Archive for May, 2010

Tech activist takes on governments over ‘copyright

Thursday, May 27th, 2010

“It’s a little bit more concrete in other states but here it’s very organic, so the products they’re getting from him are likely outdated,” Lapsley said.

These are merely minor skirmishes in what amounts to a far broader ambition: to persuade all branches of government, at every level, including the court system, to open their massive data banks to free public access through the Internet. Malamud convened a group he calls the Independent Government Observers Task Force that has held a series of meetings and compiled a list of eight principles for what they view as a truly open government.

SEBASTOPOL, Calif.–From a corner of a nondescript office building at the edge of wine country, Carl Malamud is masterminding an electronic guerrilla war against governments across the nation.

(Credit: Declan McCullagh/CNET News)

In California, Barclay’s, a subsidiary of Thomson West, is the officially designated publisher of the state Code of Regulations. A 2008 price list says the complete code of regulations is $2,315 in printed form and $3,288 with a one-year subscription with updates. A CD-ROM version with updates is $1,556.

[Editor's Note: One of the benefits of having an archive as extensive as ours is that we can provide a window into Internet history. Here's our article about Carl Malamud in April 1998 titled "Patent office slammed for not posting data." A followup from June 1998 reported the Clinton administration's response and was titled "Government puts patents online."]

Susan Lapsley, director of California’s office of administrative law, said on Wednesday that the state claims copyright “to protect that intellectual property of the state.”

“Here in California, we are the ones who publish (and) compile the regulations,” Lapsley said. To take legal action against Malamud, “we’d have to go through the state attorney general. We haven’t investigated it.”

Sonoma County, just an hour’s drive north of San Francisco, has chosen LexisNexis, part of Reed Elsevier, as its commercial publisher. The 42-chapter Sonoma County Code can be bought from LexisNexis’ online bookstore for a mere $200.

Most geeks tend to be a bit obsessive, and Malamud is no exception. He’s devoted his life to liberating laws, regulations, court cases, and the other myriad detritus that governments produce daily, but often lock up in proprietary databases or allow for-profit companies to sell for princely sums.

“One of the most important products our government makes is information,” said the 49-year-old tech activist, who created a Lego animation to buttress his point. “We forget the important role of the government in producing these vast databases of information. That to me is infrastructure no different from electrical lines or roads.”

Carl Malamud, online activist-archivist, with part of his collection of government documents to be scanned in and liberated.

That dispute, at least, had a happy ending. Malamud showed up to testify before the state legislature (“the fact that works of government are in the public domain is thus one of the foundations of our system of government”), and politicians eventually backed down.

This month, he’s busy liberating California government codes, including San Francisco’s building code, electrical code, fire code, and zoning code. That means purchasing printed copies for as little as $40 or as much as thousands of dollars, digitizing them, and posting them as PDF files without copy protection. Two months earlier, he posted the California Administrative Code.

Malamud and some of his allies replied by drafting a sample court complaint, which made the common-sense argument that the copyright was invalid: If citizens are required to comply with state law, they should be able to reproduce it freely without threat of lawsuits. And, besides, the government employees tasked with creating the law have their salaries paid for by taxpayers.

Malamud’s solution typically has been to create a proof-of-concept Web site, with the hopes of embarrassing government entities into building that infrastructure themselves. In the 1990s, his activism was responsible for persuading the Securities and Exchange Commission and the Patent and Trademark Office to make their data available for free on the Internet. Now, on his public.resource.org Web site, he’s resumed posting hundreds of thousands of pages of government documents–all of which are, or at least should be, in the public domain.

Malamud in his Sebastopol office with his ‘great seal.’

CNET’s Stephanie Condon contributed to this report

Varah warned that Malamud’s document may prove to be out-of-date, and that city residents rely on it at their peril: “The city does not make any representation as to whether codes accessed on the Internet through non-city Web sites are accurate or up-to-date versions of the San Francisco Municipal Code.”

