VCs Eye Location-Based Startups

With UMTS license bids in Germany in full swing [2000], there’s tons of hype about the coming of the mobile Internet. Signs are encouraging that the new mobile Internet will in fact allow VCs to look at some rapidly emerging technologies that will indeed change the way Europeans use information.

And right now, the smart money is betting on location services. VCs are saying they’re the coming killer app on the UMTS-powered mobile internet. The character string “m-” is currently as in vogue as was the character string “e-” two years ago. The space is heating up quickly, but there’s room for many.

“We haven’t yet invested in the end-application space, but I’m certainly personally very interested in finding some good, solid business plans in the area,” said Peter Boehringer, Investment Manager at 3I in Munich, which currently invests in location infrastructure company, Cambridge Positioning Systems.

“These are great applications that allow businesses to super-target their marketing and sales to very specific areas without wasting a lot of money. And the user likes it, too, because they get noticed and start getting offered things they really want and can use. Up to now no one’s been able to address this really local market on a broad scale.”

Great. So in the near future, as we’ve all heard, if we’re within five minutes’ walk of a Starbucks, our phone will beep telling us that a) a friend of ours happens to be nearby, and b) if we’d like to get together and have a coffee, we’ll get $1 off a large half-caf-mocca-skim-chocca-no-fat-triple-latte – if we show up in the next ten minutes.

There are two sides to the space, both interesting. There’s infrastructure technology – companies like Cambridge Positioning Systems, which develop the technology that performs the positioning and reports users’ locations. Cambridge’s Cursor system compares the relative times of arrival of signals between base transceiver stations and the actual handset and can thus extrapolate a user’s location to within 50 meters or so. Cursor has already undergone trials with companies including the AA, Vodafone and Maxon.

And then there are other companies, such as iProx, that are developing ways to use the positioning data for end-commerce applications.

“iProx is a very interesting company,” said Martin Fiennes, Investment Manager at Top Technology Limited, a UK VC firm, “and we’ve indirectly invested in them through Brainspark. Iprox is developing a series of applications and my personal view is that I don’t know which of them will become the killer app, but I’m confident that one or more of them will.” iProx received seed funding of US$1 million in April, and is presently in the middle of an interim round of funding, looking for £3 to £5 million.

“The trick is,” said Ravi Kanodia, iProx co-founder and Chief Operating Officer, “if you know where the people, stores and places of interest are, then you can be quite clever with the technology, for example by letting people know when their buddies’ phones are in the area without their actually ‘asking’ for it, through our use of intelligent profiling. You have to be capable of following millions of users but you mustn’t send the traffic bandwidth through the roof or require millions of supercomputers to process.”

There are barriers.

First, the technical: telecoms believe that the location data they can provide are the crown jewels in their collection of services, and they’re not only unwilling to let those go cheaply, they want total control over them. This brings up the issue of just whose data it is – it isn’t the operator’s location, it’s the user’s location, and it could well be argued that the user may indeed own the rights to his location signal.

But it would seem that this first barrier is less of a problem than it might appear: true, different telecoms use different technology, and have in the past refused to share it with their rivals. But companies offering end-use applications will have the opportunity to act as a ‘Switzerland’ – a middle-ground interface offering cross-platform services. This has benefits for both telecoms and users: for example, SMS usage became what it is today only after the telecoms allowed it to become a cross-platform tool.

“I think that rather than the services being controlled by the operators,” said Sandeep Kapadia, Investment Associate at Prime Technology Ventures in Amsterdam, “what we’ll see is something similar to the web-based portals, and similar to what NTT DoCoMo is currently doing: synergy of multiple applications. There will be hundreds of available applications, from hundreds of companies, and the operators will take a cut.”

Another barrier is, naturally, that this brings up the old privacy bugaboo in a major way. Privacy laws and etiquette vary throughout Europe, and, as 3i’s Boehringer says, “Not everyone wants their movements tracked.”

But VCs agree that solutions to the legal as well as the privacy issues are on the horizon, perhaps as early as this coming autumn. Users probably will be able to selectively give permission to m-marketers to send them, say, certain types of offers. Or use iProx’s much-touted “buddy system”, which tracks the movements of a group of friends, constantly vigilant for the opportunity to beep any two and tell them they’re in close proximity to one another.

And the legal issues are currently under review throughout Europe as well. It is to the advantage of all parties to come up with a solution to any legal barriers as quickly as possible.

One last thing: this is an entirely Euro-phenomenon. US-based mobile systems are simply too creaky, too convoluted and frankly too pre-m-historic to even contemplate such a system without major investment. With this technology, Europe clearly leads the way, and things are moving fast – so fast that searching the internet for companies in the space will likely be an unrewarding activity.

“We’re talking about something that’s moving fast,” said 3i’s Boehringer, “way too fast for Internet here.”

Family Radios Keep You In Touch

It’s a holiday nightmare: your child, found tearfully tugging at the skirts of a grinning theme park employee, has ratted you out as the parents that lost him.

As hundreds of university students in air-conditioned fur character suits have your description, the net closes in. Goofy’s speaking into his wrist and pointing at you!

Now you’ve got to face dozens at the dreaded Guest Relations, where you collect your wayward child and sheepishly explain that, “I only turned my back for a SECOND!” For families and groups of even two visiting American theme parks or malls, walkie-talkies on the new US Family Radio Service can be a godsend.

A new range of inexpensive handheld radios operates on the FRS, a set of US radio frequencies that are available to users without an FCC license. Hand-held CB radios, while powerful, couldn’t provide a traffic-free channel, and carrying a roaring pocketful of “good buddies” through the Magic Kingdom just didn’t seem practical.

So radio manufacturers Motorola and Radio Shack made the FCC a deal: loosen restrictions on the airwaves, and they would produce low-cost walkie-talkies that would allow friends and families to communicate – say, across the wilds of a theme park, shopping mall, park or forest.

The FCC passed the Family Radio Service act in 1995, clearing the way for Motorola, Radio Shack and other manufacturers to produce some of the coolest little handheld radios on the market.

Motorola’s main entry, selling at around US$89 a piece in shops (but listed as $129 by Motorola), is the neon-colored TalkAbout: very colorful and retro-modern looking (think Buck Rogers) two-way radios with a range, they claim, of up to two miles.

Radio Shack’s 2-Way Personal Radio models, which are actually built by Motorola and cost about the same as the TalkAbout, look somewhat more Mission Impossible. They’re clumsily marketed, but the Radio Shack models, along with FRS walkie-talkies from companies including Kenwood and Midland, are very good products with just about the same technical specs as the Motorola-branded models.

I recently took the Motorola radios on a little trip through Walt Disney World, the Sawgrass Mills Shopping Mall, the Kennedy Space Center and the entire state of Florida, and the Radio Shack radios through Orlando. I’m happy to report that when you’re in the theme parks or on the same floor of a mall, these things are absolutely fantastic.

Plop! One shortcoming was that despite the rugged looking case, the TalkAbout is by no means waterproof. While planning our day poolside, I read with interest the TalkAbout manual, which said, “Water Resistant…” and before I finished reading the sentence I tossed the little yellow box into the pool, expecting it to float.

I have never seen something sink so quickly.

I dived in after it, and when it surfaced, I turned the power switch on. It made the most pathetic electronic noise since R2D2 was deactivated: Beeeeeewooop. After an hour with a newly-bought six-point star socket wrench and a hair dryer, I’m happy to report it worked as good as new.

“Water resistant”, apparently, means it can be rained on lightly. Tempting as it may be, don’t expect the thing to work under water unless it’s in a waterproof plastic bag.

Vowing to use it only as intended, my wife Corinna and I set out for Orlando and the theme parks.

Disney
The thing to remember is that the range conditions stated on the box are optimal – as in, optimally you’ll use it at night, at sea level, with clear skies, and in Tahiti.

The actual range we found was just about a mile, which is perfect for, say, the whole family in the same Disney park. Across the Magic Kingdom, we were able to communicate perfectly, making this a natural for parents to let their kids run off with one radio while they keep the other.

We did a range test, with my wife on the monorail to Epcot. We were able to hear each other only for a little while before her comments became just about,

“Im gzzrbth with baazrrrb CRACK Epcot”

But within the parks themselves, the radios functioned absolutely as promised. We even had no interference – our own private channel – despite the sight of about seven or eight other families in the area using their FRS radios.

That’s because all brands of these radios allow you to broadcast subaudible tones which effectively multiply the available channel sets tremendously: there are 14 channels and 38 subtones from which to choose.

The Radio Shack model worked great throughout the Belz discount outlet mall. We had some fading in and out, but could always hear each other.

Since specs are all very similar, your choice is really which one you like best or, more likely, which one’s cheapest at the time you’re shopping for them.

The TalkAbout and TalkAbout Plus, while not waterproof, are certainly rugged, and stood up to drops and bumps. We saw a kid at the Kennedy Space Center kicking his radio and then speaking on it. The manual didn’t mention anything about this, but I assume it is not recommended.

The best place to buy the radios – whichever brand you decide on – is in the States, where the prices are better than in Europe. They’re sold at many electronics shops, all Radio Shack locations and in ham and commercial two-way radio shops. You can also buy them over the internet and have them delivered to your hotel in the US, saving on international shipping and import duties.

Motorola’s website is www.motorola.com. Radio Shack’s website is at http://radioshack.com. Midland and Kenwood FRS radios are available through Northern Mountain, www.northernmountain.com.

Clinitrac’s Brick Could Save Pharmaceutical Companies Millions

The development cost of a pharmaceutical drug can easily run between $500 million and $800 million, and clinical trials alone can cost between $1 million and $2 million per day in lost future revenues. So imagine a service that could reduce by a year the time it takes to perform a clinical trial, analyze the results and submit them to the US Food and Drug Administration (FDA).

That’s the dream of Stockholm-based Clinitrac, which has produced a working prototype of its GSM-based wireless solution geared to the problem of initiating, gathering, analyzing and accessing the information generated through medical clinical trials. The time saved depends, of course, on many factors; the year-long figure probably applies to larger, longer trials.

VCs Believe
Clinitrac received $3 million in seed funding in May 2000, mainly from BrainHeart Capital and HealthCap, but also netted stakes by the Swedish Industry Fund and others. The company is currently entering a second round with the original funders, to the tune of an additional “three to four times that amount,” and is seeking to bring an additional, US-based venture partner into the fray.

The company has yet to produce revenues, but its working prototype is impressive. It has already cut a deal with Psion for the NetPad and is in discussions with a major PDA manufacturer. And it has had meetings with US GSM operators to ensure that Clinitrac’s product will have all the GSM network coverage it needs when it offers its product to US markets in 2001.

Patients enter information on a half-brick-sized Psion NetPad, which has a wireless Internet connection, a touch-activated screen and enough shock absorption around its edges to tolerate a month in a New York City public secondary school. The information is then transferred back to the company performing the testing, and made immediately available to doctors, scientists, product managers and developers.

“This sounds like an interesting technology,” said Nick Woolf, biotech analyst for ABN AMRO. “There are other companies in clinical trial services who claim to have various systems – voice recognition systems and others – but it’s certain that real-time information on a clinical study is valuable.”

Clinical Trials Today
The process is, in a word, revolutionary. Today, patients are asked to fill in paper forms, and they often forget, fill them in late or inaccurately. This information is delivered to a doctor after 30 days, which means that a patient who repeatedly misses his noontime dosage or has an adverse reaction to a drug would not be identified until after at least a month.

“The biggest problem with clinical trials,” said Clinitrac CEO Andreas Segerros, “is keeping the patient in the trial. Once they blow the protocol a certain number of times, you need to take them out. Our product would allow monitors to see, on a daily basis, that Mr. Thompson over there keeps missing his 3 p.m. pill, and call him early enough to keep him in the study by making sure he took the drug.”

That indicates a level of involvement and monitoring of tested subjects unheard of today. Currently, paper forms are stacked up from around the world, flown to central data processing facilities and keypunched into systems before anyone can even have an idea of the nature of the data.

The major risk, Woolf said, is getting the product out there and recognized as a clinical trial service. Most large pharmaceutical companies, he said, contract out much of the work of clinical trials to Contract Research Organizations (CROs).

“Today there are CRO subcontractors that do nothing but take dirty paper forms filled in by patients and scan in the results,” said Henrik Linder, Clinitrac’s clinical research operations senior director. “[Our] system gives you clean data, digitally, directly where you need it and in real time. And when we approach the pharmaceutical companies, they’re like, ‘Finally! Thank you!’”

There are potentially several areas in the pharmaceutical industry where a product like this could be used to produce both savings for the end user and increased profits for the manufacturers. Traditionally, on approval of a drug, the onus is on the drug companies to appeal to the FDA in order to maintain a high price – the FDA is in effect negotiating on behalf of the American Medicaid system, which will pay or not pay for a drug based on the assessment of the FDA.

The pharmaceutical company will argue that a) the thing took them years and billions of dollars to research, b) it meets an immediate, and heretofore unaddressed, need of the general public, and c) the quality of life improvement, or simply the decrease in necessary medical attention required by a patient taking this drug, is so compelling as to justify a higher dose or daily cost of the drug.

Clinitrac said its product can help in this process as well, by allowing pharmaceutical manufacturers to have access to a broader-than-ever range of quality-of-life questions, or information above and beyond the physical effects of the drug.

For example, in addition to hard medical questions of efficacy, a patient on a clinical trial for a drug that attacks skin rash would also be asked questions such as: “In the last week, how often did embarrassment about your condition cause you to make more conservative clothing choices?”

The answers to questions such as these would enable pharmaceutical makers to argue that in addition to straight efficacy, the drug in question has a positive impact on the patient’s quality of life – a compelling argument for a higher price for the drug.

“As a monitoring tool it could be extremely effective,” said ABN AMRO’s Woolf, although he stopped well short of saying that the technology alone would amount to a stronger negotiating position. “Whether you can correlate the monitoring tool to a gain of negotiating points with the FDA, HMOs and other reimbursement agencies would be difficult to claim.”

He added: “These guys need to team up with a Quintiles or a Covance,” referring to two of the larger CROs. “Because those are the ones that already have the relationships and access to clinical hospitals.”

Absolutely true, Clinitrac agreed. For now.

But the company is convinced that eventually pharmaceutical companies will see the savings involved in their real-time offerings, and Clinitrac won’t be keeping many friends in the CRO world for long.

A sample network access policy

In order to protect our network, computers and the confidential data of our clients, [Firm Name] (the “Firm”) has instituted this Network And Computer Access Policy. We’re protecting against not just the damages and liability created when unauthorized access occurs, but also against viruses and physical damage to our systems.

Introduction
This document sets forth standards which must be adhered to by all employees, contractors and any user granted access to any machine on the Local Area Network (LAN) at any time, whether physically present at the Firm or via remote access.

Failure to comply with the policies set forth in this document will result in disciplinary action, and may result in termination of employment.

Definitions
For the purposes of this document, an “Employee” is any employee, contractor, agent, temporary worker, vendor and any other person in a position to know or obtain information about computers or devices on the LAN.

The firewall is a hardware or software device which protects the ports of computers on the LAN. For the purposes of this document, “Remote Access” shall mean access to the Local Area Network from any location outside the firewall by any method, including but not limited to Virtual Private Network (VPN), dial-in modem, frame-relay, SSH, cable-modem and any other method of accessing the LAN from outside the firewall.

Policy Scope
The Policy applies to any person granted authorization to access any computer or device on the Firm’s LAN (an “Authorized User”). This includes but is not limited to contractors, temporary workers, vendors, sub-contractors, employees, attorneys and partners authorized to access any of the Firm’s computers, locally or via Remote Access, for any reason, including email and Internet or intranet web browsing.

Physical Security
All computers and devices on the LAN must be physically secured when left unattended. All servers must additionally be secured with locking devices such as keyboard locks.

Any notebook or laptop computer, Personal Digital Assistant (PDA), Internet-capable cellular device, Wi-Fi-enabled device or other device capable of connecting via Remote Access to the LAN (a “Mobile Device”) must be secured with a BIOS password and user authentication. Any Mobile Device must run up-to-date anti-virus protection and a properly configured software firewall (see __ below).

Any Authorized User must take reasonable steps to ensure that any Remote Access to the LAN is treated with the same security approach as a connection made within the Firm.

Information Security
It is essential that each Employee be instructed never to tell even the most seemingly innocuous detail about the Firm’s Information Technology (“Sensitive Information”) to a third party. While it may seem inconvenient or rude, all Employees – from temporary receptionist to senior Partner – must treat as suspicious any request from any third party not personally known to that Employee. Private detectives and others who specialize in information retrieval may call several people in a firm, asking each for a seemingly innocuous detail, which combined can result in a breach of the Firm’s security. Employees must jealously protect any information about the Firm’s Information Technology, including but not limited to:

  • Never telling a caller any details including but not limited to server names, Internet Service Providers, telephone provider, email server information (including email server name), printer type, computer brand, router type or brand;
  • Never telling a caller the name of your Information Technology specialist, whether that Information Technology person is in-house or contracted;
  • Never telling a caller the name of any Wireless Access Point (WAP) SSID; never confirming the presence of a Wi-Fi WAP;

Any caller not personally known to the Employee who requests Sensitive Information must be referred to the appropriate department head or Partner, without giving such person the name of such appropriate department head or Partner. If such referral is not possible or practical, then the Employee must request from the caller a callback number, to be given to the appropriate department head or Partner, without giving such person the name of such appropriate department head or Partner.

Password Security
All Authorized Users must use strong passwords. Unacceptable passwords include but are by no means limited to,

  • first or last names, or combinations thereof;
  • names of an Authorized User’s children or pets;
  • words found in a dictionary, or combinations of dictionary words with a sound-alike digit (second2, etc.);
  • the words password, admin, update, access, login, computer, terminal, workstation, work, home, etc., or variants on them.

Strong Passwords are a string of at least eight characters of upper and lower case letters and numbers.

Authorized Users should change their password regularly.

No Employee may leave a password written down in proximity to the computer or device which the password accesses.

No Employee may ever provide their login or email password to anyone, including family members.

Acceptable Use
Authorized Users may access the Internet for Firm business or personal information provided that they:

  • do not jeopardize the security of any Firm or confidential client information which may be present on the computer being used to access the Internet;
  • do not violate any of the Firm’s policies;
  • do not engage in illegal or prurient activities;
  • do not engage in outside business interests;

Wi-Fi Security
Any Wi-Fi Access Point (WAP) must be configured to comply with the four-step Proposed Standard of Reasonable Wireless Network Security in Law Firms available at http://www.delmaropensource.com/standard.htm. This proposed standard provides four steps to securing a WAP, which includes:

  • Changing the WAP defaults (administration password, router name, router IP address, SSID name, etc.);
  • Encrypting the signal using the best available encryption method, in order from most to least desirable: WPA2, WPA, 128-bit WEP;
  • Requiring VPN access into the LAN from anywhere outside the Firewall;
  • Implementing a written access policy, such as this one.

Wireless (Wi-Fi) Access
Any access to any computer or device on the LAN behind the firewall must be via VPN. Any Authorized User accessing the LAN via VPN from their home or other WAP (a “Remote WAP”) must apply all four steps above to the Remote WAP.

Remote Devices
Any Employee using any Remote Device must ensure that such device is updated with the most recent security patches for their Operating System.

All machines on the LAN and any Remote Device must run current versions of anti-virus software with regularly updated virus definitions. Note that new viruses are introduced every hour; “regularly updated virus definitions” means at a minimum once each week. It could be argued that updating every 24 hours is reasonable.

Any Remote Device must be running a properly configured firewall program such as ZoneAlarm or Computer Associates eTrust. Users at a public hotspot must be aware that, if such Remote Device is not running a firewall, a malicious user can gain access to the Remote Device and install software or remove files from the Remote Device’s hard drive.

Any Authorized User using a Remote Device outside the firewall must use the VPN to send and receive Firm email. No Firm email may be sent using third-party email services (including but not limited to gmail, hotmail, etc).

Any Authorized User accessing any computer or device on the LAN for remote management or administration must use SSH or VPN. For remote file transfer, SCP, SFTP or VPN must be used. Under no circumstances shall Telnet, FTP or any other unencrypted access method be used.

No Employee using any Remote Device shall access the LAN while connected to any other network, except a personal network over which such Employee has complete control.


There’s Money In Them Thar Parts

When you find your 14 year-old son in the middle of the living room with a guilty look on his face, a screwdriver in his hand and your nifty new UMTS cell phone in a million pieces on the floor, hold off on blowing up for a second – the pieces you see represent the achievements of some of today’s greatest European start-ups. And there’s opportunity in them thar parts.

“We make the software that runs OSI layers one through three of the handset,” said Clifford Dong, CTO at Zesium, a Munich start-up that last year received a seed investment of €2 million from 3i. He’s referring to the “seven layer” stack concept, which includes layer 1, the ‘physical layer’, which actually sucks and blows bits into the airwaves; layer 2, responsible for guaranteeing the safe delivery and receipt of data; and layer 3, which deals with what data will be transferred, along with mobility management, radio resources and call control.

3i says that because Zesium’s business is personnel-intensive rather than finance-intensive, it doesn’t expect to have to sink any further money into Zesium any time soon – even though the company is making extraordinary headway and faces little competition to date. “They have very specialized know-how,” said Peter Boehringer, investment manager at 3i, “and there are several large manufacturers who would rather buy the software than build it, and Zesium is very good at building this software.”

Some larger handset manufacturers, Boehringer said, are committed to building it themselves, but Boehringer thinks that those companies might not have the manpower they would like, and therefore even they might end up at Zesium’s door. “We’ll just build it and see what happens,” Boehringer said.

VCs say that this kind of guts-building is exactly where small start-ups can benefit best from the spending frenzy as European telcos prepare to invest what Commerzbank estimates will be €87.5 billion over the next four years and a total of €175 billion over ten years.

“We see a trend,” said Max Oppersdorff, Vice President of EM Warburg Pincus in Munich, “that hardware vendors are acting more like general contractors. The major part of what they supply they make in house, but they’re trying to buy from third parties that are out on the edges of advanced technology where perhaps the vendors are not as advanced – and sometimes the customers themselves are even demanding this.”

Much of the spending flurry will be focused on issues of infrastructure, and while much of the backbone and base station action is likely to be taken up by the Nokias, Lucents and Ericssons of the world, there are literally dozens of niche areas in which small, independent and fast moving technology companies can move in and own the space.

Take, for example, base station amplifiers. The frequency and bandwidth used by the next generation of mobile phones push the envelope of the specs of existing base station transmitter equipment, and there is an enormous and immediate need for more efficient linear amplifiers. Amps, in the boxes at the bottom of base stations, currently require fans and other cooling technology, and must be constantly monitored. The infrastructure cost associated with all this coddling can add up.

“Telecoms spend tens of millions of pounds in any year on electricity,” said Dave Cheesman at Advent Venture Partners, “and a lot of that goes to wasted power in amplifiers.”

Advent is backing, along with Deutsche Bank and 3i, a company called Wireless Systems, which makes a range of patented, next-generation, wide-band linear, high-efficiency amplifiers. Wireless just closed its third funding round for $23 million.

Opportunities Everywhere
New hardware and software technologies – or even new applications of existing technologies – are also absolutely essential. Squeeze any portion of the mobile world and an opportunity just might pop out: the next generation of mobile phones, and their increased bandwidth, means that handset range given the available power will decrease. To combat this, handsets require far more efficient antennas in order to provide services without sucking dry batteries in the dialing process.

Consider, too, the humble handset. The amount of technology crammed into those tiny little buggers is astounding: aside from the chips, switches and other hardware, today’s typical handset already contains around 2MB of code. That is expected to quadruple in size as mobile devices become more complex.

Or ponder the very deployment of base stations. New generation mobile cells will be smaller, and therefore more will be required. Companies that make a new generation of network planning software will be of intense interest to telecoms looking to maximize the efficiency of physical placement of base stations, and even the angle at which to point the antennas to squeeze every gram of coverage possible out of the new systems.

Even backlighting technology is being reconsidered: Advent’s Cheesman says that current systems, which use light-emitting diodes (LEDs) and molded acrylic light guides to sort of shove the light where it’s needed, are less than perfect. “They use lots of power and don’t supply even lighting,” said A. Kianin, Technical Director for Elumin in Wales. Elumin uses electro-luminescent material for a range of applications, from private jet refurbishments to escape lighting on aircraft, to night vision devices and, of course, mobile telephone handsets.

EL is nothing new in the world, but it is relatively new to handsets. It uses a light-emitting phosphor sandwiched between layers of insulation and conducting electrodes, which are then laminated together. The result is a light that can produce a range of brightness levels with negligible heat. Advent has recently invested more than €2.5 million in Elumin, which, Kianin says, expects to begin production of its backlighting products for “a big company” as early as November.

Germans Flip Over Tax Reform (In A Good Way)

German business leaders are euphoric over a tax overhaul that lets them redirect investment once tied up in other German companies and funnel it into high-growth sectors like high-tech. But there is growing concern among German retail investors that the package, introduced by the German government after years of debate, may pose more questions than it answers.

The tax scheme, expected to reduce German tax receipts by almost DM60 billion by 2005, includes a provision that removes corporate long-term capital gains taxes. This ends the post-war German tax regime which effectively required German companies to hold stock in one another.

Business leaders hail the long-debated reform, and are almost counting their earnings already from investments in euro-dot.coms and high-tech ventures. But according to an n-tv poll published in the Abendzeitung, 51% of Germans surveyed said they felt that the tax package would hurt, not help them, despite a personal income tax cut for both low and high income earners.

Some labor leaders worry that a mass shift of funds by banks and insurers away from more esoteric or even merely poorly performing holdings and into industry consolidation and mergers and acquisitions could threaten German jobs, and the decades-long peace between German industry and labor unions.

But business leaders insist that freeing up their investment capital will allow them to invest in high growth sectors. “This decision increases strategic development for German corporations,” said Stefan Radloff, Senior Vice President Accounting & Financial Controlling, for Infineon Technologies, “However, we do see further discussion necessary regarding individual points of the decision, particularly within the area of corporate income tax law and tax write-off regulations.”

The funding from capital gains “will allow companies to focus on their core competencies,” said Peter Klostermeyer, senior analyst at VMR. “German old economy companies, for example, in steel and mining, already have in place an IT business or Internet division, so they’ll probably take money out of cross-investments and use it to build up and possibly spin-off these divisions.” The value-adding investments would garner the attention of investors and increase stock prices.

Cross-Holding
Cross-holding was introduced after WWII as a means to promote consensus among German corporate management, which had to maintain holdings in diverse industries – such as insurance companies investing in tire manufacturers, construction firms and banks. The velvet hammer of compliance with this system, widely credited with smoothing the course of the German Wirtschaftswunder – economic wonder – was that corporations would be hit with earth-shattering capital gains taxes should they sell their cross-holdings.

All that changed when the compromise, a mainstay of parliamentary debate in Germany since before the Kohl era, was passed.

German Business Ready To Rock
Though the Financial Times has reported that Deutsche Bank Chairman Rolf Breuer plans aggressive divestment of Deutsche Bank’s estimated €23 billion in industrial holdings (including DaimlerChrysler and until last month, insurance group Allianz), Breuer has made clear the bank “…will try to avoid overcrowding the market with potential sellers. We will have to do it smartly.”

Banking analysts also believe that the odds of a fast-paced sell-off are slim. “As far as I can see, this will encourage some divestiture, but on balance I think this issue may be overblown,” said an analyst at Commerzbank. “Banks have really enjoyed the earnings smoothing capacity of these cross holdings, which has allowed them to realize profits that can offset costs such as restructuring – without this, the volatility in the German banking climate over the last few years would have been very significant. And dumping the shares would dilute the price, and banks aren’t dumb.”

Analysts also say that in addition to pure financial motives that would encourage a steady and slow sell off as opposed to a rapid money move, there is also a very real sense of tradition.

“These are legacy positions,” said the Commerzbank source, “and there are some very strongly-held views that these are the family shield, so you won’t see a wholesale sell off within a short space of time, but rather a slow, gradual process.”

But the overhang – the market’s sense of “waiting for the other shoe to drop” on releases of chunks of stock, may in itself provide downward pressure on German stock prices over the long term.

Changing Insurance Landscape
For the insurance industry, at least for insurers with large portfolios, the newly found freedom from cross-holding would seem to be an equal shake. While German companies in other industries will surely divest themselves of some of their insurance holdings, German insurers will be free to consolidate further within Germany as well as to expand across European borders.

“This won’t mean any immediate change in ratings,” said Karin Clemens, Associate Director at Standard & Poor’s, “but this will speed up the consolidation process within the German insurance market. And it would mean opportunities to broaden. For example, Allianz can’t further expand in Germany, so we would expect them to try to build their positions outside Germany – but we also expect further that it will allow foreign insurers the chance to get in to the German market.”

Labor Unions
Some have expressed concern that shifting capital out of certain sectors could threaten German jobs, and the peaceful relations between industry and labor unions that have been a hallmark of the German post-war success.

“We support the tax reform package in general, and think it is good for Germany and for Europe” said Claus Eilrich, a spokesman for IG Metall, Germany’s largest labor union, “but we have some problems with the corporate capital gains cut. Germans must pay a tax for everything, so we question why large corporations should get what amounts to a present from the government – this even took the insurance and banking industries by surprise.”

Personal Income Tax
The German plan also provides a healthy tax cut for the wealthy, and much smaller cuts for middle and lower income earners. Some believe that this “Supply side” approach creates an unbalanced economic model, but German economists feel confident the mixture is a prudent one.

“That supply-side issue is always a problem,” said Rudiger Parsche, Expert for Financial and Tax Matters at Munich’s IFO Institute for Economic Research, “but I think this package has a good mix, reducing tax rates significantly and increasing the minimum amount of tax free income to DM15,000 by 2005. So taken altogether we suppose that the package will also increase the demand side.”

Visiting The Front Lines

The future is wireless, or at least that is what Nokia, Ericsson and a host of startups and network operators are earnestly hoping. But the quick success of 3G – The Third Generation of mobile telephony – is more than profitable icing for these companies; it has now become a matter of survival….

This article, which ran in the February, 2001 issue of Tornado Insider magazine, looks at the overall climate in European development of 3G, and then explores how each of Europe’s largest telecom networking manufacturers, Ericsson and Nokia, is coping with the challenge.

…………………………………………………….

For some time, both Ericsson and Nokia have vigorously embraced the role of global industry hothouse by developing new divisions and enhancing old ones to deal with the 3G challenge. But it is about more than money.

“For a fraction of what the operators spent on 3G licenses, they could buy 10 application startups to help with rollout,” says Martti Malka, a partner in Nokia Venture Partners, which is independent from parent Nokia. “It’s not the money; it’s the business model, and the successful operator is going to look to third parties to come up with the innovative business propositions.”

Resources for innovation, too, are only part of the problem. Ericsson has established itself as a curious anomaly. The heavily bureaucratic, press release-driven monolith commands a sensational ability to introduce and gather support for industry-wide protocol initiatives, like Bluetooth and OSGi, its home gateway platform. Nokia, meanwhile, has made huge progress in end-user customer loyalty through its desirable handsets, capturing 30 percent of the worldwide handset market. Nokia is claiming great gains in GPRS and 3G networking contracts as well.

Nokia and Ericsson realize that in order to give their customers, the operators, the return they’re demanding, they must aggressively court small startups working on applications, services, and hardware for 3G. They’ve partnered with VCs for some, and will continue to do so for others. They have also spent considerable time and money making sure that when 3G rolls out it will live up to the hype.

Enter the startups
“We know we have to develop this market and the key issue is getting the right applications,” says Bengt Larsson, marketing manager for Ericsson Business Innovations (EBI), an independent subsidiary of Ericsson. “It’s not until we have the applications on board that we will see the 3G market take off.”

Nokia Venture Partners, with $500 million under management, concentrates on early stage mobile Internet companies, and looks specifically toward those creating enabling technologies. A perfect example is AVS Technologies, an Espoo, Finland, company whose MVQ (motion vector quantization) method is a high-end video compression and transfer technology that compresses video streams 10 times more effectively than RealPlayer or Windows Media.

For its part, EBI, as well as main divisions of Ericsson such as its Mobile Location Services, work closely with small startup companies developing applications that would eventually work with an Ericsson 3G network. For instance, Ericsson Mobile Location Services works and co-markets with It’sAlive, a startup games-maker funded by Speed Ventures in Stockholm. It’sAlive just rolled out its first product, a location-based game called BotFighters, in which SMS messages appear when opponents are in firing range.

BotFighters is currently running in Sweden on regular public networks. “Ericsson would welcome any application developer who would like to try out a 3G application to come and use it on our demo network in Kista. It’s one of the few places in the world where you can actually test 3G applications in a practical environment,” says EBI’s Larsson.

The first step taken by application startups is a visit to the Ericsson and Nokia developers’ websites, which allow any company to register to receive technical specifications, assistance, emulators, and limited access to the developers’ community for the particular product in which they’re interested. Companies that push past that point and go for a more formal partnership, like It’sAlive, are given co-marketing support and access to live research and development projects, not out-of-the-box technology.

While Ericsson and Nokia are both taking to their roles with gusto, developing deals with laundry lists of third parties from startups to global players, there are subtle differences in their approaches. The following profiles look at the efforts by each of the vendors, and compare and contrast their approaches.

Dell? He’s All Wrong In Europe…

To hear Hermann Oberlehner tell it, Michael Dell has got it wrong in Europe. “We’ve looked at this very carefully,” he said, “and in Europe outside the U.K., the Dell model just won’t work.”

This statement might ordinarily be dismissed as having come from a jealous also-ran. But Oberlehner is founder and chief executive of Gericom AG, based in Austria, which has quietly become the leading vendor of personal notebook computers in Germany. Last quarter, Gericom shipped 111,000 units in Europe, beating out such heavyweights as Dell Computer Corp., Toshiba Corp., International Business Machines Corp. and Acer in Germany.

In Europe overall, Gericom is the No. 5 vendor in mobile computing, according to International Data Corp., with a 9 percent market share.

“They are a very aggressive vendor in the consumer portable market, with a very strong focus on the lower-end consumer market,” said Stefania Lorenz, senior analyst for European personal computing at IDC.

But Oberlehner said he realized in the mid-1990s there was a hole in the European mobile computing space. As manufacturers struggled to make ever-slimmer notebooks for the lucrative corporate market, consumers were being left behind.

Gericom discovered that, with modifications, cheaper Intel Corp. chips designed for desktop computers would work in notebooks. While the company had initial quality control problems and a high rate of return – some say as high as 30 percent – new heat dissipation methods were employed, and the problems were worked out.

“Where before everyone had thought ‘smaller,’” said Ranjit Awtal of Gartner Inc., “Gericom asked, ‘Just how much mobility do you need to move your computer from the kitchen to bedroom?’

“They took risks when other vendors were reluctant. By providing a cheaper, slightly heavier and less mobile PC, Gericom actually paved the way for much of the mobile growth in the European home market today.”

By about 1996, Oberlehner, looking to cut costs and frankly tired of contending with retailers, took a hard look at Dell’s U.S. mail-order business and seriously considered emulating it in Europe.

“We tried to compete using the Dell model here in Europe,” said Oberlehner, who established Gericom in Linz in 1991, “but we discovered that we just didn’t need to – in fact, that it just wouldn’t work here.”

Of course, Dell has been doing just fine in Europe, with about 10 percent of the overall PC market, trailing only Hewlett-Packard Co.

Oberlehner believes that on the Continent, the customer’s buying experience differs drastically from that in North America. In Europe, customers prefer a more intimate sales environment, and they trust that salespeople have experience with the machines they proffer. The selection process is heavily geared toward comparison shopping by cost, brand and features, especially local-language and culture-based add-ons.

This, Oberlehner said, is unlike the experience in North America and Britain. “Americans are poor computer buyers,” he said. “They don’t look at specs – they look at the brand, the size, and buy. Dell works so well because the entire American retail system is set up with enormously costly pitfalls.”

Since no one cares about the specs, the logic goes, the sales team does not need – and often does not have – much information. Customers buy the name, and when they have a problem or the machine does not do something they need it to, they can bring it back to the retailer because of the generous U.S. return policies.

Oberlehner says that while profit margins in the United States are higher than in Europe so are costs. So Oberlehner stopped looking at retailers as adversaries and began seeing them as a symbiotic necessity: Where the retailers can provide marketing access to a customer base, Gericom can get the product quickly to market. As long as Gericom is willing to move quickly and provide post-sales support and service, the model works, he says.

But to succeed, he said, you must be willing to take razor-thin margins and produce using small teams working around the clock. Gericom, which outsources much of the assembly-line production of its notebooks to the Taiwan-based assembler Uniwell and some other Asia-Pacific companies, employs fewer than 300 people in Austria.

Gericom’s home-turf advantage also means that it can, for example, ship 7,000 units overnight to the main distribution centers for leading European retailers such as MediaMarkt, Lidl, Carrefour or Dixons without breaking a sweat.

And relying on local sales support and marketing initiatives rather than trying to centralize or even regionalize means that local buyers feel that the machines cater to them – whether the brand name on the box is Gericom, Gerico, a Dixons line or something else.

“We can’t possibly compete with big vendors in the corporate market,” Oberlehner said, “where you have multinational needs. But likewise, the multinationals can’t compete with us in providing local support and computers that local people need. It’s not a question of price; it’s a question of tuning the products to meet the needs of each local market.”

Gericom keeps its focus on mobility. It was the first notebook maker to introduce a GPRS-enabled notebook computer, and it followed up with partly “ruggedized” notebooks aimed at the upper portion of its lower-end market.

Into the future, Oberlehner is counting on an “enormous potential” for replacing desktop computers with laptops in Europe. He cites research that says that fewer than 60 percent of German households own a computer, for example, and of those, only 15 percent have a laptop.

A proposal for Reasonable Wireless Security for law firms

It’s just past 8.30 am on a busy Tuesday. A five-person legal team has just arrived to work with your firm on that big case. For the next four days, these five lawyers will be camped in your conference room. And their first question is, “How do we get Internet access?”

[Ian Sacklow co-wrote this white paper]

At many small and mid-sized firms in the US, the answer is increasingly, “We’ve got Wi-Fi.”[1] A Wi-Fi Access Point (WAP) allows your computer or personal digital assistant (PDA) to connect to the Internet, or a computer network, at high speed, without wires (see sidebar).

Wi-Fi lets your clients use the Internet or access their corporate network. It allows your partners, associates and interns access to the web and your Local Area Network (LAN) from the library or lunchroom – or the coffee shop across the street.

In the immediate future, lack of a Wi-Fi connection to the Internet will be as disruptive to a law firm as the lack of an Internet connection, or a mobile phone.

As we adopt new technologies, no matter how revolutionary or wonderful they may be, we must not be reluctant to address their vulnerabilities. An improperly or incompletely configured WAP is itself a vulnerability: it extends your network to anyone within radio range. Fortunately, there are inexpensive and easy-to-employ safeguards against many of the resulting risks.

Executive Summary
This article is intended to provide attorneys and support staff with an overview of Wi-Fi, and the challenges they face as they maintain the confidentiality of client documents and information in a wireless network setting. This article proposes a standard comprising the steps which law firms should take to reasonably prevent intrusion into their LAN via their WAP, and thereby protect the confidentiality of their clients’ information.

The article is geared towards those in the many law firms which don’t have full time Information Technology (IT) departments, or formal computer training. The steps suggested do not provide a guarantee against unauthorized intrusion. They do provide a reasonable amount of security at reasonable expense.[2]

When it comes to a lawyer’s duties to maintain confidentiality, I’ve been told there has been no landmark ruling about what are reasonable measures to protect client data across a WAP. A poorly configured WAP can expose your clients’ confidential information. Unless you wish to be the test case to establish that standard, you should establish and maintain reasonable levels of security when deploying a WAP.

It is submitted that the steps I propose are reasonable, and it is hoped that they would therefore be adopted as a standard to be followed and provide a safe harbor for law firms seeking to protect the confidentiality of client information in a wireless network setting.

The proposed standard includes four steps to protect and encrypt the traffic on the WAP. Any WAP not so protected shall be considered to be an “Open WAP.”

The proposed standard also includes a written security policy covering:

  • WAPs in the office
  • WAPs at the homes of those with remote-access authorization to the firm’s local area network
  • Computers which contain client data and access publicly-accessible WAPs (at coffee bars, airports, Bar Association libraries, etc.)

Wi-Fi: An Indispensable Tool

  • Wi-Fi is everywhere, and it’s no fad.

There were more than 10 million WAPs in US homes by the end of 2004, with an expected 14 million by the end of 2005.

At coffee bars, restaurants and offices throughout the world, you’ll see people working on Wi-Fi-enabled devices like notebook computers. Publicly-accessible WAPs, known as Hotspots, are provided in scores of cities to encourage Internet use. Many Hotspots provide the Internet access at no cost, to encourage foot traffic.

Other Hotspots, such as those at most Starbucks, Barnes and Noble, Borders and Kinkos locations, charge access fees for Wi-Fi – about $1.30 a day for a monthly subscription.

WAP Overview

  • The vast difference between connecting via Wi-Fi to the Internet, and connecting via Wi-Fi to your LAN is an important distinction.

Components comprising a Wi-Fi network work in much the same way as walkie-talkies and a base station. When you set up a WAP (sometimes also referred to as a “Wireless Router”), you are broadcasting a radio signal to the area within a radius of up to 300 feet[3] from the WAP. By default, anyone with a mobile device equipped with a Wi-Fi transceiver (“Wi-Fi Adapter”) can detect this signal and request a connection. When the WAP recognizes the request, by default it assigns to the requesting device (via DHCP) a unique identifier (an “IP Address”) which permits the WAP and mobile device to communicate. Once this connection has been made, the mobile device is granted access to the network to which the WAP is connected.

Most people connect the WAP to a high-speed Internet connection. Once a mobile device is connected to such a WAP, that device can access the Internet.

Some people also connect the WAP to their Local Area Network (LAN). Your LAN is the network of computers which contain your data and client information. LAN access must be protected by a firewall, which prevents unauthorized communications originating outside the LAN from getting in.

For reasons which will be made clear below, I highly recommend that anyone accessing your LAN from anywhere outside the firewall – be it through your WAP, their home computer or network (wired or wireless) or a public Hotspot – do so through a Virtual Private Network (VPN). A VPN creates a “tunnel” through which your data is transported, encrypted and authenticated, through the firewall and on to the LAN; the firewall admits VPN traffic only from users who hold valid VPN credentials.

VPNs are the number one thing people should be doing. A VPN lets Trusted[4] users be as productive as possible. Even if an unauthorized user gets on to your WAP, you can keep him locked out of your LAN, provided the firewall lets the wireless segment reach nothing on the LAN except the VPN endpoint itself.

The proposed standard therefore requires you to place the WAP outside your firm’s firewall. By creating a “demilitarized zone” (DMZ), a network segment served by the WAP but sitting on the outside of the firewall, you grant wireless Internet access via your WAP, while only Trusted users may access the LAN, through the VPN.

Unless you intend to offer public Internet access (which you might, see below), then you must also protect your WAP with encryption and an authentication scheme, which requires user name and password, to help keep unauthorized users out. While less important than protecting your LAN, protecting your WAP from just anyone getting Internet access can be important as well (see sidebar).
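The segmentation this section describes, as an added example that is not part of the original white paper: a small Python model of the firewall’s rule set for a WAP placed outside the firewall, together with a rendering of the same policy as iptables rules. The addresses (192.168.50.0/24 for the wireless segment, 10.0.0.0/24 for the LAN), the VPN endpoint on the firewall’s wireless-facing address, UDP port 1194 (OpenVPN’s default) and the interface names are all assumptions chosen for illustration.

```python
"""Constructed example of the "WAP outside the firewall" design: the wireless
segment may reach the Internet and the firm's VPN endpoint, and nothing else.
All addresses, the port and the interface names are assumptions."""
from ipaddress import ip_address, ip_network

WIRELESS = ip_network("192.168.50.0/24")   # segment served by the WAP (assumed)
LAN = ip_network("10.0.0.0/24")            # firm LAN holding client data (assumed)
VPN_ENDPOINT = ip_address("192.168.50.1")  # firewall's address on the wireless side (assumed)
VPN_PORT, VPN_PROTO = 1194, "udp"          # OpenVPN default; any VPN product fits the same slot
RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def evaluate(src, dst, proto, dport):
    """Verdict for a new flow that starts on the wireless segment: (verdict, reason).

    Rule order matters: the VPN exception is tested before the blanket
    "no private destinations" rule, so the VPN is the only door into the LAN.
    """
    src, dst = ip_address(src), ip_address(dst)
    if src not in WIRELESS:
        return "deny", "this policy only governs flows that start on the wireless segment"
    if dst == VPN_ENDPOINT and proto == VPN_PROTO and dport == VPN_PORT:
        return "allow", "VPN handshake: the only way into the LAN"
    if dst in LAN:
        return "deny", "direct wireless-to-LAN traffic is blocked"
    if any(dst in net for net in RFC1918):
        # Also covers the firewall's own admin ports and the other wireless
        # clients: an intruder who joins the WAP sees only the Internet.
        return "deny", "other private addresses are unreachable from the WAP"
    return "allow", "plain Internet access"


def iptables_rules(wifi_if="wlan0", lan_if="eth1", wan_if="eth0"):
    """Render the same policy as netfilter rules (interface names assumed).

    Once a client has authenticated, the VPN daemon delivers its packets to the
    LAN over its own tunnel interface; that path is gated by the VPN's
    credentials, not by these rules.
    """
    return [
        "iptables -P FORWARD DROP",
        f"iptables -A INPUT -i {wifi_if} -p {VPN_PROTO} --dport {VPN_PORT} -j ACCEPT",
        f"iptables -A INPUT -i {wifi_if} -j DROP",
        f"iptables -A FORWARD -i {wifi_if} -o {lan_if} -j DROP",
        f"iptables -A FORWARD -i {wifi_if} -o {wan_if} -j ACCEPT",
        f"iptables -A FORWARD -i {wan_if} -o {wifi_if} -m conntrack "
        "--ctstate ESTABLISHED,RELATED -j ACCEPT",
    ]


if __name__ == "__main__":
    for flow in [("192.168.50.20", "192.168.50.1", "udp", 1194),   # VPN: allow
                 ("192.168.50.20", "10.0.0.5", "tcp", 445),        # file server: deny
                 ("192.168.50.20", "192.168.50.1", "tcp", 80),     # firewall admin: deny
                 ("192.168.50.20", "203.0.113.7", "tcp", 443)]:    # Internet: allow
        print(flow, *evaluate(*flow))
    print("\n".join(iptables_rules()))
```

The thing to verify on a real firewall is the same as in the model: the VPN exception comes first, and no other rule lets the wireless side reach the LAN or the firewall’s own management ports. The WAP is assumed to run its own DHCP server on the wireless segment, as the article describes; if the firewall served DHCP instead, the INPUT rules would need an exception for it.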

What’s Your Responsibility?

  • Connecting an Open WAP to your firm’s LAN is literally as unsafe as placing your client files in an unlocked file cabinet in the center of a city street.

Lawyers in New York State mustn’t knowingly “… reveal a confidence or secret of a client”, and “…shall exercise reasonable care to prevent … employees, associates, and others whose services are utilized by the lawyer from disclosing or using confidences or secrets of a client.”[5]

An Open WAP is a Hotspot – a publicly shared computer network open to anyone, anywhere within 300 feet. In 2001, the DC Legal Ethics Committee stated it is “…impermissible for unaffiliated attorneys to have unrestricted access to each other’s electronic files (including e-mails and word processing documents) and other client records. If separate computer systems are not utilized, each attorney’s confidential client information should be protected in a way that guards against unauthorized access and preserves client confidences and secrets.”[6]

The Delaware Bar opined that client confidentiality is broken when a lawyer “should reasonably anticipate the possibility that his or her communication could be intercepted and confidences disclosed.”[7]

An irate client whose opponent became aware of embarrassing information via such an interception might well make the argument that maintaining an Open WAP doesn’t protect his data in a way that guards against unauthorized access and preserves client confidences and secrets.

Protecting the confidentiality of client information on an Open WAP is impossible. Cheap and simple steps can solve this problem.

Criminal Liability of Accessing a ‘Public’ Hotspot

  • You cannot rely on existing laws to prosecute “unauthorized” WAP access. It is difficult to determine how a user becomes authorized to access a WAP, and there’s no common mechanism by which to post a notice that he is not.

In early July, 2005, police in St Petersburg, FL, arrested Benjamin Smith III for accessing a residential WAP and connecting to the Internet – from his car. Smith was charged with unauthorized access to a computer network.

He might get off. Who’s to say it was unreasonable for Smith to assume what he did was kosher? The WAP he used was wide open. With the proliferation of Hotspots, who can say whether a person can reasonably infer an Open WAP is intended for public use?

Under current New York law, it is illegal to intentionally access someone else’s computer, computer network or equipment without authorization to do so where such computer or equipment “…is equipped or programmed with any device or coding system, a function of which is to prevent the unauthorized use of said computer or computer system.”[8]

The New York Penal Law also attempts to define “authorization” by providing that, to establish authorization, one must either:

(i) give actual notice, in writing or orally, to the user;

(ii) prominently post written notice adjacent to the computer being utilized; or

(iii) have a notice displayed on, printed out on or announced by the computer being utilized by the user.[9]

Significantly, the Penal Law also provides for a presumption that notice of such authorization is given where “the computer is programmed to automatically display, print or announce such notice ….”[10]

Scott R. Almas, who was instrumental in developing the business and technology model to implement many of the Hotspots throughout downtown Albany, New York, is a technology attorney at the law firm of Lemery Greisler LLC. While Almas does not endorse the unauthorized use of open WAPs, he points out significant problems with New York’s law when viewed against the practical reality of the proliferation of Open WAPs.

“I am particularly troubled,” Almas said, “by how a user is supposed to know whether or not the owner of the Open WAP is authorizing use of the access point where the owner broadcasts to the world the presence of the access point and takes no steps to secure it. By the very nature of WAPs, there is no reasonable way to post or provide oral notice, and it can be difficult to interpret from the broadcasted name of the access point whether authorization is intended.”

“In light of the fact that protecting the WAP is free, simple to do, and strongly recommended by the access point manufacturers during the set up process,” Almas said, “I believe anyone who sets up a WAP and does not follow the advice to install even the most basic, minimal safeguards should be presumed to be providing authorization to access the Open AP for otherwise lawful Internet use.”

“The presumption should not,” adds Almas, “extend to authority to access information on the WAP owner’s LAN, or other illegal or harmful activities.”

Oops. Was That Your WAP?

  • If a mobile device automatically seeks and connects to a WAP, then accessing an Open WAP needn’t even be intentional.

Most new notebook computers ship with the Microsoft Windows XP or Macintosh OS X operating systems, and are equipped with internal wireless adapters (see sidebar). If the wireless adapter is switched on, the notebook will seek, and attempt to connect with, WAPs – even before the screen comes to life.

People set their notebooks to connect to any available network, so the onus is on the owner of the WAP. I would think that if your WAP hands out what is needed to join – such as an IP address – a user might reasonably think that they’ve been granted access to your WAP.

And New York Penal Law Section 156.50 provides a defense for persons who had reasonable grounds to believe that they had authorization to use the computer. Therefore, unfortunately, the issue will likely be left for the Courts to decide whether such a presumption exists and is applicable in any given case.

Attorneys and the public must properly frame these issues and arguments, so that the Courts can properly interpret and apply the law.

Determine Your Needs

  • You can protect your LAN while providing public access to your WAP and the Internet – so long as you configure your WAP properly.

Lemery Greisler, Almas’ Albany, New York law firm, provides a Hotspot to afford anyone in the area free access to the Internet. By giving pedestrians a good reason to mill about, this is a fine goodwill gesture towards local businesses at low cost.

That’s a perfectly reasonable thing to do, so long as you reasonably ensure (as did Lemery Greisler) that it is difficult for strangers to access your LAN from the Hotspot. They placed the Hotspot outside their firm’s firewall, thereby providing a public service at little risk to their own network.

It’s important that you, too, determine what you want your WAP to do, and deploy it properly.

Don’t Panic … But Set A Policy

  • A clearly communicated and strongly enforced written policy governing remote network access is essential.

A written wireless data security policy is vital in any environment; in a law firm, the lack of one could be expensive, embarrassing and time-consuming. It could create civil liability – and even criminal liability (see sidebar) – for the firm.

All people in the firm must be made aware of the policy, no matter their position: it does you no good to take steps to increase security if your receptionist or even a junior associate tells a caller information about your WAP and network. This happens far more often than you’d think. Specifics on what the policy should cover are listed below, within the proposed standard.

        Everybody’s Not Doing It

          <li>
          If you haven't
          locked down your firm's WAP, you're not alone. This problem is
          widespread and international.</strong> 
          </li>
          

          In March 2005, data protection company RSA Security reported that a survey it commissioned from netSurity found more than one third of wireless business networks in four major cities were unsecured – 38% of businesses in New York, 35% in San Francisco, 36% in London and 34% in Frankfurt.

          Those numbers are about right – a safe, if not conservative, figure. It’s analogous to a car, which comes with locks built right into the doors; it’s still up to you to press the lock button.

          From Elite Geeks to An Unruly Mob

            One no longer needs to be a gifted programmer to be a successful intruder.

            Cracking WEP, the weakest form of Wi-Fi encryption, is increasingly trivial (see sidebar), and attorneys must never rely on WEP – no matter how large the key size – as the sole means of protecting a LAN.

            The popular image of a “Hacker,” as a young, pale-skinned
            male perched behind a complex computer using arcane tools to
            penetrate computer systems is dated.

            Hacking, password- and encryption-breaking tools have become
            ubiquitous, sophisticated, simple to use and are totally free to
            download from the Internet.

            PROPOSED STANDARD

            A determined intruder with the right tools will get in no matter what you do – nothing offers 100% security or guarantees, but you should employ the best security you can install and maintain without unreasonably disrupting productivity. Take all reasonable steps to secure client information on your LAN with a well-configured firewall.

            If you merely wish to allow Trusted users wireless Internet access, securing your WAP can likely be done by Dan – that geeky intern who likes Star Trek. It can take as little as 15 minutes, and can cost nothing: if you’ve got a WAP, you’ve almost certainly got the hardware needed (and if you don’t, you can spend as little as $40 to get it).

            If you wish to allow the WAP to also grant LAN access, and you don’t have an IT person in-house, you might buy a combination VPN/WAP for as little as $149 (see sidebar). Otherwise, you may need to hire an outside consultant or installation specialist for a few hours’ consultation or work to set up the VPN.

            Four Main Steps

            Because Linksys is the most popular WAP maker, the examples below refer to Linksys products; your WAP’s instruction manual contains specific How-Tos and instructions to do all of the following. All brands provide similar steps and menus, and all use the same terminology.

            STEP ONE: CHANGE THE DEFAULTS

            The simplest solution for a range of common problems raised by WAPs is to
            change the default information on the WAP itself. This is
            accomplished by opening a web browser and surfing to the IP address
            of the WAP device.

            First go to the Setup Page:

              Change the Router Name<a class="sdfootnoteanc" name="sdfootnote11anc" href="#sdfootnote11sym"><SUP>11</SUP></a>.

              Change the last two fields in the WAP's Local IP address to something other than what's there. Reasonable entries include 192.168.11.1 or 192.168.0.25.

              Next, go to the Wireless Basic Settings Page. The Service Set Identifier (SSID) is the name of the wireless network your users will connect to. By default it is set to “Linksys.”

                Change the SSID to something non-descriptive – not your firm's name. While the concept of security through obscurity is not to be solely relied upon, choose for your SSID something obscure, like B3QXR25.

                Then, disable the SSID broadcast, so it won't be readily visible to users who don't know that the WAP is there (though "war-drivers" – people who drive around looking for Open WAPs – might see it. Yes, there's a war-driving subculture).

                STEP TWO: CHANGE THE ADMINISTRATIVE PASSWORD

                A hacker, using the default username (blank) and the default password of “admin,” can take over your WAP and lock you out. In the Administration page:

                  Set a new, hard-to-guess administration password: at least an eight-character string which is not a word found in a dictionary, and which comprises upper and lower case letters and numbers.

                  STEP THREE: ENCRYPT THE SIGNAL

                  Use the best encryption method you possibly can, preferably WPA2 (see sidebar). If WPA2 is not available, then deploy, in descending order of preferability, either WPA or WEP. If you absolutely must use WEP, use 128-bit encryption – which takes a bit longer to crack than weaker versions of WEP.

                  STEP FOUR: VPN INTO THE LAN

                  You absolutely, positively may not allow access to your LAN through the
                  WAP except with the use of a VPN.

                  Because the VPN’s authentication is vastly more secure than Wi-Fi’s and encrypts all data between the client (that’s your notebook computer or PDA) and the LAN, it helps ensure that anyone gaining access to the LAN is authorized.

                  Written Policy

                  Anyone who has been granted remote access to your LAN must abide by
                  the written remote access policy. This policy must cover the remote
                  users’ notebook computers, PDAs and other mobile data devices; their
                  home LAN and any home computers, and any other machines which they
                  may use to access the company LAN.

                  The policy must be clearly posted in the firm, and discussed with all
                  remote users and staff. It must explicitly set forth rules governing
                  what employees may tell outsiders about your computers, your network,
                  your WAP and your security policies. It must be regularly reviewed.

                  For a sample written policy, see http://www.nickselby.com/wifi

                  Protect Home WAPs

                  Anyone granted permission to access the LAN via VPN must apply all
                  four steps above to their home or other remote WAP. This not only
                  protects your LAN, it protects personal data they store on their home
                  machines.

                  Current OS Patches, Anti-Virus, Firewall & Spyware Blockers

                  Anyone accessing the LAN must ensure that their device is updated
                  with the most recent security patches for their Operating System.

                  All machines on the LAN must run current versions of anti-virus software with regularly updated virus definitions. Note that new viruses are introduced every hour; “regularly updated virus definitions” means at a minimum once each week. It could be argued that updating every 24 hours is reasonable.

                  Any device accessing from outside the LAN must be running a properly-configured firewall program such as Zone Alarm or Computer Associates eTrust. The Basic Service Set (BSS) is shared by all users of an AP. Unless the hotspot blocks connections between clients on the same BSS – and you should assume it does not – a malicious user on that AP can gain access to your machine if it is not running a firewall, and install software or remove files from your hard drive. Likewise, unless you encrypt your e-mail through a VPN or an encryption program such as PGP, it (along with your username and password) can very easily be captured and viewed in plain text by others on the Hotspot.

                  Always assume that others can see you on a Hotspot. Make sure you have a firewall running, and that anything you care about – such as email or confidential files – is encrypted across a tunnel.

                  Call For Discussion

                  As when you access a Hotspot, you are always looking for the balance between ease of access and loss of security. The best we can do is educate people about the upsides and downsides of using WAPs, and discuss ways to protect yourself so that your information remains reasonably secure.

                  As I mentioned earlier, this is all very new. The proposed standard
                  is a first step towards reducing the likelihood that your LAN will be
                  compromised, or your Internet connection abused. In order to further
                  this recommendation and develop a final specification, I welcome your
                  comments.

                  Ian Sacklow, the founder of the Capital District Linux Users Group and Information Systems Manager for Dodge Chamberlain Luzine Weber Associates, an architectural firm with offices in East Greenbush, Plattsburgh and Jericho, New York, co-authored this white paper.

                  Members of the Capital District Linux Users Group contributed technical information and fact checking for this article.

                  <p><a class="sdfootnotesym" name="sdfootnote1sym" href="#sdfootnote1anc">1</a>
                  Wi-Fi is short for &quot;Wireless Fidelity,&quot; the nickname for a
                  wireless area network (WAN) complying with IEEE 802.11
                  specifications. Wi-Fi&reg;
                  is a Registered Trademark of the Wi-Fi Alliance. 
                  </p>
                  

                  <p><a class="sdfootnotesym" name="sdfootnote2sym" href="#sdfootnote2anc">2</a>Of
                  course as the state of the art changes, so must any standard be
                  updated.</p>
                  

                  <p><a class="sdfootnotesym" name="sdfootnote3sym" href="#sdfootnote3anc">3</a>One
                  can extend this range in a variety of ways, all fairly technical.
                  300 feet is the default, stock range without modification, and
                  therefore the range I discuss here.</p>
                  

                  <p><a class="sdfootnotesym" name="sdfootnote4sym" href="#sdfootnote4anc">4</a>On
                  a network, a &quot;Trusted&quot; user is given access to sensitive
                  files. An &quot;Untrusted&quot; user may be granted access to
                  certain parts of the network, but not to areas containing sensitive
                  data. 
                  </p>
                  

                  <p><a class="sdfootnotesym" name="sdfootnote5sym" href="#sdfootnote5anc">5</a>
                  New York Lawyer's Code of Professional Responsibility, DR 4-101 [1200.19]
                  </p>


                  <p><a class="sdfootnotesym" name="sdfootnote6sym" href="#sdfootnote6anc">6</a>
                   District of Columbia
                  Ethics Opinion 303, February 2, 2001</p>
                  

                  <p><a class="sdfootnotesym" name="sdfootnote7sym" href="#sdfootnote7anc">7</a>
                   Delaware State Bar Association Opinion 2001-02
                  </p>
                  

                  <p><a class="sdfootnotesym" name="sdfootnote8sym" href="#sdfootnote8anc">8</a>
                   New York Penal Law Section 156.05</p>
                  

                  <p><a class="sdfootnotesym" name="sdfootnote9sym" href="#sdfootnote9anc">9</a>
                   New York Penal Law Section 156.00</p>
                  

                  <p><a class="sdfootnotesym" name="sdfootnote10sym" href="#sdfootnote10anc">10</a> id.</p>
                  

                  <p><a class="sdfootnotesym" name="sdfootnote11sym" href="#sdfootnote11anc">11</a>You
                  change the Router Name to slow down would-be intruders. Router Names
                  provide enough information to attackers to obtain all default
                  information for that WAP. <a href='http://coffer.com/mac_find/' target='_blank'>http://coffer.com/mac_find/</a> is one
                  Website which provides lookups which match Router Names with
                  manufacturer and model number, linking to the manufacturer website
                  which lists that machine's default settings and password.</p>
                  


                  Also in this series…
                  A proposal for Reasonable Wireless Security for law firms

                  A sample network access policy

                  Wifi encryption standards

                  “There’s nothing on my desk worth stealing”

                  …and free hotspots for all


There’s Nothing On My Network Worth Stealing

Many computer users feel that, because they don’t deal in highfalutin top-secret information, they don’t have much to offer an intruder.

Targets of intruders, though, are as difficult to predict as the closing price of next Tuesday’s light sweet crude trading. In fact, the possibilities are endless. And here’s just one way leaving your WAP unprotected – essentially running a Hotspot – could cause you pain.

Lawyer? Or Terrorist?
Parked outside your office within connection range sits Mr. Soren Marrwaakle, a Danish terrorist associated with the dreaded Copenhagen Resistance, which has sworn to destroy the American way of life. Soren drives around large cities seeking unprotected wireless connections just like yours.

Soren connects, through your unprotected WAP, to the Internet and thence his public, anonymous email account. After receiving from his cell the floor plans to a target building, he transmits back an email message to his handler, acknowledging receipt of the plans and passing on a recipe for low-fat brownies he got from Emeril.com.

Has your firm just violated the Patriot Act? You know, the part which says you’re not allowed “…to commit an act that the actor knows, or reasonably should know, affords material support, including a safe house, transportation, communications, funds, transfer of funds or other material financial benefit, false documentation or identification, weapons (including chemical, biological, or radiological weapons), explosives, or training…” [emphasis added]

Perhaps more to the point, do you wish to explain your views to the 33 FBI Agents in blue windbreakers who are at this moment milling about your conference room?

Sure, after only three days, by which time they’ve become mostly convinced of your innocence, 18 of the agents leave. But how much do you think it will eventually cost you in time, effort, resources and bad coffee to get the rest of them to go? How many of your clients will express delight upon learning that their lawyers are under Federal investigation for aiding a terrorist group?

And how will those pictures of guys in blue windbreakers carrying boxes out of your office look in the Times Union?

