Domain: msnbc.com
Stories and comments across the archive that link to msnbc.com.
Stories · 616
-
Continuing Security Concerns at DoubleClick
In 1999, DoubleClick bought the Abacus database, which got them a ton of data about our personal buying habits. They've promised not to correlate it with their banner-ad database, but that's not the concern this week. This week, the concern is their network security. Last week Thursday, the French site Kitetoa discovered three separate security issues on DoubleClick's network; the company deleted the evidence of one immediately, but left the servers up until Monday, when they mostly closed the other two. There are numerous other issues but the question on everyone's mind should be, how long and how far has DoubleClick been penetrated? And how long can we expect it to continue?
As I write, I'm aware of two security holes in their network, which is an improvement over last night, when the number was three. Unfortunately, this does not mean they are now 33% more secure. I don't have the background to be sure exactly how significant the remaining problems are, but I'll share what I know.
Unfortunately, DoubleClick's Chief Privacy Officer was not available by press time to respond to questions. We have offered the company a chance to respond, and we hope they'll take that opportunity to clear up some questions. Meanwhile, here's their official statement on the matter as of today:
"Over the last week there have been unsuccessful attempts made to hack into DoubleClick's servers. Those situations were immediately corrected," said Jules Polonetsky, Chief Privacy Officer, DoubleClick. "DoubleClick is now undergoing a comprehensive security audit, including the expertise of external security professionals and engineers, to fully ensure the continued integrity of our servers."
Now here's the history of DoubleClick security since last week, as far as I can tell.
Kitetoa ("KITE-a-toe-a") is a group of white-hat hackers who publish together under that pseudonym. They broke the news on their website simultaneously with transfert.net, and spoke with someone at DoubleClick to make sure the company knew to patch the holes. (I left several messages to this same contact, but he did not return my calls.) They continue to update their site with more DoubleClick security news.
The first IIS vulnerability is the commonly-known unicode bug, which lets you read and write files with the same permissions as the webserver, typically "IUSR."
Using this vulnerability, Kitetoa discovered the second security issue, which is that someone else had compromised the DoubleClick corporate webserver at some time in the past. The file eeyehack.exe was left on www.doubleclick.net. This is a backdoor written by the white-hat hackers at eEye, which opens port 6969 for attackers to telnet in.
DoubleClick assures us that eeyehack.exe could never have been executed, because that directory had script access disabled.
But I spoke with Marc Maiffret, Chief Hacking Officer of eEye (the people who brought you this port of nmap to Windows NT, by the way). He points out that the same backdoor could have been copied elsewhere, too, possibly into directories that allowed execution. I've asked DoubleClick whether they checked this; no answer at press time.
It's a separate question whether a cracker could have gotten SYSTEM level access through some other hole. With just IUSR level access, probably not much could have been done. There's no evidence that higher-level access was obtained ... but absence of evidence is not evidence of absence.
What concerns many people is that the eeyehack.exe file that was visible had a modification date of 1999. We know this date is not accurate, because the exploit that writes that file did not exist until last November. But that odd date does raise questions about how long DoubleClick's network has had these vulnerabilities.
The nightmare hypothetical is that a cracker has had access to DoubleClick's networks for the last couple of months or years, and has been reading the data they have been collecting about banner ad clicks. Or, worse, has had access to the Abacus database. Let me emphasize that I know of zero evidence that this has actually happened. But the potential for enormous privacy violations, with this company more than almost any other, is very serious.
DoubleClick assures me there is a good reason for the 1999 date on the backdoor program, but my question about it goes unanswered at press time.
The third hole is almost exactly one year old, and it allows ASP source code to be read. This alarms people because the server named AbacusOnline.DoubleClick.net was shown to be vulnerable. I verified this myself and learned the SQL passwords that go with two usernames, "gcolon" and "aowebuser."
Asked to estimate whether a determined cracker could have made use of those SQL passwords, Kitetoa guessed it was "85% certain" - for whatever that's worth.
Not that SQL should have been stored in the ASP code anyway. Marc Maiffret comments, "One of the better ways to secure SQL login information, within an ASP file, would be to store all of the login information and functionality within a COM object. This is not a silver bullet solution but it does provide you with much better security than storing things in plain text in a .asp file."
Was that database accessible from outside DoubleClick's network? Not that I could tell, but I didn't try very hard. What data was in that database? Considering the wealth of data that Abacus has collected on our purchasing habits, we might justifiably be concerned about a machine named "AbacusDirect."
Again, DoubleClick denies that this is a problem, saying it was a programmer's machine which "was not connected to consumer or production data in any way." We have to trust them on that.
That's what was known as of Monday, and you may have seen that in the MSNBC story, InternetNews story, or the ZDNet story.
But the problems continue. Kitetoa has continued scanning DoubleClick's networks, and continues to turn up vulnerable servers. A half-dozen servers of unknown significance are still Unicode-able. And - let me check - yes, I can still read ASP source code on travel.doubleclick.net.
As well as www.doubleclick.net. The company said Monday that the holes had been fixed on that, their main corporate website. But as of five minutes ago, I was still able to read ASP source code on that server using the year-old exploit. (I did not see any more SQL passwords, for whatever that's worth.)
