Archive for July, 2010

Column The man who changed Internet security

Saturday, July 31st, 2010

Programming note: As of Friday, July 11, 2008, Defense in Depth will now only carry my weekly column plus additional commentary on the state of computer security. My security news blogs will instead appear under the CNET News Security banner going forward. And my CNET News Security Bites podcasts can be found here. All of these can be subscribed to via RSS.

Another option was to sell the vulnerability to a third party like TippingPoint’s Zero Day Initiative. ZDI acts as the middleman, talking with the vendor and communicating with the researcher. The advantage here is that a researcher with no connections to the affected vendor can communicate the problem clearly.

Finally, as Kaminsky reminded me, there’s the option of selling your vulnerability to the criminal underside of the Internet.

At some point, July 8, 2008, was agreed upon as the date, perhaps because it coincided with Microsoft’s monthly Patch Tuesday. The date was significant in other ways: for example, it fell roughly 30 days before Kaminsky was scheduled to speak at Black Hat in Las Vegas.

What he and others he took into his confidence did over the last few months was not only responsible but extraordinary. The flaw that Kaminsky discovered could allow criminal hackers to guess the transaction ID of any request to a DNS server for a particular domain, such as one used for a bank or an e-commerce site, and then redirect that request to another site, a phishing site. It would do so silently, evading most anti-phishing technology because the change would be made not at the desktop level but at the DNS server itself. Certainly this is big, and certainly one would want to get the news out as soon as possible–but Kaminsky took the time to inform the proper vendors and authorities and, only after they were ready with patches, did he disclose some of what he’d discovered.

In retrospect, Kaminsky confessed that he really should have told more people. He had gone to great pains to inform the DNS community, the specific vendors, and a few researchers. He did so to keep word from getting out.

Dan Kaminsky at DefCon in 2006.

But within hours of making his announcement, Kaminsky faced a chorus of public ridicule by other security researchers, most hearing about the flaw for the very first time. The complaints, at times, trivialized the announcement, with fellow researchers citing that similar claims had been made against DNS 3 to 10 years before or even longer. Some suggested Kaminsky was simply trying to advertise his talk at Black Hat next month.

One was to tell the vendor (or, in this case, vendors) directly. Ari Takanen of Codenomicon told me he prefers that security researchers keep vulnerabilities between them and the vendor. Vendors, Takanen said, have their own development cycles, and for a researcher to burst into a room or go public and demand that everyone work on his or her vulnerability is unrealistic. While Kaminsky was willing to work with the vendors, he wasn’t willing to give them forever.

There have been other multiparty patch releases, but never has there been one on such a massive scale. It took someone with the gravitas and reputation of Kaminsky to pull together the affected parties.

Whether or not Kaminsky knocks the socks off of everyone at Black Hat seems considerably less important than the responsible nature of his disclosure. He could have, as Ptacek notes, made thousands of dollars off this DNS thing. Instead, Kaminsky has set a high mark for future disclosures. He has changed Internet security, and done so for the better of us all.

ZDI has been credited with several vulnerabilities, such as those announced by Apple and Microsoft. Kaminsky has no qualms with those who opt for this method, although he said he didn’t understand why a company would pay for this information. (I know the answer: TippingPoint uses the vulnerability data it purchases to protect its customers first, thereby giving it a competitive advantage in the vulnerability assessment space).

Kaminsky, director of penetration testing at IOActive, is no stranger to vulnerabilities. Over the years he’s found a fair share and says that in the case of the DNS flaw he wasn’t looking for it. In this week’s Security Bites podcast, Kaminsky told me that after three days of testing he knew he had something important. At that point, early in 2008, he had a few options.

Another option for Kaminsky was to go public, to announce the vulnerability and publish details, including an exploit, on, say, Bugtraq. A few researchers have gone this route, but often as a last resort after getting a cold shoulder from the vendor. A few researchers have published flaw details first without contacting anyone, taking both the public and the vendor by surprise. But such moves are unwise since they give the bad guys all the information they need while everyone is vulnerable.

