Clips July 16, 2002



ARTICLES

E-Mails Shed Light On WorldCom's Goals
President To Detail Security Strategy
House Votes to Stiffen Cybercrime Penalties
Agency management scorecards still in the red
FDIC faulted for weak IT security
Going once, going twice, FirstGov sold on auctions
New education site targets Hispanics
China's E-Mail Going Postal
Virus Distributes Via E-Mail
Talks Weigh Big Project on Wireless Internet Link
Point. Click. Think?  (Student research on the Internet)
Digital TV deadline set
Hackers could face life in jail (BBC take on just passed Cybercrime bill)
No fear? (Editorial on new law to protect federal whistle blowers)
FAA taps Harris for telecom overhaul
Cybersecurity checklist for federal agencies under consideration
More hurdles await e-government
Biometrics Slow To Catch On In Networks
Internal Security Breaches More Damaging


************************
Washington Post
E-Mails Shed Light On WorldCom's Goals
Officials Sought to Bolster Bottom Line
By Jonathan Krim

Congressional investigators probing accounting improprieties at WorldCom Inc. released fresh evidence yesterday of a company struggling to prop up its bottom line in the face of a rapidly eroding telecommunications business.

Internal company e-mails dating back to July 2000 show ongoing discussions among finance officers about plunging profit margins and stock prices as excess network capacity and cutthroat competition combined to force WorldCom to cut prices to customers. At the same time, the company was continuing to invest in its network to give it an advantage over rivals.

In response, officials of the long-distance and Internet data giant discussed different ways of cutting expenses to maximize its bottom line, including reclassifying some expenses as capital costs and examining whether it was entitled to tax exemptions on certain network costs.

"Why does a company do this?" asked Rep. James C. Greenwood (R-Pa.), who heads the oversight and investigations subcommittee of the House Energy and Commerce Committee. "The answer is that a company's stock price follows its earnings . . . and top people have a lot of stock."

WorldCom announced on June 25 that it had improperly accounted for $3.9 billion in expenses, the latest in a string of accounting scandals at several firms that have rocked the nation's financial markets. The company fired Chief Financial Officer Scott D. Sullivan and forced Controller David Myers to resign, blaming them for the irregularities and vowing to cooperate with the numerous investigations now underway.

Yesterday, the company went to court to try to reclaim a $795,000 bonus it had paid to Myers as part of an extensive retention program for senior executives. It previously sued to reclaim a $10 million bonus paid to Sullivan.

The company also skipped a $74 million interest payment on its bonds, another sign it is close to filing for bankruptcy, according to bankers familiar with the matter. Chief executive John W. Sidgmore has said he hopes to avoid bankruptcy but has acknowledged it might be unavoidable.

Several banks sued WorldCom on Friday, charging that it exercised a $2.6 billion line of credit in late May when it knew it faced serious accounting irregularities that could constitute fraud. A hearing is set for today in New York. If the judge sides with the banks, it would force the company into bankruptcy quickly, banking sources said.

A WorldCom spokesman declined to comment in detail on the new documents released by Rep. W.J. "Billy" Tauzin (R-La.), who heads the Energy and Commerce Committee.

"We're the ones supplying the documents to the various investigative bodies so they can determine the facts," said Brad Burns, spokesman for WorldCom.

The documents shed no new light on what if anything WorldCom founder and former chief executive Bernard J. Ebbers knew about efforts to use accounting maneuvers to burnish the company's bottom line.

But the material shows a determined effort to make the company's finances conform to bottom-line targets set by senior management.

"David [Myers] stated the [expense] amounts were booked based on what they thought the margins should be," according to a memo from Cynthia Cooper, an internal auditor who discovered the improper books during a review of the company's capital expenditures.

And in an e-mail to Myers dated March 6, 2001, a lower-level official mentioned a conversation with Sullivan: "I asked Scott what numbers he wanted and I would see what could be done to get them."

The documents also show that auditors from Arthur Andersen LLP, which approved the company's books for the five quarters when the expenses were improperly booked, were asked about the propriety of the tactic. A former Andersen official who handled the WorldCom account previously had said the firm was unaware of the accounting practices.

"Andersen auditors were told about this issue in the third quarter of 2000," said Andersen spokesman Patrick Dorton. "They promptly discussed it with senior WorldCom financial management and were told it was being corrected."

Tauzin said his committee is talking to current and former WorldCom employees and that irregularities might date back to 1999.
***********************
Washington Post
President To Detail Security Strategy
Plan Seeks Public, Private Teamwork On Array of Threats


By Bill Miller and Christine Haughney

The nation's first homeland security strategy, to be unveiled by President Bush today, calls for dramatic action by government and private industry to prevent a "new wave of terrorism" in the United States, an open society that "presents an almost infinite array of potential targets."

Nine months in the making, President Bush's grimly worded plan urges that security be hardened against "catastrophic threats," such as nuclear, radiological, biological and chemical weapons, as well as cyber-attacks and more conventional weapons.

"Unless we act to prevent it, a new wave of terrorism, potentially involving the world's most destructive weapons, looms in America's future," according to the 88-page blueprint distributed to news organizations yesterday. Preventing such attacks "is a challenge as formidable as any ever faced by our nation," the document states.

The administration has been criticized for proposing a Department of Homeland Security before it put forth a new security strategy. Homeland Security Director Tom Ridge told Congress yesterday that the strategy is a "comprehensive statement of what needs to be done." The creation of a new department is the cornerstone of the overall plan, and Ridge testified that it is critical to sharpening the federal government's response to terrorism.

Bush will release the report on the third day of hearings by a select committee of House members, who are debating the merits of the proposed department. A host of House committees last week suggested changes to the president's plan to merge all or parts of 22 agencies into the new department.

The report identifies three key objectives: preventing terrorist attacks within the United States; reducing the nation's vulnerability to terrorism and minimizing the damage while speeding the recovery from attacks that do occur. Much of the work would be coordinated by the new department that Bush wants Congress to create.

In coping with such threats, the strategy relies heavily on science and technology. The White House is calling for research on new vaccines and antidotes, the creation of standardized biometric travel documents for foreign visitors and the development of screening tools to predict human behavior, such as "hostile intent."

The strategy also calls for the federal government to greatly expand the use of sensors to detect nuclear and radiological devices at borders, ports and major highways. The government would fund research to improve the capabilities of sensors designed to detect biological and chemical weapons.

Under the strategy, governments and businesses would constantly probe for weaknesses. Within the federal government, the White House wants to deploy trouble-shooting "red teams" of federal workers who would play the part of terrorists to expose the nation's most glaring vulnerabilities, a tactic now used by the nuclear power industry.

"One fact dominates all homeland security threat assessments: terrorists are strategic actors," the report states. "They choose their targets deliberately based on the weaknesses they observe in our defenses and our preparedness.

"We must defend ourselves against a wide range of means and methods of attack. Our enemies are working to obtain chemical, biological, radiological and nuclear weapons for the purpose of wreaking unprecedented damage on America."

Dealing with terrorism will require substantial costs for years to come, the strategy notes. Governments and businesses are now spending more than $100 billion a year on homeland security, with more than half the money coming from the private sector, it said.

Paul C. Light, vice president and director of governmental studies for the Brookings Institution, which on Sunday urged Congress to pare back Bush's plan for a homeland security agency, said the new strategy included "much to admire," such as details about how the pieces of the nation's security network will fit together.

