After years of trying to combat the scourge through e-mail filters, blacklists, lawsuits and criminal charges, the spam tide finally turned this week (the fascinating story was first reported by Brian Krebs of the Washington Post). Internet security firms say that the volume of unsolicited e-mail has dropped markedly, somewhere in the neighborhood of 66%, in the past few days. As Joseph Menn explains in today's L.A. Times story about the spam decline:

The surprising respite had very little to do with the hundreds of millions of dollars that corporations and consumers have spent on anti-spam software or with the lawsuits and criminal cases brought against spammers in the last decade.

Instead, a ragtag band of researchers pulled off the unprecedented coup of drastically cutting the spam volume by adopting a new strategy: going after mainstream U.S. companies that can unknowingly help spammers, identity thieves and child porn purveyors by carrying their traffic on the Internet.

Researchers don't expect the slowdown to last. But this latest success has given hope to those who fight on behalf of our inboxes. Read Menn's full story for more details about how they slowed the spammers and how the e-mail cops may try to protect us in the future.

-- Chris Gaither

Read the full story for details on why there has been such a rift between the public and private sectors over Internet security and what experts say the next president should do to tackle the problem.

-- Joseph Menn

The solution fits in your pocket.

Eight of the 10 biggest U.S. banks now provide at least basic services on cellphones, allowing account holders to check their balances by tapping away on their tiny keypads.

Millions of U.S. consumers have signed up for mobile banking as those services grow increasingly useful. Depending on your bank, your phone and your wireless plan, you might be able to approve bill payments, transfer money and receive alerts when balances get low, all while riding the bus.

"Most consumers aren't aware that it's out there yet, but the day is coming," said Mark Schwanhausser, an analyst with Javelin Strategy & Research in Pleasanton, Calif. "Phones are ever-ready, always on and always with you, and you can't match that with a computer."

Read the full mobile-banking story for more details about which banks offer which services, and where this all is heading.

-- Joseph Menn

Illustration: Doug Ross / For the Times

The nonprofit Identity Theft Resource Center, which compiles a list of incidents from media reports, privacy websites and official outlets, said this year's running total passed the 2007 mark of 446 on Friday, with more than four months to go.

Lucky No. 447 was Alaska Airlines. The center's co-founder, Linda Foley, said an airline insider had been accused of misusing payment card data supplied by customers. The matter came to light in a letter from the airline to the New Hampshire attorney general.

Of course, the real number of breaches is much higher. Many go unreported, and the ITRC counts only once some breaches that hit multiple sets of people.

For example, the May theft of computer equipment containing under-protected sensitive data from Colt Express Outsourcing Services Inc. counts as one breach. But letters sent to employees of various Colt clients, and to officials in states requiring notification when residents could be affected, reveal that workers at 20 employers have data at risk.

Among the companies whose staffers have been exposed by the Colt break-in in Walnut Creek, Calif.: Google, Bebe Stores, Alston & Bird, and the California Bankers Assn.

Attempts to reach Colt on Friday were unsuccessful, and the company's website is nearly empty.

"They disappeared off the face of the earth," Foley said. "I think I would too."

-- Joseph Menn

Photo illustration by Mikey G. Ottawa via Flickr

-- Speaking of grand theft, the gaming industry has suddenly upgraded its weaponry and attacked file sharing in the U.K., threatening to sue 25,000 people it's accusing of peer-to-peer piracy. TimesOnline

-- One day soon, you will be able to cut-and-paste text on your iPhone! Probably! CNet

-- Palm (remember Palm?) has a newer and better not-an-iPhone. TechCrunch

-- The economy hasn't slowed Hewlett-Packard's growth, much. LAT

-- Yeah, you have to pay for checking a single bag, but American Airlines is letting you surf the Web, on some routes, for $12.95 a flight! Or so it was said -- the 9 a.m. live in-flight update from a blogger hasn't materialized yet. CrunchGear

-- The chief executive of British bank HBOS has account looted by identity thefters. The Register

-- Verified Identity Pass, Steve Brill's plan to speed people through airport security without them having to be O.J. Simpson, raises $44 million more in funding, recently stolen database or no. Silicon Alley Insider

-- EBay changes its selling fees again, and EBay sellers are upset again. AP via LAT

-- Joseph Menn

Photo: Grand Theft Auto's protagonist. Credit: Take-Two

Both men had been on a slate of candidates for the board Icahn put forward after Yahoo failed to sell itself to Microsoft. After it became likely that Icahn wouldn't win enough shareholder votes to get control of the board, he accepted a compromise that gave him one seat and Yahoo's pick of his allies two more.