(Credit: Declan McCullagh/CNET News)

One of those says the data should be “reasonably structured to allow automated processing,” which would allow Malamud and his allies–including the Internet Archive and the Boston Public Library, which Public.Resource.Org is paying to scan 2.5 million pages of congressional hearings–to repackage files with XML tags and permit them to be readily indexed and cataloged. Eventually, search engines might even become smart enough to interpret those tags and act accordingly.

It’s true that Sonoma’s code, which covers everything from wood-burning stoves to abandoned vehicles and home water delivery, is available on LexisNexis’ Web site without charge. But the company’s terms of use say that the content is “protected by copyrights” and that it cannot be used for “commercial” purposes, one reading of which would prohibit commercial contractors from accessing it.

At least California, San Francisco, and Sonoma let their citizens view the documents without using digital rights management techniques. Not New York state, which boasts a DRM-enabled building code on the Web site of the International Code Council. The PDF files can’t be printed, probably because the ICC sells the code in book form for $105 a copy.

Given that Malamud has made a habit of butting heads with Reed Elsevier, Thomson West, and various government entities, it’s almost surprising that he hasn’t been sued. He’s not exactly hoping for it, but also is doing nothing that could be interpreted as shying away from a fight. (The Electronic Frontier Foundation has from time to time provided him with legal advice. His nonprofit group, Public.Resource.Org, has received money from Google, eBay founder Pierre Omidyar’s charitable foundation, and the Sunlight Foundation. He’s renting office space from O’Reilly Media.)

“I believe access to knowledge is a human right,” Malamud said. “When I see people putting barriers around useful information, I find that offensive.”

Adine Varah, a San Francisco deputy city attorney, declined to answer questions on Wednesday about legal action or the enforceability of the copyright notice. “The city and county of San Francisco strongly supports and ensures the public accessibility of its municipal codes,” Varah said. “The San Francisco Municipal Code is a public record under our state and local public records laws. In addition, the city and county of San Francisco makes those codes publicly available for free on our Web site.”

One recent spat arose when the state of Oregon began sending cease-and-desist letters in April to Web sites that had posted the text of the Oregon Revised Statutes. That is “copyrighted material, the author and copyright owner of which is the Legislative Counsel Committee of the State of Oregon,” the warning said.

Malamud says that’s why he prefers to buy physical copies and pay a local business to scan them in. “The electronic stuff either has a terms and conditions on checkout, or they’re using some sort of copy-protected PDF–it is a DMCA thing,” he said. “Plus, on checkout, you agree to abide by that. They’ll put some sort of contractual restriction around it.” The DMCA, or Digital Millennium Copyright Act, broadly restricts circumventing copy-protection measures.

One hitch is that San Francisco is one of those municipalities that claims its building code is copyrighted. (The notice says: “All rights reserved. No part of this publication may be reproduced or distributed by any means or stored in a database or retrieval system without prior written permission of the City and County of San Francisco.”)

“I haven’t heard from anybody” in the city government, Malamud said, since the documents were posted early last week. “That is a little surprising. I would have expected that someone would have at least called up and asked what we hoped to accomplish by doing this.”

California’s Code of Regulations: only $3,288 for one year
One reason that city and state officials tend not to appreciate Malamud’s efforts is that selling copies of regulations can be a source of revenue.

Lapsley said the state already makes an effort to distribute the materials on the Internet, in state depositories, and through libraries. She said having government-certified sources is useful because the code is constantly in flux, with her office approving or rejecting 5 to 10 rulemakings a day and updating the official version accordingly. (In response, Malamud says that only a portion of the code is online and that the second part with building, electrical, plumbing, mechanical, and elevator regulations must be purchased.)

Shuttle Atlantis moved to pad for Hubble launch

Thursday, May 20th, 2010

If it turns out the astronauts need more time for the repair work, the fine guidance sensor replacement could be deleted.

The space shuttle Atlantis, bolted to a mobile launch platform atop an Apollo-era crawler-transporter, was hauled to launch pad 39A at the Kennedy Space Center on Tuesday for work to ready the ship for blastoff May 12 on a fifth and final mission to service the Hubble Space Telescope.

Shuttle Atlantis moved to pad 39A for May 12 launch.

