[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Clips June 11, 2002
- To: "Lillie Coney":;, Gene Spafford <spaf@xxxxxxxxxxxxxxxxx>;, Jeff Grove <jeff_grove@xxxxxxx>;, goodman@xxxxxxxxxxxxx;, David Farber <dave@xxxxxxxxxx>;, CSSP <cssp@xxxxxxx>;, glee@xxxxxxxxxxxxx;, Charlie Oriez <coriez@xxxxxxxxx>;, John White <white@xxxxxxxxxx>;, Andrew Grosso<Agrosso@xxxxxxxxxxxxxxxx>;, computer_security_day@xxxxxxx;, ver@xxxxxxxxx;, lillie.coney@xxxxxxx;, v_gold@xxxxxxx;, harsha@xxxxxxx;, KathrynKL@xxxxxxx;
- Subject: Clips June 11, 2002
- From: Lillie Coney <lillie.coney@xxxxxxx>
- Date: Tue, 11 Jun 2002 14:03:31 -0400
Clips June 11, 2002
ARTICLES
U.S. Should Control Internet Body, Senator Says
House puts terrorism information sharing bill on fast track
New law takes aim at ID theft
Rust Belt States Try High-Tech
Terra Lycos Unveils New Online Music Service
White House Stressing Unorthodox in IT Security Fight
Internet Cafes Face Crackdown
Israeli Device Detects Cell Phones Acting as Bugs
Powerline networks your home
Net the newest place to hawk stolen goods
Long-lost password discovered
Proposed agency will focus more attention on cybersecurity
IBM reports storage breakthrough
Flaw reported in IE browser
Webcasters win one battle in war over internet radio
New domain name regime to go live on July 1
Boom to bust for domain name claims
Govt gives free software a run
Russians create 3D power map
Opening the Open Source debate - II
Browsing Around for New Targets
New E-Waste Solution a Mine Idea
'Grid' Computers to Simulate Terror Scenarios
IBM To Announce Chip Technology That Drains Less Power
China, Japan Signed Memorandum on Internet Technology Cooperation
Israeli companies not adequatedly prepared for disaster
Mass. roundtable panelists talk up broadband, Web security
Clarke: Homeland security revamp to help cybersecurity
EU: MS Passport is under investigation
Blind gain free access to 53 newspapers online
******************
Reuters
U.S. Should Control Internet Body, Senator Says
By Andy Sullivan
WASHINGTON (Reuters) - A U.S. senator said he would try to rein in the
group that oversees the Internet's traffic system, calling for a more
direct U.S. government role in the ostensibly international and independent
body.
Sen. Conrad Burns, a Montana Republican, on Monday said he likely would
introduce a bill to require the Internet Corporation for Assigned Names and
Numbers, also known by its acronym ICANN ( news - web sites), to give the
U.S. government more influence in managing the domain-name system. The
system lets Internet users navigate the Web with easy-to-remember names
like " www.example.com."
If ICANN failed to cooperate, Burns said, it could be stripped of its
authority when its contract comes up for renewal this fall.
In a statement released two days before a Senate subcommittee is scheduled
to hold hearings on the global body, Burns said the change was necessary
because ICANN has exceeded its authority, does not operate in an open
fashion, and is dangerously unaccountable to Internet users, businesses and
other key interest groups.
"The U.S. needs to ensure ICANN operates with the same sort of internal
processes as in any other federal agency," he said.
ICANN is not a part of the U.S. government, but operates under a 1998
contract with the Department of Commerce that requires it to meet several
conditions before it assumes full control of the domain-name system.
But it is uncertain whether ICANN will ever meet those conditions and
obtain full control, according to a congressional investigator's prepared
testimony obtained by Reuters.
Criticism of ICANN comes from many quarters, not just U.S. politicians.
Dozens of other governments have charged ICANN with being too dominated by
U.S. interests, while the domain-name industry and grass-roots
"cybercitizens" have raised their own grievances.
PROGRESS SLOW ON MANY FRONTS
ICANN has introduced competition into the domain-name business, driving
down Web-site registration prices from around $50 to $10, according to
testimony prepared by Peter Guerrero, a director of the General Accounting
Office ( news - web sites), the investigative arm of Congress.
But it has made little progress toward fulfilling other requirements such
as boosting security of the domain-name system and setting up an inclusive
governance process, Guerrero said.
ICANN has made little progress in formalizing relationships with other
volunteer groups that oversee aspects of the domain-name system, he said.
"Until these issues are resolved, the timing and eventual outcome of the
transition effort remain highly uncertain, and ICANN's legitimacy and
effectiveness as the private-sector manager of the domain-name system
remain in question," Guerrero said in his written testimony.
Guerrero also took the Department of Commerce to task for what he called
its informal, hands-off approach to ICANN oversight, and recommended that
Commerce issue periodic progress reports.
ICANN President M. Stuart Lynn declined to comment on Burns' proposal,
saying he would wait until the bill was actually introduced.
"We respect Sen. Burns' interest in ICANN, and we'll have to see what
evolves," said Lynn, who is scheduled to testify on Wednesday before the
Senate science, technology and space subcommittee, on which Burns sits.
Lynn said Commerce exercises considerable oversight, noting that the group
cannot add new "top-level" domains to join the likes of ".com" without the
federal agency's approval.
A Commerce official declined to comment ahead of the hearing, when
Assistant Secretary Nancy Victory is also scheduled to testify.
ICANN has struggled over the past several years to figure out exactly how
it should function and who should participate. After direct elections open
to any Internet user filled five of 19 board seats, the board of directors
in March ruled out further elections.
An official reform committee released its blueprint last week, which will
be considered when ICANN next meets at the end of the month in Romania.
*******************
Government Computer News
House puts terrorism information sharing bill on fast track
By Wilson P. Dizard III
The Bush administration and leaders of both parties in the House are
working with the Judiciary Committee to rush through a bill that would
require the CIA, the FBI and other federal intelligence agencies to share
information with state and local police.
The Judiciary Subcommittee Committee on Crime, Terrorism and Homeland
Security approved the Chambliss-Harman Homeland Security Information
Sharing Act June 4, two days before President Bush unveiled his plans for a
Homeland Security Department. The full committee is set to mark up HR 4598
at 10 a.m. Thursday.
The bill would eliminate stovepipes that prevent information sharing among
state and federal agencies charged with fighting terrorism, its House
sponsors said.
Rep. James Sensenbrenner (R-Wis.), Judiciary chairman; Rep. Nancy Pelosi,
(R-Calif.), the Democratic whip; and 28 other lawmakers have endorsed the
bill. Rep. Saxby Chambliss (R-Ga.) co-authored the legislation with Rep.
Jane Harman, (D-Calif.). Neither of the bill's authors serves on the
subcommittee, but both are members of the House Permanent Select Committee
on Intelligence's Subcommittee on Terrorism and Homeland Security.
The bill also would direct the attorney general and the CIA director to
develop procedures for information sharing via existing networks, such as
the National Law Enforcement Telecommunications System, after stripping
intelligence data about sources and methods. Further, it would increase the
number of security clearance investigations at the state and local levels
to ease concern about distributing classified information.
The bill would mandate the use of declassification methods similar to those
now used to share intelligence with NATO and Interpol members.
"While we have enhanced the capabilities of the federal, state and local
officials to prepare and respond [to terrorism], as a nation, we still lack
a coherent, effective and efficient way to share sensitive intelligence and
law enforcement information among those who need to know," Chambliss said
at the subcommittee hearing. "Our police officers, firefighters, sheriff's
offices, medical personnel and elected officials must be informed of
threats that exist in their communities so that they are able to protect
the citizens in their own towns."
The Office of Homeland Security and the CIA helped draft the bill.
*******************
San Francisco Gate
New law takes aim at ID theft
Businesses nationwide are scrambling to comply with a new California law
that sharply limits the use of Social Security numbers to identify customers.
The law, which takes effect July 1 for most companies, is designed to
thwart identity theft. Another provision of the law makes it easier for
consumers to alert credit bureaus when they think their identity is at risk.
Beginning Jan. 1, a third provision will let consumers temporarily freeze
all access to their credit reports.
Under SB168, companies cannot:
-- Post or display SSNs.
-- Print them on identification cards or badges.
-- Print an SSN on anything mailed to a customer unless it's required by
law or the document is a form or application.
-- Require people to transmit an SSN over the Internet (through e-mail, for
example) unless the connection is secure or the number is encrypted.
-- Require people to log on to a Web site using an SSN without a password.
Although the SSN restrictions apply only to accounts opened in California
after June 30, many companies are adopting the new rules for all customers
-- old and new, in every state.
Companies say it's simpler to have a single system. Also, companies that
continue using SSNs for old accounts must give customers an annual
opportunity to opt out. Finally, it's only a matter of time before other
states -- and possibly the federal government -- follow suit. Four states
have bills pending that would restrict the use of SSNs.
The California law has several exceptions:
-- Health care and insurance companies have until Jan. 1 to comply with the
new rules (except the one prohibiting SSNs on ID cards) for individual
policy holders. After Jan. 1, 2004, they must comply with all the SSN
restrictions for new individual policy holders and new group polices. By
July 1, 2005, they must comply with all restrictions for all existing
policies.
-- The law does not apply if a state or federal law requires an SSN on a
document. That means SSNs will still appear on federal and state tax forms
and employee pay stubs.
-- Private schools and colleges have to comply, but public ones don't.
However, the University of California and the California State University
systems are already moving away from using SSNs as student ID numbers.
-- Companies may still use SSNs to identify customers internally.
The American Benefits Council, which represents large employers that
sponsor health and pension plans, recently held a conference call to
educate members about the new law.
"It had the biggest response to any call we've ever had," says John Scott,
the council's director of retirement policy. "This is a big issue. The use
of SSNs is pervasive in retirement plan administration. To modify your
systems to comply with this law is a huge effort."
J.P. Morgan/American Century Retirement Plan Services began preparing for
the law in November and hopes to finish testing its new system this week.
It will continue using SSNs to identify all customers internally, but not
externally, using a product known as an invisible font.
"The printer prepares an index for us on CD-ROM that's sorted by Social
Security number. No Social Security number will show up on the statement
sent to individuals. But if someone calls in with a question, we can look
up the account on the CD-ROM," says Robert Holcomb, a vice president with
the firm.
Scott says other companies are using truncated or encrypted SSNs. He says
at least one is embedding customer SSNs in the middle of a bar code that
will appear on customer statements.
Many small companies "are only now trying to figure out how to comply,"
Scott says.
He says there could be some mistakes as companies switch to a new system,
"especially at the rollout. There's also the possibility of people being
overly cautious and not sending all the information that should be sent out."
Companies that fail to comply with SB168 are subject to general unfair-
business-practice penalties.
SECURITY ALERTS
SB168, sponsored by Sen. Debra Bowen, D-Marina del Rey, also establishes
uniform requirements when consumers post a security alert to their credit
file.
A security alert warns lenders that a person may be a victim of identity
theft.
This provision, which also takes effect July 1, requires the three major
credit bureaus to provide a provide a toll-free telephone number for people
to place security alerts and to place the alert in a consumer's credit file
within 72 hours of receiving it.
The alert must remain in place for at least 90 days, and credit bureaus
must offer consumers a free credit report at the end of 90 days.
The toll-free numbers for the credit bureaus are Experian, (888) 397-3742;
Equifax, (800) 685-1111; and Trans Union, (800) 888-4213.
A security alert is advisory only. It encourages but does not require
lenders to take extra precautionary measures to verify a person's identity.
Sen. Bowen has sponsored a new bill, SB1730, that would force businesses
that access a credit report to take certain steps to communicate with a
person who placed a security alert to make sure he or she is not an
identity thief. That bill passed the Assembly Banking Committee 8-3 Monday
and now moves to the Assembly judiciary committee. It passed the Senate 24-11.
CREDIT REPORT FREEZE
Beginning Jan. 1, SB168 will let consumers freeze access to their credit
reports.
The freeze prevents thieves from getting credit in your name, even if they
have your SSN, address, birth date and other identifying information. It
also prevents unwanted companies from prying into your credit report.
But it also could prevent you from getting a loan because most lenders
won't extend credit without a credit report.
If you're going to be shopping for a loan and you have a freeze on, you can
allow your credit report to be released during a specific period of time,
to specific lenders or to lenders who have a secret code you give them.
It could take up to three business days to have a freeze lifted, so if you
get a weekend whim to buy a Mini Cooper, you could be out of luck.
To read SB168 or SB1730, go to democrats.sen.ca.gov/senator/bowen/ and
click on Legislation.
*******************
Associated Press
Rust Belt States Try High-Tech
Mon Jun 10,10:03 PM ET
By BEN DOBBIN, Associated Press Writer
ROCHESTER, N.Y. (AP) - Early in his career at Bell Labs in New Jersey,
Wayne Knox tethered the speed of light, determining how to make a laser
beam flash on and off in eight quadrillionths of a second.
That achievement helped speed digital communications, and earned Knox
mention in the Guinness Book of Records.
Lured back to his hometown and alma mater a year ago, Knox is now viewed as
a brainy beacon who could help play a vital role in widening New York's
slice of America's high-tech pie. Already, the University of Rochester
professor has hired three topflight researchers in biomedical and
communications optics.
State capitols from Albany to Lansing, Mich., duking it out to build the
next money-spinning research hub, are actively recruiting star scientists
like Knox as they lay down heavy bets on optoelectronics, bioinformatics
and other odd-sounding hybrid industries they hope will be their ticket to
success in the 21st century.
New York alone is investing a record $250 million this year to build four
"Centers of Excellence" geared to link up top talent in industry and
academia and serve as magnets for investment.
Some regard the strategy as crucial in helping struggling cities
re-engineer Rust Belt economies at a time when manufacturing is in free
fall. For its part, New York lost 40,000-plus manufacturing jobs from 1997
to 2000, more than any state.
Nationwide, state government sponsorship of high-tech research became much
more substantial in the early 1980s as global competition forced big
companies to dispense with discovery-level research and rely more heavily
on academia.
Great Lakes states began putting aside up to $20 million a year to begin
the often painful switch from smokestacks to science. But the biggest wave
of state investment carried nearly all states with it in the late 1990s.
Using tobacco settlement funds, Michigan is investing $1 billion over 20
years to create a life-science corridor between Detroit and Ann Arbor.
Pittsburgh, Atlanta, Indianapolis and Kansas City are trying to carve out
niches in the life sciences.
Although slowed by the recession, state ventures have remained vigorous and
varied, funded in myriad ways: technology incubators, venture capital
programs, tax credits, improved access to higher education.
Some regions look to mimic models like Research Triangle Park in North
Carolina, which drew much of its success from commercializing technology
developed by academia. Others hope just to keep pace.
Failures are inevitable but "if you don't make the investment, clearly
you're not going to go anywhere," said Dan Berglund of the State Science
and Technology Institute in Westerville, Ohio. "Even if the research
doesn't pan out you're going to have a work force that's better educated,
has a higher level of skills and will be able to compete in the global
economy."
States that offer a comprehensive package of incentives are likely to come
out on top, he said.
Two years ago, the newly created New York State Office of Science,
Technology & Academic Research quickly dispensed $102 million to establish
13 academic research centers, eight focusing on biotechnology.
Its Centers of Excellence will involve dozens of universities focusing on
regional strengths nanoelectronics in Albany, information technology on
Long Island, photonics in Rochester, bioinformatics in Buffalo and draw
much of their funding from industry led by titans like IBM and Eastman Kodak.
