Will Apple's wonder gadget get more memory? Will it come in different colors? Who cares. A new processor is what it really needs.

Will the iPhone get more flash memory? Will it get new features, like a compass?

Who cares. What the iPhone really needs is a new processor. And there is no sign, yet, that it will get one.

Apple ( AAPL - news - people ) alluded to the problem in March, when it introduced new software for its smart phones. The reason it doesn't run more than one third-party application at a time, Scott Forstall, Apple's vice president for iPhone software development explained, is because such work will drain the battery too quickly.

It's more than just a power-management problem, however. "One of the drawbacks of the iPhone right now is it can only [run] one application at a time," says Will Strauss, president of wireless market research firm Forward Concepts. With a more powerful processor, he adds, the iPhone could run several applications concurrently.

Apple's rivals are already heading down that path. Palm is pushing out a new phone based around Texas Instrument's ( TXN - news - people ) OMAP3430 processor. One of the Pre's key features: the ability to show the user information from more than one application at a time. The software makes it slick, but TI's hardware makes that possible.

Apple, meanwhile, relies on an application processor from Samsung. There are two problems there. For starters, Samsung also sells smart phones, allowing it to give its phones the same capabilities, on paper, as Apple's iPhone. The bigger problem, however, is just about muscle. The relatively dinky processor can't match the TI model's power.

There are several possible solutions. Samsung could build a new processor around the same ARM Cortex-A8 architecture TI uses, or Apple could switch to TI, Strauss suggests. Alternatively, Apple could build a processor of its own, presumably one based on the ARM-architecture, with the chip designers it picked up last year with its acquisition of PA Semi (see "Apple Buys Chip Designer").

There are no signs that Apple is doing that--yet. Then again, if Apple were, it would likely keep such a move a very tightly guarded secret, because it would be the only information about its new phone that would really matter.

The problem with talking about jobs-per-kilowatt hour.

WASHINGTON, D.C.--The details of President-elect Barack Obama's stimulus plan for early next year are not yet drafted, but one thing is clear: Obama wants a lot of the stimulus focused on creating "green jobs."

A supposed benefit of technology like wind power and solar power is that it creates more jobs per kilowatt hour than investments in other industries. So if you want to tackle the environment and unemployment, why not plow money into whichever green technology creates the most jobs per kilowatt hour?

A recent report from the Center for American Progress, the liberal Washington think tank with many of its scholars now helping develop policy for the Obama administration, cites this as one of the most compelling reasons for a "Green Recovery." CAP claims that its $100 billion plan would "create nearly four times more jobs than spending the same amount of money within the oil industry and 300,000 more jobs than a similar amount of spending directed toward household consumption."

The American Wind Energy Association claims it is wind power that creates the most jobs per kilowatt hour. One oft-cited statistic is that there are 27% more jobs per kilowatt-hour from wind than from coal, and 66% more from wind than from natural gas.

Is that true? And does that make it good policy?

"I'm not sure how clearly it's been empirically demonstrated," says Kenneth Green, a resident scholar at the conservative American Enterprise Institute. "To the extent it's true, it illustrates these technologies aren't that efficient."

Green says this focus looks an awful lot like the "broken window fallacy." The fallacy is this: A kid throws a rock through a shopkeeper's window and therefore has helped the economy by creating work for window makers. If he breaks windows every night, he might even create a job for a janitor to clean up the shards.

How Unions Stop The Cars

Big Labor is a big problem for automakers' survival.

With the late-night demise of legislation containing $14 billion in emergency loans to Detroit's automakers, pressure is once again mounting on President Bush to step in. And he is reportedly thinking of doing just that. But the very thing that doomed this legislation will also doom any effort to rescue the industry: union intransigence. If Bush cares more about taxpayers than kudos, he should decline.

The legislation, backed by Sen. Bob Corker, a Tennessee Republican whose state itself is home to GM facilities, was the industry's best hope to return to health. It stripped some of the green baggage of the House bill that would have consigned Detroit to producing not cars that sell but what eco-warriors want. Nor would the legislation have handed quite as expansive powers of micromanagement to a car czar, forcing companies to obtain approval for basic product and capacity decisions.

Instead, it offered the automakers a way to restructure their massive obligations to labor and debtors, much like a bankruptcy court would do but without the stigma. Bondholders would have been required to accept a 70% loss--the remainder paid in stock, not cash. And Big Labor's main concession (besides accepting some stock instead of cash for its health care trust fund) was that it set a definite date for a pay cut next year.

At that time, its wages and benefits would fall in line with those that Nissan (nasdaq: NSANY - news - people ), Toyota (nyse: TM - news - people ) and other automakers pay their U.S. workers.

But the United Auto Workers reacted as if it had been asked to work in a Third World sweat shop and walked away. Sen. Debbie Stabenow, D-Mich., decried efforts to "sock it" to American workers. Never mind that labor costs make every car rolling out of Detroit $1,500 more expensive to produce than foreign cars made elsewhere in the U.S. Indeed, last year, GM and Toyota sold the same number of cars worldwide, but Toyota turned a healthy profit--while GM posted a $40 billion loss.

