Upgrade Your Home Entertainment

TV aficionados have a number of things to look forward to this year, as vendors are poised to upgrade everything from HDTVs to set-top boxes to recorders for both the living room and the PC. That means bigger screens, better color quality, and more choices in recording and viewing your favorite shows.

TVs are getting some of the more significant upgrades. To start with, Sharp's splashy demonstration of a whopping 108-inch prototype LCD set further cements the notion that LCD can compete with plasma at the largest screen sizes, says Eric Haruki, IDC research director for digital TVs.

Sharp's new plant, which produced the megaunit, can also make cheaper 46-inch and 52-inch LCDs. The upgraded capacity drives down prices at those sizes, Haruki adds. When Sony and Samsung open their own next-generation LCD plants later this year, that downward price trend will continue.

Also look for HDTVs with 120-Hz refresh rates (60 Hz and 75 Hz are standard currently) and HDMI 1.3 connections. The higher refresh rate will offer better clarity; Philips, Samsung, and Sharp are readying such sets. HDMI 1.3 provides more throughput, which enables improved color fidelity (Panasonic, Samsung, Sharp, Sony, and other vendors have these new HDTV sets).

This spring and summer, you'll also start to see TVs and set-top boxes with CableCard slots. The Federal Communications Commission mandated that set-top boxes shipping after July 2007 come with the cards. The technology will let you choose a set-top box you like--with the storage and processing power you prefer--so that you aren't bound to the device that your cable or satellite Service provider gives you.

Three Minutes With Vista Security Analysts

Microsoft has been ballyhooing Windows Vista's security for years, saying that it will prove to be its strongest, toughest operating system ever.

But now that the long-awaited operating system is out, how will Vista really stack up? Ben Fathi, the former head of Microsoft's security group and now the chief of development in the Windows core operating system group, recently set the security bar.

"I made a statement six or nine months ago that I would like to see half as many vulnerabilities as XP [had] in the first year," Fathi said earlier this month at the RSA Conference 2007 in San Francisco. "Obviously, I'd like less than that; I'd be happy with zero. But I think it's reasonable to say, given the additional complexity and the additional size of Vista, that half as many would be a great goal."

In the first year after Windows XP debuted in October 2001, Microsoft posted 30 security bulletin pegged to the Home version of the then-new operating system. (Unlike today, Microsoft didn't spell out the number of vulnerabilities in each bulletin.)

For Microsoft to meet Fathi's goal, that means 15 or fewer security updates will tag Vista before the end of January 2008--a year after the retail/consumer release. Is Fathi being overly optimistic, or is he being conservative in the hope that the first 12 months look even better than predicted? Computerworld asked a half-dozen security researchers and analysts for their take on Fathi's target. Not surprisingly, they don't all agree on whether the security objective is obtainable--or out of the question.

Minoo Hamilton, senior security researcher, nCircle Network Security

"I agree when he says that it's a 'great goal,' where 'great' implies tremendous luck and fortune. Whether it's a reasonable goal, it will remain to be seen, but I don't think so. I think that would be quite spectacular, if it came to pass.

"I think he's overconfident, but also speaking hopefully. They've put a tremendous amount of effort into improving things in Vista. I just think a few factors make that harder to come to pass. First, there is so much new code and new opportunity for vulnerabilities. Secondly, the ease, speed and ability of people to find flaws have really improved.

"I think the age of mass-proliferating Internet worms in waning, because the remote surface space is finally starting to diminish. This may partly be due to host-based firewalls and better enforcement of IT policy, but also--in the case of Vista--more standard OSs are starting with a more conservative approach to exposure. How this shifts the offensive tactics of malware and virus writers, I can't be completely sure, since it's incredibly hard to predict. But I think this will force them into continuing the trend toward browser, e-mail and parsing exploits.

"In the case of Vista, owning a box will now require multiple hoops or combining exploits, like a browser vulnerability and a local vulnerability that gives privilege escalation, for example. In any case, I believe this raising the bar will coincide with the trend of increased sophistication of attackers and balance out.

"I am not expecting a huge decrease in Microsoft vulnerabilities. My best guess is more likely a 20% decrease, if that."

Michael Cherry, analyst, Directions on Microsoft

"Making these kinds of predictions is like saying when you're going to ship. If you're right, no one pays attention. But if you're wrong, they'll rub your nose in it.

"Actually, I don't want to set my mindset to a certain number of vulnerabilities, or say a certain number is acceptable. I don't care if it's only one vulnerability, because if it's really, really bad, that's worse than 20 cosmetic bugs. Better, I think, would be to set a goal that says 80% of the vulnerabilities in the first year will be [rated] important or less.

"Fathi should have said, 'We are just not going to discuss counting' and leave it at that.

Graham Cluley, senior technology consultant, Sophos PLC.