One linchpin, most agree, is getting universities to move bright ideas to
the marketplace. The University of Rochester boosted its
technology-transfer revenues from $3 million in 1999 to $40 million last year.
Another is recruitment, where science stars like Knox come in.
Born in 1957, Knox designed his first ultrafast laser at age 17 while
working a summer job at the University of Rochester. A year after joining
Bell Labs in 1984, he generated the world's shortest laser pulse.
Think of the milestone this way: In just over a second, light can race from
Earth to the moon; each time Knox's experimental laser blinked, the light
had traveled a mere one-tenth the thickness of a human hair.
The more on-off repetitions in a fiber optic system, the backbone of
digital telecommunications networks, the more rapidly information can be
transmitted.
In 1997, Knox achieved further distinction. His research team sent 1,021
separate wavelengths of light traveling down a single optical fiber 64
times the number used by most commercial networks today.
"The world will have to prepare for a time when everybody has a high-speed
connection," said Knox, who heads the University of Rochester's venerable
Institute of Optics, mixing teaching with research with the help of a $1
million state grant.
Knox is a firm believer in the economic power of the broadband revolution.
"Some people think if we all had broadband it could be worth $300 billion
or $400 billion a year. This by itself could pull the entire U.S. economy
out of recession."
*******************
Associated Press
Danish Publishers in Court Over Links
Mon Jun 10, 7:27 AM ET
By ANICK JESDANUN, AP Internet Writer
Nicolai Lassen considers linking such a fundamental element of the World
Wide Web that he sees nothing wrong with creating a service around linking
to news articles at more than 3,000 other sites.
Danish publishers, however, equate such linking with stealing and have
gone to court to stop it.
The case, scheduled for hearings in Copenhagen later this month, is among
the latest to challenge the Web's basic premise of encouraging the free
flow of information through linking.
Requiring permission before linking could jeopardize online journals,
search engines and other sites that link which is to say, just about every
site on the Internet.
If the Web's creators hadn't wanted linking, "they would have called it the
World Wide Straight Line," said Avi Adelman, a Web site operator involved
in a dispute over linking to The Dallas Morning News.
Most of the court cases and legal threats have been over a form of
hypertext-connecting called deep-linking, by which you simply connect users
to a specific page rather than a site's home page.
Such disputes reflect "a frustration certain people have with a loss of
control" once they post something, said Michael Geist, law professor at the
University of Ottawa.
Lassen's Newsbooster service tries to make news stories easier to find by
presenting links to items with keywords of a user's choosing. It's much
like a search engine, except Newsbooster charges a subscription fee and
lets users choose to automatically receive links by e-mail.
"From the home page down to the actual story you want to read can be a
very, very long way," said Lassen, Newsbooster's editor-in-chief. "By using
a technology such as Newsbooster, you save a lot of time."
The Danish Newspaper Publishers' Association believes Newsbooster should
either shut down or negotiate payments.
"We consider it unfair to base your business upon the works of others,"
said Ebbe Dal, the group's managing director.
Not that opponents of deep-linking always object to it.
Dal thinks its OK for a newspaper to offer a deep link or two accompanying
an article, or for search engines to help users navigate.
Belo Corp. likewise prohibits deep-linking to its sites, including the
Morning News. But one of its newspapers, the Providence Journal, maintains
an online journal that deep links to other sites.
Belo spokesman Scott Baradell was quoted by several news organizations as
saying the company isn't against all deep-linking. But he would not offer
specifics on why it objects to deep links to Morning News articles on
Adelman's non-subscription site, which covers local Dallas affairs.
Contacted by The Associated Press, Baradell said he would have no
additional comment.
Reasons for opposing linking vary.
In a federal lawsuit, Homestore.com Inc. complains that Bargain Network, by
deep linking to Homestore's real estate listings, interferes with its
opportunities to sell advertising.
Others, like the Council of Better Business Bureaus, worry that a
link deep or otherwise can imply endorsement, even if it reaches nothing
more than a page with tips. The organization has persuaded thousands of
sites to remove links to its Web pages, citing trademark claims.
But to Web purists, a link is no more than a footnote or a page reference.
To ban deep-linking, they say, is to prohibit newspaper readers from going
straight to the sports pages because they might miss advertising in the
front section.
Beside, linking is a way for sites to boost traffic.
"Historically at least, there has been a tradition that if you put
something up on the World Wide Web, it would be a public resource," said
Matt Cutts, a software engineer at Google. He said Google removes links
when asked, though few sites request it as most want to be found.
Early U.S. court decisions have sided with deep-linking. Exceptions are in
cases of framing, where a site tries to make information from other sites
appear as its own, and ones involving links to tools that circumvent
anti-piracy measures built into commercial software.
"It was one of those issues that people thought was more or less settled,"
said Jorge Contreras, vice chairman of the Internet Law Group at Hale and
Dorr firm. "For whatever reason, these last couple of months, a spate of
new disputes have come up."
If they are resolved in favor of plaintiffs opposed to deep-linking, legal
experts say that could encourage more lawsuits and more moats going up
around certain Web sites.
Several sites, including the Belo papers, Overnite Transportation Co.,
ACNielsen research firm and KPMG International, ban all or some
deep-linking. The International Trademark Association and The Washington
Post reserve the right to prohibit it on a case-by-case basis.
The Albuquerque Journal and American City Business Journals have attempted
to charge for the right to deep link. Although editors acknowledge they
won't take action against casual deep-linkers, they say a handful have been
willing to pay $50 in Albuquerque's case.
"There are some companies that would rather pay to get a piece of paper and
get that blessing," said Donn Friedman, the Albuquerque paper's assistant
managing editor for technology.
Technology exists for sites that truly want to block deep-linking.
For example, the news site for The Associated Press, The WIRE, checks what
site a user comes from. If it isn't a site authorized to use deep links,
the user is automatically directed to a default page and required to enter
through one of the AP's member newspapers or broadcasters.
Other sites can require registration or paid subscriptions.
Though Web site operators don't always like technical blocks, they prefer
that to a legal environment where a ban is presumed and permission must be
sought each time.
Weldon Johnson of LetsRun.com, involved in a dispute this spring with
Runner's World magazine, said that as long as sites keep the doors open,
"it's totally wrong for them to say you have to link to certain pages."
*******************
Reuters
Terra Lycos Unveils New Online Music Service
Tue Jun 11,12:07 AM ET
By Reshma Kapadia
NEW YORK (Reuters) - Spanish Internet media company Terra Lycos on Tuesday
launched an online radio-style music subscription service that will offer
music from four major record labels.
Terra Lycos said it partnered with Listen.com to create the new Web
service, Lycos Rhapsody, which will offer access to more than 10,000
albums. The service does not let users download the music or record it on
CDs, but plans to offer that capability later.
"This is another step in the evolution of the digital music market," said
Gartner2Media Research Director P.J. McNealy.
Online music efforts by record companies have not resonated strongly with
Web surfers. After being spoiled by the range of artists and possibilities
that online-music swapping service Napster ( news - web sites) offered for
free, many Web surfers have been turned off by the price and limits of the
services backed by record labels.
Listen.com has struck deals with Bertelsmann AG ( news - web sites)'s BMG,
Sony Corp ( news - web sites).'s Sony Music Entertainment, EMI Group Plc (
news - web sites)'s EMI Recorded Music and AOL Time Warner Inc.'s Warner
Music Group, as well as many independent labels.
Listen.com Chief Executive Scott Ryan said the company was also in talks
with Vivendi Universal's Universal Music unit .
Like many Internet media companies, Terra Lycos is feeling the sting from
the sharp downturn in advertising spending. Lycos Rhapsody is the company's
latest effort to shift away from ad revenues toward paid services.
Internet media companies "are looking for any add-on service that means
more revenues, and every single (Internet media) company is trying to
transform their business into an entertainment source, not a data source.
Music is the first step," said McNealy.
Listen.com's Ryan said the company would introduce CD-burning capability
later this year.
"We are working with Lycos on that," Ryan said. "For right now, there are a
substantial amount of people who listen online, and we have to address them."
When the service does offer CD-burning capability, Listen.com will have to
renegotiate the licenses with the record labels. Ryan said he was already
engaged in such talks.
Terra Lycos will give Web surfers free access to the service until June 30.
After that, users will be able to choose one of three tiers of service. The
free tier will offer 20 different radio stations with FM-quality sound.
The second tier, which company executives likened to "basic" cable, will
let users access more than 50 commercial-free radio stations with
CD-quality sound and the ability to skip tracks, at a cost of $5 a month.
The last tier will cost about $10 a month and allow for unlimited music via
more than 50 commercial-free radio stations with CD-quality sound and the
ability to skip tracks and save them to a library.
"It's building on the base of music services we've offered in the past,"
said David Pritchard, senior director of music, TV and film for Terra
Lycos. "Obviously, we have to keep running and so we want to stay on the
leading edge of music services that are being offered online.
********************
Washington Post
White House Stressing Unorthodox in IT Security Fight
Brian Krebs
The Bush administration is playing "dirty" with the private sector in a
roundabout attempt to fortify the nation's computer security defenses, the
White House's cybersecurity czar said today.
Richard Clarke, the president's special adviser for cyberspace security,
said unorthodox approaches may be needed to get the attention of companies
that own and operate the infrastructure of the Internet yet do not respond
to the administration's self-regulatory, hands-off approach to cybersecurity.
The administration has been talking to insurance firms about the idea of
writing cybersecurity insurance for companies, Clarke said, offering an
example of one carrot-and-stick approach.
The catch, however, is that the coverage would only be available to
companies that meet certain criteria developed by the insurance industry
and the private sector.
"Some of what we do may be a little dirty, but we're doing it," Clarke said
at the Networked Economy Summit in Reston, Va.
Clarke's office also has been quietly talking about the possibility of
fostering a private sector certification program for information technology
security companies.
"How do you know - when you hire an IT security company to do a
vulnerability assessment - that they know what they're doing?" Clarke
asked. "Maybe there should be an outside process to certify those vendors."
The proposals come as the Bush administration is preparing its "national
strategy" for protecting the nation's most vital computer networks from
cyberattack.
Clarke and his advisers have been conducting town meetings across the
country meetings to raise awareness about the issue, and last week his
group met with three dozen university officials to discuss their role in
protecting the nation's critical infrastructures and to gather input on the
administration's plan.
The White House had earlier said it would release its national plan by
mid-summer. But Clarke said today the release date would be pushed back to
the end of the summer or mid-September.
Administration officials are currently focused on realigning responsibility
for cybersecurity within the new proposed Homeland Security Department.
Clarke said the administration hopes the new cabinet-level agency will be
the future home of several federal cybersecurity programs, including the
FBI's National Infrastructure Protection Center, the Commerce Department's
Critical Infrastructure Assurance Office, the Government Services
Administration's FedCIRC, and the Defense Department's National
Communications System.
********************
Los Angeles Times
Internet Cafes Face Crackdown
Safety: After shooting death, officials in Garden Grove say they'll step up
enforcement.
By DANIEL YI
TIMES STAFF WRITER
June 11 2002
After the weekend murder of a 14-year-old boy who had visited a local
Internet cafe, Garden Grove officials said Monday they will step up
regulation of such businesses and consider further restricting their operation.
Police also said they would patrol the cyber cafes more carefully.
"We will put some teeth into our ordinance," said Garden Grove Mayor Bruce
Broadwater, who met with council members Sunday in an emergency session to
discuss the issue. "We are going to be very, very tough" on cyber cafes.
The cafes, also called PC rooms, have grown in popularity across the
country, especially with young people, who play computer games and surf the
Internet for hours.
But officials in Garden Grove and elsewhere say the establishments also
attract violence.
Early Saturday morning, Edward Fernandez, whom relatives described as an
average boy who loved sports, was gunned down near his home after he was
apparently followed from I.C.E. Internet Cafe on Brookhurst Street.
In December, a 20-year-old was stabbed to death outside another Garden
Grove Internet cafe.
The City Council passed an ordinance in January that restricted hours of
operation and put a moratorium on new cyber cafes. The city has about 20.
Cyber cafes must close by 2 a.m., and, among other things, install security
cameras to monitor customers, the ordinance says. No minors are allowed
during school hours, past 10 p.m. Fridays and Saturdays and past 8 p.m. on
other days. The city also has a 10 p.m. curfew for minors.
Police say Edward and some friends were at I.C.E. past curfew time. The
cafe's manager and part owner, Quang Nguyen, said the boys had been there
earlier in the evening but left before 10 p.m.
He said he does not allow minors after hours and that he told Edward and
his friends when they returned shortly before midnight that they had to leave.
Police said Edward and the friends exchanged dirty looks with the
passengers in a black car outside I.C.E. The car followed Edward and three
friends who had taken a cab.
Witnesses said a passenger from the black car shot Edward several times as
he was preparing to pay the cab driver.
Police are still searching for the suspects.
I.C.E. has a security video system, but when detectives asked for the tapes
from late Friday, Nguyen was unable to provide them. City officials said
I.C.E. will be fined for that violation and for allowing minors in the
business past 10 p.m.
Nguyen said Monday the lack of tape was an oversight.
"That was a mistake on our part," he said, saying the cafe uses its
security cameras sporadically. "There were a lot of things going on that
night."
Among other things, Nguyen said, suspected gang members were loitering in
front of his cafe about 11 p.m. He called police, but when they arrived,
the young men left. Nguyen said police found no minors in his cafe, which
has signs warning youngsters about the time restrictions. More regulation,
he said, is not the solution.
"The kid happened to be here," Nguyen said of Edward. "He could have been
anywhere else. He could have been coming back from the movies and kids who
didn't like him would have followed him."
Broadwater disagreed.
"We don't see this as a fluke anymore," he said referring to the two
killings associated with cyber cafes.
The City Council next week will consider further curtailing hours of
operation for Internet cafes and creating a task force to study ways to
enforce the law.
"We cannot post an officer on every cafe," police Sgt. Scott Hamilton said.
"The kids are smart. They know which managers are lax."
Still, Hamilton said his department will increase patrols around cyber cafes.
*******************
Los Angeles Times
Computer Users' Time on Internet Up 13%
Bloomberg News
June 11 2002
The time computer users spent online in the last year rose as the number
and length of Internet sessions increased. Time spent on the Internet each
month rose almost 13% to 9 hours and 17 minutes from 8 hours and 15 minutes.
The average number of sessions per month in 21 countries increased to 18
sessions from 16 sessions in the year ended April 2002, according to
Nielsen/NetRatings.
*********************
New York Times
Israeli Device Detects Cell Phones Acting as Bugs
TEL AVIV (Reuters) - Imagine your company is holding secret talks to buy
another firm when your main competitor suddenly snaps it up from under your
nose, apparently aware of all the details of the negotiations.
While you instigate a widespread investigation, the culprit could be
nothing more sinister than a cell phone ``accidentally'' left in the corner
of the room, placed in a plant pot or taped under the boardroom table.
With a slight modification, cell phones become high-quality bugs. An owner
can call the phone from anywhere in the world without it emitting a ringing
tone while its screen remains blank, apparently turned off.
``The beauty of the cell phone as a bug is that it's an innocent looking
and ubiquitous object,'' said Ben Te'eni, co-founder of Netline
Communications Technologies, which has developed a device for detecting
cell phone communications, especially from cell phones in apparently
dormant mode.
``People trust cell phones, but modified and left in idle mode the cell
phone can be used as a transmitter for up to a week. If it's connected to a
power supply it can provide endless intelligence. Professional bugsweepers
will ignore the cell phone frequency since the phones are so common and not
suspicious.''
