
Most people know it's probably not a good idea to use your corporate e-mail account to write about how you skipped out on work and had too many beers at the Dodgers game. But you may want to think twice about doing the same via text message on your work-issued phone.
New guidelines for financial firms that were issued in December (you can read a PDF download here) mean that companies are responsible for any secure information employees send over their mobile phones, in addition to e-mail. Hospitals and other organizations that work with personal information are also cracking down on employees who send messages over phones.
But it's not as easy for employers to read your text messages as it is for them to read your e-mail. Right now, text messages sent on employee phones are archived, but a hole in most systems means that if an employee sends a text message and then deletes the sent file, the archive won't store it.
So Onset Technology has come up with Big Brother software that enables employers to monitor employees' texts, as well as control who they're writing texts to and what they're writing. It's called METAmessage Advanced Compliance Tool.
"We scan and block text messages so the company makes sure there are no text messages going out that violate company policy," said Zack Silvinger, the company's vice president of business development and marketing.
That means if your company has decided that curse words, sexually explicit words, or even the word "beer" aren't acceptable, you'll be thwarted every time you try to send a text message with banned words on it. What's more, your message will be sent to the human resources department. Yikes!
Companies using the software can also create blacklists to control whom employees can text.
If you're scared now, you might get some relief knowing that federal law prevents service providers from turning over contents of text messages to an employer, even if an employer pays for the service. But with this software, your employer scans the text messages before you even send them.
It may seem ridiculous for companies to employ these tactics, but they can prevent legal issues from arising, said Patrick Corr, Onset's vice president of sales. "The idea is to protect the enterprise," he said.
In non-business speak, this means your employer is monitoring your texts to save its own rear end. And maybe prevent you from saying things about the Dodgers you might later regret.
-- Alana Semuels
Photo: Surveillance cameras in London. Credit: akanekal via Flickr
Gas prices are soaring, roads are congested and you've gotten kind of hooked on Days of Our Lives. Sounds like it's time to telecommute.
But good luck trying to use your virtual private network, or VPN, while sending e-mail and surfing the Web. According to a Forrester Research study released Wednesday, telecommunication companies don't focus on consumers who work from home. As a result, those workers suffer slower Web speeds, slower customer service and security issues they otherwise might not face if they were working at the office.
"Because home workers' telecommunication needs are not strictly personal nor precisely business-based, providers have a difficult time creating a product strategy for these consumers," analyst Sally M. Cohen wrote in the report.
They should start thinking about consumers who telecommute (Cohen calls them "prosumers"). According to Forrester, 41% of adults who use a computer at work also work at home after-hours. About 9% of online consumers telecommute regularly, and 22.8 million consumers run a business from home.
Cohen listed a few features telecommuters might need:
- More bandwidth. About half of enterprises in the U.S. and Europe have virtual private networks that can be accessed from home, but logging in with low bandwidth can be next to impossible.
- Better customer care. The last thing telecommuters want to do when they're rushing to file a report is wait in a customer-service line or yell at voice prompts.
- Increased security. Telecommuting can create privacy concerns for employers and employees.
I asked AT&T, Charter, Time Warner and Verizon what services they offer for people who telecommute. The answer: nothing special. But consumers who pay a bit more for Internet might be all set anyway. Verizon's FiOS, only available in some areas, transmits at speeds up to 50 megabits per second. Its DSL goes up to 7 megabits. Time Warner's top package transmits at 6 megabits per second, although some areas get service as fast as 10 megabits per second. AT&T's DSL and U-Verse (also only available in some areas) offer the same speeds as Time Warner.
For now, telecommuters in Glendale, Burbank, Long Beach and Riverside have it best: those with Charter Communications can get speeds as fast as 16 megabits per second as well as a free anti-virus and security package to boot.
-- Alana Semuels
Semuels, a Times staff writer, covers marketing and the L.A. tech scene.
Photo by Stanley Leary / Associated Press
Acclaimed Internet security researcher Dan Kaminsky detailed a flaw in the current architecture of the Internet today, firing the starting gun for a race between hackers who can now take advantage of the vulnerability and the big companies who have yet to patch their systems.
Speaking to hundreds of technology security professionals and enthusiasts at the annual Black Hat conference in Las Vegas, Kaminsky said that a majority of the Fortune 500 have protected their machines with a series of fixes developed in secret since March.
