WikiLeaks: Intel threatened to move Russian jobs to India

December 4, 2010

Dec 03, 2010 08:11 pm | IDG News Service
The Moscow Embassy describes how Intel bypassed Russia’s tough crypto import regulations
by Robert McMillan

Intel engaged in high-level talks with Russian officials and ultimately said it would pull research and development work from the country unless it could get around Russia’s tough encryption import laws, according to a U.S. Department of State cable published by WikiLeaks.

The Nov. 3, 2009, Moscow Embassy cable describes the intensive lobbying efforts required to get cryptographically secure hardware into the country for use by Intel’s 1,000 Russian engineers.

“Intel was able to by-pass the cumbersome licensing process by engaging in high-level lobbying and capitalizing on Russia’s desire to become a ‘knowledge-based’ economy,” the cable reads.

Some countries put a limit on, or even ban, devices entering the country that can store encrypted data, such as laptops and mobile phones. That can make it hard for technology companies with employees working abroad to lock down their intellectual property.

According to the State Department cable, the issue was a deal-breaker for Intel, which told Russian officials that unless it could quickly import encrypted development kit hardware, it would have to lay off more than 200 engineers and move R&D work to India or China.

“This high-level lobbying secured Intel a meeting with key FSB (Federal Security Service) officials,” the cable states. “Intel was able to demonstrate the reasonableness of its request and, as a result, by-passed the current extensive licensing requirement.”

The waiver may have been good news for Intel, but because the underlying regulations remained in place it did not “appear to represent a breakthrough in the importation of commercial products with cryptographic content,” the cable states.

Former Intel Chairman and CEO Craig Barrett met with Russian Federation President Dmitry Medvedev to discuss “this and other issues,” said Intel spokesman Chuck Mulloy in an e-mail. “We didn’t threaten anyone,” he said. “We lobbied and negotiated with the Russian government on behalf of ourselves and OEMs and distributors to make it easier. This is all routine stuff when it comes to dealing with governments around the world.”

Both the FSB — Russia’s state police service — and the Ministry of Economic Development and Trade must sign off on encryption import licenses — a six-month process that involves laboratory analysis. Russia agreed to streamline the process in 2006 but had not done much to fix the problem, the cable states.

Robert McMillan covers computer security and general technology breaking news for The IDG News Service. Follow Robert on Twitter at @bobmcmillan. Robert’s e-mail address is

Thank you

Best Regards,

Nilay Sangani


10 Things to know about Facebook’s messaging system

November 16, 2010

TOI Tech

Facebook’s much-speculated messaging service is here. CEO Mark Zuckerberg has termed the new system a “convergent” modern messaging system that “handles messages seamlessly across all the ways you want to communicate” in a single inbox.

Though, as widely speculated, the messaging system is not an email killer, it certainly heats up Facebook’s growing rivalry with Google and puts pressure on other email services from Yahoo, Microsoft and AOL.

Here we bring you a ready reckoner on Facebook’s new messaging system: what exactly it is, how it will work, privacy issues and much more.

Facebook’s new messaging feature allows users to send and receive instant text messages in addition to standard email and Facebook notes. Facebook is giving all users an “” e-mail address.

How will it work?

The new messaging system will allow users to send messages to their friends that will appear as mobile-phone text messages, e-mails or instant messages, based on the preferences they set for each friend.

To send a message to a friend, a user would click on the friend’s name rather than hunt for a phone number or an email address. If that friend prefers to get text messages, that’s how the message will be seen. If the friend prefers email, the message will arrive in email form.

The new system does away with the “subject” line. Instead, all the messages between two people will be threaded together into one long-running conversation.

How will Facebook organise messages?

Messages from a person’s most frequently contacted acquaintances will be routed automatically into a main inbox. Lower-priority messages will be placed in a separate folder labeled “Other.”

Facebook will supposedly use what it knows of a user’s relationships to build a social inbox that filters out the messages it deems less important: messages from strangers or overly chatty friends, and impersonal messages.

How can I get an email address?

If you’re on Facebook and you want one, then yes, you’ll be able to get one. However, it may take a few months for Facebook to roll out the service for all its users.

In case you want it fast, you can also leave a request on Facebook’s site.

Supports Microsoft Office?

Users will also be able to view Microsoft Word, Excel and PowerPoint documents as attachments to their messages, without having to download or pay for the software. Licensed users can create and send such documents as attachments.

Users can also send photos, videos or documents with their messages.

Who can send you messages?

As Facebook explains on its website, by default anyone on Facebook can send you a message, and if you set up a Facebook email address, anyone outside of Facebook can send you email.

According to Facebook, if a message comes from an email address that it can’t confirm as belonging to one of your friends, it will block the message. However, for this you need to select the “Friends Only” setting.

If an email appears to be from someone you know but Facebook is unable to confirm the sender’s address, you will still receive the message, but it will include a warning.

How will people find my Facebook email address?

If you choose to set up your email address, by default your Facebook email address does not appear as part of your contact information on your profile. However you can easily adjust your messages privacy setting to share your email address with friends.

However, remember that your Facebook email address is the same as your public username.

If my username is public, will my Facebook email address too be public?

Yes. If your Facebook URL is, your email address would be Since your Facebook username is publicly viewable this means that anyone who can see your public username (for example in a search) will be able to figure out your Facebook email address.

Security firm Sophos suggests that users choose the “Friends Only” setting to ensure that only their Facebook friends can message them.

Is the new system spam and malware proof?

No. According to Sophos, the new features do increase the attack surface of the Facebook platform, and make the accounts of users all the more alluring for cybercriminals to break into.

Facebook accounts will now be linked with many more people in your social circle – opening up new opportunities for identity fraudsters to launch attacks. Furthermore, because Facebook will be storing a complete archive of all of your communications with one person – there will be concerns as to how such data could be misused if it

Is this just an email?

As widely anticipated, the new messaging system is not an email killer. As Facebook CEO Mark Zuckerberg told reporters, “This is not an email killer. This is a messaging system that includes email as one part of it.”

The new messaging system is more like sending a text or an instant message. Also, Facebook will store the complete history of all of your communications with one person in one place (unless you choose to delete it).


Penetration tests: 10 tips for a successful program

November 15, 2010

Pen tests need to accomplish business goals, not just check for random holes. Here’s how to get the most value for your efforts.

By Neil Roiter

November 15, 2010 — CSO

Why are you performing penetration tests? Whether you’re using an internal team, outside experts or a combination of the two, are you simply satisfying regulatory or audit requirements, or do you actually expect to improve enterprise security?

We asked penetration testing experts for guidance on how to improve your program to get the most benefit for your time, money and effort. If you turn to outside expertise, their advice will show you what to expect and demand from consultants. The following 10 tips will help you understand the goal and focus of your testing; develop effective testing strategies; make effective use of your personnel; and make the most effective use of pen test results to remediate issues, improve processes and continuously improve your enterprise security posture.

Tip 1: Define Your Goals

Penetration testing—really, all information security activity—is about protecting the business. You are taking on the role of attacker to find the vulnerabilities and exploiting them to determine the risks to the business and making recommendations to improve security based on your findings. Attackers are trying to steal your data—their techniques are a means to an end. So too, penetration testing: It’s not about the cool technical things you can do to exploit a vulnerability; it’s about discovering where the business risk is greatest.


“If you can’t express things in terms of my business, you’re not providing me value,” said Ed Skoudis, founder and senior security consultant at InGuardians. “Don’t tell me you’ve exploited a vulnerability and gotten shell on that box without telling me what that means for my business.”

With that understanding, from a more tactical perspective, penetration testing is a good way to determine how well your security policies, controls and technologies are actually working. Your company is investing a lot of money in products, patching systems, securing endpoints etc. As a pen tester, you are mimicking an attacker, trying to bypass or neutralize security controls.

“You’re trying to give the company a good assessment if their money is being well spent,” said Alberto Solino, founder and director of security consulting services of Core Security.

The goal should not be to simply get a check box for pen testing to meet compliance requirements, such as PCI DSS. Pen tests should be aimed at more than discovering vulnerabilities (vulnerability scanning should be part of a pen testing program but is not a substitute). Unless the testing is part of a sustained program for discovering, exploiting and correcting security weaknesses, your money and effort will have gained you at best that check mark, and at worst, a failed audit by a sharp assessor.


Tip 2: Follow the data

Organizations have limited budget and limited resources for pen testing, regardless of whether you are conducting internal tests, hiring outside consultants or using a combination of both. You can’t conduct penetration tests across your entire IT infrastructure, spanning hundreds or thousands of devices, yet pen testers will often be told to try to compromise devices across an extensive range of IP addresses. The result is likely to be the most cursory of testing regimens, yielding little or no value. You can’t even expect to conduct vulnerability scans and remediate flaws across a very large number of devices in a reasonable amount of time and at reasonable cost.


“In many cases customers have thousands of IP addresses they want us to pen test,” said Omar Khawaja, Global Products Manager, Verizon Security Solutions. “We could run vulnerability tests and see what’s most vulnerable, but they may not be the most important to your organization.”

Step back and ask, “What am I trying to protect?” What critical data is at risk: credit card data, patient information, personally identifiable customer information, business plans, intellectual property? Where does the information reside? Do you even know every database, every file repository and every log store that contains sensitive data? You may not know, but chances are an attacker will find it.

So, the first critical step in narrowing the scope of pen testing is data discovery: determining which sensitive data is at risk and where it is. Then the task is to play the role of attacker and figure out how to get at the prize. (Read Red team versus blue team for more ideas on this approach.)

“The idea is to mimic what a real attacker will do during the time frame agreed to with the customer,” said Core Security’s Solino, “not to find all the possible problems.”


Tip 3: Talk to the Business Owners

Work with the business people. They know what is at risk—what data is critical, what applications create and interface with that data. They will know at least the more obvious places in which the data resides. They will tell you which applications must be kept up and running.

You’ll learn much of what you need to know about the threat level associated with particular applications, the value of the data and the assets that are important in the risk equation.

An important part of this process is to work with people who understand the business logic of the application. Knowing what the application is supposed to do and how it’s supposed to work will help you find its weaknesses and exploit them.

“Define the scope that includes critical information assets and business transaction processing,” said InGuardians’ Skoudis. “Brainstorm with the pen test team and management together.”

Skoudis also suggests asking for management to give their worst case scenario, “what’s the worst thing that could happen if someone hacks you?” The exercise helps scope the project by determining where “the real crown jewels” are.


Tip 4: Test Against the Risk

The value of the data/applications should determine the type of testing to be conducted. For low-risk assets, periodic vulnerability scanning is a cost-effective use of resources. Medium risk might call for a combination of vulnerability scans and manual vulnerability investigation. For high-risk assets, conduct exploitative penetration testing.


For example, the security director for a large university said they started performing pen testing to meet PCI DSS requirements. Once that program was in place, it became the model for testing a potential attacker’s ability to penetrate their systems. The university classifies data as public, internal, sensitive and highly sensitive.

“For information that’s highly sensitive, we perform pen testing under much the same guidelines as PCI,” he said. “We back off from there, based on some specific criteria and some subjective judgment that goes into what level of pen testing, if any, will be done for a system.”

So, for example, on the lower end of the risk spectrum the university will test a random sample of systems and/or applications, depending on criteria for a particular category and time and budget constraints. With tens of thousands of devices on a campus network, even a low-level scan of all of them would be infeasible.

“You can test on a business system that has a clear owner and systems administrator,” he said. “But when you have 3,000 Wiis attached to the network, you don’t want to scan those and figure out who they belong to.”


Tip 5: Develop attacker profiles

Your pen testers need to think like and act like real attackers. But attackers don’t fit into one neat category. Build profiles of potential attackers.


External attackers may have little or no knowledge of your company, perhaps just some IP addresses. Others may be former employees, or may work for partners or service providers, and have considerable knowledge of the inside of your network. An insider may be a systems administrator or DBA with privileged access and authorization who knows where critical data resides.

Motive is a factor in developing profiles. Is the attacker after credit card numbers and PII that can be turned into cash? Intellectual property to sell to a competitor or gain a business advantage? The attacker may be politically/ideologically or competitively motivated to bring your Web application down. He may be an angry ex-employee who wants to “get back at the company.”

Work with business owners to help fashion these profiles and learn what types of potential attackers they are most concerned about.

Each profile narrows the focus of the pen testing, and the tests will vary from one profile to the next.

“We get a snapshot of what a particular attacker can do against a target, and we don’t mix results,” said Core Security’s Solino. “For every profile, we get the result of the pen test and do another profile.”


Tip 6: The More Intelligence the Better

Information gathering is as much a part of the process as the actual exploit—identify devices, operating systems, applications, databases, etc. The more you know about a target and its connected systems, the better chance you have of breaking in.

Each step may yield valuable information that will allow you to attack another asset that will eventually get you into the target database, file share etc. The information will allow you to narrow the search for exploitable vulnerabilities. This reconnaissance is typically performed using automated scanning and mapping tools, but you can also use social engineering methods, such as posing as a help desk person or a contractor on the phone, to gather valuable information.

“We’re increasingly starting to do social engineering,” said Verizon’s Khawaja. “It’s essentially reconnaissance—performed with the permission of the customer—to let us find everything in the environment that could assist us in breaking in.”

Multi-stage penetration testing typically is a repeated cycle of reconnaissance, vulnerability assessment and exploitation, each step giving you the information to penetrate deeper into the network.


Tip 7: Consider All Attack Vectors

Attackers can and will exploit different aspects of your IT infrastructure, individually or, frequently, in combination to get the data they are seeking.


Thorough pen tests will leverage any and all of these potential attack vectors, driven by the attacker’s end goal rather than by the vulnerabilities of each vector taken in isolation.

“A few years ago we would do network penetration testing, and application pen testing and wireless pen testing, and then we stepped back and said ‘that makes absolutely no sense,’” said Solino. “The bad guy doesn’t say, ‘I can only break into a system using the network.’”

Successful pen tests, like real attacks, may leverage any number of paths, each made up of a number of steps, until you hit pay dirt. A print server may not seem particularly interesting, but it may use the same admin login credentials as a database containing credit card information.

“Pen testers find flaws and exploit them, then pivot from that machine to another machine, to yet another,” said InGuardians’ Skoudis.

An attack on a Web application might fail in terms of exploitation, but yield information that helps exploit other assets on the network. Or an attacker might get information about employees who lack high privileges but have access to the internal network, and use them as a springboard.

So, a critical resource may not be directly assailable, but can be compromised through other systems.

For example, said Khawaja, Verizon pen testers were unable to directly compromise a Web server that had access to a sensitive database. If the testers focused narrowly on testing the Web application on that server, the conclusion would be that the data was safe. But by taking a data-centric approach, they discovered that the Web server was connected to a second Web server, which had a critical vulnerability that an attacker could exploit to gain access to the first Web server and, hence, the database. (Read more about Web application attacks in How to evaluate and use Web application security scanners.)

“We care about anything that isn’t cordoned off from the network segment we are targeting,” he said. “Are there any network controls to prevent an attacker from jumping from a vulnerable low-value system to a more critical system?”

That being said, there are valid cases for vector-specific testing. For example, a company may be particularly concerned about wireless security because it knows it has been somewhat lax in this area, or because it has recently installed or upgraded WLAN infrastructure. But even if you are confident that a particular vector is safe—for example, if the wireless network is isolated from the credit card database—don’t be too sure. Attack paths can be complex and byzantine.
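The attack-path reasoning in this tip (a critical asset that cannot be hit directly but falls through a chain of less interesting systems) can be made concrete with a small graph model. The Python below is an added example written for this page; it is not code from the article or from Verizon or Core Security. The hosts, hops and weaknesses are a constructed sample modelled on the Verizon anecdote above, and the function names (`attack_paths`, `break_hop`, `explain`) are hypothetical. It enumerates every route from an attacker’s starting point to the database that uses only hops with a known exploitable weakness, then shows how removing the weakness on a single hop (the “break the path” remediation Solino describes) cuts the route.

```python
"""Attack-path enumeration over a small network model (constructed example)."""
from typing import Dict, List, Optional, Tuple

Edge = Tuple[str, str]  # (source host, destination host)

# Constructed sample modelled on the anecdote in the text: the attacker starts
# on the internet; web1 is hardened but talks to the database; web2 is
# vulnerable and shares admin credentials with web1.
# Value: a short description of how the hop is exploitable, or None when the
# network path exists but no exploitable weakness is known on that hop.
SAMPLE_EDGES: Dict[Edge, Optional[str]] = {
    ("internet", "web1"): None,                         # web app resisted testing
    ("internet", "web2"): "critical vuln in web app",   # hypothetical finding
    ("web2", "web1"): "reused admin credentials",       # hypothetical finding
    ("web1", "db"): "app service account has full DB rights",
    ("web2", "db"): None,                               # firewall blocks this hop
}


def attack_paths(edges: Dict[Edge, Optional[str]], start: str, target: str,
                 max_depth: int = 8) -> List[List[str]]:
    """Return all simple paths from start to target that use only exploitable hops.

    A hop is usable only when the edge carries a weakness description; a hop
    with None is reachable on the network but gives the attacker no way in,
    so it is ignored. Depth is capped to keep the search bounded on big models.
    """
    paths: List[List[str]] = []
    stack = [(start, [start])]
    while stack:
        node, path = stack.pop()
        if node == target:
            paths.append(path)
            continue
        if len(path) > max_depth:
            continue
        for (src, dst), weakness in edges.items():
            if src == node and weakness is not None and dst not in path:
                stack.append((dst, path + [dst]))
    return sorted(paths)  # deterministic order for reporting and testing


def break_hop(edges: Dict[Edge, Optional[str]], hop: Edge) -> Dict[Edge, Optional[str]]:
    """Model a remediation (credential rotation, segmentation) that removes
    the weakness on one hop; the network connection itself may still exist."""
    fixed = dict(edges)
    if hop in fixed:
        fixed[hop] = None
    return fixed


def explain(edges: Dict[Edge, Optional[str]], path: List[str]) -> List[str]:
    """Render a path as one line per hop, naming the weakness used."""
    return [f"{a} -> {b}: {edges[(a, b)]}" for a, b in zip(path, path[1:])]


if __name__ == "__main__":
    for p in attack_paths(SAMPLE_EDGES, "internet", "db"):
        print("\n".join(explain(SAMPLE_EDGES, p)))
    remediated = break_hop(SAMPLE_EDGES, ("web2", "web1"))
    print("paths after fixing web2 -> web1:", attack_paths(remediated, "internet", "db"))
```

With the sample data the hardened first web server yields no direct path, exactly as in the anecdote; the only route runs through the vulnerable second server and the shared credentials. Rotating those credentials (or blocking web2 from reaching web1) empties the path list, which is the kind of verifiable, path-breaking fix the reporting tip below asks for.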


Tip 8: Define the Rules of Engagement

Pen testing simulates attack behavior, but it is not an attack. Whether you are conducting in-house testing or contracting with a consultant, you need to establish parameters that define what can and cannot be done, and when, and who needs to know.

The latter depends on whether you are conducting white box or black box testing. In the former case, there’s probably an acknowledgement that the security program of the company (or a particular department or business unit) needs a lot of work, and the pen testing is an open process known to all involved.

On the other hand, black box testing is more clandestine, conducted more like a real attack—strictly on a need to know basis. You are determining how good the company’s people are at their jobs and the effectiveness of the processes and systems supporting them.

“Whether it’s the operations center, or the investigative response team or physical security guards, everyone has to pretend it’s just another day at the office,” said Verizon’s Khawaja.

Typically, companies will perform white box testing first to learn the security issues that have to be addressed. Subsequently, black box testing will help determine if the initial findings have been effectively remediated. Sometimes, for example, a CSO will want to know not only how vulnerable critical systems are, but how good their personnel are at detecting and responding to an attack.

In either case, certain key people need to be involved to avoid problems that might impact the business or undermine the testing. At least one person in the target environment who is involved in the change control process should be in the loop, said InGuardians’ Skoudis. Under the rules of engagement, for example, the company may permit the pen testers to install software on the target devices to do more in-depth pivoting, but at least that one person has to be involved to make sure that the testers are not stopped by dropping their IP address from a router ACL or invoking a firewall rule.

In both white box and black box scenarios, Skoudis recommends daily briefings with the test stakeholders to let them know what the testers are doing. For example, the rules of engagement may allow the pen testers to exploit vulnerabilities, but the briefing can be used to give folks a heads up that they are about to do it.

“It builds bridges,” he said. “It shows the pen testers are not a distant, evil group that is out to ‘catch me.’ Rather, it’s all about transparency and openness.”

The rules of engagement also may set limits on what may and may not be exploited, such as client machines, or techniques that may or may not be used, such as social engineering.


Tip 9: Report Findings and Measure Progress

The goal of penetration testing is to improve your security posture, so if you are conducting internal tests, your report should provide useful, actionable and specific information.

“The goal is to help improve security, for management to make decisions to improve business and help the operations team improve security,” said InGuardians’ Skoudis.

You should provide an executive summary, but the heart of your reporting should include detailed descriptions of the vulnerabilities you found, how you exploited them and what assets would be at risk if a real attack took place. Detail every step used to penetrate, each vulnerability that had to be exploited, and, most important, perhaps, all the attack paths.

“The beauty of identifying the attack path is that it allows you to solve specific problems by breaking the path,” said Core Security’s Solino.

Be very specific about recommendations. If architectural changes are required, include diagrams. Explain how to verify that a fix is in place (use this command, or that tool to measure). In cases where multiple systems are involved, explain how to mass deploy a fix, using GPOs if possible.

Make sure that each recommended remediation includes a caveat that the solution should be thoroughly tested before it is implemented in a production environment. Enterprise IT infrastructure may be very complex.

“This is a huge issue,” said Skoudis. “You don’t know all the subtleties. You don’t want to break production.”

Penetration testing should not be a one-time exercise, and successive results should be compared. If you are performing internal testing, put together deltas to measure how your people are addressing issues. If the problems from the last test—or the last two—remain unaddressed, you may have a problem. Perhaps the software patching program isn’t working as it should, or developers are not being properly trained to write secure code.

“What we’re looking for are trends,” said the university security director. “It’s just like you would treat an audit report. If you have repeat findings, it indicates you might have a more serious problem.”
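One way to produce the deltas and repeat-finding trends this tip calls for, as an added Python example that is not from the article or from any of the firms quoted in it: findings are keyed on asset plus normalised title, consecutive reports are compared to classify each finding as fixed, new or repeat, and any finding that has survived a configurable number of consecutive reports is flagged for escalation. The three quarterly reports, the asset names and the finding titles are a constructed sample, and the helper names are hypothetical.

```python
"""Delta and repeat-finding analysis across successive pen-test reports (constructed example)."""
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Tuple

Key = Tuple[str, str]  # (asset, normalised finding title)


@dataclass(frozen=True)
class Finding:
    asset: str      # host or application the finding applies to
    title: str      # finding title as written in the report
    severity: str   # "high" | "medium" | "low"

    def key(self) -> Key:
        # Normalise the title so wording drift between reports does not hide a repeat.
        return (self.asset, " ".join(self.title.lower().split()))


# Constructed sample: three successive quarterly reports, oldest first.
REPORTS: List[List[Finding]] = [
    [Finding("web1", "Outdated TLS configuration", "medium"),
     Finding("db1", "Default admin password", "high"),
     Finding("print1", "Admin password shared with db1", "high")],
    [Finding("web1", "Outdated TLS configuration", "medium"),
     Finding("print1", "Admin password shared with db1", "high"),
     Finding("web2", "SQL injection in search form", "high")],
    [Finding("web1", "Outdated  TLS configuration", "medium"),   # extra space: still a repeat
     Finding("web2", "SQL injection in search form", "high")],
]


def delta(previous: List[Finding], current: List[Finding]) -> Dict[str, List[Key]]:
    """Classify findings between two consecutive reports."""
    prev = {f.key() for f in previous}
    cur = {f.key() for f in current}
    return {
        "fixed": sorted(prev - cur),
        "new": sorted(cur - prev),
        "repeat": sorted(prev & cur),
    }


def repeat_counts(reports: List[List[Finding]]) -> Dict[Key, int]:
    """For each finding in the latest report, the number of consecutive reports
    (ending with the latest) in which it has appeared."""
    counts: Dict[Key, int] = {}
    for f in reports[-1]:
        n = 0
        for report in reversed(reports):
            if f.key() in {g.key() for g in report}:
                n += 1
            else:
                break  # streak broken; earlier appearances do not count
        counts[f.key()] = n
    return counts


def persistent_findings(reports: List[List[Finding]], min_reports: int = 2) -> List[Key]:
    """Findings that have survived at least min_reports consecutive tests:
    the 'repeat findings' the university director treats as a systemic signal."""
    return sorted(k for k, n in repeat_counts(reports).items() if n >= min_reports)


def remediation_rate(previous: List[Finding], current: List[Finding]) -> float:
    """Fraction of last report's findings closed by the current one."""
    d = delta(previous, current)
    total = len(d["fixed"]) + len(d["repeat"])
    return len(d["fixed"]) / total if total else 1.0


def severity_summary(report: List[Finding]) -> Dict[str, int]:
    """Open findings by severity, for the executive summary."""
    return dict(Counter(f.severity for f in report))


if __name__ == "__main__":
    for older, newer in zip(REPORTS, REPORTS[1:]):
        print(delta(older, newer), f"remediated {remediation_rate(older, newer):.0%}")
    print("persistent across 3 tests:", persistent_findings(REPORTS, min_reports=3))
```

In the sample, the TLS finding on web1 survives all three tests and is the one worth escalating (the patching or change process is not closing it), while the remediation rate between the last two reports shows only one of three carried-over findings was closed.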


Tip 10: Decide Who Your Pen Testers Are

The decision to use in-house staff for pen-testing depends on the size of your organization, the value of the information you are trying to protect and where you want to put your internal resources. A company may have a dedicated pen testing team or a group within the security team. An internal team is in a better position to conduct regular testing. If your organization is large and distributed, create mechanisms and promote an environment in which information can be shared.

“If you have an internal community that can share information, make sure they have a strong knowledge base backed up by mature knowledge management systems,” said Verizon’s Khawaja. “You want to make sure that what happened in your Belgian unit doesn’t happen in Brazil.”

Even if you do some in-house testing, there are good reasons for hiring consultants to perform at least some of the work. Some regulations require external companies to perform pen tests; consider that insiders may have too much information about the target systems, as well as a vested interest in the outcome. So, beyond compliance requirements, it’s a good idea to bring a fresh view from the outside periodically.

For the same reasons, if you do hire outside testing consultants, rotate among vendors every few years, just as you would with auditors.

“Bringing in outside people gives an added degree of confidence in the results,” said the university security director. “There’s no perception of conflict of interest.”

For your internal team, look for the right blend of knowledge and curiosity.

A good training candidate, said Core’s Solino, has a strong knowledge of networking and application protocols as a foundation. Mostly, he looks for curiosity and a hacker mentality.

“It’s IT knowledge and that attitude, a specific mindset that denies something is secure and says, ‘Go for it!'”

“This is an art,” said Skoudis. “Although there are tools and methodologies, you have to be creative in finding problems in target systems and applications.”


Bill O’Reilly hacker gets 30 months

November 9, 2010

A 23-year-old Bellevue, Ohio, man has been sentenced to 30 months in prison following a 2007 online crime spree in which he used a network of hacked computers to attack and knock offline websites belonging to conservative pundits Bill O’Reilly and Ann Coulter.

By Robert McMillan

November 08, 2010 — IDG News Service —

Mitchell Frost must also pay US$40,000 in restitution to O’Reilly and $10,000 to the University of Akron, where he was enrolled at the time of the hacking. He had pleaded guilty to the charges in May.

Frost was a first-year student at the university at the time of the attacks. He used the school’s computer network to control a botnet he’d built up between August 2006 and March 2007, and launched denial of service (DOS) attacks against Rudy Giuliani’s website, and He attacked the Bill O’Reilly site five times, ultimately forcing it offline.

The University of Akron was disrupted too, when Frost knocked its network offline for eight-and-a-half hours while trying to DOS-attack a gaming server hosted by the university. That happened on March 14, 2007. Frost’s dorm room was raided two weeks later. He wasn’t charged, however, until May of this year.

Prosecutors asked the court for a tough sentence after Frost lied to his probation officer about an online business he’d set up following his arrest. In a letter to the court, Frost said he set up the website earlier this year after quitting his job as a Stanley Steemer carpet cleaning technician. JWH is a form of synthetic cannabis that is legal for sale in some U.S. states, including Ohio.

Frost said he was selling the product as a bonsai plant fertilizer and never meant for it to be consumed by humans. He said that he lied to his probation officer in a moment of panic.

“I thought that if they see I am making this money through my online business [and] if I were to go away to prison they would want it all as a penalty,” he wrote in his letter.

Frost was sentenced Thursday by Judge Lesley Wells of the Northern District of Ohio. He must serve three years’ probation after his 30-month sentence.

Copyright 2010 IDG News Service, International Data Group Inc. All rights reserved.


President Obama: offshoring fears are outdated, unwarranted

November 7, 2010

Nov 06, 2010 11:16 am | IDG News Service
The president also made a pitch for larger exports from the country to India
by John Ribeiro

The perception that Indian call centers and back office operations cost U.S. jobs is an old stereotype that ignores today’s reality that two-way trade between the U.S. and India is helping create jobs and raise the standard of living in both countries, U.S. President Barack Obama told a gathering of business executives in Mumbai on Saturday.

President Obama’s remarks come after some moves in the U.S. that had Indian outsourcers worried that the U.S. may get protectionist in the wake of job losses in the country. The state of Ohio, for example, banned earlier this year the expenditure of public funds for offshore purposes.

U.S. exports to India have quadrupled in recent years, and currently support tens of thousands of manufacturing jobs in the U.S., he said in a speech that was also streamed live. In addition, there are jobs supported by exports to India of agriculture products, travel and education services.

Indian investment in the U.S. also runs into billions of dollars, and supports jobs in the country, he said.

President Obama, who is in India on a three-day visit, said that more than 20 deals worth about US$10 billion were announced on the first day of his visit. The deals, in a variety of areas including aircraft, turbines, and mining equipment, could potentially create over 50,000 jobs in the U.S., he added.

President Obama said his objective was to create jobs in the U.S., and to rebuild the country’s economy, but it would not be at the expense of the creation of jobs in other countries. The U.S. will instead discover, create and build products that are sold all over the world, he said.

President Obama’s speech is a recognition that jobs cannot be created by protectionism but by a growth in trade, said Som Mittal, president of the National Association of Software and Services Companies (Nasscom). The message for India’s outsourcing industry in the speech was very positive, he added.

India’s top outsourcers like Tata Consultancy Services and Infosys Technologies, have posted strong revenue and profit growth in the quarter ended Sept. 30, and are adding staff by the thousands.

Besides the Ohio decision, the Indian outsourcing industry was hit earlier this year by a $600 million measure for increased surveillance of the U.S.-Mexican border to prevent illegal immigration. The funds for the bill, which was signed into law by President Obama, are to be raised from an increase in visa fees paid by tech workers brought into the country by companies with more than 50 staff, and in which more than 50 percent of the staff are on these visas.

Indian outsourcers, which send a large number of staff to customer sites in the U.S., were saddled as a result with an increase in visa costs. But they were more alarmed by the threat of increased protectionism from the U.S.

President Obama’s own remarks earlier this year fueled this fear. While proposing to reform the U.S. tax system for companies earning profits abroad, he alarmed Indian outsourcers in May last year when he made a reference to jobs getting created by U.S. companies in Bangalore, the hub of India’s outsourcing industry. The tax code is broken as it’s a tax code “that says you should pay lower taxes if you create a job in Bangalore, India, than if you create one in Buffalo, New York”, the president said.

President Obama this week, however, made it clear that trade between India and the U.S. should not be a one-way street. Less than 10 percent of India’s imports of goods are from the U.S., and only 2 percent of U.S. exports of goods are to India. There is still untapped potential for trade between the two countries, he said.

Some of the trade would be in technologies that were adapted by U.S. companies for Indian markets, such as mobile telephony towers that run on solar power, he said.

The president also said the U.S. would reform controls on the export of high technology to India. Some of these controls on dual-use technologies, which can be used for both civilian and military purposes, were imposed by the U.S. on certain government labs and organizations after India exploded a nuclear device.

John Ribeiro covers outsourcing and general technology breaking news from India for The IDG News Service. Follow John on Twitter at @Johnribeiro. John’s e-mail address is


5 Reasons why Apple postponed white iPhone

October 30, 2010

Apple-philes waiting breathlessly for the white iPhone 4 will need to hang on even longer before they, well, wait in line outside their nearest Apple store to get their hands on one.

The company announced it’s delaying the release of the white model again, this time until next spring. It’s the third such delay since the latest version of the popular smartphone was released in June.

1) Problems with color-matching

Could it be that Apple is having trouble getting its whites just right? British gadget blog Pocket-lint cites one source as saying the company is having a tough time matching the white color on the handset’s different parts.

“Apple is having trouble getting its two suppliers in the Far East to match the white used in the manufacturing of the parts. The white home button color doesn’t match the white front face plate color, it turns out,” the blog states. This explanation would be the most ironic, considering Apple’s long history of producing white products.

2) Problems with the camera’s picture quality

Earlier in the year, The reported that a source close to the manufacturing process claimed Apple was having problems with the phone’s backlight seeping out at the edges and through the back of the phone. A related explanation being bandied about is that the white glass allows too much light back into the phone, causing the device’s built-in camera to produce washed-out pictures.

“The white iPhone 4 can’t take accurate photographs. The handset’s semi-translucent glass case leaks light in, ruining pictures taken with the internal camera, especially when the built-in flash is used,” a source with connections to Apple told the Cult of Mac blog.

3) Hold-ups at Apple’s overseas suppliers

According to AppleInsider, a newspaper report out of China this past summer revealed that Apple’s overseas manufacturers were having trouble hitting the “right balance of paint thickness and opacity, in order to ensure the panel allows enough space for the digitizer overlay, but also gives the level of white that Apple expects the product to have.”

4) Antenna-gate redux

Or perhaps a more likely explanation is already well-known: the iPhone 4’s antenna problems. Upon its release in June, iPhone 4 users quickly began reporting that network signal strength dropped drastically when they held the device. Apple said it wasn’t aware of the problem prior to the launch, but that didn’t stop the company’s CEO Steve Jobs from handing out free cases to owners to help alleviate the problem.

It’s now known that Apple manufacturers were instructed to make an internal insulation fix to solve the defect. As Scott Moritz at The writes, presumably Apple would need to halt production temporarily to implement a fix, which could push back the release date.

5) Demand is too high

Another possibility is that Apple underestimated just how high the demand for the white handsets would be. That’s one theory that was posited back in June when the first delay was announced.

However, one would expect the company to have gotten its manufacturing house in order by now. According to one report, the company’s overseas glass supplier was only able to make 3 iPhone 4 glass panels per hour, a rate it was suggested could only meet half of Apple’s demand for the device.

10 Most expensive domains

October 27, 2010

Ever wondered which are the most expensive Web domains ever sold?

These are domains for which companies have paid millions for ownership. Little surprisingly, the list mirrors what attracts the most traffic on the World Wide Web.

Read on to know the WWW’s priciest domains.

The world’s priciest domain is little surprise: an offshore holding company recently bought for $13 million.

Clover Holdings Limited, based on the Caribbean island of St. Vincent, made the top offer for the Internet domain name that Escom LLC is being forced to sell due to bankruptcy, according to court documents.

Attorneys representing Escom are asking a California bankruptcy court to approve Clover as the winning bidder and clear the way for the deal to be consummated and domain-name trading platform Sedo to get its commissions.

The world’s “most valuable” Internet domain name went up for grabs in July of this year after US-based Escom filed for bankruptcy. Escom is reported to have bought the domain name for between $12 million and $14 million in 2006.

2) Another domain that got big bucks is The domain was reportedly bought for $9.99 million in 2008.
3) In May 2007 the Web domain was sold for $9.5 million in cash. In an announcement, domain name registrar and reseller said that was bought by Detroit-based MXN Ltd, an Internet media and investment business. MXN is affiliated with, an adult movie download site, and, an adult Web site promotion company.
4) was purchased for $7.5 million in 1999. According to the Telegraph, “Business search engine and web directory founded in 1999 by Jake Winebaum, a previous chairman of the Walt Disney Internet Group, and Sky Dayton, founder of Earthlink. In July 2007, the company was sold to Yellow Pages publisher RH Donnelly for $345 million.”
5) purchased ‘’ for a reported $7.5 million in 2006 from Odimo Inc. is an online diamond and jewelry retailer.
6) was sold for $7 million in 2004. William Fisher, a Web developer from Colorado, was the first owner of the domain in 1993. He sold it to a generic domain name developer in 1999 for only $80,000, retaining a 20% stake in the domain name.

Later, one of the world’s largest beer companies, Belgium-based Interbrew, bought this domain name for $7.5 million.

7) The domain was bought by Jewish American Joel Noel Friedman in 1994. Friedman is believed to have bought the site because he feared it could be misused by someone else. The site gave general tourist information about Israel and its heritage.

In 2008, he sold the site for $5.88 million. The identity of the new owner was not revealed.

8) The domain was sold in 2003 for a price of $5.5 million.
9) In 2009, retailer Toys ‘R Us purchased for $5.1 million. ToysRUs beat National A-1 in a hotly contested auction. The auction was held after the recent meltdown of The Parent Company, which filed for bankruptcy in the US in December 2008.

10) Russian billionaire Roustam Tariko paid $3 million to acquire the domain.

Tariko’s Russian Standard Co conglomerate bought the domain primarily to increase its presence in the US market. Russian Standard Co controls a large part of the sales of premium vodka in Russia and owns Russian Standard Bank.’s price tag is among the highest ever revealed for a generic Web domain.


Global ERP Rollouts: Management Secrets

October 26, 2010
Oct 26, 2010 02:46 pm |
by CIO Executive Council
Your ERP rollout is global. But as you work with offices around the world, remember that all ERP is local, say IT leaders who’ve been there. Consider this expert advice from IT leaders on the CIO Executive Council:

Jeri Dunn, Bacardi

Consider the Whole Office your Change Network

A big challenge with smaller offices is the limited number of people you have to work with to effect change. During our recent Asia-Pacific implementations, we deployed ERP in sites as small as Singapore and Taiwan. Offices this small don’t have a person solely dedicated to change management, so my team makes it a priority to identify early in the implementation process who the change champions are going to be. We look beyond our ERP guru and system integrators, since project success depends on an entire network of change agents. In some cases, your champion may not even be in favor of the deployment at first. For those who are most against the project, we get them in the room with us rather than have them remain outside throwing stones at us. The reality is that change management during ERP is the hard stuff–you can’t skimp on managing it.

We consider the entire office part of the larger change network. They all need to be immersed in the project from the beginning so they feel an ownership stake in the outcome. From day one of the ERP implementation, we meet with the local office staff, describing in detail how their life is going to change. We involve them in the blueprinting sessions and integration testing, and then work to identify super-users for the full training sessions.

Clif Triplett, Baker Hughes

Avoid Distrust through Local Governance

It’s critical to oversee business stakeholder buy-in at the local level. Upon entering a smaller region, an important step for the team led by my director of business development services, Robert Harbert, is to create a governance structure to avoid local conflict and distrust. The governance group consists of local and regional management from operations and finance, the IT project leader, other relevant local stakeholders, and IT leadership from the central deployment services group. Determining the appropriate amount of ongoing dialogue with stakeholders in these smaller regions has been a challenge. To address this issue, we now hold a combination of regular meetings and teleconferences with different audiences–the local user groups, key stakeholders, implementation team and management chain. This may appear to be excessive, but it’s advantageous for maintaining focus on the goal.


Facebook sues Faceporn, claiming trademark infringement

October 23, 2010
Oct 22, 2010 08:03 pm | IDG News Service
The porn site is down for a redesign following the lawsuit
by Robert McMillan

Facebook has sued, claiming the porn site essentially copied Facebook to build an X-rated social network.

Until recently, Faceporn billed itself as “the number one socializing porn and sex network,” offering a range of pornographic content. However, according to its Twitter account, the site has been down since Wednesday. It now says it’s offline for a redesign. “We’re currently working to launch a completely new version of the site, and it will be the best porn site the world has ever seen,” Faceporn says on its front page.

The lawsuit was filed on Oct. 15 in the U.S. District Court for the Northern District of California.

Facebook has gone to court before to prevent social-networking sites from using elements that it considers to be Facebook’s property, including the words “book” and “face.” In August, the company sued a startup called TeachBook, claiming that its use of the word “book” violated Facebook’s trademark. Teachbook doesn’t look much like Facebook, but it does give teachers a way to network online.

Critics have said that Facebook is reaching too far, essentially claiming ownership of common English words.

According to Facebook’s court filings, however, Faceporn “blatantly copied the Facebook logo, site and Wall trademark.” Screen shots filed with the lawsuit show some Facebook-like elements, including Wall postings and a similar blue-and-white color scheme. Instead of poking, Faceporn users can apparently “send a flirt,” according to the screen shots.

Neither Faceporn nor its operator, Thomas Pedersen, could be reached for comment on this story.

“We don’t believe Faceporn should be able to trade on our name and dilute and tarnish our brand while doing so,” Facebook spokesman Simon Axten said Friday via e-mail. “Where there is brand tarnishment, dilution, or confusion as there is with Faceporn and Facebook, we must enforce our rights to protect the integrity of our trademark.”

Robert McMillan covers computer security and general technology breaking news for The IDG News Service. Follow Robert on Twitter at @bobmcmillan. Robert’s e-mail address is

Apple dumps Flash from Mac OS X

October 23, 2010

Oct 22, 2010 08:08 pm | Computerworld

New Macs come without Adobe’s Flash, leaving users to install security updates themselves

Apple will stop bundling Adobe’s Flash with Mac OS X, the company confirmed Friday.

The new MacBook Air, which debuted earlier in the week, is the first Flash-less system from Apple. Other systems will follow suit as the company clears out inventory of Mac desktops and notebooks that include Flash.

Mac users will still be able to install Flash themselves, and Apple has done nothing to block Flash from running.

“We’re happy to continue to support Flash on the Mac, and the best way for users to always have the most up to date and secure version is to download it directly from Adobe,” Apple spokesman Bill Evans said in reply to questions on Friday.

The move also puts an end to Apple supplying Flash security updates to Mac OS X users as part of the operating system’s patch process. Instead, users will have to know about, locate, download and install those fixes themselves.

That’s not smart, said Andrew Storms, director of security operations at nCircle Security.

“What Apple is doing is separating themselves from the security community,” said Storms, who didn’t cotton to Apple’s decision. “Users, who are likely running an outdated version, typically don’t even know when Adobe issues patches.”

“I just don’t see the upside of this. Apple’s not helping out,” Storms said.

In the absence of Apple patching Flash, Adobe said Mac users were on their own for now. “Adobe recommends that users download the most up to date version of Adobe Flash Player from,” a spokeswoman said.

She urged Mac users to regularly monitor Adobe’s security blog, which posts news of impending and available Flash updates, or subscribe to its RSS feed to stay atop fixes.

Adobe plans to produce an auto-update notification feature in a future release of Flash Player for the Mac, but declined to set a release date. The feature would be similar to what’s now offered to Windows users.

People running Mozilla’s Firefox or Google’s Chrome will have an edge during the interim.

Firefox, for example, includes a plug-in checker that detects out-of-date add-ons, including Flash Player, and provides a link to Adobe’s download site. Chrome, meanwhile, automatically upgrades Flash Player in the background.

While Evans made no mention of Apple’s anti-Flash stance, Storms saw the decision as another example of the rocky relationship between Apple and Adobe over the technology.

“Apple’s trying to separate themselves even further from Flash,” Storms said. “Microsoft doesn’t update Flash either, but they seem more interested in working with vendors than Apple. Adobe is a good example.”

Microsoft and Adobe collaborate on security, Storms argued, pointing to the latter’s July announcement to join the Microsoft Active Protections Program (MAPP), which gives select security companies early warning on upcoming patches.

Adobe has also adopted a version of Microsoft’s Software Development Lifecycle (SDL), a program designed to bake security awareness into products, and picked Microsoft developers’ brains to create the “sandbox” technology, slated to show up in Reader next month.

Storms, who in the past has criticized Apple for patching Flash months after the same fixes were available for Windows, wondered why the company singled out Adobe’s software.

“If they’re going to say they’re doing it so that users have the most up-to-date versions, then they should stop issuing patches for every other third-party application in Mac OS X,” Storms said.

Apple and Adobe have been at loggerheads over Flash ever since the former refused to allow the popular technology on its iPhone. The dispute has been heated this year, as the two companies traded blows over Flash content on Apple’s iOS mobile operating system, with CEO Steve Jobs trashing Flash in an April public missive and the co-chairs of Adobe’s board of directors accusing Apple of undermining the Web in mid-May.

Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer or subscribe to Gregg’s RSS feed. His e-mail address is