The drawback for cell phones and what enables Netline to catch them out,
however, is that they periodically transmit a signal to their base station.
With Netline's small Cellular Activity Analyzer (CAA) device left in a
boardroom before or during crucial meetings, cell phone activity is
detected and recorded with a visual and audio warning emitted.
``I can leave the CAA in the office before important meetings and it will
tell me if there's a cell phone in the room,'' Te'eni said. ``I can also
leave it in the room overnight or for a number of days (after a meeting) to
see if a bug has been left behind.''
INTELLIGENCE BACKGROUND
Like many Israeli high-tech company heads in the telecoms sector,
33-year-old Te'eni and his co-founder Gil Israeli, 34, are graduates of an
army intelligence unit. Te'eni was unwilling to elaborate on his army
service or Netline's client list.
Having worked for state-owned Israel Aircraft Industries after leaving the
army, the pair decided to branch out on their own and set up Netline in 1998.
Their first product was a jamming device which prevents cell phone calls in
chosen areas of a building or in the open air, which Te'eni said has been
sold to defense agencies of ''blue chip governments'' around the world.
``The jammer can be used by bomb squads or VIP security services to prevent
the detonation of bombs by cell phones,'' Te'eni said.
``We have also sold to prisons because top criminals are known to continue
their operations or coordinate testimony using smuggled-in cell phones. In
Brazil, riots were synchronised in five prisons using cell phones and in
Paris a prisoner escape was coordinated using cell phones.''
Te'eni compared the innocent-looking and simple cell phone with the
cardboard cutters used by hijackers of the planes used in the September 11
attacks in the United States.
Both have non-lethal and everyday uses that are positive, but can also make
life easier for criminals.
``A phone can remotely activate a bomb or be used for tactical
communications such as a terrorist act, bank robbery, hostage situation or
kidnapping,'' Te'eni said. ``There are so many negative ways for using cell
phones which is why the ability to jam them is crucial.''
PASSIVE MARKETING
Describing Netline's marketing as ``passive'' -- ``customers come to us
rather than us going to them'' -- Te'eni said much of the firm's sales were
from word-of-mouth recommendations.
``There are many security consultants and they know how to find us,'' he
said cryptically, adding that Netline had sales last year of $1 million-$2
million.
As for the future, Te'eni said Netline, like many technology firms in the
current global slump, was not ``dreaming big dreams'' but looking for
steady growth as security officers become more open to questioning
long-standing operational methods following the September 11 attacks on the
United States.
``We want to find foreign strategic partners for selling our solutions
worldwide to defense and espionage agencies. Security people are
second-guessing themselves all the time now so the future looks good,''
Te'eni added.
*******************
San Francisco Gate
Powerline networks your home
Imagine that all the hassle associated with computer networking --
adapters, cables and the configuration issues -- suddenly disappeared, and
all you had to do to connect multiple PCs to each other and to the Internet
was to plug their power cords into an ordinary AC wall outlet.
We haven't reached that happy state yet, not by a long shot. But this
spring, the networking industry has taken a long step in that direction,
with a new generation of gear that finally makes what's known as "powerline
networking" a reality.
Based on a year-old specification called HomePlug, these new products turn
the AC wiring already built into the walls of your home or office into a
local- area data network. You still need to add an adapter to each computer
you want to connect -- HomePlug doesn't, at least for now, work through the
same cable and power supply that provide the juice to run the machine.
But you don't need to open the box -- just plug a videocassette-sized
external device into a USB or Ethernet port, then into a separate wall
jack. And once you've done that, the adapter will translate the data coming
from your computer into a signal that travels over the AC wires, using a
different frequency than -- and not interfering with -- the ordinary
current coursing through the same wire.
This isn't exactly a new idea -- three years ago, I reviewed an earlier
generation of products that were supposed to do the same thing. But those
were slow and unreliable and soon disappeared from the market, whereas the
products I tried this time -- the Instant PowerLine series, from Linksys, a
well-known vendor of home and small-office networking gear -- create a
speedy and, as far as I've been able to tell, rock-solid connection, even
in my 96-year-old home.
And while the early products were based on proprietary technology from
small companies, HomePlug is a standard that's been adopted by scores of
vendors, including such heavyweights as Cisco Systems, Motorola and Texas
Instruments -- not to mention the RadioShack chain. I tested only the
Linksys products, which were first to market, but other vendors are also
supporting the HomePlug standard, and the trade association behind the spec
-- the HomePlug PowerLine Alliance -- certifies products based on it to
ensure they work together.
If you have more than one computer at home or in the office, there are many
reasons you might want to network them -- to share files and printers, for
example. But for most people the case gets compelling only when you have a
high-speed Internet connection -- once you've got everything networked,
users can enjoy the benefits of broadband from any of the connected machines.
Remember, though, that simply linking your machines to each other, over AC
or anything else, doesn't get them on the Internet -- for that you have to
have a cable or DSL line and modem, and if you want multiple machines
connected it, you need another device called a router. Powerline networking
comes into play after you've got all that set up, when you want to provide
fast Internet access for other computers that aren't already wired up to
the router.
Suppose, for example, that you have a DSL line hooked up to a router in a
downstairs den and a PC in the same room plugged into the router. That way,
your connection is plenty zippy. The only problem is that your kids keep
grabbing the machine away from you, because they're fed up with the slow
speed of the dial-up connection they have to use when they're on their own
PC in the upstairs bedroom.
What powerline provides is a painless way to give them access to the same
high-speed connection you use. All you have to do is plug a powerline
Ethernet bridge into the router and into an AC outlet in the den, then
connect a USB PowerLine adapter or a second Ethernet bridge to the kids'
computer.
(Eventually, Linksys and other vendors will offer routers with a HomePlug
powerline connector built in, so you'll need a separate powerline adapter
only for the computer you want to connect. Linksys won't have such a combo
device until this fall, though, and as far as I know, no other company has
released one yet.)
CONSIDERING THE ALTERNATIVES
Granted, there are already several other good ways to create a home or
small-office network, but powerline has some advantages over each of them:
-- Compared with the classic approach -- running Ethernet cabling -- the
big benefit of powerline is obvious: no new wires required, so no need to
rip open floors or walls or to leave cables exposed. And as long as your
computer has a USB port or two, you don't even need an Ethernet adapter.
-- Compared with wireless networking, based on the hot Wi-Fi (802.11b)
standard, the big difference is range. Wireless LANs normally work within a
radius of 100 to 200 feet from their base station or access point, but if
there's a lot of obstruction -- from appliances or metal file cabinets, say
-- the actual coverage area may be less, and often deteriorates toward the
outer limits of the range.
HomePlug powerline gear, by contrast, is supposed to work at distances of
up to 1,000 feet. My house is nowhere near big enough to test that claim,
but I had no problems creating powerline connections in corners of my home
that are beyond the range of my wireless equipment.
Powerline networks are also faster than Wi-Fi -- HomePlug is supposed to
move data at 14 Mbps, compared with a maximum of 11 Mbps under the 802.11b
standard. You won't notice any difference when surfing the Web because both
technologies offer far more bandwidth than even the fastest standard cable
or DSL connection. But if you spend a lot of time moving big files around
your home network -- say, copying MP3 files from one PC to another --
HomePlug will definitely cut the wait perceptibly.
In addition, powerline networking seems to be free of the security concerns
that have cast a shadow over the Wi-Fi world. Passers-by outside your home
can't simply tap into an AC LAN, as they can with an unprotected wireless
network. And to protect your data from anyone who does manage to plug into
your wiring, the HomePlug specification includes 56-bit DES encryption.
Perhaps some hacker or grad student will eventually find flaws in this
spec, as happened with 802.11, but there have been no such vulnerabilities
reported yet.
Wi-Fi, on the other hand, has a couple of big pluses over powerline
networking: First, notebook owners can add Wi-Fi just by installing a
credit card-sized PC card inside their machine. It's not yet possible to
make a HomePlug adapter that small, so the only choice is an external box.
It's not big as computer gizmos go, but it's not something you'd want to
carry around with your notebook.
Second, Wi-Fi works in appropriately equipped laptops even when they're not
plugged into an outlet. That's a pretty compelling advantage.
Altogether, if the only machine you're trying to network is a notebook, Wi-
Fi is probably the better choice.
(If you want to connect two or more desktop machines plus a laptop, you can
easily combine Wi-Fi and powerline networks.)
-- It's also possible to build a data network over your existing phone
wiring -- the HPNA (for Home Phoneline Networking Alliance) standard makes
it possible for computers plugged into your phone jacks to share
information even when you're talking on the phone. Products based on
version 2.0 of that spec work quite well.
There are two good arguments for preferring powerline, though. Most
obviously, many rooms don't have phone jacks, but almost every room has an
AC outlet. Second, in many homes, phone jacks in different rooms are wired
for different numbers, but HPNA networking works only among outlets that
share the same circuit.
If those are not issues in your situation, you can save a little money by
opting for HPNA. The list price for both of the Linksys Instant PowerLine
products -- the USB Adapter and the EtherFast 10/100 -- both have a list
price of $150, but they're widely available for about $100 each, and
bargain hunters can find them on the Web for less than $80. USB adapters
for HPNA are down to $50 or even less, while for those willing to open
their PCs, HPNA PCI cards are even cheaper than that.
A note to my Mac friends: Linksys' USB powerline adapter doesn't work at
all with Apple hardware, but the Ethernet bridge does -- I tried it right
out of the box with my iMac, and it worked fine. Since all Macs have had
Ethernet ports for years, that's not much of a problem.
There's just one caveat. All Linksys powerline devices ship with the same
encryption password, so they can talk to each other. But if you're
concerned about the possibility of an intruder tapping into your powerline
network, it makes sense to change the password (as long as you do so for
all the powerline devices on your network).
To do that, you have to run a small program called the Security
Configuration Utility, and that's available only for Windows. But if you
have access to even one Windows PC, you can change the password on all your
powerline devices there. Then connect them back up to the Mac, and they'll
continue to work normally.
IF COMPUTERS ARE SO SMART . . .
A passing thought, completely unrelated to powerline networking: If
computers are so smart, how come 99 percent of the registration and
ordering forms I'm constantly filling out on the Web make me enter city,
state and ZIP code when they want my address? Why can't I just enter the
ZIP and let the machine look up the city and state?
**********************
Government Computer News
FHWA awards a tech services pact
By Preeti Vasishtha
GCN Staff
The Federal Highway Administration has awarded a 10-year, $175 million
contract to Indus Corp. to secure the agency's databases.
Under the Federal Highway Administration Information Technology Support
Services contract, Indus will also help the agency with its enterprise
architecture, network infrastructure, help desk, document management and
telecommunications services.
The Vienna, Va., company will lead a team of subcontractors that include
Centech Group Inc. of Arlington, Va.; PricewaterhouseCoopers LLP of New
York; Signal Corp. of Fairfax, Va.; and York Telecom of Eatontown, N.J.
*******************
Mercury News
Net the newest place to hawk stolen goods
ONLINE AUCTION BUYERS LEFT BURNED
By Mary Anne Ostrom
Mercury News
Sharon Cooney couldn't have been happier with the new WinBook laptop she
had bought on eBay -- until she learned it was stolen property. Today, the
Marin County woman is out $1,075, the victim of a Maryland seller who
allegedly unloaded $350,000 in hot goods through eBay.
The reach and anonymity of the Internet have helped turn online auctions
into the newest way to fence stolen property.
``There's no need for the pawnbroker. Internet auctions have suddenly
become a really easy way to fence stuff,'' said Frank Dudley Berry Jr., who
prosecutes high-tech crimes for the Santa Clara County District Attorney.
Perpetrators range from sophisticated Silicon Valley high-tech theft rings
that used eBay to fence up to $1 million in goods to a maid hawking a
digital camera snatched from her client's home.
Cases include Michigan teenagers auctioning off stolen high-school band
equipment and Marshall Field's window designers selling Judith Lieber
handbags and other luxury goods taken from the Chicago department store.
Executives of San Jose-based eBay said the sale of stolen goods on the
site, which typically has 7 million items offered, is ``a minor issue.''
Berry, the prosecutor, called eBay ``remarkably'' diligent in helping
authorities track down criminals. Other online auction sites, including
Yahoo, and specialized Internet bulletin boards are also used to sell
stolen goods, but most reported cases occur on eBay, which accounts for
about 80 percent of U.S. online auctions.
Although there's no public data on the number of stolen property auctions
on the Web, interviews with police and other investigators reveal how
criminals exploit the breadth and anonymity of online auctions to unload
stolen goods.
High-tech rings
EBay is also a good place for authorities and burglary victims to look for
purloined items. Silicon Valley companies now regularly scan online
auctions looking for missing equipment. ``We find something fairly often,''
said Mark Kerby, a private investigator for high-tech companies. ``But
whether we can make a case is something else.''
A tipster recently led police to an eBay seller of flash memory cards
stolen from Sunnyvale data storage company SanDisk by an employee. By the
time police got involved, the thief's accomplice had sold more than nearly
$210,000 worth of memory cards on eBay.
``EBay is a haven for fencing because it's easy to sell stolen property and
remain kind of anonymous,'' said James Healey, a member of REACT, a Bay
Area law enforcement group who went undercover to bid on the memory cards.
Sometimes Internet-savvy theft victims instinctively check eBay when they
find their property is missing.
After a golfer reported his stolen clubs were listed for auction on eBay,
the Norman, Okla., police joined the bidding, bought the clubs and solved
the mystery behind the region's rash of golf club thefts.
Brian Roberge, another victim, retrieved an old putter after the Norman
bust but his set of Callaway Big Bertha clubs disappeared in cyberspace.
``At $1,000, I can't afford to replace them,'' he said.
Unlike more common types of auction fraud that are typically reported to
authorities and auction sites, such as non-payment or failure to deliver
goods, the fact merchandise is stolen may only be known by the thief or an
accomplice.
``There is not much the consumer can do. It's next to impossible to tell if
something online is stolen,'' said Holly Anderson of the National Consumer
League, which helps track auction fraud for federal authorities. ``As we
always say, if the deal is too good to be true, it usually is.''
In Sharon Cooney's case, she meticulously researched the WinBook's fair
market value and spent a few weeks checking the eBay seller's feedback
ratings from other successful bidders. Reviews were glowing.
Her winning bid -- less than $200 below retail -- seemed fair. Three weeks
later, after calling WinBook about adding memory, the company, which had
noted the machine's serial number, informed her it was stolen.
``I guess I was the fool for trusting eBay,'' Cooney said.
After returning the machine to WinBook, she now hopes for restitution from
the Maryland seller. Most of the seller's loot came from a FedEx accomplice
who pilfered packages en route to delivery.
EBay executives called experiences like Cooney's ``not at all usual.''
Anti-fraud efforts
Law enforcement authorities say eBay runs sophisticated anti-fraud
operations and not only helps nab criminals but also will assist
prosecutors building legal cases by sending notices to other bidders who
may have bought stolen goods.
Legally, the courts have ruled eBay does not fall under auction-house
rules, exempting the company from liability over an item's authenticity,
value and origin. EBay insurance -- which typically covers buyers for
non-delivery -- does not cover purchases of stolen goods.
Rob Chesnut, a former prosecutor who is the company's deputy general
counsel, said eBay is among the most public of arenas and for that reason
is not a good place to unload stolen goods.
``If you're the bad guy, you want to be discreet and low key. You would use
a pawnshop or flea market, not a public site like eBay,'' he said.
Authorities with subpoenas and search warrants have access to virtually all
eBay trading records.
