Saturday, March 24, 2007

Gates: With Vista, seeing is believing

NEW YORK--Not sure what Vista means for you? Bill Gates would be happy to show you.

While some reviewers have given lukewarm opinions on the new operating system, the Microsoft chairman says that a three- or four-minute demo should convince most people that Vista has much to offer over Windows XP.

Gates sat down with CNET on the eve of Vista's consumer launch, along with the release of Office 2007. In part one of a two-part interview, he responds to the critics, outlines his Vista sales pitch and talks about the potential of a comeback for peer-to-peer computing.

In the second part of the interview, to be published later this week, Gates talks Xbox, Windows Live and whether TV as we know it is outmoded.

Q: You've been waiting for this day for a long time. How important is the launch of these two products (Vista and Office) for Microsoft?
Gates: Windows Vista is the platform that almost the entire industry builds on, whether it is innovative hardware or software applications. Having it out in the marketplace and letting them use that as the foundation for their work, it's very exciting. We've had 5 million people help guide us in this, tell us that it is ready to go. This is our chance to thank them and let everyone else get the benefits of all the work.

Q: I took a look at all the advertising circulars over the weekend as all the PC retailers started trying to advertise Vista. It seemed like there was still a bit of a challenge for them to figure out what to sell. How big a challenge is it to try and explain what Vista is to consumers?
Gates: Well, with software the best thing is always if you can let people have about a three- or four-minute demo. Then they'll really understand why we think this is a big "wow." We talk about how it's easier--that's things like search, and the setup and the user interface. We talk about safer--that's parental control, antiphishing. We talk about better-connected, the simple Wi-Fi capability. More entertaining--that's HD Movie Maker, DirectX 10 games.

I don't think after you've seen it for three or four minutes, you'll say, "Wow, that's the same as XP." You'll see it's quite different. Given that people spend more time on Windows PCs than watching TV now, having that be the best experience possible is worth a lot.

Q: If you were talking to a friend and you were trying to convince them to upgrade to Vista and they were skeptical, what would you tell them? What things about Vista are the most compelling?
Gates: It would be easiest if I could take them over to my machine and show them how Photo Gallery lets you find and organize things in a better way. I could show them the great graphics capabilities that Windows Vista has unlocked. I'd show them on parental control how I can set the time for my son's work with the PC. Or, for my daughter, how I can look at an activity report and see what kind of Web sites she's going to.

Pretty quickly they'd get a concrete view. For some people, just the fact that it turns on faster, the way we've made that a lot better. Different things will appeal to different people.

Q: Some of the changes with Vista are things that aren't necessarily visible the first time you turn it on. It's things under the hood for developers. What changes in computing do you think Vista will help bring about?
Gates: Things like peer-to-peer. We've got an infrastructure in there. Advanced use of RSS (Really Simple Syndication) so all the applications don't have to go and rebuild those things. I was really impressed seeing how HP had taken their touch screen and made photo-type scenarios really simple. You don't even think you are using software when you select and organize and do a little bit of editing. It's so natural.

Q: You mention peer-to-peer. We haven't heard a lot about peer-to-peer lately. It got kind of a bad rap from the music-sharing days. Is that technology ready for a comeback, and what sorts of things does it allow?
Gates: We have rich APIs (application programming interfaces) and we actually use those ourselves to let you set up a meeting with somebody who is nearby and share a screen with them. We haven't seen it as something that all software people can build on. Most people have had to build their own infrastructure and that's meant that it has really limited the usage. Now we are seeing that (software makers) in general can write peer-to-peer applications. It's up to them to show us where it can go.

Q: One of the things that Microsoft tried to introduce with Vista is the idea that megahertz isn't necessarily the best way to measure a PC. The Windows Experience Index was an attempt to give you an overall sense of how powerful a PC is. We've seen it go from something that was really prominent in the early test versions to something that is maybe not as prominent. Is it still something that's important?
Gates: Our team has done a great job on this, where you can look at the score in each individual area, like the graphics or CPU. You can also have an overall rating. It had gotten so confusing for people to try and understand these things, that we decided just having a linear scale in a few of the key areas and a way of bringing that together, it would help you in terms of picking games out or knowing what the right hardware is. (We've done) a lot of work with the industry to try and take what has been very complex and bring it down to a numeric scale.

Q: Some of the early reviews of Vista haven't exactly been glowing. I'm curious what you make of that?
Gates: Actually, most of the reviews have been very positive. In some ways, people covered the schedule, but they forgot all of the cool stuff that was going on. So they are kind of amazed now that they look and (see) hey, this is what this has been all about.

Q: You laid out the vision for where you guys were going with Vista at the Professional Developers Conference in Los Angeles back in 2003. From your perspective, how much of that vision is reflected in the product that is shipping this week?
Gates: We were able to achieve virtually everything we set out to do. We did not change the file system into a database-like approach. That turned out to be a little ahead of its time. With the exception of that, the presentation richness, the security, the organization-type things that we have here. It's very dramatic. Obviously, we will do more in the future, but this is the foundation that will make Windows computing far simpler.

Q: Office and Vista are just now becoming available for consumers, but they have been available to large businesses since November. Do you have any sense yet of how quickly businesses might be moving to the new product?
Gates: We've got some huge customers like Citicorp, with 350,000 desktops, who have decided to make that move fully this year. A lot more software distribution is being done over the network, so you are not having to visit the machines. It is easier for corporations to do the upgrade than it would have been in the past. A lot of people with their corporate licenses have these upgrades available to them. We expect to see a faster uptake than ever before on a new version. Obviously consumers have been faster to move to the new thing than businesses in general, but here we've made the ease of migration the best it's ever been.

Microsoft patches 20 security flaws

Microsoft on Tuesday released fixes for 20 vulnerabilities in a variety of products including Windows, but none of the operating system flaws affect Vista.

The fixes arrived in a dozen security bulletins, released as part of Microsoft's monthly patch cycle. Six of the alerts were tagged "critical," the company's most serious rating. These flaws could enable an attacker to gain complete control over a vulnerable computer with no action, or minor action, on the part of the user, Microsoft warned.

The critical vulnerabilities are in Windows, Internet Explorer, Office and in Microsoft security tools such as Windows Live OneCare and Windows Defender. None of the Windows or Office flaws affect Vista or Office 2007, Microsoft's latest updates. However, Windows Defender ships as part of Vista, so the new operating system is at risk from that direction.

Microsoft used its February patch day to clear a backlog of "zero-day" flaws, or security holes that have been publicly disclosed but not fixed. Seven of the 20 vulnerabilities addressed by Tuesday's bulletins were zero-days, and five of those were in Office applications. Microsoft planned to issue patches for the Office zero-day bugs last month, but postponed their delivery.

Most of the Patch Tuesday flaws are only potentially harmful if people with vulnerable PCs visit a malicious Web site or open an infected document. For example, the Microsoft security tools could be compromised when they scan a rigged PDF file, according to the company's advisory.

The updates will be pushed out to Windows PCs that have enabled Automatic Updates. They are also available for manual download from Microsoft's Web site.

Windows Mail bug may expose Vista users

A possible security vulnerability in Windows Mail could let attackers run applications on PCs running Vista.

An attacker could send an e-mail with a malicious link that, when clicked on, would execute a program on the PC without warning, according to a description of the problem published Friday on a widely read security mailing list called Full Disclosure. Windows Mail is the successor to Outlook Express, Microsoft's free e-mail client, and ships with Vista.

Microsoft is investigating the issue, a company representative said in an e-mailed statement. "As a best practice, users should always exercise extreme caution when clicking on links in unsolicited e-mail from both known and unknown sources," the representative said.

Depending on what the malicious link tells Windows Mail to do, the threat to Vista users could be significant, said Dave Marcus, security research and communications manager at software maker McAfee. "Theoretically, attackers can do a lot of things; they will be able to pass any command through it," Marcus said.

However, the risk is mitigated because Vista is not widely used, Marcus said. "I don't think they will see a lot of exploitation simply because there is so little Vista deployed," he said. "I think Microsoft would take this seriously and wrap this up in their next patch."

