
Clips July 15, 2002




ARTICLES

Higher tobacco taxes encourage smuggling
Study: Bush Security Plan Risky
Cyberterror test checks connections
OMB may freeze homeland projects
Online Bets Are Becoming Harder to Collect
E-Tailers Wary of Credit Card Fraud
Blue Ridge team nabs pedophiles
China Internet Portals Sign Pact
Judge Bars Firm From Deploying Unauthorized Pop-up Ads
Hacker Group Targets Countries That Censor Internet
Many college students can't pass up free music
High-Tech Strategy Guides Pentagon Plan
Spam attacks growing
Hackers Raise Hell in Name of Security
DOJ strategic tech plan spells out major change
OMB updates security guidelines
Tech firms could get homeland coverage
Security regs drive shipping firms online
Feds get carded
DOD demands faster, better cyber intell
New reasons to get thin-client computing
OMB gives agency e-gov work a passing grade
White House position on FOIA exemption attracts critics
New specs released for wireless speech, text delivery

***************************
Associated Press
Higher tobacco taxes encourage smuggling

NEW YORK -- As state after deficit-ridden state ratchets up cigarette taxes, authorities are bracing for some unwelcome consequences in the form of more aggressive smuggling and bolder use of the Internet as a tax-evading tobacco shop.

Never before have so many states -- 17 this year alone -- approved cigarette-tax increases in such a short time. Anti-smoking advocates call it a win-win situation, enabling states to reduce smoking and budget deficits simultaneously.
In many legislatures, even tax-averse conservatives have supported the increases -- expected to generate $2.2 billion annually in new revenue -- as budget woes and anti-smoking militancy transform cigarette buyers into America's easiest-to-tax constituency.
With prices as high as $7 a pack in New York City, and more than $4 in many states, some smokers are trying harder than ever to quit. Those unwilling or unable to kick the habit are left with several options -- legal, quasi-legal and illegal -- for getting a nicotine hit without a tax hit.
Those who choose the illegal route often are successful. The Bureau of Alcohol, Tobacco and Firearms estimates state and federal authorities lose more than $1.5 billion annually in evaded cigarette taxes.
The ATF concentrates on major interstate smuggling operations involving at least 60,000 cigarettes. The workload has increased steadily in recent years; ATF now has about 150 active cigarette-smuggling cases.
"There's no question some large-scale organized crime gangs are involved," said ATF spokesman John D'Angelo. "Not only are these criminals depriving state and federal governments of tax revenue, they're using their profits for other criminal activity."
The primary sources of smuggled cigarettes are tobacco-growing states with low taxes -- for example, Virginia, whose tax of 2½ cents per pack is the lowest in the nation, and Kentucky, whose tax is 3 cents per pack.
In Ohio, where the tax recently rose 31 cents per pack, officials plan to monitor the Kentucky border for smugglers, and police are being trained to check for Ohio tax stamps on packs sold at stores. A carton of name-brand cigarettes in Ohio costs about $40, compared with about $25 in Kentucky.
In Maryland, where the tax rose to $1 per pack in June, authorities are on alert for more smuggling from Virginia. Maryland had only five arrests for cigarette smuggling in 1997, but more than 50 so far this year.
The Internet thus far accounts for only a small fraction of cigarette sales, but it may pose a bigger long-term threat to tax collectors than smuggling. The hefty tax increases may prompt more smokers to order in bulk from online merchants, who in turn may resist state efforts to collect taxes.
Under federal law, online cigarette vendors are required to report the names and addresses of out-of-state customers, but the law is widely flouted.
"Most vendors aren't turning over their customer list, so the Internet is becoming a hotbed of tax evasion," said Kurt Ribisl, a professor at the University of North Carolina School of Public Health.
Mr. Ribisl oversaw a study this year that identified 195 Internet cigarette vendors, up from 88 a year earlier. He said most advertise low-tax cigarettes and indicate they won't report to any authorities.
"We're definitely unprepared right now. We don't have the tools to get the states their proper revenue," he said. "You need federal legislation, because a patchwork approach from individual states is going to bog down."
In Congress, Rep. Martin T. Meehan, Massachusetts Democrat, is leading an effort to tighten regulation of Internet cigarette sales. Mr. Meehan's chief of staff, Bill McCann, predicted bipartisan legislation would be drafted this year aimed at enforcing existing requirements that Internet merchants block sales to minors and report out-of-state buyers.
Some states already are sending tax bills to smokers who patronized the Internet.
"They've thumbed their noses at us," said Gene Gavin, Connecticut's tax commissioner, "and they're right, because we don't do anything."
One legal complication is that many of the Internet sites are run by American Indians. Sales of cigarettes on Indian reservations are exempt from state and local taxes, and some Indian merchants contend their Internet sales also should be tax-exempt.
Larry Ballagh, a Seneca Indian from upstate New York, sells tax-free cigarettes over the Internet. "Adults who have been smoking for a number of years, they're not going to quit smoking," he said. "But they will shop around."
Tom Ryan, a spokesman for Philip Morris USA, said the tobacco company supports a crackdown on tax evasion. "The people really hurt by all this are the retailers who are doing business legitimately," he said. "Jobs are on the line."
John Singleton, a spokesman for R.J. Reynolds Tobacco Co., questioned whether law enforcement agencies, stretched thin by anti-terrorism duties and tight budgets, have the resources to combat cigarette smuggling.
"It's extremely profitable for those willing to break the law to drive to a low-tax state, load up a van, drive to a state with high taxes and sell them out of the back of a truck," he said.
Cigarette taxes can be a reliable revenue source for states if the taxes are "reasonable," Mr. Singleton said, "but with taxes at what a lot of smokers view as an unreasonable level, the states aren't going to get the revenues they're projecting and will find themselves with increasingly hard-to-enforce legal problems."
*************************
Washington Post
Study: Bush Security Plan Risky
Proposed Homeland Dept. Is Too Large, Report Says
By Bill Miller
Sunday, July 14, 2002; Page A05



