Clips June 3, 2002
- To: "Lillie Coney":;, Gene Spafford <spaf@xxxxxxxxxxxxxxxxx>;, Jeff Grove <jeff_grove@xxxxxxx>;, goodman@xxxxxxxxxxxxx;, David Farber <dave@xxxxxxxxxx>;, CSSP <cssp@xxxxxxx>;, glee@xxxxxxxxxxxxx;, Charlie Oriez <coriez@xxxxxxxxx>;, John White <white@xxxxxxxxxx>;, Andrew Grosso<Agrosso@xxxxxxxxxxxxxxxx>;, computer_security_day@xxxxxxx;, ver@xxxxxxxxx;, lillie.coney@xxxxxxx;, v_gold@xxxxxxx;, harsha@xxxxxxx;, KathrynKL@xxxxxxx;
- Subject: Clips June 3, 2002
- From: Lillie Coney <lillie.coney@xxxxxxx>
- Date: Mon, 03 Jun 2002 16:19:19 -0400
- Cc: lillie@xxxxxxx
ARTICLES
Panel Releases Blueprint for Internet Reform
Digital TV Founders on Fears of Internet Piracy
A Hot Deal on Spy Gear - Air Force parts for sale on eBay
DOT Standing Firm on Airline Deadline
In Terror War, Privacy vs. Security
Questions About Online Data
Privacy Is Common Issue Online
Suit Unmasks Louisiana Professor and Shuts Down His Controversial Web Site
eSlate gets voters' approval
Many Dot-Name Domains Break The Rules - Study
VeriSign to Help Telecoms With Wiretap Orders
Fee-Based Networks Making a Connection
Transforming Congress
Fingerprint Scan Spurs Debate
Studying counterterrorism
Bringing science to homeland security
State CIOs advise on homeland security plan
Guidelines open data, Web to FBI
Carnivore bites off too much
FirstGov revs search engine
Secure way forward for digital TV
OMB: E-gov projects will help reduce bad payments
Germany gives Microsoft the cold shoulder
Wild About Wi-Fi
Broadband users cut into cable
Fighting Web Fraud
Workplace e-mail is not your own
Aerospace workers arrested for hacking
Security Under the Gun
Pop-under ads may hit publisher wallets
******************
Reuters
Panel Releases Blueprint for Internet Reform
WASHINGTON (Reuters) - The group that oversees the Internet's traffic
system moved closer to a complete overhaul over the weekend when a
committee recommended changes aimed at making the controversial body
function more smoothly.
In a report released late Friday night, a committee set up by the Internet
Corporation for Assigned Names and Numbers recommended that the group
retool its internal structure and change how corporate directors are
chosen, but rejected a proposal to bring governments on board.
The committee, which consists of four of ICANN's 19
directors, emphasized that its report did not represent the official views
of the entire ICANN board. But the report came out five days after the
committee met privately with the other directors to come up with a rough
consensus over how the global body should operate in the future.
"For ICANN to be successful in the future, when it will face even more
difficult challenges, it must evolve into a more effective entity," the
report said.
The committee asked for public feedback and said it hoped to approve a
reform plan when ICANN next meets in Romania at the end of June.
Created to control the domain-name system that enables Internet users to
find Web pages by typing in names like "www.example.com," ICANN has been
plagued since its inception with questions about how it should function and
who should participate.
In February ICANN's president, M. Stuart Lynn, recommended that the group
abandon online elections and instead rely on a "nominating committee" to
pick the board members who were not chosen by technical and business groups.
Lynn's plan drew widespread opposition from critics who said it would
reduce accountability as the planet's 500 million users would no longer
have a direct voice. At a meeting in March, ICANN ruled out future
elections and set up the committee to fine-tune Lynn's plan.
The restructuring committee, which is made up of four of ICANN's 19
directors, rejected Lynn's proposal to give national governments control of
one-third of the board.
But the committee upheld other key Lynn proposals. Under the committee's
plan, seven seats on the ICANN board would go to groups representing
domain-name sellers, security experts, government delegates, and other
established technical and commercial groups.
The international community behind "country code" domains such as France's
".fr" would also get a seat.
Another five to 11 seats would be chosen by a nominating committee to
represent the Internet community as a whole, but the report declined to say
who would sit on that committee.
Outsiders could file complaints with an ombudsman, or go to an independent
arbitration forum if they believed the group was violating its bylaws.
ICANN should steer clear of any attempts to control online content, the
report said.
*******************
Washington Post
Digital TV Founders on Fears of Internet Piracy
Congress has mandated that television broadcasts in the United States go
digital, but two of the industries involved in that transition are stuck on
a little problem called the Internet.
Movie studios worry that digital-TV viewers will share programs over the
Internet, just as many music fans share MP3 files online.
Consumer-electronics companies fear that the studios' proposed piracy
countermeasures would force them to make products that nobody wants to buy.
Yesterday, this gridlock caused a major working group to miss its deadline
for recommending how to stop digital TV broadcasts from being shared over
the Internet.
The Broadcast Protection Discussion Group, made up of representatives from
the technology and motion-picture industries, began meeting at the end of
November to resolve the issue. The group is part of the Copy Protection
Technical Working Group, the same industry organization that established
the standard for DVD movies' copy-prevention encryption.
Robert Perry, vice president of marketing at Mitsubishi Digital Electronics
America and one of three co-chairs of the discussion group, said he had not
anticipated the level of disagreement he encountered among its members.
"Can we all agree on a method to keep digital content from being illegally
distributed on the Internet? The premise is so simple and crystal clear,
it's surprising the amount of debate it's created," he said, citing a
last-minute flurry of criticism from consumer-electronics manufacturers,
consumer groups and others.
"Everybody except chicken farmers and professional wrestlers submitted
comments," said Perry, who estimated that the combined objections submitted
to the group would amount to hundreds of pages. The group now plans to meet
this weekend and finish its report on Monday.
Most of those who commented object to various points of a rough draft of
the discussion group's report, released in May. Tech-policy groups such as
the Electronic Frontier Foundation have argued that proposals in the report
would prevent consumers from recording some television shows for their
personal viewing or sharing recordings with friends. They have also
assailed the discussion group's closed-door policy.
Tom Patton, vice president of government relations at Philips Electronics,
a member of the discussion group and a critic of its secretive workings,
spent yesterday waiting for the report and was upset to have not gotten any
official word of the delay.
"Where the heck is some notice of that?" said Patton. "I want to go home."
Other member organizations were less concerned. "It's far more important
for the report to be complete than quick," said Rich Taylor, vice president
of public affairs at the Motion Picture Association of America.
*************************
MSNBC
A Hot Deal on Spy Gear
Air Force parts for sale on eBay
June 10 issue - The Air Force Office of Special Investigations is trying to
determine how a shipment of sensitive Air Force aircraft communications
parts wound up in a worldwide auction on eBay, NEWSWEEK has learned. Rogue
nations such as Iran routinely seek replacement parts for their
U.S.-manufactured military planes.
Antiques dealer Norb Novocin put the parts, which are used in the SR-71 spy
plane, the F-16 fighter, KC-10 aerial tankers and C-5 Galaxy giant cargo
jets, up for sale on the auction site. He says he bought the sofa-size
crate full of parts for $244 from A&A Transfer, which shipped it in 1989
from Dover Air Force Base in Delaware. The parts were destined for the
Warner Robins Air Logistics Supply Depot in Georgia, but never made it.
Apparently no attempt to locate the missing items was ever made. The crate
sat in A&A's storage space for 12 years before it was put up for auction in
Jacksonville, Fla., four weeks ago as unclaimed property.
Novocin says he bought the parts without realizing what they were.
After researching the items, Novocin says he learned that 11 of the 18
items he purchased were coded "D," which demands total destruction and does
not permit public ownership in a condition other than scrap metal. Novocin
contacted Warner Robins, but he says it did not want his wares and
suggested he sell them on eBay.
During the seven-day auction on eBay that ended May 29, Novocin
says he sold four items, including an X-Band Weather Radar Modulator for
$500 and a high-frequency radio circuit card for $32. Air Force officials
were not aware that the items were being sold before being contacted by
NEWSWEEK. "Oh, my God," said one official after viewing the list of items
being offered on eBay. "This is now under active investigation by the OSI,"
says Lt. Col. Mike Caldwell, the Air Force public-affairs chief at the
Pentagon. Novocin says that Air Force OSI has contacted him and asked him
to refrain from selling or shipping the communications items and to return
the materials to the government. Novocin says he has turned over the names
and addresses of the purchasers and is cooperating fully with the OSI's
requests. He says the OSI has offered to buy the parts back.
**********************
Reuters
DOT Standing Firm on Airline Deadline
Mon Jun 3, 3:14 AM ET
WASHINGTON (AP) - The Bush administration is turning aside a call by
airport officials to reconsider a Dec. 31 deadline for mandatory screening
of all checked baggage.
A key lawmaker says, however, that Congress may revisit the matter.
Officials of 39 airports wrote Transportation Secretary Norman Y. Mineta
last week asking him to pressure Congress to push back the deadline. They
said the current timetable is apt to cause major problems for passengers
and flights.
"We're not sure airports will be able to operate on Jan. 1," said Larry
Cox, chief executive of the airport in Memphis, Tenn. "It's just not going
to work unless we slow down and do it right."
The letter warned of "harried installations" of explosives detection
machines in airports that have little space for new equipment. It said the
changes "promise to disrupt passenger flows and further increase the hassle
of air travel."
Mineta has maintained that while it will be difficult, several types of
machines can be in place before 2003 to check approximately 1 billion bags
a year for explosives. The screening is required by an airline safety law
passed after the Sept. 11 attacks.
Transportation Department spokesman Chet Lunner said Sunday that while
Mineta understands industry concerns, he "is dead set about meeting the
letter of the law, and we will."
"The law doesn't give us an option of relaxing the deadlines," Lunner said.
Rep. John Mica, R-Fla., chairman of the House
Transportation and Infrastructure subcommittee on aviation, said that
acquiring the equipment and hiring screeners by the end of the year will be
a challenge. He said Congress probably will reconsider the issue after fall
elections.
"I think there will be a major crisis, and the Congress will revisit it,"
Mica said.
The letter was signed by leaders of airports which handle a majority of the
country's air traffic, including Atlanta, Dallas, Denver, Detroit, Houston,
Indianapolis, Las Vegas, Memphis, Washington, Orlando, Phoenix, San
Francisco, St. Louis and Charlotte, N.C.
Mineta has said that large $1 million explosives detection equipment will
be installed in some airports, while others will have smaller, less
expensive machines.
*****************
Washington Post
In Terror War, Privacy vs. Security
Search for Illicit Activities Taps Confidential Financial Data
In the amorphous war on terrorism, government officials believe they have a
new weapon: the growing number of financial institutions that use powerful
technology to monitor confidential customer activity and report suspicious
behavior to law enforcement and intelligence officials.
Driven by little-known provisions of the USA Patriot Act, the anti-terror
legislation that was approved after Sept. 11, banks, securities firms and
other companies are deploying computer systems that draw together millions
of transactions, sometimes automatically, in searches for money laundering,
terrorist financing or other unusual patterns.
"The Patriot Act is imposing a citizen-soldier burden on the gatekeepers of
the financial institutions," said David Aufhauser, general counsel at the
Treasury Department and head of an inter-agency task force on terrorist
finance. "In many respects, they are in the best position to police
attempts by people who would do ill to us in the U.S., to penetrate the
financial systems."
Federal regulators three years ago tried to impose similar monitoring
requirements on financial institutions to combat money laundering but
dropped their plan, known as "know your customer," after it caused an
uproar among consumers concerned about their privacy. Now some specialists
believe the scrutiny of consumers on the government's behalf is going even
deeper.
"Sept. 11 obviously made us totally rethink where to draw the line with
respect to government access to customer information," said David Medine, a
former financial privacy specialist at the Federal Trade Commission.
"The question going forward is: Did we draw that line in the right place?"
Medine said. "It is really a fundamental civil liberties issue."
The increased financial scrutiny is part of an expanded campaign by the
government to tap into public and confidential data in search of people who
pose terrorist threats. The push relies heavily on data and analytical
tools, some of them developed in the 1990s for direct mail, credit-card
offers and other kinds of targeted marketing.
As directed by the Patriot Act, Treasury Department regulations require
that securities firms, money-services businesses and broker-dealers file
reports on suspicious activity, something banks have been doing for several
years. Those firms, along with mutual funds, operators of credit-card
companies and some other financial companies, also must have
anti-money-laundering programs.
Congress also said that financial companies must authenticate new
customers, check their identities against government watch lists and
maintain records for government scrutiny.
The law encourages financial institutions to share information among
themselves about customers suspected of being involved with terrorism or
money laundering, and it gives them protection from legal liability for
doing so. In addition, it gives law enforcement and intelligence agencies
greater access to confidential information without a subpoena while also
requiring that credit bureaus secretly turn over credit reports to the CIA,
National Security Agency and other intelligence agencies when presented
with a request signed by a senior agency official.
*********************
New York Times
Questions About Online Data
CAN the easy distribution of data promised by the Internet actually bring
the type of scrutiny that ultimately leads to less information being available?
That is the question being raised by a new law called the Data Quality Act,
which requires the government to set standards for the accuracy of
scientific information used by federal agencies. It is the latest move from
Washington highlighting the balance of risks and rewards when disseminating
information on the Internet.
The law, which takes full effect on Oct. 1, creates a system under which
anyone could point out errors in documents; if an error is confirmed, an
agency would have to remove the data from government Web sites and
publications.
The Data Quality Act, along with recent efforts by government agencies to
scrub their Web sites of information to guard national security, indicate a
substantial shift to a more conservative culture of information, said
Darrell West, a political scientist at Brown who tracks government
information on the Web.
Though the Internet created fewer fortunes than had been expected, it did
deliver riches of information, creating an age of government disclosure not
seen before. Not so long ago, the mantra was openness; some legislators
even scrambled to get lists of campaign contributors into cyberspace where
the voters could see.
But that age may be over.
