<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	>

<channel>
	<title>zhonganzhiyou.com</title>
	<atom:link href="http://www.zhonganzhiyou.com/index.php/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.zhonganzhiyou.com</link>
	<description>Just another WordPress weblog</description>
	<pubDate>Sat, 04 Sep 2010 05:53:47 +0000</pubDate>
	<generator>http://wordpress.org/?v=2.7.1</generator>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
			<item>
		<title>Q&amp;A  INgrooves CEO on digital distribution and Dol</title>
		<link>http://www.zhonganzhiyou.com/index.php/2010/09/04/qa-ingrooves-ceo-on-digital-distribution-and-dol/</link>
		<comments>http://www.zhonganzhiyou.com/index.php/2010/09/04/qa-ingrooves-ceo-on-digital-distribution-and-dol/#comments</comments>
		<pubDate>Sat, 04 Sep 2010 05:53:47 +0000</pubDate>
		<dc:creator>admin</dc:creator>
		
		<category><![CDATA[Uncategorized]]></category>

		<guid isPermaLink="false">http://www.zhonganzhiyou.com/?p=260</guid>
		<description><![CDATA[
Spotify is one of your distribution partners. That&#8217;s the site everybody is talking about in Europe right?
 McDaniels: We&#8217;ve just signed Spotify. There certainly has to be a music solution out there that&#8217;s getting all the buzz. In the seven years we&#8217;ve been doing this I can&#8217;t tell you the number of times that one [...]]]></description>
			<content:encoded><![CDATA[<p>
Spotify is one of your distribution partners. That&#8217;s the site everybody is talking about in Europe right?<br />
<br /> McDaniels: We&#8217;ve just signed Spotify. There certainly has to be a music solution out there that&#8217;s getting all the buzz. In the seven years we&#8217;ve been doing this I can&#8217;t tell you the number of times that one of my employees has come into my office and told me this is going to change the way we consume music or this is going to spell the end of us. Snocap was one at one point. Spotify is certainly getting all the buzz now. It&#8217;s a streaming-based model that allows music fans to effectively access millions of songs and share playlists and I think their music interface is catching on with fans. </p>
<p>
We provide sort of a menu of services that you can pick and choose from. It starts with distribution and it&#8217;s really the entire supply chain process for content managers. What we&#8217;ve built is more of an asset management system rather than just a distribution infrastructure. </p>
<p>
INgrooves, a digital distribution company, is fast becoming a favorite of music acts embarking on comebacks. </p>
<p>
So, if I&#8217;m a label or artist, I hire you to do what?<br />
<br />
McDaniels: We&#8217;re agnostic to whether you&#8217;re a label, artist, production company; really we work for anybody that controls the rights to media, images, video, and of course audio. </p>
<p>
I think what&#8217;s really happening is consumer behavior patterns are changing. It used to be when we&#8217;re moving from the CD to the digital download everybody was saying that music fans still want to hold something, hold the physical good in their hand and that&#8217;s why CD sales would stay strong. Now consumer behavior is moving more towards digital downloads and everybody is saying everybody wants to own the download and they want to carry it with them wherever they go and streaming models aren&#8217;t going to take off. Well now the consumer is saying I don&#8217;t need to own the download. I&#8217;m happy with a cloud model where all my media is housed somewhere in an Internet locker for me and I can access it at any time. One of the reasons that consumer behavior is changing is because streaming is becoming more portable and interoperable. </p>
<p>
Tell me about what you&#8217;re doing for Nokia.<br />
<br />
McDaniels: This is an extension of our deal with Nokia for their online stores. Comes With Music is their new initiative based out of the United Kingdom but I understand it&#8217;s about to launch in the U.S. and a few other territories. It&#8217;s another retail outlet for us. It&#8217;s another way to reach the consumer and a great outlet for our independent music. We sort of approach the retail model in much the same way we approach the client model. We&#8217;re agnostic to the manner in which music fans consume music. </p>
<p> You&#8217;re doing only UMGD. Why aren&#8217;t you doing delivery for all of its labels, such as Geffen?<br />
<br />
McDaniels: Universal is obviously a very big client for us. They have a large catalog. The digital logistics business is very complex. Nobody really other than the people involved understands the complexities involved. To take on that large of a catalog with all the intricacies of distributing out to dozens if not hundreds of different retailers is a large undertaking so we decided to stage the migration of their catalog to our system. </p>
<p>
Who else have you done that for? <br />
McDaniels: Artists we&#8217;ve worked for directly are Too Short, Tila Tequila, Snoop Dogg&#8217;s Doggystyle Records, Thievery Corporation, and the Crystal Method. </p>
<p>
But just don&#8217;t call the privately held INgrooves a music label. &#8220;I don&#8217;t like the label&#8230; label,&#8221; quipped Robb McDaniels, the company&#8217;s CEO. </p>
<p>
Last year, San Francisco-based INgrooves oversaw digital distribution and marketing for the release of Dolly Parton&#8217;s album &#8220;Backwoods Barbie.&#8221; The record debuted as the No. 1 country album on iTunes. This spring, when the spoof metal group Spinal Tap releases its first album since 1992, the boys in the band are trusting INgrooves to distribute the material to iTunes, Amazon, and other online retailers. </p>
<p>
Q: Do you consider yourself a label?<br />
<br />
McDaniels: I don&#8217;t like the label&#8230;label. We provide some services that an artist would expect from a label. We provide some services that an independent label would expect from a major label. I think we are as good as anyone out there in terms of digital distribution and marketing. </p>
<p>
McDaniels recently spoke with CNET News to discuss where digital distribution was headed. </p>
<p>
I can access that music for more devices and more places and so it&#8217;s becoming more convenient. I think that Spotify is hitting the market at the right time. I don&#8217;t know it&#8217;s that novel of an idea but I think it&#8217;s got great timing and great user functionality. </p>
<p>
What is your relationship like with retailers and services such as YouTube?<br />
<br />
McDaniels: We deliver content into YouTube, audio and video, for INgrooves clients. We sit in the middle. We&#8217;re like a clearinghouse between content owners, typically labels or artists, and online and mobile retailers. We&#8217;re like the Visa of media. We receive back from all of the retail channels all of the sale statements and process all of the paybacks to the content owners. We see all of the sales data, all of the content. We know who&#8217;s buying what, where, when and how much.
</p>
<p>
McDaniels says INgrooves is a service company that acts much like an indie record company, such as IODA or The Orchard, but has no wish to compete against record labels. And in fact, one of the 7-year-old company&#8217;s most important clients is Universal Music Group, the largest of the top four recording companies. Universal last year invested in INgrooves. </p>
<p> What are you doing for Universal?<br />
<br />
McDaniels: About a year ago they made a strategic investment in us and we are providing them with digital distribution services. They looked at our software platform and they felt that it would be the right thing for the delivery of their content in North America. What our system does is handle the Universal Music Group Distribution labels and we deliver all their content under their contracts in all of North American retailers. </p>
<p> Tell me what artists you work with and give me an example of what you do for them.<br />
<br />
McDaniels: We provide services to Universal Music Group, K-Tell and VP Records as well as successful artists that are going out on their own: people like Dolly Parton and Too Short. We did Dolly Parton&#8217;s last release worldwide digital. Dolly formed her own label called Dolly Records and was looking for a digital partner for distribution and digital marketing. We signed her to an agreement and she opted into our worldwide digital distribution and our strategic marketing services. Our marketing group did an analysis of which retail partners would be the best ones, would do exclusives on the Dolly album, &#8220;Backwoods Barbie.&#8221; We then set about executing the marketing plan leading up to the release and then pushed it out to all of our online and mobile outlets on the day of the release. It was Dolly&#8217;s highest Billboard debut ever. We did very well digitally for her. The album has gone on to sell over 130,000 copies.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.zhonganzhiyou.com/index.php/2010/09/04/qa-ingrooves-ceo-on-digital-distribution-and-dol/feed/</wfw:commentRss>
		</item>
		<item>
		<title>Ad spending forecast lowered for social networks</title>
		<link>http://www.zhonganzhiyou.com/index.php/2010/08/29/ad-spending-forecast-lowered-for-social-networks/</link>
		<comments>http://www.zhonganzhiyou.com/index.php/2010/08/29/ad-spending-forecast-lowered-for-social-networks/#comments</comments>
		<pubDate>Sun, 29 Aug 2010 01:45:19 +0000</pubDate>
		<dc:creator>admin</dc:creator>
		
