Week in review: Security blame game

Though much of the finger-pointing for software vulnerabilities falls on hackers, virus writers and software developers, it may be time to take a closer look at how the PC user also contributes.

Steven Musil Night Editor / News

A treasure trove of personal and corporate information was uncovered on used disk drives by two Massachusetts Institute of Technology graduate students. The pair bought 158 disk drives for less than $1,000 on the Web and at swap meets. On those drives, they found more than 5,000 credit card numbers, medical reports, detailed personal and corporate financial information, and several gigabytes worth of personal e-mail and pornography.

The students found that 129 of the 158 drives they acquired were still functional. Of these, they found 28 drives in which little or no attempt was made to erase the information. On one drive, the pair found a year's worth of financial transactions. The drive apparently came from an ATM in Illinois.

Arguably, Internet security is the greatest concern for consumers. A group of security experts compiled a list of site flaws that it believes are the primary culprits in undermining the security of online applications. The list is intended to help developers and corporate security administrators close the holes that allow attackers into many companies.

Web sites that send information to other applications, such as a database or e-commerce server, inside the company's network should be analyzed for the 10 security problems as soon as possible, according to the report. The top vulnerability: Sites that don't validate information before sending it to another server. Attackers can use such a flaw to send malicious code designed to compromise back-end applications through the Web server.

CNET special focus: A year ago, Microsoft Chairman Bill Gates sent a memo designed to rally Microsoft employees into making the company's products more "trustworthy." The company has spent millions to train staff in privacy concerns and secure programming, while building new tools and processes to help create reliable software.

But critics--and Microsoft's own executives--said much more work remains. "A year after, the verdict is mixed," said one security expert.

That's an assessment Microsoft readily concedes. "We said that Trustworthy Computing is a 10-year project, sort of like (President) Kennedy sending people to the moon," said Microsoft's chief security strategist.

Microsoft surprises
With an eye toward alleviating some security concerns, Microsoft surprised many by announcing that it would share the closely guarded source code underlying its Windows operating system with several international governments. The company has signed deals or expects to do so shortly with 10 countries and organizations.

Under the program, governments will be able to see source code for Windows 2000, XP, Server 2003 and CE; use that code to build those versions of Windows; see Microsoft security documentation the company doesn't otherwise share; visit Microsoft's headquarters; speak with Microsoft developers; and perform their own tests on the code.

In an unexpected move, the software titan announced its first-ever annual dividend of 16 cents per share. The total payout will be $870.6 million, a fraction of its $40.5 billion cash reserves.

Analysts had been watching this quarter for signs of how Microsoft might better use its cash hoard. Microsoft's decision to pay out an annual dividend comes as Congress considers approving a White House proposal to end investor taxes on dividends.

Gates will rake in almost $100 million per year in potentially tax-free income from the company's newly instated stock dividend program. Based on Microsoft's latest proxy statement, Gates has about 621 million shares, or 11.6 percent of the company. That would give him a dividend bonanza of $99.48 million. CEO Steve Ballmer, with some 235 million shares, would get $37.68 million per year.

Case closed
Steve Case announced he would step down as chairman of AOL Time Warner in May, saying he wants to avoid "distractions" at a critical time for the company. Case will remain a member of the company's board.

"Given that some shareholders continue to focus their disappointment with the company's post-merger performance on me personally, I have concluded that we should take steps now to avoid the possibility of that effort hindering our ability to pull together as a team and focus fully on our businesses," Case said.

CEO Richard Parsons will assume a newly created position of chairman and CEO of AOL after a unanimous vote by the company's board of directors. The move cements Parsons' authority over the troubled media giant, giving him a dual executive role at a time when a wave of business scandals has heightened concerns that U.S. corporations have not done enough to ensure adequate boardroom checks and balances.

Parsons faces an enormous task in righting a company that has listed badly amid an advertising downturn that turned the once-touted growth engine of AOL into an anchor around its neck. Advertising revenue at the division has tanked, and subscriber sign-up rates have slipped, weighing heavily on successes at other parts of the company, such as the film studios.

In agreeing to step aside, Case admitted a rare defeat in an unpredictable career that carried him from computer start-up to the top of the media establishment. Sources close to the company have said the coup was led by shareholders upset by a 70 percent decline in the value of the company since the $106 billion merger was finalized in January 2001, as well as ongoing accounting scandals.

Case had become the focus of ire for many of these people as he is the last architect of the troubled merger between AOL and Time Warner to still hold a position in the company.

Ad nausea
The Gator online advertising network is testing a new paid search product that lets rivals poach each other's territory, in one of the Net's hottest new marketing venues. Search Scout triggers a pop-under window when Gator members search on a site such as Google and Yahoo. The window lists search results tied to keywords purchased through competing search services.

A small "info" tag on the results says they originate from "top search engines." During the test phase, Gator is using results from paid search kingpin Overture Services, Terra Lycos and FindWhat.com. Like previous products from Gator, Search Scout allows advertisers to reach members of the Gator network when they are visiting competitors' sites--a feature that has already drawn lawsuits in the context of banner and pop-up advertising.

Internet surfers appear to have a love-hate relationship with those pop-ads: Everyone claims to hate them, but somebody keeps reading. In a survey, 78 percent of respondents claimed they found pop-up ads "very annoying." In contrast, only 49 percent of participants applied the same rating to banner ads.

Yet pop-ups had click-through rates almost twice as high as those of banner ads, meaning they're probably going to stick around for a while. Indeed, Nielsen/NetRatings' online-advertising rating, AdRelevance, found that pop-up impressions jumped from 1.2 billion to 4.9 billion between January 2002 and September 2002.

When it comes to television ads, most would rather just skip them. A hidden feature on remote controls for TiVo digital video recorders lets viewers do just that. An "Easter egg"--industry jargon for a feature that is revealed when an unlikely series of keystrokes is entered--allows subscribers to make 30-second jumps in recorded programming.

The special sequence of key commands is being promoted on TiVo enthusiast Web sites, such as TiVo Community Forum. A TiVo representative said the company does not plan to remove the capability from the software's Linux-based code, nor does it plan to promote it as a feature.

Also of note
AOL Time Warner's Mozilla project is facing new questions about quality after Apple Computer's release of a browser based on rival open-source code...The U.S. Supreme Court ruled that Congress had the power to extend the duration of copyrights, a decision that dealt a grave blow to a growing movement against more expansive legal protections of artistic works...The majority of Americans will be able to file their taxes electronically at no cost as part of a program the Internal Revenue Service unveiled...Seven former Datek Online employees have agreed to pay $70 million in fines in one of the largest online trading fraud settlements ever...The U.S. government spent at least $2.9 billion in 2002 on information technology related to homeland security and is slated to spend at least that amount again this year...Broadband Internet use in U.S. homes surged 59 percent in 2002, fueled by consumer defections from slower dial-up connections.