(Credit: Declan McCullagh/CNET News)

That meeting occurred at Microsoft’s Redmond, Wash., headquarters on March 31, 2008. There, representatives from 16 vendors sat down and listened to Kaminsky’s pitch. After deciding this was a real and exploitable problem, the vendors decided they would have little choice but to agree to release their respective patches simultaneously.


While security researcher Dan Kaminsky still won’t comment on the specific nature of a flaw within the Domain Name System–for fear that criminal hackers might exploit it before the worldwide network of name servers and client systems that contact them can be updated–he nonetheless went public on July 8 with some details, backed by simultaneous patch releases from Microsoft, Cisco, and others.

Between March and July, there was considerable back and forth among Kaminsky and the vendors, and then, as the date neared, he decided to share the details with a few others.

With the DNS flaw, Kaminsky was in a very weird position. What he found wrong with DNS, the servers that translate a Web site’s common name to its IP address, wasn’t just within one vendor’s product, it cut across various products, from various vendors. He said he consulted with DNS expert Paul Vixie, and together they decided they had to convene a meeting, and do so within a few weeks of the discovery.

That isn’t to say what Kaminsky did was perfect; he himself admits there are lessons to be learned and improved upon the next time this happens. Whether you agree with the severity of the flaw Kaminsky disclosed last Tuesday, I do think all future vulnerability disclosures could benefit from his example.

Most vocal was Matasano Security researcher Thomas Ptacek, who blogged his doubts. But Kaminsky called Ptacek and he retracted his comments. He now says, “Dan has the goods. Patch now, ask questions later.”

3 reasons why mobile analytics matter

Saturday, July 31st, 2010

3. Rising competition
Distilled, an interest in mobile analytics is a test of the mobile industry slowly and more surely delivering on its promise to be the next paradigmatic information-processing medium. I need only to mention Friday’s hotly anticipated release of the iPhone 3G and rumors of a 3G Android phone for T-Mobile in October as a proof of progress.

(Credit: Opera Software)

A central collection, however, is still absent. Opera’s Odland and AdMob’s Spero agree that ComScore or Nielsen will have to pump up a robust mobile data-gathering service for the industry to really cash in on the numbers. When it does, expect even better hardware, software, and Webware to follow.

The total mobile-ad spend may not amount to much in the grand scheme. VentureBeat, a blog tracking venture capital, cites a “consensus that mobile-advertising market revenues are somewhere between $100 million and $200 million worldwide.” Regardless, it is a sign of growth in an emerging and ever more closely watched market.

(Credit: AdMob)

Who’s keeping score?
The tight knot of engineers, marketers, and entrepreneurs gathered at Mobile Monday certainly validated the importance of analytics, but ownership over those business-changing numbers is much less clear. Opera Software is two months into releasing public reports of its users’ browsing activity after substantially changing the methodology after the first month.

Roughly 150 mobile enthusiasts crowded into a Microsoft conference room on Monday night at the Mobile Monday meeting to discuss mobile analytics, the careful analysis of specific user data to drive big business decisions.

2. More money-making opportunities
Web businesses lean on analytics tools, like Google Analytics, to identify how visitors use their site. Based on the findings, which often point out areas of weakness and strength, companies are able to reposition their site targets to influence user behavior, for instance taking measures to induce repeat visits. In this way, jockeying around with the numbers can result in bigger bucks, especially when talk turns to mobile advertising.

Put simply, where people are, ads are. As the experience of the mobile Web increasingly mirrors the desktop, advertising will follow suit. In fact, it already has. Banner ads, link ads, and revenue sharing with search engines are three ways that cell phones are hooking into the Internet economy.

As an inevitable flood of new users will choose one device family, operator, or platform over another, companies will rely on analytics to edge the competition.

While Web companies have long been interested in kneading numbers, mobile business has its own angle–and its own turf to prove. Here are three reasons why mobile analytics matter.