(Credit: NASA)

But testing a spare ground unit at the Goddard Space Flight Center in Greenbelt, Md., getting it certified for flight, and working the mission back into NASA’s shuttle manifest ended up delaying Atlantis and Hubble Servicing Mission 4, or SM-4, for seven months, when all was said and done.

There are no technical problems of any significance with Atlantis or its payload, but analysts are still evaluating the threat posed by orbital debris at Hubble’s 350-mile-high altitude. Because of a satellite collision in February, the debris environment is somewhat worse at Hubble’s altitude and, as of this writing, the mean chance of a catastrophic impact during the shuttle visit is believed to be around 1 in 185.

Because the Hubble Space Telescope is in a different orbit than that of the International Space Station, the Atlantis astronauts cannot seek safe haven aboard the lab complex if a major problem develops that might prevent a safe re-entry.

Odds worse than 1 in 200 require an executive-level decision on whether the additional risk is acceptable. Engineers say additional analysis, possible changes to the shuttle’s orientation in space, and other factors are expected to improve those odds, and senior managers appear confident that Atlantis ultimately will be cleared for flight.

05/12: Launch
05/13: Heat shield inspection
05/14: Hubble capture (11:16 a.m.)
05/15: EVA-1 (Grunsfeld/Feustel): Wide Field Camera 3; SI C&DH; SCM, locks
05/16: EVA-2 (Massimino/Good): Rate sensing unit gyros (2 sets); batteries (1 set)
05/17: EVA-3 (Grunsfeld/Feustel): Cosmic Origins Spectrograph; Advanced Camera for Surveys repair
05/18: EVA-4 (Massimino/Good): Space Telescope Imaging Spectrograph repair; insulation
05/19: EVA-5 (Grunsfeld/Feustel): batteries (1 set); fine guidance sensor replacement; insulation
05/20: Hubble release (7:15 a.m.)
05/21: Crew off-duty day; crew news conference
05/22: Cabin stow; re-entry preps
05/23: Landing (9:55 a.m.)

The new 135-pound science instrument command and data-handling unit will be wired into Hubble’s electrical system during the first spacewalk, after the Wide Field Camera 3 is installed.

Shuttle commander Scott Altman, pilot Gregory C. Johnson, flight engineer Megan McArthur, and spacewalkers John Grunsfeld, Michael Massimino, Andrew Feustel, and Michael Good plan to fly to Kennedy late this week to inspect the replacement computer unit before it is moved to the pad April 18, along with the rest of the Hubble payload, for installation in Atlantis’ cargo bay.

As a result, NASA plans to move the shuttle Endeavour to launch pad 39B on April 17 to ready the ship for a quick-response blastoff on an emergency rescue mission, if needed. If not, Endeavour will be moved to pad 39A, after Atlantis lands for normal processing, and launch around June 13 on the next space station assembly mission.

Replacement science instrument command unit arrives at Kennedy Space Center.

Hubble SM-4 is the fifth and final planned shuttle mission to the space telescope (SM-3 was spread across two flights). During five back-to-back spacewalks, the Atlantis astronauts plan to install a new camera, called the Wide Field Camera 3, the Cosmic Origins Spectrograph, a full set of batteries, six new stabilizing gyroscopes, a new fine guidance sensor, new insulation, and to carry out repairs on two other science instruments that are currently out of action.

(Credit: William Harwood)

As it now stands, no major mission objectives have been deleted, despite the late addition of the SI/C&DH installation. But to get everything done, the astronauts must be able to complete a complex repair of the Advanced Camera for Surveys during a single spacewalk. The original flight plan broke that task into two parts.

Shuttle program managers plan to meet April 20 and 21 to review launch processing, followed by an executive-level flight readiness review April 30 at the Kennedy Space Center to formally clear the ship for launch. If no problems develop, Atlantis’ countdown will begin May 9 for a launch attempt the afternoon of May 12.

Originally scheduled for launch on October 14, the long-awaited Hubble overhaul was delayed when one channel of a critical data-processing system unit aboard the telescope failed just two weeks before liftoff. NASA managers decided to replace Hubble’s entire science instrument command and data handling unit, or SI/C&DH, to restore redundancy and improve reliability.