"I have to say that I admire Microsoft's optimism.

"I would perhaps be more cautious than Fathi because in the last five years, the number of hackers and researchers who are examining Microsoft's code for vulnerabilities with ever greater intensity has increased. Furthermore, we have seen a number of legitimate security companies (including some who may have a vested interest in debunking Microsoft's status as a security player) put efforts into finding flaws in Microsoft's code.

Phishing Sites Explode on the Web

Think the new built-in phishing filters in Internet Explorer 7 and Firefox 2 will protect your private data? Think again. The number of sites devoted to phishing skyrocketed last year, and the number of Americans taken in by phishing schemes has nearly doubled. In November 2006, the last month for which data is available, the Anti-Phishing Working Group found 37,439 new sites, up an astounding 709 percent from the 4630 sites in November of 2005. (Click on the "Image Enlargement" icon above to see the chart showing this trend.)

Last October, both Mozilla and Microsoft released new versions of their browsers that use blacklists to block access to known phishing sites. In response, resourceful phishers are flooding new fake Web sites onto the Internet too quickly for them all to be shut down or blacklisted.

The alarming ease with which the fraudsters changed course, plus other new phishing tactics, makes some security experts say that phishers have the upper hand in the war against online fraud.

"Ultimately," warns Zulfikar Ramzan, who is a senior principal researcher with Symantec's Security Response Group, "technologies that rely heavily on blacklists are going to be useless."

Easy Phishing
According to RSA, a security vendor, hackers in January started selling a phishing kit that lets criminals set up very convincing fake Web sites with little effort. The fake site pulls images and layouts from the real site, usually a bank or other financial institution, and passes the user's information back to the real site to mimic a regular log-in--while keeping a copy of the account data for the criminals.

The draw, of course, is ever-increasing profits. Research firm Gartner estimates that 3.5 million Americans gave up sensitive information to phishers in 2006, an 84 percent jump from the previous year--for a total loss of $2.8 billion. One single phishing gang, called Rock Phish, is estimated to have taken in more than $100 million.

According to security experts, Rock Phish has pioneered many of the techniques that have contributed to the recent jump in phishing sites. And the image spam that hides its pitch from filters by embedding it in a picture was a Rock Phish invention, these experts say. On some days this one group, which specializes in spoofing U.S. and European financial institutions, may account for as many as one-half of all the phishing sites in operation, according to researchers.

Heuristic scanning may help combat the scourge. Instead of depending on a blacklist of known phishing sites, it analyzes a site's behavior, looking for techniques commonly used by phishers. IE 7 uses heuristics, as does the free SiteAdvisor browser add-on for IE and Firefox.

An emerging standard for a new type of site certification--called Extended Validation Secure Sockets Layer, or EV SSL--may also help. To get this certificate, sites will have to be checked out by third parties like VeriSign or Entrust to make sure that they at least appear to be legitimate. On such sites, the browser address bar will turn green.

Microsoft supports EV SSL in its IE 7 browser, and major online-commerce sites such as PayPal have now started to come on board as well.

But if the current surge in phishing sites demonstrates anything, it's that phishers can and do get around automated tools and procedures to protect their sizable profits. Recently they have been developing new technologies that could well thwart protection measures like EV SSL, according to Avivah Litan, a Gartner analyst.

Litan, who doubts EV SSL certificates will have much impact on phishing, believes security technology firms deserve some of the blame for the growing phishing threat.

"The security industry has been a little arrogant," she explains. "I don't think that people realize how sophisticated these [online] criminals are."

Best Defense
Although no magic bullet may exist now (or ever) to safeguard us all, there is one simple way to protect yourself from the majority of phishing attempts: Never click a link in an e-mail or on a third-party site to go to any of your financial accounts. If, instead, you always use your own bookmark or type in the address, even when you're 100 percent certain that the e-mail is legitimate, you should be safe.

Automated tools, such as the free Password Safe and PwdHash utilities can still provide help. But to combat ever-adapting phishers, your best protection remains...you.

Microsoft Ponders Ruby Language

Microsoft is "very interested" in the Ruby programming language and also plans to expand its Expression design tools line, a Microsoft official said this week.

During an Internet chat with InfoWorld, Forest Key, Microsoft director of Web and client user experience marketing for the company's developer division, acknowledged Ruby is on the company's radar screen. Asked if the company would accommodate the Ruby on Rails Web framework, which is based on Ruby, in Expression, Key said, "Ruby is currently more of a 'developer' concept for us."

"We are very interested in Ruby and have lots of thinking going on," but nothing to announce at this time, Key said. He advised chatters to "stay tuned."

Key added he was not the Microsoft person to comment in detail on this subject because he did not know the company's plans. One chatter expressed wishes for an IDE for Ruby on Rails from Microsoft.