"The open-access people just put things online and worried about the
consequences later," Professor West said. "Now we're hitting the
consequences."
The Center for Regulatory Effectiveness, a primary backer of the Data
Quality Act, has already started requesting changes in government
information that is published in print and online.
This year, the center requested that the United States Global Change
Research Program withdraw dissemination of the National Assessment on
Climate Change on the basis of "numerous data quality and scientific
flaws," according to a letter posted on the group's Web site.
The center also asked the Environmental Protection Agency to modify its Web
site on global warming to reflect the scientific uncertainties about global
climate change.
William Kelly, western representative for the center, said the poor quality
of federal data created problems for everyone who used it, from regulators
to consumers.
"With the blossoming of the Internet, it's turned into a huge problem for
industry," Mr. Kelly said. "Agencies were encouraged to post virtually
everything on the Internet. It wasn't such a problem when people had to go
through a Freedom of Information Act request."
Some watchdog groups say that agencies need to create policies on how to
treat information on the Internet, arguing that otherwise, haphazard
decisions would lead to more restrictions.
"The problem is, it's much easier to make decisions about taking down
information," said Ari Schwartz, associate director of the Center for
Democracy and Technology, a nonprofit group in Washington. "The policy
seems to be, take everything down, and we'll make decisions later."
Employees of the Interior Department learned the consequences of that
approach earlier this year, when a federal judge ordered all the
department's computer communications shut because its Web sites were
vulnerable to hacking. Agencies fielded complaints from a wide range of
people, from those planning vacations to national parks to those seeking
the status of bird species. Most of its Web sites have since been
restored.
Removing information from Web sites became more of a government interest
after Sept. 11, as agencies took down information they thought might be
useful to terrorists.
A nonprofit group in Washington called OMB Watch is trying to assess just
how much information agencies removed from public Web sites under the new
directives. The group sent requests under the Freedom of Information Act to
a dozen agencies in January. So far, only the Environmental Protection
Agency has sent back a list.
According to OMB Watch, E.P.A. officials have restored much of the
information that they withdrew from its Web sites last fall, including
pages dealing with watersheds in New York City and the Envirofacts
database, which allows users to retrieve information about air pollution,
chemicals at government and business installations, water pollution and
grants.
Responses to the group's inquiry indicate that other agencies may have
removed a significant amount of information from the Web. The Energy
Department, according to OMB Watch, reported that it had stacks of
information waiting to be organized before it could be sent.
"We have nothing we can nail them down on, and we have no index of what
they had in the past," said Sean Moulton, a senior policy analyst with OMB
Watch. He said the directives to remove data and the new data-quality
guidelines were part of "an overarching mosaic that is about restricting
information and removing information from public access."
"Unfortunately," Mr. Moulton said, "Sept. 11 is being utilized as a pivot
point for industry to push an agenda they already had."
OMB Watch has advocated creation of an office that would oversee what data
agencies publish online and the security measures they use.
But even when done with care for quality and security, publishing on the
Internet can still bring unexpected trouble to agencies.
Five years ago, the Social Security Administration set up a service on its
Web site that let individuals look up their income histories and check what
benefits were available. People had to enter five pieces of information:
full name, Social Security number, date of birth, place of birth and
mother's maiden name.
"By requiring those five items, we felt that was adequate security. It was
addressed," said Mark Hinkle, a spokesman for the Social Security
Administration.
That is more information than most people need now to check their bank
accounts online, but the agency received a letter from several senators
with concerns that hackers could steal individuals' personal information
from the site.
Though no fraud was ever reported, the agency took down the database. Now,
Social Security sends earnings records each year by mail.
********************
New York Times
Privacy Is Common Issue Online
THOUGH businesses and their customers have largely taken divergent paths to
e-commerce - businesses promoted it endlessly; consumers embraced it
tepidly - these two groups are in lock step on at least one issue: online
privacy.
They both profess concern, but do little about it.
This reality is underscored by a report to be issued today by Jupiter
Research, the online consulting company, which found that businesses and
their customers barely lifted a finger to protect individual privacy
online, but fretted outwardly about the possible abuses of personal
information and the chilling effect on Internet spending.
Although 70 percent of online consumers say they are worried about online
privacy, the study found, just 40 percent read Web site privacy statements,
and 82 percent would give personal information to new shopping sites in
exchange for a chance to win $100 in a sweepstakes.
The business attitudes toward online privacy are slightly more difficult to
quantify, but Rob Leathern, who wrote the Jupiter report, said that most
companies budgeted less than $40,000 annually for online privacy initiatives.
It has been increasingly clear over the last year that consumers and
businesses have been talking out of both sides of their mouths on the
online privacy issue, but the Jupiter report suggests that businesses are
nonetheless losing what could be an easy opportunity to score points with
consumers by crafting privacy-friendly policies, and failing to head off a
movement in Congress to force-feed those principles to businesses.
"If you make it easy for customers to exercise their privacy rights, they
will do it," Mr. Leathern said. But, he said, such thinking is beyond the
scope of most corporations today, "since companies are spending all their
money on C.R.M.," shorthand for customer relationship management technology.
With a sophisticated system, a company's customer service representative
could, for instance, look at a computer screen when a customer calls with a
problem, and see her entire purchasing history, be it through a catalog, a
Web site or a store, while also seeing prompts for product recommendations
or the optimal length of time to spend on the phone, given the customer's
value to the company.
For consumers who do not necessarily trust corporations to treat their
personal information with the proper amount of respect - whether that
involves not sharing it with other companies or keeping it secure - the push
to adopt such technologies should be further reason for anxiety, Mr.
Leathern said.
"You don't see a lot of companies putting together all the pieces, and
understanding the implications of bringing all this data together and
letting all these people inside the company see all the data," Mr. Leathern
said.
That is bad news not just for consumers, he said, but also for the
companies that lined up in 1999 and 2000 to serve what they thought would
be a rising demand for privacy-enhancing technologies. Companies like
Zero-Knowledge Systems, SafeWeb and others initially offered products that
helped people surf anonymously or manage the information companies could
collect about them online.
But consumers were unwilling to pay for such technologies, and advertisers
were unwilling to pay enough to reach the visitors these sites and others
attracted, so the privacy technology companies turned to Plan B, as in
B-to-B. Aside from selling their consumer technologies to companies like
Hewlett-Packard to install on new computers, as is the case with
Zero-Knowledge, privacy technologists have also been adapting their
products to suit other corporate needs.
For instance, SafeWeb originally gained notoriety in 2000 and 2001 for
creating technology that let Internet surfers avoid being tracked. Late
last year, it began packaging its software inside an appliance that helps
keep communications between corporations, remote partners and employees
secure and private.
Other companies like Watchfire, Privacy Council and PrivacyRight have
devised technologies that help companies manage the flow of customer data,
and detect when it is being used in a way that could violate government
regulations or the companies' stated privacy policies.
But with companies moving slowly on the privacy issue, despite the ongoing
prospect of additional government regulation, these privacy technologists
are digging in for a long, hard sell.
Austin Hill, co-founder and chief strategy officer of Zero-Knowledge, said:
"You'll start to see more activity on this in the next year and a half to
two years. A lot of organizations have moved beyond questions like, 'What's
our privacy policy?' And now they're looking at what tools they have to
help manage it."
Technology companies see some hope in corporations like the RBC Financial
Group, which operates the Royal Bank of Canada and RBC Centura Bank in
North Carolina, among others, and has used what analysts regard as a
progressive privacy policy to differentiate itself from competitors.
W. Peter Cullen, RBC's corporate privacy officer, said that in the last two
years the company had used about 15 different programs to show consumers
that it was striving to exceed government-mandated privacy regulations for
financial service providers in the United States.
For instance, the company is preparing to give away so-called personal fire
wall software to its online banking customers, after a successful test of
the offering last year. RBC also delayed the rollout of wireless banking
until it found a Nokia phone with a chip allowing customers to encrypt
passwords and other information.
"You do that sort of thing enough, and it starts to drive people's positive
perception of your brand," Mr. Cullen said.
RBC has tried to quantify the effects of its privacy policies, relying on
research suggesting that 7 percent of a customer's buying decision relates
to privacy issues. Using that and other assumptions, Mr. Cullen said RBC's
privacy policies were responsible for $700 million worth of consumer
banking business.
Over the last two years, some observers have said that these types of
aggressive privacy initiatives would force competitors to follow suit. But
that has not yet been the case.
E-Loan and Expedia began subjecting themselves to voluntary privacy audits
by PricewaterhouseCoopers in 1999 and 2000. The audits have helped
demonstrate that the companies' internal data-handling methods are
consistent with their privacy policies, but they have not sparked much
interest among competing companies.
Expedia, which received another passing grade for privacy from
PricewaterhouseCoopers in April, acknowledged that its lead had not been
followed by competitors. Suzi LeVine, Expedia's director of product
marketing, said the company still gleaned benefits from the audits, in that
it learned about how to improve its data handling.
As for whether the audits, and the PricewaterhouseCoopers seal of approval
on Expedia's site, have helped it gain customers, Ms. LeVine said it was
hard to tell. "But we believe it's the right thing to do," she said, "and
we'll continue to try to get people to recognize that value."
Ms. LeVine would not disclose the cost of the audits, but E-Loan has said
they cost about $120,000 a year, not counting lost staff time. In an
Internet economy where both cash and staff are in short supply, and where
there is a surplus of consumer apathy when it comes to privacy, it is
little surprise that not many companies are following suit.
*******************
Chronicle of Higher Education
Suit Unmasks Louisiana Professor and Shuts Down His Controversial Web Site
By DAN CARNEVALE
A professor who anonymously ran a Web site that criticized administrators
at the University of Louisiana at Monroe revealed his identity last week,
and the site was shut down, after a vice president of the university sued
the Internet company that hosted the site.
John L. Scott, an associate professor of economics at the university,
disclosed that he has operated the Truth at ULM Web site, which discusses
news and rumors about the university.
Richard L. Baxter, vice president for external affairs at the university,
had previously sued in both federal and Louisiana courts to have the Web
site's proprietor named; those proceedings are still pending. In April, he
sued Homestead Technologies of Menlo Park, Calif., the site's Internet
provider, in the Federal District Court for the Western District of
Louisiana. The suit seeks $75,000 in damages, alleging that the company
took no action against the site even though, according to the lawsuit, it
had defamed him and others.
Under his contract with Homestead, Mr. Scott was obligated to protect the
Internet company from financial harm, so the suit essentially forced him to
choose between paying Homestead's legal costs or closing the site. Mr.
Scott took the latter route.
He told the university's president, James E. Cofer Sr., about his role in
the site on May 22 and then went public on Thursday.
Although Mr. Scott took a number of precautions to hide his identity, he
had figured it wouldn't stay a secret forever. "I thought it was a very
real possibility that the identification would come out," he said Friday.
The Web site had posted articles critical of university administrators,
including its previous president, Lawson L. Swearingen Jr., who resigned in
September. Mr. Baxter, the university's vice president of external affairs,
was referred to at one point on the Web site as "the vice president of
excremental affairs."
Joshua Weinberg, director of communications for Homestead Technologies,
said the company had an agreement with Mr. Scott that if the company were
ever sued because of the Web site, Mr. Scott would have to accept full
financial responsibility.
After the company was sued, Homestead Technologies officials asked Mr.
Scott whether he wanted to reveal his identity instead of paying its costs
in the lawsuit. "He was required to protect us financially," Mr. Weinberg
said. "We chose to give him another option."
But Mr. Scott said the company asked for $75,000, which he said was hardly
an option he could afford.
Mr. Baxter said uncovering the identity of the Web-site operator was not
meant to leave the professor vulnerable for personal attack. "I never had a
concern about who the person was," he said. "It's about being libeled or
not being libeled."
Mr. Baxter's lawsuit was filed against up to six anonymous Web-site
operators. Mr. Scott would not reveal whether he was working with anyone
else, except to say, "I had sources."
Mr. Scott said he doesn't expect to lose his job over the ordeal. "I've
been given reassurances by the president," he said.
Mr. Cofer, the president, would not comment about the situation. Instead,
he released a brief written statement saying open discourse should not be
conducted anonymously.
But Mr. Scott said he doesn't feel the need to criticize university
administrators anymore. Calling the current administration "a breath of
fresh air," he said the people who run the university now don't keep
secrets from the faculty members.
"There's no need for a Truth at ULM Web site with these guys," Mr. Scott said.
**********************
Los Angeles Times
Dot-Coms' Bust Is a Boon to Classrooms
Education: Laid-off tech employees are rejoining work force as public
school teachers.
By JENIFER RAGLAND
TIMES STAFF WRITER
June 3 2002
Tera Creech has cracked genetic coding as a researcher for a biotech firm
and taken apart software programs as a skilled technician for a booming
dot-com.
But that's nothing compared to what she plans to do next: teach high school
science.
Creech is one of about 200 laid-off technology workers in California who
are rejoining the work force as public school teachers. With help from a
$1.6-million state grant, they are bringing their science degrees and
high-tech backgrounds into a public school system that is facing a severe
shortage of qualified math and science instructors.
Creech, 25, a biology major from California Lutheran University in Thousand
Oaks, used to spend most of her days sitting in front of a computer in an
isolated cubicle. Her job was trouble-shooting software programs.
She was laid off from Camarillo-based eLabor.com in September--along with
about 90 other workers--just weeks before she gave birth to her daughter,
Abigail, now 7 months old.
This fall, Creech will stand in front of 30 hormone-charged teenagers and
attempt to get them excited about biology and chemistry.
But she's confident she is up to the challenge.
"I'm a little bit nervous, but definitely excited," said Creech, who also
worked as a research assistant at biotechnology giant Amgen Inc. "Part of
the reason I went into science was because I had teachers who made it fun
and interesting. I want to open that world to kids."
Ventura County and four government agencies in the Silicon Valley were
awarded grants from the state Employment Development Department in March to
create the Technology to Teacher program.
Participants can apply for grant money to pay for tuition, books, testing
fees, counseling and other support services, said Suzanne Schroeder,
department spokeswoman. The program is run through local job centers.
