Oracle/Sun: Why European Union jurisdiction matters

A mild war of words is breaking out between American and European regulators on the proposed merger between Oracle and Sun. But American officials are not contesting Europe's jurisdiction over the matter and previous cases show that European regulators have broad powers over American companies that do business in Europe. U.S. government officials have expressed displeasure with the European Commission's objection to Oracle's planned acquisition of Sun.

The European Commission issued a fine of more than $1 billion to Intel this year after finding the company guilty of antitrust violations. In 2001, for example, Europe prevented a merger between General Electric and Honeywell even after American regulators had given the deal a green light. "If the annual turnover of the combined businesses exceeds specified thresholds in terms of global and European sales, the proposed merger must be notified to the European Commission, which must examine it," European officials explain on their official competition Web site. "These rules apply to all mergers no matter where in the world the merging companies have their registered office, headquarters, activities or production facilities. In rare cases, Europe has also blocked mergers between American companies. This is so because even mergers between companies based outside the European Union may affect markets in the EU if the companies do business in the EU." In its merger regulation, the EU stipulates that it has control over mergers in which the combined worldwide revenue of the companies involved exceeds $7.5 billion, and more than $374 million within Europe. Sun earned $11.4 billion in worldwide revenue in fiscal 2009, and $3.8 billion in Europe. In fiscal 2009, Oracle alone pulled in more than $23 billion in worldwide revenue and nearly $8 billion in the Europe, Middle East & Africa (EMEA) region.

When Oracle first announced its deal to purchase Sun in April, the merger was valued at $7.4 billion. European officials objected to "the combination of Sun's open source MySQL database product with Oracle's enterprise database products and its potential negative effects on competition in the market for database products," Sun said in a filing with the U.S. Securities and Exchange Commission. Although U.S. officials gave Oracle and Sun the green light, the European Commission issued a formal statement of objections this week, a decision that could scuttle the acquisition. U.S. officials issued a mild criticism of their European counterparts. "Several factors led the [U.S. Antitrust] Division to conclude that the proposed transaction is unlikely to be anticompetitive," Deputy Assistant Attorney General Molly Boast of the Department of Justice's Antitrust Division said in a written statement. "There are many open-source and proprietary database competitors. The Department also concluded that there is a large community of developers and users of Sun's open source database with significant expertise in maintaining and improving the software, and who could support a derivative version of it." The U.S. comments were described as "unusual" by a European official. The Division concluded, based on the specific facts at issue in the transaction, that consumer harm is unlikely because customers would continue to have choices from a variety of well established and widely accepted database products.

According to the Reuters wire service, a European Commission spokesman named Jonathan Todd said, "That's unusual. We apply European merger control rules, they apply U.S. merger control rules," Todd said. "I cannot recall any instance where the European Commission has ever issued a statement concerning ongoing investigations in another jurisdiction." Todd further noted that the United States and Europe have different methods of judging whether a deal is anticompetitive. "We have our methods, they have theirs." The GE/Honeywell failure was the last time U.S. and European authorities have issued different decisions on a merger, according to the Reuters article. The Antitrust Division will continue to work constructively with the EC and competition authorities in other jurisdictions to preserve sound antitrust enforcement policies that benefit consumers around the world." In her statement, Boast said the United States will continue to work with Europe on competition policy. "The Department and the European Commission have a strong and positive relationship on competition policy matters," Boast said. "The two competition authorities have enjoyed close and cooperative relations.

Apple Changes App Store Review Process

Apple may be feeling the Android heat. Many see the move as yet another step by Apple to keep app store developers from defecting to competing mobile platforms, namely Android. The company has changed the way it deals with iPhone app developers, letting them now keep closer tabs on how their software is proceeding through Apple's strict App Store review process.

