a proprietary music player, also included on the disk. Using this music player prevents consumers from converting their CDs to MP3 files for play on popular portable digital music devices, such as the iPod, or from uploading the files to peer-to-peer Internet file-sharing networks, where copyright piracy is ubiquitous. XCP prevents users from bypassing Sony BMG’s music player by permanently overriding some functions of the operating system (OS). To conceal these changes, the XCP software uses a technique typically seen only in the employ of black-hat hackers, a so-called rootkit.
Rootkits first appeared as stealth viruses in the 1990s, explains Mark Russinovich, the security researcher whose blog entry on 31 October kicked off the public controversy surrounding the XCP software. “A rootkit cloaks the presence of files from security and other software….it’s implemented by modifying parts of the OS,” says Russinovich. “You can’t manage it…you can’t even get rid of it.”
In XCP’s case, when a user first inserts a copy-protected CD into a PC, the user is automatically prompted to install the music player. Installed at the same time is the rootkit, which is designed to hide the existence of any file or folder whose name begins with “$sys$.” The copy-protection software is then hidden in such a folder, and the OS is altered so that when a user tries to access a CD using normal system commands, the request is first passed on to the cloaked software, which checks to see if the CD is supposed to be copy-protected. If it is, the access attempt is blocked; otherwise, the request is passed on to the original OS function that handles reading CDs.
With the rootkit hiding any software that is prefixed by “$sys$,” it creates “this huge hole in the system, which could be used by any hacker, any virus writer, to hide anything they want,” explains Mikko Hyppönen, chief research officer of F-Secure Corp., a computer security firm based in Helsinki, Finland.
Because the XCP software had already been installed in at least hundreds of thousands of computers, F-Secure decided not to make a public announcement when it became aware of the problem in early October for fear of tipping off virus writers. Hyppönen claims F-Secure presented Sony BMG with its concerns that the rootkit could be used to hide malware on 7 October, but the music label “did nothing concrete until it was on the front page of USA Today.”
www.spectrum.ieee.org
A Sony BMG insider acknowledges that the label was contacted in early October by F-Secure and says it referred F-Secure to First 4 Internet. But this source claims that security issues were not raised by F-Secure to Sony BMG until mid-October, when it was agreed that F-Secure and First 4 Internet would “work together toward a solution.” (First 4 Internet declined to comment.) After Russinovich announced the problem, it took only nine days before F-Secure began seeing malware that exploited the XCP cloak.
Once the story broke, Sony BMG’s inexperience with software and security issues showed, when Thomas Hesse, president of global digital business for Sony BMG, said on 4 November on National Public Radio’s “Morning Edition”: “Most people don’t even know what a rootkit is, so why should they care about it?”
One party that cares is the U.S. Department of Homeland Security, which includes cybersecurity as part of its portfolio. On 10 November, as reported by the Washington Post, Stewart Baker, assistant secretary for homeland security, made a pointed reference to the Sony BMG protection system, noting that companies need “to remember that it’s your intellectual property—[but] it’s not your computer.” Baker went on to say that “in the pursuit of protection of intellectual property, it’s important not to defeat or undermine the security measures that people need.”
Not only the federal government but state courts, too, are concerned.
Texas Attorney General Greg Abbott has filed a lawsuit against Sony BMG for violating the state’s anti-spyware laws, and several consumer rights organizations and law firms are considering class-action suits. Sony BMG initially offered consumers a complex multistep process to uninstall the rootkit, but this provoked another round of security and privacy concerns. Finally, Sony declared that it had halted production of XCP-protected CDs and on 18 November offered to exchange XCP CDs for regular CDs. The details of the exchange program can be found at http://cp.sonybmg.com/xcp/. Ironically, the site also offers the option of downloading affected albums in the format the label had been dreading all along—MP3. —STEPHEN CASS
TOO HOT: Temperature pill tells trainers when to cool athletes off.
