
Clips 2/22/02



Federal Computer Week
Officials fit IT into homeland goals 
BY Diane Frank 
Feb. 21, 2002 

The Bush administration is advancing quickly to determine how information
technology can help agencies achieve the broad homeland security goals outlined
by the president in his State of the Union address, officials said Feb. 20.
Senior administration officials said that policy and IT officials must come
together to identify how to reach the president's goals - to secure the
homeland, win the war against terrorism and restore economic stability - even
before Congress can decide on the $722 million requested for homeland security
IT projects in fiscal 2003.

To that end, officials from the Office of Homeland Security and the Office of
Management and Budget are leading the development of a paper that lays the
foundation for that process. The first step is to identify mission objectives
for each goal and then to identify specific IT initiatives to reach the
objectives, one official said. 

For example, the goal to secure the homeland includes an objective to better
understand who is coming into the country. One initiative under that objective
is the entry/exit system that the Immigration and Naturalization Service will
develop.

Key to this process is making sure the objectives are mission-based and are
identified by program and policy officials within agencies and the
administration, the official said. 

Once those mission objectives are set, the IT administrators will determine the
best technology solution - based on a strong business case with clear
performance measures - to reach the objectives, said another official. The most
critical homeland security initiatives will move forward without complete
business cases, but that situation will have to be fixed as soon as possible,
he said.

Officials expect to finish the paper soon and, once it is approved, will give
it to the program office at the Critical Infrastructure Assurance Office for
implementation, the first official said.
*******************
Disclosure Guidelines For Bug-Spotters Proposed  
By Steven Bonisteel, Newsbytes
CAMBRIDGE MASSACHUSETTS, U.S.A.,
21 Feb 2002, 5:21 PM CST

A pair of computer security researchers are seeking comments on a proposal to
bring order to the reporting and fixing of security holes in software, a
process that frequently takes place in adversarial arenas. 
In a document known as an Internet Draft submitted to the Internet Engineering
Task Force (IETF), Steve Christey of MITRE and Chris Wysopal of @stake outline
what could become standard procedures for both bug hunters and software vendors
when dealing with newly discovered vulnerabilities. 

The "Responsible Disclosure Process" Internet Draft comes as even Internet
security sleuths themselves continue to debate how quickly they should publish
their reports and how detailed they should be. Meanwhile, software giant
Microsoft Corp. has been the most vocal among vendors who have criticized the
bug hunters for reporting problems before they are patched. 

Christey's and Wysopal's IETF submission calls on those who report
vulnerabilities to adhere to a policy of "responsible" disclosure that ensures
they have made a substantial effort to verify their findings and allow vendors
to respond to their reports. 

The draft suggests a role for "coordinators" in the security industry that can
work with both bug reporters and vendors. Such coordinators could be fall-back
points of contacts for those who find bugs but don't have the resources to
follow through on testing and communicating with vendors. 

The draft also recommends that those who create software adopt uniform
approaches to receiving bug reports and responding to them. 
Those procedures would include making available clearly defined sections on
their Web sites for that purpose and adopting a standard naming scheme for
e-mail mailboxes to which bug reports may be submitted. 

The proposal says vendors would be expected to acknowledge bug reports within 7
days and that they should continue to provide regular status reports until an
issue is resolved. 

"Developers, customers and the security community all have divergent
perspectives on the impact of vulnerabilities," Christey and Wysopal wrote.
"Currently, vulnerability release is inconsistent and largely driven from the
perspective of the party who has the greatest ability to control the process. 

"In an effort to create a common framework by which objectives are met to the
benefit of all parties, this document communicates a formal, repeatable process
for addressing vulnerability disclosure in a responsible manner." 

The full Internet Draft can be found here: 

http://www.ietf.org/internet-drafts/draft-christey-wysopal-vuln-disclosure-00.txt

Reported by Newsbytes.com, http://www.newsbytes.com . 
******************
Spam worsens, slows AT&T e-mail 
Unsolicited messages now 20 percent of all traffic 

Feb 21 - Think spam is just annoying? Ask AT&T WorldNet users. A spam attack
actually interrupted delivery of e-mail to thousands of WorldNet customers
earlier this week, as the company fought off a deluge of marketing messages
destined for customers. It's a sign of the times, says WorldNet spam filtering
company Brightmail Inc., which claims that junk e-mail has soared in the past
12 months and now represents 20 percent of all e-mail floating around the
Internet.

AT&T e-mail was sluggish Monday and Tuesday, according to company spokesperson
Janet Wyles. Some users complained e-mail took as long as a day to arrive.
Wyles said no e-mail was lost and the service has been returned to normal.

   AT&T uses Brightmail to trap spam using special filters before it gets to
WorldNet e-mail customers. 

   According to Brightmail spokesperson Francois Lavaste, an unidentified
Internet marketer overwhelmed Brightmail's filtering system with messages,
slowing down all e-mail delivery.

   "It was a side effect of curing spam," he said. "The reality of this attack
is, it shows spam can be used as a denial of service attack."

   The incident is just the latest chapter in the cat and mouse game between
Internet Service Providers and e-mail marketers trying to get their message
out. 

   But this week's incident seems to raise the stakes - Lavaste said he couldn't
remember an incident where a major ISP's e-mail was slowed for a day or more by
spam.
   
SPAM ATTACKS ON THE RISE 

Spam attacks are on the rise, he said, jumping some 46 percent since November.
In fact, Brightmail estimated a year ago that spam constituted about 10 percent
of all e-mail. That figure has now jumped to 20 percent, he said.

   "And we have examples of companies or ISPs where over 60 percent of the
message flow is spam," he said.

   Brightmail isn't the only voice suggesting spam is on the rise.

   Bill Campbell, who operates Internet service provider Celestial Software
near Seattle, Wash., says he has seen a dramatic rise in junk e-mail messages
sent from - or relayed through - Asian computers.

   "In one case, we get half a million connection attempts per hour," he said. 
"Spam is certainly getting worse, and I don't know why."

   Jim Gregory, Service and Security Manager at Slingshot Communications Inc.,
said his firm has also seen a recent sharp increase in the amount of spam.
Gregory hunts down spammers for Slingshot, which provides "prepaid" Internet
access.

   "It can literally take hours to work with other ISPs to track down a spammer
and get him turned off," Gregory said. "That time could have been spent
improving customers' experience on our service, but it's spent tracking down
somebody who is degrading everyone's Internet experience. ... It's incredibly
frustrating." 


    Tom Geller, executive director of the SpamCon Foundation, said he thinks
spammers are getting smarter. For example, in a new kind of attack, spam
messages that are initially turned away by e-mail servers are programmed to
"morph" and try again. The messages repeatedly change e-mail addresses, for
example, until they hit on a valid name.

   "They can just keep hammering away hundreds of thousands of times," he said.
"I wouldn't be surprised if we keep seeing more of these things."

   While Lavaste said e-mail slowdowns resulting from spam aren't common for
large ISPs, Geller said smaller companies have been dealing with the problem
for years. 

   "It's probably more common than you realize," Geller said. In some cases,
spam aimed at an ISP's customers overwhelms an e-mail server. In other cases,
spammers "forge" return addresses, so rejected messages are sent back to
unwitting victims. A deluge of rejected messages can also topple an e-mail
server.

   "Every Internet service provider goes through this," Geller added.
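Both failure modes described above, the address-guessing run that keeps changing the recipient until one is accepted and the flood of bounces that lands on whoever's address the spammer forged, leave a distinctive trace in a mail server's own log. The following is an added example, not code from the article or from any ISP quoted in it; the log format, the event names, the thresholds, the addresses and the IP ranges are all constructed for the illustration:

```python
"""Two spam-driven failure modes, read off a mail server's own log:
a directory-harvest run (the client keeps changing the recipient until
one is accepted) and a backscatter flood (bounces for mail whose return
address was forged to one of our users). Added example; log format,
thresholds, addresses and IPs are all constructed for the illustration."""
import re
from collections import defaultdict

# Constructed log line: "<epoch-seconds> <client-ip> <event> <address>"
#   RCPT_OK       recipient accepted
#   RCPT_UNKNOWN  recipient rejected, no such user
#   BOUNCE_IN     inbound message with an empty envelope sender (a bounce)
LINE_RE = re.compile(r"^(\d+)\s+(\S+)\s+(RCPT_OK|RCPT_UNKNOWN|BOUNCE_IN)\s+(\S+)$")


def parse_log(text):
    """Return (ts, ip, event, address) tuples; lines that don't match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append((int(m.group(1)), m.group(2), m.group(3), m.group(4)))
    return events


def harvest_sources(events, window=300, min_unknown=20, min_ratio=0.8):
    """Clients that, inside one window, hit many non-existent recipients and
    almost nothing else. A stale address book produces a few unknown users
    among many good ones; a harvester produces the opposite ratio."""
    counts = defaultdict(lambda: [0, 0])            # (ip, bucket) -> [unknown, ok]
    for ts, ip, event, _ in events:
        if event in ("RCPT_UNKNOWN", "RCPT_OK"):
            counts[(ip, ts // window)][0 if event == "RCPT_UNKNOWN" else 1] += 1
    flagged = {}
    for (ip, _), (unknown, ok) in counts.items():
        if unknown >= min_unknown and unknown / (unknown + ok) >= min_ratio:
            flagged[ip] = max(flagged.get(ip, 0), unknown)
    return flagged                                  # ip -> peak unknown-recipient count


def backscatter_victims(events, window=300, min_bounces=20, min_sources=10):
    """Local addresses receiving a burst of bounces from many different servers.
    One real bounce comes from one server; a forged-sender spam run draws
    bounces from every server that accepted the spam and rejected it later."""
    stats = defaultdict(lambda: [0, set()])         # (addr, bucket) -> [bounces, {ips}]
    for ts, ip, event, addr in events:
        if event == "BOUNCE_IN":
            s = stats[(addr, ts // window)]
            s[0] += 1
            s[1].add(ip)
    victims = {}
    for (addr, _), (n, ips) in stats.items():
        if n >= min_bounces and len(ips) >= min_sources:
            victims[addr] = max(victims.get(addr, 0), n)
    return victims                                  # address -> peak bounce count


def constructed_sample_log():
    """A small constructed log: one harvester, one ordinary relay, one
    backscatter flood. IPs are from the RFC 5737 documentation ranges."""
    lines = []
    for i in range(24):                             # 24 guesses, then one hit
        lines.append(f"{1000 + 5 * i} 198.51.100.7 RCPT_UNKNOWN user{i:02d}@example.net")
    lines.append("1125 198.51.100.7 RCPT_OK alice@example.net")
    lines += [                                      # normal traffic with one typo
        "1010 203.0.113.5 RCPT_OK bob@example.net",
        "1020 203.0.113.5 RCPT_OK carol@example.net",
        "1030 203.0.113.5 RCPT_UNKNOWN carrol@example.net",
    ]
    for i in range(30):                             # 30 bounces from 30 servers
        lines.append(f"{1000 + 3 * i} 192.0.2.{i + 1} BOUNCE_IN dave@example.net")
    return "\n".join(lines)


if __name__ == "__main__":
    evts = parse_log(constructed_sample_log())
    print("harvest sources:", harvest_sources(evts))
    print("backscatter victims:", backscatter_victims(evts))
```

Both checks use only events the server already records, and both key on a time window so that one stale address book or one genuine bounce does not trip them. The usual follow-up is to refuse a harvester's connections for a while and, on the backscatter side, to reject unknown recipients during the SMTP session rather than accept the message and bounce it afterwards: accept-then-bounce is exactly how a server becomes the source of the next backscatter flood.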
******************
Federal Computer Week
N.Y. firehouse scouts biometrics 
BY Brian Robinson 
Feb. 21, 2002 

The events of Sept. 11 - when many New York fire departments discovered just
how vital it was to keep close track of the whereabouts of personnel - have
driven one Queens firehouse to look to biometrics as a way of clocking firemen
in and out of its building.

Previously, firefighters at the West Hamilton Beach Fire Department had to sign
in when they reported to the firehouse but might not remember to sign out when
they left. Problems also arose with people signing in for others who were not
there. As a result, one of the key issues on Sept. 11 was confusion regarding
who was actually at the World Trade Center site.

With the biometric solution supplied by Sense Holdings Inc., firefighters use
their fingerprints to check in and out of the firehouse - a one-stop solution
that covers attendance and time on duty as well as identification,
authentication and security.

Having this technology could have meant all the difference Sept. 11, according
to John Velotti, chief of the West Hamilton Beach department.

"[It] could have given us up-to-the-minute reports on the location of our
firemen, which we could have then accessed from any place with an Internet
connection," he said.

Sense's CheckPrint T/A (time and attendance) biometric clock also provides for
a much more streamlined accounting and human resources system, said Dore
Perler, the company's chief executive officer. It can generate automated
reports in minutes, for example, and doesn't require firefighters to carry
security cards with them or remember access codes.

"Sept. 11 has really been a kick in the pants for the biometrics sector,"
Perler said. "Before, no one really knew what biometrics meant, and now they
are beginning to."
*********************
Newsbytes
Worldwide Internet Growth Is Slowing - Study  
By Michael Bartlett, Newsbytes
CEDAR KNOLLS, NEW JERSEY, U.S.A.,
22 Feb 2002, 12:48 AM CST

The Internet still is welcoming millions of new netizens each year, but
according to a new study, the growth rate is slowing down - especially in
developed countries. 

Alan Mosher, a senior analyst with Probe Research, the company that conducted
the study, told Newsbytes the base number of Internet users has become so large
that the days of triple digit growth are not possible any more. 

"You see this especially in the United States," said Mosher. "It is becoming
incremental growth, rather than the wide-open growth we saw in the past." 

Analysts are waiting for the Internet's "next stage," he said, as the world's
Web users make up their mind how aggressively they convert to broadband. 

"People have a group of things they do on narrowband, for example instant
messaging, which broadband won't make a difference. You could add color video,
but that would change the product." 

"It is quite a jump from $20 to $25 for dial-up to $45 to $50 for broadband,
without a huge change in perceived value," he added. 

The Probe Research study said DSL made a strong move in 2001, much more so than
cable modems. 

Mosher said there were fewer than 20,000 DSL connections in Japan at the end of
2000, but by the end of 2001, there were 1.5 million. 

"You see similar growth in Germany and France," he said. "At the end of 2000,
there were less than 500,000 DSL subscribers in Germany, and at the end of
2001, there were 1.4 million. In the same time period, France went from less
than 100,000 to over 500,000." 

Why has DSL been so successful? Mosher said in Japan it is "dirt cheap," and
there is a lot of competition. "In Germany, there is virtually no cable modem
competition for broadband," he said. 

The study noted that some regions other than the U.S. still are poised for
strong growth in the next three years, especially markets in Asia. 

South America's wired Internet connectivity - which includes subscribers plus
users of free Internet services - was 6.8 million in January of 2001. By the
end of this year, Probe Research projects 9.9 million connections, and 17.96
million by the end of 2005. 

Europe ended 2001 with 41.6 million, and will end 2002 with 46.5 million, the
study said. By the end of 2005, the region will have 58.8 million Web
connections. 

Asia is projected to have the biggest growth of all. Mosher said the region
includes India and China, which are two populous but "under-computered"
countries. He expects a combination of computer sales and set-top boxes to
boost connectivity significantly. 

At the end of 2000, Asia had 39.3 million wired Internet connections, he said.
That figure hit 52.2 million at the end of 2001, and is projected to rise to
65.1 million at the end of 2002 and 145 million by the end of 2005. 

Probe Research is at http://www.proberesearch.com . 

Reported by Newsbytes.com, http://www.newsbytes.com . 
*******************
Protest e-mails crash Olympic server
By Reuters 
February 22, 2002, 5:25 AM PT
http://news.com.com/2100-1023-842924.html 

SEOUL--South Koreans took to the information superhighway on Friday to let the
world know their anger at the disqualification of their skater in the Olympic
1,500 meters men's short track on Wednesday. 
South Korea is among the world's most wired countries, and e-mail and Web sites
were at the forefront of protest, backed by the more traditional media. 
Korean Kim Dong-sung crossed the line first but was disqualified for impeding
American Apolo Anton Ohno, who was awarded the gold medal. 

A flood of "insulting" e-mail from South Korea caused the server of the United
States Olympic Committee (USOC) to crash on Thursday. 

A spokesman for the USOC said it received 16,000 e-mails from South Korea
within five hours of Ohno's win, some of which constituted threats to Ohno and
were passed on to the FBI. 

Comments on Web sites included a call to harass the U.S. soccer team when it
plays in the World Cup finals in South Korea in June. 

"All the referees are servants of the U.S.," said one of hundreds of angry
comments on the Web site of the Sports Chosun. 

"The United States is a gangster country," wrote another. The Joongang Ilbo
daily paper said the result proved there was an "axis of favoritism"--a jab at 
President Bush's "axis of evil" comments about North Korea. 

Some Koreans expressed relief the controversy boiled up after Bush had left
South Korea on Thursday after a 40-hour visit that was stalked by small but
noisy anti-U.S. protests. 

Ohno told a news conference in Salt Lake City that he had been unaffected by
the flood of e-mail from furious Koreans. South Korea has appealed against the
decision and also plans to file a lawsuit in a U.S. district court. 

Story Copyright © 2002 Reuters Limited. All rights reserved. 

***********************
USA Today
Calif. high court to consider DVD encryption case

SAN FRANCISCO (AP) - The California Supreme Court entered the entertainment
arena Wednesday, agreeing to hear a case permitting Internet surfers to share
software enabling the copying and playing of DVDs on computers.

The high court did not indicate when it would hear the closely watched case
involving a decoding program for digital video discs. Nor did the court comment
on the case, which stems from a San Jose-based state appeals court which ruled
in November that it was a "prior restraint" to prohibit the posting of the
encryption-breaking code on the Internet.

The 6th District Court of Appeal lifted an injunction prohibiting Andrew Bunner
of San Francisco from posting the encryption software, a move that the DVD Copy
Control Association, an industry group, said was akin to giving crooks the
technology to reproduce protected material - such as movies - en masse.

The association controls a program called the content scramble system, or CSS,
which prevents unauthorized use of a movie recorded on DVD. A Norwegian
teen-ager in 1999 posted a program giving users of the Linux computer operating
system the codes to play or reproduce DVDs on computers. Others, including
Bunner, posted that program on various Web sites.

The association sued Bunner and others under the Uniform Trade Secrets Act, a
California law designed to protect trade secrets.

The court of appeal, in overturning a San Jose judge's order forbidding the
posting of the code, ruled that protecting trade secrets is not as important as
"the First Amendment right to freedom of speech."

Last year, the 2nd U.S. Circuit Court of Appeals in New York said postings of
the encryption program violated the federal Digital Millennium Copyright Act.

The court ruled in November that Eric Corley, operator of the 2600 magazine Web
site, had to remove links to a DVD decryption program called DeCSS.

Corley's attorneys had argued at trial that publishing the program was
protected as free speech and their client was merely covering the news value of
the technological development by posting the code.
**********************
New York Times
February 21, 2002
Panel's Ruling on Royalties Is Setback for Web Radio Services
By AMY HARMON

The fledgling Internet radio industry was handed a setback yesterday as a
government arbitration panel said online radio stations should pay recording
companies nearly 10 times what the Webcasters had proposed for the songs they
play.

The panel's long-awaited recommendation was considerably less than the rate the
recording industry had suggested. But several Webcasters said that if the
proposal passed the next hurdle - approval by the United States Copyright
Office, which set up the panel - it might mean an end to free radio on the
Internet.

"Over a million people play our free service every month," said Dennis Mudd,
chief executive of Musicmatch, "and it's going to be impossible to even come
close to breaking even with these new rates. Radio on the Web should be able to
serve the same function that radio over terrestrial airwaves performs, and it's
not going to be able to do that because of these rules."

Under the panel's proposal, commercial Webcasters would pay royalties of 0.14
cent per listener per song. Internet transmissions of regular AM or FM radio
broadcasts would cost 0.07 cent per song. Rates would be lower for
noncommercial broadcasters, at 0.02 cent for radio rebroadcasts and 0.05 cent
for Internet-only programming.

The rates would be effective retroactively, to 1998. The rules also require
Internet radio stations to count their users and report their geographic
locations. Some Webcasters say fulfilling that requirement would violate their
privacy policies.

Analysts said the ruling would help dispel the uncertainty that has hovered
over the Internet radio business since a 1998 federal law mandated that
Webcasters - unlike conventional radio stations - pay royalty fees for the
songs they broadcast.

"At least this will allow them to create business models," said Aram Sinnreich,
a senior analyst at Jupiter Media Metrix, an Internet market
research firm. "The question that remains, though, is: How many online
broadcasters are going to be able to develop business models that can handle
this kind of structure?"

Internet radio, which seemed to provide the proverbial level playing field
because no one had to own a broadcasting tower or be part of a media
conglomerate to compete effectively, has proved more difficult than it
initially seemed. Advertisers have been hard to come by, and bandwidth costs
have remained fairly high. Industry executives said yesterday that the new
rules would hasten the fallout and consolidation already under way among
Webcasters.

Still, music industry representatives have argued that Internet entrepreneurs
need to find a way to make a profit while fairly compensating artists and
record labels for the use of their work. Several Webcasters, including
Musicmatch and RealNetworks, offer successful subscription-based radio
services, for instance.

"Artists and labels, who have supported these new businesses from the start
with their music, are one step closer to getting paid," said Hilary B. Rosen,
the president of the Recording Industry Association of America, which
represents the major labels.

Jonathan Potter, executive director of the Digital Media Association, said the
recommendations would probably lead to more interactive offerings, which allow
a user to select a list of songs to be played, because the panel rejected the
recording industry's request to impose a premium on such services.

Representatives from both sides can continue to press the Copyright Office for
proposal changes for 60 days. Eric E. Van Loon, a member of the three-person
arbitration panel, said that the panel had received more than 14,000 pages of
testimony from more than 50 witnesses.
***********************
Microsoft freeware checks for Windows security holes

By Ellen Messmer, Network World
(Feb. 21, 2002) Microsoft Corp. this week made available a freeware
vulnerability-assessment tool for Windows desktops and servers. 

The tool, called Baseline Security Analyzer, runs locally on a PC and allows
network administrators to determine whether their NT 4.0, Windows 2000 or XP
desktops and servers are missing software patches for security holes or are
improperly configured. 

Baseline Security Analyzer is a read-only tool that doesn't automatically
locate and apply software patches, as other tools on the market do. Microsoft
signaled its growing interest in developing such software to automate this
process, however. 
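What a tool of this kind actually does, stripped to the comparison at its core, is shown in the following added example. It is not MBSA's or Shavlik's code and it reads neither a real patch database nor a real machine; the products, patch identifiers, ratings, host inventories and settings are constructed placeholders (IDs such as "P-101" are not real bulletin numbers). It goes one step beyond the article's description: a requirement counts as met when a later patch that supersedes the required one is installed, which is what keeps a patch checker from flagging hosts that are in fact current.

```python
"""A read-only patch-baseline check of the kind the article describes:
compare the hotfixes installed on each host with what a product baseline
requires, treat a patch as satisfied when it or a patch that supersedes
it is present, and report what is missing together with its risk rating,
plus a few configuration checks. Added example, not MBSA's or Shavlik's
code; products, patch IDs, ratings, hosts and settings are constructed
placeholders (IDs such as "P-101" are not real bulletin numbers)."""

# Constructed baseline: product -> required patches. "superseded_by" names
# the later patch that replaces this one, or None.
BASELINE = {
    "Windows 2000 SP2": [
        {"id": "P-100", "rating": "high", "superseded_by": "P-101"},
        {"id": "P-101", "rating": "high", "superseded_by": None},
        {"id": "P-200", "rating": "low", "superseded_by": None},
    ],
    "IIS 5.0": [
        {"id": "P-300", "rating": "high", "superseded_by": "P-301"},
        {"id": "P-301", "rating": "high", "superseded_by": "P-302"},
        {"id": "P-302", "rating": "moderate", "superseded_by": None},
    ],
}

# Constructed inventory, as a local agent would collect it from each host.
CONSTRUCTED_HOSTS = {
    "web01": {"products": ["Windows 2000 SP2", "IIS 5.0"],
              "installed": ["P-101", "P-300"],
              "settings": {"guest_enabled": True, "min_password_length": 6}},
    "file02": {"products": ["Windows 2000 SP2"],
               "installed": ["P-100", "P-200"],
               "settings": {"guest_enabled": False, "min_password_length": 8}},
}


def _satisfied(patch_id, installed, index):
    """True if patch_id, or any patch further along its supersedence chain,
    is installed. The visited set guards against a cyclic baseline entry."""
    seen, cur = set(), patch_id
    while cur is not None and cur not in seen:
        if cur in installed:
            return True
        seen.add(cur)
        cur = index.get(cur, {}).get("superseded_by")
    return False


def missing_patches(products, installed, baseline=BASELINE):
    """[(product, patch_id, rating)] for unsatisfied requirements. When an old
    patch and its replacement are both missing, only the replacement is
    listed, since installing it closes both."""
    installed, missing = set(installed), []
    for product in products:
        patches = baseline.get(product, [])
        index = {p["id"]: p for p in patches}
        not_ok = [p for p in patches if not _satisfied(p["id"], installed, index)]
        not_ok_ids = {p["id"] for p in not_ok}
        for p in not_ok:
            if p["superseded_by"] not in not_ok_ids:
                missing.append((product, p["id"], p["rating"]))
    return missing


def config_findings(settings):
    """Configuration checks; constructed setting names and thresholds."""
    findings = []
    if settings.get("guest_enabled"):
        findings.append("guest account enabled")
    if settings.get("min_password_length", 0) < 8:
        findings.append("minimum password length below 8")
    return findings


def assess(hosts, baseline=BASELINE):
    """Read-only report per host; nothing is changed on the host."""
    return {
        name: {
            "missing": missing_patches(h["products"], h["installed"], baseline),
            "config": config_findings(h["settings"]),
        }
        for name, h in hosts.items()
    }


if __name__ == "__main__":
    for host, result in assess(CONSTRUCTED_HOSTS).items():
        print(host, result)
```

The report is deliberately a data structure rather than a remediation: as with the tool the article describes, deciding what to push and when stays with the administrator. The supersedence walk is the part worth getting right in a real implementation, because a baseline that is merely "list every bulletin ever issued" produces false positives on every fully patched host.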

To date, Microsoft has relied on Shavlik Technologies LLC, a St. Paul,
Minn.-based company that specializes in test tools, to produce the freeware
available from Microsoft. But the company has long-term goals to improve the
software-patching process for its customers that may entail Microsoft striking
out on its own in the test-tool area. 

"We need to find an automated way to do this," said Craig Mundie, Microsoft's 
vice president and chief technology officer, in his keynote at the RSA Security
conference. The numerous vulnerabilities discovered over time in Microsoft
operating system and application software have made any unpatched Microsoft
server and browser a popular target for hackers and computer worms, such as
Nimda and Code Red. 

Microsoft is working on a patch-rating system to define discovered software
holes on a scale of high to low risk. While Microsoft is making a concerted
effort to prevent coding errors that lead to problems such as buffer-overflow
vulnerabilities, Mundie said that the company's long-term goal is to create the
means to automate the discovery of holes and the patching process. 

"If we depend on people to do this, we'll be swamped," he said. "In fact, we
are swamped." 

The release of the Baseline Security Analyzer is but a first step, said Lara
Soskonsky, a Microsoft security program manager who was demonstrating the
freeware tool at Microsoft's pavilion at the RSA conference. 

"We don't push out the patches, but we may add that feature as an option in
Version 2.0. In future versions, we'll also add more applications, such as
Internet Information Server 4.0, 5.0, SQL 7, Internet Explorer 5.0 and up,
Office 97 and Office 2000, among others," Soskonsky said. "And we'll add .Net
[support] to Version 2.0." 

The second version may be out in just a few months, she said. 
Whether Microsoft will continue its reliance on Shavlik Technologies to build
the freeware is under review. "We haven't decided whether or not to go out on
our own," said Soskonsky. But it's possible Microsoft may be inching toward its
own suite of commercial test-tool products. 

Should that happen, Shavlik Technologies could see its symbiotic relationship
with Microsoft undergo a disruptive change. Currently, Shavlik can advertise
its more robust and full-featured vulnerability-assessment tools on Microsoft's
Web site, next to the freeware it built for Microsoft. 

Shavlik's first project for Microsoft was a Web-based vulnerability-assessment
service created last fall after the outbreak of the Nimda worm in August. The
second project, the Baseline Security Analyzer, is a stripped-down version of
Shavlik's own HFNetChk Pro AdminSuite 3.6, which can push out software patches
and remotely install them in a scheduled fashion. It can check for weak
passwords and weak administrative accounts. The latest version of Shavlik's
tool, which costs $1,500 for 50 users, also became available this week. 

For larger enterprises that want to do detailed analysis across machines,
Shavlik shipped Shavlik EnterpriseInspector, priced at $3,000 and up. This
version also checks to make sure antivirus software is installed on machines. 

"We have over 3 million people using our products," said company CEO Mark 
Shavlik. The Shavlik commercial tools require their own console and don't share
information with the Microsoft SMS management console without extensive coding
to enable that, he said. 

Shavlik said he hopes to continue the freeware relationship with Microsoft that
has benefited his firm. "It's been a way for people to learn about our products
at the Microsoft Web site," he said. 
********************

Lillie Coney
Public Policy Coordinator
U.S. Association for Computing Machinery
Suite 507
1100 Seventeenth Street, NW
Washington, D.C. 20036-4632
202-659-9711