Microsoft Must Show Source

From Dan Gillmor’s Weblog

Reuters: Judge says Microsoft must give states Windows code. Microsoft had tried to argue that the states’ request for the code, made Tuesday, came too late before hearings due to begin next month on whether additional sanctions should apply to the company for violating U.S. antitrust laws.

The judge did the right thing. Microsoft insists that removing IE from Windows would irrevocably screw up the OS. Without access to the source, who can tell?

Microsoft could have made IE in a way that plugged into the operating system. It chose to mingle the code to ensure that IE was “an integral part” of the OS. Maybe we’ll find out, one of these days, how good a job the company did in its anticompetitive act.

Dave Winer on how “things are really weird in Silicon Valley. The Good Earth in Palo Alto, one of the icons of our culture, shut down. That’s where I had dinner with Doug Engelbart, and lots of other cool people who call this place home. Up and down University Ave, the main commercial street of Palo Alto and Stanford University, are For Lease signs. Niehaus-Ryan, one of the highest flying PR firms of the Dotcom Boom, shut down last week. I read Nick Denton’s essay on what a stinky place this is, and while I share some of his snobbish attitude (I’m from NY) I look forward to the day when the carpetbaggers who came here seeking unearned fortune, go home. They fucked this place bigtime. Even as they leave they fuck us. Poor manners. I can’t afford to be so cavalier, because I am invested, with a company that’s based here, and I own a house and some land.” [Scripting News]

Simon Hoggart, writing in today’s Guardian, brings up the old joke about Herbert Morrison, Peter Mandelson’s grandfather and a Labour BigFoot in the immediate post-war years. Overhearing someone say that Morrison was ‘his own worst enemy’, Ernest Bevin, Foreign Secretary in the Attlee government, snapped: “Not while I’m alive, he isn’t.”

Snooping costs could put UK ISPs out of business

BBC Online story.

“Extensive snooping laws could put internet service providers out of business, an expert has warned.

Tim Snape, an influential member of the Internet Service Providers’ Association (ISPA), said the law would drive up costs.

He was speaking at ISPCON, a conference for the internet industry held in London this week.”

More extensions of the DMCA

Wired story.

“The DMCA was intended to protect copyright owners who took technical steps to ‘lock up’ their content,” said von Lohmann. “But Sony PlayStation 1 games are not locked up. There is no encryption on these game CDs. That’s not stopping Sony from invoking the DMCA against PlayStation 1 mod chips. I guess when you’ve got the big hammer of the DMCA, everything starts looking like a nail.”

John Casey, writing in the Daily Telegraph about the late Princess Margaret, says: “There have been no really juicy royal scandals since the early 19th century and George IV, which is why the press has had to make what it could out of marriage break-ups – experienced by about a third of the married population anyway – occasional gaffes, and a few cases of minor royals exploiting their status to earn an honest thousand or two.”
Seems that the good Dr. Casey somehow missed out the Abdication of a reigning monarch in the 1930s, not to mention said ex-monarch’s infatuation with the Nazis.

Remember Oracle’s ludicrous ads about their ‘unbreakable’ database product? Bruce Schneier was predictably unimpressed:
‘Last November, Oracle started touting its security with an “Unbreakable” ad campaign and the slogan: “Oracle9i. Unbreakable. Can’t break it. Can’t break in.” This was a ludicrous claim then, but I decided to wait until it was actually broken before writing about it.

Well, it’s been broken. In several places. Using some pretty basic attacks. Unbreakable, it’s not.

On the one hand, I (and most people reading this newsletter) always knew that. We knew that the claims were exaggerated. We knew that the Oracle marketing department was lying. But it’s a sad commentary on the state of security discourse that Oracle wasn’t immediately laughed out of the room. Oracle9i won’t ever be unbreakable, unless the company makes some major changes in the way they design and develop software.

On the other hand, maybe it’s not just hubris. Maybe Oracle management actually believed that their product was unbreakable. Maybe they’re that clueless about security. If that’s the case, the problems run deeper than they look. The problem with believing your product is unbreakable is that you don’t bother to secure it in depth. If you think your walls are impenetrable, you’re not going to bother with guards and alarms and anything else. This is the case with Oracle9i. The attacks completely take over the database. Once the attacker has broken the “unbreakable” security, there’s nothing else to stop him.

In their backpedaling, Oracle has said that “unbreakable” didn’t mean what normal people take the word to mean. Oracle’s security chief, Mary Ann Davidson, claims that the campaign “speaks to” fourteen independent security evaluations that Oracle’s database server passed. This, to me, is the real story here. What good is a security evaluation, what good are FOURTEEN different security evaluations, if none of them can catch something as trivial as a buffer overflow? Security is hard. Think of a chain; any single weak link can break the chain. Buffer overflows are an obvious link: easy to avoid, easy to test for, easy to fix. Catching all buffer overflows doesn’t make your software secure; it’s the price of admission. The hard stuff is really hard.

So, I tried to find the fourteen independent security evaluations. I wanted to make fun of them: “Look at the fourteen security evaluations that don’t even guarantee buffer-overflow-free code.” Unfortunately, I could only find five: TCSEC, ITSEC, Common Criteria, Russian Criteria, and FIPS 140-1. Oracle marketing turned five into fourteen by counting multiple levels of TCSEC and ITSEC as independent security evaluations, and counting identical evaluations of different Oracle products as independent security evaluations. I don’t know about you, but when I hear “fourteen different,” I don’t think it means “five different, some of them multiple times with different products or different levels.” Seems like Oracle has trouble with math as well as with English.

“Unbreakable” has a meaning. It means that it can’t be broken. It doesn’t mean “Unbreakable, except by people who know how to break things.” It doesn’t mean “Passes five or so questionable security evaluations, but is still vulnerable to buffer overflows.” I don’t care who Larry Ellison is; he can’t rewrite the dictionary.’

Bill Gates did a cameo appearance in tonight’s Frasier. He comes on to Frasier’s radio show ostensibly to be interviewed by the host, but the switchboard is immediately deluged with callers wanting to talk to Gates about XP, multi-media players etc. — and of course Billg delightedly takes them on, leaving Frasier fuming at having been thus sidelined. Neat!