The last published launch time was 1:21 p.m. EDT, about 20 minutes into the Hubble launch window. But flight planners may adjust that, pending additional analysis of payload weight and ascent performance margin.

Here is a brief overview of the crew’s flight plan (assumes a launch at 1:21 p.m. on May 12; spacewalks, or EVAs, would begin around 6:46 a.m. each day):

The replacement SI/C&DH was delivered to the Kennedy Space Center on Monday, and Atlantis, attached to an external fuel tank and two solid-fuel boosters, took its first step toward space with a six-and-a-half-hour, 3.2-mile trip from the Vehicle Assembly Building to pad 39A on Tuesday.

Cisco brings Web conferencing to more smartphones

Tuesday, May 18th, 2010

Cisco Systems, which owns the WebEx Web conferencing service, announced Tuesday at the GSMA Mobile World Congress 2009 here that it is making a version of its WebEx client software available to several smartphones including Research In Motion’s BlackBerry Bold, BlackBerry Curve 8900, and BlackBerry Storm. It will also be available for the Nokia E71, Nokia E75, Nokia N97, and other Nokia E series and N series devices, as well as for the Samsung Blackjack II.

“Cell phone users will no longer be second class citizens,” said Doug Dennerline, senior vice president and general manager of Cisco’s collaboration software group. “The great thing is that people won’t ever have to miss out on a meeting if they’re late to a meeting for some reason or stuck in the airport. They don’t have to fire up their laptop. They can participate right from their phone.”

Research In Motion will be adding a quick access “button” on BlackBerry devices starting in April, so all users have to do is click on the icon to join a meeting, Dennerline said.

BARCELONA–Smartphone users will soon be able to participate in Web conferences using the hosted WebEx tool right from their phones.

The new functionality allows smartphone users to participate in Web and audio conference calls right from their mobile devices.

The company already offers the capability on the Apple iPhone 3G. And the application, which is free for all WebEx users, has been downloaded more than 50,000 times, making it one of Apple’s top 10 business apps on its App Store.

To get drunk fan kicked out, text 513-381-JERK

Sunday, May 16th, 2010

How about Drunk guy passed out in my seat & can’t wake him up sec 442? (Perhaps he wants you to take his seat? It might be better.)

(Credit: CC Inbound Pass)

“Huh?” Wade stammers.

Reilly’s column reveals some of the real texts collected by one of the companies involved in this highly entertaining enterprise, In Stadium Solutions (please, will someone tell companies that “solutions” is so 1997?):

“Well, you know, all those T-Mobile commercials you do. The owner thought you’d respect him more for doing this by text.”

Please make contact with that deep and joyous part of you that is passive-aggressive.

Rejoice, because the wonders of texting can now be brought to bear down on the miscreants of the sports arena. All you have to do is know one number and text the nature of the problem you’re having with another fan to that number.

Scott Meyers of ISS told ESPN: “Only about 5 percent of the texts we get are pranks.” Yes, people have texted to suggest that the refs, the players, or the coaches be removed, though none has been known to come from Mark Cuban, as he seems to favor Twitter.

“Excuse me, Mr. Dwyane Wade,” a large individual in uniform might whisper to Wade at practice. “Please come with me. You’ve just been traded to the Clippers.”

Yes, the part of you that wants to remove the man sitting and spitting in the seat in front of you at an NFL game, or the lady who is flipping everyone off at a baseball game (probably a Yankees fan). Yes, the part of you that doesn’t want to get involved in finger gestures, f-words, or fisticuffs.

You will unquestionably be disturbed by Guy in black jacket is exposing himself to people. Section 408 row 4 seat 7. He has spikey hair. (Spikey hair? As Reilly worries, “Where?”)

"The fan that was removed was wearing turquoise and picking her nose repeatedly during free-throw attempts."

Lady in turquoise tank is flipping people off and cursing sec 235 row 14. (Turquoise has always been a suspicious color.)

As Wade tries to come to terms with a potential life in the NBA equivalent of a row boat with no oars, the large man in uniform whispers: “The owner thought this was the most, you know, modern, sensitive way to do it.”