The idea was for the incentives to make the difference for displaced tech
workers who otherwise would not choose to go into teaching, particularly
because the job pays at least $20,000 a year less than most private-sector
technology positions.
"I think it has been an influence," said Amy Fonzo, who is coordinating the
effort in Ventura County. "Many of them were looking for another technology
position, and decided to go into teaching instead."
The largest chunk of the state money--$536,000--went to the North Valley
Job Training Center in Sunnyvale, which is the part of the state hardest
hit by the dot-com crash and tech-industry downsizing.
About 100 people likely will take part in the program there, said Director
Mike Curran, including 25 who will start taking classes toward a credential
at San Jose State University later this month.
Those students plan to get internship jobs at schools while they complete
their classes at night, Curran said.
Amy DeMasi, a technical writer who was laid off last fall from Santa
Clara-based Applied Materials, is one of them. With a bachelor's degree in
geology and a master's in geochemistry, she worked for five years as a
technical consultant for the Environmental Protection Agency's Superfund
program.
DeMasi moved to the Silicon Valley from northern Virginia two years ago,
for a job at Applied Materials that doubled her salary.
But the whole time, she said, she felt her career lacked meaning.
When she lost her job and heard about the state's new teacher training
program, she knew it was the right thing to do.
"They need teachers here, and I really feel like my work experience is very
valuable," said DeMasi, who wants to teach environmental science in an
inner-city high school. "So many people don't understand basic science to
be able to do what's right for our country."
With thousands of teachers retiring each year and student populations
continuing to grow, K-12 schools across the state are struggling to fill
positions, particularly in specialty science fields.
Needs are greatest at middle schools and high schools in urban areas, where
percentages of poor and non-English speaking students are highest, state
education officials said.
Last year, the state issued nearly 2,700 emergency permits for science
teachers, according to the California Commission on Teacher Credentialing.
That's about 20% of the entire science teacher work force, and is the
highest number of permits issued for any single subject, said Marilyn
Errett, a consultant with the commission.
An emergency-permit teacher may only be hired if a credentialed instructor
cannot be found, Errett added.
Creech, whose parents and husband are also teachers, said going into the
profession had crossed her mind before.
But when she graduated from college, she said it was tough to choose a
lower-paying job with more hoops to jump through in education over a
higher-paying and seemingly easier job in business.
"Becoming a teacher can be a very daunting process," Creech said. "I
probably would never have done it, and I think what this program is doing
is great."
Creech will enroll in Cal State Northridge's credential program in the
fall, while also teaching in a public school classroom under an internship
program.
It should take her about two years to be fully credentialed.
"I think I'll be feeling a lot more reward, and job satisfaction," Creech
said. "I will be able to see that I'm making a difference."
********************
Federal Computer Week
eSlate gets voters' approval
More than one-fifth of the voters in a Charlottesville, Va., city council
election last month cast their votes on an electronic system that was
making its debut in Virginia, and the majority liked the experience.
An exit survey was distributed among voters to gather feedback on eSlate,
the new electronic voting device, and 81 percent returned their surveys,
according to Sheri Iachetta, Charlottesville registrar. Iachetta said that
90 percent of respondents who used the new equipment were satisfied, but
the remaining 10 percent were not impressed with the electronic tool.
"Some people just don't like computers and electronics," Iachetta said,
adding that she was impressed with the technology, especially its accuracy.
"The machine will not allow an over vote, making it extremely accurate. Not
only was the machine accurate, it worked very quickly as well."
The eSlate device was developed by Hart InterCivic and is about the size of
a legal pad. After entering a code to get the correct ballot, voters turn a
wheel to select their choice on the screen. Audible signals, large red and
green buttons and headphones are available for those who have vision or
hearing impairments. Once a voter hits enter on a selection, the vote is
shown in bold on the screen. After entering all selections, voters may
review their selections before submitting them.
Certification of the eSlate device in Virginia could be near thanks to the
success rate achieved during the general election in Charlottesville.
"I truly believe that people are looking forward to getting rid of those
punch cards," Iachetta said.
States that have already instituted eSlate as a voting system include
Colorado, Maryland and Texas.
*********************
Washington Post
Many Dot-Name Domains Break The Rules - Study
Brian McWilliams
Newsbytes.com Staff Writer
Friday, May 31, 2002; 3:00 PM
Thousands of recently registered "dot-name" domains violate regulations
governing the new Web addresses, according to a study released today.
A review of dot-name domains registered before May 16 showed that nearly
6,000, or more than eight percent, fail to comply with registration
restrictions approved by the Internet Corporation for Assigned Names and
Numbers (ICANN), according to Ben Edelman, a technology analyst for
Harvard's Berkman Center For Internet & Society.
The ".name" suffix went live in mid-January, following a preregistration
period in which Internet users signed up for 60,000 dot-name addresses.
Under restrictions approved by ICANN, registrations of dot-name domains
must adhere to the format "firstname.lastname.name" and must be "a person's
legal name, or a name by which the person is commonly known."
But Edelman's review of nearly 74,000 dot-name registrations showed, for
example, that more than 100 dot-name domains include the word "domain,"
while almost 400 include the word "the," and more than 500 registered
dot-name domains include the word "family."
Edelman also noted that two people registered dozens of dot-names that bore
the names of famous individuals.
While he concedes that "some members of the Internet community may consider
such non-compliance unimportant," Edelman said the statistics do not bode
well for the opening of registrations for dot-pro domains, expected late
this year.
"If we can't even enforce the restrictions on .NAME properly, it's not so
obvious that .PRO will turn out so well," said Edelman.
What's more, Edelman said, the large number of apparently commercial or
"cybersquatting" dot-name registrations means that "intellectual property
owners have to chase after more and more cybersquatters in more and more
different TLDs."
Under its agreement with ICANN, Global Name Registry, the firm designated
by the Internet governance board to operate the central registry of
dot-name domains, is not required to screen registrations and verify
whether they comply with ICANN's rules.
Edelman's study of dot-name registrations is on the Web.
http://cyber.law.harvard.edu/people/edelman/name-restrictions/
Global Name Registry is at http://www.gnr.com/ .
**********************
Washington Post
In Terror War, Privacy vs. Security
Search for Illicit Activities Taps Confidential Financial Data
By Robert O'Harrow Jr.
In the amorphous war on terrorism, government officials believe they have a
new weapon: the growing number of financial institutions that use powerful
technology to monitor confidential customer activity and report suspicious
behavior to law enforcement and intelligence officials.
Driven by little-known provisions of the USA Patriot Act, the anti-terror
legislation that was approved after Sept. 11, banks, securities firms and
other companies are deploying computer systems that draw together millions
of transactions, sometimes automatically, in searches for money laundering,
terrorist financing or other unusual patterns.
"The Patriot Act is imposing a citizen-soldier burden on the gatekeepers of
the financial institutions," said David Aufhauser, general counsel at the
Treasury Department and head of an inter-agency task force on terrorist
finance. "In many respects, they are in the best position to police
attempts by people who would do ill to us in the U.S., to penetrate the
financial systems."
Federal regulators three years ago tried to impose similar monitoring
requirements on financial institutions to combat money laundering but
dropped their plan, known as "know your customer," after it caused an
uproar among consumers concerned about their privacy. Now some specialists
believe the scrutiny of consumers on the government's behalf is going even
deeper.
"Sept. 11 obviously made us totally rethink where to draw the line with
respect to government access to customer information," said David Medine, a
former financial privacy specialist at the Federal Trade Commission.
"The question going forward is: Did we draw that line in the right place?"
Medine said. "It is really a fundamental civil liberties issue."
The increased financial scrutiny is part of an expanded campaign by the
government to tap into public and confidential data in search of people who
pose terrorist threats. The push relies heavily on data and analytical
tools, some of them developed in the 1990s for direct mail, credit-card
offers and other kinds of targeted marketing.
As directed by the Patriot Act, Treasury Department regulations require
that securities firms, money-services businesses and broker-dealers file
reports on suspicious activity, something banks have been doing for several
years. Those firms, along with mutual funds, operators of credit-card
companies and some other financial companies, also must have
anti-money-laundering programs.
Congress also said that financial companies must authenticate new
customers, check their identities against government watch lists and
maintain records for government scrutiny.
The law encourages financial institutions to share information among
themselves about customers suspected of being involved with terrorism or
money laundering, and it gives them protection from legal liability for
doing so. In addition, it gives law enforcement and intelligence agencies
greater access to confidential information without a subpoena while also
requiring that credit bureaus secretly turn over credit reports to the CIA,
National Security Agency and other intelligence agencies when presented
with a request signed by a senior agency official.
While law-enforcement officials said the cooperation of the financial
services industry is critical to the war on terrorism, some industry
officials have expressed concern.
H. Rodgin Cohen, a leading financial services lawyer in New York, said he
believes that financial companies may find themselves asking customers
about seemingly suspicious but innocent activity that might be embarrassing
or involve private matters, such as health care. He predicted that they
also will file more suspicious-activity reports, with less evidence, to
avoid trouble from the government.
"As long as the government can enlist the financial institution as part of
the front-line defense against money laundering and terrorism, it has got
to be anticipated there will be more in the way of intrusions on privacy,"
said Cohen, chairman of Sullivan & Cromwell. "It is just a different
manifestation of whether they can wiretap you."
Tracy Calder, chief money-laundering prevention officer at UBS PaineWebber
Inc., agreed the new reporting mandates, coupled with the sophisticated
monitoring technology, are "absolutely intrusive." But, she said, they will
help fight terrorism and crime, something she believes most people will
embrace. "Americans are willing to accept more intrusiveness in exchange
for security," she said.
The computerized systems create profiles of customer activity, sometimes
including more than a year's transactions, and sift through deposits, wire
transfers, ATM activity and links among account holders. Mantas Inc., a
Fairfax County spinoff from SRA International Inc., a government contractor
that works closely with U.S. intelligence agencies, recently demonstrated
how its software can monitor millions of transactions a day.
Using data culled from people whose identities were masked, officials
showed reports that a bank analyst might receive from an overnight computer
review. One report in the demonstration had a risk score of 95 out of 100.
A click on a screen that resembled a Web page pulled up a file that showed
several unrelated individuals at the same address had, over several days,
sent out 18 checks or money orders for a total of $9,000.
Another click on the screen brought up a report about links among five
relatively new accounts at different branches of the same bank. Those
accounts had transferred $125,000 to another account in Miami. The system
noted that the account holder there then wrote a check for $125,000.
While each account on its own did not appear to represent a risk, the
coordinated activity set off alarms, said Don Temple, an
anti-money-laundering specialist at Mantas and a former special agent at
the IRS. "You can only detect suspicious transactions today with
sophisticated data-mining and pattern-recognition software," Temple said.
Experts said such systems could also flag a securities account that never
trades stocks. Or the systems could draw attention to someone of apparently
modest means who receives a $40,000 wire transfer from abroad and then
sends out a large check. Specialists said the systems, by sweeping through
vast electronic depositories of information, can find links among customers
that a person might never see.
"Sometimes we've referred to our product as the 'Big Brother,' " said
Alison Holland, spokeswoman for NetEconomy, a Dutch firm that is pitching
its systems to U.S. firms. "It can monitor so many things."
Some companies used such tools before Sept. 11, as computer power increased
and the government increased efforts to stop the flow of drug and mob money
through the U.S. banking system. But TowerGroup, a Massachusetts research
firm that tracks financial services, estimated that banks and other
institutions will double their spending on monitoring systems this year, to
$120 million. "This is just a sea change in the industry," said TowerGroup
analyst Breffni McGuire.
UBS PaineWebber, for example, recently signed a deal with Searchspace
Corp., a company that says its computer system "captures and uses all
transactions that flow through an organization to provide continuously
adaptive profiles of all individuals."
Riggs Bank NA is working with Americas Software Corp. to install a similar
system that will automate procedures it has had in place for several years.
Citigroup Inc. has contracted with Mantas, which says its software can
"reduce the risk of money laundering with comprehensive, enterprise-wide
surveillance of your customer, account, and transaction information . . .
to reveal suspicious and previously unknown behaviors."
Last week, in response to a mandate in the Patriot Act, the Treasury
Department's Financial Crimes Enforcement Network, known as FinCen, began
operating a secure online network to make it easier for financial companies
to report suspicious behavior by customers to the government.
Central to that relationship are suspicious-activity reports, which require
officials to fill in more than 50 kinds of information, including
addresses, account numbers, Social Security numbers and phone numbers.
They are maintained by FinCen in databases that are available to local,
state and federal law-enforcement agencies. Under Patriot Act provisions,
intelligence agencies also have the right to get such reports on demand.
People who are the subjects of the reports may not see them, a FinCen
official said.
The number of suspicious-activity reports filed with the government was
almost 163,000 in 2000, compared with 81,000 in 1997, the first full year
the reports were collected, the agency said.
The pace of the reports jumped sharply after the Sept. 11 attacks. About
125,000 were filed from Oct. 1, 2001, to the end of March, compared with
about 86,000 in the same period the previous year, agency officials said.
John Byrne, senior counsel at the American Bankers Association, said
members have cooperated with the government in tracking down terrorist
assets and matching customer names against government lists of suspects
since Sept. 11. But Byrne said that financial institutions, even those
using the most sophisticated technology, need guidance and timely
intelligence to help the government.
"We have proven our willingness to respond to legal government requests to
search records and report suspected crime," he said. "What concerns us is
any policy that suggests that the financial industry on its own determine
potential terrorist activity. At the end of the day, the financial sector
is not law enforcement."
Officials at FinCen said they have no interest in deputizing the financial
industry and intruding unnecessarily into the financial lives of most
people. They want the industry to act as a gatekeeper, not a cop, and to
focus on risky customers.
"We have this important practical reason for paying attention to privacy
concerns," FinCen Director James F. Sloan said. "If we don't, we're going
to end up losing these tools."
Sloan said suspicious-activity reports, coupled with powerful data
warehouses and mining tools at FinCen, have turned up leads and suspects.
