NetworkWorld's Carolyn Marsan marks the occasion of the 20th anniversary of the Internet Engineering Task Force (IETF) with a comprehensive and mostly flattering review of what the standards-setting body has accomplished to date. Marsan is very fair and points out, warts and all, how much this all-volunteer organization has done to make the net work.

My company is very involved with the IETF's SecSh Working Group which is defining the Secure Shell (SSH2) protocol. SSH2 recently reached RFC status for a number of the core drafts that define the protocol - a landmark achievement that has been in the works for a long time (about 8 years).

Announced yesterday, Microsoft's MSN and Research divisions are teaming up in a new research and development effort called Microsoft Live Labs.

"REDMOND, Wash. — Jan. 25, 2006 —Microsoft Corp. today announced the formation of Microsoft® Live Labs, a research partnership between MSN® and Microsoft Research. Under the leadership of Dr. Gary William Flake, noted industry technologist and Microsoft technical fellow, Live Labs will consist of a dedicated group of researchers from MSN and Microsoft Research that will work with researchers across Microsoft and the academic research community. Live Labs will provide consistency in vision, leadership and infrastructure as well as a nimble applied research environment that fosters rapid innovations.

“Live Labs is a fantastic alliance between some of the best engineering and scientific talent in the world. It will be the pre-eminent applied research laboratory for Internet technologies,” Flake said. “This is a very exciting opportunity for researchers and technologists to have an immediate impact on the next evolution of Microsoft’s Internet products and services and will help unify our customers’ digital world so they can easily find information, pursue their interests and enrich their lives.”

Smart move. I've had the pleasure of meeting some of the MSR folks and Dr. Flake at previous MSN Search Champs events. These are some passionate, visionary people. Sparks are sure to fly. Check out the Live Labs page for more information.

Forbes.com has an interesting opinion piece that suggests that Google's denial and promised legal challenge to the recent government request for search query data may have a lot more to do with the company protecting itself than keeping user's private information from curious eyes.

The article suggests that the amount of pornography being searched on the net's biggest search engine might be a huge embarrassment to the company.

ReveNews suggests that Google is afraid of setting a precedent that could come back to haunt them if the government's all-seeing eye should turn to an investigation of click fraud. And the author, Shmuly Tennenhaus (I have no idea if that's his real name), issues the following challenge:

"Google is a big-talker but they do not walk the walk. They believe in the free access and proliferation of information. Here's the fun part: when you call up Google's corporate offices, the operators are forbidden to give out their first names. I swear on my most beloved possessions; my first three seasons of 24 on DVD. You read correctly. Not last names. First names are verboten when calling Google. I've asked them (can't name anyone, since they're all anonymous in Google...) and they've told me it's corporate law. The FBI receptionists @ 202-324-3000 have the same policy. Are Google & the FBI actually twins separated at birth???

Does anyone appreciate the absurdity in all of this? With Google, I can probably find out how old you were when you first lost your virginity. (The second time you lost your virginity would be a bit tougher to track down with Google Search. For that you'd need Google Local.) Google believes in the-open-flow-of-info. Yet their own secretaries cannot "divulge" their first names. This is the same Google that aims for everyone to know everything about anything! Today, I urge you to take the Google Hypocrisy Challenge. Call up google corporate: 650-623-4000 & say "Hi, was wondering if you can help me. My first name is Wally. What's YOUR first name?" And they will reply that it's against company policy to share this (top-secret) information. Ridiculous I say! Let's see how many calls of this nature it takes for Google to publicly rationalize this nutty & contradictory edict!"

Microsoft has released new Community Technology Previews (CTP) of Expression Interactive Designer and Expression Graphic Designer. This is a refresh for the Graphic Designer application and the first public CTP release for Interactive Designer. Registration is required for these downloads.

From the Graphic Designer download page:

"Microsoft Expression Graphic Designer (formerly code named "Acrylic") is a professional illustration, painting, and graphic design product. Visit the Expression Graphic Designer Features page for an overview of the main features. For more detailed information please view the videos that are also available on the Expression Graphic Designer site."

From the Interactive Designer download page:

"Welcome to the January 2006 Community Technology Preview (CTP) of Microsoft Expression Interactive Designer. This is our first public CTP release and represents our initial opportunity to share our work with you—though it is still very much in progress.