Taking Body Temperature, Inside Out
A radio pill designed to monitor an astronaut’s temperature finds an application at the line of scrimmage
Football—the U.S. kind, played by physical giants—is a cold-weather sport. Some of the most memorable games of all time have been played with snow falling on ice-covered fields. But long before temperatures dip, athletes—some of whom weigh well over 135 kilograms—sweat it out in summer training camps where on-field temperatures often exceed 32 °C. These conditions test the endurance of behemoths getting into shape by doing sprint drills (aptly named suicides), tackling each other, and practicing plays over and over again. The time between two torturous workout sessions a day is frequently spent tending to bodies suffering from cramps and dehydration as they near the point of heat exhaustion [see photo, “Too Hot”].
In 2003, this annual hazing proved too much for Korey Stringer, a player on the National Football League’s Minnesota Vikings. By the time the 167-kg player collapsed from heatstroke, his core body temperature had reached 42.7 °C. He never regained consciousness.
Since then, several pro and college teams have begun issuing “radio pills” to players who they think might be at risk for heatstroke. Once swallowed, the multivitamin-size pill acts as an internal thermometer, providing continuous readings of a player’s body temperature, which can be picked up by a sensor placed against the small of the player’s back. Players take the pills a couple of hours before the start of practice, allowing the capsules time to reach an athlete’s small intestine, where core body temperature readings accurate to within 0.1 °C can be taken.
A year after the Vikings player died, Philadelphia Eagles player Tra Thomas was saved from a similar fate during summer training camp when a radio pill reported that he had a core body temperature of 40.9 °C and trainers pulled him off the field. “He hadn’t shown any signs of heat stress,” said Derek Boyko, the Eagles’ director of football media services. “Who knows if, without the device, the training staff would have known he was in danger before it was too late.”
The radio pill, part of the CorTemp Physiological Monitoring System manufactured by Palmetto, Fla.–based HQ Inc., relies on a temperature-sensitive quartz crystal oscillator whose vibration frequencies are well known for temperatures ranging from –60 °C to 150 °C. For instance, the crystal oscillates at 262.25 kilohertz at the normal body temperature of 37 °C. The electronic components calculate the temperature and transmit the data as a digital signal. Power comes from a silver oxide hearing aid battery that holds enough energy for nine days of temperature readings. The capsule remains in the body for only 24 to 36 hours before it is eliminated.
January 2006 | IEEE Spectrum | NA 13
INDIA’S YEAR OF COMPUTING INEXPENSIVELY
THE YEAR 2005 will go down in India’s annals as the year of cheap computing. Manufacturers would, of course, prefer to call what’s involved “inexpensive,” “low-cost,” or “affordable.” But it all comes down to the same bottom line: some laptops and PCs that were selling for as little as 10 000 rupees at the beginning of the year were going for less than half that by year’s end, or approximately US $100 for a network machine.
Admittedly, the $100 Nova NetPC offered by the year-old start-up Novatium Solutions Ltd. [see “Leading the Pack”] is a thin-client server that depends on external support from Internet service providers or cable companies for most of its data processing and applications. But if its maker is to be believed, the NetPC breaks ground in terms of both manufacturing quality and capabilities. “Most Net PCs or thin clients available today are stripped-down versions of PCs that run on the same hardware architecture,” says CEO Alok Singh. “But we have built a complete motherboard and a new platform, and we’re looking to the triple play of audio, video, and computing. There’s no compromise on the computing experience.”
In July, when HCL Infosystems, headquartered near New Delhi and India’s largest computer maker, launched its PC for India, it made similar claims. “Most of the existing low-cost PCs are either stripped-down versions or made of poor quality or counterfeit components,” claimed CEO Ajai Chowdhry. He said that HCL’s machine broke the 10 000-rupee barrier without compromising quality or functionality. Arguably the first through that barrier was Xenitis Infotech’s Aamar PC, which has been issued with variant names for regional appeal. Xenitis says it has been selling more than 10 000 units per month at around $225.