DoubleClick's Chief Privacy Officer Jules Polonetsky claimed on Monday that "Even a partial breach of a noncritical server is unusual," a claim which looks more dubious every day.
Maybe none of these servers has any valuable data on them. But to a serious cracker, breaking into them could easily have provided the necessary opportunity to reach further into DoubleClick's systems. Being inside the firewall, setting up trojans, sniffing network traffic from other machines - these are all reasons why unauthorized access of any machine must be taken very seriously.
And there's more. A security writer from transfert.net - a sort of French "Wired" - was able to snoop around one of DoubleClick's internal mail systems, webmail.doubleclick.net. It's fixed today, but he sent me a partial list of employees whose mail files were in a directory. (He could not read the mail itself, and DoubleClick denies that mail could have been, at any point, read.)
Here's the big picture. Where long-term security is concerned, process is always more important than the individual problems. We can learn more about DoubleClick's security by observing their response to security reports.
I would have hoped to see servers taken down. As Kitetoa remarked to me, "I think they should have closed all the servers for an hour or two while they fixed the problem." Or, if necessary, longer. Tough decision, but better than possibly exposing data.
I would have hoped that DoubleClick would not announce to the media that everything was fine until they actually knew that this was true. At this point, we have to trust them when they say that attackers could not have seriously compromised their data.
And I would have hoped that they would start tackling problems sooner than they did. Vulnerabilities about which they were informed last Thursday were not fixed until Monday. (The vulnerabilities themselves, of course, are not new, and some of them are a year old.)
And more vulnerabilities continue to crop up. Paranos (based in Paris) found one just by using search engines. The funny thing they found was a database of DoubleClick employees in the U.K. who attended last year's Christmas party.
Less funny is the list of people Paranos found who apparently filled out a form in conjunction with FoodTV, the "Outfit Your Kitchen Sweepstakes."
It took about two hours after I notified their PR contact of the URL before it was removed. It was stored in what appears to be a directory of backup data which was never intended to be public: http://www2.doubleclick.net/live2/chefs/foodtv-bak/form/chefs.txt.
This isn't a vulnerability, but it is indicative of the company's security process. DoubleClick should have policies in place to prohibit posting backup data on public websites; it should enforce those policies; and when it was done anyway, it should have found the leak by internal audit.
This promotion ran in 1999. Remember, kids, data you give to corporations never goes away, and may pop back up at any time!
I picked one of the phone numbers for my state and gave it a call. Kathy Bankes, the wife of one of the people on the list, answered the phone. She said she was "very leery with the computer," and then proceeded to give me a common-sense understanding of the state of security on the internet.
"They say things are supposed to be secure," she said, "but I don't care how secure anything is - if somebody knows how to get in, they're going to get in if they have the technology."
"Should we worry about it or not?" she asks. I would say yes, especially when the company that owns an enormous customer purchasing database has problem after problem with its security. Maybe I'm naive to think that privacy promises mean anything in the real world, or that crackers can be fended off by a big corporation.
When I'd expressed my surprise at all this to Kitetoa, he'd just chuckled and said, "You'd be surprised what you can find on the internet. It's all like this."
Kathy, too, was pretty sure that there were people who have all this private information anyway. She very sensibly pointed out that credit card and other personal data can be stolen in the real world just as easily as the internet.
And she answered her own question for me: "There's really nothing you can do. I don't feel secure anyways."
-
Coming Soon: Burn-Proof CDs
An Anonymous Coward writes: "This article on MSNBC opens the door to the "Copyright protected CD's". Apparently the very first copyright protected cd is set to burn this April for some country star's album. Copyright protected cd's do not allow you to replicate them in a cd burner nor do they allow you to rip the audio tracks "digitally" (although can still be done through analog)." I wonder how long before someone finds a way around this. Actually the article is well-written, covering all the bases, although it neglects to say how we're all expected to bend over while our fair use of stuff we paid for is taken away from us. -
Polar Detector Spots Neutrinos
C. Mattix writes "It looks as though they finally got some - MSNBC has a story on the polar station that detected neutrinos. " It's got a good explanation of the AMANDA station and what they're doing - not the heaviest scientific article, but good to read. -
New Human Ancestor?
-
Slashback: Indreams, Dejagain, Codrivel
Craving at least some small bit of followup to old stories? Well, sit comfortably in your thousand-dollar Relax-the-Back recliner and savor a (minor) update on the fabled and hopefully forthcoming Indrema console, again something to chew on regarding deja again, and more.
The name of Gildred's project has me hooked ;) impaler writes: "Looks like Indrema's Game Exchage site is up. There are a number of free and commercial projects already started. Now, when do people get to fjear my insanely low gxc UID of 15 (I was the first non-indrema person added to the database). Seems like they are even closer to becoming a reality (even though the launch date seems to have been pushed back). So, start writing cool games!"
I wrote to Indrema honcho John Gildred recently to inquire about the console's current status, hopefully we'll have an update on that soon. In the meantime, you may prefer to visit the English-language version (kudos, Oliver) of the Linux-on-Playstation petition mentioned shortly ago.