Yahoo director of auctions Brian Fitzgerald said fencing stolen goods is
``a not a significant problem.''
Yet, online auctions can offer more anonymity than other fencing methods.
Legitimate pawnbrokers, for example, must fingerprint people on whose
behalf they sell items. Police routinely patrol flea markets.
EBay admits it can be stumped by bogus seller registration information and
it is not uncommon for criminals to have several accounts to move large
amounts of merchandise surreptitiously.
The Santa Clara County DA's office recently prosecuted a former San
Francisco hotel worker who pleaded no contest to two counts of receiving
stolen property obtained in heists of high-tech companies.
Mitchell Li had eight different eBay accounts. At Li's recent trial, Frank
Berry showed the judge eBay records detailing how over 18 months Li
conducted 1,682 auctions for goods worth more than $1 million.
Li's attorney, Bernard Bray, said his client ``unfortunately may have come
into possession of some stolen goods, but he is not a thief.''
Recently, eBay has stepped up its anti-fraud activity. New initiatives
include forming a separate trust and security department, which will be run
by a former prosecutor with the U.S. attorney's office. It has also
installed fraud detection software designed to search for patterns that
might suggest illegal activity.
``Every day, there's $36 million in sales on eBay, and the great majority
of purchases are legitimate,'' said company spokesman Kevin Pursglove. ``If
anything makes the user suspect, do not hesitate to e-mail the seller and
ask for background information.''
********************
MSNBC
Long-lost password discovered
Norwegian history database cracked with help from the Web
By Robert Lemos
June 10 A Swedish game programmer won the race to discover the password to
a Norwegian history museum's database, the museum's director said Monday.
The password had been lost when the database's steward died without
revealing it.
OTTAR GREPSTAD, director of the Ivar Aasen Center for Language and
Culture, said in an interview that Joachim Eriksson, a programmer for
Swedish game company Snowcode, sent the correct password just five hours
after the museum's call for help. The center had posted the database file
on its Web site, asking for help in opening it.
"He used one hour to solve everything," Grepstad said. "It is a
story with a happy end."
Eriksson's e-mail the first received by the center not only had
the correct password, it also included the unencrypted files of the
database. Later submissions also had the correct password.
The database serves as a digital catalog to a collection of more
than 11,000 books and manuscripts, and the password "ladepujd" turned out
to be the backward spelling of the last name of the researcher who
assembled the collection.
The center had publicly requested aid from security experts on the
Web last week after its employees were unable to open the digital catalog,
obtained from the family of Reidar Djupedal after his death in 1989.
Djupedal was a professor and an expert on Ivar Aasen, an itinerant
Norwegian researcher who, in 1850, established a new language for Norway
that bridged all the country's dialects.
The New Norwegian, or Nynorsk, is spoken regularly by about 20
percent of the country and is the main language in Western Norway, where
nearly 25 percent of newspapers use it. The widely used Dano-Norwegian
language, or Bokmål, a written language based on Danish, makes up the other
80 percent, according to the center.
Nine years ago, an archivist transferred bibliographic information
on 11,000 of Djupedal's 14,000 titles to a database created with DBase III
and IV, but the archivist died before the collection and the catalog
reached the center, taking the password with him and leaving the catalog
inaccessible. Djupedal himself had died earlier.
"We have no known information from (the archivist) which can help
us solve the problem," the center lamented on the Web site, calling for
help from anyone who could break the encryption on the database or find the
password.
E-mail messages from more than 100 people began flooding the center
on Thursday afternoon after the organization's call for aid was picked up
by the media. The online request attracted a lot of attention and,
reportedly, even had some parapsychologists calling to offer aid.
Previously, the center had tried to get other Norwegian librarians
to help, and when that failed, hired professional computer technicians. "We
tried some expert help," said Grepstad, "but it turned out not to be so
expert."
That's when the center hit upon the idea of using the Web. After
posting the encrypted database on its site, the center had more than
400,000 hits.
It's unknown how Eriksson retrieved the password by decrypting the
database, using a flaw in the database's security to obtain access to the
data, or simply by guessing. Eriksson could not be immediately reached for
comment Monday.
************************
Government Executive
Proposed agency will focus more attention on cybersecurity
By Bara Vaida, National Journal's Technology Daily
Richard Clarke, special adviser to the president on cyberspace security,
said Monday that the proposed new Homeland Security Department would
increase the government's focus on cybersecurity.
Clarke said that the new Cabinet-level department would house the FBI's
National Infrastructure Protection Center, the Commerce Department's
Critical Infrastructure Assurance Office, the General Services
Administration's FedCIRC and the Defense Department's National
Communications System, hence increasing the cooperation among the agencies.
"It will concentrate our focus and result in better cooperation," Clarke
said at George Mason University's Networked Economy Summit.
He did not comment on whether the Office of Cyberspace Security, currently
located within White House offices, would be moved to the Homeland Security
Department.
Clarke also noted that the government continues to work on a strategy for
protecting the nation's critical infrastructure but said the date for
public release has slipped to late summer or mid-September. Originally, the
plan was to be released in mid-summer, around the same time as the release
of White House Homeland Security Director Tom Ridge's security plan. Ridge
released a part of that plan last week when President Bush announced the
plan for the new department.
The critical infrastructure plan will include input from the private
sector, including the academic community. Clarke said he met last week in
Seattle with 35 university officials and 150 faculty members to discuss
their role in protecting critical infrastructure.
The meeting also included discussion of the president's cyber corps
program, which provides scholarships for students to study cybersecurity.
Clarke said the 35 universities have agreed to provide cybersecurity
programs, and the 150 faculty members attending the Seattle meeting endured
"boot camp" training in how to teach cybersecurity.
Clarke also outlined other actions the government is taking to boost
cybersecurity. Because 85 percent to 95 percent of the Internet is operated
by the private sector, Clarke's staff has been meeting with boards of
corporations, insurance companies and auditors to underscore the importance
of cybersecurity. In addition, his staff has been meeting with information
technology customers to educate them on vulnerabilities in computer
software and hardware.
"We are asking these customers if they know about the security flaws and
asking them why they put up with that from the IT vendors," Clarke said.
He also said his staff is working on whether a non-government entity could
become an authority to certify security products so companies would have
better information on whether their products properly protect their
systems. "The biggest role the government can play is be a nudge" in
getting the private sector to focus on security, he said.
In addition, to improve government security, Clarke said the president has
asked for $5 billion in IT security products for government agencies in
fiscal 2003, and "it looks good" for Congress to pass legislation that
would authorize the spending.
********************
CNN
IBM reports storage breakthrough
'Millipede' similar to old punch cards
NEW YORK (AP) -- Researchers at IBM Corp. announced Tuesday the development
of an ultra-dense storage technology that resembles the old computer punch
cards -- except that the latest version shrinks the perforations to a
molecular scale.
The technology, developed under the code name "millipede," was conceived by
two scientists at IBM's Zurich research labs, who discussed the idea over
beer after the company's weekly soccer games, said Peter Vettiger, the
storage project's leader and one of those who conceived it.
The millipede lab prototypes can store as much as 20 times the data of the
magnetic storage media used in today's computers, cramming as much as 25
million printed textbook pages of data on a surface the size of a postage
stamp, the company said.
If IBM decides to manufacture millipede-based storage cards -- it has no
current plans to do so -- the storage could begin replacing the current
silicon-based flash memory cards in handheld computers and mobile phones by
the end of 2005, Vettiger predicted.
"We see these devices in the mobile arena, in the handheld arena," Vettiger
said. "There is strong desire for an increase in storage capacity, beyond
what flash memory can store. There is a requirement for low power, for
small size and for low cost."
Trillion pieces of data
IBM said the millipede devices can store one terabit, or a trillion pieces,
of data per square inch. The data are stored in tiny sheets of plastic
polymer film as tiny indentations just 10 nanometers, or millionths of a
millimeter, in diameter.
Unlike punch cards, the new devices are re-writeable, meaning they can be
erased and refilled over and over. Vettiger said IBM's tests have erased
and refilled them hundreds of thousands of times.
Although described as a relative to the primitive punch card, Vettiger said
the new memory technology is closer in design to the atomic force
microscope, invented in 1986 by millipede co-designer Gerd Binnig, the
Nobel prize winning co-inventor of the scanning-tunneling microscope.
Vettiger said the storage technology doesn't appear beset by the data
density limits of flash memory chips, and could cram 10 to 15 gigabytes of
data into a tiny format that would fit in a multifunctional wristwatch.
**************************
CNN
Flaw reported in IE browser
Microsoft says it is investigating the claim
REDMOND, Washington (AP) -- A security flaw in Microsoft's Internet
Explorer browser could allow a hacker to take control of a remote computer
if its user clicks a link to an outdated Internet protocol, a computer
security firm says.
Oy Online Solutions Ltd. of Finland said it notified Microsoft Corp. of the
security hole on May 20 but the software giant has yet to produce a
software patch to fix the problem, the Toronto Star reported Tuesday.
A Microsoft spokesman who refused to be identified said Tuesday that the
company is "moving forward on the investigation with all due speed" and
will take the action that best serves its customers.
The problem concerns Gopher, an Internet protocol that predates the World
Wide Web with pages like Web pages except that they are unable to store
audio and video content.
Although Gopher is considered an outdated format for Internet content, it
is still supported by Internet Explorer and most other browsers.
According to Oy Online, a hacker could take over a user's computer simply
by having the user click on a link to a "hostile Gopher site." That one
click would install and run any program the hacker chose on the victim's
computer, and the victim might never know.
"The program could, for example, delete information from the computer or
collect information and send it out from the computer," Oy Online said in a
release. "(It) could also install a so-called backdoor (program) that would
enable the hostile attacker to access the computer later."
Various versions vulnerable
All versions of Internet Explorer are believed to be vulnerable, the Star
reported.
Refusing to confirm the security flaw, the Microsoft spokesman said the
company "feel(s) strongly that speculating on the issue while the
investigation is in progress would be irresponsible and counterproductive
to our goal of protecting our customers' information."
And the spokesman added, "Responsible security researchers work with the
vendor of a suspected vulnerability issue to ensure that countermeasures
are developed before the issue is made public and customers are needlessly
put at risk."
After being embarrassed on an almost regular basis by security flaws in its
products -- including a debilitating problem found in its latest Windows XP
operating system just days after its release -- Microsoft began a
companywide training program on security issues earlier this year.
In January, Microsoft Chairman Bill Gates instructed employees to make
software security a top priority.
******************
Euromedia.net
Webcasters win one battle in war over internet radio
As the webcasting industry waits for the US Librarian of Congress's
decision on internet radio royalty rates, there are some signs that
Recording Industry Association of America (RIAA) is looking to
significantly change its original proposal to the benefit of webcasters.
One of the main issues still outstanding is what information webcasters
have to give about the music they play and how often they have to report it.
In early February, the US Copyright Office announced a set of reporting
requirements for webcasters that use copyrighted music that favored the
music industry and threatened to make it very difficult for webcasters.
The reporting requirements were called "Notice and Recordkeeping for Use of
Sound Recordings Under Statutory License."
They required webcasters to provide 18 pieces of information to copyright
holders for every song streamed, including such obscure information as the
"numeric designation of the place of the sound recording within the
program," "the ISRC code of the recording," and the UPC code and catalog
number of the retail album.
The Copyright Office requirements also included an RIAA request that many
thought was an invasion of privacy of the user.
Webcasters had to supply at least seven additional pieces of information,
including the date and time the user logged in and out of the stream, the
country and time zone of the listener, and a "unique user identifier." This
information had to be collected for every track, for every listener.
Tracking and reporting this information would have put a tremendous burden
on webcasters and would require significant cost and massive effort and
time to provide.
Webcasters claimed that they do not have access to much of that type of
information and many simply would not be able to comply. It was considered
to be another nail in the webcasters' coffin.
But in what can definitely be thought of as a step in the right direction
for webcasters, the Librarian of Congress has issued a statement saying
that these requirements are to be significantly reduced from 18 down to
five when officially announced with royalty rates on June 20.
All of the five required data points are readily available to the webcaster
and include: the name of the artist, the title of recording, the name of
the album if it's available, the recording's label if it's available, and
the number of times the recording is played during the reporting period.
Also of great benefit to the webcaster is how often the information is
required. The announcement indicated that the information would be required
on a sampling basis, that is, "for a certain period of time during each
calendar quarter." Copyright holders (such as record labels and artists)
had asked for "census" reporting (every song, every listener).
These are called "interim" reporting requirements. A vague time period of
"several months" was given for the announcement of the "final
requirements," which could include more comprehensive reporting.
************************
Sydney Morning Herald
New domain name regime to go live on July 1
auDA today announced that the new domain name regime for com.au, net.au,
asn.au, org.au and id.au will go live on July 1.
Final testing of the new registry, built by AusRegistry Pty Ltd, was
completed on 7 June 2002. Two independent reports (one from international
registry Liberty RMS) have provided auDA with confirmation that the
registry has been completed pursuant to the technical specification in the
Registry Licence Agreement.
The go live date has been set to ensure enough time for an orderly
transition of data from the existing registries and to allow the
provisionally accredited registrars to complete auDA's Registry-Registrar
interface test.
After a series of transition tests, actual data transition will take place
on the weekend of June 29 and 30. During this period the domain name space
will continue to operate normally but it will not be possible to register
new domain names or re-delegate domain name servers.
******************
Sydney Morning Herald
Boom to bust for domain name claims
By Nicole Manktelow
It's a population in decline. More domain names are expiring than are being
registered or renewed. Falling, too, is the perceived value of a prime
website address.
Despite efforts to reinvigorate the market, the big shrink is a growing
concern for the world's registration companies.
"The problem is decreased revenue to the registers," META Group analyst
John Brand says.
"As people recognise the value of a domain name is decreasing every day,
the value of the business is decreasing every day. So the question is where
does that leave them?
"People will work out (that) the ability to register a domain name is a
basic service."
Tom Valenta, investor relations adviser for Australian registrar Melbourne
IT, says the number of domain names has been shrinking for six months.
"In some areas, it has shrunk from the land rush that occurred during the
year 2000. Certainly since the September quarter, there has been a slowing
down."
The number of registered domain names reportedly doubled in 1999 and
tripled in 2000, but the domain name industry journal State of the Domain
reported the tally of .com, .net and .org names shrunk by 378,000 in March
alone. The publication estimates that in the previous six months, these
groups lost about 2.5 million names or 12.3 per cent.
Valenta says new domain variants such as .biz, .info and .name could help.
"They are growing at an encouraging pace. The new domains are helping -
.info is approaching nearly three-quarters of a million registrations, but
.name is still very small at about 68,000."
However, META Group's Brand disagrees, saying the appeal of the new domain
names is limited: "We advised our client base not to enter into that at
all," he says. "The value of a brand can be diluted by the number of sites
around it. What you need is something simple that stands out."
In the glory days of the domain name game, speculators grabbed domains
bearing brands and key words to auction to the highest bidder. Now, experts
believe a "prime" domain name is becoming less important.
"As search engines and location services have improved, the reliability of
search has lessened the relevance of a domain name," Brand says. "All
that's really necessary is one domain with a strong brand - one strong
entry point."
Companies that once bought many variations of a name are now streamlining
their portfolios. Scalpers are letting some of their stock expire, and for
others, what seemed like a good idea at the time is now hardly worth the
renewal fee.
Melbourne IT gets about 58 per cent of its revenue from outside Australia
and is the fourth-largest registrar of domains in the world, yet it has
suffered less than its American counterparts. Valenta says Melbourne IT has
fewer "totally speculative" names because of stricter registration policies.