"Frank's extensive experience in the entertainment and media industries, combined with John's deep management experience in telecommunications, will provide valuable perspectives to our already diverse board," Yahoo Chairman Roy Bostock said in a prepared statement. "We look forward to working with them as our board continues its ongoing efforts to enhance stockholder value."

Biondi was CEO of Universal Studios between 1996 and 1998; before that, he spent more than eight years as CEO of Viacom. Chapple was CEO of Nextel Partners from 1998 until 2006, when Sprint bought the company.

Former AOL Chief CEO Jonathan Miller, an ally of both Icahn and Yahoo CEO Jerry Yang, had been seen as a shoo-in for the board. But Miller's candidacy was derailed when AOL parent Time Warner invoked the noncompete clause he had signed.

-- Joseph Menn

Photo: Frank Biondi. Credit: Sam Mircovich / Reuters

The Russian government denies responsibility, and it got some reputable defenders today. The ShadowServer Foundation, a nonprofit group that tracks criminal activity on the Net, said that ordinary Russian citizens were helping attack the Georgian government websites with the aid of programs distributed through friendly sites. Top security expert Gadi Evron went further, saying all of the blame might lie with a bunch of kids.

The most discussed of the recent technological assaults have been denial-of-service attacks that overwhelmed the government sites with constant requests for information and rendered them unavailable to people in Georgia seeking information. Researchers in touch with network administrators in Georgia said a lot of the malicious traffic has been coming from servers controlled by the Russian Business Network, a notorious group out of St. Petersburg that has been linked to child pornography and major phishing and identity-theft scams.

Some researchers have pointed out, correctly, that the Russian Business Network is not the Russian government. In fact, some say the network is just a hosting company that specializes in having criminal clients. Anyone can use its resources, the argument goes.

But researcher Don Jackson of SecureWorks has devoted a fair amount of time to the question, and in an interview he made a convincing argument that the Russian government, despite its denials, is indeed involved.

To begin with, whether the Russian Business Network is a major organization or merely a helper for a variety of other groups is beside the point. Criminals pay the bills: It is a criminal outfit.

On the main issue, the computers issuing commands to the computers that are, in turn, attacking Georgian sites aren't all on Russian Business Network servers. Some are better-hidden but reside on Internet addresses belonging to state-owned telecommunications companies in Russia. Both are using MachBot, which is a software attack tool favored by Russian Business Network clients.

And it's not just denial-of-service attacks: People are also infiltrating Georgia's government networks to steal information, and websites are being defaced with propaganda.

Most crucially, there is the question of where and when. Many of the most serious attacks began just as the tanks began to roll, although the networks had been set up beforehand. And the choice of targets is especially telling. Official sites in Gori, along with local news sites, were shut down by denial-of-service attacks before the Russian planes got there.

"How did they know that they were going to drop bombs on Gori and not the capital?" Jackson asked. "I would say that from what I've seen firsthand, there was at some level actual coordination and/or direction [by the Russian government], especially in regard to the timing and the targets of some of the attacks."

-- Joseph Menn

Image: A Georgia government site that was hacked and defaced with pro-Russian images. Courtesy of SecureWorks

-- Apple

-- No really, Apple is really actually on fire! CNet

-- Yahoo is close to naming ex-Viacom chief Frank Biondi and ex-Nextel Partners chief John Chapple as the remaining Carl Icahn-approved board members. WSJ

-- Georgia government websites are still being attacked from Russian servers, and they were under attack well before the shooting started. NYT

-- And if it's not the Russians or organized crime or both, then maybe it's kids. CNet

-- Many Apple users can't watch clips of the Olympics. Thanks, Microsoft and NBC! Web Scout

-- Facebook platform marketer Benjamin Ling is leaving the company for parts unknown, suggesting turmoil. VentureBeat

-- Yahoo will now let anybody write programs that take advantage of your physical location. ReadWriteWeb

-- L.A.-based TV ad agency Spot Runner is reorganizing, laying off 50 but hiring as well. PaidContent

-- Networking equipment maker Brocade Communications scoffs at alleged recession, tops earnings estimates. Associated Press via CNN

-- Joseph Menn

Photo: peasap via Flickr

We have already pointed out that identity thieves have a pretty wide-open field on MySpace, Facebook and their ilk. Scammers find it fairly easy to pretend to be someone real, either by creating a profile page or by taking over an existing one. When they send messages to "friends" on the sites, they are far more apt than with ordinary spam to get victims to click on a link that installs password-stealing keyloggers.

