Monday, March 28, 2005

For Photo-Share Sites, A Second Act on Web


Say cheese: Your picture may soon be online. It's as though the Web has just discovered, or perhaps rediscovered, photography.

In recent days, Yahoo and Hewlett-Packard have both acquired big photo-sharing sites, though the two, Snapfish, now H-P's, and Flickr, bought by Yahoo, each has its own emphasis. By now, just about every big-name Internet, computer and consumer-electronics company has some sort of photo-oriented Web site or service, from Sony's ImageStation to Kodak's Ofoto (now called Kodak EasyShare Gallery), Apple Computer's iPhoto and Google's Picassa.

The current move toward photography is the Internet's second encounter with the field. Back in the glory days of the dot-com bubble, photo sites sprang up like video cameras at a kindergarten recital. These sites typically offered free photo storage, and occasionally even free photo processing and prints. Many didn't survive the bust.

Most of the current crop of photo sites and services still store pictures for free, which they can do because disk storage has gotten so cheap. They also take traditional steps to try to make money from your use of them, often by trying to get you to order prints of your digital pictures, along with calendars and mouse pads.

But getting consumers to do something physical with a virtual image is an increasingly tough sell. Photographs today are much more likely to be e-mailed than they are to be printed. In fact, in middle-class families all around the country, kids are growing up looking at more family photos than their parents ever dreamed possible -- courtesy of, if nothing else, their cellphone cameras -- but without ever actually holding any of these pictures in their hands. Sometimes, they don't even bother to keep the pictures, taking a quick look at them and then erasing them to make room for even more.

When you are a company that is used to selling well-branded, high-margin photo-based consumables, like Kodak's photo paper or H-P's ink-jet printer ink, this new world of abundant but entirely screen-based photography can be a scary place.

Kodak had to begin making its peace with the trend several years back. It will be a struggle for H-P, too. The company makes roughly a fifth of its profit from the sale of printer ink. For the time being, both companies seem content to use the Internet to try to collect all their potential customers in a single place.

Someone who had spent the last few years in a cave wouldn't find anything about sites like Snapfish and EasyShare Gallery very difficult to understand. They are dedicated to the preservation of familiar Kodak moments, in which adorable, sentimental photos are shared, often with the grandparents.

Flickr, though, represents something of a generational shift in photo sites. It has a hipper sensibility, one that owes less to the world of birthday-party portraiture and more to the world of blogs and online communities. That might explain why it was bought by Yahoo rather than by H-P or Kodak.

The Flickr site lets you upload your photographs and then assign labels, or "tags," to them. These are a bit like captions, though a picture can have more than one tag. You can then search through other tags on the site to find people interested in the same things you are. The most common tag on Flickr, by the way, is "cameraphone."

And while you can set up your Flickr account so that only friends and family can see your pictures and tags, just as photos used to be shared in the old days, what would be the point of that? Indeed, Flickr is aimed at the growing numbers of people who would never dream of doing something without chronicling it online, often while they are still doing it.

Flickr was started a year ago by a husband and wife team in Vancouver, British Columbia, and it grew by word of mouth to the point where it was able to attract Yahoo's attention. Flickr used generic Internet technologies that other services could take advantage of. As a result, there is a constellation of emerging technologies around Flickr, making the site a good example of the new rule for Web businesses: If you want to get big, let other businesses help you do it.

Mappr, for instance, was developed by a team of San Francisco programmers. The free Web site looks through the tags of all the Flickr pictures, and tries to guess where the picture was taken. Sometimes the job is easy, as when the tag says "Golden Gate Bridge." Other times, say when the tag just says "Blushing bride," it's impossible.

For all the pictures for which it has a location, Mappr creates a map, with a small "thumbnail" of each shot at the place on the map where it was taken. It is thus a great way to see what people in different parts of the country are photographing, or to see how pictures of, say, "home remodeling" vary from region to region.

Sometimes, the results are remarkable. Mappr's programmers searched Flickr for all shots tagged "Route 66," and then plotted them. Sure enough, the pictures wound from Chicago to L.A., with stops in Kingman, Barstow and San Bernardino. Oh, so pretty.

Friday, March 25, 2005

Does IM stand for insecure messaging?


update When Jimmy Kuo gave his 13-year-old daughter permission to begin using America Online's AIM Express, he warned her that if she managed to download any viruses, the result would be no IM for a long, long time.

Of course, since Kuo is a research fellow at IT security specialist McAfee, he's significantly better informed about the risks of instant messaging than the average parent. Because teenagers as a group are among the most active regular users of IM, lax habits at the keyboard on their part could result in a serious problem, Kuo said.

At the heart of the matter is the growing number of IM-borne threats, most of which rely for their proliferation on ignorance of their existence among users and IT administrators.


What's new:
Rapid development in the sophistication and frequency of IM-borne attacks is almost guaranteed, security industry experts say.

Bottom line:
Experts agree that all IM users--whether on a home computer or a corporate network--need more education in how to protect themselves.

More stories on IM security

"I sat her down and made her read a story about attacks before I let her log onto IM," Kuo said. "Unfortunately, the average parent isn't going to be aware of this problem, and a person unaware of the IM threat is the biggest risk that exists for these viruses to have some success."

Rapid development in the sophistication and frequency of IM-borne attacks is almost guaranteed, security industry experts have said.

Nearly all agree that all IM users--whether adults or teenagers, whether on a home computer or a corporate network--need more education in how to protect themselves.

This month, two offshoots of the rapidly evolving Bropia IM worm emerged, called Kelvir and Serflog. In less than three months, 2005 has already established itself as a watershed year for attacks. Since January, antivirus researchers have identified more than a dozen of the threats, which typically are Trojan horses rather than flaw-exploiting viruses. That's more than three times the number of similar attacks seen on public IM networks in the same period last year, according to figures from IM security company Akonix Systems.

To Phillip Hallam-Baker, principal scientist at VeriSign, which sells network security software, the only thing that's surprising about the IM threats is that the malicious code has taken so long to materialize.