Kaminsky coordinated an industry-wide effort that brought out patches from Microsoft, Cisco, Sun Microsystems and other major technology vendors, and customers began applying them after he issued a public warning a month ago.
The hole lies in the Domain Name System, which steers Internet users seeking a site by title, such as www.google.com, to a numerical address. Kaminsky showed today how hackers could corrupt the process, taking users to an imitation site that could install malicious programs.
He called the problem the worst discovered since 1997. The standing-room only crowd gave Kaminsky two ovations, in part for the technical significance of the find and in part for his handling of the crisis. Microsoft, Google, Yahoo, Facebook, MySpace, EBay and many Internet service providers have secured their machines.
"We got lucky with this bug," Kaminsky said in his talk, saying other profound flaws are lurking that will be just as hard to resolve. "We have to have disaster-recovery planning. The 90-days-to-fix-it thing isn't going to fly."
Kaminsky also showed how the flaw could be used to attack places that some professionals had believed immune.
The Secure Sockets Layer, signified by "https://" at the beginning of a website address, could be circumvented, as one example. Impostors could fool the authentication companies, such as Verisign, and so get an approved digital certificate shown to site visitors, though Kaminsky said those companies have revamped their procedures. A large number of firms simply sign their own certificates, which an impostor could do, without dissuading consumers from continuing.
"Everywhere you look, SSL shoots itself in the face," Kaminsky said.
Corporate firewalls can likewise be thwarted through computers connecting to outside partners, such as payment processors.
Other scary scenarios include intercepted and manipulated e-mail coming from trusted parties and the fact that automatic software updates, which are a key way to get security fixes installed automatically, can easily be hijacked.
There are so many different ways for malicious actors to try to use the flaw that Kaminsky said it marked the start of a new era of hacking.
"DNS is the Achilles' heel of the Internet," agreed Joris Evers, a spokesman for security company McAfee Inc. "There's a lot of attention that's been focused on this -- and that's good."
In an interview, Kaminsky said that more than 120 million home broadband users have already been protected, and that workplace systems might be more at risk. Some attacks have already occurred, and Kaminsky said he was most worried about the tens of millions of sites that have a link to click on if users forget their passwords. A hacker could pretend to be specific users and get the passwords sent to them.
Ordinary computer users can't do much to patch their own machines, though they can prod their employers or Internet service providers to act. They can check to see if patches have been applied by visiting www.doxpara.com and clicking on "Check my DNS."
-- Joseph Menn
Black Hat company logo from richardmasoner via Flickr; photo of Kaminsky courtesy of the subject.
The U.S. Justice Department said today that it had charged 11 people for their alleged roles in the largest identity theft case cracked to date, one best known for the loss of personal information on customers at chains owned by TJX Cos., including TJ Maxx.
The ring is accused of driving past retailers and restaurants with wireless equipment, looking for ways into the corporate wireless networks. Once inside, they planted "sniffers" to capture credit card and debit card information as it was being transmitted internally, according to indictments in Boston and San Diego.
A three-year undercover investigation turned up records on 41 million people stored on computers in Eastern Europe. Tens of millions of dollars were lost as the perpetrators created new bank cards with stolen data and then made withdrawals from ATM machines.
U.S. Atty. Gen. Michael Mukasey and other officials said the ring was led by a Secret Service informant who functioned as a triple agent, warning suspects of ongoing probes. Albert Gonzalez of Miami faces a maximum penalty of life in prison.
Also charged were residents of Ukraine, Estonia and China, underscoring the increasing globalization of cyber-crime.
-- Joseph Menn
Photo: Atty. Gen. Michael Mukasey. Credit: Gerald Herbert / Associated Press
Telecommuting has its distinct advantages: no stressful trips on the freeway, a kitchen full of snacks, working in pajamas, even animal companionship (just watch out for paws on the keyboard).
But working from home isn't all kitty cats and cozy fires. A study released this morning by the Center for Democracy and Technology and Ernst & Young said telecommuting and other remote access of corporate networks poses data security and privacy challenges for employers. The report, "The State of Telecommuting: Privacy and Security" (PDF download) warns: It is difficult enough to secure a corporate network with the constant and persistent threat from malicious external parties, from hackers to spammers to viruses. But for the chief technology officer or chief risk officer of today's organization, perhaps no issue presents more complexity -- or more headaches -- than the necessity to protect corporate and personal information in an environment where employees travel widely or routinely work at home, using personal computers, laptops, non-corporate-owned machines and personal digital assistants.