"Whither newsgroups?" is not an idle question. Ronda Hauben wrote to point out her essay newly posted at Telepolis about the recent sale of the Usenet Archives by Deja to Google, Inc. She writes:
"The culture of the online community is based on fostering collaborative activity and online contributions.
How does the technical and research community continue to foster the online contributions and collaboration? Is there any problem having such contributions bought and sold? Is there a way to have nonprofit or academic or research institutions involved in archiving such collaborative contributions like Usenet?"
To read and ponder; hopefully someone at Google will have some things to say as well. And when you're done, check out more at Netizens.
Apropos the former, the following: wdavies writes: "A previous article suggested that Idealab's new company New.net would provide a plug-in -- this article suggests otherwise -- more of a series of deals with large ISP to support the resolution of TLD with private DNS. The article suggests there might also be a plug-in available, but seems to hammer home the point they are planning an end-run around ICANN decision making on TLD's. Interesting, what if they can indeed undermine ICANN's role using commercial pressure ? Good or Bad for the internet ?"
And finally, please don't do this. And getting worse and worse since the last time it was mentioned on Slashdot, Midnight Thunder writes: "There is a great page on how to write unmaintainable code. Now that you have insured that you will keep the job, now for the demands ;-)"
-
Xbox To Include Censorchip
yesthatguy writes: "According to an MSNBC Article, Microsoft 'plans to voluntarily insert a V-chip-like control in its new video game console.' More details are to be released at E3 in May. I wonder if this will catch on, or if it is just a Microsoft move to appease the government, or if, as the article suggests, it will reduce game censorship, and allow consumers to censor the games themselves." -
OS X Won't Be Fully Functional On March 24th
mduell writes: "Just saw this over on MSNBC. It looks like Apple rushed OS X to meet the deadline, and that many key features (like DVD playing and burning) won't be functional when it ships on the 24th of this month. Also, there won't be a big splashy introduction, perhaps one in the summer when Puma (OS X 1.1) comes out." Which is not to say that Mac owners can't watch DVDs -- if they are dual-booting, at least. The article gets into a few other gripes as well, but none sounds earthshaking to me. -
Online Journals
Foxxz writes "MSNBC has a story on online journals. Personally, I've been writing in an online journal for almost a year using a Perl script I whipped up. It can be a great outlet for a bitchfest." This is a great example of the whole "peer to peer" journalism that everyone wets their pants over about the Internet. Call it what you will, but the ease of accessibility to the materials is, IMHO, one of the most compelling reasons for web surfing. -
Human Genome Confirms Evolution
xpccx writes "Here is a very interesting article at MSNBC by Arthur Caplan, Ph.D., director of the Center for Bioethics at the University of Pennsylvania in Philadelphia. He states that "The genome reveals, indisputably and beyond any serious doubt, that Darwin was right - mankind evolved over a long period of time from primitive animal ancestors. Our genes show that scientific creationism cannot be true." This is arguable but should spark quite a debate." Even Kansas agrees. -
Water/Complex Carbon Found In Distant Solar System
-
PDA Giant Sharp Promises Linux-Running PDAs
ECaldwell writes: "It looks as though Sharp is stepping up to the PDA plate with a unit (the Zaurus) that uses Linux instead of Palm, CE or a proprietary OS. These units are designed to be direct competitors with Palms, Handspring and other PDA's. The release is planned for around Christmas. The problem for Palm and CE devices so far is the limit of easy to use programming languages, which makes it difficult for a novice to write even a basic program (I don't know C or C++). The good news here is, with Linux loaded on a Zaurus we should be able to use any of the great languages that Linux already supports to flood that market with good software." (Read on for more).
Lynuhx indicates a Japanese-language page where you can see a cute mockup of this thing, and denisbergeron points to these two links on yahoo for a bit more: [(1) and (2)] Sharp's products and reputation seem to have languished in the U.S., so this planned offensive will be interesting -- especially if by Christmas, "Linux PDAs" has become a crowded field.
-
Did You Do the Long Form?
mliu sent in: "An interesting article about how with modern methods it could be theoretically possible to link census data back to a person and the steps the Census Bureau is taking to prevent this." The marketers know so much now that even the general data the Census Bureau releases could possibly be linked up with Credit Bureau data... ouch. -
Sony's OEL Thinner And Better Than Today's LCDs?
Matrium writes: "MSNBC is running an article about how Sony's new Slim TV is thinner, brighter, and has a better picture than current LCD screens. The organic electroluminescent (OEL) display, a little thicker than a credit card, was shown Wednesday. These screens offer a faster response than LCD because they are self-luminous (no back-lighting required) and allow a wider viewing angle. Sony hopes to have these screens in mass production by 2003." Someday we'll lose our laptops in between pages of books just like we lose plane tickets/notes/phone numbers today. -
Clever Girl Bess
In a revelation that perfectly demonstrates the nexus between moral posturing and greed in America, MSNBC reported Friday that tracking data on student web-surfing is being sold by one of the largest manufacturers of content-blocking software -- and in the name of protecting kids, of course. That software is called Bess, and it restricts the browsing of more than 12 million students -- and thanks to the noxious Children's Internet Protection Act passed by Congress last year, that number is going to get much higher. Guess who one of the first customers was? The U.S. Department of Defense. [Note: jamie posted about this last Friday as well. Read on for Jon's take.]