Vista has been available to consumers since late January. Since then, Microsoft has issued one security update for the operating system to repair a "critical" vulnerability in the scanning engine for Windows Defender, the built-in antispyware tool.

Microsoft is not aware of any attacks that actually attempted to use the newly reported Windows Mail vulnerability, it said. Upon completion of its investigation, the company could issue a security update or provide guidance in another way, the representative said.

Study: Windows has fewest security holes

Microsoft Windows has the lowest number of vulnerabilities and the fastest turnaround time for patches of all commercial operating systems--but it also has the most serious flaws, according to Symantec.

Despite having the fewest security holes, Windows was hit by more critical flaws than either Red Hat Linux or Mac OS X, Symantec found.

Symantec's latest "Internet Security Threat Report" (PDF) reveals 39 security holes were discovered in Windows during the second half of 2006, with an average patch development turnaround time of 21 days, up from the 22 Windows holes found in the first six months of the year.

Red Hat Linux had 208 vulnerabilities for the same period with an average patch time of 58 days, a huge increase on the 42 patched vulnerabilities for the first half of the year.

Apple's Mac OS X had 43 vulnerabilities--more than double the number for the first half of 2006--and an average patch time of 66 days.

But almost one-third of the 39 Windows holes were high severity, and 20 were medium severity. Just two of the 208 Red Hat Linux security holes discovered were high severity, with 130 medium severity and 70 low severity. Only one of the Mac OS X holes was considered high severity, with 31 classed as medium and 11 as low severity.

The report found that Windows also had the most vulnerabilities with exploit code and exploit activity, which Symantec claims may be one explanation why Microsoft has been pressured to develop and issue patches more quickly than other vendors.

Mozilla Web browsers, such as Firefox, are also more secure than Microsoft's Internet Explorer, according to the report.

It found 54 holes in IE during the second half of 2006, with one of these being of high severity, compared with 40 holes in Mozilla browsers, which had no high-severity vulnerabilities. Only four holes were found in the Safari and Opera browsers over the same period.

The latest Symantec threat report, which covers the six-month period from July 1 to December 31, 2006, also reveals the number of "zombie" PCs hijacked by hackers and used to launch denial-of-service attacks or send out spam has risen by almost 30 percent in the past year.

Arthur Wong, senior vice president for Symantec Security Response and Managed Security Services, said attack methods used by cybercriminals are becoming more complex and sophisticated to escape detection.

Trojan horse targets Skype users

Miscreants have again adapted the Warezov Trojan horse to target Skype users, Websense Security Labs warned on Thursday.

The attack is similar to threats that target instant-messaging applications. A targeted Skype user will receive a chat message with the text "Check up this" and a link to a malicious executable called "file_01.exe" on a Web site, Websense said in an alert. If the user runs the file, several other files are downloaded and run, it said.

Once infected, a computer will be at the beck and call of the attacker and the Trojan horse will start sending messages to the victim's Skype contacts to propagate, Websense said. The attack is similar to one reported in February, but it has been adapted with files hosted at different locations and a new version of the malicious code, the security company said.

Skype has acknowledged in the past that its instant-messaging feature could be used for nefarious purposes just like any other IM service. The company has said that it is looking at partnerships with security firms to offer a capability for the Skype client that filters out malicious links.

"Harmful viruses and Trojan horses may damage a user's computer and collect private data, regardless of whether a person is using Skype, e-mail or IM clients," Kurt Sauer, Skype chief security officer, said Friday. Skype warned users against opening the malicious file and said they should take caution in general when opening attachments. The company also recommends using antivirus software to check incoming files, Sauer said.

Warezov, also known as Stration, has been around since at least September. Several variants of the malicious code have appeared. Miscreants have spread it via spam e-mail, as well as Skype.

Microsoft probes possible IE 7 phishing hole

Microsoft is investigating a possible vulnerability in Internet Explorer 7 that could help cybercrooks launch phishing scams, the company said Wednesday.

An attacker can use an error message displayed by the latest Microsoft browser to send Web surfers to malicious Web sites that will display with the address of a trusted site, such as a bank, Aviv Raff, a developer in Israel, wrote on his Web site. Raff included an example where the error message directs the Web surfer to a site of his choice.

Microsoft is looking into the issue, a representative said. "Microsoft is not aware of any attacks attempting to use the reported vulnerability," the representative said in an e-mailed statement. "Microsoft will continue to investigate... to help provide additional guidance for customers as necessary."

The vulnerability relates to the message IE displays when Web page loading is aborted, Raff wrote. An attacker can rig the message by creating a malicious link. The message will offer a link to retry loading the page; hitting it brings up the attacker's page, but showing an arbitrary Web address, he wrote.

To launch a phishing attack, an attacker can create a Web link that purports to go to a trusted site, such as a bank. When clicked, the link results in a rigged error page. Following the reload link on that page will display the attacker's Web site with the address of the trusted site in the IE 7 address bar, Raff wrote.

Phishing attacks are a prevalent Internet threat that typically use fraudulent Web sites and spam e-mail to trick people into giving up personal information such as Social Security numbers and credit card details.

IE 7 on Windows Vista and Windows XP are affected, Raff wrote.

100 years of Grace Hopper

For most people who work in IT, the programming language COBOL is as dead as the dodo.

Yet Grace Hopper, the woman credited with establishing COBOL (Common Business-Oriented Language) as the language of business, would be pleased to know that 100 years after her birth, the language still underpins many applications that keep modern businesses going.

This Saturday is the centennial of Grace Hopper, who was born on December 9, 1906. Often referred to as "the mother of COBOL," her contribution to the theory and practice of programming is commonly appreciated as enormous. She is credited, among other achievements, with being the first person to develop a compiled program in an age when computers worked by running programs that were interpreted one line at a time.

Hopper got her first degree in mathematics and physics at Yale University and her master's in the same subjects. She taught at Vassar College before joining the U.S. Naval Reserve in 1943 and working on one of the earliest electronic calculators, the Harvard Mark 1. She was in her element working as, effectively, one of the world's first computer programmers--and she was very good at it. (For a comprehensive bio, read Wikipedia's entry on Hopper.)

She continued working on the Harvard Mark 1 and Mark 2 before moving to another company in 1949 to work on the Univac 1, where she developed the compiler.

After returning to the Navy, she worked on validating software written in the new language, COBOL, with which her name would be indelibly associated. Her greatest achievement in computing was here, as she gradually evolved the idea that software should be easy to use instead of being a long string of mathematical functions and notations.

From that point came the principle that programs should be easy enough for businesspeople to use and understand; in principle, COBOL is for the businessperson, not the scientist.

"COBOL is still in use today and plays a part in those programs that keep businesses running," said Julian Dobbins, director of product management at Micro Focus, one of the key companies still developing for the language. "(Analyst firm) Gartner reckons that 75 percent of business transactions are still done in COBOL."

Banks and other financial institutions are chiefly accountable for this high figure. Systems that run banking transactions, such as those used by ATMs, were largely written years ago and are still running. They are economical and efficient, and COBOL code is easy to fix if these go wrong, so, the argument goes, why change them?

As for new applications, there is little, if any, work still done in COBOL, with more modern languages, such as C++, having replaced it.

So why use COBOL today? "As a programming language, it was designed on sound principles," Dobbins said. "And you can take modern principles like Web services and service-oriented architectures (SOA), and find that it offers really very easy deployment."

But even Dobbins, who has used COBOL himself since his college days, admits that COBOL is stuck with a poor image. "I remember chatting with a programmer at a conference and talking about using COBOL in object-oriented apps," Dobbins recalled. "He said, 'Why would I want to do that? It would be like turbocharging an oxcart.' My response was to say that the world does not rely on oxcarts."

Dobbins sticks with the view that the world does rely on COBOL. Dobbins believes that the principles that make COBOL a sound language to this day are those first established by Grace Hopper and that 100 years after her birth, the world should continue to be grateful for them.

Hopper died January 1, 1992.

Indian offshore call centers 'not doomed'

Offshore call centers are expected to continue growing, despite the fact that some companies are bringing their customer care services back home.