Like others in the industry, Melbourne IT is hopeful that the declining
number of names is a market correction, the natural death of opportunistic
names registered in the boom.
Brand says speculators were the first group to start shrinking.
"A lot of them bought huge numbers of domains and are now letting them
lapse," he says. "I know an Australian company that was offered a variation
of their brand name in a .com. The initial asking price was $5 million.
They took it as a joke. The next offer was $80,000. Eventually, the name
was allowed to lapse and the company bought it for $250."
But while some generic names remain prime property, few if any can hope to
be sold for record-breaking prices.
"Anyone paying anything more than $50,000 is paying too much," Brand says.
Many companies have stopped registering variations of their brands to
thwart imposters or exert some control over their online publicity, he
says. "They have realised that people still say what they want to. Just
having the domain name is no protection," he says.
Brand says that names bought for personal ego or reasons of poor strategy
are also likely to be on the expiry pile.
"A lot of domains were bought for new products that were supposed to
revolutionise the world - and didn't."
********************
New Zealand Herald
Govt gives free software a run
By RICHARD WOOD
The e-government unit of the State Services Commission has surprised the
Open Source community by implementing Open Source directory software in one
of its projects.
Directory software holds the basic identity information to verify a
computer user's identity.
Open Source software is developed co-operatively by individuals and
businesses around the world and provided free for use, to modify and
redistribute.
Open Source will also get a look-in against competing vendors' products
when the e-government unit considers which software to use for
authenticating business and public access to Government services online.
NZ Open Source Society spokesman Peter Harrison said Open Source usually
missed out on Government deals because the software did not have an
associated vendor to respond to requests for information.
"I'm impressed that some of these Government departments are looking beyond
vendors," said Harrison. "The Government purchasing guidelines do not
specify looking at Open Source."
The e-government unit supports the email side of the Government's Secure
Electronic Environment (SEE) system for interdepartmental communication.
Program architect Brendan Kelly said the SEE Mail project required a
directory so agencies could find who was using the secure email service.
OpenLDAP, the software being used by the commission, has been tested
running on Open Source operating system Red Hat 7.1 Linux.
An e-government online report said the unit was "very impressed with the
stability, consistency and reliability of the product", but OpenLDAP is
mentioned only as a stopgap measure.
The report said an Open Source directory presented a "viable starting point
deferring the need to select a particular directory vendor, allowing
valuable experience to be gained in the implementation and usage of a
directory for minimal outlay."
Kelly said OpenLDAP was a viable option for further use within the Government.
Unit head Brendan Boyle said the e-government unit considered Open Source
software every time it needed a solution.
He said looking at Open Source was not just about cost.
"Cost would be an implication obviously, but the bottom line is that
whatever we do has to meet the need."
Kelly said the use of OpenLDAP was not intended to replace any existing
Government department's directories and the unit had consulted major
vendors to ensure the system was inter-operable.
"In developing the policy we worked with Microsoft, Novell and Solnet to
cover the major flavours of types of directories," he said.
"All three vendors were confident it would not cause them problems." "
Boyle said the expertise gained from using OpenLDAP would also be useful
for the wider authentication system that would be required for
government-to-business and government-to-citizen systems.
That is a deal all the major directory vendors will be wanting to win.
Peter Revell, country manager of one such vendor, Novell, said he was not
familiar with OpenLDAP capabilities but it had not been a serious challenger.
"In the debates and strategic thinking with [our] customers regarding meta
directory strategies and identity management, OpenLDAP is not on the radar
screen at all."
The Inland Revenue Department has Novell software providing authentication
for 16,000 employers. That deal was talked about last year as being able to
be extended to the general taxpayer.
Boyle said that although having one directory for public access was the
most efficient, any arrangement was more likely to involve a number of
directories due to privacy considerations.
S.E.E. Directory: Paper 1 - Viability of open source options in the
directory space, see
http://www.e-government.govt.nz/docs/see-directory-paper-1/
*******************
New Zealand Herald
Russians create 3D power map
By RICHARD WOOD
Transpower is one year into a long-term project to survey its power lines
nationwide and turn the results into a three-dimensional computer model.
A Russian company is using a laser system that measures the location of the
lines in three dimensions from a helicopter.
The system monitors the reflection off the wire at 50,000 times a second
and combines that data with information from a highly sensitive gyro
stabilisation and satellite positioning package in the helicopter.
The result, once processed in Russia, is a computer-aided design file
modelling the power lines in 3D.
Transpower uses the information to identify the height of wires above
ground. The more power sent down a line, the more it heats and sags.
But there is a maximum limit a line is allowed to sag for public safety
reasons.
Transpower's general manager, service delivery, Kieran Devine, said the
company used sensing equipment to measure wind speed, air temperature,
solar radiation at its substations and other sites as required.
"Out of that we do a calculation which tells us what the maximum sag on the
line will be and that tells us either the capacity we've got left in it or
that we are over capacity," he said.
"As we get more experienced, we may put measuring gear at specific sites
midway on the line.
"If we have a particularly tight line with a known constriction, we can put
the measuring gear right at the point and therefore run it a bit closer to
the limit."
The whole project could take three or four years to complete as the company
works through the network.
The first benefit is that Transpower will be able to identify where it is
cost-effective to make physical changes such as tightening lines to lift
them higher.
The ultimate goal is a "variable line rating" system, whereby the rated
capacity that each line can handle can be adjusted frequently depending on
environmental factors.
At present, lines simply have a summer and winter rating. Some critical
lines could ultimately have a rating that changes every 10 minutes,
maximising their throughput when required.
This system will use high-tech, point-to-point radio systems which are
being produced by Wellington firm 4RF.
*********************
Sydney Morning Herald
Opening the Open Source debate - II
By David F. Skoll
The Alexis de Tocqueville Institution (AdTI) has finally published its
white paper entitled "Opening the Open Source Debate". My earlier comments
were based on media reports and e-mail correspondence with the paper's
author. This document was written after I read the actual white paper. (The
original link seems not to work; I managed to grab a copy of the paper
before AdTI pulled it. This link may work.)
The AdTI's very weak and poorly-researched paper opens no debate. It simply
confirms that Microsoft paid AdTI to come up with something - anything - to
stem the growing adoption of open-source (especially GPL'd) software by
business and government.
Let's take a look at the paper in detail.
I. In the Beginning
Section I, "In the Beginning", gives an overview of proprietary vs. free
software. It's reasonably accurate, although the author is given to rather
ludicrous depictions of source code as a "secret formula" and a "map to a
buried treasure."
II. GPL Open Source The Gift That Keeps Taking
Section II is where Microsoft vents its anger. Take a look at this gem:
The GPL is one of the most uniquely restrictive product agreements in the
technology industry.
Why does Microsoft... excuse me, the AdTI... say that? They say that because:
The GPL requires that if its source code is used in any type of software
product (commercial or non-commercial) for any reason, then the entire new
product (also known as the derivative) becomes subject to terms of the GPL
open source agreement.
This is not quite true; if you do not distribute your derived product, then
you do not need to distribute the source code. But for the most part, the
statement is accurate.
But so what? Suppose you derive a product from Microsoft Windows or some
other proprietary code. Then you are breaking all kinds of license
agreements. Furthermore, proprietary vendors would demand and get the
rights to your derived product, leaving you with nothing.
The GPL is no more restrictive than the most liberal of proprietary
licenses, and a good deal less restrictive than most. So Microsoft's...
excuse me, the AdTI's... complaints are groundless.
Another quote:
David Wheeler, publisher and expert in Washington on open source and
proprietary source comments, without licensing the source code in a
multi-license format, (referring to other more permissive licenses), it is
impossible for GPL to work for a proprietary business model.
Perhaps the AdTI misses the point. GPL advocates do not care if GPL'd
software can be made to work in a proprietary business model. It's not our
problem. There's no God-given right for proprietary software vendors to
make money; they have to compete. And if the rules of the marketplace
suddenly change and make it difficult for them, well - tough. Adapt or die.
Don't moan.
III. The Myth of a Public Software Community
Section III attempts to debunk the "myth" of a public software community.
The AdTI hints that open-source advocates abandon their principles when
they smell money:
Widespread support for GPL open source lies in the IT community's
frustration with competitive, closed proprietary software. But in fact, it
is quite common that programmers experiment with open source until they see
an opportunity to capitalize on an idea, then embrace proprietary
standards. One could joke that open source has been a bridesmaid but never
a bride. The story of the web browser is an example of this reality.
AdTI uses the story of Netscape "killing" the open-source Mosaic. Well,
Mosaic was never GPL'd. If it had been, Netscape would have been unable to
kill it. Furthermore, AdTI says of Mosaic:
Through a commercial partner, Spyglass, NCSA began widely licensing Mosaic
to computer companies including IBM, DEC, AT&T, and NEC.
Conspicuously absent from AdTI's list is another licensee: Microsoft. Yes,
Spyglass's browser formed the basis for Internet Explorer. And revealed
here is Microsoft's reason to fear the GPL: It cannot make use of the work
of thousands of dedicated programmers for free, locking the work up in a
proprietary product. It did that with early versions of its TCP/IP stack,
derived from the Berkeley stack. But as more free software is GPL'd,
Microsoft's cherry-picking opportunities diminish. Isn't it sad?
The AdTI never quite gets around to saying why the open-source community is
a "myth". Apparently, the hundreds of collaborators who gave the world the
Linux kernel are mythical. Perhaps the outstanding KDE desktop environment
was written by unicorns. And one supposes that GNOME, another outstanding
desktop environment, was produced by, well, gnomes. Apache - it's a myth.
PHP - doesn't exist. Mozilla - pshaw.
Even in my own modest software development, I've had contributions from
dozens of people around the world to my software packages. I've had
suggestions, fixes, enhancements and pieces of wisdom donated to me which
would never have happened in a proprietary development environment.
IV. The Government and the GPL
This is where politicking gets into high gear.
However, the use of the GPL has the potential to radically alter a very
successful model for partnership, particularly when most large commercial
entities do not readily embrace the GPL.
Once again, the white paper is worried about "large commercial entities."
Well, some large commercial entities like HP/Compaq, IBM, Dell and Sun are
quite willing to use, produce and/or distribute GPL'd software. To those
large commercial entities who wish to stop GPL'd software, I say: "Tough.
Adapt or die."
Needless to say, the government could not depend on patches for software
glitches to wander in from the public. Likewise, the government could only
use open source code that it could independently service in case of an
emergency. Agencies without extensive staff to maintain its internal
operations cannot afford to use hapless and untested software without
accountability, warranties or liability.
This is a complete red herring. Patches don't "wander in" from the public
for open-source products. Rather, they come straight from the authors, or
sometimes from distributors such as Red Hat. Furthermore, they tend to come
in with a lot more alacrity than fixes from commercial vendors.
With open-source, the government at least has an option to be able to
"independently service" the software in case of emergency. With proprietary
software, the government does not even have this choice. Therefore, the
AdTI's objections on this ground are spurious.
Another consideration for the U.S. government is that all source code
developed under the GPL could have mirrored availability to the public.
This poses unlimited security issues.
AdTI loves this refrain, but has yet to prove it. In my other article, I
debunked the myth that source code availability necessarily introduces
security issues, and demonstrated that in fact, it can often enhance
security. I was interviewed by AdTI for my opinions on the matter; they
neglected to include my comments in the paper.
For example, if the Federal Aviation Agency were to develop an application
(derived from open source) which controlled 747 flight patterns, a number
of issues easily become national security questions such as: Would it be
prudent for the FAA to use software that thousands of unknown programmers
have intimate knowledge of for something this critical? Could the FAA take
the chance that these unknown programmers have not shared the source code
accidentally with the wrong parties? Would the FAA's decision to use
software in the public domain invite computer hackers more readily than
proprietary products?
Again, a ludicrous example. No-one simply sits down and "develops" such an
application by starting with free software. Even if the FAA did develop an
open-source flight-control application, AdTI has not demonstrated at all
that it would have significantly-different security issues than a
closed-source one. Sure, AdTI asks a bunch of rhetorical questions. But
that's not how one conducts a logical argument. So let's answer the
rhetorical questions with some of our own:
Would it be prudent for the FAA to use software that thousands of unknown
programmers have intimate knowledge of for something this critical?
Is it prudent for any federal agency to use Microsoft software, given that
it is a matter of public record that Russian hackers illegally broke into
Microsoft's network and had access to source code? Is it prudent for any
federal agency to use software which is not freely-available for peer
review? Is it prudent for any federal agency to take the word of a
proprietary vendor that its software is secure, given that the vendor is
attempting to make a sale?
Could the FAA take the chance that these unknown programmers have not
shared the source code accidentally with the wrong parties?
Will the FAA ban the use of Microsoft software, given that it is a
certainty that Microsoft source code has been shared "accidentally with the
wrong parties"?
Would the FAA's decision to use software in the public domain invite
computer hackers more readily than proprietary products?
Will the AdTI comment on why proprietary Web servers seem to be cracked far
more often than open-source ones, even though they have smaller market share?
Reverse Engineering
Experts differ on whether the primary focus for security should source code
or binary code. Andrew Sibre, a programmer with over twenty years of
experiences insists, "Having a license for binaries only gives you a black
box : you don't know what it's doing, or how, unless you want to go insane
trying to reverse-engineer it with a debugger (illegal under the term of
most licenses)" Having the source lets you see what it's doing, how it does
it, and permits you to modify it to meet your particular requirements
(including security related ones). To this extent, government officials
should be concerned that threat may not just be an adversary cracking their
system, but inadvertently educating adversaries about their security
systems. Sibre continues, "Depending on code without the source is quite
similar to depending on a complex mechanical or electronic system without
the benefit of shop and parts manuals."
Naturally, having access to source code eases reverse-engineering. However,
the vast majority of security exploits are found without access to the
source code. As I wrote to Ken Brown, the author of the report:
The entire premise of computer security and encryption is as follows:
A security system must be resistant to attack *even if* the attacker has
all the details about how it works. I refer you to:
"Applied Cryptography", Bruce Schneier, John Wiley and Sons, Inc, page 3:
"All of the security in these algorithms is based on the key (or keys);
none is based in the details of the algorithm. This means that the
algorithm can be published and analyzed. Products using the algorithm can
be mass-produced. It doesn't matter if an eavesdropper knows your
algorithm; if she doesn't know your particular key, she can't read your
messages."
I refer you also to:
"Practical UNIX and Internet Security", Simson Garfinkel and Gene Spafford,
O'Reilly and Associates, pages 40-45:
"... This is especially true if you should find yourself basing your
security on the fact that something technical is unknown to your attackers.
This concept can even hurt your security."
I refer you to an Internet draft on security through obscurity:
http://www.ietf.org/internet-drafts/draft-ymbk-obscurity-00.txt
A few more links on why security through obscurity does not work:
http://www.zdnet.com.au/developer/standards/story/0,2000011499,20265619,00.htm
http://www.treachery.net/~jdyson/toorcon2001/
http://www.counterpane.com/crypto-gram-0205.html
http://online.securityfocus.com/columnists/80
http://www.vnunet.com/Analysis/1126488
Is Reverse-Engineering That Hard?
Before I started Roaring Penguin Software Inc., I worked at Chipworks, a
company which does reverse-engineering for a living. From first-hand
experience, I know that hardware and software security can be broken more
easily than most vendors believe, and much more cheaply, too.
Back-Doors
Ken Brown raises the old back-door bogeyman:
Another security concern is that the primary distribution channel for GPL
open source is the Internet. As opposed to proprietary vendors, open source
is freely downloaded. However, software in the public domain could contain
a critical problem, a backdoor or worse, a dangerous virus.