You can blame the Children's Internet Protection Act (CIPA), passed by Congress last year over the violent objections of educators, civil libertarians and librarians. The election-year law takes control of children's online information lives away from schools, parents and local communities. Instead, CIPA requires all schools and libraries that want federal E-rate funds to help pay for Net access to install blocking and filtering software. This is the same dreary, censorious software that can't distinguish between porn sites and poetry passages, not to mention intelligently discriminate between breast-cancer education pages and breast-ogling sites.
Nearly half of all schools and libraries now use some sort of filtering software, according to research firm International Data Corp. N2H2 Corp., the makers of Bess, has about 20 percent of this market, the Wall Street Journal reports. That means that Bess controls the Web choices of more than 12 million students kindergarten through high school, and the CIPA is expected to push those numbers much higher.
Now we learn that late last year, N2H2 began selling the data that Bess collects on children's Net and Web use. The information, called Class Clicks, is aggregated, says the company, meaning it can't be used to identify the habits of individual specific students, or even of specific schools. And Bess is a clever girl. Schools use the program as a gatekeeper, and nobody knows more than she does about where kids go, for how long, or which sites they try and access.
But for $15,000 a year, marketers and Web site operators can receive regular reports detailing exactly where kids are going on the Net, along with aggregate estimates of their ages and race. The company insists there's no way for users of this data to figure out precisely who the students are, but it isn't clear whether N2H2 or makers of the filtering programs know, or if so, what they are legally allowed to do with that information.
How do the info-peddlers feel about it? "This is a real nonissue for us," a spokesman for N2H2 told the Journal. "This information is so anonymous and vague."
But if it's so vague, why would anybody pay thousands of dollars for it? And it is definitely an issue for others, including the Electronic Privacy Center in Washington, whose general counsel, David Sobel, told the Journal: "Students just should not be contributing to marketing tools and subjected to profiling based on how they are using the educational tools of the Internet."
Nor, in fact, should anyone buy the notion that filtering software protects children. It doesn't. Statistically kids are in no danger on the Net. Their greatest source of harm comes from physical abuse from family members and people they know, according to U.S. Justice Department statistical abstracts on violence and the FBI Uniform Crime Report, and firearms and other accidents. Congress seems in no rush to block any of those dangers.
So far, just two clients have purchased the information N2H2 is selling. One is the New York-based education portal Big Chalk Inc. The other, strangely enough, is the U.S. DOD, which refused to tell the Journal what it plans to do with the data collected by Bess.
N2H2 says it began tracking kids' Net use in late 1999, believing the data might be useful to teachers and creators of youth-oriented websites. Last year, it began looking into other uses for this information, and began working with the marketing firm Roper Starch Worldwide to figure out what the two companies could sell.
According to the Journal, SurfControl PLC, another maker of blocking programs, said it doesn't collect data of any sort on its users' surfing habits and believes it would be inappropriate to do so.
Is this data-collection the kind of protection Congress had in mind when it compelled libraries and schools to install commercial censorship software, depriving parents, educators and local institutions and politicians of the right to make such choices?
Filtering software is a complex civil liberties problem on several levels, most unappreciated either by Congress or the general public:
- Most filtering programs don't disclose what they block or why, so the users have no real idea what level of protection is being offered. Parents think they are purchasing safety and morality, yet they have no idea what their children are being deprived access to.
- Blocking software doesn't protect kids, literally or morally. There is no evidence of any sort by any credible source that one single child is safer or more moral because of censorship technology installed on their computers, or because of limited access to the Net.
- Filtering software legitimizes censorship and invasion of privacy. Many parents buy filtering programs that permit them to re-trace the websites their children have visited. They aren't teaching kids morality but Orwellian intrusions of privacy, dignity, and, yes -- morality itself.
- Blocking software is an illusory technology. It permits the abdication of moral responsibility -- especially that of teachers and parents -- to supervise their children and provide moral direction.
What we have with Bess and CIPA is one more insight into the warped way American politicians exploit children while proclaiming that they're protecting their moral purity. William Bennett, our self-styled national "morals" czar, and a close adviser to President Bush, is a master at this, denouncing the immorality of music, TV, and the Net and Web and making millions off of books, calendars and stickers offering and celebrating "morally correct" stories for kids about hardworking bumblebees and frogs who can't wait to get to school.
Net use is statistically one of the safest things an American kid can do. When kids get in trouble online, it is usually adolescents drawn into powerful or obsessive relationships. Those are rare. Crime rates among the young have been dropping for years, and are now at their lowest levels in a half-century. Children are very rarely harmed as a result of going online. According to child safety experts, online safety rules are easy to learn and follow. So the idea of "protective" legislation is already spurious.
Moreover, even the sale of the aggregate behavior of children (almost always, says the Journal, without the knowledge of kids, parents or schools), has serious implications for privacy and free speech. It promises a future marked by ever-more-sophisticated digital tracking and eavesdropping. Obviously, aggregate figures can't be collected without access to individual statistics. What, exactly, is the boundary?