Imagine, the Miami Heat gets a new, slippery owner. He decides to save money. He decides he doesn’t need star guard Dwyane Wade. He decides to scale a new height of passive aggression.

However, one can only imagine if, one day, an especially passive-aggressive owner, which would exclude both Cuban and Al Davis of the Oakland Raiders, might use the service to fire a coach or trade a player.

Twenty-nine of the 32 NFL stadiums employ the service–described by ESPN’s Rick Reilly as “tattletexting.” So do many Major League Baseball, NBA and, yes, even NCAA March Madness games. (Hockey has it too. But surely, one would only want to text to get the slobbering, scuffling players off the ice.)

The Cincinnati Bengals, a team that seems to have more antisocial elements on its team than in its seats, has the lovely tattletexting number 513-381-JERK.

The tattletexting system is very simple. It doesn’t just take the texter’s word for it. The message goes through to closed-circuit camera operators, who check to see whether the lady in turquoise, the passed-out dude, or the exposed spikey hair really exist.

Microsoft says it’s off to a Fast start

Sunday, May 16th, 2010

In October, officials in Norway raided Fast’s offices as part of an accounting probe. Last month, following Microsoft’s own investigation of the accounting scandal, John Lervik, the former CEO of Fast, stepped down from his position as corporate vice president of the Microsoft Enterprise Search Group.

“Fast itself had the best quarter it has ever had,” Koenigsbauer said.

“Going forward, as Fast search is bundled with a big investment in SharePoint, it ensures that search will be a critical component of an enterprise deployment, rather than an afterthought,” Owens said. “I think it makes it hard for independent search vendors to sell into a company that has made a commitment to SharePoint for enterprise content management and collaboration.”

A year ago, the ink was just drying on Microsoft’s $1.2 billion offer to buy Norway’s Fast Search and Transfer. On Tuesday, Microsoft will unveil its first set of joint products.

The team is now led by two people, Koenigsbauer, who leads the business side, and Bjorn Olstad, the former CTO of Fast who now holds the title of Microsoft Distinguished Engineer and heads the technical team for enterprise search.

But all of those conference calls have paid off, Microsoft says.

Kirk Koenigsbauer

“SharePoint is like kudzu in the enterprise–it spreads out faster than some IT departments anticipate,” Owens said. “So a great search engine is critical to getting a handle on a SharePoint implementation.”

“You go to bed at night and you think you’ve got it done, and the next morning there is a whole pile of e-mail (with) issues,” he said.

Olstad said that every two weeks he takes a short plane ride to Copenhagen and then takes an 11-hour flight from there to Seattle. “It’s mountains and it’s fjords and it’s raining,” he said of the Seattle area. “It looks like Norway.”

That doesn’t mean it’s all been smooth sailing since the acquisition was completed in late April.

On Tuesday, Microsoft is announcing two new products at its Fastforward ‘09 customer conference in Las Vegas. One product is essentially a revamp of Fast’s core enterprise search product. The other puts Fast’s search technology on top of Microsoft’s SharePoint portal software.

“We couldn’t really be happier about the progress,” said Microsoft veteran Kirk Koenigsbauer, who serves as general manager for the Fast unit. Not only has the technical work been completed to bring the two companies’ products together, Koenigsbauer said, but the December quarter was a blowout for sales of Fast’s existing products, which help businesses search their documents.

“A thorough review of the past financial practices that led to a restatement of Fast’s 2006 & 2007 earnings has been undertaken to help ensure that such problems are not encountered again,” Microsoft said in a statement. “With the conclusion of this process, John Lervik has chosen to resign from Microsoft’s Fast subsidiary.”

In a joint interview this week, Koenigsbauer and Olstad said that, accounting scandal notwithstanding, the integration of Fast within Microsoft has been remarkably smooth. Koenigsbauer noted that both teams “like to work hard and play hard.”

SharePoint’s explosive growth has also, in its own way, helped spur demand for Fast’s technology.

Bjorn Olstad

Koenigsbauer said that Microsoft knew about the past accounting problems when it decided to buy Fast.

