The U.S. Federal Communications Commission needs to prohibit mobile phone carriers from blocking text messages from competitors, a group of advocacy groups said Monday.

Mobile carriers continue to block text messages sent by competitors and there's nothing stopping them from blocking political messages, said officials with Public Knowledge, Free Press, and other groups. The groups first raised concerns about text-message blocking last September, when Verizon Wireless blocked Naral Pro-Choice America from sending messages to people who opted into a text-message campaign.

Even though Verizon Wireless quickly reversed its decision after media reports on its blocking of Naral's messages, the FCC needs to put rules in place, said Gigi Sohn, president of Public Knowledge. "If wireless carriers are allowed to decide who can speak to whom, it has huge implications for free speech, civic discourse, accessibility for the disabled ... and for competition," Sohn said.

Public Knowledge and other groups filed comments Monday in the FCC's inquiry into text-message blocking. Free Press, Public Knowledge, and other groups filed a complaint with the FCC in December.

"There is a real and ongoing problem in the U.S. communications network today," the groups said in their new filing. "Those who control the entry points into the communications system want to be able to control who can speak to the public and what can be spoken about through the rapidly growing medium of text messaging. Wireless carriers are currently openly engaging in discrimination against potential competitors, and claim the right to exercise editorial control over what their customers read and who they can communicate with."

In addition to the free speech issues, people with hearing disabilities are increasingly turning to text-messaging to communicate using phones, added Karen Peltz Strauss, legal counsel for Communication Service for the Deaf. People who depend on text-messaging need FCC guarantees that text-messaging will not be interfered with, she said.

Verizon and other mobile carriers have argued that an FCC rule is not necessary and could hurt consumers. Mobile-phone users could be inundated with spam messages if carriers are not allowed to block some messages, several carriers have argued.

Public Knowledge and other groups calling for FCC action failed to "present any facts that could justify regulation," Verizon Wireless said in March 14 comments to the FCC. Verizon Wireless has approved more than 3,200 requests for groups to send text messages, the company said.

But Verizon also screens advertisers and doesn't allow text campaigns for some products, the company said. If the FCC stops carriers from blocking some messages, "wireless operators would be prohibited from preventing ads promoting drugs, pornographic content, harassing messaging campaigns, or unsolicited messages, from barraging their customers," Verizon said in its filing.

The carriers' concern about messaging spam is misguided, said Jed Alpert, CEO of Mobile Commons, a text-messaging marketing vendor. The petition before the FCC is asking the agency to prohibit mobile carriers from blocking messages that their customers have asked to receive, not unwanted spam messages, he said.

"Nothing that's being asked for here, in any way at all, increases the likelihood that anyone would get spam on their mobile phone," Alpert said. "These are all [messaging] programs that require the user opt in, in some cases, multiple times."

Microsoft plans to launch its Live Mesh offering next week at the Web 2.0 Expo in San Francisco but so far is not revealing details of the service.

On Friday night, Microsoft sent out e-mail invitations to a "Mesh it up" event on April 24 featuring demos by Microsoft "experts." The invitation includes a reference to the mesh.com Web site, which currently requires visitors to sign in with a Windows Live ID and then displays an error message.

Microsoft declined to offer any more details about Live Mesh except to say that it will launch next week and further information will become available on Tuesday evening, April 22.

Earlier this year at Mix 08, Microsoft chief software architect Ray Ozzie vaguely referred to the Mesh concept as a way to use the Web through Microsoft products to connect devices, entertainment, businesses, and development.

The Web 2.0 Expo Web site includes a listing for a presentation by Microsoft executive Amit Mital, general manager of Live Mesh, entitled Get Mesh. Mital was previously a general manager of Live Meeting and BizTalk Server, according to the listing.

As it faces competition from online services, Microsoft has been slowly rolling out services that fall under its software-as-a-service strategy. In addition to Office Live Workspace and SkyDrive, Microsoft also has begun offering hosted versions of Exchange and SharePoint.

