Technology

The business and culture of our digital lives,
from the L.A. Times

Category: Corporate IT

Microsoft's Ballmer: Job cuts forced by 'once-in-a-lifetime economic conditions'

January 22, 2009 | 11:02 am

Microsoft plans to fire people and hire people as it deals with what Chief Executive Steve Ballmer today called a "once-in-a-lifetime set of economic conditions." And the company thinks things will get worse before they get better.

Executives from the Redmond, Wash., company gave Wall Street more specifics about their plans for dealing with the deteriorating global economy. They include cutting thousands of jobs in response to slowing sales of the PCs that run its Windows and Office software and making some hires in areas of potential growth such as Web search.

"We’re certainly in the midst of a once-in-a-lifetime set of economic conditions," Ballmer said during a conference call after the company announced weaker-than-expected quarterly earnings and as many as 5,000 layoffs, or 5.5% of its workforce. "The economy is resetting to a lower level of business and consumer spending."

As businesses and consumers have reduced spending and bought fewer PCs, Office and Windows sales also have slowed. Microsoft's client business, which includes those products, saw revenue fall 8% to $3.9 billion in its fiscal first quarter, which ended Dec. 31. PC spending, which the company had anticipated would grow 10%-12%, was flat, said Bill Koefoed, general manager of investor relations.

Ballmer said that as many as 5,000 Microsoft jobs would be cut, as well as thousands of external jobs held by independent contractors and vendors. The reductions will be in the areas of research and development, marketing, sales, finance, legal, human resources and information technology, and about 1,400 of those cuts will occur today. However, the company does anticipate adding 2,000 to 3,000 jobs in ...


Cisco's unfortunate airplane commercial during coverage of flight 1549

January 16, 2009 | 12:51 pm

Let's say you're a big-name advertiser, and one of your TV commercials mocks airplanes, flying and water landings. You probably wouldn't want to run that ad during CNN's coverage of US Airways Flight 1549, which crash-landed Thursday in the Hudson River, right? Unfortunately for tech giant Cisco Systems, it's sometimes difficult to pull such an ad from TV networks across the country in the unlikely event of a water landing.

Cisco's Travel Less, Save More commercial begins with a man talking to the screen, welcoming people to flight 1120. Various people recite familiar flight attendant lines throughout the ad, talking about how to buckle a seat belt, how oxygen masks will drop from the ceiling and what will happen in the "unlikely" event of a water landing. They wear floating devices. They play with oxygen masks. Then the ad ends with a voice-over about the "endless hours" lost to airport delays.

Some people watching real-life coverage of US Airways flight 1549 yesterday on CNN saw the ad during a commercial break. They were treated to the jarring feeling of watching real-life coverage of ...


I'm an employer, and I do not approve of this text message

October 15, 2008 |  3:28 pm

Most people know it's probably not a good idea to use your corporate e-mail account to write about how you skipped out on work and had too many beers at the Dodgers game. But you may want to think twice about doing the same via text message on your work-issued phone.

New guidelines for financial firms that were issued in December (you can read a PDF download here) mean that companies are responsible for any secure information employees send over their mobile phones, in addition to e-mail. Hospitals and other organizations that work with personal information are also cracking down on employees who send messages over phones.

But it's not as easy for employers to read your text messages as it is for them to read your e-mail. Right now, text messages sent on employee phones are archived, but a hole in most systems means that if an employee sends a text message and then deletes the sent file, the archive won't store it.

So Onset Technology has come up with Big Brother software that enables employers to monitor employees' texts, as well as control who they're writing texts to and what they're writing. It's called METAmessage Advanced Compliance Tool.

"We scan and block text messages so the company makes sure there are no text messages going out that violate company policy," said Zack Silvinger, the company's vice president of business development and marketing.

That means if your company has decided that curse words, sexually explicit words, or even the word "beer" aren't acceptable, you'll be thwarted every time you try to send a text message with banned words on it. What's more, your message will be sent to the human resources department. Yikes!

Companies using the software can also create blacklists to control whom employees can text.

If you're scared now, you might get some relief knowing that federal law prevents service providers from turning over contents of text messages to an employer, even if an employer pays for the service. But with this software, your employer scans the text messages before you even send them.

It may seem ridiculous for companies to employ these tactics, but they can prevent legal issues from arising, said Patrick Corr, Onset's vice president of sales. "The idea is to protect the enterprise," he said.

