Clips July 15, 2002
- To: "Lillie Coney":;, Gene Spafford <spaf@xxxxxxxxxxxxxxxxx>;, Jeff Grove <jeff_grove@xxxxxxx>;, goodman@xxxxxxxxxxxxx;, David Farber <dave@xxxxxxxxxx>;, CSSP <cssp@xxxxxxx>;, glee@xxxxxxxxxxxxx;, John White <white@xxxxxxxxxx>;, Andrew Grosso<Agrosso@xxxxxxxxxxxxxxxx>;, computer_security_day@xxxxxxx;, ver@xxxxxxxxx;, lillie.coney@xxxxxxx;, v_gold@xxxxxxx;, harsha@xxxxxxx;, KathrynKL@xxxxxxx;, akuadc@xxxxxxxxxxx;
- Subject: Clips July 15, 2002
- From: Lillie Coney <lillie.coney@xxxxxxx>
- Date: Mon, 15 Jul 2002 16:56:11 -0400
ARTICLES
Higher tobacco taxes encourage smuggling
Study: Bush Security Plan Risky
Cyberterror test checks connections
OMB may freeze homeland projects
Online Bets Are Becoming Harder to Collect
E-Tailers Wary of Credit Card Fraud
Blue Ridge team nabs pedophiles
China Internet Portals Sign Pact
Judge Bars Firm From Deploying Unauthorized Pop-up Ads
Hacker Group Targets Countries That Censor Internet
Many college students can't pass up free music
High-Tech Strategy Guides Pentagon Plan
Spam attacks growing
Hackers Raise Hell in Name of Security
DOJ strategic tech plan spells out major change
OMB updates security guidelines
Tech firms could get homeland coverage
Security regs drive shipping firms online
Feds get carded
DOD demands faster, better cyber intell
New reasons to get thin-client computing
OMB gives agency e-gov work a passing grade
White House position on FOIA exemption attracts critics
New specs released for wireless speech, text delivery
***************************
Associated Press
Higher tobacco taxes encourage smuggling
NEW YORK -- As state after deficit-ridden state ratchets up cigarette
taxes, authorities are bracing for some unwelcome consequences in the form
of more aggressive smuggling and bolder use of the Internet as a
tax-evading tobacco shop.
Never before have so many states (17 this year alone) approved
cigarette-tax increases in such a short time. Anti-smoking advocates call
it a win-win situation, enabling states to reduce smoking and budget
deficits simultaneously.
In many legislatures, even tax-averse conservatives have supported
the increases, expected to generate $2.2 billion annually in new
revenue, as budget woes and anti-smoking militancy transform cigarette
buyers into America's easiest-to-tax constituency.
With prices as high as $7 a pack in New York City, and more than $4
in many states, some smokers are trying harder than ever to quit. Those
unwilling or unable to kick the habit are left with several options, legal,
quasi-legal and illegal, for getting a nicotine hit without a tax hit.
Those who choose the illegal route often are successful. The Bureau
of Alcohol, Tobacco and Firearms estimates state and federal authorities
lose more than $1.5 billion annually in evaded cigarette taxes.
The ATF concentrates on major interstate smuggling operations
involving at least 60,000 cigarettes. The workload has increased steadily
in recent years; ATF now has about 150 active cigarette-smuggling cases.
"There's no question some large-scale organized crime gangs are
involved," said ATF spokesman John D'Angelo. "Not only are these criminals
depriving state and federal governments of tax revenue, they're using their
profits for other criminal activity."
The primary sources of smuggled cigarettes are tobacco-growing states
with low taxes: for example, Virginia, whose tax of 2½ cents per pack is
the lowest in the nation, and Kentucky, whose tax is 3 cents per pack.
In Ohio, where the tax recently rose 31 cents per pack, officials
plan to monitor the Kentucky border for smugglers, and police are being
trained to check for Ohio tax stamps on packs sold at stores. A carton of
name-brand cigarettes in Ohio costs about $40, compared with about $25 in
Kentucky.
In Maryland, where the tax rose to $1 per pack in June, authorities
are on alert for more smuggling from Virginia. Maryland had only five
arrests for cigarette smuggling in 1997, but more than 50 so far this year.
The Internet thus far accounts for only a small fraction of cigarette
sales, but it may pose a bigger long-term threat to tax collectors than
smuggling. The hefty tax increases may prompt more smokers to order in bulk
from online merchants, who in turn may resist state efforts to collect taxes.
Under federal law, online cigarette vendors are required to report
the names and addresses of out-of-state customers, but the law is widely
flouted.
"Most vendors aren't turning over their customer list, so the
Internet is becoming a hotbed of tax evasion," said Kurt Ribisl, a
professor at the University of North Carolina School of Public Health.
Mr. Ribisl oversaw a study this year that identified 195 Internet
cigarette vendors, up from 88 a year earlier. He said most advertise
low-tax cigarettes and indicate they won't report to any authorities.
"We're definitely unprepared right now. We don't have the tools to
get the states their proper revenue," he said. "You need federal
legislation, because a patchwork approach from individual states is going
to bog down."
In Congress, Rep. Martin T. Meehan, Massachusetts Democrat, is
leading an effort to tighten regulation of Internet cigarette sales. Mr.
Meehan's chief of staff, Bill McCann, predicted bipartisan legislation
would be drafted this year aimed at enforcing existing requirements that
Internet merchants block sales to minors and report out-of-state buyers.
Some states already are sending tax bills to smokers who patronized
the Internet.
"They've thumbed their noses at us," said Gene Gavin, Connecticut's
tax commissioner, "and they're right, because we don't do anything."
One legal complication is that many of the Internet sites are run by
American Indians. Sales of cigarettes on Indian reservations are exempt
from state and local taxes, and some Indian merchants contend their
Internet sales also should be tax-exempt.
Larry Ballagh, a Seneca Indian from upstate New York, sells tax-free
cigarettes over the Internet. "Adults who have been smoking for a number of
years, they're not going to quit smoking," he said. "But they will shop
around."
Tom Ryan, a spokesman for Philip Morris USA, said the tobacco company
supports a crackdown on tax evasion. "The people really hurt by all this
are the retailers who are doing business legitimately," he said. "Jobs are
on the line."
John Singleton, a spokesman for R.J. Reynolds Tobacco Co., questioned
whether law enforcement agencies, stretched thin by anti-terrorism duties
and tight budgets, have the resources to combat cigarette smuggling.
"It's extremely profitable for those willing to break the law to
drive to a low-tax state, load up a van, drive to a state with high taxes
and sell them out of the back of a truck," he said.
Cigarette taxes can be a reliable revenue source for states if the
taxes are "reasonable," Mr. Singleton said, "but with taxes at what a lot
of smokers view as an unreasonable level, the states aren't going to get
the revenues they're projecting and will find themselves with increasingly
hard-to-enforce legal problems."
*************************
Washington Post
Study: Bush Security Plan Risky
Proposed Homeland Dept. Is Too Large, Report Says
By Bill Miller
Sunday, July 14, 2002; Page A05
President Bush's proposal to create a Department of Homeland Security
"merges too many different activities into a single department" and should
be significantly scaled back if it is to have any chance of success,
according to an independent study.
The Brookings Institution, a Washington think tank, urged Congress to move
cautiously as it considers the White House proposal to merge all or parts
of 22 agencies into a department with a $38 billion budget and
approximately 170,000 employees. Its report comes as Congress is moving at
an unusually fast pace to act on the reorganization, with the House and
Senate preparing separate versions of a bill for votes late this month.
"The question is no longer whether to reorganize but how and to what
extent," the report contended. "Congress is clearly moving toward creation
of a new department, but it can still choose what kind of department -- how
large and how comprehensive."
Building such a massive department has many risks, the report warned.
"The danger is that top managers will be preoccupied for months, if not
years, with getting the reorganization right -- thus giving insufficient
attention to their real job: taking concrete action to counter the
terrorist threat at home," the report said.
The study, conducted by a team of veteran policy analysts, recommended that
the White House plan be stripped down to focus on border and transportation
security, intelligence analysis and protection for the nation's critical
infrastructure. It called for leaving the Federal Emergency Management
Agency out of the department and keeping biological research under the
control of the Department of Health and Human Services.
FEMA responds to natural and man-made disasters and functions well as a
free-standing agency, the report said.
According to the Brookings team, the core elements of a new department
should be the Coast Guard, the Customs Service, the Immigration and
Naturalization Service and the Transportation Security Administration. All
are part of Bush's plan.
The study also recommended that a Homeland Security Department should have
more access to raw intelligence information than the White House is
seeking. Instead of creating a center that receives and analyzes
information gathered by the CIA, the FBI and other agencies, the new
department should take over an FBI unit that specializes in terror-related
intelligence analysis, the report said.
The report was prepared by an eight-member Brookings team that included Ivo
H. Daalder, senior fellow in foreign policy studies; Paul C. Light, vice
president and director of governmental studies; James B. Steinberg, vice
president and director of foreign policy studies; and James Lindsay, senior
fellow in foreign policy studies.
Their recommendations mirror some of the changes proposed by congressional
committees and critics in recent weeks. Last week, numerous House
committees recommended revisions to the president's plan that included
leaving the Coast Guard and FEMA out of the department and strengthening
civil service, union and whistle-blower protections for workers who would
staff the agency.
Those recommendations were forwarded to the House Select Committee on
Homeland Security, a specially created nine-member panel that will prepare
a House version of the bill for floor debate. The committee, led by
Majority Leader Richard K. Armey (R-Tex.), is scheduled to hold a series of
hearings this week, starting Monday with testimony from Homeland Security
Director Tom Ridge.
The committee plans to complete its work by Friday and forward a bill for
debate on the House floor during the week of July 22.
In the Senate, the Governmental Affairs Committee, headed by Sen. Joseph I.
Lieberman (D-Conn.), plans to draft a version of the bill at a hearing set
for July 24. The full Senate will consider it before lawmakers begin a
month-long recess Aug. 2.
Many congressional leaders are pushing to approve a final version of the
homeland security bill by the one-year anniversary of the Sept. 11 attacks,
though some lawmakers have grumbled about the rapid pace of deliberations.
The tight time frame, the Brookings scholars said, is another reason to
scale back the White House plan. Other agencies could be merged into the
department after more extensive consideration, they said.
***********************
Federal Computer Week
Cyberterror test checks connections
For the first time ever, federal, state and local government officials are
partnering with representatives from the private sector and the utilities
community in an exercise designed to identify the links between them in
responding to and defending against cyberterror.
Operation Dark Screen, the brainchild of Rep. Ciro Rodriguez (D-Texas), is
a three-phase exercise that will help all the players involved better
understand their roles in preparing for, recovering from, and protecting
the nation's critical infrastructure in case of a cyberattack.
"A lot of people think about chemical, biological and nuclear attacks, but
very few people think about the cyber," Rodriguez said. "Anyone that is
going to hit us, it's going to be a combination of those."
The program's first phase will be a tabletop exercise in September, where a
yet-to-be-determined cyberattack will be played out and all participants
will respond, said Gregory White, technical director for the Center for
Infrastructure Assurance and Security (CIAS) at the University of Texas at
San Antonio, which is leading the planning and execution of Operation Dark
Screen.
The Air Force Air Intelligence Agency, Lackland Air Force Base, Texas, has
assumed a leadership role in bringing together the various stakeholders,
which include representatives from San Antonio, Bexar County, the Army, the
Air Force, the state attorney general's office, the FBI, the private sector
and many others, Rodriguez said.
The second phase of Dark Screen will focus on implementing the "lessons
learned" from the tabletop exercise, and the third phase, which will take
place in May 2003, will be a live exercise and include actual attempts to
penetrate networks, White said.
"We can do it on paper, but by bringing everybody together at one time, we
can see who is prepared to do that," White said, adding that so far
participants have paid their own way through the planning stages, but
attempts to secure federal and private funding are ongoing.
*********************
Federal Computer Week
OMB may freeze homeland projects
The Office of Management and Budget may freeze funds for information
technology projects at agencies slated to join the proposed Homeland
Security Department.
Officials aim to save money by identifying redundant plans for core IT
systems and networks at the nearly two dozen agencies folding into the new
department.
"If we do this smartly, this will create some savings through
consolidations," Mark Forman, OMB's associate director for IT and
e-government, told Federal Computer Week.
Officials expect to release an initial IT architecture framework for the
department this week, along with guidance for the affected agencies, Forman
said.
The consolidation outlined in the framework could save hundreds of millions
of dollars, OMB Director Mitchell Daniels Jr., said at a July 12 press
briefing.
The new department must have the best possible communications, and all of
the pieces of the department need to be on one network, he said.
The Transportation Security Administration may find its key project
jeopardized for other reasons. Funding for TSA's planned $1.4 billion IT
infrastructure procurement is held up in Congress, which may force the
agency to postpone the contract award, Daniels said.
"I am concerned," Forman said, because employees need at least a basic IT
infrastructure to function.
*************************
New York Times
Online Bets Are Becoming Harder to Collect
By MATT RICHTEL
Online casinos are finding it ever more difficult to cash out.
Indeed, these Web sites are likely to feel an indirect, but not
insignificant, impact from the announcement last week that the online
auctioneer eBay intends to acquire PayPal, a system people use to make
payments over the Internet.
Among the merchants that rely heavily on PayPal are online casinos; as much
as one-twentieth of all online gambling transactions are processed by the
company, according to Christiansen Capital Advisers, a market research
firm. But not much longer: eBay, citing the murky regulatory and legal
issues involved in online gambling, said it would disallow use of PayPal
for gambling if and when its acquisition closed.
The announcement comes as online casinos are struggling to find ways to
handle payments in light of the decision by many banks to prevent the use
of their credit cards for online gambling. It also comes as PayPal,
according to company officials, was subpoenaed by the New York attorney
general's office about use of its service for gambling.
The move to limit credit card payments caused the Christiansen group
earlier this year to lower 2002 revenue projections for the online gambling
industry to $3 billion, from $3.5 billion. The problem has forced some
casinos to close, and others may follow, analysts say.
Now it is a matter of debate how much more the industry could suffer with
the apparent departure of PayPal, based in Mountain View, Calif.
Some casino operators say the difference will be substantial, though the
Christiansen group did not further lower its industry projections after the
PayPal announcement.
"It's going to be a short-term impact, but it's just going to be another
hiccup," said Sue Schneider, chairwoman of the Interactive Gaming Council,
an industry trade group. She said the casinos were now accustomed to
scrambling for new payment sources, and several were emerging, including
the increasing use of online debit and online A.T.M. cards.
Indeed, the other indirect impact of the eBay deal is an increase in the
effort to find alternative payment systems, said Sebastian Sinclair, an
analyst with Christiansen.
Mr. Sinclair said that during the last year he received virtually no
business plans for new online casinos but more than 100 business plans from
people looking to find a way around the payment problem. "The opportunity
to create the better payment mousetrap is just huge," he said.
*************************
New York Times
E-Tailers Wary of Credit Card Fraud
AMERICAN e-commerce companies that believed the World Wide Web translated
to a planet full of potential customers are finding their businesses to be
much more provincial these days. Online merchants have been quietly cutting
back on sales to foreign customers, rather than expose themselves further
to credit card and shipping fraud.
"In some cases companies are saying 'forget it, it's not a big enough
business for me to be worried about,'" said H. Robert Wientzen, the chief
executive of the Direct Marketing Association, a trade group representing
mass mailers, catalog sellers and Internet merchants. Mr. Wientzen says
that decision, while often necessary, is costly. "There are companies that
could be eliminating 1 to 2 percent of sales by not operating in some
fairly big foreign markets," he said, "and that's a lot of money."
CD Universe, an online music, movies and games retailer, is among the Web
sites that have scaled back their overseas businesses. According to the
company's chief executive, Charles Beilman, the Web site has stopped
sending orders to Romania, Bulgaria and Indonesia, among others, because of
the high rate of credit card fraud he has encountered with customers from
those countries.
"It's unfortunate," Mr. Beilman said. "I'm sure we had a handful of
legitimate customers in Romania," he said. "But when eight out of every 10
orders are frauds, I just can't keep doing it."
That is because Mr. Beilman and other online merchants end up paying the
bill for so-called charge backs, which are passed along to e-tailers by
credit card companies when legitimate card holders report that fraudulent
purchases have been made on their monthly statements.
Mr. Beilman said he believed "it is the norm" for CD retailers and other
sellers of compact, but valuable merchandise, to turn away customers from
some foreign countries.
Buy.com is another example. According to Brent Rusick, the company's chief
operating officer, Buy.com stopped shipping to all but 25 foreign nations
in March and implemented stiff rules for customers on the list of 25,
chiefly because of fraud concerns.
Countries that did not make the list include all those in Eastern Europe
and the former Soviet republics, as well as Indonesia, the Koreas and
China. Some of the nations on the authorized list include Britain, France,
Taiwan, Japan and Australia.
"We're extremely conservative about our export business," Mr. Rusick said.
He noted that international customers must spend $500 or more on goods, and
they cannot use their credit cards to order merchandise. Rather, they must
wire money to Buy.com before the company will ship their orders.
Mr. Rusick said the company did not accept credit cards on overseas orders
because foreign credit card issuers do not have address verification
systems. "So we can't verify that, yes, indeed, the person making the order
matches the information the bank has on them," he said.
Credit card issuers in this country are using verification codes that are
typically printed, not embossed, on the cards, and which help merchants
determine if the customer is actually holding the credit card, not just a
card number they have stolen.
But that system will not be available in Europe "for another couple of
years," Mr. Rusick said, leaving merchants like him staring at foregone
revenues, which he admits could be substantial. Right now, he said,
revenues from exports "are not a significant piece of our business."
"There's certainly a lot of business out there that's available, but
there's also a lot of risk, too," Mr. Rusick said. "I want to go after that
business, but I've got to go after it very cautiously."
Other online retailers, like Bertelsmann's CDNow, will take orders and ship
them to nearly all foreign countries. But when orders come from countries
with historically high fraud levels, the company sends the orders to its
security department for additional fraud screening. According to Melinda
Meals, a company spokeswoman, about 8 percent of its orders are sent to
this next level of screening, of which 88 percent are eventually approved
for shipment.
While acknowledging that the additional screening reduces the profitability
of those orders, Ms. Meals said it was not a big enough bite to make the
company reconsider its shipping policies for those countries. "It affects
such a small percentage of the orders that it doesn't really affect CDNow
financially," Ms. Meals said.
As to whether non-governmental shippers like United Parcel Service or FedEx
might offer shipping alternatives, Ms. Meals said the shipping fees would
probably be cost-prohibitive for customers.
Mr. Wientzen, of the Direct Marketing Association, said he believed
shipping fraud represented a bigger obstacle to the growth of foreign sales
than credit card fraud. "Government officials in some eastern European
countries have acknowledged concerns ensuring packages will get delivered,"
Mr. Wientzen said.
Mr. Wientzen declined to name those countries specifically, but said he
recently visited Moscow's postmaster general, "who was pretty straight with
some of the concerns they had." Still, Mr. Wientzen said he left the
meeting quite pleased with the position Russian officials had taken, on
their plans to eradicate shipping fraud.
Ms. Meals, of CDNow, says her company will not ship to customers in
Lithuania and Iran because CDNow cannot guarantee the packages will reach
the customer. She would not speculate on whether that was because of theft
within the postal services of those nations or whether those postal
services might deem certain types of music illegal.
John Flick, a spokesman for United Parcel Service's international division,
agreed that shipping charges may represent a problem for customers. "The
biggest problem is with the customers," he said.
Foreign customers who find a Patsy Cline CD on sale for $9 from a Web site
in the United States might find that U.P.S. must collect another $40 in
taxes and tariffs at the door, Mr. Flick said. In other cases, the goods
can be barred because of illegal labels or content. "It's the old 'don't
shoot the messenger' situation, literally," he said.
United Parcel Service is trying to develop technology that would allow
customers and the Web sites they do business with to determine which goods
are allowed in which countries, and the total costs of shipping, Mr. Flick
said. But that is a monumental task, given that the import policies of the
roughly 200 countries it delivers in are in nearly constant flux.
"We were an Olympic sponsor in the 90's, and we came up with envelopes with
athletes on them," Mr. Flick said. "We had to cover them up, because they
had pictures of women track stars leaping over hurdles, and that wasn't
accepted in Muslim countries. When you're getting into this, there is no
universal template."
****************************
Washington Times
Blue Ridge team nabs pedophiles
Jerry Seper
BEDFORD, Va. -- Sheriff's Lt. Mike Harmony is often mistaken for a
13-year-old girl. It's an unlikely description for the veteran law
enforcement officer and former military policeman, but then, he works on it.
And the hundreds of suspected pedophiles nationwide who have sought
to "date" him after a chat on the Internet could tell you that he's very
good at his job.
Lt. Harmony is a key member of what Bedford County Sheriff Michael
Brown calls "Operation Blue Ridge Thunder," a unique law enforcement
cyber-program aimed at catching and prosecuting sexual predators who
troll the Internet for young boys and girls.
He and other Blue Ridge Thunder task force members diligently work
through the 100,000 Web sites as well as countless chatrooms and message
boards devoted to child pornography. The team searches for predators by
focusing on what the experts refer to as a "traveler," someone willing to
cross state lines to have sexual relations with a child.
"I've seen just about everything there is to see regarding man's
inhumanity to man, but that pales in comparison to what they're doing to
the kids," said Sheriff Brown, a retired Treasury Department senior special
agent who was elected Bedford County's top law enforcement officer in 1996.
"The exploitation of children on the Internet is a huge and growing
problem. The public just doesn't realize how bad it is," he said. "I
discovered that our people had the ability to do something about it, and we
went after it."
Operating out of a donated log cabin in this rural Virginia
community, Blue Ridge Thunder is one of the nation's more successful law
enforcement programs in what has become a newly-declared war against
cyber-predators.
Since 1998, when the program began, the task force has arrested 38
sexual predators in Virginia, with a 100 percent conviction rate. Even more
amazingly, the task force has made 600 criminal referrals to other
jurisdictions nationwide, all with enough evidence for police in those
jurisdictions to make arrests and prosecute the suspects.
"The Internet has a dark side, and it's getting darker," said Lt.
Harmony. "How many children have we saved, I don't know, but we think we
have saved some."
Blue Ridge Thunder's reason for being is a 1998 investigation by the
Sheriff's Department involving a 13-year-old Forest, Va., girl who
discovered that her former boyfriend had put her face on the body of a
naked woman and posted it online.
The site included the girl's telephone number and home address, which
attracted calls from a Florida child pornographer who wanted the girl to
come to that state to make a movie. He reminded the girl he knew where she
lived and told her he would hurt her and her family if she refused. The
girl's mother called for help after reading in her daughter's diary about
the threats and fearing for her safety.
"The Internet was very new to me at that time, and I just didn't
believe what I was seeing. I was stunned," said Sheriff Brown. "We
discovered some of the most horrible images you can imagine: kids as young
as 18 months being sexually abused. It'll tear your heart out.
"Even after you see it, it's hard to fathom that this is going on
today," he said. "But I knew we had to do something about it."
Sheriff Brown immediately assigned deputies to investigate the case
and other incidents of child pornography he had discovered on the Internet.
Some Bedford County deputies even worked on the cases during their off-time.
Although no charges were filed in the Florida case, within three
months Sheriff Brown's office had gathered enough evidence to arrest
several pornographers locally and across the country. The investigation had
so stirred the sheriff that he immediately sought help in funding a
full-time effort at targeting Internet sexual predators.
It was at that point he turned to the Justice Department in
Washington, and with the help of a grant proposal painstakingly put
together by the sheriff and several deputies (including Sgt. Sergio
Kopelev, who has since left the department for law school in
California), Bedford County was one of just 10 law enforcement agencies
nationwide to win a $200,000 grant from the Justice Department's Office of
Juvenile Justice and Delinquency Prevention.
The grant was part of the $2.4 million "Internet Crimes Against
Children" program. Bedford County, with 68 employees at the time, was the
smallest agency to receive grant funds; the next in line had 1,500
employees.
"I knew we had the quality of people who could do this, and they had
the desire to get it done," Sheriff Brown said.
The Blue Ridge Thunder task force got its name from the powerful
storms that sweep through the nearby Blue Ridge Mountains and across
Bedford County. It was a metaphor for what Sheriff Brown said was going to
be an effort to "hit these pedophiles, child pornographers and molesters as
hard as we could."
The task force made headlines in 1999 when it arrested a top aide to
former West Virginia Gov. Gaston Caperton. The aide, Tom Rice, then 59, had
driven to Bedford to meet a "boy," actually a deputy, with whom he had
chatted online.
Also in 1999, a North Carolina man known on the Web as "DrEvil" drove
from Charlottesville to Bedford to meet a young girl, actually another
deputy, for sex. When police arrested the man, identified as Ray Cannup,
they found an ax handle, paring knife and duct tape in his truck. Both men
have been sentenced to prison.
With an ongoing string of convictions and referrals, Sheriff Brown
has pledged to continue the task force locally despite pending cuts in
federal funding.
"Mike Brown will find a way to keep this program going," said Lt.
Harmony. "He believes it's everyone's job to protect these children. And I
assure you, he'll be knocking on whatever doors it takes to see that the
program continues."
Like Lt. Harmony, the Bedford County deputies who play roles in the
effort to catch perverts have heard what Sheriff Brown called a long list
of "sick rhetoric." Many of the cyber-criminals ask the young "boys and
girls" to whom they think they are talking for photos, preferably
nudes, and boast of other sexual conquests.
One man sent a picture of his genitals.
"Surprised at what I have seen? Never. Every day I see something vile
and disgusting, and while I thought I was well-versed in the ways of the
world, I am overwhelmed," said Lt. Harmony. "But these are our children and
they need to be protected."
************************
Reuters
Hacker Group Targets Countries That Censor Internet
Sun Jul 14, 5:18 PM ET
By Eric Auchard
NEW YORK (Reuters) - Some of the world's best-known hackers unveiled a plan
this weekend to offer free software to promote anonymous Web surfing in
countries where the Internet is censored, especially China and Middle
Eastern nations.
An international hacker group calling itself Hactivismo released a program
on Saturday called Camera/Shy that allows Internet users to conceal
messages inside photos posted on the Web, bypassing most known police
monitoring methods.
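The article says only that Camera/Shy conceals messages inside photos; it does not describe the method. The following is an added illustration, not Hactivismo's code, of the general least-significant-bit (LSB) technique that image steganography tools commonly rely on: each payload bit replaces the lowest bit of one colour channel byte, so every byte of the carrier changes by at most one. The carrier image, the `STEG` marker and the length-prefixed frame are all constructed here for the example.

```python
# Added example: LSB image steganography on an in-memory RGB byte buffer.
# Not Camera/Shy's code; the carrier image and framing are constructed here.
from typing import Optional

MAGIC = b"STEG"          # constructed marker so the extractor can reject plain images
HEADER_BITS = 8 * (len(MAGIC) + 4)   # marker plus 4-byte big-endian payload length


def make_carrier(width: int, height: int) -> bytearray:
    """Construct a synthetic 8-bit RGB gradient image (3 bytes per pixel)."""
    pixels = bytearray()
    for y in range(height):
        for x in range(width):
            pixels += bytes(((x * 7) & 0xFF, (y * 13) & 0xFF, ((x + y) * 3) & 0xFF))
    return pixels


def capacity_bytes(carrier: bytes) -> int:
    """Payload bytes that fit: one bit per channel byte, minus the 8-byte header."""
    return len(carrier) // 8 - (HEADER_BITS // 8)


def embed(carrier: bytes, message: bytes) -> bytearray:
    """Return a copy of the carrier whose LSBs carry MAGIC + length + message."""
    frame = MAGIC + len(message).to_bytes(4, "big") + message
    if len(frame) * 8 > len(carrier):
        raise ValueError(
            f"payload of {len(message)} bytes exceeds capacity of "
            f"{capacity_bytes(carrier)} bytes")
    out = bytearray(carrier)
    bit_index = 0
    for byte in frame:
        for shift in range(7, -1, -1):       # most significant bit first
            bit = (byte >> shift) & 1
            out[bit_index] = (out[bit_index] & 0xFE) | bit   # clear LSB, set to payload bit
            bit_index += 1
    return out


def _read_lsb_bytes(stego: bytes, start_bit: int, nbytes: int) -> bytes:
    """Reassemble nbytes from the LSBs starting at channel byte start_bit."""
    out = bytearray()
    for i in range(nbytes):
        value = 0
        for j in range(8):
            value = (value << 1) | (stego[start_bit + i * 8 + j] & 1)
        out.append(value)
    return bytes(out)


def extract(stego: bytes) -> Optional[bytes]:
    """Return the hidden message, or None if no valid frame is present."""
    if len(stego) < HEADER_BITS:
        return None
    if _read_lsb_bytes(stego, 0, len(MAGIC)) != MAGIC:
        return None
    length = int.from_bytes(_read_lsb_bytes(stego, 8 * len(MAGIC), 4), "big")
    if HEADER_BITS + length * 8 > len(stego):
        return None                          # truncated or corrupted frame
    return _read_lsb_bytes(stego, HEADER_BITS, length)


def max_channel_delta(a: bytes, b: bytes) -> int:
    """Largest per-byte change between two images of equal size."""
    return max(abs(x - y) for x, y in zip(a, b))


if __name__ == "__main__":
    carrier = make_carrier(32, 32)          # 3072 channel bytes
    stego = embed(carrier, b"hello")
    print("capacity:", capacity_bytes(carrier), "bytes")
    print("recovered:", extract(stego))
    print("max change per channel byte:", max_channel_delta(carrier, stego))
```

Two properties matter to a defender reviewing this kind of tool: the carrier changes by at most one level per channel, so the hidden data is invisible to the eye but sits entirely in the LSB plane, where statistical tests look for it; and the payload survives only lossless handling, since any re-encoding that alters pixel values (lossy compression, resizing) destroys the frame, which is why `extract` returns `None` rather than garbage when the marker is missing.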
In addition, "Mixter," an internationally known German hacker, said
Hactivismo was preparing in coming weeks to launch technology, which if
adopted widely could allow anyone to create grassroots, anonymous networks
where Internet users worldwide could access and share information without a
trace.
"(Hackers) are looking for something a little more meaty to work with,"
spokesman "Oxblood Ruffin" said of the new social activist push by a group
formerly known for creating software that was used by other hackers to attack
undefended computers.
The Hactivismo announcement, the result of a two-year project among leading
hackers worldwide, was made at H2K2, a three-day conference ending Sunday.
The bi-annual event attracts an estimated 2,000 security professionals and
computer activists, including the U.S. hacker elite.
Mixter's software -- known as a "protocol" in technical terms -- would
allow ordinary computer users to set up a decentralized version of virtual
private networks (VPNs). VPNs are used by governments and many companies to
create secure networks that are fenced off from the public Internet.
"It's important for anyone -- whether they live in a totalitarian country or a
Western country -- to be anonymous," said Mixter, who lives in Munich, of his
motivation to take part in the project.
Hactivismo software works to bypass national firewalls that allow only
partial access to global computer networks. A firewall is software that
blocks access to certain types of addresses; such filtering is used on
internal corporate networks and by nations that restrict citizens' access
to the global Internet.
Hactivismo says it can defeat attempts to restrict Web surfing to
controversial Internet news and human rights sites by disguising such sites
to make them look innocuous.
The group hopes to encourage other software developers to embed the code
for the "Six/Four" protocol into their own programs in order to accelerate the
spread of the technology worldwide. The effort will only succeed if
millions of computer users begin using the programs as part of their
everyday Internet Web use, providing cover to individual surfers, its
proponents said.
FROM PIRACY TO FREE-SPEECH ACTIVISTS
The move is likely to heat up the battle between free speech activists and
government censors in the 20 or so countries that restrict public access to
the Web. It may also raise concerns among Western police agencies, who fear
the technology could be used by criminals to swap child pornography or by
Osama bin Laden's Al-Qaeda network to plot new attacks
around the globe.
Hactivismo, or hacker activism, is just one of several grassroots software
projects -- including Peekabooty and Privaterra -- launched recently by
computer activists that seek to enable human rights workers to access
censored Web sites or communicate securely.
Six/Four protocol designer "Mixter" told Reuters that the system is named
in honor of the date when Chinese authorities cracked down on democracy
activists in Tiananmen Square on June 4, 1989.
Six/Four is designed so that each computer user who runs software using
the protocol becomes part of the shared capacity of the network, taking a
page from the so-called "peer-to-peer" sharing networks that gave birth to
Napster and other music-sharing programs such as Gnutella.
"This is going to be a guerrilla information war," Oxblood Ruffin said.
"Sites will pop up for a few days and then be taken down," he said as he
described a "moving war," in which computer activists react quickly to
government efforts to block such programs.
In countries such as China, the Internet poses an unprecedented threat to
the control that the Chinese Communist Party exercises over all other forms
of media.
In the world's most populous country, where most people can't afford PCs,
millions turn to Internet cafes, despite a long-running crackdown on the
free-wheeling establishments by the Chinese government.
The tightening of restrictions has accelerated recently since several
deadly fires, including one in a Beijing Internet cafe that killed more
than 20 students in June.
Sensitivity to potential sources of civil instability has been heightened
by the looming leadership transition at the top of the Chinese government
set for later this year.
Hactivismo is made up of 40 or so hackers including members of the Cult of
the Dead Cow, the group behind Back Orifice, which can be used by malicious
hackers to gain unauthorized access to unsecured computers running
Microsoft's Windows software.
Mixter developed software that was used by another teenager to launch
denial of service attacks on major e-commerce sites in
early 2000.
Group members have focused more recently on harnessing the energies of the
computer underground to promote electronic democracy on the Internet.
In the future they plan to develop programs that will allow anonymous
direct email, file trading and untraceable chat programs that bypass
conventional Internet monitoring.
The latter is especially important in places like China, where online chat
is more popular than Web surfing. The group's work can be found on the
Internet at .
Hactivismo leaders said that Camera/Shy was immediately available for
download and use from its site. The program would allow visitors at
public Internet cafes, popular in many countries where computers are
scarce, to install the 1.2 megabyte program using a simple floppy disk.
The user simply installs the program on a computer, surfs the Web, then
removes the program, leaving no electronic record of what sites were
visited, said its southern California-based designer, who goes by the
hacker name "Pull."
"What this is for is for pre-suspects," Pull said. "You never become a
suspect if you are using this kind of thing."
(Additional reporting by Jonah Greenburg)
************************
Associated Press
China Internet Portals Sign Pact
Mon Jul 15, 2:28 AM ET
By CHRISTOPHER BODEEN, Associated Press Writer
BEIJING (AP) - Internet portals in China, including
Yahoo!'s Chinese-language site, have signed a voluntary pledge to purge the
Web of content that China's communist government deems subversive,
organizers of the drive say.
The "Public Pledge on Self-discipline for China Internet Industry" has
attracted more than 300 signatories since its launch March 16, said a
spokeswoman for the Internet Society of China, who identified herself only
as Miss Sun.
The pledge's main aims appear fairly benign: promotion of Internet use,
prevention of cyber crime, fostering healthy industry competition, avoiding
intellectual property violations.
Other clauses, though, seem less innocent given China's tight control over
information and the government's extreme sensitivity to criticism or
political challenges. New regulations on Internet publishing take effect
Aug. 1 "to promote the healthy development of Internet publications," the
official Beijing Morning Post reported Monday.
Those who sign the pledge must refrain from "producing, posting or
disseminating pernicious information that may jeopardize state security and
disrupt social stability." The prohibition also covers information that
breaks laws and spreads "superstition and obscenity." Members must remove
material deemed offensive or face expulsion from the group.
Signers also pledge to monitor content of foreign-based Web sites and block
those containing unspecified harmful information.
The pledge conforms closely to government policies making Internet service
providers responsible for content posted on Web sites they host. It's a
strategy to give the Internet enough room to blossom while keeping
operators on notice not to push the envelope politically.
China has aggressively promoted the Internet for commercial purposes. As of
April, China had more than 38 million Internet users and nearly 280,000 Web
sites, according to the official Xinhua News Agency.
Yet the Communist Party is determined to curtail the Web's role as a forum
of free discussion and source of information not available in the entirely
government-controlled media.
A special police force monitors Web sites and sifts e-mail searching for
messages promoting causes such as greater political openness, the banned
Falun Gong spiritual movement and independence for
minority regions. Web sites of human rights groups and Western and
Taiwanese media are frequently blocked.
Internet cafes are required to track sites their users visit and report
attempts to open those deemed subversive. Long prison sentences have been
given to people accused of reproducing or forwarding information from such
sites.
"They're trying to have it both ways. It's a difficult game to play, but
they seem to be doing a not inconsiderable job of it," said Jack Balkin, a
Yale University law professor who studies the Internet.
China has also closed thousands of Internet cafes since a fire June 16 at a
cafe in Beijing that killed 25 people.
The Beijing-based Internet Society of China describes itself as a private,
national self-governing body for the Chinese Internet sector. Its 140
members are drawn from private companies, schools and research institutes,
according to the society's Web site.
A spokesman for Yahoo!'s China office in Beijing confirmed the company had
signed the pledge but refused to comment further. Yahoo!'s public relations
agency in the United States, where the company cultivates an image of
freedom and anarchic creativity, responded to an e-mail seeking comment by
saying no spokesman was available.
Other portals the society listed as having signed the
pledge include the popular Chinese Web sites Sina.com and Sohu.com, as well
as Peking and Tsinghua universities, online media and technology companies
and government offices.
*************************
Washington Post
Judge Bars Firm From Deploying Unauthorized Pop-up Ads
A federal judge in Virginia has temporarily barred a California company
from creating unauthorized advertisements on the Web sites of several
prominent media companies.
U.S. District Judge Claude Hilton in Alexandria granted a motion for a
preliminary injunction in a lawsuit filed by 10 media companies against
Gator Corp., a Redwood City, Calif., software company.
Gator produces pop-up advertisements that appear when computer owners who
have downloaded the company's software browse Web sites targeted by Gator's
advertisers. The injunction issued Friday stops Gator from creating the
unauthorized ads on sites owned by the plaintiffs.
The plaintiffs, including The Washington Post, The New York Times, Dow
Jones and Knight-Ridder, claim Gator's software lowers their advertising
revenue by creating pop-up ads that direct Internet surfers to competitors'
sites, hide legitimate ads and offer deals in direct competition with those
presented by the site's paid advertisers.
No date has been set for trial.
Janet Collum, an attorney for Gator, said company officials would decide
whether to appeal the judge's order after they had reviewed it.
"Obviously, we would prefer not to be enjoined," she said. "I believe that
when we have the opportunity to put on a full showing (at trial), we will
demonstrate that the company should not be enjoined. We believe strongly
that the facts and the law are on our side."
The judge's preliminary ruling indicates that he views the case
differently, said Terence P. Ross, an attorney for the plaintiffs.
"One of the legal standards the judge has to evaluate in considering
whether to grant a preliminary injunction is whether the plaintiff's case
is 'likely to succeed on the merits,' " Ross said. "The fact that he
granted the injunction is an indication that the judge thinks our case does
have merit."
Ross said his clients want to stop Gator from inserting unauthorized ads on
their sites not only because they are losing advertising revenue but also
because it "causes a loss of content control." Ads created by Gator's
software might conflict with stories on the Web sites, potentially creating
an appearance of journalistic bias or incompetence, he said.
The issue stems from a software package offered by Gator, called eWallet,
that helps Internet users automatically remember passwords and fill in
information forms on Web pages. However, when users download the software,
additional computer files are also stored on the user's computer that run a
separate program called OfferCompanion, which stores information on the
user's Web-browsing history and generates advertising based on the user's
Internet habits.
Those ads are designed to "pop up" on the computer screen when the user
visits a Web site that features advertising from one of Gator's
advertisers' competitors. For example, when an Internet user is about to
make an online purchase from a Web site, a pop-up ad may appear that offers
the same item at a lower price from a competing Web site that pays Gator
for ads.
Some of Gator's pop-up ads are designed to appear on the computer screen as
if they are part of the Web site being visited, in some cases deliberately
concealing ads that are part of the site.
The software also sends Gator information on the computer owner's
Web-browsing habits, generally without the owner's knowledge, for Gator's
own use in tracking users' Internet-browsing habits and for resale to other
marketing companies.
Last August, Gator filed a lawsuit in California against the Interactive
Advertising Bureau -- a group that represents several large,
advertising-heavy Web sites -- claiming that the group had unlawfully
disparaged its products and services. The interactive group had objected to
Gator's practice of selling ads designed to conceal advertisements on
members' sites.
That lawsuit was dismissed in February.
***********************
USA Today
Many college students can't pass up free music
By Mackenzie Warren and Michelle Poblete, Gannett News Service
Brian Pollock is like a lot of college students. He parties between
cramming for exams. His dorm room looks like it was hit by a tornado.
And his computer's hard drive holds thousands of music files acquired free
on the Internet.
"On a good day, I'll download 100 songs," said Pollock, 20, a junior
physics major at Miami University in Oxford, Ohio. He gets his tunes in the
compressed MP3 format favored by most downloaders.
For Pollock and others like him, Napster used to be the ultimate free music
source. But it is effectively extinct because the recording industry shut
it down on charges of copyright violation.
Filling the void: so-called peer-to-peer sites such as Morpheus and
Gnutella, where millions of PC users come together at any given time to
swap music files that sit on their PC hard drives.
Because peer-to-peer (P2P) networks exist only virtually, it is harder for
record labels to target specific lawsuits, and federal agents can't
practically enforce copyright rules.
For college students -- who enjoy nearly universal access to the high-speed
connections ideal for Internet downloading -- the abundance of P2P networks
means there's little that's digital, whether it's music, videos or
software, that's not available free.
Economics and opportunity
To many students, fast and free is the way they've come to consume music
and video.
"Why would I ever spend money on music when I can get it for free?" asks
Sara Melillo, 20, a sophomore journalism major at Northwestern University
in Evanston, Ill. "Do I feel bad for the artist? Of course. But that
doesn't mean I'm not going to take advantage of a free opportunity."
Michael Asuncion, an 18-year-old sophomore at the University of Southern
California-Los Angeles, uses music-swapping services and a CD burner to
make portable replicas of real albums.
"Downloading a song takes less than three minutes," he said. "Before you're
done typing in your next request, you've got the file."
Many students say they periodically download music, usually a few songs at
a time, while a few do it by the hundreds.
Sometimes, it just comes down to economics. Many students want to save the
$15 to $20 a CD costs.
"It's out there, so why not take advantage of it?" said Matthew O'Neill,
22, a senior at Syracuse University in New York. "I feel like I've overpaid
for music in the past, so I can rationalize burning CDs now. But I'm still
shocked we're able to do it totally free."
When Napster opened for business in 1999, colleges debated intellectual
property issues. But since last year, many universities said their main
task was to optimize network performance to keep pace with academic and
recreational demands.
At Duquesne University in Pittsburgh, for example, tech managers use
"packet-shaping" software that limits the amount of network resources music
and video file types can occupy. Such restrictions are eased on nights and
weekends, when there are fewer academic demands on the network.
Movies next?
Still, solving the bandwidth shortfall created by music may beget a new
problem with video.
"If you thought Napster clogged up networks, wait till 'Spider-Man' gets
out," said Casey Green of the Los Angeles-based think tank Campus Computing
Project. It studies college computer networks.
Video downloading is slowly gaining popularity but not nearly as fast as
MP3s did. Students said that's because, even with compression technology,
files take too long to download and occupy too much space on hard drives.
Thorvaldur Einarsson, 25, an electrical engineering graduate student at the
University of Maryland, waited all night to download what he thought was
part of Star Wars, Episode II: Attack of the Clones. "I managed to find part
one of the movie and after a long download, we tried to watch it. It turned
out that the file did not include Star Wars at all but a repeated showing
of the trailer for The Scorpion King, starring pro-wrestling icon The Rock."
But devoted collectors, with desire and patience, are out there. "There is
a student down my hall who has every movie you can imagine," said Giselle
Mammana, 20, a sophomore at Northwestern. "Instead of walking four blocks
to Blockbuster, I walk four doors to his room." Mammana downloads several
TV shows a month and four to 10 songs a day. She has made about 20 custom
CDs containing more than 340 MP3s.
Power shift
Even as new technology makes it easier to get more music free, ethical
questions remain. And not every student feels entitled to free music. D.D.
Zhou, a 21-year-old junior at Georgia Tech in Atlanta, uses music-swapping
services to filter out bad music so she can purchase the good stuff.
"Before, I would just buy an album without knowing how good or bad the
songs are on it," Zhou said. "When I find the really good music, I'll go
and buy it."
Some students argue that file sharing helps independent artists compete
with big-label bands.
"The whole Napsterization of music has taken the power of music from record
label executives and put it back into artists' hands," said Sherkhan Khan,
19, a freshman at Goucher College in Baltimore.
"Now, good musicians who aren't manufactured like 'N Sync and Britney can
reach a large audience. Without Napster, I would have never heard of
Tenacious D."
***********************
Los Angeles Times
High-Tech Strategy Guides Pentagon Plan
Military: The Cold War era is left behind in the secret document, which
stresses a long-range approach to a new breed of enemies.
By JOHN HENDREN
TIMES STAFF WRITER
July 13 2002
WASHINGTON -- A secret Pentagon plan for the next five years directs the
military to focus more of its spending to combat Afghanistan-style threats
and weapons of mass destruction and to develop even greater
precision-strike capabilities, according to a document reviewed by The Times.
The "Defense Planning Guidance" for 2004 to 2009 puts into action the
Pentagon's plan to replace a Cold War-era strategy of being able to fight
two major-theater wars at the same time with a more complex approach aimed
at dominating air and space on several fronts.
The annually updated five-year plan, the first since the Sept. 11 terrorist
attacks, represents an acceleration of the shift toward the high-tech
gadgetry of warfare on which the Pentagon has relied since the Persian Gulf
War of 1991. The classified document requires the military services to
further develop the capability to launch "unwarned" preemptive strikes, a
new doctrine President Bush outlined in a May graduation address at the
U.S. Military Academy at West Point, N.Y.
The document appears to emphasize the kind of nontraditional enemy American
soldiers have faced in Afghanistan, rather than a peer-to-peer war with
large numbers of conventional troops and weapons against such possible foes
as North Korea and China.
The plan directs the armed services to spend their money on five areas:
countering terrorists and weapons of mass destruction, intelligence,
cyber-warfare, airstrike capabilities and military systems in space.
It also sets specific goals, such as the development of a squadron of a
dozen unmanned fighter jets by 2012 and a "hypersonic missile" that can
travel 600 nautical miles in 15 minutes--capable of taking out mobile
missile launchers before they can be moved--by 2009.
The more than 50-page document is detailed in The Times' Sunday editions by
defense analyst and columnist William M. Arkin.
Defense officials said the plan codifies the military transformation that
Defense Secretary Donald H. Rumsfeld has touted since he took over the
Pentagon.
It places emphasis on capabilities such as surprise "high-volume precision
strikes," and calls for laser- and microwave-powered weapons and
nuclear-tipped "bunker buster" bombs capable of striking deeply buried cave
complexes such as those in the mountains of Afghanistan.
The weapons called for in the plan enhance the military's ability to launch
stealthy preemptive strikes against a new breed of enemy, which the Bush
administration has suggested could include North Korea and Iraq.
In his June 2 address announcing his "strike first" policy, Bush said U.S.
forces need to be "ready to strike at a moment's notice in any dark corner
of the world."
"We face a threat with no precedent," he said.
"Containment is not possible when unbalanced dictators with weapons of mass
destruction can deliver those weapons on missiles or secretly provide them
to terrorist allies."
The emphasis on high-tech warfare appears to benefit the Air Force most and
the Army least, a senior defense official said on condition of anonymity.
That may have an effect on the way the document is received by each of the
military services. The document calls for the services to make
cyber-warfare a "core competency."
That includes protecting critical U.S. computer networks and destroying or
sleuthing the enemy's networks.
The policy blueprint outlines a shift from a "threat-based" strategy, aimed
at combating major adversaries such as China or Russia, to a
"capabilities-based" system, designed to develop the ability to "deter,
deny and defeat adversaries who will rely on surprise, deception and
asymmetric warfare to achieve their objectives."
Some defense analysts expressed a concern that the plan would send the
message that wars can be fought with few casualties by "push-button warfare."
"It's this concept that we can sit in our air-conditioned bunkers and push
buttons," said Ivo Daalder, a defense analyst at the Brookings Institution.
"That leads to the absurd decision to fight a Kosovo war without a ground
component. It leads to relying on insurgents and precision strikes to
overthrow Saddam. It's absurd to think that that's the way we ought to
fight warfare in each and every circumstance....
"Wars are still fought and won in the old-fashioned way: by killing more of
the others than they kill of you. And by taking territories."
Nevertheless, some of the technologies envisioned in the plan could be used
in traditional large-scale wars, said Anthony Cordesman, a former Pentagon
official at the Center for Strategic and International Studies, a
Washington foreign policy think-tank.
The paper indirectly criticizes U.S. intelligence performance, calling for
major changes.
"It is also essential over the midterm period that we transform
intelligence capabilities to provide sufficient warning of an impending
crisis, identify critical targets" and develop new ways to monitor military
campaigns and measure their success, the report says.
The edict follows criticism that the intelligence community had too little
information on Al Qaeda operatives before Sept. 11, and often failed to
communicate what it had with other government agencies.
***********************
San Francisco Gate
Spam attacks growing
Three one-hundredths of a penny -- that's the per-message cost for sending
out spam e-mail. To put it a more realistic way, you can hit 25 million
mailboxes for a mere $7,999.
At least that was the price MonsterHut.com, a spammer based in Niagara
Falls, N.Y., used to charge for its Grand Slam Package. That particular
deal may not be available any longer, though. A few weeks ago New York
Attorney General Eliot Spitzer sued MonsterHut for fraud, and now its Web
site is down and its phone number is out of service.
There's no shortage of other junk mailers offering similar rates or of
customers eager to hire them. After all, the economics are attractive: If
you were peddling a product with, let's say, a margin of $5 per unit, you'd
more than cover your costs if just one of every 15,000 recipients bought
one. Any other sales would be gravy.
That's assuming you were doing an honest business. If you were trying to
get someone to, say, pass along his bank account information, a single
sucker out of 25 million people might make the whole investment worthwhile.
(Of course, a large percentage of the addresses on spammers' lists are no
doubt bogus, so you'd need a somewhat higher hit rate among real
recipients, but the principle is the same.)
That's why the volume of spam continues to soar. According to the latest
monthly data from Brightmail, a San Francisco company that attempts to stop
the flood for corporate customers (including The Chronicle) and Internet
service providers, the rate of unique spam attacks measured by the
company's network of decoy addresses has increased more than five-fold
during the past year -- from less than a million in June 2001 to more than
4.8 million last month. Each of those attacks could involve thousands or
millions of users.
RULES ON AVOIDING SPAM: So what can you do to keep all that annoying,
offensive clutter out of your inbox? The first step is to follow some
common-sense, but too-often ignored guidelines about e-mail usage. You can
find such tips at dozens of Web sites, but there's a clear and simple set
at Spam Recycling Center (www.spamrecycle.com/antispamthings.htm).
To summarize:
1. Never respond to spam.
2. Don't post your address on your Web site.
3. Use a second e-mail address, not your main one, if you post to newsgroups.
4. Don't give out your e-mail address without knowing how it will be used.
5. Use a spam filter. (More on that in a moment.)
6. Never buy anything advertised in spam.
I know a few people who have managed, by dint of good luck and strict
adherence to such rules, to keep their inboxes spam-free for years.
Unfortunately, they're rare exceptions. One way or another, spammers seem
to catch up with most folks sooner or later.
That's why there's increasing demand for spam-blocking software and
services -- and a steady stream of startups racing to meet it. Many of
these tools are, like Brightmail's, server-based and marketed to IT
managers and ISPs, and I'm not qualified to evaluate them.
Even if your network administrators are doing their best to fight the
problem, odds are plenty of spam is getting through to you, so it's worth
considering how you can beef up your defenses.
Nowadays, some spam-fighting weapons are built into almost every e-mail
program and service. Generally, however, they're not turned on by default,
so they're no benefit unless you enable them yourself. That can be a little
complicated, and the details are different for each program and service, but
you should be able to find instructions in your software's electronic help
system.
You can also find concise, step-by-step guidance for most common mail
programs at a site run by the University of Texas,
www.utexas.edu/computer/security/users/avoid_spam.html. For America Online,
just go to keyword Mail Controls, or see
howto.lycos.com/lycos/step/1,,110+23614+13831,00.html.
NEW TOOLS: There's also a growing selection of spam-fighting services for
individual users, including several that make it easy to create temporary
e-mail aliases -- known as DEAs, for disposable e-mail addresses. When you
give one out, the recipient never sees your real address, yet any responses
sent to the aliases can be routed to your actual mailbox unless you opt to
kill the DEA.
I haven't tried any of these services, but PC magazine recently evaluated
them (www.pcmag.com/article2/0,4149,137955,00.asp). One that scored
especially well with the reviewer and users is MailShell
(www.mailshell.com), a full-featured filtering, forwarding and DEA service.
During the past month, two promising new anti-spam programs have appeared:
SpamNet, offered free by Cloudmark (www.cloudmark.com) in San Francisco,
and ChoiceMail, a $30 utility from DigiPortal Software (www.digiportal.com).
Still in beta testing, SpamNet currently works only with Microsoft Outlook
2000 or XP on Windows 98 or later. A version for Outlook Express is coming
soon.
Conceived by Napster co-founder Jordan Ritter and open-source developer
Vipul Ved Prakash, the program takes a unique peer-to-peer, or
community-based approach. Its users collectively determine what messages it
will flag as spam and shunt off to a new folder called Spam.
If a message you consider spam shows up in your Outlook inbox, you can
select it and click a Block button SpamNet installs in Outlook's toolbar.
That not only moves the message to your Spam folder, but also generates a
signature identifying the message and sends it to Cloudmark. Cloudmark then
forwards that information to other SpamNet users. If they later receive a
copy of the same message, it'll be automatically tagged as spam.
Conversely, if a message that's not spam to you gets put in the Spam folder,
you have only to click an Unblock button in the Outlook toolbar, and it
will be returned to your inbox and its new status will be reported to
Cloudmark and other users.
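To make the block/unblock mechanism described above concrete, here is an added toy model of a shared signature registry and its clients. It is not Cloudmark's code; the fingerprint normalisation, the vote threshold and the sample messages are all assumptions made for the illustration.

```python
"""Toy model of community-voted spam signatures (added example, not SpamNet)."""
import hashlib
import re
from collections import defaultdict
from dataclasses import dataclass, field


def fingerprint(body: str) -> str:
    """Signature of a message body.

    Assumed normalisation: lower-case, collapse digits (tracking codes) and
    whitespace, then hash. Near-identical copies of one mailing share a signature.
    """
    text = body.lower()
    text = re.sub(r"\d+", "0", text)
    text = re.sub(r"\s+", " ", text).strip()
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


class SignatureRegistry:
    """Server side: one vote per user per signature, +1 = block, -1 = unblock."""

    def __init__(self, threshold: int = 2):
        self.threshold = threshold          # assumed: votes needed to flag
        self._votes = defaultdict(dict)     # signature -> {user: +1 | -1}

    def report(self, sig: str, user: str, is_spam: bool) -> None:
        # A later Unblock from the same user overwrites their earlier Block,
        # so one user cannot push a signature over the threshold alone.
        self._votes[sig][user] = 1 if is_spam else -1

    def score(self, sig: str) -> int:
        return sum(self._votes[sig].values())

    def is_spam(self, sig: str) -> bool:
        return self.score(sig) >= self.threshold


@dataclass
class Client:
    """Client side: an inbox, a Spam folder and Block/Unblock actions."""

    user: str
    registry: SignatureRegistry
    inbox: list = field(default_factory=list)
    spam: list = field(default_factory=list)

    def receive(self, body: str) -> str:
        """File an incoming message; returns the folder it landed in."""
        if self.registry.is_spam(fingerprint(body)):
            self.spam.append(body)
            return "spam"
        self.inbox.append(body)
        return "inbox"

    def block(self, body: str) -> None:
        self.inbox.remove(body)
        self.spam.append(body)
        self.registry.report(fingerprint(body), self.user, True)

    def unblock(self, body: str) -> None:
        self.spam.remove(body)
        self.inbox.append(body)
        self.registry.report(fingerprint(body), self.user, False)


def run_demo() -> list:
    """Constructed scenario: four users, two near-identical copies of one mailing."""
    registry = SignatureRegistry(threshold=2)
    a, b, c, d = (Client(name, registry) for name in ("a", "b", "c", "d"))
    msg = "Refinance NOW!!! Call 555-0100"            # constructed sample
    variant = "refinance   now!!!  call 555-0199"     # same mailing, new code
    outcomes = [a.receive(msg)]      # nobody has voted yet -> inbox
    a.block(msg)
    outcomes.append(b.receive(variant))  # one vote, below threshold -> inbox
    b.block(variant)
    outcomes.append(c.receive(msg))      # two votes -> spam
    a.unblock(msg)                       # a false positive reported back
    outcomes.append(d.receive(msg))      # score drops to 0 -> inbox
    return outcomes
```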
I've been using the program for several weeks now, mostly in combination
with Outlook rules I'd previously set up to get rid of messages Brightmail
had tagged as spam. (There's no rule against using multiple defenses
simultaneously; in fact, it's a good idea.)
To see how it would do by itself, I shut off my Outlook rules and relied
entirely on SpamNet for a day. During those 24 hours, it moved 73 messages
from my inbox to its spam folder. Of those, 71 were unambiguously spam and
two came from mailing lists I've signed up for. (In fairness, one of the
latter looked a lot like spam.) The program overlooked 11 pieces of spam
that reached my mailbox that day.
By way of comparison, if I'd been using my previous tools -- Outlook
filtering based on Brightmail tagging -- and not SpamNet, six of the 11
spam messages SpamNet missed would have been removed from my Inbox. On the
other hand, 21 of those SpamNet filtered out for me would have been left
for me to delete manually.
All told, with just my old system, I'd have had 26 pieces of junk in e-mail
versus the 11 that SpamNet left. True, I wouldn't have had to retrieve the
two false positives that the latter quarantined. But I check what
Brightmail tags anyway, even though it rarely tags something it shouldn't,
so the only extra work with SpamNet was one "Unblock" click for each of the
two messages.
When the program began last month, with heavy publicity (including a story
by my colleague Carrie Kirby), users reported several significant bugs. The
company responded quickly, and the most serious problems were apparently
solved. It's working smoothly for me.
Bottom line: SpamNet wasn't perfect, but it did appreciably better than my
Brightmail-based system -- even though the former is barely a year old and
has been available to the general public for less than a month, whereas
Brightmail has been polishing its technology for four years.
Because of SpamNet's peer-to-peer architecture, it should get steadily more
accurate as more users contribute to it.
I couldn't do a real test of DigiPortal's ChoiceMail, the other new Windows
program that's generating a buzz among spamhaters, because it works only
with POP mail clients such as Outlook Express and Eudora, and I don't have
a spam-laden mailbox accessible via POP.
From my limited testing, though, ChoiceMail looks like a slick solution
for POP mail users, but with at least two major caveats: It's designed for
people who always check their mail from the same PC, and it's not a very
good match for those of us who regularly receive mail from total strangers
and want it to come through without hassle for the sender.
Those conditions are a problem because ChoiceMail turns the usual approach
to fighting spam on its head: Instead of trying to block spam, it keeps out
all messages except those sent by people on an A-list of authorized
correspondents.
If a message comes from a source you've already rejected, it's
automatically deleted.
If it's from an unfamiliar address, ChoiceMail puts the message on hold and
automatically sends a reply asking the sender to go to a DigiPortal-run Web
site to fill out a form requesting your permission to send e-mail to you.
You're then notified of the request. If you approve, the message is
delivered; if not, it's deleted.
The program does a nice job of creating an A-list for you from your address
book, but if an e-mail comes from a legitimate sender you've never dealt
with before, he or she will have to fill out the form, and you'll have to
approve it -- a fair bit of bother if you get many such messages.
Because ChoiceMail stores your list on the machine where it's installed,
rather than relying on a server, it can't do its thing if you're checking
your mail from elsewhere.
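The allow-list and challenge flow described above, as an added example that is not DigiPortal's code: an A-list seeded from an address book, held mail for unknown senders with one challenge per sender, and approve/deny decisions. The class and method names and the sample addresses are assumptions.

```python
"""Toy challenge-response mail gate (added example, not ChoiceMail)."""
from dataclasses import dataclass, field
from enum import Enum


class Decision(Enum):
    DELIVER = "deliver"   # sender on the A-list
    DELETE = "delete"     # sender previously rejected
    HOLD = "hold"         # unknown sender: message parked, challenge sent


@dataclass
class ChallengeGate:
    allowed: set
    rejected: set = field(default_factory=set)
    held: dict = field(default_factory=dict)          # sender -> held messages
    challenges_sent: list = field(default_factory=list)

    @classmethod
    def from_address_book(cls, book) -> "ChallengeGate":
        """Seed the A-list from an address book (constructed list of addresses)."""
        return cls(allowed={addr.lower() for addr in book})

    def receive(self, sender: str, message: str) -> Decision:
        """Classify one incoming message by its sender address."""
        s = sender.lower()
        if s in self.allowed:
            return Decision.DELIVER
        if s in self.rejected:
            return Decision.DELETE
        # Unknown sender: park the message. Only the first message from a
        # sender triggers a challenge; later ones queue behind it.
        if s not in self.held:
            self.held[s] = []
            self.challenges_sent.append(s)
        self.held[s].append(message)
        return Decision.HOLD

    def approve(self, sender: str) -> list:
        """Owner approves the request: add to A-list, release held mail."""
        s = sender.lower()
        self.allowed.add(s)
        return self.held.pop(s, [])

    def deny(self, sender: str) -> None:
        """Owner denies the request: discard held mail, auto-delete in future."""
        s = sender.lower()
        self.rejected.add(s)
        self.held.pop(s, None)


# All state above lives in this one object (on this one machine), which is
# the locality caveat: a second copy elsewhere starts with an empty list.
```

Note that automated senders such as mailing lists never answer a challenge, so their messages stay in `held` until the owner approves or denies them by hand.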
********************
Reuters
Hackers Raise Hell in Name of Security
Mon Jul 15, 3:50 PM ET
By Eric Auchard
NEW YORK (Reuters) - Barry "The Key" Wels picks locks for the sport of it,
but also to make a broader point.
He fiddles with tumblers and cracks safes for fun, and to alert the
security industry to the weaknesses of many locks, which serve as a bulwark
of our physical safety. Locks, whether keyed or combination, melt like
butter in his hands.
Lock pickers, safecrackers and computer hackers often bond on the Internet,
sharing tips and exposing "vulnerabilities." The fraternity of security
violators surfaced at a rare meeting of the U.S. computer underground in
New York recently that drew 2,000 Internet enthusiasts and security
professionals.
"It's real easy, it's real addictive ... to open a lock in two or three
pops," said The Key, who is also an active computer hacker and cryptology
buff.
He's just one of the scores of speakers to spill in intimate detail about
how one can beat the security systems found on computers, networks,
telephones, radios, encryption, office security cards, keypads as well as
doors and bank safes.
The event has a curriculum of borderline criminal computer skills like no
school on earth. For it's not every conference where a speaker asks his
audience: "How many people have written a computer virus before?" and
several hands shoot up.
This all may strike the casual observer as a school for scandal in the
spirit of Moliere or Dickens.
But the event is seen by many sober-minded computer experts who attend it
as essential information-sharing, a shock test of the health and security
of an open society.
The logic here goes that the best way to defend against viruses is to learn
how to write one. Such frank discussion of security vulnerabilities is
viewed as the final defense against really dangerous computer attacks or
online privacy invasions.
"It tells you where the state of the art is, or at least where 90 percent
of mainstream hackers are headed," said a U.S. Navy computer intelligence
officer, who goes by the online pseudonym of "NetSquid."
The three-day conference known as H2K2 -- short for Hackers on Planet Earth
-- was organized by the publishers of 2600, a magazine sold in suburban
bookstores that celebrates the culture of computer hacking. To preserve
anonymity and draw the largest crowd, no names are taken at registration.
"There is no other meeting in the world where you run into more elite
hackers," the Navy computer expert said, who asked that his real name not
be used. "What really startled me is how upright they are. Quirky, a little
odd sometimes, but very, very smart," he said.
The agenda is located on the Web at http://www.h2k2.org.
SKIP THE CAFFEINE, I NEED ACCESS
The hacker crowd draws lots of teenagers and twentysomethings, some with
blue hair, others with peach-fuzz still on their cheeks. They mix with
50-year-old hippies who in some cases got their start breaking into old Ma
Bell phone systems, years before computers went mainstream. Men (and boys)
outnumber women (and girls) roughly 20 to 1 at the event.
Participants share a love of all things electronic and gadgety. Many say
their interest in computers started young, when alienated from a wider
culture that lacks their easy facility with complex numbers. They found
meaning and community online, in the cloak and dagger world of computer
security.
The audience drinks in computer screens, with a passion that most people
reserve for slurping a first cup of coffee in the morning.
"I've got to get on a computer or I'm going to die," one fish-out-of-water
complains as he hurries between meetings.
Mike Glaser, a sales representative in the access control device industry,
stands out from the slacker crowd with his slick-backed hair and two-piece
suit. He cautions listeners during a presentation on his latest product
line-up that, "Everything has its weaknesses. If you can find it, you are
going to be a very rich, or a very jailed person."
"You didn't hear it from me," said Glaser after revealing a security detail
known largely only to industry insiders.
Noticeably absent is any sign of the police, although participants commonly
believe that there are government agents circling in their midst. The
conference program warns: "This hotel is our home for the weekend and there
will be more authority types in proximity than you can imagine."
STUDY CRIMES, TO THWART THEM
But the participants are defensive about being labeled bad guys, just
because they like to break in to places.
"We explore and you call us criminals...Yes, I'm a criminal, my crime is
that of curiosity," said "Mentor," a hacking pioneer whose real name is
Lloyd Blankenship. The Texan wrote "Conscience of a Hacker," which has
become a kind of credo for young hackers since he wrote the essay in 1986.
He gives an inspirational pep talk to hundreds of adoring spectators, some
of whom were not yet born when he wrote his passionate defense of the art
of exploring computer systems.
But for all their efforts to whip up positive feelings about the art of the
break-in, there is a level of paranoia that goes with the territory.
"It's best to change all your passwords after you leave this conference," a
teenage hacker helpfully advises a bystander at the conference.
*************************
Reuters
FBI, U.S. Military Probe Hawaii Computer File Theft
Fri Jul 12, 9:49 PM ET
HONOLULU (Reuters) - FBI and military authorities are
investigating the theft of classified computer files that were stolen when
four military officers left them in their car while swimming last month at
a popular Oahu beach, officials said on Friday.
But a spokesman for the U.S. Pacific Command at Camp Smith also said that
all the missing files "had been accounted for."
"We are satisfied that all the missing material has been accounted for,"
Navy Capt. John Singley said. "I can't go beyond that."
Singley would not discuss the content or classification level of the
computer files, which were stored on discs.
The files were among items taken from the trunk of a car being used by the
officers when they went to Waimea Bay on June 14. Singley declined to
identify the Hawaii-based officers by name or rank but they are members of
the Army and Air Force.
"Obviously, a military investigation is continuing to look into the
circumstances surrounding the handling of this material," Singley said.
"Possible disciplinary action could result, depending on what the
investigation finds out."
Kevin Rickett, an FBI spokesman in Hawaii, would not comment on the
progress of the investigation. The FBI is investigating because the stolen
items were government property, he said.
************************
Reuters Internet Reports
AT&T Warns Workers Not to Be Duped by Hackers
Fri Jul 12, 6:25 PM ET
NEW YORK (Reuters) - AT&T Corp. has warned employees not to be tricked into
surrendering sensitive information about its network to hackers posing as
colleagues or customers this weekend, a spokeswoman said on Friday.
The warning, sent in an e-mail to AT&T staff, came ahead of a major hackers
convention in New York where some of the attendees plan to give a
demonstration of "social engineering" techniques -- ways of getting
information that can be used to break into computer networks from the
people who run them.
AT&T workers in past years were tricked into giving out sensitive
information over the telephone to people pretending to be other employees
or customers, according to the internal AT&T e-mail dated on Thursday.
Recorded telephone calls based on those exchanges have been sold as
instructional videos to would-be hackers at the HOPE (Hackers on Planet
Earth) conference, the e-mail said.
This year's conference, dubbed H2K2, started on Friday and runs through
Sunday in New York City.
"There is a very high likelihood that AT&T will be a target again" on
Sunday afternoon, when a social engineering contest is scheduled, the
e-mail said.
"Remember, you do not want to be the lucky guest of honor on a telephone
call from the hacker conference this weekend with thousands of hackers
listening to you and attempting to scam AT&T out of proprietary
information," the e-mail warned. "Please be on guard."
Cindy Neale, a spokeswoman for New York-based AT&T, told Reuters it is not
unusual for the company to send out such internal notices.
On Friday, attendees of one conference session learned how to get access to
telephone company caller ID systems. In front of a packed room of several
hundred, a hacker calling himself "Lucky225" tricked several operators at
Vancouver, British Columbia-based Telus Corp., Canada's second largest
telephone company, into giving him access to the network by saying simply,
"I'm an engineer."
************************
BBC
Villagers try out net on wheels
Villagers in rural India who have never even seen a computer or even made a
telephone call are getting their first taste of the internet thanks to an
innovative project.
For the Computer on Wheels trials, a technician visits rural villages on a
motorcycle, carrying a laptop computer.
The villagers can then look at pages which have been downloaded from the
internet.
"Much like the post office, where the post man delivers letters once or
twice a day, we are delivering the internet to people once or twice a day,"
explained Satish Jha of the development organisation, Digital Partners.
Web on demand
The pilot project to create a mobile internet service has just started in
the Telangana region of the southern Indian state of Andhra Pradesh.
The trial will run for a year. If it is successful, it could be extended to
cover the whole state.
The funding is coming from a small seed grant from Digital Partners.
This Seattle-based non-profit organisation sees it as a possible way of
involving India's millions of rural dwellers in the internet revolution.
"Why should a whole section of population who don't have telephones, who
don't have electricity, be left behind", Mr Jha told the BBC programme Go
Digital.
"70% of villagers do not have access to telephones or electricity so how
can they use computers? We need to find ways of taking the computer to them."
Since there are no net connections in the villages, any relevant webpages
are first downloaded onto a laptop. A technician then drives out on a
motorcycle, perhaps twice a day.
Villagers are able to ask for services, like government forms or check
current information such as crop prices in regional markets or the latest
news from their area.
Early days
So far, the Cow project has generated a lot of interest among villagers.
"There is an element of curiosity," said Mr Jha. "As soon as they hear the
sound of the motorbike and know the laptop is coming, between 50 and 100
people will collect around it."
Mr Jha says this is the way technology has often reached villagers and
likens it to the early days of cinema, when villagers would crowd around a
screen to catch a peek of the moving pictures.
The project is still in its early days. But the organisers are hopeful it
could prove one way of overcoming the lack of a communications
infrastructure in the countryside.
************************
Federal Computer Week
DOJ strategic tech plan spells out major change
A "strategic" technology plan being circulated through the Justice
Department last week says that the department can no longer tolerate 39
separate "fiefdoms," each "doing their own thing" with computer systems and
networks.
Vance Hitch, the department's new chief information officer, said he is
determined to craft an agencywide information technology architecture and
require that new computer systems be used by several, and in some cases by
all, divisions within the department.
It's the kind of reform IT experts say is needed, but likely will be hard
to implement at the department, which is notorious for the independence and
insularity of its subsidiary agencies, such as the FBI, the Immigration and
Naturalization Service and the Drug Enforcement Administration.
Three months into his job, Hitch, who spent 28 years at the consulting firm
now known as Accenture, depicts the department as a fragmented agency
hobbled by aged computers and incompatible systems.
The security of the department's computer systems is so bad that Hitch said
he wanted to hire a deputy CIO and a cadre of IT security specialists whose
sole focus would be to fix "security holes."
"There are hundreds or thousands of them" in the department's computer
systems, Hitch said. To say that security must be improved "is an
understatement," he said, speaking at a breakfast sponsored by Federal
Sources Inc., a market research firm in McLean, Va. Security is so poor it
would be "very easy to take out a lot of our infrastructure."
The FBI, one of the department's most technologically troubled, is ill
prepared to deal with IT security holes, he said. "They did not even have a
good handle on how many systems they had," let alone what their security
problems are, Hitch said.
The state of security "is embarrassing," he said.
Poor security and many other IT problems can be traced to the department's
organization and its lack of a departmentwide IT architecture, Hitch said.
The department comprises 39 agencies, from such well-known ones as INS and
the FBI to lesser-known entities such as the National Institute of
Corrections and the U.S. Parole Commission.
"They all did their own thing" when it came to developing computer and data
systems, Hitch said. Even when they hired the same vendors to assemble
similar systems, the various components did not end up with systems that
were interoperable, he said.
"It is not the culture of the Justice Department" to operate as a single
agency, he said. Computer and data systems "developed in 39 stovepipes with
loose coordination, if any."
But the department has a new mission -- counterterrorism -- and President Bush
and Attorney General John Ashcroft are emphasizing greater information
sharing, increased information security, and a streamlined and simplified
approach. The role for IT is being refocused to emphasize mission
accomplishment, Hitch said.
The department plans to spend $2 billion on IT in 2003, and Hitch said he
aimed to modernize and unify the department's IT infrastructure.
Hitch said that Ashcroft has assured him that he will have a degree of
influence over the agencywide IT budget, but Hitch said he also wanted "to
be a part of the components' IT process."
Making changes won't be easy, said Roger Baker, former CIO at the Commerce
Department, and now an executive vice president at CACI International Inc.
Hitch's plan is "a great initial reaction," Baker said. "Any good
private-sector person who comes into government would say exactly the same
thing." But soon enough, "you figure out that the system is built exactly
to prevent you from doing what you know you should do."
Alan Balutis, another veteran of government technology management, is a bit
more optimistic. "It's doable," but only if Hitch can convince the
department's agency directors and CIOs to support his plan, said Balutis,
who is executive director of the Federation of Government Information
Processing Councils.
Even then, change is likely to come slowly, said Balutis, who was a deputy
CIO at Commerce and then director of the Advanced Technology Program at the
National Institute of Standards and Technology until early 2001.
***
Pulling it together
Among the goals Vance Hitch, chief information officer of the Justice
Department, has for his department are:
* Developing a departmentwide public-key infrastructure to enable different
agencies within the department to securely share information.
* Adopting common systems and solutions to facilitate collaboration.
* Saving money by adopting a departmentwide financial system.
* Searching for ways technology can change and improve department
operations. In the past, technology has been adapted to operations.
***************************
Federal Computer Week
OMB updates security guidelines
Agency officials could be held accountable for inadequately securing their
information systems under new guidelines issued by the Office of Management
and Budget.
The key change in the guidelines, released July 2, are the criteria for
evaluating the performance of federal officials with security responsibilities.
Developed in response to agency requests, the performance measures examine
the percentage of systems that have an up-to-date security plan, the
security budget for each system and the number of employees who received
specialized security training. Poor results could impact an agency's budget.
Early security rules and regulations have established measurements for
security systems, but few have focused on the performance and
accountability of the managers overseeing those systems, experts say.
"We're really in the elementary stages here, but you have to start
somewhere and this is an excellent start," said Sallie McDonald, assistant
commissioner for information assurance and critical infrastructure
protection at the General Services Administration.
The guidelines build on information garnered from the reports agencies
first submitted last year under the Government Information Security Reform
Act of 2000. GISRA requires federal chief information officers and
inspectors general to annually evaluate agency information security
practices and report the results to OMB.
Mark Forman, OMB's associate director of information technology and
e-government, said the baseline reports from last year are a good start,
but don't go far enough. "We need to track progress on improving the
baseline -- but we don't want to make this a rote exercise," he said.
The performance measures will help OMB track the outcomes, Forman said.
"This allows us to track the results, not just the actions they've completed."
This year, reports must include an evaluation of agency officials based on
the criteria OMB has provided. The performance measures represent a minimum
required response, according to the guidelines.
For example, agencies must create "plans of action and milestones," which
outline how officials plan to fix vulnerabilities discovered during the
evaluations. Such plans were incorporated into the fiscal 2003 budget
request, and future plans will continue to be part of the budget
development process, according to the guidelines.
Agencies will be assessed on their progress in managing information
security at the department level and at the bureau, agency or office level.
Performance measures provide needed direction for agency accountability,
but they are not as stringent as they might be, McDonald said.
The guidance "makes clear to agencies the areas they need to concentrate
on," she said. "OMB did an excellent job. I don't think they are
particularly onerous, and I think that they're good measures and ones we
can deal with."
Capt. Sheila McCoy, who leads the Navy Department CIO's information
assurance team, said the guidelines have "more specifics in terms of
numbers," but they are in line with what was expected.
But at least one security expert thinks OMB's guidelines are emphasizing
the wrong issue.
The guidelines assume that "lengthy risk assessments need to be done before
basic security actions are taken," said Alan Paller, director of research
at the SANS Institute, an education and research organization for IT
security professionals based in Bethesda, Md. Agencies delay taking simple
critical steps to protect their systems from common risks while staff and
consultants conduct lengthy risk assessments, he said.
The first step is to ensure that "each system passes minimum configuration
benchmark testing," Paller said. "If systems are attached to the Internet
before they are protected in conformance with the benchmarks, any security
action will generally be too late."
It might seem logical to place risk assessment as the first step, but it's
the wrong approach, Paller said. "It's like putting a bank in a rough
neighborhood. Even before you do that, you put a good lock on the door. You
don't need a separate study" to tell you that.
The Navy is in the process of finalizing the criteria the service will use
to assess its security measures, McCoy said. "These may or may not be the
same things OMB chooses to use," but they will encompass OMB's questions.
"We know that doing this report is part of the process," she added.
GISRA expires on Nov. 29, 2002, but several efforts under way in Congress
seek to extend its authority, most notably the Federal Information Security
Management Act, introduced by Rep. Tom Davis (R-Va.).
Christopher J. Dorobek and Rutrell Yasin contributed to this story.
**************************
Federal Computer Week
Tech firms could get homeland coverage
Bill would provide liability insurance
A House panel approved a proposal July 11 that would require the federal
government to step in and provide liability insurance for information
technology companies working on homeland security contracts.
The provision, drafted by Rep. Tom Davis (R-Va.), chairman of the House
Government Reform Committee's Technology and Procurement Policy
Subcommittee, would guarantee that IT companies have sufficient liability
coverage in the event of a catastrophe.
The committee tacked the provision on to the Homeland Security Act (H.R.
5005), which is making its way through congressional committees.
The pitch is simple: Contractors are arguing that companies developing new
anti-terrorism technologies with life-or-death consequences could be driven
out of business if they are sued because of a product failure.
Although private companies are able to purchase their own insurance plans,
many fear they would not be able to get enough coverage to protect them
against lawsuits that could force them into bankruptcy.
"The potential liabilities associated with homeland security-related
activities can be enterprise-threatening and may well cause many
cutting-edge firms not to compete for homeland security contracts without
adequate protections," Davis said in a statement. Davis' amendment would
require companies, on a case-by-case basis, to shop around for the best
insurance and would provide additional guaranteed coverage from the government.
David Marin, Davis' spokesman, said there is one law that protects
companies from risks in the event of a disaster relating to national defense.
But the law covers contractors working at specific agencies, not the
proposed Homeland Security Department, the CIA, the Justice Department or
the U.S. Postal Service, a quasi-governmental agency. And it does not cover
claims when technology is sold to commercial establishments or state and
local governments.
The legislation is "based on the premise that Congress should ensure the
availability of technologies that could make people and facilities across
the nation less vulnerable to terrorist threats," Marin said.
Many companies have already hesitated to bid on homeland security contracts
because of the liability problem, according to David Colton, vice president
of strategic initiatives at the Information Technology Association of America.
"The blue-chip technology and integration companies have elected not to
participate because of the fear that they would be exposing the entire
corporation by participation," Colton said. "This legislation is designed
to make sure the very best technology companies and contractors are able at
least to submit bids for homeland security."
Nevertheless, consumer groups see the proposal as another way to protect
corporate America's pocketbooks.
"Being liable to the public is important," said Bob Hunter, director of
insurance for the Consumer Federation of America. "Suppose you are grossly
negligent -- you're supposed to put in something that monitors for bombs, and
you put in something that monitors for pizza. Why should the taxpayer be
liable for gross negligence?"
The legislation now goes to the House Permanent Select Intelligence
Committee's Terrorism and Homeland Security Subcommittee, which will merge
various parts of the legislation requested by the Bush administration to
overhaul government and protect America.
***
Homeland security action
Highlights of amendments in the Homeland Security Act of 2002 (H.R. 5005)
made by the House Government Reform Committee include:
* An amendment, based on H.R. 2435, that promotes voluntary information
sharing about threats to the nation's critical infrastructure.
* Language that mirrors H.R. 3844, the Federal Information Security
Management Act of 2002, which permanently reauthorizes and strengthens the
Government Information Security Reform Act.
* A new section based on H.R. 4629 that will help the government evaluate
homeland security technologies and reward private-sector innovation.
* An amendment that expands and clarifies the proposed Homeland Security
Department's authority to manage its real property holdings.
* Procurement reform language similar to H.R. 4694 that gives the proposed
department the tools and flexibility it needs to acquire critical goods and
services quickly and efficiently, while maintaining important safeguards.
******************
Federal Computer Week
OMB to post IT checklist
Managers expected to cross-check list before budget request
The Office of Management and Budget's message to agencies is clear: Don't
ask for money to fund an information technology system if a similar system
already exists.
This week, OMB plans to post a list of governmentwide information systems
that support business operations and public services. Federal managers are
to use this list to find similar services or systems before making an IT
budget request.
If managers find a service or program that is similar in the so-called
business reference model, OMB officials want managers at the respective
agencies to work together to use or build a single system, thereby reducing
the amount of redundant spending on IT.
The business reference model, a fundamental piece of the Bush
administration's E-Government Strategy, "depicts, from a process view,
truly the entire enterprise of the federal government," said Norman
Lorentz, OMB's chief technology officer.
OMB plans to post the model July 18 in time for IT managers to use it to
make budget requests for fiscal 2004. OMB will begin formulating the fiscal
2004 budget request for the Bush administration this fall.
The business reference model splits the business of government into three
areas, Lorentz said: citizen services, support services and government
enterprise operations. Under each area of business are the many
subfunctions that are the agency applications and services.
The business reference model is part of the federal enterprise
architecture, which Debra Stouffer began to assemble while on detail to OMB
in January. "They're taking what I built, and applying it to making smart
budget decisions," said Stouffer, now CTO at the Environmental Protection
Agency.
The work on the enterprise architecture and the business reference model
continues with the Solutions Architects Working Group, which is overseen by
Bob Haycock, who is on detail as chief architect at OMB from the Interior
Department.
The working group is developing two key pieces of the business reference
model: a management and oversight plan that will ensure consistency in
updates and new releases, and a business performance reference model, which
will be the framework that OMB will use to measure investment outcomes.
Other reference models, such as those for data, applications and
technology, are at various points of development and will be released in
the coming months, he said.
The business reference model will be available on a Web site accessible
only by agency personnel, although parts of it likely will be released to
the public in time, Lorentz said.
This year, OMB pulled together the information in the business reference
model from agencies' fiscal 2003 budget requests. However, in the future,
agencies will be expected to update and manage their portions of the model
themselves, Lorentz said.
All enterprise architecture work will be done through the Enterprise
Architecture Management System (EAMS), a Web-based repository structured
around the business reference model, Lorentz said. Many agencies are
already using Extensible Markup Language-based capital planning tools such
as the IT Investment Portfolio System, but OMB also is developing an XML
schema to integrate all agency capital planning information into EAMS,
Lorentz said.
***
Building blocks
Timeline for the pieces of the federal enterprise architecture:
Business reference model -- Available July 18
Business performance reference model -- Draft due mid-August
Data reference model -- Under development
Application capability reference model -- Draft due mid-September
Technology reference model -- Draft due mid-September
**************************
Federal Computer Week
Security regs drive shipping firms online
In the face of heightened terrorist alerts, shipping companies are being
required to meet tougher rules and regulations to move cargo around the
world. And many of them are using Web-enabled services to ease the way.
The United States is not the only country to tighten cargo security
regulations in the wake of the Sept. 11 terrorist attacks, but every nation
has different rules, according to Greg Stock, vice president of marketing
for Vastera Inc., a global technology solutions firm.
"What's happened since [Sept. 11] is that every company recognizes that
they need to do their part to fight terrorism [and make] sure they are not
doing business with potential terrorists," Stock said. "You need to know
who your customers are."
Vastera uses Web-enabled technology to help shippers determine the rules in
every port of call and what forms they need to file electronically before
loading or unloading their cargo.
Vastera's product manages the system for shipping companies that lack the
staff or technical knowledge to do it on their own, and it keeps track of
all cargo, so a shipment does not sit idle and vulnerable to being used to
smuggle contraband.
George Weise, former Customs commissioner and now Vastera's vice president
of global trade compliance, said customs agencies worldwide have been
performing more risk assessments of cargo in light of growing terrorist
threats.
"The only way to look at it is not transaction by transaction, but by risk
factors and get to know your importer," he said.
The risk of contraband or weapons of mass destruction being smuggled aboard
a ship is growing even though an estimated 80 percent of world trade is
handled by 20 percent of importers, he said.
"You need to know where your goods are at every point of the process and
have security measures in place all the way through," he added.
Rob Quartel, a former Customs official and now chairman and chief executive
officer of FreightDesk Technologies LLC, a technology company with a
transportation management application, describes it as a case of self-policing.
"Customs is very much asking the industry to voluntarily deal with these
issues," he said. "That is necessary, but it is absolutely not sufficient.
This is a process that the government has to be very much involved in. You
really need to gather the data well before it actually moves."
To help companies do their own screening along the way, Vastera provides
profiles of countries that manufacture products that terrorists could use.
A Vastera profile of Brazil, for example, cautions that the South American
country has developed biological material that could be deadly, and Libya
and Iraq reportedly have been interested in Brazil's ballistic missiles.
Concerns about the country's biological and missile programs mean there
will be "a restrictive attitude toward the export of biological and
missile-related technology from the European Union and the United States,"
according to the profile.
"No one wants to be the next CEO who makes the mistake of sending goods to
a known terrorist," Stock said.
To keep that from happening, Vastera has a database of more than 400 names
from the State Department and other sources that includes terrorists and
drug felons and traffickers so companies can run the names against customer
lists.
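The screening step Stock describes, matching customer records against a
list of names, is shown below as an added example. It is not code from the
original article or from Vastera's product. The watch list and customer
records are constructed, fictitious sample data, and the matching rules
(case folding, stripping diacritics and punctuation, comparing names as
order-insensitive token sets, expanding known aliases, flagging partial
matches for review) are this example's own assumptions about what a useful
screen does, not a description of any real list or vendor algorithm.

```python
"""Denied-party screening: run customer names against a watch list.

Added example; it is not code from the original article or from Vastera's
product. WATCH_LIST and CUSTOMERS are constructed, fictitious sample data,
and the matching rules (case folding, diacritic and punctuation stripping,
token-order-insensitive comparison, alias expansion, a partial-match
threshold) are this example's own assumptions about what a useful screen
does, not a description of any real list or vendor's algorithm.
"""
import re
import unicodedata

# Constructed watch list: canonical entry -> known aliases and spellings.
WATCH_LIST = {
    "Example Trading Co": ["Example Trading Company", "Example Trading Co."],
    "Juan Perez Lopez": ["Perez Lopez, Juan", "Juan Pérez-López"],
    "Acme Precursor Chemicals": [],
}

# Constructed customer records to screen.
CUSTOMERS = [
    "ACME PRECURSOR CHEMICALS",  # same name, different case
    "Perez-Lopez, Juan",         # surname first, hyphen and comma noise
    "Juan Perez",                # only two of the three watch-list tokens
    "Globex Widgets Ltd",        # not on the list
]


def normalize(name: str) -> str:
    """Fold case, strip diacritics and punctuation, collapse whitespace."""
    decomposed = unicodedata.normalize("NFKD", name)
    no_marks = "".join(ch for ch in decomposed if not unicodedata.combining(ch))
    cleaned = re.sub(r"[^a-z0-9 ]+", " ", no_marks.casefold())
    return " ".join(cleaned.split())


def tokens(name: str) -> frozenset:
    """Order-insensitive token set, so 'Perez Lopez, Juan' == 'Juan Perez Lopez'."""
    return frozenset(normalize(name).split())


def build_index(watch_list: dict) -> dict:
    """Map the token set of each canonical name and alias to the canonical entry."""
    index = {}
    for canonical, aliases in watch_list.items():
        for variant in [canonical, *aliases]:
            wtoks = tokens(variant)
            if wtoks:  # skip entries that normalize to nothing
                index[wtoks] = canonical
    return index


def screen(customers, watch_list, min_overlap=0.6):
    """Return (customer, canonical_entry, kind) for every hit.

    kind is 'exact' when the normalized token sets are identical, and 'partial'
    when at least min_overlap of a watch-list entry's tokens occur in the
    customer name. Partial hits are meant for human review, not auto-blocking.
    A plain string compare against the canonical names would catch none of
    the sample records above.
    """
    index = build_index(watch_list)
    hits = []
    for customer in customers:
        ctoks = tokens(customer)
        best = None  # (canonical, kind, overlap)
        for wtoks, canonical in index.items():
            if ctoks == wtoks:
                best = (canonical, "exact", 1.0)
                break
            overlap = len(ctoks & wtoks) / len(wtoks)
            if overlap >= min_overlap and (best is None or overlap > best[2]):
                best = (canonical, "partial", overlap)
        if best is not None:
            hits.append((customer, best[0], best[1]))
    return hits


def run_sample():
    """Screen the constructed customers against the constructed watch list."""
    return screen(CUSTOMERS, WATCH_LIST)


if __name__ == "__main__":
    for customer, entry, kind in run_sample():
        print(f"{kind:8s} {customer!r} -> {entry!r}")
```

The point of the normalization and token-set comparison is that a list of
this kind is only as good as the matching in front of it: the same person
appears with a different word order, accents or punctuation in customer
data, and an exact compare would pass all of them. The partial-match
threshold is a tuning knob; set it too low and every common surname becomes
a hit that someone has to clear by hand.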
"Companies are going to find that trade in this new paradigm is much
harder," he said. "But with the Web technology, companies are able to
update changes every day and tap into ways to automate the process of
getting goods across borders."
Even before Sept. 11, Vastera was developing technology to ease the way for
shippers and other kinds of cargo carriers. The company provided management
services that helped companies navigate the complex maze of trade and
tariff rules, calculate the real cost of importing and exporting, and
supply the required electronic documents.
Adrian Gonzalez, an analyst with the Arc Advisory Group Inc., a market
research and consulting firm, said Vastera is part of a growing trend of
merging technology with managed services.
"Vastera is a good example of how [it plays] out in the realm of
international trade," Gonzalez said. "When you look at international trade,
technology by itself has limited value. It's really about people,
processes, technology."
Vastera's customers include Nortel Networks Ltd., Lucent Technologies and
Dell Computer Corp.
"If you are shipping a camera from the United States to Germany, there are
12 to 15 documents that have to accompany the camera," Stock said. "Our
software figures out the right classification [and] tells you what it
costs, because when goods get to customs, you don't want it to sit there
for long."
*************************
Federal Computer Week
Feds get carded
Agencies turn to smart cards to tighten security
Two years ago, smart cards were something of a novelty for federal
agencies. But times have changed, and the events of Sept. 11 have boosted
their worth as a tool for tightening security and providing a way to
control access to buildings and computer networks.
New laws are adding to the urgency. For example, the Border Security Act,
signed by President Bush in May, mandates development of a
machine-readable, tamper-resistant biometric method of monitoring
foreigners as they enter and exit the country. Smart cards are likely to be
the only feasible way of doing that by the October 2004 deadline.
And technical developments are pushing aside some past objections to smart
cards. Late last month, the National Institute of Standards and Technology
published an interoperability specification described by some as the
cornerstone of future government smart card programs. If adopted by
agencies, the specification will enable different vendors' cards and
readers to work with one another, which is seen as an important step in
convincing agencies to use the technology.
Still, doubts persist. Slow buy-in by top agency managers, concerns about
costs in an era of ever-tightening budgets and suspicions about the
reliability of the technology have so far kept a lid on what might
otherwise have been a rapid deployment of smart cards.
"I do think the rate of interest has increased after Sept. 11, but the
knowledge level [about smart card technology] is marginal at best," said
Mike Brooks, director of the General Services Administration's Center for
Smart Card Solutions. "We are working on educating people on the attributes
of [smart cards] and about the multiple applications that can be put onto
them."
Because smart cards include relatively powerful microprocessors and some
local memory, they can work with agency applications while carrying such
information as biometric identifiers of the card's user and digital
certificates that can be used with an agency's public-key infrastructure.
Many agency officials say they would move to smart cards if they had the
money, said Mickey Femino, director of GSA's Center for Innovative Business
Solutions. "Otherwise, they have to take the funds from current line items,
and then it becomes difficult. Beginning pilot programs is easy, but to
fully develop programs, they need to see the [specific] dollars in their
budgets."
Brooks said GSA officials are working to convince agencies of the long-term
savings smart cards will bring so that they will be less reluctant to
redirect current resources to fund a smart card program.
Problem Solved
Nevertheless, Brooks feels the tide is turning. "Before Sept. 11, smart
cards were a solution looking for a problem," he said. "We have the problem
now, and we need to promote the use of smart cards as one of the tools
people can put into their security toolbox."
A report from GSA's Office of Electronic Government shows that agencies
have issued slightly more than 1.4 million smart cards and projects that
usage will increase to more than 4.3 million cards during the next year or
so. The report covers programs at 24 agencies, ranging from large military
deployments to small-scale pilot programs such as the one under way at the
U.S. Patent and Trademark Office.
USPTO had 15 cards in use when the research for the report was conducted,
but officials expect to reach a full deployment of around 8,500.
The biggest government project is the Defense Department's Common Access
Card (CAC) program, designed to provide a new military identification card
and a means for securing access to military facilities, computers and
networks. More than 800,000 cards have already been issued, and plans call
for a total of up to 4.5 million to be issued by the end of 2003.
The scope of the program is truly global, with around 900 sites in 13
countries involved in issuing the cards. But the program is nearly a year
behind schedule, mainly because of problems associated with handling such a
widely distributed system rather than issues with the technology itself,
according to Gordon Hannah, a spokesman for the CAC program.
"The initial goal was aggressive and deliberately so, in order to keep
people moving along," he said. "The bad news is that we haven't been able
to expand it as quickly as we would like, but some negative issues in a
program of this size are inevitable. And going from the initial tasking to
converting all of the issuance workstations in around a year is really
working at Internet speed for a government agency."
As many as 13 million smart cards could end up being issued under the
program. The final number will be determined by such factors as how many
military family members are also DOD employees and how many military
retirees still need access to facilities. However, there is no formal
requirement to go beyond the initial target population of around 4 million,
Hannah said.
On a smaller scale, State Department officials began looking at smart card
technology more than seven years ago. They are in the process of capturing
photographs and data on the 20,000 employees in the department's National
Capital Region for cards that will be used to gain access to the
department's buildings. That project should be completed by the end of July.
However, the cards have always been intended for other uses as well, said
Lolie Kull, program manager for the Bureau of Diplomatic Security's smart
card project. State's PKI office will place digital certificates on more
than 2,000 cards by the end of the year, she said, and a number of programs
under consideration would use the cards for access to computer systems.
Eventually, all State employees will use smart cards.
Culture Change
Perhaps the hardest part has been getting buy-in from the department's
upper management. There has been interest, "but no strong support," Kull
said. "So far, it's been a difficult way to do this. We've had to justify
all of our steps, why we needed more money for this and that, and so on."
She believes a cultural change is necessary if State is to make full use of
smart cards' capabilities, and that could take five years.
But a slow approach might be the right way to go, according to Randy
Vanderhoof, acting president and chief executive officer of the Smart Card
Alliance, an industry organization.
"We are very pleased at the aggressive position the government has taken to
stop researching [smart cards] and actually start putting them in place,"
Vanderhoof said. "And the proof that it can be done and done effectively is
the DOD CAC program."
But he feels agencies might be moving too fast. "I am not in favor of
getting the technology out there just to get it in place quickly," he said.
"I think the government is doing what it can to get the pieces in place,
but there needs to be a way to get it done in a decent fashion so that
things work well and policy decisions can keep up with the technology
deployments. Otherwise, we could have public relations problems."
Although none of the programs under way at agencies were begun as a result
of the events of Sept. 11, most of them were affected by them; if nothing
else, the terrorist attacks prompted a change in the initial focus of
existing smart card programs. Most now stress the initial use of smart
cards for physical access to buildings.
One program that is a direct result of the terrorist attacks is the
Transportation Worker Identification Card (TWIC) initiative at the newly
formed Transportation Security Administration. TWIC, which will begin with
several pilot projects this fall, will be used as an ID and building access
card by workers at airports, seaports and other transportation hubs.
Eventually, TSA could issue up to 13 million cards.
The Federal Aviation Administration has issued a request for proposals for
a smart card program that will serve as the initial pilot project for the
TWIC effort. That pilot project will last for about nine months, said
Michael Brown, director of the FAA's Office of Information Systems
Security. Officials will begin procuring cards for agencywide distribution
shortly afterward, with the goal of issuing smart cards to the FAA's 50,000
or so employees and a similar number of contractors.
Problems may still lie ahead for this and other programs, but most
observers agree that there is no longer any question about whether smart
cards have a future in North America, and the U.S. government is leading
the way.
"It was the case several years ago that we saw the government was moving
but just not fast enough," said Paul Beverly, vice president of smart cards
at SchlumbergerSema, one of the world's major suppliers of smart cards, and
chairman of the board at the Smart Card Alliance. "But over the past year,
I think the government has taken a real leadership role."
However, inertia is a problem at many agencies, according to GSA's Femino.
Although the terrorist attacks have pushed officials to reconsider their
approaches to security, many agencies already have systems in place and
question why they should change them, he said.
According to Brooks, one solution could be an executive order requiring
agencies to adopt smart card technology, along the lines of what the DOD
brass did for that department's smart card program. In fact, officials from
GSA and other agencies with a strong interest in smart cards recently
visited the Office of Management and Budget to make their case for having
the Bush administration issue such an order.
OMB officials will say only that they are reviewing the need for a public
statement on the use of smart cards by government agencies. Brooks is more
confident and predicts "an 80 percent chance" that such an order will be
issued soon.
Robinson is a freelance journalist based in Portland, Ore. He can be
reached at hullite@xxxxxxxxxxxxxxx
****************
Federal Computer Week
DOD demands faster, better cyber intell
Striking a balance between the Defense Department's dwindling human
intelligence resources and its advancing information technology tools and
acting quickly on the information gathered is essential to protecting the
armed services against cyberattacks and succeeding in the war on terrorism,
according to military leaders.
Lt. Gen. David McKiernan, director of Army operations, said cyberwarfare is
a threat that the armed services must monitor daily because "a modern or
future opponent can get into our decision-making through the cyber domain."
It is especially difficult to defend against these attacks, he added,
because strikes can originate from anywhere.
But the hardest part comes when that enemy is no longer online. "At some
point, if the opponent is blended in with the local culture, tribe or city
and is not talking on signals or with computers...then you have to gather
intelligence through human sources," McKiernan told Federal Computer Week
after testifying at a July 11 hearing of the House Special Oversight Panel
on Terrorism. "We need to develop the full range of capabilities and the
right regional expertise, and do it over the long haul."
Air Force Maj. Gen. Randall Schmidt, assistant deputy chief of staff for
Air and Space Operations, said that coordinating the intelligence,
surveillance and reconnaissance network in Afghanistan internally, and
among the services, took "ingenuity and cooperation." He added that the
process must be speeded up and tightened for continued success.
At a similar hearing last month before the same oversight panel, Navy and
Marine Corps officials also agreed on the importance of faster intelligence
and information sharing. Marine Corps Lt. Gen. Emil Bedard, deputy
commandant for plans, policies and operations, said that real-time
intelligence sharing has improved throughout the operations in Afghanistan
but is still not perfect.
Bedard said that Operation Enduring Freedom has illustrated the
"reach-back" capabilities that technology provides. He used the example of
an Afghanistan-based Marine commander receiving terrain, landing zone,
route and the latest enemy situation data from intelligence officials in
Quantico, Va., in less than four hours.
"Having direct feeds [from] the intelligence-gathering platform to the
people working the mission... we need to get better at that," Bedard said.
Rear Adm. Joseph Krol Jr., assistant deputy chief of naval operations for
plans, policy and operations, agreed. "Speed is [what] we need to
concentrate on," he said at last month's hearing. "Our in-theater ability
to operate with our allies has been successful, but needs to get better. We
need more plug-and-play situations."
Rep. Jim Saxton (R-N.J.), chairman of the terrorism panel, and ranking
member Rep. Jim Turner (D-Texas) expressed concern about the military's
ability to share information with the intelligence community, namely the CIA.
Krol said that the Navy receives information collected by spies
"eventually, but we're not 100 percent sure what the source is." He added
that the service works that data into operations when it can, but that
process takes longer than it should because of the unknown source of the
information.
At last week's hearing, Rep. Jim Gibbons (R-Nev.) asked the DOD officials
for their "most significant intelligence need," and all of them named the
same technology: unmanned aerial vehicles, such as the Air Force's
Predator, which has been successfully deployed in Afghanistan (see box).
"The ability to provide that asset to operational and tactical commanders,
now and in the future...and put it into the hands of the warfighter...is
absolutely critical," the Army's McKiernan said.
"This all points to the importance of the detection of intelligence to [the
time] where it can be actioned," said the Air Force's Schmidt. "The value
of intelligence is only as good as how you action it."
***
'Enduring' successes
Defense Department officials outlined several of the services' technology-
aided intelligence successes in Operation Enduring Freedom, including:
* Using prototypes of the Prophet system, a new ground-based surveillance
system that enables commanders in the field to intercept radio frequency
signals generated by many kinds of electronic equipment.
* Trojan SPIRIT, or Special Purpose Integrated Remote Intelligence
Terminal, which can carry high volumes of secure intelligence from national
agencies and Army headquarters to commanders in the field. The tool was
used within hours after the Sept. 11 terrorist attacks and has supported
subsequent national security events, including the Super Bowl. A
lightweight, portable version has been deployed in Afghanistan.
* The Air Force's Predator, an unmanned aerial vehicle that uses radar, a
television camera and an infrared camera for surveillance, reconnaissance
and targeting.
************************
Federal Computer Week
New reasons to get thin-client computing
Telecommuting, post-Sept. 11 priorities renew interest in thin-client computing
Two years ago, the General Services Administration Public Buildings
Service's New England region assembled its employees in a town hall
meeting. Such get-togethers, aimed at uncovering problems and soliciting
suggestions, are not unusual for the agency.
But as Jim LeVerso, chief information officer of the region, listened to
the proceedings, it occurred to him that this meeting was different. In the
past, employees lobbied the administration to allow them to do more work
away from the office. "This time, it was the administration that was
saying, 'We want you to telecommute. Tell us what we need to do to make
that possible,'" LeVerso said.
Telecommuting appears to be changing from merely a convenience for workers
to a strategic goal for some agencies. Similarly, the technology that
LeVerso chose to enable the telecommuting program, server-based computing
(SBC, also called thin-client computing), is taking on a more important role.
In SBC, software applications, from word processing programs to accounting
applications, run centrally on a server, and only the user interface and
necessary files and data are transmitted to users' PCs or other
Web-connected devices. This approach makes it an effective platform for
telecommuting. SBC backers say that its approach also makes it well-suited
for two new post-Sept. 11 priorities: enabling more data sharing by
agencies and helping agencies to continue running in case disaster strikes.
Catching On
SBC has been available for several years, but David Friedlander, an
industry analyst with Giga Information Group Inc., said that the biggest
change in government as well as commercial usage is the increase in the
size of installations.
"During the past two years, SBC has been moving steadily upstream from its
start as a workgroup solution to enterprisewide deployments," he said. He
pointed out that more robust management tools and performance enhancements
have encouraged agencies with large numbers of users, such as the GSA
Public Buildings Service, to consider SBC.
Before choosing an SBC solution, LeVerso and his colleagues laid out the
requirements for the future telecommuting program. A good system would
enable employees to:
* Access all applications from any PC.
* Run applications at home, on the road or at a client site, even if it
meant connecting to the office server via low-speed dial-up lines.
* Start work at one location and pick up where they left off at a different
location with no loss of data.
It was already a tall order when GSA officials added, "'Figure out how to
make it happen. And by the way, we can't offer you any additional resources
or people,'" LeVerso said.
Unfortunately, the office's applications were too resource-intensive to run
efficiently on a wide-area network. The plan might work if information
technology administrators paid a lot of attention to network resources and
required employees to use only high-bandwidth lines. But that did not fit
the telecommuting program's "anywhere with any connection" requirements.
What did fit the bill was SBC technology that LeVerso had seen demonstrated
by Citrix Systems Inc. of Fort Lauderdale, Fla. With Citrix MetaFrame now
installed in their data center, 300 employees of the Public Buildings
Service's New England region, and some users in the other regions, can
launch applications from anywhere by clicking on an icon, just as they
would if the applications ran on their PC or a local-area network.
That mouse click launches MetaFrame software on the server, which runs the
business application the user wants to access and manages the
communications session. To users, even those on a dial-up connection from
home, the application runs about as fast as it would on a LAN-attached PC,
LeVerso said.
The Secure Sockets Layer (SSL) protocol with 128-bit encryption is used to
protect communication between the client and server. And because each
user's files
are maintained on the server, the machine the employee happens to be using
is irrelevant, as long as it can connect to the application server via the
Internet or a network.
"For years, the goal of IT was to make computing a utility, like switching
on a light," LeVerso said. "With this architecture, I think we finally did it."
New Drivers
Don Leckrone, director of Defense Department accounts at Santa Cruz,
Calif.-based Tarantella Inc., sees two new security concerns pushing
federal agencies to consider SBC.
The first is disaster recovery. Users who must evacuate buildings can
simply go to PCs in other offices and pick up where they were interrupted.
And the decentralized nature of the Internet, built that way to withstand
an attack, means the network will always be available. Also, the server,
the most vulnerable component of SBC, can be protected easily through
standard backup practices such as mirroring, which involves creating a
replica of the primary system at another site.
Second, new homeland security procedures require new types of
collaboration. "Many people are starting to have to work on applications
that their agencies don't own," Leckrone said. SBC is an easy way to
authorize new users without having to load software on their PCs or even
take into account the operating system they are using.
Another driver is the increased popularity of Web portals.
"Workers want more consolidated and personalized access to all their
applications," Friedlander said.
In fact, consolidated access to applications is one reason that officials
at the Interior Department's National Business Center (NBC) decided to use
Citrix MetaFrame to develop an SBC solution for financial reporting.
"We provide a single point of entry to all our applications through a Web
page," said Mike Sciortino, a system manager at NBC. That approach "makes
it very easy for our users to configure their workstations and connect to
the system."
Interior has used MetaFrame since June 2000 to provide access to financial
reporting software and other applications, including Microsoft Excel and a
text editor. About 250 people use the system.
Sciortino said that before moving to SBC architecture, Interior had
problems with large amounts of data clogging its network. As a result,
users suffered from poor connection performance and corrupted databases.
Now that program files and data files are centrally located on two
side-by-side servers, the applications run more smoothly and data
corruption does not occur, he said.
Another advantage of SBC, according to Sciortino, is that software upgrades
are much easier to manage. Before using MetaFrame, NBC would have to
install full upgrades on each PC that accessed the system and struggle with
the inevitable compatibility problems. Now software upgrades only have to
be installed on the central application server. As soon as users log off
and back on, they're working with the latest version.
SBC may be the right technology at the right time. Security considerations,
new collaboration requirements and budgetary constraints are forcing
agencies to seek new ways to launch and manage applications.
SBC, which is finally becoming enterprise-ready, may be one solution to
those problems.
Stevens is a freelance journalist who has written about IT since 1982.
***
Three other perks
The primary advantages of server-based computing (SBC) are reduced costs,
easier administration and increased security. But there are other
advantages, according to Christa Anderson, author of "The Definitive Guide
to Citrix MetaFrame XP." According to her:
* SBC helps bring more people into the fold. Many agencies have employees
who use non-Microsoft Corp. Windows operating systems on their computers,
primarily the Apple Computer Inc. Mac OS or Linux. Those users usually have
to move to a Windows machine to access the agency's enterprise
applications. SBC automatically extends the applications to all platforms.
* SBC delays hardware upgrades. "A hidden cost in any software upgrade is
the cost of replacing all the hardware [that] no longer works well with the
new application," Anderson said. SBC removes hardware considerations from
any upgrade project.
* SBC ensures more efficient use of computing resources. For
resource-intensive applications, SBC architecture can provide more bang for
the buck. An application accessed by, say, five people on a server uses
less memory and processing power than the total resources for the same
application run on five separate PCs, Anderson said.
****************************
Government Computer News
OMB gives agency e-gov work a passing grade
By Jason Miller
In the last four months, 16 agencies, led by the National Science
Foundation, have made significant progress toward President Bush's
e-government goal, the Office of Management and Budget said today.
OMB released a midyear report card showing agencies' status toward meeting
the five categories of goals laid out in the President's Management Agenda.
The report card comes five days after Bush sent a memo to department chiefs
commending agencies who have actively engaged in e-government and urging
those who have not "to follow their lead."
OMB evaluated the 26 major agencies using a green, yellow and red scoring
approach. Green means agencies have met all standards for success; yellow
means agencies have achieved some, but not all the criteria; and red means
there are some serious problems.
Agencies showed the most progress in the e-government and financial
management areas. OMB gave 16 green and 10 yellow scores under e-government
and 16 green, nine yellow and one red under financial management. Agencies
showed less progress under the other subjects: 12 green for human capital,
13 green for competitive sourcing and nine green for budget and performance
integration.
For e-government efforts, only NSF improved its current status, to green
from yellow. It had already received a green score for financial management
when OMB issued the first round of scores in February. OMB said the agency
met "all of its core criteria" and developed "a process to implement
corrective action plans for program level information technology security
weaknesses."
"The federal CIO Council had a strategic planning off-site in April, and we
committed to making major progress on the 24 e-government initiatives over
the next 12 months and helping each other through cross-agency budgets,"
said Mayi Canales, co-chairwoman of the CIO Council's E-government
Committee and acting CIO of the Treasury Department. "You will find at the
CIO level a continued planned progression toward green."
Five other agencies also saw changes in their current status. The Energy
Department improved under human capital to yellow, the Labor Department
earned a yellow score for its improvements in financial management and the
Social Security Administration advanced to yellow under budget and
performance integration. NASA and the Small Business Administration were
downgraded to red under financial management.
**************************
Government Executive
White House position on FOIA exemption attracts critics
By Drew Clark, National Journal's Technology Daily
The Bush administration this week endorsed a Freedom of Information Act
(FOIA) exemption for data about computer networks and other security issues
that appears to yield little ground to environmentalists and open-record
advocates.
The issue of how extensive such an exemption should be has stirred
partisan disagreement, with many Democrats questioning the need to exempt
voluntarily submitted information from FOIA disclosure.
But in a win for the technology industry, united with utilities, financial
services firms and manufacturers, the White House weighed in with draft
language that includes both elements.
A draft of the bill prepared by the House Select Committee on Homeland
Security has included the FOIA exemption, the potential limitation of
liability, and language that provides an antitrust exemption for businesses
that share information deemed vital for "critical infrastructure security."
The text of the applicable provisions in the Select Committee's draft
mirrors those drafted by Rep. Tom Davis, R-Va., and passed late Thursday
night by the House Government Reform Committee. The committee accepted an
amendment by ranking member Henry Waxman, D-Calif., clarifying that the
exemption did not apply to lobbying activities.
Many Democrats have been skeptical because of an aggressive campaign
against the exemptions by environmental groups. The bill creating a
Homeland Security Department authored by Senate Government Affairs
Committee Chairman Joseph Lieberman, D-Conn., contains no similar provisions.
The antitrust exemption in the Davis bill passed on Thursday differs from
previous versions in that it gives the president the authority to declare
that private-sector centers established to share such information receive
an existing antitrust exemption found in the 1950 Defense Production Act. A
Davis spokesman said Friday that the administration is supportive of that
approach.
Although administration officials failed to return calls seeking
clarification, in May, John Malcolm, deputy assistant attorney general in
the criminal division, raised questions about both the antitrust exemptions
and the provisions that information disclosed to the Homeland Security
Department could not be used "in any civil action arising under federal or
state law if such information is submitted in good faith."
Open records activists have voiced a similar fear. "How, in a week where
Congress is focused on corporate wrongdoing, malfeasance, and scandal,
could you present in a serious manner measures that give [businesses] a get
out of jail free card?" questioned Gary Bass, executive director of OMB Watch.
Spokesmen for other public interest groups presented scenarios in which
businesses voluntarily release information about security vulnerabilities
in the expectation that it will then not be used against them.
Business groups and legislative supporters paint such scenarios as
far-fetched, and said that the bill will not impede regulatory
investigations. "This amendment is very narrowly defined, and only seeks to
address information that is deemed essential to the economy and to national
defense," said Davis spokesman David Marin.
They argue that the measures are necessary to create a "good Samaritan"
exception that would encourage businesses to strengthen computer security,
said Mario Correa, director of Internet and network security policy for the
Business Software Alliance.
**************************
Computerworld
New specs released for wireless speech, text delivery
By TODD R. WEISS
The continuing development of text-to-speech capabilities for wireless
devices received a promising boost today with the release of the first
specifications by the industry-led SALT Forum.
In an announcement, the SALT Forum, the group of companies that's been
working since last year to establish Speech Application Language Tags
(SALT) to accelerate text-to-speech capabilities in wireless devices, said
its first specifications have been assembled and submitted to an unnamed
standards group for consideration.
Once the first specifications receive the nod from the standards group, the
SALT Forum members hope that developers begin using them to create new
applications and hardware with new speech capabilities.
Rob Kassel, product manager for emerging technologies at SpeechWorks
International in Boston, one of the SALT Forum companies, said that by
having clear specifications and support from a standards group, SALT hopes
to encourage the next round of innovation in speech and text features in
wireless devices.
Already there are VoiceXML standards for voice capabilities on desktop
computers. But the SALT specifications seek to add advanced capabilities
for smaller, portable wireless devices such as personal digital assistants,
laptop computers and the latest wireless phones, Kassel said.
The first Version 1.0 specs are available at the SALT Forum Web site.
"The SALT 1.0 specification provides application developers with a
documented way to leverage existing Web markup languages," said Daniel
Miller, senior vice president of Voice & Wireless Commerce at The Kelsey
Group, in a statement. "Its release by the SALT Forum marks a major
milestone that should accelerate integration of automated speech,
multimodal and telephony applications."
The SALT Forum, created in 2001, has developed specifications that define a
set of lightweight tags as extensions to commonly used Web-based
programming languages such as HTML, XHTML and XML, while incorporating
existing standards from the World Wide Web Consortium and the Internet
Engineering Task Force. This allows developers to add speech interfaces to
Web content and applications using familiar tools and techniques.
Philip Marshall, an analyst at The Yankee Group in Boston, said the SALT
specifications will eventually bring more developers and companies into the
emerging market segment as users seek new capabilities for their wireless
devices.
The SALT Forum, based in Boston, includes Cisco Systems Inc., Intel Corp.,
Microsoft Corp., Aliant Telecom, Cambridge VoiceTech, Carnegie Mellon
University, Fonix Corp., InfoTalk Corp., Multi-Modal Technologies,
SnowShore Networks and Verizon Wireless.
The group is working to develop a royalty-free standard that works with
existing Web markup languages to provide spoken access to many forms of
content through a wide variety of devices.
Announcement, see: http://www.saltforum.org/press.asp
SALT Version 1.0, see: http://www.saltforum.org/salt.1.0.FinalSpecification.doc
***************************
MSNBC
Virus tempts with peek at passwords
'Frethem' spreading around Internet quickly
By Bob Sullivan
MSNBC
July 15 - A new computer virus with the tempting subject line "Re: Your
password!" began worming its way around the Internet Monday. Dubbed
"Frethem," the virus is rated a medium risk by most researchers because it
is spreading relatively quickly. According to antivirus firm Symantec
Corp., Frethem has already infected computers inside 25 companies since its
initial discovery early Monday.
A computer specialist at the National Institute of Standards and
Technology, Joe Matusiewicz, said Frethem was hitting the agency very
hard: one copy of the worm was arriving every minute, he said. Fortunately,
systems there were stripping the worm off e-mails before they were sent to
recipients.
Still, Frethem is not expected to reach outbreak status on the
level of Melissa, or even the more recent Klez worm. Infection rates are
not dramatic. Vincent Gullotto, senior director of McAfee's Avert Labs,
said his firm has received about 100 submissions of the worm; Symantec says
it has received word of 112 individual computers that have been infected.
But that number might be a little deceiving, says Steve Trilling, director
of research at Symantec.
"It's pretty significant that 25 different corporations have been
hit by this thing," said Steve Trilling, director of research at Symantec.
"For any one of those, they may only submit one report, but that could
reflect many, many infections inside the company." Symantec rates the
worm's threat as a 3 on a scale of 1 to 5.
Frethem was actually released in its initial form several weeks
ago, Gullotto said. But during the weekend, four variants of the worm were
released, including "Frethem.L," which hit Sunday night. That's the variant
which seemed to click, and began spreading fast in Asia a little after
midnight PT, Gullotto said. Still, while McAfee raised its risk rating to
medium at that point, Gullotto thinks the worm will cause only scattered
problems.
"It's well under control now," he said at about noon PT. "I do not
see an outbreak happening."
Apparently, many Internet users have been tempted to peek at the
worm because of its enticing subject line, suggesting it offers some kind
of secret password information.
The body of the message says:
You can access
very important
information by
this password
DO NOT SAVE
password to disk
use your mind
now press
cancel
The e-mail includes two attachments: a harmless text file named
Password.txt, and the worm Decrypt-password.exe.
But the worm takes advantage of an old flaw in Microsoft Outlook
that allows it to execute even if the victim doesn't open the infected
attachment. (MSNBC is a Microsoft - NBC joint venture.) Merely previewing
the message in an unpatched Outlook system is enough to cause an infection.
A free patch to protect against that vulnerability is available at
Microsoft's Web site.
But even users who have patched their systems against that flaw can
still become infected if they open Decrypt-password.exe.
But the message body should be enough to tip off users that the
e-mail is suspicious, Trilling says.
"The message itself ought to seem a little odd," he said. "People
should realize that passwords are not things anyone other that ought to be
sending you information about. ... and nobody should be asking for your
password."
On the other hand, the message seems to suggest that it offers a
password that might open files and unlock secrets for a recipient willing
to open it, a temptation some apparently can't resist.
"I suppose in the same way people wanted to open a picture of Anna
Kournikova," Trilling said, referring to another successful virus that
appealed to Net users' desire to see pictures of the heartthrob Russian
tennis star.
Frethem can clog up corporate e-mail systems with extra messages,
but the worm doesn't seem to do anything else malicious to infected
computers. Only Windows systems are at risk; the worm won't infect Linux,
Unix, or Macintosh systems, according to Symantec.
Consumers can protect themselves by updating their antivirus software.
The Associated Press and Reuters contributed to this report.
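As an added illustration (not from the MSNBC article or from any vendor's product), the traits the story describes, the "Re: Your password!" subject and an executable attachment such as Decrypt-password.exe, are exactly what a mail-gateway filter of the kind NIST is described as running would key on. The check below parses raw RFC 822 messages with Python's standard email library; the sample messages are constructed for the demonstration, and the executable extensions beyond .exe are an assumption about what such a filter would also block.

```python
import email
from email import policy
from email.message import EmailMessage

# Subject line reported for Frethem in the article (compared case-insensitively).
SUSPICIOUS_SUBJECT = "re: your password!"
# Only .exe appears in the article; the other extensions are an assumption.
EXECUTABLE_EXTENSIONS = (".exe", ".scr", ".pif", ".com", ".bat")


def classify_message(raw: bytes) -> dict:
    """Parse a raw message and report Frethem-style indicators.

    Returns which indicators matched and whether the message would be
    held back from recipients (as the NIST systems in the article did).
    """
    msg = email.message_from_bytes(raw, policy=policy.default)
    subject = (msg["Subject"] or "").strip().lower()
    executables = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if name.lower().endswith(EXECUTABLE_EXTENSIONS):
            executables.append(name)
    subject_match = subject == SUSPICIOUS_SUBJECT
    return {
        "subject_match": subject_match,
        "executables": executables,
        "quarantine": subject_match or bool(executables),
    }


def build_sample(subject: str, attachments: list) -> bytes:
    """Constructed sample message; attachment bodies are placeholder bytes."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "recipient@example.invalid"
    msg["Subject"] = subject
    msg.set_content("You can access very important information by this password")
    for name in attachments:
        msg.add_attachment(b"placeholder-not-a-real-binary",
                           maintype="application", subtype="octet-stream",
                           filename=name)
    return msg.as_bytes()


# Constructed samples: one mimicking the article's description, one benign.
FRETHEM_LIKE = build_sample("Re: Your password!",
                            ["Password.txt", "Decrypt-password.exe"])
BENIGN = build_sample("Re: meeting notes", ["agenda.txt"])
```

The filter quarantines on either indicator alone, so a renamed subject line with the same executable payload, or the subject line with the executable stripped, is still caught.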
**************************
Lillie Coney
Public Policy Coordinator
U.S. Association for Computing Machinery
Suite 510
2120 L Street, NW
Washington, D.C. 20037
202-478-6124
lillie.coney@xxxxxxx