Internet phones are becoming more and more attractive to hackers as the technology proliferates among home and business users. Several malicious attacks directed against Net phone networks have already resulted in millions of dollars in lost business. Hackers or angry employees with access to a corporate phone server can listen in on conversations by secretly setting up software that tracks voice packets, and Net phone tapping is much easier than wiretapping. Phone manufacturers and Internet security experts say the damage caused by Internet phone hacking has been low, while quantifying the extent of the damage is difficult because the technology is immature and many companies are reluctant to reveal problems; however, the general feeling is that Net phone exploitation will become more frequent and more serious as companies establish digital phone networks and integrate them with their data networks. "Voice over Internet phones are not in the spotlight of hackers yet, but in this voyeuristic world, if someone can listen in on people's conversations and get a thrill, they will," warns Avaya security consultant Joe Seanor. Beyond cheap thrills, hackers may eavesdrop on digital phone conversations to gather information that can be sold to rival companies. Measures hackers may take against digital phone networks include programs that seek holes in firewalls and disrupt phone traffic and counterfeit voice packets that can get past security programs. Vonage and other companies supply Internet calling services that are more difficult to hack into, but hackers could still infect an individual phone user's computer and eavesdrop on any emails and voice calls that go through the compromised system. Experts say firms can avert incidences of internal sabotage by installing encryption software and restricting code access to a select handful of employees or resort to "deep packet inspection" in case the first strategy fails.
Click Here to View Full Article
(Articles published within 7 days can be accessed free of charge on this site. After 7 days, a pay-per-article option is available. First-time visitors will need to register.)

The Defense Department is investing in projects that aim to harness artificial intelligence for the purpose of identifying signs of terrorist activity early enough to prevent terrorist incidents. AI research that focuses on counterterrorism was the topic of papers presented by teams of university researchers at last week's AI conference in San Jose: Although the viability of using AI to track down terrorists was demonstrated, the researchers agreed that the technology is in an early phase of development and needs more funding. NASA Ames Research Center software engineer Peter Jarvis remarked that government intelligence analysts are overwhelmed by a glut of information and that he and researchers at SRI International and the Palo Alto Research Center have developed a pattern recognition system that can spot unusual relationships in information. One research initiative involved giving computers access to multiple databases, some of which were full of useless data and others contained valuable clues for investigators. The system sifted through a massive collection of alerts and from it generated a cluster of connected data and then recommended that agents study a sequence of events pointing to a possible terrorist attack. Meanwhile, the University of Southern California's Institute for Creative Technologies has created a video game designed to train U.S. military commanders in planning missions by having them control digital soldiers that use AI to follow battlefield strategies. The progress of AI research as it applied to machines that can mimic the behavior or conversations of humans was demonstrated at the San Jose conference, but Bill Smart of Washington University in St. Louis reported that machine learning is "still [in] the early days."
Click Here to View Full Article

Essay-grading computers, such as Educational Testing Service's e-rater, are proliferating throughout the U.S. testing industry, though not all scholars welcome the transition, as the programs' emphasis on grammar, sentence structure, and coherence may overlook important elements, such as thought and originality. "When machines can provide a good summary of the Federalist Papers and a competent commentary on their style and cogency, I will then believe that they can replace competent human readers on important assignments," declares National Writing Board founder Will Fitzhugh. During e-rater's development, essays were subjected to a "natural language processing technology" that identifies sentence structure, grammar, and vocabulary strength, while Educational Testing Service executive Richard Swartz says the computer is also programmed to scan for elements typical of a solidly supported essay. Essays graded by people were analyzed for any indications that the computer could identify in order to refine the technology's judgmental qualities. The GMAT Web site claims that e-rater's and independent readers' evaluations are in sync about 87 percent to 94 percent of the time, on average. The computer's grade is compared with the judgment of a single human grader, and Swartz says a second human grader is brought in in cases where there is a more than one-point difference in scores. E-rater has been used in the GMAT since 1999 and is being considered for the Test of English as a Foreign Language and for the Graduate Record Examination. Testing experts believe computers will be grading essays in the SAT and ACT tests as well. Graduate Management Admission Council CEO David Wilson calls e-rater more accurate than human graders because it is "not subject to the variabilities of mankind," though he admits that the GMAT's adoption of e-rater was chiefly motivated by the technology's cost savings.
Click Here to View Full Article
(Access to this site is free; however, first-time visitors must register.)