Today, security firm Sophos warned that bad guys are writing on Facebook users' comment walls, urging them to watch a video that appears to be hosted by Google. But the displayed link actually asks users to download a program that surreptitiously opens a back door into their computers. Similar scams ...

... have been used to turn PCs into zombies for sending spam.

"People have got to learn that clicking on links in messages to websites can lead to a malware infection, whether the messages are in your e-mail or on a site like Facebook," said Graham Cluley of Sophos.

The other reminder came in the form of a presentation by researchers at Black Hat, the Las Vegas convention devoted to tech security.

Shawn Moyer and Nathan Hamiel showed they could include invisible code in a comment on someone's MySpace profile page that would log the recipient out of the site as soon as they viewed it. More impressive: They sent a similar mini-program in a comment that forced someone to become their friend.

Malicious applications, even those that initially appear innocent, also have an enormous amount of power over users' information, and they can attack other applications or the users' friends.

The hackers' friendly advice: Social networking sites need to reduce the range of activities that applications are allowed to perform. And they need to block links to external content, or at least do much more to ensure that such content is both of a specific type -- such as a photo -- and at a trusted place, such as Flickr or Photobucket.

Facebook and MySpace didn't immediately respond to requests for comment.

-- Joseph Menn

Speaking to hundreds of technology security professionals and enthusiasts at the annual Black Hat conference in Las Vegas, Kaminsky said that a majority of the Fortune 500 have protected their machines with a series of fixes developed in secret since March.

Kaminsky coordinated an industry-wide effort that brought out patches from Microsoft, Cisco, Sun Microsystems and other major technology vendors, and customers began applying them after he issued a public warning a month ago.

The hole lies in the Domain Name System, which steers Internet users seeking a site by title, such as www.google.com, to a numerical address. Kaminsky showed today how hackers could corrupt the process, taking users to an imitation site that could install malicious programs.

He called the problem the worst discovered since 1997. The standing-room only crowd gave Kaminsky two ovations, in part for the technical significance of the find and in part for his handling of the crisis. Microsoft, Google, Yahoo, Facebook, MySpace, EBay and many Internet service providers have secured their machines.

"We got lucky with this bug," Kaminsky said in his talk, saying other profound flaws are lurking that will be just as hard to resolve. "We have to have disaster-recovery planning. The 90-days-to-fix-it thing isn't going to fly."

Kaminsky also showed how the flaw could be used to attack places that some professionals had believed immune.

The Secure Sockets Layer, signified by "https://" at the beginning of a website address, could be circumvented, as one example. Impostors could fool the authentication companies, such as Verisign, and so get an approved digital certificate shown to site visitors, though Kaminsky said those companies have revamped their procedures. A large number of firms simply sign their own certificates, which an impostor could do, without dissuading consumers from continuing.

"Everywhere you look, SSL shoots itself in the face," Kaminsky said.

Corporate firewalls can likewise be thwarted through computers connecting to outside partners, such as payment processors.

Other scary scenarios include intercepted and manipulated e-mail coming from trusted parties and the fact that automatic software updates, which are a key way to get security fixes installed automatically, can easily be hijacked.

There are so many different ways for malicious actors to try to use the flaw that Kaminsky said it marked the start of a new era of hacking.

"DNS is the Achilles' heel of the Internet," agreed Joris Evers, a spokesman for security company McAfee Inc. "There's a lot of attention that's been focused on this -- and that's good."

In an interview, Kaminsky said that more than 120 million home broadband users have already been protected, and that workplace systems might be more at risk. Some attacks have already occurred, and Kaminsky said he was most worried about the tens of millions of sites that have a link to click on if users forget their passwords. A hacker could pretend to be specific users and get the passwords sent to them.

Ordinary computer users can't do much to patch their own machines, though they can prod their employers or Internet service providers to act. They can check to see if patches have been applied by visiting www.doxpara.com and clicking on "Check my DNS."

-- Joseph Menn

Black Hat company logo from richardmasoner via Flickr; photo of Kaminsky courtesy of the subject.

The ring is accused of driving past retailers and restaurants with wireless equipment, looking for ways into the corporate wireless networks. Once inside, they planted "sniffers" to capture credit card and debit card information as it was being transmitted internally, according to indictments in Boston and San Diego.

