VERY,VERY HOT READS, I Would Read The News In This Thread This Thead Is To post Any Thing Ye Want About The News,,NEWS WAS MOVED,READ MY FIRST POS...

uTorrent: shaping the future

p2p news / p2pnet: p2pnet's Alex H recently had an interesting introductory chat with µTorrent's Ludvig Strigeus in which Strigeus said file sharing applications were sending a message: the information super highway is finally living up to its name.

Now, in a fresh, tight, interview Slyck's Tom Mennecke talks to both Strigeus and daily ops admin, Firon.

"No one will ever take away the enormous contribution Bram Cohen has given to the file-sharing community," writes Mennecke.

"Much like the revolution of file-sharing under Napster in 1999, BitTorrent has redefined the way people share and search for information. Initially, BitTorrent evolved largely under the direction of its creator. More recently however, this protocol is shifting further away from the direction of Bram Cohen and more towards independent developers."

That is the case indeed, and more power to it >>>>>>>>>>>>>>>>>>>>>>>

BitTorrent End to End Encryption and Bandwidth Throttling - Part I
By Tom Mennecke - Slyck

One of the key focuses currently facing members of the BitTorrent community is traffic shaping (or bandwidth throttling.) Since its inception, BitTorrent has become the unquestioned consumer of bandwidth, as CacheLogic reports over 60% of all Internet traffic is attributable to this protocol. Some ISPs have simply reinvested in their networks and allowed BitTorrent to flourish, while others report that Shaw Cable and Rogers Cable in Canada have made their BitTorrent experience excessively slow and intolerable.

In response, BitTorrent developers have introduced “end to end” encryption in an effort to counter these policies. By fooling traffic shaping software, this has become very welcomed news from those who experience bandwidth throttling. Interestingly enough, Bram Cohen, the founder of BitTorrent, has not supported this direction. Yet as the course of BitTorrent evolution changes, the needs of the populace are instead being addressed by community oriented developers.

In today's interview, Slyck speaks with the developer of µTorrent, Ludvig Strigeus, with additional information provided by the administrator of daily operations, "Firon."

Slyck.com: First and foremost, how effective has this feature proven to be?

µTorrent: I don't really know how effective this option is yet, it's only been tested in a limited environment. We haven't been able to do any significant tests with users of ISPs that shape. But so far, it seems to be helping shaped users in swarms that have PE-enabled clients.

Slyck.com: What is your motivation and philosophy behind this feature? Why are you working on it and what do you hope the benefit for the BitTorrent community will be?

µTorrent: I'd like all users to be able to use BitTorrent and be able to upload and download. After all, BT is being used in many legal things, including distribution of public domain content, patches for games, and so on. An ISP shouldn't be able to block a legitimate protocol.

Slyck.com: Could you spend a moment to explain how end to end encryption works?

µTorrent: The encryption uses a shared secret (the torrent info hash), which is different for each torrent, in combination with Diffie-Hellman keys that are generated when the connection is set up. The Diffie-Hellman helps minimizing the risk of passive listeners, and the shared secret helps avoiding man-in-the-middle attacks.

Slyck.com: Recently, Bram Cohen brought up several arguments against end to end encryption. What is your reaction to these arguments, and how valid do you believe they are? Do you think perhaps they are being made to further his effort to make BitTorrent more legitimate?

µTorrent: I don't really agree with his arguments. He seems to be a bit out of touch with the reality of the situation. There's a significant number of severely throttled users (or that have BT blocked outright)out there, and ISPs need to realize that the internet is not port 80, 443 and e-mail. Very, very few ISPs cache BT, even less so than those that shape, so that's a fairly lousy argument to counter encryption.

His argument to let the tracker handle which peers are PE-enabled isn't very good either, since it's trivial for an ISP to block or alter the tracker request/response to achieve their desired effect of saving bandwidth because they can't cope with non-HTTP traffic. And one of the main problems with ISPs that shape is that they don't shape reasonably (say to maintain network quality and not interfere with VoIP or some such), but always throttle it down to a grinding halt. This is unfair, and users should be able to use the bandwidth they paid for.

Slyck.com: How dynamic is your approach to end to end encryption? For example, will you be able to maintain a likely technological arms race with ISPs?

µTorrent: If some severe flaw were discovered with PE, it would be significantly easier for us to update the clients with a fix than it would be for an ISP to update their hardware/software to detect any such changes we make.

Slyck.com: Bram Cohen stated "Most ISPs don't do such shaping", yet the reaction from Shaw and Rogers broadband customers reflects differently. How many other ISPs do you know of shape traffic, and do you believe that the number will increase in months and years to come?

µTorrent: I think he's wrong, a significant number of Canadian users seem to be shaped, and there's various ISPs in Singapore doing similarly.

There's ISPs in the US, Israel, and Australia, Belgium, and many others (some are listed on Azureus'wiki). It seems to be a growing trend, since the list of ISPs that users report are shaping seems to be growing.

Slyck.com: Is the encryption static or is it dynamic (does it change according to some parameters)?

µTorrent: The parameter that changes per-connection is the Diffie-Hellman key. The info hash also influences the encryption, but it's not different for each connection (obviously).

Slyck.com: What has been the feedback from end users? For example, are people complaining the decryption of Diffie-Hellman is resource hungry?

µTorrent: We have not had any feedback yet. The amount of resources for Diffie-Hellman is quite small, we're talking much less than a percent of CPU time for normal users. The data stream is encrypted with RC4.

My Pentium 4 can encrypt at 300MB/s (with optimized assembly code), so even if you download at a very fast speed, the RC4 encryption would just use a percent or two of CPU time, which is much less than the time required to compute SHA hashes of all downloaded pieces.

Slyck.com: Encryption is a tool better known for securing the transfer of private information. Are there any benefits of securing the transfer of information that is being offered publicly, or is the encryption soley to circumvent ISP throttling?

µTorrent: The major goal of the protocol was to circumvent throttling, however it was designed with the idea in mind, that it should be hard for a passive listener to detect what traffic is transmitted.

Slyck.com: By encrypting the data, is there a risk BitTorrent will lose some of its acceptance, hence encouraging more ISPs to throttle?

µTorrent: I don't know, did HTTP lose acceptance when HTTPS was invented? I don't think so.

Like the eDoneky2000 network, BitTorrent’s control and direction is slowly morphing towards the open source community. MetaMachine, the original creative force behind eDonkey2000 has seen the direction of this network forever replaced by eMule. This evolution of events is nearly impossible for original talents to reverse, and the future of BitTorrent is little different.

Also See:
introductory chat - p2pnet uTorrent interview, October 9, 2006

(Tuesday 7th February 2006)
http://p2pnet.net/story/7848

 

Using Rootkits to Defeat Digital Rights Management

rootkit1 Two of the most popular CD emulation utilities are Alcohol and Daemon Tools and they both use rootkits.

Alcohol advertises itself as enabling you “to make a duplicate back-up to recordable media of nearly all your expensive Game/Software/DVD titles, and/or an image that can be mounted and run from any one of Alcohol's virtual drives”. When you run a RootkitRevealer scan of a system on which Alcohol is installed you see several discrepancies Mark's Sysinternals Blog: Using Rootkits to Defeat Digital Rights Management


Using Rootkits to Defeat Digital Rights Management
The Sony rootkit debacle highlighted the use of rootkits to prevent pirates and authors of CD burning, ripping, and emulation utilities from circumventing Digital Rights Management (DRM) restrictions on access to copyrighted content. It’s therefore ironic, though not surprising, that several CD burning and disc emulation utilities are also using rootkits, though the technology is being used in the opposite way: to prevent DRM software from enforcing copy restrictions.

Because PC game CDs and DVDs do not need to be compatible with set-top players software vendors can store data on media in unorthodox ways that require software support to read it. Attempts to make a copy of such media without the aid of the software results in a scrambled version and the software has DRM measures to detect and foil unauthorized copying.

CD burning and emulation software companies owe a significant amount of their sales to customers that want to store games on their hard drives. The legitimate claim for doing this is that it enables fast, cached access to the game., though it is well known that this is also used to make illegal copies of games to share with friends - so content-protected CDs and DVDs present a challenge the companies can’t ignore. One way to deal with the problem is to re-engineer the software that interprets the data stored on the media, but that approach requires enormous and on-going resources dedicated to deciphering changes and enhancements made to the encoding schemes.

An easier approach is to fool game DRM software into thinking its reading data for playing a game from its original CD rather than from an on-disk copy. DRM software uses a number of techniques to try to defeat that trick, but a straightforward one is simply to detect if CD emulation software is present on the system and if so, if the game is being run from an on-disk emulated copy. That’s where rootkits come in. Two of the most popular CD emulation utilities are Alcohol and Daemon Tools and they both use rootkits.

