User: b.foster

How to make the Xbox a success

on Microsoft Loses $177m on Xbox in Three Months

As an avid gamer and self-proclaimed "gadget freak," I can tell you that Microsoft has spent the last two years shooting itself in the foot with regard to their Xbox strategy. I have seen Xbox Live, and to be frank, the extra voice features and other refinements are nothing to write home about. I have a few suggestions as to how Microsoft can turn the trend around and avoid a massive failure like Microsoft Bob or UltimateTV:

• Keep it open, stupid. The barrier to entry is very high for Xbox development - the very opposite of the strategy that have made Linux and Windows very successful amongst amateur programmers such as the founder of this site. "Developer" Xboxes which will run all signed and unsigned software should be plentiful and cheap - not subsidized, but rather sold slightly above cost. This has the benefit of making Microsoft's economy of scale pay off for thousands of potential game developers (read: licensees) as well as hardware hackers who are looking for a cheap PC.
• Buck the content industry. Manufacturing Xboxes that defeat region encoding and macrovision with small modifications would cause sales to skyrocket. Likewise, since Sony has their own gaming arm and no other RIAA/MPAA company is involved in game production, the support of the content industry is meaningless.
• Focus on getting better games. Why does nobody develop good games for the Xbox? For starters, Microsoft has failed to push Xboxes in the game capital of the world, Japan. Microsoft needs to revamp their entire strategy with regard to this country, starting with the release of hentai games and ending with the successful ports of many PS2 games over to the Xbox platform. The Xbox will go nowhere if there is no good software to run on it.
• Keep manufacturing costs down. Microsoft needs to switch to AMD or Transmeta chips, which pack more power for the buck, run cooler, and are 100% compatible with their existing software base. Also, this will allow them to use cheaper graphics coprocessors by using a cheaper, more powerful main CPU.

These are just a start, but if Microsoft takes these suggestions, their Xbox division will be well on its way to profitability.

On the contrary, this is a Good Thing(tm)

on CA Law Demands Public Disclosure Of Break-Ins

This bill is exactly what we need, and it should be adopted by all 50 states. Why? Accountability. Let's look at the facts before we jump to conclusions:

• 99.4% of all breakins are caused by known, unpatched vulnerabilities. Businesses that cannot take simple steps to keep their systems up to date should be shunned by privacy-conscious consumers. After all, when you hire a business, you are trusting them and their network to keep your data safe and operate reliably.
• This will hurt Microsoft. Since IIS has the largest market share on web servers, they will be hit hardest when these security breaches come to light. People will realize that Linux is a more secure, easier-to-maintain alternative.
• This will create jobs. Small businesses who might have otherwise adopted IIS and foregone the overhead of an IT staff will be forced to take a more active role in keeping their systems secure. Although it may hurt some small businesses, the net overall effect is to redistribute wealth into our pockets and increase our pay overall, which is indisputably a Good Thing(tm).
• Debian will benefit. Debian's "apt" facility is extremely simple for end-users to use and understand, and helps system administrators keep large numbers of boxes up to date without causing RPM hell or any other conflicts that one may experience when using a distribution like RH that does not regression test their patches.
• Script kiddies will have to find new targets. The logical next step for script kiddies, once e-commerce sites have been secured, is government sites. This will encourage the government to adopt Linux more widely, in place of insecure and unreliable Windows NT systems. In fact, it may even create grounds for breaking their contract with Microsoft.

It's time to adapt to a new reality

on Open Fonts For The Web -- Harder Than It Sounds

Localization of the WWW and other computing/internet resources is a noble goal. However, before we as a community take the plunge and embrace Open Fonts and all of the other I18N measures, we need to step back and look at the big picture.

• America invented the internet. No, not Al Gore, but Tim Bernstein-Lee and Mark Andreeson created the World Wide Web as we know it today. DARPA created the infrastructure and Berkeley created the protocols. The Internet is a Western invention and anyone who wants to use it has no choice but to live with its Western customs.
• America uses the internet the most. During the late 90s, Internet traffic in North America more than doubled every six months. Certainly, the same could not be said of any country that writes with worm trails on paper instead of using the standard A-Z alphabet.
• The West contributes the most to civilization. From industrialization, to computers, to biotechnology, and beyond, history has shown that Westerners have done more in 100 years to advance civilization than the rest of the world has done in two millennia. Why should the West be forced to subsidize cultures and nations that produce no tangible benefits to humanity?

