Domain: thestandard.com
Stories and comments across the archive that link to thestandard.com.
Stories · 238
-
Everything I Needed To Know, I Learned From "The Sims"
There's a great article by JC Herz about The Sims and its implications for information architecture versus urban planning. Cool article - I've certainly planned a lot of The Sims, and can testify to its addictiveness. The whole aspect of involving the community with "skinning" and object creation - in an environment *designed* to accept it has made the difference, IMHO, for the game. -
X-Box Name Dispute In The Works
Machina writes: "Seems Microsoft was a little late in claiming their X-Box Trademark. "Microsoft (MSFT) could face a legal challenge to its use of the Xbox name for its forthcoming videogame console. Microsoft filed its claim to the name with the U.S. Patent and Trademark Office on Oct. 18, 1999, but a Florida company registered its use of the Xbox mark with the USPTO on March 10, 1999. " -
DoCoMo Eggy: Phone/Video/Email Cuteness
Scott_Marks writes: "In the fine tradition of the previously-reported finger-phone, DoCoMo has brought out their Eggy! The Babelfish translation is, as usual, a total hoot." I'm a little confused about what this thing will do to your poor "knitting machine," but imagine a baby-blue Nintendo controller with a built in camera, a small LCD and a nice chunk of RAM, equipped with a Web browser. And for anyone who laughs at the fingerphone, I had a chance to use one of these in October courtesy of a DoCoMo representative in Atlanta, and called home with surprising clarity. So maybe this little thing isn't so crazy ... -
Slashback: Ghana, Graphics, Tumors
News for those in the (large?) corner of the giant Venn diagram we all inhabit blessed with both a noticeable social conscience and computer skills, as well as the time to devote to some travel abroad; Good news for everyone whose number travels with them; a tad more on background of the 3dfx merger; and what appears to be the unraveling of eToys. All below, in tonight's Slashback.
The few, the proud, the adventurous, the dorky. Elvis Maximus writes: "Geekcorps has been mentioned here before and met with some interest. Their first batch of volunteers are winding up their tours in Ghana, and the Industry Standard has run a nice piece on their experiences. This is an interesting effort that deserves some attention."
Congratulations (and admiration) to those who participated in this. GeekCorps is good stuff.
Remember, saliva causes stomach cancer ... ByteHog points to this AP story about the alleged connection between cell phone use and cancer, writing: "Kinda interesting, but I'm still going to be wearing tinfoil around my head whenever I make a call ..."
This issue has been raised for years, with no clear winner. The upshot from this study is a data point for the null hypothesis, but inevitably this will drag on, and the next study to become famous will probably be one that contradicts this. Don your tin-foil, kneepads and breathing masks, until fatality is cured.
Resistance is futile, for now. Fervent writes: "Gamecenter has an interesting article on why 3DFX collapsed. Among the reasons cited: the proprietary API Glide, not allowing OEM's to sell Voodoo hardware, and NVidia's aggressive product cycle." This makes an interesting followup to the recent announcement of the absorption of 3dfx by NVidia.
Play, play, play, and be gone with ye! Greyfox writes: "According to USA Today Etoys is putting itself up for sale. It's the standard dot com failure story. It'd be delicious irony if the folks running the Etoy domain they sued a while back bought their domain name." DarkKnight points to this link at CNET as well.
