
Archive | Technology

Germans Flip Over Tax Reform (In A Good Way)

German business leaders are euphoric over a tax overhaul that lets them redirect investment once tied up in other German companies, and funnel it into high-growth sectors like high-tech. But there is growing concern among German retail investors that the package, introduced by the German government after years of debate, may pose more questions than it answers.

The tax scheme, expected to reduce German tax receipts by almost DM60 billion by 2005, includes a provision that removes corporate long-term capital gains taxes. This ends the post-war German tax regime which effectively required German companies to hold stock in one another.

Business leaders hail the long-debated reform, and are almost counting their earnings already from investments in euro-dot.coms and high-tech ventures. But according to an n-tv poll published in the Abendzeitung, 51% of Germans surveyed said they felt that the tax package would hurt, not help them, despite a personal income tax cut for both low and high income earners.

Some labor leaders worry that a mass shift of funds by banks and insurers away from more esoteric or even merely poorly performing holdings and into industry consolidation and mergers and acquisitions could threaten German jobs, and the decades-long peace between German industry and labor unions.

But business leaders insist that freeing up their investment capital will allow them to invest in high growth sectors. “This decision increases strategic development for German corporations,” said Stefan Radloff, Senior Vice President Accounting & Financial Controlling, for Infineon Technologies, “However, we do see further discussion necessary regarding individual points of the decision, particularly within the area of corporate income tax law and tax write-off regulations.”

The funding from capital gains “will allow companies to focus on their core competencies,” said Peter Klostermeyer, senior analyst at VMR, “German old economy companies, for example, in steel and mining, already have in place an IT business or Internet division, so they’ll probably take money out of cross-investments and use it to build up and possibly spin-off these divisions.” The value-adding investments would garner the attention of investors and increase stock prices.

Cross-Holding
Cross-holding was introduced after WWII as a means to promote consensus among German corporate management, which had to maintain holdings in diverse industries – such as insurance companies investing in tire manufacturers, construction firms and banks. The velvet hammer of compliance with this system, widely credited with smoothing the course of the German Wirtschaftswunder – economic wonder – was that corporations would be hit with earth-shattering capital gains taxes should they sell their cross-holdings.

All that changed when the compromise, a mainstay of parliamentary debate in Germany since before the Kohl era, was passed.

German Business Ready To Rock
Though the Financial Times has reported that Deutsche Bank Chairman Rolf Breuer plans aggressive divestment of Deutsche Bank’s estimated €23 billion in industrial holdings (including DaimlerChrysler and until last month, insurance group Allianz), Breuer has made clear the bank “…will try to avoid overcrowding the market with potential sellers. We will have to do it smartly.”

Banking analysts also believe that the odds of a fast-paced sell-off are slim. “As far as I can see, this will encourage some divestiture, but on balance I think this issue may be overblown,” said an analyst at Commerzbank. “Banks have really enjoyed the earnings smoothing capacity of these cross holdings, which has allowed them to realize profits that can offset costs such as restructuring – without this, the volatility in the German banking climate over the last few years would have been very significant. And dumping the shares would dilute the price, and banks aren’t dumb.”

Analysts also say that in addition to pure financial motives that would encourage a steady and slow sell off as opposed to a rapid money move, there is also a very real sense of tradition.

“These are legacy positions,” said the Commerzbank source, “and there are some very strongly-held views that these are the family shield, so you won’t see a wholesale sell off within a short space of time, but rather a slow, gradual process.”

But the overhang – the market’s sense of “waiting for the other shoe to drop” on releases of chunks of stock, may in itself provide downward pressure on German stock prices over the long term.

Changing Insurance Landscape
For the insurance industry, at least for insurers with large portfolios, the newly found freedom from cross-holding would seem to be an equal shake. While German companies in other industries will surely divest themselves of some of their insurance holdings, German insurers will be free to consolidate further within Germany as well as to expand across European borders.

“This won’t mean any immediate change in ratings,” said Karin Clemens, Associate Director at Standard & Poors, “but this will speed up the consolidation process within the German insurance market. And it would mean opportunities to broaden. For example, Allianz can’t further expand in Germany, so we would expect them to try to build their positions outside Germany – but we also expect further that it will allow foreign insurers the chance to get in to the German market.”

Labor Unions
Some have expressed concern that shifting capital out of certain sectors could threaten German jobs, and the peaceful relations between industry and labor unions that have been a hallmark of the German post-war success.

“We support the tax reform package in general, and think it is good for Germany and for Europe” said Claus Eilrich, a spokesman for IG Metall, Germany’s largest labor union, “but we have some problems with the corporate capital gains cut. Germans must pay a tax for everything, so we question why large corporations should get what amounts to a present from the government – this even took the insurance and banking industries by surprise.”

Personal Income Tax
The German plan also provides a healthy tax cut for the wealthy, and much smaller cuts for middle and lower income earners. Some believe that this “Supply side” approach creates an unbalanced economic model, but German economists feel confident the mixture is a prudent one.

“That supply-side issue is always a problem,” said Rudiger Parsche, Expert for Financial and Tax Matters at Munich’s IFO Institute for Economic Research, “but I think this package has a good mix, reducing tax rates significantly and increasing the minimum amount of tax free income to DM15,000 by 2005. So taken altogether we suppose that the package will also increase the demand side.”

Visiting The Front Lines

The future is wireless, or at least that is what Nokia, Ericsson and a host of startups and network operators are earnestly hoping. But the quick success of 3G – The Third Generation of mobile telephony – is more than profitable icing for these companies; it has now become a matter of survival….

This article, which ran in the February, 2001 issue of Tornado Insider magazine, looks at the overall climate in European development of 3G, and then explores how each of Europe’s largest telecom networking manufacturers, Ericsson and Nokia, is coping with the challenge.

…………………………………………………….

For some time, both Ericsson and Nokia have vigorously embraced the role of global industry hothouse by developing new divisions and enhancing old ones to deal with the 3G challenge. But it is about more than money.

“For a fraction of what the operators spent on 3G licenses, they could buy 10 application startups to help with rollout,” says Martti Malka, a partner in Nokia Venture Partners, which is independent from parent Nokia. “It’s not the money; it’s the business model, and the successful operator is going to look to third parties to come up with the innovative business propositions.”

Resources for innovation, too, are only part of the problem. Ericsson has established itself as a curious anomaly. The heavily bureaucratic, press release-driven monolith commands a sensational ability to introduce and gather support for industry-wide protocol initiatives, like Bluetooth and OSGI, its home gateway protocol. Nokia, meanwhile, has made huge progress in end-user customer loyalty through its desirable handsets, capturing 30 percent of the worldwide handset market. Nokia is claiming great gains in GPRS and 3G networking contracts as well.

Nokia and Ericsson realize that in order to give their customers, the operators, the return they’re demanding, they must aggressively court small startups working on applications, services, and hardware for 3G. They’ve partnered with VCs for some, and will continue to do so for others. They have also spent considerable time and money making sure that when 3G rolls out it will live up to the hype.

Enter the startups
“We know we have to develop this market and the key issue is getting the right applications,” says Bengt Larsson, marketing manager for Ericsson Business Innovations (EBI), an independent subsidiary of Ericsson. “It’s not until we have the applications on board that we will see the 3G market take off.”

Nokia Venture Partners, with $500 million under management, concentrates on early stage mobile Internet companies, and looks specifically toward those creating enabling technologies. A perfect example is AVS Technologies, an Espoo, Finland, company whose MVQ (motion vector quantization) method is a high-end video compression and transfer technology that compresses video streams 10 times more effectively than RealPlayer or Windows Media.

For its part, EBI, as well as main divisions of Ericsson such as its Mobile Location Services, work closely with small startup companies developing applications that would eventually work with an Ericsson 3G network. For instance, Ericsson Mobile Location Services works and co-markets with It’sAlive, a startup games-maker funded by Speed Ventures in Stockholm. It’sAlive just rolled out its first product, a location-based game called BotFighters, in which SMS messages appear when opponents are in firing range.

BotFighters is currently running in Sweden on regular public networks. “Ericsson would welcome any application developer who would like to try out a 3G application to come and use it on our demo network in Kista. It’s one of the few places in the world where you can actually test 3G applications in a practical environment,” says EBI’s Larsson.

The first step taken by application startups is a visit to the Ericsson and Nokia developers’ websites, which allow any company to register to receive technical specifications, assistance, emulators, and limited access to the developers’ community for the particular product in which they’re interested. Companies that push past that point and go for a more formal partnership, like It’sAlive, are given co-marketing support and access to live research and development projects, not out-of-the-box technology.

While Ericsson and Nokia are both taking to their roles with gusto, developing deals with laundry lists of third parties from startups to global players, there are subtle differences in their approaches. The following profiles look at the efforts by each of the vendors, and compare and contrast their approaches.

Dell? He’s All Wrong In Europe…

To hear Hermann Oberlehner tell it, Michael Dell has got it wrong in Europe. “We’ve looked at this very carefully,” he said, “and in Europe outside the U.K., the Dell model just won’t work.”

This statement might ordinarily be dismissed as having come from a jealous also-ran. But Oberlehner is founder and chief executive of Gericom AG, based in Austria, which has quietly become the leading vendor of personal notebook computers in Germany. Last quarter, Gericom shipped 111,000 units in Europe, beating out such heavyweights as Dell Computer Corp., Toshiba Corp., International Business Machines Corp. and Acer in Germany.

In Europe overall, Gericom is the No. 5 vendor in mobile computing, according to International Data Corp., with a 9 percent market share.

“They are a very aggressive vendor in the consumer portable market, with a very strong focus on the lower-end consumer market,” said Stefania Lorenz, senior analyst for European personal computing at IDC.

But Oberlehner said he realized in the mid-1990s there was a hole in the European mobile computing space. As manufacturers struggled to make ever-slimmer notebooks for the lucrative corporate market, consumers were being left behind.

Gericom discovered that, with modifications, cheaper Intel Corp. chips designed for desktop computers would work in notebooks. While the company had initial quality control problems and a high rate of return – some say as high as 30 percent – new heat dissipation methods were employed, and the problems were worked out.

“Where before everyone had thought ‘smaller,’” said Ranjit Awtal of Gartner Inc., “Gericom asked, ‘Just how much mobility do you need to move your computer from the kitchen to bedroom?’

“They took risks when other vendors were reluctant. By providing a cheaper, slightly heavier and less mobile PC, Gericom actually paved the way for much of the mobile growth in the European home market today.”

By about 1996, Oberlehner, looking to cut costs and frankly tired of contending with retailers, took a hard look at Dell’s U.S. mail-order business and seriously considered emulating it in Europe.

“We tried to compete using the Dell model here in Europe,” said Oberlehner, who established Gericom in Linz in 1991, “but we discovered that we just didn’t need to – in fact, that it just wouldn’t work here.”

Of course, Dell has been doing just fine in Europe, with about 10 percent of the overall PC market, trailing only Hewlett-Packard Co.

Oberlehner believes that on the Continent, the customer’s buying experience differs drastically from that in North America. In Europe, customers prefer a more intimate sales environment, and they trust that salespeople have experience with the machines they proffer. The selection process is heavily geared toward comparison shopping by cost, brand and features, especially local-language and culture-based add-ons.

This, Oberlehner said, is unlike the experience in North America and Britain. “Americans are poor computer buyers,” he said. “They don’t look at specs – they look at the brand, the size, and buy. Dell works so well because the entire American retail system is set up with enormously costly pitfalls.”

Since no one cares about the specs, the logic goes, the sales team does not need – and often does not have – much information. Customers buy the name, and when they have a problem or the machine does not do something they need it to, they can bring it back to the retailer because of the generous U.S. return policies.

Oberlehner says that while profit margins in the United States are higher than in Europe, so are costs. So Oberlehner stopped looking at retailers as adversaries and began seeing them as a symbiotic necessity: Where the retailers can provide marketing access to a customer base, Gericom can get the product quickly to market. As long as Gericom is willing to move quickly and provide post-sales support and service, the model works, he says.

But to succeed, he said, you must be willing to take razor-thin margins and produce using small teams working around the clock. Gericom, which outsources much of the assembly-line production of its notebooks to the Taiwan-based assembler Uniwell and some other Asia-Pacific companies, employs fewer than 300 people in Austria.

Gericom’s home-turf advantage also means that it can, for example, ship 7,000 units overnight to the main distribution centers for leading European retailers such as MediaMarkt, Lidl, Carrefour or Dixons without breaking a sweat.

And relying on local sales support and marketing initiatives rather than trying to centralize or even regionalize means that local buyers feel that the machines cater to them – whether the brand name on the box is Gericom, Gerico, a Dixon line or something else.

“We can’t possibly compete with big vendors in the corporate market,” Oberlehner said, “where you have multinational needs. But likewise, the multinationals can’t compete with us in providing local support and computers that local people need. It’s not a question of price; it’s a question of tuning the products to meet the needs of each local market.”

Gericom keeps its focus on mobility. It was the first notebook maker to introduce a GPRS-enabled notebook computer, and it followed up with partly “ruggedized” notebooks aimed at the upper portion of its lower-end market.

Into the future, Oberlehner is counting on an “enormous potential” for replacing desktop computers with laptops in Europe. He cites research that says that fewer than 60 percent of German households own a computer, for example, and of those, only 15 percent have a laptop.

A proposal for Reasonable Wireless Security for law firms

It’s just past 8.30 am on a busy Tuesday. A five-person legal team
has just arrived to work with your firm on that big case. For the
next four days, these five lawyers will be camped in your conference
room. And their first question is, “How do we get Internet
access?”

[Ian Sacklow co-wrote this white paper]

At many small and mid-sized firms in the US, the answer is increasingly, “We’ve got Wi-Fi[1].” A Wi-Fi Access Point (WAP) allows your computer or personal digital assistant (PDA) to connect to the Internet, or a computer network, at high speed, without wires (see sidebar).

Wi-Fi lets your clients use the Internet or access their corporate
network. It allows your partners, associates and interns access to
the web and your Local Area Network (LAN) from the library or
lunchroom – or the coffee shop across the street.

In
the immediate future, lack of a Wi-Fi connection to the Internet will
be as disruptive to a law firm as the lack of an Internet connection,
or a mobile phone.

As
we adopt new technologies, no matter how revolutionary or wonderful
they may be, we must not be reluctant to address their
vulnerabilities. An improperly or incompletely configured WAP has
vulnerabilities. Fortunately, there
are inexpensive and easy-to-employ safeguards against many of them.

Executive Summary
This article is intended to provide attorneys and support staff with
an overview of Wi-Fi, and the challenges they face as they maintain
the confidentiality of client documents and information in a wireless
network setting. This article proposes a standard comprising the
steps which law firms should take to reasonably prevent intrusion
into their LAN via their WAP, and thereby protect the confidentiality
of their clients’ information.

The article is geared towards those in the many law firms which don’t have full-time Information Technology (IT) departments, or formal computer training. The steps suggested do not provide a guarantee against unauthorized intrusion. They do provide a reasonable amount of security at reasonable expense[2].

When
it comes to a lawyer’s duties to maintain confidentiality, I’ve been
told there has been no landmark ruling about what are reasonable
measures to protect client data across a WAP. A poorly configured WAP
can expose your clients’ confidential information. Unless you wish to
be the test case to establish that standard, you should establish and
maintain reasonable levels of security when deploying a WAP.

It
is submitted that the steps I propose are reasonable, and it is hoped
that they would therefore be adopted as a standard to be followed and
provide a safe harbor for law firms seeking to protect the
confidentiality of client information in a wireless network setting.

The proposed standard includes four steps to protect and encrypt the
traffic on the WAP. Any WAP not so protected shall be considered to
be an “Open WAP.”

The
proposed standard also includes a written security policy covering:

  • WAPs in the office
  • WAPs at the homes of those with remote-access authorization to the
    firm’s local area network
  • Computers which contain client data and access publicly-accessible
    WAPs (at coffee bars, airports, Bar Association Libraries, etc.)

Wi-Fi: An Indispensable Tool

  • Wi-Fi is everywhere, and it’s no fad.

There were more than 10 million WAPs in US homes by the end of 2004, with an expected 14 million by the end of 2005.

At coffee bars, restaurants and offices throughout the world, you’ll see people working on Wi-Fi-enabled devices like notebook computers. Publicly-accessible WAPs, known as Hotspots,
are provided in scores of cities to
encourage Internet use. Many Hotspots provide the Internet access at no cost, to encourage foot traffic.

Other Hotspots, such as those at most Starbucks, Barnes and Noble,
Borders and Kinkos locations, charge access fees for Wi-Fi – about
$1.30 a day for a monthly subscription.

WAP Overview

  • The vast difference between connecting via Wi-Fi to the Internet, and connecting via Wi-Fi to your LAN is an important distinction.

Components comprising a Wi-Fi network work in much the same way as walkie-talkies and a base station. When you set up a WAP (sometimes also referred to as a “Wireless Router”), you are broadcasting a radio signal to the area within a radius of up to 300[3] feet from the WAP. By default, anyone with a mobile device equipped with a Wi-Fi transceiver (“Wi-Fi Adapter”) can detect this signal and request a connection. When the WAP recognizes the request, by default it assigns to the requesting device a unique identifier (an “IP Address”) which permits the WAP and mobile device to communicate. Once this connection has been made, the mobile device is granted access to the network to which the WAP is connected.

Most
people connect the WAP to a high-speed Internet connection. Once a
mobile device is connected to such a WAP that device can access the
Internet.

Some
people also connect the WAP to their Local Area Network (LAN). Your
LAN is the network of computers which contain your data and client
information. LAN access must be protected by a firewall, which
prevents unauthorized communications originating outside the LAN from
getting in.

For reasons which will be made clear below, I highly recommend that anyone accessing your LAN from anywhere outside the firewall – be it through your WAP, their home computer or network (wired or wireless) or a public Hotspot – do so through a Virtual Private Network (VPN). A VPN creates a “tunnel” through which your data is transported, cryptographically encrypted, through the firewall and on to the LAN.

VPNs are the number one thing people should be doing. A VPN lets trusted[4] users be as productive as possible. Even if an unauthorized user gets on to your WAP, you can keep him locked out of your LAN.

The proposed standard therefore requires that you place the WAP outside your firm’s firewall. By creating a “demilitarized zone” (DMZ) which is inside the WAP but outside the firewall, you grant wireless Internet access via your WAP, while only Trusted users may access the LAN, through the VPN.
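
The layout described above can be written down as firewall rules and checked mechanically. The following is an added example, not part of the original white paper; the address ranges, the UDP 1194 VPN port and all rule, zone and function names are assumptions made for illustration. It compares a WAP plugged straight into the office network with a WAP placed in a DMZ.

```python
"""Check a firewall rule set against the WAP-in-DMZ layout (illustrative model)."""
import ipaddress
from typing import NamedTuple

# Constructed addressing plan (assumptions, not taken from the article).
ZONES = [  # most specific network first
    ("vpn_gw", ipaddress.ip_network("192.168.50.254/32")),  # VPN endpoint on the firewall
    ("wlan", ipaddress.ip_network("192.168.50.0/24")),      # DMZ served by the WAP
    ("vpn", ipaddress.ip_network("10.0.9.0/24")),           # addresses used inside the tunnel
    ("lan", ipaddress.ip_network("10.0.0.0/24")),           # machines holding client data
]


class Rule(NamedTuple):
    src: str     # zone name or "any"
    dst: str     # zone name or "any"
    proto: str   # "tcp", "udp" or "any"
    port: int    # 0 means any port
    action: str  # "allow" or "deny"


def zone_of(addr: str) -> str:
    """Map an address to its zone; anything unlisted is the Internet."""
    ip = ipaddress.ip_address(addr)
    for name, net in ZONES:
        if ip in net:
            return name
    return "internet"


def decide(rules, src, dst, proto, port) -> str:
    """First matching rule wins; traffic that matches nothing is denied."""
    s, d = zone_of(src), zone_of(dst)
    for r in rules:
        if (r.src in ("any", s) and r.dst in ("any", d)
                and r.proto in ("any", proto) and r.port in (0, port)):
            return r.action
    return "deny"


# What the proposed layout requires, as constructed test flows.
CHECKS = [
    ("wireless device reaches the web", "192.168.50.23", "203.0.113.10", "tcp", 443, "allow"),
    ("wireless device reaches the VPN endpoint", "192.168.50.23", "192.168.50.254", "udp", 1194, "allow"),
    ("VPN user reaches the LAN file server", "10.0.9.5", "10.0.0.20", "tcp", 445, "allow"),
    ("wireless device is blocked from the LAN", "192.168.50.23", "10.0.0.20", "tcp", 445, "deny"),
    ("Internet host is blocked from the LAN", "203.0.113.10", "10.0.0.20", "tcp", 445, "deny"),
]


def audit(rules):
    """Return the labels of every requirement the rule set fails."""
    return [label for label, src, dst, proto, port, want in CHECKS
            if decide(rules, src, dst, proto, port) != want]


# Weak layout: the WAP sits inside the firewall, so wireless devices are
# treated like any other office machine and there is no VPN path at all.
FLAT = [
    Rule("wlan", "any", "any", 0, "allow"),
    Rule("lan", "any", "any", 0, "allow"),
]

# Corrected layout: WAP in the DMZ, LAN reachable only through the VPN.
DMZ = [
    Rule("wlan", "vpn_gw", "udp", 1194, "allow"),  # start a tunnel
    Rule("wlan", "lan", "any", 0, "deny"),         # no direct path to client data
    Rule("wlan", "vpn", "any", 0, "deny"),         # no reaching into other users' tunnels
    Rule("wlan", "internet", "any", 0, "allow"),   # plain Internet access
    Rule("vpn", "lan", "any", 0, "allow"),         # authenticated users only
    Rule("lan", "any", "any", 0, "allow"),         # outbound traffic from the office
]

if __name__ == "__main__":
    for name, rules in (("FLAT", FLAT), ("DMZ", DMZ)):
        failures = audit(rules)
        print(name, "passes" if not failures else "fails: " + "; ".join(failures))
```
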

Unless you intend to offer public Internet access (which you might,
see below), then you must also protect your WAP with encryption and
an authentication scheme, which requires user name and password, to
help keep unauthorized users out. While less important than
protecting your LAN, protecting your WAP from just anyone getting
Internet access can be important as well (see sidebar).

What’s Your Responsibility?

  • Connecting an Open WAP to your firm’s LAN is literally as unsafe
    as placing your client files in an unlocked file cabinet in the
    center of a city street.

Lawyers in New York State mustn’t knowingly “… reveal a confidence or secret of a client”, and “…shall exercise reasonable care to prevent … employees, associates, and others whose services are utilized by the lawyer from disclosing or using confidences or secrets of a client.”[5]

An Open WAP is a Hotspot – a publicly shared computer network open to anyone, anywhere within 300 feet. In 2001, the DC Legal Ethics Committee stated it is “…impermissible for unaffiliated attorneys to have unrestricted access to each other’s electronic files (including e-mails and word processing documents) and other client records. If separate computer systems are not utilized, each attorney’s confidential client information should be protected in a way that guards against unauthorized access and preserves client confidences and secrets.”[6]

The Delaware Bar opined that client confidentiality is broken when a lawyer, “should reasonably anticipate the possibility that his or her communication could be intercepted and confidences disclosed.”[7]

An
irate client whose opponent became aware of embarrassing information
via such an interception might well make the argument that
maintaining an Open WAP doesn’t protect his data in a way that guards
against unauthorized access and preserves client confidences and
secrets.

Protecting
the confidentiality of client information on an Open WAP is
impossible. Cheap and simple steps can solve this problem.

Criminal Liability of Accessing a ‘Public’ Hotspot

  • You
    cannot rely on existing laws to prosecute “unauthorized” WAP
    access. It is difficult to determine how a user becomes authorized
    to access a WAP, and there’s no common mechanism by which to post a
    notice that he is not.

In
early July, 2005, police in St Petersburg, FL, arrested Benjamin Smith III
for accessing a residential WAP and connecting to the Internet –
from his car. Smith was charged with unauthorized access to a
computer network.

He
might get off. Who’s to say it was unreasonable for Smith to assume
what he did was Kosher? The WAP he used was wide open. With the
proliferation of Hotspots,
who can say whether a person can reasonably infer an Open WAP is
intended for public use?

Under current New York law, it is illegal to intentionally access someone else’s computer, computer network or equipment without authorization to do so where such computer or equipment, “…is equipped or programmed with any device or coding system, a function of which is to prevent the unauthorized use of said computer or computer system.”[8]

The New York Penal Law also attempts to define “authorization” by providing that to establish authorization, one must either

(i) give actual notice in writing or orally to the user;

(ii) prominently post written notice adjacent to the computer being utilized; or

(iii) provide a notice that is displayed on, printed out on or announced by the computer being utilized by the user[9].

Significantly, the Penal Law also provides for a presumption that notice of such authorization is given where, “the computer is programmed to automatically display, print or announce such notice ….”[10]

Scott R. Almas, who was instrumental in developing the business and
technology model to implement many of the Hotspots throughout
downtown Albany, New York, is a technology attorney at the law
firm of Lemery Greisler LLC. While Almas does not endorse the
unauthorized use of open WAPs, he points out significant problems
with New York’s law when viewed against the practical reality of the
proliferation of Open WAPs.

“I
am particularly troubled,” Almas said, “by how a user is supposed
to know whether or not the owner of the Open WAP is authorizing use
of the access point where the owner broadcasts to the world the
presence of the access point and takes no steps to secure it. By the
very nature of WAPs, there is no reasonable way to post or provide
oral notice, and it can be difficult to interpret from the
broadcasted name of the access point whether authorization is
intended.”

“In light of the fact that protecting the WAP is free, simple to do, and
strongly recommended by the access point manufacturers during the set
up process,” Almas said, “I believe anyone who sets up a
WAP and does not follow the advice to install even the most basic,
minimal safeguards should be presumed to be providing authorization
to access the Open AP for otherwise lawful Internet use.”

“The presumption should not,” adds Almas “extend to authority to access information on the WAP owner’s LAN, or other illegal or
harmful activities.”

Oops. Was That Your WAP?

  • If a mobile device automatically seeks and connects to a WAP, then accessing an Open WAP needn’t even be intentional.

Most new notebook computers ship with the Microsoft Windows XP or Macintosh OSX operating systems, and are equipped with internal wireless adapters (see sidebar). If the wireless adapter is switched on, the notebook will seek, and attempt to connect with, WAPs – even before the screen comes to life.

People set their notebooks to connect to any available network, so the onus is on the owner of the WAP. I would think that if your WAP offers credentials to enter – such as an IP address – a user might reasonably think that they’ve been granted access to your WAP.

And New York Penal Law Section 156.50 provides a defense for persons who had reasonable grounds to believe that they had authorization to use the computer. Therefore, unfortunately, the issue will likely be left for the Courts to decide whether such a presumption exists and is applicable in any given case.

Attorneys and the public must properly frame these issues and arguments, so that the Courts can properly interpret and apply the law.

Determine Your Needs

  • You can protect your LAN while providing public access to your WAP and the Internet – so long as you configure your WAP properly.

Lemery Greisler, Almas’ Albany, New York law firm, provides a Hotspot to afford anyone in the area free access to the Internet. By giving pedestrians a good reason to mill about, this is a fine goodwill gesture towards local businesses at low cost.

That’s a perfectly reasonable thing to do, so long as you reasonably ensure (as did Lemery Greisler) that it is difficult for strangers to access your LAN from the Hotspot. They placed the Hotspot outside their firm’s firewall, thereby providing a public service at little risk to their own network.

It’s important that you, too, determine what you want your WAP to do, and deploy it properly.

Don’t Panic … But Set A Policy

  • A clearly communicated and strongly enforced written policy governing remote network access is essential.

A written wireless data security policy is vital in any environment; in a law firm, the lack of one could be expensive, embarrassing and time-consuming. It could create civil liability – and even criminal liability (see sidebar) – for the firm.

All people in the firm must be made aware of the policy, no matter their position: it does you no good to take steps to increase security if your receptionist or even a junior associate tells a caller information about your WAP and network. This happens far more often than you’d think. Specifics on what the policy should cover are listed below, within the proposed standard.

        Everybody’s Not Doing It

          <li>
          If you haven't
          locked down your firm's WAP, you're not alone. This problem is
          widespread and international.</strong> 
          </li>
          

          In March, 2005, data
          protection company RSA Security reported that a survey it
          commissioned from netSurity found more than one third of wireless
          business networks in four major cities were unsecured – 38% of
          businesses in New York, 35% in San Francisco, 36% in London and 34%
          in Frankfurt.

          Those numbers are about right – a safe, if not conservative, figure.
          It’s analogous to a car, which comes with locks built right into the
          doors, but it’s up to you to depress the lock button.

          From Elite Geeks to An Unruly Mob

            <li>
            <strong>One no longer
            needs to be a gifted programmer to be a successful intruder.</strong></li>
            

            Cracking WEP, the lowest form of Wi-Fi encryption, is increasingly trivial
            (see sidebar), and attorneys must never rely on WEP – no
            matter how large the bit-size – as the sole means of protecting
            a LAN.

            The popular image of a “Hacker,” as a young, pale-skinned
            male perched behind a complex computer using arcane tools to
            penetrate computer systems is dated.

            Hacking, password- and encryption-breaking tools have become
            ubiquitous, sophisticated, simple to use and are totally free to
            download from the Internet.

            PROPOSED STANDARD

            A determined intruder with the right tools will get in no matter what
            you do – nothing offers 100% security or guarantees, but you
            should employ the best security you can install and maintain without
            unreasonably disrupting productivity. Take all reasonable steps to
            secure client information on your LAN with a well-configured
            firewall.

            If you merely wish to allow Trusted users wireless Internet access,
            securing your WAP can likely be done by Dan – that geeky intern who
            likes Star Trek. It can take as little as 15 minutes, and can
            cost nothing: if you’ve got a WAP, you’ve almost certainly got the
            hardware needed (and if you don’t, you can spend as little as $40 to
            get it).

            If you wish to allow the WAP to also grant LAN access, and you don’t
            have an IT person in-house, you might buy a combination VPN/WAP for
            as little as $149 (see sidebar). Otherwise, you may need to hire an
            outside consultant or installation specialist for a few hours’
            consultation or work to set up the VPN.

            Four Main Steps

            Because Linksys is the most popular WAP maker, examples below refer to
            Linksys products; your WAP’s instruction manual contains specific
            How-Tos and instructions to do all the following. All brands provide
            similar steps and menus, and all use the same terminology.

            STEP ONE: CHANGE THE DEFAULTS

            The simplest solution for a range of common problems raised by WAPs is to
            change the default information on the WAP itself. This is
            accomplished by opening a web browser and surfing to the IP address
            of the WAP device.

            First go to the Setup Page:

              <li>
              Change the Router Name<a class="sdfootnoteanc" name="sdfootnote11anc" href="#sdfootnote11sym"><SUP>11</SUP></a>.
                  </li>
              <li>
              Change the last two fields in the WAP's Local IP address to
              something other than what's there. Reasonable entries include
              192.168.11.1 or 192.168.0.25. 
              </li>
              

              Next, go to the Wireless Basic Settings Page. The Service Set Identifier
              (SSID) is the name of the wireless network your users will connect
              to. By default it is set to “Linksys.”

                <li>
                Change the SSID to something non-descriptive - not your firm's
                name. While the concept of security through obscurity is not to be solely relied upon, choose for your SSID something obscure, like B3QXR25. 
                </li>
                <li>
                Then, disable the SSID broadcast, so it won't be readily visible to
                users who don't know that the WAP is there (though &quot;war-drivers&quot;
                - people who drive around looking for Open WAPs - might see it.
                Yes, there's a war-driving subculture). 
                </li>
                

                STEP TWO: CHANGE THE ADMINISTRATIVE PASSWORD

                A hacker, using the default username of (nothing) and the default
                password of “admin” can take over your WAP and lock you out. In the Administration page:

                  <li>
                  Set a new, hard-to-guess administration password, using at least an
                  eight character string which is not a word found in a dictionary,
                  and which comprises upper and lower case letters and numbers.</li>
                  

                  STEP THREE: ENCRYPT THE SIGNAL

                  Use the best encryption method you possibly can, preferably WPA2 (see
                  sidebar). If WPA2 is not available, then deploy, in descending order
                  of preferability, either WPA or WEP. If you absolutely must use
                  WEP, use 128-bit encryption – which takes a bit longer to crack
                  than weaker versions of WEP.

                  STEP FOUR: VPN INTO THE LAN

                  You absolutely, positively may not allow access to your LAN through the
                  WAP except with the use of a VPN.

                  Because the VPN’s authentication is vastly more secure than Wi-Fi’s and
                  encrypts all data between the client (that’s your notebook computer
                  or PDA) and the LAN, it helps ensure that anyone gaining access to
                  the LAN is authorized.
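
The four steps above, written as a checklist that a script can run against a WAP's settings. This is an added example, not part of the original white paper: the settings dictionary and its key names, the placeholder router name, the 192.168.1.1 factory address, the firm name and the small word list are all assumptions made for illustration.

```python
import re

# Factory values of the unit being audited. "linksys" and "admin" are the
# defaults the article names; the router name and IP address are assumed.
FACTORY = {"router_name": "FACTORY-NAME", "local_ip": "192.168.1.1",
           "ssid": "linksys", "admin_password": "admin"}

# The article's order of preference, best first.
ENCRYPTION_RANK = ["WPA2", "WPA", "WEP-128", "WEP-64", "NONE"]

# Small constructed word list standing in for a real dictionary file.
DICTIONARY = {"password", "linksys", "wireless", "attorney", "security"}

FIRM = "Example & Partners LLP"  # constructed firm name


def check_password(password):
    """Step Two rule: eight or more characters, mixed case, numbers,
    and not a dictionary word. Returns a list of problems."""
    problems = []
    if len(password) < 8:
        problems.append("is shorter than eight characters")
    if not (re.search(r"[a-z]", password) and re.search(r"[A-Z]", password)):
        problems.append("lacks mixed upper and lower case")
    if not re.search(r"\d", password):
        problems.append("lacks a number")
    # Drop digits and punctuation so that 'Password1' is still caught.
    if re.sub(r"[^a-z]", "", password.lower()) in DICTIONARY:
        problems.append("is a dictionary word")
    return problems


def audit(cfg, firm_name, factory=FACTORY):
    """Return (step, finding) tuples; an empty list means all four steps pass."""
    findings = []

    # STEP ONE: change the defaults.
    if cfg["router_name"] == factory["router_name"]:
        findings.append((1, "router name is still the factory value"))
    if cfg["local_ip"].split(".")[2:] == factory["local_ip"].split(".")[2:]:
        findings.append((1, "last two fields of the local IP are unchanged"))
    ssid = cfg["ssid"].lower()
    if ssid == factory["ssid"].lower():
        findings.append((1, "SSID is still the factory value"))
    if any(w in ssid for w in re.findall(r"[a-z]{4,}", firm_name.lower())):
        findings.append((1, "SSID reveals the firm's name"))
    if cfg["ssid_broadcast"]:
        findings.append((1, "SSID broadcast is enabled"))

    # STEP TWO: change the administrative password.
    if cfg["admin_password"] == factory["admin_password"]:
        findings.append((2, "administrative password is the factory value"))
    else:
        for problem in check_password(cfg["admin_password"]):
            findings.append((2, "administrative password " + problem))

    # STEP THREE: use the best encryption the hardware offers.
    best = min(cfg["supported_encryption"], key=ENCRYPTION_RANK.index)
    if cfg["encryption"] != best:
        findings.append((3, "%s in use although %s is available"
                         % (cfg["encryption"], best)))

    # STEP FOUR: no LAN access through the WAP except over a VPN.
    if cfg["lan_reachable"] and not cfg["vpn_required"]:
        findings.append((4, "LAN is reachable through the WAP without a VPN"))
    return findings


# Constructed sample settings: one unit as unboxed, one after the four steps.
OUT_OF_BOX = {"router_name": "FACTORY-NAME", "local_ip": "192.168.1.1",
              "ssid": "linksys", "ssid_broadcast": True,
              "admin_password": "admin", "encryption": "NONE",
              "supported_encryption": ["WEP-64", "WEP-128", "WPA", "WPA2"],
              "lan_reachable": True, "vpn_required": False}
HARDENED = dict(OUT_OF_BOX, router_name="unit-7", local_ip="192.168.11.1",
                ssid="B3QXR25", ssid_broadcast=False,
                admin_password="t7Rk2mQx9", encryption="WPA2",
                vpn_required=True)

if __name__ == "__main__":
    for label, cfg in (("out of box", OUT_OF_BOX), ("hardened", HARDENED)):
        print(label)
        for step, finding in audit(cfg, FIRM) or [(0, "no findings")]:
            print("  step %d: %s" % (step, finding))
```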

                  Written Policy

                  Anyone who has been granted remote access to your LAN must abide by
                  the written remote access policy. This policy must cover the remote
                  users’ notebook computers, PDAs and other mobile data devices; their
                  home LAN and any home computers, and any other machines which they
                  may use to access the company LAN.

                  The policy must be clearly posted in the firm, and discussed with all
                  remote users and staff. It must explicitly set forth rules governing
                  what employees may tell outsiders about your computers, your network,
                  your WAP and your security policies. It must be regularly reviewed.

                  For a sample written policy, see http://www.nickselby.com/wifi

                  Protect Home WAPs

                  Anyone granted permission to access the LAN via VPN must apply all
                  four steps above to their home or other remote WAP. This not only
                  protects your LAN, it protects personal data they store on their home
                  machines.

                  Current OS Patches, Anti-Virus, Firewall & Spyware Blockers

                  Anyone accessing the LAN must ensure that their device is updated
                  with the most recent security patches for their Operating System.

                  All machines on the LAN must run current versions of anti-virus
                  software with regularly updated virus definitions. Note that new
                  viruses are introduced every hour; “regularly updated virus
                  definitions” means at a minimum once each week. It could be
                  argued it is reasonable to update every 24 hours.

                  Any device accessing from outside the LAN must be running a
                  properly-configured firewall program such as Zone Alarm or Computer
                  Associates eTrust. The Basic Signal Set (BSS) is shared by all users
                  of an AP; if the hotspot does not block inner BSS connections (and
                  you should assume it does not), then if you connect to that AP
                  without running a firewall, a malicious user can gain access to your
                  machine and install software or remove files from your hard drive.
                  Unless you’re encrypting your email through a VPN or an encryption
                  program such as PGP, it (and your password and username) can be very,
                  very easily captured and viewed in plain text by others on the
                  Hotspot.

                  Always assume that others can see you on a Hotspot. Make sure you
                  have a firewall running, and anything you care about – such as email
                  or confidential files – is encrypted across a tunnel.

                  Call For Discussion

                  As when you access a Hotspot, you’re always looking for the balance
                  between ease of access and loss of security. The best we can do
                  is educate people about the upsides and downsides of using WAPs, and
                  discuss ways to protect yourself so that your information remains
                  reasonably secure.

                  As I mentioned earlier, this is all very new. The proposed standard
                  is a first step towards reducing the likelihood that your LAN will be
                  compromised, or your Internet connection abused. In order to further
                  this recommendation and develop a final specification, I welcome your
                  comments.

                  Ian Sacklow, the founder of the Capital District Linux Users Group and
                  Information Systems Manager for Dodge Chamberlain Luzine Weber
                  Associates, an architectural firm with offices in East Greenbush,
                  Plattsburgh and Jericho, New York, co-authored this white paper.

                  Members of the Capital District Linux Users Group contributed technical
                  information and fact checking for this article.

                  <p><a class="sdfootnotesym" name="sdfootnote1sym" href="#sdfootnote1anc">1</a>
                  Wi-Fi is short for &quot;Wireless Fidelity,&quot; the nickname for a
                  wireless area network (WAN) complying with IEEE 802.11
                  specifications. Wi-Fi&reg;
                  is a Registered Trademark of the Wi-Fi Alliance. 
                  </p>
                  

                  <p><a class="sdfootnotesym" name="sdfootnote2sym" href="#sdfootnote2anc">2</a> Of
                  course as the state of the art changes, so must any standard be
                  updated.</p>
                  

                  <p><a class="sdfootnotesym" name="sdfootnote3sym" href="#sdfootnote3anc">3</a> One
                  can extend this range in a variety of ways, all fairly technical.
                  300 feet is the default, stock range without modification, and
                  therefore the range I discuss here.</p>
                  

                  <p><a class="sdfootnotesym" name="sdfootnote4sym" href="#sdfootnote4anc">4</a> On
                  a network, a &quot;Trusted&quot; user is given access to sensitive
                  files. An &quot;Untrusted&quot; user may be granted access to
                  certain parts of the network, but not to areas containing sensitive
                  data. 
                  </p>
                  

                  <p><a class="sdfootnotesym" name="sdfootnote5sym" href="#sdfootnote5anc">5</a>
                  New York Lawyer's Code of
                  Professional Responsibility , DR
                  4-101 [1200.19] 
                  </p>
                  

                  <p><a class="sdfootnotesym" name="sdfootnote6sym" href="#sdfootnote6anc">6</a>
                   District of Columbia
                  Ethics Opinion 303, February 2, 2001</p>
                  

                  <p><a class="sdfootnotesym" name="sdfootnote7sym" href="#sdfootnote7anc">7</a>
                   Delaware State Bar Association Opinion 2001-02
                  </p>
                  

                  <p><a class="sdfootnotesym" name="sdfootnote8sym" href="#sdfootnote8anc">8</a>
                   New York Penal Law Section 156.05</p>
                  

                  <p><a class="sdfootnotesym" name="sdfootnote9sym" href="#sdfootnote9anc">9</a>
                   New York Penal Law Section 156.00</p>
                  

                  <p><a class="sdfootnotesym" name="sdfootnote10sym" href="#sdfootnote10anc">10</a> id.</p>
                  

                  <p><a class="sdfootnotesym" name="sdfootnote11sym" href="#sdfootnote11anc">11</a> You
                  change the Router Name to slow down would-be intruders. Router Names
                  provide enough information to attackers to obtain all default
                  information for that WAP. <a href='http://coffer.com/mac_find/' target='_blank'>http://coffer.com/mac_find/</a> is one
                  Website which provides lookups which match Router Names with
                  manufacturer and model number, linking to the manufacturer website
                  which lists that machine's default settings and password.</p>
                  


                  Also in this series…
                  A proposal for Reasonable Wireless Security for law firms

                  A sample network access policy

                  Wifi encryption standards

                  “There’s nothing on my desk worth stealing”

                  …and free hotspots for all


There’s Nothing On My Network Worth Stealing

Many computer users feel that, because they don’t deal in highfalutin’ top secret information, they don’t have much to offer an intruder.

Targets of intruders, though, are as difficult to predict as the closing price of next Tuesday’s light sweet crude trading. In fact, the possibilities are endless. And here’s just one way leaving your WAP unprotected – essentially running a Hotspot – could cause you pain.

Lawyer? Or Terrorist?
Parked outside your office within connection range sits Mr. Soren Marrwaakle, a Danish terrorist associated with the dreaded Copenhagen Resistance, which has sworn to destroy the American way of life. Soren drives around large cities seeking unprotected wireless connections just like yours.

Soren connects, through your unprotected WAP, to the Internet and thence his public, anonymous email account. After receiving from his cell the floor plans to a target building, he transmits back an email message to his handler, acknowledging receipt of the plans and passing on a recipe for low-fat brownies he got from Emeril.com.

Has your firm just violated the Patriot Act? You know, the part which says you’re not allowed “…to commit an act that the actor knows, or reasonably should know, affords material support, including a safe house, transportation, communications, funds, transfer of funds or other material financial benefit, false documentation or identification, weapons (including chemical, biological, or radiological weapons), explosives, or training…” [emphasis added]

Perhaps more to the point, do you wish to explain your views to the 33 FBI Agents in blue windbreakers who are at this moment milling about your conference room?

Sure, after only three days, by which time they’ve become mostly convinced of your innocence, 18 of the agents leave. But how much do you think it will eventually cost you in time, effort, resources and bad coffee to get the rest of them to go? How many of your clients will express delight upon learning that their lawyers are under Federal investigation for aiding a terrorist group?

And how will those pictures of guys in blue windbreakers carrying boxes out of your office look in the Times Union?




And free hotspots for all

Because many cities and towns around the world have begun providing publicly-accessible wireless APs, how is a reasonable computer user supposed to know that an unprotected network is not there specifically to allow him to access the Internet? All stores in the Panera Bread chain offer Wifi Internet access that’s as free as the air. A visitor to downtown Albany will find himself in a brightly “lit” environment which has so many free wireless access points that it’s hard to find an area in which you cannot connect.

So imagine the surprise in early July, 2005 when police in St Petersburg, FL, picked up a man for accessing an AP on a residential street, connecting to the Internet and checking his email. Benjamin Smith III was arrested and charged with unauthorized access to a computer network.

He might well get off. After all, if all he did was access the Internet to check his email, who’s to say it’s unreasonable for Smith to assume this was kosher? The AP was wide open. If Smith didn’t attack any of the other machines on the local network, he may have been perfectly reasonable to assume that the network was meant for him to use.

While we do not endorse the unauthorized use of someone else’s wireless signal, in this day and age it can be hard to tell when you’re not supposed to log on and surf the web.

We believe that anyone who sets up a Wireless Access Point and does not follow the installation wizard’s advice to change the ESSID and password and set up encryption should be presumed to be providing publicly accessible wireless at no cost.

There is, however, a vast difference between hopping on an open access point and intruding into someone else’s network for nefarious purposes.




Venture Fever Hits Scandinavia

As recently as three years ago, “venture capitalism” in Scandinavia meant lending 50 bucks to your friend Soren – the one who’s fond of the racetrack. And even though Scandinavia is known throughout Europe as a hotbed of really smart people making exceptionally sexy technology, until recently entrepreneurs were, in essence, good technicians who didn’t understand commercialization.

Let’s fast forward. In the past year, more than 60 VC firms and incubators have been formed in Stockholm alone, a combination of professional VCs, as well as groups of angel investors, who have bundled themselves into unions. Many are local players, but some are international capitalists coming from the US, Finland, Norway and the Netherlands.

Last summer, Tornado-Insider.com did a feature on Swedish VC firm e-Chron, which had established a contest and networking event for Swedish startups called the E-Challenge. At the time, the founders said they were starting the event because of “the slow and difficult process of getting venture funding in Sweden.” E-Chron wanted to make it easier for startups to grow by bringing together entrepreneurs and the support industries that surround them, such as VCs, professional service providers and larger ICT corporations.

Since then, the VC industry has ballooned in Sweden and elsewhere in Scandinavia, in large part due to the fact that wireless is the flavor of the month. In fact, the whole VC vibe is more sophisticated and connected, with large sums of money available and a clear keenness to do deals.

VC firms are forming alliances in order to share resources and expertise, in an aim to fund more deals and better serve existing portfolio companies. One such alliance is the Global Venture Alliance, bringing together 2m Invest, Telenor Ventures and Ledstiernan. Schmooze sessions are also on the increase with events like the invitation-only Sockerbiten (“sugar-bite”), which offers a clubby atmosphere of VCs exchanging ideas and business cards and just, well, talking to one another.

Why all the hubbub? “Greed,” said Niclas Carlsson, CEO and Founder of e-Chron. “People look at this old, socialistic country and then Altitun sells for $860 million – people go crazy.”

Okay, he admitted, it’s more than greed; it’s an attitude shift as well. Scandinavian VCs agree the most important change in the last two years is that entrepreneurs are more mature. They’re packaging themselves better, making it easier for VCs to invest. However, entrepreneurs also have a lot more capital to choose from.

“It’s definitely easier to start up here than ever before, and absolutely easier to start up here than even in other areas of Europe,” said Panu Mustonen, CEO of Springtoys, which makes games and entertainment software for mobile phones and PDAs. Springtoys recently closed its first round of funding, which included a 15 percent stake taken by Eqvitec and a 20 percent stake taken by Sonera.

Some investors say the draw of Scandinavia is that there are so many competent small enterprises in the region feeding off the well-established market of the larger players, especially in the wireless sector. “The proximity of Ericsson and Nokia, and mobile in general, has done a lot,” said Jukka Hayrynen, a partner at Helsinki-based Eqvitec. “When we built our technology fund in 1997, people said, ‘technology – that’s so narrow.’ Now they say, ‘technology, that’s so darn broad.’”

Such a flourishing of technology startups can only benefit regional VCs, who are seeing an increasing demand for specialized expertise. Local VCs have the ability to concentrate on specific niches, learning the ropes of a particular business space.

In Finland, the amount of money available has made it difficult for some VC firms to find enough partners to manage their range of portfolio firms effectively, said Mustonen. That means VCs who really know a specific sector are in demand. “If I were a venture capitalist myself,” he said, “I would concentrate only on exactly what I know best; if you understand the sector, can limit yourself to just five companies and concentrate on building their businesses, you’ll make a killing in this city.”

Joining together with other VC firms is one way to concentrate efforts and expertise. “There’s a real attempt to get together and gear our resources,” said Kim Bach, vice president at 2m. Joint activities such as co-investing, sharing knowledge, extending buying power and working with shared databases could help VC firms “reach critical mass in sectors faster than we ever were able to before,” Bach said.

Bertelsmann Wants It All. They May Already Have It.

The announcement of a deal between Terra Networks, Lycos and Bertelsmann to create effectively the world’s broadest-based Internet portal is the latest in a series of Bertelsmann plays to aggressively expand their Internet activities. This fits nicely into Bertelsmann’s core strategy to leverage their enormous content pool into one of the world’s largest offerings of digital products.

“Kudos on their aggressiveness and their long-term vision,” said Michael Blok, senior analyst with Rabo Securities, “They enjoy a nice natural ‘hedge’, whereby if things on the web move as fast as the company expects, it will be in a good position to deliver through its Internet plays. And if things move slower, then their old core businesses will make more money for a longer time.”

Bertelsmann is not a publicly-traded company, but does allow individual investors to participate in profit sharing, through the use of profit participation certificates, sold on the Frankfurt Exchange and called Genussschein; about 30% of Bertelsmann’s equity capital is derived through these certificates (trading currently at Euro97.4).

Less splashy in the press than the Terra/Lycos/Bertelsmann deal but crucial to Bertelsmann’s overall internet strategy was a decision yesterday by the European Commission that cleared the way for a Bertelsmann purchase of 50% of Sweden’s Bokus.

Bokus, which successfully established itself as an online media and entertainment shop in Sweden, Norway, Denmark and Finland, in all local languages, is not surprisingly the market leader in all those countries – countries which, by the way, have the highest percentage of internet users by population in Europe. The joint venture acts as a major strategic foothold for BOL in Scandinavia, and dovetails nicely into Bertelsmann’s overall goals.

To get an idea of the strength of Bertelsmann’s holdings, consider that the privately-held German company is the world’s largest publisher of English-language books, through its acquisition of Random House; it is Europe’s largest broadcaster, with a 50% stake in Luxembourg based CLT-UFA, offering 40 TV and radio stations, and with their merger with Pearson TV, part of Pearson PLC, they will also be Europe’s largest production company. Bertelsmann owns BMG, the world’s fourth largest music label; magazine publishing giant Grüner and Jahr, and scientific publisher Springer.

And in order to sell all that content digitally, Bertelsmann has built, through development and acquisitions, a multimedia empire that includes BOL, a stake in US-bookseller barnesandnoble.com, a 50% stake in Lycos Europe, and created the Bertelsmann Broadband Group, which develops interactive services such as television and film for cable networks utilizing broadband technology.

“Our core strategic focus is on further development of our positions in our different content markets,” said Bertelsmann spokesman Markus Payer, “so on the technological side, we’re working to digitize all our content.”

“That may be their long term goal, but that’s not the whole story,” said Blok, “It’s also based on organic growth and new initiatives, and perhaps because they’re privately owned, they’ve been reasonably willing to suffer losses whereas publicly quoted publishers are less willing to lest their stock nosedive.”

But Blok points to rapidly changing factors in Bertelsmann’s core businesses, such as music publishing, which will find it increasingly difficult to make the level of profits to which they’ve become accustomed as the Internet changes the music publishing business model completely.

One of Bertelsmann’s most valuable sales assets is its book clubs, with 25 million subscribers throughout the world. The clubs are already fully operational on the internet, giving Bertelsmann a wet-dream of a mailing list. But Blok warns that this too can change, as the internet would tend to make less attractive the kind of monopolistic or duopolistic models Bertelsmann enjoyed with its clubs to date.

Bertelsmann, meanwhile, is aggressively pressing to further their goals; to that end, Random House is working to digitize its entire backlist of books, and BMG is digitizing all its music offerings. Bertelsmann also has a 60% stake in Pixel Park (Neuer Markt: PXL.NME), one of Europe’s leading internet services companies, providing services to establish and maintain online presence, Internet and intranet solutions, e-commerce platforms and a consultancy business.

“As an analyst I’m looking for true leaders, with high barriers to entry,” says Blok, “Now, Bertelsmann currently don’t have a stake in something extremely huge that is certain to dominate a submarket – an amazon.com or even, anymore, an AOL. If they had something like that, then whatever happens in the next five years they would come out ahead.”

But, Blok noted, Bertelsmann’s BOL is well on its way, and should provide for a nice battle when Amazon really enters the European market.

Whither The Euro Portal

In the aftermath of the disastrous Lastminute.com, World Online and Lycos Europe IPOs, and with softening expectations for T-Online’s mid-April IPO, web insiders are taking a fresh look at the European portal business. To industry experts, the “bigger is better” American portal model just doesn’t work over here.

Instead, new home-bred ‘affinity portals’ are rapidly increasing their traffic, focusing content to narrow ranges of interest, building loyal online communities, expanding across borders and cultures and attracting investment. In this market, analysts and experts say, focused is beautiful, and general portals are out.

Consider comdirect.de, a German financial portal whose 1999 profits were up 600%, and which last month brought in more traffic than the German versions of T-Online, AOL and MSN combined.

Or Dooyoo.com, a Berlin-based comparative shopping portal that has successfully expanded into several European countries. “It’s essential for commerce players to have that kind of pan-European approach, and this multi-national focus is key,” said Noah Yasskin, Europe analyst at Jupiter Communications, “We’ve yet to see a clear leader emerge in that sector and there are still opportunities to lock this market.”

Dooyoo, and its German rival Ciao.com, have several advantages over the US competition beginning to move into Europe, including knowledge of local markets, and the ability to spend, while US shareholders are currently a bit squeamish about investing in Europe.

This trend is good news for the dozens of young, ambitious European start-ups that are on the scene today. And it’s good news for their investors.

It Was Always Over Over Here
The American portal model is to make a homepage on which users feel comfortable to begin each web session – an all-encompassing, broad-based link farm and search engine which tries to allow users to find whatever it is they’re looking for on the web from a single starting point. The model holds that the more users there are online in a given market, the more the portal is worth to advertisers, who pay fixed amounts per thousand views of their ad.

But therein lies the problem with the model in Europe. The American portal model is based on a culturally and linguistically homogeneous online society. Europe, as some have noted, does not share this homogeneity.

Fragmentation In A Model Built on Unity
In other words, what plays well in Peoria doesn’t necessarily play well in Passau or Paris. It’s simple math: if every Belgian came online, you’d have a grand total of 10.1 million potential customers (in any case, only about 10% are online). And sure, Germany’s a big market with 82 million people, and 20% of them are online.

But Germans speak German.

T-Online, Europe’s largest German-language portal, has that portal market (along with Austria’s and German-speaking Switzerland’s) sewn up quite nicely, with over 7 million subscribers and 115 million monthly page views, and their upcoming IPO is highly anticipated, offering 108 million shares at a range set between Eur 25 and 30.

T-Online’s competitors in Germany have less robust numbers, and market share is being sucked up quickly. Traditional portals like MSN and Fireball.de come in routinely with under 30 million page views a month; Yahoo.de gets about half T-Online’s page views, as does the portal/ISP combination AOL, with 3.4 million users. T-Online would seem to be unstoppable.

Not quite. Right next door in France, T-Online holds about as much market sway as you’d predict, not even denting the already saturated French-language portal market. There, Yahoo.fr and Viola.fr are the belles of the ball, with over 70 million monthly page views each, and competition is heating up from rivals AOL.fr, MSN.fr and others. The large portal situation is the same in all European countries: fragmentation in a model built on unity.

As early as October 1999, a Jupiter Communications report proclaimed the European Portal market saturated: “The window of opportunity for European portals is closed,” it said, “Europe’s existing portals will consolidate into a few multinational portals capable of aggregating audiences across several markets.”

Jupiter’s Yasskin states: “Online content is available globally but only relevant locally, so content ventures must achieve scale and value through localized and branded category-leading sites, not portal plays.”

Making A Bad Situation Worse
Nonetheless, with fierce competition for eyeballs, Europe’s large portals have been forced to add heaps of free services such as free internet access, free email and other perks. National telecoms and their competitors got in on the action as well, and now attempt to create enough offline brand name recognition to pre-win online brand loyalty.

“The trend seems to point to portal services trying to attract not ‘millions of users’,” said Bank Julius Bär analyst Joeri Sels, “but rather ‘dozens of millions of subscribers’, which will be necessary for profitable operations.”

The market for those monstrous “Über-Euro-Portals” may be flooded, but there’s still plenty of room to move for smaller ‘affinity’ sites.

The Field
Today’s “portal” has expanded to include places where users decide to start particular activities or searches on the web – so an investor would begin her search for new high-tech European investment opportunities at tornado-insider.com; a travel writer at one of a multitude of ticket sites including ebookers.com, or otctravel.co.uk; a researcher in Cambridge at altavista.co.uk; a shopper in Milan or Berlin at dooyoo.com or ciao.com. All these are sites containing links to everything about a particular subject.

Look at comdirect.de, whose 330,000 customers have Eur 6.75 billion on deposit, and made over 5.1 million transactions last year. Comdirect appeals to the mass-market online investor by offering links to market news from around Europe, and attracting loyal users through an innovative game called “broker poker”. With broker poker, customers create pretend virtual portfolios and compete against one another in a giant pool, the winner taking a prize of Eur100,000.

Can this work in France and the UK as well?

“Absolutely,” said Suzan Nolan, President and lead marketing analyst for Paris-based Blue Sky International Marketing, “this is a great tool for teaching investors how to invest online, and it’s also a very nice way to let experienced investors run multiple portfolios, test what they’re thinking and expand their knowledge.”

That seems likely. With 388,000 users (63,000 new customers within March 2000 alone), and 335,000 direct brokerage customers, and after-tax profits up 600% last year to Euro 13.7 million, Comdirect plans its IPO on the Neuer Markt for later this quarter.

That’s what works: “build locally, cross the nearest border and do it again” might be a rallying cry for the new breed of specialized Euro-portals. And do it fast. While big guns attempt to develop an all-round pan-European strategy, smaller and more daring internet start-ups are taking ideas and charging with them, learning from their mistakes.

Or put another way, “Load…fire…aim,” the core strategy of feisty comparison shopping portal Dooyoo.com, which now has hard-hitting and successful practical-information shopping sites in Germany, Spain, Italy and France, and plans to launch in the near future in the UK and Scandinavia.

The site’s draw is consumer commentary on products from toasters to blenders to computers; ratings of products by consumers help others make purchasing decisions about specific products like laptops, or children’s books.

Dooyoo’s 43,000 members (and current 49,000 product listings) think this is so ducky that the site got six million page views in February. Perhaps more important, last month dooyoo secured its second round of funding (in the “double digit millions of dollars”) and solidified plans to go public on the Neuer Markt later this year.

“Compared to the fuss over general portals these kinds of companies might not appear very distinguished,” said Christian Junk, Senior Software Analyst at Commerzbank, “but it would seem they have a very good opportunity to contribute highly specialized content offerings and grow into affinity portals.”

Bank Julius Bär’s analyst Joeri Sels pointed at a Dooyoo rival, Ciao.com, which bills itself a ‘horizontal one-click shopping portal’, and which is also moving fast, with sites in Spain, Italy, France, UK, Austria and Germany. Ciao recently merged with another similar German start-up, Amiro.com. “The first step is lots about building a feeling of community,” said Frederick Paul, Ciao’s founder and director. Ciao started with US$5MM from Wellington Partners and media house Burda, and they’re about to close their second round of about 20MM; the new company is presently valued, they say, at about $75MM, and say they’ll go to an IPO at the end of 2000 at the latest.

The Near Future
The big-is-beautiful crowd isn’t going away overnight, and the “gaggle” factor of European web investing will still follow these major players into the market. There will be more portal IPOs in the coming months, and as the numbers increase there’ll be even more consolidation. The huge players will be elbowing one another to grab the remaining sections of the general portal market.

And don’t forget the portals run by the incumbent national telecoms, which provide both huge amounts of national traffic as well as juicy, content-rich merger target grist for the ever-expanding large portal mill.

Over 12 months, as investors and especially web users become more sophisticated, the organic attractiveness of such offerings will wane. Sure, they work in the USA, with its large, culturally and linguistically homogeneous market.

Whither The Über-Euro-Portal?
This trend doesn’t by any means signal the death of the giants. By incorporating local content through mergers and alliances, and working to leverage the potential of e-commerce, m-commerce and wireless-mobile services, there are still plenty of opportunities for the big guys to grow.

As T-Online, Yahoo!, AOL, MSN as well as banks and equipment makers move in, the European portals will continue to be enthralling places to watch for both investors as well as growing numbers of European internet users.

Setting up Squid. Then Using It.

So I’m here in California, staying at a hotel for ten days and want to look at some websites. Nothing too fancy, some blog entries, research for upcoming reports, maybe some racy stuff like No-Load Mutual Funds. And I am, of course, like you, on a free, open, wireless connection. My mail is tunneled, but web isn’t. So I realize I should set up a proxy server somewhere else, like at home, and tunnel into it, lest anyone sniffing on the local WiFi LAN (not that I’d ever do something like that with something like Wireshark) or indeed the hotel’s wireless contractor have a record of everything I look at and type.

No brainer: Squid’s your man. But in looking around for a plain-English How-To set up Squid and then use it guide, I couldn’t find one. So here it is. The first thing to do then, is install and configure Squid.

Setting Up Squid
Because I am on Gentoo, this was easy:

emerge --sync
emerge squid

I bet on Debian it’s as simple as

sudo apt-get update
sudo apt-get install squid

Once Squid was installed, I saved the original /etc/squid/squid.conf file as a backup and then made this my new one:


http_port 3128
cache_mem 50 MB
visible_hostname DOSA
cache_dir ufs /var/cache/squid 500 16 256
offline_mode off
maximum_object_size 102400 KB
reload_into_ims off
pipeline_prefetch on
acl my_network src 192.168.0.0/255.255.255.0
acl localhost src 127.0.0.1/255.255.255.255
acl all src 0.0.0.0/0.0.0.0
http_access allow my_network
http_access allow localhost
http_access deny all

Then save, and restart Squid (or start it):

/etc/init.d/squid start

That, you’ll see, allows traffic from both the local network and localhost, but not from anyone else. We’re accessing via SSH, so once we’re tunneled in, our requests reach Squid from localhost.

I only allow access to the box via one port for SSH, and that is not a standard port. This little security-by-obscurity kludge was not for defense against hackers, but only to stop the bots from constantly knocking on my door and filling up my auth.log with automated login attempts. Those attempts were useless anyway because of the actual (non-obscurity-related) security measure: I don’t allow remote login with a keyboard password – you need a pre-saved key. Also, of course, the firewall does not accept connections to the Squid port – to get at that port, you need to SSH in and do port forwarding. (If anyone can tell me a better, safer way to do this I’d be obliged.)

There’s some other authentication stuff one could do quite easily (forcing a user prompt in the browser when users start a new session to authenticate to Squid via pam) that I feel comfortable ignoring in this case because I’m fairly confident about the physical access to the network (if that’s breached I have bigger problems) and also because web access to the box is limited as I’ve just described.

Setting Up The Tunnel
Now the trick is to get my machine here in the hotel to talk to Squid across an encrypted SSH tunnel lest I send my blog password and evidence of my looking at IBEX 35 stocks to everyone in my 17-floor hotel. This machine is an Ubuntu box, so I set up a simple SSH tunnel with port forwarding – using the technique first rattled off to me by Ian Sacklow, head of the Capital District Linux Users Group, while we were standing in a Barnes & Noble store about three years ago:

sudo ssh -L 3128:127.0.0.1:3128 user@your-server.com -p 7890 -f -N

The -L means bind the local port (given first) to the remote port (given last) of the server (given in the middle, wrapped between ::s). Put in a mnemonic way,

SSH BIND MY_PORT_HERE:server:THEIR_PORT_THERE.

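By that standard, I’m binding port 3128 of my local machine to port 3128 of the remote machine. The 127.0.0.1 in the middle is resolved on the far end of the tunnel, so it means the SSH server’s own loopback interface, which is where Squid is listening. Then I specify the remote machine with user@your-server.com and, if required, its SSH port with -p.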

The -f sends the SSH shell to the background – but brings it back if the SSH server prompts for a password or sends something else back. The -N (in SSH2 only) says, “And while you’re in the background, don’t execute any remote commands,” or in this case, “Just set up the tunnel and make yerself scarce.”

If you’ve timed out a sudo session or if you have just opened the terminal, you’ll be first prompted for your user password to carry out the sudo part of the command. Once that’s done, if your SSH server allows you to use keyboard interactive logins and you don’t have a remote key, then you’ll be prompted for the password of the user name on the remote server. Enter it and if accepted, you should just return to a local user prompt. Same if you have an SSH key – after running the tunnel command, you’ll just be returned to a local user prompt.

Tip: If you set up the tunnel and you get a message saying that the local port is already in use, find out what’s using it: in this case, you’d run:

sudo lsof -i tcp:3128

That should get you info about what’s running. Kill it and then start the tunnel again. Unless you decide that you don’t want to kill it, in which case, you’d change the local bind to a different port. It doesn’t matter a whit to either SSH or Squid.

Setting up Firefox
Now things are easy. You’ve got Squid running on the remote server. You’ve got an SSH tunnel connecting you to it. Now just tell Firefox where to look. In Firefox select Edit -> Preferences -> Network -> Connection Settings. Tick the radio button marked, ‘Manual Proxy Configuration’, type ‘127.0.0.1’ in the HTTP Proxy box and ‘3128’ (or whatever) into the Port box, click OK, then Close. Now type http://www.google.com into your URL bar and see what happens. With luck, you’ll get taken to Google.

To make sure you’re actually using the proxy, SSH into the Squid server box, and look at the tail of /var/log/squid/store.log. You should see something about google. To watch it change in near real time, do:

tail -f /var/log/squid/store.log

And surf to another location.

Summary
Web surfing in hotels or coffee shops is nasty stuff. This is one way to add a modicum of privacy to your activities at no cost but your time. Of course, corporate firewall requirements might require some modification to the tunnel commands to get out to your server, but shouldn’t present too much trouble. But beware – an entire industry exists which seeks to discover people engaged in just that kind of activity, which is certainly against your corporate access policy.