In non-business speak, this means your employer is monitoring your texts to save its own rear end. And maybe prevent you from saying things about the Dodgers you might later regret.

-- Alana Semuels

Photo: Surveillance cameras in London. Credit: akanekal via Flickr


Telecommuters get no lovin' from their ISPs, study finds

August 7, 2008 |  4:56 pm

Gas prices are soaring, roads are congested and you've gotten kind of hooked on Days of Our Lives. Sounds like it's time to telecommute.

But good luck trying to use your virtual private network, or VPN, while sending e-mail and surfing the Web. According to a Forrester Research study released Wednesday, telecommunication companies don't focus on consumers who work from home. As a result, those workers suffer slower Web speeds, slower customer service and security issues they otherwise might not face if they were working at the office.

"Because home workers' telecommunication needs are not strictly personal nor precisely business-based, providers have a difficult time creating a product strategy for these consumers," analyst Sally M. Cohen wrote in the report.

They should start thinking about consumers who telecommute (Cohen calls them "prosumers"). According to Forrester, 41% of adults who use a computer at work also work at home after-hours. About 9% of online consumers telecommute regularly, and 22.8 million consumers run a business from home.

Cohen listed a few features telecommuters might need:

  • More bandwidth. About half of enterprises in the U.S. and Europe have virtual private networks that can be accessed from home, but logging in with low bandwidth can be next to impossible.
  • Better customer care. The last thing telecommuters want to do when they're rushing to file a report is wait in a customer-service line or yell at voice prompts.
  • Increased security. Telecommuting can create privacy concerns for employers and employees.

I asked AT&T, Charter, Time Warner and Verizon what services they offer for people who telecommute. The answer: nothing special. But consumers who pay a bit more for Internet might be all set anyway. Verizon's FiOS, only available in some areas, transmits at speeds up to 50 megabits per second. Its DSL goes up to 7 megabits. Time Warner's top package transmits at 6 megabits per second, although some areas get service as fast as 10 megabits per second. AT&T's DSL and U-Verse (also only available in some areas), offer the same speeds as Time Warner.

For now, telecommuters in Glendale, Burbank, Long Beach and Riverside have it best: those with Charter Communications can get speeds as fast as 16 megabits per second as well as a free anti-virus and security package to boot.

-- Alana Semuels

Semuels, a Times staff writer, covers marketing and the L.A. tech scene.

Photo by Stanley Leary / Associated Press


Internet security flaw described as worst in 10 years

August 6, 2008 |  2:43 pm

Acclaimed Internet security researcher Dan Kaminsky detailed a flaw in the current architecture of the Internet today, firing the starting gun for a race between hackers who can now take advantage of the vulnerability and the big companies who have yet to patch their systems.

Speaking to hundreds of technology security professionals and enthusiasts at the annual Black Hat conference in Las Vegas, Kaminsky said that a majority of the Fortune 500 have protected their machines with a series of fixes developed in secret since March.

Kaminsky coordinated an industry-wide effort that brought out patches from Microsoft, Cisco, Sun Microsystems and other major technology vendors, and customers began applying them after he issued a public warning a month ago.

The hole lies in the Domain Name System, which steers Internet users seeking a site by title, such as www.google.com, to a numerical address. Kaminsky showed today how hackers could corrupt the process, taking users to an imitation site that could install malicious programs.

He called the problem the worst discovered since 1997. The standing-room only crowd gave Kaminsky two ovations, in part for the technical significance of the find and in part for his handling of the crisis. Microsoft, Google, Yahoo, Facebook, MySpace, EBay and many Internet service providers have secured their machines.

"We got lucky with this bug," Kaminsky said in his talk, saying other profound flaws are lurking that will be just as hard to resolve. "We have to have disaster-recovery planning. The 90-days-to-fix-it thing isn't going to fly."

Kaminsky also showed how the flaw could be used to attack places that some professionals had believed immune.

The Secure Sockets Layer, signified by "https://" at the beginning of a website address, could be circumvented, as one example. Impostors could fool the authentication companies, such as Verisign, and so get an approved digital certificate shown to site visitors, though Kaminsky said those companies have revamped their procedures. A large number of firms simply sign their own certificates, which an impostor could do, without dissuading consumers from continuing.

"Everywhere you look, SSL shoots itself in the face," Kaminsky said.

Corporate firewalls can likewise be thwarted through computers connecting to outside partners, such as payment processors.