The CDT and Ernst & Young surveyed 73 organizations from 10 industries in the United States, Canada and Europe and found that the risks of telecommuting often were ignored. Half of the respondents said they had no formal policies or training for remote access of their systems.
"Most of the security and privacy risks associated with telecommuting are already known," CDT Vice President Ari Schwartz said in a release unveiling the study. "In a lot of cases those risks can be addressed if companies would simply put more emphasis on the procedures and policies they already have in place."
And it's not just electronic data. Only 25% of the respondents said they require telecommuters to store paper records in secured cabinets. Even then, the records aren't always secure, as this 2007 episode demonstrates: Confidential files of 13 people from the Social Security Administration office in Milwaukee were lost for months when a telecommuting worker took them home. The employee said she kept them in a locked cabinet, but believes she left them behind when she fled her home because of domestic violence. Some of the files -- which contained Social Security numbers, medical information and other private data -- were eventually found in a Milwaukee dumpster.
The study recommends that employers focus more on telecommuters, whose ranks are expected to grow to 46 million by 2011. Among the suggestions are inspecting home offices, using encryption to connect to corporate networks and providing locked cabinets and shredders for paper records. Just make sure the cat stays away from the shredders.
-- Jim Puzzanghera
Puzzanghera, a Times staff writer, covers tech and media policy from Washington, D.C.
Photo by DDFic via Flickr
The Motorola DynaTAC 8000X holds its place in wireless history as the world's first commercial cellphone. The hefty device (both in weight -- like a brick -- and price -- nearly $4,000 when introduced in 1984) also represents state-of-the-art as far as federal tax law is concerned.
That's bad news if your employer provides you with a cellphone.
As you can read in our story today, many employers may stop paying for employee cellphones because the Internal Revenue Service recently has been cracking down on tax rules set in 1989. Those rules consider cellphones a pricey fringe benefit, reserved for the likes of high-powered businessmen such as Gordon Gekko.
The IRS says employees must keep detailed logs of their calls, indicating which are for business and which are personal. If they don't, the phone and its monthly service plan are considered taxable income.
UCLA was hit this year with a bill for $239,196 in unpaid taxes for employee cellphones and is considering changing its policy.
Those changes are on hold as Congress considers bringing IRS cellphone rules into the 21st Century. Legislation to do so passed the House this year, and a similar bill is pending in the Senate.
-- Jim Puzzanghera
Puzzanghera, a Times staff writer, covers tech and media policy from Washington, D.C.
Photo: Motorola DynaTAC 8000X, circa 1984. Credit: Motorola
Security researchers said today they had discovered an enormous flaw that could let hackers steer most people using corporate computer networks to malicious websites of their own devising.
For bad news, that's pretty impressive. But there are two pieces of good news: First, no bad guys are known to be using the flaw yet. And second, in a possibly unprecedented display of industry cooperation, virtually every major software company affected is issuing patches fixing the problem.
System administrators will have 30 days to apply those patches -- from the likes of Microsoft, Sun Microsystems, Red Hat and others -- before the details of the flaw are disclosed at the Black Hat security conference in Las Vegas.
Security experts -- including the man who discovered the flaw, Dan Kaminsky of IOActive -- hope that the patches are broad enough that evil types won't be able to reverse-engineer them and figure out how to exploit the vulnerability before the details are released next month.
"We got lucky in this particular bug, because it's a design flaw," Kaminsky said in an interview. "It shows up in everyone's network, but the fix is a design fix that doesn't point directly at what we're improving."
US CERT, the Computer Emergency Readiness Team at the Department of Homeland Security, issued an alert today on the scope of the problem. CERT didn't go into all the backroom dealing that brought so many companies together for the patch, but it made the initial discovery seem like child's play. "It took a couple of hours to find the bug," said Kaminsky, "and a couple of months to fix it."
Kaminsky said he stumbled across the hole in the so-called DNS system for steering people to the websites they are seeking "by complete and total accident." Smaller DNS flaws have been used before to "poison" the servers that send people to the numerical address of the website name they enter. But this failing is at least one order of magnitude bigger, and perhaps several.