But he also criticized the plan for not paying enough attention to training workers to handle their complex and expanding duties.

White House officials said the release of a national strategy will put the reorganization plan in a broader perspective. The new, 170,000-person department would take the lead in border and transportation security, protecting the nation's infrastructure and coordinating the federal response to terrorist strikes. It also would be responsible for analyzing intelligence from the FBI, CIA and other agencies and issuing terrorism alerts to states, cities, industries and the general public.

The strategy incorporates many initiatives already underway, such as improving the FBI's counterterrorism capabilities; bolstering intelligence collection and analysis; strengthening protections against cyber-attacks and overhauling computer systems so information can more easily be shared throughout government and industry.

But it also looks ahead, saying that the White House will seek significant new money for the FBI and Coast Guard and focus more heavily on issues such as port security. More than 16 million shipping containers enter the United States each year, and better technology would help ensure that they are carrying no weapons, the report said.

In the legislative arena, the strategy calls for making exceptions to the Freedom of Information Act to prevent the release of sensitive threat assessments provided by the private sector. State governments are urged to come up with minimum standards for the issuance of driver's licenses and to update antiquated laws concerning quarantines.

The White House is also seeking federal legislation to expand the list of crimes covered by extradition laws, so that more suspects arrested overseas could be brought to the United States for trial.

The strategy organizes the anti-terror campaign into what it calls six "critical mission areas" -- intelligence and warning; border and transportation security; domestic counterterrorism; protecting critical infrastructure and key assets; defending against catastrophic threats and emergency preparedness and response.

Ridge, the former Pennsylvania governor who was named homeland security director in October, has been working on the plan since he took the post. Yesterday he spent nearly two hours fielding questions from the House Select Committee on Homeland Security, the nine-member panel that has promised to assemble the House's version of the reorganization bill by the end of this week.

The Senate Governmental Affairs Committee plans to craft the Senate version next week. House and Senate leaders are still hoping to pass a bill by the one-year anniversary of the Sept. 11 attacks.

Many of the questions for Ridge centered on the logistics of the Homeland Security Department absorbing large agencies such as the Coast Guard, with more than 43,000 employees and a wide range of responsibilities. Rep. Rob Portman (R-Ohio) said he feared that agencies no longer would have the money to complete non-terror duties, but Ridge maintained that would not be a problem.

Ridge spent much of his time urging the select panel to reject some of the recommendations made by other House committees last week, such as taking the Coast Guard and Federal Emergency Management Agency out of the proposed new department.

A senior administration official said yesterday that organizations such as Osama bin Laden's al Qaeda terror network have strategies, too. "If there is any constant about terrorist strategies, it is that they seek surprise and they target our weaknesses," he said. "As we get strong in an area, they shift to another."
******************************
Reuters
House Votes to Stiffen Cybercrime Penalties
Mon Jul 15, 8:06 PM ET
By Andy Sullivan


WASHINGTON (Reuters) - Spurred by worries about electronic terrorism, computer viruses and other Internet intrusions, the U.S. House of Representatives voted on Monday to increase online surveillance and stiffen penalties for computer crime.



By a vote of 385 to 3, the House approved a bill that seeks to better coordinate efforts to fight cybercrime while increasing recommended sentences for those found guilty.

Under current law, punishments for cybercrimes are based on the economic damage they cause, which often results in little or no jail time. The author of the "Melissa" computer virus, which caused $1.2 billion in damage, was sentenced in May to 20 months in prison and a $5,000 fine.

The House directed the U.S. Sentencing Commission to take into account the perpetrator's intent and other factors, such as whether sensitive government computers were the target.

Computer criminals who put human lives at risk, either knowingly or through "reckless" behavior, could face life in prison under the legislation.

The House also loosened surveillance restrictions on Internet service providers, allowing them to report suspicious activity on their networks, even if it did not pose an immediate threat, and protecting them from lawsuits when they did so.

Current law prohibits service providers from reporting user activity unless it presents an immediate risk of death or injury, and allows users to sue for damages if their privacy is violated.

Providers would face penalties if they did not store electronic records, such as customer e-mails, for at least 90 days. The Justice Department would report after one year how many times Internet providers had reported suspicious activity.

The bill has drawn support from Internet providers, who say current law places them in the awkward position of determining the gravity of threats made in their chat rooms or contained in customer e-mails.

But civil-liberties groups have said it could encourage law enforcement agencies -- or any government agency -- to pressure Internet providers to turn over their records without a search warrant, further eroding electronic privacy.

The Senate has not yet taken up a computer-crime bill.

The White House said in a statement that it did not object to the measure, except for one provision that would make the Office of Science and Technology Policy, which advises the president on science and technology issues, independent of the National Institute of Justice, the research arm of the Department of Justice.

"The Administration urges that the Office of Science and Technology remain, as it is today, part of the NIJ," the statement said.
*************************
Government Executive
Agency management scorecards still in the red


By Tanya N. Ballard
tballard@xxxxxxxxxxx



Most agencies are still struggling to implement key pieces of the president's management reform plan, despite a few improvements over the past year, Office of Management and Budget officials said Monday.

"We've seen significant progress in some cases, and there are some cases where we're not pleased with our progress," Office of Management and Budget Controller Mark Everson said during a budget briefing Monday following the release of the administration's mid-session budget review.

The review measured the ability of agencies to overhaul themselves in five key management areas set forth in the president's management agenda: human capital management, competitive sourcing, financial management, electronic government and linking performance to budgets. The administration devised a "traffic light" grading system--green for success, yellow for mixed results and red for unsatisfactory--and released its first red-light dominated scorecard in February. The mid-year review includes 109 red lights, 19 yellow lights and two green lights.

The National Science Foundation, which scored a green light in financial management during the first review and was the only agency at that time to score a green light in any category, earned a second green light in e-government for fixing its information security problems. The Social Security Administration and the Departments of Energy and Labor managed to climb up a notch to yellow in at least one area.

SSA improved in performance-based budgeting by creating a new budget system that is connected to its financial management system, OMB said. Energy officials aggressively developed and implemented a strategic workforce plan, leading to improvements in the agency's human capital management score. Corrections to financial systems helped the Labor Department move from red to yellow in the financial management category.

But two agencies, NASA and the Small Business Administration, lost ground, dropping from yellow to red in the financial management category after receiving poor audits in fiscal 2001.

Everson cautioned observers against reading too much into the ratings, as agencies were merely shifting from writing to implementing plans in this last cycle.

"Some of this will take multiple years," he said.

OMB Director Mitch Daniels also pointed to the fact that President Bush chose the five worst areas of government to target for his management agenda.

"He didn't pick anything that was susceptible to a quick kill," said Daniels. "We set the goals, tried to be as clear as possible about them -- but the how, we expect them to figure out."

Daniels remained resolute about the possibility of repercussions at agencies that take their time getting to green.

"There will be economic repercussions," he stressed. "Programs doing well will be reinforced. Programs that are failing will see their resources shifted somewhere else."
*************************
Computerworld
FDIC faulted for weak IT security


WASHINGTON -- A federal agency created in the 1930s to help restore economic confidence during the Great Depression isn't winning the confidence of a congressional watchdog agency for its information security practices.

The Federal Deposit Insurance Corp. was faulted by the U.S. General Accounting Office for access policies that give hundreds of end users privileges that allow them to modify financial software, as well as read, modify and copy financial data, the GAO said in a report today.