Just my 2c.

-b.

How proprietary software costs us our security

on New Closed Source Voting Systems Malfunction

Many readers of SlashDot.org will be happy to point out the fact that open source software, such as Linux, presents the user with a more secure, more auditable, and more correctable product in general. However, this is not the reason why open source electronic voting machines would work better than their proprietary cousins. The fact of the matter is, open source programmers are scared into learning about and understanding computer security by the close scrutiny of their peers, whilst proprietary software developers are free to stroke their egos as they write poor, insecure code that never sees the light of day.

Some may say this is a bold statement, so I will provide examples to back it up:

• Windows NT 4.0 contained several well-known backdoors that allowed non-admin users to pop their code straight into kernel space. This was done with "ease of use" for developers in mind, and since the OS was closed-source, nobody questioned the poor design. The Microsoftie who wrote it obviously conferred with several other Microsofties, who, lacking security training, had no idea it was not the Right Way(tm) to do things.
• In contrast - Andrew Morgan's continuing work on the Linux privileges project is the antithesis of Microsoft's uneducated, misguided attempt to build a secure OS. Andy started out as we all do - with a naive view of computer security and interprocess authorization. However, he learned from the masters, and quickly designed and implemented a rock-solid privilege foundation that is used, in its original form, to this day in the Linux kernel. Granted, few distributions other than OpenWall Linux take advantage of it (which is sad) - but if they did, we would all be much safer from the threat of root compromises.
• The Windows 2000 FTP daemon has been notoriously insecure, in contrast with open source products like MuddleFTPd and ProFTPd. Why? Because the coders who wrote this security-critical part of the system just didn't care.

And that is my point with these voting systems: they are produced with the bottom line and a fat contract on the line, not produced by people who actually care about developing a product that encapsulates accountability, security, and accuracy. In other words, these products are developed by your stereotypical non-geeks who buy a CS degree "so they can make more money." And those, my dear friends, are the enemy of everybody in our profession.

Where has he been?

on Creating the New Public Network

Connectivity on the modern internet has been broken for many years, and will continue to stay that way as long as it is in providers' best interest to do so. Let's take a look at some examples to see why the problem is intractable:

• The internet is global. Although America has a bit of a stranglehold on most of the network, large portions of the internet are controlled by different governments, many of whom do not cooperate with the others. Saudi Arabia, China, and Iraq all firewall off most of the American internet hosts to suppress democracy. What makes My. Lyons think that these nations would be open to creating a "new public network" that allows free and open access?
• Blackhole lists are the rule, not the exception. Remember MAPS and ORBS, who asked participants to load ACLs onto their routers that killed off the class Cs and class Bs of suspected spammers? Well, these almost always resulted in collateral damage to unsuspecting customers of spammer-friendly ISPs. This created a dark underbelly of the internet: redlined addresses that were like the bastard half-brothers of the other hosts on the network, unable to access many important sites.
• Rogue nations need to be dealt with. Some nations, such as Korea and Russia, are widely acknowledged to have a preposterously bad record in dealing with security issues. Part of the problem is that their WHOIS system is unfriendly to English speakers; part of the problem is that their system administrators are severely overburdened and do not have time to fix r00ted systems. The problem arises in that it makes sense for Western hosts and ISPs to block traffic to and from these nations, in order to protect their own interests.

What's left to do?

on The Perl Foundation Grants Are Running Out

I have been a Perl guru since version 2.0, and I can honestly say that the features added since that time have not made my life any easier. Perl has reached a very mature stage in product development - a stage that is rare amongst feature-happy open source coders. At this stage, it is no longer worthwhile to pay people to continue developing the language. The only necessities are bug and security fixes, which can easily be handled by one person working part-time.

I am not by any means saying that Perl is dead - indeed, it will be many years before Python is able to offer the versatility and brevity that Perl has provided me with for ages. But the developers need to get off the gravy train and head for greener pastures. The time to leave is now; there is no work left to do.