Last week, Lloyds TSB became the latest British company to decide to reduce its use of Indian call centers. But earlier this week, Barclaycard announced that it is moving more work to Mumbai, and Datamonitor contact center outsourcing analyst Peter Ryan said it is shortsighted to predict the end of customer service outsourcing.

Investment in offshore markets will continue for some time, as companies attempt to capitalize on lower costs and high-quality client care, Ryan said, predicting that more industries "than ever before" will be looking to adopt outsourced customer services.

This year "will be one of the most challenging in contact center outsourcing's history," Ryan said.

Ryan said, however, that call center operations will have to invest in Web-chat, SMS and e-mail technologies if they want to attract new customers. They also must offer systems tailored to specific vertically integrated industries, he said.

Companies will be looking for suppliers that can satisfy demand from multiple contact channels rather than just voice, he added.

Datamonitor predicts that outsourcers will start to focus on higher-value services--such as business-to-employee care and technical support--that are likely to lead to higher revenues and profits over the long term.

Steve Ranger of reported from London.

Blogs turn 10--who's the father?

Someone, somewhere created the very first Web log. It's just not quite clear who.

It may not be one of the Internet's grandest accomplishments, but with the number of active bloggers hovering somewhere around 100 million, according to one estimate, there are some serious bragging rights to be claimed by the first person who provably laid fingers to keyboard in the traditional bloggy way.

Was the first blogger the irascible Dave Winer? The iconoclastic Jorn Barger? Or was the first blogger really Justin Hall, a Web diarist and online gaming expert whom The New York Times Magazine once called the "founding father of personal blogging"?

Or did all three merely make incremental improvements on earlier proto-blogs? The answer is most likely "yes" to all of the above. In truth, awarding the title "first blogger" is more than a little tricky because the definitions of blog and blogger are slippery. Any definition should probably include posts sorted by date, with the newest posts at the top and the rest archived for future use (criteria that would eliminate the Drudge Report, for instance).

Winer is a pioneer of Web syndication techniques and editor of Scripting News, which launched on April 1, 1997.

He boasts on his site that Scripting News "bootstrapped the blogging revolution" and that it is the "longest currently running Web log on the Internet." A decade ago, however, Winer wasn't actually using the term "Web log," nor does he claim to have invented the term. Winer did not respond to repeated requests for comment from CNET until after this article appeared. He replied in a post claiming "the first blogs were inspired" by Scripting News.

Barger, a programmer, futurist and James Joyce scholar, is not afraid to say, indeed, he's the guy who invented the term "Web log." In December 1997, he created to feature entirely bloggy collections of links to articles about politics, culture, books and technology that he found interesting.

"Since I made up the word, I assume I get to define it," Barger said in an e-mail message to CNET on Monday. "And by my strictest definition Winer wasn't quite a blog--he mixed up the reverse-chronological ordering too much. So--unsurprisingly--the first 100 percent Weblog would be mine."

Barger said his site amounted to something of a day-to-day log of his reading and intellectual pursuits--and because it was online, he called it a "WebLog." And thus a new term, which would soon be abbreviated and de-capitalized to "blog" by Peter Merholz of, was born.

"Winer called them 'news pages,' but I didn't plan to do mainly news, but rather anything I found that I thought was worth reading or visiting," Barger said in an e-mail. "So at the last minute I needed to come up with a title, and I used AltaVista to see whether various possibilities were already taken (with 'log' being the critical descriptive term). 'Weblog' was being used as a synonym for 'server log' or 'html log' by site administrators, but since they had the other options I grabbed the more general one."

Building on the .plan
But as any Internet graybeard will tell you, early Net denizens were just as active in sharing details of their personal lives and commenting on politics (though, perhaps, not the antics of their pet cats) as the latest generation of bloggers. They did it on mailing lists and through a now virtually forgotten technique called a ".plan" file that was invented in the early 1970s.

A .plan file was a publicly visible text file of any length that could be attached to each individual account on a Unix system and often used reverse-chronological blog-like ordering with newer items at the top. Internet users could edit their own .plan files to include details of their personal life, work projects or musings on the nature of reality.

Many did. One of the most famous .plan files was created by John Carmack, who co-founded Id Software and was the lead programmer on blockbuster video games including Doom, Quake and Wolfenstein 3D. (Carmack's .plan file has since been converted to a blog.)

Some of Carmack's frequent updates described programming accomplishments, such as "made qport more random" and "fixed map reconnecting." Others were conversational: "Quake has bugs. I freely acknowledge it, and I regret them. However, Quake 1 is no longer being actively developed, and any remaining bugs are unlikely to be fixed. We would still like to be aware of all the problems, so we can try to avoid them in Quake 2."

The humble .plan file even played a role in the early history of the Linux kernel. In July 1991, as part of his first public post about the kernel, Linux developer Linus Torvalds asked for help with operating system standards. As an aside, he also mentioned a tweak to his .plan file to make it change automatically, and that was what generated far more attention.

Torvalds' Usenet post was eventually seen by Ari Lemmke, who gave Linux its name (Torvalds had proposed "Freax") and who provided an online home for what would become one of the world's most popular operating systems, according to Torvalds' own history.

Putting a 'finger' on blogging's birth
Dot-plan files were read through the "finger" command, which is so antique it actually dates back to the pre-Internet days of the ARPAnet.

It was created in the early 1970s by Les Earnest, who had already invented the first spell-checker and the first successful cursive writing recognizer. Earnest is currently a senior research scientist emeritus at Stanford University's computer science department, an enthusiastic bicyclist and a cycling association official. (Read the rest of an interview with Earnest).

"It was used in much the same way as blogs are now--that is, the .plan file was intended to be just a way to tell people where you were going to be," Earnest said in a telephone interview. "If you were going off on vacation or a trip or something, or were just going to sleep for a while, you could post that in your .plan file. But then people noticed that it could be used as a statement of personal views on things and they started doing that...(For) expressing your personal views on things, it was very much like a blog, a personal blog."

Earnest's creation of the "finger" command and .plan file became an official standard (RFC 742) in December 1977 and was updated in 1991. (Along the way, of course, it also led to innumerable jokes about how to "finger me" among oversexed computer science undergraduates.)

Plan files, or at least instructions on how to read them, found their way onto business cards and into the Geek Code, a mid-1990s method of describing how geeky someone is.

Students used them to keep journals, post schedules, or talk about tae kwon do practice. In 1994, one undergraduate student at Carnegie Mellon University created a rambling online diary in his .plan file that was hundreds of pages long. Some still exist today.

Because they were merely text files, however, even the most sophisticated .plan files could not include features we take for granted in blogs today: RSS, CSS, trackbacks, formatted text, hyperlinks, and of course, comments.

Those were gradually added after the Web was created, and Justin Hall was one of the first Web-based diarists to experiment with this then-novel medium. He was profiled by the Times for his very personal diaries at, which began when he was a student at Swarthmore College. Hall is now working on a research area that he calls passively multiplayer online games.

In an interview on Monday, Hall said he started in January 1994. "I was inspired by every home page I saw online--a picture of some scientist and his dog, his collection of old English riddles, whatever--it was so simple and trivial, I thought, it can't be hard to post a page here," he said. "It wasn't hard at all! Once I found a way to post my pages up, I could create more and more interlinked text."

Hall doesn't claim to be the first blogger; rather, he said he prefers thinking of spontaneous appearances of similar sites. "Where was the first printing press with movable type?" he asked. "Good luck tracking that down."

Microsoft temporarily closes video site

Microsoft is closing its video-sharing site, Soapbox, to new users for up to two months so it can create better safeguards against pirated content.

The software giant, which agreed earlier Thursday to distribute movies and TV shows for big media companies, has seen Soapbox fill up with unauthorized clips since a test version of the site launched last month.

No new subscribers will be accepted, but anyone who has already signed up for Soapbox can continue to access the site, said Adam Sohn, a director in Microsoft's online-services group.