"This is about the integrity of the Web, this is about the integrity of e-mail," Kaminsky said. "It's more, but I can't talk about how much more."
-- Joseph Menn
Photo of Dan Kaminsky by Dave Bullock / eecue
The number of publicly reported privacy breaches jumped 69% in the first six months of the year from the same period in 2007, according to the nonprofit Identity Theft Resource Center.
Businesses accounted for much of the increase, the San Diego group found by surveying media accounts, state disclosures and other sources. They reported 37% of the 2008 breaches, up from 29% in the first half of last year and 21% in the year-earlier period.
Educational organizations and government sources, the next two most common sources of exposed personal information, both reported fewer breaches for a second consecutive year. They reported 21% and 17%, respectively, of the latest data leaks.
The Identity Theft Resource Center didn't estimate how many records were involved in total, because almost 40% of the public reports didn't reveal the extent of the compromise.
Just because data is at risk doesn't mean it will be misused. Laptops or other devices that were lost or stolen accounted for 1 in 5 of the incidents, and they might not have been targeted for the information they held.
Insider theft was blamed in 16% of the cases, loss or theft by a contractor in 14% and hacking in 12%.
-- Joseph Menn
Photo by hyku via Flickr
As Bill Gates leaves full-time work as chairman of Microsoft today, he can look back on one of the most extraordinary careers in the annals of business -- a rise from college dropout to world's wealthiest individual. Along the way, his forceful execution fulfilled the audacious goal of putting a computer in nearly every home, at least in the U.S.
But the company Gates leaves behind is, at long last, floundering. Its stock price is where it was six years ago. Microsoft has just bungled an attempt to buy Yahoo in what would have been the largest acquisition in Silicon Valley history. And the attention of the technology world, once riveted on the Redmond, Wash., company, has turned elsewhere, to Google and beyond.
Perhaps most surprising, Microsoft appears to be losing ground on the one product that it rode to world dominance: the operating system powering 9 in 10 personal computers.
By coincidence, today also marks the last day of general availability of Windows XP, the operating system that Microsoft finally got right. Its successor, Windows Vista, is so unworthy that even Microsoft's closest partner, top chip maker Intel, is refusing to distribute it to employees.
What do you think? If Gates went wrong, where? Will Microsoft ever command the technology industry again?
-- Joseph Menn
Photo: Bill Gates in 1990. Credit: Marty Lederhandler / Associated Press
UPDATE: Here's a more detailed version of this story from the paper.
-----
Ushering in the most dramatic expansion of virtual real estate in 40 years, the group controlling Web addresses said today that pretty much anyone would get a shot at buying a top-level domain to go along with the current crop, which includes .com and .net.
The Internet Corp. for Assigned Names & Numbers, which is as close as the Internet gets to a governing body, opted to open up the process to companies, individuals and coalitions. That means that any word or name approved by ICANN could conceivably follow the dot in a Web address. Get ready for .pickles and .google.
"The potential here is huge. It represents a whole new way for people to express themselves on the Net," ICANN Chief Executive Paul Twomey said in a news release issued from the group's Paris meeting. New domains could be forthcoming next year, after another round of refinements and the first applications.
"There are already interested consortiums wanting to establish city-based top level domain, like .nyc (for New York City), .berlin and .paris," ICANN said in the release.
The decision stems from ICANN's philosophy of keeping as little power for itself as possible, as well as from lobbying by the companies that dole out domain names. Those companies, including some in Los Angeles, see a potential windfall in administering new top-level domains and selling off individual addresses.
But not everyone was thrilled with the step. Critics warn that scammers will rush in, grabbing up trademarked names or misspelled versions of those names and then taking their chances in court.
"Google doesn't want a scam artist running Google.whatever," said tech policy consultant Lauren Weinstein, co-founder of the nonprofit People For Internet Responsibility. "It's almost like an extortion racket -- you'd better buy your name in this new top-level domain or you're going to get blamed."
"The process has been hijacked to a significant extent by folks who see the domain-name system as their personal piggy bank."
-- Joseph Menn
Image courtesy of ICANN
Microsoft really isn't trying to buy Yahoo anymore, at least not right now, Chairman Bill Gates and CEO Steve Ballmer said late last night in a rare joint appearance at Dow Jones' All Things D conference in Carlsbad.
