Wednesday, August 27, 2008

Introducing Ubiquity

An experiment into connecting the Web with language.

It Doesn’t Have to be This Way

You’re writing an email to invite a friend to meet at a local San Francisco restaurant that neither of you has been to. You’d like to include a map. Today, this involves the disjointed tasks of message composition on a web-mail service, mapping the address on a map site, searching for reviews on the restaurant on a search engine, and finally copying all links into the message being composed. This familiar sequence is an awful lot of clicking, typing, searching, copying, and pasting in order to do a very simple task. And you haven’t even really sent a map or useful reviews—only links to them.

This kind of clunky, time-consuming interaction is common on the Web. Mashups help in some cases but they are static, require Web development skills, and are largely site-centric rather than user-centric.

It’s even worse on mobile devices, where limited capability and fidelity make this onerous or nearly impossible.

Most people do not have an easy way to manage the vast resources of the Web to simplify their task at hand. For the most part they are left trundling between web sites, performing common tasks resulting in frustration and wasted time.

Enter Ubiquity

Today we’re announcing the launch of Ubiquity, a Mozilla Labs experiment into connecting the Web with language in an attempt to find new user interfaces that could make it possible for everyone to do common Web tasks more quickly and easily.

The overall goals of Ubiquity are to explore how best to:

  • Empower users to control the web browser with language-based instructions. (With search, users type what they want to find. With Ubiquity, they type what they want to do.)
  • Enable on-demand, user-generated mashups with existing open Web APIs. (In other words, allowing everyone–not just Web developers–to remix the Web so it fits their needs, no matter what page they are on, or what they are doing.)
  • Use trust networks and social constructs to balance security with ease of extensibility.
  • Extend the browser functionality easily.

Learn more about Ubiquity and the capabilities that it could provide for users and developers.

The Initial Prototype

As part of this announcement, we’re also releasing an early experimental prototype to demonstrate some of the concepts of Ubiquity and the possibilities that it opens up. This release is meant as an illustration of a concept and mainly focuses on the platform. The next release will explore interfaces that are closer to features that might make it into Firefox.

Install the prototype and you’ll be presented with a tutorial to get you started.

Ubiquity 0.1

  • Lets you map and insert maps anywhere; translate on-page; search Amazon, Google, Wikipedia, Yahoo, YouTube, etc.; digg and twitter; look up and insert Yelp reviews; get the weather; syntax-highlight any code you find; and a lot more. Use Ubiquity’s “command list” command to see them all.
  • Find and install new commands to extend your browser’s vocabulary through a simple subscription mechanism
  • Read about Ubiquity In Depth, or see a number of the commands in action (with screenshots) in the Ubiquity Tutorial.

All of the code underlying the Ubiquity experiment is being released as open source software under the GPL/MPL/LGPL tri-license.

This illustrates the kinds of language-based services Ubiquity hopes to inspire people to create:

This is a screenshot of Ubiquity’s current map functionality:

Influences, References, and Background Resources

For a full list, see the credits page.

Get Involved

Mozilla Labs is a virtual lab where people come together online to create, experiment and play with Web innovations for the public benefit. The Ubiquity experiment is still in its infancy and just getting started. There are many ways to join the team and get involved:

We’ve also started compiling a suggestion list for possible Ubiquity commands. If you have any suggestions, add them here or get inspired and develop one of them and add them to the command repository.


Facebook Hits 100 Million Users

Fast growing social network Facebook has hit the 100 million users mark, according to a statement today by Dave Morin, the company's Senior Platform Manager.
How does that compare to MySpace's ascent? A guy named Rick appears to have become MySpace's 100 millionth registered user in 2006. MySpace took 3 years after launch to hit that magic number; for Facebook it took 4 years and 6 months.


The first years of MySpace were characterized by music and spam, while Facebook's beginnings were in college parties and drama. That drama continues today. For example, the company reports that only 20% of its 100 million users have visited the dramatically redesigned version of the site by clicking on a button at the top of their screen in recent weeks. Facebook users don't like change.

The company wants to spin the 20% number as a positive embrace of the changes (and the ordinarily fabulous Eric Eldon at Venture Beat buys that spin for some reason) but in fact it fits in the history of conflict between Facebook and its users.

Innovation and Monetization

Nonetheless, the site is growing by leaps and bounds. 100 million registered users probably includes a substantial number of regularly active users. Now if only the company could figure out how to monetize those numbers as well as they'd like.

We believe they will probably figure it out. More interesting to us is watching Facebook develop its feature set, leading then falling behind in innovation. 100 million registered users is a lot of people to innovate with.

Unfortunately for Facebook, sometimes it seems that those people are not interested in innovation or monetization - they just want to communicate with each other. I guess when you call yourself a "utility" some people expect you to remain unexciting.


Lasers Could Send World's Most Secure Messages Through Space

New experiments using Heisenberg's uncertainty principle extend the range of quantum cryptography, an advanced method of communicating in unbreakable code.


Almost everyone forgets a Web site password once in a while. When you do, you click on the familiar "Forgot your password?" link and, after entering your pet's name, identifying your high school mascot or answering some other seemingly obscure questions, you can get back into your account.

But there's a problem: A criminal can do that, too. With the help of social networking sites like Facebook and MySpace, personal trivia is getting less obscure all the time. You’d be surprised how easily someone can uncover Fido's name or your alma mater with a little creative searching.

Some security researchers are beginning to sound the alarm about "password resetting" tools, suggesting they could be the weakest link in Web security.

As an experiment, Herbert Thompson, chief security strategist of People Security, recently asked a few friends for permission to "hack" into their bank accounts. Using only information gathered from Web sites, Thompson found his way in within minutes.

"This is a serious problem. It kind of blew me away," Thompson said.

Here’s what Thompson did. Using only one friend’s name and place of employment, he found her blog and résumé. That provided a font of information on her grandparents, pets, hometown and more. He then visited her bank’s Web site, where her user name was simply her first initial and last name. He asked for a password reset. The bank sent an e-mail with that information to her Web mail account. Thompson then asked for a password reset there, which sent a link to her old college e-mail account. There, Thompson needed only to supply the woman’s address, zip code, and birth date. Once successfully in the college account, Thompson hacked his way into the Web mail account (supplying her birthplace and father’s middle name) and ultimately entered her bank account by supplying her pet’s name.

“I did this a couple of times. But the scariest thing would be someone doing this with some scale,” Thompson said. A more detailed description of his romp through someone else's identity can be read on the Scientific American Web site.

There are no known cases in which hackers have widely exploited “forgot your password” links, but there are indications that both researchers and criminals are training their eyes in this direction. Markus Jakobsson, principal scientist at the famed Palo Alto Research Center in California, said answers to password reset questions have become so valuable that a black market has developed for personal information like dogs' names. Criminals buy buckets of personal information, obviously with an eye towards foiling security systems, for about $15 per set, he said.

In most cases, such information sets are probably the result of successful phishing attempts, Jakobsson said, where a victim unwittingly supplied personal information in response to an e-mail. But he’s seen demonstrations of far more sophisticated tools designed to “scrape” information off blogs and social networking pages for later use by hackers.

“It’s an automatic dossier building tool,” he said.

Like Paris Hilton
Questions about hacking through password resets have been raised before. When Paris Hilton's cell phone was famously hacked in 2005, some tech sites reported that criminals simply used her dog's name, easily found online, to break in. That theory was later discredited, but it likely sent criminals scurrying to find famous people's dogs' names.

It also prompted researchers to study the issue, which is also known as “fallback authentication.” Ariel Rabkin, a researcher at the University of California at Berkeley, is probably the first to attempt to quantify the problem. He recently published a research paper (PDF) titled in part, “Security Questions in the Era of Facebook.” It examined password reset questions at 20 banks. Of the 215 questions used by the banks, he classified only 75 as secure and usable. The others were either easy for hackers to guess or obtain, or simply too hard for consumers to remember.

"Security questions are getting weaker over time," he said. Mother's maiden name, for example, continues to be asked even though it's often now available from various online sources. "We can’t seem to get rid of that question. … If we do nothing this will get steadily worse."

In some situations, statistics give the criminal an advantage. For example, data published by some U.S. cities indicated about 1 percent of the nation’s dogs are named “Max,” making that a pretty good guess for a criminal trying to break into thousands of bank accounts. When a bank asks consumers who their favorite president was, it rarely takes more than two guesses, Rabkin said.
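To make Rabkin’s “secure and usable” classification and the “Max” statistic above concrete, here is an added example (not code or data from the article or from Rabkin’s paper) that scores a reset question from a sample of the answers it collects: the share of the most common answer, the min-entropy that implies, and the fraction of accounts an attacker would open by trying only the top few answers against every account. The answer samples, the 3-guess lockout and the 0.1% tolerance are constructed assumptions.

```python
"""Score fallback-authentication questions by how guessable their answers are.

Added example for the article above; the samples are constructed, not survey
or bank data. The security-relevant measure is not how many distinct answers
exist but how concentrated they are: an attacker working across thousands of
accounts tries the most common answer everywhere and never needs to know
any one person's pet.
"""
from collections import Counter
from math import log2


def answer_distribution(answers):
    """Map each normalised answer to its share of the collected answers."""
    counts = Counter(a.strip().lower() for a in answers)
    total = sum(counts.values())
    return {answer: c / total for answer, c in counts.items()}


def min_entropy_bits(dist):
    """-log2(p_max): strength against an attacker who tries the single most
    common answer. (Shannon entropy would overstate strength here, because a
    long tail of rare answers does not protect the 1% who answered 'Max'.)"""
    return -log2(max(dist.values()))


def success_rate(dist, guesses):
    """Fraction of accounts opened by trying the `guesses` most common answers
    against each account, i.e. before a lockout after `guesses` failures."""
    return sum(sorted(dist.values(), reverse=True)[:guesses])


def expected_compromised(dist, accounts, guesses):
    """Expected number of accounts opened across a population of `accounts`."""
    return accounts * success_rate(dist, guesses)


def classify(dist, lockout_guesses=3, max_rate=0.001):
    """'weak' if an attacker allowed `lockout_guesses` attempts per account
    opens more than `max_rate` of accounts. Both thresholds are assumptions
    chosen for this example, not values from the article."""
    return "weak" if success_rate(dist, lockout_guesses) > max_rate else "acceptable"


def summarise(answers, accounts=10_000, lockout_guesses=3):
    """Collect the scores a reviewer would want for one question."""
    dist = answer_distribution(answers)
    return {
        "distinct_answers": len(dist),
        "min_entropy_bits": round(min_entropy_bits(dist), 2),
        "success_rate": round(success_rate(dist, lockout_guesses), 4),
        "expected_compromised": round(expected_compromised(dist, accounts, lockout_guesses)),
        "verdict": classify(dist, lockout_guesses),
    }


# Constructed samples (not real data).
# "First pet's name": 1,000 answers, 1% say Max, a few other names repeat,
# the remaining 975 are unique.
DOG_ANSWERS = ["Max"] * 10 + ["Buddy"] * 8 + ["Bella"] * 7 + [f"dog{i}" for i in range(975)]
# "Favourite president": 100 answers concentrated on two names.
PRESIDENT_ANSWERS = (["Lincoln"] * 45 + ["Washington"] * 25 + ["Reagan"] * 15
                     + ["Kennedy"] * 10 + ["Roosevelt"] * 5)
# A question whose sampled answers are all distinct (the best case for the
# attacker-side measure; memorability is a separate problem this code ignores).
UNIQUE_ANSWERS = [f"teacher{i}" for i in range(5000)]

if __name__ == "__main__":
    for label, answers in [("first pet", DOG_ANSWERS),
                           ("favourite president", PRESIDENT_ANSWERS),
                           ("kindergarten teacher", UNIQUE_ANSWERS)]:
        print(label, summarise(answers))
```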

Even if the questions are more personal, and even if the subject doesn’t have their own blog, others might blog about their dog, car or high school. And search engines can easily unearth such minutiae.

“There is an arms race here between people who are trying to ask obscure questions about (us) and people who are trying to answer obscure questions about (us),” Rabkin said.

Not a bad idea
Thompson, the People Security expert, said that asking “challenge” questions with so-called “out of wallet” answers – questions that even a criminal who stole your wallet couldn’t answer – once was a secure way to confirm someone’s identity.

“If you think about it, 10 years ago this didn’t seem like a horrible idea, to ask for someone’s personal information,” he said. “You could say, ‘It’s probably unlikely that someone will know all of this information about me, or spent the time necessary to gather it.’ But now it’s really easy for someone who's never met you to know all this about you.”

Coming up with secure challenge questions is no easy task. There are two problems to consider: The question must be difficult for a stranger to answer but it also must be easy enough so the customer doesn't forget. Quick: What's your kindergarten teacher's name? Was it McFadden or MacFadden or Mcfadden?

“In some cases, it’s easier for an attacker with good data mining skills than the real person to answer these questions,” Jakobsson said. He is hard at work developing a new solution, one which relies on the answers to “preference” questions rather than fact-based personal questions. A consumer who requests a password reset might be confronted with questions like, “Do you like antique stores?” or “Do you like opera?”

Asking 16 questions like these would provide positive identification in better than 99 percent of cases, he said. “And preferences are rarely stored in databases.” (More on this idea can be found at

Rabkin is all for addressing the problem of forgotten passwords, but he is careful not to exaggerate it. In addition to the lack of proof that any widespread forgotten-password hacking has occurred, he says banks have multiple systems in place to prevent thefts from online services. When a password reset is initiated, for example, banks automatically set a red flag on an account and watch it for suspicious behavior. Any large transactions following soon after would surely be stopped, he said.

“The problem is not as bad as you think,” he said. “It’s not so easy to match up a pet name from Facebook with another database of login names and another database of Social Security numbers,” and use that to withdraw cash, he said.

Still, there is another problem associated with the importance of personal questions in security. A consumer who falls for an extensive phishing e-mail or has their blog copied by a hacker may find it nearly impossible to navigate the digital world in the future. How would such a person ever reclaim a password or otherwise authenticate their identity?

“It would be incredibly difficult to recover from something like that,” Thompson said. “You can't really change your mother’s maiden name or these other things.”

Researchers like Jakobsson are looking for new ways to authenticate consumers. One obvious area of potential is biometrics. The chief criticism of this technology, which uses people’s eyes, fingerprints, etc., to verify their identity, is the “doomsday” possibility that once such information is compromised, it could never be trusted again. You can’t change irises, for example. But Thompson points out that the same is true for personal information such as your first pet’s name or your mother’s middle name. While biometrics has potential flaws, new systems will soon be necessary, Thompson said.

Of course, these security enhancements are still in the future, so for now, consumers must fend for themselves. When answering password recovery questions while registering for online banking and other Web sites, don’t always pick the most obvious question. Consider what someone might be able to find about you on your blog. Better yet, consider not disclosing any personal information on your blog.

Alfred Huger, a security researcher at Symantec Corp., offers this suggestion: Some sites now allow consumers to make up their own question. While that might be a hassle, it’s probably much more secure. Again, think of a question only you can answer, and something that’s unlikely to be in any database. That probably means the name of your first girlfriend or boyfriend won’t cut it.


Revealed: The Internet's Biggest Security Hole

By Kim Zetter

Two security researchers have demonstrated a new technique to stealthily intercept internet traffic on a scale previously presumed to be unavailable to anyone outside of intelligence agencies like the National Security Agency.

The tactic exploits the internet routing protocol BGP (Border Gateway Protocol) to let an attacker surreptitiously monitor unencrypted internet traffic anywhere in the world, and even modify it before it reaches its destination.

The demonstration is only the latest attack to highlight fundamental security weaknesses in some of the internet's core protocols. Those protocols were largely developed in the 1970s with the assumption that every node on the then-nascent network would be trustworthy. The world was reminded of the quaintness of that assumption in July, when researcher Dan Kaminsky disclosed a serious vulnerability in the DNS system. Experts say the new demonstration targets a potentially larger weakness.

"It's a huge issue. It's at least as big an issue as the DNS issue, if not bigger," said Peiter "Mudge" Zatko, noted computer security expert and former member of the L0pht hacking group, who testified to Congress in 1998 that he could bring down the internet in 30 minutes using a similar BGP attack, and disclosed privately to government agents how BGP could also be exploited to eavesdrop. "I went around screaming my head about this about ten or twelve years ago.... We described this to intelligence agencies and to the National Security Council, in detail."

The man-in-the-middle attack exploits BGP to fool routers into re-directing data to an eavesdropper's network.

Anyone with a BGP router (ISPs, large corporations or anyone with space at a carrier hotel) could intercept data headed to a target IP address or group of addresses. The attack intercepts only traffic headed to target addresses, not from them, and it can't always vacuum in traffic within a network -- say, from one AT&T customer to another.

The method conceivably could be used for corporate espionage, nation-state spying or even by intelligence agencies looking to mine internet data without needing the cooperation of ISPs.

BGP eavesdropping has long been a theoretical weakness, but no one is known to have publicly demonstrated it until Anton "Tony" Kapela, data center and network director at 5Nines Data, and Alex Pilosov, CEO of Pilosoft, showed their technique at the recent DefCon hacker conference. The pair successfully intercepted traffic bound for the conference network and redirected it to a system they controlled in New York before routing it back to DefCon in Las Vegas.

The technique, devised by Pilosov, doesn't exploit a bug or flaw in BGP. It simply exploits the natural way BGP works.

"We're not doing anything out of the ordinary," Kapela told "There's no vulnerabilities, no protocol errors, there are no software problems. The problem arises (from) the level of interconnectivity that's needed to maintain this mess, to keep it all working."

The issue exists because BGP's architecture is based on trust. To make it easy, say, for e-mail from Sprint customers in California to reach Telefonica customers in Spain, networks for these companies and others communicate through BGP routers to indicate when they're the quickest, most efficient route for the data to reach its destination. But BGP assumes that when a router says it's the best path, it's telling the truth. That gullibility makes it easy for eavesdroppers to fool routers into sending them traffic.

Here's how it works. When a user types a website name into his browser or clicks "send" to launch an e-mail, a Domain Name System server produces an IP address for the destination. A router belonging to the user's ISP then consults a BGP table for the best route. That table is built from announcements, or "advertisements," issued by ISPs and other networks -- also known as Autonomous Systems, or ASes -- declaring the range of IP addresses, or IP prefixes, to which they'll deliver traffic.

The routing table searches for the destination IP address among those prefixes. If two ASes deliver to the address, the one with the more specific prefix "wins" the traffic. For example, one AS may advertise that it delivers to a group of 90,000 IP addresses, while another delivers to a subset of 24,000 of those addresses. If the destination IP address falls within both announcements, BGP will send data to the narrower, more specific one.

To intercept data, an eavesdropper would advertise a range of IP addresses he wished to target that was narrower than the chunk advertised by other networks. The advertisement would take just minutes to propagate worldwide, before data headed to those addresses would begin arriving at his network.

The attack is called an IP hijack and, on its face, isn't new.

But in the past, known IP hijacks have created outages, which, because they were so obvious, were quickly noticed and fixed. That's what occurred earlier this year when Pakistan Telecom inadvertently hijacked YouTube traffic from around the world. The traffic hit a dead-end in Pakistan, so it was apparent to everyone trying to visit YouTube that something was amiss.

Pilosov's innovation is to forward the intercepted data silently to the actual destination, so that no outage occurs.

Ordinarily, this shouldn't work -- the data would boomerang back to the eavesdropper. But Pilosov and Kapela use a method called AS path prepending that causes a select number of BGP routers to reject their deceptive advertisement. They then use these ASes to forward the stolen data to its rightful recipients.

"Everyone ... has assumed until now that you have to break something for a hijack to be useful," Kapela said. "But what we showed here is that you don't have to break anything. And if nothing breaks, who notices?"

Stephen Kent, chief scientist for information security at BBN Technologies, who has been working on solutions to fix the issue, said he demonstrated a similar BGP interception privately for the Departments of Defense and Homeland Security a few years ago.

Kapela said network engineers might notice an interception if they knew how to read BGP routing tables, but it would take expertise to interpret the data.

A handful of academic groups collect BGP routing information from cooperating ASes to monitor BGP updates that change traffic's path. But without context, it can be difficult to distinguish a legitimate change from a malicious hijacking. There are reasons traffic that ordinarily travels one path could suddenly switch to another -- say, if companies with separate ASes merged, or if a natural disaster put one network out of commission and another AS adopted its traffic. On good days, routing paths can remain fairly static. But "when the internet has a bad hair day," Kent said, "the rate of (BGP path) updates goes up by a factor of 200 to 400."

Kapela said eavesdropping could be thwarted if ISPs aggressively filtered to allow only authorized peers to draw traffic from their routers, and only for specific IP prefixes. But filtering is labor intensive, and if just one ISP declines to participate, it "breaks it for the rest of us," he said.

"Providers can prevent our attack absolutely 100 percent," Kapela said. "They simply don't because it takes work, and to do sufficient filtering to prevent these kinds of attacks on a global scale is cost prohibitive."

Filtering also requires ISPs to disclose the address space for all their customers, which is not information they want to hand competitors.

Filtering isn't the only solution, though. Kent and others are devising processes to authenticate ownership of IP blocks, and validate the advertisements that ASes send to routers so they don't just send traffic to whoever requests it.

Under the scheme, the five regional internet address registries would issue signed certificates to ISPs attesting to their address space and AS numbers. The ASes would then sign an authorization to initiate routes for their address space, which would be stored with the certificates in a repository accessible to all ISPs. If an AS advertised a new route for an IP prefix, it would be easy to verify if it had the right to do so.

The solution would authenticate only the first hop in a route to prevent unintentional hijacks, like Pakistan Telecom's, but wouldn't stop an eavesdropper from hijacking the second or third hop.
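The two mechanisms described above, longest-prefix selection (which is what lets a narrower announcement draw the traffic) and the registry-issued route authorizations that let a router check whether an AS may originate a prefix, as an added example in Python; this is not code from Pilosov, Kapela, Kent or BBN. The prefixes, AS numbers and authorizations are constructed from documentation ranges, and signature verification on the authorizations is assumed to have been done by the repository.

```python
"""Longest-prefix route selection and origin validation for BGP announcements.

Added example for the article above (not the researchers' code). It models:
  1. the router behaviour the text describes: among announcements covering a
     destination, the most specific prefix wins, so a more-specific
     announcement from an unauthorized origin captures the traffic;
  2. the first-hop check described for the registry scheme: a signed route
     authorization names the prefix, the longest allowed sub-prefix and the
     AS permitted to originate it, so the bogus more-specific can be rejected
     before it enters the routing table.
As the article notes, this validates only the origin, not the rest of the path.
All prefixes (RFC 5737 documentation space) and AS numbers (RFC 5398
documentation range) below are constructed.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Announcement:
    prefix: str        # e.g. "198.51.100.0/24"
    as_path: tuple     # ASes the advertisement has traversed; origin is last

    @property
    def origin(self):
        return self.as_path[-1]

    @property
    def network(self):
        return ip_network(self.prefix)


@dataclass(frozen=True)
class RouteAuthorization:
    """Signed statement stored in the shared repository: `origin` may
    announce `prefix` and any sub-prefix no longer than `max_length`."""
    prefix: str
    max_length: int
    origin: int


def best_route(announcements, destination):
    """Longest-prefix match: the most specific covering announcement wins."""
    dest = ip_address(destination)
    covering = [a for a in announcements if dest in a.network]
    if not covering:
        return None
    return max(covering, key=lambda a: a.network.prefixlen)


def validate_origin(announcement, authorizations):
    """'valid' if some authorization covers the prefix, allows its length and
    names this origin; 'invalid' if authorizations cover the prefix but none
    permit this announcement; 'unknown' if no authorization covers it."""
    net = announcement.network
    covered = False
    for roa in authorizations:
        if net.subnet_of(ip_network(roa.prefix)):
            covered = True
            if roa.origin == announcement.origin and net.prefixlen <= roa.max_length:
                return "valid"
    return "invalid" if covered else "unknown"


def filter_routes(announcements, authorizations):
    """Drop 'invalid' announcements. Policy assumption for this example:
    'unknown' is still accepted, as a partial deployment would have to do."""
    return [a for a in announcements
            if validate_origin(a, authorizations) != "invalid"]


# Constructed scenario. AS 64500 legitimately originates 198.51.100.0/24;
# AS 64511 announces the more-specific 198.51.100.128/25 it does not hold.
LEGIT = Announcement("198.51.100.0/24", (64496, 64500))
MORE_SPECIFIC = Announcement("198.51.100.128/25", (64497, 64511))
AUTHORIZATIONS = [RouteAuthorization("198.51.100.0/24", max_length=24, origin=64500)]
DESTINATION = "198.51.100.200"

if __name__ == "__main__":
    unfiltered = best_route([LEGIT, MORE_SPECIFIC], DESTINATION)
    print("without origin validation, traffic goes to AS", unfiltered.origin)
    for a in (LEGIT, MORE_SPECIFIC):
        print(a.prefix, "from AS", a.origin, "->", validate_origin(a, AUTHORIZATIONS))
    accepted = filter_routes([LEGIT, MORE_SPECIFIC], AUTHORIZATIONS)
    print("with origin validation, traffic goes to AS", best_route(accepted, DESTINATION).origin)
```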

For this, Kent and BBN colleagues developed Secure BGP (SBGP), which would require BGP routers to digitally sign with a private key any prefix advertisement they propagated. An ISP would give peer routers certificates authorizing them to route its traffic; each peer on a route would sign a route advertisement and forward it to the next authorized hop.

"That means that nobody could put themselves into the chain, into the path, unless they had been authorized to do so by the preceding AS router in the path," Kent said.

The drawback to this solution is that current routers lack the memory and processing power to generate and validate signatures. And router vendors have resisted upgrading them because their clients, ISPs, haven't demanded it, due to the cost and man hours involved in swapping out routers.

Douglas Maughan, cybersecurity research program manager for the DHS's Science and Technology Directorate, has helped fund research at BBN and elsewhere to resolve the BGP issue. But he's had little luck convincing ISPs and router vendors to take steps to secure BGP.

"We haven't seen the attacks, and so a lot of times people don't start working on things and trying to fix them until they get attacked," Maughan said. "(But) the YouTube (case) is the perfect example of an attack where somebody could have done much worse than what they did."

ISPs, he said, have been holding their breath, "hoping that people don’t discover (this) and exploit it."

"The only thing that can force them (to fix BGP) is if their customers ... start to demand security solutions," Maughan said.


10 fundamental differences between Linux and Windows

Before debating the relative merits and shortcomings of Linux and Windows, it helps to understand the real distinctions between them. Jack Wallen has distilled the key differences into one list.

I have been around the Linux community for more than 10 years now. From the very beginning, I have known that there are basic differences between Linux and Windows that will always set them apart. This is not, in the least, to say one is better than the other. It’s just to say that they are fundamentally different. Many people, looking from the view of one operating system or the other, don’t quite get the differences between these two powerhouses. So I decided it might serve the public well to list 10 of the primary differences between Linux and Windows.

Note: This information is also available as a PDF download.

#1: Full access vs. no access

Having access to the source code is probably the single most significant difference between Linux and Windows. The fact that Linux belongs to the GNU Public License ensures that users (of all sorts) can access (and alter) the code to the very kernel that serves as the foundation of the Linux operating system. You want to peer at the Windows code? Good luck. Unless you are a member of a very select (and elite, to many) group, you will never lay eyes on code making up the Windows operating system.

You can look at this from both sides of the fence. Some say giving the public access to the code opens the operating system (and the software that runs on top of it) to malicious developers who will take advantage of any weakness they find. Others say that having full access to the code helps bring about faster improvements and bug fixes to keep those malicious developers from being able to bring the system down. I have, on occasion, dipped into the code of one Linux application or another, and when all was said and done, was happy with the results. Could I have done that with a closed-source Windows application? No.

#2: Licensing freedom vs. licensing restrictions

Along with access comes the difference between the licenses. I’m sure that every IT professional could go on and on about licensing of PC software. But let’s just look at the key aspect of the licenses (without getting into legalese). With a Linux GPL-licensed operating system, you are free to modify that software and use and even republish or sell it (so long as you make the code available). Also, with the GPL, you can download a single copy of a Linux distribution (or application) and install it on as many machines as you like. With the Microsoft license, you can do none of the above. You are bound to the number of licenses you purchase, so if you purchase 10 licenses, you can legally install that operating system (or application) on only 10 machines.

#3: Online peer support vs. paid help-desk support

This is one issue where most companies turn their backs on Linux. But it’s really not necessary. With Linux, you have the support of a huge community via forums, online search, and plenty of dedicated Web sites. And of course, if you feel the need, you can purchase support contracts from some of the bigger Linux companies (Red Hat and Novell for instance).

However, when you use the peer support inherent in Linux, you do fall prey to time. You could have an issue with something, send out e-mail to a mailing list or post on a forum, and within 10 minutes be flooded with suggestions. Or these suggestions could take hours or days to come in. It seems all up to chance sometimes. Still, generally speaking, most problems with Linux have been encountered and documented. So chances are good you’ll find your solution fairly quickly.

On the other side of the coin is support for Windows. Yes, you can go the same route with Microsoft and depend upon your peers for solutions. There are just as many help sites/lists/forums for Windows as there are for Linux. And you can purchase support from Microsoft itself. Most corporate higher-ups easily fall victim to the safety net that having a support contract brings. But most higher-ups haven’t had to depend upon said support contract. Of the various people I know who have used either a Linux paid support contract or a Microsoft paid support contract, I can’t say one was more pleased than the other. This of course begs the question “Why do so many say that Microsoft support is superior to Linux paid support?”

#4: Full vs. partial hardware support

One issue that is slowly becoming nonexistent is hardware support. Years ago, if you wanted to install Linux on a machine you had to make sure you hand-picked each piece of hardware or your installation would not work 100 percent. I can remember, back in 1997-ish, trying to figure out why I couldn’t get Caldera Linux or Red Hat Linux to see my modem. After much looking around, I found I was the proud owner of a Winmodem. So I had to go out and purchase a US Robotics external modem because that was the one modem I knew would work. This is not so much the case now. You can grab a PC (or laptop) and most likely get one or more Linux distributions to install and work nearly 100 percent. But there are still some exceptions. For instance, hibernate/suspend remains a problem with many laptops, although it has come a long way.

With Windows, you know that most every piece of hardware will work with the operating system. Of course, there are times (and I have experienced this over and over) when you will wind up spending much of the day searching for the correct drivers for that piece of hardware you no longer have the install disk for. But you can go out and buy that 10-cent Ethernet card and know it’ll work on your machine (so long as you have, or can find, the drivers). You also can rest assured that when you purchase that insanely powerful graphics card, you will probably be able to take full advantage of its power.

#5: Command line vs. no command line

No matter how far the Linux operating system has come and how amazing the desktop environment becomes, the command line will always be an invaluable tool for administration purposes. Nothing will ever replace my favorite text-based editor, ssh, and any given command-line tool. I can’t imagine administering a Linux machine without the command line. But for the end user — not so much. You could use a Linux machine for years and never touch the command line. Same with Windows. You can still use the command line with Windows, but not nearly to the extent as with Linux. And Microsoft tends to obfuscate the command prompt from users. Without going to Run and entering cmd (or command, or whichever it is these days), the user won’t even know the command-line tool exists. And if a user does get the Windows command line up and running, how useful is it really?

#6: Centralized vs. noncentralized application installation

The heading for this point might have thrown you for a loop. But let’s think about this for a second. With Linux you have (with nearly every distribution) a centralized location where you can search for, add, or remove software. I’m talking about package management systems, such as Synaptic. With Synaptic, you can open up one tool, search for an application (or group of applications), and install that application without having to do any Web searching (or purchasing).

Windows has nothing like this. With Windows, you must know where to find the software you want to install, download the software (or put the CD into your machine), and run setup.exe or install.exe with a simple double-click. For many years, it was thought that installing applications on Windows was far easier than on Linux. And for many years, that thought was right on target. Not so much now. Installation under Linux is simple, painless, and centralized.

#7: Flexibility vs. rigidity

I always compare Linux (especially the desktop) and Windows to a room where the floor and ceiling are either movable or not. With Linux, you have a room where the floor and ceiling can be raised or lowered, at will, as high or low as you want to make them. With Windows, that floor and ceiling are immovable. You can’t go further than Microsoft has deemed it necessary to go.

Take, for instance, the desktop. Unless you are willing to pay for and install a third-party application that can alter the desktop appearance, with Windows you are stuck with what Microsoft has declared is the ideal desktop for you. With Linux, you can pretty much make your desktop look and feel exactly how you want/need. You can have as much or as little on your desktop as you want. From simple flat Fluxbox to a full-blown 3D Compiz experience, the Linux desktop is as flexible an environment as there is on a computer.

#8: Fanboys vs. corporate types

I wanted to add this because even though Linux has reached well beyond its school-project roots, Linux users tend to be soapbox-dwelling fanatics who are quick to spout off about why you should be choosing Linux over Windows. I am guilty of this on a daily basis (I try hard to recruit new fanboys/girls), and it’s a badge I wear proudly. Of course, this is seen as less than professional by some. After all, why would something worthy of a corporate environment have or need cheerleaders? Shouldn’t the software sell itself? Because of the open source nature of Linux, it has to make do without the help of the marketing budgets and deep pockets of Microsoft. With that comes the need for fans to help spread the word. And word of mouth is the best friend of Linux.

Some see the fanaticism as the same college-level hoorah that keeps Linux in the basements for LUG meetings and science projects. But I beg to differ. Another company, thanks to the phenomenon of a simple music player and phone, has fallen into the same fanboy fanaticism, and yet that company’s image has not been besmirched because of that fanaticism. Windows does not have these same fans. Instead, Windows has a league of paper-certified administrators who believe the hype when they hear the misrepresented market share numbers reassuring them they will be employable until the end of time.

#9: Automated vs. nonautomated removable media

I remember the days of old when you had to mount your floppy to use it and unmount it to remove it. Well, those times are drawing to a close — but not completely. One issue that plagues new Linux users is how removable media is used. The idea of having to manually “mount” a CD drive to access the contents of a CD is completely foreign to new users. There is a reason this is the way it is. Because Linux has always been a multiuser platform, it was thought that forcing a user to mount a medium to use it would keep the user’s files from being overwritten by another user. Think about it: On a multiuser system, if everyone had instant access to a disk that had been inserted, what would stop them from deleting or overwriting a file you had just added to the media? Things have now evolved to the point where Linux subsystems are set up so that you can use a removable device in the same way you use them in Windows. But it’s not the norm. And besides, who doesn’t want to manually edit the /etc/fstab file?
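The multiuser rationale above is also why the mount options on a user-mountable /etc/fstab entry matter: the `user` option lets any login mount the device, and mount(8) makes such a mount `noexec,nosuid,nodev` by default, but an option listed after `user` (such as `exec` or `suid`) overrides that. The script below is an added example, not part of the original article; it audits fstab text for user-mountable entries that re-enable one of those three flags, run here against a constructed sample fstab.

```shell
#!/bin/sh
# Added example (not from the original article): audit /etc/fstab for
# removable-media entries that ordinary users may mount but that re-enable
# exec, suid or dev after the "user"/"users" option set them off.
# mount(8) applies options left to right, so order is significant.

# Constructed sample fstab for illustration; not taken from any real system.
SAMPLE_FSTAB='# constructed sample /etc/fstab
/dev/sda1    /              ext4     defaults                 0 1
/dev/cdrom   /media/cdrom   iso9660  ro,user,noauto           0 0
/dev/sdb1    /media/usb     vfat     user,noauto,exec         0 0
/dev/sdc1    /media/backup  ext3     users,noauto,suid        0 0
/dev/fd0     /media/floppy  vfat     exec,user,noauto         0 0
'

# audit_fstab: read fstab text on stdin, print one line per user-mountable
# entry whose effective options still allow exec, suid or dev.
audit_fstab() {
  awk '
    /^[[:space:]]*#/ || NF < 4 { next }        # skip comments, short lines
    {
      n = split($4, o, ",")
      um = 0; ex = 1; su = 1; dv = 1            # kernel defaults: all allowed
      for (i = 1; i <= n; i++) {
        if (o[i] == "user" || o[i] == "users") {
          um = 1; ex = 0; su = 0; dv = 0        # user implies noexec,nosuid,nodev
        } else if (o[i] == "nouser")   um = 0
        else if (o[i] == "defaults")   { um = 0; ex = 1; su = 1; dv = 1 }
        else if (o[i] == "exec")       ex = 1   # later option overrides user
        else if (o[i] == "noexec")     ex = 0
        else if (o[i] == "suid")       su = 1
        else if (o[i] == "nosuid")     su = 0
        else if (o[i] == "dev")        dv = 1
        else if (o[i] == "nodev")      dv = 0
      }
      if (!um) next                             # root-only mounts are out of scope
      bad = ""
      if (ex) bad = bad " exec"
      if (su) bad = bad " suid"
      if (dv) bad = bad " dev"
      if (bad != "") printf "%s %s re-enables:%s\n", $1, $2, bad
    }'
}

# Stand-alone run over the constructed sample: flags /dev/sdb1 and /dev/sdc1,
# while the cdrom entry and the "exec,user" floppy entry pass.
printf '%s\n' "$SAMPLE_FSTAB" | audit_fstab
```

On a live system, `audit_fstab < /etc/fstab` runs the same check against the real file.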

#10: Multilayered run levels vs. a single-layered run level

I couldn’t figure out how best to title this point, so I went with a description. What I’m talking about is Linux’s inherent ability to stop at different run levels. With this, you can work from either the command line (run level 3) or the GUI (run level 5). This can really save your socks when X Windows is fubared and you need to figure out the problem. You can do this by booting into run level 3, logging in as root, and finding/fixing the problem.

With Windows, you’re lucky to get to a command line via safe mode — and then you may or may not have the tools you need to fix the problem. In Linux, even in run level 3, you can still get and install a tool to help you out (hello apt-get install APPLICATION via the command line). Having different run levels is helpful in another way. Say the machine in question is a Web or mail server. You want to give it all the memory you have, so you don’t want the machine to boot into run level 5. However, there are times when you do want the GUI for administrative purposes (even though you can fully administer a Linux server from the command line). Because you can run the startx command from the command line at run level 3, you can still start up X Windows and have your GUI as well. With Windows, you are stuck at the Graphical run level unless you hit a serious problem.

Your call…

Those are 10 fundamental differences between Linux and Windows. You can decide for yourself whether you think those differences give the advantage to one operating system or the other. Me? Well I think my reputation (and opinion) precedes me, so I probably don’t need to say I feel strongly that the advantage leans toward Linux.

Original here

RIAA wins P2P case after defendant reformats hard drive

By Eric Bangeman

One of the most closely-watched copyright infringement lawsuits brought by the RIAA appears to be coming to a screeching halt, much to the music industry's delight. A judge ruled Monday that a defendant had willfully and intentionally destroyed evidence of his P2P activities after being notified of pending legal action by the RIAA. Furthermore, since it was done in bad faith, it "therefore warrants appropriate sanctions."

The order in Atlantic v. Howell was issued at the end of a pretrial conference held in an Arizona courtroom. Jeffery Howell, the defendant who represented himself throughout the case, was accused of copyright infringement for sharing music over the KaZaA P2P network. Howell denied the charges, saying that the music MediaSentry saw in his shared folder was for his own private use.

Howell won a major victory against the RIAA this past April, when a judge rejected the RIAA's cornerstone legal theory that simply making a file available on P2P network constituted copyright infringement. Judge Neil V. Wake denied the RIAA's motion for summary judgment, ruling that "a distribution must involve a 'sale or other transfer of ownership' or a 'rental, lease, or lending' of a copy of the work. The recording companies have not proved an actual distribution of 42 of the copyrighted sound recordings at issue, so their motion for summary judgement fails as to those recordings."

After that ruling, it appeared as though Atlantic v. Howell was headed for a bench trial this fall, but at the end of July, the record labels filed a motion seeking judgment in their favor due to what they characterized as Howell's attempts to cover his tracks. According to the RIAA's brief, Howell destroyed evidence on four separate occasions after first receiving the prelitigation settlement letter and later being served with the lawsuit. The RIAA's forensics experts found that Howell uninstalled KaZaA and deleted everything in the shared folder, reformatted his hard drive, downloaded and used a file-wiping program, and then nuked all the KaZaA logs on his PC. "Defendant's intentional spoliation of computer evidence significantly prejudices Plaintiffs because it puts the most relevant evidence of their claim permanently beyond their reach," argued the RIAA. "The deliberate destruction... by itself, compels the conclusion that such evidence supported Plaintiffs' case."

Judge Wake agreed with the RIAA, and will inform Howell of his fate (and presumably the amount of damages he'll have to pay) in a forthcoming written order.

Howell elected to defend himself in the case due to his limited financial resources and the difficulty in finding a lawyer who would take the case with the possibility of not getting paid at the end. "What this really underscores is how difficult it is for individuals who can't afford counsel to defend themselves," EFF staff attorney Fred von Lohmann told Ars. "He never had an adequate opportunity to explain what happened on his PC, while the RIAA had forensics experts and lawyers to tell the story. I think if Howell had an expert and lawyer to speak for him, he would have told a different story."

von Lohmann became involved in the case back in January when the EFF filed a brief on the making available issue. von Lohmann told Ars that he also tried to find Howell a lawyer, but failed due to Howell's inability to pay as well as the law firms that might otherwise take such a case as a "training exercise" deciding not to once they realized that they'd be facing the likes of Sony and the other Big Four labels. "Lawyers who do cases for free aren't willing to make enemies," said von Lohmann.

It appears that the RIAA's case against Howell will end in much the same way that the MPAA's lawsuit against TorrentSpy did: with the defendant ordered to pay damages due to mucking with the evidence. TorrentSpy was ordered to pay $110 million in damages to the MPAA after the judge found that the site's admins had intentionally destroyed evidence. So while opponents of the RIAA's legal campaign did win a very significant ruling out of the Atlantic v. Howell case, they've also learned another lesson. Once you're sued by the RIAA, reformatting your hard drive and nuking your P2P apps is likely to get you in hot water with the judge.

Original here

Acoustic Band ‘Utterly Depends’ on Piracy

Written by enigmax

Steve Knightley is one half of ‘Show of Hands’, an award-winning acoustic and folk duo from the UK. Steve says he is thankful to the people that pirate the band’s music and go out of their way to promote the band. In fact, he says the band utterly depends on them.

The music industry’s position is clear: every download is a lost sale and there is no such animal as ‘piracy is promotion’. However, some people feel that there are benefits associated with piracy, as free musical samples can go out today with very little fuss, for the no-risk perusal of potential future audiences.

My otherwise law-abiding parents will quietly take the time to have a listen to something on a CDR that might interest them, but overwhelmingly they buy media, go to live musical performances, the opera, and generally pay their way. They are not on their own. As unbelievable as this may sound to the music industry, everyone is not a habitual pirate and people do use piracy for good, something that band ‘Show of Hands’ has noticed.

Born in 1954, Steve Knightley is a musician, singer-songwriter and one half of BBC award-winning acoustic roots duo ‘Show of Hands’. Just like every other band, from the smallest to the biggest, they aren’t immune to piracy.

“After any show we can always be found chatting to our audience, signing stuff and generally hanging out by the CD table. I always make a point of asking people how they first heard about us,” says Steve. “The three most common answers are, they’ve been ‘dragged’ along by friends, they heard us on the radio - or someone gave them a copy of one of our CDs. This last one is usually accompanied by a look of collective guilt and embarrassment.”

At this point Steve would call the police - if the IFPI had their way. But no, Steve sees these people in a very different light and is actually grateful that pirates didn’t choose someone else’s music to ‘steal’:

“Let’s consider this more closely - a person who values our music has kindly made a copy of a CD and gone out of their way to spread the word about us. That recipient has then bought both a ticket to see us and a CD on the night.” So it’s obvious that being a pirate doesn’t exclude people from being a fan, they just aren’t paying at the point of piracy - but they will, when the circumstances are right.

Steve also believes that ‘sharing’ really is ‘caring’, which is refreshing in these ‘sue-em-all’ days: “You may call this process ‘piracy’ if you wish - for me it is an act of generosity and it both increases our audience size and record sales. And as I always say on the night - if you’re going to do it anyway you may as well feel good about it!”

Steve also says the band rarely objects if someone wants to film their performances as it’s yet another way of using technology to reach out to their audience.

“I believe the official term is ‘viral marketing’,” says Steve, “and we depend utterly upon it.”

“Don’t fight it - embrace it.”

Original here

The Top 100 Classic Web Sites

PC Magazine's definitive list of the best and most trustworthy Web sites of 2008.

Top Web Sites 2008

All Web sites, whether classic or not, tend to follow the same evolutionary path: A site is conceived in the mind of an unusually intelligent person; starts off as a buggy alpha project; evolves into a less-buggy beta project; develops into a full-blown meme usually sometime around launch (Google betas excepted); and swirls around the Internet for a while. That's where the path diverges: the site can fade away into uncoolness and disuse, cater to a niche of hard-core users, or mature into a classic Web site that is used and loved by millions.


This list of 100 Classic Web Sites is for the last group, the sites that have transcended "going viral"; the sites that you, your parents, and your kids are familiar with, and that their kids may someday be familiar with. These 100 sites change the way we use the Web, pioneer new technologies and ideas, and inspire tons and tons of mimicry.

Unlike our list of Top 100 Undiscovered Web Sites, you’ve probably heard of most of these sites, but we hope there are some new finds and old friends here for you to enjoy.

Original here

Alleged UK Pirates Offered Free Legal Representation

Written by enigmax

Over the last year, UK residents accused of sharing games like Dream Pinball have been threatened by lawyers Davenport Lyons. Stuck in a trap of not having enough money to defend themselves, many choose to pay compensation demands - guilty or not - fearful of a much bigger punishment if things go bad. Now a UK IP lawyer says he will defend as many people as he can - for free.

Last week, thousands of news outlets reported that a single mother, Isabella Barwinska from London, had been found guilty of uploading the game Dream Pinball. She collected a staggering £16,000 bill for her trouble. However, following a TorrentFreak report last week where we revealed that far from being a ‘landmark ruling’, Miss Barwinska actually mounted no defense, people are realizing that all may not be as it seems. Maybe it’s possible to fight back - and win. The timing couldn’t be better.

According to reports, any minute now lawyers Davenport Lyons will send out up to 25,000 further ‘pay up or get sued’ letters, demanding around £300 in compensation on the back of their so-called ‘landmark ruling’. Unfortunately, those accused of infringement have had limited choices up to now. Pay around £200-£250 for a few minutes with a lawyer and maybe get him to send a solitary letter, or go it alone, maybe with limited help from the UK’s Citizens Advice service. Either way, it’s pretty much guaranteed to cost more than £300, in time and/or money.

Until now.

Michael Coyle is a Solicitor Advocate, which means he is entitled to represent clients in the High Court and has frequently done so. He is also a Director at his company Lawdit Solicitors and leads the company’s Commercial and Intellectual Property legal section. He says he’d like to help those file-sharers wrongly accused, so we caught up with him to find out more.

TF: Please introduce yourself Michael, and tell us about your company. What do you specialize in?

MC: Lawdit Solicitors was formed on 3 September 2001 by me, Michael Coyle. Almost seven years later we are a busy commercial law firm with close connections in Marbella and Rome. Lawdit’s team consists of five Solicitors and support staff. While Lawdit is a commercial law firm a large part of its client base is concerned with intellectual property and copyright of course.

TF: What inspired you to start the firm?

MC: I wanted a law firm which was fair and would not price anyone out of securing at the very least a right of response when either the client’s intellectual property has been infringed or they are defending a claim for intellectual property infringement.

TF: Please tell us a little about Lawdit’s track record, relevant to this matter.

MC: Over the years I have advised clients in many aspects of copyright infringement from both perspectives, i.e. the rights holder and the copier. In relation to P2P there is a paucity of legal case law, largely due to lack of funds and the lack of defences. We have advised a retired gentleman and a 14-year-old child, both threatened with lawsuits, and both issues seem to have gone away.

TF: Why do you think they have gone away?

MC: It may be because the rights holder does not wish to take the case further as they now know legal representation is in place, or they do not want the publicity. We will never know. Litigation can often be described as a game of poker. You have to always show a willingness to commence a legal action even if this is not your intention. At the same time you always need to show you will defend. At the time it’s usual for a ‘without prejudice’ exchange of correspondence to be maintained.

TF: Let us know what first got you interested in these Davenport Lyons cases.

MC: I have some clients who watch with interest all these developments, and either they let me know or we are generally very good at keeping in touch with copyright laws.

TF: What is your opinion of the ‘settle up now or we sue’ letters?

MC: It can make sense to ‘settle up now’ if you have no defence to the claim and are almost certainly going to lose. It’s back to the poker game analogy. Will they sue? etc. It seems they will commence legal action as the recent case shows, however I would need to know more about each case. If there is no defence and you are sure that a claim will follow then perhaps a penalty is worth paying. If they have no defence and it is a case of ‘it’s not me, guv’ then perhaps not. If you have a valid defence then you should fight it.

TF: What is your opinion on how these ‘default judgment’ cases have been selected and prosecuted, and the blanket media coverage of a ‘landmark case’?

MC: The individual would have ample opportunity to deal with numerous letters from the Lawyers. Equally once a claim has been issued the defendant has over a month in many instances to provide a defence. So the individual really ought to deal with it as the ostrich approach is not helpful. Lawyers will generally want to shout about their success and I am no different. A default Judgement is still a win although a fairly one sided win!

TF: So what exactly are you and Lawdit offering?

MC: I think it’s important that individuals do have a voice in this matter. There will be some defendants who are infringing copyright with their use of the P2P software. But at the same time there will be others who may not be. I am willing to offer Lawdit Solicitors’ services as the law firm to represent these individuals. I will do so for free. Obviously we are a small firm and there may be limitations to this offer. That is, 5 offers for help will not be a problem. 5000 may pose me a problem, but yes, we’re willing to be on the end of an email for sure.

TF: How would you like people to contact you, bearing in mind that at the moment there are a few hundred people receiving demands and this may increase to tens of thousands shortly, or so they say…

MC: Email is best. I am often in court but the Blackberry is on and I’m happy to help as much as I can. Email is michael.coyle[at]

TF: Thank you for your time.

Readers contacting Michael are strongly advised to be very clear and concise in their initial correspondence. A lot of people will be interested in this offer and Michael and his team are a limited resource. Make their job as easy as you possibly can, so they can help more effectively.

Original here