Information Society Technologies' CATCH-2004 project established city information services and systems that can be accessed via a multimodal, multilingual, interactive interface. The project, which involved the participation of IBM France, several other European IBM technical units, Nokia, OTE, and the Olympic Committee, set up working prototype systems in the cities of Cologne, Athens, and Helsinki. The interface supports both direct and spoken-language interrogation, while a homogeneous architecture accommodates input from diverse client devices; the Web databases linked to the architecture feature voice-enabled access. The system boasts built-in ViaVoice-based voice and language recognition, which gives CATCH-2004 the ability to identify a user's native tongue from the first sentences spoken, removing the need to choose from any menu. Users can access CATCH-2004 data through city information kiosks, telephones, or PCs using speech, text, or graphics. The Athens deployment, which supported Web browsers and telephone access and could handle queries in English, German, or Greek, provided information on local cultural events and Olympic sporting events, and providers set up a voice XML interface based on the database they were given. The Helsinki installation, which could handle interrogations in English or Finnish, was designed to supply information on city events but proved so successful that its scope was widened to include multichannel radio and TV program information that could be listed according to inquiries into program type, date, channel, performer, and time. Cologne, meanwhile, has merged components of the CATCH-2004 technology with existing metropolitan information kiosks.
Click Here to View Full Article

The Conference on Email and Anti-Spam, which brought together researchers from both academic and industry labs, represented the first serious academic conference to focus on spam and spam countermeasures, according to Microsoft Research's Joshua Goodman. The hottest debate centered on the proliferation of economic-based models for spamming deterrents, such as programs where spammers pay a fee for sending unsolicited commercial email, perhaps as a micropayment when a message is determined to be spam by a recipient. The same panel explored a Microsoft research project that employs a computational puzzle strategy to force spammers' computer systems to consume additional CPU or memory resources to send email in bulk, as well as challenge-response questions. University of Cambridge researcher Richard Clayton argued that each deterrent could be subverted by determined spammers. Challenge-response systems, for instance, could be thwarted by cheap labor employed by spammers, while computing power could be stolen from zombie systems in order to beat computational obstacles. "The problem is that not only is my machine insecure and my identity insecure but that my money is insecure as well," Clayton explained. Presentations at the conference included: an analysis of phishing schemes by MailFrontier engineer Jon Oliver, who concluded that even legitimate marketing emails from major companies are being misinterpreted as phishing scams because the problem is so widespread; a report from the University of Illinois at Champaign-Urbana's Ben Gross that 50 percent of people use multiple email accounts; and observations from Geoff Hulten of MSN's Anti-Spam Technology and Strategy Group that spam for non-graphical sexual products is increasing dramatically, while spam for explicit sexual products is falling.
Click Here to View Full Article

Hackers from all over the U.S. are planning to engage in a massive game of capture the flag next February, in which they will launch a cyberattack of unprecedented scale against systems set up and maintained by other hackers. The three-day event will pit East Coast against West Coast hacker teams in what is publicized as the first large-scale hacking competition to be waged over the public Internet; the contest's organizers, the Ghetto Hackers security group, expect to have 1,000 participants signed up by February. The game is being advertised at this week's Defcon hacking convention. So that the game does not leak onto the Internet, the Ghetto Hackers intend to build a network that runs on the Internet but is independent from it, through the use of a virtual private network. Security experts are largely unfazed by the event: Counterpane Internet Security founder Bruce Schneier notes that most players will not resort to "large-scale, uncontrollable attacks." Jennifer Granick of Stanford University's Center for Internet Law and Society reports that in a case where a virus or worm spills over from the game onto the Internet and causes damage, there could be a basis for legal action. Doug Tygar of the University of California, Berkeley doubts that the capture-the-flag game will yield anything significant to scholars, though he does see value in the experiment as a learning experience. Every year for the last three years at the Defcon convention, the Ghetto Hackers have coordinated a small capture-the-flag game in which eight teams hack each other on a closed network, but next year's contest promises not only to be global but to involve more amateur hackers.
Click Here to View Full Article

MIT and Cornell University researchers have created a prototype system that can determine the contents of a document and build a summary that properly orders the topics, using an automatic classification algorithm or content model trained on subject-specific sets of documents and document summaries. The algorithm, which is based on the hidden Markov model, can extricate the topic structure of a bunch of related topics and create a summary by choosing and organizing topics: By training the content model on film reviews, for instance, the system was able to automatically build capsule synopses of movies from a movie information database. Cornell computer science professor Lillian Lee says the hidden Markov model can determine mathematically that topics in a film review are likely to be ordered as opinion/plot/director/director's previous films/opinion, as opposed to actors/opinion/director's previous films/director/actors/plot. "We did not want to specify the set of topics ahead of time, but rather wanted the system to automatically decide on a set of topics itself," Lee notes; the system clusters similarly patterned sentences and ascribes a different topic to each cluster. So that the system could deal with digression, the researchers added a mathematical model of previously unseen topics. Lee thinks the system could refine the accuracy of search engines by enabling them to ascertain a Web page's general topic and domain discourse, raise the suitable content model to study the page's topic organization, and then return only topic-relevant pages. She estimates that adapting the content model for this purpose could take a decade. The Alfred P. Sloan Foundation and the National Science Foundation were underwriters of the MIT-Cornell project.
Click Here to View Full Article