-
Yahoo! Now On France's Minitel System
RomulusNR writes: "Just posted to the Dead Media e-mail list this week, a story that Yahoo! is making a version of its site for the Minitel. Makes sense; take advantage of existing infrastructure instead of trying to reinvent and replace it. And after last week's story about the Gopher Manifesto, I wonder if we will see a Gopher version; after all the text-only, line-by-line interface is common to Gopher just as it is to WML devices and Minitel. And Minitel's older, isn't it?" -
RIAA Offers More Details Regarding Online Royalties
DorianGre writes "The following story in The Standard as well as this follow-on at Gigalaw announce RIAA's intention of controlling the royalties of all downloadable music on the Internet. These are the same people suing Napster and MP3.com. Stand up now for true copyright protection as afforded under the U.S. constitution or risk giving it up forever to global monopolies such as this." -
Student Gossip Sites
An Anonymous Coward writes: "The Standard has a brief article on student Web sites and the schools that try to shut them down. The good news: it appears students prevail in court most of the time." No kidding. Students have rights too. -
Copyrights Rule
Lawrence Lessig offers a diatribe on the strange distinction the court system draws between different types of speech infringement. For anyone who's ever wondered why the good guys won the CDA case but lost the DeCSS case... -
DoCoMos Finger Phone
A reader writes: "DoCoMo has done it again. This time they have a phone where the speaker is your finger. Put your finger in your ear and listen as you speak into the mic which is integrated into the wristwatch. Also in the wrist watch is some sort of gadget which sends the sound waves up your wrist and into one of your fingers." Thanks to Cubase de Pilsen for sending me a link to one of the pictures. -
IOC To Olympic Athletes: Online Diaries Verboten
joshstaiger writes: "An article was posted here on Slashdot a while back about the International Olympic Committee's banning of many forms of Internet broadcast of the upcoming Olympic Games. Now they are going even further, forbidding athletes to keep online journals of their experiences during the games under the reasoning that the athlete would be acting as a journalist (and therefore outside the IOC's nice little ring of corporate sponsors and media giants). Check this article from thestandard.com: IOC Bans Athletes From Net Storytelling." Also, note that athletes may not wear "branded clothing of unauthorized sponsors when receiving medals." Don'tcha love that true spirit of amateurism and admirable, personal ambition? -
Amicus Brief For Napster -- From AT&T And Friends
HiyaPower writes: "The Standard has an interesting article about the amicus filed today by some fairly heavyweight industry folks (e.g. Yahoo, AT&T, etc.). While they are a bit wishy-washy about Napster itself and the standard of "higher knowledge", they are quite concerned that the ruling in the Napster case could be applied much more broadly against ISPs in general. The RIAA brief is due Sept. 8, so it will be a bit before they go at this again, but this is getting beyond just the Napster vs RIAA stage of involvement in concern by company lawyers, as well it should." Seems like some appropriate self-interest is involved here -- after all, bad laws may benefit a few folks, but the reality of arbitrary shuttings-down is one that large ISPs and most others don't really want in the long term. And if new technology is outlawed on the basis of its possible disreputable use, its potential good will be blithely overlooked. -
The World's Most Secure OS (?)
Anonymous Coward writes "Titled The World's Most Secure OS, this article in The Standard talks about what is needed to be "Secure by Default"" Probably the best OpenBSD article I've read in recent months. Theo doesn't pull his punches (then again, he never does), in particular, discounting the "more eyes means better security" philosophy. Then again, he's probably right. [ Update: noeld wrote in with a link to a similar article at rootprompt.org. Must be something in the water. ] -
Default Behavior: Piranha vs. Microsoft SQL Server
Do you remember the Piranha debacle back in April? Welcome to Part II. Last Tuesday, it was revealed that Microsoft SQL Server 7.0 is shipped with a default password - just like Red Hat's piranha module. Unlike Piranha, SQL Server is very common software for large e-business websites. Unlike Piranha, the vulnerable software has been shipping for months. Unlike Red Hat, Microsoft refuses to take responsibility for their mistake, which, unlike Red Hat's, has resulted in actual documented break-ins, some at high-profile websites. So why haven't you read about it? Because unlike Red Hat, Microsoft is getting a pass by the media.
Piranha is web clustering/failover software that was released in April by Red Hat without much QA. It somehow went out the door with a default password ("Q") and without docs explaining in big bold caps that it must be changed. If you installed the Piranha RPM without reading the docs carefully, you had a security hole on your site.
The hole allowed an attacker to come in over port 80 and execute arbitrary commands as the Piranha user, which would have been the web user. Typically that's a nonprivileged "nobody" account. While this is never good, let's just note for the record that this is a read-only exploit unless the webserver is very poorly configured.
The media flipped, in a word, out.
Piranha: A Case Study
On April 25, Computerworld announced that the "backdoor password ... could allow an attacker to compromise a Web server and deface and destroy a Web site." Informationweek and Internetweek both warned about "a back-door security flaw that carries ISS's highest danger rating." MSNBC/ZDNET ran the story as "Red Hat Linux open to backdoor password" and explained "there's a backdoor account in Red Hat's Linux that would let a computer intruder access and alter files." The Standard's early report on April 25 wasn't too bad but attacked -- as all reports did to some degree -- the strawman myth that open source is inherently secure. At least it didn't use the word "backdoor." Newsbytes was pretty much the same.
"Backdoor" implies that the flaw was deliberately inserted, by a thoughtless or even malicious programmer. Why did most stories incorrectly use that word? Mostly because that was how it was described in the press release. A security firm called Internet Security Systems found the flaw on April 24 and sent out a security advisory that used the term four times by the end of the first paragraph.