President Bush's proposal to create a Department of Homeland Security "merges too many different activities into a single department" and should be significantly scaled back if it is to have any chance of success, according to an independent study.


The Brookings Institution, a Washington think tank, urged Congress to move cautiously as it considers the White House proposal to merge all or parts of 22 agencies into a department with a $38 billion budget and approximately 170,000 employees. Its report comes as Congress is moving at an unusually fast pace to act on the reorganization, with the House and Senate preparing separate versions of a bill for votes late this month.

"The question is no longer whether to reorganize but how and to what extent," the report contended. "Congress is clearly moving toward creation of a new department, but it can still choose what kind of department -- how large and how comprehensive."

Building such a massive department has many risks, the report warned.

"The danger is that top managers will be preoccupied for months, if not years, with getting the reorganization right -- thus giving insufficient attention to their real job: taking concrete action to counter the terrorist threat at home," the report said.

The study, conducted by a team of veteran policy analysts, recommended that the White House plan be stripped down to focus on border and transportation security, intelligence analysis and protection for the nation's critical infrastructure. It called for leaving the Federal Emergency Management Agency out of the department and keeping biological research under the control of the Department of Health and Human Services.

FEMA responds to natural and man-made disasters and functions well as a free-standing agency, the report said.

According to the Brookings team, the core elements of a new department should be the Coast Guard, the Customs Service, the Immigration and Naturalization Service and the Transportation Security Administration. All are part of Bush's plan.

The study also recommended that a Homeland Security Department should have more access to raw intelligence information than the White House is seeking. Instead of creating a center that receives and analyzes information gathered by the CIA, the FBI and other agencies, the new department should take over an FBI unit that specializes in terror-related intelligence analysis, the report said.

The report was prepared by an eight-member Brookings team that included Ivo H. Daalder, senior fellow in foreign policy studies; Paul C. Light, vice president and director of governmental studies; James B. Steinberg, vice president and director of foreign policy studies; and James Lindsay, senior fellow in foreign policy studies.

