Earlier this week, TLP reported that Australian law enforcement agencies were being given the right to secretly hack into any Australian’s Internet-connected computer and perform ‘remote searches’ in certain criminal cases.

Civil rights and free speech activists were outraged by the plan.

Now, leading Internet security vendors including Symantec (‘Norton’), Sophos and Kaspersky have stated that their security products would effectively block police hacking efforts in the same manner as they would any other attempts to breach customers’ systems.

Look for a spike in sales of Symantec (‘Norton’), Sophos and Kaspersky security suites in Australia.

The question of whether security vendors will ultimately cooperate with law enforcement agencies to allow legally-mandated hacks to bypass their security systems remains unresolved.

Adobe yesterday finally plugged a security hole in its popular Acrobat Reader (for .PDF files), a hole that had been left open for almost two months.

That delay in addressing the issue, considered excessive by many, generated a lot of criticism toward Adobe. TLP’s resident security expert, Eric Jacksch, takes a detailed look at that kafuffle in a separate story today.

In its official advisory, Adobe notes that the vulnerability had some pretty serious potential consequences…

A critical vulnerability has been identified in Adobe Reader 9 and Acrobat 9 and earlier versions. This vulnerability would cause the application to crash and could potentially allow an attacker to take control of the affected system. There are reports that this issue is being exploited.

Adobe recommends that users of Reader and Acrobat 9.0 update now to version 9.1. Updates for versions 7 and 8 should be available in about a week.

Internet security giant McAfee Inc. has announced two grants under the company’s Initiative to Fight Cyber Crime.

McAfee has pledged (US)$55,000 to the Council of Europe’s effort to fight cybercrime, announced last week, and an equal sum to the U.S. National District Attorneys Association, both grants to be, “utilized in programs to train law enforcement, prosecutors and judges on cybercrime to make a practical and measurable impact on decreasing criminal activity.”

“Cybercrime is a growing problem that negatively impacts everybody, especially in the current economic climate,” said McAfee President and CEO DeWalt. “A lot has been done to combat cybercrime over the past decade, but criminals still have the upper hand. McAfee is proud to support these two organizations to advance their efforts to make the world a safer place.”

“Much of our private life takes place on and is stored on our computers,” said Alexander Seger, head of the Economic Crime division for the Council of Europe and responsible for the Council’s global project on cybercrime. “This means that if our computers are attacked, our fundamental rights are attacked. Therefore, we need to take action against cybercrime. It is clear that McAfee shares our dedication and we thank them for this grant.”

The National District Attorneys Association represents state and local prosecutors across the United States. The NDAA is a key group in the prosecution of cyber criminals; it provides education to local constituencies and offers assistance to cyber crime victims. The NDAA will use McAfee’s grant to offer an electronic cyber crime training course for prosecutors and law enforcement across the U.S.

Researchers at Osaka University in Japan have successfully demonstrated a new hands-free headset which can not only deliver music but control a host of devices, literally with a wink of your eye.

The Mimi Switch incorporates a set of tiny infrared sensors, connected to a microcomputer, which detect equally tiny movements inside the ear canal that result from specific facial expressions.

Albert Einstein: Not controlling an iPod

“You will be able to turn on room lights or swing your washing machine into action with a quick twitch of your mouth,” inventor Kazuhiro Taniguchi told news agency AFP. “An iPod can start or stop music when the wearer sticks his tongue out, like in the famous Einstein picture. If he opens his eyes wide, the machine skips to the next tune. A wink with the right eye makes it go back.”

In fact, the Mimi Switch is completely programmable, allowing any of a long list of facial expressions to control virtually any device that accepts digital control inputs.

Taniguchi also notes that the Mimi Switch can record expression data and learn about a specific user’s twitches and facial idiosyncrasies.

While there’s an almost inexhaustible list of things the Mimi could do in the consumer electronics realm, Taniguchi is more interested in higher-level applications for his invention.

Among other assistive uses, Taniguchi sees the Mimi being employed as a multi-role remote control for the elderly or physically challenged. He even sees medical diagnostic applications for the Mimi, which can detect very small changes in the tissues and blood vessels of the ear canal.