Microsoft stood to be embarrassed by the existence of pirated work on Soapbox. There was a real possibility that the company could have found itself distributing video from News Corp. and NBC Universal, at the same time another one of its units was hosting material stolen from those same companies.

Microsoft, AOL and Yahoo have agreed to be part of a new online joint venture of media conglomerates that also includes NBC Universal and News Corp. The new video network, scheduled to debut this summer, will feature full-length programming, movies and clips from at least a dozen television networks and two major film studios.

Copyright issues have become a central issue to the nascent online video market. On YouTube, the largest video-sharing site, there are thousands of clips posted to the site without the copyright holder's consent.

To help create a filtering system that would prevent the uploading of copyrighted video clips, Microsoft licensed digital-fingerprinting technology from Audible Magic.

Sohn said the changes were not forced on Microsoft by its new partners, although he acknowledged that some of the content providers were very interested in how his company planned to clean up Soapbox.

"This software company is aligned very closely with the notion of intellectual-property rights," Sohn said. "We feel this is the right time to make these changes and stand up to do the right thing."

Thursday, March 22, 2007

Google Search Engine Improved Again

Google's search engine provides access to a variety of functions that help you find multiple types of information using a single keyword typed in the search box. Take the Plus Box, which shows additional details about a website when you click the plus sign displayed under the link. Some time ago, the search giant removed map links to rivals' services to let you view a tiny map displaying a certain business. This time, the company has updated the search engine with a brand new feature meant to return stock quotes for a specific firm.

The procedure is quite simple: all you need to do is type your desired keyword, let's say “computers”. After you press search, Google will return multiple links to companies from all around the world. You should then be able to see a plus sign connected to the page's link that provides stock information from Google Finance.

“Google tests a new Plus Box for stock quotes. If a site is connected to a business listed on a stock exchange, you'll see a link that says: "stock quote for GOOG", for example. If you expand the box, you'll get information from Google Finance about the stock and the company. Unlike the OneBox results that show up at the top of the search results or at the bottom of the page, Plus Boxes are connected to individual search results and give more information about the context of the site. We can expect to see more expandable boxes in the months to come,” Ionut Alex, Google blogger, said about the new function.

This is not the first attempt of the search giant to provide additional results based on the OneBox technology. You can also find more information about music, movies, news, weather, travel, shopping and many other search services designed by Google.

You Can Now Click On Your Own Google Ads!

Google's AdSense is currently a popular service on the Internet because it helps users earn money by placing ads on their websites. Every time a user visits the site and clicks on a Google ad, a certain amount of money is transferred into your account, so more users means more money. Because the service works with financial data, it imposes several terms of service on registered clients, who must avoid infringing them or risk having their accounts banned. One of the best-known rules is that users are not allowed to click on their own Google ads because the search giant records the user's IP and, if it's similar to the owner's, it represents click fraud.

Some time ago, the company released another type of advert meant to increase their appearance but also display more products and an attractive commercial for a specific solution. Google Video Ads is now being rolled out to a limited number of users, but some of them are encountering some simple issues with the adverts. In a discussion published on the WebmasterWorld forum, a webmaster reported that some video ads by Cadillac were included on his site but that he avoids clicking on them because he's aware of click fraud. AdSense Advisor, a preferred member of the forum, posted a reply to the message, saying you can play the ads to view the content of the commercial.

The AdSense Advisor said in the WebmasterWorld discussion:

“Actually, you're welcome to watch the click-to-play video ads that appear on your site by clicking the Play button. We want publishers to be able to check the content of video ads playing on their sites, so we only count clicks that lead a user to the advertiser's site, such as a click on the display URL or on the video while it's playing. Clicking only the Play button will let you watch the ad without generating invalid clicks”

Lost or stolen employee laptops have cost businesses and government agencies millions of dollars and hurt their credibility, while putting the sensiti

One year ago, information giant LexisNexis revealed that hackers stole data on about 310,000 of its customers. As compensation, the company offered all those victims a year's worth of a free credit-monitoring service.

But only 18,000 consumers -- just shy of 6 percent of those affected -- took the company up on the offer, a surprisingly low acceptance rate for a pretty valuable gift.

Credit monitoring, which lets consumers look up their credit report any time they want and provides e-mail alerts any time a new account is being opened, can cost $200 a year. While it's not a service I would pay for, I would jump at it if offered to me for free -- particularly if I knew my personal information had just been stolen.

LexisNexis' experience is not unique. Last year some 60 million people had their identities exposed because of some kind of data leak, and almost all of them were offered free credit monitoring. But in case after case, a tiny percentage of consumers signed up.

While the notice letters informing them that their data has been compromised are compelled by law, the offer of free credit monitoring is not. It is the de facto penance companies perform after a data leak, a gift from companies meant to alleviate the wrong that had been done.

ChoicePoint, which last year revealed it had accidentally sold 145,000 dossiers on U.S. consumers to criminals, says only 10-15 percent of victims called in response to a warning letter. About half of those who called signed up for free monitoring.

Citibank sent nearly 4 million letters to consumers last year after a data backup tape was lost in transit to a credit bureau. Only about 135,000 consumers -- or less than 4 percent -- signed up for free credit monitoring, the company says. Wells Fargo, which experienced several data losses, said it had a "relatively low" response to its offer.

Why the reluctance?
The critical question is: Why? After all, free monitoring is the only tangible compensation consumers receive after becoming data loss victims. Why would they consistently thumb their nose at such a perk?

At a recent conference I attended, consumer advocates from major financial and Internet companies lamented that sometimes it's impossible to get consumers to do anything to protect themselves. They can't be bothered to read brochures, to take a few minutes to educate themselves about fraud or even to sign up for free products.

I think it's a fair point. Ultimately, consumers need to take responsibility for their own protection. But there are plenty of potential explanations outside sheer laziness or disinterest.

Beth Givens, executive director of the Privacy Rights Clearinghouse, says that many consumers whose data was leaked probably didn't read the disclosure notice because they thought it was junk mail. (In fairness to LexisNexis, the firm went to the extraordinary and expensive step of manually pasting real stamps on its letters -- rather than run them through a postal meter -- to get the attention of recipients.)

Others may not have read all the way through the notice to get to the point where the free monitoring was offered, Givens said.

"People are accustomed to ignoring pieces of paper with a lot of dense print on them," she said. "My guess is a very small percentage of those who received the letters actually read the letters. Or they may have read them so quickly they missed the part where it said you get (credit monitoring) for free. You have to be a pretty careful consumer to realize this is something you should read."

Consumer confidence an issue
Some victims were probably scared off by the sign-up process, which could require divulging a Social Security number. After all, who wants to fork over personal information to a company that's just lost it?

Larry Ponemon, who operates the research firm The Ponemon Institute, found in a recent survey that 1 in 9 adult Americans received a data-loss disclosure notice last year. But most recipients told his firm they spurned free credit monitoring -- in many cases because they did not trust the company that was making the offer.

"More than half of the respondent group who were offered credit-monitoring services was suspicious about the ‘free’ offer," Ponemon said. "Many respondents told us that they thought this was likely to be a gimmick that would ultimately cost them in the future. Others refused out of principle, and didn't want their goodwill to be purchased. (They) were simply angry with the organization that reported the breach and did not want to accept any tokens or gifts."

Victims demonstrated a greater willingness to accept a cash payout, Ponemon said. In one instance, consumers more readily accepted a $10 credit to their phone service than an offer of free credit monitoring, he said.

Credit bureau Equifax Inc., one of the firms that offers free monitoring on behalf of companies that have leaked data, has in the past year created a swat team to deal with such breaches. The company has so far offered credit monitoring to customers affected by leaks at more than 100 companies, including LexisNexis, and Equifax's Steve Ely said one-third of all its credit-monitoring customers received the service as the result of a security breach.

Acceptance rates on the rise
Levy said last year, most consumers did reject the offers made by companies like LexisNexis. But acceptance rates are on the rise, he said, as more consumers become familiar with the importance of their credit reports.