As first reported in Wired this week, a software developer can now see precisely when an app is "Ready for Review," "In Review," and "Ready for Sale." Before that, developers only got vague status bulletins from Apple giving the "average wait time" around finding out whether or not Apple has okayed an app. Meanwhile, many mobile developers have started to expand their mobile platform horizons by creating apps not just for iPhones but myriad other phone environments, including Android, RIM, Palm's Pre, and Microsoft's Windows Mobile. Software developers began complaining loudly about Apple's review policies late last year, after Apple offered a hodgepodge of reasons for banning apps ranging from the Murderdrome comic book to the "Pull My Finger" fart joke app and Alex Sokirynsky's "Podcaster" app. To help pacify developers, Apple recently added a new in-app feature that lets users of free iPhone apps upgrade to expanded capabilities from directly inside the apps, so that a visit to the App Store is no longer needed. At the same time, fewer complaints have been emerging lately about applications getting arbitrarily rejected from the App Store. The iPhone still has a lot more applications for its users than any other mobile platform, with more than 100,000 applications available in Apple's App Store in comparison to "10,000-plus" on Google's Android Market, for instance.

But Apple's top-down App Store policies again spurred confusion in late October, when Apple suddenly restored a 3G TV app formerly banned from its online store. Apple's move to improve communications should go a long way toward keeping developers in the iPhone fold, even though developers really still have no way of knowing in advance whether or not their software will make it into the App Store.

MySpace adds music features in bid to reinvent itself

As part of its attempt to reinvent itself, MySpace unveiled a slew of new music products, including a massive collection of music videos, at the Web 2.0 Summit in San Francisco. But Van Natta strove to keep the packed session on the topic of new music services being dished up on the site. MySpace CEO Owen Van Natta took the main stage Wednesday to talk about the lagging social network's business strategy and its position behind rival Facebook.

Separately, reports circulated Wednesday that Google was also planning a music service. The company announced MySpace Music Videos, which is set up to be one of the biggest collections of online videos. And to give users better access to the video library, MySpace also unveiled a new Video Search Tab. Van Natta explained that they worked with the company's music label partners to gather fully licensed music videos. The tab is designed to help users search for videos, songs and artist profiles. The dashboard is designed to provide bands and singers with MySpace profile analytics on who is listening to their music and how they're interacting with it. "We think MySpace has the opportunity to be the next generation digital distributor of content," said Van Natta, who was an early executive at Facebook before leaving to join MySpace. "MySpace is positioned uniquely to be the place where the socialization of content occurs." MySpace has been slipping in popularity as rival Facebook moved to the top of the social networking pile.

MySpace's roster of new music products also includes an Artist Dashboard. Last December, Facebook drew almost twice as many worldwide visitors as MySpace. At the beginning of Van Natta's presentation, the moderator polled the audience about what social networking site they used. In June, Facebook surpassed MySpace in the U.S., which had been MySpace's stronghold. A smattering of hands went up to show people who used MySpace. Later in his presentation, the MySpace CEO said he's optimistic about the company's ability to get back on its feet. "We believe that we have all of the building blocks and we need to focus on execution," he said. "If we do a great job at executing and building a great user experience... then we will realize this vision to be the place where you discover a huge amount of content through other people.

When asked who used Facebook, a sea of hands shot up, along with a ripple of laughter from the audience. "Thanks for framing that up for me," Van Natta said. If that is happening in music or other areas, like games, TV and films, it'll be easy to recognize success because you'll just know this is where a huge amount of that socialization is happening."

New Banking Trojan Horses Gain Polish

Criminals today can hijack active online banking sessions, and new Trojan horses can fake the account balance to prevent victims from seeing that they're being defrauded. To stop those attacks, financial services developed authentication methods such as device ID, geolocation, and challenging questions. Traditionally, such malware stole usernames and passwords for specific banks; but the criminal had to access the compromised account manually to withdraw funds.

Unfortunately, criminals facing those obstacles have gotten smarter, too.