And once legitimized -- by the U.S. Congress, no less -- the notion of ever more specialized tracking of kids by business and government is now being built into the infrastructure of the Net as well as schools and libraries. It's an awful precedent, even though it's a "non-issue" to the corporation doing it. Even if Bess isn't tracking specific students or targeting specific schools -- yet -- who's to say what the next generation of software will do, or what a different company couldn't or wouldn't gather and sell, especially as Congress forgot to prohibit the marketing of this data in its rush to "protect" kids from the Net.
Every significant law Congress has passed relating to speech and content on the Net, from the two Communications Decency Acts to the Sonny Bono and Digital Millennium Copyright Acts to CIPA has been offensive and menacing to privacy, free speech, and individual freedom to choose information. American kids seem much saner and more rational about technology than their so-called leaders and protectors. And this doesn't seem likely to get any better under the Bush administration, which has made the moral lives of children and the immoral content in TV, movies and on the Net a central campaign issue and policy priority.
The forced use of CIPA-mandated blocking (and tracking) software is bad enough, meaning that kids online have already relinquished much of their right to free speech, information choice and privacy. Selling the information that results takes away most of the rest of it, and is doubly appalling.
-
Sega Announces Dreamcast Successor
aardwolf64 writes: "msnbc.com has a story (taken from Inside.com) about the successor to Sega's DreamCast. Apparently it won't play actual DreamCast discs, but will instead download them to an internal hard drive through a digital cable connection. According to the article: 'Wallace said that the box, called the Games Gateway, can store up to 60 games at a time, and will play any and all of the 350 or so games developed for the Dreamcast platform. The box will ship next year, though Wallace declined to speculate whether it would ship in the U.S. or U.K. first. The deal is mutually non-exclusive; the box itself has been a year in development'" -
New Security Group Hedges Bets And Builds Hedges
7card writes: "OK, I was just doing my morning surfing and I found this article, which may be of some interest. It looks like the world has another club of security experts with the goal of security through obscurity. Some of the members include Microsoft, Oracle, and Cisco." Reader Junin points to this CNET story as well. -
10GHz Processors And Moore's Law
AntiFreeze writes "There is an interesting story on MSNBC about Intel's attempts at producing chips capable of running at faster than 10 gigahertz. There was a previous /. article in early December about this here. This article from MSNBC is much more detailed (both technically and non) than the original article referenced from December, and provides a very intriguing look at what Intel's planning to do over the next four years, and what they'll have to show the general public as soon as April 1st. And as always, there's the heated /. argument about Moore's law buried in there, too." -
Protostar
-
What is 'IT'?
StoryMan and a lot of other people found this interesting: "Okay, here's a weird one. This is the first I've heard of it. A long article on MSNBC describes this new 'thing' called 'IT'. Apparently it can be assembled from a bunch of parts. Jobs loves it. Bezos loves it. But what is it? Anyone have any ideas? Is this for real?" I think it's an A-driven experimental swibble. From "Service Call," a short story by Philip K. Dick:
The young man flushed, swallowed noisily, tried to grin, and then hurried on huskily, "Sir, I'm the repairman you asked for; I'm here to fix your swibble."
The facetious retort that came to Courtland's mind was one that later on he wished he had used. "Maybe," he wished he had said, "I don't want my swibble fixed. Maybe I like my swibble the way it is." But he didn't say that. Instead, he blinked, pulled the door in slightly, and said, "My what?"
"Yes, sir," the young man persisted. "The record of your swibble installation came to us as a matter of course. Usually we make an automatic adjustment inquiry, but your call preceded that -- so I'm here with complete service equipment. Now, as to the nature of your particular complaint..." Furiously, the young man pawed through the sheaf of papers on his clipboard. "Well, there's no point in looking for that; you can tell me orally. As you probably know, sir, we're not officially part of the vending corporation ... we have what is called an insurance-type coverage that comes into existence automatically, when your purchase is made. Of course, you can cancel the arrangement with us." Feebly, he tried a joke. "I have heard there're a couple of competitors in the service business."
Stern morality replaced humor. Pulling his lank body upright, he finished, "But let me say that we've been in the swibble repair business ever since old R.J. Wright introduced the first A-driven experimental model."
For a time, Courtland said nothing. Phantasmagoria swirled through his head: random quasi-technological thoughts, reflex evaluations and notations of no importance. So swibbles broke down, did they? Big-time business operations ... send out a repairman as soon as the deal is closed. Monopoly tactics ... squeeze out the competition before they have a chance. Kickback to the parent company, probably. Interwoven books.
[...]
A swibble. What the hell was a swibble? And he was on the in, industrially speaking. He read U.S. News, the Wall Street Journal. If there was a swibble he would have heard about it -- unless a swibble was some pip-squeak gadget for the home. Maybe that was it.
You can find this story in The Collected Stories of Philip K. Dick, Volume 4: The Minority Report.
Thoughtfully, he added, "In fact I'd say the real war was a war over swibbles. I mean, it was the last war. It was the war between the people who wanted swibbles and those who didn't." Complacently, he finished, "Needless to say, we won."