The European Council supports a revision in that region's patent system that would make it easier to file for software and business process patents; the effort faces resistance from the open-source community, numerous industry groups, and the European Parliament, and also highlights the ongoing flaws in the U.S. patent system, which has been criticized from many sides as being too liberal with software and business process patents. Critics say these types of patents significantly increase risk for companies developing software, especially those that do not have patent portfolios they can trade with. To small companies without teams of dedicated lawyers, discovering a patent infringement after a product has been developed would be devastating, says analyst Clay Ryder. An overview of some of the worst software and business process patents is available at Out-Law.com, which keeps a list of the 10 worst patents, including those covering Internet-borne phone calls and copying music onto CDs. ProHelp Systems president Bo Horne sees serious consequences for patent liberalization in the U.S. and now in Europe, and says software development will become burdened with the threat of litigation similar to how doctors now contend with the managed health care system. Eventually, companies might use their software patents to collect "protection fees" from companies in exchange for withholding litigation, says Ryder--but actually collecting on alleged patent infringement is a difficult task that requires significant legal acumen and strong evidence, points out Lawrence Rosen in a recent NewsForge article. Moreover, many companies that now hold software patents, such as IBM, may be doing so for defensive reasons. IBM's ownership of software methodology that manages the Caps-Lock key, for example, is probably a defensive patent the company does not intend to exploit for revenue.
Click Here to View Full Article

The SIGGRAPH Tech Talk series will include a special panel session that highlights the impact of New Zealand companies on computer graphics technology development and production. New Zealand Trade and Enterprise, a government trade and development agency, will host the session, "Middle Earth: Imagination Made More Real," which will be moderated by Pixar Animation Studios founding member Dr. Steve Upstill, who recently immigrated to New Zealand. Among the New Zealand companies slated to participate in the panel discussion and demonstrate their technologies and productions are visual effects facility WETA Digital, software developer Right Hemisphere, and software developer Massive. WETA Digital is also expected to deliver a presentation on its effects work for "The Lord of the Rings: The Return of the King." SIGGRAPH's computer graphics conference is expected to attract 11 companies from New Zealand. The SIGGRAPH conference will take place at the Los Angeles Convention Center, Aug. 10-13, with the Tech Talk scheduled for Wednesday, Aug. 11, from 4:00-6:00 PM.
Click Here to View Full Article

A pair of Columbia University researchers, Shree K. Nayar and Ko Nishino, have devised a system employing computer algorithms that analyze the mirror image reflected off the surface of the human cornea to reveal information. Nayar, a computer science professor, captured high-resolution imagery of people and collaborated on the algorithms with Nishino; the corneal imaging system can automatically retrieve wide-angle perspectives of what people are looking at and determine where their stare is focused. The image reflected by the cornea has a wider scope than what the retina sees, which is why Nayar and Nishino's system can recover wide-angle views showing details to the side and behind the viewer. The technology's potential applications include camera surveillance, a tool to verify the truthfulness of eyewitness accounts, replication of original lighting in old movies in order to realistically splice-in virtual objects, or an interface that enables quadriplegics to control computers via their gaze. The Columbia researchers are planning to see how well the system works with archival photos. Catadioptric systems--imaging systems that integrate lenses and mirrors--are a subject of great interest to Nayar, and he and Nishino discovered that the catadioptric principle could be applied to the cornea and lenses of the eye. The corneal imaging system's most critical algorithm automatically calculates the cornea's relative position and orientation in relation to the camera by focusing on the limbus separating the cornea from the white of the eye. "The shape of the limbus tells you where the eye is in the 3D scene and which direction the eyeball is pointing," Nayar explains.
Click Here to View Full Article
(Articles published within 7 days can be accessed free of charge on this site. After 7 days, a pay-per-article option is available. First-time visitors will need to register.)