Symantec chairman and CEO John Thompson last week delivered a keynote speech to thousands of security professionals at the RSA Conference 2008 in San Francisco. Network World senior editor Ellen Messmer caught up with Thompson at the RSA event, where he expanded on a range of topics, including vendor alliances, Symantec's competition, and the importance of data-loss prevention technology.

Network World: Cisco just announced a partnership with EMC's RSA division to make use of the data-loss prevention technology based on Tablus, a company RSA acquired last year. Any comment on that?

John Thompson: It's a little bit ironic. Cisco had a wonderful and profitable relationship with [data-loss prevention vendor] Vontu  before we bought them. Cisco was a Vontu reseller. It shows Cisco would rather work with anyone other than Symantec. Cisco has a philosophical point of view that if you compete with me, you can't partner with me.

NW: What's Symantec doing with Vontu, which it acquired last December?

JT: The DLP technology Vontu brings to a company specifically makes policy-based decisions about information flowing over a network, an area important to highly regulated financial services, health care providers, or the merger and acquisition transactions at a company. The Vontu acquisition was important for us since we will now integrate that policy engine into the storage and network tier in what Symantec researchers internally are calling Project Huggie.

NW: How does the Veritas merger of three years ago look to you today?

JT: We put together our $2.6 billion company with $2 billion Veritas and spent two years fully integrating the two companies. This was not an easy task. We made some mistakes. But the market has proven that our vision was correct.

NW: Why doesn't Symantec acquire an encryption-technology company?

JT: We license encryption technology for implementation in our products. We don't need to own the technology. My view is the real opportunity about encryption is managing the keys that unlock the data.

NW: Any take on virtualization?

JT: The virtual-machine phenomenon is here to stay. At the server level, it's optimizing the hardware resources a lot better. Most are underutilized. You can run more applications on a server. Given that you will virtualize the infrastructure, you'll also virtualize the backup and management. The complexity of the virtual environment goes up quite a bit due to the nature of the applications. The opportunity is around application isolation. You want trusted applications, so if something were to occur in one virtual instance, it wouldn't contaminate what was running in another. Everyone in this industry wants to wrap themselves in a "virtual cloak" as it were.

NW: What do you think of McAfee, often viewed as your rival?

JT: It's a nice little company and they do a nice job. The industry needs competition. But we don't see their portfolio as competing directly with ours. We help customers manage their infrastructures better.

NW: What about Microsoft's entry into anti-virus about two years ago?

JT: It's been much ado about nothing. Their results have been fairly abysmal, although Microsoft has done a lot to make Vista a secure operating system. Customers like the concept of diversity. Products like McAfee, Sophos, Panda, and more serve as part of the ecosystem.

NW: In past election seasons, you publicly voiced a preference for a particular presidential candidate. Are you doing that for this November's presidential election?

JT: I'm just going to run Symantec. I'd just say a new administration, whatever it is, hopefully realizes the importance of technology for everyone on the planet.

Nevis Networks is upgrading software for its NAC appliances so that it can do more application-specific monitoring and enforcement.

With Version 4.0 of its system software, the company is moving toward application intelligence in its devices. The first example of this is the ability to recognize and control peer-to-peer and instant messaging. This will be upgraded over time to recognize and control more applications, the company says.

The new software includes a messaging client that puts an icon in the system tray of users' machines that pops up messages. For example, it might tell the user that his anti-virus is out of date and, therefore, his machine is being quarantined.

A new policy evaluation tool lets customers write changes to policies and see how they interact with existing policies before they go into effect. Thus, if a user is granted membership in an additional user group in Active Directory, the tool can show how the aggregate rules of the user's previous groups and the proposed new group will interact and be enforced. This can be done without actually deploying the new rules and inadvertently creating security holes.

The software adds ActiveX and Java agents for performing health checks on devices that are logging in to networks; the agents can be distributed even if the user doesn't have administrative rights to the machine. The agents can be downloaded via Microsoft Windows Installer.

A new real-time health dashboard lets administrators see what users are on the network, what machines they are using, how many machines have violated policies, and the like. This data was available before, but only historically.