All those introducing inexpensive computers are betting on economies of scale. In a country of more than 1 billion people in which fewer than 1 percent own computers, that isn’t much of a gamble. Encore Software, which has introduced Mobilis, a line of devices that straddle the worlds of laptops and PDAs, hopes to sell 50 000 to 100 000 units in a year.
To reduce costs and maximize function, several of the PC makers are steering away from the Windows/Intel world: HCL, for example, has turned to the Taiwanese company Via Technologies Inc., in Taipei, for the 1-gigahertz processor in its PC for India, and it uses the Linux operating system. Via itself has introduced a $230 computer, the Terra PC, which relies on Linux rather than Windows and runs its operating system on flash memory. —SEEMA SINGH
Leading the Pack
AAPNA PC LINE, US $225
One in a line of standard desktop computers that also includes the Aamar and Aamchi PCs, the Aapna was released in March by Xenitis Infotech Ltd., in Mumbai. Equipped with a 40-gigabyte hard disk, 128 megabytes of RAM, a color monitor, and a modem, it runs on Intel 1-gigahertz processors and uses Linux.
MOBILIS PC LINE, $200–$300
This PC was developed by Encore Software Ltd., in Bangalore, the company behind India’s innovative Simputer [see “Indian Handheld,” IEEE Spectrum, News, August 2002]. A cross between a PDA and a laptop, Mobilis [photo] runs on Intel’s PXA255 processor and uses Linux. A wireless version supports the Global Positioning System and the European General Packet Radio Service (GPRS) cellphone standard.
NOVA NETPC, $100
Released in late fall by Novatium Solutions Ltd., in Chennai (Madras), this Net PC runs on a DSP chip set made by Analog Devices Inc., in Norwood, Mass., and either Linux or Novatium’s own Windows-like operating system. A thin-client device, it relies on flash memory rather than RAM and depends on being connected to a server by an Internet service provider or cable company.
PC FOR INDIA, $230
Released in July by HCL Infosystems Ltd., in Noida (near New Delhi), the PC for India runs on a 1-GHz processor supplied by Taiwan’s Via. Like the Aapna line, it has 128 MB of RAM, a 40-GB hard disk, and the standard features expected to support applications such as e-mail and Internet browsing.
The temperature readings are transmitted wirelessly to a handheld receiver–data recorder. As the digital signal induces a voltage on the pill’s communication coils, this voltage creates a quasistatic magnetic field with a radius of about a meter. When a coach or trainer holds the receiver to the small of a player’s back, a magnetic coupling between the pill and the receiver induces a voltage in the handheld device’s antenna, which is then demodulated to retrieve the original temperature data. Because magnetic communication does not generate a propagating wave and there is strong attenuation of the signal with distance, the data are hard to intercept and virtually free from interference—even if there are dozens of other players running around the practice field with radio pills in their guts. Creating such a magnetic communication bubble also requires very little power, which allowed the radio pill’s designers to use the tiniest of commercial batteries.
The technology was originally developed in the mid-1980s by NASA so the space agency could monitor the body temperatures of astronauts on the Space Shuttle. For instance, when former Mercury astronaut and retired U.S. Senator John Glenn returned to space in 1998 at age 77 aboard the Space Shuttle Discovery, a radio pill continually monitored his internal temperature. HQ acquired a license to use the technology from the Johns Hopkins Applied Physics Laboratory in the 1990s as part of a NASA technology transfer program and began refining it for use in medical and industrial research.
Bill Hicks, president of HQ, says the product has “proven itself as a diagnostic tool with which teams can determine whether their athletes are in danger.” The company is now branching out, marketing its temperature-sensing technology for use in applications including military clothing.