ISS also made some interesting statements when speaking to the press about the vulnerability. Oft-quoted was a line about open-source being both a blessing and a curse (the media loves "on the one hand, on the other hand"). I also liked this comment from their research director:
"There's limited quality assurance in the open-source environment," says Rouland, "because open-source software is basically a bunch of peoples' hobby."
Of the early stories about Piranha, the best one I found was Henry Kingman's ZDNet piece on April 24 (both early and accurate: amazing). CNET's on April 25 wasn't bad either, though they let ISS lay down the anti-open-source and pro-Microsoft propaganda a little thick.
In the days to come, the story didn't change much except to note that Red Hat -- correctly, as it turned out -- denied the seriousness of the vulnerability and tried to explain that it wasn't really a backdoor. Inter@ctive Week's Charles Babcock did such a piece on May 1.
Computer Reseller News still called it a backdoor on April 27. And NetworkWorldFusion's report and Informationweek's followup both came out on May 1, both got the important facts right, but both still called it a backdoor.
ClieNT Server News ran an article in their May issue explaining "Red Hat Red-Faced." I'm not about to pay to read the whole thing. The free synopsis that's available smirks at how "embarrassed" the company must be, and ends: "It seems that Red Hat left a back door in," dot, dot, dot.
The Standard had a second, fair piece that eschewed the term and even, after quoting the line about open-source being a "hobby," gently suggested otherwise.
But the gold stars go to just two good reports. SecurityFocus' Elias Levy, on May 1, turned the spotlight on ISS by pointing out how they "...can make headlines by using the right jargon, even when it's wrong." And Linux World News' Liz Coolbaugh, who had weighed in a few days earlier, questioning the media's coverage in her story "Red Hat Security Hole Not a 'Backdoor'."
If you find any more stories about Piranha, post them below. The Red Hat-bashing pretty much came to a halt a week later, when a little Microsoft-specific email virus named "ILOVEYOU" did a few billion dollars' worth of damage.
(Breaking news: all charges dropped; to quote 10,000 Maniacs, "who ya wanna blame?")
Microsoft SQL Server 7.0
You've heard about the SQL Server vulnerability, right? The one found on Tuesday, six days ago?
Well, no, you probably haven't, unless you read NTBugtraq. Even the maintainer of SecurityPortal's Microsoft Security Digest missed it this week (don't worry: I dropped him a note, he added it).
As the cracker Herbless describes it:
"It has come to light that it is now common knowledge that MS-SQL has a blank 'sa' password by default. This seems to affect a _lot_ of servers on the internet."
A default password vulnerability? Sounds familiar, doesn't it?
Here's Herbless's description and exploit code, posted to BugTraq last Tuesday. And here's Microsoft's acknowledgement, posted on Thursday.
Herbless wasn't kidding when he said it affected a lot of servers. If you're running SQL Server 7.0, with a firewall that doesn't block its port, and you haven't changed the sysadmin password, you're vulnerable.
As he described it to me, unlike Piranha's vulnerability which gave read-only access as an unprivileged user, this one typically gives access as "BUILTIN\System." I don't speak NT, so he had to describe to me what this is: "god-like powers ... greater than those of even the 'Administrator' user."
In other words, you have been 0wn3d.
You may be thinking that this is a vulnerability. Go back and read Microsoft's acknowledgement again. They say quite clearly, "The code does not exploit a vulnerability."
Does it confuse you that what was previously a "backdoor" is now not even a "vulnerability"? That threw me for a loop too -- as well as some of Microsoft's other disclaimers, which only make sense when you realize you're reading non-sequiturs about the newer version SQL Server 2000 (the vulnerability only affects SQL Server 7.0).
All will become clear, though, once you read this story from vnunet.com -- the only media story I've seen, by the way. The fault lies with the website administrators:
"Hacked websites 'didn't read the manual'
"Microsoft has blamed administrator error, rather than a bug in its software, for leaving hundreds of websites running SQL server open to attack this week."
Did they say hundreds? Yes, hundreds, at the very least. And did they say "hacked websites"? Yes -- this is not a theoretical vulnerability with no known attacks, like Piranha was.
All this month, Herbless has been cracking into websites like the National Transportation Safety Board and leaving edgy political messages (while backing up the original files and telling the admins how to close the holes). He confirmed to me that all his attacks, including the Fish and Wildlife Service, the UK's Adult Learning Inspectorate, and the Commonwealth Telecommunications Organisation, were done by exploiting Microsoft SQL Server.
Just to make the story that much better, according to Herbless, the default configuration of SQL Server 7.0 also has logging turned off -- in which case a successful attack would leave few if any tracks.
