - - - - - - - - - - - - -
Remember, if you have a feature idea, we'd love to hear it. -
New eBay EULA Prohibits Class Action Lawsuits
First time accepted submitter dangthill writes "On August 21, eBay updated its end-user agreement by adding a binding arbitration clause. By accepting the new agreement, users forfeit their right to join class action lawsuits and instead must submit to arbitration. However, users may opt-out by mailing eBay a signed notice. eBay joins Microsoft, Sony, Electronic Arts, Valve and other companies attempting to prevent class actions after the Supreme Court of the United States ruled such tactics valid." -
Connecticut Resident Stopped By State Police For Radioactivity
Okian Warrior writes "A Milford, CT man was pulled over when a state police car radioactivity scanner flagged his car as being radioactive. The man had been given a cardiac exam using radioactive dye, and had a note from his physician attesting to this, but it raises questions about the legality of the stop. Given that it is not illegal to own or purchase or transport radioactive materials (within limits for hobbyist use), should the police be allowed to stop and search vehicles which show a slight level of radioactivity?" -
HP Reviving the $99 Touch Pad On December 11th
Frankie70 writes "Starting Sunday, December 11th at 6:00 p.m. Central time, 16GB and 32GB Touchpads will be available on HP's ebay store. A $79 accessory bundle will also be available, which includes a case, charging dock and wireless keyboard. The caveat with this deal is that these are refurbished TouchPads rather than the brand new models sold during the first firesale." -
Buy Your Own Tron Lightcycle For $35,000
ElectricSteve writes "The lightcycle scene was probably the most memorable part of an absolutely jaw-dropping movie when Tron was released in 1982. One of the first films to use the kinds of computer-generated special effects that later became commonplace, it was a glimpse into a whole new world that left an indelible impression on most who saw it. Now, as Disney prepares to release Tron Legacy, a sequel some 28 years after the original, the lightcycles are back and looking meaner than ever. Built by the same guys who did the memorable Batpod replica, the new lightcycles feature massive dual hubless wheels, carbon fiber/fiberglass bodies, and all the lashings of neon that you'd expect. And there will be five running models built — all of which are now up for sale on eBay for a cool $35,000." -
eBay Denies New Design Is Broken, Blames Users
krick-zero writes "eBay recently rolled out a new page design. Many eBay sellers are reporting issues with missing description text, resulting in lost sales. Buyers are reporting the same intermittent issue, on multiple platforms, with multiple browsers. After complaining to eBay customer service, one user got this response: 'I have reviewed several of your listings using my computer and had several of my coworkers view your listings as well and we are seeing the complete listings. Many times when buyers are not able to see the whole description or just bits and pieces it is due to browser issues they are having. A lot of times if they simply clear out their cache and cookies or change browsers (i.e. change from Internet explorer to Firefox or vice versa) they no longer have this problem.'" -
Unreleased OQO 2+ OLED Version Sells For $6,500
psych787 writes "OQO's product line — much loved by their community at oqotalk — has recently suffered a slow, agonizing death. After dropping warranty repairs, not returning several units sent in, disconnecting phonelines, and leaving trash at their headquarters, a couple of units have survived and found eBay. The last one went for $4.5k. Now the only PC for sale to include an OLED has gone for $6.5k. At that price, perhaps a competitor bought the device to come up with something that meets the same market?" -
TSA Employee Caught With $200K Worth of Stolen Property
The plane moves me or I move the plane? writes "After years of people complaining about their luggage locks being broken in the name of the Transportation Security Administration, and after countless properly-stowed utilities and tools had been scrutinized from a paranoid point of view, an employee of the TSA (which is part of the Department of Homeland Security) has been captured with evidence of over $200,000 worth of stolen property he was selling on eBay. With the help of local police and the USPS, a search of his house found a great deal of property pilfered from the un-witnessed searches that occurred after luggage had been checked, where the rightful owner was not allowed. 'Among the items seized were 66 cameras, 31 laptop computers, 20 cell phones, 17 sets of electronic games, 13 pieces of jewelry, 12 GPS devices, 11 MP3 players, eight camera lenses, six video cameras and two DVD players, the affidavit said.'" -
eBay To Disallow Checks and Money Orders In US
Sir_Kurt writes "In eBay's latest FAQ, they explain that sellers (for the good of the buyers) will no longer be allowed to accept checks or money orders as payment. They can take electronic payments only. So, will Google Checkout, Checkout by Amazon or Amazon Flexible Payment be allowed? No, says eBay: 'Google's and Amazon's products and services compete with eBay on a number of levels, so we are not going to allow them on eBay.' Options are limited to PayPal, ProPay, direct credit payments to the seller, and 'payment upon pickup.' But remember, this is for our own good!" eBay ran into trouble earlier this year for trying to restrict payment options. -
GE Announces OLED Manufacturing Breakthrough
bughunter writes "Today GE announced the successful demonstration of the world's first roll-to-roll manufactured organic light-emitting diode (OLED) lighting devices (press release). This demonstration is a key step toward making OLEDs and other high-performance organic electronics products at dramatically lower costs than what is possible today. The green crowd is thrilled as well. Personally, as the parent of a 3-year-old technophile, I'm dreading the animated cereal boxes." Now can I get my Optimus Keyboard for less than $1,299? -
eBay to Drop Negative Feedback on Buyers
Trip Ericson writes "ArsTechnica is reporting that eBay plans to drop negative feedback on buyers. It's just one of a number of changes eBay will be making in the near future. 'eBay's data shows that sellers are eight times more likely to retaliate in kind against negative feedback, a figure that has grown dramatically over the years. In an attempt to mollify sellers, eBay will initiate a handful of seller protections to offset the inability to speak ill of a buyer. Negative and neutral feedback will be removed if a buyer bails on a transaction or if the buyer has his or her account suspended. Buyers will have less time to leave feedback, and won't be able to do so until three days after the auction ends. eBay is also pledging to step up monitoring and enforcement of its policies around buyers who behave very badly.'" -
Last Sky Commuter For Sale On eBay
DeltaV900 writes to alert us to an auction on eBay of the last Sky Commuter concept car. About 7 hours remain in the auction and the top bid at this writing is $55,100. The seller (with some help from posters in the auction forum) makes clear that the thing won't actually fly, and in fact never did. Other Sky Commuters may have hovered. This one traveled around to air shows and trade fairs. -
Why You Can't Find a Wii for Christmas
Nintendo is making Wii consoles at a record pace, some 1.8 million a month. Last week they sold 350,000 units. Yes, just last week. And yet, still, it's going to be almost impossible to find a Wii in a store this Christmas. Wired reports that the problem actually began back in August. Summer being the traditional 'dry' season in gaming usually leads to hardware surpluses, but not with Nintendo's console. The result is a holiday season that Nintendo essentially couldn't prepare for. "Demand for Wii is so high, says analyst Michael Pachter, because of all the different types of consumers competing for the units ... it's not just kids who crave Wii. [It's] an especially big hit at retirement homes ... Hard-core gamers, who initially spurned the Wii's lower graphic power compared to the Xbox and PlayStation 3, have changed their tune on the console, thanks to brilliant software like the first-person shooter Metroid Prime 3. And eBay scalpers? They really want Wii." In fact, the only reliable way to get your hands on a Wii is to go that most dubious of routes. eBay Wii sales are very brisk indeed this week. -
Slashdot 10-Year Anniversary Charity Auction for the EFF
As part of our 10-Year anniversary, we've decided to have a little charity auction, with the cash going to the EFF. The items currently up for bidding are 'Triton' (the big old tower case from the first x86 used to host Slashdot from Feb 11 1998 through much of 1999... picture is attached to the story if you're curious). A low numbered UID (3 or maybe 2 digits!) so you can win those stupid low UID pissing match threads. Your URL plugged in the story where we announce the auction winners. Oh the fame! The Slashdot Grab Bag: We're putting stuff around the office in a box- random t-shirts, hats, even an old Nokia NGage. The mystery box could contain anything that we stuff in the box before the contest ends... there's a picture of what we have so far attached. A copy of the Watchmen trade paperback singed in Hemos's 1999 house fire. An @slashdot.org email alias (tasteful names only ;) The auctions will be running for like 10 days, and we'll post the results when they come up.
Triton currently has a couple of P2s in it that may or may not work, as well as a number of SCSI controllers that may or may not work. It also has a 300W power supply that may or may not work. Remember, you are donating to charity here... but these guts have been sitting in a closet for probably 5 years now. We don't have any idea what works.... the machine was originally hosted in our Holland office, but eventually was shipped to California for colocation. While there it got its guts replaced from dual P133s to dual P2s. After that, it flew back to Holland where it was a file server for a few years until we retired it.
The grab box will at least contain some shirts. We have a crate of shirts- some given to us by random companies, others are mis-prints of various corporate things... I think we have some static stickers and hats... but there's no promises here... again... you're making a donation to a worthy charity here! The picture shows you some things that will probably be in the box including Nate's Nokia ngage, a collection of hats... we'll throw in a few of the 10-year anniversary t-shirts as well...
We're willing to sign the things if you think that makes it worth donating more. Or more likely not, if you think it's worth more without our childish scribblings on it. And bid high folks! This is for the EFF after all...
-
iPhone Freed From AT&T, Twice
A very large number of readers sent in stories about one or the other of the two new claims to have unlocked the iPhone for use on other GSM carriers. A New Jersey teenager, George Hotz, posted instructions for unlocking the iPhone using a soldering gun and a lot of patience. This is from coverage in a local NJ paper: "If someone handed him an iPhone new out of the box, he could modify it in 'about an hour,' he said. A person following his directions might take 'a good 12 hours,' the teen estimated." Hotz has put up a YouTube video substantiating his claim, and is conducting an eBay auction for one of his two hacked phones. The other hack is by a commercial outfit called iPhoneSIMfree.com, whose claim Engadget has verified. The company will be selling licenses to the hack, minimum quantity 500, at a price not yet announced. These hacks are much bigger news for those outside America. Expect to see an industry spring up to meet European (and Asian?) demand for freed iPhones. -
Enigma Machine for Sale on eBay
RagingMaxx writes "An Italian antiques dealer has recently put to auction a mint condition, fully operational Enigma machine on eBay. The machine, dated circa 1938, will be sold to the highest bidder in just over a week, but after 30 hours of bidding the price has already surpassed $12,000 US. For those of you who can't afford the real thing, why not make your own?" -
How Private Are Sites' Membership Lists?
Slashdot contributor Bennett Haselton has written an essay on a subtle privacy issue affecting many websites (including Slashdot!) He says "Suppose your girlfriend called up Match.com and said, "I think my boyfriend might be cheating on me. His e-mail address is joeblow - at - aol - dot - com. Can you tell me if he's a member?" And Match.com phone support told her, "Why, yes, he is a member. You'd better have a talk with him." After you had gotten over the guilt of getting caught -- I mean, the guilt of cheating -- would you not feel like Match.com had violated your privacy by telling a third party that you were a member?" Keep reading to see what he's getting at and to decide if and when it's a problem.
Something like this is actually possible with quite a few well-known sites -- given a person's e-mail address, it is possible to find out if they have an account with Match.com, PayPal, Netflix, eBay, Amazon, and Google (and, by the way, Slashdot [CT: We'd fix it if I thought it mattered]). For some of those sites, it may even be possible to take a long list of e-mail addresses and use an automated process to find out which of those addresses have accounts with those sites (something I didn't want to risk trying myself, but as a general rule, if you can do it once, you can do it many times, at least if you do it slowly enough). It does not enable the attacker to extract addresses from a site's membership rolls, which is a much more serious type of breach -- in this case, the attacker would have to already know a list of e-mail addresses, and would only be able to find out which of those addresses have accounts with a given service. And it definitely wouldn't enable an attacker to extract more sensitive information like passwords or personal data. But the ability to get a yes/no answer for whether an e-mail address belongs to a member of a given site, should be something that the site designer should take into account.
I'm not even saying that it should necessarily be considered a security hole in most cases, just that it should be something that the site designers decide whether or not they want to permit it -- not something that was left in the open accidentally. Representatives from PayPal and Netflix assured me that they knew about the possibility of this attack and had countermeasures to detect it. In the case of Match.com, on the other hand, I would argue it looks like an oversight. For other sites, whether it's a security hole or not depends on your point of view.
There are three main causes for concern with this issue. The first is simple privacy -- for a site like Match.com, a person may not want other people to be able to find out that they're a member. The second is the possibility of making phishing attacks easier. If a phisher sends spam to a huge number of recipients, hoping to trick them into entering their login details on a counterfeit site, then generally their success rate would be proportional to the number of recipients who are members of that site (of which a certain percentage will be duped into entering their login info), but the speed at which the phishing site is shut down would be proportional to the total number of recipients (since any recipient would carry the same likelihood of reporting the phishing site to an ISP and helping to get it shut down). So if the phisher could find out which addresses on their list belong to actual members of a given site, and send mail to just those people, they could get more successful attacks in proportion to the number of e-mails sent. This is especially true of "puddle phishing" attacks, where only a small percentage of recipients are likely to be members of the site being phished. The third possibility is that the data could be valuable to spammers wanting to advertise a competing site -- a spammer advertising a dating site, for example, could get more bang for their buck by advertising only to Match.com members. (Maybe even try a hybrid spam-with-just-a-hint-of-phish -- spam that says "Rejected a lot on Match.com?" to make the user think at first that the e-mail really is from Match.com, but then steer them towards a competitor.)
With a build-up like this, the attack is disappointingly simple. (In fact, I listed the possible consequences of the attack first, because otherwise the attack itself is too easy to dismiss.) If you haven't already guessed at least one of these methods, the three easy ways to find out if an e-mail address is associated with an account at a given site, are:
- Try to create a new account with that e-mail address. See if you get an error message saying the address is already associated with an account.
- Log in under an existing account, and try to switch to another e-mail address. See if you get an error message saying the address is already associated with an account.
- Use the forgot-your-password feature to request a password be sent to a given e-mail address. See if you get an error message saying that address is not associated with an account.
With most popular sites that I tested, at least one of the above methods fails, but at least one other method succeeds. On Netflix, for example, the forgot-your-password form requires you to enter a last name and a credit card number, so that form can't be used to find out who is a member. On the new member signup page, though, you can enter an e-mail address and be told whether that e-mail address already belongs to a member. With Match.com, on the other hand, I already mentioned the weakness in the password-reset form, but if I tried to sign up for a new account but I didn't correctly pass the Turing test (reading numbers off a graphic and entering them in a text field), Match.com wouldn't tell me if the e-mail address was associated with an existing account. So that form could not be used to sift through 100,000 addresses and find which ones were Match.com members, but it could be used to find out if an individual person was a subscriber.
There are at least two simple countermeasures to this type of attack. The first is to require a Turing test when a user creates a new account, requests a password reset, or changes their e-mail address on file, and make sure that if the Turing test isn't completed correctly, then no error message is displayed about whether a given e-mail address does or does not exist in the system. This makes it hard for attackers to sift through a mountain of e-mail addresses finding out which ones already belong to accounts, but it still enables someone to check if someone is a member, one person at a time. For sites where that would be a privacy concern (again I'm thinking of Match.com), the other solution is better: send an error message to the e-mail address entered, not displayed to the user in their browser. If you try to sign up as joeblow@aol.com, and that address is already associated with an account, then display the normal message telling the user to check their inbox for confirmation -- but then send them a message saying their address is already in the system. eBay, for example, gets this right on their "forgot your userid" page -- if you enter an e-mail address not associated with an eBay account, it simply says, "eBay just sent your User ID to joeblow@aol.com. Check your email to get your User ID." (On the other hand, eBay's new user signup page lets you check if an e-mail address is assigned to an existing member, without needing to pass a Turing test.)
Netflix, eBay and PayPal also responded to say that they had monitors in place to detect "suspicious" activity, saying that even in cases where the forms did not require a Turing test, they could dynamically detect if someone were using a script to submit the form over and over to harvest data, but they declined to go into more detail. It seems to me this could work for forms that require you to be logged-in, but not for forms that don't. For example, on the Netflix new user page, how would they detect if it's the same person submitting e-mail addresses over and over again? Not by IP address -- you can use Tor and farms of open proxies scattered across the Internet to make it appear as if you're coming from lots of different IP addresses. However, consider the PayPal add-a-new-email-address form. This form does not require a Turing test, and does give you an error message if you try to add an address associated with another account. At first I thought this might be a loophole that an attacker could use to find all the PayPal users in a long list of addresses, but PayPal told me that if you do this enough times under the same account, eventually you will hit a limit where the form starts requiring a Turing test. I never got high enough to hit that limit. However, in this case the "dynamic detection" could actually work -- because you can only perform this action while logged in, and after you hit the limit, to continue testing more addresses would require another PayPal account -- and creating additional throwaway PayPal accounts does require a Turing test for each one. So I'll take their word for it that that attack is blocked, although, it seems to me it would be easier just to require a Turing test on the add-a-new-address page.
On the other hand, perhaps in the case of a site like Netflix, it's not something that users really need to worry about, if the company has no problem with it. Big deal, an attacker can find out whether you're a Netflix user -- but that's not a huge privacy violation, it's not like I shamefully hide those red envelopes under my shirt while I'm scurrying back from the mailbox. Now, a spammer can take a list of addresses and run them through the form to find out who is a Netflix customer, and then spam those users trying to lure them to a competing service -- but that's Netflix's problem, not ours, isn't it? (Well, it's our problem that we get the spam. But without using this attack, the alternative was that the spammer was just going to spam everybody on their list anyway, so by that argument, this attack actually results in less spam all around!)
Except... perhaps an attacker could try the third type of attack, a phishing attack to get people's Netflix usernames and passwords, but not in order to compromise their Netflix account, rather to see if the person has an account with the same password at eBay or PayPal. Perhaps a user would be wary of a PayPal phish since they see so many of them, but they might fall for a Netflix one -- although then the attacker's success would be limited to people who had Netflix and PayPal accounts, and were using the same password for them both...
So it seems to me it's not obvious when this should be considered a problem. (All of the sites mentioned in this article were e-mailed about this issue months ago, and so far none of them considered it a serious enough threat to block all three of the avenues of attack listed above.) If abuse of this type becomes common, perhaps eventually these "queryable membership lists" will come to be considered in the same way as open mail relays -- which were never considered a glaring security hole, but were abused in ways that triggered a shift in people's thinking that got them to be gradually phased out, going from open relays being the default standard up to the early 90's, to the point where many ISPs today prohibit customers from running them. Maybe "queryable membership lists" will start to be abused more, if anti-spam technologies get smart enough that spammers can't send 1 million messages at a time any more and have to limit themselves to, say, 100,000 messages at a time to get through people's filters, so they have to pick which 100,000 of their addresses they could get the most value out of. Or maybe things will go in a completely different direction and this will never become a problem. I just think that, for now, we should be aware that some form of this trick works on the majority of sites that require an account, and the types of abuses described are at least possible.
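The two countermeasures the essay above describes (a Turing test that is checked before any account lookup, and sending the "already registered" notice to the address instead of the browser), combined with the per-account limit it attributes to PayPal, as an added example that is not part of the essay or of any site's code. The class, the message strings, and the threshold of three free e-mail changes are assumptions.

```python
"""Enumeration-resistant signup, reset and change-e-mail forms (constructed example)."""
from dataclasses import dataclass, field

# The only two strings a browser ever sees; neither depends on membership.
CHECK_INBOX = "Check your inbox to continue."
CAPTCHA_FAILED = "The verification challenge was not completed. Try again."
FREE_EMAIL_CHANGES = 3  # assumed threshold; the essay gives no number


@dataclass
class AccountForms:
    members: set = field(default_factory=set)          # registered addresses
    outbox: list = field(default_factory=list)         # (recipient, message) pairs
    change_attempts: dict = field(default_factory=dict)

    def _mail(self, to, message):
        # A real site should queue mail asynchronously so that response
        # time does not reveal which branch ran.
        self.outbox.append((to, message))

    def signup(self, email, captcha_ok):
        email = email.strip().lower()
        # Reject a failed challenge before any lookup, so the reply
        # cannot vary with whether the address is registered.
        if not captcha_ok:
            return CAPTCHA_FAILED
        if email in self.members:
            self._mail(email, "Someone tried to register with your address; "
                              "you already have an account.")
        else:
            self._mail(email, "Confirm your new account: <token placeholder>")
        return CHECK_INBOX

    def request_reset(self, email, captcha_ok):
        email = email.strip().lower()
        if not captcha_ok:
            return CAPTCHA_FAILED
        if email in self.members:
            self._mail(email, "Reset your password: <token placeholder>")
        # Non-members receive nothing, but the browser text is identical.
        return CHECK_INBOX

    def change_email(self, account, new_email, captcha_ok=False):
        new_email = new_email.strip().lower()
        used = self.change_attempts.get(account, 0)
        self.change_attempts[account] = used + 1
        # After a few attempts from one logged-in account, demand a challenge.
        if used >= FREE_EMAIL_CHANGES and not captcha_ok:
            return CAPTCHA_FAILED
        if new_email in self.members:
            self._mail(new_email, "Another account tried to add your address.")
        else:
            self._mail(new_email, "Confirm this address: <token placeholder>")
        return CHECK_INBOX


def distinct_browser_replies(forms, emails, captcha_ok):
    """Set of replies a caller probing `emails` through all three forms would see."""
    seen = set()
    for e in emails:
        seen.add(forms.signup(e, captcha_ok))
        seen.add(forms.request_reset(e, captcha_ok))
        seen.add(forms.change_email("probe-account", e, captcha_ok))
    return seen


if __name__ == "__main__":
    # Constructed sample data: one registered address, one unknown address.
    forms = AccountForms(members={"member@example.test"})
    probes = ["member@example.test", "stranger@example.test"]
    print(distinct_browser_replies(forms, probes, captcha_ok=True))
    print(forms.outbox)
```

The differing information still exists, but only in `outbox`, which reaches the owner of each address and nobody else.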
-
How Private Are Sites' Membership Lists?
Slashdot contributor Bennett Haselton has written an essay on a subtle privacy issue affecting many websites (including Slashdot!) He says "Suppose your girlfriend called up Match.com and said, "I think my boyfriend might be cheating on me. His e-mail address is joeblow - at - aol - dot - com. Can you tell me if he's a member?" And Match.com phone support told her, "Why, yes, he is a member. You'd better have a talk with him." After you had gotten over the guilt of getting caught -- I mean, the guilt of cheating -- would you not feel like Match.com had violated your privacy by telling a third party that you were a member?" Keep reading to see what he's getting at and to decide if and when it's a problem.Something like this is actually possible with quite a few well-known sites -- given a person's e-mail address, it is possible to find out if they have an account with Match.com, PayPal, Netflix, eBay, Amazon, and Google (and, by the way, Slashdot [CT: We'd fix it if I thought it mattered]). For some of those sites, it may even be possible to take a long list of e-mail addresses and use an automated process to find out which of those addresses have accounts with those sites (something I didn't want to risk trying myself, but as a general rule, if you can do it once, you can do it many times, at least if you do it slowly enough). It does not enable the attacker to extract addresses from a site's membership rolls, which is a much more serious type of breach -- in this case, the attacker would have to already know a list of e-mail addresses, and would only be able to find out which of those addresses have accounts with a given service. And it definitely wouldn't enable an attacker to extract more sensitive information like passwords or personal data. But the ability to get a yes/no answer for whether an e-mail address belongs to a member of a given site, should be something that the site designer should take into account. 
I'm not even saying that it should necessarily be considered a security hole in most cases, just that it should be something that the site designers decide whether or not they want to permit it -- not something that was left in the open accidentally. Representatives from PayPal and Netflix assured me that they knew about the possibility of this attack and had countermeasures to detect it. In the case of Match.com, on the other hand, I would argue it looks like an oversight. For other sites, whether it's a security hole or not depends on your point of view.
There are three main causes for concern with this issue. The first is simple privacy -- for a site like Match.com, a person may not want other people to be able to find out that they're a member. The second is the possibility of making phishing attacks easier. If a phisher sends spam to a huge number of recipients, hoping to trick them into entering their login details on a counterfeit site, then generally their success rate would be proportional to the number of recipients who are members of that site (of which a certain percentage will be duped into entering their login info), but the speed at which the phishing site is shut down would be proportional to the total number of recipients (since any recipient would carry the same likelihood of reporting the phishing site to an ISP and helping to get it shut down). So if the phisher could find out which addresses on their list belong to actual members of a given site, and send mail to just those people, they could get more successful attacks in proportion to the number of e-mails sent. This is especially true of "puddle phishing" attacks, where only a small percentage of recipients are likely to be members of the site being phished. The third possibility is that the data could be valuable to spammers wanting to advertise a competing site -- a spammer advertising a dating site, for example, could get more band for their buck by advertising only to Match.com members. (Maybe even try a hybrid spam-with-just-a-hint-of-phish -- spam that says "Rejected a lot on Match.com?" to make the user think at first that the e-mail really is from Match.com, but then steer them towards a competitor.)
With a build-up like this, the attack is disappointingly simple. (In fact, I listed the possible consequences of the attack first, because otherwise the attack itself is too easy to dismiss.) If you haven't already guessed at least one of these methods, the three easy ways to find out if an e-mail address is associated with an account at a given site, are:
- Try to create a new account with that e-mail address. See if you get an error message saying the address is already associated with an account.
- Log in under an existing account, and try to switch to another e-mail address. See if you get an error message saying the address is already associated with an account.
- Use the forgot-your-password feature to request a password be sent to a given e-mail address. See if you get an error message saying that address is not associated with an account.
With most popular sites that I tested, at least one of the above methods fails, but at least one other method succeeds. On Netflix, for example, the forgot-your-password form requires you to enter a last name and a credit card number, so that form can't be used to find out who is a member. On the new member signup page, though, you can enter an e-mail address and be told whether that e-mail address already belongs to a member. With Match.com, on the other hand, I already mentioned the weakness in the password-reset form, but if I tried to sign up for a new account but I didn't correctly pass the Turing test (reading numbers off a graphic and entering them in a text field), Match.com wouldn't tell me if the e-mail address was associated with an existing account. So that form could not be used to sift through 100,000 addresses and find which ones were Match.com members, but it could be used to find out if an individual person was a subscriber.
There are at least two simple countermeasures to this type of attack. The first is to require a Turing test when a user creates a new account, requests a password reset, or changes their e-mail address on file, and make sure that if the Turing test isn't completed correctly, then no error message is displayed about whether a given e-mail address does or does not exist in the system. This makes it hard for attackers to sift through a mountain of e-mail addresses finding out which ones already belong to accounts, but it still enables someone to check if someone is a member, one person at a time. For sites where that would be a privacy concern (again I'm thinking of Match.com), the other solution is better: send an error message to the e-mail address entered, not displayed to the user in their browser. If you try to sign up as joeblow@aol.com, and that address is already associated with an account, then display the normal message telling the user to check their inbox for confirmation -- but then send them a message saying their address is already in the system. eBay, for example, gets this right on their "forgot your userid" page -- if you enter an e-mail address not associated with an eBay account, it simply says, "eBay just sent your User ID to joeblow@aol.com. Check your email to get your User ID." (On the other hand, eBay's new user signup page lets you check if an e-mail address is assigned to an existing member, without needing to pass a Turing test.)
Netflix, eBay and PayPal also responded to say that they had monitors in place to detect "suspicious" activity, saying that even in cases where the forms did not require a Turing test, they could dynamically detect if someone were using a script to submit the form over and over to harvest data, but they declined to go into more detail. It seems to me this could work for forms that require you to be logged-in, but not for forms that don't. For example, on the Netflix new user page, how would they detect if it's the same person submitting e-mail addresses over and over again? Not by IP address -- you can use Tor and farms of open proxies scattered across the Internet to make it appear as if you're coming from lots of different IP addresses. However, consider the PayPal add-a-new-email-address form. This form does not require a Turing test, and does give you an error message if you try to add an address associated with another account. At first I thought this might be a loophole that an attacker could use to find all the PayPal users in a long list of addresses, but PayPal told me that if you do this enough times under the same account, eventually you will hit a limit where the form starts requiring a Turing test. I never got high enough to hit that limit. However, in this case the "dynamic detection" could actually work -- because you can only perform this action while logged in, and after you hit the limit, to continue testing more addresses would require another PayPal account -- and creating additional throwaway PayPal accounts does require a Turing test for each one. So I'll take their word for it that that attack is blocked, although, it seems to me it would be easier just to require a Turing test on the add-a-new-address page.
On the other hand, perhaps in the case of a site like Netflix, it's not something that users really need to worry about, if the company has no problem with it. Big deal, an attacker can find out whether you're a Netflix user -- but that's not a huge privacy violation, it's not like I shamefully hide those red envelopes under my shirt while I'm scurrying back from the mailbox. Now, a spammer can take a list of addresses and run them through the form to find out who is a Netflix customer, and then spam those users trying to lure them to a competing service -- but that's Netflix's problem, not ours, isn't it? (Well, it's our problem that we get the spam. But without using this attack, the alternative was that the spammer was just going to spam everybody on their list anyway, so by that argument, this attack actually results in less spam all around!)
Except... perhaps an attacker could try the third type of attack, a phishing attack to get people's Netflix usernames and passwords, but not in order to compromise their Netflix account, rather to see if the person has an account with the same password at eBay or PayPal. Perhaps a user would be wary of a PayPal phish since they see so many of them, but they might fall for a Netflix one -- although then the attacker's success would be limited to people who had Netflix and PayPal accounts, and were using the same password for them both...
So it seems to me it's not obvious when this should be considered a problem. (All of the sites mentioned in this article were e-mailed about this issue months ago, and so far none of them considered it a serious enough threat to block all three of the avenues of attack listed above.) If abuse of this type becomes common, perhaps eventually these "queryable membership lists" will come to be considered in the same way as open mail relays -- which were never considered a glaring security hole, but were abused in ways that triggered a shift in people's thinking that got them to be gradually phased out, going from open relays being the default standard up to the early 90's, to the point where many ISPs today prohibit customers from running them. Maybe "queryable membership lists" will start to be abused more, if anti-spam technologies get smart enough that spammers can't send 1 million messages at a time any more and have to limit themselves to, say, 100,000 messages at a time to get through people's filters, so they have to pick which 100,000 of their addresses they could get the most value out of. Or maybe things will go in a completely different direction and this will never become a problem. I just think that, for now, we should be aware that some form of this trick works on the majority of sites that require an account, and the types of abuses described are at least possible.
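The second countermeasure described in the article (the same on-screen message either way, with the real outcome mailed to the address entered), combined with the Turing-test rule and the per-account threshold PayPal described, as an added Python sketch that is not part of the original article or any site's code. `AccountService`, the mail template names and the threshold of 5 are assumptions made for illustration.

```python
from collections import defaultdict

# On-screen strings: identical whether or not the address belongs to a member.
CHECK_INBOX = "Check your inbox at {addr} to continue."
CAPTCHA_FAILED = "The characters you typed did not match. Please try again."
CAPTCHA_REQUIRED = "Please complete the picture test to continue."
CAPTCHA_AFTER = 5  # assumed per-account threshold; the article gives no figure


class AccountService:
    """In-memory stand-in for a site's account store and mailer (hypothetical)."""

    def __init__(self, members):
        self.members = {m.strip().lower() for m in members}
        self.outbox = []                      # (recipient, template) pairs "sent"
        self.add_attempts = defaultdict(int)  # logged-in account -> attempts

    def _mail(self, addr, template):
        # A real site would queue an e-mail; here we only record it.
        self.outbox.append((addr, template))

    def signup(self, email, captcha_ok):
        email = email.strip().lower()
        if not captcha_ok:
            # Fail before any lookup, so a failed Turing test reveals nothing
            # about whether the address exists in the system.
            return CAPTCHA_FAILED
        if email in self.members:
            # The "already registered" notice goes to the address owner only.
            self._mail(email, "already_registered")
        else:
            self._mail(email, "confirm_new_account")
        return CHECK_INBOX.format(addr=email)

    def forgot_password(self, email, captcha_ok):
        email = email.strip().lower()
        if not captcha_ok:
            return CAPTCHA_FAILED
        if email in self.members:
            self._mail(email, "password_reset")
        else:
            self._mail(email, "no_account_for_this_address")
        return CHECK_INBOX.format(addr=email)

    def add_email(self, account, new_email, captcha_ok=False):
        """Logged-in form: free at first, Turing test once the account
        has submitted more than CAPTCHA_AFTER addresses."""
        new_email = new_email.strip().lower()
        self.add_attempts[account] += 1
        if self.add_attempts[account] > CAPTCHA_AFTER and not captcha_ok:
            return CAPTCHA_REQUIRED
        if new_email in self.members:
            self._mail(new_email, "address_in_use_on_another_account")
        else:
            self._mail(new_email, "verify_new_address")
        return CHECK_INBOX.format(addr=new_email)


def screens_differ(service, form, member, stranger):
    """True if the form's on-screen text distinguishes a member address
    from a non-member address (ignoring the echoed address itself)."""
    a = form(member, True).replace(member, "<addr>")
    b = form(stranger, True).replace(stranger, "<addr>")
    return a != b


if __name__ == "__main__":
    # Constructed sample data.
    svc = AccountService(["member@example.com"])
    for form in (svc.signup, svc.forgot_password):
        print(form.__name__, "leaks membership:",
              screens_differ(svc, form, "member@example.com", "stranger@example.com"))
    print(svc.outbox)
```

The person submitting the form learns nothing from the browser, while the owner of the address sees the true outcome in their inbox.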
-
eBay's Ill-Timed Lifetime Achievement Webby
theodp writes "eBay CEO Meg Whitman will accept a special Webby Lifetime Achievement Award next month on behalf of the eBay Community, which has 'permanently changed the way people connect, discover and interact with each other.' Perhaps by then, people will have forgotten how eBay enabled buyer 'Blazers5505' to hook up with sellers like 'oneclickshooting' just weeks before the worst mass shooting in modern US history, prompting eBay to issue a gun-parts-don't-kill-students-guns-and-ammo-do statement that showed little evidence of its celebrated commitment to social consciousness. CEO Whitman, who received $11.1M last year for her leadership efforts, has kept a low profile since tooting eBay's trust-and-safety horn for Wall Street analysts two days after the Va. Tech rampage." -
eBay Delisting All Auctions for Virtual Property
The growing popularity of Massively Multiplayer games has brought the issue of ownership rights in virtual worlds, and the appropriateness of what is called 'real money transfer' (RMT) into an increasingly public light. The success of the company IGE, as well as the launch of Sony Online Entertainment's 'Station Exchange' service would seem to indicate that RMT is now an acceptable part of Massive gaming. The well-known auction site eBay has recently made a policy decision that may throw these assumptions into a different light. Following up on a rumour that's been going around I spoke today with a media representative for the company, who confirmed that eBay is now delisting all auctions for 'virtual artifacts' from the site. This includes currency, items, and accounts/characters; not even the 'neopoints' used in the popular Neopets service is exempt from this decision. Read on below for the company's rationale for this decision, and a few words on the impact this could have on future RMT sales. Mr. Hani Durzy, speaking for eBay, explained that the decision to pull these items was due to the 'legal complexities' surrounding virtual property. "For the overall health of the marketplace" the company felt that the proper course of action, after considerable contemplation, was to ban the sale of these items outright. While he couldn't give me a specific date when the delistings began, he estimated that they've been coming down for about a month or so. Mr. Durzy pointed out that in reality, the company is just now following through with a pre-existing policy, as opposed to creating a new one. The policy on digitally delivered goods states: "The seller must be the owner of the underlying intellectual property, or authorized to distribute it by the intellectual property owner." 
Given the nebulous nature of ownership in online games, eBay has decided the prudent decision is to remove the possibility for players to sell what might be the IP of other parties via their service. Mr. Durzy made it a point to say that initial listings of virtual property would not have punitive actions. Their assumption, he said, is that most users break with policies because they're unaware of them, rather than maliciously. Initial infractions will result in a delisting of items, and an attempt to educate the user on the policy. Persistent disregard for the policies, of course, will result in a removal of the seller's account.
We've spoken before on the possibility of taxation of virtual goods in the U.S. and abroad, as well as the economic impact these sales can have. With the removal of a very popular, very public source of virtual currency and goods from the market, what does this mean for the future of RMT? Will small businessmen who previously worked via eBay now turn to larger independent sites like IGE? Given that eBay is ipso facto declaring virtual goods to be the property of the game makers and not the players who 'earn' them, what does this mean for the future of virtual rights in general? -
Better Ways to Handle User Conflicts?
An anonymous reader asks: "We are a small startup trying to decide how best to handle the conflicts that will inevitably arise between users which have real-world monetary consequences. While sites like eBay seem to have set the standard for internal/outsourced dispute resolution, it frequently feels like a random corporate drone is choosing your fate for you. Other sites like GimmeNow.com have come up with various variations on the arbitrary mediation (they use rock, paper, scissors for parties that can't come to an obvious agreement) which seem to be more interactive, yet still feels like a resolution system heavily biased by luck. Slashdot, how do you handle user conflicts in a way that feels fair to everyone involved?" -
Microsoft's IE Team Leader Answers Slashdot Questions
We got lots and lots of questions for Dean Hachamovitch, whose formal title is "general manager Internet Explorer at Microsoft Corp." Picking a mere 10 of those questions was not easy, and I wish Dean could have answered twice as many -- and so does he, but his schedule has been tight this week. Anyway, here are his answers to the Chosen Ten.
1) How about this...
by also-rr
Would you like to make available IE on other operating systems?
Dean Hachamovitch:
We did make versions of IE available on other operating systems for a pretty long time, up through IE5 on Unix and the Mac. At the time we developed them, those offerings made sense. I don't see a good reason to make IE available on other operating systems at this time.
2) IE7 release time
by BeeBeard
Why did IE7 take such a long time to release after IE6?
Dean Hachamovitch:
Basically because we were doing a lot of other things before we started work on IE7: a few releases of MSN Explorer, a lot of work on what turned out to be Windows Presentation Foundation, a lot of investment in what turned into IPv6 support in Windows Vista, a lot of security response, a pretty intense effort on Windows Server 2003 (and IE's "Enhanced Security Configuration"), and then a pretty intense effort on Windows XPSP2. You can read a more detailed answer here
3) Follow up
by LordEd
If you had more time, is there a new feature you would have liked to include in IE7?
Dean Hachamovitch:
Yes, several come to mind. None were more important than shipping. None were more important than the bug fix work we did in response to beta feedback.
The temptation to get "just one more feature in" is so strong... one more CSS fix, one more neat facility for developers, one more performance optimization, one more cool end-user feature. The thing that made it easier to resist the temptation and ship is the prototype and planning work we've started on the next release of IE.
4) Simple questions
by Billosaur
IE has a dominating command of the market, although Firefox is slowly making inroads, due to innovations such as tabbed browsing that IE has had to incorporate to maintain that command. But where are the IE innovations? Why can't the IE team get ahead of the curve on Firefox? Is there anything you consider an innovation that is unique to IE that would plausibly be something the browser market would have to incorporate to stay competitive?
Dean Hachamovitch:
I think IE7 is the first browser with integrated real-time anti-phishing functionality, with an RSS platform and support for Simple List Extensions (see below), with "QuickTabs," with support for OpenSearch, and with shrink-to-fit printing on by default. In Windows Vista with Protected Mode, IE7 is the first browser to "put itself into a sandbox" and run with low privileges.
I think that during the IE7 beta process, you've seen other browser vendors copy some of these features and/or deliver add-ons for others. (IE has also delivered some functionality - like spell-checking in forms or in-line find - as add-ons; you can read more here.)
I want to call out the Phishing Filter and RSS in particular. I think there's a clear difference between the protection offered in IE7 and other places. I suggest readers look here and here and decide for themselves. I was surprised when I read this because I think IE7 delivers real-time protection that respects user privacy at the same time.
I think IE7's RSS is pretty deep. First, the support for the Simple List Extensions that we made available under a Creative Commons license is cool - check out the links below in IE7. Also, the platform enables developers to deliver on some great scenarios, like sharing subscription information between different applications and services easily (from the new version of Outlook 2007 I run at work to IE7 at home via Newsgator). You can read more about that here.
- Amazon Wish List as an RSS feed
- eBay Search Result as an RSS feed
- Yahoo Music Top 10 list as an RSS feed
In regards to tabs, according to http://en.wikipedia.org/wiki/Tabbed_browsing, NetCaptor (an IE-based browser) was first.
5) My shot
by Njovich
What do you consider the greatest weakness of Firefox?
Dean Hachamovitch:
Hey, I've met a bunch of the Firefox folks and respect them and am not about to say mean things about them or their product, period. I have started to see some things that even some Slashdotters find a little confusing, like the whole Iceweasel thing.
6) Security
by Seto89
One of IE7's revolutionary features was supposed to be security, although it took less than 24 hours for Secunia to post an advisory about a security hole. Moreover, the bug seemed to be carried over from as early as IE5.5. What approach did you take to improve browser's security, and how come the vulnerabilities have been carried over?
Dean Hachamovitch:
The overall approach we took is called the secure development lifecycle. You can read more about it in general at http://msdn.microsoft.com/security/default.aspx?pull=/library/en-us/dnsecure/html/sdl.asp and http://www.microsoft.com/MSPress/books/8753.asp. The very short version is that we stepped back to analyze all the ways to attack a browser and then figured out the best ways to defend in depth against attacks. We reduced attack surface area, for example, turning off several features and protocols by default and with ActiveX opt-in. We re-wrote a lot of the URL handling code in our networking layer. We ran a lot of tools against the source code to look for vulnerabilities. We listened to feedback from lots of smart people who are skilled in the art of attack.
As anyone who reads SecurityFocus or FullDisclosure will tell you, security is an industry problem and innovation in attacks is ongoing.
The MHTML issue is pretty interesting. IE calls another Windows component to handle some MHTML functionality. That component has a vulnerability. The important things here are (1) a malicious site can steal user data and (2) of course Microsoft cares about privacy and will fix this issue promptly. Some of the blogs over at zdnet - in particular George Ou's and Ed Bott's - have had some balanced opinion pieces on this issue.
While I was writing this, someone disclosed another issue irresponsibly. On the one hand, it's minor (a malicious site can make the address bar, when it's selected and in a pop-up window, deceiving... clicking in the pop-up window addresses the issue) and our anti-phishing technology helps a lot. The MSRC blog has more detail. At the same time, an attacker could draw a fake or misleading address bar in a pop-up window in a browser that doesn't automatically show the address bar in every window. Again, I think all this shows is that innovation in attacks is ongoing.
7) How about this....
by Toreo asesino
Let's pretend for a moment that Internet Explorer isn't the default web-browser built into Windows and instead, users are presented with a choice on first login (e.g. a message asking 'How would you like to browse the internet? MSIE, Firefox, Opera').
Would you expect IE to become as dominant as it is now if users had to specifically choose it over another?
Ignoring the slight impracticalities, if so (I'm guessing you do), on what basis would this be?
Dean Hachamovitch:
OK, I'll pretend. My first question is when we ask users this question... if it's in 1995, then Opera isn't on the list (Wikipedia just told me that its first public release was in 1996) and neither is Firefox. If it's today, then, candidly, we have 10+ years of people seeing the IE icon and all that that means to them.
The funny thing about your question is that in some ways, users are about two clicks from this scenario every time they run Windows XP: from the Start menu, select Set Program Access and Defaults. And it's not limited to the browsers you list, but any browser that they can download.
To answer your core question: I don't know how people would answer that question. I think we've asked users far simpler ones (like setup programs that ask "Do you want a typical or custom software installation?") that have proven frustrating to them. I do blog searches just about every day to read what people are saying about their browser choice, the browser I work on, and the other browsers you list. While it may surprise you, for many users, the differences between today's browsers aren't as clear and obvious as they may seem to many in the Slashdot crowd. I've read a lot of posts that say, "I tried IE7, I'm pleasantly surprised, and I'm switching back." (I read a lot of others for sure.) For some folks, having professional technical support to contact makes all the difference in their browser choice. During a press interview with a technical trade journal recently I asked the reporter "So what do you browse with" and he said "Mostly IE6, sometimes Firefox 1.5." That might surprise some of you.
8) Allowing Developers to Test for Compatibility
by miyako
IE7, like IE6, renders a lot of pages significantly differently than the other main HTML rendering engines available (Gecko, KHTML, and Opera). At the same time, IE7 requires WGA to run - so that applications like Wine are unable to run it. This means that web developers who are using Linux and Mac OS X will have an extremely difficult time testing their sites with IE7. Was this intentional? If so what was the reason behind it (do you want to force developers to move to Windows for web development, or simply set IE aside as something different that isn't a regular browser and must be specifically developed for), and if not how do you plan to rectify the situation?
Dean Hachamovitch:
I think the core of your question is about giving away Windows licenses for free. We love developers, period. We're also not about to give away Windows client licenses. Because we want end-users to have a great experience on the web, of course we want web developers to have an easy experience working with IE and testing their sites with IE. That's why we published tools like the web developer toolbar and the Application Compatibility Toolkit and so much documentation during the course of IE7 development. I also respect that - as hard as everyone at Microsoft works to make Windows the best operating system for developers to run - some developers will choose to run others. Mac developers have a fine solution - I've talked with hardcore Mac people who bought a copy of Windows that they run on their Mac with Parallels to test their work in IE. For other developers, I've seen some very clever solutions like BrowserCam that should help.
9) I asked Hakon about CSS and now I ask you:
by Chabil Ha'
This past summer Håkon Wium Lie was interviewed on /. and my question was selected concerning IE7's glaring lack of full CSS support. Why is it that MS has avoided meeting at least the ACID2 spec for CSS in order to bring some semblance of conformity for developers?
Håkon Wium Lie's response to these questions is boiled down to the fact that you do have the talent and resources to fix these issues and he says that "the fundamental reason, I believe, is that standards don't benefit monopolists" like MS.
How do you respond to his comments (the author of the CSS spec) and does MS have any near future plans to adhere to the existing CSS standard? If not, what would it take for MS to take a more proactive role in supporting it?
Dean Hachamovitch:
During IE7's development, we prioritized the work we did based on the web development community's real-world feedback. The engineering exercise here was choosing the best work for a finite number of developers to do during a finite period of time, especially given the compatibility impact of changing how IE behaves. The work that we delivered in IE7 simply has more positive impact and makes web developers' jobs easier than making an arbitrary (if terribly clever) web page render the way its author intended.
The Acid 2 test explicitly states that it isn't part of a formal compliance suite and it is not a "spec for CSS." It's a suite of tests of HTML, CSS, PNG, and data URL features that Mr. Lie thought were important. I'm glad that Mr. Lie - who is one of the authors of the CSS specifications - acknowledges that Microsoft's developers have the talent to address these issues.
The question here isn't whether we want to support those features or if we understand that web developers want them (we do), but simply prioritization. We focused on web developers' real world problems.
The real goal here is interoperability - something that Microsoft product teams believe in (remember, Microsoft has more than one product that works with HTML, CSS, and other web standards, and they have to interoperate too) and something that benefits customers (end-users, developers, IT Pros, et al.) across the board. The work in Windows Vista around IPv6 as well as the work we've done in IE7 with OpenSearch, RSS and with Certificate Authorities and other browser vendors on Extended Validation certificates are good examples of following through on that belief in interoperability.
Your question also asks about Microsoft's plans to comply with the existing CSS standard; there are actually several CSS standards, some still under construction (CSS level 3) and some made obsolete over time (e.g. CSS 2.1 fixing errors, removing ambiguities and changing required behavior from CSS 2). Just as we did in IE7, we're going to listen to the web development community and prioritize the remaining CSS work and deliver the parts we hear are most important first. We do intend to comply with the standard; no other browser I'm aware of has complete support of every feature in CSS 2.1, so it's clear that we all have to use prioritization to know where best to place our resources.
10) Why develop IE at all
by CmdrGravy
Given that you are not planning on selling IE 7 and the fact that there are already other browsers on the market which can allow Windows users to experience the web fully why is Microsoft investing so much time and effort in continuing the development of IE?
Dean Hachamovitch:
Windows customers expect the best, safest experience with their PCs out of the box, especially around the web browser. We're investing so much time and effort in IE in order to give Windows customers a great, secure, default experience. I'm glad that users can choose other browsers as they see fit - Windows is a platform. We're working this hard on IE because so many end-users rely on it and so many developers have built on the APIs that IE exposes as a part of the Windows platform.
-------
Editor's note: Next week's Slashdot interview guest will be a FireFox person. Only fair, right? :) -
PS3 Pre-Orders Came and Went
Warlock7 writes "Well, it's official. The pre-orders have begun ... and mostly ended. I just got mine ordered and four hours later there are already units on eBay. Some auctions have already gone north of $1000 USD. The guys at EBGames told me that the most units going to any one store was 36 and that there were an average of 8 units being distributed to each store. The one I went to reported that they were going to be getting a total of 16 units. They waited this long to take pre-orders because they wanted to be sure that they weren't going to get burned like they did for the XBox 360 launch." The reports from across the internets are varied, with long lines netting nothing for some, and others reaping the sweet rewards. -
eBay Bans Google Payments
whoever57 writes "eBay has added Google Checkout to the list of payment options banned on eBay. A recent update to the Accepted Payments Policy includes Google Checkout (click on 'Show' next to 'Some Examples' to reveal the list). More comments on this action can be found at the eBay Strategies Blog." -
MS Excel exploit on auction
geo_2677 writes "Someone had put up for auction on eBay the details of an exploit in Microsoft Excel according to a recent article on Securityfocus. According to the article Microsoft has confirmed that this vulnerability exists, but in the meantime the original listing on eBay has been pulled." The now pulled auction, but it does appear that Microsoft has confirmed the vulnerability in an eweek article. -
A Recipe for Newspaper Survival in the Internet Age
I've spent seven years working as a writer and editor for Slashdot's parent company. During this time I've been to at least a dozen mainstream journalists' and editors' conferences where the most-asked question was, "How do we adapt to the Internet?" You'd think, with all the smart people working for newspapers, that by now most of them would have figured out how to use the Internet effectively enough that it would produce a significant percentage of their profits. But they haven't. In this essay I will tell you why they've failed to adapt, and what they must do if they want to survive in a world where the Internet dominates the news business. I'm going to use the Bradenton Herald as an example, not because it's a bad newspaper but because I live in the middle of its circulation area. The Herald is a typical Knight Ridder small-city newspaper in every way except one: it serves Manatee County, an area with a fast-growing population where most new residents are old enough that they grew up reading newspapers every day. Despite these favorable factors, the Herald's circulation has declined by 3.5% in the last year. Of course, newspaper circulation declines are now normal rather than exceptional. Other newspapers have done far worse, with the San Francisco Chronicle recording a 16.4% drop in the last six months alone.
Readership vs. Circulation
Much of the Chron's circulation decrease was because it stopped giving away free papers. The Boston Globe also stopped a giveaway program and suffered a circulation decline as a result, although only about half as big a loss as the Chron's, but the Globe's marketing people have said that only half of the loss came from stopping the giveaways, and blamed the rest of it on the usual suspects, notably TV and the Internet.
These figures only measure paper newspaper circulation. They don't include Web readership, which generally seems to be trending (slowly) upwards on newspaper Web sites. Circulation figures can also be misleading because they only measure the total number of newspapers distributed, not the kind of people who read them. And readership quality can often be more important, in a business sense, than quantity. This is especially true for those newspapers (namely, just about all of them) that rely on advertising for the bulk of their income.
By definition, anyone who reads a newspaper online at home can afford a computer and an Internet connection, which means they aren't at the very bottom of the economic pile. Online readers are also likely to be more open to new experiences, products, and services than those who don't feel they need to use the Internet -- which by some estimates may be as many as half of all households within the Herald's circulation area, which has a higher percentage of retirees than all but a few other U.S. counties.
Journalism professor Douglas Fisher and media executive Alan Mutter have both talked about intentional circulation losses on their blogs. In his post, Fisher says, "The industry evolves to the point of small, expensive print publications and most of the 'mass' news on the Web somehow. Then, as we evolve toward paid content online will come issues such as whether a certain amount of 'base' information should be free for every person -- sort of like a public utility of information (perhaps presented as a social utility necessary in a functioning democratic society)."
Meanwhile, when newspapers talk about readership vs. circulation, they're typically trying to estimate how many people read each copy of their print product (pdf download) rather than come up with a total picture of their publication's readership, including its online presence. This is a mistake. Instead of treating their Web sites like unwelcome stepchildren, newspapers should turn them into their primary method of news delivery -- and teach their reporters, editors, and ad sales people how to work effectively with this new -- to them -- medium.
Slashdot Lessons
1. No matter how much I or any other reporter or editor may know about a subject, some of the readers know more. What's more, if you give those readers an easy way to contribute their knowledge to a story, they will.
Imagine a newspaper with a space for comments below each story on its Web site. This Slashdot story has comments directly attached to it, not tucked away from public view the way the Bradenton Herald's site hides reader comments on Bulletin Boards that aren't directly connected to any of the paper's articles or editorials. To make matters worse, the Herald's Bulletin Boards require a separate login to post. Even if you're a logged-in reader you must put in your username and password again to use them.
As a result of these posting barriers, you hardly see any reader comments on the Herald's site, and what few there are seem to come from a small group that posts over and over. Even the Herald's single (hard to find) blog, maintained by token hip-dude entertainment reporter Wade Tatangelo, draws so few daily comments that you could count them on the fingers of one hand -- and usually have four or five fingers left over.
By contrast, the Washington Post's Web site has two blogs, Achenblog and The Debate, prominently displayed on the Opinions page that almost always draw 100+ comments per post.
A truly Web-hip newspaper would not only allow but encourage reader comments on all of its stories, not just on a blog or two. With thousands of readers as fact-checkers, mistakes would rarely go uncorrected for long, and if there was any perceived bias in a controversial article, reader comments would make sure the other side got heard. Even better, a reader who witnessed an event the paper covered would be able to add his or her account of it to the reporter's, which would give other readers a richer and deeper view of it.
2. Not all readers know what they're talking about.
While some readers know more about any given topic than a professional journalist writing about it, most don't. Some, indeed, post anything about anything, including misleading or false information. This is why Slashdot has a moderation system, and why all newspaper Web sites need to have moderation systems in place before they allow reader posts attached directly to stories. Slashdot's, which is built into the code that runs the whole site, is probably too complicated for most newspapers, but everyone (including newspaper publishers) is free to download, use, and modify it. For those who don't want to use the code behind Slashdot, there are many other free (and proprietary) content management programs available that have similar -- and often simpler and less geeky -- moderation features built into them.
3. No matter what you do, some readers will post malicious and/or obscene comments
Slashdot removes posts only in response to Cease and Desist orders or legitimate copyright infringement complaints. We find that malicious or obscene posts are usually moderated into oblivion almost immediately, because our readers -- hundreds of whom have moderation power at any given moment -- have a sharp eye for stupid stuff.
A mainstream newspaper might choose to remove blatantly disgusting posts, which would take some staff time. There would also -- inevitably -- be second-guessing and complaints, including whines from readers who believed their posts were removed because they didn't follow the [fill in political party here] line, not because they used offensive language.
Moderation never makes everyone happy. Someone will always feel the rules are too loose, while someone else will believe they're too tight. And moderates -- I mean moderators -- will always get flak from ____-wingers who think they're biased. But these problems shouldn't stop grown-up newspaper people from soliciting and publishing readers' posts. They should already be accustomed to bias accusations.
4. What if readers post comments that advertisers don't like?
This is a problem, and one to which some newspapers are extremely sensitive -- not just over readers' comments but sometimes over their own reporters' stories. A 1999 Washington Monthly article had some examples of how newspapers sometimes cater to advertisers instead of their readers. Allowing readers to comment on stories, and allowing them to post anything they want (other than obscenities, blatant hate speech, and personal attacks) increases readers' faith in the newspaper, which makes it a more effective advertising medium in the long run because some of that trust will rub off on advertisers that support it.
The Business Side of a Newspaper Web Site
Slashdot, like almost all other Web, broadcast, and print media outlets, depends on ad revenue for most of its income. For the first few years of its existence as a commercial entity, major advertisers were afraid to buy ads on Slashdot or other free-wheeling, community-driven sites. They worried that every time they touted a product, all the customers they'd ever irritated would post bad things about them. It's impossible to run a company of any scale without having at least a few dissatisfied customers, no matter how good your products and services are, so this was not an unjustified fear.
Luckily for Slashdot (and our parent company), many companies have learned that they are going to get criticized online whether they like it or not, so at the very worst, running ads on pages where they get slammed gives them a chance to tell their side of the story.
Keyword-based ad placement helps them do this. Imagine making software that's often knocked for its security vulnerabilities, while competing software is available that costs little or nothing and doesn't share your product's problems. You'd want to run a Get the FUD (Fear, Uncertainty, and Doubt) campaign on every Web page where the competing product was being discussed so that you could tell people who are (obviously) interested in the competing product how awful it is, and why they should buy yours instead.
On a local newspaper Web site, a developer intent on replacing pristine wilderness along a scenic river with ugly condominium towers in the face of opposition from local citizens' groups could run a keyword-targeted campaign explaining why their buildings would be better than a swampy, mosquito-ridden riverfront. They could stress the fact that they would reduce the population of turtles, spiders, alligators, shore birds, frogs, and other annoying wildlife, and that runoff from their chemically-fertilized landscaping would help keep local fish populations down by contributing to red tide, thereby reducing the number of smelly fishermen infesting the area.
Other, more sensible, businesses would use the same tactic -- keyword ad placement -- to sponsor discussions in a positive way. An obvious example here in Florida would be resort property owners linking ads to tourism-related stories and the discussions attached to them. With geotargeting becoming common on the Web, ads aimed at visitors could be visible to all of a Florida newspaper's online readers, while ads for a local business would only be shown to local residents -- unless the local advertiser was canny enough to realize that Florida has many thousands of seasonal residents, and that reaching these snowbirds through the local newspaper's Web site before they come South is a great way to get a leg up on competitors.
Some other ways to exploit the Web that newspapers don't seem to do well:
- Print-them-yourself coupons. This is lots cheaper than putting coupons in a print newspaper. Many newspapers boast that today's paper contains $___ worth of coupon savings. Why don't more papers make this boast about their online editions? TV stations could do this on their sites, too. This would be an entirely new source of revenue for them, since there is no way to put a coupon in a TV spot.
- Online ad circulars, similar to the paper ones that pack print newspapers on Sundays and holidays. The print ones are expensive to produce and deliver, especially in color. Online circulars would be far less costly.
- Selling sponsorships for community calendars and other "public interest" sections that should be on every newspaper's Web site -- but often aren't or are produced in too scattered a manner to be useful for readers. C'mon, newspaper (and local TV) people! A well-organized, database-driven events calendar is easy to produce. If you don't have one (and sponsors for it), you should.
- Sponsored, "free to individuals and small businesses," local classifieds. craigslist and eBay are busily taking the classified ad market away from newspapers, with Google getting ready to help them with this effort. The Poynter Institute's Steve Outing suggests that the best way to beat back this threat is to "Turn newspaper classifieds into an active and interactive community, instead of just static, dull listings. A cold-hearted newspaper classifieds database could well be smothered by Google classifieds. A local-focused interactive community may be less vulnerable."
I believe the future of not only classified ads but of local news gathering and distribution is the "local-focused interactive community." According to this article, craigslist founder Craig Newmark agrees with me. So do plenty of other Web entrepreneurs and venture capitalists who are busily building and financing "community" sites.
Local newspapers should have dominated all of this interactivity from the beginning. They had the name recognition and -- through their print editions -- the promotional muscle to make their Web sites into unassailable community hubs. But they didn't, and now they're reduced to playing catch-up.
If the Sarasota Herald-Tribune had followed through on its plans to incorporate reader-written blogs into its site, Suncoastblog.com probably wouldn't exist. This group blog is an admittedly lame effort, barely begun, put together by several people in this area (including me) who thought it would be nice to have a local site that might eventually cover events and places that don't make their way into the local papers. We know the Herald-Tribune, whose circulation area overlaps the Bradenton Herald's, had thought about hosting reader blogs at one point, because they asked readers to submit blog ideas several months ago. I submitted one and never heard back.
I also submitted a local computer business column concept to the Herald. I came up with it because the Herald has a Sunday business page it calls "Digital Manatee," on which I have never seen anything other than out-of-town wire service material even though there is more than enough local computer and Internet business activity to fill a weekly column, and enough local computer and computer service vendors to surround that column with profitable advertising.
The Herald's editor didn't respond to my proposal. I've written three computer-oriented books, and thousands of articles that have run online and in print all over the world, but I am apparently not worth even a polite turndown from my local paper's editor. No problem. A week later I was having lunch with a couple of local entrepreneur buddies. I told them what had happened. They suggested an online computer business magazine instead of a Herald column, and offered to finance it on the spot, out of their pockets.
I don't have time to start a new publication. But I am in a position to help someone else start one, and to write a story or two for it now and then. Financing's in place. So is a domain name. So at some point the Herald and Herald-Tribune may have (yet) another niche publication competing with them. It won't be a big competitor, but its ad revenue will come from lucrative business-to-business accounts you'd think a local newspaper would be eager to lock up with a weekly (or more frequent) column for local computer-using business people.
This doesn't mean the Herald has a bad editor or that another small paper would have reacted differently. I use this anecdote only to point out that it is now easier to start an online publication than for even a highly-qualified outsider to get his or her work into a local paper. Is it any wonder that local blogs and other online niche publications are springing up like mad? And as a corollary, is it any wonder that newspaper circulation and influence continue to decline?
Newspapers need to open up more to the communities around them. They need to stop confining their interaction with readers to advisory board meetings and questionnaires, and allow readers' stories, opinions, and thoughts to become an integral part of the newspaper itself. They should not allow readers to alter the newspaper's own words, as the Los Angeles Times did back in June with their laughable wikitorial experiment. Moderated comments are a much better way to give readers a voice. So are journals that allow (logged-in) readers the same level of freedom they'd have with their own blogs, but also give them the cachet of being published on a "major brand" Web site.
'Local' is the Key Word
The Herald, Herald-Tribune, and many other (if not most) local newspapers seem to think that they are still their readers' primary source of national and international news, just as they were 20 years ago. So that's what fills their front pages most of the time, with local and regional news stuck in a "B" or "C" section.
Welcome to the Internet age, local newspaper (and TV) people. I can and do get my national and international news from the New York Times, The Washington Post, BBC, Al Jazeera, Fox News, CNN, and other online media that cover faraway events better and faster than you ever will. I turn to you for local news. You tell me more about last week's home invasion robbery on 11th Street East than they ever will.
It's time for local newspapers to become truly local; to feature local news on the front pages of both their Web sites and print editions, with only a few out-of-the-area stories up front, augmented by an above-the-fold story list that tells readers where to find national and international news on their inside pages.
Add readers' stories and comments to the mix and you suddenly have a local online community, not just a newspaper. This will not take work away from professional reporters, photographers, and editors, who will still be the foundation of local news-gathering. In fact, increased interaction with local community members will probably give them more work than ever, because they will find themselves inundated with news tips and story suggestions they never would have found on their own. Some of these story ideas will be dreck and some will be invaluable. It will be up to the newspaper's editors to find the (rare) nuggets in the huge pile of dross they will need to sort through every day, and up to the newspaper's reporters to follow up on them.
One important thing a community-oriented, Web-based newspaper must do is credit readers for their story leads unless they specifically request anonymity. Another good idea is to pay readers who submit news stories that are written well enough that they can run with only routine editing and fact-checking. Those readers are, in effect, doing a reporter's work, and they should get some sort of compensation for it. Some may even turn into stringers capable of covering government meetings and other events when staff reporters aren't available, and a few of those stringers eventually ought to become staff members. After all, if a newspaper is going to be about, by, and for its local community, shouldn't that community be its primary recruiting ground?
Newspapers Will Not Die
Some newspapers (and newspaper chains) will probably not survive the shift from news-as-monologue to news-as-dialog. Most will, although those that wait too long to adjust will have much of their audience, influence, and ad revenue taken away by more agile competitors.
The smartest newspapers will follow my survival recipe or come up with their own way to become an integral part of their community instead of a building full of people who have been sprinkled with Secret Journalism Powder that makes them better and smarter than their readers. These newspapers will not only survive, but prosper. They may even become the prime outlets for bloggers in their communities, which will increase their readership and ad revenue. Extreme ____-wing bloggers won't want their words associated with the hated Mainstream Media, but most others will be happy to have a widely-read, influential outlet for their work.
Eventually, I expect print newspapers to become "snapshots" of their Web editions taken at 1 a.m. or another arbitrary time, poured into page templates and massaged a little by layout people, then sent to the printing presses, a pattern that has potential for significant production cost reductions if handled adroitly. From that point on, their paper editions will be distributed the same way newspapers are now.
Senior citizens and others who can't afford (or don't want) computers are and will continue to be a viable market. So will commuters who use public transportation. Then there are those -- a substantial part of the population -- who simply prefer reading words and looking at pictures on paper to seeing them on a screen. They will still want physical newspapers, even if they are not as up-to-date or as complete as what they'd get on the Web.
However it is delivered, text will not go away anytime soon. For a fast reader, it is the most efficient way to take in large quantities of information. Most people speak at a rate of between 130 and 200 words per minute. Most college students, according to a Virginia Tech student guide, can read non-technical material at 250 to 300 words per minute, and can increase that reading speed significantly with a little thought and practice. Listening to a city council meeting at 150 words per minute takes much longer than reading a meeting transcript at two, three, four or ten times that speed. Now have a skilled reporter -- whether a staff member, paid contributor or volunteer -- write an intelligent summary of that meeting, and even an average reader can learn what happened there in a few minutes instead of slogging through a two hour audio or video recording.
The Web version of that summary can be posted without waiting for the printing presses and delivery trucks to roll, and can have audio or video snippets embedded in it, but there is no reason not to make the text portion of it available on paper for those who prefer it in that form, unless the paper's editors decide so few people are interested in a city council meeting that it doesn't deserve a spot in the print version -- and tracking page readership on the Web version of the paper before the paper edition goes to press should give those editors a good idea of what they should and shouldn't put on paper.
Printed newspapers will have a significant following for many years to come. They may or may not become "expensive," as Professor Fisher predicts, but they will likely become smaller than they are now, and subscription sales efforts will probably be targeted more closely at groups unlikely to have Internet connections, especially senior citizens.
On the Web side, it's likely that newspapers will end up keeping most of their content free, with specialty sections (and posting privileges) reserved for logged-in users. Whether they'll be able to charge for some or all of their Web content is questionable. I paid $50 for a year's subscription to the NYT's Times Select program, and I don't think it's a good enough value that I'll renew my subscription when it runs out. I would be more likely to pay if I lived in New York and that subscription, in addition to what it gives me now, offered access to additional features like complete transcripts of government meetings. Indeed, I would happily pay at least $30 per year to the Bradenton Herald for a well-organized Web edition that gave me what I now get in the paper edition, plus government meeting transcripts and other useful subscriber-only features.
But if I paid for an online subscription to the Herald, I'd probably drop my subscription to the paper edition. I'd still be the same person, with the same interests, earning power and spending habits. The only thing that would change about me, from the newspaper's perspective, would be my news delivery preference.
The challenge for local newspapers that beef up their Web editions at the expense of their paper versions won't be to keep (or add) readers, but to teach advertisers that the Web, not paper, is the best way to reach their most lucrative potential customers.
This may not be easy, but it will be a lot easier than explaining to advertisers why they should keep spending money in a newspaper that has fewer readers, and less influence, every year. -
Katrina Hits the Gaming World
Despite the media's portrayal, Gamers are people too. hollismb writes "From IGN Xbox comes the news today Bungie, the developer of the Halo series, is raising money to aid the hurricane victims. How are they doing it? With a tee-shirt you can purchase from Bungie's store: 'Just so that we're clear, of the $19.95 the shirt costs, about $15 in cleared funds will go straight to the Red Cross and directly to the disaster relief. Nobody, not Bungie, the Bungie store, or the distributor will clear a penny profit.'" Kotaku has a story up with a firsthand account from a gamer trapped in the flood zone, and to provide relief has up a swag auction. If you've been looking for a pair of City of Heroes boxing gloves, this is the place to go. Similarly, Penny Arcade has an auction going, where they're selling the original artwork for the PAX 2005 program. -
Intel Seeking Moore's Law Original Publication
ackthpt writes "Gordon Moore's famous prediction, labeled Moore's Law, was originally published in the April 19, 1965 issue of Electronics. Sometime since, he lent out his copy and it has never been returned. Intel would like an original copy of the now defunct magazine and is offering $10,000 for a copy, presumably in good condition. The story is carried on Reuters, and if you happen to have a copy (of your own, not stolen from a museum or library) you may contact Intel via eBay's WantItNow." -
Gaiman Naming Auction
Embedded Geek writes "Neil Gaiman is auctioning the opportunity to help pick a name in his upcoming novel Anansi Boys. Proceeds will go to the Comic Book Legal Defense Fund. "I've got to name a currently unnamed cruise ship in Anansi Boys. I have no idea what to call it, and, a couple of days ago, realised that my utter lack of inspiration could do good things for the CBLDF. If you wish, you can bid to have the ship named after you, your loved one, your dog, or even your favourite word." As of 10AM PST the bidding is up to US $2,225.00, but surely some slashdotter who cashed out of the bubble at the right time can bid it up. Be warned, though - the auction indicates "Successful bidder agrees to pay actual shipping costs.""