With its development team split among Oslo, Norway, Redmond, Wash., and Needham, Mass., Microsoft relies on a lot of conference calls. “Someone is up very, very late or very early,” Koenigsbauer said. The benefit, he said, is that work is going on around the clock. The downside is that the morning sometimes brings bad news on a project.

“We certainly went in eyes wide open,” he said, adding that “we certainly don’t have any regrets at all on the purchase of Fast.”

Linking Fast’s search product with SharePoint is a key, says Forrester analyst Leslie Owens.

Spansion, Kodak file patent suits against Samsung

Monday, May 10th, 2010

The complaint also seeks an injunction and treble damages for alleged patent violations relating to Samsung flash memory that Spansion says has accounted for more than $30 billion in Samsung’s global revenues since 2003.

Kodak has licensed its imaging patents to several leading technology companies including: MEI/Panasonic, Motorola, Nokia, Olympus, Sanyo, Sharp, Sony, Sony Ericsson, and others.

The Kodak actions allege that both Samsung and LG camera phones infringe Kodak digital camera patents. The patents in question cover technology related to image capture, compression, and data storage and a method for previewing motion images, Kodak said.

Spansion, one of the world’s largest suppliers of flash memory chips, on Monday announced it has filed two patent infringement complaints against Samsung with the International Trade Commission and in the U.S. District Court in Delaware.

Flash memory is found in virtually all electronic devices and is one of the largest segments of the semiconductor industry, with nearly $130 billion in total revenues since 2000.

Spansion and Kodak slammed Samsung with two separate patent infringement lawsuits Monday.

Spansion is seeking the exclusion from the U.S. market of more than 100 million MP3 players, cell phones, digital cameras, and other consumer electronics devices containing Samsung’s allegedly infringing flash memory components.

Spansion also listed the “manufacturers of downstream products” containing Samsung’s infringing devices in its ITC complaint. Companies named in the ITC case include: Samsung, Apple, Asus, Kingston, Lenovo, PNY, RIM, Sony, Sony-Ericsson, and Transcend.

Kodak’s District Court complaints request compensation for damages resulting from the companies’ infringement, and both the District Court and ITC actions seek injunctions prohibiting Samsung and LG from further importation and sale of products cited in the complaints. Kodak did not disclose the amount of damages it is pursuing.

The chipmaker is also targeting MirrorBit, a “charge-trapping technology” that represents a growing share of the flash memory market and is expected to replace floating gate technology in the future. Flash memory companies including Samsung have publicly announced their plans to transition to charge-trapping type technologies for their future generation products, according to Spansion.

Kodak on Monday filed suit against Samsung and LG in the United States District Court for the Western District of New York, as well as in the U.S. International Trade Commission.

The Spansion patents named in the lawsuits are fundamental to floating gate technology, “which is the foundation for approximately 90 percent of the flash memory market,” according to Spansion.

The acquisition of Saifun appears to be one of the driving forces behind these lawsuits. “The acquisition of Saifun Semiconductor earlier this year expanded Spansion’s IP portfolio and was a key milestone in Spansion’s strategy to create a major licensing business, and generate new streams of significant revenue with very high margins,” the company said.

T-Mobile stops taking Android phone orders

Tuesday, May 4th, 2010

“Sorry! Due to the overwhelming popularity of the new T-Mobile G1, upgrades are temporarily unavailable. Please try again later,” the T-Mobile pre-order page told people who tried to sign up for the phone on Saturday, according to the Android Guys blog.

T-Mobile G1, the first phone powered by Google’s Android software

It looks like T-Mobile customers trying to get one of the initial models of the first phones powered by Google’s Android operating system will have to wait a bit longer.

(Credit:
T-Mobile)

The G1 phone, built by HTC, was announced Tuesday and goes on sale October 22. The price is $179.99 for those who sign up for a two-year contract with T-Mobile.

Intel chip flaw–but what of it

Monday, May 3rd, 2010

Intel has addressed the matter this way: “We are working with these researchers. We take this research and all reports seriously. Currently as far as we know, there are no known exploits in the wild,” Intel spokesman George Alfs said in a written statement.