Taniguchi says he expects it will be at least three years before Mimi technology starts to show up in retail products.

I use a lot of Adobe products. Lightroom, Photoshop, Premiere and Acrobat to name some. So, when blogs started buzzing about an Acrobat vulnerability, they grabbed my attention. And, when my distinguished colleague Larry Seltzer at eWeek.com wrote that “It May Be Time to Abandon Adobe”, I began to wonder if the sky was falling.

Adobe deserves a Colbert-style wag of the finger and I can understand why Seltzer is frustrated by the delay in obtaining a patch. But his suggestion that companies consider dumping Adobe in favour of other third-party pdf readers — that he himself admits also have a track record of security issues — just doesn’t make sense.

Let’s take a look at what happened.

In February, a vulnerability in several versions of Acrobat was discovered.  In summary, it is possible to manipulate a pdf document so that your system becomes infected when you open it or under certain circumstances, when your computer indexes it (more on that later).

Things appear to have been quiet until Feb 19th, when various security researchers and vulnerability databases picked it up.  Adobe released an advisory the same day and updated it on Feb 24th.  The advisory stated that a patch will be available on March 11th.  They worked with antivirus vendors to protect customers, released a patch and have information on their blog.

Yes, Adobe had a security defect in their code and took a few weeks to release a patch.  Yes they need to be more careful and respond faster.  But that’s only part of the story.

Aside from the overly sensationalistic and unbalanced journalism, much of the buzz had to do with the fact that, as Stevens points out in his blog post, infection can occur, “…on a Windows XP SP2 machine with Windows Indexing Services started and Adobe Acrobat Reader 9.0 installed…And the bug happens in a process running with Local System rights!”  Nasty indeed, but that is only partially Adobe’s fault.

No process interacting with user data, including an indexing service, should be running with system privileges.  It’s the type of stupidity that should cause first year computer science students — and experienced IT writers — to point their finger and laugh.  No process indexing a user’s files should have the right to change operating system files. Ideally, the process also should not be able to write to any of the files it is indexing.  It doesn’t need those privileges to do the job and it shouldn’t have them. It’s called the Principle of Least Privilege.  If the operating system was properly designed, the impact of this code defect would have been significantly decreased.

If we really want to see fewer security vulnerabilities, we need to start better architecting software and operating systems and building-in security, rather than considering it as an afterthought.  We need to design systems to tolerate code mistakes without breaching security.  It can be done but software developers won’t do it until the market demands it.

Or, I guess you could just take Seltzer’s advice. Dump Adobe, and move to Foxit. That product hasn’t had a security vulnerability announced in two days. And look, it’s the same issue as Adobe. Or take Seltzer’s advice and try Sumatra PDF, an open source solution that has about 200 open defects, some of which are from 2007.

Adobe may not be perfect and the company could have reacted faster. But put away the pitch forks. Or, at least, aim them in the right direction.

The compact disk is officially 30 years old this week. And, thanks to the rampaging popularity of its successor, the DVD, the CD is celebrating quietly, at home, with close friends and family…

But, as popular gadget blog Gizmodo quips, “Compact discs weren’t always impromptu drink coasters. Once, in the not-so-distant past, they played music, contained pictures, and let people play video games…”

Some trivia:

  • The CD was (literally) spun off from the laserdisc by researchers and engineers at Philips in the Netherlands.
  • It didn’t get much notice, much less catch on, though, until Philips and Sony partnered to promote the new ‘standard’.
  • The first music album released on CD was Billy Joel’s 52nd Street (which the vast majority of fans nevertheless bought on vinyl, at that very early date).

Whatever else you might say about CDs, you have to admit that they made digital media applications not only possible but commonplace for consumers. And the studio-rivalling quality of CDs started a decades-long debate about copy protection, which has since spread to the Internet and is now referred to, more broadly, as ‘digital rights management’.

And, glued back to back, with a hole drilled through near the outer edge for a thread or ribbon, they make wonderful, glimmery Christmas tree ornaments!

