Clips 3/4/02
- To: "Ruchika Agrawal":;
- Subject: Clips 3/4/02
- From: Lillie Coney <lillie.coney@xxxxxxx>
- Date: Mon, 04 Mar 2002 15:00:14 -0500
Wired News Service
House Cool to Copy Protection
By Declan McCullagh and Robert Zarate
2:00 a.m. March 4, 2002 PST
WASHINGTON -- The U.S. House of Representatives doesn't seem willing to
intercede in an increasingly bitter dispute over embedding copy protection
controls in all consumer electronic devices.
Key legislators in the House have indicated they're skeptical of the government
mandating anti-piracy technology, an approach that Democrats of the Senate
Commerce Committee endorsed during a hearing last Thursday.
Fretting that online piracy of digital content will imperil sales, Hollywood
studios have asked Congress to bypass their negotiations with Silicon Valley
firms by requiring that all PCs and consumer electronics sport technology to
prohibit illicit copying. Senate Commerce Chairman Fritz Hollings (D-South
Carolina) has championed this approach.
"Mr. Coble believes Hollings' approach would have the government mandate
specific software standards governing encryption or access to copyrighted
works, which are transmitted digitally in lieu of negotiated industry
standards," said a spokesman for Rep. Howard Coble (R-North Carolina), the
chairman of the House Judiciary Subcommittee on Intellectual Property.
Spokesman Terry Shawn said: "He is concerned that this approach is too
interventionist and could lead to standards which favor certain brands of
software over others, and which could quickly become obsolete as technology
improves or changes."
Hollings has drafted, but has not introduced, legislation called the Security
Systems Standards and Certification Act (SSSCA). A version of the SSSCA obtained
by Wired News would prohibit creating, selling or distributing "any interactive
digital device that does not include and utilize certified security
technologies."
The SSSCA defines an interactive digital device as any hardware or software
capable of "storing, retrieving, processing, performing, transmitting,
receiving or copying information in digital form."
"Hollings' bill would mandate copy protection chips on all sorts of hardware
and machines in the same way that the V-chip was mandated on television sets,"
said Richard Diamond, a spokesman for House Majority Leader Dick Armey
(R-Texas).
Diamond said his boss, one of the more vocal members of the Republican Party's
free-market wing, doesn't like the government requiring standards: "Rep. Armey
found the V-chip inappropriate too."
There is no legislation similar to the SSSCA in the House, and given the House
Republican leadership's apparent opposition to it, no House version of the
SSSCA seems likely to appear anytime soon.
One explanation for the opposition to Hollings' approach may not be principle
but politics. The House this week voted 273-157 for a Republican-backed
broadband bill -- the Tauzin-Dingell legislation -- that Hollings has vowed to
block in the Senate.
During last Thursday's hearing in the Senate, it was the Democratic members of
the committee who proclaimed the need to legislate -- while Republican senators
such as John McCain (R-Arizona) and Sam Brownback (R-Kansas) said they "would
be extremely hesitant regarding any proposal for government to mandate
copy-protection technology."
Witnesses testifying at the hearing included Walt Disney chairman Michael
Eisner, News Corp. president Peter Chernin and Intel executive vice president
Leslie Vadasz.
Also, in the 2000 election cycle, the entertainment industry handed Democrats a
whopping $24.2 million in contributions compared to $13.3 million to
Republicans, according to opensecrets.org.
Not all House Republicans in a position to influence a future SSSCA are so
critical of the idea.
Ken Johnson, a spokesman for the House Energy and Commerce Committee, said his
colleagues had reviewed an early draft of the SSSCA. Hollings has refused to
release newer drafts.
"We agree with Sen. Hollings that a solution to this problem has to be found,"
Johnson said, adding that committee chairman Billy Tauzin (R-Louisiana) supports
the concept of the SSSCA.
Tauzin prefers that Hollywood and Silicon Valley work out a solution first, but
"we haven't shut the door" on legislation, Johnson said.