-
Whistler "Anti-Piracy" Tools Tie OS To Machine
Dredd13 writes: "According to this Yahoo!News article [note: the same story is also being carried at MSNBC and ZDNet] , anti-piracy features in Whistler "won't allow the use of the customer's product key on a PC different from the one originally activated"... which means that if you have that older computer and decide to try and move your Whistler license (that you buy at a retail outlet like Best Buy or wherever) to your new whiz-bang fast model, you'll be completely boned. The code won't actually activate without authorization from a clearinghouse first. So much, also, for high security installations (where any connectivity, whatsoever, with the outside world is verboten)... without the ability to connect to the clearinghouse to "authenticate" the product key, they too will be unable to use their license. Part of me is happy because this is obviously a Bad Move by MS and will hurt them, but what if other software vendors start to think that this is a Neat Idea? {yuk!}" It's not a new idea, and lots of software is already sold this way -- but this time it seems to have caught a lot of people's attention. Windows' ubiquity, and Microsoft's history of mostly looking the other way when it comes to illegal copying of their OS, may mean that a lot of eyes get bigger, soon. -
First Looks At XBox
adpowers writes: "You can find a picture and description of the Xbox at the press release from Microsoft." There's also shoots from Gamespy, news from C|Net, and a report from Reuters - and lastly, a report from MSNBC. -
Slashback: Aptitude, Consolation, Security
A handful of updates and new nuggets await you below, on everything from Iraqi PlayStation purchases to package manager news of the week, in tonight's release of Slashback. apt-get install common.sense According to this message from Pixel in the apt-rpm mailing list, Linux-Mandrake is the second RPM-based distro to use APT, after Conectiva's own distro. So, despite the existence of non-free similar products recently covered in /., APT is gaining acceptance to be the unified package manager front-end for Linux.
Can your parents install Debian?
Now there's some smidgeon of Justice for ya Foggy Tristan writes "
According to Wired news story, Uzi Nissan has won a battle, but not the war, against Nissan in a domain name dispute over nissan.com.
For now, however, Uzi Nissan must display a prominent banner on his site that tells people he has nothing to do with the car company and where people can find Nissan.
" You knew this was going to happen ... RobM9999 writes: "The BugTraq mailing list over at SecurityFocus is reporting what appears to be the first vulnerability in the NSA's Security-Enhanced Linux that was originally written about here. The original post to the BugTraq mailing list is here." What would have been more surprising is if no security bugs were found when a project like this has its source opened to the world. Best to get that laundry clean, eh?
Could be they're just serious gamers tech81 writes "Here's an article on MSNBC that has an update to this story previously posted on Slashdot concerning Iraq possibly buying and stockpiling PS2's for military purposes. Looks like they weren't able to get any PS2's, so they grabbed the originals. . ."
So that's why the bidding on eBay went so high, eh?
Read 'em and weep The next part of our continuing reprint of Jon Katz' Hellmouth series is up.
-
Non-Traditional Keyboard Reviews
A reader writes "MSNBC has posted a story about 3 weird new keyboards - the Keybowl, the DataHand, and the Half Keyboard. Pretty bizarre stuff." Both Rob and I played around with the one from Ergointerfaces who are releasing an updated version soon - and we had AskSlashdot on it a while ago - but what do you folks think? -
Caveat Emptor: Egghead.com Credit Records Nabbed
Voorshwa and at least a dozen others wrote with this news: "Found this one over on ZDNet.com news. Turns out the security over at Egghead wasn't very good. Losing 3.1 million credit card numbers has got to put a damper on a lot of Christmas cheer!! Wish these big companies would learn a little ..." No yoke. It's too bad that this kind of theft will probably scare people away from online purchases even when it's a database that's cracked rather than their transactions. Reader insmod points to coverage at MSNBC as well which mentions that Egghead was not the only site hit this holiday season. -
Censorware to be Mandatory in Schools, Libraries
It was supposed to be done by September 30, but Congress finally finished its budget for this year. Because it works best with our sometimes-bizarre legislative system, this year, like every year, hundreds of unrelated measures were rolled up into one massive package and crammed through the door. Your grandchildren may look up at you with a puzzled expression, fifty years from now, and say "grampa" (or gramma), "did you really use an unfiltered internet, back in the olden days? Wasn't that scary? How did you ever survive with all that porn jumping out at you?" If that happens, just sigh, and think back to the olden days -- December 2000 -- before censorware became mandatory in public institutions nationwide. The massive spending bill has been passed by the House and Senate, and President Clinton is expected to sign it soon. Despite some noises from the Clinton administration mildly protesting censorware, the small amendment making it mandatory is not considered to be an important enough issue to veto an entire appropriations bill.
Sen. John McCain (R-Ariz.), a longtime proponent of censorware, introduced the amendment.
As the ACLU says,
Earlier this year, an 18-member commission appointed by Congress rejected the idea of mandating the use of blocking software, which is notoriously clumsy and inevitably restricts access to valuable, protected speech. A wide spectrum of organizations have opposed blocking software mandates, including the American Library Association, the Society of Professional Journalists, the conservative Free Congress Foundation and state chapters of the Eagle Forum and the American Family Association.
"There was an Alice in Wonderland quality to this debate," said Marvin Johnson, a Legislative Counsel with the ACLU's Washington National Office. "With its vote, Congress rejected the advice it asked for from the panel it appointed."