SapphireSteel, meanwhile, has shipped Ruby in Steel Developer , a Ruby environment for Visual Studio.

Commenting on the future of the new Expression line, Key said the company was "just getting started with V1 (version 1) of the Expression Studio," which includes the suite of Expression tools.

One area targeted for expansion is interaction design, which pertains to designing the actual interaction or structure of an experience rather than just designing the onscreen pieces. A goal is to better tie Visio , the company's diagram drawing software used by many interaction designers, to Expression and the company's Visual Studio software development platform.

While Expression is for application designers and Visual Studio is geared toward the coding side of software development, Key said some features of Expression would turn up in Visual Studio. Software developers would want to use Expression, he said.

The planned "Orcas" version of Visual Studio, for example, includes the same design surface for Cascading Style Sheets rendering as the Expression Web product, Key said. Orcas also has XAML capabilities, which are featured in the Expression Blend product.

"There are some features that are only in Expression and vice versa, but we are really focused on giving all features to both audiences, just doing it in a role-specific way where everyone can be more comfortable and successful with the solution they are using," Key said.

Microsoft believes in collaboration between designers and developers to build user experience-based applications and content, Key said.

"If by Web 2.0 we are talking about great experiences that combine Web technologies, social computing components, services, the browser and components of the desktop such as richer graphics an integration with local data, etc, then you could say Expression is all about Web 2.0," Key said.

Microsoft also plans more community-accessible content for both XAML and the Expression tools. Key said.

JotSpot Users Give Google Mixed Reviews

Almost four months after Google Inc. acquired JotSpot, business users and commercial developers of this hosted wiki service give mixed accounts of life as Google customers.

Some report technical improvements in their wikis, while others complain about serious Web site availability problems. Most are eager to find out what Google plans to do with JotSpot, because they have a lot riding on that decision.

"As customers, we've gotten very little feedback about product strategy and direction for JotSpot. That's concerning right now," said James Brennan, president of Mandalan Media Inc., in Culver City, California.

Google declined to answer questions for this story but provided via e-mail a statement saying that while it would make sense to integrate JotSpot into current products, "we have no plans to share just yet." The JotSpot team is focused on moving the service to the Google infrastructure "to take advantage of greater reliability and scalability" and eager to provide customers with updates about JotSpot "as soon as possible," the statement reads.

Google acquired JotSpot in October of last year, saying that the wiki technology was "a strong fit" with the Google Groups discussion forum and with the Google Apps suite of hosted communication and collaboration applications. Wikis, which are Web sites that multiple users can edit, have become popular collaboration tools in workplaces. JotSpot, founded in 2004, allows people to design wikis with visual tools, without needing programming knowledge. JotSpot wikis can have multiple applications and components in them, such as spreadsheets, calendars, documents and photo galleries.

At the time of the acquisition, JotSpot had an installed base of thousands of businesses, including Mandalan Media, which built its commercial video sharing site Strmz.com on the JotSpot platform and launched it in early 2006. Since the Google acquisition, the site suffers about two hours of downtime per week. Because of this months-long situation the company is considering migrating the site to another platform, said Brennan, who otherwise raves about JotSpot, calling it a "phenomenal" product.

Strmz.com, which gets anywhere between 5,000 and 20,000 visitors per day, generates revenue from advertising, so if it's unavailable, Mandalan loses money. Mandalan generates about 10 percent of its total revenue from Strmz.com. Its other JotSpot wikis, which get much less traffic and are used for its interactive media consulting and producing business, haven't suffered performance problems.

Payscroll.com, a startup developing a yet unreleased career and job-related Web site, actually has seen a performance improvement in its JotSpot wiki since the Google acquisition, said Alfred Toh, the company's co-founder. Payscroll adopted JotSpot in October 2006 and has about 5 users on it, mostly for internal work. "Before, page loading could be slow, but right now it's great," Toh said.

Toh is also happy with Google's decision to make the service free for all users and put everyone on the same level of service, which for him meant an upgrade. Now, he is allowed to have an unlimited number of JotSpot pages as well as unlimited storage and applications. "That's one of the best things that's come across so far," Toh said.

However, others feel this has removed their leverage as paying customers.

"I'm not really comfortable using a free service as a key element of our business, because the vendor has basically no obligation to us," said Stephen Bronstein, chief operating officer of IODA Alliance, a San Francisco provider of distribution and marketing services to independent musicians and a JotSpot user since 2004.

In the weeks following the acquisition, IODA's JotSpot wikis had significant performance and availability problems. Those problems got resolved, but Bronstein remains conflicted. JotSpot technology is "hugely important" to the company, where all 60 employees use it. "When we were paying them, they were obligated to provide a certain level of support," he said.