A spokesman for the Democrats of the House Judiciary Committee said they had
not reviewed the SSSCA and had no comment.
Robert Zarate contributed to this report.
*************
Computer World
Some Interior Department Web sites back online after two-month shutdown
By Linda Rosencrance
(Mar. 01, 2002) After being shuttered for more than two months by a court order,
about 40% of the U.S. Department of the Interior's (DOI) Web sites are back
online.
Some officials at the National Park Service were rejoicing that their Parknet
Web site is up and running again.
"It was a living hell," said Park Service spokesman David Barna. "In the
winter, we have 700,000 hits a day on our Web site from people trying to plan
vacations, students doing reports, and professors and scientists trying to
access environmental data. We have 1.2 million hits a day in the summer. People
weren't able to do that when we were shut down."
The DOI's Web sites, and the agencies under its authority, were shut down in
December after a federal judge found that the DOI was in violation of a court
order issued two years ago that required the agency to improve its managing of
accounts in the Individual Indian Monies Trust (see story). The trust fund was
established to compensate American Indians for the taking of their tribal lands
by the U.S. government in the 19th century. The judge ruled that the DOI didn't
adequately secure the trust data and ordered the department's computers
disconnected until they were adequately secured.
The DOI's Web site, as well as the sites of most of its agencies, were shut
down.
Among its problems, said Barna, the agency hires about 8,000 seasonal employees
for the summer, all of whom apply online.
"Most of that is done over Christmas break, when college students are home," he
said. "We were shut down during that period."
Barna said his agency couldn't pay its contractors, many of whom were looking
for payments for the 2001 tax year, because all payments are made
electronically.
Paying employees, which is also done electronically, was also difficult, he
said.
"We had to go back to using paper time cards and FedExing them to our service
center in Denver. It took 100 employees to do the payroll by hand," Barna said.
"But we didn't pay any overtime or holiday pay during that time. Now, we have
to go back and do that."
Barna said that without e-mail, the agency increased the mail sent through the
U.S. Postal Service, which presented its own set of problems.
"Because our mail goes through the Brentwood processing center [in Washington],
which tested positive for anthrax, all our mail is irradiated, but the machines
were set so high they cooked the mail, basically destroying it. The letters
just fell apart," Barna said. "But I think they must have turned the machines
down, because now the letters are just yellow."
About 40% of Interior Department Web sites are now back online, said Tianna
Chattin, a DOI spokeswoman.
One of the sites that remains unconnected to the Internet is that of the U.S.
Fish and Wildlife Service. However, the agency has a temporary Web site where
it posts the latest news releases.
A spokesman for the Fish and Wildlife Service said that its Web site usually
gets about 200,000 hits a day. With the site down, the agency's 14 public
relations staff members have been fielding far more telephone calls than usual.
"Overall, it's been very inconvenient for the public and more expensive for the
agency to do business. We've had to do more faxing and mailing of information
that people were able to get at our Web site," said Rachel Levin, a spokeswoman
for the Fish and Wildlife Service. Levin couldn't say how much the Web shutdown
is costing the agency, nor did she know when the Web site would be back online.
Levin also said the agency's outreach efforts have been stymied because of a
lack of access to e-mail. "We were trying to get out information to migratory
bird hunters but couldn't reach everyone we normally would," she said.
"We forget how much we rely on the Internet," concluded the Park Service's
Barna.
******************
Los Angeles Times
Patching Holes in the Net
Bush advisor Richard A. Clarke discusses ways to boost cyber security.
By CHARLES PILLER
TIMES STAFF WRITER
March 4 2002
Cyberspace security often seems reminiscent of the movie "Groundhog Day," in
which a TV weatherman played by Bill Murray wakes up and relives the same day
over and over.
