Slashdot Mirror

Hiro_Later writes "Sen. Charles Schumer of New York, a member of the Senate Judiciary Committee has asked state prosecutors to seek an injunction blocking the launch of Windows XP. His reasoning? "Without 'significant changes,' new technologies might never get the opportunity to compete." Microsoft of course disagrees arguing instead that XP will bring more choices and content to consumers not less. What I find interesting is Schumer was formerly a skeptic of the government's antitrust case against Microsoft, perhaps he has seen the light. Judge for yourselves here." Update: 07/25 01:41 AM by H :So, based on the e-mail I've been getting, evidently people have forgotten that what submittors type is in italics. Like this. Notice how when I type here that is in normal type - if you've got other questions, please check out the FAQ. There's lots of fun information in there. We now return you to our regularly scheduled programming.

Nerftoe writes: "CBS Marketwatch is reporting that AOL has been quietly integrating its AOL Instant Messenger and ICQ products. This would create a combined user base of about 146 million." That's a lotta people.

Nerftoe writes: "CBS Marketwatch is reporting that AOL has been quietly integrating its AOL Instant Messenger and ICQ products. This would create a combined user base of about 146 million." That's a lotta people.

There's a backdoor in Microsoft Webserver software. The Wall Street Journal article isn't very technical, so we don't know yet exactly which software is affected: IIS, FrontPage, or both. It apparently doesn't affect Windows 2000 or FrontPage 2000. The workaround Microsoft "urges" is to delete dvwssr.dll. And just to make your Friday a little more surreal, the secret backdoor password apparently has something to do with Netscape engineers being "weenies." Update: 04/14 09:02 by J : It's been a busy day for some programmers at Microsoft and elsewhere. The word as of 3:30 EDT, according to Russ Cooper, is that "there is NO VULNERABILITY IN DVWSSR.DLL. Yup, that's right, different again from what I said earlier, and even more different than what I said yesterday to WSJ." (more)

Here are the basic details from the article (expensive reg. req.), because I can't find this story anywhere else. Strange that the WSJ should have the scoop on a security issue.

Microsoft Acknowledges Its Engineers Placed Security Flaw in Some Software
By TED BRIDIS
Staff Reporter of THE WALL STREET JOURNAL

Microsoft Corp. acknowledged Thursday that its engineers included in some of its Internet software a secret password -- a phrase deriding their rivals at Netscape as "weenies" -- that could be used to gain illicit access to hundreds of thousands of Internet sites world-wide. [...]

The company planned to warn customers as soon as possible with an e-mail bulletin and an advisory published on its corporate Web site. Microsoft urged customers to delete the computer file-called "dvwssr.dll"-containing the offending code. The file is installed on the company's Internet-server software with Frontpage 98 extensions.

While there are no reports that the alleged security flaw has been exploited, the affected software is believed to be used by many Web sites. By using the so-called back door, a hacker may be able to gain access to key Web-site management files [...]

Russ Cooper, who runs the popular NT Bugtraq discussion forum on the Internet, estimated that the problem threatened "almost every Web-hosting provider." [...]

And, Black Parrot passed along this link to a CBS Marketwatch story, which is free but short on detail.

markf was one of the first people to e-mail us about the ahead of schedule unveiling of the X-Box. As those who have watched the news, Microsoft's gaming console has been a close secret. Now we know it's going to be about 600 Mhz, DVD-ROM drive, 64+ megs of RAM. Gates went on to talk about the market, which is very interesting. They'll be aiming at Nintendo, Sony and Sega, the triumvirate of the Gaming Market. The machine itself will be Windows-based, and will support online "stuff" - although only through high speed connections. I've got to admit - this thing looks really interesting. They are hoping for a Christmas 2001 release, which will make competing with Dolphin and PSX2 difficult.

absolute writes, "Who would have thought Ebay the online auction site would ever had a chance to buy the venerable 250-year old auction house Sotheby's? Apparently, Ebay is trying to capitalize on the price fixing scandal at Sotheby's to buy it. The story is here." Hmm. I hope they get Sotheby's sniped from them at the last minute by some guy with a perl script. Update: 02/29 12:04 by R : eBay denies any interest in Sotheby's.