Alcohol advertises itself as enabling you “to make a duplicate back-up to recordable media of nearly all your expensive Game/Software/DVD titles, and/or an image that can be mounted and run from any one of Alcohol's virtual drives”. When you run a RootkitRevealer scan of a system on which Alcohol is installed you see several discrepancies:



The first two are data mismatches whereas the last one is a key that’s hidden from Windows. A data mismatch occurs when RootkitRevealer obtains a different value from a Registry API than it sees when it looks at the raw Registry data where the value resides. When you view either of the values in Regedit they appear to be composed of sequences of space characters:



Why would Alcohol want to use data mismatching rather than the typical cloaking technique to hide the value altogether? The values in question are located in HKLM\Software\Classes\Installer\Products and HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall and both areas are where applications store information for use by the Windows Add/Remove Programs (ARP) utility. ARP uses the ProductName value in an application’s Products key as the name it displays in its list of installed applications so an empty value implies that we should see a product with no name in the list. However, a quick look shows that there are no missing names and we know that the value is associated with Alcohol, but it shows up in the list:



Using Regmon to capture a Registry activity trace of ARP, which as a Control Panel applet is implemented as a DLL hosted by Rundll32.exe, confirms that ARP reads displayed Alcohol text from the mismatched ProductName value whereas Regedit sees only empty data for the same value:



The other mismatched value behaves the same way and it’s my guess that Alcohol masquerades strings that identifies its presence on a system from anything but ARP in order to avoid detection by DRM software like that included in games that disable themselves in the presence of CD/DVD copy and emulation software. There are many other signs DRM software can use to sense Alcohol’s presence, but the Alcohol developers likely discovered that a check of installed products is or was the most commonly used.

The remaining RootkitRevealer discrepancy is the cloaked Jgdd40 key in the Config subkey of the Vax347s driver. Alcohol must include a device driver that presents phantom devices to Windows in order to create virtual CD and DVD devices and Vax347s is the driver that fills that role. An easy way to see inside a cloaked Registry key is to open the parent of the inaccessible key in Regedit, choose Export from the File menu and select Registry Hive Files from the format drop down. Then copy the file to a different system, launch Regedit, navigate to HKLM, and choose Load Hive in the File menu. The name you enter for the key is up to you. When you follow the steps on the cloaked key you see a single value, Ujdew, within it:



The contents are binary data, but my guess is that it describes the volumes that the driver virtualizes. Game DRM software that is Alcohol-aware would be unable to determine whether the volume from which it was executing was on a real device or one that was emulated. Evidence that supports this theory lies in Jdgg40’s parent key, Config, which also contains a single value named Ujdew, but with slightly different contents than the one that’s hidden. The second value is almost certainly a decoy to throw off DRM developers that determined that it at one time contained virtual drive mappings:



Alcohol, like Sony’s rootkit, uses system call hooking to intercept Registry APIs and manipulate their behavior. This memory dump of the Windows kernel-mode system call table contains addresses that fall outside of the kernel image, the telltale sign of a system-call hook:



The addresses correspond to Registry-related system calls and the debugger confirms that the addresses lie in a second Alcohol driver, Vax347b, that’s responsible for the cloaking:



On a system with Daemon Tools installed RootkitRevealer reports the presence of a single discrepancy:



An interesting aspect of Daemon Tools’s rootkit is that it doesn’t cloak the presence of the key listed, but rather denies access even to RootkitRevealer, which should be able to open any key regardless of the key’s security. Following the same steps I described earlier for gaining access to off-limit keys unveils the key’s contents:



Paralleling the Alcohol example, the key is part of Daemon Tools’ virtual device driver and appears to contain configuration information, implying that Daemon Tools hides the key to fool game anti-emulation software by preventing it from finding a way to distinguish virtual volumes from real ones.

There’s no proof that Alcohol and Daemon Tools use rootkits to evade DRM, but the evidence is compelling. If they do their usage is clearly unethical and even potentially runs afoul of the US Digital Millennium Copyright Act (DMCA). In any case, there’s no reason for these products, or any product as I’ve stated previously, to employ rootkit techniques.
[Clarification: when I say "their usage is celarly unethical" I'm not referring to users of the products, but to the utilities themselves being designed to circumvent DRM. I've previously defined rootkits and explained their risks.]



ye must go here to see all the info and pixs on this story

http://www.sysinternals.com/blog/2006/02/using-rootkits-to-defeat-digital.html

 

curse those rootkits

 

Hacking Xboxes For Fun And Profit

Apparently, the original Xbox has been completely hacked without the need for any modchip/softmod. According to hackers online, this also opens the door for them to really begin hacking on the Xbox360.

A hacker, known as the specialist posted this on XboxHacker.net:

Yes ! I've just played a backup DVD on a XBOX 1 without any modchip/softmod, just a hacked firmware. This completes our work on the XBOX 1. The drive I modded was a 8050L. The good news is that the firmware in this drive is very similar to the firmware in the GDR3120, used in the XBOX 360. I think it's time for me to buy one now.

Based on this information, some places are suggesting using the Xbox as a media extender, provided one is running Windows XP Media Center Edition. Some may find this recommendation useful.

If the Xbox360 gets hacked completely, this could create some problems for Microsoft, who has already had numerous problems with security in the past. At this point though, based on the nature of how game consoles work, it would seem very difficult to fix problems like these hacks seem to cause. Some updates could be done for the onboard software but it looks like these consoles will have similar vulnerabilities as normal computer software.

http://www.securitypronews.com/news/securitynews/spn-45-20060206HackingXboxesForFunAndProfit.html

 

Spyware remains rampant as Winamp exploited
Published: 2006-02-06

A new study by the University of Washington finds that one in twenty executables on the Internet contain spyware.

The study, which sampled more than 20 million Internet addresses, also found other disturbing trends. Among them: one in 62 Internet domains contains "drive-by download attacks," which try to force spyware onto the user's computer simply by visiting the website. The problems for web surfers primarily affect Microsoft's Internet Explorer browser but exist to a lesser extent for other browsers as well. The study at the 13th Annual Network and Distributed System Security Symposium in San Diego. While the study's coordinators did notice a 93% reduction between May and October 2005 - likely due to an increased use of anti-spyware tools among average users - spyware remains a major problem for unsuspecting Internet users.

The study is released on the heels of a new spyware application found for Winamp, the widely popular MP3 player. Sunbelt Software has found malicious spyware that exploits a recent flaw discovered in Winamp. The flaw permits remote code execution and allows shady websites to install several spyware applications, which then hijack's a user's browser.

Spyware remains a major menace on the Internet for many Windows users - it is often installed without the user's knowledge, and can be very difficult to remove. A copy of the study (PDF) is available from the University of Washington. Users are encouraged to install one or several anti-spyware applications freely available on the Internet, or purchase commercial alternatives to thwart the threat.
http://www.securityfocus.com/brief/128

 

Apple rolls out 1GB Nano

By Dawn Kawamoto
Staff Writer, CNET News.com

update Apple Computer on Tuesday unveiled a couple changes to its iPod lineup, introducing a 1GB iPod Nano while lowering the price of its iPod Shuffle to less than $100.

The new 1GB iPod Nano will be priced at $149 and offer the same features as the 2GB and 4GB iPod Nano models, such as a high-resolution color screen, a 30-pin dock connector and the ability to display album art while playing music.

Apple's 1GB iPod Nano, which comes in black or white, can hold up to 240 songs or 15,000 photos. The device is designed to connect to Macs equipped with a USB 2.0 port and Mac OS X 10.3.4 or later versions, along with iTunes version 4.9 or later.

Windows users will also need a USB port, with their system running on Windows 2000, XP Home or Professional and a similar version of iTunes.

In addition to the new 1GB iPod Nano, Apple is lowering the price on its iPod Shuffle to $69 for a 512MB device and $99 for the 1GB model.

Apple's iPod line expansion and lower prices come as competitors from Dell to Creative Labs grapple with the realities of the music player market.
http://news.com.com/Apple+rolls+out+1GB+Nano/2100-1041_3-6035974.html?tag=nefd.top

 

Kodak packs two lenses in latest camera

By Jonathan Skillings
Staff Writer, CNET News.com

The new Easyshare V570 digital camera from Eastman Kodak includes a pair of lenses in a slim body.

Kodak calls the V570 the world's first dual-lens digital still camera. The device incorporates both a wide-angle (23 mm) lens and a 3x optical zoom lens, stacked vertically in the center of a black and silver frame that's less than an inch thick.

Besides taking still images, the 5-megapixel camera captures video at 30 frames per second using MPEG-4 compression.

A panorama feature lets users create 180-degree images from three shots. The camera has a 2.5-inch LCD screen for viewing images.

The V570 will be available worldwide later in January for $399, a price that also includes a docking station. The company will be showing it off at the Consumer Electronics Show (CES) in Las Vegas this week.