Also, leaks by companies with more tech-savvy consumers tend to result in more sign-ups -- in some cases as high as 30 percent. A month ago, Fidelity reported a laptop with 200,000 records of Hewlett-Packard employees had been stolen. Ely said the sign-up rate after that incident was "significantly higher" than the LexisNexis rate.

What to make of this? I've always thought credit monitoring was a good idea, particularly for anyone who has reason to suspect they are a victim of recent identity fraud. But I've been reluctant to recommend it because I firmly believe consumers shouldn't have to pay for access to their own data.

In a case of a good result from a bad incident, data leaks have given millions of consumers a chance to use the services for free, and it's too bad more of them haven't signed up. Looking at your credit report is a bit like finding an old photo album in your grandmother's house -- it's an intriguing walk down memory lane. As long as no one asks for your credit card number -- and you're sure you're not paying for it -- you should accept an offer of free credit monitoring when it comes your way.

On the other hand, it's understandable that more consumers haven't signed up. There have been some questionable presentations, which seemed more like marketing than a mea culpa. For example, Wells Fargo was criticized for offering its own credit-monitoring service after data leaks.

Not a perfect tool
And it's important to know that credit monitoring, while an effective tool, will not pick up every incidence of ID theft. It does little to alert consumers whose Social Security numbers are the only thing stolen, discussed previously in this blog. And it wouldn't ring any alarm bells for ID theft that doesn't involve financial theft, such as using someone else's identity to escape arrest.

Finally, it doesn't include the most powerful tool consumers have been given to stop ID theft -- a credit freeze. Freezes allow consumers to lock up their credit report so it's impossible for a criminal to open a new account in their name. More than a dozen states now allow freezes, but they are spendy – a freeze can cost between $50 and $100 a year. In a perfect world, victims of a security breach would get an offer of a free credit freeze, and perhaps in some cases would have their credit reports automatically frozen to prevent theft and be given the opportunity to unfreeze their credit at their will.

While I have spoken to companies who I believe are trying to sincerely do the right thing after a data leak -- and I do think consumers bear some responsibility for reading their own mail -- more still needs to be done to protect victims. Something's wrong when only 5 percent sign up for the only service they are entitled to as compensation for the loss of their personal information. More should be done to make it right.

Seagate's encrypted hard drives en route

Chip reportedly makes it impossible for anyone to read data off disk

SAN JOSE, Calif. - Seagate Technology LLC, the world's largest hard drive maker, announced Monday the first manufacturer to sell laptop PCs with its new built-in encryption technology.

The hard drives, to be available in laptops made by ASI Computer Technologies, will include a chip that makes it impossible for anyone to read data off the disk, or even boot up a PC, without some form of authentication.

ASI, which manufactures laptops under its own brand and builds systems for lesser-known PC makers, is expected to put the new technology in its machines within a few months. Other major PC makers are expected to introduce computers with Seagate's secure hard drives later this year.

Lost or stolen employee laptops have cost businesses and government agencies millions of dollars and hurt their credibility, while putting the sensitive information in the hands of identity thieves and other criminals. Dozens of states require businesses to encrypt computer data.

"I can't help but think that this kind of hard drive would become a standard issue on corporate laptops," said Dave Reinsel, a storage industry analyst at market research firm IDC.

Seagate's DriveTrust technology differs from existing security options, which usually include placing firewalls around computer networks and installing encryption software on systems.

The new technology is embedded directly in the hard drive — the computer's storehouse of data. It requires users to have a key, or password, before being able to access the disk drive or boot up the machine. Without the password, the hard drive would be useless, Seagate officials said.

Seagate teamed with security software provider Wave Systems Corp. to add a layer of tools that make it easier for corporations to manage the new kind of security technology.

Who's buying cell phone records online? Cops

Net sellers tell Congress they supply law enforcement officials with call lists

Both federal and local level law enforcement officials have purchased cell phone records and other private information from Internet-based data collection services as an investigative short-cut, has learned. At least one Web-based data seller has told Congress that the FBI is a client.

Critics of the practice say it encourages alleged illegal behavior by Web site operators, who often obtain the information by tricking telephone company customer service representatives into revealing it.

A hearing on the sale of cell phone records is scheduled for this week before the Oversight and Investigations Subcommittee of the House Energy and Commerce Committee.

The phone records are generally acquired by the resellers through fraudulent means and would not be admissible in court as evidence, but they are still helpful as an investigative tool, say officials familiar with the investigation.

The alleged use of the customer records by law enforcement officials could raise legal and ethical questions, as it would circumvent due process and years of established laws protecting consumers from random eavesdropping on electronic communications.

The U.S. House Energy and Commerce Committee and its Oversight and Investigations Subcommittee are looking into the fraudulent acquisition of consumer cell phone records by private investigators and online data sellers — an issue that exploded into the public sphere earlier this year after a blogger was able to purchase cell phone records of former presidential candidate Gen. Wesley Clark. But the business was thriving online for years before that, with hundreds of Web sites advertising that they could obtain anyone's cell phone records for about $100.

The committee is attempting to learn who's selling the cell phone records, and who's buying.

FBI says it looks to private firms for help
As part of its inquiry, the committee has asked dozens of Web sellers to reveal their customers lists. has viewed one such list, and spoken with several other data sellers.

One seller, Advanced Research Inc., which operates, told the committee that it has sold data to the FBI.

"On occasion, ARI (Advanced Research) has done work for municipalities, banks, mortgage and insurance companies, private companies, foreign governments, law enforcement, even the FBI," ARI's letter to Congress said.

FBI spokesman Richard J. Kolko said Sunday he could not confirm or deny whether the bureau had received mobile phone records from Advanced Research, but acknowledged that the FBI sometimes buys or receives data from private companies to help with investigations. But he said agents would never break any laws to obtain such evidence.

"The FBI, in pursuit of its investigative priorities, at times gets information from private companies that provide information to the public, or at least to others outside of the government," Kolko said. "This investigative technique is used to support investigations or other aspects of our missions. When this is done, we adhere to all established DOJ guidelines, FBI policy and the law."

Kolko also said he could not comment on processes the FBI may have in place to ensure that data it receives from private companies has been acquired legally by intermediaries.

Congress is now investigating how Web phone records sellers obtain their data; officials at state and federal agencies have said acquisition of customer mobile phone records without their consent is a criminal act.

Many buyers involved in debt collection
The dozens of Web sites now being investigated by Congress sell to a wide cross-section of customers buying data. Evidence gathered so far suggests many purchasers are involved in debt collection. But a steady stream of evidence also implicates law enforcement officials, who occasionally use the services as a shortcut, avoiding the need for court orders generally required to see phone records.

The phone records are often obtained by private investigators through a tactic known as "pretexting." Investigators call mobile-phone companies posing as legitimate customers and trick service representatives into delivering copies of records.

Many Web site sellers maintain the practice is legal, but cell phone companies, the Federal Communications Commission and numerous state attorneys general have said impersonation of consumers is fraud. Several states also have sued data brokers over the acquisition and sale of phone records in recent months.

Just this week, the House of Representatives overwhelmingly passed a bill making acquisition of cell records through pretexting explicitly illegal. Those who obtain such records could face up to 20 years jail time under the bill that passed by a vote of 409-0 on Tuesday.

In its response to an inquiry by congressional investigators, Texas-based PDJ Investigations — which runs several look-up sites — stated that it provides records to law enforcement officers.

"On numerous occasions a wide variety of law enforcement officials on a federal, state and local level have asked for investigative assistance, which PDJ has provided free of charge," the company wrote.

The lawyer for another firm that's being questioned by Congress — IEI Investigations, also known as — said he believed his client also has provided services to law enforcement for free and said the practice is common in the industry.

"It's a much easier and cheaper path to gather information," said the company's Los Angeles-based lawyer, Larry Slade. "But when law enforcement uses it, it raises other issues."

Civil liberties attorneys say the use of illegally obtained cell phone records as part of a criminal investigation raises serious questions.

‘Established legal procedures’ circumvented
“There are established legal procedures for obtaining phone records that provide checks against improper access,” said Chris Hoofnagle, an attorney at the Electronic Privacy Information Center who complained to the Federal Communications Commission and the Federal Trade Commission last year about the availability of cell phone records online. “These legal procedures allow fast access to phone records for law enforcement and provide accountability. That’s what's missing here, the accountability.”

