
Clips June 3, 2002





ARTICLES


Panel Releases Blueprint for Internet Reform
Digital TV Founders on Fears of Internet Piracy
A Hot Deal on Spy Gear - Air Force parts for sale on eBay
DOT Standing Firm on Airline Deadline
In Terror War, Privacy vs. Security
Questions About Online Data
Privacy Is Common Issue Online
Suit Unmasks Louisiana Professor and Shuts Down His Controversial Web Site
eSlate gets voters' approval
Many Dot-Name Domains Break The Rules - Study
VeriSign to Help Telecoms With Wiretap Orders
Fee-Based Networks Making a Connection
Transforming Congress
Fingerprint Scan Spurs Debate
Studying counterterrorism
Bringing science to homeland security
State CIOs advise on homeland security plan
Guidelines open data, Web to FBI
Carnivore bites off too much
FirstGov revs search engine
Secure way forward for digital TV
OMB: E-gov projects will help reduce bad payments
Germany gives Microsoft the cold shoulder
Wild About Wi-Fi
Broadband users cut into cable
Fighting Web Fraud
Workplace e-mail is not your own
Aerospace workers arrested for hacking
Security Under the Gun
Pop-under ads may hit publisher wallets

******************
Reuters
Panel Releases Blueprint for Internet Reform

WASHINGTON (Reuters) - The group that oversees the Internet's traffic system moved closer to a complete overhaul over the weekend when a committee recommended changes aimed at making the controversial body function more smoothly.


In a report released late Friday night, a committee set up by the Internet Corporation for Assigned Names and Numbers recommended that the group retool its internal structure and change how corporate directors are chosen, but rejected a proposal to bring governments on board.


The committee, which consists of four of ICANN's 19 directors, emphasized that its report did not represent the official views of the entire ICANN board. But the report came out five days after the committee met privately with the other directors to come up with a rough consensus over how the global body should operate in the future.

"For ICANN to be successful in the future, when it will face even more difficult challenges, it must evolve into a more effective entity," the report said.

The committee asked for public feedback and said it hoped to approve a reform plan when ICANN next meets in Romania at the end of June.

Created to control the domain-name system that enables Internet users to find Web pages by typing in names like "www.example.com," ICANN has been plagued since its inception with questions about how it should function and who should participate.

In February ICANN's president, M. Stuart Lynn, recommended that the group abandon online elections and instead rely on a "nominating committee" to pick the board members who were not chosen by technical and business groups.

Lynn's plan drew widespread opposition from critics who said it would reduce accountability as the planet's 500 million users would no longer have a direct voice. At a meeting in March, ICANN ruled out future elections and set up the committee to fine-tune Lynn's plan.

The restructuring committee, which is made up of four of ICANN's 19 directors, rejected Lynn's proposal to give national governments control of one-third of the board.

But the committee upheld other key Lynn proposals. Under the committee's plan, seven seats on the ICANN board would go to groups representing domain-name sellers, security experts, government delegates, and other established technical and commercial groups.

The international community behind "country code" domains such as France's ".fr" would also get a seat.

Another five to 11 seats would be chosen by a nominating committee to represent the Internet community as a whole, but the report declined to say who would sit on that committee.

Outsiders could file complaints with an ombudsman, or go to an independent arbitration forum if they believed the group was violating its bylaws.

ICANN should steer clear of any attempts to control online content, the report said.
*******************
Washington Post
Digital TV Founders on Fears of Internet Piracy


Congress has mandated that television broadcasts in the United States go digital, but two of the industries involved in that transition are stuck on a little problem called the Internet.

Movie studios worry that digital-TV viewers will share programs over the Internet, just as many music fans share MP3 files online. Consumer-electronics companies fear that the studios' proposed piracy countermeasures would force them to make products that nobody wants to buy. Yesterday, this gridlock caused a major working group to miss its deadline for recommending how to stop digital TV broadcasts from being shared over the Internet.

The Broadcast Protection Discussion Group, made up of representatives from the technology and motion-picture industries, began meeting at the end of November to resolve the issue. The group is part of the Copy Protection Technical Working Group, the same industry organization that established the standard for DVD movies' copy-prevention encryption.

Robert Perry, vice president of marketing at Mitsubishi Digital Electronics America and one of three co-chairs of the discussion group, said he had not anticipated the level of disagreement he encountered among its members.

"Can we all agree on a method to keep digital content from being illegally distributed on the Internet? The premise is so simple and crystal clear, it's surprising the amount of debate it's created," he said, citing a last-minute flurry of criticism from consumer-electronics manufacturers, consumer groups and others.

"Everybody except chicken farmers and professional wrestlers submitted comments," said Perry, who estimated that the combined objections submitted to the group would amount to hundreds of pages. The group now plans to meet this weekend and finish its report on Monday.

Most of those who commented object to various points of a rough draft of the discussion group's report, released in May. Tech-policy groups such as the Electronic Frontier Foundation have argued that proposals in the report would prevent consumers from recording some television shows for their personal viewing or sharing recordings with friends. They have also assailed the discussion group's closed-door policy.

Tom Patton, vice president of government relations at Philips Electronics, a member of the discussion group and a critic of its secretive workings, spent yesterday waiting for the report and was upset to have not gotten any official word of the delay.

"Where the heck is some notice of that?" said Patton. "I want to go home."

Other member organizations were less concerned. "It's far more important for the report to be complete than quick," said Rich Taylor, vice president of public affairs at the Motion Picture Association of America.
*************************
MSNBC
A Hot Deal on Spy Gear
Air Force parts for sale on eBay


June 10 issue - The Air Force Office of Special Investigations is trying to determine how a shipment of sensitive Air Force aircraft communications parts wound up in a worldwide auction on eBay, NEWSWEEK has learned. Rogue nations such as Iran routinely seek replacement parts for their U.S.-manufactured military planes.

ANTIQUES DEALER NORB Novocin put the parts, which are used in the SR-71 spy plane, the F-16 fighter, KC-10 aerial tankers and C-5 Galaxy giant cargo jets, up for sale on the auction site. He says he bought the sofa-size crate full of parts for $244 from A&A Transfer, which shipped it in 1989 from Dover Air Force Base in Delaware. The parts were destined for the Warner Robins Air Logistics Supply Depot in Georgia, but never made it. Apparently no attempt to locate the missing items was ever made. The crate sat in A&A's storage space for 12 years before it was put up for auction in Jacksonville, Fla., four weeks ago as unclaimed property.
Novocin says he bought the parts without realizing what they were. After researching the items, Novocin says he learned that 11 of the 18 items he purchased were coded "D," which demands total destruction and does not permit public ownership in a condition other than scrap metal. Novocin contacted Warner Robins, but he says it did not want his wares and suggested he sell them on eBay.
During the seven-day auction on eBay that ended May 29, Novocin says he sold four items, including an X-Band Weather Radar Modulator for $500 and a high-frequency radio circuit card for $32. Air Force officials were not aware that the items were being sold before being contacted by NEWSWEEK. "Oh, my God," said one official after viewing the list of items being offered on eBay. "This is now under active investigation by the OSI," says Lt. Col. Mike Caldwell, the Air Force public-affairs chief at the Pentagon. Novocin says that Air Force OSI has contacted him and asked him to refrain from selling or shipping the communications items and to return the materials to the government. Novocin says he has turned over the names and addresses of the purchasers and is cooperating fully with the OSI's requests. He says the OSI has offered to buy the parts back.
**********************
Reuters
DOT Standing Firm on Airline Deadline
Mon Jun 3, 3:14 AM ET


WASHINGTON (AP) - The Bush administration is turning aside a call by airport officials to reconsider a Dec. 31 deadline for mandatory screening of all checked baggage.


A key lawmaker says, however, that Congress may revisit the matter.


Officials of 39 airports wrote Transportation Secretary Norman Y. Mineta last week asking him to pressure Congress to push back the deadline. They said the current timetable is apt to cause major problems for passengers and flights.

"We're not sure airports will be able to operate on Jan. 1," said Larry Cox, chief executive of the airport in Memphis, Tenn. "It's just not going to work unless we slow down and do it right."

The letter warned of "harried installations" of explosives detection machines in airports that have little space for new equipment. It said the changes "promise to disrupt passenger flows and further increase the hassle of air travel."

Mineta has maintained that while it will be difficult, several types of machines can be in place before 2003 to check approximately 1 billion bags a year for explosives. The screening is required by an airline safety law passed after the Sept. 11 attacks.

Transportation Department spokesman Chet Lunner said Sunday that while Mineta understands industry concerns, he "is dead set about meeting the letter of the law, and we will."

"The law doesn't give us an option of relaxing the deadlines," Lunner said.

Rep. John Mica, R-Fla., chairman of the House Transportation and Infrastructure subcommittee on aviation, said that acquiring the equipment and hiring screeners by the end of the year will be a challenge. He said Congress probably will reconsider the issue after fall elections.

"I think there will be a major crisis, and the Congress will revisit it," Mica said.

The letter was signed by leaders of airports which handle a majority of the country's air traffic, including Atlanta, Dallas, Denver, Detroit, Houston, Indianapolis, Las Vegas, Memphis, Washington, Orlando, Phoenix, San Francisco, St. Louis and Charlotte, N.C.

Mineta has said that large $1 million explosives detection equipment will be installed in some airports, while others will have smaller, less expensive machines.
*****************
Washington Post
In Terror War, Privacy vs. Security
Search for Illicit Activities Taps Confidential Financial Data


In the amorphous war on terrorism, government officials believe they have a new weapon: the growing number of financial institutions that use powerful technology to monitor confidential customer activity and report suspicious behavior to law enforcement and intelligence officials.

Driven by little-known provisions of the USA Patriot Act, the anti-terror legislation that was approved after Sept. 11, banks, securities firms and other companies are deploying computer systems that draw together millions of transactions, sometimes automatically, in searches for money laundering, terrorist financing or other unusual patterns.

"The Patriot Act is imposing a citizen-soldier burden on the gatekeepers of the financial institutions," said David Aufhauser, general counsel at the Treasury Department and head of an inter-agency task force on terrorist finance. "In many respects, they are in the best position to police attempts by people who would do ill to us in the U.S., to penetrate the financial systems."

Federal regulators three years ago tried to impose similar monitoring requirements on financial institutions to combat money laundering but dropped their plan, known as "know your customer," after it caused an uproar among consumers concerned about their privacy. Now some specialists believe the scrutiny of consumers on the government's behalf is going even deeper.

"Sept. 11 obviously made us totally rethink where to draw the line with respect to government access to customer information," said David Medine, a former financial privacy specialist at the Federal Trade Commission.

"The question going forward is: Did we draw that line in the right place?" Medine said. "It is really a fundamental civil liberties issue."

The increased financial scrutiny is part of an expanded campaign by the government to tap into public and confidential data in search of people who pose terrorist threats. The push relies heavily on data and analytical tools, some of them developed in the 1990s for direct mail, credit-card offers and other kinds of targeted marketing.

As directed by the Patriot Act, Treasury Department regulations require that securities firms, money-services businesses and broker-dealers file reports on suspicious activity, something banks have been doing for several years. Those firms, along with mutual funds, operators of credit-card companies and some other financial companies, also must have anti-money-laundering programs.

Congress also said that financial companies must authenticate new customers, check their identities against government watch lists and maintain records for government scrutiny.

The law encourages financial institutions to share information among themselves about customers suspected of being involved with terrorism or money laundering, and it gives them protection from legal liability for doing so. In addition, it gives law enforcement and intelligence agencies greater access to confidential information without a subpoena while also requiring that credit bureaus secretly turn over credit reports to the CIA, National Security Agency and other intelligence agencies when presented with a request signed by a senior agency official.
*********************
New York Times
Questions About Online Data


CAN the easy distribution of data promised by the Internet actually bring the type of scrutiny that ultimately leads to less information being available?

That is the question being raised by a new law called the Data Quality Act, which requires the government to set standards for the accuracy of scientific information used by federal agencies. It is the latest move from Washington highlighting the balance of risks and rewards when disseminating information on the Internet.

The law, which takes full effect on Oct. 1, creates a system under which anyone could point out errors in documents; if an error is confirmed, an agency would have to remove the data from government Web sites and publications.

The Data Quality Act, along with recent efforts by government agencies to scrub their Web sites of information to guard national security, indicates a substantial shift to a more conservative culture of information, said Darrell West, a political scientist at Brown who tracks government information on the Web.

Though the Internet created fewer fortunes than had been expected, it did deliver riches of information, creating an age of government disclosure not seen before. Not so long ago, the mantra was openness; some legislators even scrambled to get lists of campaign contributors into cyberspace where the voters could see.

But that age may be over.

"The open-access people just put things online and worried about the consequences later," Professor West said. "Now we're hitting the consequences."

The Center for Regulatory Effectiveness, a primary backer of the Data Quality Act, has already started requesting changes in government information that is published in print and online.

This year, the center requested that the United States Global Change Research Program withdraw dissemination of the National Assessment on Climate Change on the basis of "numerous data quality and scientific flaws," according to a letter posted on the group's Web site.

The center also asked the Environmental Protection Agency to modify its Web site on global warming to reflect the scientific uncertainties about global climate change.

William Kelly, western representative for the center, said the poor quality of federal data created problems for everyone who used it, from regulators to consumers.

"With the blossoming of the Internet, it's turned into a huge problem for industry," Mr. Kelly said. "Agencies were encouraged to post virtually everything on the Internet. It wasn't such a problem when people had to go through a Freedom of Information Act request."

Some watchdog groups say that agencies need to create policies on how to treat information on the Internet, arguing that otherwise, haphazard decisions would lead to more restrictions.

"The problem is, it's much easier to make decisions about taking down information," said Ari Schwartz, associate director of the Center for Democracy and Technology, a nonprofit group in Washington. "The policy seems to be, take everything down, and we'll make decisions later."

Employees of the Interior Department learned the consequences of that approach earlier this year, when a federal judge ordered all the department's computer communications shut because its Web sites were vulnerable to hacking. Agencies fielded complaints from a wide range of people, from those planning vacations to national parks to those seeking the status of bird species. Most of its Web sites have since been restored.

Removing information from Web sites became more of a government interest after Sept. 11, as agencies took down information they thought might be useful to terrorists.

A nonprofit group in Washington called OMB Watch is trying to assess just how much information agencies removed from public Web sites under the new directives. The group sent requests under the Freedom of Information Act to a dozen agencies in January. So far, only the Environmental Protection Agency has sent back a list.

According to OMB Watch, E.P.A. officials have restored much of the information that they withdrew from its Web sites last fall, including pages dealing with watersheds in New York City and the Envirofacts database, which allows users to retrieve information about air pollution, chemicals at government and business installations, water pollution and grants.

Responses to the group's inquiry indicate that other agencies may have removed a significant amount of information from the Web. The Energy Department, according to OMB Watch, reported that it had stacks of information waiting to be organized before it could be sent.

"We have nothing we can nail them down on, and we have no index of what they had in the past," said Sean Moulton, a senior policy analyst with OMB Watch. He said the directives to remove data and the new data-quality guidelines were part of "an overarching mosaic that is about restricting information and removing information from public access."

"Unfortunately," Mr. Moulton said, "Sept. 11 is being utilized as a pivot point for industry to push an agenda they already had."

OMB Watch has advocated creation of an office that would oversee what data agencies publish online and the security measures they use.

But even when done with care for quality and security, publishing on the Internet can still bring unexpected trouble to agencies.

Five years ago, the Social Security Administration set up a service on its Web site that let individuals look up their income histories and check what benefits were available. People had to enter five pieces of information: full name, Social Security number, date of birth, place of birth and mother's maiden name.

"By requiring those five items, we felt that was adequate security. It was addressed," said Mark Hinkle, a spokesman for the Social Security Administration.

That is more information than most people need now to check their bank accounts online, but the agency received a letter from several senators with concerns that hackers could steal individuals' personal information from the site.

Though no fraud was ever reported, the agency took down the database. Now, Social Security sends earnings records each year by mail.
********************
New York Times
Privacy Is Common Issue Online


THOUGH businesses and their customers have largely taken divergent paths to e-commerce--businesses promoted it endlessly; consumers embraced it tepidly--these two groups are in lock step on at least one issue: online privacy.

They both profess concern, but do little about it.

This reality is underscored by a report to be issued today by Jupiter Research, the online consulting company, which found that businesses and their customers barely lifted a finger to protect individual privacy online, but fretted outwardly about the possible abuses of personal information and the chilling effect on Internet spending.

Although 70 percent of online consumers say they are worried about online privacy, the study found, just 40 percent read Web site privacy statements, and 82 percent would give personal information to new shopping sites in exchange for a chance to win $100 in a sweepstakes.

The business attitudes toward online privacy are slightly more difficult to quantify, but Rob Leathern, who wrote the Jupiter report, said that most companies budgeted less than $40,000 annually for online privacy initiatives.

It has been increasingly clear over the last year that consumers and businesses have been talking out of both sides of their mouths on the online privacy issue, but the Jupiter report suggests that businesses are nonetheless losing what could be an easy opportunity to score points with consumers by crafting privacy-friendly policies, and failing to head off a movement in Congress to force-feed those principles to businesses.

"If you make it easy for customers to exercise their privacy rights, they will do it," Mr. Leathern said. But, he said, such thinking is beyond the scope of most corporations today, "since companies are spending all their money on C.R.M.," shorthand for customer relationship management technology.

With a sophisticated system, a company's customer service representative could, for instance, look at a computer screen when a customer calls with a problem, and see her entire purchasing history, be it through a catalog, a Web site or a store, while also seeing prompts for product recommendations or the optimal length of time to spend on the phone, given the customer's value to the company.

For consumers who do not necessarily trust corporations to treat their personal information with the proper amount of respect--whether that involves not sharing it with other companies or keeping it secure--the push to adopt such technologies should be further reason for anxiety, Mr. Leathern said.

"You don't see a lot of companies putting together all the pieces, and understanding the implications of bringing all this data together and letting all these people inside the company see all the data," Mr. Leathern said.

That is bad news not just for consumers, he said, but also for the companies that lined up in 1999 and 2000 to serve what they thought would be a rising demand for privacy-enhancing technologies. Companies like Zero-Knowledge Systems, SafeWeb and others initially offered products that helped people surf anonymously or manage the information companies could collect about them online.

But consumers were unwilling to pay for such technologies, and advertisers were unwilling to pay enough to reach the visitors these sites and others attracted, so the privacy technology companies turned to Plan B, as in B-to-B. Aside from selling their consumer technologies to companies like Hewlett-Packard to install on new computers, as is the case with Zero-Knowledge, privacy technologists have also been adapting their products to suit other corporate needs.

For instance, SafeWeb originally gained notoriety in 2000 and 2001 for creating technology that let Internet surfers avoid being tracked. Late last year, it began packaging its software inside an appliance that helps keep communications between corporations, remote partners and employees secure and private.

Other companies like Watchfire, Privacy Council and PrivacyRight have devised technologies that help companies manage the flow of customer data, and detect when it is being used in a way that could violate government regulations or the companies' stated privacy policies.

But with companies moving slowly on the privacy issue, despite the ongoing prospect of additional government regulation, these privacy technologists are digging in for a long, hard sell.

Austin Hill, co-founder and chief strategy officer of Zero-Knowledge, said: "You'll start to see more activity on this in the next year and a half to two years. A lot of organizations have moved beyond questions like, 'What's our privacy policy?' And now they're looking at what tools they have to help manage it."

Technology companies see some hope in corporations like the RBC Financial Group, which operates the Royal Bank of Canada and RBC Centura Bank in North Carolina, among others, and has used what analysts regard as a progressive privacy policy to differentiate itself from competitors.

W. Peter Cullen, RBC's corporate privacy officer, said that in the last two years the company had used about 15 different programs to show consumers that it was striving to exceed government-mandated privacy regulations for financial service providers in the United States.

For instance, the company is preparing to give away so-called personal fire wall software to its online banking customers, after a successful test of the offering last year. RBC also delayed the rollout of wireless banking until it found a Nokia phone with a chip allowing customers to encrypt passwords and other information.

"You do that sort of thing enough, and it starts to drive people's positive perception of your brand," Mr. Cullen said.

RBC has tried to quantify the effects of its privacy policies, relying on research suggesting that 7 percent of a customer's buying decision relates to privacy issues. Using that and other assumptions, Mr. Cullen said RBC's privacy policies were responsible for $700 million worth of consumer banking business.

Over the last two years, some observers have said that these types of aggressive privacy initiatives would force competitors to follow suit. But that has not yet been the case.

E-Loan and Expedia began subjecting themselves to voluntary privacy audits by PricewaterhouseCoopers in 1999 and 2000. The audits have helped demonstrate that the companies' internal data-handling methods are consistent with their privacy policies, but they have not sparked much interest among competing companies.

Expedia, which received another passing grade for privacy from PricewaterhouseCoopers in April, acknowledged that its lead had not been followed by competitors. Suzi LeVine, Expedia's director of product marketing, said the company still gleaned benefits from the audits, in that it learned about how to improve its data handling.

As for whether the audits, and the PricewaterhouseCoopers seal of approval on Expedia's site, have helped it gain customers, Ms. LeVine said it was hard to tell. "But we believe it's the right thing to do," she said, "and we'll continue to try to get people to recognize that value."

Ms. LeVine would not disclose the cost of the audits, but E-Loan has said they cost about $120,000 a year, not counting lost staff time. In an Internet economy where both cash and staff are in short supply, and where there is a surplus of consumer apathy when it comes to privacy, it is little surprise that not many companies are following suit.
*******************
Chronicle of Higher Education
Suit Unmasks Louisiana Professor and Shuts Down His Controversial Web Site
By DAN CARNEVALE


A professor who anonymously ran a Web site that criticized administrators at the University of Louisiana at Monroe revealed his identity last week, and the site was shut down, after a vice president of the university sued the Internet company that hosted the site.

John L. Scott, an associate professor of economics at the university, disclosed that he has operated the Truth at ULM Web site, which discusses news and rumors about the university.

Richard L. Baxter, vice president for external affairs at the university, had previously sued in both federal and Louisiana courts to have the Web site's proprietor named; those proceedings are still pending. In April, he sued Homestead Technologies of Menlo Park, Calif., the site's Internet provider, in the Federal District Court for the Western District of Louisiana. The suit seeks $75,000 in damages, alleging that the company took no action against the site even though, according to the lawsuit, it had defamed him and others.

Under his contract with Homestead, Mr. Scott was obligated to protect the Internet company from financial harm, so the suit essentially forced him to choose between paying Homestead's legal costs or closing the site. Mr. Scott took the latter route.

He told the university's president, James E. Cofer Sr., about his role in the site on May 22 and then went public on Thursday.

Although Mr. Scott took a number of precautions to hide his identity, he had figured it wouldn't stay a secret forever. "I thought it was a very real possibility that the identification would come out," he said Friday.

The Web site had posted articles critical of university administrators, including its previous president, Lawson L. Swearingen Jr., who resigned in September. Mr. Baxter, the university's vice president of external affairs, was referred to at one point on the Web site as "the vice president of excremental affairs."

Joshua Weinberg, director of communications for Homestead Technologies, said the company had an agreement with Mr. Scott that if the company were ever sued because of the Web site, Mr. Scott would have to accept full financial responsibility.

After the company was sued, Homestead Technologies officials asked Mr. Scott whether he wanted to reveal his identity instead of paying its costs in the lawsuit. "He was required to protect us financially," Mr. Weinberg said. "We chose to give him another option."

But Mr. Scott said the company asked for $75,000, which he said was hardly an option he could afford.

Mr. Baxter said uncovering the identity of the Web-site operator was not meant to leave the professor vulnerable for personal attack. "I never had a concern about who the person was," he said. "It's about being libeled or not being libeled."

Mr. Baxter's lawsuit was filed against up to six anonymous Web-site operators. Mr. Scott would not reveal whether he was working with anyone else, except to say, "I had sources."

Mr. Scott said he doesn't expect to lose his job over the ordeal. "I've been given reassurances by the president," he said.

Mr. Cofer, the president, would not comment about the situation. Instead, he released a brief written statement saying open discourse should not be conducted anonymously.

But Mr. Scott said he doesn't feel the need to criticize university administrators anymore. Calling the current administration "a breath of fresh air," he said the people who run the university now don't keep secrets from the faculty members.

"There's no need for a Truth at ULM Web site with these guys," Mr. Scott said.
**********************
Los Angeles Times
Dot-Coms' Bust Is a Boon to Classrooms
Education: Laid-off tech employees are rejoining work force as public school teachers.
By JENIFER RAGLAND
TIMES STAFF WRITER


June 3 2002

Tera Creech has cracked genetic coding as a researcher for a biotech firm and taken apart software programs as a skilled technician for a booming dot-com.

But that's nothing compared to what she plans to do next: teach high school science.

Creech is one of about 200 laid-off technology workers in California who are rejoining the work force as public school teachers. With help from a $1.6-million state grant, they are bringing their science degrees and high-tech backgrounds into a public school system that is facing a severe shortage of qualified math and science instructors.

Creech, 25, a biology major from California Lutheran University in Thousand Oaks, used to spend most of her days sitting in front of a computer in an isolated cubicle. Her job was trouble-shooting software programs.

She was laid off from Camarillo-based eLabor.com in September--along with about 90 other workers--just weeks before she gave birth to her daughter, Abigail, now 7 months old.

This fall, Creech will stand in front of 30 hormone-charged teenagers and attempt to get them excited about biology and chemistry.

But she's confident she is up to the challenge.

"I'm a little bit nervous, but definitely excited," said Creech, who also worked as a research assistant at biotechnology giant Amgen Inc. "Part of the reason I went into science was because I had teachers who made it fun and interesting. I want to open that world to kids."

Ventura County and four government agencies in the Silicon Valley were awarded grants from the state Employment Development Department in March to create the Technology to Teacher program.

Participants can apply for grant money to pay for tuition, books, testing fees, counseling and other support services, said Suzanne Schroeder, department spokeswoman. The program is run through local job centers.

The idea was for the incentives to make the difference for displaced tech workers who otherwise would not choose to go into teaching, particularly because the job pays at least $20,000 a year less than most private-sector technology positions.

"I think it has been an influence," said Amy Fonzo, who is coordinating the effort in Ventura County. "Many of them were looking for another technology position, and decided to go into teaching instead."

The largest chunk of the state money--$536,000--went to the North Valley Job Training Center in Sunnyvale, which is the part of the state hardest hit by the dot-com crash and tech-industry downsizing.

About 100 people likely will take part in the program there, said Director Mike Curran, including 25 who will start taking classes toward a credential at San Jose State University later this month.

Those students plan to get internship jobs at schools while they complete their classes at night, Curran said.

Amy DeMasi, a technical writer who was laid off last fall from Santa Clara-based Applied Materials, is one of them. With a bachelor's degree in geology and a master's in geochemistry, she worked for five years as a technical consultant for the Environmental Protection Agency's Superfund program.

DeMasi moved to the Silicon Valley from northern Virginia two years ago, for a job at Applied Materials that doubled her salary.

But the whole time, she said, she felt her career lacked meaning.

When she lost her job and heard about the state's new teacher training program, she knew it was the right thing to do.

"They need teachers here, and I really feel like my work experience is very valuable," said DeMasi, who wants to teach environmental science in an inner-city high school. "So many people don't understand basic science to be able to do what's right for our country."

With thousands of teachers retiring each year and student populations continuing to grow, K-12 schools across the state are struggling to fill positions, particularly in specialty science fields.

Needs are greatest at middle schools and high schools in urban areas, where percentages of poor and non-English speaking students are highest, state education officials said.

Last year, the state issued nearly 2,700 emergency permits for science teachers, according to the California Commission on Teacher Credentialing.

That's about 20% of the entire science teacher work force, and is the highest number of permits issued for any single subject, said Marilyn Errett, a consultant with the commission.

An emergency-permit teacher may only be hired if a credentialed instructor cannot be found, Errett added.

Creech, whose parents and husband are also teachers, said going into the profession had crossed her mind before.

But when she graduated from college, she said it was tough to choose a lower-paying job with more hoops to jump through in education over a higher-paying and seemingly easier job in business.

"Becoming a teacher can be a very daunting process," Creech said. "I probably would never have done it, and I think what this program is doing is great."

Creech will enroll in Cal State Northridge's credential program in the fall, while also teaching in a public school classroom under an internship program.

It should take her about two years to be fully credentialed.

"I think I'll be feeling a lot more reward, and job satisfaction," Creech said. "I will be able to see that I'm making a difference."
********************
Federal Computer Week
eSlate gets voters' approval


More than one-fifth of the voters in a Charlottesville, Va., city council election last month cast their votes on an electronic system that was making its debut in Virginia, and the majority liked the experience.

An exit survey was distributed among voters to gather feedback on eSlate, the new electronic voting device, and 81 percent returned their surveys, according to Sheri Iachetta, Charlottesville registrar. Iachetta said that 90 percent of respondents who used the new equipment were satisfied, but the remaining 10 percent were not impressed with the electronic tool.

"Some people just don't like computers and electronics," Iachetta said, adding that she was impressed with the technology, especially its accuracy. "The machine will not allow an over vote, making it extremely accurate. Not only was the machine accurate, it worked very quickly as well."

The eSlate device was developed by Hart InterCivic and is about the size of a legal pad. After entering a code to get the correct ballot, voters turn a wheel to select their choice on the screen. Audible signals, large red and green buttons and headphones are available for those who have vision or hearing impairments. Once a voter hits enter on a selection, the vote is shown in bold on the screen. After entering all selections, voters may review their selections before submitting them.

Certification of the eSlate device in Virginia could be near thanks to the success rate achieved during the general election in Charlottesville.

"I truly believe that people are looking forward to getting rid of those punch cards," Iachetta said.

States that have already instituted eSlate as a voting system include Colorado, Maryland and Texas.
*********************
Washington Post
Many Dot-Name Domains Break The Rules - Study
Brian McWilliams
Newsbytes.com Staff Writer
Friday, May 31, 2002; 3:00 PM



Thousands of recently registered "dot-name" domains violate regulations governing the new Web addresses, according to a study released today.


A review of dot-name domains registered before May 16 showed that nearly 6,000, or more than eight percent, fail to comply with registration restrictions approved by the Internet Corporation for Assigned Names and Numbers (ICANN), according to Ben Edelman, a technology analyst for Harvard's Berkman Center For Internet & Society.

The ".name" suffix went live in mid-January, following a preregistration period in which Internet users signed up for 60,000 dot-name addresses.

Under restrictions approved by ICANN, registrations of dot-name domains must adhere to the format "firstname.lastname.name" and must be "a person's legal name, or a name by which the person is commonly known."

But Edelman's review of nearly 74,000 dot-name registrations showed, for example, that more than 100 dot-name domains include the word "domain," while almost 400 include the word "the," and more than 500 registered dot-name domains include the word "family."

Edelman also noted that two people registered dozens of dot-names that bore the names of famous individuals.

While he concedes that "some members of the Internet community may consider such non-compliance unimportant," Edelman said the statistics do not bode well for the opening of registrations for dot-pro domains, expected late this year.

"If we can't even enforce the restrictions on .NAME properly, it's not so obvious that .PRO will turn out so well," said Edelman.

What's more, Edelman said, the large number of apparently commercial or "cybersquatting" dot-name registrations means that "intellectual property owners have to chase after more and more cybersquatters in more and more different TLDs."

Under its agreement with ICANN, Global Name Registry, the firm designated by the Internet governance board to operate the central registry of dot-name domains, is not required to screen registrations and verify whether they comply with ICANN's rules.

Edelman's study of dot-name registrations is on the Web. http://cyber.law.harvard.edu/people/edelman/name-restrictions/


Global Name Registry is at http://www.gnr.com/ .
**********************
Washington Post
In Terror War, Privacy vs. Security
Search for Illicit Activities Taps Confidential Financial Data
By Robert O'Harrow Jr.

In the amorphous war on terrorism, government officials believe they have a new weapon: the growing number of financial institutions that use powerful technology to monitor confidential customer activity and report suspicious behavior to law enforcement and intelligence officials.

Driven by little-known provisions of the USA Patriot Act, the anti-terror legislation that was approved after Sept. 11, banks, securities firms and other companies are deploying computer systems that draw together millions of transactions, sometimes automatically, in searches for money laundering, terrorist financing or other unusual patterns.

"The Patriot Act is imposing a citizen-soldier burden on the gatekeepers of the financial institutions," said David Aufhauser, general counsel at the Treasury Department and head of an inter-agency task force on terrorist finance. "In many respects, they are in the best position to police attempts by people who would do ill to us in the U.S., to penetrate the financial systems."

Federal regulators three years ago tried to impose similar monitoring requirements on financial institutions to combat money laundering but dropped their plan, known as "know your customer," after it caused an uproar among consumers concerned about their privacy. Now some specialists believe the scrutiny of consumers on the government's behalf is going even deeper.

"Sept. 11 obviously made us totally rethink where to draw the line with respect to government access to customer information," said David Medine, a former financial privacy specialist at the Federal Trade Commission.

"The question going forward is: Did we draw that line in the right place?" Medine said. "It is really a fundamental civil liberties issue."

The increased financial scrutiny is part of an expanded campaign by the government to tap into public and confidential data in search of people who pose terrorist threats. The push relies heavily on data and analytical tools, some of them developed in the 1990s for direct mail, credit-card offers and other kinds of targeted marketing.

As directed by the Patriot Act, Treasury Department regulations require that securities firms, money-services businesses and broker-dealers file reports on suspicious activity, something banks have been doing for several years. Those firms, along with mutual funds, operators of credit-card companies and some other financial companies, also must have anti-money-laundering programs.

Congress also said that financial companies must authenticate new customers, check their identities against government watch lists and maintain records for government scrutiny.

The law encourages financial institutions to share information among themselves about customers suspected of being involved with terrorism or money laundering, and it gives them protection from legal liability for doing so. In addition, it gives law enforcement and intelligence agencies greater access to confidential information without a subpoena while also requiring that credit bureaus secretly turn over credit reports to the CIA, National Security Agency and other intelligence agencies when presented with a request signed by a senior agency official.

While law-enforcement officials said the cooperation of the financial services industry is critical to the war on terrorism, some industry officials have expressed concern.

H. Rodgin Cohen, a leading financial services lawyer in New York, said he believes that financial companies may find themselves asking customers about seemingly suspicious but innocent activity that might be embarrassing or involve private matters, such as health care. He predicted that they also will file more suspicious-activity reports, with less evidence, to avoid trouble from the government.

"As long as the government can enlist the financial institution as part of the front-line defense against money laundering and terrorism, it has got to be anticipated there will be more in the way of intrusions on privacy," said Cohen, chairman of Sullivan & Cromwell. "It is just a different manifestation of whether they can wiretap you."

Tracy Calder, chief money-laundering prevention officer at UBS PaineWebber Inc., agreed the new reporting mandates, coupled with the sophisticated monitoring technology, are "absolutely intrusive." But, she said, they will help fight terrorism and crime, something she believes most people will embrace. "Americans are willing to accept more intrusiveness in exchange for security," she said.

The computerized systems create profiles of customer activity, sometimes including more than a year's transactions, and sift through deposits, wire transfers, ATM activity and links among account holders. Mantas Inc., a Fairfax County spinoff from SRA International Inc., a government contractor that works closely with U.S. intelligence agencies, recently demonstrated how its software can monitor millions of transactions a day.

Using data culled from people whose identities were masked, officials showed reports that a bank analyst might receive from an overnight computer review. One report in the demonstration had a risk score of 95 out of 100. A click on a screen that resembled a Web page pulled up a file that showed several unrelated individuals at the same address had, over several days, sent out 18 checks or money orders for a total of $9,000.

Another click on the screen brought up a report about links among five relatively new accounts at different branches of the same bank. Those accounts had transferred $125,000 to another account in Miami. The system noted that the account holder there then wrote a check for $125,000.

While each account on its own did not appear to represent a risk, the coordinated activity set off alarms, said Don Temple, an anti-money-laundering specialist at Mantas and a former special agent at the IRS. "You can only detect suspicious transactions today with sophisticated data-mining and pattern-recognition software," Temple said.

Experts said such systems could also flag a securities account that never trades stocks. Or the systems could draw attention to someone of apparently modest means who receives a $40,000 wire transfer from abroad and then sends out a large check. Specialists said the systems, by sweeping through vast electronic depositories of information, can find links among customers that a person might never see.

"Sometimes we've referred to our product as the 'Big Brother,' " said Alison Holland, spokeswoman for NetEconomy, a Dutch firm that is pitching its systems to U.S. firms. "It can monitor so many things."

Some companies used such tools before Sept. 11, as computer power increased and the government increased efforts to stop the flow of drug and mob money through the U.S. banking system. But TowerGroup, a Massachusetts research firm that tracks financial services, estimated that banks and other institutions will double their spending on monitoring systems this year, to $120 million. "This is just a sea change in the industry," said TowerGroup analyst Breffni McGuire.

UBS PaineWebber, for example, recently signed a deal with Searchspace Corp., a company that says its computer system "captures and uses all transactions that flow through an organization to provide continuously adaptive profiles of all individuals."

Riggs Bank NA is working with Americas Software Corp. to install a similar system that will automate procedures it has had in place for several years. Citigroup Inc. has contracted with Mantas, which says its software can "reduce the risk of money laundering with comprehensive, enterprise-wide surveillance of your customer, account, and transaction information . . . to reveal suspicious and previously unknown behaviors."

Last week, in response to a mandate in the Patriot Act, the Treasury Department's Financial Crimes Enforcement Network, known as FinCen, began operating a secure online network to make it easier for financial companies to report suspicious behavior by customers to the government.

Central to that relationship are suspicious-activity reports, which require officials to fill in more than 50 kinds of information, including addresses, account numbers, Social Security numbers and phone numbers.

They are maintained by FinCen in databases that are available to local, state and federal law-enforcement agencies. Under Patriot Act provisions, intelligence agencies also have the right to get such reports on demand. People who are the subjects of the reports may not see them, a FinCen official said.

The number of suspicious-activity reports filed with the government was almost 163,000 in 2000, compared with 81,000 in 1997, the first full year the reports were collected, the agency said.

The pace of the reports jumped sharply after the Sept. 11 attacks. About 125,000 were filed from Oct. 1, 2001, to the end of March, compared with about 86,000 in the same period the previous year, agency officials said.

John Byrne, senior counsel at the American Bankers Association, said members have cooperated with the government in tracking down terrorist assets and matching customer names against government lists of suspects since Sept. 11. But Byrne said that financial institutions, even those using the most sophisticated technology, need guidance and timely intelligence to help the government.

"We have proven our willingness to respond to legal government requests to search records and report suspected crime," he said. "What concerns us is any policy that suggests that the financial industry on its own determine potential terrorist activity. At the end of the day, the financial sector is not law enforcement."

Officials at FinCen said they have no interest in deputizing the financial industry and intruding unnecessarily into the financial lives of most people. They want the industry to act as a gatekeeper, not a cop, and to focus on risky customers.

"We have this important practical reason for paying attention to privacy concerns," FinCen Director James F. Sloan said. "If we don't, we're going to end up losing these tools."

Sloan said suspicious-activity reports, coupled with powerful data warehouses and mining tools at FinCen, have turned up leads and suspects. "This created an opportunity for dialogue that has never existed before," Sloan said of the Patriot Act. "It has given us an opportunity to work with the industry like never before."
********************
Washington Post
VeriSign to Help Telecoms With Wiretap Orders


SAN FRANCISCO -- Security and Web address provider VeriSign Inc. Monday unveiled a new service to help U.S. telecommunications carriers comply with wiretapping regulations that have gained more prominence since the attacks of Sept. 11.

Mountain View, California-based VeriSign is testing its new "NetDiscovery" wiretapping service, which is expected to be commercially available in early July for land-line, wireless and cable carriers, said Terry Kremian, executive vice president of VeriSign's telecommunications services.

Under the Communications Assistance for Law Enforcement Act of 1994, telecommunications companies must have systems that allow law enforcement officials acting with a court order or other legal authorization to intercept targeted telephone calls and access caller ID data quickly.

The law also requires carriers to provide the resulting wiretap data to the police or the FBI in a way that allows it to be delivered or transmitted offsite to government offices.

While the deadline for complying with the federal wiretapping act was originally set for Sept. 30, 2001, the Federal Communications Commission has extended it several times because of the complexity and cost of the task, Kremian said. Carriers and telecom providers now have until June 30 to comply.

Carriers can outsource these operations to VeriSign for a monthly fee, Kremian said, rather than spending as much as $500,000 to upgrade each switch and $150,000 annually to administer such a system.

The company, which operates the ".com," ".net" and ".org" domain name look-up system and sells Web addresses, also offers e-commerce security and payment services, and recently added telecom services with the acquisitions of Illuminet Holdings and H.O. Systems.

With Illuminet, VeriSign acquired the largest independent carrier-to-carrier switching network in the United States. The network routes land-line and wireless calls and enables carriers to offer caller ID, roaming and other services.
*******************
Los Angeles Times
Fee-Based Networks Making a Connection
Internet: Upstarts tout peer-to-peer technology as way for clients to offer digital goods, for a price.
By JON HEALEY


Before it ran afoul of the courts, Napster Inc. taught more than 70 million consumers that "peer to peer" meant copying whatever they wanted from other people's computers without paying for it.

Ever since, a small but growing band of upstarts has been trying to teach a new lesson: that peer-to-peer networking is a better way for businesses to send music, videos and other digital goods through the Internet. And no one has to receive anything free.

The new players range from consumer-oriented systems--including CenterSpan Communications Corp.'s Scour and those from Wippit Ltd., Yaga Inc. and Blue Falcon Networks Inc.--to distribution systems aimed at corporate customers, including Kontiki Inc. and Uprizer Inc. In addition, Altnet Inc. is building a fee-based network on the back of Kazaa, a free network that the record and movie companies are suing for copyright infringement. Like Kazaa and other free networks, the upstarts slash the cost of sending digital goods by transforming consumers into distributors. Songs, movies and other files flow from user to user, with the costs absorbed by the users' Internet providers.

The difference is that users of the new networks don't control what gets traded on them. The only files available through these systems are the ones approved by copyright owners.

The ventures have attracted some blue-chip investors, but as a group they're low on customers. That's partly because of concerns about Napster-style piracy and partly because the record labels and Hollywood studios have been slow to adapt their business models to the Internet.

"I think they're all willing to do deals now, but they're wary. Too wary," Paul Myers, chief executive of London-based Wippit, said of the major record companies. "I think they're missing huge opportunities. They're playing into the arms of the illegal services."

Peer-to-peer networks are designed to solve one of the thorniest problems in transmitting bulky audio and video files on the Internet: The larger the audience, the higher the cost.

Unlike with conventional broadcasting, which uses the same airwaves no matter how many people tune in, transmitting a file over the Internet takes up more network capacity as the audience grows. Everyone who watches a concert online or downloads a movie connects separately to the supplier's Web site, so each user drives up the amount of capacity, or bandwidth, the supplier has to pay for.

Peer-to-peer networks, by contrast, spread files the way a case of chicken pox spreads through a grade-school classroom. A popular song might start on one user's computer, but each user who copies it becomes a new source for other users.

The network points users to the closest available source, so the first user ultimately supports only a small portion of the total copies. More advanced networks enable users to copy a file from multiple sources at the same time, taking small pieces from each.

"This is the greatest distribution mechanism for content ever invented," said Chris Kitze, chief executive of San Francisco-based Yaga. "You have the ability to reproduce infinitely, at almost no cost, unlimited amounts of content, which means you never run out of inventory."

Though Kazaa and other free networks let users decide which files to share with other users, the copyright-friendly upstarts don't. Instead, network administrators decide which files can flow from user to user. And electronic locks let copyright owners dictate how much, if anything, people must pay for a file.

In Blue Falcon's approach, for example, central computers ensure that only authorized users supply and copy files. Those computers also would provide the keys to locked files and bill users for what they download.

"It's not about file sharing, it's file distribution," said Ian Clarke, co-founder of Santa Monica-based Uprizer.

That's an important distinction because corporate officials are skittish about the whole concept of peer-to-peer networking. Mountain View, Calif.-based Kontiki bills its services as "peer assisted," not peer to peer, and pitches to corporate customers by saying, "Here's a more effective way to communicate," said Mark Szelenyi, director of enterprise marketing.

Kontiki has about 20 customers in various stages of testing or deployment, and they typically use the network to distribute sales and training material and software updates, Szelenyi said. Similarly, Uprizer focuses on helping corporations cut the cost of internal communications, using peer-to-peer technology to distribute material to employees and branch offices.

Blue Falcon specializes in using peer-to-peer technology for Webcasts, helping customers such as Radio Free Virgin, a leading online radio network tied to Virgin Group Ltd., cut bandwidth costs by as much as 50%. Zack Zalon, general manager of Radio Free Virgin, said peer-to-peer techniques, better compression software and other improvements over the next few years could enable his company to reach up to 30 times more listeners for the same amount of money.

There are signs that the studios and record companies are ready to start experimenting with peer-to-peer systems. Amid pressure from the Justice Department and burgeoning online piracy, negotiations with tech companies have intensified, several executives at peer-to-peer companies said.

Wippit, a network that offers unlimited MP3 files for a flat monthly fee, has signed up one of the five major record companies, Myers said, although it has yet to announce which one. Hillsboro, Ore.-based CenterSpan has acquired the rights to songs from Sony Music's catalog, and a subsidiary of Vivendi Universal has agreed to launch a CenterSpan-powered entertainment service, said Michael Kassan, co-president of CenterSpan digital media and entertainment group.

"We're in the midst of some very advanced discussions on the video-on-demand side," Kassan said, adding that entertainment companies' attitudes about peer-to-peer technologies have changed dramatically.

The music labels and film studios have been very good at promising online initiatives, but not at delivering them. Although many have tried, none of the companies has been able to obtain all the licenses needed to compete with the unauthorized online networks. Nor have the studios' video-on-demand ventures gotten off the ground--in fact, one of the two major initiatives already has collapsed.

Still, Jay Haynes, chief executive of Blue Falcon in Los Angeles, said he expects the labels and studios to embrace peer-to-peer distribution soon. "In the next 12 months, I expect to see explosive growth in on-demand [services]."

Napster and its successors did the entertainment industry a favor, Kitze of Yaga said, by inducing consumers to want to get music online. "The next change in the behavior is to get from 'free' to 'paid for,'" he said.
*********************
Federal Computer Week Editorial
Transforming Congress


Congress, unfairly or not, has earned a reputation for being a group of Luddites. This reputation dates back to 1995, when Capitol Hill voted to provide freshman lawmakers with laptop computers but did not approve their use on the floor of the House or Senate.

That's what makes the vision of a "virtual hearing room" proposed by Rep. Curt Weldon (R-Pa.) so refreshing. Still in the concept stage, the hearing room would be equipped with secure workstations and videoconferencing technology that would enable committee members to question witnesses located anywhere in the world.

The workstations also could be used to provide multimedia presentations on issues at hand.

The particulars of Weldon's proposal are less important than his motives.

Congress, Weldon argues, needs to grasp the broader ramifications of technology -- what the Defense Department calls "transformation" -- and the virtual hearing room represents a way to learn about technology, through both seeing and doing.

Weldon is right. Many of the Bush administration's top priorities -- including homeland security, DOD modernization and e-government -- aim to transform, not just automate, government operations through increasingly sophisticated uses of information technology.

Congress is a necessary partner in these initiatives, because such efforts often require changes to rules and regulations and always need money. Members are adept at learning on the fly as they craft legislation and review budgets, but as the White House advances into newer and stranger territory with IT, many members may find themselves out of their depths.

Weldon's idea of a virtual hearing room would be a creative way to begin the education process. But whatever the fate of this particular proposal, his concerns have merit and should be addressed.

For Congress, transformation ought to begin at home.
******************
Los Angeles Times
Fingerprint Scan Spurs Debate
Technology: Program's database is linked to credit or debit cards. Customers weigh privacy concerns, convenience.
By HELEN JUNG


SEATTLE -- Christopher Conrad cuts off telemarketers on the phone, regularly reminds direct-mail associations to keep him off their lists and diligently opts out of mass e-mail lists.

But the Seattle commercial photographer didn't hesitate to give his fingerprint, credit card information and phone number to a company he had never heard of.

Conrad is one of the 2,000-plus customers of a Thriftway grocery store in West Seattle who signed up in a pilot program run by Oakland, Calif.-based Indivos Corp. that links customers' fingerprints with their credit or debit cards, allowing them to buy groceries by running a finger over a scanner. "I always leave my wallet in the car or forget it in another pair of pants," Conrad said. "It doesn't feel so much like an invasion of privacy but more like a convenience."

Privacy advocates and others are questioning whether the lure of convenience outweighs the vulnerabilities of the technology and fears of privacy intrusion.

"With most of these applications there's an interesting starting point, and then there are new applications and pretty soon you have full force Big Brother watching over you," said Marc Rotenberg, executive director of the Washington, D.C.-based Electronic Privacy Information Center, a public-interest research group.

Currently, there are no federal laws regarding the sale of fingerprint databases and information.

Indivos Chief Executive Phil Gioia said his company signed a contract with Thriftway not to sell that information to marketing companies. But Lee Tien, senior staff attorney for San Francisco-based Electronic Frontier Foundation, says the technology raises such novel and sticky legal issues as who owns the actual fingerprint.

Thriftway's pilot program has nevertheless proved popular from its May 1 adoption, said store owner Paul Kapioski.

"A lot of them walked right in the door and said, 'Where is it? Let me sign up,'" Kapioski said. He said representatives from other grocery stores in the area have come in to look at the program.

In Texas, some Kroger Co. stores use technology from an Indivos rival, Biometrics Access Corp. Ron Smith, Biometrics Access chief executive, says it is helping Kroger also cut down on check fraud.

And McDonald's in Fresno, Calif., used Indivos' technology for a brief pilot program but decided to discontinue it, said spokeswoman Lisa Howard. McDonald's Corp. is exploring other cashless electronic payment alternatives, such as radio transponder wands.

At the Thriftway, customers scan one finger five times to get an accurate image, which is then digitized and stored in Indivos' database. The customer also registers a bank account, credit card, debit card or even food-stamp account and a seven-digit number, such as a phone number, which will be used to help pinpoint that fingerprint's location among the thousands in the database.

Then, customers can simply scan their finger at checkout counters and enter the seven-digit number. The scanner picks up 10 or 12 points on the finger at random, compresses that down to a 300-byte package and shoots it over an encrypted connection to the database in Oakland for comparison with the stored fingerprint.

In practice, it's not a huge time savings over credit-card transactions. The customer still needs to punch in the seven-digit number. And they still have to sign a receipt for credit card transactions or enter another personal identification number for a debit card purchase.
***********************
Federal Computer Week Policy Briefs
Policy briefs
June 3, 2002


Anti-terror bills progress

Congress is moving forward to put money and muscle behind programs to fight terrorism at home and abroad.

The House passed a bill May 24 to provide $29 billion to fight terrorism. Billions would be showered on information technology projects to tighten security systems and fund tools such as devices that detect explosives at airports.

The House approved several other anti-terrorism measures, which still await Senate action, including:

* A bioterrorism package that would give authorities more clout in preparing for and responding to public health emergencies.

* $9.1 billion for the Customs Service to buy and deploy detection equipment along the Canadian and Mexican borders.

* $100 million for the Department of Veterans Affairs to develop four research centers, with at least one focused on biological terrorism, one on chemical threats and one on radiological threats.

Air Force consolidates IT

The Air Force is one-third of the way through the process of consolidating its IT resources in the hopes of building a greater enterprise infrastructure, John Gilligan, Air Force chief information officer, said May 29.

The goal is to have the process completed by fiscal 2004, although bases have had trouble finding the money to buy larger servers. Gilligan said the Air Force was considering a proposal that would accelerate that schedule.

The goal is to improve reliability, enhance security and reduce cost, Gilligan said. "We don't have the outages that we used to have," he said. The consolidation includes servers for e-mail, Web access, data and files. It is also an effort to bring together functions, such as financial and personnel data.

GSA preps security solutions

The General Services Administration is readying new solutions for government security.

GSA's Federal Computer Incident Response Center (FedCIRC) patch authentication and dissemination capability will be ready for some agencies to use June 20, said Sallie McDonald, GSA's assistant commissioner for information assurance and critical infrastructure protection.

In July, FedCIRC officials expect to release a request for proposals on a security knowledge management portal, McDonald said May 22 at a New York City conference. FedCIRC also is looking at creating a security toolkit, giving agencies central access to all of the security tools developed and already paid for by governmental and quasi-governmental organizations. In addition, the center plans to issue a request for proposals this summer for a contractor to identify the tools, assemble them into a suite of services and market them to agencies, she said.

Official: 'We're bandwidth hogs'

The Army could always use more bandwidth, but the service does have enough to accomplish its missions if it's willing to revamp its business practices and truly take advantage of its resources, according to one technology leader.

Col. Nick Justice, program manager of Force XXI Battle Command Brigade and Below, within the Program Executive Office for Command, Control and Communications Systems-Tactical, said he could always fill up more bandwidth if it were made available. However, the Army is not using its bandwidth "in efficient, effective processes," he said, speaking May 29 at Army IT Day in McLean, Va.

"We're bandwidth hogs," Justice said. "We want more. It's a [natural] quest for us."
*****************
Federal Computer Week
Studying counterterrorism


The quasi-governmental agencies in the National Academies (the National Academy of Sciences, the National Academy of Engineering, the Institute of Medicine and the National Research Council) will address 10 areas in a counterterrorism study expected to be released in June.

Those areas are:

* How to enhance the connectivity between the government and the science and technology community.

* The effect of the threat of terrorism on scientists and universities and the implications for research, open scientific communication, and accessibility to and tracking of foreign students.

* How to improve research standards and practices to prevent misuse of biotechnology research.

* How to improve national cybersecurity through research.

* How to protect Americans' privacy and civil liberties as personal information is increasingly collected and analyzed.

* What immediate steps can reduce the risk of nuclear weapons or materials falling into the hands of terrorists.

* How to address the threat of biological attack and ensure adequate detection, response and recovery capabilities.

* The main threats and appropriate responses regarding agricultural terrorism.

* Possible new sensor technologies to enhance the security of U.S. aviation systems and how to secure all transportation systems.

* The motives, sociology and psychology of terrorist activity against the United States.
********************
Federal Computer Week
Bringing science to homeland security
OSTP, National Academies to aid strategy


The role that science and technology will play in the Bush administration's homeland security plans is coming into focus through efforts by the White House Office of Science and Technology Policy (OSTP) and the National Academies, the quasi-governmental agencies that provide independent advice to the federal government on scientific and technical matters.

OSTP is writing the research and development chapter of the Bush administration's homeland security strategy. That chapter will focus on a long-term mechanism for gathering ideas and technologies from the private sector and putting them to use within the government, OSTP Director John Marburger said at a press briefing May 29.

Recommendations from a soon-to-be-released National Academies study on the role of science and technology in homeland security will figure into that chapter, he said (see box). The Office of Homeland Security expects to deliver the national strategy to the president by early July.

The National Academies study could help find short-term solutions as well as aid OSTP officials in determining the best way to interact with industry over the long term, said Lewis Branscomb, co-chairman of the study.

Industry will be a key player in supporting the OSTP effort, but government officials may not tap the private sector for some time, because the process for determining industry's role is still under development, Marburger said.

However, private-sector officials must understand that the government will adopt new technologies only after identifying potential threats and responses, he added.

There are four steps to creating a homeland security strategy:

* Identifying and prioritizing threats.

* Determining and agreeing on a response for each threat.

* Specifying the technologies needed to support those responses.

* Exploring what technologies are available in the market or what research and development is needed to make the necessary technology available.

Industry can assist in the final two steps, but the government is still working on the first two, Marburger said.

Devising a long-term strategy is necessary and determining the threats and possible responses is a responsible first step, said David Colton, vice president of strategic initiatives for the Information Technology Association of America. However, the Bush administration must provide the private sector with a single point of contact now, so that when the government determines what it needs, the structure will already be in place.

"There's a balance between short-term and long-term, and getting some kind of framework in place as soon as possible is necessary," he said.

The National Academies study will also help private-sector leaders determine how to improve industry's resources, markets and security, Branscomb said. That is particularly important because companies and universities "are the targets as well as the solutions to many of the problems."

The study should be released by the end of June, Branscomb said.
******************
Federal Computer Week
State CIOs advise on homeland security plan

As Tom Ridge's Office of Homeland Security hammers away at a comprehensive national plan to defend the country's critical infrastructures, it has reached out to state government technology officials for help.

On May 23, Steve Cooper, senior director of information integration and the Homeland Security Office's chief information officer, asked representatives from the National Association of State Chief Information Officers (NASCIO) to form a working group to advise him on the resources states have to offer.

The move is significant, said state officials, because it shows that federal officials understand that states will bear the burden of implementing any recommendations from a national plan.

Eight state CIOs from NASCIO toured Capitol Hill May 22-23, holding more than 30 meetings with members of Congress, their staffs and executive branch officials on issues important to states, including homeland security, e-government, identity security, cybersecurity, commingling of federal information technology funds, enterprise architecture and the Health Insurance Portability and Accountability Act of 1996 (HIPAA).

Rock Regan, NASCIO president and Connecticut's CIO, characterized the trip as an "educational outreach," to establish that the association is a resource to which federal lawmakers and other officials could turn.

NASCIO representatives discussed information sharing with Cooper and several other executive branch officials, including John Tritak, director of the Critical Infrastructure Assurance Office; Mark Forman, the Office of Management and Budget's associate director of IT and e-government; and David McClure, director of IT management issues at the General Accounting Office. The state representatives also met with officials from the FBI, CIA, Federal Emergency Management Agency, Environmental Protection Agency and Justice Department.

Regan promised Cooper he'd have a three- or four-member working group of state CIOs formed before June. "Their timeline is very tight, so it's something that we have to have some commitment to," said Regan, adding that it made sense for the federal government to seek input on homeland security matters.

"We're the ones providing the infrastructure to make sure the [data] flows, so I think that as the Homeland [Security Office] starts to [create] the document, the national strategy and some guidelines around it, we want to be involved as early as possible to make sure that what they're putting in place is actually doable from our perspective," he added.

A draft of the national strategy will likely be delivered to President Bush by early July. A senior administration official said in May that the plan outlining how the Office of Homeland Security expects to use IT to help secure the nation from terrorist attacks may not address all the concerns of federal agencies and state and local governments.

Kentucky CIO Aldona Valicenti said the tone of the NASCIO trip (the second such "fly-in" in six months and one that the organization intends to make an annual event) has changed as federal officials proactively reach out to the states. When HIPAA was passed in 1996, state governments weren't given an opportunity for input, she said. "We can actually address many of the operational issues," Valicenti said.
*********************
Federal Computer Week
Guidelines open data, Web to FBI


New investigative guidelines issued by Attorney General John Ashcroft May 30 permit the FBI to tap commercial databases, employ data mining and search the Internet for evidence of terrorist activity.

The new guidelines reverse decades-old restrictions imposed to curb FBI excesses of the 1950s and 1960s, when the agency actively spied on Americans involved in the civil rights movement, political dissent and war protests.

"They derive from a period in which Soviet communism was the greatest threat to the United States, in which the Internet did not exist, and in which concerns over terrorist threats to the homeland related mainly to domestic hate groups," Ashcroft said.

In the current war against terrorism, the restrictions provided "a competitive advantage for terrorists," Ashcroft said.

The restrictions date to 1976, when then-Attorney General Edward Levi imposed them, and attorneys general have the authority to amend them unilaterally.

In his announcement of the guideline changes, Ashcroft said, "FBI men and women in the field are frustrated because many of our own internal restrictions have hampered our ability to fight terrorism."

Under the guidelines now abandoned, Ashcroft said, "FBI investigators cannot surf the Web the way you or I can. Nor can they simply walk into a public event or a public place to observe ongoing activities. They have no clear authority to use commercial data services that any business in America can use."

New guidelines expressly permit agents to engage in online research, even when it is not tied to a specific criminal investigation. They also authorize the FBI to use commercial data mining services independent of particular criminal investigations.

The new guidelines also allow the FBI to operate "counterterrorism information systems, and to collect and retain information from all lawful sources, including publicly available sources, for that purpose."

The changes generated concern among privacy and civil liberties organizations. The American Civil Liberties Union warned that the new investigative guidelines "will trash a central protection against government fishing expeditions."

And the Electronic Privacy Information Center said the new rules "significantly broaden government ability to snoop on citizens."

"The FBI has always been able to use the Internet and databases, but only where there some indication of a crime," said Chris Hoofnagle, an EPIC lawyer. The new guidelines "change the dynamic" so that the FBI "can now watch people who are not suspected of doing anything wrong," he said.

According to the Justice Department, the investigative guidelines still "prohibit the FBI from keeping files on citizens on the basis of their constitutionally protected activities," such as exercising the right to free speech.

And the guidelines also "do not, and cannot, authorize the FBI to do anything prohibited by the Constitution or federal law," a department analysis says.
******************
Federal Computer Week
Carnivore bites off too much


Two years ago, the FBI unleashed Carnivore against Osama bin Laden's terrorist network, but the Internet spyware intercepted so much unrelated e-mail that the FBI stopped using it and might have destroyed information it collected related to the terrorists.

An internal FBI memo sent in April 2000 complained that when the spyware was used a month earlier to intercept al Qaeda e-mail messages, Carnivore acted more like an omnivore.

"The FBI software not only picked up the e-mails under the electronic surveillance [order] but also picked up e-mails on noncovered targets," said the memo, which was sent to Marion "Spike" Bowman, the FBI's associate general counsel. "The FBI technical person was apparently so upset that he destroyed all the e-mail take," including the e-mail messages the FBI was permitted to intercept, the memo said.

Intercepting messages not covered by court authorization would have violated federal wiretap laws, according to the Electronic Privacy Information Center, which obtained the memo through a Freedom of Information Act lawsuit.

David Sobel, general counsel for the center, said the memo and other information released by the FBI "confirm what many of us have believed for two years: Carnivore is a powerful but clumsy tool that endangers the privacy of innocent American citizens."

FBI documents show that its officials also worried that "the improper capture of data" by Carnivore could "seriously 'contaminate' ongoing investigations."
*******************
Federal Computer Week
FirstGov revs search engine


The search engine bought from a Norwegian company to find information on the federal government's Web portal, FirstGov, is finally ready for service. It will be formally unveiled June 3 by Stephen Perry, administrator of the General Services Administration.

The engine, built by Fast Search & Transfer of Oslo, Norway, is expected to yield more relevant and more complete search results from more than 51 million federal and state pages now on the Internet.

Originally scheduled to begin operating March 31, the Fast search engine was delayed for two months because GSA decided to buy and install new switching servers for the search engine, according to a senior official at GSA, which operates FirstGov.

The new engine is supposed to be able to search through government Web pages in a wide variety of formats, including PDF, HTML, Extensible Markup Language and plain text, as well as Microsoft Corp. PowerPoint, Excel and Word.

In addition, the Fast engine will be capable of searching through government databases, according to Deborah Diaz, GSA's associate administrator for FirstGov. "So there's a plethora of information and services available throughout government that will now be available to citizens," Diaz said in an April interview.

The Fast engine is being supplied by AT&T Business Services, which will be paid $2 million a year for up to five years.

Spokesmen at AT&T and Fast Search & Transfer say they are prohibited from discussing the terms of their contract with GSA.
*************************
BBC
Secure way forward for digital TV


Digital TV operators must look to a new business model encompassing open standards and secure tools against hacking if they want to make money in future.
This is the view of experts in the light of the financial crisis facing many pay TV stations.


For years a battle has raged about the standards that control the technology behind pay TV.

Governments and regulators are keen to see an open standard, where all free-to-air and digital TV providers could be accessed through a single set-top box or interactive digital TV.

But most operators did not want their rivals using their equipment to sell services.

Viewing for free

With the rise of hacking this has become a costly decision for many pay TV operators, forced to replace all their set-top boxes when the decoder inside the box is hacked.

Up to a third of all services in some European countries are accessed for free using hacked smart cards that are widely available.

SCM Microsystems Chief Executive Robert Sneider believes the answer could be a removable module.

The CAM (Conditional Access Module) has two components, a smart card which descrambles encrypted TV signals and a piece of hardware which fits into a slot available on all digital TV sets and set-top boxes.

The anti-hacking software can be updated on a daily basis through a download from the provider to the set-top box down the telephone line.

If the module itself is hacked, it can be removed and replaced without need to touch the set-top box itself.

Obsolete business model

"Unauthorised access to digital networks represents huge revenue losses for providers. They simply cannot survive if this wastage continues at such a critical time in the industry's development," he said.

The module relies on an open standards model, which Mr Sneider believes operators will be forced to adopt, whether they want to or not.

"In my opinion the idea that they can own the consumer is an obsolete business model," he said.

With high profile digital TV failures such as the collapse of ITV Digital and governments across Europe keen to switch off the analogue signal by 2010, there will be a big push to get security right, believes Roger Stanyard, managing director of satellite consulting firm DTT.

"Recently hacking has become a desperate problem across Europe. When the decoder is built into the set-top box operators have to replace the whole box," he said.

"There will be a hefty bill coming up if they can't secure systems."

Hackers will find a way

Not everyone is convinced that a removable piece of hardware will alleviate hacking.

"Some companies say that if a module is generally available, hackers will get hold of the device and crack the technology that way," said IDC analyst Jason Armitage.

Mr Armitage does not think that hacking has had a significant impact on the demise of companies like ITV Digital.

"It is a big problem in southern Europe but in other European markets is not such an issue," he said.
**********************
Government Computer News
OMB: E-gov projects will help reduce bad payments
By Jason Miller


Bush administration officials expect that two of the 24 e-government initiatives will help the government lower the $20 billion in erroneous payments agencies made in fiscal 2001.

E-Payroll and E-Grants eventually could improve automation and tracking of money, according to an Office of Management and Budget report released Friday. The Office of Personnel Management is managing the E-payroll project, which will consolidate 16 civilian payroll processing systems into three.

E-Grants, managed by the Health and Human Services Department, will standardize and streamline federal grant programs. OMB officials estimate the initiative could save the government $1 billion in administrative costs alone.

The report, Financial Management Status Report and Governmentwide Five-Year Financial Management Plan, also said that financial system and computer security weaknesses were two of the most prevalent troubles auditors found. OMB said agencies also failed to account for billions of dollars in intra-agency transactions.

OMB said the two biggest mispayers were Medicare, which erroneously paid out $12.1 billion, and the Housing and Urban Development Department, which handed out $3.3 billion in errant rental subsidy payments.

The report is posted online at www.whitehouse.gov/omb/financial/2002_report.pdf
***************************
USA Today
Consumers test fingerprint scanning program

SEATTLE (AP) - Christopher Conrad cuts off telemarketers on the phone, regularly reminds direct-mail associations to keep him off their lists and diligently opts out of mass e-mail lists.

But the Seattle commercial photographer didn't hesitate to give his fingerprint, credit card information and phone number to a company he had never heard of.

Conrad is one of the 2,000-plus customers of a Thriftway grocery store in West Seattle who signed up in a pilot program run by Oakland, Calif.-based Indivos Corp. that links customers' fingerprints with their credit or debit cards, allowing them to buy groceries by simply running a finger over a scanner.

"I always leave my wallet in the car or forget it in another pair of pants," Conrad said. "It doesn't feel so much like an invasion of privacy, but is more like a convenience."

Technology that links your fingerprint with a credit card or bank account is making strides into everyday purchases, with businesses from Thriftway in Seattle to three Kroger stores in Texas.

But privacy advocates and others are questioning whether the lure of convenience outweighs the vulnerabilities of the technology and fears of privacy intrusion.

"With most of these applications there's an interesting starting point, and then there are new applications and pretty soon you have full force Big Brother watching over you," said Marc Rotenberg, executive director of the Washington, D.C.-based Electronic Privacy Information Center, a public-interest research group.

And currently, there are no federal laws regarding the selling of fingerprint databases and information.

"There could be some abuses," Rotenberg said.

Thriftway's pilot program has nevertheless proved popular from its May 1 adoption, said store owner Paul Kapioski.

"A lot of them walked right in the door and said where is it, let me sign up," said Kapioski. He said representatives from other grocery stores in the area have come in to look at the program. "I think it's the way it's going to be here in a couple of years. We may be the first, but you'll see it around here."

It's already in Texas, at some Kroger stores, which use technology from an Indivos rival, Biometrics Access.

Ron Smith, Biometrics Access chief executive, says it is helping Kroger also cut down on check fraud.

And McDonald's in Fresno, Calif., used Indivos' technology for a brief pilot program but decided to discontinue it, said spokeswoman Lisa Howard. McDonald's is exploring other cashless electronic payment alternatives, such as radio transponder wands.

At the Thriftway, customers scan one finger five times, to get an accurate image, which is then digitized and stored in Indivos' database. The customer also registers a bank account, credit card, debit card or even food-stamp account and a seven-digit number, like a phone number, which will be used to help pinpoint that fingerprint's location among the thousands in the database.

Then, customers can simply scan their finger at checkout counters and enter the seven-digit number. The scanner picks up 10 or 12 points on the finger at random, compresses that down to a 300-byte package and shoots it over an encrypted connection to the database in Oakland for comparison with the stored fingerprint.

In practice, it's not a huge time savings over credit-card transactions. The customer still needs to punch in the seven-digit number as well as key in approval for the purchase. And they still have to sign a receipt for credit card transactions or enter another personal identification number for a debit card purchase.

Some customers said they didn't like giving away something as personal as a fingerprint. They fear that even if the database is kept by a private business and not linked to buying habits, it might not always reside with that company.

"To me it's the same thing as the government having your fingerprints," said Jennie Helms, a West Seattle Thriftway shopper. "They don't need to know what I buy."

Security is also a concern.

While well-designed fingerprint-based systems are not easily fooled, some researchers have already shown that fingerprint readers are hardly spoof-proof, said James Wayman, former director of the U.S. National Biometric Test Center and now a biometric identification researcher at San Jose State University.

Recently, a cryptography researcher in Japan created a fingerprint mold out of gelatin and succeeded in fooling fingerprint scanners four out of five times. A paper detailing his work was presented to the International Society for Optical Engineering.

The fingerprint companies' executives acknowledged that all technology is ultimately vulnerable. But they said would-be thieves don't have the means, much less access to a viable fingerprint, to crack one of their sensors.

And what of worries that companies might sell the fingerprint/information database to marketers?

Indivos chief executive Phil Gioia said his company signed a contract with Thriftway not to sell that information to marketing companies. But Lee Tien, senior staff attorney for the San Francisco-based Electronic Frontier Foundation, says the technology raises such novel and sticky legal issues as who owns the actual fingerprint.

Even Gioia recognizes that much remains uncharted.

For example, if Indivos were to some day be acquired by a credit-card issuing bank that institution would gain ownership of the fingerprint database. Gioia's response: "that's in the future ... we haven't nailed that down."
******************
USA Today
Germany gives Microsoft the cold shoulder


FRANKFURT, Germany (AP) - Germany's government said Monday it has agreed with computer maker IBM to increase the use of open-source software on its computers, a move aimed at reducing dependence on U.S. software giant Microsoft.

Interior Minister Otto Schily said using non-Microsoft operating systems based on the open-source Linux system would save money and improve the security of computer systems used by federal and local governments.

"We are raising computer security by avoiding a monoculture, and we are lowering dependence on single suppliers," Schily said in a statement. "And so we are a leader in creating more diversity in the computer field."

Under the deal, IBM would give the government discounts on computers running Linux. The software installed on the IBM computers would be bought from German company SuSE, a major supplier of Linux-based software products.

The statement didn't disclose financial terms.

Unlike most commercial software, the underlying code in open-source software such as Linux is freely available and benefits from continual scrutiny and improvements made by a community of programmers. Proponents say that makes Linux more reliable and secure than products made by Microsoft and others -- a claim Microsoft disputes.

Though individual companies charge for the operating system, technical support and services, Linux versions can be downloaded legally for free on the Internet. Many companies and governments have turned to Linux as a low-cost alternative to Microsoft's Windows operating systems.

Thomas Baumgaertner, a spokesman for Microsoft's German subsidiary, said the government chose to ignore studies it had commissioned that favored Microsoft.

"Their own studies showed that an all-Microsoft environment was superior both technically and on price," said Baumgaertner.

Even with the decision, the German government remains a major customer for Microsoft products, he said.
******************
MSNBC (News Week)
Wild About Wi-Fi
Rising from the grass roots, high-speed wireless Internet connections are springing up everywhere. Tune in, turn on, get e-mail. Sometimes for free.
By Steven Levy and Brad Stone


June 10 issue -- Pete Shipley's dimly lit Berkeley home has all the earmarks of a geek lair: scattered viscera of discarded computer systems, exotic pieces of electronic-surveillance equipment and videos of the BBC sci-fi "Red Dwarf" show. But among the hacker community, Shipley, a 36-year-old freelance security consultant, is best known for his excursions outside the home -- as a pioneer of "war driving."
BREATHE EASY: this isn't a "Sum of All Fears" kind of thing. War driving involves roaming around a neighborhood looking for the increasingly numerous "hot spots" where high-speed Internet access is beamed to a small area by a low-power radio signal, thanks to a scheme called Wireless Fidelity. Imagine your computer as a walkie-talkie, but instead of talking, you're getting high-speed Internet access. Wi-Fi, as it's generally called (propellerheads call it 802.11b), has unexpectedly emerged as the wireless world's Maltese Falcon, something truly lustworthy and, once possessed, impossible to let go of.
Two million people use it now, a number expected to double by next year, according to Gartner, Inc. And International Data Corp. predicts that public hot spots will jump from a current 3,000 to more than 40,000 by 2006. Consumers use Wi-Fi to establish wireless networks in their homes; businesses adopt it to untether employees from desktops, and techno-nomads celebrate its presence in cafes (from Starbucks to Happy Donuts), airports and hotel lobbies. (Next on the docket: airplanes.) It seems that moving megabytes on the move is almost mystical, like an out-of-body experience. "Once you are untethered from a wall it becomes like candy; it's a really insatiable appetite," says Michael Chaplo, the CEO of one Wi-Fi start-up. "You just want it everywhere." Like the early Internet, Wi-Fi is a jaw-dropping technology with unlimited promise. Also like the Internet, it opens up a rat's nest of security woes.


200 UNPROTECTED NETWORKS
There's nothing like a war drive to expose both sides of this cutting-edge sword. Shipley Velcroes two weird-looking antennae to a NEWSWEEK reporter's car, and connects them to a Lucent wireless card plugged into a Fujitsu Tablet PC. He boots a program called Net Stumbler, which transforms the system into a sniffing machine, capable of detecting Wi-Fi networks with the reliability of a drug beagle, and we're off. Almost instantly, the rig starts finding networks -- 16 of them within the first three blocks (last year Shipley was getting just two). Turning toward the campus, name after name of wireless setups scroll by, some set up by corporations, some by ... well, who knows? Cal Bears Network ... V Street Network ... Henry Household. About half of the more than 200 networks he finds are unprotected by encryption or access control, meaning that anyone passing by could potentially grab the data. Or a freeloader could plant himself in front of the network owner's house and send out thousands of spam e-mails, leaving the owner to take the heat.
This is not just a West Coast phenomenon: a war-driving security specialist in Omaha, Neb., recently found 59 hot spots, 37 of them unprotected. And on a war walk through New York's Greenwich Village last week, NEWSWEEK found more than 50 hot spots in a quarter-hour. A disturbing security situation -- in effect, it's like opening a drive-in window to an otherwise firewall-protected network -- but also an exhilarating opportunity. Without knowing exactly who was beaming out the broadband, it was possible to stand on a random street corner and grab sports scores and e-mail. The Internet was in the air.
That's only one irony in the Wi-Fi revolution: while most of the tech industry gripes about how hard it is to provide high-speed Internet access, seemingly out of nowhere a technology has emerged to do just that, at low cost or even for free. And without those nasty wires! The secret of Wi-Fi comes from its mongrel origins. Wireless technology is actually a kind of radio, and different devices run on different frequencies on the radio bandwidth. Some portions are hotly contested, and governments reserve their use for favored parties: in some cases, like cellular phones, firms pay billions to use portions of the spectrum. No one pays a penny for Wi-Fi, which springs from a semi-orphaned frequency range formerly known as the Industrial, Scientific and Medical Band, designated for humble appliances like cordless phones and microwave ovens. (It's around 2.4 gigahertz, for those keeping score at home.) This junk spectrum is unlicensed, meaning that as long as you keep the power low, no one limits your activity. This freedom appealed to computer people, who see it as an open invitation to innovate and experiment. As a result, cool things keep happening with Wi-Fi.
A lot of this still goes on among the geek set. For instance, Rob Flickenger, author of "Building Wireless Community Networks," has gained renown for designing a long-range $6.45 Wi-Fi antenna housed in a Pringles potato-chip can. (It's been recently outperformed by an antenna made out of a Big Chunk beef-stew can.)


BUILT-IN WI-FI
But even as the wireheads build their toys, serious companies sense big money. Things really began to take off three years ago when Apple adopted Wi-Fi for its home-networking AirPort device. Simply plug your Internet cable into the flying-saucer-shaped gizmo, and your Macs (if equipped with a $99 wireless card) instantly become wireless Net machines. Last year Microsoft rolled out its new Windows XP operating system with built-in Wi-Fi support: every time an XP user with a wireless card gets within sniffing range of a network, a little dialogue box pops up and asks if he or she wants to hook up. And this year IBM began shipping ThinkPad computers with Wi-Fi built in.
Dozens of start-up companies hope to ride the Wi-Fi wave. Boingo wants to be at the center of a sprawling Wi-Fi archipelago. It offers customers service at hundreds -- one day maybe millions, dreams CEO Sky Dayton (who earlier founded Earthlink) -- of hot spots signed on to the Boingo system. In return, Boingo handles the billing and kicks back part of the user fees. A company called Joltage provides software to turn hot spots into instant mini-Internet service providers. Other firms are working to go beyond hot spots to larger "hot zones," like WiFi Metro, which has placed antennas in Palo Alto and San Jose, Calif., to blanket six-block areas in a single network. Going a step further are companies attempting "mesh networks" to create hot regions. For instance, a company called SkyPilot wants to Wi-Fi the suburbs by hopscotching bandwidth from computer to computer: sort of a Napster approach to connectivity.
While entrepreneurs envision hot spots in their bank accounts, some people are organizing on the principle that connectivity in the air should be as free as the breeze. In more than 50 cities and towns, community-based network groups are setting up regions where people are encouraged to partake of free wireless Internet. NYC Wireless has more than 60 "guerrilla installations," including Tompkins Square Park in the East Village. In Pittsburgh, you can Web-surf for free in Mellon and Market Squares.


'IT CONSTITUTES A THEFT OF SERVICE'
Traditional broadband providers cry foul when users take their cable modem or DSL connections and beam them to friends, family and passers-by through Wi-Fi networks. "It constitutes a theft of service per our user agreement," says AT&T Broadband's Sarah Eder. But at least one very important observer doesn't buy that. "I don't think it's stealing by any definition of law at the moment," says FCC chairman Michael Powell. "The truth is, it's an unintended use."
Wi-Fi's success has already made some telecom companies like Nokia and Nextel realize that their future lies in complementing, not competing, with Wi-Fi. The new vision involves a hybrid scheme where people would do heavy-duty computing in low-cost, high-activity Wi-Fi hot zones, and then, when they drove out to the desert, or visited North Dakota, they'd stay connected, using a more costly (licensed bandwidth) 3G-cellular network. Performing this trick without fiddling with the computer -- a so-called vertical handoff -- is "the holy grail," says AT&T researcher Paul Henry. "It would mean that wherever you were, the Internet would be there, too."
This would require superior security software. But it will take some effort from users. The current form of protection, an encryption code called WEP, is far from perfect, but a lot of people don't even bother to turn it on. Nonetheless, experts assume that, like the Internet, Wi-Fi will manage to increase -- if not perfect -- its security so that problems won't stunt its growth.
No matter who provides the signal, the Wi-Fi revolution is now moving to a fascinating stage, where the medium affects behavior. Putting wireless nets in businesses has affected culture in places like Microsoft and IBM, where people trundle into meetings with laptops, pull up relevant information on the spot -- and surf the Net if they're bored. An in-house video at Cisco Systems tells the tale of an engineer who discovered a toilet-paper shortage in the men's room -- and was able to order more online while maintaining his position.
And when the Internet is ultimately everywhere, imagine the effects on journalism when, as tech columnist Dan Gillmor has speculated, hundreds of witnesses to a local disaster have the ability to capture and send out instant digital photos and videos.
All that from junk spectrum? Hard to believe. But not too long ago surfing the Internet seemed as weird as, well, war driving.
*************************
MSNBC
Broadband users cut into cable


By Stefanie Olsen

June 3 -- When Noah A., an AT&T Broadband customer, dropped his subscription to DirecTV several months back, he joined a small but growing group of cable TV pirates who use their high-speed Internet connection to pilfer video signals.

DRAWING ON old-school methods to splice cable TV lines for unauthorized use, hackers say they can buy a splitter at the local electronics store and easily run an additional line from the cable modem line for the computer into the television. Without a set-top box, the result is free, basic, analog cable; with an illegal converter or set-top, hackers say they have access to premium channels such as HBO and Showtime.
"I only get (basic) cable. I don't subscribe; it just comes to my house along with the cable modem signal," said Noah, who wished to keep his last name anonymous. He saves roughly $40 a month on cable but spends about $42 a month on Internet access.
"Lots of people do this if all you want is analog cable," he said. "All cable services are run through the same line; they can't just cut power to analog cable and still give you a cable modem."
Cable operators have battled this form of piracy for years, but it's taking on new urgency in the race to build high-speed Internet service. Broadband providers are struggling with costs, with AT&T just last week instituting a price increase for cable modem customers.
Some lawmakers are also pushing Congress to help in the widespread adoption of broadband Internet connections. Sen. Joseph Lieberman, D-Conn., last week said he would introduce legislation to expand broadband adoption across the country to drive economic growth.
In this environment, piracy is just one more headache for cable providers. The advent of digital cable and broadband Internet access is seen as a mixed blessing for operators, bringing advancements to both deter theft and increase it.
Siphoning TV access from cable modem lines is just one wrinkle to widespread cable piracy, but companies such as AT&T Broadband, Cox Communications and Comcast Cable Communications are starting to crack down. All providers say they are aware of this specific kind of theft and are taking various measures to stop it.
Cable TV piracy has been growing since the '70s, germinated by corrupt or pliable cable technicians who simply take a kickback to turn on extra, premium channels at no monthly cost. Now, in addition to making payoffs, people regularly buy on the black market the cable converters and de-scrambling devices necessary to access digital and premium cable.
About 13 million Americans get a free ride as a result, compared with the more than 64.5 million paying cable subscribers, according to research firm The Carmel Group. The losses are significant. The firm estimates that the industry misses out on about $6.2 billion annually from piracy.
Industry executives say stealing not only costs the cable providers, but also takes money from public works. Cable operators must pay 5 percent of local cable sales to community services such as fire and police departments.
SCOURING THE SYSTEMS
Steve Effros, an attorney and analyst for the cable industry at Effros Communications, based in Fairfax, Va., said relatively few people subscribe only to high-speed Internet access and not cable TV. Those who do are a highly identifiable group to the cable operators, he said, making it easy to install a trap that allows only the amount of bandwidth necessary to provide high-speed Internet data.
"If it becomes an issue at all, it's very easy to stop it; they just install traps on the lines," he said. "No thief ought to rely on this one."
Cox spokeswoman Amy Cohn said the company has discovered some instances in which high-speed Internet customers are stealing cable TV channels, but she couldn't specify a number. As a preventive measure, she said, the company installs traps on cable modem lines to prevent Internet customers from accessing video signals through cable TV.
"We're currently auditing our networks to identify situations where traps may be needed and are installing the appropriate equipment to prevent this theft from occurring," Cohn said.
Tracy Baumgartner, a spokeswoman for AT&T Broadband, said the company is proactively trying to prevent this kind of cable theft. She wouldn't explain the specifics of its tactics, saying they may provide clues to a workaround.
In general, AT&T Broadband tries to stop piracy by going from neighborhood to neighborhood and performing a tap audit, which allows it to detect all manner of cable theft. The tap audit lets the operator evaluate services piped into the home to see if any are not being paid for.
Baumgartner said such cable theft typically degrades signals to both the computer and the television, not to mention neighboring connections.
"The drops are not designed to be split," she said. "The Internet product needs a dedicated feed so that it runs as efficiently as it's supposed to."
But cable subscriber Noah said his TV reception and Net connection come up without a hitch.
A Comcast Cable representative said the company also performs tap audits to identify customers using authorized video hookups. It then gives them time to make amends before disconnecting service, according to the representative.


NEW FIX WOULD NOT BE QUICK
One long-term solution to such theft would be for cable operators to completely convert their analog feeds to digital.
Cable providers have long used analog systems, which run at a frequency of 400MHz or lower. Basic broadcast channels such as ESPN and CNN are typically run through analog cable.
Now cable providers are shifting their systems to allow for digital broadcasts, which operate on a different frequency from analog. For a true digital broadcast, which can include premium channels such as HBO or video-on-demand programming, the frequency must run around 750MHz.
Cable operators see promise in digital cable because they can deliver more channels with less bandwidth and build in enhancements such as interactive TV programming, video-on-demand and e-commerce. Some are already testing digital, including AT&T Broadband, which started using it in select markets, such as Los Angeles.
But digital is also a threat. Services such as Sonicblue's ReplayTV allow consumers to share TV entertainment like they would on an online file-sharing community such as Morpheus, raising fears about copyright infringement.
Still, analysts insist that digital cable can curb the threat of piracy. For one, companies are creating more sophisticated encryption technology to make it harder for hackers to tap into unauthorized channels. Another deterrent is that interactive TV programming requires a two-way connection, meaning that a broadcaster could detect and verify a signal coming back into its system from the subscriber.
"From that (digital) signal, the operator will have the ability to recognize that end user and whether he is subscribing to that service," said Sean Badding, an analyst at The Carmel Group. "This could be a prevention as we move into this (interactive TV) world."
In the meantime, as much as some people take advantage of open-spectrum cable lines, some customers say the providers are equally negligent about taking precautions against piracy.
Amy L., one longtime Comcast subscriber who asked that her last name not be used, said that when she signed on to high-speed Internet access several years ago, in addition to her monthly cable TV subscription, the Internet connection boosted her family's access to premium cable channels such as HBO and Showtime at no cost.
"The TV, including the cable, is literally right next to the computer desk, so when the techs came to install the broadband they just put a splitter on that cable with one leading to the cable box and one to the cable modem," she said. "When the installers were finished, they told me that I would be getting some additional channels,...a normal result of having the broadband access installed, and that Comcast would eventually filter it out.
"I didn't do anything, but Comcast never did anything either. I was getting HBO, Showtime and a number of other additional and premium channels for something like two years for free," she said.
Doug, a New Jersey resident who subscribes to cable-modem Internet service and gets free digital cable through an illegal box, said he believes that the cable operators are suffering at their own hands. He said he bought a new digital box for about $80 that gives him free access to more than 400 channels.
"All the cable operators are suffering from (cable theft) when all they need to do is put in a filter -- that would eliminate the issue," Doug, who asked that his last name not be used, said in an e-mail interview. "I don't condone stealing, (as they call it), but I don't see an issue if they don't block it. If they cared about it, they could stop it."
*********************
MSNBC
Fighting Web Fraud
Security: The Internet has made it easier for crooks to rip your company off. Here's how businesses can protect themselves and their customers
By Erik Sherman
NEWSWEEK


June 10 issue -- It was almost too easy. All the young woman had to do was pick a stolen credit-card number and go online.

ACCORDING TO U.S. postal inspectors, she then bought computers and other electronic gear. A measure of the extent: when police swooped down on her New York apartment two years ago, they found $20,000 worth of gear. And she was identified only because of fraud-detection software. When she made an $800 purchase at the IKEA furniture and household-goods Web site, a program called eDective noticed that the shipping address she gave was in a different state from the billing address for her card. This raised a red flag for IKEA fraud manager John Barry. He noticed, too, that the cell-phone number she gave as a contact was in yet a third state. He launched the probe that ended in her arrest for possession of stolen property. She pleaded guilty, apparently to a lesser charge (the case is sealed). But Barry counted it a win for his software. "Anybody who hangs their sign out front to do business on the Web takes a tremendous amount of risk," he says. "The Web gives the thief the edge. We can't see your body language, hear the tone of your voice, see the sweat on your palms."
Fraud has always been a problem for businesses. The Internet has made it easier. According to Visa USA, the rate of online credit-card fraud is three to four times higher than fraud overall. Some industries are peculiarly vulnerable, such as telecommunications. "In the entire telecom industry, the current estimate is that $15 [billion] to $20 billion of fraud happens on an annual basis," says Peter Smith, manager of AT&T's global fraud-management center.
But new technologies enable companies to fight back. Given the sheer volume of e-commerce today, software is the only solution. "You may have a suspicion that something is going on, but even if you do see some, it may only be the tip of the iceberg," says Colin Shearer, vice president of data mining at statistical-software company SPSS. "In areas like e-commerce, it's way beyond human capability to check each one of [the transactions]."
One widely used tool is known as rule-based-detection software. Merchants who use it create what is sometimes called a "negative file," stating the criteria each transaction must meet. These might include price limits and matches of the cardholder's billing address to the shipping address for the purchase. The rules might flag an order for an unusually high number of a single item. And they should always maintain current lists of stolen credit-card numbers. The software then screens incoming orders and uses the rules to approve or reject purchases.
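The rule screen described above, sketched as an added example (not code from the article or from any product it names). The thresholds, field names, area-code table and sample orders are constructed; the third-state phone check mirrors the IKEA case earlier in the article, and the "review" outcome is an assumption layered on the approve/reject decision the article describes.

```python
import hashlib
import hmac
from dataclasses import dataclass, field

# Assumed key: the negative file stores keyed fingerprints, never raw card
# numbers. A real deployment would load this from a secrets manager.
NEGATIVE_FILE_KEY = b"constructed-demo-key"


def card_fingerprint(pan: str) -> str:
    """HMAC-SHA256 of the card digits, ignoring spaces and dashes."""
    digits = "".join(ch for ch in pan if ch.isdigit())
    return hmac.new(NEGATIVE_FILE_KEY, digits.encode(), hashlib.sha256).hexdigest()


# Constructed sample data (a test card number, a tiny area-code table).
STOLEN_CARDS = {card_fingerprint("4111 1111 1111 1111")}
AREA_CODE_STATE = {"212": "NY", "201": "NJ", "203": "CT", "415": "CA"}
MAX_ORDER_TOTAL = 2500.00   # assumed price limit
MAX_QTY_PER_ITEM = 5        # assumed per-item quantity limit


@dataclass
class Order:
    order_id: str
    card_number: str
    billing_state: str
    shipping_state: str
    contact_phone: str
    total: float
    items: dict = field(default_factory=dict)  # sku -> quantity


def normalize_phone(phone: str):
    """Return the 10-digit US number, or None if the input is malformed."""
    digits = "".join(ch for ch in phone if ch.isdigit())
    if len(digits) == 11 and digits.startswith("1"):
        digits = digits[1:]
    return digits if len(digits) == 10 else None


def screen_order(order: Order):
    """Apply the rules in order; return (decision, list of reasons)."""
    # A hit on the stolen-card list is decisive, so stop there.
    if card_fingerprint(order.card_number) in STOLEN_CARDS:
        return "reject", ["card is on the stolen-card list"]

    reasons = []
    billing = order.billing_state.strip().upper()
    shipping = order.shipping_state.strip().upper()

    if order.total > MAX_ORDER_TOTAL:
        reasons.append("order total exceeds price limit")
    if billing != shipping:
        reasons.append("shipping state differs from billing state")

    phone = normalize_phone(order.contact_phone)
    if phone is None:
        reasons.append("contact phone is not a 10-digit number")
    else:
        state = AREA_CODE_STATE.get(phone[:3])  # None when area code unknown
        if state is not None and state not in (billing, shipping):
            reasons.append("contact phone is in a third state")

    for sku, qty in sorted(order.items.items()):
        if qty > MAX_QTY_PER_ITEM:
            reasons.append(f"unusually high quantity of {sku}")

    return ("review" if reasons else "approve"), reasons


# Constructed orders; A2 is modeled on the case described in the article.
SAMPLE_ORDERS = [
    Order("A1", "4000 0000 0000 0002", "NY", "NY", "212-555-0101", 120.0, {"CHAIR-02": 1}),
    Order("A2", "4000 0000 0000 0002", "NY", "NJ", "(203) 555-0143", 800.0, {"SOFA-01": 1}),
    Order("A3", "4111-1111-1111-1111", "CA", "CA", "415-555-0199", 60.0, {"MUG-09": 2}),
    Order("A4", "4000 0000 0000 0010", "CA", "ca", "1-415-555-0123", 3000.0, {"LAMP-07": 12}),
    Order("A5", "4000 0000 0000 0028", "NY", "NY", "555-0100", 45.0, {"MUG-09": 1}),
]


def screen_all(orders):
    """Map order_id -> (decision, reasons) for a batch of orders."""
    return {o.order_id: screen_order(o) for o in orders}


if __name__ == "__main__":
    for oid, (decision, why) in screen_all(SAMPLE_ORDERS).items():
        print(oid, decision, "; ".join(why))
```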
A related tool is predictive-statistical-model software. It examines mountains of data from previous transactions to create mathematical descriptions of what a typical fraudulent transaction looks like. It then looks at incoming orders and assigns each one a "risk value" based on its resemblance to the prototypical fraud. AT&T, for example, uses predictive models to sort through its more than 350 million calls a day, identifying a thousand cases of questionable activity. An average of 50 investigators on duty at any given time examine them to find the 200 cases of actual fraud. "You're literally trying to find the needle in the haystack," says Smith. "[But] if you don't find that needle... you could end up losing tens of millions of dollars within hours." It's worth the effort and expense, though: Smith estimates that AT&T's software blocks "at least" 100 frauds for every one it lets through.
Consumer fraud is not the only threat. In such industries as auto insurance and health insurance, service providers often file fraudulent claims. A body shop, for example, may include in its estimates repairs the car doesn't need. In health care, according to estimates by the Center for Medicare and Medicaid Services, $100 billion a year is lost in health care to fraud from physicians, hospitals and other agencies that might, for example, use false diagnostic codes in their electronic filings to suggest costlier procedures than were actually done. Detection software can be "tuned" to flag frauds characteristic of a particular industry. "Ninety-six percent of the estimates we review are changed, and the average percent or reduction is anywhere from 11 to 13 percent," says Eric Seidel, president and CEO of eAutoclaims Inc., whose software lets auto-insurance firms track claims and repair estimates.
Outside help is available. "It's valuable to have a trusted network outside your company, because that's where the expertise will be," says David Fisher, manager of the Verizon Communications fraud-prevention center. Few companies can afford expertise in fraud prevention on the scale of AT&T, so turning elsewhere makes sense. For example, Experian, one of the three big credit-reporting companies in the United States, has developed a cross-industry fraud database. Member companies can check credit applications against problems reported by other members. One of the clients recently ran a week of tests, checking credit applications against the database. "That client had a 2 percent hit rate on the national fraud database," says vice president of fraud solutions Lyn Porter. "We identified around $50,000 in savings a day."
Of course, all the software in the world will be ineffective if the enemy is within. A national retail chain found that its Dallas store suddenly went bankrupt after hiring a new manager. He was diverting sales revenues to himself through an elaborate combination of false invoices and doctored credit-card charges. His inside knowledge helped him sidestep the company's detection software. "He got away with it for 18 months," says John Wiechman, president of TLSI Inc., the computer-forensics firm hired to find the evidence. "The company was being run, but it wasn't being watched real close. [Corporate management] walked into the Dallas warehouse and it was empty." Even the best systems won't work for people asleep at the on-off switch.
*************************
CNN
Workplace e-mail is not your own
Employers have legal right to snoop online


SAN FRANCISCO, California (CNN) -- If you work on a personal computer, you'd better get used to it -- there's no such thing as private e-mail on a company system.

Analysts say this high-tech monitoring is a growing trend for employers, particularly as the technology makes it increasingly easy to implement on a large scale.

"Legally, they're not required to tell you if they're monitoring the e-mail," says Shari Steele of the Electronic Frontier Foundation. "Legally the equipment that you're using when at work belongs to your employer. And therefore the employer can do anything they want to with the equipment."

Businesses can customize the software to identify senders and scan for keywords that send up a red flag. They can also choose from a set of keywords associated with viruses or unsolicited e-mail, or "spam."

Once a policy is set, the company chooses what happens next, whether that's to quarantine the e-mail for review, divert it or send it to the trash.

"Well, it's not 1984 ... this is 2002 ... and yeah, this is Big Brother," says Jeff Smith, chief executive officer at Tumbleweed Communications, which makes e-mail monitoring software used by 100 of the Fortune 500 companies.

Companies like Tumbleweed tout their products as ways for businesses to track how employees may be wasting time recreationally surfing the Web and to filter out harmful e-mails that could launch a costly virus or worm.

Tightening the Net
So how common is e-mail monitoring?

According to an industry survey in 2001, nearly 47 percent of large corporations store and review e-mail messages -- three times more companies than in 1997. What can't be quantified, however, is the number of e-mails mistakenly screened-out.

CNN showed Smith an e-mail that got bounced back to the sender by his software, a memo arranging a meeting for a charity fund-raiser. It did have dollar signs and financial company names, but otherwise appeared to be completely innocuous.

"It could have been kicked-out for compliance violation," says Smith. "Or alternatively, the software could have concluded that it was spam."

Legitimate concerns and a hard line -- administered by software.
*********************
CNN
Aerospace workers arrested for hacking
Firms temporarily banned from NASDA bids

TOKYO, Japan (AP) -- Three workers at a major Japanese aerospace company were arrested Thursday for allegedly hacking into the computer network of Japan's space agency to spy on a rival company, a Tokyo Metropolitan Police spokesman said.

Shunsuke Migita, 28, Shoichi Motohashi, 44, and Masao Amano, 40 -- all employees at NEC Toshiba Space System Co. -- were charged with illegally obtaining Mitsubishi Electric Corp.'s antenna designs for a high-speed Internet satellite from a computer at the National Space Development Agency in December, the spokesman said on condition of anonymity.

Police believe Migita figured out the password to gain access to the agency's computer system.

NASDA discovered the breach in February when Migita sent an e-mail to a list of more than 80 people boasting about it. The list included Motohashi and Amano, the agency said.

NEC Toshiba Space System, a joint venture set up by Japanese electronics giants NEC Corp. and Toshiba Corp., is developing its own satellite for superfast Internet connections. NEC and Toshiba have evenly divided work on the project.

Following the discovery of the break-in, NASDA banned both NEC and Toshiba from bidding for agency-related projects for one month.
*****************
Computerworld
Security Under the Gun


After Bruce Lobree, an information security engineer and a 20-year IT veteran, lost his job in October, he decided to work for contracting firms such as RHI Consulting in Menlo Park, Calif., while waiting out the recession. Since then, Lobree has met client after client who wants a jack-of-all-trades - someone who can administer any brand and version of firewall and intrusion detection, is network-savvy, can code and is versed in new technologies like XML, .Net and wireless.
Clients also want someone who can speak in terms of return on investment to sell projects to executives and who knows everything about the client's business, including its regulatory issues.


"I have peers going back for their MBAs," says Lobree, who has spent six months charting cross-industry regulations and standards affecting security and privacy to meet his clients' needs.

Everyone predicted that IT security jobs would be hot after the Sept. 11 terrorist attacks, but the reality is quite the opposite. Would-be employers say that their security budgets are flat, that risk and threats are rising, and that they're being asked to do more with less because of staffing shortfalls elsewhere within their IT organizations.

For example, in addition to network monitoring and intrusion detection, a security analyst might also have the security responsibilities of laid-off Windows NT and Unix administrators, explains David Foote, president and chief research officer at Foote Partners LLC, an IT workforce research firm in New Canaan, Conn.

So rather than focusing on hiring people for their specific security skills, corporate IT managers are looking inside their IT organizations for the right combination of technology and business acumen and then training workers in the ways of computer forensics, intrusion detection and incident response.

"Certifications and technical security expertise aren't my first criteria in placing a security specialist," says Mike Hager, vice president of network security and disaster recovery at OppenheimerFunds Distributor Inc. in New York. "I'm looking for other important factors: Do you understand how the business works? Can you put this in perspective of easier, better, faster and then sell it to the company? Are you a team player? Do you understand the technology basics so I can teach you the rest?"

Monitoring and Response

As at other firms, hiring at OppenheimerFunds is flat overall. But that doesn't stop Hager from dedicating existing resources to new security problems. For example, he has sent two of his team members to the University of Denver to study database security.

Hager has been assigning more training in intrusion detection and incident handling, a move that's consistent with what other firms are doing, says Bill Kasko, division director at RHI Consulting's staffing office in Dallas. Although security jobs are scarce, Kasko says he's seeing more client requests for administrators with knowledge of how to handle cyberattacks, network monitoring and intrusion-detection programs.

"Companies are looking at vulnerabilities across every bit of their organizations, even in their wireless systems," he says. "That takes a basic understanding of network topology in addition to an understanding of legal and compliance issues, which must trickle all the way down to the security analyst level."

Despite the specialized technical nature of IT security work, employers are more concerned with soft skills. For John Hartmann, vice president of security and corporate services at Cardinal Health Inc. in Dublin, Ohio, key skills include the ability to learn, build relationships and understand business requirements.

Hartmann has provided his staff with training in security policy development and implementation, compliance (particularly with the Health Insurance Portability and Accountability Act) and best practices that are the foundation of the company's vulnerability assessment program. Because he possessed the core skills Hartmann considers prerequisites, Ed Daniels was propelled from telecommunications networking manager to information protection director two years ago at Cardinal, a $49 billion medical supplies and services conglomerate. His networking management work put him in daily contact with other business units, so critical relationships already existed. On top of that, Daniels has a passion for learning, says Hartmann.

Daniels builds his own staff using a similar approach. The company's intrusion-detection analyst, who transferred from Cardinal's pharmaceutical automation group, was picked for his diverse systems and customer service background. The vulnerability assessor came from another Cardinal division, where she provided Unix and database support. She was hired for her writing and relationship-building skills. Even the two analysts hired from outside the firm had little security background.

"All my analysts have diverse backgrounds that would add something to the team," says Daniels.

Cardinal and OppenheimerFunds aren't alone in their approaches to skills building. Because of layoffs and budget cuts, IT managers are being forced to retrain existing staff on security issues, says Alan Paller, director of research at the SANS Institute in Bethesda, Md. More than 12,000 students went through the SANS Global Information Assurance Certification program last year, and Paller said he expects that number to be about 16,000 this year.

Meanwhile, the roles of senior-level security managers are also expanding, according to Tracy Lenzner, founder and CEO of security executive search firm Lenzner and Associates in Las Vegas. As is the case with other IT positions, there's very little hiring of security managers going on, she says, and those who still hold security jobs are picking up global responsibilities, particularly where government liaison and international legal issues are concerned. Security professionals with these types of responsibilities are earning salaries of $150,000 to $300,000 per year, says Lenzner, who adds that a handful of executive-level jobs even command seven-figure salaries.

"Security executives must be expert in government regulations, cyberterrorism protection, private-/public-sector partnerships like the critical infrastructure and homeland security, even physical security," she says. "So a lot of these candidates come from government backgrounds."

One such person is Charles Neal, vice president of managed security services for business hosting provider Exodus, a unit of Cable & Wireless PLC. Neal, who was promoted to the position six months ago, having joined Santa Clara, Calif.-based Exodus as director of its cyberattack "tiger team," had been a special agent in the FBI's computer crime squad in Los Angeles.

"There's great expectations within the FBI to work with embassies around the world, a necessity in the borderless Internet world," says Neal. "There's a lot of carry-over from the FBI to the private sector that people wouldn't expect."

Like his peers at Cardinal and OppenheimerFunds, Neal also looks for business and soft skills from his technical team. When he finds articulate security professionals who are good at relationship-building and have a strong work ethic, he mentors them to take over some of his own workload.

Team-building through mentoring and training are critical first moves in preparing a staff and building loyalty for what Foote predicts will be a "hiring bubble" in the first half of next year. That's when he expects CEOs, under pressure from shareholders, to fund more information security, he says. But with a short supply of IT security professionals who are savvy in both business and technology, IT security leaders should be planning their hiring strategies now, he adds.

Says Foote, "If you're not putting your rebranding plan together in security right now, that small pool of talent of hybrid security workers will be long gone when your CEO is ready to sign that check."
*******************
News.com
Pop-under ads may hit publisher wallets
By Stefanie Olsen
Staff Writer, CNET News.com


Pop-under advertisements, the oft-annoying windows that spring up after a requested Web page, might pack a financial punch to the publishers supporting them if one dot-com has its way.

ExitExchange, an ad-technology provider that is claiming rights to the invention dating back to 2000, had its patent application published by the U.S. Patent Office last week. The filing broadly covers any systematic delivery of a window launched after another, including those on devices such as cell phones. If its application is approved, ExitExchange will have rights to collect royalties on the use of pop-under ads.


That would be a direct hit to the pocketbooks of Web publishers such as NYTimes.com and ad networks such as DoubleClick, which have adopted the imposing ad format, among many other types, to better lure marketers during a tough economy. Yahoo, for example, started running pop-under ads last year amid concerns about its weakening online advertising revenue.



Pop-unders have become a kind of calling card for companies such as X10, a seller of tiny surveillance cameras, and travel site Orbitz because they can blanket the Internet with promotions at a cheaper price than direct mail. The ads are also thought to get higher response from consumers than standard display ads on Web sites.

Some ad industry executives are quick to point out that claiming rights to the invention may be a tall order, given the history of experimentation in online advertising. But patent experts say the ephemeral nature of the Internet could make it a cinch to pass the Patent Office's approval process.

Greg Aharonian, who publishes the Internet Patent News Service and works with law firms to vet patent claims, said that anyone who wants to debunk ExitExchange's application would have to find a technology or reference to the practice before 2000, or what's called prior art. This might be tricky, he said, because the descriptions for inventions or practices often change.

A Web site operator of an adult site, for example, may have used pop-under advertising prior to 2000, but the technology may not have been documented. Someone would have to find reference to such a practice in an article or journal to undermine the patent claim.

Such a daunting task is the primary reason many patent applications go unchallenged and are easily approved by the Patent Office, which only has a couple hours to review each application before making a decision, Aharonian said. Critics say this has caused a great number of patents to be passed that are based on simple, commonsense ideas that merely capitalize on the system. A child, with the help of his patent attorney father, recently seized on a patent for swinging sideways on a playground swing, for example.

"A lot of these ideas are indeed stupid, and if you have some manner of time you can find something to kill it," Aharonian said. "In fields like software, there is an abundance of prior art. But if the examiners don't have the time then they'll have to issue it."

A "more polite" ad
Andrew Vilcauskas, founder and CEO of ExitExchange, said he thought of the idea while owning and operating an Oregon-based Internet service provider in the late '90s. He said he saw several complaints from ISP customers about pop-up advertising, or ads that launch over a Web page. This gave him the idea to create a "more polite" form of advertising, which would be triggered once the Web surfer was done viewing a page. He said testing for this form of marketing began in 1998 and his company ExitExchange launched the ads in 2000.


ExitExchange has a network of about 40,000 publishers that display pop-under ads, Vilcauskas said.

"The importance of this is that pop-unders have become the flagship offering of the major portals," he said. "Our ultimate hope is that we would bring our licensees to all agree to a standard for behavior for these ads that would be palatable for the surfers out there."

FastClick, another pop-under technology provider founded in April 2000, started running the ads in October of the same year. The company has an ad network of about 4,000 publishers running the promotions.

Dave Gross, CEO of FastClick, said the company is looking into the patent claim but would not comment further.

New York Times Digital said it could not comment on the patent application. It did say that it had not heard of ExitExchange and was not aware of the application. DoubleClick and Yahoo could not be immediately reached for comment.

According to its patent application, ExitExchange is claiming rights on pop-under advertising since May 2000. Specifically, the invention "is directed to a post-session advertising system that may be used in media such as computers, personal digital assistants, telephones, televisions, radios and similar devices," according to the filing.

"A viewer initiates a load-triggering event and in response, a post-session platform is opened to display a post-session display in the background of the media," the filing reads.

Preparing to make them pay
Karen Oster, patent attorney for ExitExchange, said the company is confident that no one can claim prior art on the invention.


"All these people that are infringing--if the patent is approved the way it was published, then they would be liable for a reasonable royalty from the date at which they had actual notice of the published patent application," Oster said.

The back payments would be required by a relatively new law, the American Inventor's Protection Act, which was enacted in November 1999 and came into effect the following year. It allows for the publication of inventors' patent applications, a common practice in foreign countries, and it grants rights to the approved patent going back to the time its application was published.

This means that if the patent is approved, which could take anywhere from a year to several years, companies regularly delivering pop-unders, including DoubleClick and NYTimes.com, would need to pay royalties on the ads from the time the patent was published, Feb. 14, 2002.

Still, marketing technology companies may have a strong incentive to find a prior instance of pop-under advertising.

"That's what it's going to come down to: the claim on that one window popping up after another," Aharonian said.
************************



Lillie Coney
Public Policy Coordinator
U.S. Association for Computing Machinery
Suite 507
1100 Seventeenth Street, NW
Washington, D.C. 20036-4632
202-659-9711