If you are building user experience for WinFX® applications on the Windows® platform, this tool is a great start. Future versions of Expression Interactive Designer may be optimized for other platforms such as the Web and mobile devices.

This release of Expression Interactive Designer is a great way to experiment and begin familiarizing yourself with the tool, but we do not recommend using it for production work. We welcome you try its innovative features such as rich 2D & 3D graphics, animation, dynamic layout, data binding, style & template editing, and resource management.

Because this is an unfinished product, some knowledge of WinFX (see the Windows Presentation Foundation section) and .NET programming will help you when working with this CTP. You can get a free copy of Microsoft® Visual Studio® 2005 Express here."

A new version of Skype 2.0 for Windows has been released that corrects a Data Execution Prevention (DEP) flaw that makes the app appear to be virus-like to some protection software like Windows OneCare. Ed Bott pointed this issue out and get a double tip of the hat for also providing an alert about the fix.

Ken Moss posted an explanation on the MSN Search Blog explaining the reasoning behind MSN's decision to release search query data to the U.S. government last week when presented with a subpoena. Yahoo also handed over the requested information. Google rejected the request and has stated it will test the legality of the request in the courts.

The argument Moss puts forward seems reasonable - it's well-worded and soothing. But the comments following the post tell the real tale. Customers are angry about the release of information that might contain personally identifying information. The ratio of "oK with this" vs. "I'll never search using MSN again" is running about 1:9.

What do you think? Did MSN and Yahoo make a mistake by handing the data over without a protest? Do you admire Google for standing up to the request?

UPDATE: I'm no math genius. I flipped the ratio numbers around. More importantly, it's a lot clearer now, based on reports coming out of the MSN Search Champs meeting that just took place this week that MSN was very zealous about making sure no personally identifiable information was provided to the government. No IP addresses. Nothing that could link a particular query term and an individual person. It's all too easy to assume that Microsoft just "caved" - particularly for those who are predisposed to think poorly of the company. The reality is a different story.

Just posted to the MSN Search blog - a new set of Instant Answers for the MSN Search engine.

• Baseball stats
• Numerous statistics for historical baseball players and teams along with season data for current players.
• babe ruth home runs, babe ruth home runs allowed, ichiro suzuki hits 2003, Seattle Mariners attendance 1981
• Football stats
• Many lifetime and season facts for popular players and coaches.
• shaun alexander yards per catch, jake plummer quarterback rating
• Weather facts
• Weather statistics for US states and major cities.
• average temperature in January in Michigan, rainfall in honolulu
• Government officials
• Government leaders and world cabinet officials.
• defense minister of india, premier of russia
• Holidays
• Current dates of major holidays and info about how holidays are celebrated.
• memorial day in 2006, christmas eve customs

Conspiracy theorists will be dancing for joy if they listen the latest installment of the Security Now! podcast with Steve Gibson and Leo LaPorte. Gibson tries to explain, in his unique way, how a forensic examination of the Windows Metafile code has led him to the conclusion that this vulnerability is nothing of the sort. Unlike typical coding errors Microsoft has had called to their attention in the past, Gibson states that the code execution capability the recently issued patch disables could not have been the result of a mistake. It's an undocumented "feature" he claims was introduced during the Windows 2000 era and exists in all subsequent versions of the operating system.

Is he right? I've read the transcript and listened to the podcast and it appears he has substantial evidence to support his claim. I am not a developer so some of this is a bit over my head but I'm enough of a geek to be able to understand the logic behind what he's saying. It would explain why Microsoft classified this as a non-critical vulnerability in older versions of Windows including 98 and Me.

Gibson says he will investigate further this week and report back on the next show whether his initial assessment is correct. And he and LaPorte have extended an open invitation for someone from Microsoft to join them to rebut his claims. If this tuns out to be true, it's quite a bombshell - especially in light of the fact that this alleged back door should have been discovered during the code audit Microsoft conducted some time ago. If it turns out he's wrong, Gibson has a lot of apologizing to do.

Here's the description of the podcast with links so you can listen for yourself:

Description: Leo and I carefully examine the operation of the recently patched Windows MetaFile vulnerability. I describe exactly how it works in an effort to explain why it doesn't have the feeling of another Microsoft "coding error." It has the feeling of something that Microsoft deliberately designed into Windows. Given the nature of what it is, this would make it a remote code execution "backdoor." We will likely never know if this was the case, but the forensic evidence appears to be quite compelling.