This bug, covered prominently by The New York Times and CNN at the time, actually had virtually no effect on users, except causing them to panic and, as a consequence, some insisted that Intel provide them with new processors. The recall cost Intel close to a half-billion dollars.

Some researchers claim that Intel has a serious chip bug on its hands. But that all depends.

But let’s not move on too quickly. First, a quote from an abstract of the paper (PDF) that has some of the chip world abuzz. “In this paper we have described practical exploitation of the CPU cache poisoning…This is the third attack on SMM (system management mode) memory our team has found within the last 10 months, affecting Intel-based systems. It seems that the current state of firmware security, even in case of such reputable vendors as Intel, is quite unsatisfying.”

And what systems are potentially vulnerable? Though both Intel and Rutkowska say the “attack” presented in the paper has been fixed on some systems, Rutkowska goes on to say: “We have however found out that even the relatively new boards, e.g. Intel DQ35 are still vulnerable (the very recent Intel DQ45 doesn’t seem to be vulnerable though). The exploit attached is for DQ35 board–the offsets would have to be changed to work on other boards (please do not ask how to do this).” (Here is a list of Intel motherboards she refers to.)

Then there’s the whopper of them all–and a flaw very different in nature from the SMM vulnerability discussed above–the show-stopping 1994 Intel FDIV bug, discovered by Professor Thomas Nicely, then at Lynchburg College in Virginia. Also referred to as the floating-point bug, it wasn’t a flaw exploitable by malicious hackers; rather, it was a bug in Intel’s original Pentium floating-point unit. Certain arcane floating-point division operations done on these processors would generate incorrect results.

Security experts who are into the arcana of chip security may find “CPU cache poisoning” riveting and serious stuff. Others, however, may simply scratch their heads and move on.

So now that we know it’s scary, what could happen in a worst-case scenario? Suffice to say that gaining access to “privileged” SMM memory would essentially allow hackers to do anything to the target PC that they want. The question is, would they actually take advantage of this particular opening?

As do others. Not worried yet? “This is the scariest, stealthiest, and most dangerous exploit I’ve seen come around since the legendary Blue Pill!,” writes Jamey Heary in a Network World blog. He is a consulting systems engineer for Cisco Systems.

Who can do this? “We assume that the attacker has (what is in practice)…equivalent to administrator privileges on the target system, and on some systems, e.g. Windows, also the ability to load and execute arbitrary kernel code,” write Rutkowska and Wojtczuk.

Rutkowska and Wojtczuk, in the abstract, say that the paper discusses “how to practically exploit this problem, showing working proof of concept codes that allow for arbitrary SMM code execution. This allows for various kind of abuses of the super-privileged SMM mode, e.g. via SMM rootkits.”

So, what is the average user to make of all of this? Security attacks and security vulnerabilities have been around since (computer) time immemorial (in the relatively brief history of mass-market computing). A report from U.K.-based technology Web site The Register in 2006, for example, suggested that people should not purchase Core 2 Duo systems–now widespread worldwide–because of security vulnerabilities and cited an open-source expert, who prophesied doom and gloom for the Core 2 Duo architecture.

These motherboards are used with Core 2 Quad, Core 2 Duo, Pentium, and Celeron processors, according to Intel’s Web site.

Joanna Rutkowska, who exposed the potential of the so-called Blue Pill flaw in August 2006 and who founded Invisible Things Lab, wrote that excerpt (along with colleague Rafal Wojtczuk) and obviously takes this very seriously.

One point worth noting is that this is not an Intel errata per se, which Intel typically details in processor specification updates. This is a theoretical attack from a malicious hacker. Nevertheless, users can minimize the risk by keeping up-to-date on patches and on operating system and security suite updates. Particularly important are BIOS (basic input/output system) and firmware updates for the processors and motherboards referenced above.

“If a hacker can use this new exploit to embed a SMM rootkit (malware) they would have ultimate control over the box (computer). Additionally, it would be virtually undetectable,” Heary wrote in response to an e-mail query. But he also added: “In a nutshell. This exploit is very serious and needs to be fixed. But…I don’t see a mass virus or worm using this. The attacks will be targeted. A rootkit must be perfectly matched to the hardware. This makes mass infection more difficult.”