Opera, Skyfire (beta), and iPhone’s Safari browsers already give surfers the ability to view entire Web sites on their phones, then zoom in where desired. Optimized mobile layouts are still a viewing option, but no longer a necessity. The take-home message is this: As mobile surfers grow steadily in number, cell phone users will make up a larger slice of an ordinary Web site’s total audience.

There is a trend among the companies that have started early, said Jason Spero, vice president of marketing at AdMob, which demonstrated a beta version of its free mobile-analytics tool on Monday night. Ringtones and other entertainment content comprise the largest chunk of mobile advertising, Spero added, along with car ads, TV and movie promos, and ads for well-known consumer brands.

Nielsen Mobile is another scorekeeper that gleans data on consumer behavior, but it does not yet have intimate access to Internet traffic. AdMob takes a third approach, calculating advertising impressions and click-through rates to form a datascape.

1. Greater Internet demand
As mobile technology improves, it comes down to simple math that more people will access the Web from their smartphones more often. It’s widely cited that in developing nations, more people use cell phones to get online than they do PCs. And when they do, suggests Opera’s most recent report on the mobile Web, mobile surfers act just like the desk-bound, using their phones to search, socialize, and access news and entertainment.

Lala.com’s pay-per-stream program faces tough comp

Saturday, July 31st, 2010

(Credit: Lala.com)

So who would pay $0.10 for unlimited rights to stream a particular song? Probably people who are already using the Lala.com digital locker and want a cost-effective way to add new music to it without having to seek it out online or rip it from a CD and then upload it manually.

Lala.com has a history of coming up with innovative ideas that don’t quite conquer the world. The company is best known for its online used-CD trading service, which is an interesting idea but works well only if you have a large list of CDs available to trade.

Lala.com will let you stream any song once at no charge, and an unlimited number of times for $0.10 per song.

Unfortunately, this pay-per-song streaming model occupies a weird space halfway between all-you-can-eat subscription services and the free streaming files available elsewhere. If I’m a hardcore music fan who likes to discover and listen to lots of new music online, I’ll probably subscribe to a service like Rhapsody–one monthly payment gets me streaming access to all the music I want. But if I just want instant gratification–say, for example, I need to hear Iron Maiden’s “Run to the Hills” right now–I can turn to Imeem, or Last.fm, or the Songerize site (which uses the Seeqpod search engine to discover music files all over the Web, then provides a simple embedded player).

It also offers a music “locker” service that allows you to upload your music then listen to it from any computer with an Internet connection…but it only works with MP3 files, so you’re out of luck if you’ve been using (for example) iTunes to rip your CDs to AAC for the last four years. The site was also early to experiment with offering free streaming files, but has apparently shuttered that service because the numbers didn’t work out.

Now the company’s beta-testing another streaming service that lets you select any song to stream once. Then, if you want to stream it again, you can pay a one-time fee of $0.10 and get perpetual streaming rights to it.

Plista Ad-hoc social networks for product recomme

Saturday, July 31st, 2010

(Credit: Plista)

Think of it as Aggregate Knowledge meets MyBlogLog meets Sphere, with a dash of Matchmine (review).

Plista isn’t available yet, but you can sign up for the beta on the site.

By way of example, Matyka showed me Plista working with IMDB. I could rate movies on the site, and once I did, the service would show me other things it thought I would like based on the preferences of other people who liked what I did. What’s cool about Plista is that the recommendation engine works across sites, so it’ll recommend (in theory) books on Amazon based on movies you’ve rated on IMDB. And–also cool–it shows you your ad-hoc network of Plista members who have compatible tastes, so you can explore their recommendations.

Worse, many of the most important sites that Plista would work on–blogs, commerce sites, and databases–already have their own rating systems that Plista would compete with. I don’t see Amazon or Netflix adopting this system, for example.

I like the concept, and I like how easy it is for site managers to implement the system: They don’t have to do anything. Plista does the lifting.

I still like the concept here. Plista lets you rate products and content, gives you a lot in return for your rating activity, and it makes all your rating data yours; it doesn’t lock it away deep in some secret database on the sites you visit.

Plista adds rating features and feedback to several sites.