British YouTube fans will no longer be able to view music videos on the popular site. At least, for now.

Talks broke down yesterday between YouTube and British royalty-collecting agency PRS for Music on a deal that would have let YouTube continue to deliver music videos royalty-free to UK users.

“Our previous license from PRS for Music has expired, and we’ve been unable so far to come to an agreement to renew it on terms that are economically sustainable for us,” YouTube’s parent, Google, said, in a statement.

PRS for Music wasn’t at all happy with Google’s decision to simply block music videos to PRS’s primary market.

“Google has told us they are taking this step because they wish to pay significantly less than at present to the writers of the music on which their service relies, despite the massive increase in YouTube viewing,” the group said, in a statement of its own.

Google’s decision to block music vids to British users is not seen as final, though. Both sides say they hope the dispute can be resolved quickly.

Cloth diapers are nothing new. Neither are cloth table napkins and handkerchiefs. But how do you feel about reusable cloth toilet wipes?

Wallypop.net, of Des Moines, IA, has them. And lots of other reusable products that support a ‘natural lifestyle’.

Reusable toilet wipes have myriad advantages over the conventional paper variety, as the Wallypop Web site explains…

For one, it’s a lot more comfortable and soft on your most delicate body parts. It’s also more economical, uses less paper, and saves you those late-night trips to the store. And cloth wipes can be used wet without any of the sopping disintegration that regular toilet paper is prone to.

A ‘discussion of the practical aspects’ of using cloth toilet wipes is also thoughtfully provided. A ‘wet bag’ (like a diaper bag), to store soiled wipes, is available at additional cost.

Wallypop Family Wipes start at (US)$11 per dozen for the basic, cotton model. Check out the Wallypop site for a vast selection of personal and household products you might not previously have thought of as ‘reusable’.

In the shadow of a controversial government program to filter the Web content that Australian Internet users can access, the Australian government has proposed another new regulation allowing police there to hack into any computer in the country, covertly, to spy on users.

The measure would allow warrants for ‘covert searches’ to be issued in investigations involving any Australian criminal offense punishable by seven or more years imprisonment.

The kicker is, police could apply to have the ‘searches’ kept secret for up to three years. And police would also have the power to ‘search’ any other computers at the same location, on the same network.

“This could include cracking codes and searching computers for evidence of child porn, drug running, and money laundering,” Premier Nathan Rees explained.

The Australian move comes in the wake of news earlier this year that the UK government had joined a European Union initiative which would extend police powers to allow remote searches of computers.

Needless (perhaps) to say, civil rights advocates both in Europe and Australia are mounting efforts to oppose the new regulations which they claim amount to a wholesale invasion of privacy.

Back in the fall I started work on a virtualization project.  I’ll write more about it in some future articles, but in terms of background, I wanted to build a VMWare ESX-based system to make testing software products easier.  ESX is a server virtualization product that allows me to run multiple virtual machines on one physical box.  If, for example, I need to test a product on Windows XP, I can simply boot up XP and install it.  ESX also provides snapshot capability.  For example, I can snapshot a virgin XP installation, install and test software, and then revert back to the snapshot when I’m done.

If you’re going to play with virtualization, you need a lot of disk space, and it must be reliable.  In a production environment, when you consolidate servers you also increase the impact if one physical server goes down.  In a test environment, you risk spending a lot of time reinstalling operating systems if a hard drive crashes.

The answer, of course, is a RAID array.  I won’t go into the technical details (you can read all about it on Wikipedia), but in summary a RAID system uses several drives to create a larger, fault-tolerant logical drive.  There are quite a few RAID products available.  Some motherboards include RAID capability, and you can purchase various RAID controller cards for desktops and servers.  However, as many who have tried ESX will tell you, only some RAID controllers are supported.  Plug in one that isn’t, and it either doesn’t work or ESX sees each drive as a separate drive.

So we turned to the leader in RAID controllers:  LSI Corporation in Milpitas, California.  They very kindly sent over a MegaRAID SAS 8708EM2 to help us out.