Their recommendations mirror some of the changes proposed by congressional committees and critics in recent weeks. Last week, numerous House committees recommended revisions to the president's plan that included leaving the Coast Guard and FEMA out of the department and strengthening civil service, union and whistle-blower protections for workers who would staff the agency.

Those recommendations were forwarded to the House Select Committee on Homeland Security, a specially created nine-member panel that will prepare a House version of the bill for floor debate. The committee, led by Majority Leader Richard K. Armey (R-Tex.), is scheduled to hold a series of hearings this week, starting Monday with testimony from Homeland Security Director Tom Ridge.

The committee plans to complete its work by Friday and forward a bill for debate on the House floor during the week of July 22.

In the Senate, the Governmental Affairs Committee, headed by Sen. Joseph I. Lieberman (D-Conn.), plans to draft a version of the bill at a hearing set for July 24. The full Senate will consider it before lawmakers begin a month-long recess Aug. 2.

Many congressional leaders are pushing to approve a final version of the homeland security bill by the one-year anniversary of the Sept. 11 attacks, though some lawmakers have grumbled about the rapid pace of deliberations.

The tight time frame, the Brookings scholars said, is another reason to scale back the White House plan. Other agencies could be merged into the department after more extensive consideration, they said.
***********************
Federal Computer Week
Cyberterror test checks connections


For the first time ever, federal, state and local government officials are partnering with representatives from the private sector and the utilities community in an exercise designed to identify the links between them in responding to and defending against cyberterror.

Operation Dark Screen, the brainchild of Rep. Ciro Rodriguez (D-Texas), is a three-phase exercise that will help all the players involved better understand their roles in preparing for, recovering from, and protecting the nation's critical infrastructure in case of a cyberattack.

"A lot of people think about chemical, biological and nuclear attacks, but very few people think about the cyber," Rodriguez said. "Anyone that is going to hit us, it's going to be a combination of those."

The program's first phase will be a tabletop exercise in September, where a yet-to-be-determined cyberattack will be played out and all participants will respond, said Gregory White, technical director for the Center for Infrastructure Assurance and Security (CIAS) at the University of Texas at San Antonio, which is leading the planning and execution of Operation Dark Screen.

The Air Force Air Intelligence Agency, Lackland Air Force Base, Texas, has assumed a leadership role in bringing together the various stakeholders, which include representatives from San Antonio, Bexar County, the Army, the Air Force, the state attorney general's office, the FBI, the private sector and many others, Rodriguez said.

The second phase of Dark Screen will focus on implementing the "lessons learned" from the tabletop exercise, and the third phase, which will take place in May 2003, will be a live exercise and include actual attempts to penetrate networks, White said.

"We can do it on paper, but by bringing everybody together at one time, we can see who is prepared to do that," White said, adding that so far participants have paid their own way through the planning stages, but attempts to secure federal and private funding are ongoing.
*********************
Federal Computer Week
OMB may freeze homeland projects


The Office of Management and Budget may freeze funds for information technology projects at agencies slated to join the proposed Homeland Security Department.

Officials aim to save money by identifying redundant plans for core IT systems and networks at the nearly two dozen agencies folding into the new department.

"If we do this smartly, this will create some savings through consolidations," Mark Forman, OMB's associate director for IT and e-government, told Federal Computer Week.

Officials expect to release an initial IT architecture framework for the department this week, along with guidance for the affected agencies, Forman said.

The consolidation outlined in the framework could save hundreds of millions of dollars, OMB Director Mitchell Daniels Jr., said at a July 12 press briefing.

The new department must have the best possible communications, and all of the pieces of the department need to be on one network, he said.

The Transportation Security Administration may find its key project jeopardized for other reasons. Funding for TSA's planned $1.4 billion IT infrastructure procurement is held up in Congress, which may force the agency to postpone the contract award, Daniels said.

"I am concerned," Forman said, because employees need at least a basic IT infrastructure to function.
*************************
New York Times
Online Bets Are Becoming Harder to Collect
By MATT RICHTEL


Online casinos are finding it ever more difficult to cash out.