"This created an opportunity for dialogue that has never existed before,"
Sloan said of the Patriot Act. "It has given us an opportunity to work with
the industry like never before."
********************
Washington Post
VeriSign to Help Telecoms With Wiretap Orders
SAN FRANCISCO -- Security and Web address provider VeriSign Inc. Monday
unveiled a new service to help U.S. telecommunications carriers comply with
wiretapping regulations that have gained more prominence since the attacks
of Sept. 11.
Mountain View, California-based VeriSign is testing its new "NetDiscovery"
wiretapping service, which is expected to be commercially available in
early July for land-line, wireless and cable carriers, said Terry Kremian,
executive vice president of VeriSign's telecommunications services.
Under the Communications Assistance for Law Enforcement Act of 1994,
telecommunications companies must have systems that allow law enforcement
officials acting with a court order or other legal authorization to
intercept targeted telephone calls and access caller ID data quickly.
The law also requires carriers to provide the resulting wiretap data to the
police or the FBI in a way that allows it to be delivered or transmitted
offsite to government offices.
While the deadline for complying with the federal wiretapping act was
originally set for Sept. 30, 2001, the Federal Communications Commission
has extended it several times because of the complexity and cost of the
task, Kremian said. Carriers and telecom providers now have until June 30
to comply.
Carriers can outsource these operations to VeriSign for a
monthly fee, Kremian said, rather than spending as much as $500,000 to
upgrade each switch and $150,000 annually to administer such a system.
The company, which operates the ".com," ".net" and ".org" domain name
look-up system and sells Web addresses, also offers e-commerce security and
payment services, and recently added telecom services with the acquisitions
of Illuminet Holdings and H.O. Systems.
With Illuminet, VeriSign acquired the largest independent
carrier-to-carrier switching network in the United States. The network
routes land-line and wireless calls and enables carriers to offer caller
ID, roaming and other services.
*******************
Los Angeles Times
Fee-Based Networks Making a Connection
Internet: Upstarts tout peer-to-peer technology as way for clients to offer
digital goods, for a price.
By JON HEALEY
Before it ran afoul of the courts, Napster Inc. taught more than 70 million
consumers that "peer to peer" meant copying whatever they wanted from other
people's computers without paying for it.
Ever since, a small but growing band of upstarts has been trying to teach a
new lesson: that peer-to-peer networking is a better way for businesses to
send music, videos and other digital goods through the Internet. And no one
has to receive anything free.
The new players range from consumer-oriented systems--including CenterSpan
Communications Corp.'s Scour and those from Wippit Ltd., Yaga Inc. and Blue
Falcon Networks Inc.--to distribution systems aimed at corporate customers,
including Kontiki Inc. and Uprizer Inc. In addition, Altnet Inc. is
building a fee-based network on the back of Kazaa, a free network that the
record and movie companies are suing for copyright infringement. Like Kazaa
and other free networks, the upstarts slash the cost of sending digital
goods by transforming consumers into distributors. Songs, movies and other
files flow from user to user, with the costs absorbed by the users'
Internet providers.
The difference is that users of the new networks don't control what gets
traded on them. The only files available through these systems are the ones
approved by copyright owners.
The ventures have attracted some blue-chip investors, but as a group
they're low on customers. That's partly because of concerns about
Napster-style piracy and partly because the record labels and Hollywood
studios have been slow to adapt their business models to the Internet.
"I think they're all willing to do deals now, but they're wary. Too wary,"
Paul Myers, chief executive of London-based Wippit, said of the major
record companies. "I think they're missing huge opportunities. They're
playing into the arms of the illegal services."
Peer-to-peer networks are designed to solve one of the thorniest problems
in transmitting bulky audio and video files on the Internet: The larger the
audience, the higher the cost.
Unlike with conventional broadcasting, which uses the same airwaves no
matter how many people tune in, transmitting a file over the Internet takes
up more network capacity as the audience grows. Everyone who watches a
concert online or downloads a movie connects separately to the supplier's
Web site, so each user drives up the amount of capacity, or bandwidth, the
supplier has to pay for.
Peer-to-peer networks, by contrast, spread files the way a case of chicken
pox spreads through a grade-school classroom. A popular song might start on
one user's computer, but each user who copies it becomes a new source for
other users.
The network points users to the closest available source, so the first user
ultimately supports only a small portion of the total copies. More advanced
networks enable users to copy a file from multiple sources at the same
time, taking small pieces from each.
"This is the greatest distribution mechanism for content ever invented,"
said Chris Kitze, chief executive of San Francisco-based Yaga. "You have
the ability to reproduce infinitely, at almost no cost, unlimited amounts
of content, which means you never run out of inventory."
Though Kazaa and other free networks let users decide which files to share
with other users, the copyright-friendly upstarts don't. Instead, network
administrators decide which files can flow from user to user. And
electronic locks let copyright owners dictate how much, if anything, people
must pay for a file.
In Blue Falcon's approach, for example, central computers ensure that only
authorized users supply and copy files. Those computers also would provide
the keys to locked files and bill users for what they download.
"It's not about file sharing, it's file distribution," said Ian Clarke,
co-founder of Santa Monica-based Uprizer.
That's an important distinction because corporate officials are skittish
about the whole concept of peer-to-peer networking. Mountain View,
Calif.-based Kontiki bills its services as "peer assisted," not peer to
peer, and pitches to corporate customers by saying, "Here's a more
effective way to communicate," said Mark Szelenyi, director of enterprise
marketing.
Kontiki has about 20 customers in various stages of testing or deployment,
and they typically use the network to distribute sales and training
material and software updates, Szelenyi said. Similarly, Uprizer focuses on
helping corporations cut the cost of internal communications, using
peer-to-peer technology to distribute material to employees and branch offices.
Blue Falcon specializes in using peer-to-peer technology for Webcasts,
helping customers such as Radio Free Virgin, a leading online radio network
tied to Virgin Group Ltd., cut bandwidth costs by as much as 50%. Zack
Zalon, general manager of Radio Free Virgin, said peer-to-peer techniques,
better compression software and other improvements over the next few years
could enable his company to reach up to 30 times more listeners for the
same amount of money.
There are signs that the studios and record companies are ready to start
experimenting with peer-to-peer systems. Amid pressure from the Justice
Department and burgeoning online piracy, negotiations with tech companies
have intensified, several executives at peer-to-peer companies said.
Wippit, a network that offers unlimited MP3 files for a flat monthly fee,
has signed up one of the five major record companies, Myers said, although
it has yet to announce which one. Hillsboro, Ore.-based CenterSpan has
acquired the rights to songs from Sony Music's catalog, and a subsidiary of
Vivendi Universal has agreed to launch a CenterSpan-powered entertainment
service, said Michael Kassan, co-president of CenterSpan digital media and
entertainment group.
"We're in the midst of some very advanced discussions on the
video-on-demand side," Kassan said, adding that entertainment companies'
attitudes about peer-to-peer technologies have changed dramatically.
The music labels and film studios have been very good at promising online
initiatives, but not at delivering them. Although many have tried, none of
the companies has been able to obtain all the licenses needed to compete
with the unauthorized online networks. Nor have the studios'
video-on-demand ventures gotten off the ground--in fact, one of the two
major initiatives already has collapsed.
Still, Jay Haynes, chief executive of Blue Falcon in Los Angeles, said he
expects the labels and studios to embrace peer-to-peer distribution soon.
"In the next 12 months, I expect to see explosive growth in on-demand
[services]."
Napster and its successors did the entertainment industry a favor, Kitze of
Yaga said, by inducing consumers to want to get music online. "The next
change in the behavior is to get from 'free' to 'paid for,'" he said.
*********************
Federal Computer Week Editorial
Transforming Congress
Congress, unfairly or not, has earned a reputation for being a group of
Luddites. This reputation dates back to 1995, when Capitol Hill voted to
provide freshman lawmakers with laptop computers but did not approve their
use on the floor of the House or Senate.
That's what makes the vision of a "virtual hearing room" proposed by Rep.
Curt Weldon (R-Pa.) so refreshing. Still in the concept stage, the hearing
room would be equipped with secure workstations and videoconferencing
technology that would enable committee members to question witnesses
located anywhere in the world.
The workstations also could be used to provide multimedia presentations on
issues at hand.
The particulars of Weldon's proposal are less important than his motives.
Congress, Weldon argues, needs to grasp the broader ramifications of
technology--what the Defense Department calls "transformation"--and the
virtual hearing room represents a way to learn about technology, through
both seeing and doing.
Weldon is right. Many of the Bush administration's top
priorities--including homeland security, DOD modernization and
e-government--aim to transform, not just automate, government operations
through increasingly sophisticated uses of information technology.
Congress is a necessary partner in these initiatives, because such efforts
often require changes to rules and regulations and always need money.
Members are adept at learning on the fly as they craft legislation and
review budgets, but as the White House advances into newer and stranger
territory with IT, many members may find themselves out of their depths.
Weldon's idea of a virtual hearing room would be a creative way to begin
the education process. But whatever the fate of this particular proposal,
his concerns have merit and should be addressed.
For Congress, transformation ought to begin at home.
******************
Los Angeles Times
Fingerprint Scan Spurs Debate
Technology: Program's database is linked to credit or debit cards.
Customers weigh privacy concerns, convenience.
By HELEN JUNG
SEATTLE -- Christopher Conrad cuts off telemarketers on the phone,
regularly reminds direct-mail associations to keep him off their lists and
diligently opts out of mass e-mail lists.
But the Seattle commercial photographer didn't hesitate to give his
fingerprint, credit card information and phone number to a company he had
never heard of.
Conrad is one of the 2,000-plus customers of a Thriftway grocery store in
West Seattle who signed up in a pilot program run by Oakland, Calif.-based
Indivos Corp. that links customers' fingerprints with their credit or debit
cards, allowing them to buy groceries by running a finger over a scanner.
"I always leave my wallet in the car or forget it in another pair of
pants," Conrad said. "It doesn't feel so much like an invasion of privacy
but more like a convenience."
Privacy advocates and others are questioning whether the lure of
convenience outweighs the vulnerabilities of the technology and fears of
privacy intrusion.
"With most of these applications there's an interesting starting point, and
then there are new applications and pretty soon you have full force Big
Brother watching over you," said Marc Rotenberg, executive director of the
Washington, D.C.-based Electronic Privacy Information Center, a
public-interest research group.
Currently, there are no federal laws regarding the sale of fingerprint
databases and information.
Indivos Chief Executive Phil Gioia said his company signed a contract with
Thriftway not to sell that information to marketing companies. But Lee
Tien, senior staff attorney for San Francisco-based Electronic Frontier
Foundation, says the technology raises such novel and sticky legal issues
as who owns the actual fingerprint.
Thriftway's pilot program has nevertheless proved popular from its May 1
adoption, said store owner Paul Kapioski.
"A lot of them walked right in the door and said, 'Where is it? Let me sign
up,'" Kapioski said. He said representatives from other grocery stores in
the area have come in to look at the program.
In Texas, some Kroger Co. stores use technology from an Indivos rival,
Biometrics Access Corp. Ron Smith, Biometrics Access chief executive, says
it is helping Kroger also cut down on check fraud.
And McDonald's in Fresno, Calif., used Indivos' technology for a brief
pilot program but decided to discontinue it, said spokeswoman Lisa Howard.
McDonald's Corp. is exploring other cashless electronic payment
alternatives, such as radio transponder wands.
At the Thriftway, customers scan one finger five times to get an accurate
image, which is then digitized and stored in Indivos' database. The
customer also registers a bank account, credit card, debit card or even
food-stamp account and a seven-digit number, such as a phone number, which
will be used to help pinpoint that fingerprint's location among the
thousands in the database.
Then, customers can simply scan their finger at checkout counters and enter
the seven-digit number. The scanner picks up 10 or 12 points on the finger
at random, compresses that down to a 300-byte package and shoots it over an
encrypted connection to the database in Oakland for comparison with the
stored fingerprint.
In practice, it's not a huge time savings over credit-card transactions.
The customer still needs to punch in the seven-digit number. And they still
have to sign a receipt for credit card transactions or enter another
personal identification number for a debit card purchase.
***********************
Federal Computer Week Policy Briefs
Policy briefs
June 3, 2002
Anti-terror bills progress
Congress is moving forward to put money and muscle behind programs to fight
terrorism at home and abroad.
The House passed a bill May 24 to provide $29 billion to fight terrorism.
Billions would be showered on information technology projects to tighten
security systems and fund tools such as devices that detect explosives at
airports.
The House approved several other anti-terrorism measures, which still await
Senate action, including:
* A bioterrorism package that would give authorities more clout in
preparing for and responding to public health emergencies.
* $9.1 billion for the Customs Service to buy and deploy detection
equipment along the Canadian and Mexican borders.
* $100 million for the Department of Veterans Affairs to develop four
research centers, with at least one focused on biological terrorism, one on
chemical threats and one on radiological threats.
Air Force consolidates IT
The Air Force is one-third of the way through the process of consolidating
its IT resources in the hopes of building a greater enterprise
infrastructure, John Gilligan, Air Force chief information officer, said
May 29.
The goal is to have the process completed by fiscal 2004, although bases
have had trouble finding the money to buy larger servers. Gilligan said the
Air Force was considering a proposal that would accelerate that schedule.
The goal is to improve reliability, enhance security and reduce cost,
Gilligan said. "We don't have the outages that we used to have," he said.
The consolidation includes servers for e-mail, Web access, data and files.
It is also an effort to bring together functions, such as financial and
personnel data.
GSA preps security solutions
The General Services Administration is readying new solutions for
government security.
GSA's Federal Computer Incident Response Center (FedCIRC) patch
authentication and dissemination capability will be ready for some agencies
to use June 20, said Sallie McDonald, GSA's assistant commissioner for
information assurance and critical infrastructure protection.
In July, FedCIRC officials expect to release a request for proposals on a
security knowledge management portal, McDonald said May 22 at a New York
City conference. FedCIRC also is looking at creating a security toolkit,
giving agencies central access to all of the security tools developed and
already paid for by governmental and quasi-governmental organizations. In
addition, the center plans to issue a request for proposals this summer for
a contractor to identify the tools, assemble them into a suite of services
and market them to agencies, she said.