New reporting software enables custom reports that could be devised, for instance, to help show that a business is meeting a government or industry regulation. A related online community has been set up so that customers can share these regulation-specific reports with others that need to comply with the same regulation.

The software also now supports end-point scanning for Mac OS X. Before, Macintoshes could be whitelisted but not scanned.

The Nevis LANenforcere 2124 appliance is shipping. It supports 3,000 users and costs $45,000.

Microsoft unveiled on Monday new content partners for its Silverlight technology and provided details of a forthcoming DRM (digital rights management) technology for its multimedia platform.

The company made these announcements to promote the use of its Silverlight multimedia development and deployment technology to broadcasters at the annual NAB Show 2008 in Las Vegas.

Among the companies that now have projects based on Silverlight are MSG (Madison Square Garden) Interactive, Tencent, Abertis Telecom, Terra Networks Operations, SBSi, MNet, and Yahoo Japan, Microsoft said.

Specifically, MSG Interactive is using Silverlight to provide users with live, on-demand digital entertainment and sports content, while Abertis Telecom is using the platform as the basis for a new Spanish-language video channel that will go live in the next couple of months. Terra Networks also plans to use Silverlight to deliver a new HD channel on Terra TV, an online video and TV service that serves 18 countries in Latin America and the U.S.

Meanwhile, the two Asian companies -- Tencent, a Chinese Internet portal, and Yahoo Japan -- said they will use Silverlight for future video distribution and Internet services.

On Monday, Microsoft also unveiled details of a new DRM technology for streaming live content called Silverlight DRM. The technology is based on Microsoft's PlayReady technology and is expected to be available later this year when Microsoft releases Silverlight 2.

Microsoft said Tuesday that Silverlight DRM will be compatible with Windows Media DRM 10 content and is aimed at protecting content that is streamed live or on-demand. The company is giving NAB 2008 attendees demonstrations of Silverlight DRM in its booth at the conference.

Microsoft unveiled Silverlight last year to compete with Adobe's Flash multimedia runtime and player; however, Microsoft has optimized Silverlight for HD video content in particular as a way to differentiate its technology from Flash.

According to Microsoft, Silverlight is logging about 1.5 million downloads per day, which includes downloads spurred by Microsoft running Silverlight on its own Web sites and for company Webcasts.

As the fight for 4G (fourth-generation) supremacy continues, seven industry heavyweights have joined forces to set up rules for licensing LTE technology, but Qualcomm is missing.

The companies on board are Alcatel-Lucent, NEC, Nextwave Wireless, Ericsson, Nokia, Nokia Siemens Networks, and Sony Ericsson. They are all committed to a framework for maximum aggregate costs for licensing intellectual property rights that relate to LTE (Long Term Evolution), according to a statement.

"We want to increase the confidence for the rollout of LTE," said Gustav Brismark, vice president for patent strategies and portfolio management at Ericsson.

Membership is open to anyone, and there have been discussions with other vendors as well.

But so far Qualcomm has decided to not get involved, according to Richard Tinkler, European marketing manager and public relations director at Qualcomm.

"You have to bear in mind that we are members of ETSI and NGMN, and we support a market-based approach to innovation," said Tinkler.

The real reason is Qualcomm's support for UMB (Ultra Mobile Broadband), according to Gartner analyst Carolina Milanesi.

"It is pushing UMB as an alternative to LTE, at least in the short term. So right now it's not backing LTE," said Milanesi.

She still sees the announcement as step in the right direction. "It might heat things up a bit; still, there are more questions than answers," said Milanesi.

The companies support that a reasonable maximum aggregate royalty level for LTE in handsets is a single-digit percentage of the sales price.

For notebooks, with embedded LTE capabilities, they support a single-digit dollar amount as the maximum aggregate royalty level, according to a statement.

The appearance and disappearance of a Windows XP installation snafu indicates that Microsoft patched a critical vulnerability in XP's still-unfinished Service Pack 3 (SP3) weeks before it fixed any other version of Windows. The glitch, which sent some PCs into an endless round of reboots, was strangely similar to one faced by Vista users in February.