		<category><![CDATA[Uncategorized]]></category>

		<guid isPermaLink="false">http://www.zhonganzhiyou.com/?p=258</guid>
		<description><![CDATA[
The researcher also revised its forecast for how much advertising money would be attracted by the two leading social networks, MySpace and Facebook. In its previous prediction, eMarketer said MySpace would bring in $755 million, down 11.2 percent from eMarketer&#8217;s original $850 million estimate. Facebook advertisers are expected to spend $265 million, a 12.9 percent [...]]]></description>
			<content:encoded><![CDATA[<p>
The researcher also revised its forecast for how much advertising money would be attracted by the two leading social networks, MySpace and Facebook. In its previous prediction, eMarketer said MySpace would bring in $755 million, down 11.2 percent from eMarketer&#8217;s original $850 million estimate. Facebook advertisers are expected to spend $265 million, a 12.9 percent drop from the earlier forecast of $305 million.
</p>
<p>
eMarketer on Tuesday revised its projections for social-network ad spending in the U.S. this year to $1.4 billion, down from the previous projection of $1.6 billion. The Internet market researcher said the poor economy was partly to blame for the revision.
</p>
<p>
Making money off social-network advertising may prove tougher than originally thought.
</p>
<p>
The revised projections come on the heels of Rupert Murdoch blaming the U.S. economy for putting the squeeze on advertising budgets. Fox Interactive Media, which oversees all News Corp. Internet business, including MySpace.com, announced that it expected to fall $100 million short of its ambitious $1 billion annual revenue goal.
</p>
<p>
&#8220;Social-network sites are still trying to figure out what sort of advertising works,&#8221; Debra Aho Williamson, a senior analyst who authored the report, said in a statement. &#8220;Tapping into consumers&#8217; conversations and spreading brand awareness virally has proven more challenging than companies originally thought.&#8221;
</p>
<p>
Still, the market research firm expects the sector to grow by 55 percent in 2008.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.zhonganzhiyou.com/index.php/2010/08/29/ad-spending-forecast-lowered-for-social-networks/feed/</wfw:commentRss>
		</item>
		<item>
		<title>Bubble 2.0 watch  Mowser withers away, founder see</title>
		<link>http://www.zhonganzhiyou.com/index.php/2010/08/24/bubble-20-watch-mowser-withers-away-founder-see/</link>
		<comments>http://www.zhonganzhiyou.com/index.php/2010/08/24/bubble-20-watch-mowser-withers-away-founder-see/#comments</comments>
		<pubDate>Tue, 24 Aug 2010 09:22:40 +0000</pubDate>
		<dc:creator>admin</dc:creator>
		