The pair, who generally are kept from being in the same place outside of Redmond, Wash., for security reasons, stuck to the script Microsoft has been using for a while. That is, they are exploring a smaller partnership with the Internet power, they aren't bidding for the whole caboodle and they reserve the right to bid for said caboodle in the future (here's video from the conference).
But the men gave off an air of finality to the situation. That surprised some in the audience who had seen the standoff as a tactical ploy, especially now that the Yahoo board has come under intense pressure from Carl Icahn and other activist shareholders to get back to the table.
"I'm not frustrated at all," Ballmer said. "We couldn't agree on price, basically."
"I still think it's a scale business," he said. "We must think there is something of mutual benefit," or Microsoft wouldn't be trying to cut a new deal.
Under steady needling by interviewers Walt Mossberg and Kara Swisher, Ballmer and Gates, in their own pro-Microsoft way, also conceded that the latest version of Windows, Vista, wasn't all that they'd hoped.
"We have a culture that's very much about 'We need to do better,'" said Gates, who has one more month to go as a full-time Microsoft employee. "Vista has given us more opportunity."
That line brought a chorus of laughter from many in the audience. Dell founder Michael Dell, whose computers rely on Microsoft's operating systems, was seated near the front. He didn't come close to smiling.
-- Joseph Menn
Photo: From left, Kara Swisher interviews Bill Gates and Steve Ballmer at the All Things D conference in Carlsbad. Credit: Loic Le Meur via Flickr
With his biggest acquisition to date, Hewlett-Packard Chief Executive Mark Hurd may prove how ruthless he can be.
Since he took the helm three years ago, Hurd has driven the Palo Alto company back to the top of the computing industry by cutting costs. He’s done it relentlessly and without sentimentality, repeating the efficiency mantra every quarter — even as the company’s fortunes improved. That approach will get its biggest test yet as HP tries to absorb the 140,000 employees of Electronic Data Systems Corp., the Plano, Texas-based technology outsourcing company that HP said Tuesday it would acquire for $13.2 billion in cash.
“This is an order of magnitude bigger than what he has done before,” said Fariborz Ghadar, director of Pennsylvania State University’s Center for Global Business Studies.
Hurd, 51, indicated today that job cuts loomed as HP tried to improve its position in the market for data-center management, consulting and other high-tech services.
“We think we know a lot about how to look at overhead and how to look at costs that result from overhead,” he said during a conference call with analysts. “So think of us doing a lot of work that we know how to do and have done at HP.”
Some investors worried that this time Hurd had bitten off more than even he could chew. They have knocked more than 10% off HP’s stock since reports Monday that the two companies were close to a deal. HP shares tumbled $2.56, or 5.5%, to $44.27 Tuesday.
Read more here about the challenge Hurd faces with this deal.
-- Michelle Quinn
Hewlett-Packard's $12.8-billion deal to acquire Electronic Data Systems is all about slow and steady revenue.
Corporate belt-tightening + slumping consumer confidence = a rough time to sell PCs and printers.
But IT services, ah, now there's a smooth business. The idea is to sign huge companies to multiyear contracts setting up their data centers, software systems and other high-tech stuff, then watch the money flow in like clockwork. That can help offset the ups and downs of selling hardware. Here's more from our story: Analysts said the bid for Electronic Data showed that HP was trying to protect its balance sheet from the softening economy.
The company is the worldwide leader in personal computer and printer sales and a strong competitor in computer servers, but sales of those products ebb and flow.
In contrast, the services business -- which includes consulting as well as setting up and running corporate data centers, software and other technology -- often grows during downturns as companies outsource tasks to reduce costs. Plus, corporations often sign multiyear contracts that pay out in predictable ways.
The services business also holds greater potential for growth than many of HP's computer and printer businesses, said Tom Smith, a computer hardware analyst at Standard & Poor's Equity Research.
"There are more ways to add and invent new consulting services if you can establish long-term contracts," he said. "And if you have good services, it supports the next round of hardware sales, and so on. It creates a steadier business."
David Garrity, director of research at Dinosaur Securities, said offering strong services had made hardware companies such as HP "a trusted advisor to a business."
-- Chris Gaither
Photo by LM Otero / Associated Press