The following material is taken straight from my other article, where I
already covered the back-door issue:
In fact, there have been some trojans placed in open-source software. They
have usually been discovered and neutralized very quickly. By contrast,
closed-source products have a sad history of spyware, "Easter eggs", and
questionable material, placed by people who have (presumably) been
"screened." In fact, one of Microsoft's own security updates was infected
with a virus, something which (to my knowledge) has never happened in the
open-source world.
An interesting back-door was one in Borland's closed-source Interbase
product. This back-door lay undetected for years, but was revealed within
weeks of the product being open-sourced.
And another interesting little "easter egg" is on the AdTI's very own Web
site.
Questionable material in Microsoft software may have helped spur a Peruvian
bill to promote free software in government. The author of the bill says
that open-source software provides a better guarantee of "security of the
State and citizens" than proprietary software, an analysis which is 180
degrees out of phase with the AdTI Study.
The real "victims" of the GPL
The government's productive alliance with private enterprise is also
relevant particularly when its decision to use GPL source code would
inherently turn away many of its traditional partners. Security, as well as
other impracticalities make GPL open source very unattractive to companies
concerned about intellectual property rights. In effect, the government's
use of GPL source code could inevitably shut out the intellectual property
based sector.
The Government must choose software to maximize national security and
minimize government expenditure. It owes absolutely nothing to the
"IP-based sector" or any other corporation. What was it I said before? Oh,
yes: "Tough. Adapt or die."
This has a number of ramifications. Immediately, it would limit the number
of qualified vendors to choose from to deliver products.
Tough. Adapt or die.
The GPL's wording also prevents the equal use of software by members of the
IP community and the GPL open source community.
This is a lie. If the "IP community" (whatever that is) respects the terms
and conditions of the GPL, it's as free as anyone else to use and
distribute GPL'd software. If it doesn't like the terms of the GPL, that's
the "IP community's" problem, not the GPL's problem.
A worse consideration is that use of GPL could inadvertently create legal
problems. IP community members could argue that the government's choice of
open source is restrictive and excludes taxpaying firms from
taxpayer-funded projects. Adverse impact would include a discontinued flow
of technology transfer from government-funded research to the technology
sector. Without value, it becomes highly likely that government funding for
research would slow as well.
Here, AdTI is delivering a veiled threat on behalf of Microsoft. First of
all, if "IP community members" could argue that, they already would have.
They have not made the argument because they know it is specious. In fact,
there's a very good argument for requiring the fruits of government-funded
research to be GPL'd so that all citizens can benefit.
Furthermore, the "IP community members" have benefited from government
research as much as (or more than) government has benefited from private
research. So to pull out of government partnerships out of pique over
software licensing would only hurt proprietary vendors and no-one else. V.
Intellectual Property Left
This is a rewording of "Free Software is Communism" and merits about the
same amount of serious attention.
U.S. intellectual property (IP) statutes have been a beacon for inventors
around the world. The U.S. model for motivating, compensating and
protecting innovators has been successful for almost 200 years. GPL source
code directly competes with the intellectual property restrictions, thus it
is vital to analyze its impact.
The GPL does not in any way "compete" with U.S. copyright law. It uses U.S.
copyright law in a perfectly legitimate and reasonable way.
There are two groups of programmers that contribute to the open source
community. The first group consists of professionally hired programmers by
day, who freely contribute code. The second group consists of original
equipment manufacturers (OEMs) that are hiring open source programmers for
their products. However, open source principally perpetuates itself because
there is an avid pool of experts and enthusiasts willing to spend their
spare time to provide fixes and modifications to open-source software. This
volunteer system works well as an academic model, but not as a business one.
Who cares about business models? We have Linux, Apache, Mozilla, Gnome,
KDE, Perl, Python, PHP, FreeBSD, OpenBSD, NetBSD, and so on in spite of the
supposed lack of a business model. What we see here is more whining from
proprietary vendors about how free software is hurting their business
model. Let's hear the refrain: "Tough. Adapt or die."
As mentioned earlier, open source code is not guaranteed nor does it come
with a warranty.
Neither does most proprietary software, so this is a red herring. If you
want a warranty, most open-source vendors will be happy to provide one if
you pay for it.
Open source products are often distributed without manuals, instructions or
technical information. While a commercial developer is obligated to produce
manuals, diagrams and information detailing the functionality of their
products, open source programmers are not. In addition, open source
developers cannot be expected to create software manuals with the vigor of
private firms that are obligated to produce them. Producing technical
specifications (in soft or hard copy format) is time-intensive and
expensive. But this is not just a customer service issue.
Some open-source software comes with poor documentation, just like some
proprietary software. Other free software comes with excellent
documentation. It's a matter of customer choice: Choose software that has
what you need.
All of my free software products come with complete manual pages. Most
serious developers do not consider software finished until the manuals are
finished.
Innumerable questions surround the distribution of technical information in
the copyleft environment, particularly because the Free Software Foundation
has a copyleft license for its documentation as well. Issues include: Who
should have the right to alter software manuals? Who is the final editor or
is there one? How should changes be regulated? Are manuals copyright
protected documents? What is the process for making changes? What body
regulates these changes? How can organizations guarantee that information
in manuals is always accurate?
More rhetorical questions. With proprietary software, if the manuals are
inaccurate, you're out of luck. With free software, you at least have a
chance to correct them.
Again, we see the unease of the proprietary vendors who want bodies to
"regulate" changes. They are unable to wrap their minds around the new
reality of free software. Rather than changing their ways, they dig in
their heels. They may need another reminder: Tough. Adapt or die.
Today, software impacts a firm's financial health in an intimate fashion.
It becomes unrealistic for a firm to depend too much on the trust of an
anonymous community that does not have anything at stake financially to
keep important technical documents current.
On the contrary, it is imperative that businesses rely solely on free
software for access to critical information. Only in this way can they
guarantee access to their data, and not be held hostage by proprietary file
formats and proprietary vendors. To quote Dr. Edgar David Villanueva Nunez,
a Peruvian legislator:
To guarantee the free access of citizens to public information, it is
indispensable that the encoding of data is not tied to a single provider.
The use of standard and open formats gives a guarantee of this free access,
if necessary through the creation of compatible free software.
To guarantee the permanence of public data, it is necessary that the
usability and maintenance of the software does not depend on the goodwill
of the suppliers, or on the monopoly conditions imposed by them. For this
reason the State needs systems the development of which can be guaranteed
due to the availability of the source code.
To guarantee national security or the security of the State, it is
indispensable to be able to rely on systems without elements which allow
control from a distance or the undesired transmission of information to
third parties. Systems with source code freely accessible to the public are
required to allow their inspection by the State itself, by the citizens,
and by a large number of independent experts throughout the world. Our
proposal brings further security, since the knowledge of the source code
will eliminate the growing number of programs with *spy code*.
In the same way, our proposal strengthens the security of the citizens,
both in their role as legitimate owners of information managed by the
state, and in their role as consumers. In this second case, by allowing the
growth of a widespread availability of free software not containing *spy
code* able to put at risk privacy and individual freedoms.
In fact, Villanueva's eloquent and well-written letter handily demolishes
most of AdTI's premises and conclusions; it's well worth a read.
More on Reverse Engineering
The reliance on reverse engineering is probably one of the biggest
conflicts between the IP and the GPL open source community. To keep GPL
products relevant and up to date, GPL enthusiasts must perpetually reverse
engineer intellectual property.
Reverse-engineering is required only if hardware manufacturers keep the
details of their software/hardware interfaces secret. The vast majority of
hardware manufacturers do not keep them secret. Some which do keep them
secret provide (binary-only) drivers for free software systems.
Reverse-engineering is necessary only for the small minority of hardware
devices which are secret.
Reverse engineering has a number of implications. It harbors very close to
IP infringement because and has staggering economic implications.
Reverse-engineering is perfectly legal. In fact, the European Union has a
law guaranteeing the legality of reverse-engineering for the purpose of
creating compatible software or devices. AdTI implies that
reverse-engineering is "close to IP infringement", but they never say why
(and their sentence doesn't even parse.)
If software is freely re-engineered, it will inevitably impact the value of
software on the market. If the price of software is adversely impacted,
salaries and inevitably employment of software programmers would be
negatively affected as well.
This is correct. If software is freely re-engineered, it destroys
monopolies and brings back a sense of free market to the industry. Yes,
software prices go down. And yes, consumers benefit.
The whole paragraph is simply a thinly-hidden Microsoft lament about the
success of products like Samba which enable companies to run
Microsoft-compatible file sharing without exorbitant Microsoft licensing
fees. VI. Is the GPL Cost-Beneficial?
This is a restatement of the tired old "TCO" straw-man.
Discussing the economic implications of open source, Andre Carter,
President of Irimi Corporation, a technology consulting firm in Washington
comments, "The question of open source code is about whether the software
developer wants to make available to the world the blueprint of what they
built or simply the benefits of what they built. The notion of open source
software has nothing to do with free software. The purchase price of
computer software is only a fraction of the total cost of ownership. So
even if the price tag reads free , it can end up being more expensive than
software you buy. This is especially true for the typical consumer. If it
requires technical know-how to operate, doesn't offer built-in support, and
demands constant attention, it won't feel free for very long."
Lot's of "if's" and weasel-words in there. If it requires technical
know-how to operate, etc, etc. Nowhere does Carter say that free software
does in fact require any more technical know-how than proprietary software.
Furthermore, proprietary software often has hidden costs which can come
back later to haunt you.
The success of an A-Z open source environment would expectedly impact the
software sector as a viable entity. If software is freely available, but PC
s, servers and hardware maintain their value, we can only predict that the
value of software companies will plummet. Hardware will come with more and
more free software. Second, we can only expect that the revenues and value
of the software sector will transfer to the hardware sector. Although the
software sector has seen growth almost every year, it is questionable
whether the GPL model will enable the software industry to continue its
exceptional growth particularly when the growth in the software sector is
tied to proprietary products, something the GPL is anxious to eliminate.
In the 1800s, black-smithing was a pretty good profession. In the 1960s and
1970s, 8-track tapes did a pretty good business. The fact is that the
black-smith industry and the 8-track tape industry failed to heed the iron
rule of the market: Adapt or die. If free software means the death of
proprietary software vendors, it will be on those vendors heads who fail to
adapt.
Businesses must be concerned about the perception of the GPL. For example,
experts assess the value of intellectual property when completing
valuations of firms. Because GPL open source literally erases the
proprietary and trade secret value of software, it can be expected that
firms concerned about valuations will be very concerned about using GPL
open source.
This is only of concern to firms producing software. The vast majority of
firms consume software, and for them, in-house software production is a
cost, not a revenue source. For the vast majority of firms, free software
will save them lots of money. For those few firms planning on building a
business model around proprietary software, I offer my old refrain: Adapt
or die. What's good for proprietary software vendors is not necessarily
good for the citizen.
There are all types of consumers with ranges of needs and abilities. The
guys in the lab at MIT don't need install wizards, plug and play drivers,
voice based technical support and big picture manuals as part of their
software. However, the elderly couple e-mailing their grandkids or the
mother of two managing accounts on a PC in the kitchen does.
Carter clearly has a stereotyped view of consumers. My elderly parents, who
enjoy e-mailing their grandkids, use only free software. They are quite
happy to use Linux and Netscape. Furthermore, the choice of free software
eases my support burden: If my parents need help, I can SSH into their
machine and fix it remotely. With all of Microsoft's "wizards" and other
gimmicks, they still do not provide a convenient means for remote
administration on their consumer-level systems.
People believe free software is hard to use because they've never used it.
Just as the AdTI showed that people who've actually worked with MCSEs have
a higher opinion of them than people who haven't, people who've actually
bothered to use free software have a higher opinion of it than people who
haven't.
VII. GPL Open Source and the Courts
Once GPL code is combined with another type of source code, the entire
product is GPL. Subsequently, this change could occur deliberately, but it
could also occur accidentally. There are unlimited scenarios for accidents
to occur, the license could be lost in the source code's distribution, or
maybe unreadable due to a glitch in its electronic distribution. Another
potentially litigious issue is whether the use of GPL tools used to
manipulate code subject software to the GPL. Theoretically, a GPL tool
could subject new software to GPL restrictions. This too will have to be
interpreted by a judge. Regardless, unknowing users of GPL might have one
intention for use of the license and find out later that it inadvertently
infringed upon copyright protected work. Legal questions relevant to such
an event intersect the legal arenas of intellectual property rights,
contract law and liability.
AdTI is very good at offering up red herrings. Let's suppose you
"accidentally" included part of Microsoft Windows in a product. Do you
suppose Microsoft would be easier on you than copyright holders of a GPL'd
product?
The fact is that any software license has terms and conditions which must
be obeyed. The GPL is no different; if you do not like its terms, don't use
GPL'd software. Microsoft's agenda is transparent here.
The proprietary software industry entreats you to diligently track
licenses, and offers harsh retribution against those who violate their
licenses. Most GPL violations are settled amicably, and those which result
from an accident are usually settled merely by removing the offending code
from distribution.
The rest of Section VII is simply speculation and not even worth commenting
on. VIII Conclusion
Open source as a development model is helpful to the software industry. For
example, software distributed under the BSD license is very popular. The
BSD license (see Appendix 9) enables companies, independent developers and
the academic community to fluidly exchange software source code.
English translation: The BSD license is good because it allows corporations
to benefit from other people's work without offering them any compensation,
and without having to allow third parties to benefit from derived work.
The GPL's resistance to commonplace exchange of open source and proprietary
has the potential to negatively impact the research and development budgets
of companies.
English translation: The GPL doesn't let corporations benefit for free from
others' work.
The GPL has many risks, but the greatest is its threat to the cooperation
between different parties who collaborate and create new technologies.
Today, government, commercial enterprise, academicians, etc. have a system
to converge. Conversely, the GPL represents divergence; proposing to remove
the current infrastructure of intellectual property rights, enforceable
protection and economic incentive.
English translation: The GPL threatens Microsoft's business model. You know
my response by now: Tough. Adapt or die.
While GPL advocates are quite active in their promotion of copyleft, few
would disagree that its widespread adoption would present a radical change
to an industry sector responsible for almost 350 billion dollars in sales
annually worldwide (see Appendix 10).
Few would disagree that the automobile all but wiped out blacksmithing as a
profession. Few could argue that cassettes didn't decimate the 8-track
market. Few would be surprised at my response: Tough. Adapt or die.
AdTI's Numbered Points and my Counterpoints
1- Engineering software has become considerably complicated and rigorous.
It is not unusual for software to include millions of lines of source code.
If the incentive to develop software is changed, we can subsequently expect
the quality and efficiency of software to change.
Yes, with luck, we'd expect the quality to improve. The security records of
systems like OpenBSD, Linux, and FreeBSD are vastly superior to that of
Windows. While there is no real cause-and-effect relationship, empirical
evidence suggests that open-source software is more reliable and of higher
quality than most commercial-grade proprietary software.
2- There remains considerable differences within the GPL open source
community. It is questionable whether these groups will continue to be
proponents of the GPL in its current form or opt for changes in the
immediate future.
Even if true, this point is irrelevant. Once software has been licensed
under the GPL, the license cannot be retracted. Your rights cannot be
withdrawn retroactively (unless you violate the license), unlike some
proprietary software licenses.
3- Open source has successfully been used in proprietary software. In
addition, academic and government projects have been successful
particularly because of commercial interest. Private enterprise offers
unique efficiencies for the success of government funded research.