Official: 'We're bandwidth hogs'
The Army could always use more bandwidth, but the service does have enough
to accomplish its missions if it's willing to revamp its business practices
and truly take advantage of its resources, according to one technology leader.
Col. Nick Justice, program manager of Force XXI Battle Command Brigade and
Below, within the Program Executive Office for Command, Control and
Communications Systems-Tactical, said he could always fill up more
bandwidth if it were made available. However, the Army is not using its
bandwidth "in efficient, effective processes," he said, speaking May 29 at
Army IT Day in McLean, Va.
"We're bandwidth hogs," Justice said. "We want more. It's a [natural] quest
for us."
*****************
Federal Computer Week
Studying counterterrorism
The quasi-governmental agencies in the National Academies (the National
Academy of Sciences, the National Academy of Engineering, the Institute of
Medicine and the National Research Council) will address 10 areas in a
counterterrorism study expected to be released in June.
Those areas are:
* How to enhance the connectivity between the government and the science
and technology community.
* The effect of the threat of terrorism on scientists and universities and
the implications for research, open scientific communication, and
accessibility to and tracking of foreign students.
* How to improve research standards and practices to prevent misuse of
biotechnology research.
* How to improve national cybersecurity through research.
* How to protect Americans' privacy and civil liberties as personal
information is increasingly collected and analyzed.
* What immediate steps can reduce the risk of nuclear weapons or materials
falling into the hands of terrorists.
* How to address the threat of biological attack and ensure adequate
detection, response and recovery capabilities.
* The main threats and appropriate responses regarding agricultural terrorism.
* Possible new sensor technologies to enhance the security of U.S. aviation
systems and how to secure all transportation systems.
* The motives, sociology and psychology of terrorist activity against the
United States.
********************
Federal Computer Week
Bringing science to homeland security
OSTP, National Academies to aid strategy
The role that science and technology will play in the Bush administration's
homeland security plans is coming into focus through efforts by the White
House Office of Science and Technology Policy (OSTP) and the National
Academies, the quasi-governmental agencies that provide independent advice
to the federal government on scientific and technical matters.
OSTP is writing the research and development chapter of the Bush
administration's homeland security strategy. That chapter will focus on a
long-term mechanism for gathering ideas and technologies from the private
sector and putting them to use within the government, OSTP Director John
Marburger said at a press briefing May 29.
Recommendations from a soon-to-be-released National Academies study on the
role of science and technology in homeland security will figure into that
chapter, he said (see box). The Office of Homeland Security expects to
deliver the national strategy to the president by early July.
The National Academies study could help find short-term solutions as well
as aid OSTP officials in determining the best way to interact with industry
over the long term, said Lewis Branscomb, co-chairman of the study.
Industry will be a key player in supporting the OSTP effort, but government
officials may not tap the private sector for some time, because the process
for determining industry's role is still under development, Marburger said.
However, private-sector officials must understand that the government will
adopt new technologies only after identifying potential threats and
responses, he added.
There are four steps to creating a homeland security strategy:
* Identifying and prioritizing threats.
* Determining and agreeing on a response for each threat.
* Specifying the technologies needed to support those responses.
* Exploring what technologies are available in the market or what research
and development is needed to make the necessary technology available.
Industry can assist in the final two steps, but the government is still
working on the first two, Marburger said.
Devising a long-term strategy is necessary and determining the threats and
possible responses is a responsible first step, said David Colton, vice
president of strategic initiatives for the Information Technology
Association of America. However, the Bush administration must provide the
private sector with a single point of contact now, so that when the
government determines what it needs, the structure will already be in place.
"There's a balance between short-term and long-term, and getting some kind
of framework in place as soon as possible is necessary," he said.
The National Academies study will also help private-sector leaders
determine how to improve industry's resources, markets and security,
Branscomb said. That is particularly important because companies and
universities "are the targets as well as the solutions to many of the
problems."
The study should be released by the end of June, Branscomb said.
******************
Federal Computer Week
State CIOs advise on homeland security plan
As Tom Ridge's Office of Homeland Security hammers away at a comprehensive
national plan to defend the country's critical infrastructures, it has
reached out to state government technology officials for help.
On May 23, Steve Cooper, senior director of information integration and the
Homeland Security Office's chief information officer, asked representatives
from the National Association of State Chief Information Officers (NASCIO)
to form a working group to advise him on the resources states have to offer.
The move is significant, said state officials, because it shows that
federal officials understand that states will bear the burden of
implementing any recommendations from a national plan.
Eight state CIOs from NASCIO toured Capitol Hill May 22-23, holding more
than 30 meetings with members of Congress, their staffs and executive
branch officials on issues important to states, including homeland
security, e-government, identity security, cybersecurity, commingling of
federal information technology funds, enterprise architecture and the
Health Insurance Portability and Accountability Act of 1996 (HIPAA).
Rock Regan, NASCIO president and Connecticut's CIO, characterized the trip
as an "educational outreach," to establish that the association is a
resource to which federal lawmakers and other officials could turn.
NASCIO representatives discussed information sharing with Cooper and
several other executive branch officials, including John Tritak, director
of the Critical Infrastructure Assurance Office; Mark Forman, the Office of
Management and Budget's associate director of IT and e-government; and
David McClure, director of IT management issues at the General Accounting
Office. The state representatives also met with officials from the FBI,
CIA, Federal Emergency Management Agency, Environmental Protection Agency
and Justice Department.
Regan promised Cooper he'd have a three- or four-member working group of
state CIOs formed before June. "Their timeline is very tight, so it's
something that we have to have some commitment to," said Regan, adding that
it made sense for the federal government to seek input on homeland security
matters.
"We're the ones providing the infrastructure to make sure the [data] flows,
so I think that as the Homeland [Security Office] starts to [create] the
document, the national strategy and some guidelines around it, we want to
be involved as early as possible to make sure that what they're putting in
place is actually doable from our perspective," he added.
A draft of the national strategy will likely be delivered to President Bush
by early July. A senior administration official said in May that the
plan, outlining how the Office of Homeland Security expects to use IT to
help secure the nation from terrorist attacks, may not address all the
concerns of federal agencies and state and local governments.
Kentucky CIO Aldona Valicenti said the tone of the NASCIO trip (the second
such "fly-in" in six months and one that the organization intends to make
an annual event) has changed as federal officials proactively reach out to
the states. When HIPAA was passed in 1996, state governments weren't given
an opportunity for input, she said. "We can actually address many of the
operational issues," Valicenti said.
*********************
Federal Computer Week
Guidelines open data, Web to FBI
New investigative guidelines issued by Attorney General John Ashcroft May
30 permit the FBI to tap commercial databases, employ data mining and
search the Internet for evidence of terrorist activity.
The new guidelines reverse decades-old restrictions imposed to curb FBI
excesses of the 1950s and 1960s, when the agency actively spied on
Americans involved in the civil rights movement, political dissent and war
protests.
"They derive from a period in which Soviet communism was the greatest
threat to the United States, in which the Internet did not exist, and in
which concerns over terrorist threats to the homeland related mainly to
domestic hate groups," Ashcroft said.
In the current war against terrorism, the restrictions provided "a
competitive advantage for terrorists," Ashcroft said.
The restrictions date to 1976, when then-Attorney General Edward Levi
imposed them, and attorneys general have the authority to amend them
unilaterally.
In his announcement of the guideline changes, Ashcroft said, "FBI men and
women in the field are frustrated because many of our own internal
restrictions have hampered our ability to fight terrorism."
Under the guidelines now abandoned, Ashcroft said, "FBI investigators
cannot surf the Web the way you or I can. Nor can they simply walk into a
public event or a public place to observe ongoing activities. They have no
clear authority to use commercial data services that any business in
America can use."
New guidelines expressly permit agents to engage in online research, even
when it is not tied to a specific criminal investigation. They also
authorize the FBI to use commercial data mining services independent of
particular criminal investigations.
The new guidelines also allow the FBI to operate "counterterrorism
information systems, and to collect and retain information from all lawful
sources, including publicly available sources, for that purpose."
The changes generated concern among privacy and civil liberties
organizations. The American Civil Liberties Union warned that the new
investigative guidelines "will trash a central protection against
government fishing expeditions."
And the Electronic Privacy Information Center said the new rules
"significantly broaden government ability to snoop on citizens."
"The FBI has always been able to use the Internet and databases, but only
where there [is] some indication of a crime," said Chris Hoofnagle, an EPIC
lawyer. The new guidelines "change the dynamic" so that the FBI "can now
watch people who are not suspected of doing anything wrong," he said.
According to the Justice Department, the investigative guidelines still
"prohibit the FBI from keeping files on citizens on the basis of their
constitutionally protected activities," such as exercising the right to
free speech.
And the guidelines also "do not, and cannot, authorize the FBI to do
anything prohibited by the Constitution or federal law," a department
analysis says.
******************
Federal Computer Week
Carnivore bites off too much
Two years ago, the FBI unleashed Carnivore against Osama bin Laden's
terrorist network, but the Internet spyware intercepted so much unrelated
e-mail that the FBI stopped using it and might have destroyed information
it collected related to the terrorists.
An internal FBI memo sent in April 2000 complained that when the spyware
was used a month earlier to intercept al Qaeda e-mail messages, Carnivore
acted more like an omnivore.
"The FBI software not only picked up the e-mails under the electronic
surveillance [order] but also picked up e-mails on noncovered targets,"
said the memo, which was sent to Marion "Spike" Bowman, the FBI's associate
general counsel. "The FBI technical person was apparently so upset that he
destroyed all the e-mail take," including the e-mail messages the FBI was
permitted to intercept, the memo said.
Intercepting messages not covered by court authorization would have
violated federal wiretap laws, according to the Electronic Privacy
Information Center, which obtained the memo through a Freedom of
Information Act lawsuit.
David Sobel, general counsel for the center, said the memo and other
information released by the FBI "confirm what many of us have believed for
two years: Carnivore is a powerful but clumsy tool that endangers the
privacy of innocent American citizens."
FBI documents show that its officials also worried that "the improper
capture of data" by Carnivore could "seriously 'contaminate' ongoing
investigations."
*******************
Federal Computer Week
FirstGov revs search engine
The search engine bought from a Norwegian company to find information on
the federal government's Web portal, FirstGov, is finally ready for
service. It will be formally unveiled June 3 by Stephen Perry,
administrator of the General Services Administration.
The engine, built by Fast Search & Transfer of Oslo, Norway, is expected to
yield more relevant and more complete search results from more than 51
million federal and state pages now on the Internet.
Originally scheduled to begin operating March 31, the Fast search engine
was delayed for two months because GSA decided to buy and install new
switching servers for the search engine, according to a senior official at
GSA, which operates FirstGov.
The new engine is supposed to be able to search through government Web
pages in a wide variety of formats, including PDF, HTML, Extensible Markup
Language and plain text, as well as Microsoft Corp. PowerPoint, Excel and Word.
In addition, the Fast engine will be capable of searching through
government databases, according to Deborah Diaz, GSA's associate
administrator for FirstGov. "So there's a plethora of information and
services available throughout government that will now be available to
citizens," Diaz said in an April interview.
The Fast engine is being supplied by AT&T Business Services, which will be
paid $2 million a year for up to five years.
Spokesmen at AT&T and Fast Search & Transfer say they are prohibited from
discussing the terms of their contract with GSA.
*************************
BBC
Secure way forward for digital TV
Digital TV operators must look to a new business model encompassing open
standards and secure tools against hacking if they want to make money in
future.
This is the view of experts in the light of the financial crisis facing
many pay TV stations.
For years a battle has raged about the standards that control the
technology behind pay TV.
Governments and regulators are keen to see an open standard, where all
free-to-air and digital TV providers could be accessed through a single
set-top box or interactive digital TV.
But most operators did not want their rivals using their equipment to sell
services.
Viewing for free
With the rise of hacking this has become a costly decision for many pay TV
operators, forced to replace all their set-top boxes when the decoder
inside the box is hacked.
Up to a third of all services in some European countries are accessed for
free using hacked smart cards that are widely available.
SCM Microsystems Chief Executive Robert Sneider believes the answer could
be a removable module.
The CAM (Conditional Access Module) has two components, a smart card which
descrambles encrypted TV signals and a piece of hardware which fits into a
slot available on all digital TV sets and set-top boxes.
The anti-hacking software can be updated on a daily basis through a
download from the provider to the set-top box down the telephone line.
If the module itself is hacked, it can be removed and replaced without need
to touch the set-top box itself.
Obsolete business model
"Unauthorised access to digital networks represents huge revenue losses for
providers. They simply cannot survive if this wastage continues at such a
critical time in the industry's development," he said.
The module relies on an open standards model, which Mr Sneider believes
operators will be forced to adopt, whether they want to or not.
"In my opinion the idea that they can own the consumer is an obsolete
business model," he said.
With high profile digital TV failures such as the collapse of ITV Digital
and governments across Europe keen to switch off the analogue signal by
2010, there will be a big push to get security right, believes Roger
Stanyard, managing director of satellite consulting firm DTT.
"Recently hacking has become a desperate problem across Europe. When the
decoder is built into the set-top box operators have to replace the whole
box," he said.
"There will be a hefty bill coming up if they can't secure systems."
Hackers will find a way
Not everyone is convinced that a removable piece of hardware will alleviate
hacking.
"Some companies say that if a module is generally available, hackers will
get hold of the device and crack the technology that way," said IDC analyst
Jason Armitage.
Mr Armitage does not think that hacking has had a significant impact on the
demise of companies like ITV Digital.
"It is a big problem in southern Europe but in other European markets is
not such an issue," he said.
**********************
Government Computer News
OMB: E-gov projects will help reduce bad payments
By Jason Miller
Bush administration officials expect that two of the 24 e-government
initiatives will help the government lower the $20 billion in erroneous
payments agencies made in fiscal 2001.