		<category><![CDATA[Uncategorized]]></category>

		<guid isPermaLink="false">http://www.zhonganzhiyou.com/?p=256</guid>
		<description><![CDATA[
The real problem is that Mowser fit right into a niche that is likely disappearing. Here&#8217;s the thing: the last year has seen a trend toward narrowing the gap between the desktop Web and the mobile Web. A bizarre hardware company called Apple released this cute little device called the &#8220;iPhone&#8221; that a [...]]]></description>
			<content:encoded><![CDATA[
<p>The real problem is that Mowser fit right into a niche that is likely disappearing. Here&#8217;s the thing: the last year has seen a trend toward narrowing the gap between the desktop Web and the mobile Web. A bizarre hardware company called Apple released this cute little device called the &#8220;iPhone&#8221; that a couple of people bought, and one of the cool features on it is that you can browse Web sites more or less just as they appear on a regular computer. There are still plenty of people out there with far less advanced mobile phones, but many of them still aren&#8217;t browsing the mobile Web in the first place.</p>
<p>Trouble raising venture capital? Search-engine optimization strategy not working out? Sounds like what the irrational-exuberance crowd has been talking about.</p>
<p>Beattie also acknowledged the inevitable: &#8220;Yes, this means I have to find a real job again.&#8221;</p>
<p>Beattie seemed to get the point. &#8220;I think anyone currently developing sites using XHTML-MP markup, no Javascript, geared towards cellular connections and two inch screens are simply wasting their time, and I&#8217;m tired of wasting my time,&#8221; he wrote. The presence of a separate &#8220;mobile Web,&#8221; he said, is &#8220;limited at best, and dying at worst.&#8221; He probably has the right idea. Other start-ups focusing on mobile Web sites might want to take note.</p>
<p>Granted, it wasn&#8217;t a particularly hyped dot-com. But I&#8217;m guessing that more than a few start-ups will be commiserating soon.</p>
<p>&#8220;We haven&#8217;t been able to raise funding, and as a site, growth has been flat or falling for the past couple months because of various search-engine tweaks I&#8217;ve done,&#8221; founder and former Yahoo mobile strategist Russell Beattie related in a blog post. &#8220;We&#8217;ll keep the site running for the time being, but we&#8217;re going to encourage others to not rely on the service as it could disappear in the future.&#8221;</p>
<p>It&#8217;s not like Pets.com closing its doors or anything, but here&#8217;s another small sign that we could be nearing the beginning of the end of Bubble 2.0: Mowser.com, a start-up that &#8220;translates&#8221; Web sites into mobile-friendly versions, is dying a quiet death.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.zhonganzhiyou.com/index.php/2010/08/24/bubble-20-watch-mowser-withers-away-founder-see/feed/</wfw:commentRss>
		</item>
		<item>
		<title>Wisdom of the crowd comes to the enterprise</title>
		<link>http://www.zhonganzhiyou.com/index.php/2010/08/21/wisdom-of-the-crowd-comes-to-the-enterprise/</link>
		<comments>http://www.zhonganzhiyou.com/index.php/2010/08/21/wisdom-of-the-crowd-comes-to-the-enterprise/#comments</comments>
		<pubDate>Sat, 21 Aug 2010 07:49:11 +0000</pubDate>
		<dc:creator>admin</dc:creator>
		
		<category><![CDATA[Uncategorized]]></category>

		<guid isPermaLink="false">http://www.zhonganzhiyou.com/?p=254</guid>
		<description><![CDATA[Prediction markets are no longer the province of academic research or consumer services, such as Hubdub and NewsFutures. In a new report from Forrester Research, &#8220;Prediction Markets: Wisdom Of The Crowd Comes To The Enterprise&#8221; ($279), Oliver Young makes the case that prediction markets are a valuable tool for executive decision-making, lowering the cost of [...]]]></description>
			<content:encoded><![CDATA[<p>Prediction markets are no longer the province of academic research or consumer services, such as Hubdub and NewsFutures. In a new report from Forrester Research, &#8220;Prediction Markets: Wisdom Of The Crowd Comes To The Enterprise&#8221; ($279), Oliver Young makes the case that prediction markets are a valuable tool for executive decision-making, lowering the cost of forecasting and increasing accuracy. Many companies have been using prediction markets for years, but Young predicts that collecting the wisdom of the crowd will become more mainstream in enterprises.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.zhonganzhiyou.com/index.php/2010/08/21/wisdom-of-the-crowd-comes-to-the-enterprise/feed/</wfw:commentRss>
		</item>
		<item>
		<title>Disk encryption may not be secure enough, new rese</title>
		<link>http://www.zhonganzhiyou.com/index.php/2010/08/21/disk-encryption-may-not-be-secure-enough-new-rese/</link>
		<comments>http://www.zhonganzhiyou.com/index.php/2010/08/21/disk-encryption-may-not-be-secure-enough-new-rese/#comments</comments>
		<pubDate>Sat, 21 Aug 2010 05:55:54 +0000</pubDate>
		<dc:creator>admin</dc:creator>
		
		<category><![CDATA[Uncategorized]]></category>

		<guid isPermaLink="false">http://www.zhonganzhiyou.com/?p=252</guid>
		<description><![CDATA[

Computer scientists have discovered a novel way to bypass the encryption used in programs like Microsoft&#8217;s BitLocker and Apple&#8217;s FileVault and then view the contents of supposedly secure files.