A three-year undercover investigation turned up records on 41 million people stored on computers in Eastern Europe. Tens of millions of dollars were lost as the perpetrators created new bank cards with stolen data and then made withdrawals from ATM machines.

U.S. Atty. Gen. Michael Mukasey and other officials said the ring was led by a Secret Service informant who functioned as a triple agent, warning suspects of ongoing probes. Albert Gonzalez of Miami faces a maximum penalty of life in prison.

Also charged were residents of Ukraine, Estonia and China, underscoring the increasing globalization of cyber-crime.

-- Joseph Menn

Photo: Atty. Gen. Michael Mukasey. Credit: Gerald Herbert / Associated Press

-- The technology press continues to chat about Microsoft's leaked plan for a non-Windows operating system that could operate as a service. This account is more intelligible than most. PC Pro via Slashdot.

-- Motorola names a CEO from Qualcomm for its soon-to-be-spun devices business. MocoNews 

-- Google's Blogger service mistakenly blocks bloggers from blogging, deepening a quality-perception problem among the blogoisie. The Register

-- After Apple, the deluge: The booming demand for downloading iPhone applications is forcing carriers to allow far more flexibility in what customers can put on their cellphones. NYT

-- Microsoft's attempt to blame consumers for the failings of Vista continues to rankle the tech-savvy. NYT

-- Linux is coming to more cellphones, courtesy of someone other Google. Stop the insanity! RCR Wireless

-- Social.FM, nee Mercora, goes to that place in the sky already crowded with companies that tried to make money from free music. GigaOm

-- Does McCain's failure to compute mean anything? NYT

-- Joseph Menn

Photo: Time Warner CEO Jeff Bewkes. Credit: Noah Berger / Bloomberg News

The letter (download a Word document here) from the senior Democrats and Republicans on the House Energy and Commerce Committee to AT&T, Comcast, AOL and 30 others follows a July hearing and their grilling of Embarq, a Kansas-based service provider that has tested personalized data collection. Among those getting letters were top search companies Google, Yahoo and Microsoft.

Embarq used software from a Silicon Valley start-up, NebuAd, as have other ISPs. One of the larger clients, Charter, dropped NebuAd under the glare of congressional scrutiny. It's unclear how many other ISPs engage in similar profiling with the massive data they have on hand. Historically, ad networks have done most of the spying aimed at targeting ads to consumers. But they have far less information than the people who provide the basic pipes for all Internet communications.

"The committee is interested in learning how pervasive this practice is among cable, phone and Internet companies, what safeguards are in place to ensure that consumers are aware of the practice and how best to preserve their privacy," Rep. John D. Dingell, a Michigan Democrat who is chairman of the committee, said in a written statement.

The committee is officially trying to learn if any of the targeting practices violate wiretapping and other anti-snooping laws. But the sheer exposure of what might otherwise be relegated to the fine print in user agreements might be enough to convince many more ISPs to drop their projects.

-- Joseph Menn

Photo: An actual watchdog on duty. Credit: fergie_lancealot via Flickr

--

-- Nintendo profits jump by a third as Wii console sales soar 74% in the U.S. Wheee! indeed. WSJ

-- Dell mulls sub-$100 digital-music player, again. CNet

-- How scary is the recently discovered DNS Internet vulnerability? One of the first experts to disclose how it works just had his own company compromised. Network World via Slashdot

-- Speaking of which: 41% of the Web remains at risk. Did we mention that exploit code has already been published? NYT

-- A U.K. hacker has lost his appeal to avoid extradition to the U.S. to face charges that he broke into Defense Department and NASA computers. Looks like he will get to explain his alleged quest for information on UFO sightings to judges here. AP via CNN

-- You know how you should keep a land line phone for emergencies, when cellphone networks get overloaded? Actually, land lines got creamed by yesterday's L.A. earthquake, too. LAT

-- MySpace appoints new executives, asserts everything is grand. TechCrunch

-- More women than men are on social networks, at least until men figure this out. ReadWriteWeb

-- Joseph Menn

Photo: Italian Prime Minister Silvio Berlusconi, who controls Mediaset. Credit: Plinio Lepri / Associated Press

Probably none has made quite so big a belly-flop splash as LifeLock, the service that slaps fraud alerts on your files at the three major credit bureaus, and perhaps commits fraud in order to do so.