E-Payroll and E-Grants eventually could improve automation and tracking of
money, according to an Office of Management and Budget report released
Friday. The Office of Personnel Management is managing the E-Payroll
project, which will consolidate 16 civilian payroll processing systems into
three.
E-Grants, managed by the Health and Human Services Department, will
standardize and streamline federal grant programs. OMB officials estimate
the initiative could save the government $1 billion in administrative costs
alone.
The report, Financial Management Status Report and Governmentwide Five-Year
Financial Management Plan, also said that financial system and computer
security weaknesses were two of the most prevalent troubles auditors found.
OMB said agencies also failed to account for billions of dollars in
intra-agency transactions.
OMB said the two biggest mispayers were Medicare, which erroneously paid
out $12.1 billion, and the Housing and Urban Development Department, which
handed out $3.3 billion in errant rental subsidy payments.
The report is posted online at www.whitehouse.gov/omb/financial/2002_report.pdf
***************************
USA Today
Consumers test fingerprint scanning program
SEATTLE (AP) - Christopher Conrad cuts off telemarketers on the phone,
regularly reminds direct-mail associations to keep him off their lists and
diligently opts out of mass e-mail lists.
But the Seattle commercial photographer didn't hesitate to give his
fingerprint, credit card information and phone number to a company he had
never heard of.
Conrad is one of the 2,000-plus customers of a Thriftway grocery store in
West Seattle who signed up in a pilot program run by Oakland, Calif.-based
Indivos Corp. that links customers' fingerprints with their credit or debit
cards, allowing them to buy groceries by simply running a finger over a
scanner.
"I always leave my wallet in the car or forget it in another pair of
pants," Conrad said. "It doesn't feel so much like an invasion of privacy,
but is more like a convenience."
Technology that links your fingerprint with a credit card or bank account
is making strides into everyday purchases, with businesses from Thriftway
in Seattle to three Kroger stores in Texas.
But privacy advocates and others are questioning whether the lure of
convenience outweighs the vulnerabilities of the technology and fears of
privacy intrusion.
"With most of these applications there's an interesting starting point, and
then there are new applications and pretty soon you have full force Big
Brother watching over you," said Marc Rotenberg, executive director of the
Washington, D.C.-based Electronic Privacy Information Center, a
public-interest research group.
And currently, there are no federal laws regarding the selling of
fingerprint databases and information.
"There could be some abuses," Rotenberg said.
Thriftway's pilot program has nevertheless proved popular from its May 1
adoption, said store owner Paul Kapioski.
"A lot of them walked right in the door and said where is it, let me sign
up," said Kapioski. He said representatives from other grocery stores in
the area have come in to look at the program. "I think it's the way it's
going to be here in a couple of years. We may be the first, but you'll see
it around here."
It's already in Texas, at some Kroger stores, which use technology from an
Indivos rival, Biometrics Access.
Ron Smith, Biometrics Access chief executive, says it is helping Kroger
also cut down on check fraud.
And McDonald's in Fresno, Calif., used Indivos' technology for a brief
pilot program but decided to discontinue it, said spokeswoman Lisa Howard.
McDonald's is exploring other cashless electronic payment alternatives,
such as radio transponder wands.
At the Thriftway, customers scan one finger five times, to get an accurate
image, which is then digitized and stored in Indivos' database. The
customer also registers a bank account, credit card, debit card or even
food-stamp account and a seven-digit number, like a phone number, which
will be used to help pinpoint that fingerprint's location among the
thousands in the database.
Then, customers can simply scan their finger at checkout counters and enter
the seven-digit number. The scanner picks up 10 or 12 points on the finger
at random, compresses that down to a 300-byte package and shoots it over an
encrypted connection to the database in Oakland for comparison with the
stored fingerprint.
In practice, it's not a huge time savings over credit-card transactions.
The customer still needs to punch in the seven-digit number as well as key
in approval for the purchase. And they still have to sign a receipt for
credit card transactions or enter another personal identification number
for a debit card purchase.
Some customers said they didn't like giving away something as personal as a
fingerprint. They fear that even if the database is kept by a private
business and not linked to buying habits, it might not always reside with
that company.
"To me it's the same thing as the government having your fingerprints,"
said Jennie Helms, a West Seattle Thriftway shopper. "They don't need to
know what I buy."
Security is also a concern.
While well-designed fingerprint-based systems are not easily fooled, some
researchers have already shown that fingerprint readers are hardly
spoof-proof, said James Wayman, former director of the U.S. National
Biometric Test Center and now a biometric identification researcher at San
Jose State University.
Recently, a cryptography researcher in Japan created a fingerprint mold out
of gelatin and succeeded in fooling fingerprint scanners four out of five
times. A paper detailing his work was presented to the International
Society for Optical Engineering.
The fingerprint companies' executives acknowledged that all technology is
ultimately vulnerable. But they said would-be thieves don't have the means,
much less access to a viable fingerprint, to crack one of their sensors.
And what of worries that companies might sell the fingerprint/information
database to marketers?
Indivos chief executive Phil Gioia said his company signed a contract with
Thriftway not to sell that information to marketing companies. But Lee
Tien, senior staff attorney for the San Francisco-based Electronic Frontier
Foundation, says the technology raises such novel and sticky legal issues
as who owns the actual fingerprint.
Even Gioia recognizes that much remains uncharted.
For example, if Indivos were to some day be acquired by a credit-card
issuing bank that institution would gain ownership of the fingerprint
database. Gioia's response: "that's in the future ... we haven't nailed
that down."
******************
USA Today
Germany gives Microsoft the cold shoulder
FRANKFURT, Germany (AP) - Germany's government said Monday it has agreed
with computer maker IBM to increase the use of open-source software on its
computers, a move aimed at reducing dependence on U.S. software giant
Microsoft.
Interior Minister Otto Schily said using non-Microsoft operating systems
based on the open-source Linux system would save money and improve the
security of computer systems used by federal and local governments.
"We are raising computer security by avoiding a monoculture, and we are
lowering dependence on single suppliers," Schily said in a statement. "And
so we are a leader in creating more diversity in the computer field."
Under the deal, IBM would give the government discounts on computers
running Linux. The software installed on the IBM computers would be bought
from German company SuSE, a major supplier of Linux-based software products.
The statement didn't disclose financial terms.
Unlike most commercial software, the underlying code in open-source
software such as Linux is freely available and benefits from continual
scrutiny and improvements made by a community of programmers. Proponents
say that makes Linux more reliable and secure than products made by
Microsoft and others -- a claim Microsoft disputes.
Though individual companies charge for the operating system, technical
support and services, Linux versions can be downloaded legally for free on
the Internet. Many companies and governments have turned to Linux as a
low-cost alternative to Microsoft's Windows operating systems.
Thomas Baumgaertner, a spokesman for Microsoft's German subsidiary, said
the government chose to ignore studies it had commissioned that favored
Microsoft.
"Their own studies showed that an all-Microsoft environment was superior
both technically and on price," said Baumgaertner.
Even with the decision, the German government remains a major customer for
Microsoft products, he said.
******************
MSNBC (News Week)
Wild About Wi-Fi
Rising from the grass roots, high-speed wireless Internet connections are
springing up everywhere. Tune in, turn on, get e-mail. Sometimes for free.
By Steven Levy and Brad Stone
June 10 issue -- Pete Shipley's dimly lit Berkeley home has all the
earmarks of a geek lair: scattered viscera of discarded computer systems,
exotic pieces of electronic-surveillance equipment and videos of the BBC
sci-fi "Red Dwarf" show. But among the hacker community, Shipley, a
36-year-old freelance security consultant, is best known for his excursions
outside the home -- as a pioneer of "war driving."
BREATHE EASY: this isn't a "Sum of All Fears" kind of thing. War driving
involves roaming around a neighborhood looking for the increasingly
numerous "hot spots" where high-speed Internet access is beamed to a small
area by a low-power radio signal, thanks to a scheme called Wireless
Fidelity. Imagine your computer as a walkie-talkie, but instead of talking,
you're getting high-speed Internet access. Wi-Fi, as it's generally called
(propellerheads call it 802.11b), has unexpectedly emerged as the wireless
world's Maltese Falcon, something truly lustworthy and, once possessed,
impossible to let go of.
Two million people use it now, a number expected to double by next
year, according to Gartner, Inc. And International Data Corp. predicts that
public hot spots will jump from a current 3,000 to more than 40,000 by
2006. Consumers use Wi-Fi to establish wireless networks in their homes;
businesses adopt it to untether employees from desktops, and techno-nomads
celebrate its presence in cafes (from Starbucks to Happy Donuts), airports
and hotel lobbies. (Next on the docket: airplanes.) It seems that moving
megabytes on the move is almost mystical, like an out-of-body experience.
"Once you are untethered from a wall it becomes like candy; it's a really
insatiable appetite," says Michael Chaplo, the CEO of one Wi-Fi start-up.
"You just want it everywhere." Like the early Internet, Wi-Fi is a
jaw-dropping technology with unlimited promise. Also like the Internet, it
opens up a rat's nest of security woes.
200 UNPROTECTED NETWORKS
There's nothing like a war drive to expose both sides of this
cutting-edge sword. Shipley Velcroes two weird-looking antennae to a
NEWSWEEK reporter's car, and connects them to a Lucent wireless card
plugged into a Fujitsu Tablet PC. He boots a program called Net Stumbler,
which transforms the system into a sniffing machine, capable of detecting
Wi-Fi networks with the reliability of a drug beagle, and we're off. Almost
instantly, the rig starts finding networks -- 16 of them within the first three
blocks (last year Shipley was getting just two). Turning toward the campus,
name after name of wireless setups scroll by, some set up by corporations,
some by ... well, who knows? Cal Bears Network ... V Street Network ...
Henry Household. About half of the more than 200 networks he finds are
unprotected by encryption or access control, meaning that anyone passing by
could potentially grab the data. Or a freeloader could plant himself in
front of the network owner's house and send out thousands of spam e-mails,
leaving the owner to take the heat.
This is not just a West Coast phenomenon: a war-driving security
specialist in Omaha, Neb., recently found 59 hot spots, 37 of them
unprotected. And on a war walk through New York's Greenwich Village last
week, NEWSWEEK found more than 50 hot spots in a quarter-hour. A disturbing
security situation -- in effect, it's like opening a drive-in window to an
otherwise firewall-protected network -- but also an exhilarating opportunity.
Without knowing exactly who was beaming out the broadband, it was possible
to stand on a random street corner and grab sports scores and e-mail. The
Internet was in the air.
That's only one irony in the Wi-Fi revolution: while most of the
tech industry gripes about how hard it is to provide high-speed Internet
access, seemingly out of nowhere a technology has emerged to do just that,
at low cost or even for free. And without those nasty wires! The secret of
Wi-Fi comes from its mongrel origins. Wireless technology is actually a
kind of radio, and different devices run on different frequencies on the
radio bandwidth. Some portions are hotly contested, and governments reserve
their use for favored parties: in some cases, like cellular phones, firms
pay billions to use portions of the spectrum. No one pays a penny for
Wi-Fi, which springs from a semi-orphaned frequency range formerly known as
the Industrial, Scientific and Medical Band, designated for humble
appliances like cordless phones and microwave ovens. (It's around 2.4
gigahertz, for those keeping score at home.) This junk spectrum is
unlicensed, meaning that as long as you keep the power low, no one limits
your activity. This freedom appealed to computer people, who see it as an
open invitation to innovate and experiment. As a result, cool things keep
happening with Wi-Fi.
A lot of this still goes on among the geek set. For instance, Rob
Flickenger, author of "Building Wireless Community Networks," has gained
renown for designing a long-range $6.45 Wi-Fi antenna housed in a Pringles
potato-chip can. (It's been recently outperformed by an antenna made out of
a Big Chunk beef-stew can.)
BUILT-IN WI-FI
But even as the wireheads build their toys, serious companies sense
big money. Things really began to take off three years ago when Apple
adopted Wi-Fi for its home-networking AirPort device. Simply plug your
Internet cable into the flying-saucer-shaped gizmo, and your Macs (if
equipped with a $99 wireless card) instantly become wireless Net machines.
Last year Microsoft rolled out its new Windows XP operating system with
built-in Wi-Fi support: every time an XP user with a wireless card gets
within sniffing range of a network, a little dialogue box pops up and asks
if he or she wants to hook up. And this year IBM began shipping ThinkPad
computers with Wi-Fi built in.
Dozens of start-up companies hope to ride the Wi-Fi wave. Boingo
wants to be at the center of a sprawling Wi-Fi archipelago. It offers
customers service at hundreds -- one day maybe millions, dreams CEO Sky Dayton
(who earlier founded Earthlink) -- of hot spots signed on to the Boingo system.
In return, Boingo handles the billing and kicks back part of the user fees.
A company called Joltage provides software to turn hot spots into instant
mini-Internet service providers. Other firms are working to go beyond hot
spots to larger "hot zones," like WiFi Metro, which has placed antennas in
Palo Alto and San Jose, Calif., to blanket six-block areas in a single
network. Going a step further are companies attempting "mesh networks" to
create hot regions. For instance, a company called SkyPilot wants to Wi-Fi
the suburbs by hopscotching bandwidth from computer to computer: sort of a
Napster approach to connectivity.
While entrepreneurs envision hot spots in their bank accounts, some
people are organizing on the principle that connectivity in the air should
be as free as the breeze. In more than 50 cities and towns, community-based
network groups are setting up regions where people are encouraged to
partake of free wireless Internet. NYC Wireless has more than 60 "guerrilla
installations," including Tompkins Square Park in the East Village. In
Pittsburgh, you can Web-surf for free in Mellon and Market Squares.
'IT CONSTITUTES A THEFT OF SERVICE'
Traditional broadband providers cry foul when users take their
cable modem or DSL connections and beam them to friends, family and
passers-by through Wi-Fi networks. "It constitutes a theft of service per
our user agreement," says AT&T Broadband's Sarah Eder. But at least one
very important observer doesn't buy that. "I don't think it's stealing by
any definition of law at the moment," says FCC chairman Michael Powell.
"The truth is, it's an unintended use."
