Google

Tuesday, August 19, 2008

Minding online store a case of 'Not my job' for eBay, legal foes

Last month, a federal judge ruled that eBay Inc. had fulfilled its obligations to investigate and control users who were trying to use its Web site to sell counterfeit Tiffany goods — a decision that put the onus on Tiffany & Co. to monitor eBay's site itself.

The ruling by U.S. District Judge Richard Sullivan was a major victory for eBay in its fight with Tiffany and other luxury goods companies over the sale of their merchandise — counterfeit or otherwise — on its auction site. If the ruling stands, it could have big implications for trademark owners, which would have to deploy technology to scour eBay's site for counterfeit and pirated goods, have employees manually monitor the site or pay other companies to watch it for them.

But similar lawsuits filed against eBay in French and German courts haven't turned out in eBay's favor, resulting in a split decision internationally — and the possibility that in the end, eBay might have to bite the bullet and increase its own enforcement efforts.

On June 30, two weeks before Sullivan sided with eBay, the French Tribunal de Commerce in Paris ordered eBay to pay a group of companies a total of $61 million because it failed to stop counterfeit perfumes and other products from being sold through its site. That followed a similar, though much smaller, judgment against eBay by another French court in early June.

And last year, a court in Cologne, Germany, ruled that once eBay's subsidiaries in that country were notified that fake Rolex watches were being sold on the eBay Germany site, the company should have taken measures to prevent the recurrence of counterfeit Rolex postings.

The financial stakes are high on both sides of the legal dispute. Tiffany, which last week filed an appeal of Sullivan's ruling in the U.S. Court of Appeals in New York, said that in the five years before the lawsuit was filed in 2004, it spent $14 million on technology and manpower to police its trademarks on eBay's site.

But between $3 million and $5 million of Tiffany's spending was on the lawsuit itself, and Sullivan described the New York-based company's overall monitoring tab as "relatively modest" in his ruling.

Meanwhile, eBay, which is appealing the European court decisions, said it spends $20 million annually to identify counterfeit goods on its site. That figure would likely increase substantially if eBay were forced to take on more responsibility for rooting out sales of fake products. And the company probably would have to change the way it handles counterfeiting across the board, not just in those two countries.

"EBay operates on one technology platform, and to the extent that eBay has to change its business model in other countries — it would change it everywhere," said Heather McDonald, an attorney at law firm Baker & Hostetler LLP in Cleveland.

McDonald, who specializes in intellectual property enforcement and anticounterfeiting litigation, added that if eBay didn't do so, trademark owners in the U.S. could argue that the company was offering more protections to foreign businesses than it was to them.

"If we have to change our business in relation to [the Tribunal de Commerce's] ruling, it will be a massive undertaking," eBay spokeswoman Nichola Sharpe acknowledged. "We don't view it as just affecting eBay France, but affecting all eBay sites globally."

McDonald and other legal experts said the different rulings weren't surprising, because European courts typically take a stricter stance against trademark infringement and the sale of counterfeit goods than their U.S. counterparts do.

On the other hand, eBay said the ruling in the U.S. case confirms what it has maintained all along: that its efforts to stop counterfeit sales have been reasonable. According to Sharpe, eBay removed 2.2 million potentially counterfeit listings worldwide last year alone. It also suspended about 50,000 sellers who were found to be offering fake goods and took steps to make it harder to post such items, she said.

One of the ways that eBay tries to stop the sale of counterfeit goods is through its Verified Rights Owner Program, or VeRO, which provides software tools to help companies look for fake goods on its site. More than 18,000 businesses take part in VeRO, eBay said; if a company determines that a seller is peddling counterfeit merchandise, it notifies eBay, which immediately takes down the auction.

McDonald said businesses that want to invest in a technical solution to the monitoring problem can write algorithms that automatically scan eBay for listings with their brand names, then dump the information into spreadsheets so workers can determine whether the products are counterfeit.

Ethan Horwitz, an intellectual property attorney at King & Spalding LLP in Atlanta, said trademark owners also can buy packaged software from vendors such as MarkMonitor Inc. and OpSec Security Group PLC that combs the Web and finds uses of their brand names. Or, they can hire services firms to do the online sleuthing for them, he said.

Over a period of about 18 months, the Software & Information Industry Association spent hundreds of thousands of dollars to develop a tool to help it check for counterfeit or pirated software on eBay's site — money that the SIIA said should have come out of eBay's pockets.

The SIIA last month threatened to sue eBay over the issue. Like Tiffany, the trade group contended that eBay is making money from the sale of counterfeit and pirated goods and thus should bear the financial burden of stopping such sales.

"At some point, the trademark and copyright owner has done as much as possible," said Keith Kupferschmid, the SIIA's vice president of intellectual property policy and enforcement. "There's so much piracy on the site that eBay really needs to do something [more] about it."

But the ruling in the U.S. case instead reinforced the position that trademark owners have to bear most of the expense of monitoring third-party Web sites.

"[Tiffany] complained, and the court basically said, 'Tough,'" said Eric Goldman, assistant professor and director of the High Tech Law Institute at the Santa Clara University School of Law.

Sullivan's position is that eBay has to be the enforcer but not the detective, noted Horwitz. That puts the burden on trademark owners to do their own investigating of items listed on the eBay site, he said.

At least in the U.S. And at least for now — until the appeals process decides who really should be minding the online auction store.

Google solves Gmail outage, but questions remain

Late Friday night, Google Inc. resolved the third Gmail outage of the past two weeks, but questions remain about the stability of the webmail service, which is affecting the Google Apps hosted software suite.

Like the previous two outages, the latest one occurred as a log-in error that locked users out of their accounts. This time, some users were prevented from accessing their accounts for more than 24 hours.

All three outages affected not only individual Gmail users, but also people who use it as part of the Google Apps suite of collaboration and communication applications.

Google acknowledged the Gmail problem Friday and said it affected "a small subset" of the service's users. The company didn't immediately comment about what is causing the recurring log-in problem, nor did it provide a more specific figure for the number of Gmail users affected.

The long outage was painful for several Google Apps users contacted via e-mail.

Denmark's chapter of Fair Allocation of Infotech Resources (FAIR), an international nonprofit group, just started using Google Apps. When the outage hit, system developer Benjamin Bach was showing the suite to his colleagues ahead of the planned launch of FAIR Denmark's Web site this week.

The outage lasted more than 24 hours. "Seeing such a long outage during the very first few days makes us wonder if a free solution provided by Google is actually 'pro' enough for us. We cannot correspond with schools in Africa or partners in Denmark and afford being out of mail for a whole day," Bach said.

FAIR, based in Norway, is devoted to supplying computer products to developing countries. The Denmark chapter is just getting off the ground and expects to grow its Apps user base from four people to as many as 20.

Google Apps comes in several versions, including Basic and Education, which are free, and Premier, which costs $50 per user per year and includes additional functionality, a 99.9% uptime guarantee for Gmail and phone-based technical support.

"I can give them a lot of credit for providing a free service, but they lose some of that when saying, 'Your e-mail is totally inaccessible, and we're not going to tell you why or for how long.' It's arrogant. I'm a system administrator, so I deserve to know a little more," Bach said.

Indeed, Google seemed slow to address this latest outage. The first reports started appearing in the official Apps and Gmail discussion forums on Thursday afternoon Eastern time. However, Google didn't acknowledge the problem in the forums until almost 5 p.m. on Friday, more than 24 hours after the first reports appeared. Google declared the problem solved shortly after 10 p.m. on Friday.

Also without Gmail for more than 24 hours was Howard Feldstein, chairman of the Mexico chapter of Democrats Abroad, the official U.S. Democratic Party organization for American expatriates. "We're quite busy leading up to the convention. I have relied on Gmail not only for e-mail but for my primary contact list and was totally isolated for more than a day," he said.

Abhishek Parolkar, an IT consultant in Bangalore, India, also lost access to his Google Apps and Gmail accounts for more than 24 hours, which disrupted important billing messages from clients.

Sadie Upchurch, president of Glinting Communications, a public relations firm near Atlanta, was affected for about 15 hours. "I was on client deadlines and had to work around for reroutes and resends of e-mails from those clients," she said.

"I do remind myself that I'm not paying for the service and that there's a level of patience and adequate backup you've got to have when you're getting something for free," she added.

Still, it's common for organizations to try out Google Apps via its free Basic version before considering a move to the fee-based Premier edition, so a wobbly e-mail component is unlikely to entice anyone to upgrade. Google serves all of its Gmail users, from individuals to Google Apps Premier account holders, from the same infrastructure, so Gmail outages hit all types of users indiscriminately.

The suite, even its free version, is geared toward workplace use and designed for employee collaboration, which is why it contains calendar, word processing, spreadsheet, presentation and Web site creation applications.

For that reason, it's unlikely that Google would consider several lengthy Gmail outages in a span of two weeks as the norm for Apps. After all, Google has aspirations that Apps will grow its very small presence among large enterprises, which demand high performance and availability levels from their software. Apps is currently used mostly by small organizations.

Microsoft faces Taiwan antitrust investigation

Taiwan's Fair Trade Commission has launched an investigation into whether Microsoft Corp. holds a monopoly position over the island's software market and whether it abuses such a position, an official said today.

The government investigation into Microsoft will also look into complaints that Microsoft is limiting consumer choices by restricting the availability of Windows XP on new PCs and whether pricing of Microsoft products is fair to consumers on the island.

Taiwan's investigation is unique in that no other region where Microsoft has previously faced regulatory issues, including the U.S., Europe and South Korea, is currently looking at the company for the same reason.

"Taiwan doesn't have its own [OS] software," said an official from the Fair Trade Commission. "Most people in Taiwan use Microsoft software and depend on it for work. Their market share should be very high," she said.

Should the world's largest software maker be found to have broken Taiwanese antitrust laws, the company could face a fine of up to $797,361 and could be forced to change some of its business practices on the island.

"We fully intend to comply with the process and make sure they get all the information they need," said Matt Pilla, Microsoft's director of public relations in Asia.

Taiwan's investigation was launched in part due to urging by Taiwan's nonprofit Consumers' Foundation.

The group last month called on Microsoft to continue selling Windows XP as an option on all new PCs, saying that discontinuing sales of the operating system would violate Taiwanese antitrust laws. The Consumers' Foundation alleges that Microsoft is using its market position to try to force people in Taiwan to switch to Windows Vista.

The foundation conducted a survey on the island that found 67% of consumers are opposed to Microsoft's decision to stop selling XP at the end of June.

The main complaint is over a lack of choice when people buy new computers. Around 56% of survey respondents who had bought a new computer recently were told they could not buy Windows XP and instead were forced to purchase Vista, the foundation said.

The foundation said Microsoft controls 98% of Taiwan's operating system market share, with 75% of survey respondents using Windows XP on their PCs and 23% using Vista.

A majority of respondents to the survey, more than 53%, said they did not think Vista is as useful as XP, while 23% said Vista is the better operating system.

Pilla pointed out that Microsoft has extended XP's life beyond traditional norms for the company, including allowing it to be sold on certain systems meant for businesses until June 30, 2009, and on ultralow cost PCs through June 30, 2010.

Extending the life of an older product isn't easy, he said. By extending the dates of usage, Microsoft also has to extend the time it will support Windows XP, which now stands at April 2014.

Long after it will cease being sold, the product will still have to be updated with new hardware drivers and other software support.

In addition, most of Microsoft's software developers are working on Vista, so the company has to reallocate resources to continue working on XP.

Taiwan's Fair Trade Commission investigation is at least the third action taken against Microsoft in recent years.

In 2004, the commission worked with Microsoft to resolve disputes around Windows Media Player after a ruling by the European Union found Microsoft guilty of trying to destroy competition in that market. A year earlier, the commission reached a settlement with Microsoft over the bundling of Office software.


Wednesday, August 13, 2008

Microsoft issues massive security update for Windows, Office

Microsoft Corp. today released its largest security update in 18 months to patch 26 vulnerabilities in Windows, Office, Internet Explorer (IE), Windows Messenger and other software.

"Today is a perfect storm of client-side issues," said Amol Sarwate, manager of Qualys Inc.'s vulnerabilities research lab. "Most or all of Microsoft's client-side applications are affected or patched."

At least two of the vulnerabilities have already been exploited in the wild, Microsoft acknowledged. Those two, plus another pair, said one security researcher, should be considered "zero-day" bugs because technical details about the flaws had been circulating prior to today.

"It's all about the count today," Sarwate said. "This is the largest update in 2008, and the largest in the last 18 months. We have two that we know have been exploited and four zero-days."

Even though today's updates -- 11 total bulletins, six of which were tagged as "critical," Microsoft's highest threat rating -- set a 2008 record, Microsoft left one expected fix off the table. Last week, it said it would patch one or more critical flaws in Windows Media Player 11, the version bundled with Windows Vista.

Microsoft has yanked updates at the last minute in the past, and the company typically cites reliability concerns with the patch or says it was not able to wrap up testing in time. It did the same today. "The bulletin has been removed prior to today's bulletin release because of a last-minute quality issue," said Christopher Budd, a spokesman for the Microsoft Security Response Center (MSRC) in an e-mail.

Of today's 11 updates, two were most anticipated: a patch for a bug in the Snapshot Viewer ActiveX control, which is bundled with Access, Microsoft's database application, and one for a less-critical flaw in Microsoft Word that the company confirmed in a July 8 security advisory. The former was patched by MS08-041, while the latter was fixed by MS08-042.

The Snapshot Viewer and Word vulnerabilities have been exploited by attackers, making them especially important to patch, Sarwate said.

Andrew Storms, director of security operations at security vendor nCircle Network Security Inc., saw two major themes in the massive update. "There's a lot of file-parsing vulnerabilities here," he said, "and a ton of replacement bulletins."

File-format bugs are not new to Microsoft's software, especially the applications in its Office suite, but the number patched today -- a full dozen altogether -- took Storms by surprise. "Every Office product got touched today," he said. "The good thing is that if Office 2007 [applications] are affected, they're less affected, because the file format changed with that version."

File-format vulnerabilities -- like the ones patched in Excel (MS08-043), Office in general (MS08-044) and PowerPoint (MS08-051) -- remain valuable to attackers, Storms maintained.

"They'll continue to pop up because the file formats, the older formats in particular, have been so well documented outside of Microsoft," Storms said.

On the theme of replacement bulletins, Storms noted that seven of the 11 updates unveiled today replace earlier Microsoft security patches. "It's not unusual to have a few, and by 'a few' I think of one or two, maybe three, but we're looking at a full deck here.

"It tells me that one of the best ways to find new vulnerabilities continues to be to look at what Microsoft has patched in the past and what they might have missed when they did," Storms said.

That tactic pays dividends, he argued, citing the large number of replacement updates as proof. "Absolutely, this works. You look in the same area of code as the fix Microsoft applied. Maybe the function call they patched here is being used somewhere else."

While Microsoft addressed six critical vulnerabilities in its IE browser today with MS08-045, it did not tackle a bug first reported in 2006 that returned to the limelight in May 2008 when security researcher Aviv Raff claimed that it could be combined with the so-called "carpet bomb" flaw in Apple Inc.'s Safari. Apple and Mozilla Corp. have patched their browsers to prevent the kind of blended threats that Raff has outlined.

Microsoft also issued a separate security advisory today that announced it had set the "kill bits" for a pair of third-party ActiveX controls from Hewlett-Packard Co. and Aurigma Inc. The practice, which debuted in April, lets Microsoft disable vulnerable ActiveX controls remotely through its Windows Update service.

Microsoft kills more third-party ActiveX controls

Microsoft Corp. today issued "kill bit" updates for ActiveX controls from HP and a Washington state developer, the third time it's disabled third-party add-ons in the last four months.

One security researcher linked the release to a new program Microsoft announced last week that's designed to help other vendors find and fix bugs in their own software.

Microsoft disabled ActiveX controls from two companies, Hewlett-Packard Co. and Tacoma, Wash.-based Aurigma Inc., in its kill bit update, according to the security advisory issued today. The update was released through Windows Update, but it can also be downloaded from the Microsoft site.

Both companies have acknowledged vulnerabilities in their ActiveX controls, and have, in fact, patched those controls. The HP software that Microsoft killed today consisted of older ActiveX controls associated with a customer support application bundled with some of its PCs; the program, dubbed "HP Instant Support," is meant to help users update key drivers and other HP software.

HP patched its Instant Support in early June.

Aurigma's Image Uploader, meanwhile, also has a troubled past. In late January, security vendor Symantec Corp. reported multiple vulnerabilities in the software, which is licensed by sites such as MySpace and Facebook, to give their users a way to upload photos from within Internet Explorer.

Aurigma quashed the bugs in a March 2008 update to Image Uploader.

The first time Microsoft released a kill bit update for another vendor's software was in April, when it disabled a buggy ActiveX control used by Yahoo Inc.'s music player. In June, it released a kill bit that crippled an ActiveX control used by Logitech International SA to retrieve updates for software for its keyboards and mice.

In April, company officials said they would issue kill bit updates whenever asked by a vendor. "If an independent software vendor discovers that they have shipped a vulnerable [ActiveX] control, they should e-mail [us] to work with Microsoft to issue a kill bit, disabling that control," Tim Rains, a spokesman for the Microsoft Security Response Center, said at the time.

Setting the kill bit for an ActiveX control involves modifying the Windows registry. It does not patch the problem, and setting the kill bit means the control's functionality is lost. In today's cases, however, Microsoft was setting the kill bits for the older, vulnerable versions of the HP and Aurigma controls; users who had updated to the newer editions should not lose the programs' functionality.
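The registry check behind the kill bit described above, as an added example that is not part of the original article. It assumes Internet Explorer's documented location for these settings (the `ActiveX Compatibility` key, with the kill bit being `0x400` in each control's `Compatibility Flags` value); the exported registry text is constructed and the CLSIDs are placeholders, not the HP or Aurigma identifiers.

```python
import re

# Parent key under which Internet Explorer keeps one subkey per ActiveX CLSID.
COMPAT_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility"
KILL_BIT = 0x00000400  # bit inside the "Compatibility Flags" DWORD

CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
FLAGS_RE = re.compile(r'"Compatibility Flags"=dword:([0-9A-Fa-f]{8})', re.IGNORECASE)

# Constructed sample in .reg export format. All CLSIDs are placeholders.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{00000000-0000-0000-0000-000000000001}]
"Compatibility Flags"=dword:00000400

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{00000000-0000-0000-0000-000000000002}]
"Compatibility Flags"=dword:00800000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{aaaaaaaa-0000-0000-0000-000000000003}]
"Compatibility Flags"=dword:00800400

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{00000000-0000-0000-0000-000000000004}]
"AlternateCLSID"="{00000000-0000-0000-0000-0000000000ff}"
"""


def parse_compat_flags(reg_text):
    """Map each CLSID under the ActiveX Compatibility key to its flags.

    A CLSID whose subkey exists but has no "Compatibility Flags" value
    maps to None.
    """
    flags = {}
    current = None
    for raw in reg_text.splitlines():
        line = raw.strip()
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            parent, _, leaf = header.group(1).rpartition("\\")
            # Registry paths are case-insensitive, so compare lowercased.
            if parent.lower() == COMPAT_KEY.lower() and CLSID_RE.fullmatch(leaf):
                current = leaf.upper()
                flags.setdefault(current, None)
            else:
                current = None
            continue
        if current is None:
            continue
        value = FLAGS_RE.fullmatch(line)
        if value:
            flags[current] = int(value.group(1), 16)
    return flags


def audit_kill_bits(reg_text, clsids):
    """Report, for each CLSID of interest, whether its kill bit is set."""
    flags = parse_compat_flags(reg_text)
    report = {}
    for clsid in clsids:
        key = clsid.upper()
        if key not in flags:
            report[clsid] = "no entry"
        elif flags[key] is None:
            report[clsid] = "entry without Compatibility Flags"
        elif flags[key] & KILL_BIT:
            # Test the bit, not equality: other flag bits may also be set.
            report[clsid] = "kill bit set"
        else:
            report[clsid] = "kill bit not set"
    return report


if __name__ == "__main__":
    wanted = [
        "{00000000-0000-0000-0000-000000000001}",
        "{00000000-0000-0000-0000-000000000002}",
        "{AAAAAAAA-0000-0000-0000-000000000003}",
        "{00000000-0000-0000-0000-000000000004}",
        "{00000000-0000-0000-0000-000000000005}",
    ]
    for clsid, status in audit_kill_bits(SAMPLE_REG, wanted).items():
        print(clsid, "->", status)
```

Testing the bit with `&` rather than comparing the whole DWORD matters because a control's entry can carry other compatibility flags alongside the kill bit.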

"This is right in line with Microsoft's presentation at Black Hat," said Andrew Storms, director of security operations at security vendor nCircle Network Security Inc., referring to last week's security conference. At Black Hat, Microsoft said it would launch Microsoft Vulnerability Research in two months. The program helps third-party developers of Windows applications and add-ons find and fix bugs in their software.

"They said many times that they are working as a coalition to better secure the Windows operating system and everything which runs on it," Storms continued. "While Microsoft has issued a few kill bits in the past for third-party products, this is something we are going to continue to see going forward."

Monday, August 11, 2008

Kaspersky Internet Security 2009 -- fast, lean, effective

Fans of all-in-one security suites should take a serious look at the just-released Kaspersky Internet Security 2009, which includes modules for antivirus, antispyware, firewall and more, yet uses little enough system resources and RAM that it won't slow down or clog up your system.

Like many of its competitors, Kaspersky takes the "everything but the kitchen sink" approach to Internet security, and it largely succeeds. The software's sprawling features are well integrated via a single control panel with individual screens for anti-malware, system security, online security and content-filtering sections. The default settings for each module should work well for most people, but for those who like to tweak, the program offers considerable customization tools as well.

Cyberattacks knock out Georgia's Internet presence

Hackers, perhaps affiliated with a well-known Russian criminal network, have attacked and hijacked Web sites belonging to Georgia, the former Soviet republic now in the fourth day of war with Russia, a security researcher claimed on Sunday.

Some Georgian government and commercial sites are unavailable, while others may have been hijacked, said Jart Armin, a researcher who tracks the notorious Russian Business Network (RBN), a malware and criminal hosting network.

"Many of Georgia's Internet servers were under external control from late Thursday," Armin said early Saturday in an entry on his Web site. According to his research, the government's sites dedicated to the Ministry of Foreign Affairs, the Ministry of Defense, and the country's president, Mikhail Saakashvili, have been blocked completely, or traffic to and from those sites' servers has been redirected to servers actually located in Russia and Turkey.

As of midnight Eastern time on Sunday, Georgia's presidential and defense ministry sites were unavailable from the U.S. Although the foreign ministry's site remained online, the most recent news item was dated Aug. 8, the day Georgian and Russian forces first clashed.

Armin warned that Georgian sites that appeared online may actually be bogus. "Use caution with any Web sites that appear of a Georgia official source but are without any recent news [such as those dated Saturday, Aug. 9, or Sunday, Aug. 10], as these may be fraudulent," he said in another entry posted midafternoon on Sunday.

Statements from Georgia's foreign ministry have appeared in a blog hosted on Google, perhaps in an attempt to circumvent attacks.

Researchers at the Shadowserver Foundation, which tracks malicious Internet activity, confirmed some of Armin's claims. "We are now seeing new attacks against .ge sites [Editor's note: .ge is the top-level domain for Georgia.] ... www.parliament.ge and president.gov.ge are currently being hit with HTTP floods," the researchers said in a Sunday update to a July post.

On Saturday, Armin reported that key sections of Georgia's Internet traffic had been rerouted through servers based in Russia and Turkey, where the traffic was either blocked or diverted. The Russian and Turkish servers Armin identified, he said, "are well known to be under the control of RBN and influenced by the Russian government."

RBN, which pulled up stakes last year and shifted network operations to China in an attempt to avoid scrutiny, has been fingered for a wide range of criminal activities, including a massive subversion of Web sites last March.

Later on Saturday, Armin added that network administrators in Germany had been able to temporarily reroute some Georgian Internet traffic directly to servers run by Deutsche Telekom AG. Within hours, however, the traffic had been again diverted to Russian servers, this time to ones based in Moscow.

The attacks are reminiscent of other coordinated campaigns against Estonian government Web sites in April and May 2007 and against about 300 Lithuanian sites on July 1. Like Georgia, both countries are former republics in the Soviet Union.

Three weeks ago, a distributed denial-of-service attack knocked Georgia's presidential site offline for about a day.

Late Sunday, Russian ground forces were reported advancing toward Gori, an important transportation hub in central Georgia.

Thursday, August 7, 2008

Google China Music Search Live

Google has released a Music search site for China, and China only, unless you're using a proxy* to access it. We discovered traces of this a while ago, and the Wall Street Journal also covered Google's plans before. In China, music searching is one of the existing advantages of competing services like Baidu over Google, but now Google may try to find a more legal, licensed basis for such a site.

The service's main page shows a search box and a list of top songs and their artists, along with links enabling you to e.g. listen to the song online. (Please note the translations in the screenshots are given as approximations as I had automatic translation help me compile them.)

When starting to enter something in the search box, you'll get a dropdown box, which can both help auto-complete your query, but also transliterates Pinyin into Chinese characters. (The Google China homepage itself has auto-completion, too.) In the results, you can check several songs and add them to what looks like a song list. It opens in a new window served from Google partner Top100.cn. Songs play back without much hassle using Flash, accompanied by an animated ad banner. (And all that legal, apparently; Music 2.0 writes that authorities and Content Providers can now point to a viable alternative to Baidu's mp3 search and snap out of their varying degrees of apathy and do something about it. Baidu's recalcitrant attitude and financial abuse of so-called label partners as it pirates music in broad daylight will inevitably catch up with them now.)

Instead of streaming the song, you can also download it as MP3 file sometimes. What, no proprietary digital-rights-mangled format? I'm eating a big surprise, as the saying goes... this service is actually uncluttered and useful in finding music. Even the lyrics which you can open in a new window can be (gasp) copied to your clipboard for reuse, something Yahoo Music, for instance, never let you do**. And why not, as there's enough chance for revenue in the vicinity of such a service, like advertisement or paid ringtones. If not for the fact all non-China users are banned from using this, it's an almost barrier-free music download site; at the moment, though, the www in the site's address is lying.

-Thanks Xujie and Manoj Nahar!-

*In Firefox, try the following to use a proxy. In the menu open Tools -> Options. Switch to the Advanced tab and in it, the Network tab. Click the Settings button and check Manual proxy configuration. Enter 202.108.251.112 into the HTTP Proxy box and click OK below. Now try to load Google Music Search. (If this proxy does not work for you, try looking for others by searching Google for -china proxies- and similar.)

**Yahoo used an image instead of text for lyrics, among other hurdles built into their service.

Mozilla dishes up teasers for concept browser

Mozilla Labs is inviting industry wonks, higher education types and ordinary bods to contribute ideas on its new concept browser, Aurora.

The outfit behind popular open source browser Firefox wants people to get involved in its “Concept Series” project, looking at shaping the future design of web technologies.

Mozilla Labs has buddied up with San Francisco-based Adaptive Path, the firm behind the recent redesign of the MySpace website, to create the Aurora browser.

Anyone can put forward ideas, mockups or prototypes to the project, said Mozilla, which earlier this week released design and interface teasers for people to play with and adapt.

There is one caveat for individuals hoping to make a fast buck from their contribution: it wants all concepts and related source materials to be freely redistributed under either a Creative Commons licence (ideas and mockups) or the Mozilla Public Licence (prototypes).

“We're hoping to lower the barrier to participation by providing a forum for surfacing, sharing, and collaborating on new ideas and concepts,” said Mozilla.

“Our goal is to bring even more people to the table and provoke thought, facilitate discussion, and inspire future design directions for Firefox, the Mozilla project, and the Web as a whole.”

U.S. patent office to revisit Dell's 'cloud computing' trademark

The U.S. Patent and Trademark Office (USPTO) has done an about-face on Dell Inc.'s effort to claim a trademark on "cloud computing" and is reconsidering its earlier action.

Dell had received near-final approval for this trademark, but the USPTO canceled its "Notice of Allowance" on Tuesday, according to trademark records. The application has been "returned to examination."

Dell spokesman David Frink said the company isn't commenting on the USPTO's action, other than to acknowledge that the issue is going back to the examiner for additional review. He didn't want to speculate on what that might mean.

Joe Englander, an intellectual property attorney at Shutts & Bowen LLP in Fort Lauderdale, Fla., said the USPTO's decision may have been prompted by the public attention the trademark was getting.

Englander suspects a primary examiner, a person in a senior position, "looked at it and probably agreed with some of the arguments that were made public."

The USPTO move is a setback for Dell, said Englander. "It means that right when you thought you were out of the woods, you are not," he said.

Englander was among the attorneys who argued that "cloud computing" is a generic term. Even if the USPTO ultimately grants approval, the company may still face challenges.

Dell, however, already owns cloudcomputing.com.

Open-source e-voting gets LinuxWorld test run

Computer engineer Alan Dechert didn't like what he saw during the controversial vote tallying in Florida in 2000's presidential election.

That was when he decided that there had to be a better way for U.S. citizens to safely and accurately cast their ballots.

More than seven years later, Dechert is here at the LinuxWorld Conference & Expo, publicly displaying the open-source e-voting system he helped develop that fixes some of the problems that he and other critics found in the nation's voting systems almost a decade ago.

"I watched the 2000 election, and I was stunned that we didn't know how to count ballots," Dechert said.

In Florida, where paper punch-card ballots were used at the time in many counties, the nation watched in disbelief for weeks as the presidential election came down to the wire over punch cards that were analyzed individually and manually by voting officials. At issue was voter intent, as officials tried to decipher who voters had selected on the ballots, which often weren't fully punched out by the machines that were supposed to mark the ballots.

It took analysis of those ballots and a U.S. Supreme Court decision to finally decide the winner of that election, almost a month after the last polling place closed.

That December, Dechert co-founded the Granite Bay, Calif.-based Open Voting Consortium to try to help come up with a better way to vote in this country.

"This was conceived as a pilot project for Sacramento County [Calif.] in December 2000," he said. The idea was to create an electronic voting system that allows voters to make their candidate selections on a screen, then clearly print their ballots and have them scanned and tallied by reliable machines.

By creating such a system, Dechert said, then "there's no ambiguity about what the voter intended," fixing one of the most glaring problems of the old punch-card systems and poorly designed ballot layouts.

The system, which was set up here at LinuxWorld for show attendees to view and vote in mock elections, runs on PCs loaded with Ubuntu Linux and the free, open source e-voting application created by the consortium.

For election officials, the system is a simple one that would allow voters to be sure of their choices before they leave the ballot-casting area, Dechert said. Officials could intuitively set up and create the ballot for any election with a special software tool that would add candidate names, office titles and other relevant information without requiring major computing skills.

The application runs on standard PC architecture and requires no specialized equipment.

"They don't have to do anything special," Dechert said of local election officials who would use the system. "They don't have to know anything special."

LinuxWorld attendee Greg Simonoff tests out the Open Voting Consortium's proposed e-voting system. Photo by Todd Weiss.

By going to an open-source system, he said, the application's code could be carefully and publicly analyzed for flaws and security issues, then could be fixed and made trustworthy for use. At least, that's the position of open-source advocates who think they can build a better system than those created by proprietary vendors across the nation.

"What we're trying to advance is full public scrutiny, with many eyes on the code," Dechert said.

The open-source system aims to address several concerns about traditional vendor-supplied e-voting systems in use across the U.S., he said, including the following:



  • By being open source, the code can be checked at any time for flaws or problems by any qualified programmer or developer, making it more transparent and trustworthy.
  • By using off-the-shelf PC hardware and printers and other peripherals, it's much cheaper than custom, purpose-built e-voting consoles and equipment.
  • It's usable by handicapped voters and by voters who speak languages other than English.
  • It contains a voter-verifiable and fully auditable paper record that can be preserved and is recountable.

"It could be used now," Dechert said. Some local voting jurisdictions are in talks with the group now about looking further at the system, including local officials in at least one Maryland county, he said.

For use in national elections, the system would have to be heavily analyzed and eventually certified as an election system, Dechert said. That process is part of the group's future goals, he said.

Here in San Francisco, for the system on display on the show floor, mock voters entered a booth and stood in front of a computer screen that lay flat in front of them on a table. The voters then used a traditional computer mouse to make their selections on the one-screen ballot and then advanced the ballot selections with on-screen arrows. Voters could also choose to go back to check or change their selections.

After completing the ballots, participants were asked to confirm their candidate or referendum-question selections several times, then were able to print their ballots on a printer also in the voting cubicle. Each voter then put the printed paper ballot in a manila folder and walked it over to a nearby election official, who electronically tallied and scanned it in front of the voter.

More than 300 people tried out the system yesterday. Project organizers set up a ballot with the three major party candidates in this year's presidential election, as well as several referendum questions about e-voting and other topical public issues.

Dick Turnquist, an IT manager at the Association of California Water Agencies in Sacramento, test-voted on the proposed system and said he liked what he experienced. "It certainly was easy enough to use. I probably would prefer it" to existing e-voting systems, Turnquist said.

Greg Simonoff, an engineer at the California Department of Transportation, said he liked using the system but would prefer a touch-screen voting mechanism rather than a mouse-based system.

Dechert said the mouse-based system is being used in the demonstration phase of the project to cut costs but would be replaced with a touch-screen system in production.


Credit card thieves ran a polite, professional help desk

The criminal network identified in the Justice Department indictments this week as having stolen tens of millions of credit card numbers used people with skills in technology, finance and black markets -- some of whom were notably polite, attentive and productive.

In one chain of ICQ messages excerpted by federal authorities in an indictment, there is back-and-forth about the software used to get credit card data from Dave and Buster's Inc. restaurant chain. The U.S. says it was one of nine retailers hit. The hackers gave the chain a positive review: "A very nice place, they have many locations," wrote Albert Gonzalez, of Miami, in an instant message.

But little time was wasted on chitchat. Tech support was needed to modify sniffer software for an intrusion. Maksym "Maksik" Yastremskiy, of Kharkov, Ukraine, in a message to Gonzalez, briefly discussed the need and finished by asking: "...could you, please recompile it :-) Thanks."

Gonzalez's response: "I can compile right now." There was no tech support whining in these messages -- just professional interest, and perhaps some pride, in how the software worked: "Did your guy use or say anything about my sniffer for dandb [Dave and Buster's]?"

"My guy told me to tell you big thanks and etc ;-)" was Yastremskiy's reply. Some 5,000 credit card numbers were taken from the chain.

For some employees, praise is as important as money, and this group evidently had both, according to what's in the federal charging documents. They made millions until the feds closed their operations this year.

"These guys collaborate," said Sam Curry, vice president of the identity access and assurance at RSA Security, a division of EMC Corp. "They even have SLAs (service level agreements) and support numbers to reach other. They have specialized roles, sophisticated economics, [and] worldwide reach," he said.

It's the degree of specialization that's a tip-off as to how big these organizations are. It took focus and organization to attack nine major retailers, steal some 40 million credit and debit card numbers, decrypt PIN numbers, withdraw cash and sell the numbers on black markets.

The main targets were retailers. The thieves parked their cars near retail outlets, searched for open networks, and installed programs to capture the wanted data.

Retailers are particularly susceptible to theft because IT departments are kept lean, crucial technology improvements are deferred, and people with the skills needed to configure systems aren't always on staff, said Paul Kocher, president and chief scientist of Cryptography Research Inc. in San Francisco.

Amit Sinha, vice president and chief technology officer of AirDefense, Inc., a wireless security firm in Atlanta, said retail firms "have been lagging significantly," despite being a favorite target.

Retailers who lose data risk customer ill will, of course, but they can also face action by the Federal Trade Commission for letting it happen, said Richard Hackett, an adjunct professor at Boston University School of Law.

DSW Inc., the shoe retailer, had its data stolen by this group of thieves in 2005, prompting action by the FTC. In a settlement reached that same year, DSW agreed to security improvements and regular audits.

Along with Dave and Buster's, other retailers known to have been targeted are BJ's Wholesale Club, TJX, DSW Shoe Warehouse, OfficeMax, Barnes & Noble, Boston Market, Sports Authority and Forever 21.

The FTC's view is that "it is unfair to consumers to take their information and place it in a system that is not reasonably secure from unauthorized access," said Hackett.



Friday, August 1, 2008

A photo that can steal your Facebook account

At the Black Hat computer security conference in Las Vegas next week, researchers will demonstrate software they've developed that could steal online credentials from users of popular Web sites such as Facebook, eBay and Google.

The attack relies on a new type of hybrid file that looks like different things to different programs. By placing these files on Web sites that allow users to upload their own images, the researchers can circumvent security systems and take over the accounts of Web surfers who use these sites.

"We've been able to come up with a Java applet that for all intents and purposes is an image," said John Heasman, vice president of research at NGS Software.

They call this type of file a GIFAR, a contraction of GIF (graphics interchange format) and JAR (Java Archive), the two file-types that are mixed. At Black Hat, the researchers will show attendees how to create the GIFAR while omitting a few key details to prevent it from being used immediately in any widespread attack.

To the Web server, the file looks exactly like a .gif file; however, a browser's Java virtual machine will open it as a Java Archive file and then run it as an applet. That gives the attacker an opportunity to run Java code in the victim's browser. For its part, the browser treats this malicious applet as though it were written by the Web site's developers.

Here's how an attack would work: The bad guys would create a profile on one of these popular Web sites -- Facebook for example -- and upload their GIFAR as an image on the site. Then they'd trick the victim into visiting a malicious Web site, which would tell the victim's browser to go open the GIFAR. At that point, the applet would run in the browser, giving the bad guys access to the victim's Facebook account.

The attack could work on any site that allows users to upload files, potentially even on Web sites that are used to upload banking card photos or even Amazon.com, they say.

Because GIFARs are opened by Java, they can be opened in many types of browsers.

There is one catch, however. The victim would have to be logged into the Web site that is hosting the image for the attack to work. "The attack is going to work best wherever you leave yourself logged in for long periods of time," Heasman said.

There are a couple of ways that the GIFAR attack could be thwarted. Web sites could beef up their filtering tools so that they could spot the hybrid files. Alternatively, Sun could tighten up the Java runtime environment to prevent this from happening. The researchers expect Sun to come up with a fix not long after their Black Hat talk.

But researchers say that while a Java fix may disable this one attack vector, the problem of malicious content being placed on legitimate Web applications is a much larger and thornier issue. "There will be other ways to do this, with other technologies," said GIFAR developer Nathan McFeters, a researcher with Ernst & Young's Advanced Security Center.

"In the long term, Web applications are going to have to take control of the content," McFeters said. "It's a Web application issue. The Java attack that we're currently using is just one vector."

He and his fellow Black Hat presenters have entitled their talk The Internet is Broken.

Ultimately, browser makers will have to make some fundamental changes to their software too, said Jeremiah Grossman, chief technology officer with White Hat Security. "It's not that the Internet is broken," he said. "It's that browser security is broken. Browser security is really an oxymoron."
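As an added illustration of the upload filtering the article mentions (this is not code from the researchers or from any site named above), the following Python example walks a GIF's block structure to find where the image really ends and separately checks whether the same bytes open as a ZIP/JAR archive. The function names are hypothetical and both sample files are constructed inline; the hybrid sample carries only a placeholder text entry.

```python
import io
import zipfile

GIF_MAGICS = (b"GIF87a", b"GIF89a")


def _skip_sub_blocks(data, pos):
    """Skip a chain of GIF data sub-blocks; return the offset after the 0x00 terminator."""
    while True:
        if pos >= len(data):
            raise ValueError("truncated sub-block chain")
        size = data[pos]
        pos += 1
        if size == 0:
            return pos
        pos += size


def gif_end_offset(data):
    """Return the offset just past the GIF trailer byte (0x3B).

    Raises ValueError if the bytes are not a well-formed GIF.
    """
    if len(data) < 13 or data[:6] not in GIF_MAGICS:
        raise ValueError("missing GIF signature")
    packed = data[10]
    pos = 13  # 6-byte signature + 7-byte logical screen descriptor
    if packed & 0x80:  # global colour table present
        pos += 3 * (2 << (packed & 0x07))
    while pos < len(data):
        block = data[pos]
        pos += 1
        if block == 0x3B:  # trailer: the image ends here
            return pos
        if block == 0x21:  # extension: one label byte, then sub-blocks
            pos = _skip_sub_blocks(data, pos + 1)
        elif block == 0x2C:  # image descriptor: 9 bytes follow the separator
            if pos + 9 > len(data):
                raise ValueError("truncated image descriptor")
            image_packed = data[pos + 8]
            pos += 9
            if image_packed & 0x80:  # local colour table present
                pos += 3 * (2 << (image_packed & 0x07))
            pos = _skip_sub_blocks(data, pos + 1)  # +1 skips the LZW code size
        else:
            raise ValueError("unknown block type 0x%02x" % block)
    raise ValueError("no GIF trailer found")


def inspect_gif_upload(data):
    """Classify an upload that claims to be a GIF."""
    report = {"valid_gif": False, "trailing_bytes": 0,
              "zip_entries": None, "accept": False}
    try:
        end = gif_end_offset(data)
    except ValueError as exc:
        report["error"] = str(exc)
        return report
    report["valid_gif"] = True
    report["trailing_bytes"] = len(data) - end
    # Archive readers locate a ZIP from the end of the file, so the same
    # bytes can be a valid image and a valid archive. Check independently.
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as archive:
            report["zip_entries"] = archive.namelist()
    except zipfile.BadZipFile:
        pass
    report["accept"] = (report["trailing_bytes"] == 0
                        and report["zip_entries"] is None)
    return report


def strip_after_trailer(data):
    """Return only the bytes that belong to the GIF itself."""
    return data[:gif_end_offset(data)]


def constructed_samples():
    """Build (clean_gif, hybrid) test inputs; both are constructed for this example."""
    clean = (b"GIF89a"
             b"\x01\x00\x01\x00\x80\x00\x00"              # 1x1 screen, 2-colour table
             b"\x00\x00\x00\xff\xff\xff"                  # global colour table
             b"\x2c\x00\x00\x00\x00\x01\x00\x01\x00\x00"  # image descriptor
             b"\x02\x02\x44\x01\x00"                      # LZW data sub-blocks
             b"\x3b")                                     # trailer
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr("note.txt", "constructed placeholder entry")
    return clean, clean + buf.getvalue()


if __name__ == "__main__":
    for name, blob in zip(("clean", "hybrid"), constructed_samples()):
        print(name, inspect_gif_upload(blob))
```
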

IBM plans large cloud data center in North Carolina

IBM today said it is spending $360 million on a new cloud data center facility in North Carolina, the latest in a series of moves by this company to develop technology and infrastructure to support that platform.

IBM's announcement follows one earlier this week by Hewlett-Packard Co., Intel Corp., and Yahoo Inc., to jointly provide compute resources to universities to help advance cloud computing research.

All these announcements say one thing: These vendors see big potential and profit in this platform, but perhaps some cause for concern as well. Cloud computing is focused on service delivery, not on the underlying technology that these companies sell. It's a platform that could bring many new service providers into this market -- a business model along the lines of what Amazon is doing with its Elastic Compute Cloud (EC2).

IBM says it is renovating an existing building in Research Triangle Park to build 60,000 square feet of raised-floor data center space, and will complete the work early next year. The $360 million cost, according to IBM, includes construction, technology and personnel expenses. IBM now has nine centers worldwide devoted to cloud computing, and the North Carolina facility will be the largest.

The company employs about 11,000 in existing IBM facilities in that area already, but did not disclose how many would be working specifically in the North Carolina facility.

IBM also said today that it was opening a cloud computing center in Tokyo, costing about $40 million. And the company is working with Google on some of the technology issues around cloud computing.

Jay Subramonia, the director of high performance on demand solutions at IBM, said its facilities are used for research but also as test beds by customers to experiment with this platform, and see what they can do to make internal operations more cloud-like -- meaning virtualized, automated and dynamic.

Subramonia said the "entry point" for enterprises on working with the cloud model has been in deploying collaboration tools and Web 2.0 systems, as well as using them for software development test environments.

Charles King, an analyst at Pund-IT, Inc., a research firm in Hayward, Calif., said that in contrast to the research initiative announced this week by HP, Yahoo and Intel, IBM is demonstrating an early lead on commercial cloud development by building out test beds.

Cloud systems being built by some of the larger firms, such as Google and Yahoo, are relying on x86-based systems. But IBM says it will include a range of systems, from its mainframe on down, in its data center. King believes that IBM will "use all the tools in their garage" to make the case that x86 environments won't meet every need.

After facing shareholders, Yang must fulfill promises

Yahoo CEO Jerry Yang will face a tough crowd at Friday's shareholders meeting, but the expected tongue-lashing is likely the least of his worries as he stares at the towering list of promises he has made and must fulfill.

Since replacing former CEO Terry Semel in mid-2007, Yang has been assuring employees, partners, external developers, publishers, advertisers and online-service consumers that he has a foolproof plan to get Yahoo back on track financially and technologically.

For shareholders, the problem with Yang's rhetoric is that when he took over from Semel, Yahoo's stock price was in the US$27 to $28 range. On Thursday, it closed at $19.89, far from the $33 per share Microsoft offered before negotiations collapsed in early May, and very close to the $19.18 price on Jan. 31, the day prior to the bid's announcement.

"There is a lot of anger and discontent among shareholders. It will be lively tomorrow," said IDC analyst Karsten Weide in a phone interview.

Activist investor Eric Jackson, president of Ironfire Capital, plans to attend and get vocal at San Jose's Fairmont Hotel, and is encouraging others to do the same. "[The meeting] will be an opportunity for us to speak up and make our voices heard. If you're in the Bay Area, I encourage you to come out ... Hopefully, we'll have a lively set of questions posed to the Yahoo board in a true direct fashion," Jackson wrote on his blog Monday.

While Friday's meeting will give shareholders a soapbox to vent frustrations, the event is also of significance to Yahoo end-users, advertisers, publishers, partners and developers who are trusting that Yang and his team will deliver the promised goods.

With Microsoft no longer circling the waters and having appeased Carl Icahn -- who wanted to kick out the entire board and boot Yang from the CEO throne -- Yahoo's management now has no excuse for the company's underperformance.

After all, at Friday's meeting, despite the likely sound and fury from the floor, the current board will retain a solid majority -- eight members -- as part of an agreement that grants seats to Icahn and two of his candidates. This leaves Yang and his team on much more solid job-security ground.

Or maybe not. Industry analyst Rob Enderle of Enderle Group wouldn't be surprised if top management changes are announced at the meeting or shortly afterward, involving either the replacement of Yang as CEO or the addition of a new executive in a prominent role, possibly former AOL CEO Jonathan Miller, a candidate for an Icahn seat.

The mere fact that Icahn will have a say in Yahoo's operations assures changes will be made to current plans and strategies, so people and organizations tied to Yahoo services would do well to pay attention to what transpires at the meeting, especially discussions about possibly changed plans and strategies, Enderle said.

After Microsoft made its bid, Yahoo went into a hyperactive mode with product and strategy announcements, seemingly to prove that it was worth more than Microsoft was willing to pay and also able to survive independently. It's likely that that list of projects will be pared down, according to Enderle. "I don't think they'll be able to execute on all of them," he said.

Probably the most ambitious project is Yahoo Open Strategy (Y OS), which promises end-users and developers alike a major revamping of how they will respectively use and develop applications for Yahoo online services. It's generally agreed that if the Y OS vision is fully realized, it could give Yahoo a significant and long-needed boost in key areas like search and social networking.

Announced in April to great fanfare, Y OS calls for Yahoo to open all its sites, online services and Web applications to outside developers, and give users a "social profile" dashboard to unify and manage their Yahoo services. To accomplish this, officials recognize that it will be necessary to rewire Yahoo's technology back-end inside and out -- no small feat.

"It's a cool, bold, visionary project, but it will be hard to do," Weide said. "The question is: Can Yahoo pull it off?"

Another big project in the works, this one aimed at advertisers, is AMP, a new advertising management platform that the company says will greatly simplify buying and selling ads online, and -- Yahoo promises -- provide laser-like ability to target audiences.

In June, when it announced its latest of several major reorganizations in the past two years, Yahoo shocked observers with the creation of a Cloud Computing and Data Infrastructure Group, which many have speculated is a sign Yahoo plans to get into the hosted software and IT infrastructure services markets.

In addition, Yahoo has ongoing projects to continually improve its mobile services, its franchise e-mail and instant messaging products, and Panama, its much-touted search advertising platform whose efficacy fell into doubt when Yahoo recently agreed to outsource part of its search ad business to Google in order to jump-start those segment revenues.

In addition, during Microsoft's pursuit, Yahoo also acquired online video player Maven Networks, announced its social network OneConnect mobile service, re-launched its video site and introduced social news site Yahoo Buzz.

So on Friday, while shareholders hurl verbal rotten tomatoes at Yang, President Sue Decker and the other top managers, end-users, developers, publishers and advertisers should be watching, looking for signs that their promises will be fulfilled.


Big stock exchanges now battling for microseconds

Computer systems, hardware and networking technologies have improved so much that two of the world's largest trading exchanges say they have begun measuring transaction times in microseconds.

What is a microsecond? It's one-thousandth of the relatively familiar millisecond — in other words, one-millionth of a second. Speed like that is too fast for us humans to visualize.

But trading systems inhabit a Terminator 2-type world, where machine battles machine. Such systems — which are, naturally, automated — compete for the best price by getting the electrons to travel through servers and networks as fast as they can. With millions of dollars, and customers, at stake, the IT managers who run these trading operations are continually finding ways to increase system performance.

In the past year, the New York Stock Exchange and CME Group, which operates the Chicago Mercantile Exchange and Chicago Board of Trade, have begun to frame their thinking in microseconds as they look at some of the processes involved in their superfast transactions.

The need for microsecond measures is an outgrowth of the steadily increasing speed of transactions, which are heading into the single-digit-millisecond range. Improvements are due to advances in hardware, networking and trading algorithms, and as transaction rate times continue to fall, the need to measure time in smaller units becomes more acute. "We got pulled into it," said John Hart, managing director of technology engineering at CME, of the move to microsecond measures.

At these extreme speeds, microseconds matter. A 3- or 300-microsecond improvement in one transaction, multiplied across systems that are processing millions of transactions in an hour, will add up.

"It's all at the microsecond level right now," said Steve Rubinow, CIO of NYSE Euronext, which operates the New York Stock Exchange. "The core trading stuff has to be in the hundredths of microseconds."

The increasing focus on finer measurement levels may have broad implications for businesses outside of financial services, especially as companies turn to software-as-a-service (SaaS) providers.

In the trading world, speed measurements are examined at both ends of the deal. Microsecond measurement data helps the exchanges improve systems at various points in a transaction, but the customers are also measuring transaction rates and making notes.

A trader who loses money may blame IT for that loss, and defending against that accusation will require measurement data, said Bernie Davidovics, chief technology officer of SeaNet Technologies Inc. His Kew Gardens, N.Y.-based company makes a hardware appliance that can use either GPS or cellular network time data to measure transactions in a network. "He who has the data wins," Davidovics said.

SaaS and cloud-type service providers and their customers may face similar concerns over response times. For SaaS providers, these kinds of precise time measures will grow in importance, said Michael Salsburg, a director of the Computer Measurement Group Inc., a not-for-profit organization in Turnerville, N.J., whose members are concerned with IT service delivery. Vendors will likely use their speed as a competitive differentiator, but customers will measure as well to ensure that service levels are met, he said.

But when it comes to speed, the technology staffs at the exchanges are constantly looking for ways to improve response times by improving interconnects, tweaking operating systems and trying out new systems and the latest processors. Hart said CME, for instance, is already piloting Hewlett-Packard Co.'s just-released first blade system in the NonStop line, which he said doubles the throughput of earlier NonStop models.

The shift to microsecond measurement is also changing expectations for vendors. Rubinow tells the story of a storage manufacturer (that he didn't want to identify) that told him its new system delivered "sub-millisecond" response times.

Questioning the vendor about the "sub-millisecond" claim, Rubinow said, "Do you mean 900 microseconds or 100 microseconds? Because that's a world of difference to us." The vendor said he wasn't certain because he hadn't been asked that question before. Rubinow responded: "Well, get used to it, because everybody in this industry is going to ask this question."