Unfortunately, I don’t get how this service is going to win wide adoption. There’s a chicken-and-egg problem, for one: Getting a site Plista-enabled is a manual process, and while Plista can create the scripts for major sites, it can’t reach into the long tail to code them all. Plista will need site owners to do some work themselves. And there’s the egg: You can’t use Plista unless you have Greasemonkey installed. While it’s a popular engine for browser modification scripts, it’s not a mainstream add-on, so the potential audience is limited. And who wants to bother coding a site for such a small number of users?

Of the 20 or so demos set out to bake in the afternoon sun on the August Capital patio for the TechCrunch party Friday, my award for the most interesting goes to Plista, a social recommendation service that follows what you like and don’t across sites.

Plista does have a fighting chance, I believe, if it drops the Greasemonkey tactic and instead focuses on developing a way for retailers and content managers to port their rating data to the service, in return for cross-site recommendations and the affiliate revenues that would come with them.

Plista currently uses a Greasemonkey script. Once you install it, when you go to a site in the Plista system–CEO Dominik Matyka told me there are about 30 so far–you’ll find the page has new Plista pieces on it: A rating box on each element at the least, and possibly more content additions too.

Google Reader gets small but smart organizational

Saturday, July 31st, 2010

The other small change that I think was long overdue is the option to sort out subscriptions alphabetically. This is something that’s incredibly useful if you’re monitoring a large quantity of feeds. Even the best organizational system can crumble when your mind’s not working, and simply sorting everything out alphabetically can help with that.

You can now sort out subscriptions alphabetically.

The two changes I want to highlight are the new tagging system and feed subscription sorter.

(Credit: CNET Networks)

You can toggle back and forth between this and your drag-and-drop organization using a small options menu in the bottom left-hand corner of the screen. Still missing from that field is some sort of visual indicator (besides the post count number) that would let you see which feeds you’re completely ignoring–something that must be figured out via the service’s trends menu.

Tags in Reader have been present for feeds and individual stories, but they can now be found when sharing or noting a story in Reader too. Below the text field that lets you personalize a note, you can now add as many comma-separated tags as you want and they’ll show up on the shared item. From an editorial standpoint this means people who may be subscribed to your share feed will be able to better sort out what you’re sending them, either in Reader or whatever other tool that they’re using.

Google just released a handful of small updates for its RSS Reader product that continue to improve some of its organizational capabilities. Included in this update is a more pervasive tagging system, international sharing, a timestamp for the last time a feed was crawled, and an alphabetic sorting system for folders and subscriptions.

Sony Ericsson ready to challenge Nokia’s ‘Comes wi

Saturday, July 31st, 2010

The way it works in the U.K. is, starting in October, consumers there will be able to buy a Nokia 5310 Xpress Music device that will come with a free one-year music subscription to Nokia’s Music Store. With that subscription, Nokia users can download as many songs as they want. And once the subscription ends, they will be able to keep those tracks.

Mobile phone company Sony Ericsson is expected to launch a music service within the next week designed to compete with Nokia’s “Comes with Music” offering, according to recording-industry sources.

“This is the new frontier for a lot of these phone companies,” said Mike McGuire, a digital music analyst. “Clearly Sony Ericsson can’t be ignored. There should be some interesting potential in terms of linkage to other parts of Sony. Maybe you see it tied to the PlayStation or Sony Pictures. It’s a pretty interesting ecosystem…but again, these things always look good on paper.”

Nokia’s strategy is a clear differentiator from other music stores and services. Apple’s iTunes requires users pay for individual songs or albums. Verizon Wireless and RealNetworks have launched the new Rhapsody music store for mobile phones. It also allows subscribers to download and listen to as much music as they like for $15 a month. But once users stop paying the subscription fee, access to the music disappears.

Nokia has deals with three of the four major record labels–Sony BMG, Universal, and Warner Music. It doesn’t yet have a deal with EMI. But it’s expected that EMI will sign on soon.

For the music industry, Comes with Music–which is expected to come to the U.S. sometime soon–is attractive because it’s really a new subscription model.