Other scary scenarios include intercepted and manipulated e-mail coming from trusted parties and the fact that automatic software updates, which are a key way to get security fixes installed automatically, can easily be hijacked.

There are so many different ways for malicious actors to try to use the flaw that Kaminsky said it marked the start of a new era of hacking.

"DNS is the Achilles' heel of the Internet," agreed Joris Evers, a spokesman for security company McAfee Inc. "There's a lot of attention that's been focused on this -- and that's good."

In an interview, Kaminsky said that more than 120 million home broadband users have already been protected, and that workplace systems might be more at risk. Some attacks have already occurred, and Kaminsky said he was most worried about the tens of millions of sites that have a link to click on if users forget their passwords. A hacker could pretend to be specific users and get the passwords sent to them.

Ordinary computer users can't do much to patch their own machines, though they can prod their employers or Internet service providers to act. They can check to see if patches have been applied by visiting www.doxpara.com and clicking on "Check my DNS."

-- Joseph Menn

Black Hat company logo from richardmasoner via Flickr; photo of Kaminsky courtesy of the subject.


Feds charge 11, some overseas, in largest-ever identity theft bust

August 5, 2008 |  1:09 pm

The U.S. Justice Department said today that it had charged 11 people for their alleged roles in the largest identity theft case cracked to date, one best known for the loss of personal information on customers at chains owned by TJX Cos., including TJ Maxx.

The ring is accused of driving past retailers and restaurants with wireless equipment, looking for ways into the corporate wireless networks. Once inside, they planted "sniffers" to capture credit card and debit card information as it was being transmitted internally, according to indictments in Boston and San Diego.

A three-year undercover investigation turned up records on 41 million people stored on computers in Eastern Europe. Tens of millions of dollars were lost as the perpetrators created new bank cards with stolen data and then made withdrawals from ATM machines.

U.S. Atty. Gen. Michael Mukasey and other officials said the ring was led by a Secret Service informant who functioned as a triple agent, warning suspects of ongoing probes. Albert Gonzalez of Miami faces a maximum penalty of life in prison.

Also charged were residents of Ukraine, Estonia and China, underscoring the increasing globalization of cyber-crime.

-- Joseph Menn

Photo: Atty. Gen. Michael Mukasey. Credit: Gerald Herbert / Associated Press


Study raises data privacy and security concerns about telecommuting

July 29, 2008 |  9:28 am

Telecommuting has its distinct advantages: no stressful trips on the freeway, a kitchen full of snacks, working in pajamas, even animal companionship (just watch out for paws on the keyboard).

But working from home isn't all kitty cats and cozy fires. A study released this morning by the Center for Democracy and Technology and Ernst & Young said telecommuting and other remote access of corporate networks poses data security and privacy challenges for employers. The report, "The State of Telecommuting: Privacy and Security" (PDF download) warns:

It is difficult enough to secure a corporate network with the constant and persistent threat from malicious external parties, from hackers to spammers to viruses. But for the chief technology officer or chief risk officer of today's organization, perhaps no issue presents more complexity -- or more headaches -- than the necessity to protect corporate and personal information in an environment where employees travel widely or routinely work at home, using personal computers, laptops, non-corporate-owned machines and personal digital assistants.

The CDT and Ernst & Young surveyed 73 organizations from 10 industries in the United States, Canada and Europe and found that the risks of telecommuting often were ignored. Half of the respondents said they had no formal policies or training for remote access of their systems.

"Most of the security and privacy risks associated with telecommuting are already known," CDT Vice President Ari Schwartz said in a release unveiling the study.  "In a lot of cases those risks can be addressed if companies would simply put more emphasis on the procedures and policies they already have in place."

And it's not just electronic data. Only 25% of the respondents said they require telecommuters to store paper records in secured cabinets. Even then, the records aren't always secure, as this 2007 episode demonstrates: Confidential files of 13 people from the Social Security Administration office in Milwaukee were lost for months when a telecommuting worker took them home. The employee said she kept them in a locked cabinet, but believes she left them behind when she fled her home because of domestic violence. Some of the files -- which contained Social Security numbers, medical information and other private data -- were eventually found in a Milwaukee dumpster.

The study recommends that employers focus more on telecommuters, whose ranks are expected to grow to 46 million by 2011. Among the suggestions are inspecting home offices, using encryption to connect to corporate networks and providing locked cabinets and shredders for paper records. Just make sure the cat stays away from the shredders.