Attackers have already tried to exploit that bug, which was patched last Tuesday -- as it turned out, two weeks after the newest build of Windows XP SP3 was released with the flaw fixed.

According to reports from multiple users on a Microsoft support newsgroup, PCs began rebooting immediately after they had been updated to SP3. "I have just updated my pc from xp sp2 to sp3," said a user identified as "yaojinglin" in a message to a SP3 support forum last Thursday. "The installation was successful, but when I reboot my pc after the installation finished, my pc started to reboot again and again."

Nearly two months before, some Windows Vista users experienced similar endless rebooting after an update designed to prepare machines for the upcoming Service Pack 1 (SP1) locked up PCs. It's believed that the similarities are a coincidence.

An explanation emergesOn the XP SP3 support threads, a Microsoft representative named Shashank Bansal stepped into the rebooting discussion, which was beginning to seem as endless as the rebooting itself. Bansal asked for more information, then offered an explanation: "This issue happens with 3311 build of XP SP3. It happens because KB948590 stops installation of SP3 version of gdi32.dll on the system due to file-version differences."

The 3311 build of Windows XP SP3 was released to the general public Feb. 19, and dubbed "Windows XP SP3 Release Candidate 2" by Microsoft. It was superseded by the public release of "Windows XP SP3 RC2 Refresh" on March 25; that version was pegged as Build 5508.

"Using a later SP3 build (5508) would ensure the issue would not happen," Bansal told users whose PCs had been rebooting. He also said that the problem could be solved by booting with a Windows installation disc, selecting the Repair option, then copying the "gdi32.dll" from one directory to another.

That GD... IThe support document that Bansal referenced covers one of the eight security bulletins Microsoft issued last Tuesday, and spells out a pair of critical vulnerabilities in Windows' GDI, or graphics device interface, a core component of the operating system. Within 48 hours of Microsoft patching the GDI, however, attackers had crafted an exploit and were using it in attempts to infect PCs, said Symantec.

Ironically, SP3's endless reboot problem and Bansal's response on the support newsgroups confirmed that the service pack -- which is still in development -- was not only the one version of Windows that did not require a GDI patch, but also that it was patched 14 days before any supported edition of Windows.

"The KB [948590] mentioned was released post 3311," said Bansal, talking about the GDI fixes. "The KB carried a version of gdi32 higher than [the version included in] 3311 (as it was released later). This caused the [file version] difference."

The file version conflict caused the reboot error, but affected only users who had patched their copies of Windows XP SP2 with the GDI fixes, then subsequently tried to upgrade to SP3 using an older build of the service pack.

As Bansal had hinted, upgrading with XP SP3 Build 5508 would not create the endless reboot problem, because its version of gdi32.dll was the same as that rolled out last week as part of Patch Tuesday. Comparison of the gdi32.dll files showed as much: the file included with XP SP3 Build 5508 was called version 5.1.2600.5508 and date-stamped as Feb. 28. The patched version issued last week by Microsoft for the 32-bit edition of Windows XP SP2 was called version 5.1.2600.3316 and dated Feb. 20.

Earlier last week, Microsoft's MS08-021 security bulletin -- the one which explains the GDI vulnerabilities -- noted that "Windows XP Service Pack 3 is not affected by this vulnerability." But on Friday, after Computerworld asked Microsoft for more information about why XP SP3 was not affected by the GDI bugs, the company yanked the reference to XP SP3 from the bulletin.

A Microsoft spokeswoman said the mention had been a mistake. "The inclusion of Windows XP SP3, which is still in beta, was an editorial oversight," she said in an e-mail. However, she did not provide an explanation why other recent operating system updates -- notably Vista SP1 and Server 2008 -- had not been patched prior to their release.

The simplest explanation, said Andrew Storms, director of security operations at nCircle Network Security, was one of timing. "I prefer to stick with the simplest possibility -- Microsoft already knew about the vulnerability and had already delivered [the patch] as part of SP3," Storms said Friday.