Back-stabbing buddies

Recent attacks have seen IM used to spread viruses and worms.


Date: March 8

Method: Worm sent via URL in message.

Affects: MSN Messenger

Serflog.A (Sumom)

Date: March 8

Method: Attachment carries worm. IM reads: "????omg click this!"

Affects: MSN Messenger


Date: February 3

Method: Worm in picture of a roast chicken with tan lines. Releases a second more dangerous worm, called Agabot.AJC.

Affects: MSN Messenger


Date: January 20

Method: Worm sent via URL in message. Installs bot software.

Affects: MSN Messenger


Date: September 30

Method: URLs to Web sites that host images with virus. Reads: "Check out my profile, click GET INFO!"

Affects: AOL Instant Messenger

"It's actually been interesting how few attacks there have been up to this point," Hallam-Baker said. "I think one of the things that's going on here is that as e-mail systems are being secured, there's a displacement effect and people are moving their efforts over to IM."

The vast majority of these attacks--in particular, the Bropia worm variants that use Microsoft's MSN Messenger to spread--come cloaked in messages that appear to have been sent by a known IM contact. They encourage the targeted individual to click on a Web link or to download an attachment enclosed in an IM message. In reality, these hide some form of malicious code.

Once sprung, the infectious message forwards itself to all of the names on the victim's IM buddy list, without ever giving the person who opened the threat any sign that they've launched malicious software. Some variants of Bropia also hide themselves on a PC, only to re-emerge at a later date.

One notable aspect of the recent Kelvir and Serflog offshoots of Bropia was that they bore signs that attackers have begun to use the malicious code to communicate with one another, in the same way street gangs use graffiti tags to mark their territory.

A text file deposited on infected machines by Serflog features a message to "Larissa," the name for the hacker thought to be responsible for a worm known as Assiral.A, which attempted to disable the Bropia worm.

A social, not software, glitch
Microsoft is quick to point out that Bropia and its offspring don't take advantage of any vulnerability in its IM client software. The software maker said that it is already working hard to combat the spread of the Trojan threats.

Stephen Toulouse, security program manager at Microsoft, compared today's IM-borne attacks to early e-mail viruses from the mid-1990s. When it comes to keeping IM infections from rivaling e-mail epidemics, he believes that educating customers could have a bigger impact than building better safeguards into IM applications.

"Most of the threats we've seen with IM aren't that new. They're the same sort of attacks we saw with e-mail, just delivered on a new

medium," Toulouse said. "We're already employing technological measures to help fight the problem in the next version of Messenger. But at the end of the day, it's really a matter of trying to help people to better protect themselves."

But the attackers don't have to look for new ways to formally hack IM applications while the current software remains open to Trojan-based infections, said Shimon Gruper, vice president of technology at antivirus specialist Aladdin Knowledge Systems.

How to protect yourself on IM

Take the same protective measures that you use in opening e-mail and build them into your IM habits.

Use a secure browser

Internet Explorer, Firefox, Mozilla, Safari and Opera all have the ability to encrypt Web communications and typically indicate that security is in use with a padlock icon.

Know your merchant

Check out smaller companies online by searching for complaints. If in doubt, just use sites that you know or that others have recommended.

Look before you click

Never open a link or attachment sent to you via IM until first making sure it is legitimate.

Double-check sender

Even if a message looks like it's from someone you know, make sure it's not a hoax before clicking on any links or attachments.

Protect your PC

Use firewall software to limit the kinds of data that can be sent to you over IM.

Don't talk to strangers

Do not accept IM invites or messages from contacts you don't already know.

Stay alert

Check with IM software providers to ensure that your applications are patched and up to date.

Source: CNET

"There's no need for hackers to attack the IM software yet, because unlike in e-mail, where applications have been set to block the dangerous types of attachments, there's little to no security built into IM," Gruper said. "The IM protocol, especially for Messenger, is very open and easy to use, so people can exploit that without a lot of effort, and they won't stop until the methods they're using now become less effective."

America Online, another leading provider of IM software, said that it is working to add new protections to its applications. It also said that getting the word out to consumers about the threats could have the biggest effect in alleviating the problem.

"In some cases, there are technological fixes we can use to help protect members, such as putting some automated blocks in place to keep the bad links from going through," said Andrew Weinstein, an AOL spokesman. "But we feel the best solution for protecting people is installing a healthy dose of caution among users. Even if an IM looks like its coming from someone they know, people should check with buddies to try to ensure everything is what it appears to be."

Yahoo, another major provider of instant messaging software, said it has already put preventative measures in place to help protect its IM users from attacks. These efforts include adding a mechanism to its application that limits the number of messages that can be sent out simultaneously from one of its individual customer accounts.

Until now, all the IM threats reported have been Trojan attacks that sit on top of IM software code, rather than a worm that takes advantage of a flaw to penetrate the applications themselves. But some experts believe that it's only a matter of time before such worms are released.

"We haven't seen attacks on the IM code yet, but won't surprise me if it does happen," said Ero Carrera, an antivirus researcher at security software maker F-Secure. "All it takes is for people to find one IM client that has some small code error for things to develop very quickly. Any application has some holes, and history has shown us that someone usually finds a way to hack those flaws."

Smart phone risk
There's another potential IM time bomb. The communications software is becoming popular for exchanging messages between smart phones and computers, which means it could help viruses spread from PCs to mobile devices.

Vincent Weafer, senior director of Symantec's Security Response organization, said that once IM threats begin to spread rapidly, it will be hard to keep them off wireless gadgets.

"A huge amount of IM is now translated onto smart phones, especially in Europe and Asia," Weafer said. "So when you start

looking at the problem, there's the reality that some of these threats could merge with the mobile threats."

Weafer contended that even when IM software makers address new viruses, it will be very hard to get people to update their devices, especially mobile phones.