Through the first half of 2005, Kodak was the top seller of digital cameras in the U.S., just ahead of Canon--with analysts predicting that Canon could soon claim the lead.
http://news.com.com/Kodak+packs+two+lenses+in+latest+camera/2100-1041_3-6014939.html

 

Invention: Exploding ink

* 14:00 07 February 2006
* NewScientist.com news service
* Barry Fox

For over 30 years, Barry Fox has trawled the world's weird and wonderful patent applications, uncovering the most exciting, bizarre or even terrifying new ideas. His column, Invention, is exclusively online. Scroll down for a roundup of previous Invention articles.
Exploding ink

A very unusual ink-jet printer cartridge, containing explosive ink, has been patented by Qinetiq, the commercial spin-off of the British Ministry of Defence.

The ink is a mixture of very fine aluminium particles, each 1 micrometre in diameter, particles of copper oxide 5 micrometres wide, epoxy varnish and alcohol. The ink is stable in liquid form, making it safe to print onto conventional paper, but forms an explosive fuse once dry.

An engineer can easily sketch out a printable fuse using computer imaging software, modifying the delay in milliseconds by changing the length, thickness and pattern of the line on the paper.

The ink can then be printed between a small strip of metal and a larger patch of explosive ink. Feeding a current through the metal strip makes it hot enough to ignite the fuse, which burns until it reaches the explosive patch. This explosion can then trigger the detonation of a much larger amount of explosives.

Qinetiq suggests printed fuses could be used for precisely controlling fireworks, triggering vehicle air bags or for conventional munitions. Ganging hundreds or thousands of fuses together could even make a miniature rocket engine capable of precisely adjusting the orbital position of a spacecraft, the company says.

Read the exploding ink patent in full here.
http://www.wipo.int/ipdl/IPDL-CIMAGES/images3.jsp?WEEK=50/2004&DOC=04/106268&TYPE=A2&TIME+ll38961871

Cannabis cough cure

In most countries, using cannabis is likely to land you in trouble with the law. But the stuff has also inspired a cure for coughing fits.

Tetrahydrocannabinol (THC), the main psychoactive chemical found in cannabis, has a well known effect on the brain. But it also latches onto the nerve cells in the upper airways of mammals and short-circuits the signals that cause coughing spasms.

The US government's National Institute of Health (NIH) has been paying the University of California in Oakland, US, to develop a cough cure based on this effect. Oakland has found that a recently discovered relative of THC – arachidonylethanolamide (anandamide) – can have a similar cough-quelling effect, but without also making users high.

Anandamide can be puffed into a person's airways from an aerosol inhaler and latch onto the same nerve cells as THC. But it binds so tightly to the cells that it will not get into the bloodstream.

The drug has so far been tested on rats and guinea pigs, which were given the treatment and then sprayed with pepper. Microphones inside the animal's cages counted the coughs – and they were significantly reduced after the aerosol cure was administered.

Read the cannabis cough cure here.
http://appft1.uspto.gov/netacgi/nph...77".PGNR.&OS=DN/20060013777&RS=DN/20060013777


Infrared missile disrupter

The threat to passenger planes posed by shoulder-launched missiles is a big concern to the airline industry. But Lawrence Livermore National Laboratory (LLNL) in California, US, has come up with a novel way to jam this type of weapon.

Surface-to-air missiles can be fired in the general direction of a plane, and will use an infrared sensor in their nose to home in on the heat produced by a jet's engines.

Military planes can escape incoming heat seekers by launching decoys flares to fool the weapon's heat sensors. For commercial airliners, however, it's impractical to carry an arsenal of flammable decoys for every take off.

The LLNL defence system relies on a laser to produce a rapid stream of picosecond pulses at an infrared wavelength. The pulses are fed through a crystal to generate harmonic distortion and the original and the distorted beams are recombined to create even more distortion across many infrared frequencies.

This distorted signal can be beamed in the direction of any incoming missile (detected by an airliner's radar). The pulsed infrared should blind and confuse the missile's sensor, causing it to veer off target. And the beam ought to pose no danger to other aircraft, because it is beyond the range of human vision.

Read the infrared missile-disrupter patent here.
http://appft1.uspto.gov/netacgi/nph...88".PGNR.&OS=DN/20060000988&RS=DN/20060000988

 

how to cook an egg with two cell phones

Weekend Eating:
Mobile Cooking

with Suzzanna Decantworthy
additional research: Sean McCleanaugh

Many students, and other young people, have little in the way of cooking skills but can usually get their hands on a couple of mobile phones. So, this week, we show you how to use two mobile phones to cook an egg which will make a change from phoning out for a pizza. Please note that this will not work with cordless phones.

To do this you will need two mobile phones -they do not have to be on the same network but you will need to know the number of one of them. The only other items you will need are:

1. An egg cup, (make sure that the egg cup is made of an insulating material such as China, wood or glass - plastic will do. DO NOT use stainless steel or other metal).
2. A radio, AM or FM - you can also use your hifi.

3. A table or other flat surface on which to place the phones and egg cup. You can place the radio anywhere in the room but you might as well put it on the table.




How To Do It:

1. Take an egg from the fridge and place it in the egg cup in the centre of the table.

2. Switch on the radio or hifi and turn it up to a comfortable volume.

3. Switch on phone A and place it on the table such that the antenna (the pokey thing at the top) is about half an inch from the egg (you may need to experiment to get the relative heights correct - paperbacks are good if you have any - if not you may be able to get some wood off cuts from your local hardware shop).

4. Switch on phone B and ring phone A then place phone B on the table in a similar but complementary position to Phone A.

5. Answer phone A - you should be able to do this without removing it from the table. If not, don't panic, just return the phone to where you originally placed on the table.

6. Phone A will now be talking to Phone B whilst Phone B will be talking to Phone A.

7. Cooking time: This very much depends on the power output of your mobile phone. For instance, a pair of mobiles each with 2 Watts of transmitter output will take three minutes to boil a large free range egg. Check your user manual and remember that cooking time will be proportional to the inverse square of the output power for a given distance from egg to phone.

8. Cut out these instructions for future reference.

Note: We cooked our egg during the evening using free local calls, if you were to cook an egg for lunch it would cost £3.00 - not cheap but you do have the convenience.





Phone A > > > > > > Egg < < < < < < Phone B

 

Regarding THC as a cough supressant:

Just FYI, cigarettes will do the same thing. Nicotanic Acid paralyzes pulminary celia. Even back in the old days when one could smoke in a hospital, surgical patients were not allowed to: the incision anywhere from the neck to the groin would hurt when you take a deep breath so the impulse is to take shallow breathes which builds up pulminary fluids..this combined with the nicotanic acid's paralyzing effect on pulminary celia was/is an RX for pneumonia.

Same applies when one quits smoking, after two days you start to cough up and spit up this nasty brown phlegm...that is the mucus which was located in the paralyzed pulminary celia breaking up as the celia becomes flexible again.

I have no idea why I just posted this but it seemed like a good idea at the time. I was a marine corps combat surgical corpsman years ago and that useless little piece of trivia just occured to me....Gerry

Forgot to add that using THC as a cough suppressant is probably more fun for some. "Smokers cough" is a different story as it is caused by an irritation of tissue in the throat so the body is trying to expel the cause of the irritation. THC wouldn't help that cough either...it has a different physiological cause.

 

Sloppy RIAA 'investigation' attacked

p2p news / p2pnet: Did RIAA spokesman Jonathon Whitehead switch the names of two completely different p2p applications in a deliberate bid to fool a court hearing a p2p file sharing case?

The question is raised in an affidavit presented in the latest stage of Atlantic Recording v John Does 1-25.

The RIAA (Recording Industry Association of America) still claims the existence of metadata in shared folders is enough to prove copyright infringement took place, but the assertion has again been roundly attacked by programming expert Zi Mei.

"Whitehead shot himself in the foot with his latest declaration," Mei told p2pnet. "He asserts that all Does are Gnutella users, directly contradicting earlier testimony, which included pages of Kazaa screenshots.

"This demonstrates that he either doesn't have a clue what he's talking about, or that he's simply inventing evidence and switching to Limewire after we totally destroyed him on the Kazaa stuff, hoping no one would notice.

"It's obvious that Mr. Whitehead doesn't know Kazaa from a kazoo either, or he's simply pretending he doesn't. The RIAA's 'investigative' techniques are sloppy and harmful, to say the least."

After weeks of non-stop, principally voluntary, work to meet the February 7 deadline, Mei today submitted his second affidavit, revealing telling holes in RIAA spokesman Jonathon Whitehead's second set of assertions in Atlantic v. John Does 1-25, and also, "pointing out its inconsistencies with the first declaration, as well as its inconsistency with the way computers work, and with the way the internet works," says Recording Industry vs The People.
http://recordingindustryvspeople.blogspot.com/2006/02/zi-mei-slams-whiteheads-second.html


Zi recently appealed to p2pnet readers for help and he told us he was grateful for the input he subsequently received.

http://p2pnet.net/story/7742

In his affidiavit, Mei wonders if Whitehead deliberately and knowingly switched the names of Kazaa and Limewire p2p, "in an attempt to mislead the Court and reconcile flaws in his earlier testimony".

If that was the case, says the programmer, "it casts clear doubt as to his integrity".