A publicly elected official caught up in the congressional inquiry also has said publicly that he obtained phone records for law enforcement officials. Colorado state Rep. Jim Welker, owner of Universal Communications Co., told the Rocky Mountain News earlier this month that he sold phone records to law enforcement officials, as well as debt collectors and financial companies.

"I look at it (the business) as helping the good guys find the bad people," he told the paper. Welker -- an enigmatic figure in Colorado politics who recently said at a press conference that legalizing gay marriage would eventually lead to inter-species marriage -- did not return phone calls from seeking comment.

One potential customer of MPIS Inc.'s service was the Ruston, La., Police Department. In January, Ruston Police Chief Randal Hermes told that he sent an e-mail to MPIS asking about the Web site’s ability to locate cell phone calling records.

"We are finding the need more and more often to search cellular telephone records," the letter said. "It's unbelievable to me how difficult it is in this day and time to identify the subscriber of a cell phone."

In reply, MPIS's Jodi Leatherman wrote, "We're always looking to help law enforcement," Hermes said.

When asked about the e-mail exchange, Hermes said his department was investigating a string of cell phone thefts, and had "run into some pretty rough road blocks" trying to get records from cell phone companies. Up-to-the minute calling records are the best way to find a thief after a cell phone is stolen, but the records can be hard to get, he said.

‘You want the records quickly’
"If your phone is stolen and you want the records quickly, it's impossible to do," he said. "We were looking on the Internet to see if there were other places we could go that had cell phone records."

Hermes said he never obtained any records from, however. Soon after the Jan. 25 exchange with Leatherman, Hermes found a helpful employee at a cell phone company and the department was able to obtain the records through standard procedures, so he no longer needed the Internet-based services, Hermes said. “It didn’t go any further,” he said.

One company under investigation replied to the Congressional inquiry letter with what appears to be a partial customer list, which was viewed by The spreadsheet, titled "Copy of Call Record Customers," revealed that most cell phone record buyers were small companies, most likely hoping to perform debt collection. The list included several apartment complexes, doctor's offices and law offices.

Also on the list is an employee of a major insurance provider who works in the company's "special investigations unit."

The list also includes a Washington D.C.-area resident who says on his Web site that he's a consultant for law enforcement officials in the D.C. area, and an expert in CALEA — the Communications Assistance for Law Enforcement Act. Federal officials and police officers often utilize CALEA statutes to legally obtain consumer telephone record information.

The Washington D.C.-area resident did not return requests for comment. It is not clear that he ordered cell phone records on behalf of law enforcement officials.

The use of extreme means by debt collectors is hardly new; one professional pretext caller interviewed by, who spoke under condition of anonymity, said that use of cell phone records to track debtors is an important cog in the lending system. Without it, lenders would have no hope of collecting from customers who default on loans — and would have to stop lending money to consumers with lower credit scores.

The anonymous pretext caller said he occasionally did free work for law enforcement. In one case, the source said, he helped a police detective in Nassau County, N.Y., who wanted to prove an association between two alleged criminal accomplices. The suspects denied knowing each other, but their cell phone records showed otherwise.

"He knew it wasn't admissible, but he used it to shake them down (during interrogation)," the source said.

Witness: 'Not being fully investigated'
Rob Douglas, an information security consultant who operates, performed research for the House committee conducting the investigation. He recently quit because he said significant issues “were not being fully investigated.”

In a letter announcing his resignation, Douglas said the committee needs to look into dramatic allegations that officials from the Homeland Security Department are among the law enforcement officials purchasing the cell phone records.

"There have been allegations made by one party in the investigation that the Department of Homeland Security purchased Americans' phone records from a company in Texas," Douglas wrote. "It is not clear that this lead is being fully and aggressively explored."

Russ Knocke, a spokesman for the Department of Homeland Security, said his agency would not use cell phone records Web sites to obtain information.

"There are privacy laws in this country,” he said. “We had the NSA (eavesdropping) debate already.”

The use of the records can cut both ways for law enforcement. On two occasions reviewed by, a data broker traced a cell phone number for an Internet buyer and revealed that it belonged to a law enforcement official. The records suggest those consumers could also have been able to obtain call records for a police officer's cell phone — exactly the nightmare scenario the Chicago police department warned its members about in a January memo.

Douglas said some commercial data brokers, in an effort to boost their argument that obtaining cell phone records is legal, have in the past exaggerated claims of working with law enforcement officials. Still, the sheer amount of evidence pointing to the use of illegally obtained phone records by law enforcement officials warrants deeper investigation, he said, adding that the current witness list for an upcoming Congressional hearing on the matter does not include law enforcement officials or other government officials accused of purchasing the records.

“The constitutional issues raised by government agents looking at Americans' phone records absent judicial oversight are serious,” he said. “Equally important is the protection of those very same agents from criminals buying their records in an attempt to do harm to the agents or their investigations. Congress must fully explore these issues and not short-cut the current investigation."

A hearing on the committee’s findings is tentatively scheduled for May, Douglas said. A spokesman for the committee said in an e-mail statement that it would not comment on the committee's work until it is finished.

"The committee is conducting an extensive investigation into potential breaches of basic privacy. Until that inquiry is complete and we're satisfied about the reliability, authenticity and significance of the raw data coming in now in response to requests and subpoenas, we will defer trying to characterize it," wrote Larry Neal, deputy staff director for the House Energy and Commerce Committee. He also wrote that there may be as many as a "half-dozen" investigative hearings, and that the committee has not yet decided whom to call.

The Federal Trade Commission is separately conducting its own investigation of cell phone record online sales, as are several state attorneys general.

Conn. bill would force MySpace age check

Bill comes after man sent to prison for using site to set up sexual encounter

HARTFORD, Conn. - Connecticut lawmakers unveiled legislation Wednesday that would require and other social-networking sites to verify users' ages and obtain parental consent before minors can post profiles.

The bill comes a day after a man was sentenced to 14 years in prison for using to set up a sexual encounter with an 11-year-old Connecticut girl. It was one of the first federal sex cases involving the popular site.

Attorney General Richard Blumenthal, who met with other attorneys general on Tuesday, said 10 to 20 other states are considering similar legislation.

"The technology is available. The solution is financially feasible, practically doable," he said. "If we can put a man on the moon, we can check ages of people on these Web sites."

Under the proposal, any networking site that fails to verify ages and obtain parental permission of users under 18 would face civil fines up to $5,000 per violation. Sites would have to check information about parents to make sure it is legitimate. Parents would be contacted directly when necessary.

MySpace did not immediately return a call seeking comment.

The bill, which is scheduled for a public hearing on Thursday, would apply to any organized online networking organization, including chat rooms.

Parents, school administrators and law-enforcement authorities have been increasingly warning of online predators at sites like MySpace, whose youth-oriented visitors are encouraged to expand their circles of friends through messaging tools and personal profile pages. It has more than 100 million registered users.

The site has responded by expanding educational efforts and partnerships with law enforcement. It also adopted new restrictions on how adults may contact the site's younger users and has helped design tools for identifying profiles created by convicted sex offenders.

The site's current policy bars children under 14 from setting up profiles. Users who are 14 or 15 can display their full profiles — containing hobbies, schools and any other personal details — only to people already on the teen's list of friends. Others see only the bare-bones profile, listing username, gender, age and location.

But MySpace relies on users to specify their age.

News Corp.'s MySpace is the largest social-networking site, with more than 100 million registered users.

Sweden plan would monitor e-mail

Gov't says fraction of e-mail will be affected, but critics are skeptical

STOCKHOLM, Sweden - Sweden's government presented a contentious plan Thursday to allow a defense intelligence agency to monitor — without a court order — e-mail traffic and phone calls crossing the nation's borders.

The government insists only a fraction of the electronic communications will be affected, but critics worry the program, designed to combat terrorism and other threats to national security, is too far-reaching.