Simply another attack on the GPL. Nothing worth reading; let's move on.
4- Open source GPL use by government agencies could easily become a
national security concern. Government use of software in the public domain
is exceptionally risky.
A bold assertion, and totally unproven. This assertion is contradicted by
empirical evidence. Also, the NSA seems quite comfortable with the security
of GPL'd software.
5- Reverse engineering, perpetuated by GPL proponents, threatens not only
the owners of intellectual property, but also the software industry itself.
This is an out-and-out lie. Reverse-engineering is critical for the
continuation of a healthy software industry. Without legitimate
reverse-engineering, there would be no market forces to oppose the
development and maintenance of monopolies, and the software market would
become even more unfair than it is today.
Attempts to ban reverse-engineering are simply money-grabs by greedy
monopolies who wish to hang on to their power.
6- Use of GPL open source creates a number of economic concerns for firms.
For example, the valuation of a software company could be significantly
effected if it uses source code licensed under the GPL for the development
of its products.
If that is of concern (and it is not for the vast majority of
corporations), then the corporation is perfectly free not to use GPL'd
software.
Using proprietary software for development of products can also
significantly lower a company's valuation, especially if the owner of the
original proprietary software demands royalties or part-ownership of the
resulting IP.
7- The courts have yet to weigh in on the General Public License. Without
legal interpretation, the use of the GPL could be perilous to users in a
number of scenarios.
If corporations have concerns about legal interpretations of the GPL, they
should consult qualified lawyers. IBM, for example, has a massive and
top-notch legal team, and they seem to have no qualms about using, creating
and distributing GPL'd software. If the AdTI would give us concrete
examples of legal concerns, we could discuss them, but as it is, all we are
given is conjecture, hand-waving and supposition. Roaring Penguin's
Conclusions
The AdTI claimed that the GPL is "acquisitive", yet fails to note that even
the most liberal of proprietary licenses is far more restrictive and places
far more encumbrances on derived products than the GPL (if, in fact, it
even permits derived products in the first place.)
The AdTI says that the free software community is a "myth", but fails to
explain the tens of millions of lines of high-quality code produced by this
mythical community.
The AdTI promised to show how using GPL'd software could threaten security,
but failed to deliver. Rather, Microsoft's own Jim Allchin admitted under
oath that flaws in Microsoft software, if disclosed, could endanger
national security.
The AdTI claims that free software damages members of the "IP community"
(by which it means proprietary software vendors), but then fails to show
how such damage occurs. Even if free software does damage proprietary
software vendors, AdTI fails to show why that is a bad thing for citizens
in general.
AdTI raises the hoary old "Total Cost of Ownership" issue, but does not
demonstrate that proprietary software is more cost effective. AdTI ignores
studies like the one from CyberSource or even Roaring Penguin's own case
studies in Free Software in the Real World.
The entire AdTI study is a commercial funded by Microsoft, whose sole aim
is to counter the growing adoption of GPL'd software. The report contains
nothing constructive or useful. It is a sham.
Link to the article
http://www.smh.com.au/articles/2002/06/11/1022982836568.html
Link to Open the Open Source debate - I
http://www.smh.com.au/articles/2002/06/10/1022982813264.html
Alexis de Tocqueville Institution white paper on Open Source Software
http://www.adti.net/html_files/defense/opensource_whitepaper.pdf
********************
Wired News
Browsing Around for New Targets
Jeffrey Zeldman and the Web Standards Project are back with a wake-up call
for Web developers everywhere: The problem today isn't Microsoft or
Netscape - it's you.
The Web Standards Project, or WaSP, was founded in 1998 by a group of
high-profile Web developers -- including Zeldman -- who were tired of
building different versions of every page to support a plethora of
incompatible browsers from Microsoft, Netscape and others.
"The term 'Web standards' didn't even exist back then," Zeldman said from
New York, where he still works as a Web consultant.
But succeeding versions of browsers became more compatible with standards
and each other, and WaSP scaled back operations in 2000.
Now, Zeldman says the time has come to address the other, possibly tougher
roadblock to universal Web accessibility: those who build sites, not
browsers. "Though today's browsers support standards, tens of thousands of
professional designers and developers continue to use outdated methods" for
architecting and building online content, says the mission statement on a
new version of the WaSP site to be launched Tuesday.
The result, according to WaSP's statement, is a locked-out audience:
"Highly paid professionals continue to churn out invalid, inaccessible
sites" unreadable by surfers using off-brand browsers, wireless Web devices
or special-access technology for surfers with disabilities.
As site owners become more concerned about government-mandated
accessibility (known colloquially in the United States as "Section 508,"
after the relevant section of the Rehabilitation Act amended by Congress in
1998), Zeldman says businesses are simultaneously looking for ways to reach
a wider market - meaning customers not sitting at a desktop computer -
without spending on additional coding projects.
By conceiving and coding Web content in line with standards defined by the
World Wide Web Consortium (aka W3C), Zeldman says, "You don't have to build
three or four versions of each page. You don't have to make
printer-friendly versions. That's important on the $40,000 contracts we're
getting today," as opposed to multimillion-dollar sites built during the
dot-com boom.
But compared to getting a few companies to play along, convincing an
industry of consultants to focus on standards compliance may be more of an
uphill task for the resurrected WaSP. "It's a long battle to convince
people who are billing by the hour to change the way they work," Zeldman
said in a phone interview from Manhattan.
"We plan to lovingly guide our peers toward accessibility and standards
compliance," he said. "And if that fails, we plan to guilt-trip them. And
if that fails, we will ridicule them mercilessly, as we once ridiculed
Netscape and Microsoft."
If developers won't listen to Zeldman, they might pay more attention to a
newer member of the WaSP's steering committee: Tim Bray, who co-invented
XML for the W3C in the late 1990s and now runs Vancouver-based Antarcti.ca
Systems, a company that does XML-based data visualization.
"I'd like (Web developers) to look at the reality of the modern Web," Bray
wrote in an e-mail. "Standards-compliant browsers with beautiful rendering,
ADA section 508, the Internet Explorer monoculture under assault from Gecko
and non-PC-form-factor devices, Web Services. I'd like them to conclude
that the only sane, sensible, affordable way forward is to go
standards-based on all their content."
"At one time standards were an optional extra; I just don't think that's
true any more."
Bray agrees with Zeldman that a tighter economy should make Web consultants
think about their methodologies. "The U.S. Federal Government is one of the
good guys in what they say, if (unfortunately) not always in what they do,"
he said. "But at the end of the day, I think the leadership comes from the
market: It's safer, cheaper and better to build your Web presence in a
standards-based way rather than otherwise."
Even some of the WaSP's former targets support the renewed efforts. "WaSP
is right in pointing out that websites are behind in using standards that
are supported by all current browsers," said Håkon Lie, CTO of Opera
Software in Norway. "Most major websites can also be improved by removing
intricate table layouts and superfluous markup. There is absolutely no need
to use font elements anymore."
But one HTML contractor, who asked not to be named, illustrated the uphill
battle the WaSP faces in getting programmers to lay aside their old
browser-specific tricks: "Do you know how much I get paid for knowing this
stuff?"
******************
Wired News
New E-Waste Solution a Mine Idea
Mark Small has a radical solution for dealing with the glut of old
computers, cell phones, DVDs and other electronic waste: mining.
Rather than allowing electronic junk to simply amass in landfills, Small
wants to deposit huge volumes of e-waste into abandoned open pit mines.
Using the same techniques that miners use to process copper ore, valuable
materials such as copper, iron, glass, gold and plastic could be extracted
from electronic scrap.
"The products that we make (in the electronics industry) are made in an
incredibly efficient way," said Small, vice president of corporate
environment, safety and health for Sony Electronics. "We have to use that
same type of philosophy in dealing with the end-of-life issue."
There are more than 550,000 abandoned hardrock mines in the nation. A
single open pit mine has the capacity to hold 72 billion computers, Small
said.
Instead of viewing obsolete computer monitors and televisions as defunct
sources of cathode ray tubes, "We should look at it as a commodity," Small
said.
Mining is the "best, most efficient way to process materials with low value
content (like e-waste)," Small said. "There's essentially no cost in this."
Electronic waste isn't that big in terms of quantity or volume. In fact,
mining produces approximately 300 times more waste than electronics does
every year, Small said.
E-waste is often richer in rare metals than virgin materials, containing 10
to 50 times higher copper content than copper ore. A cell phone contains
five to 10 times higher gold content than gold ore, Small said.
Small's solution could be an alternative to small-scale regional recycling
programs that are employed today.
While some vendors have employed successful domestic computer take-back
programs, other manufacturers ship electronic junk overseas to China, India
and Pakistan.
By using mining techniques, "there's no need to ship e-waste overseas,"
Small said. "You can process it right here."
E-waste mining can take place anywhere. The process could be done on a
large concrete pad, rather than an old pit mine.
Small says e-waste mining is both economically and environmentally
sustainable. The method could be used only in mines that are void of
groundwater problems.
"It would be foolish to process in an area that could cause a contamination
problem," Small said.
But the cost of collecting and transporting material limits the sheer
volume of e-waste that is ready to be processed.
"The big issue is we don't have enough material now," Small said. "As soon
as we get more material, this could be done."
Only a system that allows for mass production will be able to address the
proliferation of new technologies that may soon become obsolete, Small
said. "We need a system to handle the 20-30 million TVs that are produced a
year," Small said.
Small's idea could mark a dramatic shift from the traditional method of
disassembling electronics.
"It's definitely out-of-the-box thinking," said Steve Changaris, northeast
region manager for the National Solid Wastes Management Association.
Still, it could take 5 to 10 years to accumulate enough materials to be mined.
If a huge volume of e-waste material can be aggregated to reach a critical
mass and mining can be implemented cost-effectively, then Small's proposal
could succeed.
"Some state or some jurisdiction is going to try this," Changaris said. "I
believe there's a distinct possibility that this could work."
But while Small's idea could be less costly than traditional electronics
recycling, critics say that it could add to the mining industry's
devastating impact on the environment.
"I don't believe that the environmental community would allow us to dump
our electronics and add to the mining waste," said Robin Ingenthron, vice
president of ElectroniCycle Inc.
Small's proposal "shines a light on how atrocious the standards for mining
are," Ingenthron said.
Even improper recycling poses less of an environmental threat than mining
raw materials to produce the rare metals found in electronics, Ingenthron
said.
According to the Environmental Protection Agency's 2000 Toxics Release
Inventory, the hardrock mining industry is the nation's largest toxic
polluter. In 2000, the mining industry released 3.34 billion pounds -- or
47 percent -- of all toxics released by U.S. industry.
"Pound for pound, open pit mining is the most-subsidized, most-polluting,
lowest-employment-generating business in the world," Ingenthron said.
Mining precious materials from the Earth requires 30 percent more energy
than recycling them from old computers. Those economics have caused
recycling practices to constantly improve as nations develop.
"Sure, we need to shut down a few lazy recyclers," Ingenthron said. "But
even the worst recycling sites are superior to mining. Mining is much
harder to remediate and make right. It's fairly easy to recycle correctly."
The General Mining Law of 1872 established current mining standards. The
law allows companies to mine publicly owned minerals for free and pay no
more than $5 an acre for mineral-rich lands. If that law is repealed, then
mining for e-waste might be more costly.
"The only reason why (mining e-waste) sounds like a good idea is because of
how cheap it is to meet the standards of the 1872 law," Ingenthron said.
"As long as the 1872 Mining Law gives the gold, copper, silver and lead
away for free, we will have to charge a fee to recycle that material from
used electronics. We should be able to recycle for free, on the value of
the rare metals."
Although Small's idea would produce less waste than getting raw material
out of hard rock, re-use in secondary material in glass and plastics would
be lost, Ingenthron said.
"Of course recycling would be cheaper if we lowered our standards to those
of the mining industry. You could drop monitors into open pits of arsenic
and cyanide, and walk away from the residue after you got the copper and
gold out. But it makes more sense to raise mining up to the standards of
recycling."
********************
NewsFactor
'Grid' Computers to Simulate Terror Scenarios
Researchers say a futuristic computing technology will help government
agencies prepare for worst-case scenarios involving terrorist attacks. For
the complete story, see: http://www.newsfactor.com/perl/story/18168.html
********************
NewsFactor
IBM To Announce Chip Technology That Drain Less Power
IBM recently designed a chip for Cisco that contains more than 35 million
"gates," or logic circuits. IBM claims it is the most complex custom-made
semiconductor ever built. For the complete story, see:
http://www.newsfactor.com/perl/story/18140.html
********************
Peoples Daily China
China, Japan Signed Memorandum on Internet Technology Cooperation
The Chinese and Japanese governments have signed a memorandum of
understanding Thursday in Tokyo on Internet technology cooperation.
The Chinese and Japanese governments have signed a memorandum of
understanding Thursday in Tokyo on Internet technology cooperation.
Headed by Wang Chunzheng, deputy-director of the Chinese State Development
Planning Commission (SDPC), the Chinese economic delegation exchanged views
with Japanese officials on macroeconomic policies, social development, as
well as economic and technological cooperation of the two countries during
its visit to Japan on June 5-6.
After one-year discussion, the SDPC and the Japanese Ministry of Economy,
Trade and Industry have reached a common view on internet technological
development and cooperation and signed the memorandum of understanding on
internet Ipv6 technology cooperation.
This marks the new development on information technology cooperation
between the two countries.
According to the memorandum, concerned departments and enterprises of the
two countries will input a total investment of some 4 billion Japanese Yen
(125 Japanese Yen =1 US dollar) for developing the Ipv6, a new generation
internet technology.
*******************
The Jerusalem Post
Israeli companies not adequatedly prepared for disaster
By SHARON BERGER
Despite the dramatic events of September 11, companies have not taken
certain lessons to heart, in particular the need for backing up information
at alternative locations and implementing a data continuity plan.
Israeli technology companies, which are heavily involved in research and
development, would appear to be an obvious choice for making great efforts
to ensure the security of their intellectual property and the smooth
functioning of their operations even under problematic conditions.
Portfolio companies of venture capital funds are being increasingly
encouraged to ensure their data is safely backed up on a regular basis. Yet
at least one local lawyer believes that Israeli companies are not only
exposing themselves to unnecessary risk but are also opening themselves up
to be sued for not taking preventive action.
International business development lawyer Abraham Sofer, from Tel-Aviv
based Lipa Mier and Co., notes that under common law companies can be
liable for not exercising good business judgment, which includes management
not preparing for steps they should have foreseen. Although Sofer considers
such
a case highly unlikely he did not discount shareholders of
American-registered companies holding companies liable for having put their
management in jeopardy if war breaks out in the region.
In such a case the successful operating of the company could be endangered
and therefore the
shareholders may have a case said Sofer.
Furthermore, Sofer noted that companies have a legal requirement to
implement a contingency plan to avoid financial losses. "Any companies not
taking steps to prevent such disasters are not exercising business
judgement," he said. He noted that many insurance companies offer discounts
to companies which have comprehensive recovery capabilities. In the US
following September 11 companies looking to renew their policies were
strongly encouraged by their insurance companies to implement such plans so
as to minimize their exposure to future potential disruptions. Included in
these contingency plans are the need for off-site back up capabilities.
Although the continuing violence between Israelis and Palestinians has not
abated, and the threat of increased escalation exists with a possible
attack by the US on Iraq, few experts believe that companies here need to
go so far as to back up information outside of the country.
Motorola which has over 2,000 engineers in Israel, has "no framework for
backup abroad," said spokesman, Uri Ginosar. However a number of local
companies do have back-up storage in remote locations, such as the desert.