Whitehead, "betrays either confusion or ignorance of how decentralized P2P networks like FastTrack (Kazaa) and Gnutella (Limewire) actually work," he states.

"Moreover," he goes on later in the paper, "Mr. Whitehead still has not even attempted to explain the process through which the plaintiffs allegedly obtained the IP addresses allegedly associated with defendants."

Go here for a .pdf scan of Mei's paper. We'll try and bring you a text version in the near future.
http://www.p2pnet.net/stuff/zi2.pdf

Meanwhile, definitely stay tuned. When it concludes, this case will further damage the Big Four's steadily eroding credibility and have an enormous impact on future sue 'em all suits.

Also See:
Atlantic v. John Does 1-25 - Tech expert hacks at RIAA evidence, December 29, 2005
Recording Industry vs The People - Zi Mei Slams Whitehead's Second "Declaration", February 7, 2006
p2pnet readers - Help Zi against the RIAA, January 27, 2006
http://p2pnet.net/story/7850
(Tuesday 7th February 2006)


Tech expert hacks at RIAA evidence

Ray Beckerman

p2p news / p2pnet: A technical expert working with the lawyer who's been handling the Patti Santangelo case hopes he'll be opening a new factual frontier, for the first time debunking supposed evidence upon which many of the Big Four Organized Music cartel's anti-p2p file sharing lawsuits are pinned.

Ray Beckerman has been looking for a way to crack the process through which Sony Music, Vivendi Universal, Warner Music and EMI supposedly "prove" someone has been infringing copyrights.

And Zi Mei is the man, Beckerman told p2pnet. "I've known him for a long time. He's brilliant."

Among other things, RIAA employee Jonathan Whitehead claims, "metadata accompanying each file [allegedly downloaded from defendants' computers by the RIAA] demonstrates that the user is engaged in copyright infingement," says Zi Mei in an affidavit supporting a motion to vacate an ex parte order.

'Ex parte' means, "one side has communicated to the Court without the knowledge of the other parties to the suit," says Beckerman in an earlier explanation of the way the RIAA identifies its victims. It's, "very rarely permitted, since the American system of justice is premised upon an open system in which, whenever one side wants to communicate with the Court, it has to give prior notice to the other side, so that they too will have an opportunity to be heard," he says.

But, Zi Mei goes on in the document, the RIAA doesn't even begin to explain how it manages to reach the conclusion that the metadata are proof of copyright infringement.

And that's not surprising, he says, "since there is no correlation whatsoever between (a) metadat in the files allegedly downloaded by the RIAA and (b) the origin of these files."

Zi Mei also emphasises that mp3 metadata are optional and may, or may not, be present in a file, and may or may not be accurate.

Since they're aren't part of the audio data, a computer or mp3 player can play files regardless of the existence or content of metatags, he says, also pointing out that literally anyone can create, edit or remove ID3/ID4 tags with software bundled with mp3 players, or any other easy to find applications.

"Simply put, there is no correlation between metadata in a file and the origin of the file," states Zi Mei in his document. "In no way can it be used as a tracking mechanism like a FEDEX or UPS tracking number.

"It certainly cannot be used to determine whether the files allegedly found on the defendants' computers got there legally or illegally, since those files could have been downloaded from an authorized online service, or copied legally from commercially purchased audio CDs.

Zi Mei also explains that moreover, hash files are equally useless as proof of wrong-doing.

On Recording Industry vs The People, Beckerman says at the core of the entire RIAA litigation process are:

(1) the mass lawsuit against a large number of "John Does";
(2) the "ex parte" order of discovery; and
(3) the subpoenas demanding the names and addresses of the "John Does".

"In Atlantic v. John Does 1-25, a case pending in federal court in Manhattan, a midwesterner sued as John Doe Number 8 has made motions which seek to knock out all three (3) prongs of the RIAA litigation machine," he declares.

"On December 1st he made a motion to sever the mass lawsuit, and dismiss as to John Does 2-25, on the ground that it is impermissible to join 25 unrelated defendants under the federal rules, where there is no connection between the defendants other than the fact that they are accused of engaging in similar, but unconnected, conduct.

"Also on December 1st, he moved to quash the subpoena issued to his ISP, on the ground that the RIAA has not sufficiently alleged any copyright infringement.

"Today, December 28th, he has moved to knock out the third underpinning of the RIAA John Doe weaponry - the ex parte order."

More to come on this. Stay tuned.

Also See:
earlier explanation - How the RIAA gets its victims, December 29, 2005
Beckerman - Programmer Challenges RIAA "Investigation" in Court Papers Filed Dec. 28th to Vacate "Ex Parte" Order, December 29, 2005
Patti Santangelo - Patti Santangelo fights Goliath: II, December 17, 2005

(Thursday 29th December 2005)
http://p2pnet.net/story/7451


Help Zi against the RIAA

p2p news / p2pnet: The members of the Big Four Organized Music cartel spare no expense in their bitter war against the 'consumers' whom, they claim, are thieves and criminals who "illegally" download music without paying for it.

This isn't, however, a criminal matter, efforts by the cartel's RIAA to elevate it to that level notwithstanding. It's a civil one. And what's at issue isn't if someone's broken a law – it's whether or not he or she has infringed a copyright, which is a very long way from "criminal" or "illegal".

But this time the Big Four aren't merely beating up on defenceless men, women and children who have no hope of matching their bottomless legal and financial resources.

Now the labels have You and the World Wide Web to contend with.

John Doe Number 8 – one of the cartel's more than 17,000 victims – wants a court to throw out an RIAA ex parte discovery order filed in Atlantic Recording v Does 1-25. But the RIAA's (Recording Industry Association of America) Jonathan Whitehead claims the metadata in John Doe Number 8's shared files folder shows illegal copying took place.

JDN 8's lawyer, Ray Beckerman, recently asked Zi Mei to check this out in detail.

Zi submitted an affidavit and now he's asking you to give him a hand.

Hello p2pnet readers:

Many of you have been following developments on the RIAA lawsuits for a while here and at Ray Beckerman's blog.

This time, we really need your help.

The RIAA has responded to my affidavit and I'm gathering research to put together a response that we need to send back to the courts by February 7.

This is a tight timeframe, so I'm calling on everyone to put on their thinking caps and contribute their thoughts on how we can fight this latest effort to misuse the American legal system.

Let's pull together and make a difference.

Please post thoughts and comments here or on Ray's blog http://tinyurl.com/9vejz.

Thanks folks.

Zi

And as he says on the blog, Recording Industry vs The People, "I'm just one guy, and I don't have the unlimited time and financial resources that the RIAA most certainly does. In the true spirit of p2p and distributed computing, let's put our brains together and fight these idiotic lawsuits. We're a lot smarter than the RIAA's hired goons, so let's put on our thinking caps and end this attack on our freedoms.

"Most of all, let's end this nightmare for dozens of the helpless people who are being sued."

By way of back-ground, as we said an an earlier post on this, 'ex parte' means, "one side has communicated to the Court without the knowledge of the other parties to the suit," says Beckerman in an earlier explanation of the way the RIAA identifies its victims. It's, "very rarely permitted, since the American system of justice is premised upon an open system in which, whenever one side wants to communicate with the Court, it has to give prior notice to the other side, so that they too will have an opportunity to be heard," he says.

But, Zi goes on in the document, the RIAA doesn't even begin to explain how it manages to reach the cnclusion that the metadata are proof of copyright infringement.

And that's not surprising, he says, "since there is no correlation whatsoever between (a) metadat in the files allegedly downloaded by the RIAA and (b) the origin of these files."

He also emphasises that mp3 metadata are optional and may, or may not, be present in a file, and may or may not be accurate.

Since they're aren't part of the audio data, a computer or mp3 player can play files regardless of the existence or content of metatags, he says, also pointing out that literally anyone can create, edit or remove ID3/ID4 tags with software bundled with mp3 players, or any other easy to find applications.

"Simply put, there is no correlation between metadata in a file and the origin of the file," states Zi in his document. "In no way can it be used as a tracking mechanism like a FEDEX or UPS tracking number.

"It certainly cannot be used to determine whether the files allegedly found on the defendants' computers got there legally or illegally, since those files could have been downloaded from an authorized online service, or copied legally from commercially purchased audio CDs.

Zi also explains that moreover, hash files are equally useless as proof of wrong-doing.

On Recording Industry vs The People, IndieFeed's Chris MacDonald posts:

I'm not so sure this is a technical question so much as an identification question. The metadata tag in question appears to be the "comments" field where ripping entities provide information about their software, or the individual who does the ripping. So to the extent that your collection has various and sundry comment "signatures" you could establish that the possessor of the file obtained the files from various and sundry sources, debunking any claim that the person lawfully transcoded the file from their cd to their own music management system. It's an interesting argument but it would seem to make sense.

Larry Rosenstein says he agrees MacDonald.

Zi Mei describes the technical aspects of metadata, including that it is optional (does not affect playing the tracks) and easily modified.

It becomes a legal question whether having tracks with a lot of different metadata characteristics is proof of infringement.