Wi-Fi's success has already made some telecom companies like Nokia
and Nextel realize that their future lies in complementing, not competing,
with Wi-Fi. The new vision involves a hybrid scheme where people would do
heavy-duty computing in low-cost, high-activity Wi-Fi hot zones, and then,
when they drove out to the desert, or visited North Dakota, they'd stay
connected, using a more costly (licensed bandwidth) 3G-cellular network.
Performing this trick without fiddling with the computer -- a so-called
vertical handoff -- is "the holy grail," says AT&T researcher Paul Henry. "It
would mean that wherever you were, the Internet would be there, too."
This would require superior security software. But it will take some
effort from users. The current form of protection, an encryption code
called WEP, is far from perfect, but a lot of people don't even bother to
turn it on. Nonetheless, experts assume that, like the Internet, Wi-Fi will
manage to increase -- if not perfect -- its security so that problems won't stunt
its growth.
No matter who provides the signal, the Wi-Fi revolution is now
moving to a fascinating stage, where the medium affects behavior. Putting
wireless nets in businesses has affected culture in places like Microsoft
and IBM, where people trundle into meetings with laptops, pull up relevant
information on the spot -- and surf the Net if they're bored. An in-house video
at Cisco Systems tells the tale of an engineer who discovered a
toilet-paper shortage in the men's room -- and was able to order more online
while maintaining his position.
And when the Internet is ultimately everywhere, imagine the effects
on journalism when, as tech columnist Dan Gillmor has speculated, hundreds
of witnesses to a local disaster have the ability to capture and send out
instant digital photos and videos.
All that from junk spectrum? Hard to believe. But not too long ago
surfing the Internet seemed as weird as, well, war driving.
*************************
MSNBC
Broadband users cut into cable
By Stefanie Olsen
June 3 -- When Noah A., an AT&T Broadband customer, dropped his subscription
to DirecTV several months back, he joined a small but growing group of
cable TV pirates who use their high-speed Internet connection to pilfer
video signals.
DRAWING ON old-school methods to splice cable TV lines for
unauthorized use, hackers say they can buy a splitter at the local
electronics store and easily run an additional line from the cable modem
line for the computer into the television. Without a set-top box, the
result is free, basic, analog cable; with an illegal converter or set-top,
hackers say they have access to premium channels such as HBO and Showtime.
"I only get (basic) cable. I don't subscribe; it just comes to my
house along with the cable modem signal," said Noah, who wished to keep his
last name anonymous. He saves roughly $40 a month on cable but spends about
$42 a month on Internet access.
"Lots of people do this if all you want is analog cable," he said.
"All cable services are run through the same line; they can't just cut
power to analog cable and still give you a cable modem."
Cable operators have battled this form of piracy for years, but
it's taking on new urgency in the race to build high-speed Internet
service. Broadband providers are struggling with costs, with AT&T just last
week instituting a price increase for cable modem customers.
Some lawmakers are also pushing Congress to help in the widespread
adoption of broadband Internet connections. Sen. Joseph Lieberman, D-Conn.,
last week said he would introduce legislation to expand broadband adoption
across the country to drive economic growth.
In this environment, piracy is just one more headache for cable
providers. The advent of digital cable and broadband Internet access is
seen as a mixed blessing for operators, bringing advancements to both deter
theft and increase it.
Siphoning TV access from cable modem lines is just one wrinkle to
widespread cable piracy, but companies such as AT&T Broadband, Cox
Communications and Comcast Cable Communications are starting to crack down.
All providers say they are aware of this specific kind of theft and are
taking various measures to stop it.
Cable TV piracy has been growing since the '70s, germinated by
corrupt or pliable cable technicians who simply take a kickback to turn on
extra, premium channels at no monthly cost. Now, in addition to making
payoffs, people regularly buy on the black market the cable converters and
de-scrambling devices necessary to access digital and premium cable.
About 13 million Americans get a free ride as a result, compared
with the more than 64.5 million paying cable subscribers, according to
research firm The Carmel Group. The losses are significant. The firm
estimates that the industry misses out on about $6.2 billion annually from
piracy.
Industry executives say stealing not only costs the cable
providers, but also takes money from public works. Cable operators must pay
5 percent of local cable sales to community services such as fire and
police departments.
SCOURING THE SYSTEMS
Steve Effros, an attorney and analyst for the cable industry at
Effros Communications, based in Fairfax, Va., said relatively few people
subscribe only to high-speed Internet access and not cable TV. Those who do
are a highly identifiable group to the cable operators, he said, making it
easy to install a trap that allows only the amount of bandwidth necessary
to provide high-speed Internet data.
"If it becomes an issue at all, it's very easy to stop it; they
just install traps on the lines," he said. "No thief ought to rely on this
one."
Cox spokeswoman Amy Cohn said the company has discovered some
instances in which high-speed Internet customers are stealing cable TV
channels, but she couldn't specify a number. As a preventive measure, she
said, the company installs traps on cable modem lines to prevent Internet
customers from accessing video signals through cable TV.
"We're currently auditing our networks to identify situations where
traps may be needed and are installing the appropriate equipment to prevent
this theft from occurring," Cohn said.
Tracy Baumgartner, a spokeswoman for AT&T Broadband, said the
company is proactively trying to prevent this kind of cable theft. She
wouldn't explain the specifics of its tactics, saying they may provide
clues to a workaround.
In general, AT&T Broadband tries to stop piracy by going from
neighborhood to neighborhood and performing a tap audit, which allows it to
detect all manner of cable theft. The tap audit lets the operator evaluate
services piped into the home to see if any are not being paid for.
Baumgartner said such cable theft typically degrades signals to
both the computer and the television, not to mention neighboring connections.
"The drops are not designed to be split," she said. "The Internet
product needs a dedicated feed so that it runs as efficiently as it's
supposed to."
But cable subscriber Noah said his TV reception and Net connection
come up without a hitch.
A Comcast Cable representative said the company also performs tap
audits to identify customers using authorized video hookups. It then gives
them time to make amends before disconnecting service, according to the
representative.
NEW FIX WOULD NOT BE QUICK
One long-term solution to such theft would be for cable operators
to completely convert their analog feeds to digital.
Cable providers have long used analog systems, which run at a
frequency of 400MHz or lower. Basic broadcast channels such as ESPN and CNN
are typically run through analog cable.
Now cable providers are shifting their systems to allow for digital
broadcasts, which operate on a different frequency from analog. For a true
digital broadcast, which can include premium channels such as HBO or
video-on-demand programming, the frequency must run around 750MHz.
Cable operators see promise in digital cable because they can
deliver more channels with less bandwidth and build in enhancements such as
interactive TV programming, video-on-demand and e-commerce. Some are
already testing digital, including AT&T Broadband, which started using it
in select markets, such as Los Angeles.
But digital is also a threat. Services such as Sonicblue's ReplayTV
allow consumers to share TV entertainment like they would on an online
file-sharing community such as Morpheus, raising fears about copyright
infringement.
Still, analysts insist that digital cable can curb the threat of
piracy. For one, companies are creating more sophisticated encryption
technology to make it harder for hackers to tap into unauthorized channels.
Another deterrent is that interactive TV programming requires a two-way
connection, meaning that a broadcaster could detect and verify a signal
coming back into its system from the subscriber.
"From that (digital) signal, the operator will have the ability to
recognize that end user and whether he is subscribing to that service,"
said Sean Badding, an analyst at The Carmel Group. "This could be a
prevention as we move into this (interactive TV) world."
In the meantime, as much as some people take advantage of
open-spectrum cable lines, some customers say the providers are equally
negligent about taking precautions against piracy.
Amy L., one longtime Comcast subscriber who asked that her last
name not be used, said that when she signed on to high-speed Internet
access several years ago, in addition to her monthly cable TV subscription,
the Internet connection boosted her family's access to premium cable
channels such as HBO and Showtime at no cost.
"The TV, including the cable, is literally right next to the
computer desk, so when the techs came to install the broadband they just
put a splitter on that cable with one leading to the cable box and one to
the cable modem," she said. "When the installers were finished, they told
me that I would be getting some additional channels,...a normal result of
having the broadband access installed, and that Comcast would eventually
filter it out.
"I didn't do anything, but Comcast never did anything either. I was
getting HBO, Showtime and a number of other additional and premium channels
for something like two years for free," she said.
Doug, a New Jersey resident who subscribes to cable-modem Internet
service and gets free digital cable through an illegal box, said he
believes that the cable operators are suffering at their own hands. He said
he bought a new digital box for about $80 that gives him free access to
more than 400 channels.
"All the cable operators are suffering from (cable theft) when all
they need to do is put in a filter -- that would eliminate the issue," Doug,
who asked that his last name not be used, said in an e-mail interview. "I
don't condone stealing, (as they call it), but I don't see an issue if they
don't block it. If they cared about it, they could stop it."
*********************
MSNBC
Fighting Web Fraud
Security: The Internet has made it easier for crooks to rip your company
off. Here's how businesses can protect themselves and their customers
By Erik Sherman
NEWSWEEK
June 10 issue -- It was almost too easy. All the young woman had to do was
pick a stolen credit-card number and go online.
ACCORDING TO U.S. postal inspectors, she then bought computers and other
electronic gear. A measure of the extent: when police swooped down on her
New York apartment two years ago, they found $20,000 worth of gear. And she
was identified only because of fraud-detection software. When she made an
$800 purchase at the IKEA furniture and household-goods Web site, a program
called eDective noticed that the shipping address she gave was in a
different state from the billing address for her card. This raised a red
flag for IKEA fraud manager John Barry. He noticed, too, that the
cell-phone number she gave as a contact was in yet a third state. He
launched the probe that ended in her arrest for possession of stolen
property. She pleaded guilty, apparently to a lesser charge (the case is
sealed). But Barry counted it a win for his software. "Anybody who hangs
their sign out front to do business on the Web takes a tremendous amount of
risk," he says. "The Web gives the thief the edge. We can't see your body
language, hear the tone of your voice, see the sweat on your palms."
Fraud has always been a problem for businesses. The Internet has
made it easier. According to Visa USA, the rate of online credit-card fraud
is three to four times higher than fraud overall. Some industries are
peculiarly vulnerable, such as telecommunications. "In the entire telecom
industry, the current estimate is that $15 [billion] to $20 billion of
fraud happens on an annual basis," says Peter Smith, manager of AT&T's
global fraud-management center.
But new technologies enable companies to fight back. Given the sheer
volume of e-commerce today, software is the only solution. "You may have a
suspicion that something is going on, but even if you do see some, it may
only be the tip of the iceberg," says Colin Shearer, vice president of data
mining at statistical-software company SPSS. "In areas like e-commerce,
it's way beyond human capability to check each one of [the transactions]."
One widely used tool is known as rule-based-detection software.
Merchants who use it create what is sometimes called a "negative file,"
stating the criteria each transaction must meet. These might include price
limits and matches of the cardholder's billing address to the shipping
address for the purchase. The rules might flag an order for an unusually
high number of a single item. And they should always maintain current lists
of stolen credit-card numbers. The software then screens incoming orders
and uses the rules to approve or reject purchases.
A related tool is predictive-statistical-model software. It
examines mountains of data from previous transactions to create
mathematical descriptions of what a typical fraudulent transaction looks
like. It then looks at incoming orders and assigns each one a "risk value"
based on its resemblance to the prototypical fraud. AT&T, for example, uses
predictive models to sort through its more than 350 million calls a day,
identifying a thousand cases of questionable activity. An average of 50
investigators on duty at any given time examine them to find the 200
cases of actual fraud. "You're literally trying to find the needle in the
haystack," says Smith. "[But] if you don't find that needle... you could
end up losing tens of millions of dollars within hours." It's worth the
effort and expense, though: Smith estimates that AT&T's software blocks "at
least" 100 frauds for every one it lets through.
Consumer fraud is not the only threat. In such industries as auto
insurance and health insurance, service providers often file fraudulent
claims. A body shop, for example, may include in its estimates repairs the
car doesn't need. In health care, according to estimates by the Center for
Medicare and Medicaid Services, $100 billion a year is lost in health care
to fraud from physicians, hospitals and other agencies that might, for
example, use false diagnostic codes in their electronic filings to suggest
costlier procedures than were actually done. Detection software can be
"tuned" to flag frauds characteristic of a particular industry. "Ninety-six
percent of the estimates we review are changed, and the average percent or
reduction is anywhere from 11 to 13 percent," says Eric Seidel, president
and CEO of eAutoclaims Inc., whose software lets auto-insurance firms track
claims and repair estimates.
Outside help is available. "It's valuable to have a trusted network
outside your company, because that's where the expertise will be," says
David Fisher, manager of the Verizon Communications fraud-prevention
center. Few companies can afford expertise in fraud prevention on the scale
of AT&T, so turning elsewhere makes sense. For example, Experian, one of
the three big credit-reporting companies in the United States, has
developed a cross-industry fraud database. Member companies can check
credit applications against problems reported by other members. One of the
clients recently ran a week of tests, checking credit applications against
the database. "That client had a 2 percent hit rate on the national fraud
database," says vice president of fraud solutions Lyn Porter. "We
identified around $50,000 in savings a day."
Of course, all the software in the world will be ineffective if
the enemy is within. A national retail chain found that its Dallas store
suddenly went bankrupt after hiring a new manager. He was diverting sales
revenues to himself through an elaborate combination of false invoices and
doctored credit-card charges. His inside knowledge helped him sidestep the
company's detection software. "He got away with it for 18 months," says
John Wiechman, president of TLSI Inc., the computer-forensics firm hired to
find the evidence. "The company was being run, but it wasn't being watched
real close. [Corporate management] walked into the Dallas warehouse and it
was empty." Even the best systems won't work for people asleep at the
on-off switch.
*************************
CNN
Workplace e-mail is not your own
Employers have legal right to snoop online
SAN FRANCISCO, California (CNN) -- If you work on a personal computer,
you'd better get used to it -- there's no such thing as private e-mail on a
company system.
Analysts say this high-tech monitoring is a growing trend for employers,
particularly as the technology makes it increasingly easy to implement on a
large scale.