"It's a social engineering issue," he said. "It's not so difficult to correct software flaws, but it's a monumental task in order to get people to download patches, or even to be aware that they need to get the necessary changes."

On the other hand, viruses that spread through PC-based IM clients might not be able to infect phone-based IM software, Weafer pointed out. In addition, most handset makers download automatic software updates to their models, which means they could protect devices without telling consumers they were doing so.

Neither AOL or Microsoft have made plans to launch marketing campaigns to alert people to IM threats, representatives for the companies said.

The increasing popularity of public IM applications in workplaces has opened corporate networks up to the threat of attacks too. But businesses tend to be less vulnerable targets than consumers, experts said, because most companies already have already installed firewalls and other protective technology. In addition, many companies won't allow employees to download certain files, such as attachments, over public IM networks.

Despite all this, some experts have predicted that a sharp increase in instant messaging virus attacks could cause many businesses that do not use corporate IM systems, or customized software meant just for in-house use, to reconsider whether to let workers install the applications.

According to these industry watchers, the best way to help people protect themselves is to instill the same distrust regarding Web links or attachments sent via IM that they have been taught to apply to e-mail.

"People will need to relearn what they've been told in the past about e-mail, but there are some new things, and it will take time to get the message across," said Shane Coursen, senior technology consultant for antivirus researcher Kaspersky Labs. "Software companies can only do so much to inform their customers. You have to convince them to look at every link or attachment with suspicion."

Phishers target Yahoo Messenger


Yahoo's free instant-messaging service is being targeted by phishers attempting to steal usernames, passwords and other personal information.

Yahoo confirmed Thursday that its service, Yahoo Messenger, was being targeted by a scam. According to the company, attackers are sending members a message containing a link to a fake Web site. The fake site looks like an official Yahoo site and asks the user to log in by entering a Yahoo ID and password.

Wednesday, March 23, 2005

Dot CON Job - Info Space - Part 2

Seattle Times

When times got tough, execs hid troubles, dumped stock...

Though their relationship would sour, InfoSpace Chairman Naveen Jain, left, and Go2Net CEO Russell Horowitz, right, are all smiles at a July 2000 conference call with analysts about the companies' upcoming merger. Arun Sarin, InfoSpace CEO, is at center. Within six months, all had quit. Only Sarin did not sell his stock.

When InfoSpace Chairman Naveen Jain went on CNN's financial network in late 2000, he proclaimed that his Internet company was doing great. "Our wireless business is on fire!"

But privately, he and key executives knew better.

As the company's finances worsened, key executives angled to get around trading restrictions to sell large blocks of personal stock before its value evaporated. Others just quit and sold their holdings.

Unknown to investors, Jain and his top two executives all resigned in a single week.

"I had never heard of anything like that before," Rick Thompson, former InfoSpace executive vice president, said in court documents. "It was the [Exxon] Valdez running along with nobody driving the damned thing."

Five years ago this week, at the peak of the dot-com stock mania, InfoSpace was worth $31 billion and was promising to eclipse Microsoft by bringing the Internet to everyone's cellphone.

But InfoSpace's success was an illusion, built on accounting tricks and the hype of charismatic founder Jain, a Seattle Times investigation has found.

InfoSpace had merged that October with another dot-com and, as a result, key executives could sell only a few shares for the next six months. Sales of too many shares by insiders would violate securities law and require InfoSpace to report a $1 billion loss, devastating its stock.

But interviews, court records and internal company documents show:

Key InfoSpace players

Ellen Alben: general counsel

Tammy Halstead: chief accounting officer

Larry Hile: outside auditor, Deloitte & Touche

Russell Horowitz: president

Naveen Jain: founder, chairman

Garth MacLeod: finance director

Arun Sarin: chief executive officer

Rick Thompson: executive vice president

• InfoSpace general counsel Ellen Alben demanded a demotion to skirt trading restrictions and made $1.6 million selling her stock. When her successor urged her not to sell, he said Alben brushed him off.

• Chief accounting officer Tammy Halstead took a demotion to staff accountant and sold $627,500 of stock. Jain said she wanted an "Ellen deal."

• InfoSpace concocted a plan to give its chief technology officer, who had financial problems, a fake demotion to allow him to sell shares. But in an anxious voice mail, the company's auditor warned, "If we got caught, we could burn."

• Jain himself accused several fellow executives of illegal insider trading, saying they sold stock knowing InfoSpace revenue projections were vastly inflated.

Through it all, faithful shareholders lost their savings. A dollar invested in InfoSpace at its peak five years ago is worth 3 cents today.

InfoSpace today has new managers and a culture that won't tolerate accounting tricks and exaggerations, CEO James Voelker said. The Bellevue company is profitable.

The story of InfoSpace's turmoil emerges now because The Seattle Times won a two-year legal battle to obtain thousands of pages of company records that had been sealed in a local shareholder lawsuit.

The documents, along with scores of interviews, offer a rare look at the insider dealings at what was once the region's biggest dot-com.

Two leaders clash

It was the summer of 2000 and Naveen Jain faced serious problems.

InfoSpace had made a name for itself as one of the few profitable dot-coms. But it relied on a controversial accounting method, used by many dot-coms, to calculate those profits. Known as "pro forma," this method didn't include such one-time expenses as the costs involved in buying a company.

When InfoSpace reported $46 million in pro-forma profits for 2000, for example, the company, by Securities and Exchange Commission accounting standards, had actually lost $282 million.

That summer, InfoSpace was losing money even using pro forma calculations. Jain needed to find revenues to buoy the stock price, then around $50 a share.

An accomplished deal maker, Jain believed he had found a fix: a $1.5 billion merger with Go2Net, a Seattle dot-com that ran Web sites and search engines.

On paper, Go2Net was profitable, plumped up with $426 million in financial backing from Microsoft co-founder Paul Allen's Vulcan Ventures. With Go2Net, Allen and other investors had placed a huge wager on the concept of connecting the masses to the Internet through their cable-ready TVs, using them as a big, interactive computer screen, downloading movies and music, and searching and shopping the Web.