Sites are lucky if their webpages are hijacked; that way they know to fix the problem, format and reinstall. But some of those "hundreds" of websites running the vulnerable installation have surely been cracked by black hats who quietly installed Back Orifice or a similar remote-exploit program. They can set an SQL Server password, but it won't help them: they'll still be 0wn3d.
The proper fix would be to force the password to be changed before the software can be used, as piranha now does. Wayne Sowery of MIS Corporate Defence Solutions confirmed for me that "versions up to SQL Server 2000 do not ask for the SA password during installation ... we also tried various install options such as 'typical' and 'custom,' neither prompted for a new SA password." Incidentally, he too questions whether this is properly described as a "vulnerability," but I'm not sure what else it could be called.
The lesson here is that the media doesn't treat security reports very fairly. Some organizations have their own selfish reasons to push one agenda or another. (Like Slashdot? You bet. But you know where we stand.)
The motive doesn't have to be that devious, though sometimes, of course, it is. If a reporter gets to write a story that questions a core belief of Linux zealots -- whether or not it's actually a core belief, and whether or not they're actually zealots -- that will be much more attractive than simply reporting security news. The nitty-gritty of security news, after all, is rather dry.
So next time you see a biased polemic about system security, or even a small media feeding frenzy about the latest exploit, take a moment to ask why it's being reported outside of the admins' mailing lists. Open source software is still a new idea to many in the traditional news media, and that means that it's a hook for them to hang any kind of story on -- good or bad.
-
UK Passes Surveillance Law For ISPs
NoiseLesion writes "The Standard has reports on a new bill granting surveillance privileges to a new arm of MI5. Carnivore looks tame compared to this." -
Razorfish Sued For "Shoddy Web Site"
GusherJizmac writes "I know it's not totally on subject, but Razorfish is currently being sued over the website they did for IAM. IAM claims that "Razorfish breached the Agreement with IAM.com by delivering wholly inadequate deliverables and services." Could this set a precedent for the quality required for custom built software?" I dunno, maybe it's because of the time I spent working at a web design place, but this just seems funny to me. Update by RM 5:32 p.m. EST: link and typo corrected -
Slashback: Bits, Bytes, Words
Do you want an i-Opener, and for how much? Are space-vehicle rescues "your thing"? Does your cute iMac suffer from a video-game-violence deficiency? Do your Web habits stray to courtroom and crime-scene voyeurism? Do you think that online privacy agreements must of needs outlive the dot-com-ephemera which offer them? If Yes to any or all, you've come to the right place.
Money changes everything. After numerous writeups about the hacking potential of their iOpener device, Netpliance changed their service model and even the design of the product itself. Sounds like that wasn't enough: Cy Guy writes: "Netpliance has announced that they are raising the price of the i-Opener from the introductory price of $99 to $399 (neither price reflects the $21.95/month cost of Netpliance's Internet service which must be used with the device.) In a c|net interview Netpliance president Kent Savage dismissed hacker modifications to the device as a factor in the price increase." As Ioldanach puts it, "Think it's 'cause they finally realised it was cheaper to raise prices than 'hack-proof' their product?"
What I'd like to see is Netpliance package the LCD and CPU of the i-Opener and sell those packages to OEMs, so they could create custom housings, new uses, etc -- after all, lots of people would like a small LCD X-terminal.
MacGuyver, The A-Team, NASA ... Grave writes: "Looks like NASA got DS1 functioning again. A probe that was almost entirely made up of experimental technologies can be salvaged, yet two hopefully-soon-to-be-routine flights to Mars can't be. Ah, well, at least we know that Ion Engines are workable. Bring on the TIEs!"
TRUSTe dusts off the white hat for a bit? Last week, a story appeared which noted the alarming news that failed web-merchant Toysmart planned to sell its customer information in an effort to recover some money. According to this Standard story, "The nonprofit organization TRUSTe announced Friday it is planning to file a brief in bankruptcy court that will decide whether Toysmart.com can sell its customer lists." Jamie raises two points to consider:
- Time will tell what effect (if any) TRUSTe's planned brief will have on the Toysmart bankruptcy proceedings.
- The company that bought Boo.com insists they will continue to honor the old privacy policy for old customers.
Maybe we could combine this with 'Survivor'? jgalvin222 writes "APB Online, Inc. has filed for bankruptcy. This web site is known for offering in-depth breaking news, tons of information on ongoing investigations, and you can listen to live police scanners. This web site will surely be missed, and if you read the article, you can see that some of their techs have volunteered to post crime and safety articles over the next couple of weeks - without pay. If anything, you should peruse their video library, some of the clips are both amusing and interesting."