Many end users had access to "powerful" systems commands, including 26 help desk employees and 14 database staffers who didn't need access to these commands, the GAO said.

The FDIC has been previously faulted by the GAO for IT security. But the GAO acknowledged that the FDIC has taken steps to improve its operations, including the use of a guard service to provide security surveillance to its computer rooms and an assessment of data to determine the level of security needed to protect it.

The FDIC, in a written response, said the GAO's findings will help it improve security.

The FDIC insures deposits in excess of $3.2 trillion for about 10,000 financial institutions.
***********************
Government Computer News
Going once, going twice, FirstGov sold on auctions
By Jason Miller


Watch out eBay, here comes FirstGov.

The General Services Administration today added a shopping and auctions section to its FirstGov portal. The new firstgov.gov feature also is the first milestone for the Federal Asset Sales e-government initiative managed by GSA.

GSA divided what people can buy into eight categories, letting users participate in federal auctions for government property from cars and boats to computers, furniture and paint. Visitors also can buy souvenirs and gifts from agencies and shop at specific agency auctions or sites.
**********************
Government Computer News
New education site targets Hispanics
By Preeti Vasishtha


The Bush administration today launched a new Web site to help Hispanics get information about getting a college education.

The White House Initiative on Educational Excellence for Hispanic Americans led the development of the bilingual site, at www.YesICan.gov.

The administration last year created the initiative office, which provides support to the President's Advisory Commission on Educational Excellence for Hispanic Americans, to help Hispanics participate in federal education programs.

The White House initiative team worked with Collegeboard.com Inc. of New York and Tormont Publications Inc. of Montreal to develop the site and provide content.

The Education Department reported that in a recent study 96 percent of Hispanic parents surveyed expected their children to go to college, but 66 percent of the parents failed to answer four out of eight basic questions about what it takes to get a college education.

"YesICan.gov offers parents and students resources on how they can make [a college education] a reality," said Leslie Sanchez, director of the White House organization.
*************************
Wired News
China's E-Mail Going Postal
By Steve Friess


It almost sounds like a cool idea, until you remember whose idea it is.

China's postal agency launched a new service this week that will enable computer users to have e-mails delivered in hard-copy form to recipients who don't have e-mail. The e-mails will be printed out by postal employees, placed into envelopes, and sent with the rest of the mail to the sender's assigned destination.

Oh, and it won't be read by anyone. A spokeswoman for China Post says so.

"Mail is a private matter," the spokeswoman says. "There would be no reason for anybody to read it."

No reason, indeed. Even the Chinese regime's own followers assume that, in a nation where the government asserts that the open exchange of opinions will cause societal instability, somebody at China Post will be reviewing what is passed along.

This is, after all, a nation that blocks most major Western news media Internet sites, including CNN, the BBC, Voice of America and The Washington Post.

AOL member sites are also inaccessible in an effort to minimize the public's exposure to alternative views on Tibet, Taiwan, Falun Gong and the 1989 Tiananmen Square massacre.

And hundreds of Internet cafes are shut down each year for failing to put filters on computers that would keep users from looking up information on those hot-button political topics and from viewing sexually explicit material.

"All the Chinese know that their mail can be opened and read at any time anyway, so we must assume they will look this over, too," says Xu Jun, a political science professor at Fudan University in Shanghai. "Why wouldn't they? What if there was something in a letter that the government should object to?"

Nonetheless, the concept of a hybrid of e-mail and snail mail is intriguing in a vast nation where 34 million people have Internet access -- and more than 1.2 billion do not. This "mixed mail service," as dubbed by China Post, will at first allow domestic letter-writers to send mail to recipients in 18 major cities.

Yet just as the Internet itself is prohibitively expensive for the Chinese public, mixed mail service won't be cheap either. Users, expected to be mainly small businesses and entrepreneurs at first, must spend almost $60 for special software from the post office and buy a prepaid usage card of about $4 in "e-postage," the spokeswoman said.

That software enables the user to send the e-mail to China Post at any time of day. A postal employee prints it out during the next business day and charges 25 cents to print and deliver the first page. Additional pages cost another 6 cents each, but there's a three-page maximum.

The China Post spokeswoman seemed excited about the venture, but the agency's Chinese-language website mentioned it only vaguely in a confusing diagram. Personnel at two different branches in Shanghai last weekend said they'd never heard of the service, even though China Post claimed to have started offering it in that city last year in a test run.
************************
InternetWeek.com
Virus Distributes Via E-Mail


A new e-mail-borne worm discovered Monday targets Microsoft Windows and sends messages to addresses found in the Windows Address Book.

The worm arrives by mail with the subject line "Re: your password!" and exploits vulnerabilities to execute when the recipient reads or previews the file. The worm sleeps for several hours, and then copies itself to a Windows directory so it can be executed each time Windows is started.

The worm is called W32.Frethem.K@mm. It uses its own Simple Mail Transfer Protocol engine to send itself to e-mail addresses that it finds in the Microsoft Windows Address Book and in .dbx, .wab, .mbx, .eml, and .mdb files. It doesn't affect Unix, Macintosh, or Linux systems.

Security software vendor Symantec (http://securityresponse.symantec.com/avcenter/venc/data/w32.frethem.k@xxxxxxx) rates its potential damage low, but distribution high because of the possibility of large-scale e-mail distribution.
**************************
New York Times
Talks Weigh Big Project on Wireless Internet Link
By JOHN MARKOFF


SAN FRANCISCO, July 15 -- Several leading computer and telecommunications companies are discussing the joint creation of a wireless data network that would make it possible for users of hand-held and portable computers to have access to the Internet at high speeds nationwide.

The Intel Corporation, I.B.M., AT&T Wireless and several other wireless and Internet service providers including Verizon Communications and Cingular are exploring the creation of a company to deploy a network based on the increasingly popular 802.11 wireless data standard, known as WiFi, according to several people close to the talks.

The discussions, which are code-named Project Rainbow and have been going on for the last eight months, envision a nationwide service that would provide on-the-go professionals and other Web surfers a unified way to reach the Internet from a wide range of "hot spots" like airports and other public places. It is not intended to supply broadband connections to customers' homes, an executive involved in the discussions said.

Intel has been a leading force in the project, according to several industry executives. The company, which established a communications division 18 months ago, has said publicly that it plans to make 802.11 a standard capability of all of its microprocessors offered for mobile computing beginning next January.

The company has also said that it will bring the wireless data standard to 20 million portable computers in 2003 and an additional 40 million portable and desktop computers the following year. In addition to Intel, I.B.M.'s Global Services Division, which is one of the leaders in the deployment of 802.11 wireless access points, would be involved in establishing the actual wireless access points and developing the technology to link the network together nationally.

Officials of Intel and I.B.M. refused to comment on the planned project, but an industry executive who is involved in it said the companies would decide in several months whether there is a workable business model.

There have already been a number of ad hoc efforts and several national start-ups trying to lash the hodgepodge of 802.11 networks together into a usable national network. Companies like Boingo Wireless and Joltage Networks are trying to sell services that would let a computer user sign up once and use wireless access points around the country.

But the companies involved in the talks anticipate a more ambitious effort based on building a new wireless communications infrastructure that would also tie in the nation's cellular carriers, offering a seamless transition from low-speed cellular data standards to 802.11.