TheFitz writes "CBS is running a story about LinuxCare receiving some heavy backing. Also mentioned in the story is the potential for LinuxCare to go public with an IPO. " Several comments from Sifry and a few other tidbits about the company. Worth a gander if you're curious about Linuxcare.

After last week's TRUSTe story, I spoke with TRUSTe's Dave Steer about my concerns with the organization. A slightly clearer picture of TRUSTe's role emerged, but few of my concerns were allayed. Click for more.

First, the week's news in brief. There has been a class-action lawsuit filed against RealNetworks. Then there were two lawsuits - no, make that three lawsuits. Their stock faltered, then rallied, and is now about 40% above the day the privacy news broke.

Strangely, TRUSTe removed its press release "TRUSTe and Real Networks Announce A Pilot Software Privacy Program" from its News page on Saturday, along with one other, replacing them with an older one. There's no indication this has anything to do with the bad press of the last week.

Dave Steer had written a rebuttal to last week's story, but it is unfortunately still not available. If and when the rebuttal is published, we'll update this story with a link to it.

Now for the issues at hand. In our conversation, Dave wanted to make two key points. The first is that TRUSTe is not a "consumer advocacy group," the phrase I've been using. The second is that their press release regarding RealNetworks was a landmark decision, a culmination of six months' worth of their realizing that they have to move in a new direction.

If TRUSTe is not a consumer advocacy group, that raises the question of what it is. I didn't get a very clear answer from Dave on this. Its website says:

"The TRUSTe program was designed expressly to ensure that your privacy is protected through open disclosure and to empower you to make informed choices."

The "you" and "your" means you - the consumer. TRUSTe claims it was designed to empower and protect you.

But it's not going to do this by punishing corporations for privacy transgressions. TRUSTe is all carrot and no stick. The carrot is that, after a corporation has been caught breaking the rules, it can restore its damaged reputation by cooperating with TRUSTe: issuing a press release, taking some simple steps to improve the situation, etc.

This is a fault that's built into the way TRUSTe was set up: a design problem. There are some questions of poor implementation as well. After the March 1999 revelation of Microsoft's secret GUIDs (user-tracking technology that can lead the cops to your door), TRUSTe went to them and asked for action. Not punishment of any kind - all they asked for was an audit.

And according to Dave, "Microsoft said no."

How could Microsoft make TRUSTe back down? The poor implementation is that TRUSTe's contract with Microsoft, and with RealNetworks, and presumably with all its 750+ licensees, makes a distinction between privacy violations that take place over the web, and others. Companies that steal consumers' privacy through non-web-related technology are not covered under paragraph 5A of the TRUSTe License Agreement.

Paragraph 5C, however, allows TRUSTe to break the agreement and void the trustmark, for any reason. If it had wanted to pressure Microsoft, this would have been the threat to make: terminating the contract, and going public with a condemnation.

But that wasn't TRUSTe's goal. Although it claims:

"...licensees agree to cooperate with all TRUSTe reviews and inquiries. If we cannot reach a satisfactory resolution ... [this] could result in a Web site compliance review by a CPA firm, revocation of the trustmark, termination from the TRUSTe program, breach of contract proceedings, or referral to the appropriate federal authority."

...it will never take these steps. Microsoft refused to cooperate because the carrot wasn't big enough - so TRUSTe offered them a bigger carrot. RealNetworks scanned its users' hard drives for private personal data, uploaded it to their servers, and blatantly lied about it. Short of actually stealing our credit card numbers and running up a tab at the Sharper Image, it is hard to imagine a more serious violation of privacy. Yet TRUSTe went to them hat in hand, asking to be allowed to collaborate.

Those contracts that give TRUSTe no authority over non-web privacy violations? That's not a bug - that's a feature. Even when it has the right to take serious action, a right TRUSTe grants itself in paragraph 5C, it chooses not to use it. Design problem.

Corporate invasion of personal privacy is not a win-win situation. This is a war in which TRUSTe will often have to take sides. Learning that it backed down from Microsoft and had to haggle over even the audit it wanted to impose was an eye-opener. Chris Larsen, the CEO of E-Loan who revealed the behind-the-scenes haggling, described his company as "very concerned" about TRUSTe's inability to address the issue.