LifeLock has advertised heavily and claims to be doing great, despite the little flap over the fact the company's co-founder was jailed on fraud charges earlier in his career and barred from the credit-repair business. Oh, and then there's the attention-grabbing bit by the company CEO, who fearlessly published his own Social Security number only to see it promptly stolen and used for fraud.

Other, quieter companies have the same basic approach, assisting clients by putting fraud alerts on files and then renewing them as they expire every 90 days. The alerts tell businesses they had better get in touch with you before issuing any new credit to someone using your name. LifeLock, Trusted ID and the rest typically charge about $100 a year, although you could do the same thing yourself for free.

Debix, however, does more, and does it for less. The company just dropped its price to $24 a year, and it puts a different phone number on the fraud alerts, so that potential creditors call Debix, and Debix tracks you down. Voice samples and secret codes round out the set-up; early reviews are enthusiastic.

While we're on the subject though, please know two things. First, you can do a whole lot for $0, including getting your own credit reports and putting a freeze on them so no new creditors can peek, making them highly unlikely to issue credit in your name.

Second, none of these systems prevents all types of identity fraud. A truly helpful rundown of how all this stuff works, and what questions to ask those peddling anti-ID theft services, has just been released by the nonprofit Privacy Rights Clearinghouse.

-- Joseph Menn

Photo: LifeLock co-founder Robert Maynard Jr. Credit: Courtesy of Wired

Microsoft said today it will bring its Web search ads to the popular social networking site by year's end, extending a partnership between the two companies.

Microsoft, which owns a small stake in Facebook, already has an exclusive agreement to deliver banner ads on Facebook pages.

It's unclear if the deal will be exclusive. But it's yet another move from Microsoft against its arch nemesis and search market leader Google.

The deal is only in the U.S., Facebook says. Facebook has yet to work out the details of how it will display Web search on its site.

"Facebook is working with Microsoft to design the best search experience for Facebook's users and advertisers," a spokesman said in an e-mail.

Microsoft outmaneuvered Google to buy a 1.6% stake in Facebook for $240 million in October. It also struck an advertising deal.

The expansion of that deal was announced during a meeting at Microsoft's Redmond, Wash., headquarters, attended by our intrepid Microsoft reporter Joseph Menn. The announcement comes as Chief Executive Steve Ballmer argues that Microsoft must continue to focus on search despite collapsed talks to buy Yahoo.

-- Jessica Guynn

Photo: Facebook founder and Chief Executive Mark Zuckerberg. Credit: Paul Sakuma / Associated Press

Speaking during Microsoft's annual presentation to investors and Wall Street analysts, Ballmer said the company wasn't currently talking about a deal with Yahoo to combine forces against Google.

"Does that mean that nobody will ever talk to anybody again? I suspect the answer is no," Ballmer said in remarks at the company campus in Redmond, Wash. Ballmer was in the awkward position of explaining both why Microsoft wanted Yahoo so much that it offered more than $44.6 billion for the company and why it later walked away from a deal at the same price.

"Yahoo for us was always a tactic, not a strategy," he said, blaming the breakdown in takeover talks on delays that would have pushed regulatory review into the next presidential administration. More recently, two attempts to buy just Yahoo's search business fell short, and Yahoo then co-opted the noisiest advocate for a sale within its shareholder ranks by giving Carl Icahn a minority of seats on the Yahoo board.

Ballmer said the major drivers for a deal included the chance to increase revenue per search query and improve the relevance of ads shown to search users. Scale, he suggested, is crucial for success, and Yahoo was a shortcut to scale.

Yet without Yahoo, Ballmer said Microsoft has more flexibility in its approach and can focus on other ways to make ads more useful for searchers.

"There is a huge, huge, huge new opportunity around the Net and online, and we need to embrace that opportunity," Ballmer said. "When people say to me, 'How do you lose $1.2 billion in this business?' ... we're anteing, we're reinventing."