"There are a lot of moving parts that need to be tied together," said Richard Miller, a wireless data industry consultant at Breo Ventures in Palo Alto, Calif. "The big issue in my mind is that will they have a nice smooth service that can hand over the customer from wide area to local area."

Such a service would require a nationwide mechanism that would support multiple data standards and could automate billing moving between high-speed and low-speed networks, he said.

Other longtime industry analysts warned that the challenge in such a wireless data service would be in getting all of the different aspects right from the consumer's perspective.

"I think it could jump-start the industry if all the components are in place," said Alan Reiter, publisher of Wireless Internet and Mobile Computing, a wireless data newsletter and consulting firm in Chevy Chase, Md. "That has been the problem with wireless: everything has to work well or consumers will reject it. You need the right pricing, the right devices and right locations."

The rapid emergence of the 802.11 standard has been a remarkable phenomenon that has so far been unplanned and moved forward largely without the backing of major corporate service providers. About 7 million wireless cards were sold last year, a number the technology market research firm IDC expects to grow to 25 million by 2005.

Part of the challenge is that 802.11 networks were not originally intended to be used in the way that the Project Rainbow discussions now envision. Originally the technology was conceived as a replacement for wired Ethernet office networks over ranges of several hundred feet.

The standard, however, has quickly gained a large following of small companies and hobbyists who have extended it to cover "hot spots" in urban neighborhoods.

The new wireless network would be welcomed by millions of computer users, but it might find a less enthusiastic audience among cellular carriers, who have been hoping that wireless data would be a crucial component in next-generation networks which are starting to be deployed.

It might also not be greeted warmly by current providers of high-speed D.S.L. and Internet cable data service, who are worried about competition in delivering data connections to homes and businesses.

There are also a number of industry executives and technical experts who say that the question of wireless data standards is still very much up for grabs.

For example, the Motorola Corporation has not been a major player in the 802.11 marketplace. In June the company introduced a competing wireless data technology called Canopy, which is intended to permit service providers a competitive way to transmit high-speed Internet data over ranges of up to 10,000 feet.
***********************
Washington Post
Point. Click. Think?
As Students Rely on the Internet for Research, Teachers Try to Warn of the Web's Snares
By Laura Sessions Stepp


It is 2 a.m. and Daniel Davis, a University of Maryland freshman, has not even started his English paper on biological warfare, due that day.

No problem. He'll just do what he has done before a dozen times or more. He sits down at his computer in his dorm room, signs on to Yahoo's search engine and begins his quest. Six hours and several bags of chips later, the paper pops out of his printer, complete.

He doesn't consider visiting the campus library or opening a book. Why should he? "You can find whole pages of stuff you need to know on the Web, fast," he says.

So Davis is a procrastinator. So what? Professors are used to that. But six hours? That's a whole new kind of extreme.

Welcome to the world of Net thinking, a form of reasoning that characterizes many students who are growing up with the Internet as their primary, and in some cases, sole source of research. Ask teachers and they'll tell you: Among all the influences that shape young thinking skills, computer technology is the biggest one.

"Students' first recourse for any kind of information is the Web. It's absolutely automatic," says Kenneth Kotovsky, a psychology professor at Carnegie-Mellon University who has examined the study habits of young people.

Good? Bad? Who knows? The first popular Internet browser, Netscape, came out only about a decade ago. What we do know after millennia of training minds in scholarly disciplines is that something has changed and it's not apt to change back.

On the good side, Net thinkers are said to generate work quickly and make connections easily. "They are more in control of facts than we were 40 years ago," says Bernard Cooperman, a history professor at the University of Maryland.

But they also value information-gathering over deliberation, breadth over depth, and other people's arguments over their own.

This has educators worried.

"Seven years ago, I was writing about the promise of digital resources," says Jamie McKenzie, a former school superintendent and library director who now publishes an e-zine on educational technology. "I have to say I've been disappointed. The quality of information [on the Internet] is below what you find in print, and the Internet has fostered a thinner, less substantial thinking."

The problem is no longer plagiarism of huge downloaded blocks of text -- software can detect that now, when a teacher enters a few lines of a paper. The concern is the Internet itself.

Marylaine Block, a librarian and Internet trainer in Iowa, is blunt: "The Internet makes it ungodly easy now for people who wish to be lazy."

In the Shallows
Jeffrey Meikle, chairman of the American studies department at the University of Texas, sees the new world every time he walks into the main library on the Austin campus. There, where the card catalogue used to be, sit banks of computer terminals.


"My students are as intelligent and hardworking as ever," he says, "but they wouldn't go to the library if there weren't all those terminals."

All Web resources are not equal, of course.

What aficionados call "the deep Web," including subscription services such as Nexis and JSTOR, enables students to find information that is accurate, thorough and wide-ranging.

"I think the Internet encourages intellectual thinking," says Nora Flynn, a junior at Maryland. "You can go to so many sources, find things you never heard of. It forces me to think globally."

But many students don't have access to these costly, sophisticated resources or don't know how to use them. This leaves them relying on the free Web, a dangerous place to be without a guide.

Anyone can post anything on the free Web, and anyone frequently does. A student who typed "Thomas Jefferson" into the Google search engine would get 1.29 million hits; rap star Eminem would bring up 1.37 million. Narrowing one's search to certain words may not help. The gamelike quality of screen and mouse encourages students to sample these sources rather than select an appropriate text and read deeply into it or follow an argument to its conclusion. The result is what Cooperman, who teaches both Davis and Flynn at Maryland, calls "cocktail-party knowledge."

He's the model of a man of books: short-sleeve shirts, glasses, slight stoop, a pensive air. "The Web is designed for the masses," he says. "It never presents students with classically constructed arguments, just facts and pictures." Many students today will advance an argument, he continues, then find themselves unable to make it convincingly. "Is that a function of the Web, or being inundated with information, or the way we're educating them in general?"

Entering the Web
If students cannot come up with their own ideas, cut-and-paste technology allows them to lift someone else's sentences or phrases with ease.


Jeana Davis, a ninth-grade teacher in Arlington, says students frequently don't see anything wrong with this. "They'll say, 'I changed the words around.' And I'll say, 'But it's not your original thought.' "

Superficial searching habits can have tragic consequences, illustrated last year at Johns Hopkins University. A physician-researcher performed a test of lung function on a healthy 24-year-old woman, administering a large dose of a particular chemical. The woman then died of lung and kidney failure. The doctor had searched online for information about the drug but had failed to turn up any literature warning of its dangers -- information that medical librarians later did find online after the woman died.

Students can avoid such mistakes by asking for help from those trained to give it, but some young inquirers say they've done that and are merely waved over to the digital section of a library. Librarian Marylaine Block concedes that can happen, particularly since staff positions at many libraries have been cut.

Bonnie Kunzel, teen specialist at the Princeton Public Library, says students "will walk into our library and spend 30 minutes on the Internet trying to find out how a cobbler worked in Colonial America. I'll walk over and ask, 'Want to try a book now?' "

When students do come across something of interest, they may not be able to detect the author's bias because Web prose, unlike the writing in serious books and journals, often appears with only the slimmest of attribution, if any. This can introduce a certain naivete into their writing.

The Net has a kind of magical quality that leads younger students to say to librarians such as Block, "It has to be true. If it weren't true, they wouldn't let it be there." Says Block, "I have to tell them there is no 'they.' "

History teacher Davis, at Washington-Lee High School, recalls sitting down at the computer with a student who was researching Christopher Columbus's effect on the Americas. The student had found a convincing essay by an author taking Columbus to task for his treatment of Native Americans.