Jay Dempsey, marketing director at Heritage's Dairy Stores, in Thoroughfare, New Jersey, is happy with recent improvements to JotSpot but wonders what Google is planning for the future. After about 2 years of use, about 20 employees are on JotSpot, out of a staff of 550. JotSpot has worked very well, and Dempsey wants to expand its use significantly.

"Ultimately, what I want to do is use JotSpot for the stores to do more of an information exchange, to be able to access various pieces of information they need" and cut down on endless, circular e-mail threads, he said.

Microsoft Office 2003 Apps Hit with New Crash Bugs

Microsoft Corp.'s Word 2003 and Excel 2003 can be crashed by attackers who feed the business applications malformed documents, Symantec Corp. reported Monday.

In separate alerts sent to subscribers of its DeepSight threat system, Symantec warned that the bugs -- both discovered and disclosed by a Russian researcher with the moniker "sehato" -- could be exploited by attackers to bring down the Office applications.

Microsoft did not immediately respond to an e-mail request for confirmation and comment.

"A remote attacker may exploit this vulnerability by presenting a malicious WMF file to a victim user," said Symantec's report on the Office 2003 flaw. "The issue is triggered when the application is used to insert the malicious file into a document."

Specially crafted WMF (Windows Metafile) image files were the root of a major attack in late 2005 and early 2006 that was launched from hundreds of malicious Web sites and compromised thousands of PCs. This bug seems to be different from the 2005/2006 vulnerability.

The Excel flaw can be leveraged by a malformed spreadsheet file rather than a WMF image, Symantec added.

Attacks using either vulnerability require users to download malicious files from a Web site or open them when they arrive as e-mailed file attachments.

Also at risk, said Symantec, is XP's and Server 2003's Windows Explorer, the operating system's file interface. Explorer will crash when attempting to open a malformed WMF image, said the Cupertino, Calif.-based company. Sehato divulged this third bug as well.

Problems with Microsoft's Office software have been endemic since early 2006, and there are no signs that hackers and researchers have emptied its well of vulnerabilities. During 2006, for example, Microsoft issued 13 security updates for Office 2000 and 11 for Office 2003. In the first two months of 2007, it released four bulletins for Office 2000 and six for Office 2003.

And last week, eEye Digital Security announced that its researchers had uncovered the first known Office 2007 flaw.

HP Launches Small Business Storage Products

Competing with Dell Inc. for small business users who needs to back up their data, Hewlett-Packard Co. launched a low-priced, disk-based backup and recovery system on Monday.

The HP StorageWorks D2D Backup System will automatically save the data from as many as four servers, with total capacity of either 750G bytes or 1.5T bytes. Users can restore lost files within minutes, compared to a process of several hours for a tape-based system, HP said.

Most users say that tape-based systems are the most cost-effective method of backing up data, but as new accounting laws demand greater storage regulations, that could soon change, said Adam Thew, marketing director for HP's StorageWorks division.

Compared to connecting a direct-attached tape storage device to every server in a business, HP's new disk-to-disk product can reduce the cost of ownership and chance of human error, Thew said during a webcast Monday. The D2D system is designed for small business owners with little IT management experience, offering a simple setup wizard interface, Web-based monitoring, and standard Ethernet cables with iSCSI (Internet Small Computer Systems Interface).

Still, HP says tape-based storage is important for a complete backup system. "D2D will not replace tapes entirely. We do recommend that customers keep a single tape-based system offsite for disaster recovery," Thew said.

Dell and its partner EMC Corp. launched a similar backup system on Feb. 20, offering the disk-based CX3-10 SAN (storage area network) array for small and medium businesses. Like HP, Dell says its system works best in concert with tape-based storage, and also launched two new products in its tape library line, the PowerVault TL2000 and PowerVault TL4000.

Dell's systems are intended for buyers with larger storage needs and hardware budgets than HP's, with the CX3-10 starting at US$22,000 and the PowerVault libraries starting at 9,300.

HP sells the D2D110 model with 750G bytes useable storage capacity for $1,999, and the D2D120 model with 1.5T bytes for $2,999. HP charges $1,000 more to bundle its Data Protector Express software with the products.

Sony Intros New Cyber-Shot Digital Cameras

Sony introduced new Cyber-Shot digital point-and-shoot cameras on Tuesday. The new cameras are expected to hit store shelves in March, April and May for prices between US$300 to $500 depending on features. Look for them soon at Sony's Web site .

The new DSC-T100 camera features a 5x optical zoom lens and 2.5 inch LCD display, and comes in pink, white, black and silver colors. The DSC-T20 sports a 3x optical zoom and 2.5-inch LCD. Both cameras are 8 megapixel models. The T100 will be released in March and the T20 in April for $400 and $330 respectively.

Both cameras feature high-definition video output; they're compatible with Sony's VMC-MHC1 HD component video cable, and they can also be connected via a Cyber-Shot Station dock. HD video output is standard across the new cameras Sony unveiled on Tuesday.