Greater Sophistication

Banking attacks today are much stealthier and occur in real time. One Trojan horse, URLzone, is so advanced that security vendor Finjan sees it as a next-generation program. Unlike keyloggers, which merely record your keystrokes, URLzone lets crooks log in, supply the required authentication, and hijack the session by spoofing the bank pages. According to Finjan, a sophisticated URLzone process lets criminals preset the percentage to take from a victim's bank account; that way, the activity won't trip a financial institution's built-in fraud alerts. The assaults are known as man-in-the-middle attacks because the victim and the attacker access the account at the same time, and a victim may not even notice anything out of the ordinary with their account.

Last August, Finjan documented a URLzone-based theft of $17,500 per day over 22 days from several German bank account holders, many of whom had no idea it was happening. Criminals using bank Trojan horses typically grab the money and transfer it from a victim's account to various "mules," people who take a cut for themselves and transfer the rest of the money overseas, often in the form of goods shipped to foreign addresses. But URLzone goes a step further than most bank botnets or Trojan horses, the RSA antifraud team says. URLzone also seems to detect when it is being watched: When the researchers at RSA tried to document how URLzone works, the malware transferred money to fake mules (often legitimate parties), thus thwarting the investigation. When victims visited the crooks' fake banking site, Silentbanker installed malware on their PCs without triggering any alarm.

Silentbanker and Zeus

Silentbanker, which appeared three years ago, was one of the first malware programs to employ a phishing site.

Silentbanker also took screenshots of bank accounts, redirected users from legitimate sites, and altered HTML pages. According to security vendor SecureWorks, Zeus often focuses on a specific bank. Zeus (also known as Prg Banking Trojan and Zbot) is a banking botnet that targets commercial banking accounts. It was one of the first banking Trojan horses to defeat authentication processes by waiting until after a victim had logged in to an account successfully. Zeus uses traditional e-mail phishing methods to infect PCs whether or not the person enters banking credentials. It then impersonates the bank and unobtrusively injects a request for a Social Security number or other personal information.

One recent Zeus-related attack posed as e-mail from the IRS. Unlike previous banking Trojan horses, however, the Zeus infection is very hard to detect because each victim receives a slightly different version of it. According to Joe Stewart, director of malware research for SecureWorks, Clampi captures username and password information for about 4500 financial sites.

Clampi

Clampi, a bank botnet similar to Zeus, lay dormant for years but recently became quite active. It relays this information to its command and control servers; criminals can use the data immediately to steal funds or purchase goods, or save it for later use. Clampi defeats user authentication by waiting for the victim to log in to a bank account.

The Washington Post has collected stories from several victims of the Clampi botnet. It then displays a screen stating that the bank server is temporarily down for maintenance.

Defending Your Data

Since most of these malware infections occur when victims respond to a phishing e-mail or surf to a compromised site, SecureWorks' Stewart recommends confining your banking activities to one dedicated machine that you use only to check your balances or pay bills. When the victim moves on, the crooks surreptitiously hijack the still-active bank session and transfer money out of the account. Alternatively, you can use a free OS, such as Ubuntu Linux, that boots from a CD or a thumb drive.

Most banking Trojan horses run on Windows, so temporarily using a non-Windows OS defeats them, as does banking via mobile phone. Before doing any online banking, boot Ubuntu and use the included Firefox browser to access your bank site. The key step, however, is to keep your antivirus software current; most security programs will detect the new banking Trojan horses. Older antivirus signature files can be slow to defend PCs against the latest attacks, but the 2010 editions have cloud-based signature protection to nullify threats instantly.

Seagate Goes Solid State with Pulsar Drive

Seagate tosses its hat into the solid state drive (SSD) market today with the unveiling of its Pulsar drive, a unit aimed at enterprise-level blade and server applications. With the Pulsar drive, Seagate lays claim to being "the first enterprise HDD vendor to deliver an enterprise-class SSD solution." The Pulsar drive is built with single-layer-cell (SLC) technology, which Seagate says enhances the reliability and durability of the SSD. Solid state drives offer much faster data access speeds than the rotating media in conventional hard disk drives (HDDs) since there are no moving parts. The new drive stores up to 200GB of data in a 2.5-inch form factor with a SATA interface. According to Seagate, the Pulsar drive achieves a peak performance of 30,000 read IOPS (input/output operations per second) and 25,000 write IOPS, which is a measure of how a drive processes small, random blocks of information.