The sources said Omnifone’s MusicStation is expected to power the service, which may include a music-subscription model. A representative from Omnifone was not immediately available. And a spokesman for Sony Ericsson said the company had nothing to announce at this time and does not comment on rumors.

Nokia attracted gads of attention when it announced it would offer the bundled music phone package a year ago. The company launched the new bundle earlier this month in conjunction with U.K.-based cell phone retailer Carphone Warehouse.

Nokia has no plans to offer extended subscriptions to Comes With Music users. Instead, the only way to get more unlimited music downloads is to upgrade to a new Nokia Comes With Music device. While the 5310 Xpress Music device is the only one selling at the moment, Nokia plans to announce other Comes With Music phones later. Still, the fundamental strategy for Nokia appears to be using the music to sell more devices.

Sony Ericsson’s service is obviously a challenge to Nokia’s highly anticipated Comes with Music service.

CNET News staff writer Marguerite Reardon contributed to this story.

The Sony Ericsson service is being launched in partnership with British firm Omnifone, which provides unlimited music downloads to mobile service providers, according to the sources, who added that all four major recording companies have signed on.

Currently, users can only access the Nokia Music Store in 11 countries: Finland, the U.K., Germany, Ireland, Italy, Netherlands, Singapore, Australia, France, Sweden, and Spain. The company has said it plans to roll out more markets, but it hasn’t said when. Considering that North America is one of Nokia’s most underrepresented markets, it’s unlikely the Nokia Music store will be available in the U.S. anytime soon.

HP to offer printing on MySpace

Saturday, July 31st, 2010

Eventually, MySpace members will be able to create personalized merchandise using the photos. There are about 4 billion images on the site, according to MySpace.

MySpace is integrating HP technology into its Web site so members can print out text and images from their profile pages.

MySpace is partnering with HP to offer the ability for people to print directly from their MySpace profiles, the companies announced on Tuesday.

HP also has made Web-to-print partnerships with Facebook, Flickr and Windows Live Spaces.

The integration, which will roll out in November, will allow members of the social network to click on an HP-branded “click to print” icon to print out their photos, blog entries, comments, and messages.

(Credit: HP/MySpace)

Oracle names new chief financial officer

Saturday, July 31st, 2010

Epstein, the former CFO of Oberon Media, will join the database and enterprise software applications vendor on September 8. Epstein will replace Safra Catz, who will remain an Oracle co-president and board director.

Epstein will report to Catz and assume responsibility for finance, the controller’s office, finance operations, tax, treasury, real estate, investor relations, audit, and customer leasing.

Catz is returning to the co-president’s role full-time, after a nearly three-year run as Oracle’s CFO and co-president. She assumed the CFO role after former Microsoft executive Greg Maffei abruptly resigned from the post after a brief four months.

Maffei left Oracle in November 2005 to take a CEO post at Liberty Media. He had earlier replaced Oracle CFO Harry You, who resigned after a nine-month stint to join BearingPoint as its CEO.

Oracle named Jeffrey Epstein as its new chief financial officer on Wednesday, marking its fourth CFO since its long-time bean counter Jeff Henley retired from that post four years ago.

In naming Epstein as its new CFO, the company’s founder, Larry Ellison, said in a statement: “Jeff’s expertise in global operations and finance will further strengthen Oracle’s senior management team…We look forward to having him join us as our new CFO.”

AMD quitting handheld, TV chips amid more losses

Saturday, July 31st, 2010

With Intel looking very solid, it’s going to be a crucial six months for AMD CEO Hector Ruiz and his executives if they want to remain employed by the company in 2009. Despite getting its much-delayed Barcelona processor shipping in volume to customers and launching a new notebook processor without incident–not to mention a relatively healthy PC market–AMD still managed to lose money.

The company announced along with the release of its second-quarter earnings results Thursday that it is getting out of the handheld and digital television businesses. As has been the case for the last several quarters, AMD is continuing to lose bucketloads of money: $1.2 billion this time around.