Also new are the 8-megapixel DSC-H9 and DSC-H7 models, coming in April for $480 and $00, respectively. Both cameras sport 15x optical zoom lenses and face detection technology that adjusts focus, white balance, flash and exposure. They also can shoot at up to 1/4000th of a second. The cameras feature "Super Steady Shot" optical image stabilization. The H9 includes a 3-inch flip up LCD display, while the H7 has a non-articulating 2.5-inch LCD.

The DSC-W200 is a 12-megapixel camera; it's joined by the DSC-W90 (an 8-megapixel model) and the DSC-W80 (7.2 megapixel). All feature 3x optical zoom lenses, eye-level viewfinders and 2.5-inch LCD displays. The silver W200 ships in May for $400; the W90 in March for $300, in black and silver. The W80 is coming in March for $250, and comes in pink, white, black or silver.

The cameras sport a built-in slideshow function, and can play back images with pans, fades and wipe transitions set to music. A new nine-point autofocus system has been incorporated, along with optical image stabilization and noise reduction technology that reduces noise at high ISO settings (up to 3200).

In related news, Sony has also introduced two new portable photo printers that use dye-sublimation technology: The DPP-FP90 and DPP-FP70. The DPP-FP90 has a 3.6-inch LCD screen, while the DPP-FP70 has a 2.5-inch viewscreen. Both printers feature an "Auto Touchup" feature that corrects exposure, focus and red-eye. They can incorporate pre-set phrases like "Happy Birthday," "Thank You" and "Congratulations," and you can customize the color and placement of the superimposed text.

Both printers also feature new filter effects, including cross filtering, partial color filters, paint filters and more. The cameras are PictBridge compatible but offer optimized performance for CyberShot and Sony's Alpha DSLR camera models.

The DPP-FP90 and DPP-FP70 are coming in March for $200 and $150 respectively. New 4x6 inch print packs for the printers are also coming in quantities of 40, 80 and 120 sheets for $20, $30 and $35 respectively.

Parallels Updates Windows Virtualization for Macs

Parallels Inc. Tuesday updated its flagship virtual machine software for running Windows on Intel-based Macs so that it now lets users fire up Windows applications without having to look at Microsoft Corp.'s operating system.

The newest edition, Parallels Desktop for Mac Release Candidate 3, adds a feature dubbed "Coherence" that runs Windows XP or Vista applications directly on the Mac OS X desktop.

Under Coherence, individual Windows applications show up as windows on the Macintosh desktop and can be docked just like any Mac app, according to information from Parallels. "Use Windows and Mac applications on your home OS X desktop at the same time ... [with] no moving between OSes," Parallels says on its Web site. Typically, users must switch between the host operating system and a guest OS in a virtual environment, in effect leaving one system's interface for the other. Coherence skips that part of the process.

Other changes to the software -- which has been in beta testing since last summer -- include drag-and-drop file transfer and copying between Mac and Windows virtual machines, support for USB 2.0, and an updated Transporter. The latter lets Windows users move the entire contents of an existing real PC to a Parallels virtual machine. Transporter can also convert VMware and Microsoft Virtual PC virtual machines to ones that run on Parallels.

The update, Build 3170, can be downloaded from the Renton, Wash., company's Web site. Parallels Desktop for Mac is priced at US$79.99; a 15-day free-trial product key can also be requested.

With Microsoft out of the Mac virtualization picture -- it announced last year that it would not update Virtual PC for Apple Inc.'s Intel-based Macs -- Parallels' prime competition is VMware Inc., which has software called Fusion in beta testing.

Take Action: Julie Amero Porn Case

If you're not familiar with Julie Amero's legal problems, you can catch up by reading "Teacher Faces Prison for Pop-Up Infested PC."

This week I have more for you on the case.

I've been privy to conversations with a dozen high-level security experts, forensic examiners, and a top-notch attorney.

Unfortunately, there's lots I can't repeat. What I can say is the consensus is that Amero is getting a bad rap. For a sample of what intelligent, tech-savvy folks are saying, I've got two excellent articles for you. The first is Randy Abrams's "Can a Legal System Unversed in Technology Result in a Fair Trial?" Next is Mark Rasch's "Mouse-Trapped."

After my Amero column posted, many of you asked how you could help. You've got plenty of options, but first I thought I'd share some interesting e-mails I've gotten.

A Juror Speaks Out
One of the jurors in the case sent me an e-mail explaining why he thinks Amero is guilty. The juror said he subscribed to my newsletter, then proceeded to talk about his rationale. He asked me not to reveal his name, but I've verified that he was on the jury that convicted Amero.

Here's what he wrote in his e-mail to me. I've lightly edited it to remove a few typos and make it a little easier to read. (I've inserted my comments in brackets):


I was on the jury and yes we did find her guilty.