Hackers use search engines to discover vulnerabilities in Web site source code, and security experts forecast an increase in this behavior. "People have discovered that they can make a really tight Google query that comes back with results that show lots of vulnerabilities at once," says SPI Dynamics application security analyst Matt Fisher. He points out that backup files and source code are sometimes stored in clear text or as HTML files, adding that the problem lies with poor Web application security, not search engine security practices. Passwords are sometimes found in embedded code, and searching with an invalid file extension, such as .inc, .bak, or .old, will usually return Web site source code. The information tells what the site is storing, as well as configuration data that could be helpful in a hack. "Developers are not taught secure coding," Fisher says, noting that firewalls will not protect against such invasions. Chris Wysopal, vice president of @stake, says that hackers also use search engines to hide their locations and to complicate forensic investigations. Since hackers view the search engine results through a third-party cache, there is no information left about their IP address. Also, the MyDoom.O worm used search engines to locate email addresses stored in a domain range. Wysopal warns people must understand how attackers work and that they are not usually going after a given site but just searching for an opportunity.
Click Here to View Full Article

TopCoder uses a unique platform that lets programmers compete for design and development projects online: The company employs just 25 staff who work to provide requisite case diagrams, activity diagrams and technical constraints, proposed platform architecture, deployment diagram, and other necessary documents. Some 40,000 TopCoder members are available to compete in design and development contests, with open metrics grading them based on the quality of their work, as well as on their work ethic, including the validity of their challenges to other programmers' work and their consistency in producing work. Projects are split into components and modules; the competition is then described on the TopCoder Web site in terms of complexity level, payment, and deliverables. Eligible programmers have four days to review the documents and ask questions and are given further technical documents and access to a secure online forum if they choose to compete. Designs are rated by the TopCoder review board, which tests development phase competitions in order to check compliance with company standards. More than half of a project is usually made up of reusable software components already stored in the TopCoder Component Catalog; custom components and application-specific code belongs to the client, while developers earn royalties on components contributed to the catalog. TopCoder CTO Michael Lydon says the company development model is not for every firm, but might be beneficial where the scale justifies the cost of maintaining the programmer community. Programmers can make good money, such as Polish programmer Tomasz Czajka who earned $75,000 for two contests requiring less than 10 hours of work. Most programmers are skilled in C++ and Java, and a growing number of high school students are earning recognition.
Click Here to View Full Article
(Access to this site is free; however, first-time visitors must register.)

Dealing with malware on desktop systems is often as simple as rebooting the computer, but this strategy does not apply to embedded systems, whose operation must continue even when faced with security threats. The National Institute of Standards and Technology (NIST) has prepared a list of security-related design principles for designers to think about throughout the embedded systems' lifespan, such as defining a security agenda, designing the product, accommodating upgrades and changing threats, incorporating a new technology, erecting multiple security layers, and training programmers to develop protected software. Issues that must be addressed in order to determine the best security measures include what data needs to be protected and what kinds of potential attackers are out there and how sophisticated they are. Because embedded devices, particularly portable ones, are vulnerable to so many more threats than desktop systems, designers are advised to include physical protection, such as hardened enclosures and seals or tapes that provide visible evidence of tampering, in addition to traditional software security. Designers can also follow embedded software security standards, such as the Common Criteria for Information Technology Security Evaluation and Multiple Independent Levels of Security. Users must pass a multi-stage authentication process before they are allowed to interact with secure embedded systems. When an embedded system must be linked to a network or the Internet, designers encrypt the data either symmetrically or asymmetrically, though both methods require a secret key and an encoding sequence to translate plain text into cipher text and back again. Embedded-product-development budgets are expected to grow so these safeguards can be provided.
Click Here to View Full Article

The maturation of the Web has facilitated the transition of portals into the epicenter of activity for online business applications, but the augmentation of portals to accommodate more and more diverse applications has led to an increase in their complexity. Portlets have emerged as a key foundational element for mainstream portal development; the Java 2 Platform, Enterprise Edition (J2EE) portlet has become popular among vendors, and its open, collaborative enhancement scheme via the Java Community Process adds to its appeal. When it comes to meeting the needs of contemporary portal development, J2EE's "vanilla form" is inadequate. Portal-produced pages are usually comprised of content taken from multiple sources, which encourages a tendency to split the portal page into multiple windows or sub-pages, each presenting different content and perhaps boasting individual security requirements. Portlets are plugged into a particular server environment on an as-needed basis, which means that portlet development can be separate from the general interface design; buying or downloading portlets can also serve as an alternative to internal portlet development. The increase in disparate portlet deployments has led to cross-platform compatibility and portability issues. Java Specification Request (JSR) 168 was finalized in 2003 to solve this problem. It supplies a unified portlet development model with a universal API that sets up a consistent standard for portlet container construction. JSR 168 cannot support cross-platform compatibility in a more heterogeneous development environment, which is where the complementary Web Services for Remote Portlets (WSRP) specification comes in; WSRP enables portal applications to be dynamically built out of distributed portlets. This should facilitate an improvement in the general quality of the distributed applications.