High quality (64 kbps) mp3 audio file URL: http://media.GRC.com/sn/SN-022.mp3
Quarter size (16 kbps) mp3 audio file URL: http://media.GRC.com/sn/sn-022-lq.mp3

UPDATE: Priceless banter on Channel 9 of the "Steve Gibson is a snake-oil salesman" variety in response to Gibson's claim. This could get very interesting. It's bound to be entertaining at the very least.

UPDATE 2: The definitive explanation from Stephen Toulouse at the Microsoft Security Response Center blog via Scoble.

ZDNet reports that a rootkit installed by Symantec has been disclosed. Following on the heels of the Sony fiasco, this disclosure has to make you wonder what these developers are thinking. Symantec claims they made a directory undetectable to "help prevent users from accidentally deleting files" in the Norton Protected Recycle Bin. Probably not their cleverest idea ever, considering a hidden directory like this is a favorite place for malware to hide.

An update is available. If you're running Symantec's Norton SystemsWorks, run Live Update immediately and get this patched. Then run a full antivirus and spyware scan.

The ZDNet articles says:

"Symantec credits Mark Russinovich, the Sysinternals researcher who also investigated the Sony rootkit, and F-Secure, a Finnish security company that has a rootkit detection product, for helping it address the SystemWorks issue."

Russinovich has developed a rootkit detector utility that, while not appropriate for the faint of heart or casual PC user, is an excellent addition to a technically savvy user's utility toolkit.

Based on quotes in a Mercury News report from both Apple and Microsoft, you will in fact be able to set up a dual-boot environment and run both Windows and Mac OS X on one of the new Intel-based Macs announced yesterday. If you missed Steve Jobs' keynote, pop over to Engadget and read their blow-b-blow coverage for more details on everything announced by The Steve.

From Apple:

"Phil Schiller, Apple's senior vice president of worldwide product marketing, said in an interview Tuesday that the company won't sell or support Windows itself, but also hasn't done anything to preclude people from loading Windows onto the machines themselves.

"'That's fine with us. We don't mind,' Schiller said. 'If there are people who love our hardware but are forced to put up with a Windows world, then that's OK.'"

From Microsoft:

"'Any new machines that are on the market that run Windows are great,' said Scott Erickson, director of product management and marketing for Microsoft's Mac business unit.

Erickson said it was too early to say how Microsoft might take advantage of an ability to run Windows on Macs, saying only that it could give Mac users the potential to run Windows-based applications they previously couldn't."

Bink.nu has posted an image gallery with some excellent screenshots of the latest Vista build. The sample here shows the new sidebar. There's quite a selection to whet your appetite.

Courtesy of Mark Morford at SFGate.com, here's a tremendously funny mashup of the Bill Gates CES keynote drive-through of Windows Vista accompanied by a movie showing every feature mentioned as it currently ships in Mac OS X 10.4 Tiger. Undeniably hilarious and a perfect follow up to Ryan's earlier post.

UPDATE: There are actually three videos covering different features - all are a total blast. Kudos to tanquil - the author of these video compilations.

UPDATE: The invites are gone (for now). I'll put up another post when (and if) I get more. Thanks for playing!

I have a limited number (5) invitations to share for the new Windows Live Messenger beta. They are available on a first-come, first-served basis and when they're gone, that's it (unless and until Microsoft hands out more of course). Ryan and I have been testing it out and so far we're both pretty pleased with the new version of Messenger. We're hoping to test the video and VoIP chat modes this weekend. Ryan is working on a full review which he'll post here soon.

If you want in, send an e-mail to my full name (all one word) [at] hotmail [dot] com. That would be MY full name with no space between my first and last name - you got that, right?

Engadget's Peter Rojas and WSJ columnist Walt Mossberg - together at last. Great photo by Jason.

I know there's been a lot of chatter about what the exact requirements will be to run Microsoft Vista. A topic of particular concern has been the video requirements. I think it's safe to say that the new Dell XPS 600 Renegade will do an adequate job with Aero Glass effects in Vista.

Kevin Tofel, reporting for Engadget during the CES show, has all the specs on this completely insane machine. Four video cards, each with 512 MB VRAM. Three hard drives (one 150 GB unit at 10K speed, two 250 GB units at 7200 RPM). Yikes! No wonder this thing is painted like it's on fire.