Indeed, these Web sites are likely to feel an indirect, but not insignificant, impact from the announcement last week that the online auctioneer eBay intends to acquire PayPal, a system people use to make payments over the Internet.

Among the merchants that rely heavily on PayPal are online casinos; as much as one-twentieth of all online gambling transactions are processed by the company, according to Christiansen Capital Advisers, a market research firm. But not much longer: eBay, citing the murky regulatory and legal issues involved in online gambling, said it would disallow use of PayPal for gambling if and when its acquisition closed.

The announcement comes as online casinos are struggling to find ways to handle payments in light of the decision by many banks to prevent the use of their credit cards for online gambling. It also comes as PayPal, according to company officials, was subpoenaed by the New York attorney general's office about use of its service for gambling.

The move to limit credit card payments caused the Christiansen group earlier this year to lower 2002 revenue projections for the online gambling industry to $3 billion, from $3.5 billion. The problem has forced some casinos to close, and others may follow, analysts say.

Now it is a matter of debate how much more the industry could suffer with the apparent departure of PayPal, based in Mountain View, Calif.

Some casino operators say the difference will be substantial, though the Christiansen group did not further lower its industry projections after the PayPal announcement.

"It's going to be a short-term impact, but it's just going to be another hiccup," said Sue Schneider, chairwoman of the Interactive Gaming Council, an industry trade group. She said the casinos were now accustomed to scrambling for new payment sources, and several were emerging, including the increasing use of online debit and online A.T.M. cards.

Indeed, the other indirect impact of the eBay deal is an increase in the effort to find alternative payment systems, said Sebastian Sinclair, an analyst with Christiansen.

Mr. Sinclair said that during the last year he received virtually no business plans for new online casinos but more than 100 business plans from people looking to find a way around the payment problem. "The opportunity to create the better payment mousetrap is just huge," he said.
*************************
New York Times
E-Tailers Wary of Credit Card Fraud


AMERICAN e-commerce companies that believed the World Wide Web translated to a planet full of potential customers are finding their businesses to be much more provincial these days. Online merchants have been quietly cutting back on sales to foreign customers, rather than expose themselves further to credit card and shipping fraud.

"In some cases companies are saying `forget it -- it's not a big enough business for me to be worried about,' " said H. Robert Wientzen, the chief executive of the Direct Marketing Association, a trade group representing mass mailers, catalog sellers and Internet merchants. Mr. Wientzen says that decision, while often necessary, is costly. "There are companies that could be eliminating 1 to 2 percent of sales by not operating in some fairly big foreign markets," he said, "and that's a lot of money."

CD Universe, an online music, movies and games retailer, is among the Web sites that have scaled back their overseas businesses. According to the company's chief executive, Charles Beilman, the Web site has stopped sending orders to Romania, Bulgaria and Indonesia, among others, because of the high rate of credit card fraud he has encountered with customers from those countries.

"It's unfortunate," Mr. Beilman said. "I'm sure we had handful of legitimate customers in Romania," he said. "But when eight out of every 10 orders are frauds, I just can't keep doing it."

That is because Mr. Beilman and other online merchants end up paying the bill for so-called charge backs, which are passed along to e-tailers by credit card companies when legitimate card holders report that fraudulent purchases have been made on their monthly statements.

Mr. Beilman said he believed "it is the norm" for CD retailers and other sellers of compact, but valuable merchandise, to turn away customers from some foreign countries.

Buy.com is another example. According to Brent Rusick, the company's chief operating officer, Buy.com stopped shipping to all but 25 foreign nations in March and implemented stiff rules for customers on the list of 25, chiefly because of fraud concerns.

Countries that did not make the list include all those in Eastern Europe and the former Soviet republics, as well as Indonesia, the Koreas and China. Some of the nations on the authorized list include Britain, France, Taiwan, Japan and Australia.

"We're extremely conservative about our export business," Mr. Rusick said. He noted that international customers must spend $500 or more on goods, and they cannot use their credit cards to order merchandise. Rather, they must wire money to Buy.com before the company will ship their orders.