Just my 2c.

b.

Answer: the end of the world.

on Will Instant Messaging Ever Unite?

Companies are designed from the ground up to act in their own best interest. With that in mind, let's take a look at why the major players in the IM market might not be too keen on a common, universal IM standard.

• AOL
  • AOL is the undisputed leader in the IM market. They were the pioneers; instant messages have been a part of AOL since the service was called AppleLink back in the late 1980s.
  • AOL does not need any more users on its IM network. It does not want more users on the network. Everybody who is anybody has an AIM account.
  • Facilitating compatibility with other IM networks would cost AOL money unnecessarily. They would not be able to install their spyware and ads on your system. And they would not be able to use the competing services to try to get you to join AOL. The economics of the situation favor the current approach.
• MSN
  • Microsoft would also lose out from giving up the right to blast ads and spyware at all of the users of its network.
  • Microsoft fully intends to leverage a monopoly in the instant messaging arena to further its desktop and server monopoly. At that point they will begin charging for service. This would be less effective if they opened their network.
  • Keeping their network closed encourages more users to get Passport accounts, which Microsoft uses to harvest personal information and sell consumer dossiers and mailing lists.
• Jabber
  • Jabber.org would benefit from an open IM standard. Unfortunately, Jabber.com would lose its only competitive advantage and would quickly go out of business.
  • Decentralization would make administration simpler, but would be unnecessarily incompatible with the centralized models of AOL, MSN, and (to a large extent) ICQ.

b.

Who really owns the airwaves?

on Canadian Government to Jam Radio Signals

Ever since the FCC was established in 1916, there has been a considerable debate about who really owns the right to control the airwaves. Should the RF spectrum be considered a free-for-all, in which the loudest (and therefore richest) participants can be heard? Should the government control the allocation of frequency ranges? If so, should the government necessarily be in the business of selling this public good to the most politically connected or most wealthy bidder? How should minority views (such as the views of Black or Gay Americans) be represented?

As it turns out, our representatives wisely decided to opt for a capitalist system. The highest bidder (that is, the bidder with the strongest desire to speak), is able to purchase spectrum at a reasonable cost from the American people. Thus, the maximum possible return is achieved for the taxpayers, and the highest bidder has paid a fair price for the scarce resource they need. Capitalism works - period.

Unfortunately, Canadia is not a capitalist society. Canadians favor socialist approaches to health care, government, and (yes) RF spectrum allocation. This means that the rights to an area of spectrum belong to the government, not to the people (as in America). And the Canadian government is now flexing their muscle and exercising their right to take this valuable resource away from its citizens, who wish to communicate amongst themselves. This underscores a crucial point of socialism: its sole purpose is to maintain control over the populace, at any cost. The basic premise of capitalism flies in the face of this sort of manipulation, and that is why America will never become a police state, regardless of what Draconian laws the Bush administration manages to pass.

So, in summary: you get what you elect. If you vote for socialists, don't expect to get fair use out of the natural resources and public goods in your country. The lesson comes at a high cost for many Canadians (witness the breakdown of their health care system), but recognizing the problem is the first step in finding a solution and joining the rest of the Western world in becoming a capitalist country.

Bill

The case for the Corporate Death Penalty

on Government Brings Antitrust Actions Against Rambus, Micron

Most enlightened Americans believe that certain individuals in a society - such as murderers, drug dealers, and socialists - who actively work toward the goal of destroying the system they live in and prosper from, deserve to be removed from society so that they do not harm others. But, although the courts in America have long considered corporations to be the same as individuals under the law, they have been reticent to hold corporations accountable for the crimes they commit in a similar sense.

However, as companies begin to lower their ethical standards and sink to the level of Enron, Anderson, and Rambus, the citizens of this fine nation need to stand up and demand accountability. Rambus should be a rallying cry, and it should be the pilot case for testing the resurrection of the corporate death penalty. Why?

