Domain: internetnews.com
Stories and comments across the archive that link to internetnews.com.
Stories · 270
-
Merrill Lynch Rips Sun
cosjef writes "In an open letter to Sun, an analyst for Merrill Lynch tells Sun to change or risk adding itself to the junkyard of formerly-great technology companies like DEC or Data General. The letter even recommends taking the helm away from McNealy, whose 'brash and contrarian personality have been synonymous with the company's image and success. Unfortunately, the act is getting old.' Sun's mistakes are well documented, but the biggest one is believing that what made them successful in the past would make them successful in the future." -
It's a Laptop - It's a Desktop
pcman cuts and pastes: "Amidst the hallowed halls and exhibition floor of the Jacob Javits Center here, one beacon of innovation shone brightly at the TechXNY trade show. At a time when even the show's keynote speakers failed to generate headlines, IBM showed off the might of its design savoir-faire akin to the European assault on the Big Three automakers by German designers and engineers." -
Head Of Homeland Cybersecurity Named
ziggy_zero writes "Security software industry veteran Amit Yoran is expected to be named the new head of federal cybersecurity by the U.S. Department of Homeland Security (DHS) on Tuesday. The DHS is also partnering with CERT to form the "US-CERT" cyber-attack coordination center, coordinating efforts to fight cyber-attacks, worms, etc." -
Good Guys 2, Spammers 0
JoeJob writes "A couple of victories in the legal war against spammers. First, a Washington resident has been awarded a $250,000 decision against a spammer that sent him 58,000 copies of a spam. Second, looks like the spammers who are trying to sue Spamhaus, SPEWS, and other spam blacklists have decided to tuck their tails and run. Let's hope this trend continues." If you care to celebrate this, one food springs to mind. -
E-mail Newsletters Switching To RSS
prostoalex writes "The wide spread of unsolicited e-mails is leading publishers and site owners towards subscription-based RSS, the InternetNews.com article says. Chris Pirillo from LockerGnome is quoted saying that people just do not subscribe to free e-mail newsletters anymore, making a broad assumption that anyone offering them would be a spammer. This short article on About.com also argues for the RSS as preferred format for newsletters, site headlines and all sorts of updates that were e-mailed to customers before." -
Debian: A Brief Retrospective
IanMurdock writes "This weekend, Debian turned 10. To mark the occasion, I've written a retrospective, published at LinuxPlanet. There's also a very nice piece, based in part on my early writings about Debian as well as the retrospective, at internetnews.com." -
Are We About To Enter The Age of Book Piracy?
theodp writes "The speed with which the 4MB e-mail hoax purporting to be the new cookbook from the Naked Chef streaked across the Internet suggests to Slate that a new, disquieting era for the publishing world may be in sight. Indeed, the latest Harry Potter tale made the rounds on the Web just hours after the book went on sale, its 870 pages apparently scanned in and distributed by rabid fans. The old argument that no one likes reading on a computer has pretty much eroded. Just because publishing people can't conceive of book piracy doesn't mean it can't happen." -
SCO Calls IBM Countersuit "Unsubstantiated Allegations"
dacarr writes "Yahoo currently hosts a press release from SCO that basically calls for IBM to "move away from the GPL"." Lycoris tries to dodge the flood of idiocy from Utah. Another non-programmer has seen SCO's presentation, and without attempting to verify the facts through his own research, reported on it. One reader buys a SCO license. SCO justifies their continuing illegal distribution of the Linux kernel. -
China Building Linux-Based 10 Teraflop Supercomputer
securitas writes "CNet Asia reports that China is building a 2000-processor supercomputer based on the AMD Opteron 64-bit CPU. The new supercomputer will run a Chinese-designed Linux operating system. Based on current standings, the resulting 10-teraflop machine will make it the third most powerful supercomputer in the world. The Red Grid project is being built by Dawning Information Industry and China's National Research Centre for Intelligent Computing Systems. The Red Grid/Dawning 4000A is expected to be complete by June 2004. But China has competition - weighing in at 40 teraflops, the Cray Red Storm AMD-based 10,000-Opteron supercomputer built for Sandia National Labs will become the supercomputer heavyweight next year. More at Infoworld, InternetNews and Yahoo." -
Internet Emulator
John3 writes "InternetNews is reporting that PlanetLab is getting closer to reality. According to this article, a consortium of universities (including Princeton) is launching a test-bed platform based on Red Hat Linux. This project is different than Internet2 or some of the other "alternate Internet" networks being developed, and seems to offer the most benefit to distributed computing projects rather than generic WAN/Internet communications." -
Spam, Milord
Your daily dose of spam... rjwoodhead writes "Hansard, the official journal of the UK parliament, reports on a recent discussion of spam in the House of Lords which not only mentions Monty Python, but reads like one of their skits." A New York spammer has been arrested. One account isn't scientifically representative, but it's a grim picture when you're showing a spam-doubling every 42 days. And an article in New Scientist suggests solving a puzzle, which is essentially the same idea as hash cash. -
ATI Radeon 9800 Pro vs. NVidia GeForce 5900
HardcoreGamer writes "Today ATI shipped its Radeon 9800 Pro 256 MB DDR-2 card in time for E3 and nVidia announced the NV35-based GeForce 5900 which will be available in June. Early tests seem to say that while nVidia edges ahead of ATI in specific areas, overall ATI still has the better card. The caveat is that the next generation of DirectX 9-based games (like Doom 3 and Half-Life 2, demonstrated with ATI at E3) will truly determine which is the better card. Lots of coverage at PC Magazine, PC World, The Register (ATI) (nVidia), ExtremeTech, InternetNews, and Forbes/Reuters. Either way, at $450-$500, serious gamers are about to get another serious dent in their wallets." -
SONICblue Hits the Auction Block
turkeywrap writes "Looks like there's no hope for SONICblue, makers of ReplayTV and Rio MP3 players. An agreement with D&M holdings (parent company of audio equipment makers Denon) fell through, so now a bankruptcy court will hold an auction for both of the main business units, ReplayTV and Rio, on April 15. Glad I bought my tivo." -
EDS Silent On New CEO's IT Consulting Past
theodp writes "Slate reports on the press release issued by IT consulting giant EDS to announce new CEO Michael H. Jordan that curiously doesn't show Jordan to have any experience in the IT consulting field. In the late '90s, Jordan helped create IT consulting firm Luminant, took it public, and served as chairman of its board for 21 months. Luminant raised $80+ million from its IPO and paid $422 million to buy businesses as part of its pure-play roll-up strategy before filing Chapter 11 and having its assets sold for a mere $3 million. Slashdot readers may remember Luminant as the wacky workplace of My Fake Job, in which an ex-"Late Night" writer described 17 days he spent faking a job at the dot-com." -
JBoss To Share Profits With Developers
An anonymous reader submits: "internetnews is reporting that JBoss has started distributing compensation in the form of profit-sharing and options to developers that worked on the application server. The article can be found here. I can't find the announcement on the JBoss site but it can be found on any number of release wires like newsalert." -
Do RIAA Demands Violate FERPA Protections?
jorr writes "Bob Liu's commentary 'Copyrights: More Work, More Headaches' questions whether the demands from the RIAA violate due process. He states 'According to FERPA, school officials are permitted to access student records but outside organizations like RIAA would need "to comply with a judicial order or lawfully issued subpoena."'" -
Office 2003 and XML
zachlipton writes "Internet World is reporting that initial reports from Office 2003 beta testers don't look good for those hoping to share documents with non-MS systems using the XML file format. Gary Edwards, the OpenOffice.org representative for the OASIS XML file-format group is quoted as saying "although it's still early in the review process, it does look as though XP XML has been so seriously crippled as to be useless to anyone but the big content management and collaboration system providers." Apparently, all formatting and presentation information is removed from the XML. Furthermore, Office's new collaboration features will only work with users who are also running Office 2003 (requiring Windows 2000 or 2003) that are connecting over XP servers." So Microsoft will continue its efforts to lock-in users with proprietary formats, and hopefully the rest of the world will produce an XML standard document format without them. -
Sun Releases Open Source XACML Language
LowneWulf writes "An InternetNews.com article mentions that the OASIS standards group today ratified the Extensible Access Control Markup Language 1.0 specification. But even better, Sun Microsystems Labs has backed this up with an open-source version in Java on Sourceforge." -
E-commerce Sites to Collect Sales Taxes Nationwide
aengblom writes "An agreement between 38 states and some of the nation's largest retailers is bringing taxes to the net, The Washington Post reports. In return for collecting taxes for all U.S. sales, the retailers would not be held liable for taxes they 'failed' to collect previously. Best quote: 'If we disclose who these companies are, it's like putting a target on their back.' The Post reports that Wal-Mart, Marshall Fields, Target, Toys R Us and Mervyn's have all 'independently' announced plans to collect taxes nation-wide." Internetnews.com has a story about the taxes and an article claiming it won't hurt online sales. -
Linuxworld Expo Wrapup
Robin Miller has posted his third Linuxworld story. Theevilbalrog sent in a link to some LWCE photos. Some other Linuxworld-related stories include this one about open source in government and this one covering some of the many Linux business stories at the expo.
I was at the Expo on Thursday and Friday. Some of my impressions of the conference:
It's getting more business-y and less geeky every year. There are a lot of reasons for that, and it isn't all bad, but it's still vaguely sad to see.
HP and IBM accounted for about half the floor space - seriously. The Expo promoters must have played the two companies off against each other as far as conference participation went, and besides the large areas devoted to these companies, there were other large sections that were intended to represent an average company solving all its problems with Linux - these areas were jointly sponsored by HP, IBM and the other big companies at Linuxworld. It wasn't quite as if the entire conference was owned by IBM and HP, but it was pretty close.
There was virtually no BSD presence. I think I saw some NetBSD people - that was it.
The .org pavilion is still going strong - while the rest of the conference is getting more business-oriented (fewer engineers and more salesdrones), the non-profit free and open source software area is still sizable and well-attended.
There were fewer "check out our neat new hardware gadget running Linux" booths and more "buy an expensive rack server running Linux from us" booths.
Linux.conf.au sucked a fair number of the geekiest attendees away from LWCE. Okay, the Australian conference is a lot smaller, but it's still dumb to schedule them simultaneously.
-
DDoS for Fun and Profit
First there's the Microsoft worm, reported earlier, which in addition to all the other damage has apparently knocked Microsoft's Windows XP activation servers (and Bank of America ATMs) off the net. Then we've got a report about the ongoing demise of DALnet, perhaps not the way we expected it to go. And Canada discovers a risk of online voting. -
IBM, AT&T and Intel Plan National Wireless ISP
dailywireless writes "Cometa Networks (formerly The Rainbow Project), a joint venture by IBM, Intel and AT&T, plans to merge Wi-Fi and cellular networks. 'Cometa's vision and plan for this is to offer a single sign-on, single authentication, seamless-roaming nationwide network,' said Michael Mass, vice president of marketing for the Communications Sector at IBM. 802 Plant reports 'AT&T will provide the network infrastructure and management, IBM the wireless installation and back-office system, and Intel the Banias processor. The company plans to have ubiquitous coverage - no further away than 5 minutes walk in an urban area or 5 minutes drive in a rural area - by 2004, which will require the deployment of more than 20,000 hotspot access sites across the U.S.' What fate awaits "free" networks like NYC Wireless, Seattle Wireless or Portland's PersonalTelco? Will AT&T use CoMeta's blanket coverage, with 20,000 "hotspots", to crush the "free" rebellion like a bug?" -
Senators Aim to Wirelessly Jumpstart Broadband
JimW writes "Article at Practically Networked...A couple of senators actually have a clue about how broadband might be effectively promoted. Not that I have anything against my tax dollars propping up failing telcos by pushing DSL on areas where it isn't financially viable. Methinks the dark fiber will stay dark." Their plan calls for 255 MHz of spectrum to be allocated for wireless broadband - to compare, the band occupied by 802.11b is 83 MHz wide, with each channel being 22 MHz (they overlap). -
Xbox Live Goes Online
abhikhurana writes "Internetnews is reporting that Microsoft has launched Xbox Live broadband gaming service. To access Microsoft's service, Xbox gamers have to buy a $49.99 starter kit, which includes 12 months' worth of access to the Xbox Live service and a headset kit for voice communications. Microsoft said that about 16 games with online play capabilities will be available by the end of the year. So has anyone already tried it? If so, what do you think about it?" -
A Way To GPL Java
-
19 megabits on 3G
haligan writes "Bell Labs research arm announced the development of two prototype chips that would allow mobile devices to receive more than 19 megabits of data per second on 3G networks." Power consumption is low enough for cell phone type applications. -
Red Hat 8.0 Reviewed
Jon writes "Eugenia from OSNews is giving Red Hat 8.0 a run for its money. She posted a very detailed and balanced review for the new version of Red Hat, which aims to be a "business desktop". Very interesting article and discussion over at OSNews." Several people also sent in the stories from InternetNews as well as LinuxPlanet. -
Paging Eliza: Patenting IM Bots
-
Bulkregister Sues Verisign Over Marketing Campaign
zentec writes "An article at Datacenter wire indicates that Bulkregister sued Verisign over their often confusing and pretty slimy mailing campaign. The campaign is (of course) targeted to domains registered somewhere other than Verisign. The mailings are nothing more than domain "slamming", and look like renewal bills rather than a solicitation to renew with Verisign. What's particularly slimy is that the mailings are for renewals on domains either recently renewed with someone else, or for domains expiring between 120 and 180 days! Bulkregister is also seeking an immediate injunction against the mailings saying that they are an impediment to current contracts with their customers." There's also a Reuters article, or see our original story. Bulkregister has run their own sleazy marketing campaign in the past, and paid the price for it. -
FCC Petitioned to Restrict 2.4GHz Band
Mean_Nishka writes: "Internet News is reporting that satellite radio provider Sirius is petitioning the FCC to regulate and hinder providers of 802.11b based networks. Sirius claims their radios operate at frequencies only 55 MHz lower than wifi's range, and fear that Wifi users could interfere (especially mobile and internet service providers). This could effectively kill free networks nationwide..." -
Wireless Mania
burnsy and others sent in links to stories about 802.11b that are cropping up everywhere. The New York Times has one. (Well, two, actually.) Salon has one. InternetNews has a piece about Boingo, a new wireless start-up, that's also covered in this Forbes article. (The NYT article above also mentions Sputnik.) Both Boingo and Sputnik are trying to leverage the existing community wireless networks to speed their network build-outs. MIT's Tech Review has an interesting piece about a wireless start-up that has already tried and failed. Fixed wireless is also booming, according to an industry study. -
LinuxWorld: Business, Business and More Business
Clarkson University wins a server from IBM. Sun is bringing embedded Linux to its UltraSparc IIe processors. Wired has an overview of LinuxWorld, talking about how it's all business and the joy is gone; and so does Internet.com; and so does Newsforge, which also has a story about LinuxWorld in Paris. The Register has a lengthy interview with Miguel de Icaza, in which he notes "Gnome 4.0 should be based on .NET". -
Apache 2.0 vs. IIS
TonyG writes: "According to an item on InternetNews, the impending release of Apache 2.0 could very well mean the demise of IIS. Interestingly, the article asserts that Microsoft have already given up on IIS, the proof being its absence in XP Home and its non-standard presence in XP Pro. Apache.Net? Sounds catchy..." That's a silly argument by the internetnews.com writer - IIS isn't in the Home edition because Microsoft wants to charge more for "server" operating systems, not because they're "admitting defeat". But it's a decent look at the upcoming Apache 2.0. -
Road Runner Doesn't Do XP
PerlStalker writes: "Internet News has an article up that mentions, among other things, that Road Runner (owned primarily by AOL/TW) will not support XP. From the article: 'Road Runner, the second-largest cable Internet service provider (ISP) in the nation with more than 1.4 million subscribers, does not support the controversial new operating system (OS) for its customers and will not support its use on the cable network.'" Note that this doesn't stop customers from connecting to Road Runner from XP systems, but until their staff is trained specifically, Road Runner won't help them with technical problems arising from that combination. -
AT&T Wireless Drops Fixed Wireless
n8twj writes: "According to this story at Internetnews.com, AT&T has decided to graciously bow out of the Fixed Wireless arena. This is a move that strands 47,000 of its customers, displaces its entire fixed wireless division staff and costs the company more than $1 billion." Iridium, Ricochet, and Sprint's ION are now gone or all-but-gone, too -- it's been a bad year for unconventional Internet service customers. -
Human Markup Language
emc3 writes: "This article at InternetNews says that OASIS, the XML interoperability consortium, has announced the formation of a committee to develop Human Markup Language, 'to promote a specification for conveying human characteristics through XML.' The idea is to codify psychological, emotive, cultural, and physical characteristics in a standardized way. They say that the most obvious application would be for describing physical characteristics and actions in virtual reality environments. Other real-world uses could include describing a patient's psychological state for medical records. The OASIS press release is here. No more :-/ for me. From now on, it's <smirk>!" -
Continuing Security Concerns at DoubleClick
In 1999, DoubleClick bought the Abacus database, which got them a ton of data about our personal buying habits. They've promised not to correlate it with their banner-ad database, but that's not the concern this week. This week, the concern is their network security. Last week Thursday, the French site Kitetoa discovered three separate security issues on DoubleClick's network; the company deleted the evidence of one immediately, but left the servers up until Monday, when they mostly closed the other two. There are numerous other issues but the question on everyone's mind should be, how long and how far has DoubleClick been penetrated? And how long can we expect it to continue?
As I write, I'm aware of two security holes in their network, which is an improvement over last night, when the number was three. Unfortunately, this does not mean they are now 33% more secure. I don't have the background to be sure exactly how significant the remaining problems are, but I'll share what I know.
Unfortunately, DoubleClick's Chief Privacy Officer was not available by press time to respond to questions. We have offered the company a chance to respond, and we hope they'll take that opportunity to clear up some questions. Meanwhile, here's their official statement on the matter as of today:
"Over the last week there have been unsuccessful attempts made to hack into DoubleClick's servers. Those situations were immediately corrected," said Jules Polonetsky, Chief Privacy Officer, DoubleClick. "DoubleClick is now undergoing a comprehensive security audit, including the expertise of external security professionals and engineers, to fully ensure the continued integrity of our servers."
Now here's the history of DoubleClick security since last week, as far as I can tell.
Kitetoa ("KITE-a-toe-a") is a group of white-hat hackers who publish together under that pseudonym. They broke the news on their website simultaneously with transfert.net, and spoke with someone at DoubleClick to make sure the company knew to patch the holes. (I left several messages to this same contact, but he did not return my calls.) They continue to update their site with more DoubleClick security news.
The first IIS vulnerability is the commonly-known Unicode bug, which lets an anonymous web client traverse out of the web root and read, write and execute files with the same permissions as the web server's anonymous account, typically IUSR.
Using this vulnerability, Kitetoa discovered the second security issue, which is that someone else had compromised the DoubleClick corporate webserver at some time in the past. The file eeyehack.exe was left on www.doubleclick.net. This is a backdoor written by the white-hat hackers at eEye, which opens port 6969 for attackers to telnet in.
DoubleClick assures us that eeyehack.exe could never have been executed, because that directory had script access disabled.
But I spoke with Marc Maiffret, Chief Hacking Officer of eEye (the people who brought you this port of nmap to Windows NT, by the way). He points out that the same backdoor could have been copied elsewhere, too, possibly into directories that allowed execution. I've asked DoubleClick whether they checked this; no answer at press time.
It's a separate question whether a cracker could have gotten SYSTEM level access through some other hole. With just IUSR level access, probably not much could have been done. There's no evidence that higher-level access was obtained ... but absence of evidence is not evidence of absence.
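The traversal described above is worth seeing mechanically, because the reason it worked is the order of operations rather than any missing check. What follows is an added example for this page, not code from the original article, from DoubleClick, IIS or eEye: it models a check that canonicalises the path before it decodes the overlong UTF-8 bytes (%c0%af and %c1%9c are the well-known overlong encodings of "/" and "\"), shows the correct decode-then-check order, and runs a detector over a few constructed W3C-style log lines. The log format (date, time, client, method, URI, query, status), the addresses and the timestamps are assumptions made for the example.

```python
"""Added example (not DoubleClick's or IIS's code): how the IIS "unicode bug"
gets past a path check that canonicalises before it decodes, and a detector
that flags such requests in web-server logs.  The log lines are constructed."""
from urllib.parse import unquote_to_bytes


def lenient_utf8_decode(data: bytes) -> str:
    """Decode UTF-8 the way the vulnerable server did: accept overlong two-byte
    sequences (lead byte C0 or C1) that a strict decoder must reject, and map
    them to the ASCII character they encode.  C0 AF -> '/', C1 9C -> '\\'."""
    out = []
    i = 0
    while i < len(data):
        b = data[i]
        if b < 0x80:
            out.append(chr(b))
            i += 1
        elif 0xC0 <= b <= 0xDF and i + 1 < len(data) and 0x80 <= data[i + 1] <= 0xBF:
            out.append(chr(((b & 0x1F) << 6) | (data[i + 1] & 0x3F)))
            i += 2
        else:
            out.append("\ufffd")  # other byte forms are not relevant to the bug
            i += 1
    return "".join(out)


def decoded_path(raw_uri: str) -> str:
    """What the file system eventually sees: percent-decode, then lenient UTF-8."""
    return lenient_utf8_decode(unquote_to_bytes(raw_uri))


def vulnerable_check(raw_uri: str) -> bool:
    """Models the flawed order of operations.  Segments are split on the literal
    '/' and percent-decoded, but the overlong bytes are never turned into a
    separator, so '..%c0%af..' looks like one oddly named directory and never
    climbs above the web root.  Returns True if the request is allowed."""
    depth = 0
    for seg in raw_uri.split("/"):
        seg_bytes = unquote_to_bytes(seg)
        if seg_bytes == b"..":
            depth -= 1
            if depth < 0:
                return False
        elif seg_bytes and seg_bytes != b".":
            depth += 1
    return True


def escapes_webroot(raw_uri: str) -> bool:
    """The correct order: fully decode first, then normalise '\\' to '/' and walk
    the segments.  True if the path climbs above the web root."""
    depth = 0
    for seg in decoded_path(raw_uri).replace("\\", "/").split("/"):
        if seg == "..":
            depth -= 1
            if depth < 0:
                return True
        elif seg and seg != ".":
            depth += 1
    return False


# Constructed W3C-style log lines: date time client method uri query status
SAMPLE_LOG = """\
2001-02-05 10:12:01 10.0.0.7 GET /scripts/..%c0%af../winnt/system32/cmd.exe /c+dir 200
2001-02-05 10:12:09 10.0.0.7 GET /scripts/..%c1%9c../winnt/system32/cmd.exe /c+dir+c:\\ 200
2001-02-05 10:13:30 10.0.0.9 GET /index.asp - 200
2001-02-05 10:14:02 10.0.0.7 GET /msadc/../../winnt/system32/cmd.exe /c+dir 404
"""


def flag_traversal(log_text: str):
    """Return (client, uri, status, allowed_by_vulnerable_check) for every request
    whose decoded path escapes the web root.  The plain '../' attempt is caught
    even by the flawed check; the overlong-encoded ones are not."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split(" ")
        if len(fields) != 7:
            continue
        client, uri, status = fields[2], fields[4], fields[6]
        if escapes_webroot(uri):
            hits.append((client, uri, status, vulnerable_check(uri)))
    return hits


if __name__ == "__main__":
    for hit in flag_traversal(SAMPLE_LOG):
        print(hit)
```

The last field of each hit is the useful one when triaging old logs: a traversal that the flawed check would have allowed, answered with a 200, is a request that most likely succeeded, which is exactly the question the 1999-dated backdoor raises.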
What concerns many people is that the eeyehack.exe file that was visible had a modification date of 1999. We know this date is not accurate, because the exploit that writes that file did not exist until last November. But that odd date does raise questions about how long DoubleClick's network has had these vulnerabilities.
The nightmare hypothetical is that a cracker has had access to DoubleClick's networks for the last couple of months or years, and has been reading the data they have been collecting about banner ad clicks. Or, worse, has had access to the Abacus database. Let me emphasize that I know of zero evidence that this has actually happened. But the potential for enormous privacy violations, with this company more than almost any other, is very serious.
DoubleClick assures me there is a good reason for the 1999 date on the backdoor program, but my question about it goes unanswered at press time.
The third hole is almost exactly one year old, and it allows ASP source code to be read. This alarms people because the server named AbacusOnline.DoubleClick.net was shown to be vulnerable. I verified this myself and learned the SQL passwords that go with two usernames, "gcolon" and "aowebuser."
Asked to estimate whether a determined cracker could have made use of those SQL passwords, Kitetoa guessed it was "85% certain" - for whatever that's worth.
Not that SQL passwords should have been stored in the ASP code anyway. Marc Maiffret comments, "One of the better ways to secure SQL login information, within an ASP file, would be to store all of the login information and functionality within a COM object. This is not a silver bullet solution but it does provide you with much better security than storing things in plain text in a .asp file."
Was that database accessible from outside DoubleClick's network? Not that I could tell, but I didn't try very hard. What data was in that database? Considering the wealth of data that Abacus has collected on our purchasing habits, we might justifiably be concerned about a machine named "AbacusDirect."
Again, DoubleClick denies that this is a problem, saying it was a programmer's machine which "was not connected to consumer or production data in any way." We have to trust them on that.
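Two checks follow from the source-disclosure problem just described: confirming whether a server really does hand back raw ASP instead of rendered output (the way to verify a claimed fix), and finding connection strings that carry a plaintext password in the source that was exposed. This is an added example for this page, not DoubleClick's code and not the COM-object approach Maiffret describes; the ASP text, host name, user name and password in it are constructed, and the hardened function shows the general shape of the advice (keep the credential out of any file the web server can serve) using an environment variable as one stand-in for a COM object or an out-of-web-root config file.

```python
"""Added example (not DoubleClick's code): detect ASP source disclosure in a
response body and scan disclosed source for plaintext SQL credentials.  The
ASP text, host, user and password are constructed for the example."""
import os
import re

# An unprocessed <% ... %> block in a response means the script was served, not run.
ASP_BLOCK_RE = re.compile(r"<%.*?%>", re.DOTALL)
# Fields of an ADO/ODBC-style connection string we care about (case-insensitive).
CONN_FIELD_RE = re.compile(r"(?i)\b(pwd|password|uid|user id)\s*=\s*([^;\"']+)")

SAMPLE_ASP = """<%
Set conn = Server.CreateObject("ADODB.Connection")
conn.Open "Provider=SQLOLEDB;Data Source=dbhost;Initial Catalog=orders;User ID=webuser;Password=Hunter2!"
Set rs = conn.Execute("SELECT name FROM customers")
%>
<html><body><%= rs("name") %></body></html>"""

RENDERED_HTML = "<html><body>Alice</body></html>"


def looks_like_asp_source(body: str) -> bool:
    """True if the body still contains script blocks, i.e. the server returned
    the .asp file itself rather than the HTML it should have produced."""
    return ASP_BLOCK_RE.search(body) is not None


def find_embedded_credentials(source: str):
    """Return (line_number, user, password) for every line inside a script block
    whose connection string carries a plaintext password."""
    findings = []
    for block in ASP_BLOCK_RE.finditer(source):
        start_line = source.count("\n", 0, block.start()) + 1
        for offset, line in enumerate(block.group(0).splitlines()):
            fields = {m.group(1).lower(): m.group(2) for m in CONN_FIELD_RE.finditer(line)}
            password = fields.get("password") or fields.get("pwd")
            if password:
                user = fields.get("user id") or fields.get("uid")
                findings.append((start_line + offset, user, password))
    return findings


def connection_string(secrets=None) -> str:
    """The hardened shape: the credential is looked up at run time from a store
    the web server cannot serve as a file (environment here, by assumption), so
    a source-disclosure bug reveals only the lookup, not the secret."""
    src = os.environ if secrets is None else secrets
    return ("Provider=SQLOLEDB;Data Source=dbhost;Initial Catalog=orders;"
            f"User ID={src['DB_USER']};Password={src['DB_PASSWORD']}")


if __name__ == "__main__":
    print("source disclosed:", looks_like_asp_source(SAMPLE_ASP))
    for lineno, user, password in find_embedded_credentials(SAMPLE_ASP):
        print(f"line {lineno}: user={user} password={'*' * len(password)}")
```

When re-testing a claimed fix, fetch the .asp URL through the same exploit path and feed the body to looks_like_asp_source; a rendered page returns False, the raw script returns True. The scanner masks nothing on its own, so redact the password before the findings go into a report.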
That's what was known as of Monday, and you may have seen that in the MSNBC story, InternetNews story, or the ZDNet story.
But the problems continue. Kitetoa has continued scanning DoubleClick's networks, and continues to turn up vulnerable servers. A half-dozen servers of unknown significance are still Unicode-able. And - let me check - yes, I can still read ASP source code on travel.doubleclick.net.
Continuing Security Concerns at DoubleClick
In 1999, DoubleClick bought the Abacus database, which got them a ton of data about our personal buying habits. They've promised not to correlate it with their banner-ad database, but that's not the concern this week. This week, the concern is their network security. Last Thursday, the French site Kitetoa discovered three separate security issues on DoubleClick's network; the company deleted the evidence of one immediately, but left the servers up until Monday, when they mostly closed the other two. There are numerous other issues, but the question on everyone's mind should be: how long and how far has DoubleClick been penetrated? And how long can we expect it to continue?
As I write, I'm aware of two security holes in their network, which is an improvement over last night, when the number was three. Unfortunately, this does not mean they are now 33% more secure. I don't have the background to be sure exactly how significant the remaining problems are, but I'll share what I know.
Unfortunately, DoubleClick's Chief Privacy Officer was not available by press time to respond to questions. We have offered the company a chance to respond, and we hope they'll take that opportunity to clear up some questions. Meanwhile, here's their official statement on the matter as of today:
"Over the last week there have been unsuccessful attempts made to hack into DoubleClick's servers. Those situations were immediately corrected," said Jules Polonetsky, Chief Privacy Officer, DoubleClick. "DoubleClick is now undergoing a comprehensive security audit, including the expertise of external security professionals and engineers, to fully ensure the continued integrity of our servers."
Now here's the history of DoubleClick security since last week, as far as I can tell.
Kitetoa ("KITE-a-toe-a") is a group of white-hat hackers who publish together under that pseudonym. They broke the news on their website simultaneously with transfert.net, and spoke with someone at DoubleClick to make sure the company knew to patch the holes. (I left several messages to this same contact, but he did not return my calls.) They continue to update their site with more DoubleClick security news.
The first IIS vulnerability is the commonly-known Unicode bug (Microsoft bulletin MS00-078). IIS checked request paths for ".." before it decoded overlong UTF-8 sequences such as %c0%af ("/") and %c1%9c ("\"), so a request like /scripts/..%c0%af../winnt/system32/cmd.exe walks out of the web root and runs commands, and reads or writes files, with the permissions of the web server's anonymous account, typically "IUSR_machinename."
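As an added example (my code, not anything from the article, from Kitetoa or from eEye), here is a small Python detector for that bug: it percent-decodes a request path, then decodes UTF-8 the lenient way IIS did so that overlong sequences come through as the characters they stood for, and finally checks whether the decoded path climbs above the document root. It runs over a few constructed IIS-style log lines; the log format, the client addresses and the msadc path variant are assumptions made for the example.

```python
"""Detect IIS Unicode directory-traversal attempts in W3C-style web logs.

Added example, not code from the article, Kitetoa or eEye. IIS checked the
path for ".." and only then decoded UTF-8, so an overlong encoding of "/"
(%c0%af) or "\\" (%c1%9c) got past the check. Sample lines are constructed.
"""
import re
from typing import List, Tuple

# Constructed sample lines, IIS W3C extended format:
# date time client-ip method uri-stem uri-query status
SAMPLE_LOG = "\n".join([
    "2001-03-14 10:02:11 10.0.0.5 GET /scripts/..%c0%af../winnt/system32/cmd.exe /c+dir+c:\\ 200",
    "2001-03-14 10:02:12 10.0.0.5 GET /msadc/..%c1%9c..%c1%9c..%c1%9cwinnt/system32/cmd.exe /c+dir 200",
    "2001-03-14 10:03:40 10.0.0.9 GET /default.asp - 200",
    "2001-03-14 10:04:01 10.0.0.9 GET /images/../default.asp - 200",
    "2001-03-14 10:05:15 10.0.0.7 GET /scripts/../../winnt/system32/cmd.exe /c+dir 404",
])

_PCT = re.compile(r"%([0-9A-Fa-f]{2})")


def percent_decode(uri: str) -> bytes:
    """Turn %XX escapes into raw bytes; everything else passes through."""
    out = bytearray()
    i = 0
    while i < len(uri):
        m = _PCT.match(uri, i)
        if m:
            out.append(int(m.group(1), 16))
            i += 3
        else:
            out.extend(uri[i].encode("utf-8"))
            i += 1
    return bytes(out)


def utf8_lenient(data: bytes) -> Tuple[str, bool]:
    """Decode UTF-8 accepting overlong forms; returns (text, overlong_seen).

    A strict decoder (Python's included) rejects 0xC0 0xAF; IIS took it as "/".
    """
    out: List[str] = []
    overlong = False
    i, n = 0, len(data)
    while i < n:
        b = data[i]
        if b < 0x80:
            out.append(chr(b))
            i += 1
        elif 0xC0 <= b <= 0xDF and i + 1 < n and 0x80 <= data[i + 1] <= 0xBF:
            cp = ((b & 0x1F) << 6) | (data[i + 1] & 0x3F)
            overlong = overlong or cp < 0x80    # two bytes spent on an ASCII char
            out.append(chr(cp))
            i += 2
        elif 0xE0 <= b <= 0xEF and i + 2 < n and all(
                0x80 <= data[i + k] <= 0xBF for k in (1, 2)):
            cp = ((b & 0x0F) << 12) | ((data[i + 1] & 0x3F) << 6) | (data[i + 2] & 0x3F)
            overlong = overlong or cp < 0x800   # three bytes for a two-byte char
            out.append(chr(cp))
            i += 3
        else:
            out.append("\ufffd")                # malformed byte; keep going
            i += 1
    return "".join(out), overlong


def escapes_webroot(path: str) -> bool:
    """True if the path's ".." segments climb above the document root."""
    depth = 0
    for seg in path.replace("\\", "/").split("/"):
        if seg == "..":
            depth -= 1
            if depth < 0:
                return True
        elif seg not in ("", "."):
            depth += 1
    return False


def classify(raw_uri: str) -> str:
    """Label a raw path: ok, traversal, overlong-encoding or unicode-traversal."""
    decoded, overlong = utf8_lenient(percent_decode(raw_uri))
    escapes = escapes_webroot(decoded)
    if overlong and escapes:
        return "unicode-traversal"   # the IIS bug, as exploited
    if overlong:
        return "overlong-encoding"   # suspicious even without ".."
    if escapes:
        return "traversal"           # plain "..": IIS itself refused these
    return "ok"


def scan_log(log_text: str) -> List[Tuple[str, str, str]]:
    """Return (client-ip, uri-stem, verdict) for every request that is not ok."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 7 or parts[0].startswith("#"):
            continue
        ip, uri = parts[2], parts[4]
        verdict = classify(uri)
        if verdict != "ok":
            hits.append((ip, uri, verdict))
    return hits


if __name__ == "__main__":
    for ip, uri, verdict in scan_log(SAMPLE_LOG):
        print(f"{ip:10} {verdict:18} {uri}")
```

Plain "../" traversal is something IIS itself refused, which is exactly why attackers needed the overlong form; the detector labels the two differently so ordinary ".." noise doesn't bury the real hits. The stranger variants in which IIS tolerated a non-hex character inside the escape are not decoded here.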
Using this vulnerability, Kitetoa discovered the second security issue, which is that someone else had compromised the DoubleClick corporate webserver at some time in the past. The file eeyehack.exe was left on www.doubleclick.net. This is a backdoor written by the white-hat hackers at eEye, which opens port 6969 for attackers to telnet in.
DoubleClick assures us that eeyehack.exe could never have been executed, because that directory had script access disabled.
But I spoke with Marc Maiffret, Chief Hacking Officer of eEye (the people who brought you this port of nmap to Windows NT, by the way). He points out that the same backdoor could have been copied elsewhere, too, possibly into directories that allowed execution. I've asked DoubleClick whether they checked this; no answer at press time.
It's a separate question whether a cracker could have gotten SYSTEM level access through some other hole. With just IUSR level access, probably not much could have been done. There's no evidence that higher-level access was obtained ... but absence of evidence is not evidence of absence.
What concerns many people is that the eeyehack.exe file that was visible had a modification date of 1999. We know this date is not accurate, because the exploit that writes that file did not exist until last November. But that odd date does raise questions about how long DoubleClick's network has had these vulnerabilities.
The nightmare hypothetical is that a cracker has had access to DoubleClick's networks for the last couple of months or years, and has been reading the data they have been collecting about banner ad clicks. Or, worse, has had access to the Abacus database. Let me emphasize that I know of zero evidence that this has actually happened. But the potential for enormous privacy violations, with this company more than almost any other, is very serious.
DoubleClick assures me there is a good reason for the 1999 date on the backdoor program, but my question about it goes unanswered at press time.
The third hole is almost exactly one year old, and it allows ASP source code to be read. This alarms people because the server named AbacusOnline.DoubleClick.net was shown to be vulnerable. I verified this myself and learned the SQL passwords that go with two usernames, "gcolon" and "aowebuser."
Asked to estimate whether a determined cracker could have made use of those SQL passwords, Kitetoa guessed it was "85% certain" - for whatever that's worth.
Not that SQL passwords should have been stored in the ASP code anyway. Marc Maiffret comments, "One of the better ways to secure SQL login information, within an ASP file, would be to store all of the login information and functionality within a COM object. This is not a silver bullet solution but it does provide you with much better security than storing things in plain text in a .asp file."
Was that database accessible from outside DoubleClick's network? Not that I could tell, but I didn't try very hard. What data was in that database? Considering the wealth of data that Abacus has collected on our purchasing habits, we might justifiably be concerned about a machine named "AbacusDirect."
Again, DoubleClick denies that this is a problem, saying it was a programmer's machine which "was not connected to consumer or production data in any way." We have to trust them on that.
That's what was known as of Monday, and you may have seen that in the MSNBC story, InternetNews story, or the ZDNet story.
But the problems continue. Kitetoa has continued scanning DoubleClick's networks, and continues to turn up vulnerable servers. A half-dozen servers of unknown significance are still Unicode-able. And - let me check - yes, I can still read ASP source code on travel.doubleclick.net.
As well as www.doubleclick.net. The company said Monday that the holes had been fixed on that, their main corporate website. But as of five minutes ago, I was still able to read ASP source code on that server using the year-old exploit. (I did not see any more SQL passwords, for whatever that's worth.)
DoubleClick's Chief Privacy Officer Jules Polonetsky claimed on Monday that "Even a partial breach of a noncritical server is unusual," a claim which looks more dubious every day.
Maybe none of these servers has any valuable data on them. But to a serious cracker, breaking into them could easily have provided the necessary opportunity to reach further into DoubleClick's systems. Being inside the firewall, setting up trojans, sniffing network traffic from other machines - these are all reasons why unauthorized access of any machine must be taken very seriously.
And there's more. A security writer from transfert.net - a sort of French "Wired" - was able to snoop around one of DoubleClick's internal mail systems, webmail.doubleclick.net. It's fixed today, but he sent me a partial list of employees whose mail files were in a directory. (He could not read the mail itself, and DoubleClick denies that mail could have been, at any point, read.)
Here's the big picture. Where long-term security is concerned, process is always more important than the individual problems. We can learn more about DoubleClick's security by observing their response to security reports.
I would have hoped to see servers taken down. As Kitetoa remarked to me, "I think they should have closed all the servers for an hour or two while they fixed the problem." Or, if necessary, longer. Tough decision, but better than possibly exposing data.
I would have hoped that DoubleClick would not announce to the media that everything was fine until they actually knew that this was true. At this point, we have to trust them when they say that attackers could not have seriously compromised their data.
And I would have hoped that they would start tackling problems sooner than they did. Vulnerabilities about which they were informed last Thursday were not fixed until Monday. (The vulnerabilities themselves, of course, are not new, and some of them are a year old.)
And more vulnerabilities continue to crop up. Paranos (based in Paris) found one just by using search engines. The funny thing they found was a database of DoubleClick employees in the U.K. who attended last year's Christmas party.
Less funny is the list of people Paranos found who apparently filled out a form in conjunction with FoodTV, the "Outfit Your Kitchen Sweepstakes."
It took about two hours after I notified their PR contact of the URL before it was removed. It was stored in what appears to be a directory of backup data which was never intended to be public: http://www2.doubleclick.net/live2/chefs/foodtv-bak/form/chefs.txt.
This isn't a vulnerability, but it is indicative of the company's security process. DoubleClick should have policies in place to prohibit posting backup data on public websites; it should enforce those policies; and when it was done anyway, it should have found the leak by internal audit.
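One way to turn that policy into an audit, as an added example (my code, not DoubleClick's and not the audit they announced): walk a web server's document root and flag three things this story describes, backup directories or files published under the docroot, ASP pages carrying database logins in plain text (the weak form Maiffret advises against above, with the credential kept in a COM object as the better form), and the backdoor filename that was found on www.doubleclick.net. The sample document root is built in a temporary directory with constructed contents; the directory layout borrows the live2/chefs/foodtv-bak path the article cites, and the user name, password, ProgID and the person in the data file are invented.

```python
"""Audit a web document root for the kinds of leaks in the DoubleClick story.

Added example, not DoubleClick's code or audit. It flags:
  * backup data published under the docroot (e.g. a "-bak" directory),
  * ASP/include files carrying database logins in plain text,
  * a known backdoor filename (eeyehack.exe, from the story) anywhere.
The sample docroot is constructed in a temp directory; values are invented.
"""
import os
import re
import shutil
import tempfile
from typing import List, Tuple

# Path segments that mark backup or leftover copies: foodtv-bak, db.bak, site_old, ...
_BACKUP_RE = re.compile(r"(?i)(^|[-_.])(bak|backup|old|orig)([-_.]|$)|~$")

# Connection-string fields that should never sit in server-side source.
_CRED_RE = re.compile(r"(?i)\b(pwd|password|uid|user\s*id)\s*=\s*[^;\"'\s]+")

# Backdoor filenames to look for; eeyehack.exe is the one named in the story.
KNOWN_BACKDOOR_FILES = {"eeyehack.exe"}

# Server-side source files that get scanned for credentials.
_SOURCE_EXT = (".asp", ".inc", ".asa")

Finding = Tuple[str, str]  # (kind, path relative to the docroot)


def audit_docroot(root: str) -> List[Finding]:
    """Walk the docroot and return sorted (kind, relative-path) findings."""
    findings: List[Finding] = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            if name.lower() in KNOWN_BACKDOOR_FILES:
                findings.append(("backdoor-file", rel))
            if any(_BACKUP_RE.search(seg) for seg in rel.split("/")):
                findings.append(("backup-data-in-docroot", rel))
            if name.lower().endswith(_SOURCE_EXT):
                with open(full, encoding="utf-8", errors="replace") as fh:
                    if _CRED_RE.search(fh.read()):
                        findings.append(("plaintext-db-credentials", rel))
    return sorted(findings)


def build_sample_docroot() -> str:
    """Create a constructed docroot in a temp dir and return its path."""
    root = tempfile.mkdtemp(prefix="docroot-")
    files = {
        "default.asp": '<% Response.Write "hello" %>',
        # Weak form: login embedded in the page source (invented values).
        "live2/chefs/form/entry.asp":
            '<% conn.Open "Provider=SQLOLEDB;Data Source=dbsrv;'
            'User ID=webuser;Password=s3cret" %>',
        # Better form: no secret in the source; a COM object (invented ProgID) holds it.
        "live2/chefs/db.inc":
            '<% Set db = Server.CreateObject("Site.DbGateway") %>',
        # Backup of form submissions left under the docroot (invented row).
        "live2/chefs/foodtv-bak/form/chefs.txt":
            "Jane Example,555-0100,Anytown\n",
        # Leftover backdoor binary (placeholder bytes, not the real tool).
        "scripts/eeyehack.exe": "MZ placeholder\n",
    }
    for rel, content in files.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(content)
    return root


def remove_sample_docroot(root: str) -> None:
    """Delete the constructed docroot."""
    shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    sample = build_sample_docroot()
    try:
        for kind, path in audit_docroot(sample):
            print(f"{kind:26} {path}")
    finally:
        remove_sample_docroot(sample)
```

Run against a real docroot, the interesting output is the second category: a "-bak" directory of form submissions is not a bug in any product, so no scanner looking for vulnerabilities would report it, which is why the check has to be part of the publishing process rather than an afterthought. A filename match for the backdoor is only a starting point; on a live server you would also check which directories allow execution and whether anything is listening on the port it opens.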
This promotion ran in 1999. Remember, kids, data you give to corporations never goes away, and may pop back up at any time!
I picked one of the phone numbers for my state and gave it a call. Kathy Bankes, the wife of one of the people on the list, answered the phone. She said she was "very leery with the computer," and then proceeded to give me a common-sense understanding of the state of security on the internet.
"They say things are supposed to be secure," she said, "but I don't care how secure anything is - if somebody knows how to get in, they're going to get in if they have the technology."
"Should we worry about it or not?" she asks. I would say yes, especially when the company that owns an enormous customer purchasing database has problem after problem with its security. Maybe I'm naive to think that privacy promises mean anything in the real world, or that crackers can be fended off by a big corporation.
When I'd expressed my surprise at all this to Kitetoa, he'd just chuckled and said, "You'd be surprised what you can find on the internet. It's all like this."
Kathy, too, was pretty sure that there were people who have all this private information anyway. She very sensibly pointed out that credit card and other personal data can be stolen in the real world just as easily as the internet.
And she answered her own question for me: "There's really nothing you can do. I don't feel secure anyways."
-
One-Click Reprise
The One-Click Saga has been going on for a while now. BountyQuest has now thrown in the towel on finding a definitive usage of one-click web shopping that predates Amazon's patent. Tim O'Reilly wrote a response to the finding, where he accepts Amazon's patent as valid - with nary a mention of the fact that most of the world doesn't permit software patents at all. Finally, Internetnews.com looks at the future of one-click and notes that despite any smoking gun, this might help Barnes and Noble fight their lawsuit against Amazon. -
Appeals Court Puts Amazon 1-Click Patent in Question
sallen writes "An article in the Internet News which can be read here indicates the Appeals Court handed Barnes and Noble a victory by overturning the injunction of the lower court based on the Amazon Patent. In the article it stated "The United States Court of Appeals for the Federal Circuit found, after careful review, "that BN has mounted a substantial challenge to the validity of the patent in the suit." All I can say is, it's about time!" -
MSN vs. MAPS
wonderdog writes: "I don't remember seeing this here before... but MAPS has added a bunch of MSN's mail servers to their list. Catch the story at internetnews.com. It was brought to my attention by an MSN user who called us to complain that we were rejecting his mail." -
Bind, Safer DNS, and IPv6
resistant writes: "This article at Network World Fusion (seen at Linux Today) says, "In addition to DNSSEC, BIND 9 features support for IPv6, the ability to run on multiprocessor systems and improved scalability for handling large domain name zones." The urgent need (by Nike anyway, heh-heh) to forestall easy domain hijacking could be the sleeper issue that finally ushers in universal implementation of IPv6." -
.god Domain Names: Another "Pioneer" Registrar
commodoresloat writes: "According to this article, the top-level domain (TLD) .god will soon be available. Most interesting is that Joe Baptista, who will be selling domain names under the TLD, says outright that he will not respect trademarks or even court decisions ordering him to respect trademarks. Does this mean anyone can register microsoft.god?" Available, maybe, but not very useful if ICANN doesn't care to ever recognize them. Note, though, the site is only semi-functional. "The registry will allow you to look up dot.god names for availability but it will not allow you to register at this time." Pity. I hope CmdrTaco gets credit.