Mr. Rusick said the company did not accept credit cards on overseas orders because foreign credit card issuers do not have address verification systems. "So we can't verify that, yes, indeed, the person making the order matches the information the bank has on them," he said.

Credit card issuers in this country are using verification codes that are typically printed, not embossed, on the cards, and which help merchants determine if the customer is actually holding the credit card, not just a card number they have stolen.

But that system will not be available in Europe "for another couple of years," Mr. Rusick said, leaving merchants like him staring at foregone revenues, which he admits could be substantial. Right now, he said, revenues from exports "are not a significant piece of our business."

"There's certainly a lot of business out there that's available, but there's also a lot of risk, too," Mr. Rusick said. "I want to go after that business, but I've got to go after it very cautiously."

Other online retailers, like Bertelsmann's CDNow, will take orders and ship them to nearly all foreign countries. But when orders come from countries with historically high fraud levels, the company sends the orders to its security department for additional fraud screening. According to Melinda Meals, a company spokeswoman, about 8 percent of its orders are sent to this next level of screening, of which 88 percent are eventually approved for shipment.

While acknowledging that the additional screening reduces the profitability of those orders, Ms. Meals said it was not a big enough bite to make the company reconsider its shipping policies for those countries. "It affects such a small percentage of the orders that it doesn't really affect CDNow financially," Ms. Meals said.

As to whether non-governmental shippers like United Parcel Service or FedEx might offer shipping alternatives, Ms. Meals said the shipping fees would probably be cost-prohibitive for customers.

Mr. Wientzen, of the Direct Marketing Association, said he believed shipping fraud represented a bigger obstacle to the growth of foreign sales than credit card fraud. "Government officials in some eastern European countries have acknowledged concerns ensuring packages will get delivered," Mr. Wientzen said.

Mr. Wientzen declined to name those countries specifically, but said he recently visited Moscow's postmaster general, "who was pretty straight with some of the concerns they had." Still, Mr. Wientzen said he left the meeting quite pleased with the position Russian officials had taken, on their plans to eradicate shipping fraud.

Ms. Meals, of CDNow, says her company will not ship to customers in Lithuania and Iran because CDNow cannot guarantee the packages will reach the customer. She would not speculate on whether that was because of theft within the postal services of those nations or whether those postal services might deem certain types of music illegal.

John Flick, a spokesman for United Parcel Service's international division, agreed that shipping charges may represent a problem for customers. "The biggest problem is with the customers," he said.

Foreign customers who find a Patsy Cline CD on sale for $9 from a Web site in the United States might find that U.P.S. must collect another $40 in taxes and tariffs at the door, Mr. Flick said. In other cases, the goods can be barred because of illegal labels or content. "It's the old `don't shoot the messenger' situation, literally," he said.

United Parcel Service is trying to develop technology that would allow customers and the Web sites they do business with to determine which goods are allowed in which countries, and the total costs of shipping, Mr. Flick said. But that is a monumental task, given that the import policies of the roughly 200 countries it delivers in are in nearly constant flux.

"We were an Olympic sponsor in the 90's, and we came up with envelopes with athletes on them," Mr. Flick said. "We had to cover them up, because they had pictures of women track stars leaping over hurdles, and that wasn't accepted in Muslim countries. When you're getting into this, there is no universal template."
****************************
Washington Times
Blue Ridge team nabs pedophiles
Jerry Seper