Sensors would make it easier for commanders in the field to know when heat stress is limiting their soldiers’ effectiveness. Hicks wouldn’t comment on whether the U.S. military has any plans to use the technology in Iraq, where daytime temperatures regularly soar above 50 °C. Six U.S. soldiers and one British soldier have died from heat-related illness since the conflict in Iraq began, according to iCasualties.org, a Web site that monitors combat deaths there.
The CorTemp system is also being aimed at monitoring another type of roasting. The device is helping food companies test their products in order to learn, say, exactly how much heat a hot dog can tolerate before it becomes overdone and leathery. It seems there really is a pill for everything. —WILLIE D. JONES
CUSHIONED: System operators for Tokyo Electric Power Co. [left] are at work in the company’s new emergency control facility, located on the outskirts of Tokyo. Built to withstand a severe earthquake, the building has pillars that rest on rubber cushions [above], which in turn sit on the foundation.
Tokyo Power Quake-proofs Its Grid Control System
Backup facility is designed to withstand extreme jolts
For a land regularly pummeled by typhoons and shaken by earthquakes, not to mention its several active volcanoes, Japan suffers remarkably few electric power disruptions of any duration. In the 10-year period between 1992 and 2001, customers of Japan’s largest power supplier, Tokyo Electric Power Co. (Tepco), suffered an average power outage of less than 5 minutes in any given year. By comparison, customers of 65 power utilities across 24 states in the United States had sustained power interruptions totaling 107 minutes on average in any one year during the same period, according to the nonprofit Electric Power Research Institute, based in Palo Alto, Calif.
Tepco revealed how it keeps outage durations down to an enviable few minutes for its 27 million customers when for the first time it allowed foreign journalists to view its operations and the company’s new Emergency Backup Facilities in the outskirts of Tokyo last fall. The installation, housed on three floors of the Tachikawa System Load Dispatching Office, is built to deal with the ultimate disruption—an earthquake knocking out the company’s headquarters 40 kilometers away in central Tokyo [see photos, “Cushioned”].
The Tachikawa building is decoupled from its foundation supports by interposing laminated rubber bearings. “This allows the structure to sway horizontally and survive a 7.3-magnitude earthquake,” says Kunio Umesaki, deputy general manager of the Tachikawa service center. A gas turbine generator with fuel for three days is also available should the two power lines feeding the facility fail.
The emergency facilities comprise a substitute central load-dispatching office that oversees all supply and demand in the network, a central telecommunications center, and an emergency task force center. Tepco has also developed its own communications network using wired, fiber-optic, and microwave transmissions, as well as satellite and mobile phone communications. Should an earthquake disrupt part of this network, vehicles equipped with satellite communications equipment and wireless telephone exchanges can take over and maintain contact between headquarters (or the backup facility) and recovery units. Fleets of vehicles equipped with high- and low-voltage generators, as well as mobile transformers, can also be called into action.
Arguably, one advantage Tepco has over many of its U.S. counterparts is that it is a vertically integrated company: it controls all aspects of its business—from generation and transmission through to distribution and sales.
“So in case of accidents, we can all work together to deal with the problem,” says Noburo Nakayama, general manager of the Tachikawa System Load Dispatching Office. In the United States, separate companies may carry out some of these functions for the power supplier. “This can cause a problem with communications,” Nakayama adds.
In a country as prone to natural disasters as Japan, disruptions come with inevitable regularity. But by maintaining an attitude of vigilant preparedness, Tepco is able to deal with the expected and unexpected and keep its lines humming almost all the time. The utility’s success stems from a corporate culture that can be boiled down to adhering to a policy of preparing for the worst, as much as it does from relying on leading-edge technologies to deal with or head off troubles. This is a prudent attitude, considering that Tokyo straddles three tectonic plates—the Eurasian plate, the Philippine Sea plate, and the Pacific plate—and possibly a fourth. A repeat of the Great Kanto Earthquake that devastated the city in 1932 appears to be a matter of when, not if. —JOHN BOYD