In fact, I never would have heard about that if not for the Slashdot comment where Seth Finkelstein called attention to it. It's not confidence-inspiring that TRUSTe has refused to allow any negative information on its homepage, in its press releases, or in its statements of findings. The constant comforting message leaves me uncomfortable.

Dave's second point was that this collaboration - on a new program which will cover non-web as well as web violations of privacy - heralds an important new direction in TRUSTe's history. Now that they have enough licensees to pay the bills, they are not beholden to any of their sponsors, and can start to take a harder line. And they can renegotiate their contracts to fix the web/non-web distinction.

I'd like to believe that's true. But the heads of TRUSTe surely know that, if they ever started condemning corporations' privacy violations instead of collaborating with them, renewals on their contracts would dry up. Corporations love to enter agreements with organizations which give them good press. Organizations that give bad press get ignored at best.

TRUSTe's reputation for lax enforcement is surely part of the reason they now have 750 licensees. It would be a very different story if the carrot ever got replaced by the stick.

I could be wrong. But TRUSTe's actions support this view even if its words don't. RealNetworks needed to be slapped, hard - but now it's up to the lawsuits to give the company a reality check.

Sure, TRUSTe may have helped RealNetworks figure out the proper reaction in this case. But it has 750 other licensees that all got the message loud and clear: whatever you do, TRUSTe will not chastise you. There is no incentive to do the right thing. By its actions, TRUSTe encourages corporations to violate privacy when they think they can get away with it. This will happen again - and it will be the same story each time.

And it may happen sooner rather than later. The most frightening thing I've heard all week was Dave Steer's offhand comment that programs like RealJukebox are probably more common than we think. That makes it all the more ironic that TRUSTe is unwilling to put consumers' interests first.

Bob Frankenberg was CEO of Novell in the early nineties, when Novell were marketing DR-DOS as a replacement for MS-DOS (DR-DOS is now the subject of a law suit between Caldera and Microsoft). In part of this CBS interview he explains why his new company, Encanto, is not using Microsoft software, and why they chose FreeBSD. Read on for a few notes.

There are a number of interesting things to take from this article. It's unsurprising that an ex-Novell CEO does not want to use MS software after the way Novell were treated by them, it is mildly surprising that he hasn't chosen a Novell, or other 'industry standard' solution.

Encanto's choice of FreeBSD over Linux is also interesting. Naturally, we all know that FreeBSD is the best choice (heh heh heh :-)), but Linux (or Solaris) would be the anti-MS knee jerk choice. Using FreeBSD suggests that they've actually investigated the different OS choices open to them, and chosen one on merit -- or that the first SA they hired preferred FreeBSD over Linux.

As ever, the media have got the licensing issues wrong. One of the key things about the BSD license is that you don't have to contribute enhancements back to the original codebase if you don't want to -- of course, that doesn't stop many companies from doing so anyway, because it's better business sense in the long run.

Having looked at the Encanto web site, and the products they're selling, the license may very well be the key issue. They sell network appliances -- plug and play web servers, that sort of thing, and the ability to make proprietry changes to the code base to support their product (and enhance their product's value) without having to disclose those changes is probably key to their business plan.

This is quite similar to the approach taken by Whistle and their Interjet devices. Whistle have been the classic example of a company which has contributed code back, even though the license doesn't force them to -- typically 6 to 12 months after they've deployed it in their product, and reaped the commercial benefit. This lets them recoup their development costs plus profit, and lets the rest of the community benefit from (and extend and support) the code later on.

Finally, CBS's phrase, "so-called open-source software" should get them a stiff letter from ESR...

terrified wrote to to us with the official word that Visio has been purchased by Microsoft. Visio makes some incredible network diagramming and technical drawing software and is used extensively worldwide. The deal was a 1.3$US billion dollar stock swap between the two companies.

getafix sent us a link to a decent little article on CBS's Marketwatch page about Netscape's Open Source Adventures. Its another "Look, Open Source is Swell" kind of article from the mainstream. Some Slashdot references too.