Their concerns resemble criticism of a U.S. surveillance program launched in 2001 that monitors international phone calls and e-mails to or from the United States involving people suspected by the government of having terrorist links.

The American Civil Liberties Union sued the National Security Agency last year on behalf of journalists, scholars and lawyers who say the project has made it difficult for them to do their jobs because they believe many of their overseas contacts are likely targets of the surveillance.

The Swedish proposal, which needs parliamentary approval, would give the National Defence Radio Establishment a green-light to use so-called data mining software to search for sensitive keywords in all phone and e-mail communication passing through cables or wires across the country's borders.

Today, such traffic can only be monitored with court approval if police suspect a crime, although the agency is already free to spy on airborne signals, such as radio and satellite traffic.

European governments have gradually been expanding their surveillance powers, wiretapping rules and police search powers as part of efforts to unravel terror plots.

But the Swedish proposal is among the most far-reaching when it comes to intercepting e-mail traffic.

The Dutch secret service can monitor e-mail in specific cases, but does not have a mandate to conduct blanket monitoring of international traffic.

In Britain, e-mails can only be intercepted with a warrant signed by a secretary of state, and the intercepted communications cannot be used in court.

Sweden's center-right government says it's only interested in international traffic, and that e-mails and phone calls between Swedes will be filtered out.

"This is about mapping situations so that we in Sweden will be able to fulfill what is one of the most central tasks for a government: protecting the country and its own citizens," Defense Minister Mikael Odenberg said.

However, critics say it is impossible to make such guarantees, as e-mails sent between two colleagues in the same office are often routed via a server abroad and could end up in the military's hands.

"They're going from fishing with a hook to fishing with a net," said Par Strom, a spokesman for The New Welfare Foundation, a civil liberties think tank. "We are crossing a very fundamental border."

Even Sweden's security police, SAPO, has criticized the proposal, saying it violates personal integrity.

Opposition politicians from the Green and Left parties say they will fight the bill when it comes to a vote in Parliament later this year. The main opposition Social Democrats said they had not yet decided how to vote.

"We're going to evaluate whether there are enough guarantees to safeguard people's integrity," said Thomas Bodstrom, justice minister in the previous Social Democratic government. "The other issue is, do we want to change society so that the military gets a completely new role when it comes to fighting crime?"

Your new ID-theft worry? Photocopiers

Experts aren't aware of any known incidents but say potential is very real

SAN JOSE, Calif. - Consumers are bombarded with warnings about identity theft. Publicized threats range from mailbox thieves and lost laptops to the higher-tech methods of e-mail scams and corporate data invasions.

Now, experts are warning that photocopiers could be a culprit as well.

That's because most digital copiers manufactured in the past five years have disk drives — the same kind of data-storage mechanism found in computers — to reproduce documents. As a result, the seemingly innocuous machines that are commonly used to spit out copies of tax returns for millions of Americans can retain the data being scanned.

If the data on the copier's disk aren't protected with encryption or an overwrite mechanism, and if someone with malicious motives gets access to the machine, industry experts say sensitive information from original documents could get into the wrong hands.

Some copier makers are now adding security features, but many of the digital machines already found in public venues or business offices are likely still open targets, said Ed McLaughlin, president of Sharp Document Solutions Company of America.

"You actually have a better chance at winning 10 straight rolls of roulette than getting those hard drives on copiers rewritten," he said.

Sharp plans to issue a warning about photocopier vulnerabilities Wednesday — just ahead of tax time.

The company, one of the leading makers of photocopiers, commissioned a consumer survey that indicated more than half of Americans did not know copiers carried this data security risk. The telephone survey of 1,005 adults, conducted in January, also showed that 55 percent of Americans plan to make photocopies and printouts of their tax returns and related documents.

Of that segment, half planned to make the copies outside their homes — at offices, libraries and copy shops. An additional 13 percent said they plan to have their tax preparers make copies.

Although industry and security experts were unable to point to any known incidents of identity thieves using copiers to steal information, they said the potential was very real.

"It is a valid concern and most people don't know about it," said Keith Kmetz, analyst at market researcher IDC. "Copying wasn't like this before."

Added Paul DeMatteis, a security consultant and teacher at the John Jay College of Criminal Justice at the City University of New York: "We know there are bad people out there. Just because this is difficult to detect doesn't mean it isn't being exploited."

Daniel Katz-Braunschweig, a chief consultant at DataIXL, a business consulting firm, includes digital copiers among his list of data holes corporations should try to protect. He couldn't specify names but said a few of his company clients did learn about the vulnerability after their copiers were resold and the new owners — in good faith — notified them of the data residing on the disks.

Sharp was among the first to begin offering, a few years ago, a security kit for its machines to encrypt and overwrite the images being scanned, so that data aren't stored on the hard disks indefinitely. Xerox Corp. said in October it would start making a similar security feature standard across all of its digital copiers.

Randy Cusick, a technical marketing manager at Xerox, said many entities dealing with sensitive information, such as government agencies, financial institutions, and defense contractors, already have policies to make sure copier disks themselves or the data stored on them are secured or not unwittingly passed along in a machine resale.

Smaller businesses and everyday consumers are less likely to know about the risk, but should, he said.

Sharp recommends that consumers take precautions, such as asking their tax preparers or the copy shops they are using about whether their copier machines have data security installed.

Google tightens privacy measures

Company promised to wrap a cloak of anonymity around search requests

SAN FRANCISCO - Google Inc. is adopting new privacy measures to make it more difficult to connect online search requests with the people making them — a move it believes could prevent showdowns with the government over the often sensitive data.

Under revisions announced late Wednesday, Google promised to wrap a cloak of anonymity around the vast amounts of information that the Mountain View-based company regularly collects about its millions of users around the world.

Google believes it can provide more assurances of privacy by removing key pieces of identifying information from its system every 18 to 24 months. The timetable is designed to comply with a hodgepodge of laws around the world that dictate how long search engines are supposed to retain user information.

Authorities still could demand to review personal information before Google purges it or take legal action seeking to force the company to keep the data beyond the new time limits.

Nevertheless, Google's additional safeguards mark the first time that a major Internet search engine has spelled out precisely how long it will hold onto data that can reveal intimate details about a person's Web surfing habits.

While Google will still retain reams of information about its users, the changes are supposed to lessen the chances that the company, a government agency or another party will be able to identify the people behind specific search requests.

Privacy experts applauded Google's precautions as a major step in the right direction.

"This is an extremely positive development," said Ari Schwartz, deputy director of the Center for Democracy and Technology. "It's the type of thing we have been advocating for a number of years."

Google is tightening its privacy standards a year after it became embroiled in a high-profile battle over the control of the user information that it had been stockpiling.

While gathering evidence for a case involving online pornography, the U.S. Justice Department subpoenaed the major search engines for lists of search requests made by their users.

While Yahoo Inc., Microsoft Corp.'s MSN and AOL all complied with parts of the legal demand, Google fought the request to protect its users' privacy. A federal judge ordered Google to turn over a small sampling of Web addresses contained in its search index, but decided the company did not have to reveal the search requests sought by the government.

In another demonstration of the privacy risks posed by search engines, Time Warner Inc.'s AOL last summer released 19 million search requests on the Internet as part of a research project. Although only sets of numbers were attached to the requests, the information was used to identify some of the people behind the AOL searches.

AOL subsequently apologized for the lapse, which triggered the resignation of its chief technology officer and the firings of two other workers.

Google and its rivals all say they keep information about their users so they can learn more about them as they strive to deliver the most relevant responses.

By purging some of the personal information from its computers, Google warned it might not be as effective at improving some services as it has been in the past. "But we believe the additional privacy provided by the change outweighs the benefit of the data we are losing," Google said.

The privacy safeguard also could make more people feel more comfortable about relying on Google, an advantage that could help the company widen its already formidable lead in the lucrative search engine market.

Protecting the sanctity of search requests should be a search engine's top priority, said Kurt Opsahl, staff attorney for the Electronic Frontier Foundation, an online civil liberties group. "You are talking about a potential treasure trove of information," he said. "A person's searches reflect their dreams, hopes and fears."

