If a research and development tax credit is allowed to expire at the end of the year, 120,000 U.S. jobs could be put at risk, according to a group of companies supporting an extension. The coalition on Wednesday called for Congress to make the tax credit permanent and to increase the credit paid to some companies. A lapse in the tax credit could also put at risk US$16 billion in R&D and related economic activity, the R&D Credit Coalition said. The R&D tax credit, which gives eligible companies a tax credit of 14 percent to 20 percent of R&D spending, has been temporarily extended multiple times since it was first approved by Congress in 1981. The tax credit "has been a driver of jobs and a boost for the U.S. economy," said Karen Myers, vice president of global government relations for CA. Coalition members are concerned that Congress will adjourn this year without extending the tax credit, putting U.S. companies' R&D plans in flux, she said.

Some groups, including tax reform advocates Citizens for Tax Justice, have called the R&D tax credit "corporate welfare." But members of the coalition said the tax credit has huge economic benefits for the U.S., and President Barack Obama, who has called for the credit to be made permanent, has said it returns $2 to the U.S. economy for every dollar spent. "We're talking about 120,000 jobs - if anything, this is citizen welfare ... or employee welfare," said Bartlett Cleland, senior director of policy for TechAmerica, a tech trade group aligned with the R&D Credit Coalition. "These are not 120,000 sweep-the-floor jobs. These are highly compensated, well-educated U.S. employees." Lawmakers have been reluctant to make the tax credit permanent partly because of its cost - about $7 billion a year. The U.S. had the highest R&D incentives when the tax credit was first passed in 1981, but now 16 other nations have more generous incentives, they said. "When you see the other incentives that countries are offering, it's becoming a more challenging hurdle to keep R&D in the United States," said Marie Lee, director of finance and tax policy for TechAmerica. "Particularly when we see the credit lapse, that does [affect] the decisions companies make." Extending the credit - without increasing it to 20 percent across the board, as the coalition wants - would cost about $68 billion over 10 years, according to congressional estimates. There's a growing pressure on U.S. companies to take R&D work overseas, coalition members said. Asked about budget concerns in Congress, Myers said many lawmakers continue to be concerned about jobs and unemployment in the U.S. "Lawmakers are very sensitive to cost in this environment," she said. "However, the fact that the credit is very closely aligned with jobs, and closely aligned with economic growth, I think it's an incentive for which lawmakers have a lot of sympathy."
On Tuesday, more than 400 companies and trade groups sent a letter to all members of Congress, asking them to make the R&D credit permanent and increase the rate.

A number of companies outside the IT sector also signed the letter, including Harley-Davidson, Toyota and the Schwan Food Co. A number of tech companies signed the letter, among them Adobe Systems, AT&T, Cisco Systems, Dell, Intel, Hewlett-Packard, and Microsoft.

A Seattle computer security consultant says he's developed a new way to exploit a recently disclosed bug in the SSL protocol, used to secure communications on the Internet. Frank Heidt, CEO of Leviathan Security Group, says his "generic" proof-of-concept code could be used to attack a variety of Web sites. The attack, while difficult to execute, could give attackers a very powerful phishing attack.

While the attack is extremely difficult to pull off - the hacker would first have to pull off a man-in-the-middle attack, running code that compromises the victim's network - it could have devastating consequences. The SSL Authentication flaw gives the attacker a way to change data being sent to the SSL server, but there's still no way to read the information coming back. The attack exploits the SSL (Secure Sockets Layer) Authentication Gap bug, first disclosed on Nov. 5. One of the SSL bug's discoverers, Marsh Ray at PhoneFactor, says he's seen a demonstration of Heidt's attack, and he's convinced it could work. "He did show it to me and it's the real deal," Ray said. Heidt sends data that causes the SSL server to return a redirect message that then sends the Web browser to another page. A consortium of Internet companies has been working to fix the flaw since the PhoneFactor developers first uncovered it several months ago. Heidt then uses that redirect message to move the victim to an insecure connection where the Web pages can be rewritten by his computer before they are sent to the victim. "Frank has shown a way to leverage this blind plain text injection attack into a complete compromise of the connection between the browser and the secure site," Ray said.

Their work gained new urgency when the bug was inadvertently disclosed on a discussion list. Last week, IBM researcher Anil Kurmus showed how the flaw could be used to trick browsers into sending Twitter messages that contained user passwords. Security experts have been debating the severity of this latest SSL flaw since it became public knowledge. This latest attack shows that the flaw could be used to steal all sorts of sensitive information from secure Web sites, Heidt said. Many high-profile banking and e-commerce Web sites will not return this 302 redirect message in a way that can be exploited, but a "huge number" of sites could be attacked, Heidt said. To be vulnerable, sites need to do something called client renegotiation under SSL and also to have some element on their secure Web pages that could generate a particular 302 redirect message.