But the merger sparked more problems than it solved.

Jain and Go2Net chief executive Russell Horowitz, then 33, soon developed a personality clash. Jain was boisterous and freewheeling, while Horowitz was pensive and private.

Horowitz thought Jain's claim that InfoSpace would make billions by charging the world's cellphone users monthly fees was misleading. Most cellphones couldn't access the Internet at all; those that could had painfully slow connections. What's more, cellphone users were reluctant to pay for stock quotes and weather reports they could get elsewhere for free.

By the time the companies formally merged on Oct. 12, 2000, Rick Thompson, an executive vice president, expressed contempt for Jain, records show. Thompson had been traveling with Jain to meet with fund managers and analysts, and he was shocked by Jain's extravagant claims about the company's finances and upcoming products, he later said in court documents.

The day after the merger, in a meeting with new president Horowitz, Thompson brought a list of obstacles facing the new InfoSpace. At the top: "Naveen." Others included: "reality versus the smoke," "assume nothing" and "verify everything."

Horowitz quietly put plans in place to keep Jain out of the media.

Skirting the rules

Despite the merger, InfoSpace's share price continued to fall. This alarmed insiders who watched their personal fortunes in InfoSpace stock slipping away.

But since the announcement of the merger, Horowitz, Jain, Alben, Halstead and other top executives were prohibited by federal securities laws from selling more than a minimal amount of their holdings until late January 2001.

By early October, Russ Arun, InfoSpace's chief technology officer, faced a personal financial crisis. In an e-mail to Jain, Arun said his stock-option riches from Microsoft, where he once worked, had been wiped out and he needed $5 million to pay income taxes.

Arun thought that if he quit, he could then sell his stock. But InfoSpace wanted Arun to stay and tried to find a way to enable him to raise the cash.

One idea was to demote Arun so that he was no longer an executive, allow him to sell stock, and later promote him back to his current job. Halstead, chief accounting officer, presented this plan to Larry Hile, a partner at the auditing firm Deloitte & Touche in Seattle.

As InfoSpace's auditor, Hile's job was to serve as a watchdog for the stockholders and to make sure that InfoSpace accurately reported its financial condition.

Listen to the voice mail from Hile to Halstead regarding "demotion by design" of Russ Arun.

In an Oct. 11 voice mail to Halstead, Hile raised concerns about the plan to demote Arun. Would it be a real demotion? Would Arun get paid less than his new boss? They might need to wait a year before giving Arun his old job back.

Hile said he had consulted with Russ Golden, a Deloitte colleague. "This is one that Russ feels is pretty dangerous to do," Hile said in the voice mail. "If we got caught, we could burn."

Gary Zeune, an accounting-fraud expert in Columbus, Ohio, said recently that it is shocking that the auditor was discussing a phony demotion.

"To me, that's clearly illegal. It's securities fraud," Zeune said. "What [Hile] should have said is, 'If you're going to do that, we're not going to be associated with you.' "

Hile later told the company not to carry out the demotion scheme, court documents show.

Hile declined to be interviewed. Deloitte & Touche said recently: "Any suggestion that Deloitte and Mr. Hile agreed to accept anything short of full and complete compliance with the rules is contrary to the evidence and is false."

Heeding Hile's advice, InfoSpace devised a new plan. Without telling its board of directors or seeking its permission, InfoSpace loaned Arun $4 million, allowing him to use his 200,000 InfoSpace shares as collateral. If he stayed for a year, Arun wouldn't have to repay the loan.

In essence "we agreed to buy those 200,000 shares at the current (market price)," Jain later said in an interview.

On Oct. 25, 2000, the newly combined management team faced its first conference call with stock analysts. The call was being broadcast to the public over the Internet. Jain and his managers hoped the analysts would continue to tell investors to buy InfoSpace.

That would be unlikely if the analysts knew the bad news that finance director Garth MacLeod earlier had given Jain and others. The merger was exacerbating revenue problems, he'd said. Revenue for the fourth quarter, expected to be $72 million, was going to fall $15 million to $20 million short.

Optimism in public

Talking with stock analysts could be a delicate dance. Securities law prohibits executives from misleading investors about company finances.

In preparing for the call, InfoSpace executives knew analysts had been asking for more information about its wireless Internet business — the key to the company's future success.

But they couldn't even agree on how much wireless revenue they had. MacLeod told Jain and chief accountant Halstead that wireless revenue made up only 8 percent of revenue.

Halstead disagreed, saying wireless accounted for 13 percent of revenue.

Your number is misleading, MacLeod replied to her by e-mail, because "as we know [it] is inflated by warrant revenue" and one-time startup fees.

Jain picked the higher figure. "I am at ease with our decision and let's roll with it," he said.

During the conference call with analysts, Jain, Horowitz and other InfoSpace executives gave no hint of the fourth-quarter troubles facing the company. The mood was upbeat, transcripts show. In fact, things were going so well, executives said, that the company was increasing its fourth-quarter revenue forecast.

What's more, the company said it was "extremely confident" that annual revenue would soar to $360 million in 2001, up from about $215 million.

Jain appeared on CNN's financial network the next day and bragged: "Our wireless business is on fire!"

"Over a barrel?"

Another insider who wanted to sell stock was chief counsel Ellen Alben. She demanded that Jain demote her to a part-time staff attorney, working 15 hours a week but at full pay, court records show. Once she was no longer an executive, she planned on cashing out her stock.


As InfoSpace's stock tumbled, general counsel Ellen Alben demanded a demotion to part-time staff attorney so she could sell her stock despite trading restrictions, court records show.

Jain was furious with Alben, worried that any future sales would cause trouble at a tricky time for the company.

Joanne Harrell, head of human resources, asked Jain in an Oct. 25 e-mail, "If she knows where all the 'dead bodies are' does she have us over a barrel? Or is it worth a court case with her?"