But the fact of the matter is that the wage cuts are a necessary condition to give Detroit a fighting chance for survival, but they're not sufficient. Indeed, that would require far more from unions.

Car sales next year are expected to drop 40%. This means that if auto companies are going to use any bailout money to restore viability, they will have to be able to shed some of its quarter-million-strong workforce.

However, if the UAW was unwilling to accept a pay cut, there is no reason to believe that it would compliantly accept such massive layoffs. More likely, it will use taxpayer money to keep every job alive as long as possible--and then return for more a few months later.

Beyond job cuts, the UAW will also have to agree to eliminate a whole host of exceedingly rigid work rules for its remaining constituents. Such rules, for instance, had historically made it difficult to train auto workers for multiple jobs to fulfill multiple needs. No less than labor's extravagant wage demands, these rules have crimped Detroit's adaptability.

Ford recently built a facility in Brazil where it can produce five different vehicle platforms at the same time, on the same line. What's more, many of its suppliers are housed in the facility as well, something that allows them to move parts to the assembly line at a moment's notice. Not only has this lowered Ford's production costs and boosted productivity, it has also given it flexibility to adjust its product mix to shifting market conditions. This is important at any time but is especially crucial now, when volatile oil prices are likely to produce abrupt shifts in consumer demand.

But union rules, with their featherbedding requirements and crabbed job descriptions, make it much harder for such a factory-of-the-future to operate in the U.S.

The irony is that foreign car makers are profitable in America--and the Detroit Three are profitable in every country but America. Only Big Labor can position Detroit carmakers for success in their own country. Bush shouldn't ask already-strapped taxpayers to make sacrifices to pull Detroit back from the precipice when its own key stakeholder won't.

Shikha Dalmia is a senior analyst at the Los Angeles-based Reason Foundation. She can be reached at shikha.dalmia@reason.org.

Security Watch: Problems with Penetration Testing

November 6, 2008
By Kenneth van Wyk

• Submit Feedback »
• More by Author »

Penetration testing is as popular as ever, yet it continues to miss the mark. As a means of validating the security of an application system, it fails miserably on several counts.

I continue to find organizations that make extensive use of penetration testing as their primary means of security testing systems before they go live, or periodically while they are in production. There are a myriad of problems with this approach, but I’d like to address one particular here that you likely haven’t considered.

My principal gripe with penetration testing is language. I’ll explain.

Over the years, I’ve seen, reviewed, and participated in hundreds of “pen tests,” and I’ve seen security engineers neglect the issue of language over and over. That is, they fail to adapt to the language of their audience. Ironically, those same engineers can almost always cite one of Sun Tzu’s admonishments: know your enemy as you know yourself and you need not fear the outcome of a thousand battles.

• Email Article
• Print Article
• Comment on this article
• Share Articles
  • Digg
  • del.icio.us
  • Newvine

Why is this such an important issue? Well, consider what the pen test report and its findings are intended to accomplish.

If the pen test is intended is to provide the CIO, IT security manager, or IT manager with visibility into the system’s vulnerabilities, that’s one thing. But if the pen test is intended to help the software developers who wrote the application being tested go and fix their mistakes, then that’s an entirely different thing.

Although these two purposes share the same goal of securing the “system,” they differ significantly in their audience. Not convinced? Consider the following scenario.

The pen test team does their test and finds numerous SQL injection defects in a Web-based application. They deliver their report and the security manager sets up a meeting with the software development team and presents the findings. The security manager delivers a message saying, “SQL injection is bad. Your software contains SQL injection flaws (see here!). Make it stop.”

Related Articles

• Testing SIP Security on a Budget, Part 1
• Does Hardware Matter?
• Software Market: Hurray for More Regulation!
• Tech Future: Change and Risk from Downturn

A perfectly natural human response to this message is to retreat and patch the software to stop that SQL syntax from being injected into the Web application. The developers are likely to write some logic that goes like: if (SQL syntax is present in an input) disallow the input.

Then, the pen test is repeated, the problem is resolved, and everyone is happy. Right? Wrong.

The problem with this approach is that it is almost always a negative model, not a positive one. That is, the programmers will naturally be drawn to checking a “blacklist” of banned SQL syntax, and then disallowing the input. This type of negative validation can invariably be broken by a determined adversary.

Now, consider this alternative approach to the same scenario. Instead of saying “SQL is bad…,” our software-savvy security manager says, “our pen test team uncovered several mutable database queries in your application and were able to exploit them. Since mutable queries can by definition be altered, we’d like you to change your queries to use immutable calls. Java, for example, can do this via an API called PreparedStatement.” (Implemented properly, PreparedStatement or other forms of parameterized SQL queries in languages other than Java, stop SQL injection in its tracks.)

The message here means the same thing as in the first case. The difference, on the other hand, is that the security team is giving the developers actionable guidance in language that makes sense to the developers. It is specific. It tells the developers what to do.

It also requires the security team to understand the software technology they are testing, however. That can make it tough for many security engineers and managers, but it is nonetheless vital to accomplishing the goals of the penetration test. Consider looking for software development skills in your in- or out-sourced pen testing team!