-- Joseph Menn

-- Facebook founder Mark Zuckerberg addresses the developer masses today and may tout Facebook Connect, a more portable identification system. GigaOm

-- Vigilantes on eBay bid up items they suspect of fraud, blocking sales. LAT

-- San Francisco can have its network back, after the mayor picked up the keys. InfoWorld via Slashdot

-- Sony, Samsung et al team up on a wireless standard for transmitting high-def video. AP via Wired

-- Yes, those rumors again: Webheads debate whether Google buying Digg would be a bad thing, should it actually happen. CNet following TechCrunch

-- Yahoo's earnings definitely could have been worse. LAT

-- Thanks, Wii and Bluetooth! Chip maker Broadcom saw quarterly profit jump fourfold. LAT

-- Electronic Arts goes Hollywood. Ars Technica

-- AT&T had a good quarter, and that's not counting the sales of the new iPhone, which were twice as fast as the old iPhone in its early days. Silicon Alley Insider

-- Joseph Menn

Photo: chakote via Flickr

UPDATE: Elizabeth Silver-Fagan said in an interview that she "can't imagine" that anyone would think Perez Hilton endorsed her site.

-----

Celebrity celebrity-blogger Mario Lavandeira, better known as Perez Hilton, is quite possibly better at dishing it out than taking it.

The Los Angeles-based cultural authority, whose moniker could conceivably have something to do with the name of infrequently-clothed blond person Paris Hilton, is going to court to protect said moniker.

Lavandeira sued Infuse LLC, Margie E. Rogers and Elizabeth Silver-Fagan in L.A. federal court on Monday, accusing them of being the respective owner, editor and publisher of Perezrevenge.com. You can download a PDF of the lawsuit here.

Best known for annotating pictures of famous people and critiquing them, Lavandeira is demonstrably unhappy with the smaller site's purported tendency to post artwork from and critique PerezHilton.com.

The suit accuses the offenders of cyber-squatting and deceptive trade practices, with no reference to whether they look foolish in whatever they are wearing. 

The defendants, who didn't immediately respond to a request for comment, stand accused in the lawsuit of misleading the public by creating the impression that their site "is associated with and/or is otherwise authorized or endorsed by Lavandeira."

It's not clear how long such a misapprehension would last, however, since one recent post at the site began: "Mario Lavandeira a/k/a PerezHilton has once again twisted the facts (pictures below) so that he can spew his garbage, churn the rumor mill because he never??? tries to confirm a thing he writes."

The issue of confusion is an important one, legally-wise.

For example, even though it has the address www.drudge.com, DrudgeRetort probably would withstand accusations of unfairly usurping the page clicks more properly due the more famous DrudgeReport. That's because no one spending more than a few seconds on the liberal-leaning news and commentary site, which recently found itself in a legal scrap with the Associated Press, could think it was backed by Matt Drudge.

Or maybe it's still there because Drudge, who has been around the Web even longer than Lavandeira, knows that nothing generates more traffic for the little guy than a big ol' catfight.

-- Joseph Menn

Photo: Blogger Mario Lavandeira, better known as Perez Hilton, is going to court to protect his moniker. Credit: Myung J. Chun / Los Angeles Times

The public statement is the first by a major institutional investor supporting Yahoo management, and it's especially important because Miller has wavered in the past over how to vote. (T. Boone Pickens and other shareholders, none as large as Legg Mason, endorsed Icahn earlier.)

"We have met with representatives of the current board and management, including founder Jerry Yang, several times," Miller wrote. "We believe the current board acted with care and diligence when evaluating Microsoft's offers. We believe the board is independent and focused on value creation for long-term shareholders."

Miller (pictured) also took aim at a major argument put forward by the awkward alliance between Icahn, who badly wants Yahoo to sell to Microsoft, and Microsoft, which badly wants to buy Yahoo as cheaply as possible.

Microsoft said last week it would negotiate only with a new board (although it then proceeded to negotiate with the old board).

But some investors reason -- and Yahoo has argued -- that an Icahn-dominated board would have little leverage to negotiate the best terms with Microsoft, since Icahn has said little about a Plan B for the Internet company.

Miller agreed today that Microsoft shouldn't get to dictate who is on the other side of the bargaining table.

"If Microsoft wants to acquire Yahoo, it can make the terms and conditions of its offer public. If Yahoo shareholders support it, I am confident the board of Yahoo will accept it," Miller wrote.

Finally, Miller called the proxy fight "disruptive" and urged Yahoo and Icahn to negotiate a deal on the board's composition. Other shareholders have been floating that idea in private talks.

A joint board might make sure that all points of view are represented -- but it would also take some of the pressure off Yahoo's current board, which might still decide that doing a deal with Microsoft before the Aug. 1 annual meeting is the surest way to avoid an insurrection.

Microsoft and Icahn didn't immediately return calls seeking comment.

-- Joseph Menn

Photo credit: Andrew Serban / Bloomberg News