Week in review: Cracking codes

Windows users who use only letters and numbers as passwords now have more to worry about, say researchers who dramatically reduced the time required to crack the passwords.

Steven Musil
Windows users who use only letters and numbers as passwords now have more to worry about, according to researchers who have dramatically reduced the time required to crack the passwords.

Swiss researchers outlined a way to speed the cracking of alphanumeric Windows passwords, reducing the time to break such codes to an average of 13.6 seconds, from 1 minute 41 seconds. The method involves using large lookup tables to match encoded passwords to the original text entered by a person, thus speeding the calculations required to break the codes.

Called a time-memory trade-off, the method means that an attacker with an abundance of computer memory can reduce the time it takes to break a secret code. The results highlight a fact about which many security researchers have worried: Microsoft's manner for encoding passwords has certain weaknesses that make such techniques particularly effective, the researchers said.
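The trade-off described above can be seen at toy scale in the following added example, which is not code from the article or from the researchers. It uses unsalted SHA-256 as a stand-in (not the Windows algorithm) over a constructed 3-character keyspace, and adds a salted PBKDF2 hash for contrast, since a precomputed table only ever matches the exact unsalted function it was built for. All function and constant names are illustrative assumptions.

```python
import hashlib

# Constructed toy keyspace: every 3-character lowercase alphanumeric password.
ALPHABET = "abcdefghijklmnopqrstuvwxyz0123456789"
LENGTH = 3
SPACE = len(ALPHABET) ** LENGTH
CHAIN_LEN = 50  # chain length: larger means less memory, more time per lookup

def unsalted_hash(pw):
    # Stand-in for an unsalted password hash; not the Windows algorithm.
    return hashlib.sha256(pw.encode()).digest()
def salted_hash(pw, salt):
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 10_000)

def index_to_pw(n):
    return "".join(ALPHABET[(n // len(ALPHABET) ** i) % len(ALPHABET)] for i in range(LENGTH))

def reduce_to_pw(digest, step):
    # Map a digest back into the keyspace; varying by step limits chain merges.
    return index_to_pw((int.from_bytes(digest[:8], "big") + step) % SPACE)

def build_table(starts):
    # Memory side: store only each chain's endpoint and start, not every pair.
    table = {}
    for start in starts:
        pw = start
        for step in range(CHAIN_LEN):
            pw = reduce_to_pw(unsalted_hash(pw), step)
        table.setdefault(pw, []).append(start)
    return table

def lookup(table, target):
    # Time side: guess the target's position, walk to an endpoint, then replay.
    for pos in range(CHAIN_LEN - 1, -1, -1):
        pw = reduce_to_pw(target, pos)
        for step in range(pos + 1, CHAIN_LEN):
            pw = reduce_to_pw(unsalted_hash(pw), step)
        for start in table.get(pw, []):  # may be a false alarm; replay verifies
            cand = start
            for step in range(CHAIN_LEN):
                if unsalted_hash(cand) == target:
                    return cand
                cand = reduce_to_pw(unsalted_hash(cand), step)
    return None

if __name__ == "__main__":
    table = build_table(index_to_pw(i) for i in range(0, SPACE, 40))
    print(len(table), "chains stored for a keyspace of", SPACE)
    print(lookup(table, unsalted_hash("aaa")), lookup(table, salted_hash("aaa", b"constructed-salt")))
```

The table holds roughly one entry per 40 passwords, and each lookup pays for that saving by recomputing chains; the salted digest of the same password finds no match in it.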

Most Windows PCs are also susceptible to an unusually widespread "critical" flaw, Microsoft revealed. The flaw involves DirectX, a library of graphics and multimedia programming instructions used by most PC games, and could allow malicious users to run code of their choice on a vulnerable PC.

The flaw affects all versions of DirectX from version 5.2 to the current 9.0a running on all versions of the Microsoft operating system from Windows 98 through the new Windows Server 2003. The flaw allows a malformed MIDI file to overrun the buffer in DirectX, at which point extra software embedded in the file could be executed.

No Linux love lost
SCO Group, a company that says Linux infringes on its Unix intellectual property, announced that it has been granted key Unix copyrights and will start a program to let companies that run Linux avoid litigation by paying licensing fees. The company said it plans to offer licenses that will support run-time, binary use of Linux to all companies that use Linux kernel versions 2.4 and later.

SCO sparked a major controversy in the Linux world in March, when it sued IBM, saying the company had incorporated SCO's Unix code into Linux and seeking $1 billion in damages. In May, SCO Group sent about 1,500 large companies letters alleging that Linux illegally includes Unix intellectual property SCO owns. SCO went a step further Monday, saying companies could avoid potential legal action by paying a licensing fee.

However, one important section of the Linux market, large companies, so far doesn't seem fazed by SCO's warnings that Linux violates its Unix intellectual property. A new survey shows that large companies are increasingly using Linux for their Web sites. Web servers, typically lower-end machines that are used to dish up large numbers of Web pages, are a well-established market for Linux.

In the last two months, Linux had a net gain of 100 places among 24,000 Web sites run by 1,500 large companies across the globe, Netcraft said. Companies that have switched to Linux include Charles Schwab, Royal Sun Alliance, Deutsche Bank, SunGard and T-Online.

For companies that do have legal concerns, Microsoft is rolling out a new sales pitch for Linux users: Buy our software and stay out of court. The company has expanded the indemnity provisions that go with its software licensing agreements to remove a perennial sticking point in sales negotiations: who picks up the tab if a Microsoft customer gets sued because of Microsoft's products.

In older contracts, Microsoft agreed to pay all legal fees for volume license customers who got sued because of Microsoft, but only up to the value of the software they bought. The new provision removes the liability cap in intellectual property suits. But in real-world terms, the changes won't likely dent Microsoft's legal budget; the indemnity provision rarely comes into play.

Helping handhelds
Handheld makers introduced two new devices to the market in hopes of jump-starting the slumping sector.

Palm led off by launching its newest Tungsten handheld targeted at businesses, the Tungsten T2. The T2 comes with 32MB of memory, twice that of its predecessor, the Tungsten T. It also includes a new "transflective" display, which is the same size and resolution as that of the Tungsten T, at 320 pixels by 320 pixels, but Palm says it is more easily viewed both indoors and outdoors.

Garmin began shipping its first PDA with global positioning system (GPS) technology. The device is the first PDA to come with GPS capabilities--it features a flip-up antenna and Garmin navigation software--combined with organizer functions. PDA manufacturers have been trying to add new kinds of features, from wireless to multimedia capabilities, as they look to revive what was once one of the most promising product categories in the technology industry.

It's hoped that the new products can turn around a sluggish market, in which worldwide shipments of handhelds declined 10.7 percent to 2.27 million units in the second quarter compared with the same period a year ago. The decline was attributed to sluggish demand from business buyers and consumers.

Also of note
In an unprecedented campaign urging people not to copy movies, the Motion Picture Association of America is launching a series of TV ads and movie trailers as well as a Web site warning of the dangers of violating copyright laws... Some universities are balking at stepped-up demands from the recording industry to unmask alleged student file swappers, citing procedural uncertainties over an avalanche of subpoenas filed with the courts in recent weeks... Some question whether Google's commercial search business will help AOL out of its hole as quickly as Overture rescued Yahoo and MSN.