With so many Web sites at risk from the flaw, Heidt says he does not intend to release his code immediately. The attack is similar to the SSL Strip attack demonstrated by Moxie Marlinspike at a security conference earlier this year. From the victim's perspective, the only noticeable change during an attack is that the browser no longer looks as though it's connected to an SSL site. Leviathan Security Group has created a tool that webmasters can use to see if their sites are vulnerable to an SSL Authentication Gap attack. Thierry Zoller, a security consultant with G-Sec, says that theoretically, the flaw could be used to attack mail servers. "An attacker can potentially hijack mails sent over secured SMTP [Simple Mail Transfer Protocol] connections, even if they are authenticated by a private certificate," he said in an instant message interview. Because SSL, and its replacement standard, TLS, are used in a wide range of Internet technologies, the bug has far-reaching implications.

Zoller, who has not seen Leviathan's code, said that if the attack works as advertised, it will be just a matter of days before someone else figures out how to do it.

Social networking site MySpace.com announced today that it has switched from using hard disk drives in its servers to using PCI Express (PCIe) cards loaded with solid state chips as primary storage for its data center operations. MySpace said the solid state storage uses less than 1% of the power and cooling costs that its previous hard drive-based server infrastructure had and that it was able to remove all of its server racks because the ioDrives are embedded directly into even its smallest servers. "We looked at a number of solid state solutions, using many different kinds of RAID configurations, but we felt that Fusion-io's solution was exactly what we needed to accomplish our goals," Buckingham stated. The PCIe cards, from Fusion-io Inc., have allowed MySpace to replace multiple server farms made up of 2U (3.5-in high) servers that had used 10 to 12 15,000 RPM Fibre Channel drives each with 1U (1.75-in high) servers using a single ioDrive. "In the last 20 years, disk storage hasn't kept pace with other innovations in IT, and right now we're on the cusp of a dramatic change with flash technologies," said Richard Buckingham, vice president of technical operations for MySpace, in a statement.

MySpace's new servers also have replaced its high-performance hosts that held data in large RAM cache modules, a costly method MySpace had been using in order to achieve the necessary throughput to serve its relational databases. Salt Lake City-based Fusion-io claims the ioDrive Duo offers users unprecedented single server performance levels with 1.5GB/sec. throughput and almost 200,000 IOPS. The system can reach such performance levels because four ioDrive Duos in a single server can scale linearly, which provides up to 6GB/sec. of read bandwidth and more than 500,000 read IOPS. The cards come in 160GB, 320GB and 640GB capacities. MySpace said its new servers using the NAND flash memory modules give it the same performance as its older RAM servers. A 1.28TB card is expected in the second half of this year. "Social networking sites and other Web 2.0 applications are very database dependent. Our 320GB ioDrive can fill a 10Gbit/sec. Ethernet pipe," David Flynn, CTO of Fusion-io, said in an interview.

Microsoft made its holiday pitch Tuesday in New York, giving a sneak peek at what its gadget lineup will look like. The OS adds improvements to Internet Explorer Mobile, new navigation tools, Flash Lite support, and the introduction of Windows Marketplace for Mobile - a new app store. To me Windows Mobile 6.5 seems like a transitional step to a future OS - might it be called Windows Mobile 7? - that could pose a more realistic challenge to Android, iPhone, and other mobile operating environments on the consumer side. Here Microsoft stressed its portable music player Zune, Xbox, Windows Mobile 6.5 OS phones, and Windows 7. Microsoft's Robbie Bach, head of Microsoft's entertainment and devices division, said this season it will stress the integration of "lifestyles" with "work-styles." All eyes were on Microsoft's Mobile 6.5 operating system, which was announced today.

As for Zune and Xbox, Microsoft says it will be rolling out a new feature that enables content downloaded to one of these devices to be played back on the other. Microsoft Zune representatives say the move will represent the first in a series of steps by Microsoft toward greater integration between various Windows-enabled hardware devices. The video quality will support an impressive 1080p high-definition (HD) video. Phone makers Samsung, HTC, LG, Hewlett-Packard and Toshiba were all on hand Tuesday, delivering first looks at Windows Mobile 6.5 devices. Microsoft, though, faces increasingly visible competition from both the Google Android and Apple iPhone camps in a struggle to expand beyond its relatively good position in the corporate smartphone space. Also on hand were mobile carriers Verizon Wireless, AT&T, Sprint, Telus and Bell Mobility.