An analogy might be someone who has a collection of books with hand-written notes in the margins, all with different handwriting. Is that proof that the books are stolen?

And jaded posts:

In his declaration, Messr Whitehead indicates that 'Doe 8 is a user of the Limewire system' and that 'all of the Doe Defendants in this case are users of the Gnutella network'. This is interesting in light of the fact that all of the Exhibits associated with the original filing were screen-shots of Kazaa, which is not, from what I understand, a Gnutella network. It is its own network, I believe. This is an inconsistency that cannot be resolved with the material available, but does suggest there is some confusion on the part of the RIAA.

Beyond that, the User Log that is attached to the current declaration is a fabricated document (i.e., I do not believe that it is a report that can be readily produced by LimeWire, or probably even Kazaa). The only way that an association can be made between a users IP and the list of songs is to have a screen capture showing a download occurring from Doe 8 with Doe 8's IP address and nickname clearly visible (ergo the comment above re the depiction of Kazaa screen captures in the initial filing). The other piece that would be needed is a screen capture that associates Doe 8's nickname with the list of shared songs that are included in the attachment to the exhibit. I don't believe that LimeWire even provides a way for a user to dump (i.e., print) a copy of what files they might have in their own share folder. Given that, there obviously would be no way to easily print, or capture, the files shared by another. If there is a utility that the RIAA agents have used to automate this, it has not been disclosed and subjected to scrutiny.

Beyond that, there is the issue of metadata (and the hash codes, which was not discussed in this declaration). There is certainly a wealth of circumstantial evidence that suggests that the files might have been obtained from other sources, but there is no conclusive evidence. All of the evidence points to the use of a Comment field that anyone can alter at will. Now, would anyone not associated with a particular web-site type that web-sites URL into a file's ID3 comment field - one can only speculate. Is it possible - ABSOLUTELY. Anyone can do so.

There are, however, tell-tale markings that encoders do introduce into a file that serve to identify which encoder was used, but this is not metadata and only available by perusal of the binary file itself (there are some tools out there that attempt to do that - it's not an exact science). One must have physical copies of the actual files to do this level of investigation.

What has not been shown, and would be a simple matter to do, is an indication of exactly which files it is that the RIAA had downloaded from that list (one would expect that this file would be the same file shown to be down-loaded from the above screen capture). If this file has none of the attributes that Messr Whitehead alludes to in his declaration, then nothing is proven. Absent that, all that exists is a listing that purports to represent a number of files that contain arbitrarily changeable metadata (for the most part - bit rate and length is not changeable, obviously).

But what is there to prove that an arbitrary file that the RIAA has is, in fact, the specific file that was downloaded by the RIAA agents? There will be a time-tag associated with the created file, but that is also something that can be readily altered. There is, in fact, NOTHING that can be used to show conclusively that any file that the RIAA might have in its possession came from the alleged Doe 8. Even the hash code, which presumably would be shown as being the same as others shared files could come from any one of those sources (or even fabricated, as discussed below).

WRT the hash code, as has been previously indicated and captured in Zi's declaration, any rip/encode of a CD track with the same version of an encoder and quality setting (etc., etc.) should result in files with the same hash code. [I've not tried this myself, but am sufficiently intrigued to contemplate doing so.] Further, going to commonly available on-line metadata repositories would result in the same data being inserted as metadata which, once again, should result in the same hash code. Unique aspects of a files metadata, such as the Comment field discussed above, should also result in the same hash code if entered identically between the two files.

Says Zi in response (noting he's replying without having had a lot of sleep ; )

Yes, Whitehead conspicuously switches to Limewire in this document whereas previous RIAA documents I responded to referred only to Kazaa. They consisted of several Kazaa screenshots and no screenshots of Limewire or any associated exhibits mentioning Limewire.

This time Whitehead specifically and conspicuously names Limewire, stating that "ALL" users in the suit were Limewire users. It is important to note that their long SHA-1 list is the same format as the list in the Kazaa affidavit, and presumably generated from the same software. They're submitting this kind of list again now for Limewire. Doesn't this contradict earlier statements, Ray? They showed screenshots of Kazaa, not Limewire, but now they're attaching this "log". This is an obvious bait and switch tactic and reveals that they know their Kazaa attempts were fruitless and unfounded, so they're beginning anew with Limewire. Does anyone know what this is a "UserLog" of (item 5 in Whitehead)? A "log" has to be a log to something! I know Kazaa doesn't produce logs like this, and am pretty sure that neither does Limewire or any p2p application, but I have not used Limewire in a long time. This looks like some unnamed and unknown mumbo-jumbo software the RIAA goons are using, the validity and accuracy of which needs to be examined. It is not produced by any software that I know. I stand with jaded in his assertion that it is fabricated by the RIAA and not produced by any p2p application.

Given that Whitehead's earlier affidavit talks at length about Kazaa, but now he's switched completely to Limewire, how can we be certain that these are not TWO SEPARATE individuals? First, he showed us Kazaa screenshots in an attempt show unlawful downloading (which is not true, since they are just files in a shared folder). Now he's removed the screenshots and just left a SHA-1 list. No screenshots of Limewire are shown. Kazaa and Limewire are two completely different programs. This seems to be a clear case of misidentification. By way of an analogy, if I went to the police and said the burglar drove a white Ford Bronco one day, and then went back and said, no, it was a blue Honda Civic the next, they are not going to believe me. Whitehead simply says John Doe 8 is using Limewire, without presenting a screenshot or any evidence whatsoever. Where are these hundreds of files? I question their existence.

But more seriously, Whitehead deliberately chooses to ignore all of my questions regarding their investigative techniques and appeals to document their procedures. This lack of transparency to me and independent technical experts who are able to verify the veracity of their claims, or lack thereof, is not surprising. Their methods are unknown, so it cannot be determined whether they are scientific or not. They most likely are unscientific. Right now, it is just RIAA hocus pocus as to how they've obtained the defendant's IP address in this case and all other cases. Given the highly inaccurate, reckless, and fallacious claims that the RIAA has brought against numerous innocent people (Sarah Ward [a 66 year old woman who uses a Mac-- there is no Mac version of Kazaa ], Candy Chan [a computer illiterate mom ], Gertrude Walton [a deceased 83 year old grandmother], mistaking a child's Harry Potter book report as an illegal download, etc.), it behooves them to reveal the means through which they have identified John Doe 8, as it behooves the plaintiff in any case. The burden of proof has not been satisfied. Whitehead very deliberately avoids answering my probes as to how they got this IP address in the first place, so how can we be sure this is not another case of mistaken identity. Discussion on the extreme unreliability and inaccuracies of the metadata tags is moot until he can show definitive proof that this IP address is irrefutably accurate and properly ascertained, particularly when IP addresses are so easily spoofed, that many users use unprotected wireless networks, that ISP's assign the same IP address over any given period of time to a number of different people, among other important technical facts. Basically, Whitehead is saying "we found this smoking gun, and it's yours and you're in a lot of trouble" without any proof and expects the courts to accept that at face value. To this date, my technical challenge remains unanswered and their process cannot

be verified by an network engineer or internet professional. They're doing it all behind closed doors, and who knows what shenanigans they're pulling. When so much is at stake for John Doe 8 and other defendants, this question cannot go unanswered. Given the RIAA's awful record of getting things wrong, even basic facts such as whether an individual is even alive or not, we cannot trust them to be meticulous. The internet bountry hunters employed by the RIAA have an economic interest in identifying large numbers of people to sue and their carelessness is reflected in their work. The courts need to hold the RIAA to a higher standard instead of allowing them free reign to accuse and invade the privacy of users with these dangerous lawsuits.

Stay tuned, and if you have any thoughts you'd like passed on to Zi privately, please email me and I'll make sure they reach him. And - post his request anywhere useful you can think of.

Cheers!
Jon

(Friday 27th January 2006)
http://p2pnet.net/story/7742

 

Digital Music Biz Ain't Booming

Commentary by Joanna Glasner | Also by this reporter
02:00 AM Feb, 07, 2006 EST

Many people would consider me among the least qualified individuals to write a column about what's wrong with the digital music industry.

They'd have good reasons, too. For one, I don't spend any money on music. I've never purchased a CD by a living composer, never paid to download a tune and haven't bought a concert ticket in years.

Future Stock columnist Joanna Glasner
Future Stock
It gets worse. Not only do I not own an iPod, I've never used one. Call me a germaphobe. I don't like the idea of using someone else's earbud. The entirety of my music collection consists of tunes purchased or downloaded by other people. Most of the time, when I want music, I listen to over-the-air radio.

Music industry marketing gurus might think it wise to ignore people like me. Because they never made any money from me under the old regime of prepackaged albums and singles, why would they in the new era of digital downloads? Here's what they might not get.

I'm what I call business-model sensitive. That is, if the way something is marketed or priced doesn't appeal, I don't buy it -- unless I desperately want it. I prefer the price of a product to bear some relation both to the cost of producing it and its value to me.