"Then we found another essay contradicting that," Davis says. "I asked the student, 'Who is right?' He couldn't tell, and neither could I."

Teachers like Davis spend class time teaching their Net thinkers how to read and think more critically. "I tell them, 'Don't take any Web site for granted. Who was the author? What authority does he or she have? Does the author have an agenda?' "

Maryland's Cooperman engaged a group of summer school students in a similar discussion earlier this month. The course was titled "History of the Jews I" and covered the period from the Bible through the Middle Ages.

Find a scholarly article on an issue in Jewish history, he told the students, suggesting that the best way to do that would be to visit the campus library and "touch books."

After receiving teacher approval of their articles, Cooperman's students summarized and evaluated the articles' arguments and then used the Web to find further sources. Cooperman told them to evaluate the usefulness of the Web sources compared with the scholarly material.

Their Web work turned up contradictions, errors and extraneous material. Nora Flynn, exploring the female Talmudic scholar Beruriah, noted in class that the scholarly article talked about Beruriah as a late invention, a composite of several women scholars. Web sources that she found through the popular search engine Google referred to Beruriah as one woman, she said.

Student Lauren Steely said the Internet sites he looked at presented lots of facts but got the dates wrong. Amy Newman, researching anti-Semitism in Europe at the time of the Black Death, brought up more than 2,000 sites on Google, "but the first 30 were useless. Just poems and songs. Then there was one story that looked like a kindergartner had written it."

"Or maybe it was a basketball player from Duke," Cooperman quipped, drawing a laugh from everybody who roots against Maryland's arch-rival.

Daniel Davis noted that several popular search engines place at the top of their lists the sources that have paid them the most money. This would be like a library prominently displaying only those books whose publishers paid for the privilege, and Davis knows it. But it doesn't stop him from using those search engines.

It only makes him, and young people like him, skeptical about information sources wherever they're found, including books.

"College students are quite aware that they can't trust what they read," says Meikle at Texas. "They're drawn to sites that are ironic or sarcastic, poking fun at perceived truths."

Not that long ago, Meikle continues, a person who wrote a book was assumed to be an authority. "Now, when anybody can have a Web site on any topic, then everybody is an expert, which means nobody is."

Cooperman says this is not necessarily a good thing for students. They "assume everyone is a liar." Shallow thinking is one result, he says. Another is the unwillingness among some students to take a strong position themselves lest they be battered by classmates for their ideas.

Students who are not urged to "touch books" often don't realize how much information is not on the Internet. According to Block, only about 15 percent of all information -- books, periodicals, government documents -- is found there. The full texts of articles from most academic journals, for example, are not online nor are most current books. Because of copyright laws, a lot of information may never make it to the Net, Block says, which is why she and other librarians worry about lawmakers who slash library budgets or propose eliminating libraries altogether, saying, "Why do we need them? Everything's on the Internet."

And so the problem feeds on itself, encouraged by legislators.

Net Gains
Even the most vocal Net critics say it has aided learning in some ways. Students no longer have to wrestle with microfilm machines or wait at the circulation desk for books placed on reserve. Instead, they wander through the information landscape. Jamie McKenzie calls them "free-range students." Philosopher John Dewey, the proponent of student-driven education, would be proud.


Allison Druin, an education professor who runs the human-computer interaction lab at Maryland, says even younger children can create something new on their own Web sites. In her laboratory, children ages 7 to 11 work with professors designing software that kids their age can use when querying the Internet.

"The Internet is a tool, but it's also something they can make an addition to," says Druin. "That's pretty powerful stuff for a kid."

"I see kids much more able to construct on their own," she continues. "They used to look at us and ask, 'What's our next step?' Now we say, 'Here's the goal, here are our resources, here's our timeline,' and they take off."

Meikle, at the University of Texas, observes the same phenomenon. His best undergraduates come up with new takes on old subjects as quickly as graduate students did years ago, he says. "I don't think you can come up with something original unless you have an array of things to look at, and the Internet certainly gives you that," he says. "It isn't collaging, it's building something new."

Book Learnin'
One would like to think that this self-confidence and creativity will produce adult citizens eager to participate in society and tackle its problems.


When Jeana Davis at Washington-Lee makes an assignment, she directs students to Web sites they might not know about but that she has already approved. If students want to use another site, they must win Davis's approval.

She requires students to use at least three books on any assignment, not including encyclopedias. She checks their work during each project, looking for originality and depth.

Cooperman at Maryland suggests books, first, to any student who asks him for help. He also offers extra credit to students who do research in the library, according to Daniel Davis, who likes getting bonus points for doing what students took for granted only a decade ago.

"Sitting in the library is a lot better than sitting on the Internet," he says, even though he's not exactly a frequent visitor to the main campus library. "If you go into the library, you have to take apart a topic and you become sort of an expert. Sitting on the Internet you don't actually learn anything."

The place he does visit, as a music major, is the performing arts library. "I can sit for hours there looking at books and things, with no particular goal in mind."

That's post-Net thinking, says McKenzie, a realization that digital is not enough, that grazing is good, but great ideas require deep reading, incubation and contemplation. He believes today's students are headed in that direction if grown-ups take seriously their assigning, as well as advising, role.

"For decades we've been doing topical research," he complains. "Schools say, 'Go find out all about Molly Pitcher.' That's an invitation to scoop it up, to write stuff they already know. We should be encouraging kids to research the difficult truth. Let's tell them a woman has been diagnosed with breast cancer and has five doctors recommending different treatments. What would they do?"

But do school systems really want students using the same tools to question current proprieties and conventional wisdom? Teach kids to be critical thinkers and they'll be sending it right back at the teacher in the classroom.

There is much to worry about.

Up to a point. Libraries have a longstanding appeal that goes beyond the antique, baby's-breath smell of books and the sense of exploration, spelunking through the stacks. Few students can get through college untouched by this experience, whether they know it or not.

"There's something in a library that makes you feel like an intellectual," said Amy Newman. "You can wear glasses, look like Dr. Cooperman. When you read, the books have such nice writing."
***********************
USA Today
S. Korean activists plan cyber attack against USA


SEOUL, South Korea (AP) -- Activists threatened on Tuesday to launch cyber attacks on the White House, U.S. Embassy and military Web sites to protest the deaths of two South Korean girls fatally struck by a U.S. armored vehicle.

The South Korean activists planned to try to incapacitate the Web servers by flooding them with a massive number of simultaneous "hits" or visits of the sites on Wednesday.

"Our aim is to temporarily shut down the servers to show our anger," said Yoon Su-keun, an organizer of the anti-U.S. protest.

Yoon said activists want an apology from President Bush and punishment for the two soldiers who were in the vehicle that struck the girls on a narrow road north of Seoul on June 13.

Anti-U.S. protests have taken place almost daily since then.

About 130 student activists, shouting "Yankee go home," rallied on Tuesday near the U.S. Embassy, demanding that the two soldiers be tried in a South Korean court.

About a dozen protesters briefly scuffled with riot police, who blocked them from entering the embassy building to deliver a protest letter. No arrests or injuries were reported.

Earlier this month, the U.S. military indicted Sgt. Mark Walker and Sgt. Fernando Nino on charges of negligent homicide for trial in a U.S. military court in South Korea. If convicted, they could face up to six years in prison.