• Rambus produces nothing. The Rambus technology was licensed (albeit in a very unethical manner) from several other companies. Rambus has never employed a single engineer. They exist only to facilitate the creation and maintenance of an artificial monopoly.
• Rambus is a threat to other businesses and consumers. Rambus has attempted to assert patent rights on several key, widely deployed technologies, such as SDRAM. This is a textbook example of extortion. Rambus did not create these technologies; they manipulated the sale of them so that they would be able to prosecute their competitors in court. An individual would rot in jail for doing something similar.
• Rambus does not support alternative operating systems. Thus far, Rambus has refused to cooperate with the Linux developers who are trying to optimize performance on machines with RDRAM. This gives Microsoft an unfair advantage and again hurts the consumer by inhibiting choice.

The list goes on, but the point is clear: Rambus deserves to get the corporate death penalty.

A bit of history

on AP reports on renewed "Browser War"

Microsoft won the browser war because IE4 beat the hell out of any other browser that was available at the time. In fact, IE4 beats the hell out of the latest Netscape 4.7x release on any platform.

Unfortunately for Bill Gates, his company has rested on its laurels. IE6 offers little that wasn't present in IE5, and the many useful features in Mozilla 1.0 (tabbed browsing, anti-popup features, speed, stability, and security) mean that IE will be losing a significant amount of market share very soon.

And how can we complain about that? May the best product win - again. It's nice to see open source come out on top.

There really is cause for concern

on Coasters to Face G-Force Limits?

I used to think that the veritable laundry list of anal little safety requirements on amusement park rides were nothing more than C.Y.A. drivel from Six Flags' lawyers. After all, how many undeserving people actually got hurt on roller coasters? As far as I had ever known, the only injuries and fatalities at amusement parts were a direct result of blatant stupidity, and these instances provided fodder for many eager Darwinists and other persons interested in the well-being of the greater gene pool.

All of that changed, though, in one terrifying incident: my cousin, a perfectly healthy 16 year old kid, suffered a serious blackout during a particular roller coaster ride. My family obtained video evidence of his unconscious state from one of the cameras mounted on the ride to take visitors' pictures; he was completely limp and had passed out during one of the steeper drops. In the ensuing weeks after the vacation, he had frequent blackouts and seizures. His driver's license was revoked, and he lost his summer job as a result. Although the problem went away a few months later and now he is back to normal, it was a scary reminder of the fact that we really do not understand all of the potentially harmful effects of large gravitational fields on the human body. And maybe we should wait until we do before we subject the public to these risks.

Losing money never hurt Bill

on Xbox Price Drops to $200

It is a testament to the arrogance and sheer power of the Microsoft Corporation that lowering the X-Box price (and thus, losing any semblance of profit they would ever make on the device) will hardly make a dent in their bottom line.

Let's take a trip down memory lane and think about all of the other money-losing ventures that the pundits thought would be the death of Microsoft:

• Microsoft Bob. An absolutely horrible idea with an even worse execution. M$ spent millions developing and promoting it, and didn't sell more than a handful of copies.
• Internet Exploder. Originally intended to be sold at a profit, the IE group has cost Microsoft tens of millions of dollars in development and support costs. What they have created is a money pit crafted from insecure, non-modular spaghetti code. Many observers (such as ESR) expected IE to implode under its own weight around the release of version 4.0, but it never happened.
• UltimateTV. Microsoft's lame attempt to make a Tivo and sell consumers a crappy version of the Tivo service at the same high monthly price as Tivo somehow didn't pan out. Go figure.
• Mac support. As it stands, Microsoft has not recouped its development costs on any release of Office for the Mac. This should not come as much of a surprise, as they offer steep bulk/site discounts to educational institutions on these products.

As you can see from the above examples, Microsoft's sole goal is to dominate the computer industry by creating products that lose vast sums of money, but "hook" the consumer into their services and upgrades. This is why we need more than Linux and OpenOffice to compete against them; we need government action. We're already beating them in the marketplace, but that doesn't matter when they have infinitely deep pockets from which to draw funding.

And that, my friends, is why Sony and Nintendo have a formidable enemy in Microsoft. Neither company has the cash reserves to compete with Microsoft on such an unlevel playing field, and neither one seems likely to survive in the video game arena for long without help from Uncle Sam.