The $1.2 billion isn’t as bad as it looks at first glance, but it’s still pretty bad. In order to get out of the business of making graphics chips for handhelds and digital TV processors, AMD has to take a one-time charge of $876 million, which accounts for the majority of the loss.

But even with the one-time charges out of the way, AMD lost $269 million on “continuing operations,” such as its processor and graphics businesses. That’s a little better than last year’s loss of $531 million from those businesses, but AMD still has plenty of work turning itself into a profitable company in the second half of the year, its stated goal.

AMD continues to stumble through another down year.

The charge relates to the amount of goodwill attached to the company’s $5.4 billion purchase of ATI Technologies in 2006: goodwill is an accounting term that, in this case, stands for “the amount by which we overpaid.” AMD attached $3.2 billion in goodwill to the ATI merger, and has now written $2.5 billion of that goodwill off its balance sheet with the divestiture of the former ATI’s consumer chip business.

Electric-car race could strain lithium battery sup

Saturday, July 31st, 2010

In addition, further exploitation of the world’s largest salt flat, the Salar de Atacama in Chile, and the development of new sites, such as the large reserves in Bolivia, would cause substantial damage to those ecosystems, Tahil and the USGS’s Jaskula said.

General Electric recently assigned a research scientist the full-time job of studying sources of materials that are critical to GE, which is investing heavily in battery technologies for transportation and grid storage.

Today, lithium is extracted from dried salt ponds or “salt flats.” A briny liquid underneath the surface is pumped out and dried in the sun. The dried material can be made into lithium carbonate, which is later processed to make lithium.

“Prices in the last couple of years have slowly gone up,” Jaskula said. “But if the Chevy Volt and other cars like that become a big raging success and the demand really increases but supply doesn’t keep up, then the price will go up obviously.”

Because lithium is a commodity like oil, the same economics apply, said Ripu Malhotra, associate director at the chemical science and technology laboratory at SRI International.

He concluded that lithium supply will be absorbed largely by the fast-growing consumer electronics industry and that increased demand for lithium production will worsen relations between the U.S. and Latin America.

Limits of mineral supplies lead to higher prices and an incentive to accumulate bigger reserves, he said. And the higher prices will spur investment in new extraction technologies from unconventional sources. For example, the price of corn shot up to meet a surge in ethanol demand. Now, producers are developing methods to use alternative feedstocks, like wood chips and grasses.

“You can solve the transportation problem but end up creating an equally vexing commodity problem,” said Matthew Nordan, president of emerging technology consulting firm Lux Research. “It’s a big concern.”

“The ability to supply batteries, including the raw materials, from a national security standpoint is a valid question which we should be posing. I don’t know the answer,” said Glen Merfeld, manager of the Chemical Energy Systems Laboratory at GE Research.

Lithium ion batteries–the same used in electronic gadgets and laptops–have become the preferred battery type for plug-in hybrids and electric cars now starting to come to market.

There are widely divergent views on whether the existing producers of lithium–most located in South America and China–can keep pace with an onrush of hundreds of thousands or millions of new plug-in hybrid cars in the next few years.

The headlong rush to create electric cars for green-minded consumers may come with a significant economic and environmental cost.

“The point is that electric cars are supposed to be environmentally friendly cars and there are many other materials such as zinc and iron…which don’t require any more environmental degradation than has already been done,” Tahil said in an interview.

Longer term, though, the picture is less clear. Batteries for cars are expensive, which is the biggest reason that plug-in electric cars cost more.

The results of Tahil’s studies are disputed. Geologist R. Keith Evan, for one, calculated worldwide reserves and concluded there is an abundance of lithium to meet electric-car demand.

Eye on South America

Today, Toyota’s Prius hybrid electric cars have nickel-metal hydride batteries. Because of improvements in weight and storage in lithium ion batteries, though, a number of auto manufacturers will be using them in plug-in hybrids expected to come to market in the next two years.

(Credit: NASA)

Commodity rules apply

For economic reasons alone, some businesses are taking a strategic approach to effectively sourcing materials, like lithium, for alternative energy technologies.