Today Verizon and Google announced a partnership to bring Android-based smartphones, PDAs, and netbooks to market later this year. At the CTIA show in Dallas, TX this week, Samsung and T-Mobile introduced the Behold II, a touchscreen phone that brings together the Linux-based Android operating system with Samsung's new TouchWiz user interface for one-touch access to the user's favorite features and applications.

Barring a last-minute delay, the Federal Trade Commission is set to enforce its identity theft rules known as Red Flags on Nov. 1. The rules have been delayed three times already and were originally set to become practice Nov. 1, 2008. Under the Red Flags rules all companies or services that regularly permit deferred payments for goods or services, including entities such as health care providers, attorneys, and other professionals, as well as retailers and a wide range of businesses that invoice their customers, must develop a written program that identifies and detects the relevant warning signs - or "red flags" - of identity theft. The program must also describe appropriate responses that would prevent and mitigate the crime and detail a plan to update the program. These may include, for example, unusual account activity, fraud alerts on a consumer report, or attempted use of suspicious account application documents.

The final rules require financial and credit institutions that hold any consumer account, or other account for which there is a reasonably foreseeable risk of identity theft, to develop and implement an Identity Theft Prevention Program for combating identity theft in connection with new and existing accounts, the FTC said. Many entities also argue that, because they generally are not required to comply with FTC rules in other contexts, they have not had enough time to develop compliance plans. The FTC stated that some industries and entities within the agency's jurisdiction were uncertain about their coverage under the Red Flags Rule. Others have raised a stink about complying with the rules. This month the House unanimously approved a measure to exempt health care, legal and accounting firms employing fewer than 20 people from Red Flags. As a result the program hasn't been without its legal challenges.

That bill is now in committee. The ruling gave a victory to an industry that objected to the FTC's definition of what constitutes a "creditor." The FTC said it may fight that ruling. Also this month a U.S. District court ruled that lawyers are exempt from the Red Flags rule requirements. Meanwhile the identity theft problem appears to grow unabated. For the ninth year in a row identity theft - particularly in Arizona and California - was the number one consumer complaint filed with the Federal Trade Commission in 2008. Of 1,223,370 complaints received in 2008, 313,982 - or 26% - were related to identity theft.

The FTC in February released the list of top consumer fraud complaints for 2009 and showed that for the ninth year in a row, identity theft is the number one problem and it is showing no signs of letting up. The FTC's list shows that credit card fraud was the most common form of reported identity theft at 20%, followed by government documents/benefits fraud at 15%, employment fraud at 15%, phone or utilities fraud at 13%, bank fraud at 11% and loan fraud at 4%. The CSN received over 1.2 million complaints during calendar year 2008.

Future doctors are too frequently putting inappropriate postings and sometimes confidential patient information on social sites like Facebook and Twitter, according to a study published in the Journal of the American Medical Association. Thirteen percent reported that students had violated patient confidentiality in postings on social networking sites. The study shows that in a survey of medical colleges, 60% reported incidents of medical students' posting unprofessional content online. The survey also showed that 39% of colleges found medical students posting pictures of themselves being intoxicated, and 38% reported medical students posting sexually suggestive material.

Of the schools that reported finding inappropriate student content only, 67% said they gave informal warnings and 7% said they expelled the student. The study, published this week, surveyed deans or their counterparts at 78 U.S. medical colleges. People are frequently warned that photos and posts - and even comments from friends and family - on sites like Facebook, MySpace and Twitter could come back to haunt them. Dan Olds, an analyst with The Gabriel Consulting Group, said people posting inappropriate material, such as pictures of themselves drunk, has long been a downside of social networking. Companies report that they check social networking sites before hiring a prospective employee, and an off-hand comment about a work project or annoying colleague can easily come back to bite someone in the office. However, when health care workers are involved in such activity, it takes on a new dimension. "Doctors are in a bit of a unique position in society - almost universally trusted by patients to hold some of their most personal information confidential," Olds said. "This relationship needs to exist, because if patients hold back information from their doctor, it can have a serious impact on their lives.

"And it's hard to believe that medical students, folks who are highly educated, are so stupid as to not see the downside of these social networking activities." He added that aside from posting patient information online, it's also a bad idea for medical students to post pictures of the drunken party they were at the night before or information about their latest tryst. "Even though this was probably done innocently and with no bad intent, the potential for damage to patients is large," Olds said. "Seeing their doctors partying and drunk is not the way to engender trust, particularly if you're the person who has an appointment with that doctor the next day." If patients believe their doctors are unintentionally, or, worse yet, intentionally, revealing confidential information, then that trust will be irreparably damaged.