Domain: zdnet.com
Stories and comments across the archive that link to zdnet.com.
Stories · 2,686
-
Report From The 2600 Appeal Hearing
Yesterday in a toasty courtroom in lower Manhattan, Stanford Law School dean Kathleen Sullivan faced off against lawyers for the world's biggest movie companies and a lawyer for the U.S. Justice Department with oral arguments in the appeal of the 2600 case. One of the three judges hearing the case -- Jon Newman -- appeared to be the designated questioner. He asked nearly all of the questions in both this case and the ones heard earlier in the day. He probed both sides about equally, trying to find flaws in the arguments of whoever was speaking at the time. I'll cover the hearing below, and there are possibly a few areas where the Slashdot crowd could assist in the case.
Sullivan spoke first. She argued that since the DMCA restricts speech, under the First Amendment the government must narrowly tailor the law to only restrict those specific areas of speech that it is targeting. Furthermore, the government bears the burden of proving that the speech it is restricting is a problem in some way -- usually it does this by holding hearings, getting testimony, etc., in the process of passing a law. She noted that none of this was done for the DMCA, and that the DMCA restricts many areas of speech that cannot constitutionally be restricted.
She also made much of a rather telling fact: there is no piracy attributable to DeCSS whatsoever. Not one traditional copyright infringement has ever been attributed to DeCSS, and the movie studios admitted in the case that they could not produce even one example of an infringement due to DeCSS. (Technically-literate people may realize that mass DVD copying is performed by stamping complete copies of the DVDs, encryption and all, no decryption required, though that wasn't covered in the hearing.) But Sullivan jumped on this point for all it was worth and then some -- the judges seemed fairly skeptical about accepting it, trying to insist that widespread and massive copyright infringement due to DeCSS must be occurring, somehow, somewhere. It just must be.
She ran into her first really hard question when she stated that computer programs were expressive, and the judge asked her to explain. Her answer was that programs were beautiful in and of themselves, that they could represent scientific research, that they could be poems, and that they could do things -- their functional nature. I felt the response was lacking. Sullivan managed to work in the recent ruckus over a Princeton scientist unable to present his work due to DMCA threats, which was cunning of her. If a Slashdot reader can create a pithy and short explanation for how and why a computer program is expressive speech and/or what it expresses, it might be useful.
Sullivan also argued that under free-speech precedent, if less restrictive alternatives were available to the government and it failed to use them, the law must be overturned. The judge mentioned the Audio Home Recording Act -- the law passed in 1992 which both implemented serial-copy protection in digital audio tapes and explicitly legalized home taping. Sullivan pointed to AHRA's serial copy prevention as an example of a law which restricted copying but which was not as restrictive as the DMCA turned out to be. This argument seemed to be pretty powerful with the judge.
The next point to be discussed concerned the injunction issued by Judge Kaplan, and his written opinion in the case. The Appeals judge made the point that the injunction could not be considered to apply to anyone except the specific defendants -- that is, just because 2600 was enjoined from posting or linking to DeCSS, doesn't mean that anyone else necessarily would. On the other hand, the reasoning applied in the opinion could be assumed to apply to other U.S. citizens wanting to post DeCSS. The gist was that Sullivan couldn't argue her case as if anyone would be enjoined from linking to DeCSS, but only regarding the specific defendants that were.
Finally they got to the idea of "dissemination," since the DMCA prohibits dissemination of circumvention devices. What does disseminate mean on the internet? The judge and Sullivan agreed that the New York Times is in the business of disseminating information (the NYT being today's quintessential example of "the press"). The judge asked if the New York Times intends to disseminate all of the information on every page it links to in its online edition. Sullivan said yes. The judge asked if the NYT specifically intends to disseminate every bit of info on every single page that it ever links to -- again Sullivan said yes.
Assistant U.S. Attorney Daniel Alter was up next. He started with a hypothetical: What if someone developed a program that could shut off the navigation system in commercial airplanes? What if someone developed a program that could shut off smoke detectors in public buildings? Surely, he said, the government could ban the publication of programs which were a threat to people's lives. He proceeded with the standard quotable rhetoric: DeCSS is a "digital crowbar." Hey, if you're a reporter covering the case and you don't understand it, at least you got a phrase that jumped out at you screaming to be quoted.
He then got down to the meat of his argument -- that the government can regulate conduct even if there's a speech component to it. He used the example of Giboney v. Empire Storage and Ice Co., a case where picketers (a constitutionally protected activity) were successfully prevented from picketing due to the functional intent of the picketing, which was apparently to violate certain laws relating to restraint of trade. Alter argued that the DeCSS case was similar -- the intent of distributing DeCSS is to promote violations of copyright law, therefore the speech part of such distribution can be ignored by the courts and the courts can focus on regulating actions without concerning themselves about speech issues.
Alter proceeded to postulate that the government has the ability to create and regulate a market in expression, and correct any market flaws that may exist. Viewed from this vantage point, the existence of the Internet and all of those unrestricted personal computers connected to it is one large market flaw which the government has the power to correct. He used the example of must-carry laws for cable systems -- cable television must carry local broadcast channels, and the official reasoning behind that is that otherwise cable systems would drive broadcast television into bankruptcy and the government is preserving a vibrant market in broadcast television through the must-carry laws.
He stated flatly that the problem with digital works is that they can be copied. He argued that the DMCA is actually pro-First Amendment, as a means to promote the market for digital works. So in the calculus of the government attorney, increasing the speech of a dozen movie studios at the cost of decreasing the speech of 260 million citizens is a win for the First Amendment.
The judge asked about the Audio Home Recording Act and serial copying -- why wouldn't the "no serial copies" approach taken to DAT recordings with SCMS under that law represent a less restrictive means for the government to promote copyright in the digital age? The attorney argued, of course, that the DAT law was inapplicable since it predated the massive growth of the Internet -- and this is where he pulled a fast one on the court. Alter stated that, due to the Internet, one only needs a single copy for "catastrophic" infringement, so even that one copy permitted by the Digital Audio Tape serial copy scheme would be too much. One copy, the judge asked? Yes, he said, just one copy and put it on the Internet and ... disaster. Apparently, in the attorney's world, once that lone copy is made, it pretty much automatically puts itself on the Internet with no further acts by any individual. The point Alter narrowly evaded is that the act of publishing a copyrighted work to the world is a copyright violation in the traditional sense, and is punishable under traditional laws.
So, the judge said, Congress needs a more restrictive technique to prevent copyright infringement because the Internet is now a factor? The DA claimed that it does.
The judge next moved to one of the most interesting questions of the day -- does fair use require access to a work in its original form? That is, one cannot excerpt a digital clip of a CSS-encrypted DVD, but one could point a video camera at the screen and create a clip, albeit of poor quality. Is that sufficient for fair use? This question has disturbing ramifications, depending on who is asking it and how it is answered. It seems odd, at first glance, to insist that one must be able to make fair use of a work in its full, unfettered, most-advanced, highest-quality form. But after thinking about it for a bit, I realized that anything else utterly destroys fair use. What if I could make clips of 256 kilobits/second mp3s, but the clips were at 16 kilobits/second? Would that be sufficient? Is a 16 kilobit/second mp3 even recognizable as music? What if book publishers could designate the Swahili version of a book as the "fair use" version, and completely shut down any quoting from the English version -- ("After all, you can still quote freely from the Swahili version; it may have a few words missing, and it's in Swahili of course, but you can still quote from it.") The judges seemed to be actually considering that filming a DVD movie from the television set or getting some macrovision-corrupted analog output might be sufficient for fair use purposes, and I hope they think it through and reject that idea entirely.
The attorney moved on to linking. He argued that 2600's actions ought to be examined in their entirety; that 2600 was effectively "shuttling" people over to commit a crime by linking to the DeCSS code. According to him, the entire conduct of the defendants should be considered to divine the purpose behind linking to the DeCSS code. If it were for some legitimate purpose, a link would be okay. But if the purpose were to "shuttle" people to commit a crime, that wouldn't be. The number of links would be important, the context would be important, and the intent of the writer would be important to this analysis. Search engines, according to the attorney, would be okay, since they are just providing lots of links without the harmful intent that the attorney felt was necessary. So apparently something like this:
"This is a scholarly discussion of DeCSS. We are a major media outlet, and would never encourage lawlessness, so this link to DeCSS is okay."
... is fine, while this:
"Hey all you l337 h4x0rz, come get DeCSS and use it to copy movies and watch them automatically distribute themselves via the Internet!"
... is not. How context works, I'm not sure. Certainly the vast majority of 2600's links that it has ever published are not "shuttling" people to copyright infringement -- the vast majority are for the standard journalistic purposes of disseminating information. But somehow under Alter's analysis, 2600 came up lacking while the NYT did not.
The judge cut deep with a hard question: "Can you prosecute a newspaper who publishes a list of stores where obscenity can be purchased?" The parallels to this case should be obvious. The attorney dodged the question with an outstanding answer: "Yes and no." He tried to go back to his theory of looking at the overall conduct of the newspaper, but it was clear that he didn't want to say "Yes, we can prosecute the newspaper for publishing the list of stores" but did want 2600's actions to be covered, and wasn't sure how to reconcile those two desires ... and neither were the judges. I'm not sure they bought his argument.
Finally, Charles Sims, the lawyer for the MPAA.
He had had time to pay attention to the previous efforts and tailor his argument somewhat. He tried to cover weak areas -- insisting, for instance, that no record of harm is required for Congress to regulate pure speech. He brought up the Congressional record (hearings, testimony, etc.) that pre-dated the DMCA, and said it showed "actual harm" to the movie industry.
Actual harm, the judge asked? "Yes. Actual harm," he replied. "Well, actual threat of harm." That got a laugh from the audience, and scored him no points with the judges. He didn't use the "digital crowbar" metaphor, but insisted that publishing DeCSS was like publishing the combination to a bank vault in a newspaper -- something which is not, as far as I know, a violation of any law, though it might well inconvenience the bank.
The judge asked this lawyer too the hard question about less restrictive means to accomplish the same goal and serial copy management. The MPAA's tactic was similar but slightly different than the U.S. Attorney's; the AHRA is inapplicable, he said, because Congress didn't take the Internet into consideration when drafting it. He also argued something that will make him no friends with the RIAA -- that motion pictures deserved more and better protection than music (so the AHRA serial copying wasn't appropriate for movies). After all, he said, motion pictures have never been subject to the sort of fair uses that music has, the copying and so forth. I suppose he doesn't own a VCR. This argument about motion pictures being more deserving than music seemed strangely surreal -- for the first several decades of motion pictures, they had much, much weaker First Amendment protection than other forms of speech because the courts considered them to be solely entertainment, and only an assortment of free-speech challenges to laws restricting them earned them the privilege to stand on a par with other forms of speech in the protection of the First Amendment. Now, the motion picture people are not only arguing that their form of speech is more privileged than others, but they're arguing that still another form of speech, computer programs, ought to be considered in that inferior, functional category that motion pictures worked so hard to escape from. It's a strange world we live in.
The judge asked whether the DMCA created a "permanent" copyright, or an effective extension of copyright. The lawyer smoothly dodged the questions by saying that movie studios could (not "would," but "could") publish works in unencrypted form when (if) their copyright on the work ever expires, or perhaps someone could use a decryption device then, since it would no longer be illegal under the DMCA to do so. The judge asked where those decryption devices would be, after all, they've been banned by the DMCA. The lawyer had faith that they would appear. So apparently: the fact that the studios haven't gotten encrypted content working in an impenetrable fashion yet means that they aren't screwing you out of your access to works when copyright expires.
In closing, the MPAA lawyer compared CSS to one putting a painting in one's living room or charging admission to a movie theater to see a movie. But the right to exclude people from your living room or a movie isn't created by copyright law, it's created by property law -- your home is your home, and you can exclude people from it to your heart's content. The MPAA's conception of property law was that the movies they release are essentially their home, and they have an absolute right to do anything they want with this property until copyright expires. It is a nice sleight of hand to conflate one's right to one's home, perhaps one of the most powerful rights a citizen has, with one's right to control how a movie is viewed in someone else's home. He seemed to be hoping that the one would rub off on the other.
In closing, Sullivan had a brief rebuttal period. Not worth going into; she tried to call the other two lawyers where she thought they went too far astray and she could zap them.
The judges took the case. They also requested one last brief from both sides, due by May 10th, to cover anything that came up at the hearing and the parties think needs to be explained further. I would suggest that it's likely that the people who draft the brief will read this article; and that insightful comments could be of assistance. I think there are a couple of key areas which people may be able to answer:
1. Why and how is a computer program expressive speech? What does it express? 2600's lawyers are entirely familiar with Touretzky's Gallery, so forget about those. Assume you have some C or perl staring at you, any random block of code in any random print-out. What does it express? Why should that code be protected expression?
2. What examples of fair uses absolutely require access to the work in its most modern, digital, uncorrupted, un-macrovisioned form? The only one that jumped out at me is making a backup copy in case the original is destroyed. But perhaps there are others.
Reader Trinition also points to this brief ZDNews article on the hearing; the case was well-attended by the press and by people like the members of LXNY, New York's Free-software organization, so there are quite a few personal and press accounts around the Net.
-
FastEther NICs for UNIX?
Patrick Darden asks: "Alacritech has a series of high performance FastEther NICs that offload the IP stack onto ASICs. They call it Session Layer Interface Card technology (SLIC) and claim that it increases TCP performance tremendously. PC Magazine has reviewed this card twice (the latest here) and shows 16-400% speed boosts over other NICs. They have a single port, dual port, and quad port. These are for NT only right now, but Linux drivers are in the pipe. Intel has a NIC geared towards servers that they claim decreases CPU usage tremendously. But only for NT. 3Com has a similar NIC, also only for NT (afaik). What is the best FastEther NIC for Linux? Are there any performance roundups? Any studies based on real criteria? Any real performance figures? What about FastEther drivers for the other Unices out there?" There was a similar Ask Slashdot about this about two months ago. Is this a substantially different technology, or just more of the same under a different name? "I'm also curious about Gigether and ATM? Until now, I have always chosen NICs for Linux by compatibility and driver maturity. At this point, it seems reasonable to grab the better NICs and have a shootout, if someone else hasn't already. If anyone is interested in helping, or knows of a similar study, please send me an email."
-
PDAs, PDAs
isaac writes: "The cat is out of the bag! Palmstation has photos of the new PalmOS pda from Handera (formerly TRG of TRGPro fame). Features include a 320x240 screen with "soft" Graffiti area, CompactFlash *and* SD slots, and Voice Recording. No word yet on built-in RAM or other capabilities - an official launch at Handera's website is rumored for Monday. The alleged name of this device is the "HandEra 330". Wish they'd do something about the name." There's also a combination PDA/phone that looks interesting. -
Pentium IV As A Budget Processor
nutbar writes: "Intel, seeing a slow uptake of its latest processor, the Pentium 4, is going to slash prices by as much as 50% this month. Full story at ZDNet." The article mentions the goal of P4 systems, including monitors, for under a thousand dollars by the end of the year. Will these price cuts invert the price / performance ratio which has led people to scoff at the P4 in favor of AMD chips? Maybe it's best to wait for odd-numbered chip generations ... Pentium Pentium? -
Sprint Testing 2.4Mbs Wireless Cellphone
stuccoguy writes: "In a press release on Tuesday Sprint and Lucent announced the successful testing of a 2.4Mbs wireless internet connection and plans to ship the technology by 2002. ZDNet speculates that this technology will change everything. Sprint will answer questions about the technology on a webcast this Friday." -
FireWire For Windows XP, But No USB 2.0
Lizard_King writes: "In this ZDNet story, Microsoft has announced that they will support Apple's Firewire technology in Windows XP and not USB 2.0. Looks like USB 2.0 hardware manufacturers will have to supply their own drivers for the initial release of XP." I sure hope this isn't a death knell for USB 2.0, but the argument that there just aren't that many USB devices seems valid, if circular. (And Firewire is good stuff.) -
The Making of Black & White
Chris writes: "GameSpot has posted a feature story that details the entire development process for Peter Molyneux's new PC game Black & White. There are a lot of quotes from Molyneux as he takes you through the whole three years they spent making the game. A lot of interesting stuff about the philosophical underpinnings of how the game judges you good or evil." -
Curl Instead of Java or JavaScript?
janpod66 writes: "Tim Berners-Lee is putting his weight behind a new programming language designed by David Kranz intended to replace existing client-side programming languages like Java and JavaScript, as well as HTML. You can find more information at InteractiveWeek. Dertouzos, head of MIT's Lab for Computer Science, is also involved. You can also find more information at the startup company's web site. They have programming manuals on their web site. It looks vaguely like a mix of Tcl, Lisp and C (lots of low-level type declarations possible). They also provide a brief rationale. Now, I'm the first to admit that HTML, XML, DOM, JavaScript, Java, and style sheets have become rather complex. Actually, Curl looks pretty nice and clean. But does it stand a chance? And is going with something new, untried like this better than going with mature, widely understood technology?" -
CPRM Voted Down
CBNobi writes: "The National Committee on Information Technology Standards (NCITS) has rejected 4C Entity's proposal of the CPRM, a copy-protection that can be placed on future hard drives. While this may be a win for us, many other organizations are attempting the same thing. Full article at ZDNet." This is only a very temporary victory - there is nothing to prevent this addition to the ATA standard from being proposed again, or to prevent Intel, IBM, Toshiba and Matsushita from figuring out another way to implement it. Another submitter notes: "According to The Register, Apple, Adaptec, ST Micro, Western Digital, Maxtor, LSI Logic and Hale Landis voted against "Generic Functionality" in ATA devices for content control. Voting in favor of content control were IBM, Toshiba (4C members), Hitachi, Iomega, Microsoft, Phoenix, Absolute Software, and Circuit Assembly." -
Continuing Security Concerns at DoubleClick
In 1999, DoubleClick bought the Abacus database, which got them a ton of data about our personal buying habits. They've promised not to correlate it with their banner-ad database, but that's not the concern this week. This week, the concern is their network security. Last week Thursday, the French site Kitetoa discovered three separate security issues on DoubleClick's network; the company deleted the evidence of one immediately, but left the servers up until Monday, when they mostly closed the other two. There are numerous other issues but the question on everyone's mind should be, how long and how far has DoubleClick been penetrated? And how long can we expect it to continue?
As I write, I'm aware of two security holes in their network, which is an improvement over last night, when the number was three. Unfortunately, this does not mean they are now 33% more secure. I don't have the background to be sure exactly how significant the remaining problems are, but I'll share what I know.
Unfortunately, DoubleClick's Chief Privacy Officer was not available by press time to respond to questions. We have offered the company a chance to respond, and we hope they'll take that opportunity to clear up some questions. Meanwhile, here's their official statement on the matter as of today:
"Over the last week there have been unsuccessful attempts made to hack into DoubleClick's servers. Those situations were immediately corrected," said Jules Polonetsky, Chief Privacy Officer, DoubleClick. "DoubleClick is now undergoing a comprehensive security audit, including the expertise of external security professionals and engineers, to fully ensure the continued integrity of our servers."
Now here's the history of DoubleClick security since last week, as far as I can tell.
Kitetoa ("KITE-a-toe-a") is a group of white-hat hackers who publish together under that pseudonym. They broke the news on their website simultaneously with transfert.net, and spoke with someone at DoubleClick to make sure the company knew to patch the holes. (I left several messages to this same contact, but he did not return my calls.) They continue to update their site with more DoubleClick security news.
The first IIS vulnerability is the commonly-known unicode bug, which lets you read and write files with the same permissions as the webserver, typically "IUSR."
Using this vulnerability, Kitetoa discovered the second security issue, which is that someone else had compromised the DoubleClick corporate webserver at some time in the past. The file eeyehack.exe was left on www.doubleclick.net. This is a backdoor written by the white-hat hackers at eEye, which opens port 6969 for attackers to telnet in. DoubleClick assures us that eeyehack.exe could never have been executed, because that directory had script access disabled.
But I spoke with Marc Maiffret, Chief Hacking Officer of eEye (the people who brought you this port of nmap to Windows NT, by the way). He points out that the same backdoor could have been copied elsewhere, too, possibly into directories that allowed execution. I've asked DoubleClick whether they checked this; no answer at press time.
It's a separate question whether a cracker could have gotten SYSTEM level access through some other hole. With just IUSR level access, probably not much could have been done. There's no evidence that higher-level access was obtained ... but absence of evidence is not evidence of absence.
What concerns many people is that the eeyehack.exe file that was visible had a modification date of 1999. We know this date is not accurate, because the exploit that writes that file did not exist until last November. But that odd date does raise questions about how long DoubleClick's network has had these vulnerabilities.
The nightmare hypothetical is that a cracker has had access to DoubleClick's networks for the last couple of months or years, and has been reading the data they have been collecting about banner ad clicks. Or, worse, has had access to the Abacus database. Let me emphasize that I know of zero evidence that this has actually happened. But the potential for enormous privacy violations, with this company more than almost any other, is very serious.
DoubleClick assures me there is a good reason for the 1999 date on the backdoor program, but my question about it goes unanswered at press time.
The third hole is almost exactly one year old, and it allows ASP source code to be read. This alarms people because the server named AbacusOnline.DoubleClick.net was shown to be vulnerable. I verified this myself and learned the SQL passwords that go with two usernames, "gcolon" and "aowebuser."
Asked to estimate whether a determined cracker could have made use of those SQL passwords, Kitetoa guessed it was "85% certain" - for whatever that's worth.
Not that SQL credentials should have been stored in the ASP code anyway. Marc Maiffret comments, "One of the better ways to secure SQL login information, within an ASP file, would be to store all of the login information and functionality within a COM object. This is not a silver bullet solution but it does provide you with much better security than storing things in plain text in a .asp file."
Was that database accessible from outside DoubleClick's network? Not that I could tell, but I didn't try very hard. What data was in that database? Considering the wealth of data that Abacus has collected on our purchasing habits, we might justifiably be concerned about a machine named "AbacusDirect."
Again, DoubleClick denies that this is a problem, saying it was a programmer's machine which "was not connected to consumer or production data in any way." We have to trust them on that.
That's what was known as of Monday, and you may have seen that in the MSNBC story, InternetNews story, or the ZDNet story.
But the problems continue. Kitetoa has continued scanning DoubleClick's networks, and continues to turn up vulnerable servers. A half-dozen servers of unknown significance are still Unicode-able. And - let me check - yes, I can still read ASP source code on travel.doubleclick.net.
As well as www.doubleclick.net. The company said Monday that the holes had been fixed on that, their main corporate website. But as of five minutes ago, I was still able to read ASP source code on that server using the year-old exploit. (I did not see any more SQL passwords, for whatever that's worth.)
DoubleClick's Chief Privacy Officer Jules Polonetsky claimed on Monday that "Even a partial breach of a noncritical server is unusual," a claim which looks more dubious every day.
Maybe none of these servers has any valuable data on them. But to a serious cracker, breaking into them could easily have provided the necessary opportunity to reach further into DoubleClick's systems. Being inside the firewall, setting up trojans, sniffing network traffic from other machines - these are all reasons why unauthorized access of any machine must be taken very seriously.
And there's more. A security writer from transfert.net - a sort of French "Wired" - was able to snoop around one of DoubleClick's internal mail systems, webmail.doubleclick.net. It's fixed today, but he sent me a partial list of employees whose mail files were in a directory. (He could not read the mail itself, and DoubleClick denies that mail could have been, at any point, read.)
Here's the big picture. Where long-term security is concerned, process is always more important than the individual problems. We can learn more about DoubleClick's security by observing their response to security reports.
I would have hoped to see servers taken down. As Kitetoa remarked to me, "I think they should have closed all the servers for an hour or two while they fixed the problem." Or, if necessary, longer. Tough decision, but better than possibly exposing data.
I would have hoped that DoubleClick would not announce to the media that everything was fine until they actually knew that this was true. At this point, we have to trust them when they say that attackers could not have seriously compromised their data.
And I would have hoped that they would start tackling problems sooner than they did. Vulnerabilities about which they were informed last Thursday were not fixed until Monday. (The vulnerabilities themselves, of course, are not new, and some of them are a year old.)
And more vulnerabilities continue to crop up. Paranos (based in Paris) found one just by using search engines. The funny thing they found was a database of DoubleClick employees in the U.K. who attended last year's Christmas party.
Less funny is the list of people Paranos found who apparently filled out a form in conjunction with FoodTV, the "Outfit Your Kitchen Sweepstakes."
It took about two hours after I notified their PR contact of the URL before it was removed. It was stored in what appears to be a directory of backup data which was never intended to be public: http://www2.doubleclick.net/live2/chefs/foodtv-bak/form/chefs.txt.
This isn't a vulnerability, but it is indicative of the company's security process. DoubleClick should have policies in place to prohibit posting backup data on public websites; it should enforce those policies; and when it was done anyway, it should have found the leak by internal audit.
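Two of the process failures described in this article (plaintext SQL credentials sitting in ASP source, and a backup directory of form submissions left under the public web root) are exactly the kind of thing the internal audit the author calls for would catch. The script below is an added example written for this page, not code from the article, DoubleClick or any of the researchers quoted; it walks a web root, flags paths whose names look like backup or archival data, and flags server-side source files that embed a connection-string password. The directory layout, file names and the credential it finds are all constructed for the example, and the naming markers it looks for are an assumption about typical conventions, not a standard.

```python
"""Audit a web root for backup data and embedded SQL credentials.

Added example, not code from the article.  The sample web root built by
build_sample_root() is constructed for demonstration; nothing in it is
real data.
"""
import os
import re
import tempfile

# Path segments that suggest backup or archival material.  Assumption:
# these are common naming conventions; tune the list to your own site.
BACKUP_MARKERS = re.compile(
    r"(^|[-_.])(bak|backup|old|orig|archive)([-_.]|$)", re.IGNORECASE
)

# Connection-string keys that carry a secret.  Only the key name is
# reported; the value is never copied into the findings.
SECRET_KEYS = re.compile(r"""\b(pwd|password)\s*=\s*[^;"']+""", re.IGNORECASE)

# Server-side source extensions to inspect for embedded credentials.
SOURCE_EXTS = {".asp", ".asa", ".inc"}


def find_backup_paths(web_root):
    """Return relative paths under web_root where any directory or file
    name component looks like backup data."""
    hits = []
    for dirpath, _dirnames, filenames in os.walk(web_root):
        rel_dir = os.path.relpath(dirpath, web_root)
        for name in filenames:
            rel = os.path.normpath(os.path.join(rel_dir, name)).replace(os.sep, "/")
            if any(BACKUP_MARKERS.search(part) for part in rel.split("/")):
                hits.append(rel)
    return sorted(hits)


def find_embedded_credentials(web_root):
    """Return (relative path, line number, key) for every plaintext
    secret found in server-side source under web_root."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(web_root):
        for name in filenames:
            if os.path.splitext(name)[1].lower() not in SOURCE_EXTS:
                continue
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, web_root).replace(os.sep, "/")
            with open(path, encoding="utf-8", errors="replace") as fh:
                for lineno, line in enumerate(fh, 1):
                    for match in SECRET_KEYS.finditer(line):
                        findings.append((rel, lineno, match.group(1).lower()))
    return sorted(findings)


def audit(web_root):
    """Run both checks and return the findings keyed by check name."""
    return {
        "backup_paths": find_backup_paths(web_root),
        "credentials": find_embedded_credentials(web_root),
    }


def build_sample_root():
    """Construct a throwaway web root that exhibits both problems.
    Every name, path and value here is made up for the example."""
    root = tempfile.mkdtemp(prefix="webroot-")
    bak_dir = os.path.join(root, "live2", "chefs", "foodtv-bak", "form")
    admin_dir = os.path.join(root, "live2", "chefs", "admin")
    os.makedirs(bak_dir)
    os.makedirs(admin_dir)
    # A form dump that should never have been published.
    with open(os.path.join(bak_dir, "entries.txt"), "w") as fh:
        fh.write("Jane Example,555-0100,jane@example.invalid\n")
    # An ASP page with a connection string carrying a plaintext password.
    with open(os.path.join(admin_dir, "db.asp"), "w") as fh:
        fh.write('<%\nconn = "Provider=SQLOLEDB;Data Source=dbhost;'
                 'User ID=webuser;PWD=NotARealPassword;"\n%>\n')
    # A clean page, to show the scanner does not flag everything.
    with open(os.path.join(root, "live2", "chefs", "index.asp"), "w") as fh:
        fh.write('<% Response.Write("hello") %>\n')
    return root


if __name__ == "__main__":
    for check, results in audit(build_sample_root()).items():
        print(check, results)
```

Run against a real document root, the two lists are the work queue: each backup path is either removed or moved outside the web root, and each credential finding is moved out of the source into whatever the platform offers for secrets (the COM-object approach Maiffret describes above, or equivalent). The scanner deliberately reports only the key name and line, so its own output does not become another copy of the password.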
This promotion ran in 1999. Remember, kids, data you give to corporations never goes away, and may pop back up at any time!
I picked one of the phone numbers for my state and gave it a call. Kathy Bankes, the wife of one of the people on the list, answered the phone. She said she was "very leery with the computer," and then proceeded to give me a common-sense understanding of the state of security on the internet.
"They say things are supposed to be secure," she said, "but I don't care how secure anything is - if somebody knows how to get in, they're going to get in if they have the technology."
"Should we worry about it or not?" she asks. I would say yes, especially when the company that owns an enormous customer purchasing database has problem after problem with its security. Maybe I'm naive to think that privacy promises mean anything in the real world, or that crackers can be fended off by a big corporation.
When I'd expressed my surprise at all this to Kitetoa, he'd just chuckled and said, "You'd be surprised what you can find on the internet. It's all like this."
Kathy, too, was pretty sure that there were people who have all this private information anyway. She very sensibly pointed out that credit card and other personal data can be stolen in the real world just as easily as the internet.
And she answered her own question for me: "There's really nothing you can do. I don't feel secure anyways."
-
Continuing Security Concerns at DoubleClick
In 1999, DoubleClick bought the Abacus database, which got them a ton of data about our personal buying habits. They've promised not to correlate it with their banner-ad database, but that's not the concern this week. This week, the concern is their network security. Last Thursday, the French site Kitetoa discovered three separate security issues on DoubleClick's network; the company deleted the evidence of one immediately, but left the servers up until Monday, when they mostly closed the other two. There are numerous other issues, but the question on everyone's mind should be: how long and how far has DoubleClick been penetrated? And how long can we expect it to continue?
As I write, I'm aware of two security holes in their network, which is an improvement over last night, when the number was three. Unfortunately, this does not mean they are now 33% more secure. I don't have the background to be sure exactly how significant the remaining problems are, but I'll share what I know.
Unfortunately, DoubleClick's Chief Privacy Officer was not available by press time to respond to questions. We have offered the company a chance to respond, and we hope they'll take that opportunity to clear up some questions. Meanwhile, here's their official statement on the matter as of today:
"Over the last week there have been unsuccessful attempts made to hack into DoubleClick's servers. Those situations were immediately corrected," said Jules Polonetsky, Chief Privacy Officer, DoubleClick. "DoubleClick is now undergoing a comprehensive security audit, including the expertise of external security professionals and engineers, to fully ensure the continued integrity of our servers."
Now here's the history of DoubleClick security since last week, as far as I can tell.
Kitetoa ("KITE-a-toe-a") is a group of white-hat hackers who publish together under that pseudonym. They broke the news on their website simultaneously with transfert.net, and spoke with someone at DoubleClick to make sure the company knew to patch the holes. (I left several messages to this same contact, but he did not return my calls.) They continue to update their site with more DoubleClick security news.
The first IIS vulnerability is the well-known Unicode bug (Microsoft's MS00-078 folder-traversal flaw): IIS checked a URL for ".." traversal before it decoded UTF-8, and its decoder accepted overlong encodings such as %c0%af for "/", so a request could walk out of the web root and read, write or execute files with the same permissions as the webserver, typically the anonymous "IUSR" account.
Using this vulnerability, Kitetoa discovered the second security issue, which is that someone else had compromised the DoubleClick corporate webserver at some time in the past. The file eeyehack.exe was left on www.doubleclick.net. This is a backdoor written by the white-hat hackers at eEye, which opens port 6969 for attackers to telnet in.
DoubleClick assures us that eeyehack.exe could never have been executed, because that directory had script access disabled. But I spoke with Marc Maiffret, Chief Hacking Officer of eEye (the people who brought you this port of nmap to Windows NT, by the way). He points out that the same backdoor could have been copied elsewhere, too, possibly into directories that allowed execution. I've asked DoubleClick whether they checked this; no answer at press time.
It's a separate question whether a cracker could have gotten SYSTEM level access through some other hole. With just IUSR level access, probably not much could have been done. There's no evidence that higher-level access was obtained ... but absence of evidence is not evidence of absence.
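The Unicode bug is an ordering problem: the server checked the path for traversal first and decoded the overlong UTF-8 afterwards. The same ordering trips up anyone auditing logs after the fact, because a strict UTF-8 decoder (Python's default, for instance) turns %c0%af into replacement characters rather than the "/" that IIS saw. The following is an added example, not code from the article, from Kitetoa or from DoubleClick; the log lines are constructed in a simplified W3C extended format, the request shapes are the widely published ones, and the client addresses come from the 192.0.2.0/24 documentation range.

```python
"""Added example (not from the article or DoubleClick): find IIS "Unicode
bug" traversal requests in a web log by decoding the way IIS did."""
from urllib.parse import unquote, unquote_to_bytes


def lenient_decode(raw_uri: str) -> str:
    """Percent-decode, then decode two-byte UTF-8 sequences the lenient way
    IIS 4/5 did: low 5 bits of the lead byte, low 6 bits of the next byte,
    with no check for overlong forms. So %c0%af -> '/', %c1%9c -> '\\'.
    Longer sequences and stray bytes are passed through byte-for-byte; only
    the path separators matter for traversal detection."""
    data = unquote_to_bytes(raw_uri)
    out = []
    i = 0
    while i < len(data):
        lead = data[i]
        if 0xC0 <= lead <= 0xDF and i + 1 < len(data):
            out.append(chr(((lead & 0x1F) << 6) | (data[i + 1] & 0x3F)))
            i += 2
        else:
            out.append(chr(lead))
            i += 1
    return "".join(out)


def strict_decode(raw_uri: str) -> str:
    """What a naive analyzer does. urllib replaces invalid UTF-8 with U+FFFD,
    so the overlong '/' never appears and the traversal goes unnoticed."""
    return unquote(raw_uri)


def escapes_web_root(path: str) -> bool:
    """True if resolving '.' and '..' (over '/' or '\\') climbs above the root."""
    depth = 0
    for segment in path.replace("\\", "/").split("/"):
        if segment in ("", "."):
            continue
        if segment == "..":
            depth -= 1
            if depth < 0:
                return True
        else:
            depth += 1
    return False


def scan_log(lines):
    """Parse W3C-extended style lines (date time c-ip cs-method cs-uri-stem
    cs-uri-query sc-status) and return (client ip, raw stem, decoded stem)
    for each request that escapes the web root once decoded as IIS would."""
    hits = []
    for line in lines:
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 5:
            continue
        client_ip, stem = fields[2], fields[4]
        decoded = lenient_decode(stem)
        if escapes_web_root(decoded):
            hits.append((client_ip, stem, decoded))
    return hits


# Constructed sample log, not a real DoubleClick log. The addresses are from
# the 192.0.2.0/24 documentation range; the request shapes are the classic ones.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2001-02-26 14:02:11 192.0.2.10 GET /index.asp - 200
2001-02-26 14:02:15 192.0.2.10 GET /scripts/..%c0%af../winnt/system32/cmd.exe /c+dir 200
2001-02-26 14:02:19 192.0.2.10 GET /msadc/..%c1%9c../winnt/system32/cmd.exe /c+dir 200
2001-02-26 14:03:02 192.0.2.44 GET /images/../index.asp - 200
2001-02-26 14:03:40 192.0.2.77 GET /scripts/tools/getdrvrs.exe - 404
"""

if __name__ == "__main__":
    for ip, raw, decoded in scan_log(SAMPLE_LOG.splitlines()):
        print(f"{ip} {raw!r} -> {decoded!r}")
```

Note that the legitimate `/images/../index.asp` request is not flagged: the check counts depth rather than merely grepping for "..", so only paths that actually climb above the root are reported.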
What concerns many people is that the eeyehack.exe file that was visible had a modification date of 1999. We know this date is not accurate, because the exploit that writes that file did not exist until last November. But that odd date does raise questions about how long DoubleClick's network has had these vulnerabilities.
The nightmare hypothetical is that a cracker has had access to DoubleClick's networks for the last couple of months or years, and has been reading the data they have been collecting about banner ad clicks. Or, worse, has had access to the Abacus database. Let me emphasize that I know of zero evidence that this has actually happened. But the potential for enormous privacy violations, with this company more than almost any other, is very serious.
DoubleClick assures me there is a good reason for the 1999 date on the backdoor program, but my question about it goes unanswered at press time.
The third hole is almost exactly one year old, and it allows ASP source code to be read. This alarms people because the server named AbacusOnline.DoubleClick.net was shown to be vulnerable. I verified this myself and learned the SQL passwords that go with two usernames, "gcolon" and "aowebuser."
Asked to estimate whether a determined cracker could have made use of those SQL passwords, Kitetoa guessed it was "85% certain" - for whatever that's worth.
Not that SQL credentials should have been stored in the ASP code anyway. Marc Maiffret comments, "One of the better ways to secure SQL login information, within an ASP file, would be to store all of the login information and functionality within a COM object. This is not a silver bullet solution but it does provide you with much better security than storing things in plain text in a .asp file."
Was that database accessible from outside DoubleClick's network? Not that I could tell, but I didn't try very hard. What data was in that database? Considering the wealth of data that Abacus has collected on our purchasing habits, we might justifiably be concerned about a machine named "AbacusDirect."
Again, DoubleClick denies that this is a problem, saying it was a programmer's machine which "was not connected to consumer or production data in any way." We have to trust them on that.
That's what was known as of Monday, and you may have seen that in the MSNBC story, InternetNews story, or the ZDNet story.
But the problems continue. Kitetoa has continued scanning DoubleClick's networks, and continues to turn up vulnerable servers. A half-dozen servers of unknown significance are still Unicode-able. And - let me check - yes, I can still read ASP source code on travel.doubleclick.net.
As well as www.doubleclick.net. The company said Monday that the holes had been fixed on that, their main corporate website. But as of five minutes ago, I was still able to read ASP source code on that server using the year-old exploit. (I did not see any more SQL passwords, for whatever that's worth.)
DoubleClick's Chief Privacy Officer Jules Polonetsky claimed on Monday that "Even a partial breach of a noncritical server is unusual," a claim which looks more dubious every day.
Maybe none of these servers has any valuable data on them. But to a serious cracker, breaking into them could easily have provided the necessary opportunity to reach further into DoubleClick's systems. Being inside the firewall, setting up trojans, sniffing network traffic from other machines - these are all reasons why unauthorized access of any machine must be taken very seriously.
And there's more. A security writer from transfert.net - a sort of French "Wired" - was able to snoop around one of DoubleClick's internal mail systems, webmail.doubleclick.net. It's fixed today, but he sent me a partial list of employees whose mail files were in a directory. (He could not read the mail itself, and DoubleClick denies that mail could have been, at any point, read.)
Here's the big picture. Where long-term security is concerned, process is always more important than the individual problems. We can learn more about DoubleClick's security by observing their response to security reports.
I would have hoped to see servers taken down. As Kitetoa remarked to me, "I think they should have closed all the servers for an hour or two while they fixed the problem." Or, if necessary, longer. Tough decision, but better than possibly exposing data.
I would have hoped that DoubleClick would not announce to the media that everything was fine until they actually knew that this was true. At this point, we have to trust them when they say that attackers could not have seriously compromised their data.
And I would have hoped that they would start tackling problems sooner than they did. Vulnerabilities about which they were informed last Thursday were not fixed until Monday. (The vulnerabilities themselves, of course, are not new, and some of them are a year old.)
And more vulnerabilities continue to crop up. Paranos (based in Paris) found one just by using search engines. The funny thing they found was a database of DoubleClick employees in the U.K. who attended last year's Christmas party.
Less funny is the list of people Paranos found who apparently filled out a form in conjunction with FoodTV, the "Outfit Your Kitchen Sweepstakes."
It took about two hours after I notified their PR contact of the URL before it was removed. It was stored in what appears to be a directory of backup data which was never intended to be public: http://www2.doubleclick.net/live2/chefs/ foodtv-bak/form/chefs.txt.
This isn't a vulnerability in itself, but it is indicative of the company's security process. DoubleClick should have policies in place that prohibit posting backup data on public websites; it should enforce those policies; and when it was done anyway, it should have found the leak through an internal audit.
This promotion ran in 1999. Remember, kids, data you give to corporations never goes away, and may pop back up at any time!
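As an added example (not DoubleClick's code, nor the article's), here is the kind of internal audit the backup-data paragraphs above call for: a walk over the web root that flags backup directories and loose data files, and, picking up Maiffret's point earlier about credentials in .asp files, page source that carries a connection string with a literal user ID and password. The file tree is constructed for the example; its layout echoes the published URL, but every file body, user name and password in it is invented, and the name patterns it looks for are a heuristic to tune for your own site.

```python
"""Added example (not DoubleClick's code or the article's): audit a web root
for backup artifacts, loose data files and plaintext database credentials."""
import os
import re

# Path components that mark copies never meant to be served.
BACKUP_RE = re.compile(r"(^|[-_.])(bak|backup|old|orig|copy)([-_.]|$)|~$", re.I)
# Extensions that usually mean raw data rather than a page or script.
DATA_EXTENSIONS = {".txt", ".csv", ".log", ".mdb", ".dat"}
# Files that are data by design and fine to serve.
ALLOWED_DATA_FILES = {"/robots.txt"}
# Connection-string keys that should never appear with a literal value in
# page source; the value is matched but deliberately never reported.
CRED_RE = re.compile(r"\b(pwd|password|uid|user\s*id)\s*=\s*[^;\"'\s]+", re.I)


def looks_like_backup(path: str) -> bool:
    """True if any directory or file name carries a backup marker."""
    return any(BACKUP_RE.search(part) for part in path.strip("/").split("/"))


def is_served_data_file(path: str) -> bool:
    """True for data files sitting in the web root (form dumps, exports)."""
    if path in ALLOWED_DATA_FILES:
        return False
    return os.path.splitext(path)[1].lower() in DATA_EXTENSIONS


def find_embedded_credentials(source: str):
    """Return (line number, [keys]) for each line holding a literal credential.
    Keys are normalised ('User ID' -> 'user id'); values are not returned so
    the audit report does not become a second leak."""
    hits = []
    for line_no, line in enumerate(source.splitlines(), start=1):
        keys = [" ".join(m.group(1).lower().split()) for m in CRED_RE.finditer(line)]
        if keys:
            hits.append((line_no, keys))
    return hits


def audit(web_root):
    """web_root maps a URL path to the file's text. Returns a sorted list of
    (category, path, line) findings; line is None for path-based findings."""
    findings = []
    for path in sorted(web_root):
        if looks_like_backup(path):
            findings.append(("backup-artifact", path, None))
        if is_served_data_file(path):
            findings.append(("served-data-file", path, None))
        for line_no, _keys in find_embedded_credentials(web_root[path]):
            findings.append(("plaintext-credentials", path, line_no))
    return findings


# Constructed tree. The layout echoes the published URL; every file body,
# user name and password here is invented for the example.
SAMPLE_WEB_ROOT = {
    "/default.asp": '<% Response.Write "hello" %>',
    "/robots.txt": "User-agent: *\nDisallow: /live2/\n",
    "/live2/chefs/form/chefs.asp": (
        "<%\n"
        'Set cn = Server.CreateObject("ADODB.Connection")\n'
        'cn.Open "Provider=SQLOLEDB;Data Source=db1;User ID=webuser;Password=example-only"\n'
        "%>\n"
    ),
    "/live2/chefs/foodtv-bak/form/chefs.txt": "name,address,phone\nJ. Doe,1 Main St,555-0100\n",
    "/include/db.inc": 'Const CONN = "DSN=sitedb;UID=sa;PWD=changeme"\n',
    "/images/logo.gif.old": "",
}

if __name__ == "__main__":
    for category, path, line in audit(SAMPLE_WEB_ROOT):
        where = f"{path}:{line}" if line else path
        print(f"{category:22} {where}")
```

Run against a real site, the `web_root` mapping would come from a crawl of the deployed tree or a listing of the document root; the point of keeping the credential values out of the report is that the audit output itself tends to end up in tickets and mail.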
I picked one of the phone numbers for my state and gave it a call. Kathy Bankes, the wife of one of the people on the list, answered the phone. She said she was "very leery with the computer," and then proceeded to give me a common-sense understanding of the state of security on the internet.
"They say things are supposed to be secure," she said, "but I don't care how secure anything is - if somebody knows how to get in, they're going to get in if they have the technology."
"Should we worry about it or not?" she asks. I would say yes, especially when the company that owns an enormous customer purchasing database has problem after problem with its security. Maybe I'm naive to think that privacy promises mean anything in the real world, or that crackers can be fended off by a big corporation.
When I'd expressed my surprise at all this to Kitetoa, he'd just chuckled and said, "You'd be surprised what you can find on the internet. It's all like this."
Kathy, too, was pretty sure that there were people who have all this private information anyway. She very sensibly pointed out that credit card and other personal data can be stolen in the real world just as easily as the internet.
And she answered her own question for me: "There's really nothing you can do. I don't feel secure anyways."
-
Windows Marketing Executive Doug Miller
Doug Miller is Director of Competitive Strategy in Microsoft's Windows Server Marketing Group. Doug is responsible for a team within Microsoft focused on competitive strategy and enterprise interoperability products. He's been spotted at Linux shows. He uses vi. He was a Unix guy for many years. His previous company, Softway Systems, was acquired by Microsoft in 1999. What are you going to ask him today? Up to you, but one question per post, please. We'll send Doug 10 of the highest-moderated questions and post his answers next week. -
OS/390 Replaced By z/OS
n7lyg writes: "ZDnet reports that IBM is replacing the venerable OS/390 with something called z/OS. What I want to know is if using z/OS is still like 'kicking a dead whale down the beach,' as Ken Thompson once said of one of its predecessors (DOS? OS/360? I forget the exact OS he was complaining about)." Well, z/OS does add 64-bit support and other goodies. -
AMD focuses efforts on Palomino core
eviljolly writes: "ZDnet's Gamespot reports about the new AMD Palomino core which will be released at 1.5 GHz. They also mention something about AMD's first 64-bit processor called the ClawHammer which will come out in early 2002 at 2 GHz" -
Game Boy Advance Arrives
Gary writes: "Nintendo begins shipping its next-generation handheld game in Japan this week. Nintendo estimates that it holds a 90 percent share of the portable game market, though some analysts believe that percentage to be even higher. It is the first to have a horizontal alignment, and it is 17 times faster than the Game Boy Color, which was released in 1998." This is the first portable gaming system I'm really tempted by -- horizontal alignment is The Way Things Should Be on such things;) Update: 03/21 03:53 AM by T : And Prabhjeet "The One" Singh writes: "According to Gamespot, Activision will be releasing a version of DOOM for Nintendo's upcoming Game Boy Advance. No game has given me more sleepless nights. Now it's time for sleepless plane rides, mall trips, etc. I can't wait." -
U.S. Congress And Email
Carnage4Life writes "While browsing ZDNet I found this article that describes how U.S. members of congress receive so much email (about 55,000 a month) that they now routinely ignore email messages especially since a lot of them do not even come from their constituents. " Here's a similar story where emails to our congressional representatives are referred to as spam. Although I'm sure mass-mailing reps is common, I wouldn't be at all surprised if 50,000 people emailed during the Napster hearings. But we've said it before, Reps don't understand bits and bytes. If you don't send them dead trees, they don't think you vote. -
Black & White Goes Gold
jaredcat writes "According to bwcenter.com and an article on ZDNet's GameSpot, Peter Molyneux's eagerly awaited Black & White has finally gone gold and will be shipping in North America on 3/27/01. I know what I'll be doing for spring break..." I just read that ZDNet article linked above - the ASPCA will be protesting this game, mark my words. -
TCP Weakness No False Alarm?
An Anonymous Coward, indicating this ZDnet story, writes: "Apparently e-week had to eat its words. The Newsh (Tim Newsham) is well respected in the security community, and his work has been confirmed by many sources as being a major problem in the implementation of TCP on many operating systems." -
The Question Of Too Many Linux Distributions
evenprime writes "In this zdnet column, Evan Leibovitch responds to linux critics who say that Caldera and Red Hat will be the only distributions to survive. Evan points out that the diversity of available distributions, and the ability to roll your own, is a great strength." The argument Evan makes is one that, IMHO, is correct - and people need to remember that the diversity of the distributions isn't necessarily a bad thing. Sure, maybe the commercial variants will move down to a couple, but I think for the overall community, diversity is a strength. -
"Online Privacy Alliance" Claims Privacy Too Expensive
Non-Newtonian Fluid writes: "An industry group headed by the usual suspects (Microsoft, AOL, Sun, AT&T, etc), just released four industry-funded studies that claim privacy is just too darn expensive, so why bother? They seem to want to kill any privacy legislation before it can get off the ground. Interestingly enough (though not surprising), they also seem to be working with the Direct Marketing Association on this." Scott McNealy, working hard to make sure we get over it. I should probably also mention that since the new health privacy regulations have been delayed (possibly indefinitely), the USA is firmly committed to remaining the industrial nation with the least privacy protection. -
Security Hole In TCP
Ant wrote to us with the report from eWeek concerning Guardent's find of a "potentially huge problem" in TCP. It's very similar to the hole found in some of the Cisco IOS software, concerning the ISN and the assignment of the number. -
Windows 2000 Source Code Gets (A Few) More Eyes
hansley writes: "Microsoft has extended its source code licensing program. Is it for distributed debugging purposes? hmm ..." As the article points out, this limited and NDA-ridden disclosure is an expansion, rather than a wholly new idea. And remember, it has "nothing to do" with Linux or other Open Source software. -
Linux TV
Stealth Dave writes "ZDNet has an article about a new television from Sylvania which is basically a Linux box with a 27" monitor and TV tuner (800x600 resolution, even)! It runs a Geode single-chip solution and is broadband capable. Lots of cool features, and is designed to support a hard drive as well. The ZDNet article has a surprising amount of details without being too technical to lose their broader audience." This "news story" reads a lot more like an advertisement, but take it for what it's worth. -
Anonymous Speech Litigation
Shadowhawk writes "According to this story on ZDNN, AOL filed a friend-of-the-court brief arguing that defamation lawsuits against anonymous posters to the Internet are 'an illegitimate use of the courts to silence and retaliate against speakers whose statements, while unpleasant from the standpoint of the [plaintiff], were not unlawful.'" AOL's web page about the case has the brief they filed. AOL is making an important argument about abuses of the legal system to identify ISP subscribers. -
Sharp Officially Producing Linux PDA
Jar writes "CNET is reporting that Sharp will be out with a Linux based PDA by October. They seem to be bracketing the PDAs into similar categories as those available from Palm/Visor - a no-multimedia PDA, one with multimedia capabilities and one with wireless connectivity. The wireless connectivity version is said to have phone features too." On the downside, Maxtor has ditched BSD for W2k in its network hard drive box. -
Napster to Filter by Filenames
mE123 writes: "Zdnet is reporting that Napster said that they would voluntarily block songs by filtering the filenames sometime this weekend. Because no one would ever spell Meta11ica wrong." Meanwhile, back at the ranch, FSF legal eagle Eben Moglen is wasting no time getting the word out about Napster alternatives. -
NFL, MLB Support Ruling Against DeCSS
Chuck Fu writes "Both the NFL and Major League Baseball submitted their brief today in support of the lower court's ruling against DeCSS, stating that DeCSS 'threatens to destroy the legitimate marketplace for works of art, music, film, software, literature and other video programming (including sports programming), and will deter the development and distribution of new works in state-of-the-art digital media.' ZDNet and CNet has the story." -
OpenNaps Targeted; Gnutella "Validated"
An Anonymous Coward writes "As early as Wednesday, the RIAA has sent letters to the ISPs and operators of OpenNap servers in the U.S. which were listed on Napigator. Here's the story from ZDNET. The RIAA's letter refers to the U.S. Supreme Court decision against Napster. Given that nearly all the OpenNap servers are run by individuals who are never intending to charge for the service, this is an interesting assertion." And HyperbolicParabaloid points out this NYT story (free reg. req.) in which a lawyer says the decision "validates Gnutella" (ok, whatever, but there's also some interesting discussion about how the Sony VCR time- and space-shifting precedent fails to apply to Napster). -
Ricochet Dead By June?
corky6921 writes "ZDNet is reporting that Metricom, the parent company of the Ricochet wireless network, may be out of cash and dead as soon as June! Forget Omnisky (the other company they mention in the article)" Ricochet has always been in that group of really cool technologies that I fully accept will never make it out to where I live. But I hope it makes it. National coverage would be cool too, tho ;) -
Promiscuity And Wireless LANs
VB writes: "I saw this article at ZDNet "cleverly" entitled Hackers poised to land at wireless AirPort. We've probably all seen this coming, but, I'd be curious to see what people think about the possibility of securing a network that sends data through the air. What about promiscuous mode devices within range of transmitters, or satellite communications?" -
Microsoft Ties DRM Technology To Windows
Andy Tai writes: "This InteractiveWeek article describes how Microsoft, without much public attention, has built multimedia content protection technology into Windows, thus encouraging the movie and music industries to adapt the Windows Media formats for their content. Microsoft's offering is not very different from other DRM (Digital Rights Management) technologies, but MS has the advantage of being able to place it in the OS, which gives it credibility in the eyes of content providers. 'What's novel is that it's built directly into (Windows Media) that is quickly gaining ground on its own, and that the two (DRM and media) technologies are inextricably linked. The technologies, in turn, are being set deeply into the Windows operating system. Other technologies being built into Windows further boost content-protection features, such as the so-called Secure Audio Path, which scrambles output from a computer sound card so that music streams can't be tapped and copied at that point.'" -
Apple Moves Again To Squash Look-Alikes
An unnamed correspondent writes: "Looks like Apple is at it again, according to this ZDNet article Apple is now going after anything that looks like OS X, regardless of having the Apple logos removed. I couldn't care less if Apple releases OS X for Intel, I will not do business with a company that behaves like this. Better be careful, they might sue slashdot for using the OS X-like Apple icon." -
NSA + VMware = Crackproof Computing?
n8willis writes: "ZDnet is reporting on a VMware and NSA collaboration called "NetTop." The idea is to run multiple virtual computers on one box, to eliminate the need for government workers to have separate PCs--and indeed separate networks--for classified and unclassified data. The challenge is making the virtual barriers as secure as the physically separate networks. NSA and VMware say they've done it. What do you think?" Will copying between virtual machines be impossible? I wonder when (or if) NSA changes will make their way into the various distributions' boxed releases. -
eWeek on Linux
alexhmit01 writes "One of the better articles that I've read covering Linux in real deployments, eWeek has an article entitled, The state of Linux: Live free or die?, gives coverage of where Linux has improved in 2.4 and what it needs. It covers Linux's success as a web server, where it comes up short against other Unices, etc. It's a good read for the non-programmers in the Open Source Movement... for it focuses upon market adoption, not just technical capacity." Nothing exciting and new here, but it's a nice little article, especially talking about what's new and wacky in the 2.4 kernel. -
Kid Clicks For Sale
evenprime writes "Zdnet is reporting that N2H2 is selling statistics from their BESS filtering software (a product designed for use in schools) to marketing companies who are interested in students' browsing habits." N2H2's stock price jumped dramatically last month when they put up a helpful website to explain how schools can comply with the new federal mandate which requires the installation of censorware. And just wait for the profit reports once Europe makes it mandatory too. Anyway, this selling-traffic-patterns story is interesting because it's the next logical step in the continuing trend to cash in on kids -- if anyone gets suspended for reading Coke.com on Pepsi Day, let us know, OK? -
X Box To Be Dreamcast-Compatible - Updated
palo0019 writes "These are tough times for Sega fans, with rampant rumors of buyouts, sellouts, and every other scenario under the sun. The latest one actually makes sense, Microsoft needs a hot developer, and Sega needs a machine to call home. Gamers.com is reporting that the Xbox will be compatible with Dreamcast games. They are also reporting that Sega is developing "a" Virtua Fighter game, that may or may not be the new Virtua Fighter X. " Interesting rumor - I tried calling both Microsoft and Sega and got a firm "No Comment" from people. Update: 01/26 12:20 PM by H :Microsoft has apparently denied the rumor once more. -
EU Funds Filters
ZDNet has a story about the European Union spending millions on promoting Internet censoring software. -
Sony Discusses Plans for the Playstation 3
1+1trouble writes: "Gamespot is running an article outlining some rough features of the PS3. There isn't much to be said yet, but you can certainly see where Sony is going with it. I wouldn't be surprised if they struck some kind of deal with Tivo. From the sound of it, one can hardly tell if it will be a gaming console at all." I still don't have a PS2, why am I caring about the PS3, huh? I need my Tekken Tag! Curse CowboyNeal! -
Sandia, Compaq, and Celera To Build Petaflop Machine
Fact-o-matic writes: " Compaq, government weapons facility Sandia National Laboratories and genetics researcher Celera Genomics are teaming up to build a petaflop computer -- one that will process 1,000 trillion operations per second. To listen to an audio playback of today's press conference announcing the project, Celera has set up a phone-in recording: call (800) 642-1687, and enter the conference ID: 818790 You can read the joint press release or the Compaq press release" -
Librarians To Sue Over Mandatory Censoring
JasonMaggini writes: "ZDNet reports the American Library Association is planning to sue over the new federal law that is putting Web filters on public school and library computers. Great article title, too: 'Filter THIS!'" -
Slashback: Blockage, Stripes, Upswings
If you seek updates this evening, you're in luck. Below, we have some additional information for you on: the state of the dot-com-economy; more information (and a link to a very neat site) about your private bar-coding adventures; more about the bad things that can result from farming out your spam prevention; and the threads being plucked ungently from the fabric of the Matrix sequels. Enjoy.Wait -- I thought we were already on the new, new, old, new, old new economy. davecb writes: "To complement Jon's essay on the Myth of the Tech Slump, have a look at last month's cover article in The Atlantic, where computer technology is quietly changing the old-economy companies of the rust belt into something rather different: the new old economy.
The author asks (and answers) 'The great question about the surge in American productivity since 1996 is, Will it last, or is it simply a brief, blessed pop that will disappear forever when the next recession comes? That is essentially another way of asking whether the New Economy and the New Old Economy are real, or are just the Old Economy on adrenaline.'
He and I suspect it's the very opposite of a slump."
Mommy, where is my new baby brother's barcode? raincrow writes: "One of the only good things that came out of the CueCat fiasco (for me, anyway, besides the free barcode scanner and accompanying shiny coaster), was the discovery of ReaderWare, which has made the management of my personal library so much better. The ReaderWare newsletter, in turn, has a lot of good tips on bar code scanners, and turned me on to Qode (http://www.qode.com/), which is a shopping system that uses a personal barcode scanner to let you set up your own shopping lists and other goodies (ReaderWare folks just like it because it can store barcodes untethered from the PC and therefore keeps you from having to lug all your books to the computer). What's interesting is that Qode.com makes a really big deal about being *anonymous*. Quoting from the site 'Note that we said anonymity, not privacy. Qode has been working to solve the problems of consumer privacy by designing a system that does not require any personal or identifying information. Qode matches promotions specifically to the products entered into the system by its anonymous users. It is impossible to connect this information to any individual. We then deliver the promotion to your private, custom web site, not your e-mail.' Any experiences out there? I'm still looking for the holes, but that's a nifty little gadget for $50.00."
Lose mail free with Not-so-Hotmail! Just when you thought the confluence of spam (note to Hormel -- the bad kind, not your tasty meat product, which is uppercased) and email had exerted all the evil it could, the opposite proves true. Read this account on ZDnet about what happens when your mail doesn't get sent on hotmail due to hyperactive, automatic spam-prevention bots. (The "your" of course referring to people with Hotmail accounts.)
Don't they make video cards or something? Johnathon Walls writes "It seems that the sequels to The Matrix are in even more trouble as Carrie Moss ends up on crutches for six weeks due to a knee injury. This is added trouble to the previous holdups reported by Slashdot. Jet Li has also pulled out (though I'm uncertain how new this bit is)."
-
New Thinkpad To Combine Pen/Paper
Fervent writes: "You want handwriting recognition, but you want to have a real machine, not a PDA? You want as compact a machine as possible, maybe as small as a screen and some notebook paper? Check out the article on IBM's new Thinkpad which will be debuting Friday at the CES. The article is at ZDNet -- keyboard and mouse are optional." -
Whistler "Anti-Piracy" Tools Tie OS To Machine
Dredd13 writes: "According to this Yahoo!News article [note: the same story is also being carried at MSNBC and ZDNet] , anti-piracy features in Whistler "won't allow the use of the customer's product key on a PC different from the one originally activated"... which means that if you have that older computer and decide to try and move your Whistler license (that you buy at a retail outlet like Best Buy or wherever) to your new whiz-bang fast model, you'll be completely boned. The code won't actually activate without authorization from a clearinghouse first. So much, also, for high security installations (where any connectivity, whatsoever, with the outside world is verboten)... without the ability to connect to the clearinghouse to "authenticate" the product key, they too will be unable to use their license. Part of me is happy because this is obviously a Bad Move by MS and will hurt them, but what if other software vendors start to think that this is a Neat Idea? {yuk!}" It's not a new idea, and lots of software is already sold this way -- but this time it seems to have caught a lot of people's attention. Windows' ubiquity, and Microsoft's history of mostly looking the other way when it comes to illegal copying of their OS, may mean that a lot of eyes get bigger, soon. -
Linus Talks About 2.4
Platinum Dragon writes: "ZDnet ran an e-mail-based interview with Linus about that new kernel thingy. Linus replied to the fluff questions in typical self-mocking Linus fashion." Check out the original story on the release as well -- many people seem to have missed it, and keep submitting it. -