After each massively disruptive software infection or hacking episode, users
and computer administrators briefly get security religion, swearing that this
time they really will take precautions and get things fixed. But such vigilance
soon returns to sleepy complacency, only to be followed by a rude awakening
with the next big breach.
Richard A. Clarke, appointed in October as a special advisor to President Bush
on cyberspace security and chairman of the newly established Critical
Infrastructure Protection Board, is at the heart of the government's efforts to
interrupt that cycle and guard against online crime and mischief. He reports to
both National Security Advisor Condoleezza Rice and Thomas J. Ridge, head of
the new Office of Homeland Security. The need for Internet security is huge.
Analysts estimate that attacks by hackers cost American businesses billions of
dollars annually in lost revenue and productivity. And since Sept. 11, security
experts have warned that terrorist hackers may be targeting U.S. commerce,
telecommunications and utility grids.
Officials hope America's new security consciousness will lead to real
improvements in online security.
Clarke--a veteran national security and counter-terrorism expert who has served
four presidential administrations--has a strong background to lead that charge.
But with no authority to enforce new security practices or policies, he must
rely on moral suasion and the power of the White House. Clarke talked with The
Times about key priorities for Internet security.
*
Question: Government and private industry networks seem wide open to cyber
attacks from hackers. What are the keys to improving the situation?
Answer: The first step is to admit we have problems. A lot of people in the
private sector and the government haven't been willing to admit that until
recently. Part of the reason is that they assumed that a certain amount of
disruption in their information technology--IT--systems was a cost of doing
business, and a cost that they could afford.
In the last six to nine months, the costs have gotten much higher. The
sophistication and frequency of viruses, worms and denial-of-service attacks,
as well as hacks, has gotten to the point where everyone realizes that we can't
afford the level of damage that is being done. And in the wake of Sept. 11,
it's not just a matter of damage that has been done in the past but the
possibility of much greater damage in the future.
The second step is to develop a partnership between the private sector and the
government.
*
Q: You recently said that on average, corporations spend only about .0025% of
revenue on IT security--less than they spend on coffee for employees. How much
should industry be spending on improvements?
A: There's not a direct, one-to-one correlation between how much money you
spend and what you get for it. But every manager, every CEO, every member of a
board of corporate directors ought to ask themselves, "How much importance are
we giving to IT security?"
*
Q: Given your small staff and lack of direct control over federal agencies'
policies, how will you push the agenda?
A: The president created the Critical Infrastructure Protection Board in
October. That board is made up of senior people from various federal
departments.... [On the advice of that board], this year, for the first time,
departments had their budgets returned to them by the White House and were
instructed to increase the amount of funding for IT security. As a result, the
overall federal budget for 2003 has a 64% increase for IT security [to $4
billion].
*
Q: Will that be sufficient to make major improvements in the government's cyber
security?
A: It will take that level of investment for several years before we are
feeling more comfortable.
*
Q: Would it be fair to say that the hundreds of security holes in Microsoft's
nearly ubiquitous software products pose the biggest computer security threat
today?
A: Microsoft [recently] made a decision to change the way they do business, to
make IT security the No. 1 design criterion and subordinate other functionality
to security in future products.
A lot of people greet that announcement with cynicism and doubt because of the
problems that Microsoft has had in the past with security. It would be more
constructive if we all said that we welcome the new policy and will work with
them to make sure it happens. Because you're right--given the ubiquity of
Microsoft software, if there are problems in Microsoft, there are problems
throughout our infrastructure.
*
Q: What should Microsoft do differently?
A: All software manufacturers need to design security into their products
rather than [putting] it on as an afterthought. Default settings should have
unnecessary programs and functions turned off. Things should come out of the
box with high security settings--the customer would have to make an intentional
decision to lower the security.... Any software company now that brings
products to market riddled with security vulnerabilities risks losing market
share.
*
Q: Yet given Microsoft's monopolies, competitive pressures haven't done much to
improve its security record. Should the government require security reviews or
product certification?