But everything seems to be misquoted by the papers and reporters involved. The bottom line was that it didn't make a difference how the porn sites showed up on the computer.

According to the trial transcript, Amero testified that she made every attempt to keep the children from seeing the images. In fact, a number of children testified that she had attempted to block them from seeing the screen. Also, another substitute teacher testified that Julie had asked for help in the teachers lounge.


The fact that a teacher in a public school system did absolutely nothing to keep it away from the children is what was wrong. Yes, we were told that she was given no permissions to turn off the computer. She also said she was not allowed to use any other school equipment.


If a 40-year-old school teacher does not have the sense to turn off or is not smart enough to figure it out, would you or any other person wanting her teaching your child or grandchild?

At the trial Amero testified that she didn't, in fact, know how to turn a computer on or off.


If you and your wife were watching an xxx rated movie that you put into the dvd player, you powered it up and you hit play, then went into the other room for a snack and your child or grandchild entered the room would you expect your wife to stop the dvd or just let it play because she didn't start it. No you would be upset as all get out.


Even giving Julie the benefit of doubt, not knowing enough about a computer to be able to turn it off. Some paper and tape would have covered the screen or a coat or sweater. It was October after all.


Finally she was pronounced guilty because she made no effort to hide or stop the porno, not just because she loaded the porno onto the machine. Going to the history pages it was obvious that the pages were clicked on they were not the result of pop-ups.

Actually, the defense expert at the trial testified that the sites visited were from pop-ups.


Each web page visited showed where links were clicked on and followed to other pages. Pop ups go to sites without change lnk colors, as in used links.

That's incorrect. Pop-ups show as a changed type color, just like a normal site visit.

Personal note to the juror: I made a mistake using your partial e-mail address in my blog, even though you said it was okay to do so. I should have advised you not to do it--or ignored your permission--and just used "anonymous." As a result, many people found out who you are and you've received "over 250 e-mails most of them telling [you] how bad, stupid, or evil" you are. I don't think you are any of these. (I don't agree with your decision as a juror. Despite that, or perhaps in spite of it, I have to respect the judicial system.)

Either way, I owe you a tremendous apology for exposing you to the uncivil and contemptuous e-mail you received. --Steve

Norwich Detective Weighs In
As if that weren't enough, I also heard from Detective Mark Lounsbury, the crime prevention officer with the Norwich Police Department. Here's his e-mail, exactly as I received it.


Dear Mr. Bass, Unfortunately the truth in this matter is yet to be told to all those who were not located in the courtroom during the trial. Those in the courtroom saw and heard the truth. Once sentencing is done the truth CAN BE presented to the world IF they want it. I'm thinking the world doesn't want to hear the truth. IGNORANCE IS BLISS. The lies are exciting, bringing up STRONG emotions. OMG, that poor person, victimized by the Evil Government and its minions.


It continues to amaze me how people can base their opinion on what is fed to them. Did anyone ask the Expert for the evidence he recovered which would support his claims? The "curlyhairstye script", those pornographic googlesyndication.com generated pop ups? BUNK also known as errors of commission. Would you like to know the truth? Once sentencing is over I'd be more than happy to let you see the source code, scripts, etc.


I've received allot of calls and emails regarding this. All from people interested only in TELLING me their opinions or TELLING me they're going to get me. Not once has anyone called or written me to ASK me a question. They apparently have what they want. I work hard every day for the victims of crime. I search for the truth not for me but for them. If what the newspaper reported about my testimony was my actual testimony, taken in context, don't you think there would have been some consequences, a rebuttal, something.


Feel free to write if you wish.


Mark Lounsbury

I had tons of questions and fired them back in an e-mail. Unfortunately, this was his response:


Dear Mr. Bass, Once the sentencing phase for this case is done I can answer all your questions. I have all the information you seek. My opinion is not important but I am fleshing out a theory concerning site blocking software which was in place and how to circumvent it. I can provide you w/ the source code showing all the .htm and javascripting for each web page, images from those pages, date/time of creation, MD5 hashes, etc. I will contact you after sentencing. Thank you,


Mark Lounsbury

How You Can Help
You can check the Julie Amero blog and consider helping by way of the Julie Amero Defense Fund, which is linked to the site.

You can also use the power of e-mail. The State's Attorney responsible for supervision of David Smith, the prosecutor in the Amero case, is Michael L. Regan (at michael.l.regan@po.state.ct.us). You might want to write to him and strongly urge that he help Smith file a motion to vacate the conviction. An e-mail to the Chief State's Attorneys of Connecticut Kevin T. Kane (at conndcj@po.state.ct.us) and Connecticut Governor M. Jodi Rell (at Governor.Rell@po.state.ct.us) can't hurt, either.