The Devil will find work for idle hands to do. Ryan writes: "Here is something to keep us Mac fans happy. Go2Mac reports that Diablo II has gone gold for Mac version, making this one of the quickest PC to Mac conversions ever." Here is the official announcement from Blizzard.
-
U.S. DOJ Moves To Block MCI/Sprint Merger
Janthkin writes: "It seems the U.S. isn't going to allow MCI and Sprint to merge after all, so they WON'T be creating 'a telecommunications and Internet giant, one that would carry more data traffic than any other carrier and that would have left the U.S. long-distance market with only two major competitors instead of three.' (Text from the Standard story here). CNN coverage here." The U.S. side of the merger is not completely ruled out, but this seems a strong blow against it. -
The Great Internet Con
Imagine a preacher-turned-conman starting a company that claims to have developed a new, high-compression method of delivering full-screen video over the Internet. Imagine mandatory 36 hour shifts and prayer meetings. Imagine investors pouring millions of dollars into this venture, and high-profile executives joining the company in hopes of getting rich when it goes public. This is an astounding story, told in great depth by The Standard. Pixelon, the company in the article, has been mentioned in Slashdot once before: when they sponsored The Who's live reunion concert and webcast last October. -
Tech Industry Warns Of Memory / LCD Shortage
yankeehack writes: "Oh Joy! The Standard published this article which explains predicted shortages of critical memory and LCD components (resulting in - of course - higher prices and delayed product launches). Component makers including Intel, Hyundai, NEC and Sharp Electronics are among those quoted for the article. Those afflicted by the shortage include Nintendo's Game Boy Advanced handheld console (Does anybody *still* use those?) which will be released 6 months late and mobile phone manufacturers, who are having trouble getting the hardware for all those nifty features they advertise." -
Lessig On DMCA, Adobe, The US Constitution And Fair Use
-
Kerberos Loophole May Be Closed/Apple Getting Kerberos
Paul Boutin writes "The Industry Standard talked to Kerberos' principal author and all-around ubergeek Clifford Neuman about his proposed rewrite of the IETF Kerberos standard (RFC 1510) to close the loophole Microsoft has been using to create a non-interoperable version." It also looks like Apple will be bringing Kerberos to OSX, in partnership with MIT. -
Will This Genie Ever Go Back In The Bottle?
MP3.com was bloodied Friday. As of this writing, the online music service is trying to negotiate a settlement with RIAA. A U.S. District Court ruled Friday that the site's My.MP3.com storage service violated copyright law. But the music-user rebellion sparked by this landmark technology is by no means over. The manner in which music is disseminated has been changed for good, whether record labels acknowledge it or not (and over the weekend, a few executives actually did). Without a settlement, the recording industry is in danger of blowing a historic opportunity to protect artists, make money, and capitalize on, rather than shun, the information distribution tools of the future. P.S. Who are the pirates? A record exec e-mails me this a.m. that it cost about 50 cents to make a CD, for which consumers pay $16.95. (Read more).
For several years now, the distribution of free music online has been evolving into a bitter, costly and significant test of whether new information technologies will change the nature and meaning of copyright, or alter the ways in which culture and ideas have been owned, marketed and distributed. The Net has made possible, for better or worse, the free acquisition of music and other kinds of intellectual and creative products.
MP3 technology -- a format which jumped from obscurity to ubiquity in 1999 -- has turned out to be revolutionary. Millions of people whose access to music was previously limited to radio and CDs suddenly had instant and free access to much of the music recorded in modern times. MP3 sparked a cultural and economic revolution that is just beginning to be understood.
An entire generation has grown up seeing the acquisition of music as a right. This generation has a voracious appetite for music, something that should please the makers of it. Industry executives and many artists, of course, see the way they satisfy that appetite as nothing more than a pervasive form of thievery.
A number of artists have bitterly complained that the downloading of music on sites like MP3.com is simply piracy. They have criticized writers like me (with justification) for not highlighting artists' rights as well as those of music lovers. Friday's ruling by a federal judge against MP3 was the clearest and most powerful blow yet struck against the by-now deeply ingrained tradition, especially among younger music lovers, of acquiring vast music libraries for free. MP3.com could face stunning penalties.
At issue is something complicated and important, something not taken into account, or even acknowledged, by the Federal court ruling. There is hardly anyone reading this who hasn't acquired some form of free intellectual property on the Net, from music to text to software. Artists definitely have a right to be paid for their work, but branding a whole generation of music fans thieves seems simplistic, even self-destructive.