The U.S. military had initially said it had no plan to court-martial the two soldiers. Lee Ferguson, a spokeswoman for the U.S. military command in Seoul, said enough evidence was later found to prosecute them on criminal charges.

Maj. Gen. Russel L. Honore, commander of the 2nd Infantry Division, visited the victims' parents Tuesday and said the U.S. military would build a memorial near the accident site to honor the two girls.

Walker and Nino, both from the 2nd Infantry Division, were on a training mission near the border with North Korea when their armored bridge carrier hit two 14-year-old girls on a public road. The soldiers' home towns were not released.

South Korea last week requested that the U.S. military give up jurisdiction over the two soldiers. The military has yet to respond.

Under a treaty, the military can allow South Korea to try American soldiers involved in accidents while on duty. If convicted in a South Korean court, the soldiers could face up to five years in prison.

Occasional accidents and crimes by U.S. soldiers have prompted demands from South Korean activists that Washington give Seoul more legal power in cases involving American troops. Some activists have also demanded the withdrawal of the U.S. troops.

Since the 1950-1953 Korean War, about 37,000 U.S. soldiers have been stationed in South Korea as a deterrent against the communist North.
*************************
USA Today
Digital TV deadline set


WASHINGTON (AP) -- The chairman of the House Commerce Committee has set a September deadline for agreement between the technology and entertainment industries on how to deliver the crisper pictures and interactive features of digital television.

Rep. Billy Tauzin, R-La., said Monday that congressional hearings and round-table discussions have brought some progress, but he worries that the process will drag on past Congress' 2006 deadline for digital television to reach all Americans.

"We got a lot of work done, but they simply haven't crossed the finish line," Tauzin said in an interview. "They have one last chance between now and September to close the final gaps between all the different issues that they haven't yet agreed upon. Otherwise we're going to begin the process of legislating."

Several industries, including companies that make consumer technology products like televisions and DVD players, computer makers, cable companies and television and movie companies, are contending over how to make digital TV attractive to consumers while protecting it from pirates.

Harris Miller of the Information Technology Association of America, a trade group that includes Intel and Hewlett-Packard, was skeptical of the September deadline.

"Nothing is going to get finalized in a matter of a couple of months," Miller said. "You can't simply snap your fingers and make the technical issues go away."

The various sides have agreed on one major issue, a new technology called a "broadcast flag" that would be embedded into television shows and movies. That flag could tell DVD recorders and other devices not to record those programs.

But there are many nagging questions, such as whether the broadcast flag should work with existing DVD players and computers and how to protect the right to make a copy for personal use.

The chairman of the Motion Picture Association of America, Jack Valenti, praised Tauzin's announcement.

"We are near the edge of an agreement on remaining technical aspects of the broadcast flag, and we're anxious to avoid further delay," Valenti said in a statement. "We hope to resolve these remaining matters in the very near term so that we can move forward with implementing the broadcast flag as expeditiously as possible."
*************************
BBC
Hackers could face life in jail


Malicious computer hackers could soon face life in prison for some computer crimes.

The US House of Representatives has approved a bill that inflicts harsh penalties for computer crimes that harm people or endanger America's critical infrastructure.


The same law rewrites the rules on surveillance and lets US police forces and law enforcers install wiretaps if there is an ongoing attack deemed to threaten national security.

Civil liberty groups criticised the legislation and said it trampled on rights to privacy, was hastily drawn up and punished people too severely.

Jail time

The Cyber Security Enhancement Act was endorsed by a huge majority in the US House of Representatives on Monday.

The Act was drawn up in response to a series of well-publicised attacks on high-profile websites.

Last year's attacks in New York contributed to its support by US politicians.

Earlier this year Lamar Smith, one of the Congressmen sponsoring the bill, said: "A mouse can be just as dangerous as a bullet or a bomb."

The CSEA asks for the revision of sentencing guidelines for crimes that are committed with, or by, a computer.

It calls for a maximum life sentence for those who put lives at risk by breaking into computer systems and changing them or by recklessly misusing a computer.

'Sweeping and harsh'

The Act also gives law enforcement organisations more powers to investigate hack attacks.

It lets police forces and federal investigators install wiretaps without prior approval of a court if the attack is thought to be a threat to national security or is "ongoing".

The bill also obliges net service providers to tip off the police if they notice any suspicious activity on their network.

Civil liberties groups, such as the Electronic Frontier Foundation, said the legislation was too sweeping and the penalties it invoked were too harsh.

The Act still has to go before the Senate before it becomes law and some opponents are hoping that there will not be enough time to consider it before the current political sessions end in October.
***********************
Federal Computer Week
No fear?
Bureaucratus


On May 15, President Bush signed the No FEAR Act into law. The legislation is a bipartisan measure that attempts to make federal agencies more responsible for whistle-blower and discriminatory actions.

According to the General Accounting Office, discrimination complaints by federal employees grew tremendously in the 1990s. The number of complaints to the Equal Employment Opportunity Commission in fiscal 1999 was more than double the number in 1991. GAO also reported that complaints by employees alleging retaliation for their participation in the complaint process had increased.

According to the New York Times, the No FEAR law (which stands for Notification and Federal Employee Anti-Discrimination and Retaliation) will change the way the government operates. Why? Because under this law, managers in federal agencies found guilty of discrimination will "no longer find it easy to avoid responsibility for their actions," presumably because the law requires agencies to pay for the consequences of managerial misconduct.

The No FEAR Act requires agencies to pay settlements against them in whistle-blower and discrimination cases out of their own budgets, not from a general governmentwide fund. By attacking the purse strings of offending agencies, supporters of the No FEAR Act think this provision will hold discriminators accountable for their culpable behavior.

In addition, the bill requires agencies to notify employees of their rights under various whistle-blower and anti-discrimination laws. That requirement is intended to prevent discrimination and harassment by making employees and managers aware of the rules.

The bill also requires agencies to report to Congress on the number of cases alleging intolerance, the disposition of those cases, the cost of the judgments to American taxpayers and the number of employees disciplined for discrimination, harassment or retaliation.

Though I strongly support all of the objectives of the law, I seriously doubt that anything will change as a result of its passage. Does anyone honestly believe that passing out a memo to all employees notifying them of their whistle-blower protection rights is going to change behavior within government agencies? And as for the reporting requirements, Congress already gets more reports than it can possibly handle, so how is yet another report going to help?

Another ridiculous notion is that federal agencies will be economically affected. In my opinion, any agency that encounters a shortfall because it has to foot the bill for judgments brought against it will simply ask for a supplemental appropriation. All agency officials have to do when they request such funds is explain why they need them. If the proper justification is submitted, the request is approved. There needn't be any mention of the No FEAR Act.

So will this legislation change anything? I'll bet you a cup of coffee that it doesn't.

Zall is a retired federal employee who since 1987 has written the Bureaucratus column for Federal Computer Week. He can be reached at milt.zall@xxxxxxxxxxxx
************************
Government Computer News
FAA taps Harris for telecom overhaul
By Preeti Vasishtha


The Federal Aviation Administration has awarded a five-year, $1.7 billion contract to Harris Corp. to modernize and manage the telecommunications infrastructure for air traffic control.

Under the FAA Telecommunications Infrastructure contract, the Melbourne, Fla., company will work with the agency to phase out old communications systems and replace them with a backbone provider responsible for operating and maintaining the FTI network.