Why it's a slippery slope

on Supreme Court Rules on Challenge to COPA

Readers of the Congressional Register will recognize the following future threats to free speech and free commerce online, which had been held up in committee until the Supreme Court ruled on the COPA:

• H.R. 4239, which makes it a felony to distribute any kind of sexually explicit material to a user who does not register with a government-sanctioned age verification service (like AdultCheck).
• H.R. 4551, which outlaws the creation and distribution of "electronic burglary devices" such as system cracking scripts and port scanners.
• H.R. 4608, which taxes all sales of goods over the internet that originate overseas.
• H.R. 4277, which requires all ISPs to keep 6 months of records of all user activity and give law enforcement access to the records without a court order.

The list goes on. Naturally most of these will never become law, but statistically at least a few are likely to pass and make the internet that much more repressive. It's high time to vote Libertarian and try to preserve the few remaining liberties we actually have in this country.

The hidden costs of automation

on Computers and Cars: A Maddening Experience?

One of my college buddies is an actuary now, and he works for a large insurer to set rates and assess risk in automotive applications. When this car first came out, we had a good talk about it, and I learned some interesting things that may sway consumers away from computerized car interfaces. Among his comments:

• The electronic parking brake is unintuitive and dangerous. One of the factors that make some cars safer than others is the ease of use of the parking break in situations in which the main brake lines lose pressure or the pedal snaps off. This causes the liability and collision insurance rates to be slightly higher.
• A standard shift lever on an automatic transmission is considered a safety feature, as both the position and the dash lights make it immediately apparent to the driver that the car is in gear. The 745i has only the light, and even at that, the light is stuck in the middle of a confusing, crowded console. This also increases risk and thus insurance rates.
• The fact that many Americans are afraid of technology and unable to perform a task as simple as changing their VCR clock or installing a new hard drive is a chilling reminder of the fact that valets, test drivers, and other "guest drivers" of the 745i will be putting the driving public at risk and increasing the owner's insurance rates.
• Since it is extraordinarily difficult to do something as simple as turning on headlights or changing the radio station, the driver's attention is likely to be diverted from the road.

All told, my actuary friend told me that the insurance rates for the first year that a driver owns a 745i are going to be astronomical. Rates for successive years are slightly lower, although the vehicle is generally regarded in the community to be a threat to life and property, and a lawsuit waiting to happen.

Why Microsoft hurts free markets

on RealNames Closing Shop

Everybody knows that Microsoft practices monopoly pricing practices and hurts consumers in the process. After all, who wouldn't expect them to skew the software market in their favor if they do wield the power to do so? Any company would do the same thing, and it's no surprise that BillG and friends take advantage of their unique position at the top of the food chain to gouge customers.

However, there is a second, more subtle effect to Microsoft's dominance of the PC software industry: they have the power and funding they need to prop up unprofitable ventures that serve only to increase their stranglehold over PC consumers. Take the RealNames scenario, for instance: Microsoft was able to compete with the Internic registry[1] only because they could afford to bleed money for several years without hurting. In this case, the market prevailed and RealNames collapsed. However, this isn't always the case. Take a look at Internet Explorer: for many years it was inferior to Netscape's offering, and only recently has Mozilla again surpassed it in speed and usability. IE never made a single red cent for Microsoft, but their monopoly position and cash reserves were used to force it down users' throats. And that, my friends, is why Microsoft endangers the entire software industry and desperately needs increased government oversight. Judge Jackson ruined our first chance to fight back, but hopefully the DoJ will not give up that easily.

[1] I am not endorsing ICANN or their corporatist interests, but their system is clearly superior to RealNames' undemocratic process.

I used to develop for RISCOS...

on RISC OS Select 1st Release Out

In fact, I was one of the contributors to the Linux RISCOS emulation package. This package is an excellent way to get your hands dirty developing for an embedded platform, without having to shell out for expensive hardware or proprietary dev tools. I highly recommend that your consider the possible use of RISCOS for your next embedded MP3 player or DiVX ripper appliance.

Some of the more useful software available for RISCOS is online here, in a searchable directory. More information is also up on my friend Dr. Pearson's page.