The "wide spectrum of organizations" extends from educators to The New York Times to strongly conservative political/religious groups. For more on the COPA Commission and its recommendations, see our stories from July and August.
Essentially it says that any school or library which receives federal funds to build its network must install censorware. Since these funds are the chief way that poor and middle-income areas bring the internet into public institutions, effectively this means that only rich counties will have the option of an uncensored internet.
The text of the self-declared "Children's Internet Protection Act" is available from CDT. It uses the term "technology protection measure" to describe the software.
In related news, Peacefire, an advocacy group for youth free-speech rights, released a tool to provide one-click disabling of some popular censorware programs.
Meanwhile, the ACLU will be suing to stop this bill from taking effect. This is not a slam-dunk like the CDA was. They're in for a tough fight. Here are three reasons why:
1. The CDA's language was very broad. This bill targets its material precisely: obscenity, child pornography, and "harmful to minors" material. Of course there is no "technology protection measure" in existence which can censor only this material, or even claim to censor only this material.
2. The CDA covered speech. This bill addresses the right to read that speech in a public institution.
3. This bill regulates institutions which are taking public money and how they may use it. Legally, and also in many people's minds, it is more permissible to enact regulations which go against the grain of the Constitution if they are tied to acceptance of public funds.
(The classic example is that the Fourth Amendment protects our homes from unreasonable search and seizure, but when the government provides public housing, it sometimes tries to say that the 4th Amendment does not apply. Same situation, different Amendment.)
Brock Meeks is more optimistic, saying the bill is "doomed." The key issue, I think, will be whether censorware can work. If it does not work, if it cannot work, then the language of the bill is irrelevant; our Congress might as well have demanded a "technology protection measure" to give all our kids 200 IQs and a lifetime supply of free donuts.
When I get in the mood to be optimistic, I think about all the stories we hear from students who are already forced to use this software. It seems like everyone has an anecdote about how they were blocked from doing legitimate research for school.
So maybe if this legislation survives, in ten years, all the kids who grew up with first-hand experience with censorware will start to vote. That's about the only bright side I can see.
For now, Brown v. Board of Education is the example I'm keeping in mind. The Supreme Court, after a half-century of segregated schools, decided that "separate educational facilities are inherently unequal" -- the theory might be OK, but it had failed in practice.
The courts should evaluate the "technology protection measures" by what they do, not by what the law demands they do. The theory might be OK, but in practice, all the technology that I've looked at blocks much more than it should. I'll be hoping for a verdict that reads: "technology protection measures are inherently censorship."
And, hopefully, now -- not after a half-century.
-
Fastest Commercial Supercomputer To Be Built
Zeus305 writes: "Today NuTec Sciences, Inc. will be announcing its purchase of the world's fastest commercial supercomputer, second overall only to ASCI White. NuTec will use and lease time on the 1,250 clustered IBM servers to analyse genes decoded by the human genome project to try to better understand the causes of diseases like cancer by running month-long algorithms that analyse the relationships between different areas of the genome. This beast will have 2.5 terabytes of RAM and 50 TB of disk space." -
Credit Card Database Stolen -- 4 Months Ago
jeffw writes: "Once again a Russian cracker got into an online credit card database and attempted to extort money from the company. MSNBC has the details. Previous incidents were covered on Slashdot here and here. This time it was the appropriately named CreditCards.com, a credit card processing service for merchants. You would probably expect to be notified by one of the processors, the card issuer or the merchant, but in this case victims have to notice the fraudulent charges themselves and contact their card issuer. Hmm, CreditCards.com. I'm sure no cracker would ever think of that as a juicy target. Why not name your company FreeMoneyForCrackers.com instead?" -
The Future Of The GUI?
Graymalkin sent in a nice article written for fairly novice folks comparing Mac OS X, Microsoft's upcoming .NET, and Nautilus's respective user interfaces. Considering all 3 are still vapor, it'll be even more interesting to read an article like this in a year, and compare it to this. -
U.S. Supreme Court Issues Election Ruling
Well, the United States Supreme Court has given their "ruling" concerning the Florida Supreme Court. They've asked for more information from the Florida Supreme Court. Update: 12/04 06:01 PM by H: You can read the actual ruling as well. Update: 12/04 07:59 PM by H: Thanks to Mr. Sturkel for this much better analysis: "In today's posting of the Supreme Court ruling on the Florida ballot case you state that the Supreme Court overturned the Florida State Supreme Court case on manual recounts; this is incorrect. The High Court "set aside" the case, not overturned it which is two different things. In setting aside the case the Supreme Court asked the Florida Supreme Court to re-examine the case and to explain and clarify further the basis of their ruling. In a nutshell, the Supreme Court wants to know why the Florida Supreme Court did what they did before issuing a final ruling on the case." -
Pro-Linux Mail Trojan Running Around
Xeno noted a story making the rounds about a Pro Linux Virus. Well, they're calling it a virus, but it's a trojan. It's a flash thingee embedded in emails. It mails itself, and then renames zips and jpegs to have a Pro-Linux message. Very bad advocacy, but when I turn off Dad Mode, I gotta laugh about it. -