Sofer explains that with the technical capabilities available to avoid
lengthy computer downtime, those who do not take adequate steps open
themselves up to a potential wave of litigation. He has a checklist for
companies of suggested steps including: management involvement, a detailed
plan in writing, which has been tested, back up on a daily basis with at
least one copy off site, an understanding of contracts with outside sources
and their liabilities in case of disaster, as well as having alternate
sources lined up.
Back-up services, standard IT procedure in larger companies, are generally
provided by conglomerates such as IBM, Sony, Hitachi, on hard drives and
other large storage devices.
They are designed to protect companies from
problems such as fires, flooding, electricity black-outs, earthquakes, etc.
to the physical site, which could cause disturbances in their data
continuity. Particularly for companies that need continuous access to their
data, such as online trading sites, disruptions can be disastrous warned
Michael Beldie, a business consultant for Partners 500. The rather "unsexy"
field of data storage recovery is expected to grow to $4.7 billion
worldwide by 2005 he said.
The need for back-up services was heightened by the September 11 attacks,
but local business consultants note that particularly in large
organizations, it is also necessary for cases of former angry employees,
who are also capable of causing extensive damage. Israel Kahana, director
of business continuity solutions at E&M Computing in Ramat Gan, also warned
of "fingeritis" where employees accidentally disable applications or delete
vital information, particularly common in the process of installing new
software. This is in addition to more mundane difficulties such as system
failure or security violations leading to corruption of data.
Beldie notes that some 60% of most companies' downtime results from
hardware problems.
According to Beldie and Kahana, in order to ensure an adequate plan for
business continuity it must be implemented not only be technical staff, but
include the involvement of top level management.
"Enlightening management or the board of directors must come first in order
to kick start the process.
They are the ones with the authority to resign resources, both financial
and human."
Beldie refers to a study by the Gartner Group that shows that although some
85% of large corporations have some kind of disaster recovery plan, only
15% have some kind of business continuity plan. Of those most have only an
outline rather than a detailed response plan.
"There is a large gap between perception and what steps actually need to be
taken." Sofer warns that companies must not only have these plans in place
but they must ensure that they actually work.
He admitted, "September 11 bought disaster recovery to the forefront of
people's minds. Now corporations are looking at all kinds of preparation."
Kahana believes some 60-70% of the Israeli market is now considering
implementing some sort of back up information plan, but warned that this
realization would take a while to translate to increased business. Beldie
and Kahana recommend that all companies examine what would be the impact of
a disruption to their data services.
*******************
Computerworld
Mass. roundtable panelists talk up broadband, Web security
BOSTON -- Massachusetts IT leaders had two main messages yesterday for
Bruce Mehlman, the U.S. Department of Commerce's assistant secretary for
technology policy: They want to see universal broadband access and greater
IT security.
Panelists at a Mass eComm roundtable discussion here yesterday said that
broadband could change the commercial landscape of the country by breaking
traditional telecommunications companies' hold over the flow of information.
Economic growth depends on access to broadband connections, said Dan
Bricklin, founder and chief technology officer of Concord, Mass.-based
Trellix Corp. He criticized the telecommunications industry for its
restrictive practices in the past, noting that touch-tone phones were
introduced in 1964 but people had to pay 90 cents per month to use them.
That seemed like more of an attempt to make money off consumers than to
advance technology, Bricklin said.
Cambridge, Mass.-based ChannelWave Software Inc. President and CEO Chris
Heidelberger cited his own experience. He recently moved from a community
with high-speed Internet access to one that didn't. Before the move, his
entire family used the Web for almost all its needs, from shopping to
banking. In their new home, the family has only a slower dial-up account --
and has reverted to its pre-Internet lifestyle.
According to Heidelberger, if business is going to really develop on the
Web, it will need broadband to do so.
Linked with that access is the need for better security. Panelists at the
session told Mehlman that their biggest concerns are attacks on the IT
infrastructure that would damage consumer confidence and erode gains
already made in the public's acceptance of e-commerce.
Although some panelists said they fear another massive Sept. 11-type
attack, others, such as Simson Garfinkel and Bricklin, are more worried by
the Web's brittleness.
"We shouldn't live in a monoculture," said Garfinkel, author of several IT
books and CTO at Sandstorm Enterprises Inc., a security company in
Cambridge, Mass. Garfinkel said there is an overdependence on Microsoft
Corp.'s products. The Windows operating system has its place in the world,
he said, but to be truly safe, businesses and the IT infrastructure as a
whole need diversity. This means more Linux- and Macintosh-based
operations, he said.
Bricklin echoed Garfinkel's call and said many security measures put forth
by companies and vendors remind him of the man who searched for his wallet
under a lamppost because the light was better -- even though he lost it
somewhere else.
Garfinkel was even more direct, saying he seldom flies anymore -- not
because he fears a terrorist attack, but because of what he called
meaningless exercises in airport security designed more for show than
preventing an attack.
He and Michon Schenck, president and chief operations officer at Concord,
Mass.-based Financial Fusion Inc., both noted the massive amount of
security around the World Trade Center to show how security can be
circumvented.
Garfinkel said his backpack was searched every time he went into the
building -- even though the 1993 attack on the World Trade Center came from
a truck bomb. That type of security, he argued, was wasteful and ultimately
useless.
"We didn't see an attack in civil aviation; we saw an attack on a
building," he said of the pre-Sept. 11 preparations.
Panelists said the same could be said about the approach many people take
to IT security. "Inconvenience people, and they will think you are doing
something," Garfinkel said.
He and the others warned that future cyberattacks could be more devastating
because worms and viruses have so far been designed to cause minor
disruptions and serve as a nuisance. However, they said, if such attack
carried more deadly payloads, the damage to the nation's economy could be a
lot worse.
"The people who are really good at doing this don't have the incentive, and
the people who have the incentive usually don't have the knowledge,"
Garfinkel said.
He also chided Internet service providers for not doing enough in terms of
security screening and scanning for viruses, worms and other attack agents.
Curt Lefebvre, founder of NeuCo Inc. in Boston, said consumers also have to
get involved by demanding that businesses take security more seriously.
The government also has a role to play, said Financial Fusion's Schenck.
Noting that federally-chartered banks must meet regulatory criteria to stay
in business, she said there aren't any federal criteria to measure security
for online banking.
"Online banking is not even on the list," she said.
***************
Computerworld
Clarke: Homeland security revamp to help cybersecurity
RESTON, Va. -- White House cybersecurity chief Richard Clarke said today
that a plan to reshuffle the federal government's cybercrime agencies into
a new cabinet-level homeland security department will improve federal
coordination with the private sector.
"It will concentrate our forces, it will concentrate the skilled staff that
we have and will ensure better cooperation and better coordination both
within the government and the private sector," said Clarke.
In a proposal outlined by President Bush late last week, the new department
would include the FBI's National Infrastructure Protection Center and the
U.S. Department of Commerce's Critical Infrastructure Assurance Office.
Both agencies work extensively with the private sector.
Clarke, speaking here at the Networked Economy Summit sponsored by George
Mason University, also warned that the dangers posed by worms, viruses and
system intrusions are as urgent as ever -- and on the rise.
"Digital Pearl Harbors are happening every day, they are happening to
companies all across the country," he said. According to Clarke, such
cyberincidents cost the economy $15 billion last year.
Clarke and other federal officials have been holding a series of meetings
around the country to raise awareness and gather information for a planned
national strategy due out by mid-September. That strategy, which is being
developed with the help of industries representing critical sectors such as
finance, energy and transportation, is intended to map out a plan for
improving security protection.
But the government awareness campaign has also been "a little dirty,"
Clarke told his audience, many of whom work for IT companies in Northern
Virginia.
In particular, federal officials have been going to private-sector
companies and telling them to pressure vendors to improve security with
this message: "Why aren't you using security offerings as a discriminator
among the people from whom you buy?"
Clarke said he has also been meeting with insurance companies about writing
cybersecurity insurance for firms that meet certain criteria.
A key goal is improving the security of federal agencies, which have
frequently been found to be lacking by the congressional watchdog agency,
the U.S. General Accounting Office.
In that regard, the Bush administration's proposed budget for next year
includes $5 billion in new funding to improve security at federal agencies.
Clarke said the private sector won't take the federal government seriously
as long as the government itself has problems.
This was good news for the vendors at the conference.
"There is a tremendous opportunity for private-sector involvement in
homeland security areas," said Rep. Tom Davis (R-Va.), who predicted
"billions of dollars" of new federal IT spending on homeland-related security.
The bulk of this new spending "is not going to new federal employee
manpower, but is going to contractors, innovators, information technology
companies," said Davis.
The proposed homeland office reorganization won the endorsement of one
vendor, Jack London, chairman and CEO of CACI, a Northern Virginia-based IT
firm. He said it will allow the government to produce "a single data
picture of threats against our homeland."
But one technology effort that "should command early focus" is development
of interoperable identification control systems that would allow federal
agencies to work with law enforcement, as well as the private sector, to
correlate potential terrorist activity and threats.
Virginia's economy relies heavily on the tech sector, which employs about
325,000 people in the state. It's also home to numerous military bases and
network hubs that handle Internet traffic.
"Virginia is a target-rich state," said the state's governor, Mark Warner.
"Literally, half of the Internet traffic in the world flows through
Northern Virginia. A disruption to that traffic could have worldwide
implications."
************************
ZDNet
EU: MS Passport is under investigation
BRUSSELS--The European Union is examining charges that Microsoft's .NET
Passport system breaks EU rules on data privacy, a European Commission
official said on Tuesday.
The official said he expected member states to make a formal announcement
after July 1.
The official was commenting after Microsoft called a news conference to
deny the Commission or any EU state was formally investigating the .NET
Passport system of collecting personal data from Internet users.
"Not one of the 15 member states or the European Commission is
investigating Passport," Peter Fleischer, senior attorney for law and
corporate affairs at Microsoft, told reporters.
He was referring to reports last month that the EU was looking into whether
the system complied with strict EU rules on data protection.
The Commission official confirmed no formal investigation had yet started
but suggested action may be in the pipeline.
"It is correct to say there is no formal investigation at the moment," he
said.
"But the issue is under consideration and we are hoping for some kind of
announcement from the member states after July 1."
EU national privacy controllers, the officials charged with monitoring
compliance with EU privacy laws, are due to meet on July 1, the official
added.
Privacy matters
Earlier this month the EU executive said in a letter to a member of the
European Parliament it was "a matter of priority" for it to look into
Microsoft's .NET Passport service in co-operation with EU member states.
Several national privacy controllers said last month that associations
aimed at protecting privacy had been asking governments to open an
investigation and could get their way.
Fleischer said Microsoft company was in a "constructive dialogue" over this
issue with the Commission and EU states, but would not give details of what
specific concerns the Commission had about .NET Passport.
Under EU data privacy rules, customers' personal data can only be used by a
firm or passed on to others with prior consent from the individual.
While the Commission has authority to help member states interpret EU law,
legal action would be launched by the individual member states.
Privacy groups and their allies argue that Microsoft's free .NET Passport
service collects personal information while consumers are making purchases,
playing games or doing bank transactions on line.
Richard Purcell, Microsoft's Corporate Privacy Officer, denied the
allegations, saying that customers give data on a voluntary basis. Such
data normally include usernames, passwords, email addresses and, in some
cases, phone numbers.
Any investigation would be separate from a probe by the competition arm of
the Commission, which is looking into Microsoft's Windows operating system,
alleged to work better with its own server software than those of its rivals.
Microsoft said last month it had also supplied information to the Federal
Trade Commission in Washington, which has received similar complaints.
***********************
Sunspot.net
Blind gain free access to 53 newspapers online
Program: The blind are now able to dial an 800 number and have dozens of
newspapers read to them by computer.
There was a time when Michael Baillif, a tax attorney in Washington who is
blind, would have to ask the person who reads for him at work to spend the
first few minutes of the day reciting the sports pages.
Or when he felt he had to scramble to keep up with news on the radio,
rather than having access to the newspaper at his leisure.
"If I was going to read anything at all, I'd have to pay a reader to do
it," Baillif said. "And what's more, I'd have to do it on their schedule."
Those days are long gone, thanks to technology at the National Federation
of the Blind that allows people to dial into a computer and have the paper
read to them by the machine.
It's part of the Baltimore-based federation's free Newsline program, which
has spread nationwide.
That means blind people around the country can dial an 800 number and have
any of 53 newspapers read to them by computer. Before the program went
national, listeners could hear news only from papers in their area or had
to pay for a long-distance call to use the service.
Baillif uses Newsline to listen to The Sun, the Washington Post, the New
York Times and, sometimes, USA Today and the Wall Street Journal.
"I've got a lot more flexibility," said Baillif, 35. "At work I often enjoy
grabbing lunch at my desk and listening to the paper over lunch."
Here's how Newsline works:
The National Federation of the Blind gets an electronic feed from each
newspaper with that day's articles (advertisements are not included), which
is then translated into a computer-generated voice. It takes six to 15
minutes for the computer to translate the feed into a voice.
Users can then call a server at the center and navigate through the system
using their telephone keypads. They can choose what paper to listen to,
then what section. The voice tells them how many articles are in a section
and begins to read the first article in the section.
The users have the option of skipping ahead to other stories,
fast-forwarding or going back in a story, searching for a word in an
article or having a word spelled out for them. Newspapers for the current
and previous day are available in the system, and the Sunday editions are
stored for a week.
"We wanted to build something that could provide instant access, timely
access and with a minimum amount of effort," said Peggy Chong, program
manager for Newsline.
Newsline began as a pilot program in 1994, with USA Today as the only
newspaper participating. The paper was accessible by calling a local number
in Baltimore. In 1996, the program expanded to include a half-dozen
newspapers that could be heard by calling servers in Louisiana and Minnesota.
As the program grew, newspapers were fed into local servers in different
regions. Chong said the servers were kept anywhere the National Federation
of the Blind could find to house them - from public libraries to an
insurance company to a laundry room in a nursing home.
Each server was limited to seven papers. If an area had no servers, people
had to call long-distance to use the system.
This year, Newsline went national with the help of a $4 million grant from
the Institute of Museum and Library Services.
Chong said that when the program began it was a challenge to persuade
newspapers to participate. Some worried that circulation would go down
because people would use the service instead of buying the paper, she said.
But the number of participating papers is rising, as is the number of
users. Newsline is hoping to have 75 to 100 papers online by the year-end,
and the program has more than 36,000 participants, Chong said. Newsline is
also hoping that users will gain access to government documents through the
service.
Leon Rose, 77, who is blind, lives in Columbia and plans to move with his
wife to Nevada for the winters. He said the national reach of Newsline
would help him stay on top of Maryland news from his second home.
"I will be able to continue to stay in touch with what's going on in
Maryland on a toll-free basis," he said.
Baillif, the tax attorney who used to have his reader at work read the
sports section to him, said he feels the same way about Newsline as he does
about cellular phones.
He had vowed never to get a cell phone, but now that he has one, Baillif
says he couldn't live without it. Similarly, he hardly noticed the lack of
access to information before he used Newsline, but now that he uses the
technology, he finds it's a fundamental part of his life.
"What's tremendous about it," he said, "is it's a wholly independent way
that I can obtain access to information the way everyone else does."
*********************
Lillie Coney
Public Policy Coordinator
U.S. Association for Computing Machinery
Suite 510
2120 L Street, NW
Washington, D.C. 20037
202-478-6124
lillie.coney@xxxxxxx