More posturing, courtesy of the IEEE

on IEEE Adds DMCA Clause for Submitted Papers

I will freely admit that the DMCA, U.S. export regulations, and puritanical restrictions on pornography have made a veritable legal minefield out of the tech industry in this country. I oppose any limits on free speech on the net, and feel that techies, industry, and the nation-at-large is ill-served by all of the regulations dreamt up by content holders and elected luddites.

However, cutting to the chase, the IEEE and the authors it represents really have little to fear in reality. The IEEE isn't "2600" Magazine; it doesn't deal with controversial subject matter on a regular basis. They aren't in the computer security business and they are unlikely to accept any remotely controversial manuscript in the first place. They changed their rules for one simple reason: they think it will make people care about the injustices of the law.

Unfortunately, they are sadly mistaken. Engineers have zero political clout, here and anywhere else in the world. If we had clout, the CDA wouldn't have seen the light of day; Clinton wouldn't have been able to get away with jacking up the H1-B visa quota by 1.5 million every year during the tech boom; and the USA-PATRIOT act wouldn't have come to fruition. The IEEE wants to bring about public awareness of the injustices of our government, but they're just preaching to the choir. We, as computer professionals (especially the academics among us), understand the problem and want a solution. But we don't vote; we don't lobby; and we don't rent hookers for our congressmen.

What is the solution? The solution is to get the right people on our side. We need to forge a partnership with major corporations; we need to practice give-and-take to arrive at a compromise. That's hard for most techies to do because most of us hate corporations. But if we don't join them, they will beat us. The choice is ours.

bill

It's too bad Iomega is dying anyway

on Iomega's New Unix (Optional) NAS Appliance

One of my college buddies took a job at Iomega after graduation because it was an up-and-coming company - back in its heydey, most new PCs came with a shiny Zip100 drive next to the floppy, and times were good. Iomega used to be one of the tech world's few great innovators - and the Jaz concept was pure genius, especially compared with the primitive Bernoulli boxes that Jaz superceded.

Unfortunately, times have been tough for Iomega. They haven't posted a profit for several years. On a related note, they haven't come up with a decent new product for several years. Instead of innovating, they tried to get into the business of producing cheap, commodity devices (like tape drives and CD writers) that nobody was interested in buying. Coupled with the Click of Death problems, this new strategy backfired and sent Iomega into the red - where they have remained ever since.

And that brings me to my story: I talked to my buddy on the phone a few weeks ago, and he said that morale is low at Iomega. The company has been slashing jobs and pay every quarter, and he has had to lay off many of his subordinates. He said that the NAS idea is a last-ditch effort to squeeze profits out of a dying industry, and that Iomega's business plan is to sell the NAS devices at a loss (to stay competitive with the big guys) and to sell overpriced support contracts to try to stay in business. For his sake I hope it works out, but for all intents and purposes Iomega is dead. But nobody said that mormons have any business sense anyway, so I don't blame them.

/B.

The FCC is no longer relevant

on FCC Petitioned to Restrict 2.4GHz Band

The question on most peoples' minds after reading this article is, "should the FCC regulate the 2.4Ghz spectrum?" On the contrary, I challenge you to ask yourself, "does it even matter if the FCC regulates the 2.4Ghz spectrum?"

Back in simpler times, when the airwaves were not filled with 1800CDMA and 900TDMA conversations, RC controllers, garage door openers, and 2000 channels of premium television services, the FCC had a fairly easy job enforcing their rules on spectrum use. They could enumerate every single transmitter within a major city, because the number of transmitters could be counted on one hand. Nowadays, however, the FCC has no idea what traverses the airwaves, doesn't care to locate rogue or illegal transmitters, and wouldn't have the resources it needs to find them even if it did care.