"Are you saying that we should give in to blackmail?" Jain replied. "Nobody has a sweet deal like her. I will like to sign up a deal like that too, where I work for 15 hours and get full pay. Where do I sign up?"

When Alben announced plans to sell all of her stock later that year, her replacement raised the prospect of suing her. "This would be ugly, however," wrote Ed Belsheim, the new general counsel.

He tried to change Alben's mind but she replied that "she was not going to see her investment reduced to a small amount and she was going to sell," according to Belsheim's account.

Alben made a "veiled threat," saying she was selling because "you don't know what I know," Belsheim noted.

In an interview several months ago, Alben said she stepped down as general counsel because she wasn't interested in working at what was now a big company. She said she sold stock late in the year to reduce her tax bill, not because she saw trouble coming for the company.

"Wanting to sell a whole bunch of shares was not my motivation. If I had wanted to do that, I would have done it well before the closing from the Go2Net merger" when stock prices were higher, she said. Records show she sold $12.5 million in shares before the merger and $1.6 million after.

Alben also said in court records that she believed the trading restrictions no longer applied to her. She had consulted with Larry Hile — the auditor from Deloitte & Touche — and with an outside lawyer about whether an executive at her level could sell InfoSpace stock 30 days after quitting or being demoted. She said they gave her their blessing.

An expert later hired by InfoSpace representatives in a shareholder lawsuit said there was no 30-day rule and concluded that Alben's sale of stock violated securities laws.

Another executive wanted to cash in her stock during the waiting period. In November, according to Jain, Tammy Halstead wanted an "Ellen deal."

Halstead had clashed with Horowitz, company president, who didn't like her accounting methods, according to court records. For example, Halstead credited InfoSpace with $1 million in revenue for services it sold to American Express, but the $1 million actually was a value she assigned to the "exclusivity" of the deal.

Under accounting rules, payments for a service can't be counted as revenue until the service is performed.

Horowitz wanted her fired, records show. But during a heated meeting, Jain and others strongly backed her.

Halstead accepted a demotion to staff accountant in November and soon sold most of her InfoSpace stock, making $627,500, records show. Halstead's lawyer recently said she couldn't comment because she had agreed to confidentiality when settling a shareholder lawsuit. In court records, she said she sold because she needed money for taxes, and left InfoSpace because her future there after the merger was limited.

Pessimism in private

From: Russell Horowitz
To: Naveen Jain, Arun Sarin
Subject: October consolidation distributed
"In looking at Q1, we have some SERIOUS work to do."

From: Jeff Bergstrom
To: Russell Horowitz
Subject: Revenue consolidated
"Pipeline is anemic."

Behind closed doors, Horowitz was sounding alarms about lagging revenue. In an e-mail to Jain and others, he noted that $16 million in revenue was coming from one-time deals that "fall off" at the end of the year.

"In looking at Q1, we have some SERIOUS work to do," Horowitz wrote on Nov. 15, 2000. He warned that InfoSpace needed to come up with another $40 million just to meet the first quarter target of $78 million.

Two weeks later, Horowitz received more bad news from the finance director. For the second and third quarters of 2001, InfoSpace had signed contracts for only one third of the revenue the company had told Wall Street to expect.

As for deals in the works, the "pipeline is anemic," the finance director wrote.

"Analysts vs. INSP Revenue Targets"
InfoSpace chart showing number of contracts signed

Its stock, trading around $11, down from $50 in midsummer, would take a beating if InfoSpace failed to meet its financial promises.

On Dec. 11, 2000, InfoSpace was dealt a blow by the man who once had boosted the company's stock by being its most influential cheerleader.

Famed Internet stock analyst Henry Blodget at the brokerage house Merrill Lynch had been receiving hate e-mail for months from stockbrokers who had followed his strong recommendation to buy InfoSpace stock. The brokers had been getting hit with complaints from angry clients who had lost money on InfoSpace.

Why was he backing InfoSpace so strongly when company insiders were selling so heavily? they asked by e-mail.

Merrill Lynch had made millions as a consultant in the Go2Net merger. But Blodget had lost confidence in InfoSpace, records show. He asked a colleague to remove the stock from the brokerage house's most-favored-stocks list.

From: Henry Blodget
To: Virginia Syer
Subject: FW: Handwritten InfoSpace Annual Report!?!?
"I am so tired of getting these things."

"Can we please reset this stupid price target and rip this piece of junk off whatever list it's on?" he wrote Oct. 20. "If you have to downgrade it, downgrade it."

It took seven weeks, but on Dec. 11, Merrill Lynch downgraded InfoSpace to "accumulate." The decision pummeled the stock, which fell 16 percent that day.

InfoSpace employees, who'd been watching their wealth evaporate for months, were shell-shocked and urged their executives to respond.

"It is difficult to see the NASDAQ ready to take off when we keep tanking and no reaction comes to calm down a growing frustration," one employee wrote Jain.

After internal debate, InfoSpace issued a news release on Dec. 13, saying it expected to meet its fourth-quarter revenue target. It added: "InfoSpace continues to experience momentum across all of our areas of focus, and we remain very confident with the financial guidance we have previously provided."

From: Naveen Jain
To: Dino Christofills
Subject: Updated language
"What's the internal forecast (not that it has any meaning)?"

It was obvious by then that InfoSpace could not meet its target of $360 million for 2001, Jain would later insist. He was in India at the time and said he wasn't involved in the release. Before Dec. 13, however, he and other insiders had seen internal forecasts that indicated the $360 million figure was two to three times greater than it should have been, Jain told lawyers doing a confidential investigation for InfoSpace's directors.

After Horowitz sold $1.4 million of InfoSpace shares on Dec. 15, Jain lashed out. Jain was furious at Horowitz because the sales signaled that insiders didn't believe in their own company and would drive investors to unload their InfoSpace stock.

In court documents, Horowitz said that he didn't know the $360 million forecast needed to be revised until a month after he sold his shares. He contended that the Dec. 13 press release was not about the $360 million figure.