It's this same business-model sensitivity that causes me to forgo cable television. Why should I pay for unlimited access when I don't watch more than an hour a day? It seems akin to paying for the all-you-can-eat breakfast buffet when I just want coffee.

Some would call such behavior cheap. I take great offense at such character assassination, although it may be true.

Either way, for someone who is business-model sensitive (or cheap, if you must), the digital music industry doesn't add up.

Here you have a product -- recorded music -- that costs very little to produce. Sure, you can spend a fortune on sound studios and videos. But even an amateurish recording of a live performance sounds OK. Nearly everyone knows some struggling band that has put out a decent-sounding release on a shoestring.

Once a recording exists, reproducing it costs next to nothing. Because most of us pay a flat monthly fee for internet access, there's no extra cost to send or receive a music file. CDs are also cheap. A pack of blank ones sells for a few dollars.

How, then, does the list price of a new music CD get to around $18? Why does it cost a dollar to download a song on iTunes? While $1 isn't much money, it seems high for something that costs nothing to reproduce.

The Recording Industry Association of America maintains that CD prices are actually quite low when one factors in promotional costs, like videos, advertising and concert tours. The dollar you spend on a digital download may also seem less exorbitant when you consider it gets split between label, retailer, performer and so on.

I'm not convinced. Plenty of other content online is free, including most news, and editors, writers and publishers are paid for their work, and in some cases, even make a profit. By comparison, the pay up-front business models of the modern digital-music industry seem like losing propositions. Surely something better will come along to decimate the status quo.

Thus far, reality has proven me wrong.


Shares of Apple have quadrupled in the last two years, boosted by iPod and iTunes sales. Stock in Napster, the music-download subscription service formed from the defunct file-trading site, surged more than 30 percent last week following news reports about a rumored alliance with Google. And shares of RealNetworks, which runs the Rhapsody music subscription service, are also up more than 50 percent in the last six months.

Sales of music downloads and streaming services are also growing at a brisk pace. The International Federation of the Phonographic Industry recently reported that global digital music sales tripled to $1.1 billion in 2005. About $400 million came from downloads of cell-phone ringtones. As for songs, people downloaded 420 million single tracks from the internet last year, about 20 times more than two years earlier.

Those numbers may sound encouraging. But put in perspective, it's hard not to conclude that these are actually piddly sums.

Look at it this way. According to Box Office Mojo, a movie-data site, the top-grossing films of 2005 (based on worldwide revenue recorded as of Monday) were:

1. Harry Potter and the Goblet of Fire: $880.2 million
2. Star Wars: Episode II -- Revenge of the Sith: $848.5 million
3. The Chronicles of Narnia: The Lion, the Witch and the Wardrobe: $638 million
4. War of the Worlds: $591.4 million
5. King Kong: $534.6 million
6. Madagascar: $527.6 million
7. Mr. & Mrs. Smith: $477.5 million
8. Charlie and the Chocolate Factory: $473.4 million
9. Batman Begins: $371.9 million
10. Hitch: $368.1 million

Remember, these are the revenues of an industry that's also reeling from rampant piracy. You'd think the global online music business would at least be able to outdo the combined take of No. 5, a remake starring a giant ape and No. 4, a Tom Cruise flick about alien invaders with all the visual appeal, according Roger Ebert, of an "ungainly erector set."

Even cat litter is selling better. In the United States alone, people spent an estimated $1.2 billion last year on the stuff, according to Information for Industry, the corporate sponsor of Business Trend Analysts. Granted, cat litter is a much more mature market, having been around since the 1960s. But still, what does it say when the global download business doesn't even exceed the amount Americans spent to fill boxes that collect feline feces?

Among other things, it says something is probably unappealing about the current model for selling downloads.

I like the idea of pricing digital music at a level that makes it disposable. So, if my hard drive gets fried, my CDs get scratched or my iPod falls into the toilet, and I don't have backups, I'd be able to repopulate my music collection at reasonable cost.

By this line of reasoning, the appropriate price for a song download should probably be no higher than a quarter. I think a quarter is still too much to motivate me to spend money on music. I'd rather pay 10 cents, or, ideally, get songs for free.

But like I said, I'm probably not the best target market. I'm still fiddling with the antenna on my TV to see if I can receive one or two stations clearly. That way, I won't have to pay for cable.
http://www.wired.com/news/columns/0,70170-0.html?tw=rss.index

 

Have mad respect for you Ireland.

 

Multiple Vulnerabilities in Mozilla Products
Well, they say the same thing about Internet Explorer.

Hell, personally I think nothing we use is perfectly safe. Well, that's not true... turning off the power to ones computer does make one about as safe as they can be.

Mozilla software, including the following, is affected:

- Mozilla web browser, email and newsgroup client
- Mozilla SeaMonkey
- Firefox web browser
- Thunderbird email client

- US-Cert.gov


Multiple Vulnerabilities in Mozilla Products
Original release date: February 7, 2006
Last revised: --
Source: US-CERT
Systems Affected

Mozilla software, including the following, is affected:

* Mozilla web browser, email and newsgroup client
* Mozilla SeaMonkey
* Firefox web browser
* Thunderbird email client

Overview

Several vulnerabilities exist in the Mozilla web browser and derived products, the most serious of which could allow a remote attacker to execute arbitrary code on an affected system.
I. Description

Several vulnerabilities have been reported in the Mozilla web browser and derived products. More detailed information is available in the individual vulnerability notes, including:

VU#592425 - Mozilla-based products fail to validate user input to the attribute name in "XULDocument.persist"

A vulnerability in some Mozilla products that could allow a remote attacker to execute Javascript commands with the permissions of the user running the affected application.
(CVE-2006-0296)

VU#759273 - Mozilla QueryInterface memory corruption vulnerability

Mozilla Firefox web browser and Thunderbird mail client contain a memory corruption vulnerability that may allow a remote attacker to execute arbitrary code.
(CVE-2006-0295)
II. Impact

The most severe impact of these vulnerabilities could allow a remote attacker to execute arbitrary code with the privileges of the user running the affected application. Other impacts include a denial of service or local information disclosure.
III. Solution
Upgrade
Upgrade to Mozilla Firefox 1.5.0.1 or SeaMonkey 1.0.

For Mozilla-based products that have no updates available, users are strongly encouraged to disable JavaScript.
Appendix A. References

* Mozilla Foundation Security Advisories - <http://www.mozilla.org/security/announce/>
* Mozilla Foundation Security Advisories - <http://www.mozilla.org/projects/security/known-vulnerabilities.html>
* US-CERT Vulnerability Note VU#592425 - <http://www.kb.cert.org/vuls/id/592425>
* US-CERT Vulnerability Note VU#759273 - <http://www.kb.cert.org/vuls/id/759273>
* US-CERT Vulnerability Notes Related to February Mozilla Security Advisories - <http://www.kb.cert.org/vuls/byid?searchview&query=mozilla_feb_2006>
* CVE-2006-0296 - <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0296>
* CVE-2006-0295 - <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0295>
* Firefox - Rediscover the Web - <http://www.mozilla.com/firefox/>
* The SeaMonkey Project - <http://www.mozilla.org/projects/seamonkey/>

http://www.us-cert.gov/cas/techalerts/TA06-038A.html

 

p2p file sharing is on the rise

p2p news / p2pnet: The desperate Big Four Organized Music Goliaths say their p2p file scaring tactics are either significantly reducing the numbers of people using the p2p networks, or the numbers are static.

Depends on if you're talking to the RIAA (Recording Industry Association of America - Down) or IFPI (International Federation of the Phonographic Industries - Static), both owned by the Big Four, Warner Music, Vivendi Universal, EMI and Sony BMG.

However, the real story is: the numbers of file sharers in the US and around the world continues to rise, says p2p research firm Big Champagne.

Below are it's latest findings:



(Tuesday 7th February 2006)

 

Brain scans reveal power of Super Bowl adverts

* 16:09 07 February 2006
* NewScientist.com news service
* Roxanne Khamsi



Brain scans of Super bowl viewers suggest that certain commercials more effectively excite the brain’s empathy and reward centres, making them "light up".

Companies spend millions of dollars to air commercials during the Super Bowl – one of the most watched US broadcasts of the year – in hopes that the advertisements will capture consumers' imaginations and their brand loyalty. Now researchers in California have used brain scans to gauge how much of an impression the ads from 2006’s sporting spectacle might have had on the brain.
NS Forum
Will advertisers one-day make use of studies like this? Should they?
Discuss this story >>


Five volunteers were tested on Sunday evening, just after the American football championship ended, as part of a preliminary experiment led by Marco Iacoboni at the University of California, Los Angeles, US. Their brain activity was monitored using functional magnetic resonance imaging (fMRI) as they watched more than 20 commercials which had aired during Super Bowl.

“The complete analysis shows that the best ads are the Disney/NFL ad and the Sierra Mist ad,” he says, referring to the theme-park and soft-drink commercials. “In the Disney ad, NFL players ecstatically repeat ‘I am going to Disney’. I can see how this ad can elicit strong empathic responses.”