The question now becomes political and cultural, as well as legal and technological. Judge Rakoff issued a startlingly brief order Friday holding MP3.com "liable for copyright infringement." The suit, brought by RIAA (The Recording Industry Association of America), a consortium of the world's largest record labels, seeks to shut down MP3.com. But over the weekend, some music industry officials, including Paul Vidich, an executive vice president for Time Warner, said RIAA wasn't trying to put MP3.com out of business as much as force it to change.
The court found that MP3.com had violated copyright law by creating an online database -- MyMP3.com -- of 80,000 major label records. The ruling doesn't affect the use of MP3 compression technology (not owned by MP3.com) to make copies of music via the Net.
It follows a growing number of lawsuits -- some by recording artists like Metallica and Dr Dre -- against Napster. RIAA also has a suit pending against Napster in federal court. MP3.com shares dropped sharply in late Nasdaq trading Friday afternoon.
As strong a victory for the music industry as Judge Rakoff's ruling sounded, it seemed both short-sighted and far from clear cut. MP3 has altered the music industry for good. Shutting down MP3 and Napster would hardly mark the end of the battle.
"The shame here," a dissident, savvy music industry executive said in a phone interview over the weekend, "is that the record labels could have embraced MP3 and Napster, rather than going to war against them. What they don't grasp is that while piracy issues have a lot of validity, Napster constituted a rebellion against monopolistic music industry practices and greed, as well as a copyright problem. Instead of reforming, and grasping a real chance to change, the industry simply used the most heavy-handed method in dealing with these issues. Those of us who know the Net know this ruling will last for about a week. Piracy issues aside, the industry has a full-blown rebellion on their hands. These kids are never going back to the old way of buying music. We need a new system that responds to them and really does protect artists."
There were hopeful signs over the weekend. Danny Goldberg, one of the industry's most enlightened execs, and chief executive of Artemis Records, an independent label that releases CD's and runs Internet radio and music subscription services, said of music-sharing: "It seems counterintuitive, but an increase in free downloads coincided with an increase in paid sales. Particularly among the young audience, the people who are most wired, the evidence is that it's bonding a new generation to music." Goldberg's comments suggest that at least some leaders in the music industry grasp that new transmission technologies could be good both for the music industry and for artists.
History suggests that once new technologies like MP3 and Napster exist, they will be used and replicated. Many music industry executives believe the recording artists would make more money, not less, if they embraced digital music-distribution technologies. When the record labels went after MP3, the industry triggered the Napster rebellion. Napster software, spreading wildly on the Web, allows MP3 users to share files. If suits against Napster are successful, why wouldn't yet another technology crop up? In fact, it already has, in the bumper crop of programs both client and server which basically treat the Internet as a searchable and vast remote filesystem.
Pretending otherwise doesn't protect the rights of artists, it simply sets them up to get ripped off forever, and needlessly politicizes the tradition of free music among younger consumers. Selling music more innovatively just might permit artists to get paid and let consumers keep their new-found ability to acquire more music for less money.
Brian Ploskina of inter@activeWeek.com quoted Gene Hoffman, chief executive of EMusic.com, an online MP3 store and showcase, as likening the free music legal battles to prohibition, doomed efforts to restrict the sale of liquor. "In the 20's," he said, "people made a lot of bathtub gin, but they don't do that today because they can buy it for $20." His well-taken point is that music-downloaders would probably pay for music too, if the prices were more affordable.
It was an apt analogy. The music industry and the Temperance movement both thought they could legislate the social tastes and desires of millions of Americans. Whether they have merits to their arguments or not, history says their task is impossible. Recent legal actions make it likely that key distribution points for both MP3 and Napster -- particularly universities and other institutions that till recently have allowed music distribution software on their servers -- will be shut down. Others will obviously emerge. The legal actions won't stop the proliferation of music-transmission software, or the epidemic resentment and anger at the way the greedy record labels operate. The music industry is in the odd position of winning one court ruling after another while alienating an entire generation of customers.
For years now, millions of music lovers have been acquiring diverse kinds of music for nothing, making music more popular than ever. In 1999, the record industry posted an 8 percent growth in revenue -- from $13.7 billion in 1998 to $14.6 billion in 1999 -- while the number of audio and video units sold rose from 1.12 billion to 1.16 billion, according to RIAA statistics. Many executives believe those numbers would have been higher if the record industry were using MP3 for sales and promotion. Hundreds of music-sharing sites exist all over the Net and Web besides MP3 and Napster, including ones which take advantage of instant-messaging systems and privately-built and run Web sites.