-- Jim Puzzanghera

Puzzanghera, a Times staff writer, covers tech and media policy from Washington, D.C.

Photo by DDFic via Flickr


Outdated IRS rules could lead employers to stop providing cellphones

July 28, 2008 |  8:34 am

The Motorola DynaTAC 8000X holds its place in wireless history as the world's first commercial cellphone. The hefty device (both in weight -- like a brick -- and price -- nearly $4,000 when introduced in 1984) also represents state-of-the-art as far as federal tax law is concerned.

That's bad news if your employer provides you with a cellphone.

As you can read in our story today, many employers may stop paying for employee cellphones because the Internal Revenue Service recently has been cracking down on tax rules set in 1989. Those rules consider cellphones a pricey fringe benefit, reserved for the likes of high-powered businessmen such as Gordon Gekko.

The IRS says employees must keep detailed logs of their calls, indicating which are for business and which are personal. If they don't, the phone and its monthly service plan are considered taxable income.

UCLA was hit this year with a bill for $239,196 in unpaid taxes for employee cellphones and is considering changing its policy.

Those changes are on hold as Congress considers bringing IRS cellphone rules into the 21st Century. Legislation to do so passed the House this year, and a similar bill is pending in the Senate.

-- Jim Puzzanghera

Puzzanghera, a Times staff writer, covers tech and media policy from Washington, D.C.

Photo: Motorola DynaTAC 8000X, circa 1984. Credit: Motorola


Major computer-security flaw prompts patch mania

July 8, 2008 |  5:24 pm

Security researchers said today they had discovered an enormous flaw that could let hackers steer most people using corporate computer networks to malicious websites of their own devising.

For bad news, that's pretty impressive. But there are two pieces of good news: First, no bad guys are known to be using the flaw yet. And second, in a possibly unprecedented display of industry cooperation, virtually every major software company affected is issuing patches fixing the problem.

System administrators will have 30 days to apply those patches -- from the likes of Microsoft, Sun Microsystems, Red Hat and others -- before the details of the flaw are disclosed at the Black Hat security conference in Las Vegas.

Security experts -- including the man who discovered the flaw, Dan Kaminsky of IOActive -- hope that the patches are broad enough that evil types won't be able to reverse-engineer them and figure out how to exploit the vulnerability before the details are released next month.

"We got lucky in this particular bug, because it's a design flaw," Kaminsky said in an interview. "It shows up in everyone's network, but the fix is a design fix that doesn't point directly at what we're improving."

US CERT, the Computer Emergency Readiness Team at the Department of Homeland Security, issued an alert today on the scope of the problem. CERT didn't go into all the backroom dealing that brought so many companies together for the patch, but it made the initial discovery seem like child's play. "It took a couple of hours to find the bug," said Kaminsky, "and a couple of months to fix it."

Kaminsky said he stumbled across the hole in the so-called DNS system for steering people to the websites they are seeking "by complete and total accident." Smaller DNS flaws have been used before to "poison" the servers that send people to the numerical address of the website name they enter. But this failing is at least one order of magnitude bigger, and perhaps several.

"This is about the integrity of the Web, this is about the integrity of e-mail," Kaminsky said. "It's more, but I can't talk about how much more."

-- Joseph Menn

Photo of Dan Kaminsky by Dave Bullock / eecue


Privacy data breaches jump 69% in first half of 2008

June 30, 2008 |  4:24 pm

The number of publicly reported privacy breaches jumped 69% in the first six months of the year from the same period in 2007, according to the nonprofit Identity Theft Resource Center.

Businesses accounted for much of the increase, the San Diego group found by surveying media accounts, state disclosures and other sources. They reported 37% of the 2008 breaches, up from 29% in the first half of last year and 21% in the year-earlier period.

Educational organizations and government sources, the next two most common sources of exposed personal information, both reported fewer breaches for a second consecutive year. They reported 21% and 17%, respectively, of the latest data leaks.

The Identity Theft Resource Center didn't estimate how many records were involved in total, because almost 40% of the public reports didn't reveal the extent of the compromise.

Just because data is at risk doesn't mean it will be misused. Laptops or other devices that were lost or stolen accounted for 1 in 5 of the incidents, and they might not have been targeted for the information they held.

Insider theft was blamed in 16% of the cases, loss or theft by a contractor in 14% and hacking in 12%.

-- Joseph Menn

Photo by hyku via Flickr