A: When the federal government gets into regulation, it frequently gets
ham-handed, and out of a wealth of good intentions becomes clumsy and
counterproductive.
*
Q: You've been a big backer of GovNet--the plan to create a super-secure,
government-only network. What are its advantages?
A: Think of GovNet as a question rather than as a program. Are there functions
so critical that you don't want them connected to a worldwide network that
anyone can get into?... Where has it been written that the control of the
electric power grid should be dependent on the Internet?
*
Q: Much of the power grid management system is already separate from the
Internet, so why is this a problem?
A: Electric power generation, distribution and transmission systems, because of
deregulation, are increasingly using Internet connectivity. Even when they
think they have networks that are not connected to the Internet, when we do
security audits we find out that they are connected--for diagnostic purposes,
repair purposes.... In general, there are some functions that are so critical
that [they should be on a separate] system. That's what we're exploring.
******************
Newsbytes
U.S. Court Hands Barcelona.com To Spanish City
By Steven Bonisteel, Newsbytes
ALEXANDRIA, VIRGINIA, U.S.A.,
01 Mar 2002, 3:13 PM CST
A U.S. court has declared that the operators of a tourism portal at
Barcelona.com are cybersquatters, and that the Internet address they registered
in 1996 should be awarded to the Spanish city of Barcelona.
The decision, from a U.S. District Court Judge in Alexandria, Va., effectively
upheld one of the most controversial rulings in a two-year-old dispute
resolution procedure adopted by the Internet Corporation for Assigned Names and
Numbers (ICANN), which has now dispatched thousands of squabbles between
trademark holders and registrants of Internet addresses.
In an August 2000 decision under ICANN's quasi-judicial Uniform Domain-Name
Dispute Resolution Policy (UDRP), an arbitrator found that the city's claim to the
"Barcelona" name trumped that of the husband-and-wife team behind the Web
portal, despite the fact that Spanish law doesn't permit either of the parties to
trademark the word "Barcelona" alone.
The UDRP decision meted out on ICANN's behalf by the World Intellectual
Property Organization was viewed as either a threat to hundreds of substantial
Internet businesses or a sad anomaly.
But Judge Claude Hilton's ruling this month in what amounted to Barcelona.com's
appeal of its UDRP case could renew fears for companies such as Boulevards New
Media, whose domain holdings include the destinations LosAngeles.com,
WashingtonDC.com and London.net.
Hilton ordered the domain Barcelona.com to be transferred to the government of
the Spanish city "forthwith" after ruling that Concepcio Riera and her husband,
Joan Nogueras Cobo, had attempted to profit by waylaying Web surfers who would
be expecting to find an official government site at the dot-com address.
In addition, Hilton wrote in his decision that the couple had used their
Barcelona.com address in efforts to extract money from the city, including
presenting to city officials in 1999 a business plan "which grossly exaggerated
the value of the Barcelona.com business prospects."
Texas lawyer Dale Robertson, hired by Barcelona.com when it elevated its fight
to the U.S. courts, told Newsbytes that Hilton apparently did not agree that
the couple's search for investors should have included the city.
"They just wanted anybody - the city or anyone else - to invest in their site,"
he said.
But Robertson said the real surprise for him in reading Hilton's decision today
was the U.S. judge's frequent citation of Spanish trademark law.
Because the U.S. District Court for the Eastern District of Virginia was chosen
by the city as the forum for future litigation when it launched its UDRP
complaint, Robertson said, he was expecting Hilton to rule entirely on the
basis of U.S. trademark law.
But Hilton referred to Spanish trademark law - and trademarks held by the city
in Spain for longer phrases containing the word Barcelona - to come to the
decision that the city had a real claim on Barcelona.com.
"Under Spanish law, when trademarks consisting of two or more words contain one
word that stands out in a predominant manner, that dominant word must be given
relevance," Hilton wrote. "Thus, under Spanish law, when considering a mark
that contains two or more words, one must determine which word creates the most
dominant impression in the mind of the consumer.