Financial analyst Craig Irwin, who is vice president of energy storage and energy efficiency at Merriman Curhan Ford, indicated that projected lithium supply has not dampened enthusiasm for the technology. He noted that lithium can also be extracted from different materials, including the mineral spodumene.

That swelling demand has some industry observers concerned that there will be a shortage of the metal lithium, the material used to make the batteries.

With continued 25 percent yearly growth in portable electronics, there would only be enough lithium carbonate for 1.5 million Chevy Volt-type vehicles by 2015 with “optimum production increases,” according to Tahil.

“These are brand new markets. If it truly becomes a limiting factor, prices go up and we find new sources of material or ways to recycle the material,” SRI International’s Heydorn said.

Better Place, for example, plans to install battery-charging stations in Israel, Denmark, and Australia to jump-start a rapid transition to electric cars. But a lithium shortage will mean its ambitious plans would need to be scaled back, according to Nordan.

GE was caught “behind the curve” when one material used in its aircraft engines shot up in price, so it’s now looking for other “pinch points,” said Mark Little, director of GE’s research labs.

Energy and transportation consultant William Tahil of Meridian International Research last year rekindled the supply debate in a paper, which was followed by another paper (PDF) issued in May.

Other examples include indium, a material used in a new generation of low-cost CIGS solar cells, and coatings on solar panels, Day said. And for several years, researchers have sought to come up with an alternative material for expensive platinum, which is used as a catalyst in fuel cells, noted Barbara Heydorn, who is director at the center of excellence in energy at science research nonprofit SRI International.

Speaking at a recent conference, Project Better Place co-founder and adviser Andrey Zarur acknowledged that the company is “betting big time” that recycling technologies and alternatives to lithium ion batteries will emerge in the coming years.

“In all these newfangled clean technology applications, quite often the ones that appear to have strong growth potential face a challenge in that they are reliant on some material that has been in short use to date,” said clean-tech venture capitalist Rob Day, a partner at @Ventures. “Possibly, they don’t have enough supply to fulfill (growth) requirements.”

“There’s a flowering of interest in battery technologies with abundant materials,” Nordan said. “Abundant materials are the words of the day.”

Lithium ion car battery-pack suppliers themselves will have plenty of business in the years to come if sales come close to projections. But that growth will affect commodity prices, Nordan predicts. It’s also leading to stepped-up research into alternative battery chemistries, such as nickel-metal hydride variants, zinc air, and magnesium.

Whether or not a global run on lithium pans out as projected by the worriers, the situation highlights an underappreciated risk when it comes to alternative energy, namely securing supplies of natural resources. In other words, if some green technologies are successful in displacing fossil fuels, there could be shortages of materials that most people never heard of before.

General Motors, for example, plans to use lithium ion batteries for the Volt and the Saturn Vue plug-in hybrid, both of which are expected in late 2010. Toyota, too, is planning cars with lithium ion batteries, but it is said to be researching zinc air batteries for vehicles as well.

Tahil counters that the total inventory of lithium does not reflect the increased mining cost of getting lithium from sources other than lithium carbonate.

“There are two highly polarized camps,” Irwin said. “The processing technology (for spodumene) is not entirely mature yet, but I don’t think it’s an insurmountable challenge.”

The white patch on the bottom of this NASA satellite image shows the Salar of Uyuni in Bolivia, considered a significant but unexploited deposit of lithium. Lake Titicaca is the large body of water to the north.

Representatives from lithium ion battery maker EnerDel did not respond to a request for comment before publication. Another well-regarded lithium ion battery company, A123 Systems, declined to comment because it is in a quiet period before its planned public offering.

In the short term, auto companies will be able to bring plug-in hybrid cars to market as planned in the next few years. Production of lithium has increased since the 1990s to meet the demand for batteries in power tools and consumer electronics, said Brian Jaskula, the lithium mineral commodity specialist at the U.S. Geological Survey. Prices over the past few years have increased steadily as well, he said.