Sony Releases Walking Humanoid Robot
Steve Wight writes "Looks like Sony had a bit of robot envy the other day when Honda officially released their 120cm humanoid robot. Well, here is MSNBC's story about Sony's new walking humanoid robot which looks pretty cool, even if it is only 1/2 a meter tall. Fifteen meters per minute walking speed and can get up if it falls down. Although, the Honda robot could squish it under its foot. *grin*" -
Kahn Overhauling the Internet
Whanana sent us an article about information objects as visualized by Robert Kahn. The article is written from a fairly childish place (it explains DNS for crying out loud, and the bulk of it is a history lesson obviously designed for a mainstream paper) but Kahn's Digital Object Identifier concept is interesting. If anyone has links to RFCs and the like, please post them in the comments. -
Embedded Linux at COMDEX
discovercomics sent us a nifty report from MSNBC telling the tale of the Embedded Linux Devices that were present at COMDEX. They talk about the IPAQ, The Yopy, the Axis 2100 network camera (which is cool, but expensive), and more. -
IBM Ships First 22" 200dpi Displays
wonko writes: "IBM has begun shipping new monitors that are as much as 12 times sharper than current displays, and 4.5 times sharper than HDTV. These new 22-inch active matrix liquid crystal displays use aluminum-based technology and have over 9 million pixels. IBM will soon be licensing the technology to other display makers, so you could soon see these screens in laptops, PDAs, cellphones, etc. Pardon me while I wipe the drool off my keyboard ..." This is the same high-definition display you read about here earlier. They are not yet in CompUSA, to put it lightly -- first examples are going to Lawrence Livermore -- but the trickle-down effect in a couple of years is promising. -
Artificial Gravity Devices
Screenbert writes "This article talks about simulating gravity for space missions. However this article also spawned deeper and darker questions. Go with me on this for a minute.... If you spin something around really fast and you are on it, you get pushed to the edge of the spinning object. IE, a merry-go-round. Gravity is a side-effect of mass. Since the earth is spinning, it pushed everything out from it, thereby having a counter-effect of mass. So if the Earth were to stop spinning, would we become mushrooms?" -
Will America Ever Go Metric?
poixweryth asks: "Just reading an article pointed to by a recent story in which they refer to "an object bigger than 0.6 mile (1 kilometer) in diameter". This is obviously American journalism. What I want to know is this: is the American public ever going to convert to the metric system?" -
MS 'Whistler' Looks Solid To ZDNET
dynoman7 writes: "eWEEK Labs has tested the first public beta release of Whistler, which became available Oct. 31. They think it is 'stable.'" He points to a review at eWEEK, also playing on MSNBC. It's a bit of a mixed review, actually -- the review points out that by "leaving its Windows 9x code base behind, [Microsoft is] creating many potential Windows platform compatibility problems in the process," and notes of the included "remote help" feature, "[G]iven Microsoft's well-documented security gaffes, sites will have to carefully evaluate the potential security risks of such a widely deployed remote-control feature." Whatever its faults, this Windows-to-come is supposed to have improved type handling and other goodies which every other OS will inevitably be scrutinized for, including [your favorite]. -
FRG on W2K: No CoS
Anonymous Coward writes: "Germany pressured MSFT into removing the defrag tool in Win2k because it was developed by a software company whose CEO is a Scientologist. They were afraid there were security risks from using software from a Scientologist. No joke." The outcome of this bizarre and long-running story stemming from the interaction of Germany, Scientology, and programming, according to reader telstar, is that "Microsoft has decided that they would provide step-by-step instructions in German on how to uninstall this utility." -
Space Object May Be Killer - In 2030
Somewhere in the chorus, Bandwidth_ writes: "Time to start stockpiling those beans and working on your Y2K shelter again. Astronomers have confirmed that object 2000 SG344 has a 500-to-1 chance of hitting earth in the year 2030, a much higher probability of impact than any object before it. Scientists aren't certain what it is, but it's most likely a tiny asteroid or it could be a leftover Apollo rocket booster. It is not a major threat, damage would be contained to a localized area in the 1 to 3 megaton range if a collision were to ever happen." As jamie points out, this probably ought not worry you unduly, but it is the first nonzero-rated object on the Torino scale. N2UX points to an MSNBC article on the object which points out that the threat has now been downgraded to a more comforting level. -
Different View Of MS Code Theft
LowneWulf writes: "I found this to be an interesting perspective of the previously-mentioned M$ hack, from this article from MSNBC. State of the art security? Companies held for ransom from stolen code? Notorious multi-million dollar thieves out of Russia? Anyone heard about these? How about how someone who had the ability to create accounts on the network, if the incident only did last a week as the article implied, could only perhaps have a 'brief glimpse of the source code.' I don't know about you, but even on a 2400 baud modem, I think I could probably download more than a glimpse." Among other things, this story hints that MS may have been compromised through an employee's home computer, and quotes Howard Schmidt, Microsoft's corporate security officer, as having ruled out a connection between the recent breaches from ones in September. -
Microsoft Cracked
Lyserjic seems to have been first with the news. Some linkage: CNET. CNN. AP. MSNBC. BBC. MSNBC's story is a copy of the Wall Street Journal article which apparently broke the news - it's the most complete. What's known - the passwords were being sent to St. Petersburg, Russia. They probably had access for about three months.