"In addition, the law of Spain provides that names of Spanish communities,
municipalities and provinces cannot be registered as trademarks without the
authorization of the municipal authorities," the judge also wrote.
Robertson said the decision seems to award new muscle to businesses looking to
wield local trademarks outside their own countries.
"Anyone with a geographical name is indeed in great danger of a governmental
entity that has that name taking it away," he said. "But I think it's broader
than that: it's any domain name owner (without its own trademark) where there
is a trademark anywhere in the world.
"It's definitely a wake-up call for any geographical domain-name owner,"
Robertson added.
The current holders of Barcelona.com, who quickly incorporated their business
in the U.S. when the city first threatened to claim their address nearly two
years ago, have yet to decide whether they will battle on, Robertson said.
Hilton's decision marks the first time a U.S. court has ruled in a clash of
trademarks involving an Internet address and a geographical place name.
The federal court for the Southern District of New York came close when global
portal Virtual Countries Inc. (VCI) launched a lawsuit against the Republic of
South Africa in a bid to keep that country away from VCI's SouthAfrica.com
domain.
But Judge Allen Schwartz ruled that VCI pulled the trigger too soon when it
asked the court to issue a declaratory judgment affirming its right to use
SouthAfrica.com and to prevent the South African government from launching a
UDRP complaint.
Schwartz said that, while South Africa may have threatened to turn to WIPO and
the UDRP, it had not actually filed a complaint. And, without even a UDRP
complaint assigning "mutual jurisdiction" to his court, Schwartz ruled that he
didn't have the right to stop any arbitration or settle a trademark spat
involving the government of South Africa.
Reported by Newsbytes.com, http://www.newsbytes.com .
***************
Newsbytes
Online Fraud Loss 19 Times Offline's - Gartner
By Dick Kelsey, Newsbytes
STAMFORD, CONNECTICUT, U.S.A.,
04 Mar 2002, 1:48 AM CST
More than 5 percent of online consumers last year were victims of credit card
fraud, a crime that accounted for more than $1 out of every $100 spent on
Internet sales, according to a report published today.
Online crooks made off with more than $700 million, a figure that - dollar for
dollar - is 19 times the year's offline fraud total, a GartnerG2 survey found.
The e-fraud losses make up 1.14 percent of total annual online sales of $61.8
billion.
The survey found that 5.2 percent of 1,000 adult online consumers in the U.S.
were hit by Internet credit card fraud and 1.9 percent were victims of identity
theft. None, however, knew for sure whether their identity was stolen online or
offline.
The good news, Gartner says, is that more online consumers are taking steps to
protect their credit card data from such fraud. More than 18 percent said they
are using safeguards offered by MasterCard or Visa.
GartnerG2 Research Director Avivah Litan said credit card companies have
finally developed user-friendly authentication technology, which consumers are
more willing to adopt than systems that take more steps than simply entering a
password.
"Other security schemes, including public key infrastructure (PKI), smart cards
that the credit card firms also support and disposable card numbers, receive
far less consumer support," Litan said in a news release.
Now the ball is in the credit card companies' court, she says, advising them to
lower merchant fees for online transactions. MasterCard and Visa are planning
to make issuers, not merchants, liable for protected online purchases.
"The credit card companies should, however, back up their belief in these
systems by lowering fees for all merchants who support them," Litan said. "This
would guarantee even more widespread adoption."
Reported by Newsbytes.com, http://www.newsbytes.com
********************
New York Times
March 4, 2002
The Corner Internet Network vs. the Cellular Giants
By JOHN MARKOFF
SAN FRANCISCO, March 3 -- The informal Wi-Fi networks that inexpensively provide
wireless Internet access are fine, as far as they go -- which is generally a few
hundred feet. But what happens when there are enough of them to weave together
in a blanket of Internet coverage?