Under its new standards, Google will wipe out eight bits of the Internet protocol, or IP, address that identifies the origin of specific search requests. After the IP addresses are altered, the information will be linked to clusters consisting of 256 computers instead of just one.

Google also will depersonalize computer "cookies" — hidden files that enable Web sites to track the online preferences and travels of their visitors.

As the owner of the Internet's largest search engine, Google has been under growing pressure to adopt greater privacy controls. Regulators in Europe have been particularly vocal about their concerns.

The new measures pleased Billy Hawkes, Ireland's data protection commissioner.

"It's a very welcome development," Hawkes said. "Personal information should be held on to no longer than it has to be."

Hawkes and other privacy advocates are hoping other search engines will follow Google's lead.

Yahoo, which runs the second largest search engine, was vague about how it might respond.

"Protecting our users' privacy and maintaining their trust is paramount to us," the Sunnyvale-based company said in a statement. "Data retention practices depend largely on the diverse nature of our data as well as the practical considerations of storage costs and processing system requirements."

Most computer attacks originate in U.S.

Spam made up 59 percent of all e-mail traffic Symantec monitored

SAN JOSE, Calif. - The United States generates more malicious computer activity than any other country, and sophisticated hackers worldwide are banding together in highly efficient crime rings, according to a new report.

Researchers at Cupertino-based Symantec Corp. also found that fierce competition in the criminal underworld is driving down prices for stolen financial information.

Criminals may purchase verified credit card numbers for as little as $1, and they can buy a complete identity — a date of birth and U.S. bank account, credit card and government-issued identification numbers — for $14, according to Symantec's twice-yearly Internet Security Threat Report released Monday.

Researchers at the security software company found that about a third of all computer attacks worldwide in the second half of 2006 originated from machines in the United States. That makes the United States the most fertile breeding ground for threats such as spam, phishing and malicious code — easily surpassing runners-up China, which generates 10 percent of attacks, and Germany, which generates 7 percent.

The United States also leads in "bot network activity." Bots are compromised computers controlled remotely and operating in concert to pump out spam or perform other nefarious acts.

The legitimate owner of the computer typically doesn't know the machine has been taken over — and the phenomenon is largely responsible for the palpable increase in junk e-mail in the past half year.

Spam made up 59 percent of all e-mail traffic Symantec monitored. That's up 5 percentage points from the previous period. Much of the spam was related to stock picks and other financial scams.

The United States is also home to more than half of the world's "underground economy servers" — typically corporate computers that have been commandeered to facilitate clandestine transactions involving stolen data and may be compromised for as little as two hours or as long as two weeks, according to the report.

The study marks the first time Symantec researchers have studied the national origins of computer attacks. The report focused on attacks during the last half of 2006 on more than 120 million computers running Symantec antivirus software. The company operates more than 2 million decoy e-mail accounts designed to attract messages from around the world to identify spam and phishing activity.

Alfred Huger, vice president of Symantec Security Response, said online criminals appear to be adopting more sophisticated means of "self-policing." They're launching denial-of-service attacks on rivals' servers and posting pictures online of competitors' faces.

"It's ruthless, highly organized and highly evolved," Huger said.

One of the most startling findings: The worldwide number of bot-infected computers rose — an increase of about 29 percent from the previous six months, to more than 6 million computers total — while the number of servers controlling them plunged. The number of such "command-and-control" servers declined by about 25 percent to around 4,700.

Symantec researchers said the decrease signifies that bot network owners are consolidating to expand their networks, creating a more centralized, efficient structure for launching attacks.

Twenty-six percent of the world's bot-infected computers were in China, a higher percentage than any other country.

According to Symantec, Microsoft Corp.'s Internet Explorer was the most-targeted Web browser, attracting 77 percent of all browser attacks.

Symantec said it expects to see more threats begin to emerge against Microsoft's Vista operating system. It also expects multiplayer online games to be targeted by phishers, who fool users into divulging passwords or other personal information by creating fake Web sites that look like the real thing.

Privacy for Internet names moves forward

Proposal that would give more options to small businesses, individuals

NEW YORK - Many owners of Internet addresses face this quandary: Provide your real contact information when you register a domain name and subject yourself to junk or harassment. Or enter fake data and risk losing the name outright.

Help may be on the way as a key task force last week endorsed a proposal that would give more privacy options to small businesses, individuals with personal Web sites and other domain name owners.

"At the end of the day, they are not going to have personal contact information on public display," said Ross Rader, a task force member and director of retail services for registration company Tucows Inc. "That's the big change for domain name owners."

At issue is a publicly available database known as Whois. With it, anyone can find out the full names, organizations, postal and e-mail addresses and phone numbers behind domain names.

Hearings on the changes are expected next week in Lisbon, Portugal, before the Internet Corporation for Assigned Names and Numbers, or ICANN, the main oversight agency for Internet addresses.

Resolution, however, could take several more months or even years, with crucial details on implementation still unsettled and a vocal minority backing an alternative.

Under the endorsed proposal — some six years in the making — domain name registrants would be able to list third-party contact information in place of their own — to the chagrin of businesses and intellectual-property lawyers worried that cybersquatters and scam artists could more easily hide their identities.

"It would just make it that much more difficult and costly to find out who's behind a name," said Miriam Karlin, manager of legal affairs for International Data Group Inc., publisher of PC World and other magazines. She said she looks up Whois data daily to pursue trademark and copyright violators.

Privacy wasn't a big consideration when the current addressing system started in the 1980s. Back then, government and university researchers who dominated the Internet knew one another and didn't mind sharing personal details to resolve technical problems.

Today, the Whois database is used for much more. Law-enforcement officials and Internet service providers use it to fight fraud and hacking. Lawyers depend on it to chase trademark and copyright violators. Journalists rely on it to reach Web site owners. And spammers mine it to send junk mailings for Web site hosting and other services.

And Internet users have come to expect more privacy and even anonymity. Small businesses work out of homes. Individuals use Web sites to criticize large corporations or government officials. The Whois database, for many, reveals too much.

The requirements for domain name owners to provide such details also contradict, in some cases, European privacy laws that are stricter than those in the United States.

Registration companies generally don't check contact information for accuracy, but submitting fake data could result in missing important service and renewal notices. It also could be grounds for terminating a domain name.

Over the past few years, some companies have been offering proxy services, for a fee, letting domain name owners list the proxy rather than themselves as the contact.

It's akin to an unlisted phone number, though with questionable legal status. The U.S. government has banned proxies entirely for addresses ending in ".us," even after many had already registered names behind them.

Critics also complain that such services can be too quick or too slow — depending on whom you ask — in revealing identities under legal pressure.

"Right now there's no regulation, no accreditation, no standards," said Margie Milam, general counsel for MarkMonitor, a brand-protection firm. "Some can take weeks, which can slow down investigations."

The task force proposal, known as operational point of contact, would make third-party contacts a standard offering. Domain name owners could list themselves, a lawyer, a service provider or just about anyone else; that contact would forward important communications back to the owner.

Details must still be worked out, but the domain name registrant rather than the proxy would likely be clearly identified as the legal owner, unlike the current, vague arrangement. ICANN's staff also pressed for more clarity on to whom and under what circumstances the outside contact would have to release data.

Although that proposal received a slight majority on the Whois task force, some stakeholders including businesses and lawyers have pushed an alternative known as special circumstances. Domain name holders would have to make personal contact details available, as they do today, unless they can justify a special circumstance, such as running a shelter for battered women.

"On the whole, society is much better off having this kind of transparency and accountability," said Steven Metalitz, an intellectual-property lawyer on the task force.

ICANN's Council of the Generic Names Supporting Organization plans public hearings in Lisbon, after which it could make a recommendation or convene another task force to tackle implementation details.

Supporters of the new proposal remain hopeful that resolution is near.

"A lot of public interest groups have been waiting a long time to see if this process actually works or if it's just a charade," said Wendy Seltzer, a non-voting task force member and fellow with Harvard University's Berkman Center for Internet and Society. "If this turns out to have been for naught, you will have a lot of frustrated people."