"Legally, they're not required to tell you if they're monitoring the
e-mail," says Shari Steele of the Electronic Frontier Foundation. "Legally
the equipment that you're using when at work belongs to your employer. And
therefore the employer can do anything they want to with the equipment."
Businesses can customize the software to identify senders and scan for
keywords that send up a red flag. They can also choose from a set of
keywords associated with viruses or unsolicited e-mail, or "spam."
Once a policy is set, the company chooses what happens next, whether that's
to quarantine the e-mail for review, divert it or send it to the trash.
"Well, it's not 1984 ... this is 2002 ... and yeah, this is Big Brother,"
says Jeff Smith, chief executive officer at Tumbleweed Communications,
which makes e-mail monitoring software used by 100 of the Fortune 500
companies.
Companies like Tumbleweed tout their products as ways for businesses to
track how employees may be wasting time recreationally surfing the Web and
to filter out harmful e-mails that could launch a costly virus or worm.
Tightening the Net
So how common is e-mail monitoring?
According to an industry survey in 2001, nearly 47 percent of large
corporations store and review e-mail messages -- three times more companies
than in 1997. What can't be quantified, however, is the number of e-mails
mistakenly screened-out.
CNN showed Smith an e-mail that got bounced back to the sender by his
software, a memo arranging a meeting for a charity fund-raiser. It did have
dollar signs and financial company names, but otherwise appeared to be
completely innocuous.
"It could have been kicked-out for compliance violation," says Smith. "Or
alternatively, the software could have concluded that it was spam."
Legitimate concerns and a hard line -- administered by software.
*********************
CNN
Aerospace workers arrested for hacking
Firms temporarily banned from NASDA bids
TOKYO, Japan (AP) -- Three workers at a major Japanese aerospace company
were arrested Thursday for allegedly hacking into the computer network of
Japan's space agency to spy on a rival company, a Tokyo Metropolitan Police
spokesman said.
Shunsuke Migita, 28, Shoichi Motohashi, 44, and Masao Amano, 40 -- all
employees at NEC Toshiba Space System Co. -- were charged with illegally
obtaining Mitsubishi Electric Corp.'s antenna designs for a high-speed
Internet satellite from a computer at the National Space Development Agency
in December, the spokesman said on condition of anonymity.
Police believe Migita figured out the password to gain access to the
agency's computer system.
NASDA discovered the breach in February when Migita sent an e-mail to a
list of more than 80 people boasting about it. The list included Motohashi
and Amano, the agency said.
NEC Toshiba Space System, a joint venture set up by Japanese electronics
giants NEC Corp. and Toshiba Corp., is developing its own satellite for
superfast Internet connections. NEC and Toshiba have evenly divided work on
the project.
Following the discovery of the break-in, NASDA banned both NEC and Toshiba
from bidding for agency-related projects for one month.
*****************
Computerworld
Security Under the Gun
After Bruce Lobree, an information security engineer and a 20-year IT
veteran, lost his job in October, he decided to work for contracting firms
such as RHI Consulting in Menlo Park, Calif., while waiting out the
recession. Since then, Lobree has met client after client who wants a
jack-of-all-trades - someone who can administer any brand and version of
firewall and intrusion detection, is network-savvy, can code and is versed
in new technologies like XML, .Net and wireless.
Clients also want someone who can speak in terms of return on investment to
sell projects to executives and who knows everything about the client's
business, including its regulatory issues.
"I have peers going back for their MBAs," says Lobree, who has spent six
months charting cross-industry regulations and standards affecting security
and privacy to meet his clients' needs.
Everyone predicted that IT security jobs would be hot after the Sept. 11
terrorist attacks, but the reality is quite the opposite. Would-be
employers say that their security budgets are flat, that risk and threats
are rising, and that they're being asked to do more with less because of
staffing shortfalls elsewhere within their IT organizations.
For example, in addition to network monitoring and intrusion detection, a
security analyst might also have the security responsibilities of laid-off
Windows NT and Unix administrators, explains David Foote, president and
chief research officer at Foote Partners LLC, an IT workforce research firm
in New Canaan, Conn.
So rather than focusing on hiring people for their specific security
skills, corporate IT managers are looking inside their IT organizations for
the right combination of technology and business acumen and then training
workers in the ways of computer forensics, intrusion detection and incident
response.
"Certifications and technical security expertise aren't my first criteria
in placing a security specialist," says Mike Hager, vice president of
network security and disaster recovery at OppenheimerFunds Distributor Inc.
in New York. "I'm looking for other important factors: Do you understand
how the business works? Can you put this in perspective of easier, better,
faster and then sell it to the company? Are you a team player? Do you
understand the technology basics so I can teach you the rest?"
Monitoring and Response
As at other firms, hiring at OppenheimerFunds is flat overall. But that
doesn't stop Hager from dedicating existing resources to new security
problems. For example, he has sent two of his team members to the
University of Denver to study database security.
Hager has been assigning more training in intrusion detection and incident
handling, a move that's consistent with what other firms are doing, says
Bill Kasko, division director at RHI Consulting's staffing office in
Dallas. Although security jobs are scarce, Kasko says he's seeing more
client requests for administrators with knowledge of how to handle
cyberattacks, network monitoring and intrusion-detection programs.
"Companies are looking at vulnerabilities across every bit of their
organizations, even in their wireless systems," he says. "That takes a
basic understanding of network topology in addition to an understanding of
legal and compliance issues, which must trickle all the way down to the
security analyst level."
Despite the specialized technical nature of IT security work, employers are
more concerned with soft skills. For John Hartmann, vice president of
security and corporate services at Cardinal Health Inc. in Dublin, Ohio,
key skills include the ability to learn, build relationships and understand
business requirements.
Hartmann has provided his staff with training in security policy
development and implementation, compliance (particularly with the Health
Insurance Portability and Accountability Act) and best practices that are
the foundation of the company's vulnerability assessment program. Because
he possessed the core skills Hartmann considers prerequisites, Ed Daniels
was propelled from telecommunications networking manager to information
protection director two years ago at Cardinal, a $49 billion medical
supplies and services conglomerate. His networking management work put him
in daily contact with other business units, so critical relationships
already existed. On top of that, Daniels has a passion for learning, says
Hartmann.
Daniels builds his own staff using a similar approach. The company's
intrusion-detection analyst, who transferred from Cardinal's pharmaceutical
automation group, was picked for his diverse systems and customer service
background. The vulnerability assessor came from another Cardinal division,
where she provided Unix and database support. She was hired for her writing
and relationship-building skills. Even the two analysts hired from outside
the firm had little security background.
"All my analysts have diverse backgrounds that would add something to the
team," says Daniels.
Cardinal and OppenheimerFunds aren't alone in their approaches to skills
building. Because of layoffs and budget cuts, IT managers are being forced
to retrain existing staff on security issues, says Alan Paller, director of
research at the SANS Institute in Bethesda, Md. More than 12,000 students
went through the SANS Global Information Assurance Certification program
last year, and Paller said he expects that number to be about 16,000 this
year.
Meanwhile, the roles of senior-level security managers are also expanding,
according to Tracy Lenzner, founder and CEO of security executive search
firm Lenzner and Associates in Las Vegas. As is the case with other IT
positions, there's very little hiring of security managers going on, she
says, and those who still hold security jobs are picking up global
responsibilities, particularly where government liaison and international
legal issues are concerned. Security professionals with these types of
responsibilities are earning salaries of $150,000 to $300,000 per year,
says Lenzner, who adds that a handful of executive-level jobs even command
seven-figure salaries.
"Security executives must be expert in government regulations,
cyberterrorism protection, private-/public-sector partnerships like the
critical infrastructure and homeland security, even physical security," she
says. "So a lot of these candidates come from government backgrounds."
One such person is Charles Neal, vice president of managed security
services for business hosting provider Exodus, a unit of Cable & Wireless
PLC. Neal, who was promoted to the position six months ago, having joined
Santa Clara, Calif.-based Exodus as director of its cyberattack "tiger
team," had been a special agent in the FBI's computer crime squad in Los
Angeles.
"There's great expectations within the FBI to work with embassies around
the world, a necessity in the borderless Internet world," says Neal.
"There's a lot of carry-over from the FBI to the private sector that people
wouldn't expect."
Like his peers at Cardinal and OppenheimerFunds, Neal also looks for
business and soft skills from his technical team. When he finds articulate
security professionals who are good at relationship-building and have a
strong work ethic, he mentors them to take over some of his own workload.
Team-building through mentoring and training are critical first moves in
preparing a staff and building loyalty for what Foote predicts will be a
"hiring bubble" in the first half of next year. That's when he expects
CEOs, under pressure from shareholders, to fund more information security,
he says. But with a short supply of IT security professionals who are savvy
in both business and technology, IT security leaders should be planning
their hiring strategies now, he adds.
Says Foote, "If you're not putting your rebranding plan together in
security right now, that small pool of talent of hybrid security workers
will be long gone when your CEO is ready to sign that check."
*******************
News.com
Pop-under ads may hit publisher wallets
By Stefanie Olsen
Staff Writer, CNET News.com
Pop-under advertisements, the oft-annoying windows that spring up after a
requested Web page, might pack a financial punch to the publishers
supporting them if one dot-com has its way.
ExitExchange, an ad-technology provider that is claiming rights to the
invention dating back to 2000, had its patent application published by the
U.S. Patent Office last week. The filing broadly covers any systematic
delivery of a window launched after another, including those on devices
such as cell phones. If its application is approved, ExitExchange will have
rights to collect royalties on the use of pop-under ads.
That would be a direct hit to the pocketbooks of Web publishers such as
NYTimes.com and ad networks such as DoubleClick, which have adopted the
imposing ad format, among many other types, to better lure marketers during
a tough economy. Yahoo, for example, started running pop-under ads last
year amid concerns about its weakening online advertising revenue.
Pop-unders have become a kind of calling card for companies such as X10, a
seller of tiny surveillance cameras, and travel site Orbitz because they
can blanket the Internet with promotions at a cheaper price than direct
mail. The ads are also thought to get higher response from consumers than
standard display ads on Web sites.
Some ad industry executives are quick to point out that claiming rights to
the invention may be a tall order, given the history of experimentation in
online advertising. But patent experts say the ephemeral nature of the
Internet could make it a cinch to pass the Patent Office's approval process.
Greg Aharonian, who publishes the Internet Patent News Service and works
with law firms to vet patent claims, said that anyone who wants to debunk
ExitExchange's application would have to find a technology or reference to
the practice before 2000, or what's called prior art. This might be tricky,
he said, because the descriptions for inventions or practices often change.
A Web site operator of an adult site, for example, may have used pop-under
advertising prior to 2000, but the technology may not have been documented.
Someone would have to find reference to such a practice in an article or
journal to undermine the patent claim.
Such a daunting task is the primary reason many patent applications go
unchallenged and are easily approved by the Patent Office, which only has a
couple hours to review each application before making a decision, Aharonian
said. Critics say this has caused a great number of patents to be passed
that are based on simple, commonsense ideas that merely capitalize on the
system. A child, with the help of his patent attorney father, recently
seized on a patent for swinging sideways on a playground swing, for example.
"A lot of these ideas are indeed stupid, and if you have some manner of
time you can find something to kill it," Aharonian said. "In fields like
software, there is an abundance of prior art. But if the examiners don't
have the time then they'll have to issue it."
A "more polite" ad
Andrew Vilcauskas, founder and CEO of ExitExchange, said he thought of the
idea while owning and operating an Oregon-based Internet service provider
in the late '90s. He said he saw several complaints from ISP customers
about pop-up advertising, or ads that launch over a Web page. This gave him
the idea to create a "more polite" form of advertising, which would be
triggered once the Web surfer was done viewing a page. He said testing for
this form of marketing began in 1998 and his company ExitExchange launched
the ads in 2000.
ExitExchange has a network of about 40,000 publishers that display
pop-under ads, Vilcauskas said.
"The importance of this is that pop-unders have become the flagship
offering of the major portals," he said. "Our ultimate hope is that we
would bring our licensees to all agree to a standard for behavior for these
ads that would be palatable for the surfers out there."
FastClick, another pop-under technology provider founded in April 2000,
started running the ads in October of the same year. The company has an ad
network of about 4,000 publishers running the promotions.
Dave Gross, CEO of FastClick, said the company is looking into the patent
claim but would not comment further.
New York Times Digital said it could not comment on the patent application.
It did say that it had not heard of ExitExchange and was not aware of the
application. DoubleClick and Yahoo could not be immediately reached for
comment.
According to its patent application, ExitExchange is claiming rights on
pop-under advertising since May 2000. Specifically, the invention "is
directed to a post-session advertising system that may be used in media
such as computers, personal digital assistants, telephones, televisions,
radios and similar devices," according to the filing.
"A viewer initiates a load-triggering event and in response, a post-session
platform is opened to display a post-session display in the background of
the media," the filing reads.
Preparing to make them pay
Karen Oster, patent attorney for ExitExchange, said the company is
confident that no one can claim prior art on the invention.
"All these people that are infringing--if the patent is approved the way it
was published, then they would be liable for a reasonable royalty from the
date at which they had actual notice of the published patent application,"
Oster said.
The back payments would be required by a relatively new law, the American
Inventor's Protection Act, which was enacted in November 1999 and came into
effect the following year. It allows for the publication of inventors'
patent applications, a common practice in foreign countries, and it grants
rights to the approved patent going back to the time its application was
published.
This means that if the patent is approved, which could take anywhere from a
year to several years, companies regularly delivering pop-unders, including
DoubleClick and NYTimes.com, would need to pay royalties on the ads from
the time the patent was published, Feb. 14, 2002.
Still, marketing technology companies may have a strong incentive to find a
prior instance of pop-under advertising.
"That's what it's going to come down to: the claim on that one window
popping up after another," Aharonian said.
************************
Lillie Coney
Public Policy Coordinator
U.S. Association for Computing Machinery
Suite 507
1100 Seventeenth Street, NW
Washington, D.C. 20036-4632
202-659-9711