Do recording executives really believe that music fans will suddenly give up on acquiring diverse and numerous forms of music for free and go back to buying a handful of expensive CDs a few times a month? That wouldn't protect artists' rights or those of music lovers. This digital genie isn't going back into the bottle. Successful negotiations between MP3.com and the music industry would be the sanest step yet in the music wars, and a healthy precedent for other businesses who sell intellectual property as well as artists.
Note from timothy: Thanks to twiin and other readers who sent word of Metallica's upcoming online chat tomorrow (2nd May 2000) as part of an ArtistDirect promotion, where you can tell them what you think directly. I quote: "Hold nothing back: this is Metallica, after all. They can take it." -
'Battling Censorware'
Lawrence Lessig has written a short and sweet essay, Battling Censorware, explaining why the DMCA allows Mattel to claim the rights to CPHack. He hits the nail on the head. I found myself reading this sentence over and over: "code that cracks a protection device is criminal under the DMCA even if the use of the copyrighted material that the code enables would be fair use." -
Reactions to AOL/Time-Warner Merger
"AOL and Time Warner Merge" has been a huge front-page headline in most U.S. newspapers and on news Web sites everywhere, and it has been on the minds of many people in the media business both online and off. For reactions to the merger from a wide selection of journalists and other concerned people, please click below.
"There is absolutely nothing in Steve Case's background that suggests he is particularly well-equipped to lead a new kind of unimaginably complex media conglomerate into the 21st century, and Wall Street analysts who are so blinded by the hype surrounding this deal that they fail to consider it carefully are likely to be sorry. Along with some of the other arrogant lynchpins of the digital economy, AOL would rank tops among companies that have routinely exploited and mis-handled their dependent customer bases. Could there be anybody alive in America who hasn't personally experienced or known many people who have personally experienced the interminable cut-offs, waits and disconnections that have, from the first, been a staple of the way America Online has done business? How many times has Steve Case had to go on his own online service to apologize for delays and problems brought about by a company that prized growth well ahead of honesty and service?
"Are consumers really well served when one company controls more content and access than any other company in the world? Is individualism, free expression, diverse opinion advanced when the information economy breaks down into two or three "old and new" media conglomerates that control virtually all of the archived news and entertainment information online, and increasingly, the means to deliver it?"
Wayne A. Martin, News Manager, Amiga.org:
"Smaller niche websites could be pushed further into the shadows by mega-media companies like AOL/Time Warner that have almost unlimited Internet and television promotion resources they can use to boost their own websites. But on the good side, the merger between AOL and Time Warner seems to go hand-in-hand with AOL's recent deal with Gateway to use Gateway's new Information Appliances based on Amiga technology. This could open the doorway to Information Appliances in the market place a lot quicker than many might have expected. With Gateway, Amino [now Amiga Corporation] and probably others able to produce this type of machine, this could possibly be the fatal blow to MS that many have been waiting for."
Brock Meeks, MSNBC correspondent:
"The bottom line of this proposed deal is nothing more than crass commercialism. What a huge advertising coup this is for Bob Pittman of AOL, he must be drooling at the thought of how to put AOL's nefarious 'pop-up' ads on CNN and print via Time magazine. From a public policy perspective, this venture is D.O.A. as well: no company should be allowed to own the content as well as the conduit. Despite the rosy promises from AOL's Steve Case that 'all comers' will be welcomed to compete on the new venture's cable Internet access system, it remains to be seen just how stalwart Case remains in backing up that promise. Remember, this is the same Steve Case that, under oath during his deposition in the Microsoft antitrust case, swore with a straight face that 'We are not a competitor to Microsoft.'"
David Cassel, Editor, AolWatch Newsletter:
"Here's a reason to fear AOL's control. AOL blocked delivery for the last edition of the AOL Watch newsletter. Did the newsletter's 25,000 AOL subscribers trigger an overzealous spam filter? Or was it that this edition was the first to remind users of the phone number for discontinuing service. (AOL had kicked the ACLU off the service after six years, and there was discussion about cancelling accounts en masse...) Either way, remember: Whoever controls the wires can control the content."
Marty Bass, Morning Edition co-host, WJZ TV (Baltimore):
"I can't imagine that this merger will in any way affect local news gathering or viewing. To duplicate the job we do would require setting up a newsroom. I mean, let's face it; with streaming audio and video you could do a 6 PM News, but this would require a ton of cash, and the local stations already have the major headstart, not only in style but in established viewing. This would be an expensive proposition that would not bear fruit for longer than the 'bean counters' could stand.