BEDFORD, Va. -- Sheriff's Lt. Mike Harmony is often mistaken for a 13-year-old girl. It's an unlikely description for the veteran law enforcement officer and former military policeman, but then, he works on it.
And the hundreds of suspected pedophiles nationwide who have sought to "date" him after a chat on the Internet could tell you that he's very good at his job.
Lt. Harmony is a key member of what Bedford County Sheriff Michael Brown calls "Operation Blue Ridge Thunder," a unique law enforcement cyber-program aimed at catching and prosecuting sexual predators who troll the Internet for young boys and girls.
He and other Blue Ridge Thunder task force members diligently work through the 100,000 Web sites as well as countless chatrooms and message boards devoted to child pornography. The team searches for predators by focusing on what the experts refer to as a "traveler" -- someone willing to cross state lines to have sexual relations with a child.
"I've seen just about everything there is to see regarding man's inhumanity to man, but that pales in comparison to what they're doing to the kids," said Sheriff Brown, a retired Treasury Department senior special agent who was elected Bedford County's top law enforcement officer in 1996.
"The exploitation of children on the Internet is a huge and growing problem. The public just doesn't realize how bad it is," he said. "I discovered that our people had the ability to do something about it, and we went after it."
Operating out of a donated log cabin in this rural Virginia community, Blue Ridge Thunder is one of the nation's more successful law enforcement programs in what has become a newly-declared war against cyber-predators.
Since 1998, when the program began, the task force has arrested 38 sexual predators in Virginia, with a 100 percent conviction rate. Even more amazingly, the task force has made 600 criminal referrals to other jurisdictions nationwide -- all with enough evidence for police in those jurisdictions to make arrests and prosecute the suspects.
"The Internet has a dark side, and it's getting darker," said Lt. Harmony. "How many children have we saved, I don't know, but we think we have saved some."
Blue Ridge Thunder's reason for being is a 1998 investigation by the Sheriff's Department involving a 13-year-old Forest, Va., girl who discovered that her former boyfriend had put her face on the body of a naked woman and posted it online.
The site included the girl's telephone number and home address, which attracted calls from a Florida child pornographer who wanted the girl to come to that state to make a movie. He reminded the girl he knew where she lived and told her he would hurt her and her family if she refused. The girl's mother called for help after reading in her daughter's diary about the threats and fearing for her safety.
"The Internet was very new to me at that time, and I just didn't believe what I was seeing. I was stunned," said Sheriff Brown. "We discovered some of the most horrible images you can imagine: kids as young as 18 months being sexually abused. It'll tear your heart out.
"Even after you see it, it's hard to fathom that this is going on today," he said. "But I knew we had to do something about it."
Sheriff Brown immediately assigned deputies to investigate the case and other incidents of child pornography he had discovered on the Internet. Some Bedford County deputies even worked on the cases during their off-time.
Although no charges were filed in the Florida case, within three months Sheriff Brown's office had gathered enough evidence to arrest several pornographers locally and across the country. The investigation had so stirred the sheriff that he immediately sought help in funding a full-time effort at targeting Internet sexual predators.
It was at that point he turned to the Justice Department in Washington, and with the help of a grant proposal painstakingly put together by the sheriff and several deputies -- including Sgt. Sergio Kopelev, who has since left the department for law school in California -- Bedford County was one of just 10 law enforcement agencies nationwide to win a $200,000 grant from the Justice Department's Office of Juvenile Justice and Delinquency Prevention.
The grant was part of the $2.4 million "Internet Crimes Against Children" program. Bedford County, with 68 employees at the time, was the smallest agency to receive grant funds -- the next in line having 1,500 employees.
"I knew we had the quality of people who could do this, and they had the desire to get it done," Sheriff Brown said.
The Blue Ridge Thunder task force got its name from the powerful storms that sweep through the nearby Blue Ridge Mountains and across Bedford County. It was a metaphor for what Sheriff Brown said was going to be an effort to "hit these pedophiles, child pornographers and molesters as hard as we could."
The task force made headlines in 1999 when it arrested a top aide to former West Virginia Gov. Gaston Caperton. The aide, Tom Rice, then 59, had driven to Bedford to meet a "boy," actually a deputy, with whom he had chatted online.
Also in 1999, a North Carolina man known on the Web as "DrEvil" drove from Charlottesville to Bedford to meet a young girl -- actually another deputy -- for sex. When police arrested the man, identified as Ray Cannup, they found an ax handle, paring knife and duct tape in his truck. Both men have been sentenced to prison.
With an ongoing string of convictions and referrals, Sheriff Brown has pledged to continue the task force locally despite pending cuts in federal funding.
"Mike Brown will find a way to keep this program going," said Lt. Harmony. "He believes it's everyone's job to protect these children. And I assure you, he'll be knocking on whatever doors it takes to see that the program continues."
Like Lt. Harmony, the Bedford County deputies who play roles in the effort to catch perverts have heard what Sheriff Brown called a long list of "sick rhetoric." Many of the cyber-criminals ask the young "boys and girls" to whom they think they are talking for photos -- preferably nudes -- and boast of other sexual conquests.
One man sent a picture of his genitals.
"Surprised at what I have seen? Never. Everyday I see something vile and disgusting, and while I thought I was well-versed in the ways of the world, I am overwhelmed," said Lt. Harmony. "But these are our children and they need to be protected."
************************
Reuters
Hacker Group Targets Countries That Censor Internet
Sun Jul 14, 5:18 PM ET
By Eric Auchard