In a paper (PDF) published Thursday that could prompt a rethinking of how to protect sensitive data, the researchers describe how they can extract the contents of [...]]]></description>
			<content:encoded><![CDATA[<p>
<p>
Computer scientists have discovered a novel way to bypass the encryption used in programs like Microsoft&#8217;s BitLocker and Apple&#8217;s FileVault and then view the contents of supposedly secure files.
</p>
<p>
In a paper (PDF) published Thursday that could prompt a rethinking of how to protect sensitive data, the researchers describe how they can extract the contents of a computer&#8217;s memory and discover the secret encryption key used to scramble files. (I tested these claims by giving them a MacBook with FileVault; here&#8217;s a slideshow.)
</p>
<p>
&#8220;There seems to be no easy remedy for these vulnerabilities,&#8221; the researchers say. &#8220;Simple software changes are likely to be ineffective; hardware changes are possible but will require time and expense; and today&#8217;s Trusted Computing technologies appear to be of little help because they cannot protect keys that are already in memory. The risk seems highest for laptops, which are often taken out in public in states that are vulnerable to our attacks. These risks imply that disk encryption on laptops may do less good than widely believed.&#8221;
</p>
<p>
The nine researchers listed on the paper include San Francisco-area programmers Jacob Appelbaum and Seth Schoen and a team of Princeton University computer scientists such as graduate students J. Alex Halderman and Nadia Heninger and professor Ed Felten. The paper is titled &#8220;Lest We Remember: Cold Boot Attacks on Encryption Keys.&#8221;
</p>
<p>
Their technique doesn&#8217;t attack the encryption directly. Rather, it relies on gaining access to the contents of a computer&#8217;s RAM&#8211;through a mechanism as simple as booting a laptop over a network or from a USB drive&#8211;and then scanning for encryption keys. How the scan is done is one of the most clever portions of the paper.
</p>
<p>
The reason I say this research could prompt a rethinking of how to protect data is that many of us who use encrypted file-systems believe that if our computers are lost or stolen, our data will be secure. But if a thief (or nosy border guard, or FBI agent) nabs my laptop locked with a screen saver or in sleep mode with the RAM intact, the paper shows that encryption provides no protection.
</p>
<p>
&#8220;You can&#8217;t rely on the screen saver,&#8221; said Peter Gutmann, a computer science professor at the University of Auckland in New Zealand who has done related work but is not affiliated with Thursday&#8217;s paper. &#8220;If you really are that worried, you have to turn off your PC.&#8221;
</p>
<p>
The researchers say their technique works against Apple&#8217;s FileVault, the BitLocker Drive Encryption feature included in the Enterprise and Ultimate versions of Windows Vista, the open-source product TrueCrypt, and the dm-crypt subsystem built into Linux kernels starting with 2.6. The other researchers include William Clarkson, William Paul, and Ariel J. Feldman.
</p>
<p>
In its marketing literature, Apple promises that, with FileVault turned on, &#8220;the data in your home folder is encoded and your information is secure if your computer is lost or stolen.&#8221; When I contacted the company for comment, Apple would say only this: &#8220;Apple takes security very seriously and has a great track record of addressing potential vulnerabilities before they can affect users. We always welcome feedback on how to improve security on the Mac.&#8221;
</p>
<p>
Microsoft was more forthcoming, saying:
</p>
</p>
<p>The claims detailed in the Princeton paper are not vulnerabilities, per se, but simply detail the fact that contents that remain in a computer&#8217;s memory can be accessed by a determined third party if the system is running. BitLocker is an effective solution to help safeguard personal and private data on mobile PCs and provides a number of protection options that meet different end-user needs. Like all full volume encryption products BitLocker has a key in memory when the system is running in order to encrypt/decrypt data, on the fly, for the drive/s in use. If a system is in &#8216;Sleep mode&#8217; it is, in effect, still running. We recognize users want advice with regards to BitLocker and have published best practice guidance in the Data Encryption Toolkit (available here). In it we discuss the balance of security and usability and detail that the most secure method to use BitLocker is hibernate mode and with multi-factor authentication. </p>
<p>
At this point, clever readers might be thinking: If the attack involves executing a specific memory-dump utility while rebooting, then Apple, HP, Toshiba, and so on can simply lock down the hardware to prevent any such utility from being run until the RAM can be safely wiped. Problem solved?
</p>
<p>
Well, not so fast. Another interesting technique that Thursday&#8217;s paper describes is how to supercool the RAM chips with a can of compressed air held upside-down. Then the cooled memory can be physically extracted and inserted in another computer owned by the attacker. (If the memory is permanently affixed to the motherboard, there are still other methods [PDF] that can be used.) </p>
<p>
The paper states:
</p>
</p>
<p>Contrary to the expectation that DRAM loses its state quickly if it is not regularly refreshed, we found that most DRAM modules retained much of their state without refresh, and even without power, for periods lasting thousands of refresh intervals. At normal operating temperatures, we generally saw a low rate of bit corruption for several seconds, followed by a period of rapid decay. We obtained surface temperatures of approximately &#8722;50 degrees C with a simple cooling technique: discharging inverted cans of &#8220;canned air&#8221; duster spray directly onto the chips. At these temperatures, we typically found that fewer than 1% of bits decayed even after 10 minutes without power. To test the limits of this effect, we submerged DRAM modules in liquid nitrogen (ca. &#8722;196 degrees C) and saw decay of only 0.17% after 60 minutes out of the computer. </p>