The 2004 InfoWorld Security Survey of over 600 IT professionals paints a fairly bleak picture of enterprise security: Only 38 percent of respondents report strong confidence in their security, while just 8 percent report extreme confidence. IT leaders are also highly concerned with a lack of sufficient personnel and training to bolster security, while the swelling ranks of applications available online has increased concern about application vulnerabilities. Security fears are being stoked by the growing number of worms and viruses plaguing the Internet over the past 12 months--in fact, almost 30 percent of survey respondents called malicious code the greatest single threat to enterprise network security. Thirty percent of respondents have no clue as to how many attacks their network was subjected to in the past year, and 22 percent do not know how many successful attacks transpired at that time. These figures come as no surprise to SANS Institute research director Alan Paller, who explains that "It's difficult to find infected machines when the infection is meant to be kept hidden." Bank of America's John Schramm says low-level passive attacks occur with such regularity on some corporate networks that IT administrators usually ignore them and concentrate on higher-level attack data, while 57 percent of respondents working for enterprises that manage their own network security say the effectiveness of intrusion detection is often determined by the number of staffers on hand. Forty percent of surveyed IT professionals blame network exploits on operating system flaws, 24 percent report their organization suffered a denial-of-service attack, and 19 percent cite buggy Web applications; yet many respondents' loyalty to major software vendors remains steadfast. This year's respondents are chiefly fearful of malicious code, but experts believe that spyware, identity spoofing, and other threats of less concern are becoming increasingly serious, which makes a case for boosting awareness of enterprise security.
Click Here to View Full Article

A new lab membership program committed to supporting higher-education institutions was recently announced by the Open Source Development Labs (OSDL) consortium, whose mission is to speed the adoption of Linux. The new program was created to bring in affiliates among colleges and universities interested in Linux research and implementation. The first OSDL affiliates to be included in the program are Oregon State University, Marist College, Japan's Waseda University, Tokyo University of Technology, and Stanford University. The initiative allows accredited institutions to become OSDL affiliates and get involved in such programs as the OSDL Carrier Grade Linux, Data Center Linux, and Desktop Linux working groups. The program is designed to supply a colloquium where academic Linux researchers and commercial Linux vendors can exchange knowledge and work together on common problems, as well as enable university researchers to access the consortium's U.S.- and Japan-based data center computing facilities. "This new affiliate program will make it easy and attractive for colleges and universities around the world to join OSDL and participate in our initiatives," says OSDL CEO Stuart Cohen. OSDL and participating schools are jointly developing a Linux advancement program by establishing a collaborative, vendor-neutral environment; setting up industry-university connections to improve prospects for research projects and student placement; supplying insight on open source projects that fit well into higher education development; encouraging interchange between university and commercial CIOs; and starting a forum for curriculum sharing across institutions.
Click Here to View Full Article

Science fiction author and former computer science professor Vernor Vinge believes an integration of powerful processors, infinite data-storage capacity, pervasive sensor networks, and deeply embedded user interfaces will take place in the next three decades and come to embody a connection between people and machines that is "so intimate that users may reasonably be considered superhumanly intelligent." In his story, "Synthetic Serendipity," Vinge envisions the world circa 2020 as a place where people fully immerse themselves in artificial environments through a combination of virtual reality (where computer-generated stimuli are fed into users' sensory systems) and augmented reality (in which computerized images are superimposed over the person's view of the physical world). Fantastical as such visions may seem, they are nevertheless based on actual technology. The activities Vinge writes about hinge on precise location awareness supported by localizer nodes or transceivers that communicate with neighboring nodes in a 10- to 20-meter radius. University of South Australia researchers are taking a step in this direction by playing a virtual computer game on campus using portable units equipped with notebooks, cables, batteries, and GPS receivers while wearing head-mounted displays and head-tracking devices. A key technology Vinge describes is a retinal-scanning system incorporated into contact lenses that allows data to be laid over the user's view; Microvision's scanned-beam display, which laser-scans images directly onto the retina, could be an ancestor of this technology, while Jaron Lanier at Silicon Graphics sees even more potential in a display implanted within the eye itself. Vinge's story also depicts electronic control systems directed by users' gestures rather than vocal or keypad commands. Real-life research is focusing on not just gesture-based control systems but those that use eyeblinks and subvocal utterances.
Click Here to View Full Article