That turned out to be true, as XP SP3 Build 5508 -- with the patched gdi32.dll -- was made available two weeks before Microsoft patched the component in the rest of its Windows portfolio.

However, according to the date stamps of the gdi32.dll files included with last week's patches, fixes for Vista SP1 and Server 2008 were finished Feb. 21 and Feb. 22, nearly three weeks after both operating systems were designated as RTM (release to manufacturing), and shipped to OEMs and duplicators.

Computerworld is an InfoWorld affiliate.

Oracle on Monday announced a pair of products aimed at securely archiving enterprise content and e-mail.

The Universal Online Archive application sits on top of Oracle's database, said Andy MacMillan, vice president of product marketing in Oracle's enterprise content management division. That means the content can leverage features like SecureFiles, a file encryption and compression system native to Oracle's 11g database release.

Oracle developed the core of the software organically, but it also employs some technology from its acquisition of Stellent, according to MacMillan.

Despite its name, the initial release of Universal Online Archive will first be available as an on-premises install, according to MacMillan. However, he added, "We are looking very aggressively at what it would take to make this an on-demand product."

An accompanying offering also announced Monday, Oracle E-Mail Archive Service, provides a means for storing content from Microsoft Exchange, IBM Lotus Notes, and SMTP-based mail systems, Oracle said.

"The e-mail archiving market is a growing market for a lot of compliance reasons," MacMillan noted. "This product really grew from a lot of market demand we got from our own customers."

The announcements garnered a nod of approval from one observer.

"I think what Oracle is trying to do with [Universal Online Archive] is develop an infrastructure application that will sit behind all of the other systems and allow retention and retention policies to occur and be managed centrally," wrote David Roe, a technical lead/architect in the enterprise content management group at Ironworks Consulting, on his blog.

"Where I think they are doing it right is by not trying to force companies into replacing their current applications," he added. "I don't think anyone would be interested in another Exchange or another SharePoint just to implement better compliance software."

Oracle did not name a firm date for the products' release, saying only that they are expected to be available in 2008. Universal Online Archive is expected to cost $20 per named user plus or $75,000 per CPU, and the E-Mail Archive Service will be priced at $50 per named user plus or $40,000 per CPU.

It made the announcements at the start of Collaborate 08, an Oracle user conference going on this week in Denver.

You might know how to secure your network devices and datacenters to keep your corporate intelligence safe. But do you know how to teach your employees how to guard against attacks -- not generically, but based on the work they do?

Experts suggest that a well-constructed security plan involves customized training by job function. You need to tell your HR people to manage personnel files that might reside in multiple locations, your facilities crew to watch out for people entering the building with fake IDs, and your salespeople to guard access to the company's CRM system.

Trusting an employee with access to mission-critical or sensitive systems is a risky but unavoidable gamble. Let's face it: People are wild cards. In fact, let's take the gambling analogy a step further. Just as casinos thwart cheaters at every table or station on their floors, so, too, can IT officials thwart breaches by customizing security plans for individual employees in every zone of their companies.

[ Learn more about combatting data leaks in: "The debate over the right data loss prevention strategy." ]

In fact, casino practices can be translated to the corporate IT world to create at a common-sense list of do's and don'ts for redoubling security based on who does what job. The lessons we learn from craps pits and blackjack tables reveal that it's never wise to entrust your business's most valuable or vulnerable assets to a single employee. Instead, compartmentalize access whenever possible, and never hesitate to look over employees' shoulders.

Above all, follow the golden rule of a casino: Gauge your level of risk and develop airtight audit trails, urges Bruce Schneier, a security expert in Mountain View, Calif., who has written several books on computer and network security, including "Applied Cryptography" (Wiley, 1996). Schneier often uses the casino metaphor to drive home important points surrounding individualized security. "If you look at a casino floor, you will notice immediately that people are watching people," he says. "That's because a lot of cash is moving, and it's moving very quickly."

Just as edgy casino managers constantly size up everyone on the floor as potential security threats, so must corporate IT security leaders size up every employee. "People are the weakest link in security. They always have been, and you will never change that," Schneier says. "But the reality is that you've got to deal with people, and people are going to make mistakes."