If FAA exercises all options under the performance-based contract, the FTI deal could run 15 years and be worth $3.5 billion.

The backbone network will provide voice, data and video services and replace FAA-owned multiplexing and switching networks, as well as other telecom services leased from multiple providers.

"FTI is a critical element of our overall plan to modernize the national airspace system," FAA administrator Jane F. Garvey said.

FAA officials estimate that it will take five to six years for FTI to absorb the services and systems now provided under existing contracts.

The new network will support FAA, Defense Department and Coast Guard air traffic facilities, connecting 5,000 locations over 14,000 separate connections and replacing more than 30,000 circuits.

Harris bested Lockheed Martin Corp. and WorldCom Inc. to win FTI.
**************************
Government Executive
Cybersecurity checklist for federal agencies under consideration

By William New, National Journal's Technology Daily

Under a tentative agreement between members of the high-tech industry and key senators, federal agencies would be required to use a checklist for cybersecurity risk developed by the National Institute of Standards and Technology (NIST).


The agreement represents a compromise on language in a bill, S. 2182, offered by Sen. Ron Wyden, D-Ore., to increase cybersecurity research, coordinate research efforts of government, academia and industry, and educate more cybersecurity researchers in the future. S. 2182 would provide $978 million in grant funds to create research programs at NIST and the National Science Foundation.

The Wyden bill is the Senate version of the House-passed H.R. 3394, introduced by House Science Committee Chairman Sherwood Boehlert, R-N.Y. The Senate version would have to be reconciled with Boehlert's version. Senators are hopeful they can get agreement without having to go to formal conference with the House on the bill, one staffer said.

The language in question is based on a bill, S. 1900, offered by Sen. John Edwards, D-N.C., that would have required agencies to adopt benchmark security standards developed by NIST.

But several members of the tech industry, particularly the Business Software Alliance and the Information Technology Association of America, expressed concern that the standards would be overly restrictive. Both trade associations have signed off on the new version, sources said.

The modified language specifically states that NIST would develop a checklist instead of establishing benchmark standards. But this approach still will help ensure federal agencies improve cybersecurity practices, an aide to Edwards said Monday.

"It gets everyone up to speed by forcing them to look at this checklist," the Edwards aide said. "A lot of agencies lack the resources to do security checks themselves. This means NIST will do it for them."

But while agencies would have to use the checklist, the adoption of best practices included in the bill would not be mandatory, the aide noted. However, if agencies choose not to follow the NIST best practices, they would have to explain their alternative. Reporting on cybersecurity efforts is a requirement under the Government Information Security Reform Act (GISRA), which is up for renewal this year.

The Wyden-Edwards substitute amendment contains another provision different from the House version, drawing from another Edwards bill, S. 1901. The provision sets up a scholarship program to increase the number of faculty teaching cybersecurity courses at the university level, and provides funding to universities to establish online courses.
************************
News.com
More hurdles await e-government

By Margaret Kane, Staff Writer, CNET News.com
July 16, 2002, 8:30 AM PT


Federal agencies are making progress on the Bush administration's goals for electronic government, but they haven't yet cleared all the hurdles, according to the Office of Management and Budget.

Of 26 agencies reviewed, the National Science Foundation has done the best job, making "significant progress in fixing identified information security problems" and developing a plan for all of the administration's initiatives, according to the OMB review, an annual budget update sent to Congress.


The review analyzed agencies' progress on the president's management agenda, which includes a plan to expand electronic government. That initiative requires agencies to focus IT spending on "improving mission performance, reducing duplication, ensuring information security and cooperating across traditional agency" lines.

The OMB ranked agencies on both their current status and their progress toward meeting the agenda's goals. All the agencies got a "green" or "yellow" ranking on progress, indicating they were either on target for achieving their goals or had only minor problems.

But the report noted that agencies now face issues related to linking fragmented applications.

"To become fully successful in this initiative, more agencies must actively partner to simplify government processes and integrate IT investments around citizen needs," the report said.

The report also highlighted accomplishments such as the relaunch of the Firstgov portal and the debut of the GovBenefits site, which helps citizens determine their eligibility for government benefits.
************************
Earthweb
Biometrics Slow To Catch On In Networks
By Cynthia Flash

BioPay makes fingerprint security systems for retailers that cash checks. Some 200 merchants use the Herndon, Va., company's biometrics fingerprint scanners to verify a check casher's identity in an attempt to reduce fraud.

But just because BioPay sells biometrics systems doesn't mean its employees use one. BioPay has neither an external biometrics system that secures building access nor an internal system to secure access to its computer network.

"We're looking into using biometrics to open our front door," says communications manager Robyn Porter. "It's in the development stage to make sure (the) biometrics device can handle different weather. We don't use them in our office. Access to our computer system is with user name and passwords."

BioPay is not alone. Government institutions and national entry points like airports increasingly are using biometrics devices like fingerprint, iris, palm and face scanners as outside security devices that take the place of keys and key-cards. Yet few of these entities -- and even fewer large companies -- are using such technology for network security.

Despite the hype, the technology just isn't there yet.

Small Rollouts And Trials

"Biometrics is being used in physical access and covert surveillance, but we're not seeing it translate into network security," says Jackie Fenn, vice president and research fellow of emerging technologies with Gartner in Lowell, Mass. "In our client base, it's mostly trials and small departmental rollouts. They're not rolling it out to thousands of employees at this point."

Earl Perkins, senior program director, global networking strategies with META Group, Inc., in New Orleans, predicts biometrics as a network security system won't catch on until 2005. And when it does, he expects fingerprint and iris scanning technology to dominate.

"Today user-IDs and passwords are common," Perkins says. "Looking forward to the day where biometrics will be used routinely as an additional layer of security to supplement or replace passwords and user IDs is a ways away."

Today, it's still possible to fool the computers that are supposed to verify personal identification. A 2002 study by researchers at the Yokohama National University in Japan found that they could create fake fingers using materials bought at grocery or hobby stores and fool commercial fingerprint scanners. The researchers tested 11 scanners and found more than a 68% chance of acceptance of the fake fingers.

There are also cultural issues involving iris scanning. Some countries have religious or cultural prohibitions against people looking directly into the eye, Perkins says. Also unresolved is the issue of cleanliness and how close one can get to the scanner for it to work.

Perhaps most important is the issue of standards. There are no universal standards, leaving companies to wonder if the system they install today will work with tomorrow's technology.

The industry is working on standards and software companies are pushing in that direction. Microsoft, for example, has integrated biometrics interfaces into its newest operating systems. But it will take large companies years before they deploy the new systems.

Obstacles To Overcome

Before biometrics catch on as a viable form of network security, several key things must occur. Computer makers must embed scanners directly into their devices. This is starting to happen, with Acer announcing in May that its TravelMate 740 laptop will include a fingerprint image sensor.

"A key indicator that biometrics is beginning to be considered seriously is what the key PC manufacturers like Dell, IBM, HP and Compaq are doing," Perkins says.

Questions of privacy -- not only in the United States but also abroad -- must also be addressed.

"If you have a multinational company that wants to use biometrics as a strong authentication method in their company, you'll have to examine privacy laws in countries to determine whether you can store biometrics information," Perkins says. "There will have to be provisions made on a country by country basis and database by database basis to determine the rules."

Then there's the question of price. It currently costs $100 to $150 per scanner peripheral. Companies must determine if it's worth the money or whether to wait for the price to come down.