What begins to appear is a high-speed wireless data network built from the
bottom up, rather than the top-down wireless cellular data networks now being
established by giant telecommunications companies.
Many Silicon Valley engineers now believe that it will be possible to take the
tens of thousands of inexpensive wireless network connections that are popping
up in homes and coffee shops all over the country and lash them together into a
single anarchic wireless network. Connections could theoretically be passed
from one Wi-Fi node to another, similar to the way wireless phone signals pass
from cell to cell, thereby significantly extending the wired Internet.
Modeled closely on the original nature of the Internet, which grew by chaining
together separate computer networks, the technology -- known as wireless mesh
routing -- is being rapidly embraced in the United States as well as in the
developing world, where it is viewed as a low-cost method for quickly building
network infrastructure.
If the engineers are right, the popular and inexpensive Wi-Fi wireless
standard, also known as 802.11, could serve as the wedge for the
next-generation Internet, enabling a new wave of wireless portable gadgets that
ultimately blanket homes, schools and shopping malls with Internet access.
Currently most 802.11 networks serve as individual beacons that provide
wireless Internet connections to portable computers situated within 200 feet or
so of an 802.11 transmitter. What wireless mesh routing offers is the promise
of a vastly more powerful collaboration driven by the same forces that
originally built the Internet.
"The good news is that broadband wireless access will finally explode," said
Nicholas Negroponte, the director of the M.I.T. Media Laboratory. "The social
contract is simple: you can use mine when you are in the vicinity of Mount
Vernon Street, Boston. But I want to be able to use yours when I am near you."
The technology is being driven both by a gaggle of ambitious start-up companies
in Silicon Valley and elsewhere and by a hobbyist movement that mimics the
original Homebrew Club that led to the personal computer industry.
Today, Tim Pozar and several of his friends are seizing the high ground,
literally and figuratively, in a movement that could undercut the nation's
cellular companies, which are investing tens of millions of dollars in
top-down, heavily engineered, digital cellular networks.
Mr. Pozar, a radio engineer, is a member of the Bay Area Wireless Users Group,
an active band of hobbyists who have been building free networks in communities
through the region. Mr. Pozar and some of his friends have quietly begun
obtaining the rights to place $2,000 wireless network access stations on the
mountains and hilltops that encircle San Francisco Bay. If he succeeds, the
network will be a starting point for a wireless data network that could
eventually spread all over the Bay Area.
Significantly, what will set Mr. Pozar's planned Sunset Network and those like
it apart from the commercial cellular networks now being constructed at great
expense is that they will "self assemble" -- expanding from one neighborhood to
the next as individuals and businesses join by buying their own cheap antennas
that either attach to the wired Internet or pass a signal on to another
wireless node.
Mr. Pozar has even come up with a new acronym to describe his plan. In addition
to the existing terminology of LAN's and WAN's -- local and wide area networks --
he is proposing the idea of NAN's, or neighborhood area networks.
The so-called Nanny Networks are rapidly becoming the hottest thing in Silicon
Valley and internationally. There are now at least 19 companies developing
proprietary wireless mesh routing technologies, all trying to replicate the
original Internet in a wireless form.
It is not an easy task because the companies are engineering for a new kind of
design, with which they must route data packets over paths where network nodes
constantly pop up and disappear.
Moreover, wireless networks must overcome an array of environmental obstacles
that do not plague wired networks, including hills, rain and trees.
Such networks, however, do have the critical advantage of economy of scale. In
contrast to the cellular data networks, in which every customer is an added
cost, in some respects in wireless mesh networks the more users who join the
better the network performs.
In the jargon of Silicon Valley, wireless mesh routing is potentially a
"disruptive technology," a new technology that is likely to upset the existing
order by using the same powerful economics of cost and scale that initially
drove the growth of the commercial Internet.
Already, companies like Mesh Networks, based in Maitland, Fla., are selling
systems of wireless routers, making it possible to create self-assembling and
self-healing networks that would cover an urban area.