No one in charge

Just after the New Year, executive vice president Thompson pushed his friend Horowitz to take control of InfoSpace, calling in an e-mail for an "insurrection."

"We have to make something happen," Thompson wrote Jan. 4, 2001. "This company has a great opportunity and it is dying of cancer at the same time."

The next day, Thompson lectured Horowitz for his inaction: "When you get pissed off or disillusioned, you sort of disappear. We all [are] starting asking each other, 'You seen Russ? What's he up to?' What we want is for you to rally us and to be our QB and to tell us how to get into the fight and what hill to take."

Instead of taking control, Horowitz quit on Jan. 8, 2001. InfoSpace's board assumed that most of the former Go2Net executives running InfoSpace would bolt as well, and sprang into action.

"He is fed up with InfoSpace's board and with Naveen," Thompson explained in a phone call to InfoSpace Chief Executive Officer Arun Sarin, court records show.

What would it take to keep Horowitz? Sarin asked.

You and Jain would both have to quit, for starters, Thompson replied.

On Jan. 10, Jain and Sarin both quit — leaving no one in charge.

The board tried to get Horowitz to return. He listed several demands, including making Jain personally pay $16 million to an employee investment fund that had tanked.

During negotiations, word spread that Jain was looking at office space in the same Bellevue building to start his own wireless company. His business concept involved micropayment technology — using a cellphone, for instance, to order and pay for a latte at Starbucks and having it ready when the customer walked in the door.

Some within the company were aghast. "There is NO way we can allow this," one manager said in an e-mail. "I think he's trying to do a land grab for one of the most prized [technologies] that we could offer."

Horowitz negotiated with Jain on terms of taking over the company. When they reached an oral agreement, the two men hugged. The board was relieved.

But on Jan. 20, 2001, Horowitz told the board he was quitting for good. He told friends he didn't think InfoSpace could deliver a "clean company" to him, and that Jain, its largest shareholder, would never truly cede power.

The board decided it had no choice but to ask Jain to return and run InfoSpace as chairman and CEO. Thompson could not believe it and lashed out at Jain, telling him "the Board had failed to do its job and had embraced a crook," court records show. Thompson was forced to resign.

On Jan. 22, the InfoSpace directors finally let investors and the public know about Horowitz's resignation and Jain's expanded duties.

In a press release, Horowitz was full of praise: "InfoSpace is exceptionally well positioned for success and I have very much enjoyed working with the strong management team in place."

Jain, his new chief financial officer, Halstead, and others quickly threw aside the $360 million revenue forecast, cutting it to $215 million for 2001.

Horowitz sold all of his InfoSpace stock on Jan. 31, making $33 million. A company investigation later concluded that Horowitz may have illegally sold his stock based on insider information about an impending layoff. Two other executives were also named as possible illegal insider traders.

InfoSpace lawyers could have pursued the matter, which might have resulted in millions of dollars being returned to the company and its shareholders. But they did not, giving as reasons "dirty laundry is aired" and "all the issues become very public," court records show.

Horowitz denies he knew about the layoff.

Founders again

Jain stayed at InfoSpace for two more years. He dumped shares of InfoSpace at rock-bottom prices, once even selling 81,900 shares for $1 each. To the investing public, it sent a message: Jain, worth several hundred million dollars, saw little future in the company.

The board ousted him around Christmas 2002.

Far from Seattle, the office of New York Attorney General Eliot Spitzer already was investigating a complaint from a Queens, N.Y., pediatrician, who had poured $500,000 into InfoSpace and kept it there at Merrill Lynch's urging.

Before long, investigators found that at the same time Blodget was denigrating InfoSpace as a "powder keg" in e-mail, he publicly promoted the stock to help Merrill Lynch's investment bank division, which was getting $10 million to advise on Go2Net's merger with InfoSpace.

The Spitzer inquiry ended in 2003 with 10 of the nation's largest brokerages agreeing to a landmark $1.4 billion settlement. Blodget was fined $4 million and banned for life from Wall Street.

By then Jain had started a new company, Intelius, which provides public-records information on people.

Horowitz also founded a new company, Marchex. It provides online marketing and search services for merchants.

Last April, Horowitz and his directors took Marchex public, making it the first new public Internet company here since the crash five years ago. With the wildly successful public launch of search engine Google, Wall Street watchers suggest that the dot-coms are coming back.

Last month, Marchex raised $222 million in another stock offering. Horowitz's holdings in his new company are now worth about $190 million.

Naveen Jain says when the time is right, he will consider taking Intelius public, too.

David Heath: 206-464-2136 or

Sharon Pian Chan: 206-464-2958 or

Mutual Funds Reveal Clients' Data on Web

Wall Street Journal

Lois Hatten, a 60-year-old widow of a truck driver in Otsego, Mich., was astonished to find out recently that her Individual Retirement Account number was posted on the Internet, along with her name, home address and the approximate number of shares she holds in two mutual funds. Even more surprising is who made the disclosure: her mutual-fund firm, Armada Funds.

In what appears to be a significant privacy breach, some of the nation's leading mutual-fund companies have publicly disclosed similar information about certain of their customers. The postings are readily accessible on a U.S. government Web site, and could leave these individuals vulnerable to identity theft or other crimes.

"I was pretty shocked," said Ms. Hatten, a retired former grocery-store employee, when told by The Wall Street Journal about the posting. "Nobody should know my business."

Among other fund companies that have made some customer account numbers publicly available: Pimco, a unit of German insurance giant Allianz AG; the Dreyfus unit of Mellon Financial Corp.; Bank of America Corp.'s Columbia Funds unit; Nuveen Investments; the First American Funds unit of U.S. Bancorp; AmSouth Bancorp's fund unit, and the CNI Charter fund unit of City National Bank of Los Angeles.

The leaks can be traced, in part, to Securities and Exchange Commission regulations that require fund firms to disclose the name, address and percentage ownership of any owner of more than 5% of a particular class of any mutual fund. The provision is meant to let shareholders know of anybody who might be in position to control or influence the fund.