"Also let's just say that my station which is a CBS O&O, (CBS already provides news to AOL) put our newscast on-line. Would this change the way our competition does news? No, the primary audience is still watching over breakfast or dinner or in bed at 11. The smaller on-line audience would essentially be getting a big promo for the big shows."
Chris Johnson of airwindows.com:
"What with AOL consuming Time Warner and threatening the stability of the world and all, it seemed to me that it would be good and proper to seek the lighter side of the matter. Here is a short quiz. Identify the proper AOL Spokesmen for the following phrases...
'You've, I say, you've got mail, boy!'
'We are going to buy ICQ because it obstructs our view of Venus!'
'Nnnnyou've got mail, Doc!'
"These are of course restricted to classic WB cartoons. But the fun of it is, AOL now owns most of Western Media! :P - so the field of potential spokesmen is almost infinite!"
Alice Hill, Editor, CNET Online:
"We don't really view either company as a competitor. We did a major deal with AOL in 1999 to provide our content for the computing channels on AOL.com, netcenter.com, compuserve.com and the computing and Internet channels on the subscriber services AOL and CompuServe. Over the past year we have enjoyed the relationship, and the audience. At this point, the notion of adding Time Warner to the mix makes it even better."
Carl Steadman, columnist, The Industry Standard:
"The lesson is clear: send out enough pieces of direct mail and you, too, can own the world."
For links to many more opinions on the AOL/Time-Warner merger, please see this excellent page put together by long-time online writer and media critic Steve Rhodes.
-
RealNetworks Sues Streambox.com
Line Noise writes "According to an article on TheStandard, RealNetworks is accusing Streambox of violating the Digital Millennium Copyright Act with its Streambox Ripper and Streambox VCR. These products allow you to download and convert a RealAudio file into a MP3 or WAV, bypassing RealNetworks' protection against piracy." -
Details About New Crypto Export Regulations
Codex The Sloth writes "The Industry Standard has a story about industry feedback to the Clinton Administration's new Crypto Regulations which are being developed behind closed doors. Evidently it requires high security like Hillary Clinton's health care reform plan..." Worth a read. It sounds like we're getting somewhere, although not everywhere. -
Red Hat Has a Rocking Week
bgarcia writes "There is a PR Newswire story stating that Red Hat and RSA Security have signed an agreement to include RSA's BSAFE SSL software in Red Hat Linux Professional Edition." And Wired tells us Red Hat is coming out with a new version that improves large system performance and speeds crash recovery. (Click below for more) Plus, earlier this week we read about the e-commerce product they're working on with Oracle and their rumored Cygnus acquisition. Hot stuff, especially for corporate Linux users.
It looks like Red Hat is back on track, doing great Linux stuff, instead of fooling around with peripheral things like their Linux version of MSNBC (with Salon, The Industry Standard, and The Register jointly playing NBC).
According to a friend of mine who dabbles in the stock market, Red Hat's stock is up nicely as a result of their decision to go back to doing more of what they do best: improving Linux and extending its marketability.
Mazeltov!
-
FCC Leaves Broadband Alone
DaPhreaker writes "As reported by The Industry Standard in this article. The F.C.C has decided to take a hands off approach on the broadband market." While I would advocate opening the lines up, I think the FCC may have adopted the best position for the next six months - let things sort themselves out more, especially in light of the rising battle between DSL and cable. -
DOJ Fights Hackers with Brainwashing
OKolzig37 writes "I won't even bother to comment on this one: Justice Department begins antihacking campaign. Oh brother." Now kindergarten classes (the campaign is targeted to kids 12 and under, obviously an extreme threat to national security) will be visited by McGruff the Crime Dog, Smokey the Bear, and Mitnick, the Anti-Hacking Gerbil. Maybe someone should tell the DOJ that the reason for our current national prosperity is a generation of kids that grew up...hacking. The original press release is online also. -
Three little words - You've been sued
Kris_J " ...reports that AOL is suing AT&T for the use of some e-mail related phrases, including "you have mail" and "you've got mail." H: AOL is also cranky about "buddy list" and "IM." Sheesh - I feel like I need to put a copyright by those. -
Linux Bails out Microsoft?
Easty writes "In the ongoing Microsoft vs. DOJ trial, it seems Microsoft's lawyers have finally found a new tactic - using Linux to save their collective butts. The lawyers now pointed out that Microsoft does NOT have a monopoly like the DOJ claims - they are losing ground rapidly to the Linux operating system. Will Linux be the point that saves Microsoft from the DOJ? Check out " it only took the efforts of thousands of programmers working an uncountable number of hours for free to compete. Yeah, they're not a monopoly. ok.