If you want to affect change in the software you’re testing, you need to speak to the software developers, and you need to speak to them in language that is meaningful to them.

That’s not to say there’s anything wrong with a pen test report that has an executive summary or even a list of findings in terms we’re all familiar with today. Vulnerability descriptions, screen shots of successful attacks, and all of these things are useful and meaningful to the security and IT management team. We want and need this information.

But if our message also needs to be sent to the software team who wrote the code we’re testing, then we need to adjust our language significantly. It’s also useful to be aware of and to make use of mechanisms that the developers use, such as bug tracking databases. Security teams possess enormous pools of vulnerability and testing data, but we often fail to get that data into the tracking tools used by the development teams.

I’m convinced of this approach, and I’m convinced it’s a direction we all need to be going. Attackers are increasingly focusing their attention on application-level vulnerabilities. We in the security field have to learn to speak to the application developers in meaningful ways. Don’t just tell them what they’re doing wrong; tell them how to do things right.

By Alexander Mooney
CNN

WASHINGTON (CNN) -- Former President Bill Clinton's international business dealings, global foundation and penchant for going off script could present a significant obstacle to Hillary Clinton becoming secretary of state, observers say.

Bill Clinton's extensive global ties could cause conflict if Hillary Clinton is appointed as secretary of state.

On the one hand, his established relationships with world leaders could instantly make the New York senator a welcome face in embassies around the world.

On the other, his complicated global business interests could present future conflicts of interest that result in unneeded headaches for the incoming commander-in-chief.

"These are issues that I'm sure are being discussed, and they will have to be worked out, and it's legitimate to ask these questions," said James Carville, a former aide to the Clintons and CNN contributor. Watch: Does Clinton

Two officials with President-elect Barack Obama's transition team confirm to CNN that it is investigating Bill Clinton's finances and post-presidential dealings. As part of the early vetting process, the team is looking for any negative information that could throw the prospect of Hillary Clinton as secretary of state into jeopardy.

A particular issue could be the donor list of Bill Clinton's global foundation, which might show connections to international figures who push policies that might conflict with those of the new Obama administration.

Obama last week asked Clinton if she would consider being his secretary of state, multiple sources told CNN. Clinton's response is expected this week.

Since exiting the Oval Office eight years ago, Clinton has reportedly raised more than $500 million for the foundation, a significant portion of which financed the construction of his presidential library. The foundation has also doled out millions for AIDS relief in Africa and other charitable causes around the world.

Amid repeated criticism from Sen. Clinton's primary opponents, Bill Clinton would not reveal the extent of the foundation's donor list earlier this year. But The New York Times has reported the list includes some foreign governments, including members of the Saudi royal family, the king of Morocco, a fund connected to the United Arab Emirates, and the governments of Kuwait and Qatar.

The former president has also reportedly solicited funds from international business figures connected to human rights abuses that his wife has outwardly criticized, including the governments of Kazakhstan and China.

During the New York senator's White House bid, critics repeatedly said that foreign governments and business executives could try to exert influence through donations to the foundation, prompting a pledge from the former president to publicly disclose all future donors.

Observers say the same criticism is likely to be raised should Hillary Clinton become secretary of state, especially if countries she is dealing with on the diplomatic stage have at the same time donated heavily to her husband.

The matter could be complicated even further if it remains unclear exactly which foreign governments are supporting Clinton's foundation and to what extent. On Monday, Politico reported that Obama's team is seeking more information about the former president's finances and is growing frustrated over the Clinton camp's response.

The Obama officials disputed the Politico report, but confirmed the transition team is seeking unspecified records from the former president to get a better handle on issues related to his foundation work and presidential library to try to deal with potential conflicts of interest.

Also at issue is the former president's role in general should his wife become secretary of state. Since leaving office, Bill Clinton has become a globetrotter of sorts, amassing millions in speaking fees as he gives talks before corporations around the world.

The Obama administration would probably seek to curtail that practice amid worries that the former president's words could contradict those of his wife at times and make unclear to some just who is speaking for the United States government. But it's unlikely that Clinton, who has always enjoyed the spotlight, would be willing to retreat from the public eye.

"She really has to sit down with her husband and work through where does this leave him," said David Gergen, a senior political analyst for CNN who worked in Clinton's White House. "After all, he's very deeply involved in the Clinton Global Initiative, doing good around the world. Could he continue to do that? Would he have to shut it down? Could he take money from people? There are lots of secondary questions."

Even more problematic could be the former president's history of going decidedly off message during speeches and his willingness to blatantly speak his mind seemingly without regard for the political fallout.

During her presidential bid last year, Sen. Clinton at times publicly criticized her husband for things he said on the campaign trail, and in one particularly embarrassing moment for the campaign, she told him to "knock it off."

But ultimately, the duty of keeping the former president in check may fall to the New York senator should she assume the top diplomatic post.

"If he doesn't stay on script, she's going to have to discipline him, just like she did in the campaign," said Gloria Borger, a CNN senior political analyst.

"It won't be up to Obama, it will be up to her."