The disclosures are typically contained in a "Statement of Additional Information" -- a supplement to the fund's prospectus -- and posted on the SEC's Web site. Many fund companies also post the supplements on their own Web sites.

Not-So-Private Equity

The proliferation of mutual funds in recent years, combined with some funds' array of different share classes, means that it sometimes doesn't take much to go over the 5% threshold. Armada lists Ms. Hatten, for example, as owning more than 7% of the "H Class" shares of two funds as of September 2003, even though her holding in each fund at the time was only about $10,000. Armada has since folded the Class H shares into another share class, and doesn't cite Ms. Hatten in its latest filing. But the filing that lists her account number, made in late 2003, is still on the Web.

Kathleen Barr, chief compliance officer at Armada Funds, a unit of the Cleveland-based bank National City Corp., says Armada was unaware of the breach before The Journal discovered it. "This is a big problem industrywide," she says. She adds that Armada now has contacted the customers involved and changed their account numbers, and has no reason to believe any of their accounts were affected. Most other fund firms asked about such inadvertent disclosure agree they made a mistake. "It is not our policy to disclose account numbers," says a spokesman for CNI Charter, which also says it is changing customer account numbers and preparing amended filings.

It's impossible to say how many customers have been affected, because such information is scattered among thousands of regulatory filings, just one of which sometimes runs hundreds of pages. Some filings on the Web list scores of 5% owners. Not all are individuals; some are investment institutions. It appears the majority doesn’t have account numbers attached. Still, there are some recent filings that appear to include account numbers for as many as 18 individual investors, along with their names and addresses.

The leaks come amid broader concern about electronic privacy. Congress earlier this month held hearings on the issue, after breaches of consumer information occurred at ChoicePoint Inc., LexisNexis and Bank of America. ChoicePoint, for instance, sold private data on 145,000 people to criminals posing as legitimate small-business customers, a breach that the people might never have known about but for a California consumer-protection law.

Review of 5% Rule

While the SEC requires disclosure of who holds 5% of any class of a fund and their addresses, "the law does not require brokerage-account numbers" be disclosed, said a spokesman for the agency. He wouldn't comment on individual filings. A person familiar with the SEC said its staff will review whether the 5% rule, first imposed in 1978, might need to be revised as part of a broader look at mutual-fund disclosure issues.

Some industry executives blame a fairly simple mistake: In putting together disclosure statements, fund companies or their outside administrators sometimes pick up account ownership information from a computer database. It often includes the customer's bank, mutual-fund or brokerage-firm account number. At AmSouth, a spokesman blames an "error" by an outside fund administrator for its posting of five account numbers in a recent filing, adding that the firm notified the customers and is taking steps to prevent a recurrence.

Not every fund firm has the problem. Fidelity Investments says it has a policy against including account numbers in such filings. Regions Financial Corp.'s Morgan Keegan fund group says it goes further. It includes only the name, hometown and ownership stake of the customer, omitting the street address and any other identifying data.

Banks and brokerage firms generally say the information listed in the filings wouldn't be enough to compromise a customer's account, because they have several layers of security protection.

Robert Douglas, a former private investigator who has testified before Congress on information privacy, isn't so sure. Armed with the data posted, "realistically and without too much difficulty an unscrupulous person could steal that money," he says.

Mr. Douglas, who heads a consulting firm called, says many identity-theft crimes entail "pretext calling": The fraudster phones a customer-service center and pretends to be an account owner. The more information the caller has about a real account holder, the more likely it is he can convince the customer-service representative that he is that person.

Suppose that "I now know the custodian, the account number, the account holder's address and the name of one security in the account," Mr. Douglas says. Additional persuasive information, such as a Social Security number, can easily be purchased on the Internet. Once a bank, mutual-fund firm or brokerage house is convinced the caller is genuine, Mr. Douglas adds, it's relatively simple to arrange to wire money out of the account.

'Very, Very Disturbed'

That prospect alarms Richard Murphy of West Simsbury, Conn., who was "very, very disturbed" to learn that information about his wife's ownership of a Pimco fund had been posted on the Internet in July, along with similar data for roughly a dozen other people. In addition to Nancy Murphy's name and address, the SEC Web site listed the account number of a family brokerage account that contains other holdings besides the mutual fund.

"Once they know the brokerage-account number, it wouldn't take much more to get into that account and make some transactions," says Mr. Murphy, a 62-year-old actuary. "You wonder why Pimco would consider it appropriate to put it out on the Web site."

A spokesman for Pimco, a big Newport Beach, Calif., firm best known for its bond funds, says the firm "inadvertently" included extra information about customers in a "very small number of cases." He says the firm has reinforced its operational procedures to prevent a recurrence, and has notified the affected investors' representatives.

Scottrade Inc., a discount brokerage firm, says it launched an inquiry after finding out that Pimco had posted a Scottrade account number for one of its customers, a man in Niagara Falls, N.Y. "That seems like the antithesis of any privacy policy," says a Scottrade spokeswoman. "Why have that information out there if it doesn't need to be?"

Scottrade quickly changed the customer's brokerage-account number and password, and doesn't believe the account was tampered with, says the spokeswoman, Kelly Doria.

Many people whose names appear on the lists of 5%-plus holders are surprised they are such big owners. Joe Isaac, a retired U.S. Treasury agent in Jacksonville, Fla., was listed along with his aunt as holding 6.5% of the Class C shares of Columbia Balanced Fund. "I wouldn't think we would own that much of it," says Mr. Isaac. "You're talking about millions of dollars that goes into these funds. I certainly don't have that kind of investment."

A Closer Look

In its December 2004 disclosure, Columbia Funds listed Mr. Isaac's name and address, the number of a brokerage account through which he owns the fund shares and the size of his holding. After being contacted by The Journal, Mr. Isaac said he informed his broker, Wachovia Securities.