<p>
Gutmann, the New Zealand computer scientist, previewed this kind of attack in a 1996 paper that said: &#8220;To extend the life of stored bits with the power removed, the temperature should be dropped below -60 degrees C. Such cooling should lead to weeks, instead of hours or days, of data retention.&#8221;
</p>
<p>
But in reality, such extreme methods probably won&#8217;t be necessary. If thieves, FBI agents, or border guards have physical access to a computer that&#8217;s turned on, they have other options. In 2004, Maximillian Dornseif showed how to extract the contents of a computer&#8217;s memory merely by plugging in an iPod to the Firewire port. A subsequent presentation by &#8220;Metlstorm&#8221; in 2006 expanded the Firewire attack to Windows-based systems.
</p>
<p>
Translation: If you use an encrypted file-system and want privacy and security when you&#8217;re not using your computer, you need to shut down your computer and wait a few minutes for the RAM contents to vanish. Another option for sensitive files is to use an encrypted volume like a PGP disk and unmount it as soon as you&#8217;re done.
</p>
<p>
That assumes PGP erases the encryption keys from memory once the volume is unmounted, which the company swears it does. &#8220;We go well beyond that,&#8221; said John Dasher, PGP Corporation&#8217;s director of product management, adding that PGP products take &#8220;very elaborate measures to make sure that things are properly and completely disposed of.&#8221; </p>
<p>
He downplayed the potential threat to users of PGP, which provides both whole disk encryption and volume encryption and which the researchers speculate will be vulnerable as well. &#8220;We never say buy whole disk and you&#8217;re done,&#8221; Dasher said. &#8220;You want to protect the device. You want to protect the data itself. And of course you&#8217;re not going to get rid of your network protection. Security&#8217;s not about buying whole disk encryption (and calling it a day).&#8221; </p>
<p>
In response to the overall claim about the vulnerability of encrypted file-systems, Dasher said, &#8220;Even if it&#8217;s true, I don&#8217;t know if it changes my behavior.&#8221;
</p>
<p>
It&#8217;s been known for a long time&#8211;at least since Gutmann&#8217;s 1996 paper&#8211;that encryption keys are vulnerable when stored in memory. And additional research (PDF) by Adi Shamir and Nicko van Someren two years later talks about identifying encryption keys by scanning hard drives.
</p>
<p>
By demonstrating the limits of off-the-shelf encryption products, what the research published on Thursday may do is shift the debate from academic arguments to how to protect users in real-world situations. It also advances previous research by calculating how long dynamic RAM chips hold their contents at different temperatures (little decay until a few seconds elapse) and offering algorithms to reconstruct encryption keys even when the contents of memory have begun to decay.
</p>
<p>
The reconstruction technique works by taking into account what&#8217;s known as a &#8220;key schedule&#8221; for algorithms such as DES and AES, the U.S. government&#8217;s Advanced Encryption Standard. A key schedule is used in certain kinds of ciphers that do multiple rounds of encryption. The computer scientists said that it takes them &#8220;a few seconds&#8221; to reconstruct AES keys with 10 percent of the bits decayed; the more decay, the longer it takes.
</p>
<p>
So what are the countermeasures? As I noted above, shutting down the system, zeroing memory on boot, and unmounting encrypted volumes are some options. The paper suggests others, including limiting booting from network or removable drives, better methods of putting a computer to sleep (perhaps involving encrypting the portions of memory with the keys to the file system), recomputing keys when they&#8217;re needed to avoid keeping copies in memory, and hardware changes such as tamperproof or encrypting RAM.
</p>
<p>
There is one irony here. One Princeton Ph.D. student, Joseph Calandrino, is listed as having &#8220;performed this research while under appointment to the Department of Homeland Security.&#8221; Because this research lets them bypass file-system encryption in some cases, police agencies are the most obvious and immediate beneficiaries of this research.
</p>
<p>
As early as 1984, the FBI Laboratory began developing computer forensics hardware. And we know from the Scarfo, Forrester-Alba, and Boucher cases how intent federal police agencies are in trying to find ways to circumvent the privacy that encryption provides. If the feds didn&#8217;t know about these techniques already&#8211;remember, they were years ahead of everyone else in inventing public key cryptography&#8211;today will be a very good day for Homeland Security.
</p>
<p>
Update 12:30pm: I&#8217;ve been asked whether encrypted swap was turned on in our test to see if they could bypass FileVault. It was. But it actually doesn&#8217;t matter; remember, they&#8217;re analyzing the contents of RAM, not the contents of the hard drive.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.zhonganzhiyou.com/index.php/2010/08/21/disk-encryption-may-not-be-secure-enough-new-rese/feed/</wfw:commentRss>
		</item>
		<item>
		<title>FaceStat  What happens when Hot or Not hooks up wi</title>
		<link>http://www.zhonganzhiyou.com/index.php/2010/08/21/facestat-what-happens-when-hot-or-not-hooks-up-wi/</link>
		<comments>http://www.zhonganzhiyou.com/index.php/2010/08/21/facestat-what-happens-when-hot-or-not-hooks-up-wi/#comments</comments>
		<pubDate>Sat, 21 Aug 2010 04:52:44 +0000</pubDate>
		<dc:creator>admin</dc:creator>
		