To support this claim, allow me just a few examples:

• My employer purchased about two dozen commercial UHF two-way radios several years ago. The FCC regulations require that a $75 license fee be paid to use these radios. My employer and several other companies I know of have never been forced to pay this fee; it is merely a "sucker tax."
• The last three PCs I have purchased were from hole-in-the-wall vendors who used several critical components that were not licensed for FCC Class B or Class A use; in order words, these devices are illegal because they give off way too much RF radiation. Does the FCC care? Hell no. The chink I bought the PCs from told me that a dissatisfied customer once threatened to report him to the FCC; the FCC called him, asked if he was in compliance, and closed the case when he said "yes."
• One of my friends built his own spark-gap based police radar jammer, which he installed in his car. The jammer makes it very difficult for any RF device at all (including FM radios and TVs) to work within about a 250-ft radius. Has the FCC shown up on his doorstep? Certainly not.
• There are millions of 802.11b devices out there. Nobody will bother to get a license, because nobody cares about intricacies of the law in this country. There are so many criminal offenses that knowing about them all, much less enforcing them, is close to impossible.

Just my 2c.

Bill

Why smartcard security sucks

on Vivendi Universal vs. News Corporation

I used to have a roommate who hacked DirecTV smart cards to get free pr0n channels back in the day, and we had many interesting discussions on the merits of smartcard security. He taught me that the dirty little secret of the industry is that every smartcard in history has been cracked. Now why might that be the case? Simply put, there are more avenues of attack on a smartcard device than you can shake a stick at. Let us examine a few of the most important ones:

• Bugs in the code on the card. This is somewhat analogous to buffer overflows and format string bugs in poorly written daemons like IIS, UPNP, and BIND. Often the first thing that hackers will do with a new smartcard is to explore its known instructions to try to find "read holes" (which let you read the ROM or EEPROM) or "write holes" (which allow you to modify the code on the card).
• Glitching. In order to circumvent the security on smart cards, some hackers will buy a special device called a "glitcher" that momentarily lowers the power supply voltage going to the card at just the right time in order to get the CPU on the card to skip the desired instruction. The result is that the security on the card can be bypassed. In the case of DTV access cards, glitching is also used to "unloop" cards that have been illegally modified and subsequently disabled by DTV's electronic countermeasures.
• Replay attacks. Often a card may be convinced to accept ROM updates by crafting an instruction packet that appears to be an authorized update, but in fact has a forged signature on it. This is caused by the use of weak mathematics such as IDEA and CBC, which have been almost fully compromised.
• Communication logging. Often, critical data that passes between a card and its peer can be observed and logged. This data can leak important decryption keys, passwords, and data.
• Power use analysis. Hackers with access to expensive equipment can observe how much power a smartcard uses while performing a given operation, and can sometimes deduce decryption keys from this power trace as a result of poor implementation of cryptographic algorithms.
• Insecure operating environments. Some smartcard designers choose to implement things like Java or Lunix on their smartcards, which have proven security vulnerabilities and cannot withstand a dedicated attack.

The one thing that surprises me about this article is that NDS spent a million dollars on this research. Satellite hackers who want to steal DirecTV's signal do the same thing for free every day, and usually do a more thorough job of cracking the card. However, the one lesson to take from this is simple: smartcard security Just Doesn't Work(tm).

Bill

A taste of the future

on ACPI Forced On & Option Disabled in WinXP-Certified Motherboards

I work at a company that (among other things) produces PC-compatible hardware. Although I am primarily a coder, many of my friends work on the hardware side of the business and they have remarked in the past about Microsoft's increasing willingness to "tighten the screws" on hardware manufacturers who include features in their products that have a negative impact on Windows compatibility. Although it would be quite a damning allegation to imply that this is an anticompetitive measure, it certainly seems like Microsoft's efforts to make hardware incompatible with alternative PC operating systems could fit into their overall strategy quite well, especially when faced with such credible threats as GNOME and Nautilas on the desktop.

Some of the things that Microsoft has forced us to change in the past few years include:

• One of our main products was in full compliance with the IEEE specification for the USB interface. However, because Windows 2000 used a while() loop for a timing operation, it was sometimes flaky when dealing with our product. As a result, we needed to re-engineer an ASIC (this was damn expensive) to make it compatible. The original version, of couse, was fully compatible with Linux.
• Normally Windows communicates in a little-endian fashion. However, for two particular device status operations, Windows inexplicably violates yet another published spec and forces the device into big-endian (mac fag) mode. We needed to change firmware to fix this, and delay the release of our product by 3 weeks.
• Microsoft required that the source code to our Windows drivers got audited in order for the product to be approved. Hmm, why don't they let us audit their code?