The card plugs into a PCIe slot and will handle up to 8 SATA hard drives.  My test machine’s motherboard was about two years old, but fortunately had on-board video, leaving the full-size PCIe slot empty.  I plugged in the MegaRAID card, connected it to three 1 TB hard drives, and fired it up.  I first tried the card’s built-in configuration GUI, but it wouldn’t work.  (I later confirmed that the problem was entirely due to the old desktop-class motherboard I was using.)  I rebooted the system, selected the command-line interface instead and within a few minutes I had the three drives in a RAID 5 configuration.  Then I rebooted, installed VMWare ESXi, and the performance can only be described as flawless.

If you haven’t used lower-end RAID controllers, it’s hard to appreciate what a good one will do for you.  For example, in days gone by I’ve rebooted my desktop PC only to have another vendor’s RAID controller decide that it needed to rebuild a mirrored drive (RAID level 1) by copying 250 GB of data — before allowing the boot to continue.  Creating the RAID array with some controllers is also just as slow.

In sharp contrast, once I configured the LSI product, I simply rebooted the machine and never looked back.  Because VMWare fully supports the LSI controller, I can see the status of the individual drives from within the VMWare admin software.

The LSI MegaRAID SAS 8708EM2 has a number of features that I haven’t had the opportunity to test.  For example, it can automatically rebuild hot spare drives and allows online RAID level migration and online capacity expansion.  So when I run out of space, I should be able to plug in another few drives and either add them to the existing array or create another.

I recently migrated to a brand new Intel DX48BT2 motherboard (more on that product in a subsequent article) with two full-size PCIe slots.  I put a video card in one, the LSI MegaRAID in the other, booted, entered the GUI, and was reassured that my RAID array was still intact.  LSI’s flawless performance continued through the hardware migration.

I’ve had the opportunity to use a number of different RAID products over the years.  In summary, the LSI MegaRAID SAS 8708EM2 is simply the best that I’ve seen.  If you’re building a server or high-end desktop and need reliable disk storage, look no further.

Apparently so. Bell Canada last week announced it has agreed to acquire national consumer electronics retailer The Source. The Source (formerly Radio Shack) was orphaned by the bankruptcy late last year of the U.S. Circuit City empire.

In addition to its current lineup of consumer electronics products, The (new) Source will carry the full array of Bell consumer services at its more than 750 stores across Canada, including Bell Mobility, Solo Mobile and, potentially, Virgin Mobile wireless products and services, Bell TV’s High Definition television services, Bell Internet and Bell Home Phone products, by January 2010.

The Source will continue to operate at arm’s length from Bell following its acquisition. No word if Bell will close any existing Bell Mobility stores in malls where there’s also a Source. But we bet they’re taking a hard look at anything that will help save money, in the current economic climate.

The European Union has started its official process to consider all sides of the Net Neutrality question. As we might expect, myriad lobbyists have descended on European Commission headquarters in Brussels to make their respective points.

Net Neutrality has more to do with network traffic management than content censoring, but the two concepts do overlap.

Net Neutrality is, essentially, the position that Internet providers and network operators should not engage in traffic management — particularly the practices known as ‘traffic shaping’ and ‘throttling’ — limiting users’ abilities to literally download unlimited amounts of data via their ‘unlimited’ access accounts.

Traffic management is already in use by many major ISPs, because problems caused by a few intensive users abusing the collective bandwidth are already acute. AOL last fall revealed that just five per cent of its total users routinely tie up almost 50 per cent of its overall network capacity. What are they doing? Mostly, sharing tons of movies and other videos, huge files which require huge amounts of network capacity to transfer.

Canada’s Canadian Radio-television and Telecommunications Commission (CRTC) will officially address Net Neutrality issues in hearings this July. Pre-hearing submissions closed late last month. The U.S. will also hold Net Neutrality hearings later this year. Observers say other governments may well take their lead from the outcome of the European Commission process, which will govern policies and regulations in all the EU member nations and constitutes the major regulatory force in Europe.