“The Sierra Mist ad is a funny ad about an airport search. Maybe viewers identify with the character because they are fed up with these extensive airport searches that are not convincingly effective,” Iacoboni suggests.
Mirror neurons

The researchers found that the ads produced variable effects in the reward-related areas of the brain, such as the ventral striatum and the orbitofrontal cortex. They also found that some commercials caused more activity in the brain regions known to contain "mirror neurons", indicating empathy.

Previous studies have revealed that mirror neurons fire in an animal’s brain when it completes a task or sees a counterpart from the same species complete that same task.

The team also looked at how the Super Bowl ads sparked activity in the visual and auditory regions of the brain. But Iacoboni says that the commercials typically produced only short-lived activity in these areas.

“A bad ad would show activity only in visual and auditory areas,” he says, adding that good commercials also left a lasting impression on the brain’s reward and empathy centres.
Beer and women

One ad that succeeded in striking an emotional note, according to the study, was the commercial for a Michelob beer, which featured a woman playing American football with her friends. In an initial analysis of two of the five volunteers, the researchers found that this sketch caused mirror neurons in the female brain to fire, indicating empathy. But in the male subject the commercial produced activity in reward-centres of the brain.

But the ad for Budweiser beer, which featured a "secret fridge", managed to stir the brain’s visual areas only. This suggests that it might be less effective but, in fact, consumer rankings by newspaper USA Today put this commercial as the most popular.

Iacoboni stresses that the study examined only a few people, which limits the generality of the findings. “We have too few subjects to achieve the statistically reliable effects required by peer-reviewed journal articles,” Iacoboni explains. “However, we think we gained great insights about the human brain, and we will likely use these insights in future studies.”
Printable version Email to a friend RSS Feed

 

HOT NEWS,
French court rules in favor of private P2P use

2/7/2006 8:31:42 PM, by Ken "Caesar" Fisher

On the eve of France's Parliament returning to discuss the possibility of legalizing P2P via a compulsory or global license, the French judiciary has sent a message to deputies a day early, clearly siding with non-commercial users of P2P applications. The message from the French tribunal actually dates back to December 8 of last year, but the decision has just been made public in a rather serendipitous way. As the French think about the possibility of making P2P legal by merely charging internet users a flat monthly fee, the court looks to be suggesting that current usage is already legal.

At issue was the fate of a young man ("Antoine G") charged with uploading and downloading over 1,200 audio files whose copyrights were represented by a French recording industry organization, the Société de Civile de Producteurs Phonographique. After a victory in a lower court, the SCPP had to represent its case to the district court of Paris (Tribunal de Grande Instance de Paris), seeking a final judgment against the man accused of the non-authorized reproduction and distribution of commercial content. The defendant had been an avid user of Kazaa, and during 2004, his activities were monitored by agents of the SCPP, revealing him to be a frequent user of the P2P network. He allegedly had almost 1900 files containing copyrighted materials.

The ruling from the district court is rather clear (PDF, in French): the defendant was making use of these files for private, personal use, and thus his use was legal. According to the court, French law permits citizens to make fair use of copyrighted materials so long as that usage is not collective, or for commercial gain. Similar laws in Canada have also been used to attempt to differentiate between methods of exchange and legitimate use. In 2004, a Canadian court ruled that P2P applications were akin to photocopiers and that files on the network were like library books; the mere act of making a file available for download, for instance, would be no different than a library making a book available. How someone makes use of a copyrighted work (e.g., photocopying a portion for personal use as opposed to making entire copies for resale), not what tool is used, is of prime importance. Regardless, the P2P situation in Canada is still rather unclear, and lobbyists there are working hard to see the law changed to so that any such use is unequivocally illegal.

For now, the French court appears to be giving the go-ahead not only for downloading music on P2P networks for personal use, but also for sharing files that have been downloaded.
The Association of Audionautes, which is leading the defense, is a non-for-profit organization founded by French students as a means of defending against infringement claims made on behalf of the music industry. They have released an English press release celebrating the victory (PDF).

"This most recent decision is consistent with the definitive decision of the French Appellate Court of Montpellier. It is an important stepping stone in our fight to legalize P2P," said Jean-Baptiste Soufron, Legal Counsel of the ADA.

The ADA and the SCPP will see each other soon enough. The SCPP has appealed the decision to a higher court, although where things go from here on out appear to be in the hands of the French Parliament.
http://arstechnica.com/news.ars/post/20060207-6135.html

 

Where Did Firefox Come From?

ffox The story of Mozilla is long and rich in detail. There are many perspectives. This is mine.

I got involved with Mozilla because I loved the idea of working on something that had the potential to make an impact on millions of people. My friends and I lived in our browsers, so there was also a tangible payoff for contributions that made it into a shipping Netscape release. After switching gears on the layout engine, it looked like Netscape needed all the help it could get. In early 1999 only the most basic elements of the old Communicator suite were in place in the new browser; you could barely browse or read mail as Netscape's engineers worked furiously to erect the framework of the application. Inside Firefox - The Inside Track on Firefox Development

Where Did Firefox Come From?

The story of Mozilla is long and rich in detail. There are many perspectives. This is mine.
Getting Involved

I got involved with Mozilla because I loved the idea of working on something that had the potential to make an impact on millions of people. My friends and I lived in our browsers, so there was also a tangible payoff for contributions that made it into a shipping Netscape release. After switching gears on the layout engine, it looked like Netscape needed all the help it could get. In early 1999 only the most basic elements of the old Communicator suite were in place in the new browser; you could barely browse or read mail as Netscape's engineers worked furiously to erect the framework of the application.

I thought about what I could offer. It was difficult — through my website I had taught myself JavaScript and HTML, but I did not know C++. Perhaps more importantly my AMD K6/166 was not really capable of compiling a codebase as large as Mozilla (even when it could almost fit on a floppy!). What I did notice though was that the user interface was being developed using something similar to HTML and JavaScript. Realizing that my fussiness and attention to detail could be useful, I began working on improving the UI. I became involved both polishing the developing browser front end and in the design of the XUL toolkit that rendered it. After a few months I was offered a job on the Browser team.

It was mid January, 2000, and I stood in the dimly lit international arrival lounge at SFO waiting for my ride. After a few moments a smiling man with a burst of reddish hair approached. It was gramps, and I had arrived.
An Awkward Alliance

The relationship between Netscape and the Mozilla open source project was uneasy. Mozilla wanted an independent identity, to be known as the community hub in which contributors could make investments of code and trust, while companies like Netscape productized the output. Netscape was not satisfied to let Mozilla turn the crank however; building and shipping a product with as many constraints as the Netscape browser was — and remains — a mighty challenge. Netscape was convinced it was the only one that knew what needed to be done. At the time, I think it was true.

While there were many community volunteers, there were more missing essential features than were present. There were more unfixed critical bugs than fixed. The only organization that had a strategy to drive the ominously lengthy bug lists to zero was Netscape.
Netscape's Communication Problem

Netscape made two mistakes. They did not publish enough product management information to enable the community to help them achieve their goals. They did not even consistently communicate what these goals were. The cohabitation of engineers and PMs did not contribute to open dissemination of information as it was easier to communicate with your immediate team than those on the outside. Without understanding the importance of publicly available documentation to effective community development, the extra steps to publish the results of internal discussions were not always taken.

The other mistake was not having a clear vision for product development. For the folks working in Client Product Development (CPD — the browser/mail software division at Netscape), the idea was to rebuild and improve upon the Communicator suite using the newly selected layout engine. The goal was to make a better browser and mail reader.[1]
Netcenter's Agenda

More importantly however, Netscape had to make money to survive. Across campus, the Netcenter division management had browser ideas of its own. Once the most popular site on the web, Netcenter's fortunes were waning as users switched to other portals like Yahoo and MSN. Netscape had to replace revenue from declining traffic and it looked at what it could do to differentiate itself. The one thing Netcenter had was close affiliation with a browser. Netcenter sought to monetize the browser in two ways: by linking the browser very closely to the portal itself in design and content and by linking the browser to features supplied by business deals.

Netcenter passed various requirements on to CPD. Over time these included things like a browser “theme” that was supposed to merge seamlessly into a particular iteration of the Netcenter web site. Users could be forgiven for thinking, when using the freshly themed browser, that their monitor was broken. Adding to the injury was an overload of links in the browser UI to Netcenter and partner properties, and a large eye-catching but mostly useless sidebar panel with additional partner content vying with web content for the user's attention.

Eventually, Mozilla.org forced Netscape to push most of its business specific functionality into its own private branding cvs server, where features like Netscape Instant Messenger were also developed. The controversial “Modern” theme, panned in the Netscape 6 Preview Release 1, was eventually removed and replaced by a more stylish but similarly non-native theme.
Mozilla's UI Dysfunction

Since most of the user interface design for the Netscape products was done by Netscape staff working to Netcenter requirements, the Mozilla user interface suffered. Instead of being a clean core upon which Netscape could build a product to suit its needs, the Mozilla suite never felt quite right; it was replete with awkward UI constructs that existed only to be filled in by overlays in the Netscape's private source repository — the “commercial tree.”