Naturally, though, since the DoJ has dropped the ball on Microsoft, this sort of thing will only get worse. Get used to it, and vote Democratic in 2004.

Bill

News Flash

on Tauzin-Dingell Up for Vote Soon

Third-party DSL providers are already dead. Can you name one who's made a profit for one single quarter? I'll give you a hint: it's not one of these losers:

• Covad (fucked from the get-go, but they blame Verizon)
• Northpoint (RIP)
• "DirecTV DSL" (they are taking *huge* losses, just like the rest of Hughes)
• Tung Communications (who?)

DSL service is an economy of scale, and carving it up amongst a dozen competitors in the same small geographical area will ensure that they will all sell at a loss and die. It's simple Economics 101.

Bill

Stealing from the poor and giving to the rich

on Towards an Internet-Scale Operating System

Let me preface this by saying that work related to SETI@home, the Human Genome Project, and politically motiviated cypher cracking is a Good Thing(tm) and should be preserved.

However, the proposed ISOS is big, powerful, and likely to be sought after by the most powerful corporations and institutions on the planet. How much lobbying would a large drug company need to do to get more than its share of distributed processing power? How much money would the U.S. Government need to give to them to use the system for cracking "terrorist" messages from the "evil ones" like Kevin Mitnick and Bernie G? How much money would the Government need to give to them to use the system for spying on individual users? Remember, this is the same government who pays Hollywood to put anti-drug themes in their sit-coms, so what would they not be willing to try?

The end result of this, then, is that ordinary computer users will be forced to subsidize (through the use of CPU cycles, electricity, wear and tear on hardware, and memory use) the efforts of large companies and governments who are working against their best interests. So, tell me again... what would we gain from this?

Bill

How this impacts *my* company

on Loki Games Closing?

I work for a small, moderately successful custom software company. We've got 95 employees and serve mostly medium size businesses in the U.S. that need us to engineer supply chain and inventory management software.

You may wonder why a bombshell in the Linux games market impacts us. Well, I did as well, until I started hanging out with my boss and understanding the way the marketing department works. And now I know that Loki's death is yet another nail in the coffin of the concept of ever using Linux on a client site again.

The problem here stems from the fact that customers purchase buzzwords from us, not solutions. Our software is simple - it can be implemeted in FORTRAN and run on VMS, for all we care. In the late 1990s, we began a massive shift from NT to Linux because, well, our clients asked us for a massive shift from NT to Linux. They didn't care that it was free (they still paid us for our "official" copy of Redhat which we made with our CD copies). They wanted it because it was fashionable. And that is why the tide has turned on us Linux fans now. Linux is out; it is not a hot topic anymore. Companies are asking for what they believe to be the "tried and true" solutions, and most of those come from Redmond and from Big Blue (and we aren't talking OS/2 here). If we stuck to our guns and sold Linux products, we would lose a lot of business and wind up in va's situation - barely alive. It's sad but that's the way it is. I want nothing to do with Windows but if I don't learn it, I will inevitably cost my company money and lose my job as a result.

What can we do to turn the tide in our favor again? Learn to write. Offer to write a computer advice column in your local/school newspaper and encourage users to pursue Free solutions. When somebody writes in with an Outlook problem, steer them toward Pine or Mutt. Take the time to teach people how to use Linux - if you let them sink or swim, they will take the path of least resistance and make billg richer. Nobody said it would be easy, but the only way our grass roots movement can succeed is by pursuading users to switch, one at a time.

Bill

Harrison's comments on it

on 'Indiana Jones 4' Finally A Go

Having watched Harrison Ford's speech the other night during the Golden Globe awards, I am confident that he is in no position to take on a role like this. Consider the following points:

• During his speech, he expressed a need to take some time off to console his daughter, who is recoving from leukemia.
• He looks like somebody's grandpa and appears to be quite depressed.
• For the most part, as he stated, he has retired from acting and will probably only play bit parts in the future.
• His brush with cancer two years ago took a tremendous toll on him and he continues to recover.

The speculation in Hollywood circles is that a young, hot stud like Brad Pitt might take the lead (Indy) role.

Bill