		<category><![CDATA[Uncategorized]]></category>

		<guid isPermaLink="false">http://www.zhonganzhiyou.com/?p=250</guid>
		<description><![CDATA[I&#8217;ll admit it&#8211;one of my favorite sites years ago was Hot or Not. 
Not because it combined the best facets of MySpace and StumbleUpon before either site existed, but because it was devilishly fun to put your own picture up there and get a general consensus of how other people thought you looked on a [...]]]></description>
			<content:encoded><![CDATA[<p>I&#8217;ll admit it&#8211;one of my favorite sites years ago was Hot or Not. </p>
<p>Not because it combined the best facets of MySpace and StumbleUpon before either site existed, but because it was devilishly fun to put your own picture up there and get a general consensus of how other people thought you looked on a purely superficial level. Admittedly, there are serious flaws in such a system. Your picture could be not your own&#8211;and the camera can easily play tricks. What made the whole thing so damn fascinating were the stats. You got to see how you stacked up on a numerical scale, which at the time was revolutionary.</p>
<p>Following in Hot or Not&#8217;s steps is FaceStat&#8211;a perversion of this idea, letting others rate you in a dozen categories, and best of all, making all the results public for everyone to see.</p>
<p>Some of the categories are downright sophomoric, like &#8220;does this person look intoxicated&#8221; or guessing their wealth and political party. These stats splash out across people&#8217;s photos with little animations and can be browsed one at a time to see the specific percentages of how people ranked your shots.</p>
<p>One big difference from services like Hot or Not is that FaceStat uses Amazon&#8217;s Mechanical Turk to do the processing, harnessing the power of the masses to do the legwork. Because of this, users are limited to just one upload a day, but will get results back in just a few hours. In our test we got our picture back in just 10 minutes.</p>
<p>To upload your own, just go here. You can add a shot from your hard drive, or Facebook. I have to give the site bonus points for not only letting you peruse your latest shots, but your entire folder of previous Facebook profile shots, which should make finding that shot of you that doesn&#8217;t look anything like you far easier.</p>
<p>Let other people figure out your life story from a single snap shot using FaceStat, a Web 2.0 version of Hot or Not.</p>
<p>(Credit:<br />
CNET Networks)</p>
]]></content:encoded>
			<wfw:commentRss>http://www.zhonganzhiyou.com/index.php/2010/08/21/facestat-what-happens-when-hot-or-not-hooks-up-wi/feed/</wfw:commentRss>
		</item>
		<item>
		<title>The green(er)ing of Web 2.0 Expo</title>
		<link>http://www.zhonganzhiyou.com/index.php/2010/08/21/the-greenering-of-web-20-expo/</link>
		<comments>http://www.zhonganzhiyou.com/index.php/2010/08/21/the-greenering-of-web-20-expo/#comments</comments>
		<pubDate>Sat, 21 Aug 2010 03:37:13 +0000</pubDate>
		<dc:creator>admin</dc:creator>
		
		<category><![CDATA[Uncategorized]]></category>

		<guid isPermaLink="false">http://www.zhonganzhiyou.com/?p=248</guid>
		<description><![CDATA[As someone who attends a fair number of conferences in many different cities, it&#8217;s become painfully clear to me that, in general, the confabs&#8217; organizers have not yet climbed fully aboard the green train.


That is to say, conferences are often not the best examples of a focus on taking care of the environment.


For example, while [...]]]></description>
			<content:encoded><![CDATA[<p>As someone who attends a fair number of conferences in many different cities, it&#8217;s become painfully clear to me that, in general, the confabs&#8217; organizers have not yet climbed fully aboard the green train.
</p>
<p>
That is to say, conferences are often not the best examples of a focus on taking care of the environment.
</p>
<p>
For example, while I was told at the recent South by Southwest that its efforts to be green were improved from a year earlier, the endless sea of attendee bags on display&#8211;each with a small mountain of literature inside&#8211;was a visceral testament to the fact that it has a long way to go.
</p>
<p>At South by Southwest 2008, there was a nearly endless sea of attendee bags, each of which was full of literature that would largely end up being tossed away.</p>
<p>(Credit:<br />
Daniel Terdiman/CNET News.com)</p>
<p>
That&#8217;s why I was pleased to see a post today on the official Web 2.0 Expo blog announcing that event&#8217;s new attempts to address its impact on the environment.
</p>
<p>
Note: The Web 2.0 Expo is an official partner of CNET&#8217;s Webware 100 Awards.
</p>
<p>
&#8220;It&#8217;s a bit hard on the old conscience being employed in an industry (that) creates as much waste as the events industry,&#8221; wrote Web 2.0 Expo general manager and co-chair Jennifer Pahlka. &#8220;Much is made of the carbon footprint of an event, but I&#8217;m well aware of an even more daunting measure, the ecological footprint, which looks at the sum total of resources used. Take a look at all that goes into producing an event the size of Web 2.0 Expo (including what our sponsors, exhibitors, and speakers bring) and you can either get depressed or try to tackle the problem. We&#8217;re doing both&#8230; We have a long way to go, but I thought I&#8217;d share some of the changes we&#8217;ve implemented this year.&#8221;
</p>
<p>
Among the changes Pahlka mentioned: Using 100 percent recycled materials for the program guide, attendee direct mail, attendee bag, and event signage; reducing the program guide by a third; recycling badges; providing water coolers and encouraging attendees to bring their own bottles; and more.
</p>
<p>
Of course, even Pahlka acknowledged that the efforts are only a start. And I do wonder how many attendees will bring their own bottles or recycle their program guides&#8211;another initiative.
</p>
<p>
&#8220;One thing I&#8217;ve become painfully aware of is that recycling is a good step, but not generating the waste in the first place is orders of magnitude more beneficial to the earth,&#8221; Pahlka wrote. &#8220;That&#8217;s why &#8216;reduce&#8217; should always be the real goal. We&#8217;re working with sponsors on further steps for reducing, and with our vendors on all three Rs. In some areas, we&#8217;re aware we&#8217;re taking risks. For instance, we&#8217;ve tried to limit the print run of the program guide this year, so there&#8217;s a chance we&#8217;ll run out if people don&#8217;t follow our lead and leave their used guides for others to reuse. We hope you will all be tolerant of any errors we make in support of this effort.&#8221;
</p>
<p>
Well, a start is a good thing, and I would love to see other confabs do the same thing. Or more.
</p>
<p>
Anecdotally, I heard that the Office 2.0 conference has put on a fully green event, though I couldn&#8217;t find any direct evidence of that.
</p>
<p>
But if you&#8217;ve got good examples of conferences that are making impressive strides toward the greening of the industry, I&#8217;d like to hear about them. Please leave a comment or send me an email to daniel dot terdiman at cnet dot com.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.zhonganzhiyou.com/index.php/2010/08/21/the-greenering-of-web-20-expo/feed/</wfw:commentRss>
		</item>
		<item>
		<title>Device could prevent baggage carousel hell</title>
		<link>http://www.zhonganzhiyou.com/index.php/2010/08/21/device-could-prevent-baggage-carousel-hell/</link>
		<comments>http://www.zhonganzhiyou.com/index.php/2010/08/21/device-could-prevent-baggage-carousel-hell/#comments</comments>
		<pubDate>Sat, 21 Aug 2010 02:24:41 +0000</pubDate>
		<dc:creator>admin</dc:creator>
		