Compounding this dysfunction, at the time the project was being developed by over a hundred engineers in different, sometimes poorly connected departments within CPD. Netscape had grown rapidly in previous years, and with an uneven hiring bar engineers with abilities that would suggest they needed more assistance from others had far too much autonomy in feature design and implementation. User experience assistance was sparse, and as a result the application quickly bloated.
Fighting For Change

Engineers in the Browser and Toolkit groups were not happy with the way things were going. For my part, I began working on what would become known as the “Classic theme” — a visual appearance that respected the system configuration and would later form the foundation of what would be Firefox's theme. Since I had little graphic design talent I used icons from Netscape 4. This became the default theme for Mozilla distributed releases, Netscape ultimately choosing to use its “New Modern” theme for Netscape 6. Several of us argued strenuously against this decision but were unsuccessful. In the eyes of reviewers, the alien appearance of Netscape 6 would be the straw that broke the camel's back. Suck.com, an early pop-culture review, wrote an article decrying the themed interface, using Netscape 6 as its prime example of the failure of theming.

Despite the failure of Netscape 6, engineers were still enthusiastic about continuing development. Now that Netscape could include its partner customizations[2] — engineers called them “whore bars” — in its commercial tree, the engineering teams focused on improving the Open Source releases instead, hoping Mozilla would be the suite they had dreamt of building. Netscape branded products were largely ignored.

Many contributors, myself included, pushed for further improvements to the user interface. We got extensive pushback from people within the company. On more than one occasion I tried to flex my muscle as “user interface module owner” (Mozilla parlance, then a something of a novelty — Mozilla had granted me this role in an attempt to show autonomy in project development after the disaster that was the original Modern theme). It did not go well. Weak management stressed the importance of seniority over logic when it came to feature design. I was told I could not expect to use Open Source tricks against folk who were employed by the Company (all hail!). I held true to my beliefs and refused to review low quality patches. I was almost fired. Others weren't so lucky. It became a source of great frustration and disillusionment for me. I lost motivation. I realized Netscape's Byzantine stranglehold permeated the design of the Mozilla product still, and that now as a Netscape employee I was expected to use my “module ownership” to support its whims. I was to be a puppet.

I disengaged. I no longer treated every patch I thought was low quality as a battle to be fought and won at all costs. Netscape and Mozilla continued to ship releases. The application improved in terms of stability and performance, but the user interface remained baroque.
New Beginnings

One night in mid 2001 I went to Denny's late at night with David Hyatt. Dave is the sort of person with an enthusiasm that is magnetic. You cannot help but become caught up in the excitement of the ideas generated during a discussion with him. We discussed the rot within Mozilla, which we blamed on Netscape and Mozilla's inability to assert independence. He suggested it'd be perhaps preferable to start again on the user interface – much of the code in the front end was so bloated and bad that it was better off starting from a fresh perspective. We talked about using C# and .NET, and Manticore was born. As is often the case with ideas and prototypes, the fun quickly deteriorates into tedium as the magnitude of the task becomes clearer. A couple of weeks after it was begun, Manticore died. Dave tried again though, first with Camino, and finally with Firefox.

These browser efforts were reactions to the rot we had seen in the Mozilla application suite. As Netscape began to lose favor within AOL, Netcenter's grip on CPD loosened, and the strength of the community grew. However even after Netscape cleaned up a lot of its engineering operations the UI did not improve. Rapid improvement to the user interface was now restrained by the same processes established to preserve code quality when weak engineers had free reign to check in.

There was no organized vision for the browser UI, and the ability to make changes was too widely distributed: anyone could make any change or addition to the UI as long as they had two other reviews. There was no clear plan for improving the resulting clutter. There was no vision.

Firefox was different. After 0.6 I laid out a plan for reaching 1.0. After a few cuts and sanity checks, a year and a half of engineering work by a motivated core of engineers on the front end and the continuing development of Gecko beneath, Firefox 1.0 shipped.

During this time Mozilla finally gained the independence it had long sought, establishing a non-profit foundation on the same day many of the remaining client engineers at Netscape were laid off in a mass termination that can only be described as a bloodbath.

There was and remains much resentment towards Firefox and its development model. At its creation, there was much shouting about how the many were not always smarter than the few, the merits of small development teams with strong centralized direction, the need to adhere strictly to Mozilla's module ownership policy[3]. In practice, these statements resulted in effectively locking everyone but the Firefox team out of the Firefox source code. We railed against the inefficiencies of past UIs. We were unnecessarily harsh, and polarized opinions. We had been badly wounded by the Netscape experience and the disorganization that had followed. I don't think a lot of people understood that. It wasn't something we could easily communicate.

To many, it looked like we were breaking ranks. We were claiming their work had no value. It was said that what we were doing went against the principles of community development. That wasn't true — as most open source projects are centrally managed by a small few. Many have well defined release plans and maintain tight control over what contributions make it in. We had hurt our case though by being so dogmatic up front. We did not do a good job of PR.
Vindication

We were determined, and we brought the product through to a 1.0 release. It was a long, difficult, all consuming road. I may eventually write more about it. But for now I'll just say that despite the rocky start, and the criticisms faced along the way, the model worked. It worked better than it ever had before for Mozilla or Netscape. Firefox 1.0 shipped to over a million downloads on the first day alone, 10 million downloads in ten days, and over a hundred million downloads before it was replaced by Firefox 1.5 just over a year later.

Today Firefox is one of the brightest stars in upcoming tech brands. It was voted by BrandChannel readers as the number 7 global brand across all segments — ahead of eBay and Sony. It is the first browser to stem the decline of market share against Internet Explorer and has reclaimed a healthy 10-25% share depending on country. It is still growing. Firefox's mail counterpart, Thunderbird, is a successful and comprehensively featured mail application. The dream that team of engineers had back in the darkest days of Netscape 6 product hell had been delivered at last.
Here & Now

I am writing this because I want to provide a historical perspective on where we are today with Firefox. A lot has been told about the development of the Firefox browser since Firefox 1.0. The reality is that the story is bigger than just Firefox 1.0. It goes back years, spans continents, and includes a cast of thousands. It's a fantastic story, with all of your standard themes — greed, rage, turmoil, love lost. But mostly it's a story of dedicated people laboring to create something they truly believe in. That's something I think everyone should be able to relate to - no matter what their walk of life. That's why Mozilla is so powerful and extends well beyond just Firefox.

For me, the story included the realization that I had never believed in something this much before, and discovering how easily and arbitrarily your dreams could be snatched away. Ultimately though I realized that with some patience and good old-fashioned hard work, anything is possible.

Over the years, Mozilla finally gained the ability to be that crossroads where people could come together and share their thoughts on the internet and where it is going. Different people have different ideas, and these are borne out in the different projects that exist: Camino, SeaMonkey, Thunderbird, Sunbird, Chatzilla, Bugzilla and so on. These projects create the ecosystem that is Mozilla. While related projects may not always agree on approach, the work that is done is inevitably beneficial — one project feeding off the ideas of another, and vice versa. Whatever project scratches the itch of any particular person, having their contributions and ideas around is beneficial for all projects. Generic tools to support many instances provide a backbone to support today's demands and tomorrow's as well.

Firefox is so successful today that it is gaining attention from many quarters. Many new contributors are finding the project and new ways to help out. This sort of thing is essential to keep the project vibrant and maintain the flow of innovation. It is important that those of us who've been round the block a few times share what came before, what did and did not work. The struggles that were fought, the price that was paid. This project has not been successful by accident. Its success represents the sum total of the energy expended by thousands people around the world for more than half a decade.

No contributor, no matter how new they are or what their motivation should let the story of Mozilla stray too far from their mind.
http://weblogs.mozillazine.org/ben/archives/009698.html

 

Microsoft Tool - Clear Cache Tool
This looks like a keeper.

This program is intended to automatically delete all temporary Internet files, cookies, and history files when it is installed and executed. The program was developed to programmatically clear these files when a corrupt entry caused errors with Internet Explorer.

System Requirements

* Supported Operating Systems: Windows XP Service Pack 1

Microsoft Internet Explorer 6.0 and later

Instructions
The program can be run directly from the Web site by clicking 'Run' when prompted. If you choose to save the program, run the program from the location to which it was saved. The program will automatically delete all temporary Internet files, cookies, and history files.

*Note- The program must be run each time the user wishes to automatically delete all temporary Internet files, cookies, and history files.


Additional Information
- Running this program does not send any information to Microsoft.
- Running this program might delete passwords that are stored in your temporary storage location.
- Before you use the tool, make sure you have the passwords for websites you visit on a regular basis.
- Running this program might cause some webpages to work incorrectly. This means that personalization you have set up on websites that use cookies might not work after you delete cookies.
- You can remove this program at any time

http://www.microsoft.com/downloads/...59-3b28-4801-8729-05335902ce79&displaylang=en