Perkins sees biometrics as network security being used in conjunction with smart card technology rather than as a stand-alone system. Individuals could store all of their personal information on a smart card. Then they would need to scan their fingerprint into that card to access that information.

"If the card can be locked or unlocked with biometrics, not only would you have an encrypted key in the card that defined access, you would have a way to unlock that key through biometrics," he says.

Look to the financial services -- companies like BioPay and more traditional financial institutions -- and health care industries to take the lead.

Any company considering jumping out front in this area should be aware of what they're getting into, Fenn says.

"Make sure you know what your motivation is. It can work. There are certain advantages, but these are early days," he says. "It's changing. There are not huge established vendors in the fragmented marketplace. It's high-risk, and you need a tactical reason for taking it. Make sure you know why you're moving to that solution."

Freelance writer Cynthia Flash covers business and technology from Bellevue, Wash. She can be reached at cynthia@xxxxxxxxxxxxxxxxxxxxxxx
**********************
Earthweb
Internal Security Breaches More Damaging
By Drew Robb


Medieval kings knew exactly how to ensure security. Just build a big stone wall around the city, surround that with a moat and make everyone enter over a guarded drawbridge.

It used to be that simple for IT managers as well. Only a select few had access to the data center and intruders were unlikely to know how to do any harm even if they did pick the locks.

But that is no longer the case for either physical or data security. The nation has 12,248 miles of porous overland borders, another 20,000 miles of coastline and thousands of planes landing from overseas. And, while trillions of dollars in defense spending have protected the country from external threats for the last 60 years, the two biggest attacks -- those on the Oklahoma City Federal Building and the World Trade Center -- came from within our borders.

Computer security similarly must take care of threats both from within the company and without. The seventh annual Computer Crime and Security Survey released in April by the Computer Security Institute (CSI) and the FBI's Computer Intrusion Squad in San Francisco found that 90% of respondents had detected computer security breaches. The losses are staggering. The 223 survey respondents willing to quantify their losses reported total damage at over $455 million.

And that's just the tip of the iceberg. The CERT Coordination Center at Carnegie Mellon University in Pittsburgh received more than 52,000 security incident reports last year, more than double the previous year. Some estimate total losses worldwide may top $100 billion annually. According to Dave McCurdy, executive director of the Arlington, Va.-based Internet Security Alliance (www.isalliance.org), three attacks -- Code Red, SirCam and Love Bug -- cost corporations more than $13 billion.

Within These Walls

While external attacks are serious enough, the threat posed by one's own employees can often be much worse. "An external attacker is not motivated to do much damage, doesn't know what to look for and is more likely to stumble into an intrusion detection system," explains Marcus J. Ranum, chief technology officer of NFR Security, Inc. "The attacks that hurt are from a disgruntled employee who is motivated to come after you."

In the CSI survey mentioned above, for example, one-third of respondents said their internal systems were a frequent point of attack. Another study of 146 companies by Activis, a security company based in Reading, England, paints a grimmer picture: 81% of security breaches originated internally, another 13% came from ex-employees and 6% from external hackers. It's these disgruntled current or former employees who steal trade secrets, sell employee lists to headhunters or plant "time bombs" to bring down the network months after they leave.

In addition to deliberate attacks, employees can compromise a system inadvertently. Seventy-eight percent of the respondents in the CSI survey reported employee abuse of Internet access privileges such as downloading pornography or pirated software. While this represents an improper use of company time and resources, it exposes the company to huge fines from the Business Software Alliance (BSA) (www.bsa.org), a group formed by the likes of Microsoft, Adobe and Autodesk to stem the billions of dollars lost through piracy. To date, the BSA has collected more than $70 million in penalties, in addition to requiring the offending companies to get up to date in license fees.

Keeping Guard

While the security or license non-compliance threats posed by employees seem quite different, both can benefit from tighter software management. While automated tools that inventory hardware/software and monitor licensing have been with us for some time, a new breed has evolved that adds remote deployment of software and updates. Updates/upgrades, in particular, are a thorny problem for IT. Their neglect leaves the drawbridge wide open to would-be snoopers.

Interestingly, 99% of all attacks come from known vulnerabilities. Though these attacks are readily preventable, IT personnel are typically too overloaded to keep pace with the traffic. The sheer volume of OS updates, application upgrades and security patches means that IT rarely makes timely server updates, never mind plugging up gaping security holes at every desktop throughout the enterprise. Despite knowing about the threat, the time involved in manual updates makes it impossible for IT to keep up.

"Managing software licenses and updates is a serious problem for administrators," said Paul Mason, group vice president of Infrastructure Software Research at IDC. "Any tool that can automate software inventory management and keep the technology current and performing these actions remotely will save companies enormous amounts of money."

Software vendors have developed a variety of approaches to this problem. Oftentimes, these come packaged within a larger systems or desktop management suite. For mid-sized Windows shops, for example, Microsoft System Management Server 2.0 (SMS) offers a relatively low-cost method of desktop/systems management that includes inventory and deployment capabilities. Its main strength lies in creating application packages for remote installation. At the same time, however, it has a reputation for complexity, and you have to first manually install SMS agents on every server and workstation before it affords you any remote deployment functionality.

Other possible desktop management packages that come with deployment and asset management functions include Novadigm, Inc.'s Radia, Intel's LANDesk and Marimba, Inc.'s Change Management suite.

Alternatively, those enterprises already utilizing a management framework have the option of buying additional modules for inventory and deployment: IBM's Tivoli Configuration Manager, Hewlett-Packard Co.'s OpenView Software Distributor, or Computer Associates, Inc.'s Unicenter TNG Asset Management and Software Deployment Options.

As most of the above products, however, go beyond licensing/deployment/inventory and get into such functions as remote help desk and overall systems management, they can be expensive and often entail substantial consultant/vendor fees for installation, configuration, and maintenance.

For an immediate and simple response to the threats posed by lax software management, specialized inventory/deployment tools offer a less expensive and easy-to-deploy option. Sitekeeper by Executive Software, Inc., for example, is designed for Windows networks (NT 4.0 or higher). It takes about an hour to download, install and configure for the network.

Unlike SMS, which requires manual agent installation, this tool does everything from a single workstation or server, with no need to walk from client to client to install the software. Sitekeeper automatically inventories all hardware and software, creating a directory tree interface. Administrators can run reports to determine which machines need updates. It takes a few clicks to deploy patches or virus signatures on all machines.

Just Do It

Whichever approach one decides to take to the software management problem, the essential action is actually to just do it. There is no excuse for being hit with a $150,000 fine from the BSA because you failed to spot illegal software downloaded by employees. Nor is there any excuse for leaving security holes exposed when patches have been made available by vendors and can be remotely deployed in minutes.

So which of the above options is right for you? Favor those that offer simplicity of operation, rapid install and as little work as possible for the IT department. With the current budget crunch, IT is being told to do even more with much less. Therefore, there is no point in choosing a tool which will only add to the workload or that will require a time-consuming implementation period.

But whatever tool you choose, install it fast and put it to work policing internal software usage, catching piracy, tracking licensing, and rapidly pushing updates out to all nodes in order to minimize the risk of attack from without or within.
****************************


Lillie Coney
Public Policy Coordinator
U.S. Association for Computing Machinery
Suite 510
2120 L Street, NW
Washington, D.C. 20037
202-478-6124
lillie.coney@xxxxxxx