		<category><![CDATA[Uncategorized]]></category>

		<guid isPermaLink="false">http://www.zhonganzhiyou.com/?p=246</guid>
		<description><![CDATA[
(Via Israel 21C) 
I wish I&#8217;d had the Easy-2-Pick electronic luggage tag in hand Sunday night. I was just off a long-delayed flight that appeared to transport the entire population of Southern California to San Francisco. And wouldn&#8217;t you know it? Ninety percent of the seemingly millions of passengers jostling for their suitcases seemed to [...]]]></description>
			<content:encoded><![CDATA[<p>
(Via Israel 21C) </p>
<p>I wish I&#8217;d had the Easy-2-Pick electronic luggage tag in hand Sunday night. I was just off a long-delayed flight that appeared to transport the entire population of Southern California to San Francisco. And wouldn&#8217;t you know it? Ninety percent of the seemingly millions of passengers jostling for their suitcases seemed to have the same black bag. </p>
<p> The pair also developed a less sophisticated, less expensive gizmo&#8211;a $4 strip that fits onto a suitcase and flashes LEDs in four different colors once it hits the carousel. The owner of the baggage sets the light combination. </p>
<p> (Credit:<br />
Israel21C) </p>
<p> The Easy-2-Pick, expected out this fall for $15 to $20, is a handheld device that lights up, beeps, and vibrates once your suitcase makes it onto the carousel and within 40 to 50 feet of where you&#8217;re standing. The heads-up gives you a chance to stand away from the crowd, possibly avoiding an elbow in the gut as you try to locate your lookalike bag. </p>
<p> The gadget comes courtesy of Israeli developer Yoav Ben-David and his partner, Zvi Kanor of American Express Travel in Tel Aviv. It consists of a circular receiver on a keychain and a credit card-size transmitter that goes around the handle of your baggage. </p>
]]></content:encoded>
			<wfw:commentRss>http://www.zhonganzhiyou.com/index.php/2010/08/21/device-could-prevent-baggage-carousel-hell/feed/</wfw:commentRss>
		</item>
		<item>
		<title>Microsoft&#8217;s worst emails of all time</title>
		<link>http://www.zhonganzhiyou.com/index.php/2010/08/20/microsofts-worst-emails-of-all-time/</link>
		<comments>http://www.zhonganzhiyou.com/index.php/2010/08/20/microsofts-worst-emails-of-all-time/#comments</comments>
		<pubDate>Fri, 20 Aug 2010 09:34:01 +0000</pubDate>
		<dc:creator>admin</dc:creator>
		