If you write, try not to go on a rant. I know it's tempting, but if you use your computing expertise--and a civil argument--you'll likely get better results.

Security Vendors Lagging on Vista Support

Windows Vista's revamped security features are posing difficulties for some IT security vendors looking to make their software work on the new operating system.

Although leading security vendors such as Symantec Corp., McAfee Inc. and Trend Micro Inc. have released updates or patches to make some or all of their products Vista-compatible, many others remain deeply entrenched in testing Vista versions of their tools.

Despite numerous complaints from gamers about poor performance on Vista, most applications written for Windows XP run on the new client OS out of the box, with only a few major exceptions, according to Brett Waldman, an analyst at Framingham, Mass.-based IDC.

But not so for security software. Many of the biggest changes made by Microsoft as part of Vista are in areas such as installation and security, including the operating system's user account control, resource protection and protected-mode features. Those changes are more likely to inhibit or cripple security software brought over to Vista than other types of applications.

"It's like they've changed all of the plumbing to make Vista more secure," said Scott Matsumoto, principal architect at Dulles, Va.-based software consultancy Cigital Inc.

Moreover, Microsoft acknowledges that available workarounds -- such as Vista's compatibility mode, which emulates XP and other older versions of Windows so users can run non-Vista-ready applications -- don't work well with software that interacts deeply with the operating system, as antivirus tools and other security programs do.

Further complicating the situation was a tussle last fall over a new security management console for Vista that security vendors complained would affect the performance of their products. Microsoft eventually agreed to release application programming interfaces that enable other vendors to disable the built-in console.

In addition, security vendors say that porting their products to a new operating system is inherently more time-consuming than moving over other applications is.

"You have to be more careful than with a productivity app," said John Dasher, director of product management at encryption tools vendor PGP Corp. "If something goes awry, people can lose data."

Palo Alto, Calif.-based PGP is blocking its users from even installing non-Vista-ready versions of its software on the new OS. The company released a Vista-compatible beta of its PGP Desktop 9.6 software two weeks ago, but Dasher declined to predict when the final version would be ready.

All of the factors facing security vendors are adding up to more development work for companies such as Check Point Software Technologies Ltd., maker of the popular ZoneAlarm firewall.

"Because Vista is such a major overhaul to the Windows operating system, Check Point is busy in development efforts to ensure that new Vista-compatible versions of ZoneAlarm will live up to high standards of protection," said a spokeswoman for the company, which is based in Ramat Gan, Israel, and has its U.S. headquarters in Redwood City, Calif.

Check Point expects to release a Vista-compatible update in a few months, the spokeswoman said. But, she added, some of the features in the new version may differ from Check Point's current release "due to the different needs and functionality" in Vista.

F-Secure Corp. expects to release a Vista version of its flagship Anti-Virus 2007 software in May. Par Andler, a spokesman at Helsinki, Finland-based F-Secure, said the product is arriving later than Vista itself did because the company wants to make sure it gets enough customer feedback on a beta version of the antivirus tool.

"As the volume of Vista installations worldwide has been very low so far, it has been difficult for any vendor to ensure a high enough volume of external technology-review testers," Andler said. He added that F-Secure thinks it can complete a sufficient level of testing during the spring.

Even top vendors like Symantec are admitting to some difficulties. Symantec has ported its most popular products, including Norton AntiVirus and Norton Internet Security, to Vista. On Tuesday, the company also released a new bundle called Norton 360 that combines its security and data backup tools and runs on both Vista and Windows XP.

But it still has about 10 products that remain unready for use with Vista, including its Norton SystemWorks and Personal Firewall tools.

"We intend to have our entire list logo-certified" for Vista, said Lily De Los Rios, vice president of product delivery at Symantec, although she wouldn't specify when she expects to achieve that. She added that some of Symantec's products haven't been adapted or certified for Vista yet because the certification requirements "are relatively new, and the interpretation still can be somewhat unclear."

Perhaps the most Vista-compliant security vendor at this point is Trend Micro. The latest versions of its AntiVirus, Client Server Security Agent and PC-cillin Internet Security products not only work on Vista but have been certified as such by Microsoft. No other leading security vendor has received Microsoft's "Certified for Windows Vista" designation for any products thus far.

Security products that have been awarded the lesser "Works with Windows Vista" designation include Absolute Software Corp.'s Computrace laptop recovery tool, Avast Antivirus from Alwil Software A/S and Radialpoint Inc.'s Security Services, Security Cleanup and Servicepoint Agent technologies.

Gregg Keizer contributed to this story.

Dell, Lenovo Sell Windows-free Laptops

Two leading hardware vendors, Dell and Lenovo, are quietly selling laptops without preloaded Microsoft Windows to Linux customers who know where to look, says Lincoln Durey, CEO of EmperorLinux, an Atlanta reseller that customizes, installs and supports Linux on the major-brand laptops it sells.