Security isn't the responsibility of a single security manager or even a security department. Just as quality was understood in the 1980s to be the responsibility of everyone in an organization, so, too, is security everyone's responsibility.

Each person in the organization creates, works with, transports, and stores valuable information and physical assets. And each employee has a responsibility to safeguard those assets. Unfortunately, too often employees aren't educated by the organization as to what their duties are and how they can effectively manage risk while still getting their jobs done.

And the idea that an organization must guard against nefarious insider activity isn't new, either. "Most effective security programs address the people element, and any job function with access to an organization's valuable resources or assets is a risk," explains Kent Anderson, managing director of Network Risk Management LLC in Portland, Ore. Anderson cites a wide range of personnel who pose mighty risks -- everyone from security guards to IT workers to higher-level executives with the authority to override security controls.

The people problem continues to grow, since it is now harder to differentiate between internal and external threats. "The difference between an insider and an outsider is no longer clear," says Anderson, who cautions corporations to be aware of the ways that contractors, outsourcers, vendors, partner companies, and suppliers could gain access to sensitive corporate data -- either by accident or by design.

While spotting risks can be tricky enough, addressing weaknesses is even tougher, says Anderson. For example, security training programs often prove ineffective, and many employees will continually disregard advice and fail to pay heed to the cautionary tales delivered at droning security seminars.

"The average employee view is one-dimensional. These individuals are not looking at security from the standpoint of accountability for the organization. They are looking at the issue only as it affects their level of responsibility," observes Norris Roberts, director of technology for the Jennings, Mo., school district.

A quarterly employee-awareness seminar might provide a check for a compliance-driven security program, but if the employees are left to try to figure out how to apply security controls to their day-to-day job functions, that will probably never happen, says Anderson.

Roberts rattles off a list of security measures employees are likely to ignore. "Strong password practices are not being applied. The sharing of passwords continues. Good e-mail practices are ignored. And overall, inappropriate user rights and privileges remain a huge problem," he says.

"The most common mistake when educating end-users about security awareness is that the training is frequently presented in a Draconian fashion, which does nothing to encourage employees to cooperate with the policies being implemented," notes Eddie Zeitler, executive director of International Information Systems Security Certification Consortium Inc., or (ISC)2, in Palm Harbor, Fla.

"Security awareness doesn't have to be boring," he says, quickly adding that companies must do far more than just jazz up security training efforts. To make employees more invested, IT shops must convince workers that security measures are imposed for the benefit of both employer and employee.

"If employees realize they could lose their jobs over something that could have been prevented by practicing common-sense security measures, they are given extra incentive to play by the rules," Zeitler says.

Playing by the rules is non-negotiable at casinos, where the stakes are high. Corporations that have just as much to lose must constantly communicate the same message. Only then will granting the privilege of access no longer be such a gamble.

Computerworld is an InfoWorld affiliate.

A Colombian man who used keylogging software in a lucrative identity theft scheme has been sentenced to nine years in prison and ordered to pay restitution of US$347,000.

Mario Simbaqueba Bonilla, 40, pleaded guilty in U.S. federal court in January to conspiracy, access device fraud and aggravated identity theft. His scheme, which he carried out alone and with a co-conspirator between 2004 and 2007, had more than 600 victims worldwide, including employees of the U.S. Department of Defense, according to the Department of Justice.

Bonilla installed keylogging software on hotel business-center computers and Internet lounges in order to steal passwords and other personal data. Then he and his partner used complex computer intrusion methods to steal money from accounts. After transferring the money to credit and debit cards or cash, Bonilla used it to buy electronics and pay for luxury travel to Hong Kong, France, Jamaica, the U.S., and other places, according to the Justice Department. The court pegged the actual and attempted losses from the scheme at $1.4 million.

Bonilla was arrested by federal agents last August when he flew into the U.S. with a laptop, purchased with stolen funds, that contained personal and financial information on more than 600 people.

In addition to the prison term and restitution, Bonilla was sentenced to three years of supervised release after his release.