		<category><![CDATA[Uncategorized]]></category>

		<guid isPermaLink="false">http://www.zhonganzhiyou.com/?p=244</guid>
		<description><![CDATA[
I would buy a Mac today if I was not working at Microsoft.
I am not sure how the company lost sight of what matters to our customers (both business and home) the most, but in my view we lost our way. I think our teams lost sight of what bug-free means, what resilience means, what [...]]]></description>
			<content:encoded><![CDATA[
<p>I would buy a Mac today if I was not working at Microsoft.</p>
<p>I am not sure how the company lost sight of what matters to our customers (both business and home) the most, but in my view we lost our way. I think our teams lost sight of what bug-free means, what resilience means, what full scenarios mean, what security means, what performance means, how important current applications are, and really understanding what the most important problems [our] customers face are. I see lots of random features and some great vision, but that doesn&#8217;t translate onto great products.</p>
<p>There&#8217;s much more. I encourage you to read them all. They illustrate that Microsoft has long been one of the most forward-thinking and self-aware companies in the business&#8230;but also one of the most threatened (and threatening).</p>
<p>But then there&#8217;s also the internal acknowledgements of the rising threat (and validity) of open-source software:</p>
<p>commentary</p>
<p>The Seattle Post Intelligencer has collected and ranked the all-time worst (read: most incriminating) Microsoft emails of all time, and a dandy list it is, too. For heavy email users like me, it&#8217;s also a reminder that some things are better left unsaid&#8230;or at least unwritten.</p>
<p>The project must be cool enough that the intellectual reward adequately compensates for the time invested by developers. The Linux OS [operating system] excels in this respect&#8230;.</p>
<p>Perhaps my favorite of the bunch is Jim Allchin&#8217;s 2004 blast against Windows&#8230;and in favor of the<br />
Mac:</p>
<p>OSS [open-source software] systems are considered credible because the source code is available from potentially millions of places and individuals. The likelihood that Apache will cease to exist is orders of magnitudes lower than the likelihood that WordPerfect, for example, will disappear. The disappearance of Apache is not tied to the disappearance of binaries (which are affected by purchasing shifts, etc.) but rather to the disappearance of source code and the knowledge base&#8230;.</p>
<p>Microsoft was first to spot the open-source threat. It&#8217;s unfortunate that it didn&#8217;t also recognize the open-source opportunity.</p>
<p> [On attacking Linux.] Linux&#8217;s homebase is currently commodity network and server infrastructure. By folding extended functionality (e.g. Storage+ in file systems, DAV/POD for networking) into today&#8217;s commodity services, we raise the bar &#038; change the rules of the game.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.zhonganzhiyou.com/index.php/2010/08/20/microsofts-worst-emails-of-all-time/feed/</wfw:commentRss>
		</item>
		<item>
		<title>This week in laptops</title>
		<link>http://www.zhonganzhiyou.com/index.php/2010/08/20/this-week-in-laptops/</link>
		<comments>http://www.zhonganzhiyou.com/index.php/2010/08/20/this-week-in-laptops/#comments</comments>
		<pubDate>Fri, 20 Aug 2010 09:33:46 +0000</pubDate>
		<dc:creator>admin</dc:creator>
		
		<category><![CDATA[Uncategorized]]></category>

		<guid isPermaLink="false">http://www.zhonganzhiyou.com/?p=242</guid>
		<description><![CDATA[(Credit:
Apple) 

Moving on to cheap laptop news, it seems that manufacturers could very well be racing to the bottom, price-wise. The latest example: Dell confirmed its plans to build more cheap laptop models for the Asia market. It&#8217;s a trend that has the attention of at least one senior vice president at Sony; Mike Abary [...]]]></description>
			<content:encoded><![CDATA[<p>(Credit:<br />
Apple) </p>
<p>
Moving on to cheap laptop news, it seems that manufacturers could very well be racing to the bottom, price-wise. The latest example: Dell confirmed its plans to build more cheap laptop models for the Asia market. It&#8217;s a trend that has the attention of at least one senior vice president at Sony; Mike Abary expressed concern that systems like the $299 Eee PC could potentially force all the major players to lower their prices. </p>
<p>
Other tidbits: the CNET Editors Choice-winning ThinkPad X300 officially became available on Tuesday; Acer continues gobbling up computer companies, as the European Commission OK&#8217;d the company&#8217;s acquisition of Packard Bell; California-based company Nanoexa is working on batteries that don&#8217;t explode; and consumers feeling burned over Microsoft&#8217;s confusing &#8220;Vista Capable&#8221; designation for new computers can just blame Intel.
</p>
<p>
For the five of you who actually back up your laptop&#8217;s data regularly, Apple also finally started shipping the Time Capsule backup drive that Steve Jobs announced at this year&#8217;s Macworld. We&#8217;ve got our hands on one, so expect a review soon. (And seriously, start backing up your data regularly. Also, don&#8217;t forget to floss.)
</p>
<p>This week Apple updated its MacBook and MacBook Pro laptops to include Intel&#8217;s newest Penryn processors, with the Pro models also getting the multitouch track pad introduced on the MacBook Air earlier this year. Initially it looked like Apple had also updated the laptops&#8217; battery life expectations with lower numbers, despite the promise of power savings with Penryn. But as Dan Ackerman quickly pointed out, the apparent drop (from 5 hours to 4.5 hours on the 17-inch MacBook Pro) was the result of a change in how Apple reports battery life and not the battery life itself. Phew.
</p>
<p>Come on, come on, come on, come on / Touch me, baby</p>
<p>
Have a great weekend! </p>
<p>
Finally, Crave Asia offers a word of caution for buyers looking at a laptop with a Blu-ray drive, noting that displaying video in high def might take a toll on battery life. Pity that laptop with a built-in solar panel is still in the concept stage. </p>
<p>
Dipping into this week&#8217;s rumor mill we find word that Intel&#8217;s next Centrino mobile platform, codenamed Montevina, will double the graphics performance of its current Centrino (aka Santa Rosa) lineup&#8211;but the company isn&#8217;t expected to release the new platform for a few months, so verification of that claim will have to wait. We&#8217;ve also got the scoop on Diamondville, Intel&#8217;s upcoming single-core (read: slower performance, lower power consumption) Celeron replacement, which will most likely make its way into laptops in emerging markets. </p>
<p>
That&#8217;s not to say Sony&#8217;s not keeping up with the high end of laptops as well: this week saw the newest designs for the &#8220;Graphic Splash&#8221; editions of FZ series notebooks. Not only do you have your choice of groovy colors and patterns, but you can now choose the font for your key labels. That&#8217;s progress!</p>
]]></content:encoded>
			<wfw:commentRss>http://www.zhonganzhiyou.com/index.php/2010/08/20/this-week-in-laptops/feed/</wfw:commentRss>
		</item>
	</channel>
</rss>