Durey says that "basically all of the Latitudes" are now available without an OS. EmperorLinux sells Dell's D420, D520, D620, D820, D620ATG, and M90 with Linux. Of those models, only the ruggedized D620ATG and the M90, which is part of the Precision series, require the customer to buy preloaded Microsoft Windows, he says.

Dell has been smoothing out the ordering process for the Windows-free laptops since introducing the option about around three weeks ago, Durey says. "There were some ordering hiccups. They would call back and say we can't do that, and you would say, you can do it," he says. EmperorLinux's two most popular Dell laptops are the D820, available without a Microsoft license, and the M90, which is not.

Customers aren't saving money by passing up the OS license, though. "The Dell price is identical. Windows or nothing, it is exactly the same to the penny," Durey says. "I've actually seen one-time discounts on the Windows side that are not reflected on the Linux side for a week, so you could end up getting the Windows ones cheaper," he adds.

Lenovo, however, passes on a savings of about US$40 to customers who order ThinkPads without the Microsoft license, Durey says. Currently EmperorLinux sells some T Series ThinkPad models without the Microsoft license, but Durey says he has not yet been able to order an X series ThinkPad except with the license.

"The nice thing about not having the OS license is that it will lower the total cost of the solution," says Randy Hickel, Lenovo's Americas' sector leader.

ThinkPads without a preinstalled OS are not available through Lenovo's Web site, Hickel says. Customers who want a ThinkPad without the OS license have to order from EmperorLinux or one of Lenovo's distributors. "We've got a number of distributors who have the ability to ship our laptops without an operating system ," Hickel says. "But places like CDW are not going to have them."

Lenovo began offering Novell's SUSE Linux Enterprise Desktop on one ThinkPad model last fall, but the no-OS offering extends to more models, including the coveted X series, Hickel says. "We do have the ability to ship the X series without a preloaded OS. It's just a matter of us creating what we call a special configuration," Hickel says.

Durey says that tracking down and ordering the special configuration can be tricky, because Lenovo originally intended them for large companies that need electrical-engineering workstations. "Their goal in doing this was big huge manufacturers who used CAD software came to them," he says. "You can't get online, you really need to have this particular part number and go to somebody who's going to have them," he says. "We were introduced to them by Lenovo as part of our partner relationship."

But whether or not a customer can save money by not paying for an unused OS license, some just want to make a point. "We have a reasonable number of customers who are saying, yes, for the moral victory, let us get one," Durey says.

War of Words Erupts Between HP Scandal Players

The attorney for ousted Hewlett-Packard Co. chairman Patricia Dunn fired back Wednesday at public comments made by board rival Thomas Perkins about the HP pretexting scandal.

"Mr. Perkins...has made the biggest mistake of his career. He is a bully, and he is bullying the wrong people," wrote James Brosnahan, attorney for Dunn, in a statement in response to what Brosnahan called a "gratuitous attack" on his client in a speech Perkins gave Tuesday in San Francisco.

In an appearance at the VentureOne Outlook Conference, a gathering of venture capitalists, Perkins said the HP dispute about how to control leaks of board deliberations to the media was really a fight for control of the board, which Dunn won, according to media reports of his speech.

Perkins also lamented that many corporate boards, including HP's, have turned from being "guidance" boards into "compliance" boards. Rather than advising the company on how to run its business as a "guidance" style director, "compliance" directors are increasingly focused on maintaining compliance with U.S. Securities and Exchange Commission regulations governing publicly traded companies. He described Dunn as a compliance style director, according to the reports.

Dunn was indicted in October 2006 on four felony counts in California state court for authorizing an investigation into HP board member leaks to the media. Investigators hired by HP allegedly used false pretenses, or "pretexting," to get phone companies to divulge calling records for people they were investigating. A former legal counsel for HP and two private detectives hired by HP are also facing trial.

The scandal broke in September 2006 because Perkins demanded the company publicly state, in an SEC filing, why he quit the board four months earlier.

Because the state case is still awaiting trial, Dunn can't directly respond to Perkins' remarks, but her attorney had plenty to say.

"Mr. Perkins generated an attack on Patricia Dunn, hired lawyers, hired a public relations firm and all because his colleague on the Hewlett-Packard board [Jay Keyworth] was found to be leaking information. Now he is attempting to further prejudice the public against Patricia Dunn," Brosnahan wrote.

Perkins quit the board when Keyworth was outed as the director who leaked information to the media.

In his statement, Brosnahan said Perkins is likely to be called as a witness in Dunn's trial. He also accused Perkins of publicly criticizing Dunn to draw attention to Perkins' soon-to-be-published book, which is expected to touch on the pretexting scandal.

A call to Perkins' office was not immediately returned.