The drive comes with a five-year warranty and has an annualized failure rate (AFR) of 0.44 percent, according to Seagate. "Seagate is optimistic about the enterprise SSD opportunity and views the product category as enabling expansion of the overall storage market for both SSDs and HDDs," said Dave Mosley, Seagate's executive vice president for sales, marketing, and product line management in a press release. The drive is rated at up to 240 megabytes per second for sequential reads and 200 mbps for sequential writes; a measure of how it accesses large chunks of contiguous data. Solid state drives built with single layer cell technology can offer faster read/write speeds than those built with multiple layer cell technology (MLC), but MLC drives can offer more storage. The Pulsar drive, which was made available to select OEM (original equipment manufacturer) customers in September, is now available to all OEMs.

IPv6: Not a Security Panacea

With only 10% of reserved IPv4 blocks remaining, the time to migrate to IPv6 will soon be upon us, yet the majority of stakeholders have yet to grasp the true security implications of this next generation protocol. While IPv6 provides enhancements like encryption, it was never designed to natively replace security at the IP layer. Many simply have deemed it an IP security savior without due consideration for its shortcomings. The old notion that anything encrypted is secure doesn't stand much ground in today's Internet, considering the pace and sophistication with which encryption is cracked.

Unfortunately, IPsec, the IPv6 encryption standard, is viewed as the answer for all things encryption. For example, at the last Black Hat conference hacker Moxie Marlinspike revealed vulnerabilities that break SSL encryption and allow one to intercept traffic with a null-termination certificate. But it should be noted that: IPsec "support" is mandatory in IPv6; usage is optional (reference RFC4301). There is a tremendous lack of IPsec traffic in the current IPv4 space due to scalability, interoperability, and transport issues. Many organizations believe that not deploying IPv6 shields them from IPv6 security vulnerabilities. This will carry into the IPv6 space and the adoption of IPsec will be minimal. IPsec's ability to support multiple encryption algorithms greatly enhances the complexity of deploying it, a fact that is often overlooked.

This is far from the truth and a major misconception. For starters, most new operating systems are being shipped with IPv6 enabled by default (a simple TCP/IP configuration check should reveal this). IPv4 based security appliances and network monitoring tools are not able to inspect nor block IPv6 based traffic. The likelihood that rogue IPv6 traffic is running on your network (from the desktop to the core) is increasingly high. The ability to tunnel IPv6 traffic over an IPv4 network using brokers without natively migrating to IPv6 is a great feature. Which begs the question, why are so many users routing data across unknown and non-trusted IPv6 tunnel brokers?

However, this same feature allows hackers to set up rogue IPv6 tunnels on non-IPv6 aware networks and carry malicious attacks at will. IPv6 tunneling should never be used for any sensitive traffic. By enabling the tunneling feature on the client (e.g. 6to4 on Mac, Teredo on Windows), you are exposing your network to open, non-authenticated, unencrypted, non-registered and remote worldwide IPv6 gateways. Whether it's patient data that traverses a healthcare WAN or Government connectivity to an IPv6 internet, tunneling should be avoided at all costs. The rate at which users are experimenting with this feature and consequently exposing their networks to malicious gateways is alarming.

The advanced network discovery feature of IPv6 allows Network Administrators to select the paths they can use to route packets. Is your security-conscious head spinning yet? In theory, this is a great enhancement; however, from a Security perspective it becomes a problem. So where are the vendors that are supposed to protect us against these types of security flaws? In the event that a local IPv6 Network is compromised, this feature will allow the attacker to trace and reach remote networks with little to no effort. The answer is, not very far along.

