Nearly four months after deadly ethnic riots in China's Muslim region led authorities to shut off the Internet there, local residents are still barred from sending text messages and getting online. The rioting between Uighurs, a mostly Muslim minority group native to Xinjiang, and Chinese Han, the country's ethnic majority, also led China to block various social networking Web sites nationwide. The clampdown on telecommunication in China's western Xinjiang province, where rioting claimed nearly 200 lives in early July, has hurt local businesses and cut residents off from many nongovernment sources of news and other information. Twitter, similar Chinese services and Facebook all remain inaccessible in the country.

Observers have cited a series of sensitive anniversaries this year as a reason for the blockages, but those dates, including China's 60th anniversary of communist rule on Oct. 1, have passed. "The unfortunate truth is that the Chinese government can impose and sustain this kind of Internet service disruption ... for as long as it feels it's necessary," said Phelim Kine, a researcher in Hong Kong for New York-based Human Rights Watch. "The government is impervious to concerns from the business sector and certainly those of ordinary citizens." Some companies have been allowed to communicate via a regional network in Xinjiang, said the marketing manager for one local company when reached by phone. China has blamed communication on such Web sites for helping lead to the riots, which were sparked by an ethnic brawl in far-away southern China. The manager predicted that regular Internet access could return in around one month. "It's relatively calm on the streets of Xinjiang now," he said. The owner of another online store, which sells dried fruits, nuts and other snacks, said she did not know of any regional network in Xinjiang. The manager's company, which sells make-up and other cosmetic products online, is one of many that have had to relocate staff outside of Xinjiang to continue operations, he said. Most of the store owner's staff remain in neighboring Gansu province, she said.

China has given little sign of when it will lift the Internet restrictions but said it will gradually do so as Xinjiang stabilizes.

The Advanced Television Systems Committee (ATSC), which oversees TV standards for the U.S., said Friday it has approved a standard for mobile digital broadcasts. Consumers may be able to pick up the broadcasts on laptops, handheld TVs and in-vehicle entertainment systems as well as mobile phones. The ATSC Mobile DTV Standard will allow local TV stations to broadcast to mobile devices on the frequencies they already have.

Mobile TV has been more successful in some other countries, such as Japan and South Korea, than in the U.S. Handset makers Samsung Electronics and LG Electronics were promoting two different specifications to the ATSC until last May, when they joined forces on a unified proposal. However, the FLO service is paid and is focused on national rather than local offerings. Consumers can already watch TV broadcasts on some Verizon Wireless and AT&T handsets, via the FLO TV network backed by Qualcomm. ATSC Mobile DTV is carried alongside the regular over-the-air DTV broadcasts that U.S. stations have been delivering exclusively since analog TV was discontinued across the country in June. It can support interactive services, subscription-based TV and downloading of content for later viewing, the group said. It uses a system called Vestigial Side Band modulation, with an IP (Internet Protocol) transport system, according to the ATSC. The technology can send H.264 video and HE AAC v2 (High-Efficiency Advanced Audio Coding, Version 2) audio.

LG will unveil its first ATSC Mobile DTV device, a portable DVD player with built-in TV, at the International Consumer Electronics Show in Las Vegas in January, said John Taylor, vice president of public affairs for LG Electronics USA. The device will probably cost less than US$250. He believes the addition of TV to a phone would increase the cost by only a small amount. The Open Mobile Video Coalition has said a total of 70 broadcasters in the U.S. have announced plans to use the technology by the end of this year. Unlike with some standards, there is already an ecosystem in place for ATSC Mobile DTV, with 30 broadcasters already using it, Taylor said. "This is ready for deployment now," he said. It costs less than $100,000 for a broadcaster to add the mobile capability, Taylor said. For one thing, the three largest U.S. carriers may not want to embrace a technology that could compete with their existing mobile TV products.

However, a lot of pieces have to come together for the new technology to succeed, according to analyst Avi Greengart of Current Analysis. While AT&T and Verizon sell FLO TV, Sprint offers a TV service that goes over its 3G network. Taylor said LG has had discussions with its carrier partners but none has publicly agreed to use ATSC Mobile DTV. Broadcasters may have their own qualms about investing in the technology without a guarantee that it will help them make money, Greengart said. Because mobile operators sell most of the handsets in the U.S., and in many cases dictate what's in those devices, their support will be key, Greengart said. There may be a chicken-and-egg problem between availability of handsets and of broadcasting stations, with each side hesitating to move first, he said. Content rights may also be an issue, noted Bill Stone, president of FLO TV. "Many pieces of content today have mobile rights associated with them," Stone said.

However, with growing competition from cable channels, Web sites and other sources of video, mobile over-the-air TV could be an opportunity for local broadcasters to grab back some viewers, he said. For example, if a carrier has the right to show a local sports event through a national relationship with the league, a local broadcaster may not be allowed to show it to phones even though it has the traditional TV rights, he said. Though FLO TV doesn't disclose subscriber numbers, Stone said the average viewer on Verizon and AT&T watches the service more than 30 minutes per day. Over the five-year process of building its network, which now can reach about 200 million people in the top 100 U.S. cities, FLO TV has learned it takes a lot of work to get the coverage, devices and content in place for a successful service, Stone said. However, the ATSC standard may help to solve the biggest barrier FLO TV faces: Most consumers don't know they can watch TV on a phone, Stone said. "If there's a way for us to partner and work together to help build that awareness, that's a positive," Stone said.

Microsoft still does not acknowledge a weakness in its Internet Explorer browser that was pointed out seven weeks ago and enables attackers to hijack what are supposed to be secure Web sessions. If Microsoft doesn't fix the problem, Apple can't fix it on its own, Apple says. The company says it is still evaluating whether the weakness exists, but Apple, which bases its Safari for Windows browser on Microsoft code, says Safari for Windows has the weakness and the Microsoft code is the reason. Apple has fixed the problem for Safari for Macs.

"Once our investigation is complete, we will take appropriate action to help protect customers," a Microsoft spokesperson said via e-mail. "We will not have any more to share at this time." The weakness can be exploited by man-in-the-middle attackers who trick the browser into making SSL sessions with malicious servers rather than the legitimate servers users intend to connect to. "Microsoft is currently investigating a possible vulnerability in Microsoft Windows." Current versions of Safari for Mac, Firefox and Opera address the problem, which is linked to how browsers read the x.509 certificates that are used to authenticate machines involved in setting up SSL/TLS sessions. The attacks involve getting certificate authorities to sign certificates for domain names assigned to legitimate domain-name holders and making vulnerable browsers interpret the certificates as being authorized for different domain-name holders. In July two separate talks presented by researchers Dan Kaminsky and Moxie Marlinspike at the Black Hat Conference warned about how the vulnerability could be exploited by using what they call null-prefix attacks. For instance, someone might register www.hacker.com.

In that case, the authority would sign a certificate for bestbank.hacker.com, ignoring the sub-domain bestbank and signing based on the root domain hacker.com, Marlinspike says. In many x.509 implementations the certificate authority will sign certificates for any request from the hacker.com root domain, regardless of any sub-domain prefixes that might be appended. At the same time, browsers with the flaw he describes read x.509 certificates until they reach a null character, such as \0. If such a browser reads bestbank.com\0hacker.com, it would stop reading at the \0 and interpret the certificate as authenticating the root domain bestbank.com, the researcher says. An attacker could exploit the weakness by setting up a man-in-the-middle attack and intercepting requests from vulnerable browsers to set up SSL connections. Browsers without the flaw correctly identify the root domain and sign or don't sign based on it.

If the attacking server picks off a request to bestbank.com, it could respond with an authenticated x.509 certificate from bestbank.com\0hacker.com. The user who has requested a session with bestbank would naturally assume the connection established was to bestbank. The vulnerable browser would interpret the certificate as being authorized for bestbank.com and set up a secure session with the attacking server. Once the link is made, the malicious server can ask for passwords and user identifications that the attackers can exploit to break into users' bestbank accounts and manipulate funds, for example, Marlinspike says. These certificates use an asterisk as the sub-domain followed by a null character followed by a registered root domain.

In some cases attackers can create what Marlinspike calls wildcard certificates that will authenticate any domain name. A vulnerable browser that initiated an SSL session with bestbank.com would interpret a certificate marked *\0hacker.com as coming from bestbank.com because it would automatically accept the * as legitimate for any root domain. Such a wildcard will match any domain, he says. This is due to "an idiosyncrasy in the way Network Security Services (NSS) matches wildcards," Marlinspike says in a paper detailing the attack. The differences between what users see on their screens when they hit the site they are aiming for and when they hit an attacker's mock site can be subtle. A Microsoft spokesperson says Internet Explorer 8 highlights domains to make them more visually obvious, printed in black while the rest of the URL is gray. "Internet Explorer 8's improved address bar helps users more easily ensure that they provide personal information only to sites they trust," a Microsoft spokesperson said in an e-mail.

The URLs in the browser would reveal that the wrong site has been reached, but many users don't check for that, Marlinspike says. Marlinspike says the null character vulnerability is not limited to browsers. "[P]lenty of non-Web browsers are also vulnerable. Outlook, for example, uses SSL to protect your login/password when communicating over SMTP and POP3/IMAP. There are probably countless other Windows-based SSL VPNs, chat clients, etc. that are all vulnerable as well," he said in an e-mail.
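The name check described above, reduced to a minimal C model (an added example, not code from any browser or from NSS). `struct cert_name`, both matcher functions and the sample names are constructed for illustration, and hostnames are assumed to be lowercased already.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* A certificate name as ASN.1 carries it: bytes plus an explicit length. */
struct cert_name {
    const char *data;
    size_t len;
};

/* Flawed check: treats the name as a C string, so reading stops at the
   first \0. A bare "*" is accepted for any host, which models the
   wildcard case described in the text. */
int match_vulnerable(const struct cert_name *cn, const char *host)
{
    const char *name = cn->data;            /* declared length is ignored */
    if (strcmp(name, "*") == 0)
        return 1;
    return strcmp(name, host) == 0;
}

/* Hardened check: refuse names with an embedded NUL, compare using the
   declared length, and allow "*" only as a whole left-most label in
   front of a suffix that itself contains a dot. */
int match_hardened(const struct cert_name *cn, const char *host)
{
    size_t hlen = strlen(host);

    if (cn->len == 0 || memchr(cn->data, '\0', cn->len) != NULL)
        return 0;                            /* null-prefix name */

    if (cn->len > 2 && cn->data[0] == '*' && cn->data[1] == '.') {
        const char *dot = strchr(host, '.');
        size_t suffix_len = cn->len - 1;     /* e.g. ".bestbank.com" */
        if (dot == NULL || dot == host)
            return 0;
        if (memchr(cn->data + 2, '.', cn->len - 2) == NULL)
            return 0;                        /* "*.com" is too broad */
        return strlen(dot) == suffix_len &&
               memcmp(dot, cn->data + 1, suffix_len) == 0;
    }
    return cn->len == hlen && memcmp(cn->data, host, hlen) == 0;
}

/* Constructed sample names; sizeof keeps the bytes after the \0. */
#define NAME(lit) { lit, sizeof(lit) - 1 }
static const struct cert_name CN_NULL_PREFIX   = NAME("bestbank.com\0hacker.com");
static const struct cert_name CN_NULL_WILDCARD = NAME("*\0hacker.com");
static const struct cert_name CN_HONEST        = NAME("bestbank.com");
static const struct cert_name CN_WILDCARD      = NAME("*.bestbank.com");

int main(void)
{
    const char *host = "bestbank.com";
    printf("null-prefix   vulnerable=%d hardened=%d\n",
           match_vulnerable(&CN_NULL_PREFIX, host),
           match_hardened(&CN_NULL_PREFIX, host));
    printf("null-wildcard vulnerable=%d hardened=%d\n",
           match_vulnerable(&CN_NULL_WILDCARD, host),
           match_hardened(&CN_NULL_WILDCARD, host));
    printf("honest name   hardened=%d\n", match_hardened(&CN_HONEST, host));
    printf("wildcard www  hardened=%d\n",
           match_hardened(&CN_WILDCARD, "www.bestbank.com"));
    return 0;
}
```

The difference is only whether the comparison trusts the string terminator or the length the certificate declares for the name.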

Several U.S. lawmakers urged the Internet Corporation for Assigned Names and Numbers (ICANN) to back off on a plan to offer an unlimited number of new generic top-level domains until concerns about trademark protections and other issues can be addressed. "You guys made us come here today." The board at ICANN, the nonprofit organization created in 1998 to oversee the Internet's domain name system, voted in June 2008 to move toward unlimited gTLDs, in addition to the 21 gTLDs available now, including .com, .biz, and .info. Members of a subcommittee of the U.S. House of Representatives Judiciary Committee on Wednesday questioned ICANN Chief Operating Officer Doug Brent about why the organization continues to move forward with its plan to sell new generic top-level domains, or gTLDs. Judiciary Committee Chairman John Conyers, a Michigan Democrat, complained that ICANN hasn't been able to resolve complaints about its plan to sell new gTLDs to compete with .com, .org and other current TLDs. "This is a hearing we shouldn't have had to call," Conyers said. "If the parties had come together, I doubt if we'd be here this morning."

Under the ICANN plan, anyone could apply for a new gTLD - some suggested have been .food, .basketball and .eco - at a cost of about US$100,000. Asked by lawmakers how soon ICANN planned to offer new gTLDs, Brent said he wasn't sure. Critics of the TLD expansion, including Hewlett-Packard and Dell, have complained that a huge expansion of gTLDs would force trademark owners to buy multiple domains on each new gTLD, potentially costing them and their customers billions of dollars. ICANN had originally planned to offer them this year, but the latest estimate is February, and Brent said he expects that deadline to slip as ICANN works with critics to resolve issues. This week, the Coalition Against Domain Name Abuse (CADNA), an organization with 19 large-business members, called on the U.S. government to conduct a "full-scale" audit of ICANN. "ICANN has not properly vetted this decision in an objective fashion," CADNA said. "This rollout expands the size of the Internet exponentially without first performing a sound cost/benefit and security and risk analysis to determine both desirability among and risk to Internet users." At the Wednesday hearing, Conyers seemed to connect the gTLD disagreements with the end of an oversight agreement ICANN has with the U.S. Department of Commerce. A spokesman for Conyers wasn't immediately available to clarify his comment. ICANN's long-standing formal relationship with the U.S. government ends Sept. 30. "If you don't meet the 30th deadline, you're going to all be sorry that you didn't make it," Conyers said.

ICANN's Brent defended the organization's decision to move forward with new gTLDs. Internet users, including the U.S. government, have long called for new TLDs, he said. Winners of new gTLDs will have to abide by a lengthy set of rules, he said. "ICANN did not casually think this plan up," Brent added. "This will not be an unbridled expansion." In addition, the expansion of TLDs would allow Internet users who don't use the Roman alphabet to have domain names in their native languages, he noted. "It is the work of many hands from a bottom-up process." Representative Bob Goodlatte, a Virginia Republican, questioned whether ICANN had enough resources to enforce strong trademark protections and other rules in the new gTLDs. He asked if ICANN saw that there were still "a lot of things that need to be worked out here." "We might question 'a lot,' but I think, absolutely we have more work to do," Brent answered. "Instead, we should address these concerns." But Steve DelBianco, executive director of e-commerce trade group NetChoice, suggested the new gTLDs are little more than an effort to create new labels, when ICANN has more important issues to work on. "Every day our industry and my members create new applications, Web sites and services," he said. "Labels are just one of the ways people find these new services." Despite the continued concerns, Paul Stahura, CEO and president of domain-name registrar eNom, said the ICANN plan will lead to more competition among domain-name registries. "There is high consumer demand for many new gTLDs," he said. "There currently is little or no competition to satisfy this demand, and ... we shouldn't prohibit competition because of trademark concerns."

"The label is not the creation, it's just something we stick on it." One proposed gTLD is .food, he said. "Dot-food won't create a single new restaurant," DelBianco said. "It won't create a new Web page, it won't create new restaurant reviews or online reservation sites."

Apple's move to slash the price of one of its Apple TV models and discontinue another lower-capacity model has many scratching their heads. At the same time, the price of the 160GB version was slashed by one hundred dollars to $229 from $329. Fulfillment of a prophecy? Monday morning the 40GB model of the Apple TV disappeared from U.S. retail locations and online. In the days before Apple's September 9 media event, where the company unveiled new iPods and a revamped iTunes, many analysts believed the Apple TV was due for a refresh.

In light of Monday's development, however, it may be Piper Jaffray analyst Gene Munster who is the most prescient, according to MacRumors. Speculation revolved around the possibility that Apple TV could be overhauled, and earlier speculation wondered if the device might morph into a gaming machine. Munster earlier this month noticed the shipping window (the time it takes for a product to go from factory to sales floor) for the Apple TV had slipped to one to two weeks. At the time of this writing, a new model has not been introduced to the Apple TV lineup. This development prompted Munster to suggest Apple would cut the 40GB model from its inventory and slash the price of the 160GB version to make room for a new model.

So what does this mean? It's possible, but since Apple TV is not a particularly high selling product, the move could be meant to boost sales. Will there be a new model coming soon? A price cut could entice people to pick up the set-top box for a relatively cheap price, thereby encouraging more video downloads and rentals from Apple's iTunes Store. Is this just a price cut to boost sales across North America or has Apple got something big planned for the Apple TV up its sleeve? So what do you say?

Three data storage start-ups have landed more than $28 million in first-round funding from venture capitalists, a rare feat in an economy that has punished new vendors looking to obtain financing. The multi-million dollar financing rounds went to Avere Systems, a Pittsburgh-based network-attached storage (NAS) company; GreenBytes, a de-duplication vendor in Ashaway, R.I.; and Sonian of Needham, Mass., maker of a cloud-based e-mail archiving and disaster-recovery service. Early stage vendors have suffered as much as anyone, because a lack of successful IPOs and acquisitions has forced investors to put resources into existing companies longer than expected, leaving little left over for true start-ups. Venture capitalists have dramatically reduced spending on computer networking companies in the past couple years.

There seems to be good reason to lower investments in storage companies: Storage software revenue is down worldwide compared to last year and storage hardware revenue is down 18%. But Avere, GreenBytes and Sonian were able to secure Series A financing in funding rounds announced this week: $15 million went to Avere, $8 million went to GreenBytes and $5.6 million went to Sonian. "In the current economy, the bar on new investments is extremely high," says John Jarve, Menlo Ventures managing director, in the Avere announcement. Avere was founded in January 2008 and is led by CEO Ronald Bianchini, a former senior vice president at NetApp and co-founder of Spinnaker Networks, a storage grid company acquired by NetApp. All three start-ups are focused on making storage use more efficient, a key concern for enterprises grappling with expanding data volumes. Avere calls its technology "Demand-Driven Storage" and says it will consist of NAS products that let customers "scale storage network performance independently of capacity," reducing costs and space and power requirements. GreenBytes, featured in Network World's Companies to Watch series last year, makes de-duplication storage appliances designed for both primary and secondary storage tiers.

Avere, which received its funding from Menlo and Norwest Venture Partners, says it will release its technology in the fall of this year. The company, founded by CEO Robert Petrocelli in 2007, says its GB-X Series appliances allow "real-time, on-the-fly de-duplication of file blocks as they are stored, expanding the scope of applications into primary storage, as well as backup." GreenBytes' funding round was led by Battery Ventures. The company offers a 99.99% data retention service-level agreement. Sonian, founded in 2007 by CTO Greg Arnette, built its hosted e-mail archive platform with a grid computing architecture designed to eliminate single points of failure. Sonian, which received funding from Prism VentureWorks and Summerhill Venture Partners, was named a "cool vendor" in archiving by Gartner this year.

Follow Jon Brodkin on Twitter: www.twitter.com/jbrodkin