Domain: msnbc.com
Stories and comments across the archive that link to msnbc.com.
Stories · 616
-
AOL May Open Instant Messaging To Other Servers
Brento writes "MSN is reporting that 'AOL said that it's almost done developing the technology that would allow its messaging services to operate with those offered by other industry players.' The article is light on details, but it sounds like they're going to offer interoperability directly with other servers -- not allow users to log in with new clients. 'It expects to complete an agreement with a leading technology company to conduct a live test between two different servers later this summer.' That would mean good news for competing services like MSN, but it would mean we might have to set up our own Jabber servers to really get the level of service we want." Of course, since other projects have demonstrated they can do the same things that AIM does, and AOL has repeatedly shut them out of its IM network, it's interesting to see a sudden interest in "interoperability."
-
Bionic Ear Now In FDA trials
Kierthos writes: "This article mentions that a new bionic ear for people who are truly deaf has been developed. It doesn't amplify sounds, but converts them into electric impulses. And apparently, it's the software which is under review by the FDA, not the implanted chip." Silicon retinas, plastic hearts, synthetic skin, ceramic hips ... the line between possible and impossible keeps getting thinner. -
The Well-Connected Park Bench
|proc|meminfo writes: "MSN is bringing internet access to park benches in Bury St. Edmunds, England. The bench (for now) will be in Abbey Gardens, and those with laptops will be able to hook up to receive free MSN internet access through the bench. MSN says it should be ready for operation in August/September." Interesting to see Microsoft's approach here -- a park bench on the internet is a good idea. The concept of connecting community centers with computers predates the Net and is going on all around, though; you may find these two academic overviews (here's one, and another) intriguing, especially the mentions of the Berkeley-area Community Memory project. And looking beyond parkbenches, various community networking groups like consume.net are working to decentralize Net access, at least for those living where coverage is available.
-
Search Engine Payola
QwkHyenA writes: "Seems that Ralph Nader and his Consumer Watchdog group has fired the first shot in pegging 8 search engines for reshuffling query results based on fees paid to them. Like we didn't see this happening! Nader has asked the FTC to look into this based on deceptive advertising practices..." Check out the complaint, which itself references pages like this one detailing how to pay for placement at all the major search engines. -
Amelia Earhart Mystery Solved?
Un1v4c writes: "According to this article on MSN... "A Delaware-based archaeological group is sufficiently intrigued to send a diving team to an atoll 2,000 miles southwest of Hawaii to get an up-close look at whatever produced the rust-colored spots on the space photographs taken by Space Imaging of Thornton. "Nothing out there occurs naturally that's rust colored," said Rick Gallespie of the International Group for Historic Aircraft Recovery. He believes the rusty object just beyond the reef that surrounds the uninhabited atoll could be an engine and the landing gear of Earhart's Lockheed 10-E Special Electra."" See also this article on space.com and the picture in question. Apparently Earhart never had a piece of outhouse wash up on shore to help her escape. -
Microsoft to Change OEM Licensing
IdleMindUI writes: "According to this article on MSNBC, OEMs will now have the option of adding products to or removing products from the windows desktop. Earlier licensing agreements prohibited OEMs from changing the windows desktop. "Reserving its harshest criticism for this practice, the court said Microsoft used its power to illegally maintain a monopoly by pushing potential competitors off the computer desktop, considered to be the prime real estate of new computers."" Microsoft's press release has more information on what Microsoft will and will not permit OEM's to do. -
Pentium Throws a Fastball
phillippaxton writes: "Abner Doubleday lives in the 21st century. Two mechanical engineers have gotten together and created what may be the perfect pitching machine, powered by a P3 850MHz computer. Using an eight-axis industrial robot, it has the ability to throw practically any pitch within the strike zone. Custom-built software enables you to choose the type of pitch by pointing at a touch-screen, setting the speed, location, handedness, as well as fastball, curveball, slider, slurve, changeup, cutter, sinker, splitfinger fastball or knuckleball. There's also a database of 2500 preset pitches in a database." -
MS, CNET On 7-Day Messenger Outage
imipak writes: "Microsoft have finally commented on the recent seven day outage at their Messenger IM service -- some users have permanently lost data, and there's still no explanation of the cause. Interesting earlier story from CNet News. Key quote: "... an outage that lasts seven days with no valid explanation really starts to make you think about .Net, and about Microsoft's plans for the Internet. What if this were the new Office software verification service that was down?"" Here's a story on MSNBC as well. -
Using Cell Devices To Monitor Traffic Flow
MxTxL writes "MSNBC is running a fairly nifty story here about how a few telco companies are thinking of using cell phone, pager and GPS signals and even the toll-payer transponders to analyze traffic patterns and give operators better abilities to route traffic around congestion. The article even mentions a few privacy issues and talks a little bit on how the GPS units in cars could be alerted to warn the driver about upcoming congestion and suggest an alternative route. " -
Antimatter Decay Rates Explain Existence Of Matter
Paintthemoon writes: "The Stanford Linear Accelerator Center released a paper Friday that may explain why matter won the battle with antimatter following the big bang. In studies of B mesons, they determined that there is a significant differential in decay rates between B mesons and anti-B mesons. Similar studies in the 60s of K mesons led to a Nobel Prize." -
Copyrights and Copywrongs
Skywise writes: "MSNBC has a very good article looking at the history of copyrights, their implementation into law by the founding forefathers to protect democracy, and the extreme danger the DMCA will be to our country." -
MSNBC on Slashdot
Rainstorm writes "MSNBC has a story on Slashdot, with a good bit of history on the site and its own interpretation of the goals of the site. It also references some possible outcomes of the recent VA Linux announcement." Is anyone besides me sick of reading about Slashdot? I feel like they write them just to get us to link them, and we almost have to link them because hundreds of readers submit them thinking that I care that yet another web site is blabbing about Slashdot. Anyway the story covers a lot, although I'm not at all worried about "The Future of Slashdot". OSDN continues to be very supportive, and the Slashteam is almost ready to move Slashdot to the new code tree with all sorts of wacky new stuff (bug fixes, messaging, journals, and more) Oh, and their poll doesn't work under Konqueror, so I reposted it here cuz darn it, I'm curious ;) -
Microsoft Verdict Vacated
Everyone and their brother sent in this unsurprising news: the Appeals Court handling the Microsoft anti-trust case has overturned the break-up decision. A few story URLs: CNet, BBC, ABC, AP, Reuters, MSNBC. The decision is available in .pdf format. A brief summary: the Findings of Fact (Microsoft's conduct, etc.) are still in place, but Judge Jackson's evaluation of those facts and the penalty he imposed are thrown out. A new District Judge will examine the case, starting from the Findings of Fact. Update 2h later by J : Dan Gillmor's analysis is good. So is this Washington Post column, which is insightful except it doesn't go far enough. It also shows MS CEO Steve Ballmer's attitude even before today's ruling: "Is there any limit to what you think you can put into the operating system at all?" "...as a matter of law, no, I don't think so..." -
Compaq Shifts Focus
Matt Watson writes: "MSNBC is running this story on Compaq's shifting mainly to software and services. The article states that the sluggish PC market is partly to blame." More specifically, Compaq is talking about "industry-specific" packages. Niche marketing, basically, but with a very large company that can concentrate on certain areas. -
Slashback: Shelter, Panic, Intrusion
Welcome to Slashback for the evening: Yes, another big security problem with the world's second-most popular web server, a slight revision of the plight of Silicon Valley's homeless, and good news from the Indymedia front.
Remember, Free Software Sinks Ships. curtS was one of the many to point out that "MSNBC has an article about a security hole you could throw a cat through." This might be more exciting if it was the first time, but jamie posted about a very similar-sounding flaw a few months ago.
Calling off the dogs of war. An anonymous reader writes: "Slashdot reported that Indymedia had received a court order to hand over the logs and other records pertaining to the IMC's coverage of anti-globalization protests in Quebec City. Now FBI has dropped the case. Here is the press release."
phunhippy points to coverage at Wired as well.
This Old House - gr8dane writes "I was just checking out the Sunday posting on /. about .commers in homeless shelters and Salon is running an update to the same story. The previous post prompted quite a bit of feedback on /. and this update article seems to support those who felt the Sunday article wasn't indicative of the industry as a whole. 'John Sacrosante says he went from six figures to a shelter. His friends say there's something fishy in San Jose.' Quite interesting ... "
DoctorZ writes: "In response to reading the recent article about Zero-Knowledge's withdrawal from Linux development for Freedom. I emailed them discussing my concerns along with everyone else's. Here was their response:
'Hello,
We know....
We understand your disappointment. It is not an easy decision. We are not giving up on Linux. Our entire Freedom Network is Linux based! This decision was taken in response to the number of people purchasing the Linux version as compared to the number purchasing the Windows version. While many of us at Zero-Knowledge are Linux enthusiasts, the number of interested Linux users downloading Freedom simply didn't warrant continued development efforts, and we have chosen instead to apply our development resources in a way that will maximize value to our customers.
Once again, thank you for expressing your concerns.
Regards,
Alan"
-
GM Investing in Fuel Cells
artemis67 writes "MSNBC is reporting that GM is getting ready to invest heavily in hydrogen fuel cell technology, believing that it is the way to go to increase fuel economy and reduce emissions. They believe their cars can go 500 miles without refueling, and possibly create their own hydrogen by chemically converting (not combusting) gasoline. The article can be found at MSNBC." Of course, the financial details aren't given in terms of dollars, but when the largest automaker recognizes that a seachange is coming, that's something to note. Or, they could be hedging their bets. Yeah. Probably the latter. -
Cal-ISO Breach Revealed
HiredMan writes: "The LA Times says in a story that 'hackers' had penetrated the Cal-ISO, the California electric grid parent company, and were attempting to compile code to allow them to penetrate the 'firewalls' to access the actual grid control computers. Apparently the 'hackers' -- who came through a Chinese server -- breached a development computer that wasn't hardened and the intrusion went undetected for over two weeks until the intruders brought too much attention to themselves. Trying to downplay the incident one official said, 'It was a compromise, not really an attack.'" An anonymous reader pointed to coverage at MSNBC as well. -
Stretched Silicon Speeds Semiconductors
byrd77 writes: "IBM is touting new 'strained' silicon as being up to 35 percent faster while reducing power requirements. Let's hope this is more than just an exercise in straining credulity..." See also their press release. -
Nevada Lawmakers Nearer To OK'ing Net Betting
jyuter writes: "Nevada has approved in theory to license on-line gambling sites. It will probably take a while for them to actually start licensing since they need (among other things) "reasonable assurances" that the vendors can prohibit minors. One lawyer even suggested "biometrics" or a fingerprint scan to detect minors, or GPS to determine if the person playing is in a legal state." The word "spoof" keeps hurling itself across my line of sight. (Should the state get to charge people $500,000 every two years for operating a business without toxic waste? Talk about a barrier to entry!) -
The Reviewer Who Wasn't
An anonymous submitter sent in a pretty timely link as we enter the summer hype, er, summer movie season. Let the ticket-buyer beware... -
You Are What You Click
Ksop writes: "Predictive Networks Inc. sells a product that can identify users by recognizing their input patterns. The way you use the mouse and keyboard may be used to track you. Story here. That scares me a little. But it's also a cool idea." -
AOL 6.0 Bundled with Windows XP?
mizhi writes: "MSNBC reports that AOL6.0 will be bundled with Windows XP and given prominent placement on the desktop in exchange for exclusive Internet Explorer support. They're also talking about making Windows Media Player the exclusive player for AOL. No monopoly here... keep moving along..." What about MSN? Mozilla? If AOL isn't going to switch to a new Netscape or Mozilla browser to base their client upon, what happens to Netscape? -
U.S. OKs VeriSign Domain Deal
mduell writes: "The U.S. government approved a deal allowing top Internet domain registrar VeriSign to retain control of the lucrative ".com" Web addresses, the Commerce Department said Friday." ICANNwatch has a couple of stories about the deal finally reached, and the steps taken by the Commerce Department to promote competition in the DNS. -
Aimster Loses Domain to AOL
mduell writes "The National Arbitration Forum (NAF) decided that the "AIM" in Aimster violates America Online's trademark and that Aimster must relinquish several Internet domain names with "AIM" in them to AOL." Just another in a long series of cases that prove that if you have a trademark, you have the right to any domain name that contains those letters in that order. I don't like it any more than you do. -
Russians Offering More Space Tourism
mduell submitted an MSNBC story about a company in Russia offering more trips to space. No docking with the space station for these tourists tho. No word on price... instead of a week in Soyuz capsule, how about you give me half of the multi-million-dollar-fee, and you can stay at my place and I'll get you drunk. You'll feel like you're in zero Gs, but with a bigger room. -
NASA: Planetary Exploration, Or Better Coffee
6EQUJ5 writes: "I sighed bitterly when I read the headline at MSNBC_SpaceNews_Front: "NASA voices 2020 vision for Mars" (OK, let's hope I live that long!) Bitterness gave way to sheer comedy when I read the next headline: NASA craft to watch coffee crop. Dan Goldin has the worst sense of priorities if he thinks 20 years is an acceptable time frame for a manned (and/or womanned) Mars mission -- in the meantime NASA picks up odd jobs like watching coffee grow." While these stories make a funny contrast, a) I'm sure there's a lot to learn (and plan) before sending a mission to Mars and b) if NASA's going to test cool new tech, like that solar wing, perhaps giving it a practical earthside purpose is a good idea. -
Bioinformatics
tadghin pointed out this Newsweek article on bioinformatics, and also notes: "At O'Reilly, we just published our first bioinformatics book last week, Learning Bioinformatics Computer Skills, by Cynthia Gibas and Per Jambeck, and it immediately rocketed to the top of the Amazon Computer bestseller list. This definitely appears to be a new area for the computer industry that's just starting to hit people's radar big time. I've also made the point to VCs looking at distributed computation startups that what I see on sites like slashdot is a lot of movement by hackers towards new and interesting problems. And science looks a lot more interesting than some of the business computing that's been front and center the past couple of years. And the Biological Open Source Computing Conference I spoke at last year was definitely popping with ideas and excitement. Unfortunately, this year's conference is in Copenhagen, right before the O'Reilly open source convention, but I definitely urge slashdotters to check out this area. Demand for perl expertise is especially high." -
Hi-Tech Repo Man
jhaberman writes: "MSNBC has an amusing article. It is a ride-along with a Silicon Valley repo man. You know, those guys who swipe cars from people who can't pay. He is taking cars right out of all the big players (Apple, Intel, Cisco, Sun) parking lots! Needless to say, he has quite a bit of work right now. Hilarious." -
Brewing Storm: Stealth, ISPs And Copyright
Handulschteim writes: "As if nobody could have guessed, the Internet community has continued to circumvent the entertainment industry. According to this Reuters article, HavenCo has joined the action. It might be great marketing for them. But it might also be the beginning of the end if they attract the ire of their closest neighbor and its American buddies." (ruebarb contributes a link to the same story featured on MSNBC.) Since ISPs are going to face increasing pressure from the various 4-letter acronyms, it seems like the obvious next step for the entertainment factories to lobby for would be a ban on all encrypted traffic for which no key is in escrow for easy policing. -
'Server, Heal Thyself,' Says IBM
quakeaddict writes: "I guess it was inevitable. According to this story IBM is spending 25% of their considerable R&D budget to build self healing servers. One memorable quote: "Most important, Wladawsky-Berger said, the machines will be so simple that they will be no more difficult to operate than a kitchen appliance. That should reduce the need for highly skilled workers who are in increasingly short supply." I hope I can make enough for early retirement!" Of course, "IBM plans to develop failproof servers" is a bit like "Ford Plans to develop fuel-sipping flying cars," but the more intelligence built into machines, perhaps the better overall. -
Hacking Wireless 802.11b Nets
John Higgins writes "The Wall Street Journal has a great article on my greatest worries about setting up a wireless network in my home. White hatter Peter Shipley and Matt Peterson of, among other things, the Bay Area Wireless User Group, drove the reporter around the valley with some rudimentary equipment to find how many corporate networks they could "see" from the street or parking lot. (Sun Micro, check your encryption!) Call me a techie lightweight, but it looks like HPNA2 for me!" -
Fingerprint I.D. chips
An AC sent in this: "AuthenTec's scan gathers information from radio frequency signals bounced down to a live layer of skin. Those signals return to the fingertip-size chip where a tiny array of antennas take the feedback and chart out peaks and valleys, yielding a three-dimensional "sculpture" of even the faintest fingerprint." -
FBI Does A Cracker-Jack Job
kade writes: "MSNBC has an article on a story about the FBI hacking the machines of a bunch of Russian crackers in an attempt to get evidence on them due to the inability or unwillingness of the Russian government to assist them in fighting cybercrime." Another reader pointed to coverage on CNN as well. -
Catch (Watch) A Falling Star
tkrotchko writes "The first meteor shower of the year peaks early tomorrow morning. The Lyrid Meteor shower started April 16th but peaks Sunday morning between 2 AM and 5 AM. MSN has a good overview of the Lyrid, but if you intend on watching, astronomy.com has a map showing you exactly where to look. My experience with meteor showers in the past has been hit or miss; most are a bust, but occasionally, there are some pretty spectacular showers." -
FBI Turns To Private Sector for Data
MSNBC is running a nice piece about a private company that aggregates data about you and sells it to the government. Things like this are why I just don't understand the typical Libertarian babble that government data collection is bad, but corporations should be allowed to collect and sell whatever data they want. Hey, guess what: if a corporation can collect and sell your information, it's available to the government too. Ten billion records! That's more than 30 lines of data - each line could have dozens of pieces of information - about every man, woman and child in the United States. The mind boggles. -
Sex.com Returned to Original Owner
-
New Evidence for Open Universe
Observations made by the Hubble telescope have produced evidence that the universe is full of "dark energy", stuff that has mass but does not emit nor block light, and that a disregarded theory first postulated by Einstein about "negative gravity" is actually valid. If true, this would provide firm evidence that the universe will not collapse in a "big crunch" but will expand indefinitely. See the SF Chronicle, New York Times, MSNBC, or CNN for stories (the Chronicle story is the best, IMHO). For background information, you may want to check out the cosmology FAQ or more information about negative gravity. (Update: 04/04 11:03 AM by michael : A couple of people have pointed out that this write-up is inaccurate; I'm not going to try to correct it, but read the comments for more information.) -
Northpoint Points South
RebornData (on behalf of the madding crowd) writes: "I'm sending this via a dialup account because Northpoint just shut off their network (according to my ISP -- Telocity) as a consequence of their financial troubles. Here's an MSNBC story about it. Telocity claims that they will find an alternative provider for me, but it will be at least three weeks. Methinks anyone trying to order / change DSL service from anyone in the next few months is going to be hosed ... because *every* Northpoint customer will have to be reprovisioned. Ugh." As a former Flashcom victim, my thoughts go out. And those of you with the enviable opportunity to catch up on some cuddling by the fire can perhaps burn all your old contracts and "cheap, always-on access" advertisements. -
Day In The Life Of Net Scam Artists
NeoCode writes: "This article chronicles a day in the life of two hackers. Seems like a reporter anonymously paid these hackers to log in their typical day. In the article, they talk about how they fool people with their spams and phreaking scams. It's in quite a bit of detail in terms of what these guys do to make money (and tons of it). Obviously these guys are breaking the law and nibbling on innocent/naive users. Looks like AOL and other ISPs still have to beef up their filters to stop spamming." Not a lot of details, but it's kinda interesting. -
Secrets of Sight
ephraim writes: "A group of scientists has discovered that the secret to sight involves just 10-12 "output channels" between the eye and the brain. One of the researchers explains that "Even though we think we see the world so fully, what we are receiving is really just hints, edges in space and time." MSNBC has the story here. This appears to be the first of many steps towards creating a bionic eye." -
Continuing Security Concerns at DoubleClick
In 1999, DoubleClick bought the Abacus database, which got them a ton of data about our personal buying habits. They've promised not to correlate it with their banner-ad database, but that's not the concern this week. This week, the concern is their network security. Last week Thursday, the French site Kitetoa discovered three separate security issues on DoubleClick's network; the company deleted the evidence of one immediately, but left the servers up until Monday, when they mostly closed the other two. There are numerous other issues but the question on everyone's mind should be, how long and how far has DoubleClick been penetrated? And how long can we expect it to continue?
As I write, I'm aware of two security holes in their network, which is an improvement over last night, when the number was three. Unfortunately, this does not mean they are now 33% more secure. I don't have the background to be sure exactly how significant the remaining problems are, but I'll share what I know.
Unfortunately, DoubleClick's Chief Privacy Officer was not available by press time to respond to questions. We have offered the company a chance to respond, and we hope they'll take that opportunity to clear up some questions. Meanwhile, here's their official statement on the matter as of today:
"Over the last week there have been unsuccessful attempts made to hack into DoubleClick's servers. Those situations were immediately corrected," said Jules Polonetsky, Chief Privacy Officer, DoubleClick. "DoubleClick is now undergoing a comprehensive security audit, including the expertise of external security professionals and engineers, to fully ensure the continued integrity of our servers."
Now here's the history of DoubleClick security since last week, as far as I can tell.
Kitetoa ("KITE-a-toe-a") is a group of white-hat hackers who publish together under that pseudonym. They broke the news on their website simultaneously with transfert.net, and spoke with someone at DoubleClick to make sure the company knew to patch the holes. (I left several messages to this same contact, but he did not return my calls.) They continue to update their site with more DoubleClick security news.
The first IIS vulnerability is the commonly-known Unicode bug, which lets you read and write files with the same permissions as the webserver, typically "IUSR."
Using this vulnerability, Kitetoa discovered the second security issue, which is that someone else had compromised the DoubleClick corporate webserver at some time in the past. The file eeyehack.exe was left on www.doubleclick.net. This is a backdoor written by the white-hat hackers at eEye, which opens port 6969 for attackers to telnet in.
DoubleClick assures us that eeyehack.exe could never have been executed, because that directory had script access disabled.
But I spoke with Marc Maiffret, Chief Hacking Officer of eEye (the people who brought you this port of nmap to Windows NT, by the way). He points out that the same backdoor could have been copied elsewhere, too, possibly into directories that allowed execution. I've asked DoubleClick whether they checked this; no answer at press time.
It's a separate question whether a cracker could have gotten SYSTEM level access through some other hole. With just IUSR level access, probably not much could have been done. There's no evidence that higher-level access was obtained ... but absence of evidence is not evidence of absence.
What concerns many people is that the eeyehack.exe file that was visible had a modification date of 1999. We know this date is not accurate, because the exploit that writes that file did not exist until last November. But that odd date does raise questions about how long DoubleClick's network has had these vulnerabilities.
The nightmare hypothetical is that a cracker has had access to DoubleClick's networks for the last couple of months or years, and has been reading the data they have been collecting about banner ad clicks. Or, worse, has had access to the Abacus database. Let me emphasize that I know of zero evidence that this has actually happened. But the potential for enormous privacy violations, with this company more than almost any other, is very serious.
DoubleClick assures me there is a good reason for the 1999 date on the backdoor program, but my question about it goes unanswered at press time.
The third hole is almost exactly one year old, and it allows ASP source code to be read. This alarms people because the server named AbacusOnline.DoubleClick.net was shown to be vulnerable. I verified this myself and learned the SQL passwords that go with two usernames, "gcolon" and "aowebuser."
Asked to estimate whether a determined cracker could have made use of those SQL passwords, Kitetoa guessed it was "85% certain" - for whatever that's worth.
Not that SQL passwords should have been stored in the ASP code anyway. Marc Maiffret comments, "One of the better ways to secure SQL login information, within an ASP file, would be to store all of the login information and functionality within a COM object. This is not a silver bullet solution but it does provide you with much better security than storing things in plain text in a .asp file."
Was that database accessible from outside DoubleClick's network? Not that I could tell, but I didn't try very hard. What data was in that database? Considering the wealth of data that Abacus has collected on our purchasing habits, we might justifiably be concerned about a machine named "AbacusDirect."
Again, DoubleClick denies that this is a problem, saying it was a programmer's machine which "was not connected to consumer or production data in any way." We have to trust them on that.
That's what was known as of Monday, and you may have seen that in the MSNBC story, InternetNews story, or the ZDNet story.
But the problems continue. Kitetoa has continued scanning DoubleClick's networks, and continues to turn up vulnerable servers. A half-dozen servers of unknown significance are still Unicode-able. And - let me check - yes, I can still read ASP source code on travel.doubleclick.net.
As well as www.doubleclick.net. The company said Monday that the holes had been fixed on that, their main corporate website. But as of five minutes ago, I was still able to read ASP source code on that server using the year-old exploit. (I did not see any more SQL passwords, for whatever that's worth.)
DoubleClick's Chief Privacy Officer Jules Polonetsky claimed on Monday that "Even a partial breach of a noncritical server is unusual," a claim which looks more dubious every day.
Maybe none of these servers has any valuable data on them. But to a serious cracker, breaking into them could easily have provided the necessary opportunity to reach further into DoubleClick's systems. Being inside the firewall, setting up trojans, sniffing network traffic from other machines - these are all reasons why unauthorized access of any machine must be taken very seriously.
And there's more. A security writer from transfert.net - a sort of French "Wired" - was able to snoop around one of DoubleClick's internal mail systems, webmail.doubleclick.net. It's fixed today, but he sent me a partial list of employees whose mail files were in a directory. (He could not read the mail itself, and DoubleClick denies that mail could have been, at any point, read.)
Here's the big picture. Where long-term security is concerned, process is always more important than the individual problems. We can learn more about DoubleClick's security by observing their response to security reports.
I would have hoped to see servers taken down. As Kitetoa remarked to me, "I think they should have closed all the servers for an hour or two while they fixed the problem." Or, if necessary, longer. Tough decision, but better than possibly exposing data.
I would have hoped that DoubleClick would not announce to the media that everything was fine until they actually knew that this was true. At this point, we have to trust them when they say that attackers could not have seriously compromised their data.
And I would have hoped that they would start tackling problems sooner than they did. Vulnerabilities about which they were informed last Thursday were not fixed until Monday. (The vulnerabilities themselves, of course, are not new, and some of them are a year old.)
And more vulnerabilities continue to crop up. Paranos (based in Paris) found one just by using search engines. The funny thing they found was a database of DoubleClick employees in the U.K. who attended last year's Christmas party.
Less funny is the list of people Paranos found who apparently filled out a form in conjunction with FoodTV, the "Outfit Your Kitchen Sweepstakes."
It took about two hours after I notified their PR contact of the URL before it was removed. It was stored in what appears to be a directory of backup data which was never intended to be public: http://www2.doubleclick.net/live2/chefs/foodtv-bak/form/chefs.txt.
This isn't a vulnerability, but it is indicative of the company's security process. DoubleClick should have policies in place to prohibit posting backup data on public websites; it should enforce those policies; and when it was done anyway, it should have found the leak by internal audit.
This promotion ran in 1999. Remember, kids, data you give to corporations never goes away, and may pop back up at any time!
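The kind of internal audit described above can be scripted by whoever owns the server. This is an added example, not code from the original article or from DoubleClick: it walks a web root and flags backup-looking paths, along with server-side source files that contain plaintext passwords (the concern raised earlier about SQL logins in .asp files). The name patterns, file extensions and sample tree are assumptions constructed for the demo.

```python
import os
import re
import tempfile

# Path components that look like backups or leftovers (heuristic, an assumption).
BACKUP_NAME = re.compile(r"(^|[-_.])(bak|backup|old|orig|copy)([-_.]|$)|~$", re.I)
# Credential-looking assignments in server-side source, e.g. "Password=...;".
CREDENTIAL = re.compile(r"\b(password|pwd)\s*=\s*[^;\"'\s&]+", re.I)
SOURCE_EXT = {".asp", ".asa", ".inc"}

def audit_webroot(root):
    """Return sorted (relative_path, reason) findings for files under root."""
    findings = set()
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            # A backup-looking directory or file name anywhere in the path.
            if any(BACKUP_NAME.search(part) for part in rel.split("/")):
                findings.add((rel, "backup-like path under web root"))
            if os.path.splitext(name)[1].lower() in SOURCE_EXT:
                with open(full, encoding="utf-8", errors="replace") as fh:
                    if CREDENTIAL.search(fh.read()):
                        findings.add((rel, "plaintext credential in source"))
    return sorted(findings)

def build_sample_webroot(root):
    """Constructed sample tree; all names and contents are made up."""
    samples = {
        "index.asp": '<% Response.Write "hello" %>',
        "report/query.asp": '<% conn.Open "User ID=demo_user;Password=EXAMPLE-ONLY;" %>',
        "promo-bak/form/entries.txt": "name,phone\n(constructed row)\n",
        "css/site.css": "body { margin: 0 }",
    }
    for rel, body in samples.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(body)

def run_demo():
    """Build the constructed tree in a temp directory and audit it."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_webroot(root)
        return audit_webroot(root)

if __name__ == "__main__":
    for rel, reason in run_demo():
        print(f"{reason}: {rel}")
```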
I picked one of the phone numbers for my state and gave it a call. Kathy Bankes, the wife of one of the people on the list, answered the phone. She said she was "very leery with the computer," and then proceeded to give me a common-sense understanding of the state of security on the internet.
"They say things are supposed to be secure," she said, "but I don't care how secure anything is - if somebody knows how to get in, they're going to get in if they have the technology."
"Should we worry about it or not?" she asks. I would say yes, especially when the company that owns an enormous customer purchasing database has problem after problem with its security. Maybe I'm naive to think that privacy promises mean anything in the real world, or that crackers can be fended off by a big corporation.
When I'd expressed my surprise at all this to Kitetoa, he'd just chuckled and said, "You'd be surprised what you can find on the internet. It's all like this."
Kathy, too, was pretty sure that there were people who have all this private information anyway. She very sensibly pointed out that credit card and other personal data can be stolen in the real world just as easily as the internet.
And she answered her own question for me: "There's really nothing you can do. I don't feel secure anyways."