There are also companies like Boingo Wireless and Sputnik, which focus on
software and services that make it possible for wireless users to roam among
networks. Similar technologies were crucial in the development of the original
nationwide analog cellular voice networks.
In Silicon Valley, companies like Skypilot Network, FHP Wireless, Ultradevices,
CoWave Networks, SRI's Packet Hop and others are all developing networks that
have the potential to weave together networks made up of wireless antennas.
"We're going to start seeing more mom-and-pop Internet service providers
buying access points that will support 802.11," Mr. Pozar said. "At first I
thought it was going to just be geeks doing wireless, but now everyone has one
of these things deployed."
******************
Wired News Service
Britney Worm Tamer Than Anna, J-Lo
By Dick Kelsey, Newsbytes
SUNNYVALE, CALIFORNIA, U.S.A.,
01 Mar 2002, 3:12 PM CST
A new e-mail worm dangling pop icon Britney Spears as a come-on may be as
tempting, but is less threatening than last year's vixen viruses named for
tennis ace Anna Kournikova and singer/actress Jennifer Lopez, security experts
said.
Nevertheless, today they spread the word about VBS/BritneyPic@MM, warning that
it's passed along by opening an attachment claiming to bear pictures of the
young heartthrob.
Perhaps virus fighters at McAfee.com say it best: "VBS/BritneyPic@MM is a
low-risk worm that has received a large volume of inquiries."
Calling the Britney e-mail worm a "social engineering" virus, McAfee.com says
it slows down e-mail and Internet connections but does not appear to damage
infected computers. It's a name-dropper of sorts, however, so it will get a lot
more attention than most other worms and, potentially, reach more computers.
"Social engineering viruses rely on sensational subject lines, in this case
'Britney Pics,' to tempt users," a McAfee alert said. "Using Britney Spears as
the subject of this e-mail attachment may cause this worm to spread more
readily."
Anti-virus companies consider the latest worm low risk, at least for now, and
the virus was not in the wild as of this afternoon, McAfee said. Finland-based
F-Secure is less concerned, saying the worm sends itself only once per infected
system and to just one recipient.
The tainted e-mail carries the subject line "RE:Britney Pics" with "Take a look
at these pics..." in the body of the message and "BRITNEY.CHM" on the
attachment. When the CHM file is run, a window is displayed and an Internet
Explorer warning message overlays it. Clicking "yes" infects the local system,
sending itself to all entries in Outlook address books. The virus can also
distribute itself via Internet Relay Chat (IRC).
The worm sets a registry key -
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\chm - that is used as an
infection marker, so the worm will not spread more than once from an infected
system, said F-Secure.
The worm also travels under aliases VBS.Breetnee, VBS/BritneyPic.ini,
VBS/BritneyPic@MM, VBS/Chick.ini, Worm/BritneyPic, BRITNEYPIC, VBS/Britney-A
and CHM_BRITNEYPIC.A.
The Britney worm and last year's JenniferLopez_Naked virus are small-time
distractions compared to the notorious Anna Kournikova menace that was
unleashed just over a year ago.
The worm named for the blonde-hair, blue-eyed Russian tennis star was similar
to the LoveLetter virus, but its ability to hide itself with encryption made it
even nastier. A Dutch 20-year-old, who admitted having an eye for Anna, was
arrested for creating the Kournikova worm and sentenced to community service.
"Britney has joined the ranks of glamorous, highly attractive people to have
viruses written about them," said Sophos technology consultant Graham Cluley.
"Britney is a very popular celebrity and many computer users - from
teenyboppers to fascinated fathers - would be interested in seeing photos of
her."
Sophos Anti-Virus is at http://www.sophos.com .
Lillie Coney
Public Policy Coordinator
U.S. Association for Computing Machinery
Suite 507
1100 Seventeenth Street, NW
Washington, D.C. 20036-4632
202-659-9711