"They were really upset," he said, adding that the brokerage firm told him it had begun investigating the matter. He also said it had changed his account number, which Wachovia confirms. Mr. Isaac was among 17 individual holders whose names and what appear to be their account numbers were listed in the filing by Columbia Funds.

Columbia says it is examining its processes to find out what happened. The firm is "committed to preserving customer privacy" and intends to "take additional steps above and beyond general industry practices to fulfill this commitment," says a spokesman, Tom Gariepy. A spokeswoman for Dreyfus funds, meanwhile, says the firm is "currently re-evaluating" the way it provides account identification in its filings, saying the information comes to it from a transfer agent. A U.S. Bancorp spokeswoman says First American officials are still looking into the matter. Finding all affected customers of all mutual funds may be difficult, requiring fund companies and brokerage firms to sort through thousands of filings. And it won't be enough just to scan recent ones. Some of the disclosures were made years ago and remain publicly available. Even if a customer has since sold that mutual fund, he or she may still have an IRA account or brokerage-account number that was listed in the filing.

At Armada Funds, Ms. Barr says, scanning filings "will be a huge endeavor. Every single page will have to be reviewed for that. But it will just have to happen."

Sunday, March 20, 2005

Hot-ticket item for kids: cell phones

Business Week

While some might question why someone so young might need one, and some scientists have expressed health concerns, many young kids are asking their parents for cell phones. And increasingly, they're getting them.

There were two things 11-year-old Patty Wiegner really, really, really wanted for Christmas. One was a furry, playful dog that's now filling her parents' home with the sound of barking. The other gift makes a different kind of noise -- it has a ring tone that mimics rapper 50 Cent's hit song "Candy Shop."

"It's cool and popular," Patty, a sixth-grader in Valrico, Fla., says of her reason for wanting the mobile phone. "And I can talk to my friends and talk to my dad and mom."

Her mom, Lisa Wiegner, wasn't entirely thrilled with the idea but gave in because she likes knowing her daughter can contact her if she needs to. "And," mom says, "I wanted to be able to be in touch with her in an emergency."

Some parents have been prompted to add their kids because their wireless companies offer "family plans," giving them a specified number of minutes to chat with one another each month.

Now, a few other companies are pushing the trend further by creating specific products for "tweens," a population of preteens as young as age 8 that some consider the next big, untapped market of cell phone users.

Firefly Mobile, one company that's developed a cell phone product for younger users, found that about 10 percent of tweens in its focus groups had phones, but that many more wanted them. The company also identified parent interest in a product that would allow them to keep tabs on their kids.

"What the market was telling us is that there's a need for kids to stay in touch with the people who are important to them," says Robin Abrams, Firefly Mobile's CEO.

The Firefly phone, created by a father in Illinois and being launched nationwide in months to come, is smaller than other cell phones, allowing it to fit more easily in a kid's hand. It has simpler buttons, including ones that speed dial "Mom" or "Dad" -- and gives parents more control by giving them password-protected access for programming the numbers the phone can dial and calls it can receive. The Firefly phone also has no games or capabilities for text messaging, a popular function with teens that some parents dislike because it can get expensive -- and distracting.

Meanwhile, Tiger Electronics, a subsidiary of Hasbro Inc., is taking another tack with its CHATNOW two-way radios, which allow communication -- including sending text messages and photos -- within a two-mile range. And toymaker Mattel is coming out with its own Barbie-themed prepaid cell phone.

It remains to be seen whether options like these will be a hit with their target age group.

Some kids say any phone is better than no phone. But others say they think they're old enough to handle a standard cell phone -- and abide by the limits their parents place on calling during expensive weekday hours.

"It shows if you're mature; it's a privilege to get a phone," says Stephanie Beaird, a 12-year-old in Northridge, Calif., who recently got a cell phone after begging her parents for more than a year.

Getting a phone was partly a reward for a very good report card -- but also a matter of convenience for Stephanie's parents, who've used it to find her when picking her up from school and after sporting events.

Seventh-grader Alex Chmielewski's parents have even called his phone to track him down while shopping in the same store. The 13-year-old from Irvine, Calif., got his phone when he was 12, and also carries it with him when he rides his bike to school, something he does often because there is no bus service.

If you have a phone, "some people view it as you're lucky," Alex says. "But I don't just use it for calling friends and stuff like that," he adds. "It gives me a sense of security or safety."

It's already common for kids in parts of Europe and Asia to have cell phones, though British officials have been more cautious, recommending against giving them to children until more research can be done on potential health risks to growing young bodies from the electromagnetic radiation that phones emit.

In this country, Rosemarie Young, president of the National Association of Elementary School Principals, says cell phones are more often an issue in schools in higher-income neighborhoods where students and their parents can afford them.

But increasingly, she says, schools that once had all-out bans on cell phones are allowing them, as long as students keep them turned off during class.

"I don't have a problem with it if parents are clear about the use of it," says Young, who's also an elementary school principal in Louisville, Ky., and has had teachers who've had to confiscate the occasional cell phone from kids who don't follow the rules.

Jennifer Hartstein, a child and adolescent psychologist at Montefiore Medical Center in the Bronx, N.Y., agrees that parents need to stick with limits they place on using the phones.

"The problem is, I'm not sure parents are doing that," says Hartstein, who has a few younger clients with cell phones.

She still thinks cell phones can be a good idea, depending on the kid. "But I also kind of laugh that my parents knew where I was when I didn't have a cell phone," says Hartstein, who's in her 30s. "When I was 8 or 9, we barely had answering machines."

That thought is not lost on Lisa Wiegner, the mother in Florida whose daughter got the dog and cell phone last Christmas. But she says that, so far, Patty has handled having a phone very well.

Her daughter thinks so, too: "I, as a person," Patty says in a grown-up tone, "am very resourceful with my minutes."

Martha Irvine is a national writer specializing in coverage of people in their 20s and younger. She can be reached at mirvine(at)