July 2001 Archives

Marc Hedlund

Related link: http://news.cnet.com/news/0-1004-200-6674297.html

c|net’s news.com reports that some users have been suspended or terminated by their ISPs for using filetrading clients like Morpheus or Bearshare. Does Napster’s downfall and the rise of decentralized filesharing networks mean that individual users are next on the chopping block?

The article notes, interestingly, that filesharing programs have been one of the biggest adoption drivers for high-speed Internet connections. ISPs, it seems, have a real revenue incentive to allow filesharing, but also a regulatory prohibition (under the Digital Millennium Copyright Act) against doing so.

It would seem like the remedy for individual users would be to use filesharing clients to receive files, but prevent them from serving files. “One-way” filesharing clients would be harder for copyright holders to detect and prosecute — though they would also degrade the utility of the filesharing networks. To combat one-way clients, ISPs would need to sniff and filter specific types of traffic (either traffic to particular ports, or traffic on port 80 with particular characteristics).

The Legislative/Digital Rights Management (DRM) track at The O’Reilly Peer-to-Peer and Web Services Conference will address this issue for several audiences. Perhaps by then David McOwen will not be the only P2P user facing criminal prosecution…

Related link: http://news.zdnet.co.uk/story/0,,t269-s2091693,00.html

Mono could quickly become mired in intellectual property difficulties. Tony Goodhew, a program manager in Microsoft’s developer products group, has warned that licensing problems might result if open source code is mixed with Microsoft’s .NET source code. For more, check out this article, featured in ZDNet UK.

What are your thoughts?

Marc Hedlund

Related link: http://web.siliconvalley.com/content/sv/2001/07/18/opinion/dgillmor/weblog/index…

In his Weblog today, Dan Gillmor notes the Wall St. Journal report that Java will not be shipped with Microsoft’s Windows XP operating system. Dan remarks, “The shoes just keep dropping, don’t they.”

I agree that Microsoft seems to have found a way to have another negative article about Windows XP in the press week after week. It’s astonishingly well-coordinated and timed. For now, as a consumer, I have decided to take my copies of Windows 2000 and Office 2000 and hole up in a bomb shelter (or a falling-shoe shelter) with them until the war is over.

Nonetheless, I strongly disagree that this is another falling shoe from Microsoft. To be blunt, if they don’t ship their Java browser extension with every copy of Windows XP, so what? Why does that matter? Applets — the browser-based Java technologies that are affected by this move — have never taken off, and where they have found niches of utility, they are almost universally used with the more modern Java Plug-in. The plug-in incorporates all of Java’s significant advances in the Java 2 (version 1.3) platform, which puts it several years ahead of Microsoft’s Java 1.1-based browser extension. The open-source Mozilla browser announced its support for the Java plug-in back in 1998! It’s a much better model to ship Java as a plug-in than to cram it into every browser shipped.

I looked through my full set of bookmarks and could only find one site that uses Java in the browser without requiring the Java plug-in. The site? Microsoft’s own MSN Gaming Zone, with its popular Java game, Bejeweled. I guess the company decided its own site could get by even if users need to download Java separately.

Marc Hedlund

Related link: http://www.audiogalaxy.com/

Now that Napster has transformed from a technology company into a law firm, many users have started looking around for other companies with technology similar to Napster’s. One company that has started to attract attention is Audiogalaxy, a Texas-based company, which was featured in the Wall St. Journal on Monday, July 16th.

In trying out the Audiogalaxy system, I was impressed with the number of music files I could find in its databases. I was much less impressed, though, with the security choices made by the company’s engineers. Here is the note I sent them reporting my concerns:


To: help@audiogalaxy.com
Subject: AudioGalaxy sending cleartext password in URL

To the maintainers of AudioGalaxy,

I started up your AudioGalaxy Satellite peer-to-peer filesharing client tonight and noticed that when I pressed the ‘Go’ button in its main screen, my browser went to the following URL:

<http://www.audiogalaxy.com/satellitelogin?loginUsername=USER&loginPassword=PASS>

[I have removed my username and password from the URL above.]

It is problematic to send a password over the Internet in plaintext in this manner. Worse, your authentication method enters the username and password into the user’s browser history records, where it then can be discovered by anyone else using the same computer.

Many users choose the same password for most or all Web site accounts they create. While this is not a good practice, it means that sending a cleartext password and storing a password in the browser’s history create the potential for a user to have many accounts compromised — not just the account on your service.

I notice that you use PHP extensively on your site. PHP has built-in support for MD5 hashes — see <http://www.php.net/manual/en/function.md5.php>. Hashing the password when the user chooses it on your site, storing the hash in your database, and having the Satellite send the password hashed for login would be at least some improvement over your current practice. (This would also protect the user’s password if your database machine were ever compromised.) Please consider making this change, or preferably an even more rigorous one, in a future release of your software.

Obviously you don’t want a lecture from a user, but the peer-to-peer architecture of your program, shifting significant functionality out of the browser and into a custom client with filesystem access, increases my concern about security in your software. You are not restricted by the security restraints built into Web browsers, and you need to take greater responsibility for your code’s actions as a result. Your password handling choices do not leave me with much confidence in your ability to meet this responsibility, so regretfully I have uninstalled your Satellite program from my machine and will not use it in the future.
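As an added illustration (not part of the original post, and not Audiogalaxy’s code), the Python below does two things. First, it scans constructed access-log lines for password parameters in GET query strings, which is exactly how a credential in a URL like the one above ends up in server logs, proxy logs and browser history. Second, it shows the server-side half of the fix: storing a salted, iterated hash (PBKDF2-HMAC-SHA256 here) and checking it in constant time. One caveat on the letter’s MD5 suggestion: an unsalted MD5 of a typical password can be recovered by brute force, and a hash the client sends in place of the password simply becomes the password, so the hash belongs on the server, computed from a password carried in a POST body over TLS. The log lines, hosts, users, passwords and parameter names are all constructed.

```python
"""Added example, not Audiogalaxy's code: spotting passwords leaked in GET
query strings, and storing/verifying passwords with a salted, iterated hash."""
import hashlib
import hmac
import os
import re
from urllib.parse import parse_qs, urlsplit

# Constructed access-log lines (Common Log Format); hosts, users and
# passwords are made up for the example.
SAMPLE_LOG = """\
10.0.0.5 - - [18/Jul/2001:22:14:03 -0700] "GET /satellitelogin?loginUsername=alice&loginPassword=hunter2 HTTP/1.0" 200 512
10.0.0.7 - - [18/Jul/2001:22:14:09 -0700] "GET /search?q=beatles HTTP/1.0" 200 9031
10.0.0.9 - - [18/Jul/2001:22:15:41 -0700] "POST /login HTTP/1.0" 302 0
"""

# Query-string parameter names that should never carry a secret in a URL.
SENSITIVE_PARAMS = {"loginpassword", "password", "passwd", "pwd", "pass"}

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def find_credential_leaks(log_text):
    """Return (line number, path, [offending parameter names]) for every
    request whose query string carries a password-like parameter."""
    leaks = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        match = REQUEST_RE.search(line)
        if not match:
            continue
        parts = urlsplit(match.group("target"))
        params = parse_qs(parts.query, keep_blank_values=True)
        hits = [name for name in params if name.lower() in SENSITIVE_PARAMS]
        if hits:
            leaks.append((lineno, parts.path, hits))
    return leaks


def hash_password(password, salt=None, iterations=200_000):
    """Derive a salted PBKDF2-HMAC-SHA256 hash; the returned string carries
    everything verify_password() needs except the password itself."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password, stored):
    """Recompute the hash from the stored salt and iteration count and compare
    in constant time, so a mismatch does not leak timing information."""
    algorithm, iterations, salt_hex, digest_hex = stored.split("$")
    if algorithm != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


if __name__ == "__main__":
    for lineno, path, names in find_credential_leaks(SAMPLE_LOG):
        print(f"line {lineno}: {path} carries {', '.join(names)} in the query string")
    record = hash_password("hunter2")
    print("stored record:", record)
    print("correct password accepted:", verify_password("hunter2", record))
    print("wrong password rejected:", not verify_password("hunter3", record))
```

The log scan is the kind of check worth running over a site’s own access logs, since a credential that reaches the server in a query string has already been written to disk on every hop that logged the request. The stored record embeds the algorithm name, iteration count and salt so that the cost can be raised later without breaking existing accounts.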


Security is a serious topic for peer-to-peer developers. P2P systems have the potential to poke holes straight through many of the security systems users have adopted while connecting to the Internet in recent years. While Audiogalaxy’s slip-up is not directly related to the ‘peer’ parts of its system, it nonetheless reveals a lax attitude about security that could easily carry over into its peer client programming. P2P security will be featured in its own track at the O’Reilly Peer-to-Peer and Web Services Conference in Washington, D.C., this September 18-21.

Related link: http://www.itnetworkms.com/j302/articles/101275.htm

“C# is seen by many as Microsoft’s answer to Java. But will Microsoft’s efforts to promote the language beyond its own community of friends succeed?” Find the answer in this edition of Computer Weekly’s Analyst Briefings.

What do you think? Does C# really have legs, when you consider possibilities like Halcyon Software’s Java.NET, etc.?

Marc Hedlund

Related link: http://developer.sharpsec.com/

Sharp recently announced a new PDA, currently just called the “Sharp PDA,” to be released sometime around September/October. The device, pictured at the developer Web site <http://developer.sharpsec.com/>, has a killer feature listing:

  • An operating system based on Linux and Java;
  • A 240×320 color screen;
  • Both CompactFlash and SecureDigital expansion slots (just like the HandEra 330);
  • A USB connector at the base;
  • An IR port;
  • Lithium ion rechargeable battery power;
  • 32MB built-in memory;
  • A built-in “thumb” keyboard, similar to that on the RIM BlackBerry, but with a retracting slide cover; and
  • A built-in headset jack.

Sharp indeed!

More details on the device, culled from various news reports, can be found at LinuxDevices.com. The pictures make it look a little hefty, but weighed against the feature list, it is surprisingly compact.

The first thousand people to register at Sharp’s developer program site will get the device for $399. It appears you can download a Java SDK and begin developing applications for the device now.

As I recently wrote elsewhere on oreillynet.com, the PDA market needs some fresh ideas. I am very skeptical about Java’s ability to perform on a handheld, given the extremely slow performance and limited featureset of Sun’s J2ME on PalmOS. Java has many virtues, but I don’t think it is necessarily right for today’s PDA processors. Nonetheless, I’m very encouraged by the hardware/OS profile Sharp has targeted. With the other Linux PDAs hitting the market, it looks like Linux may join PalmOS and PocketPC as a serious contender for the hearts and hands of geeks everywhere.

Marc Hedlund

Related link: http://searchwindowsmanageability.techtarget.com/qna/0,289202,sid33_gci558164,00…

Platform Computing of Toronto has long been the leader in “traditional” distributed computing software products — that is, software to build clusters of dedicated servers (usually UNIX machines) for high-performance computing. Since 1992, they have developed and sold their industry-leading product LSF (“Load Sharing Facility”) to companies with large-scale computational problems. While they have remained relatively low profile, their product has an excellent reputation in a wide range of industries, including life sciences, aerospace, automotive, financial services, and entertainment.

When a new wave of distributed computing startups (including my last company, Popular Power) emerged using the SETI@home model of harvesting idle time from desktop computers, Platform protested that they had been doing P2P all along. Apparently they’ve decided to take things a step further, and have released a product, LSF ActiveCluster, aimed specifically at the desktop computing resources scattered around corporations.

One interesting note in the interview is that Platform has decided to use SOAP as a communication protocol for their P2P systems — pushing this as “.NET integration.” I have to wonder if they will go beyond SOAP to use some of .NET’s more platform-specific features, such as Passport or Hailstorm.

Platform’s P2P product targets Windows-based desktops exclusively, but their product line as a whole provides strong support for UNIX systems currently used as clusters. It will be interesting to see how the startup P2P distributed computing players, such as Entropia and DataSynapse, fare against this well-established and well-known player.

The Distributed Computation track at O’Reilly’s Peer-to-Peer Conference, coming up this September 18-21, 2001 in Washington, D.C., will feature many of the distributed computing companies discussing their product offerings — and perhaps defending against this new entry from Platform.

Marc Hedlund

Yesterday I installed the .NET SDK on my home machine. I had been playing around with User-Agent strings, the text a Web browser uses to identify itself to a Web server, for another project. Before installing .NET, my MSIE 5.5 User-Agent string was:

Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0)

After installing .NET, I noticed that the User-Agent string had changed to:

Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0; .NET CLR 1.0.2914)

This is nothing new, in that many companies have used User-Agent as the dumping ground for all sorts of nonsense for years. (In the example above, the string ‘Mozilla’ is a remnant of a time five years ago when some Web sites would show high-design content only to Netscape browsers — which used Mozilla as a User-Agent string — as these browsers supported non-standard HTML other browsers did not. Microsoft adopted the tag to avoid exclusion, and, well, it stuck.) It is interesting that the .NET CLR is advertised as though it were an operating system itself, which of course in a way it is.

So, are you interested in seeing how many of your site’s visitors have installed .NET? Now you can know for sure! With a little JavaScript, you could even compare Java Plugin installs (which are installed with the Java SDK and Runtime) versus .NET installs and see market penetration for the two competing technologies.
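As an added example (not code from the post), the Python below does the tally the post suggests on the server side: it pulls “.NET CLR” tokens out of User-Agent strings and counts how many visitors advertise a runtime and which versions. The User-Agent strings are constructed to follow the form quoted above. Two points for whoever reads the numbers: the string is entirely client-supplied, so the count measures what browsers claim rather than what is installed; and the same token tells every web server a visitor touches exactly which runtime version sits on that machine, which is worth remembering when deciding what a client should advertise about itself.

```python
"""Added example, not from the original post: counting which visitors'
browsers advertise a .NET CLR in their User-Agent string."""
import re
from collections import Counter

# Constructed User-Agent strings standing in for a day's log; the .NET
# tokens follow the "; .NET CLR x.y.zzzz" form quoted in the post.
SAMPLE_USER_AGENTS = [
    "Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0)",
    "Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0; .NET CLR 1.0.2914)",
    "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 1.0.2914; .NET CLR 1.1.4322)",
    "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:0.9.2) Gecko/20010726 Netscape6/6.1",
]

CLR_TOKEN = re.compile(r"\.NET CLR (\d+(?:\.\d+)+)")


def comment_tokens(user_agent):
    """Split the first parenthesised comment of a User-Agent into its
    semicolon-separated tokens, e.g. ['compatible', 'MSIE 5.5', ...]."""
    match = re.search(r"\(([^)]*)\)", user_agent)
    if not match:
        return []
    return [token.strip() for token in match.group(1).split(";") if token.strip()]


def clr_versions(user_agent):
    """Every .NET CLR version the browser advertises (a machine with several
    runtimes installed lists one token per runtime)."""
    return [m.group(1) for m in CLR_TOKEN.finditer(user_agent)]


def tally_clr(user_agents):
    """Summarise a collection of User-Agent strings: how many advertise any
    CLR at all, and how often each version appears."""
    versions = Counter()
    with_clr = 0
    for ua in user_agents:
        found = clr_versions(ua)
        if found:
            with_clr += 1
            versions.update(found)
    return {"total": len(user_agents), "with_clr": with_clr, "versions": versions}


if __name__ == "__main__":
    summary = tally_clr(SAMPLE_USER_AGENTS)
    print(f"{summary['with_clr']} of {summary['total']} visitors advertise a .NET CLR")
    for version, count in sorted(summary["versions"].items()):
        print(f"  .NET CLR {version}: {count}")
```

Feeding the function real data is a matter of extracting the User-Agent field from each access-log line; the tokenizer is kept separate from the CLR match so the same split can be reused for the other runtime and OS tokens in the comment.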

Related link: http://www.zdnet.com/enterprise/stories/main/0,10228,2783293,00.html

“Microsoft intended to deceive Java developers.” Within the following eWeek analysis of the US Court of Appeals decision on June 28 in the Microsoft antitrust case, “Java developers will find their darkest suspicions vindicated.”

Does this confirm your suspicions? What are your thoughts?