Since there are no urgent mandates to migrate to IPv6, most are developing interoperability and compliance at the industry's pace. Like most of the industry, the vendors are still playing catch-up. So the question becomes: will the delay in IPv6 adoption give the hacker community a major advantage over industry? As we gradually migrate to IPv6, the lack of interoperability and support at the application and appliance levels will expose loopholes. Absolutely! This will create a chaotic and reactive circle of patching, on-the-go updates and application revamp to combat attacks.

There is more to IPv6 than just larger IP blocks. Regardless of your expertise in IPv4, treat your migration to IPv6 with the utmost sensitivity. The learning curve for IPv6 is extensive. Many of the fundamental network principles like routing, DNS, QoS, Multicast and IP addressing will have to be revisited. People can't be patched as easily as Windows applications, thus staff training should start very early.

Reliance on given IPv4 security features like spam control and DoS (denial of service) protection will be minimal in the IPv6 space as the Internet 'learns' and 'adjusts' to the newly allocated IP structure. Jaghori is the Chief Network & Security Architect at L-3 Communications EITS. He is a Cisco Internetwork Expert, Adjunct Professor and industry SME in IPv6, Ethical Hacking, Cloud Security and Linux. It's essential that your network security posture is of the utmost priority in the migration to IPv6. Stakeholders should take into account the many security challenges associated with IPv6 before deeming it a cure-all security solution. Jaghori is presently authoring an IPv6 textbook and actively involved with next generation initiatives at the IEEE, IETF, and NIST. Contact him at ciscoworkz@gmail.com.

New gadgets, prototypes to debut next week in Japan

Japan's biggest electronics and gadgets show, Ceatec, runs all of next week and many new technologies and prototype gadgets are expected to be on show. Originally developed by Toshiba, IBM and Sony for use in the PlayStation 3 games console, the Cell is expected to bring functions like real-time upscaling and processing of recorded videos. The first big news is expected on Monday afternoon when Toshiba unveils its first commercial LCD TV that includes the Cell multimedia processor, after showing a prototype of the television last year.

Panasonic will also focus on TV technology and show a 50-inch plasma TV that can display images in 3D. At the IFA electronics show in September the company said it planned to launch such a set next year, so Ceatec will provide more insight into what consumers can expect. The camera is aimed at content producers, not consumers, but the technology could eventually scale down into more compact cameras. Sony is also pushing 3D and will use Ceatec to show a new video camera that can record 3D images through a single lens. In the cell phone arena, NTT DoCoMo is planning to show a cell phone with a wooden rather than plastic case. The phone uses surplus cypress wood from trees culled during thinning operations to maintain healthy forests.

The prototype phone was made in conjunction with Olympus, which has developed a method for wooden casing, and Sharp. DoCoMo and its partners are also expected to show their progress in developing a cell-phone platform for future LTE (Long Term Evolution) wireless services. Meanwhile Fujitsu will show a new cell phone with a built-in golf-swing analyzer. The company is working with Panasonic, NEC and Fujitsu on development of a phone that can download data at up to 100M bps and upload at half that speed. The phone's sensors feed motion data to a 3D sensing program that analyzes the swing and then provides advice.

One of the hits from last year's Ceatec, Murata's unicycling robot, is due to make an appearance and show off a new trick. Each swing can also be compared against past swings. The latest version of the robot is capable of cycling at about 3 times the speed of last year's model. Specifically, the company plans to show off a technology that allows several cars to automatically follow a lead car. Nissan will also be at Ceatec showing off some of its latest research into advanced automotive IT systems.

The futuristic system, which will be demonstrated in robot cars, could one day be used to allow cars to automatically move along roads in "trains" of vehicles with little input from the driver. The exhibition, which is now in its tenth year, attracted just under 200,000 visitors last year. Ceatec runs at Makuhari Messe in Chiba, just outside of Tokyo, from Tuesday until Saturday.