Wednesday, 31 October 2007

Samsung unveils 64Gbit flash memory chip

Company expects technology to appear in its storage cards by 2009

Samsung Electronics Co. today announced that it has built a 64Gbit NAND flash memory chip.

The new flash storage device utilizes 30-nanometer processing technology and was developed using Samsung's self-aligned double patterning technology (SaDPT), said Samsung officials.

The company said it plans to start manufacturing 30-nm 64Gbit NAND flash devices during 2009. Samsung has already applied for as many as 30 patents for the new flash memory chip, officials said in a statement.

By combining a total of 16 separate 64Gbit flash devices, businesses can create a 128GB flash storage device capable of holding up to 80 DVD movies or 32,000 MP3 music files, noted Samsung.

While some analysts have forecast somewhat sluggish NAND demand in 2007-2008, Gartner Inc. has predicted that sales of 64Gbit NAND flash and other higher-density flash storage devices could reach $20 billion by 2011.

Joseph Unsworth, an analyst at Stamford, Conn.-based Gartner, called Samsung's achievement "impressive" but openly questioned the company's ability to mass produce the technology with good yields. "Samsung has had a difficult time adhering to its timelines for mass production due to the complexity of MLC architectures and ever shrinking process geometries," remarked Unsworth.

Samsung said that its new double-pattern technology creates a wider-spaced circuit design of the target process in the first pattern transfer and fills in the spaced area more closely with its second pattern transfer on the chip.

Although NAND already has a strong grip on multimedia handsets, Unsworth said vendors must find ways to cut its price and provide more compelling benefits in terms of boot up speed, reliability and power efficiency to make a significant impact on computing capacity.

Samsung said it has also designed and constructed a 32Gbit NAND flash storage chip using the same technology as its new 64Gbit offering.

SanDisk introduces video download device, service

SanDisk's Fanfare adds to the growing number of iTunes rivals, including's "Unbox" service

SanDisk Corp. introduced on Monday a service for downloading free and advertising-supported video from the Internet, which could compete with Apple Inc.'s iTunes.

SanDisk said its new system, called "Fanfare," serves as a companion to the Sansa TakeTV PC-to-TV Video Player, a pocket-sized memory module which it also introduced on Monday. The device lets users save videos downloaded onto a personal computer and move them to a traditional television.

Fanfare, now in the early "beta" stage, will be launched as a full version early next year.

SanDisk's device and online service arrive as consumers are exercising more control over when they watch TV programs, with many viewing shows on computers or portable media players.

Apple remains dominant in video and audio downloading, but it is expected to face a tougher time filling its iTunes store with TV shows and movies as big media companies gird against repeating the music industry's mistakes by giving away content at cheap prices.

Fanfare adds to the growing number of iTunes rivals, including's "Unbox" service.

"The overall vision of Fanfare is to enable users to draw from a rich catalog of free and paid video content from a single location for playback on a wide variety of portable devices in the future," SanDisk said in a statement.

The only major U.S. network affiliated with the service at launch is CBS Corp.'s CBS and its pay-tv unit, Showtime Networks, with shows such as "CSI" and "Dexter." Fanfare will also have videos from Smithsonian Networks, The Weather Channel and TV Guide Broadband.

Federal judge delays decision on Microsoft antitrust oversight

New Jan. 30, 2008 deadline gives all sides more time to argue the case

A federal judge today gave Microsoft Corp., state regulators and the Department of Justice (DOJ) more time to argue whether the company should be held to its antitrust settlement until 2012.

U.S. District Court Judge Colleen Kollar-Kotelly approved a motion filed by Microsoft, the DOJ, 17 states and the District of Columbia that pushed the extension decision out as far as Jan. 31, 2008. Originally, Kollar-Kotelly was expected to rule next Tuesday on whether major sections of the consent decree that Microsoft and regulators signed in 2002 would expire Nov. 12.

"It would not be practical for the parties fully to brief the Motions, and for the court to consider the Motions and render a ruling, prior to the current expiration of the Final Judgments," Kollar-Kotelly said today in a ruling.

"This temporary extension is procedural in nature and not a ruling on the merits of the motions," cautioned Jack Evans, a Microsoft spokesman, in an e-mail Tuesday afternoon. "[This] will give Microsoft and the other parties a bit more time to file their briefs and the court more time to issue a ruling."

Although most of the consent decree was to expire in under two weeks, several states have been pressing for another five years of oversight, saying that Microsoft still has a monopoly on the desktop operating system market and could stymie attempts by Web-based applications to break that hold. Earlier this month, California and New York, each leading a different group of states, filed motions with Kollar-Kotelly asking her to watch Microsoft until November 2012.

"The threat that these [Web-based] technologies pose to Microsoft's Windows monopoly through their ability to erode the applications barrier to entry depends, in large part, on Microsoft's willingness to maintain [Internet Explorer] as a standards-compliant browser and to continue supporting cross-platform implementations," the California group said in its filing.

Under the new schedule, Microsoft will have until Nov. 6 to submit its response to the California and New York requests for further oversight. U.S. antitrust regulators have until Nov. 9 to file a brief explaining why the DOJ doesn't want an extension, and the states will have until Nov. 16 to reply.

Kollar-Kotelly did not set a date for her ruling, saying only that it would come before the Jan. 30 deadline. She has given no hint as to how she will rule, but antitrust experts said as recently as last week that it would be a long shot to expect her to add another five years to the decree. "She is going to have to have some evidence that the decree hasn't done what it's supposed to, to extend," Herbert Hovenkamp, an antitrust scholar from the University of Iowa College of Law, said then. "She'll need more than what she's heard."

Microsoft has maintained that the 2002 agreement has served its purpose, and will presumably argue that point in its filing next week.

The Google phone: Has a wireless upheaval begun?

Questions remain, but analysts expect a Google phone by mid-2008

The Google phone is inching closer to reality, with wireless handhelds running Google Inc. applications and operating software expected in the first half of 2008, several industry analysts said today.

Some see Google's model as revolutionary in the U.S., where nearly all customers buy their cellular phones from a wireless carrier and are locked into a contract with that carrier. But Google's entry could signal a more open system where a customer buys the Google phone and then chooses a carrier, they noted.

The Wall Street Journal today cited unnamed sources and said that Google is expected to announce software within two weeks that would run on hardware from other vendors. The Google phone is expected to be available by mid-2008. The company did not comment.

Last week at the semiannual CTIA show in San Francisco, several analysts said they had heard rumors that Google would be offering software to Taiwan-based device maker High Tech Computer Corp. (HTC) for the Google phone.

Today, Gartner Inc. analyst Phillip Redman said the rumor was still that the Google phone "is coming from HTC for next year, [with] 50,000 devices initially."

HTC could not be reached for immediate comment.

Lewis Ward, an analyst at Framingham, Mass.-based market research company IDC, said Google is clearly working on software for a phone, but after making a presentation at CTIA on emerging markets last week, he said, "It didn't sound like it was on HTC after all."

Unlike several analysts who said that Google could face a fight from carriers opposed to open networks and open devices, Ward and Redman said some carriers will cooperate with Google. "It's possible some carriers will work with Google," Ward said. "AT&T seems to be more open already with its iPhone support and other things, while T-Mobile and Sprint Nextel may be more open than Verizon Wireless."

Redman said that Google's "brand is attractive, so I think there will be takers" for building hardware and for providing network support.

At CTIA, Ward said a Google phone would make a wireless portal out of what Google already provides on a wired network to a PC, such as maps, social networking and even video sharing.

"This is about Google as a portal," Ward said last week. "This is fundamentally about wireless and wire-line converging."

Ward said Google's plans for its phone software are still up in the air. "What's unclear also is whether it will be a Linux free and open [operating system] running on top of the hardware, with applets and widgets and search and all the advanced stuff that Google has done in the past."

Jeffrey Kagan, an independent wireless analyst based in Atlanta, said many questions are raised by Google's proposition, including what the phone could be named. "Will it be a regular phone, or will it be more like the Apple iPhone? How will customers pay for it? Will it be different from the traditional way we use and pay for wireless phones? There are so many questions," Kagan said.

Like Apple Inc. with the iPhone, "Google could be very successful if they crack the code," Kagan added. "The cell phone industry ... is going through enormous change and expansion. Many ideas will be tried. Some will work, and some will fail."

Tuesday, 30 October 2007

Excel 2007 flunks some math problems

Microsoft confirms spreadsheet returns 100,000 when it should show 65,535

Microsoft Corp. yesterday confirmed that Excel 2007, the newest version of its market-leading spreadsheet, returns incorrect calculation results in some cases.

The math bug first surfaced Saturday on Microsoft's own Excel support newsgroup when a user named Molham Serry reported that when he multiplied 850 by 77.1, Excel 2007 returned 100,000 rather than the correct 65,535. Others on the newsgroup quickly took up the standard, eventually posting more than 120 messages to the thread. Among their findings: Other calculations claimed 100,000 was the correct answer.

Yesterday, the Excel team offered a mea culpa posting to a Microsoft company blog. "The majority of reports were focused on multiplication, but our testing showed that this really didn't have anything to do with multiplication," said David Gainer, lead project manager for Excel. "It manifested itself with many, but not all calculations in Excel that should have resulted in 65,535. Further testing showed a similar phenomenon with 65,536 as well."

Only Excel 2007 is a math dummy. Earlier versions of the spreadsheet, including its immediate predecessor, give the correct answers.

Gainer said that the bug isn't in Excel's calculations, but in code that takes values and formats them to be displayed in the worksheet. To prove that Excel knows its multiplication tables, he suggested entering 850*77.1 in Excel 2007 -- yielding the incorrect 100,000 -- then multiplying the result by 2. The spreadsheet will return the right value, 131,070, not 200,000.

Excel displays the wrong result in an even dozen cases, Gainer added, all involving six floating-point numbers around 65,535 and 65,536. "All other calculation results are not affected," he said.
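The two paragraphs above make a point worth seeing in code: the stored result of 850*77.1 is not an exact 65,535 in binary floating point, and only a handful of doubles sit close enough to 65,535 or 65,536 to render as those integers once a display layer rounds to 15 significant digits. The following Python example is added here and is not from the article, from Microsoft or from Excel; its `display()` function is an assumed stand-in for a spreadsheet's display layer (15 significant digits, trailing zeros dropped), not Excel's actual formatting code, and the neighbour counts it produces illustrate the kind of values involved rather than Excel's own list of twelve cases.

```python
import struct


def display(value: float, sig_digits: int = 15) -> str:
    """Render a double the way a spreadsheet display layer would:
    round to `sig_digits` significant digits and drop trailing zeros.
    Assumption for this example only; not Excel's real formatting code."""
    return f"{value:.{sig_digits}g}"


def adjacent_double(x: float, step: int) -> float:
    """Return the double `step` ULPs away from a positive finite `x`
    (step=-1 is the next lower double, step=+1 the next higher one)."""
    bits = struct.unpack("<q", struct.pack("<d", x))[0]
    return struct.unpack("<d", struct.pack("<q", bits + step))[0]


def display_aliases(target: float, sig_digits: int = 15) -> tuple:
    """Count how many consecutive doubles just below and just above `target`
    render as the same string as `target`. These non-integer values are the
    ones a bug in the display code at that boundary would misrender while
    the arithmetic that produced them is perfectly fine."""
    shown = display(target, sig_digits)
    below = above = 0
    x = adjacent_double(target, -1)
    while display(x, sig_digits) == shown:
        below += 1
        x = adjacent_double(x, -1)
    x = adjacent_double(target, +1)
    while display(x, sig_digits) == shown:
        above += 1
        x = adjacent_double(x, +1)
    return below, above


def newsgroup_check() -> dict:
    """Reproduce the check Gainer suggested: the stored value of 850*77.1 is
    slightly under 65,535, a correct display layer shows it as 65,535, and
    doubling the stored value shows 131,070 -- so the calculation is right
    even where a display layer misrenders the first result."""
    product = 850 * 77.1
    return {
        "stored": repr(product),                # shortest round-trip repr
        "is_exact_65535": product == 65535,     # the stored value is not exact
        "shown": display(product),
        "doubled_shown": display(product * 2),
    }


if __name__ == "__main__":
    print(newsgroup_check())
    print("aliases of 65535:", display_aliases(65535.0))
    print("aliases of 65536:", display_aliases(65536.0))
```

The asymmetry in the counts around 65,536 comes from the double's exponent changing at 2^16: the spacing between representable values doubles there, so fewer neighbours above 65,536 fall inside the 15-digit rounding window than below it.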

A fix for Excel -- and for SharePoint's Excel Services, which also sports the bug -- is in the works, Gainer said. He didn't set a date for the bug fix release, saying only that "we expect [it] to happen very soon." The patch will be posted for downloading, presumably to Microsoft's download site, and will also be pushed to users via a future Windows Update and a Windows Server Update Services offering. A Microsoft spokeswoman, however, said a date had not been set for the fix, or for its appearance on WU and WSUS.

Microsoft's next scheduled security patch day is Oct. 9.

Microsoft rebuts OneCare auto update accusations

But it should better spell out user settings changes, says adware expert

Microsoft Corp. confirmed that its OneCare consumer security software modifies Windows' overall patch options during installation but said that the tool tells people that their settings may be changed.

"When you first install Windows Live OneCare, setup informs you that if you choose to proceed, your computer settings will be changed to automatically download and install important updates from Microsoft Update," an unidentified member of the OneCare team blogged late last Thursday.

Earlier that same day, a popular Windows newsletter reported that OneCare altered Automatic Updates (AU) in Windows XP and Vista without telling users or getting their approval. According to Scott Dunn, an editor of the "Windows Secrets" newsletter, OneCare sets AU to full-automatic mode and even switches a pair of services back on if they have been manually disabled by the user. Dunn speculated that the behavior might explain two-week-old reports of patches being installed and systems rebooting without permission.
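A practical way to verify a report like Dunn's on your own machine is to record the Automatic Updates configuration and the state of the update-related services before an installer runs and compare afterwards. The PowerShell below is an added example, not from the article, "Windows Secrets" or Microsoft. It assumes the standard Windows Update registry locations (the per-machine `Auto Update` key and the Group Policy `AU` key, where `AUOptions` 4 means download and install automatically) and assumes the "pair of services" are the Windows Update service (`wuauserv`) and BITS, which the article does not name.

```powershell
# Added example: snapshot Automatic Updates settings and update-related services,
# run an installer in between, and diff the two snapshots for silent changes.
# Assumptions (not stated in the article): standard Windows Update registry keys;
# the services watched are wuauserv and BITS.

$AuKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update',
    'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'
)
# AUOptions: 1 = disabled, 2 = notify before download, 3 = download then notify,
# 4 = download and install automatically (the "full-automatic mode" described above)
$AuValues  = @('AUOptions', 'NoAutoUpdate')
$Services  = @('wuauserv', 'BITS')   # assumed; the article does not name the services

function Get-UpdateConfigSnapshot {
    $snap = @{}
    foreach ($key in $AuKeys) {
        if (Test-Path $key) {
            $props = Get-ItemProperty -Path $key
            foreach ($name in $AuValues) {
                if ($null -ne $props.$name) { $snap["$key\$name"] = $props.$name }
            }
        }
    }
    foreach ($svc in $Services) {
        # Get-WmiObject works on the XP/Vista-era Windows PowerShell the article's readers used
        $s = Get-WmiObject -Class Win32_Service -Filter "Name='$svc'"
        if ($s) {
            $snap["service:$svc:StartMode"] = $s.StartMode
            $snap["service:$svc:State"]     = $s.State
        }
    }
    return $snap
}

function Compare-UpdateConfig($Before, $After) {
    $changes = @()
    $allKeys = @($Before.Keys) + @($After.Keys) | Sort-Object -Unique
    foreach ($k in $allKeys) {
        if ($Before[$k] -ne $After[$k]) {
            $changes += [pscustomobject]@{
                Setting = $k
                Before  = $Before[$k]
                After   = $After[$k]
            }
        }
    }
    return $changes
}

# Usage: snapshot, run the installer, snapshot again, review what moved.
$before = Get-UpdateConfigSnapshot
# ... run the installer under test here ...
$after = Get-UpdateConfigSnapshot
Compare-UpdateConfig $before $after | Format-Table -AutoSize
```

An empty table means nothing the script watches changed; a row showing `AUOptions` moving to 4, or a service whose `StartMode` went from `Disabled` to `Auto`, is exactly the behaviour the newsletter described and is what an installer's disclosure should have told the user in plain words.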

"This behavior is by design and is not unique to the latest version of OneCare," the Microsoft blog post continued. "It helps ensure that your computer continues to receive important updates as soon as possible after they are released."

The post included a screenshot of the first installation dialog that users see. Text in that dialog reads, "By using OneCare you agree to let Microsoft make changes to your system, such as enabling features that keep your system up to date and make it safer for you to browse the Internet." The disclaimer does not specifically say that AU's settings will be changed and, contrary to the statement in the OneCare blog post, it does not mention the Microsoft Update patch service.

A researcher noted for his work in dissecting questionable install disclosures said that OneCare fumbles when it comes to adequately informing users.

"Microsoft uses a lengthy multiparagraph statement in an installer screen, and the affirmative button is labeled simply 'Next' (not 'I agree' or similar)," said Harvard Business School assistant professor Ben Edelman, who has investigated adware installation disclosure policies and language. "This design means some users will inevitably 'consent' and receive updates without fairly understanding what will occur."

Edelman called on Microsoft to clearly state what it will do to users' PCs before it installs OneCare. "[They] ought to do more to alert users to the significance of the text on that screen, both by emphasizing what's most important and by assuring that the continue-install button alerts users to the fact that they're not just going on to the screen, but that they're actually indicating agreement to have their computer modified as Microsoft sees fit," he said.

The OneCare team hinted that it might do just that but stopped short of promising changes. "We are evaluating user feedback and will be revisiting how we communicate the installation details of Windows Live OneCare," the blog said.

A OneCare user commenting to the Microsoft blog called for more information during installation. "I see no practical reason you cannot post a warning label on that same initial notice that all updates for the OS on which OneCare is being installed will be set to 'Install updates automatically,' and give an opt-out option," said someone identified as Uncfudd.

Dunn, the "Windows Secrets" editor who first reported on OneCare's AU changes, reacted Monday to Microsoft's rebuttal. "It isn't apparent that this [disclosure] refers to updating your entire system via AU or just updating virus definitions," he said in an e-mail. "A better way to go would be to ask a question as part of the installer, with the default being to not change the user's current settings.

"Microsoft used to be an innovator in user interface research," he added. "Surely this isn't too hard for them to figure out."

After a Data Breach: Navigating the tangle of state notification laws can be exasperating -- and costly

There are already more than 30 different notification requirements on the books

One musical instrument sales site was caught off guard last year when it suffered a data breach that was followed swiftly by a double whammy of consequences.

Roughly 250 customer records were exposed, likely after an individual stole an administrative password by accessing systems remotely. (Site owner Bananas at Large has since put additional security procedures in place to prevent a recurrence.)

After the breach, the 25-person company scrambled to comply with the many state laws requiring customer notification. It alerted only the affected customers, either by mail or e-mail. Because its own resources were limited, Bananas referred victims to large credit-reporting agencies to monitor for subsequent financial damage from the breach.

Despite its efforts, Bananas apparently failed to meet all the various state notification requirements and was subsequently slammed with fines and fees by major credit companies. “They did not specifically provide a reason for the fees other than saying that we had not met all of the terms in our agreements with them,” says Bananas President J.D. Sharp. “They’ll fine the pants off you,” he adds.

The Bananas experience provides a hint of the turmoil a company can face as it tries to cope with disclosure requirements in the wake of a data breach. With more than 30 state data-disclosure notification laws now on the books, officials at many companies doing interstate business are hoping that cohesive national legislation will smooth out the nuances among differing statutes. But so far, federal legislation that would unify corporate disclosure rules is merely inching forward.

With no imminent legislative relief in sight, corporations sometimes resort to blanketing customers with notifications after a breach — lobbing disclosures even in those states that don’t require them, simply to cover all bases. But this practice can have “unintended detrimental consequences,” says Robert Scott, managing partner at the Dallas office of Scott & Scott LLP, a law and IT services firm.

Studies have shown that most customers would take their business elsewhere if they received two or more security breach notices, says Scott. “When faced with a security incident, businesses should carefully determine who has been impacted, review their breach notification laws in the relevant states, and devise a breach notification strategy that satisfies the legal obligations and properly notifies affected consumers,” he says.

Many organizations are integrating the efforts of IT, Legal and other departments to come up with strategies to comply with state regulations and ultimately weather worst-case scenarios. Others are stepping up encryption efforts, since many states don't force companies to disclose security incidents if the compromised data was encrypted.

Companies as varied as Microsoft Corp., Bank of America Corp. and Verizon Communications Inc. have all taken steps to address the issue with specific teams and processes to handle disclosure in the event of a breach. In large companies, disclosure activity often involves multiple jurisdictions, such as the offices of the chief auditor, the chief compliance officer, the chief privacy officer and the chief technology officer or the CIO, says Joseph Rosembaum, a partner at New York law firm Reed Smith LLP.

The lack of a central authority can create problems.

“Where responsibilities are partitioned across a diverse set of functions, each office may have the ability to provide greater focus on individual issues, but the challenge of coordination across multiple disciplines is more difficult,” Rosembaum notes.

Moreover, it takes corporate vigilance to keep pace with so many differences in state disclosure laws — variations that start with notification triggers. Some states require notification only if a breach is likely to harm individuals. Others force companies to cast a wider net.

“For some states, any breach that compromises the security or confidentiality of covered personal information triggers the obligation to notify the affected individuals,” notes Thomas Smedinghoff, a partner at Chicago law firm Wildman, Harrold.

The timing on triggers also varies. “Some states require that consumers be notified when their information is lost. Other states will allow the breached entity to perform some analysis to determine the degree of risk to consumers,” says Jorge Rey, information security and audit manager at independent accounting firm Kaufman Rossin Co. in Miami.

Notification triggers aren’t the only differences among state laws. For example, although one state might allow exemptions for compromises of encrypted data, “another state without such an exception would require a notice, even though the data was unreadable,” says Geoff Gray, a privacy and data security consultant at the Cyber Security Industry Alliance in Arlington, Va.

And as Bananas learned, the high cost of notification compliance doesn't stop with the resources it takes to coordinate a response and alert customers. "Enterprises may face potential litigation and fines," says Scott.

Damage Control

The team at ChoicePoint Inc. knows all too well the complexities of navigating state disclosure laws. After a data breach two years ago, the Alpharetta, Ga.-based company dashed out notices to about 163,000 people. "We expanded upon legislation that only existed at the time in California and opted to make nationwide notification of potentially affected consumers, without any state or federal law requiring us to do so," says Christopher Cwalina, ChoicePoint's assistant general counsel and vice president for compliance.

The company’s woes made headlines, but the incident also prompted it to codify breach management plans and assemble a response team. Its policy now “lists all enacted state data breach notification laws, as well as the unique requirements of each law,” Cwalina says.

In addition, ChoicePoint leans heavily on its government affairs team and legal department to track the laws and monitor compliance in the event of a breach.

Large or small, companies should plan ahead to lessen the burden of notification in the event of a data breach. “Encryption is the single most effective way to avoid the negative business impact of data breaches,” says Scott. “Under most privacy statutes, if you have encryption, you get a free pass from notification.”

But with or without encryption, it’s wise to devise a strategy for disclosure in the event of a breach. Companies should have a team in place that can assess the scope of damage and meet the demands of state regulators and credit card companies.

The goal, says Cwalina, is to “act quickly, investigate thoroughly and notify promptly.”

Saturday, 27 October 2007

Google launches IMAP support for Gmail

Users can sync Gmail with their e-mail clients

Google Inc. has launched a new IMAP (Internet Message Access Protocol) service for Gmail that will allow users to sync Gmail with their e-mail clients.

"It keeps the same information synced across all devices so that whatever you do in one place shows up everywhere else you might access your e-mail," said David Murray, associate product manager, in a blog post. "For example, I can read an e-mail in Gmail, then move it to the 'Starred' folder on my iPhone, then archive it by moving it to 'All Mail' in Thunderbird, then see all of those changes on my BlackBerry or any of [these] devices for that matter."

Previously, Google offered only POP (Post Office Protocol) access for Gmail, which meant that if users made changes on other devices, those changes weren't seen in Gmail when they logged back in. Users then had to re-read and re-sort all their e-mails. The IMAP feature means all user e-mails will be stored on the server, so users can sync their data across a wide variety of devices.

Murray said users can use Gmail at work, in the car or anywhere on any device. He added that the actions users take will automatically sync with Gmail on the Web and anything users do on the Web will be seen on their phones or their e-mail clients.

To use the new service, users should click on the "Forwarding and POP/IMAP" tab in their Gmail Settings and turn it on.

Rain doesn't stop Leopard from roaring in NYC

Even pouring rain and gusty winds didn't stop the Mac faithful from turning out for the release of Apple's Mac OS X "Leopard" at the Apple Store in New York's SoHo neighborhood Friday night.

The sidewalk in front of the store and around the corner was a sea of colored umbrellas as about 200 people lined up to be among the first to purchase Leopard in North America. Those who hadn't prepared for the weather hunched under pieces of cardboard or just got wet, as people bustled past on busy Prince Street and wondered aloud what all the fuss was about.

The New York launch was part of a worldwide rollout of Leopard, which went on sale at 6 p.m. local time around the world Friday, beginning in Australia and New Zealand. Rain also plagued the Leopard launch in Tokyo, which marked the first place the OS went on sale at an official Apple Store, but didn't deter users from lining up ahead of time there, either.

A New York Mac enthusiast named Adam was first in line outside the SoHo store, saying he arrived at 2 p.m. and was joined about a half hour later by other Mac enthusiasts. Strangely enough, Adam, who owns three Mac computers and frequents Apple Stores when the company launches new products, was not there to buy Leopard. He merely wanted the free T-shirt Apple was giving out to people waiting in line to purchase the OS.

"They're difficult to get unless you live in Cupertino and can go to the Apple store," he said, adding that he would purchase Leopard in about six months after Apple had "worked out the kinks."

Unlike Adam, others shivering in line said they were there to be among the first to get their hands on Leopard. Still, it wasn't just the OS that inspired people to wait in the rain. Douglas Packer, also of New York, said that although he was looking forward to using Leopard -- particularly its new Time Machine and Spaces features -- he was also there "for the experience."

"Everyone's more excited about it, and being here with other people waiting makes it more fun than just a piece of software," said Packer, who works in video production.

Time Machine is a new feature in Leopard that allows for automatic back-up of files, while Spaces enables the user to create and manage virtual desktops.

Another user waiting to purchase Leopard who gave props to Time Machine was Evan Herman, also of New York. But he also said he was "probably the only person in line" excited about the Back to My Mac feature of Leopard, which makes it easy for users to set up the ability to remotely log in to a Leopard machine from anywhere.

Herman said this feature will make it easy for him to help troubleshoot problems on his parents' Mac, which he finds himself doing often enough on the phone anyway.

Herman switched from Microsoft Windows to a Mac three years ago when he left a position providing desktop support to PCs. He said he regularly joins the queue for major Apple releases and has stood in line for both the Tiger release of OS X and the iPhone.

Leopard is the first major upgrade Apple has made to its OS in two and a half years. The software will now be installed on all new Apple computers, or costs $129 for an upgrade for those running its predecessor OSes. Apple has said the vast majority of Macs sold over the past four years will be able to run Leopard, as well as some older machines, depending on their configuration.

Wednesday, 24 October 2007

Mozilla rushes to fix regression bugs in Firefox

Mozilla Corp. will rush another version of Firefox to users as early as next week, the company's user interface designer said Tuesday, to fix five bugs it introduced in last Wednesday's security update.

Firefox patched ten vulnerabilities, including three critical flaws, but also shipped with five regression bugs -- problems unintentionally introduced when code was changed to plug other holes.

"Most users won't see any difference or experience any problems," said Mike Beltzner of Mozilla in a posting to the company's development center blog. "We're working fast to understand and fix these problems, and will shortly be issuing an update to address them."

According to notes from a weekly Mozilla meeting on Firefox, the regression reports began accumulating over the weekend. Firefox was posted for download late Wednesday, Oct. 17. Three of the five problems were limited to Windows, but two page rendering issues affected all versions of the browser, including those for Mac OS X and Linux.

The Windows-specific bugs included one that disables Firefox extensions after updating. The problem doesn't affect every copy of on Windows -- one user said it had hit just one of his four PCs -- and can be remedied by deleting a trio of files from the hard drive. Programmers are still working on a fix.

Another bug under the microscope, however, has no workaround. Firefox crashes on startup on some Windows XP and Vista systems, a listing in Mozilla's bug reporting database said, and although developers quickly came up with a test to reproduce the crash, they seemed unsure whether they were on the right track. "This seems to have been fixed on trunk (regarding the test case) between 2007-08-21 and 2007-08-22," said Martijn Wargers.

"Hmm. I wonder whether we're hitting EM restart weirdness here or something," replied another developer, Boris Zbarsky.

Beltzner said Mozilla hoped to put a new Firefox, version, into the pipeline next week.

This isn't the first time that the open-source developer has scrambled to set things right. In March, it released Firefox and to fix several regressions that slipped into the prior versions, which hit the street the month before.

Sunday, 21 October 2007

AT&T sues Vonage for patent infringement

AT&T claims that Vonage is willfully using patented technology allowing VoIP calls to be made with standard telephone equipment

AT&T filed a lawsuit against VoIP provider Vonage on Friday seeking damages for alleged patent infringement.

The lawsuit comes just days after Vonage settled a patent-infringement lawsuit with telecom provider Sprint Nextel.

In a filing with the U.S. District Court for the Western District of Wisconsin, AT&T alleged that Vonage willfully infringed an AT&T patent related to telephone systems that allow people to make VoIP calls using standard telephone devices.

In the legal filing, AT&T said it tried to reach an agreement with Vonage to license the patent, but failed, which forced the lawsuit.

Vonage announced on Oct. 8 that it settled its suit with Sprint Nextel for $80 million. As part of that agreement, Vonage agreed to license VoIP patents from Sprint, including more than 100 patents covering technology for connecting calls from a traditional phone network to an IP network.

Vonage is also in the process of resolving a patent infringement dispute with Verizon. Earlier this year, a court found Vonage infringed on Verizon patents and ordered an injunction that could have prevented Vonage from signing up new customers. Vonage won an injunction staying the order and is appealing the original infringement ruling. Vonage in August said it was close to rolling out workarounds for two of the three patents Verizon claimed.

Vonage is one of the largest independent VoIP providers in the U.S. with nearly 2.5 million customers.

vineri, 19 octombrie 2007

Microsoft: Google gets undue credit for ad conversions

Microsoft is developing 'conversion attribution' technology that it says will track users' viewing trail and give advertisers a more balanced view of the value of their online ads

Google undeservedly has gotten all the credit for many clicks on the online ads it delivers via its search engine, but Microsoft wants to put a stop to that.

So said Brian McAndrews, senior vice president of Microsoft's Advertiser Publisher Solutions Group during a panel discussion at the Web 2.0 Summit in San Francisco Thursday.

Currently, systems for tracking ad conversions and analyzing online marketing campaigns focus on the last ad a user viewed or clicked on, he said. This gives all credit to that last publisher and not to others the user may have been at before and influenced the user to seek more information about the advertiser, McAndrews said.

In particular, this situation has unfairly benefitted Google because many times someone will see a display ad on a site and go to Google, search for the vendor's name, and then click on the vendor's text ad served by Google, he said.

But Microsoft is developing a technology called "conversion attribution" that will track the trail of ads seen by a user, so that advertisers get a more complete understanding of how effective their marketing campaigns are, he said.

Along the way, advertisers will get a more balanced view of the value of their ads across a wider trail of Web sites and via a variety of ad formats, not just the last ad displayed by the last publisher, which is often Google, he said.

"We'll introduce conversion attribution to give [more publishers] credit and it will devalue search [advertising]," McAndrews said.

Search advertising is the largest online ad format, accounting for about 40 percent of total ad spend. Google has built its empire on these pay-per-click ads, which the company matches to the content of queries on its search engine and to the content of third-party Web sites on its ad network.

While search has been the main driver of the blistering growth of online advertising in the past five years, that won't be the case in the coming five years, McAndrews said.

In addition to the "conversion attribution" technology, the shift away from search ads will be fueled by the increased spending in online ads from large companies which prefer display and rich media advertising designed to boost their brands, and for which pay-per-click text ads are less effective, he said.

Google didn't have any representatives participating in the panel. The company didn't immediately respond to a request for comment.

Microsoft didn't immediately respond to a request for clarification on the availability of the "conversion attribution" technology.

McAndrews, who came to Microsoft recently via its $6 billion purchase of aQuantive, of which he was the CEO, shared the stage with other ad executives in a panel titled "Edge: The Advertising Model" moderated by conference chair John Battelle.

miercuri, 17 octombrie 2007

MySpace will use Skype for VOIP in social network

Deal with Skype will enable MySpace members to engage in free voice chats via the new MySpace instant messaging service

MySpace will give its millions of members the ability to engage in free voice chats via the MySpace instant messaging service, thanks to a partnership with VOIP provider Skype.

News Corp.'s MySpace and eBay subsidiary Skype will announce the beta version of the service, called MySpace IM with Skype Wednesday at the Web 2.0 Summit in San Francisco.

MySpace, the world's largest social network, has about 110 million monthly active users, while Skype has about 220 million registered users, the companies said.

MySpaceIM with Skype will mesh MySpace's IM service, which has an installed base of 25 million users, with Skype's Internet voice communications services, the companies said.

MySpaceIM with Skype will be released generally in November, along with the ability to let people also link their MySpace profiles with their Skype accounts.

The voice chat service will let MySpace users call others in the social network as well as Skype users. MySpaceIM with Skype will not require users to download any additional Skype software.

MySpace will launch the voice chat service in 20 countries where it has "localized" communities. Meanwhile, Skype will allow its users to link their accounts to their MySpace profile worldwide except in Japan, China, and Taiwan.

Beyond the free voice chat service, MySpace users will also get the option of buying other premium Skype products, such as SkypeOut for generating calls from Skype to outside lines, as well as SkypeIn for receiving calls from outside lines.

marți, 16 octombrie 2007

Smart security testing on the cheap

A pragmatic open source testing methodology, and an abundance of excellent free tools, help you plug security holes without busting the budget

You don't need to be paranoid to be a chief information security officer, but it helps. Whether certifiably paranoid or, as the Woody Allen joke goes, just keenly observant, the chief security officer must tune into threats that others can't see, quantify risks that others can't fathom, and uncover weaknesses -- in the company's networks, systems, and business processes -- that want to remain hidden. It's a big job that requires a comprehensive plan, strong skills, and a good set of tools.

The time and skills necessary for effective security assessment will never be free, but a terrific plan and excellent tools are readily available at no cost, courtesy of the open source community. I'm a big believer in tapping open source solutions whenever possible, but there is a catch. Open source is free in cost, but not free in time. Be prepared to spend time learning how to use open source tools and techniques properly.

An open source method
The open source testing framework I recommend is called the Open Source Security Testing Methodology Manual (OSSTMM). The brainchild of Pete Herzog and his legion of dedicated security testing professionals, this project is well supported by the open source community, and it continues to impress me with its documentation and approach. Providing specific testing objectives and procedures, the OSSTMM is the cookbook for using your tools, in what order and at what time.

The OSSTMM is not simply a penetration testing approach but a methodological framework. The methodology helps guide the planning of the security audit project and the proper quantification of its results, and provides the rules of engagement for those performing the audit. It relies on best practices and a threats database as well as knowledge of the target organization to provide a broad view of the risks posed to the infrastructure of the enterprise. Most testing frameworks, such as ISO 27001 and 27002 (the latter formerly ISO 17799), OCTAVE, COBIT, and ISM3, take an organizational approach to assessment and evaluation. The OSSTMM takes an operational view of enterprise risk.

The OSSTMM contains six testing modules, covering information security, process security, internetworking, communications systems, wireless networks, and physical security. Together, they offer testing methodology and guides to measuring risk to intellectual property, private information, and paper documents; to social engineering attacks; to routers, switches, and firewalls; to PBXs, voicemail, and faxes; to WLAN sniffing and surveillance; and to environmental dangers to buildings and the locks on the doors.

The OSSTMM manual provides a wide range of template documents for conducting the tests in each of the six modules. This set of templates removes the need for the supporting software that other testing frameworks such as ISO 27001 or COBIT often rely on. However, you may need training from ISECOM (OSSTMM's parent organization) in the best use of the templates and modules.

In this author's estimation the true worth of this approach lies in the new "risk assessment values" (RAV) spreadsheet provided by the community. The spreadsheet is divided into the six operational areas and breaks down risk in each of these areas into a numerical value. All of these risk values are aggregated to provide an overall risk profile for the organization. Thus the OSSTMM provides an easy-to-use, consistent process that leads you toward meaningful results that can be compared over time. I am always comfortable approaching management with the numbers produced from my OSSTMM tests and the RAV spreadsheet. Though based in Spain, the ISECOM organization provides global training courses and certifications. Just as the ISO 27001 and COBIT processes allow for test report validation, your OSSTMM reports may also receive certification.

A complete security testing toolbox
We've discussed the framework for conducting your penetration testing; now we move on to the basic toolbox for your testing. The tools below cover the information security, network, and wireless modules of the OSSTMM. You'll need tools for testing servers and workstations, switches and routers, network protocols, wireless access points, applications, Web servers, and passwords, to name but a few. Because simple scanning does not meet the OSSTMM's requirement for thoroughness, you'll need exploit tools to verify potential vulnerabilities as well. My list of preferred tools is loosely based on the Top 100 Network Security Tools list. Compiled through a global poll of professional security testers, that list is reviewed and updated every two years, and I've come to rely on it as the basis for my personal toolbox.

Although each tool in this set is important, it is ranked according to the list. The list shows whether the tool is *nix- or Windows-based and whether it is open source or commercial software. When possible I like to use Windows tools. Don't get me wrong, I love Linux and use it all the time. I'm just lazy. If I don't have to switch between operating systems to conduct my testing, I'm happier. My management has an easier time understanding my reports if I can speak using an operating system they are familiar with.

Google and Google Hacking Database
Google is a great tool for finding all kinds of information on the Web -- including information that shouldn't be there. In the context of the information security portion of the OSSTMM process, Google is used for both the competitive intelligence and privacy scans of your assets. Johnny Long made this method famous with his Google Hacking Database (GHD).

Using Google to find vulnerable machines attached to our network is always an eye-opening experience. Imagine finding a printer attached directly through your firewall to the Internet. Well, this happens far more often than you might believe. Johnny Long's Web site is the easiest place to learn how this process is done. Simply redirect the queries in the GHD to your IP address range. Then massage the queries to match your particular routers, switches, printers, and Web servers. Granted, this is tedious work in the beginning but will save you many hours of penetration testing time in the long-term.

The same techniques are used to find privacy data of your employees that may have leaked to the Internet from your network. This process is well refined for any network infrastructure and systems that face the Internet. Where it becomes really interesting is in finding your corporate intellectual property on the Internet... but that is a story for another day. This is the first tool my team uses as it offers high risk results first. A vulnerability that faces the Internet and is known by Google is one that requires immediate attention.

Nessus security scanner
The open source Nessus Project was begun in 1998 by Renaud Deraison to compete with the available commercial vulnerability scanners. Nessus is no longer open source, but remains available in a free version that rivals the best commercial alternatives. As a result, Nessus is found in the toolbox of both well-funded and cash-strapped security organizations. The difference between the free product and the licensed commercial version of Nessus is how often vulnerability signatures are updated. If you want up-to-the-minute vulnerability updates, then opt for the commercial license. If you don't mind waiting seven days for those same updates, then the free product will serve you well.

Nessus has both a *nix version and a new Windows version (see screen image). The Nessus system consists of a Nessus server, a client, Nessus plug-ins and the knowledge base. The Windows version provides all these items in a single package though using it in this fashion is not required.

Nessus tests all aspects of a target, including the operating system, ports, services, and applications, to name but a few. Thus the reports may be lengthy but are comprehensive. You'll need to validate the findings, as Nessus, like other network scanners, is prone to false positives.
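Validating a scan report starts with knowing what is in it and deciding which claims to verify first. The following is an added example written for this page, not code from the article or from Nessus: it parses a scanner report, counts findings per host and severity, and builds a verification queue of the serious findings grouped by plugin. The report embedded below is constructed; its element and attribute names (NessusClientData_v2, ReportHost, ReportItem, severity, pluginID) follow the .nessus v2 XML export of later Nessus releases, which is an assumption here since the Nessus 3 of the article's day predates that format.

```python
"""Triage a Nessus XML report: group findings by host and severity and
queue the serious ones for manual verification.

Added example for this page, not code from the article or from Nessus.
The report below is constructed; its element and attribute names follow
the .nessus v2 XML export (an assumption: the article's Nessus 3 predates
that format)."""
import xml.etree.ElementTree as ET
from collections import defaultdict

SAMPLE_NESSUS = """<?xml version="1.0" ?>
<NessusClientData_v2>
 <Report name="lab-scan">
  <ReportHost name="192.0.2.10">
   <ReportItem port="445" svc_name="cifs" protocol="tcp" severity="4"
               pluginID="10001" pluginName="SMB remote code execution (constructed)">
    <plugin_output>constructed plugin output</plugin_output>
   </ReportItem>
   <ReportItem port="80" svc_name="www" protocol="tcp" severity="2"
               pluginID="10002" pluginName="Web server directory listing (constructed)"/>
   <ReportItem port="0" svc_name="general" protocol="tcp" severity="0"
               pluginID="19506" pluginName="Nessus Scan Information"/>
  </ReportHost>
  <ReportHost name="192.0.2.11">
   <ReportItem port="22" svc_name="ssh" protocol="tcp" severity="1"
               pluginID="10003" pluginName="SSH weak algorithms (constructed)"/>
   <ReportItem port="445" svc_name="cifs" protocol="tcp" severity="4"
               pluginID="10001" pluginName="SMB remote code execution (constructed)"/>
  </ReportHost>
 </Report>
</NessusClientData_v2>
"""

# Severity 0-3 in the scanner of the article's day; 4 appears in later reports.
SEVERITY_NAMES = {0: "info", 1: "low", 2: "medium", 3: "high", 4: "critical"}


def parse_findings(xml_text):
    """Flatten the report into (host, port, protocol, severity, plugin_id, name)."""
    root = ET.fromstring(xml_text)
    findings = []
    for host in root.iter("ReportHost"):
        for item in host.findall("ReportItem"):
            findings.append((host.get("name"), int(item.get("port")), item.get("protocol"),
                             int(item.get("severity")), item.get("pluginID"),
                             item.get("pluginName")))
    return findings


def summarize(findings):
    """Per-host counts by severity name, dropping informational plugins."""
    counts = defaultdict(lambda: defaultdict(int))
    for host, _port, _proto, sev, _pid, _name in findings:
        if sev > 0:
            counts[host][SEVERITY_NAMES.get(sev, "unknown")] += 1
    return {host: dict(c) for host, c in counts.items()}


def verification_queue(findings, min_severity=3):
    """One entry per plugin at or above min_severity, listing every host:port
    it fired on, most severe first. These are the claims to confirm by hand
    (or with an exploit framework) before they go in the report."""
    by_plugin = {}
    for host, port, proto, sev, pid, name in findings:
        if sev < min_severity:
            continue
        entry = by_plugin.setdefault(pid, {"plugin": name, "severity": sev, "targets": []})
        entry["targets"].append("%s:%d/%s" % (host, port, proto))
    return sorted(by_plugin.values(), key=lambda e: -e["severity"])


if __name__ == "__main__":
    found = parse_findings(SAMPLE_NESSUS)
    print(summarize(found))
    for entry in verification_queue(found):
        print(entry["severity"], entry["plugin"], entry["targets"])
```

Grouping by plugin rather than by host is deliberate: one false positive from a plugin is usually a false positive everywhere it fired, so confirming the plugin once against one host settles the whole row.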

Wireshark packet analyzer
Formerly known as Ethereal, Wireshark is an exceptionally powerful protocol analyzer. It runs on a wide range of operating systems and allows for live capture of network traffic and analysis of traffic captured from external sources. It offers a wide range of default protocol decoders and can parse out traffic threads with ease. The screen is broken into four main sections: the menu bar, the packet list (color coded area, see screen image), packet details (protocols and protocol fields), and lastly the packet bytes showing the raw data stream in both hexadecimal and ASCII formats.

Wireshark's graphical analysis tools provide a clear picture when troubleshooting problems or looking for weaknesses during a penetration test. This example shows the handshake (communication initiation) process between various hosts on the network.

TCPDump network debugger
TCPDump and its Windows-based brother WinDump are the original packet capture utilities. They are identical in capability and are both actively supported. Both capture packets from a live interface or read them back from a file, and both are command line driven; neither crafts or injects packets, so a test that calls for sending traffic needs a separate tool. The information provided is similar to that of Wireshark, and in fact the two may be used interchangeably (TCPDump data in Wireshark or the other way around), since both read and write the same pcap capture format.

TCPDump comes as part of the default installation of most *nix operating systems. WinDump requires the WinPcap packet capture library for Windows. The pcap library now allows for wireless capture as well. This is an old warhorse tool that continues to grow and change with the needs of the testing community.
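The interchangeability above comes down to one file format: the libpcap capture that TCPDump, WinDump and Wireshark all read and write. The following is an added example written for this page (not code from any of those tools) that builds a small capture in memory, walks its records, and follows TCP three-way handshakes the way the Wireshark screenshot described earlier would show them, classifying each attempt as completed, refused (SYN answered by RST) or half-open (SYN never answered). Every packet in it is constructed; IP and TCP checksums are left at zero because this parser never checks them, which Wireshark would flag on a real capture.

```python
"""Read a libpcap capture and classify TCP connection attempts.
Added example for this page, not code from tcpdump, WinDump or Wireshark.
The capture is constructed in memory; checksums are left at zero."""
import struct

PCAP_MAGIC_LE = 0xA1B2C3D4
SYN, RST, ACK = 0x02, 0x04, 0x10


def build_tcp_frame(src, dst, sport, dport, flags, seq=0, ack=0):
    """Ethernet + IPv4 + TCP header with no payload (54 bytes). Constructed data."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00"
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0x1234, 0x4000, 64, 6, 0,
                     bytes(int(o) for o in src.split(".")),
                     bytes(int(o) for o in dst.split(".")))
    return eth + ip + tcp


def build_pcap(frames, ts_sec=1192500000):
    """libpcap file: 24-byte global header, then a 16-byte record header per frame."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC_LE, 2, 4, 0, 0, 65535, 1)  # linktype 1 = Ethernet
    for n, frame in enumerate(frames):
        out += struct.pack("<IIII", ts_sec, n * 1000, len(frame), len(frame)) + frame
    return out


def iter_packets(pcap):
    """Yield (timestamp, frame_bytes) per record, honouring the file's byte order."""
    magic = struct.unpack("<I", pcap[:4])[0]
    if magic == PCAP_MAGIC_LE:
        order = "<"
    elif magic == 0xD4C3B2A1:
        order = ">"
    else:
        raise ValueError("not a libpcap file (pcapng and other formats not handled)")
    if struct.unpack(order + "I", pcap[20:24])[0] != 1:
        raise ValueError("only Ethernet link type handled")
    off = 24
    while off + 16 <= len(pcap):
        ts_sec, ts_usec, incl_len, _orig_len = struct.unpack(order + "IIII", pcap[off:off + 16])
        off += 16
        yield ts_sec + ts_usec / 1e6, pcap[off:off + incl_len]
        off += incl_len


def parse_tcp(frame):
    """(src, dst, sport, dport, flags) for an Ethernet/IPv4/TCP frame, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
        return None
    ihl = (frame[14] & 0x0F) * 4
    tcp = frame[14 + ihl:]
    if len(tcp) < 20:
        return None
    src = ".".join(str(b) for b in frame[26:30])
    dst = ".".join(str(b) for b in frame[30:34])
    sport, dport = struct.unpack("!HH", tcp[:4])
    return src, dst, sport, dport, tcp[13]


def classify_connections(pcap):
    """Follow SYN -> SYN/ACK -> ACK per (client, cport, server, sport).
    completed = full handshake; refused = SYN answered by RST (closed port);
    half_open = SYN never answered (filtered, dropped, or a scan)."""
    state = {}
    for _ts, frame in iter_packets(pcap):
        p = parse_tcp(frame)
        if p is None:
            continue
        src, dst, sport, dport, flags = p
        if flags & SYN and not flags & ACK:
            state.setdefault((src, sport, dst, dport), "syn")   # retransmits don't reset
        elif flags & SYN and flags & ACK:
            key = (dst, dport, src, sport)                      # reply: swap the ends
            if state.get(key) == "syn":
                state[key] = "synack"
        elif flags & RST:
            key = (dst, dport, src, sport)
            if state.get(key) == "syn":
                state[key] = "refused"
        elif flags & ACK:
            key = (src, sport, dst, dport)
            if state.get(key) == "synack":
                state[key] = "completed"
    names = {"completed": "completed", "refused": "refused", "syn": "half_open"}
    result = {"completed": [], "refused": [], "half_open": []}
    for key, st in state.items():
        if st in names:
            result[names[st]].append(key)
    return result


# Constructed capture: one full handshake to port 80, one refused connection
# to port 23, and one SYN to port 443 that never gets an answer.
C, S = "192.0.2.5", "192.0.2.10"
SAMPLE_PCAP = build_pcap([
    build_tcp_frame(C, S, 40000, 80, SYN, seq=1000),
    build_tcp_frame(S, C, 80, 40000, SYN | ACK, seq=5000, ack=1001),
    build_tcp_frame(C, S, 40000, 80, ACK, seq=1001, ack=5001),
    build_tcp_frame(C, S, 40001, 23, SYN, seq=2000),
    build_tcp_frame(S, C, 23, 40001, RST | ACK, ack=2001),
    build_tcp_frame(C, S, 40002, 443, SYN, seq=3000),
])

if __name__ == "__main__":
    for kind, conns in classify_connections(SAMPLE_PCAP).items():
        print(kind, conns)
```

Writing SAMPLE_PCAP to a file and opening it in Wireshark or TCPDump is a quick way to confirm the parser and the tools agree on the same bytes. A pile of half-open entries from one source is what a SYN scan looks like in a capture; a pile of refused entries to one host is the same scan seen from the closed-port side.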

Netcat network explorer
Netcat is known as the network Swiss army knife of testing tools. It is a command line tool that reads and writes data across TCP and UDP connections. It creates nearly any connection needed, including accepting incoming connections, which makes it invaluable for exploring a network or server during penetration testing. It is a perfect tool for setting up back doors and may be called from other programs, so your use of the tool may be automated or scripted. A wide range of Netcat derivatives now exist for specialized applications such as SSL or portable thumb-drive-based use.

Kismet wireless sniffer
Kismet is a powerful 802.11 (layer 2) wireless detection program. Unlike other wireless sniffers, Kismet works with any wireless card that supports rfmon (raw monitoring) mode, which offers flexibility over other solutions. Kismet is capable of detecting both beaconing and non-beaconing (hidden-SSID) networks, the latter by passively watching client traffic rather than beacons. The interface is neat and clean and allows for easy drill down for advanced information on a particular network. Its most interesting feature may be the ability to use Kismet with a GPS system to create maps of wireless networks.

Aircrack WLAN cracker
Aircrack is a key-recovery suite for both WEP and WPA networks. It needs a large enough database of packets from the target network before key recovery can begin. The four modules of this suite include airodump, a wireless packet capture utility; aireplay, which performs packet injection for security testing and to speed up collection of the traffic aircrack needs; aircrack, which recovers WEP keys statistically from captured IVs and WPA-PSK passphrases by dictionary attack against a captured handshake; and airdecap, which decrypts WEP and WPA packet captures once the keys are recovered.

Two new tools have been added to the suite recently that allow for encrypted packet creation and virtual tunnels. Aircrack may also be run from a virtual machine.

Aircrack supports a wide range of wireless cards, though a new driver or patch may be required for your card. The interface is a combination of Windows GUI and command line interfaces, though they are easy to navigate. This is another tool that requires some time to master, but given the reliance on wireless networks in today's enterprise, it may prove invaluable to your team.
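The reason Aircrack needs a large capture before it can start is WEP's 24-bit initialization vector: once an IV repeats under the same key, RC4 produces the same keystream twice, and every frame starts with a predictable LLC/SNAP header that hands an attacker known plaintext. What follows is an added illustration written for this page, not Aircrack's own code. It implements RC4 and the WEP encapsulation, recovers keystream from the known header, shows that two frames sharing an IV expose each other outright, and counts how quickly a card choosing random IVs repeats one (by the birthday bound, after roughly 5,000 frames). The key, IVs and payloads are constructed. Only the keystream-reuse weakness is shown; the statistical attacks Aircrack actually runs need tens of thousands of IVs and are a separate topic.

```python
"""WEP keystream reuse: why a 24-bit IV means Aircrack wants a big capture.
Added illustration for this page, not Aircrack's code. Key, IVs and frames
below are constructed."""
import random
import struct
import zlib


def rc4(key, length):
    """RC4 key scheduling followed by `length` keystream bytes."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def _icv(plaintext):
    return struct.pack("<I", zlib.crc32(plaintext) & 0xFFFFFFFF)


def wep_encrypt(wep_key, iv, plaintext):
    """WEP encapsulation: per-packet RC4 key is IV || shared key; payload plus
    CRC-32 ICV is XORed with the keystream. Returns the on-air frame body:
    IV (3 bytes), key-id byte, ciphertext."""
    assert len(iv) == 3 and len(wep_key) in (5, 13)
    data = plaintext + _icv(plaintext)
    keystream = rc4(iv + wep_key, len(data))
    return iv + b"\x00" + bytes(a ^ b for a, b in zip(data, keystream))


def wep_decrypt(wep_key, body):
    """Inverse of wep_encrypt; returns (plaintext, icv_ok)."""
    iv, ciphertext = body[:3], body[4:]
    data = bytes(a ^ b for a, b in zip(ciphertext, rc4(iv + wep_key, len(ciphertext))))
    plaintext, icv = data[:-4], data[-4:]
    return plaintext, icv == _icv(plaintext)


# Every IP frame starts with the same LLC/SNAP header: free known plaintext.
LLC_SNAP_IP = bytes.fromhex("aaaa030000000800")


def keystream_from_known_prefix(body, known=LLC_SNAP_IP):
    """Recover the first len(known) keystream bytes for this frame's IV."""
    return body[:3], bytes(c ^ p for c, p in zip(body[4:], known))


def reuse_attack(body_known, plaintext_known, body_target):
    """Two frames with the same IV share a keystream, so c1 ^ c2 = p1 ^ p2 and a
    fully known frame (one the tester injected, say) exposes the other outright."""
    if body_known[:3] != body_target[:3]:
        raise ValueError("different IVs: keystreams differ, attack does not apply")
    if len(body_known) != len(body_target):
        raise ValueError("frames differ in length; trim both to the shorter one")
    p1 = plaintext_known + _icv(plaintext_known)
    data2 = bytes(c1 ^ c2 ^ a for c1, c2, a in zip(body_known[4:], body_target[4:], p1))
    return data2[:-4]  # drop the target's ICV


def first_iv_collision(ivs):
    """Index of the first repeated IV in a sequence, or None."""
    seen = set()
    for n, iv in enumerate(ivs):
        if iv in seen:
            return n
        seen.add(iv)
    return None


def random_ivs(count, seed=1):
    """Simulate a card that picks IVs at random (seeded so runs repeat)."""
    rng = random.Random(seed)
    return [rng.getrandbits(24).to_bytes(3, "big") for _ in range(count)]


# Constructed demo data: same key, same IV, two different frames of equal length.
WEP_KEY = bytes.fromhex("0102030405")   # 40-bit key, constructed
IV = b"\x00\x00\x01"
P1 = LLC_SNAP_IP + b"constructed packet one, fully known"
P2 = LLC_SNAP_IP + b"constructed packet two, target data"
F1 = wep_encrypt(WEP_KEY, IV, P1)
F2 = wep_encrypt(WEP_KEY, IV, P2)

if __name__ == "__main__":
    print("target recovered:", reuse_attack(F1, P1, F2))
    print("first IV repeat at frame", first_iv_collision(random_ivs(50000)))
```

Sequential IV counters fare no better: they cycle after 2^24 frames, and a card that resets its counter on every reboot starts handing out the same IVs again. Either way, a busy access point produces the frames an attacker needs in minutes, which is the observation airodump and aireplay are built around.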

Cain and Abel password cracker
Cain and Abel is the top ranked Windows-specific password cracking tool for security testers. This tool is well documented and supported by the community. It has a clean interface and provides for the cracking of a wide range of password types including Cisco, VNC, remote desktops, and many more. It can do its cracking on the local machine or sniff passwords off the network via specific capture filters. Cain and Abel supports standard dictionary and brute force attacks as well as cryptanalysis attacks. It continues to evolve with the addition of VOIP and wireless password crackers. This tool has proved invaluable to my team for everything from a forgotten workstation password to forensic analysis.
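One of the Cisco credential types Cain recovers, the IOS "type 7" password, is worth seeing in code because it shows how little some "encrypted" passwords protect. The following is an added example written for this page, not Cain's code: type 7 is a fixed-table XOR obfuscation, so anyone who obtains a configuration (from a backup share, a TFTP server, or a router's running-config) can reverse every such password in it. The translation table is the widely published one baked into IOS; the configuration below is constructed.

```python
"""Cisco IOS type 7 password recovery. Added example for this page, not
Cain's code. Type 7 is reversible obfuscation, not a hash; the sample
config below is constructed."""
import re

# Translation table baked into IOS (widely published). The first two digits
# of a type 7 string are the starting offset into it.
XLAT = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv"


def cisco7_decode(encoded):
    """'0822455D0A16' -> 'cisco'. Raises ValueError on malformed input."""
    if len(encoded) < 4 or len(encoded) % 2 or not encoded[:2].isdigit():
        raise ValueError("not a type 7 string: %r" % encoded)
    seed = int(encoded[:2])
    if seed >= len(XLAT):
        raise ValueError("seed out of range")
    data = bytes.fromhex(encoded[2:])
    return bytes(b ^ XLAT[(seed + i) % len(XLAT)] for i, b in enumerate(data)).decode("latin-1")


def cisco7_encode(plaintext, seed=8):
    """Inverse of cisco7_decode, to show how little work the 'encryption' does."""
    if not 0 <= seed < len(XLAT):
        raise ValueError("seed out of range")
    body = plaintext.encode("latin-1")
    return "%02d" % seed + "".join("%02X" % (c ^ XLAT[(seed + i) % len(XLAT)])
                                   for i, c in enumerate(body))


# Lines that carry a type 7 string in an IOS config; 'secret 5' (MD5-based)
# deliberately does not match, since it cannot be reversed this way.
TYPE7_LINE = re.compile(r"\b(password|key-string|md5)\s+7\s+([0-9A-Fa-f]{4,})\b")


def recover_type7_from_config(config_text):
    """(line number, config line, recovered plaintext) for every type 7 string."""
    hits = []
    for lineno, line in enumerate(config_text.splitlines(), 1):
        m = TYPE7_LINE.search(line)
        if m:
            hits.append((lineno, line.strip(), cisco7_decode(m.group(2))))
    return hits


SAMPLE_CONFIG = """\
hostname edge-rtr
!
enable secret 5 $1$abcd$notreversiblebythismethod
username admin password 7 0822455D0A16
!
ntp authentication-key 1 md5 7 0336541E120A331D
!
line vty 0 4
 password 7 0336541E120A331D
 login
"""

if __name__ == "__main__":
    for lineno, line, plain in recover_type7_from_config(SAMPLE_CONFIG):
        print("%3d  %-45s -> %s" % (lineno, line, plain))
```

The practical point for the report: "service password-encryption" protects against someone reading over an administrator's shoulder and nothing more, so any type 7 string found in a config should be treated as a cleartext credential, and privilege passwords belong in "enable secret" rather than "enable password".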

Wikto Web server scanner
Wikto is similar to the better-known Nikto Web server assessment tool. Both are well supported by the open source community with Wikto adding some extra functionality. For example, Wikto always starts with a Web scanning wizard (see screen image).

Wikto also makes full use of the Google Hacking Database. The Wikto spider crawls the target Web site and maps its directory structure, while the vulnerability scanner reviews possible security weaknesses. For vulnerability assessment, Wikto uses the Nikto vulnerability database. The one minor weakness is the use of the CSV format for exporting reports. CSV was never known as an easy way to view report data, though it gets the job done.

Metasploit exploit framework
Released in 2004, Metasploit is another must-have in your toolbox. Essentially a framework for building security tools and the exploits to launch with those tools, Metasploit is the easiest way to verify that a vulnerability identified by Nessus or Wikto is truly a security hole. Metasploit contains a module launcher to customize both the exploit and payload intended for a particular target. If the penetration is successful the tester is provided a shell to interact with the payload on the target system. There are around 350 different modules to choose from covering a wide range of hosts and operating systems. If the Metasploit repository doesn't already have a canned exploit for the vulnerability in question, you can create one.

The true power of the framework is the ease of creation of new modules. Modules may be exploits, payloads, encoders, and NOP generators. You can define an entirely new module or create variations of preexisting modules. Documentation and forum support is broad, detailed, and comprehensive. Be prepared to spend some time learning the framework, but it will be time well spent.

A plan of action
Penetration testing is an invaluable process in assessing business risk via IT infrastructure. To make the process cohesive and efficient, however, you must put it in an organized system. I highly recommend using the OSSTMM framework to organize your testing and help you interpret the results. The OSSTMM covers several operational areas and provides templates and valuation of risk for each one.

Once the testing framework is in place you will need a wide range of tools for your toolbox. Vulnerability scanners, protocol analyzers, and wireless tools are but a few of the areas to consider. I have learned to trust that list to provide most of the tools in my toolbox. Lastly, don't forget about researching the target before the test. Using search engines, you can develop important insight into a target with fairly little effort. The information gained here may save you countless hours testing operating systems and applications that don't exist in the target area.

luni, 15 octombrie 2007

10 IT security companies to watch

New companies have to be brash to enter the network security market, given that the industry has witnessed an explosion in creativity over the past five years and considering that big players such as Microsoft and IBM increasingly are throwing their weight around in security. Nonetheless, anyone who takes the time to listen to what IT managers say they would like to see from the security industry can't walk away without the impression that there is plenty of room for the new.

For example, Ryan Bagnulo, vice president and head of software architecture and innovation at Wachovia, says he'd like to see more industry action on automating security-policy administration based on the Organization for the Advancement of Structured Information Standards' eXtensible Access Control Markup Language.

Sometimes entire groups of users stand up and declare they need something new. The Jericho Forum wants to see a new generation of products and services designed for the world of e-commerce, where traditional firewall-edge boundaries are vanishing.

User demand will have the final say about whether security startups pan out as the successes their founders envision -- or end up as brief footnotes in the epic of networking. Here are our selections for 10 security newcomers worth watching:


2Factor
Founded: 2006
Headquarters: Maumee, Ohio
Funding: $1.6 million in first-round financing
CEO: David Burns

What the company offers: Real Privacy Management (RPM) software that offers continuous, two-factor user authentication and data encryption based on a patented, real-time algorithm that limits the opportunity for intrasession hack attacks and threats.

Why it's worth watching: Authenticating users has become a security best practice, but once is not enough. Methods such as public-key infrastructure (PKI) authenticate the user at first logon but leave the session open to hacker attacks thereafter. By performing continuous mutual authentication and encryption during every transmission between client and server, 2Factor reduces the potential for data theft and fraud by closing the window of opportunity for hackers.

How the company got its start: After working in cryptography for many years, founder and chief scientist Paul McGough saw the need for a simpler, more nimble and more effective alternative to PKI and other security technologies. The company claims RPM is based on provable mathematics, is as much as 100 times faster than PKI, and can be deployed quickly and easily in any type of software, chip or device.

Where the company got its name: A reference to two-factor security, where the first factor is "what you know" (typically a user name and password) and the second factor is "what you have" (typically some type of card or token).

Customers: The company says it's in discussions with several major financial institutions, plus mobile phone operators, digital media companies, government agencies and large healthcare institutions -- but won't name names.

NetWitness
Founded: 2006
Headquarters: Herndon, Va.
Funding: $7.5 million from undisclosed angel investors
CEO: Amit Yoran

What the company offers: NextGen, a security product that monitors and analyzes inbound and outbound traffic and stores and analyzes it based on users, applications and content.

Why it's worth watching: Business and government agencies are under pressure to boost network security and comply with numerous regulatory requirements to show they're meeting security policies. Thus, there's growing demand for tools to do this.

How the company got its start: Amit Yoran, former director of the National Cyber Security Division at the U.S. Department of Homeland Security and also founder of security-services firm Riptech, was familiar with the version of NetWitness developed by CTX for national-intelligence agencies. Yoran last year led the buyout of ManTech's product assets, acquired when that company bought CTX.

Where the company got its name: It "witnesses" network traffic.

Customers: Washington, D.C.-area law-enforcement and intelligence agencies for which NextGen was developed originally. The latest commercial version, developed for broader use, was released in September.

Palo Alto Networks
Founded: 2005
Headquarters: Alviso, Calif.
Funding: $28 million from Globespan Capital Partners, Greylock Partners and Sequoia Capital
CEO: Dave Stevens

What the company offers: The PA-4000 Series network devices, introduced in June, which use a so-called App-ID application-classification technology to inspect about 450 applications traversing the PA-4000 hardware and apply security rules to these applications.

Why it's worth watching: Enterprises are frustrated with their traditional perimeter firewalls, because firewall ports increasingly are opened up to allow business traffic, particularly over port 80. The PA-4000 line is offered as a transitional technology that works behind traditional, port-based firewalls to monitor applications and apply security rules to them.

How the company got its start: CTO Nir Zuk worked on some of the earliest firewalls at Check Point Software and later founded OneSecure, which was acquired by NetScreen Technologies, later acquired by Juniper Networks. Over time, Zuk observed that the relationship between ports and applications was diminishing, and he devised a method to look at the content itself through a new type of firewall he had invented.

Where the company got its name: Zuk, who selected it, reportedly lives in Palo Alto, Calif.

Customers: Constellation Energy and Mercy Hospital in Baltimore, and the city of Seattle.

Provilla
Founded: February 2005
Headquarters: Mountain View, Calif.
Funding: $10 million in private funding; investors include Hitachi Systems
CEO: Antonio Espinosa

What the company offers: The LeakProof data-leak prevention product, released in January 2007.

Why it's worth watching: LeakProof isn't the first product to prevent the unauthorized transmission of sensitive content. However, Provilla's founders, who hail from Chinese universities but are developing the product in the United States, think they've come up with a better mousetrap: their DataDNA fingerprinting technology that scans file servers to create a signature for each document. Cosmopolitan in its outlook, Provilla's software supports the Japanese, Chinese and French languages in addition to English, as the founders look to building an international customer base.

How the company got its start: Co-founder Fei Huang was principal engineer at Sygate (later acquired by Symantec), which designed one of the earliest host-based network-access-control products. Huang teamed with Liwei Ren, a mathematician specializing in algorithms and pattern-matching, to come up with a desktop agent to detect unauthorized use of sensitive data.

Where the company got its name: "Pro" stands for protecting, and "villa" is Latin for village, so the name indicates that the company's technology protects a community of people.

Customers: Orchard Supply Hardware, Richard Fleishman & Associates, Sony-Ericsson Chinese joint venture. Distribution agreement with BigFix and Reconnex.

Robot Genius
Founded: 2005
Headquarters: Oakland, Calif.
Funding: $2 million from Kingdon Capital and Venio Capital Partners
CEO: Stephen Hsu

What the company offers: Syberus behavior-based malware-detection client software, an antimalware browser plug-in and the RGcrawler Web-crawling technology that looks for malware executables on the Internet.

Why it's worth watching: Although signature-based antivirus technology has a venerable history defending against known threats, the security industry is looking at other methods, such as behavior-based defenses that identify and block threats based on behavior. Robot Genius has come up with its own approach to malware detection to determine unsafe executables, and it could get picked up by the larger industry under a licensing plan.

How the company got its start: Hsu and CTO James Hormuzdiar teamed on start-up SafeWeb, sold it to Symantec for $26 million in 2003, and decided to continue working together to found another company to develop a new way to protect against malware.

Where the company got its name: Implies the technology's ability to replicate automatically the downloading and testing of executables off the Internet.

Customers: Not disclosed.

SailPoint
Founded: 2005
Headquarters: Austin
Funding: $14 million from venture capital firms including Austin Ventures, Lightspeed Venture Partners, Origin Partners and Silverton Partners
CEO: Mark McClain

What the company offers: Compliance IQ, identity risk-management software to help enterprises reduce business risk and become compliant by better understanding identity data. The software provides business context to the information generated by IT systems that report on which users have access to what data, offering sophisticated reporting and analytics for decision support.

Why it's worth watching: The company's product attempts to make sense of the reams of identity data generated by IT systems and applications; it's one thing to know what users are doing, it's another to combine that information with data about what they are allowed to do. Companies that combine the two stand a better chance of identifying fraud, theft and misuse. IDC estimated in 2006 the market for identity and access-management compliance will grow by 25 percent per year until it reaches $2 billion in 2010.

How the company got its start: McClain and SailPoint co-founder Kevin Cunningham stayed on at Waveset when Sun acquired it in late 2003, but not for long. In 2005, with $5 million in funding behind them, the pair left Sun and began developing the technology behind Compliance IQ, which launched at Network World's DEMO 07 conference last January.

Where the company got its name: "Sailpoint" or "point of sail" is a term used to describe a sailboat's course in relation to the wind. To reach a destination, sailpoints must be adjusted continuously to harness the wind as efficiently as possible and to maintain safe control of the boat -- the company believes the same is true of enterprise IT governance.

Customers: Financial services and manufacturing firms, which the company declined to identify.

Sentrigo
Founded: 2006
Headquarters: Kfar Saba, Israel; U.S. office in Woburn, Mass.
Funding: $3.5 million from Benchmark Capital
CEO: Nathan Shuchami

What the company offers: Database security monitoring tool, Hedgehog, released in June for the Oracle database.

Why it's worth watching: The Hedgehog software can be used in monitoring or blocking mode to warn security administrators about attempted SQL injection or buffer-overflow attacks. Because Hedgehog also looks at larger database actions, it also watches what insiders are doing, based on set policies.

How the company got its start: CTO Slavik Markovich, an expert in database architecture, sensed an opportunity on the security front and headed up basic product design and development. Sentrigo just added Guy Rinat as vice president of R&D, an activity formerly managed by Markovich, who will devote more time to new-product development and customer interaction.

Where the company got its name: They focused on the word "sentry" and came up with Sentrigo.

Customers: N.E.W. Customer Service Companies

Founded: 2004
Headquarters: Salt Lake City
Funding: $20 million in venture capital from Foundation Capital, Origin Partners, and UV Partners.
CEO: Trell Rohovit

What the company offers: Systems management for encryption at the client and server levels. Client Encryption Manager and Server Encryption Manager automate many of the manual tasks associated with administering encryption technology -- including keys and certificates -- such as making sure that installed software with optional encryption settings has them turned on. The company plans to add encryption-management products for storage, backup systems, network devices and infrastructure in the near future.

Why it's worth watching: Venafi focuses on making encryption more accessible for enterprises by lessening its associated administrative headaches. The company says this promotes compliance, data security and risk mitigation.

How the company got its start: Spun out of IMCentric, a custom-engineering company that was automating encryption for a Fortune 500 company. The custom product that was developed turned into Venafi's offering.

Where the company got its name: Comes from the Latin root "vena," meaning vein or root, and "fides," Latin for trust or faith. Venafi says it manages the root of trust.

Customers: The company claims 10 of the world's top financial-services companies are customers, as well as three telecommunications giants.

Founded: 2007
Headquarters: Burlington, Mass.
Funding: $19.5 million from venture capital firms 406 Ventures, Atlas Venture and Polaris Venture Partners
CEO: Former Symantec executive Matt Moynahan

What the company offers: SecurityReview is an automated service that does security testing and remediation of in-house and commercial applications. Enterprises submit the applications they would like reviewed to Veracode, which uses patented binary and Web-scanning technology to find flaws and suggest fixes.

Why it's worth watching: According to Gartner, 70 percent of all enterprise vulnerabilities reside in the software that organizations buy and run. Veracode's team of application-security experts is trained to spot such weaknesses, and can do so because the company's service examines binary code instead of source code, avoiding trade-secret concerns. By reviewing an application's binary code the service can analyze not just the program but also third-party libraries it may call, as well as its interactions with other software.

How the company got its start: Its founders' ambition was to reduce the number of software vulnerabilities in the world. They call their approach the "democratization of security" because usually only companies with very deep pockets have the time and money to spend on checking and remediating software security flaws. The technology behind Veracode's service was first developed by @stake (since acquired by Symantec) in 2002.

Where the company got its name: "Ver," from the Latin for "truth," was added to "code" to describe how the company looks for the "truth" in software.

Customers: Cisco, Digivera, Telus.

Founded: January 2004 (in stealth mode until the service launched in September)
Headquarters: Monterey, Calif.
Funding: More than $3 million from high-net-worth individuals, no venture capital
CEO: Neal Smith

What the company offers: Virtual Private Community (VPC), a private communications service that forms virtual business communities whose members can send and receive encrypted e-mail, documents and other exchanges safely. The service sets up a private domain name for each user and gives them a related e-mail address reserved for private communications with other WebLOQ users. VPC is available as a hosted service, with a version that companies can run internally slated for release early next year.

Why it's worth watching: Instead of trying to protect communications at the edges of corporate networks, WebLOQ secures the transit channel itself. By having encrypted communications only with other members of a community, users are freed from spam, viruses, phishing, and other Internet e-mail threats. However, such secure communications require that both parties use the service. The company hopes to bring the concept of online community to the business world while ridding e-mail of the many threats plaguing it today.

How the company got its start: Chairman, CTO, and former ISP head George Sidman became intrigued with the idea of securing Internet communications. He formed a team at his ISP to begin working on the problem in 2003 and launched the service in 2007.

Where the company got its name: Sidman was amazed that no one had trademarked "LOQ" (pronounced "lock") as a brand. The company now has trademarked the terms WebLOQ and LOQ, intending to launch a brand around the latter.

Customers: Database vendor Objectivity. Company says some major banks, law firms and police agencies are testing the service.

Friday, 12 October 2007

Student who disclosed security breach to campus paper barely escapes expulsion

A student at Western Oregon University who accidentally discovered a file containing personal data on a publicly accessible university server and then handed that data over to the student newspaper has narrowly escaped being expelled for his actions.

But a contracted adviser to the newspaper has been dismissed for allegedly mishandling the data and for failing to properly advise the students on the university's policies relating to handling of personally identifiable data.

Brian Loving, a student at WOU, stumbled upon a file containing the names, Social Security numbers and grade point averages of between 50 and 100 students on a publicly accessible university server in June. Loving downloaded a copy of what he discovered and handed it over to the Western Oregon Journal, the campus newspaper.

After making a copy of the file, the newspaper's editor and Loving then informed the university about the security breach. Though the paper's final publication date for the academic year had already passed, it decided to publish a four-page special report with an article describing Loving's discovery. No names of any of the students were published in the article.

The episode triggered an internal investigation at WOU. It also prompted campus officials to send IT staffers into the paper's closed newsroom and search newsroom computers for copies of the file that may have been stored in those systems.

Two months into the investigation, Loving -- who is now a staffer with the newspaper -- was found to have broken a university computer use policy that prohibits unauthorized people from accessing confidential files that may have been inadvertently placed in a publicly accessible location. On Sept. 28 he faced a disciplinary hearing over the incident.

Mark Weiss, the university's executive vice president of finance and administration, on Wednesday cited student confidentiality and refused to describe the outcome of the hearing. But he denied that Loving had ever been expelled as a consequence of his actions, as some local media outlets suggested.

Adviser adieu

Weiss also confirmed that Susan Wickstrom, who had been an adviser to students working at the newspaper, is no longer in that position since the university chose not to renew her contract. He did not say if the reason for the non-renewal had anything to do with Loving's security breach incident report.

A source at the university who wished to remain anonymous said that Wickstrom's contract was not renewed because of her failure to advise students against making copies of the exposed file and her failure to advise them about the school's relevant computer use policies.

"This was not a freedom of the press issue at all," Weiss said. The school newspaper should be able to write on any topic it wants to, he said. Similarly, "the issue is not that the student discovered a file that contained confidential information. For that we are grateful," said Weiss, who also expressed gratitude to Loving for discovering a vulnerability the university had not been aware of up to that time.

Rather, the problem had to do with the manner in which the information was handled after it had been discovered, Weiss said.

"Once confidential information is discovered, we don't expect people to be downloading copies of that information and giving it to other people," he said. "He mishandled copies of the file," Weiss said of Loving. "People who know this shouldn't be done should be advising students on what the right thing to do is," he said in an apparent reference to Wickstrom.

Weiss also defended the university's decision to send IT staffers to search for copies of the file on newsroom computers at a time when the newsroom was locked. "The last issue of the student newspaper had already been printed. We asked [newspaper staffers] for the files that were copied to be returned," Weiss said. When the newspaper did not respond, IT staffers went in to retrieve any files that might have been copied and stored on newsroom computers, he said. At the time the IT staff went in, the newspaper offices had been shut down for the summer, he explained.

He also maintained that the university had a right to look for the files on newsroom computers because the systems were owned by the university. "We considered whether or not it was appropriate to enter, look for and take those files that were taken from our systems and we concluded that it was appropriate," Weiss said.

Weird times for whistleblowers

The incident is similar to others in which individuals who discover or publicly disclose data breaches at their places of work end up in trouble themselves. Just last month, a former IT employee, also in Oregon but at Providence Health System, filed a wrongful termination lawsuit against the organization claiming he was fired in Feb. 2006 simply because he reported a data theft to local law enforcement.

Even more recently, a St. Louis-based IT worker for The Boeing Co. claimed he was fired by the company for speaking with a Seattle newspaper about ongoing information security challenges at the company. A report in the Seattle Post-Intelligencer quoted a Boeing spokesman as saying that the company had clear guidelines regarding the release of information outside the company and that every employee was expected to follow those guidelines.

In yet another similar incident, a New Mexico jury awarded $4.3 million in damages to Shawn Carpenter, a former network security analyst at Sandia National Laboratories. Carpenter had filed a wrongful termination lawsuit against Sandia after he was fired from the lab for disclosing details of an internal security breach to the FBI and others.

Oracle makes $6.7B offer for BEA Systems

Oracle Corp. announced today that it has offered to buy middleware vendor BEA Systems Inc. for $6.66 billion, or $17 per share, in cash.

Oracle said it had written to BEA's board of directors on Tuesday to make the offer, which represents a premium of 25% over BEA's closing share price yesterday. The Wall Street Journal valued the offer at $6.66 billion.

BEA was a pioneer in the market for Java application server software used to deploy business applications, competing with products like IBM's WebSphere. It has been rumored to be an acquisition target on numerous occasions but has managed to retain its independence.

"This proposal is the culmination of repeated conversations with BEA's management over the last several years," Oracle President Charles Phillips said in a statement. "We look forward to completing a friendly transaction as soon as possible."

However, BEA executives were not quoted in the statement, and there was no indication early today as to whether the company is open to being acquired.

Oracle said the acquisition would help it to beef up its own middleware suite, an important area for the company that links several families of business applications it has acquired.

The company said it would protect the investments of BEA customers if the deal were to go ahead.

"Our continuing support commitment has been amply demonstrated with all of our previous acquisitions, including PeopleSoft and Siebel. BEA will be no different," Phillips said.