NEW YORK (Reuters) - Some of the world's best-known hackers unveiled a plan this weekend to offer free software to promote anonymous Web surfing in countries where the Internet is censored, especially China and Middle Eastern nations.

An international hacker group calling itself Hactivismo released a program on Saturday called Camera/Shy that allows Internet users to conceal messages inside photos posted on the Web, bypassing most known police monitoring methods.

In addition, "Mixter," an internationally known German hacker, said Hactivismo was preparing in coming weeks to launch technology, which if adopted widely could allow anyone to create grassroots, anonymous networks where Internet users worldwide could access and share information without a trace.

"(Hackers) are looking for something a little more meaty to work with," spokesman "Oxblood Ruffin" said of the new social activist push by a group formerly known for creating software that was used by other hackers to attack undefended computers.

The Hactivismo announcement, the result of a two-year project among leading hackers worldwide, was made at H2K2, a three-day conference ending Sunday. The bi-annual event attracts an estimated 2,000 security professionals and computer activists, including the U.S. hacker elite.

Mixter's software -- known as a "protocol" in technical terms -- would allow ordinary computer users to set up a decentralized version of virtual private networks (VPNs). VPNs are used by governments and many companies to create secure networks that are fenced off from the public Internet.

"It's important for anyone whether they live in totalitarian country or a Western country to be anonymous," said Mixter, who lives in Munich, of his motivation to take part in the project.

Hactivismo software works to bypass national firewalls that allow only partial access to global computer networks. A firewall is software that prevents access to certain types of addresses banned on internal corporate networks as well as nations that restrict citizens' access to the global Internet.

Hactivismo says it can defeat attempts to restrict Web surfing to controversial Internet news and human rights sites by disguising such sites to make them look innocuous.

The group hopes to encourage other software developers to embed the code for "Six/Four" protocol into their own programs in order to accelerate the spread of the technology worldwide. The effort will only succeed if millions of computer users begin using the programs as part of their everyday Internet Web use, providing cover to individual surfers, its proponents said.

FROM PIRACY TO FREE-SPEECH ACTIVISTS

The move is likely to heat up the battle between free speech activists and government censors in the 20 or so countries that restrict public access to the Web. It may also raise concerns among Western police agencies, who fear the technology could be used by criminals to swap child pornography or by Osama bin Laden's Al-Qaeda network to plot new attacks around the globe.

Hactivismo, or hacker activism, is just one of several grassroots software projects -- including Peekabooty and Privaterra -- launched recently by computer activists that seek to enable human rights workers to access censored Web sites or communicate securely.

Six/Four protocol designer "Mixter" told Reuters that the system is named in honor of the date when Chinese authorities cracked down on democracy activists in Tiananmen Square on June 4, 1989.

Six/Four is designed so that each computer user that uses software running the protocol becomes part of the shared capacity of the network, taking a page from the so-called "peer-to-peer" sharing networks that gave birth to Napster and other music sharing programs such as Gnutella.

"This is going to be a guerrilla information war," Oxblood Ruffin said. "Sites will pop up for a few days and then be taken down," he said as he described a "moving war," in which computer activists react quickly to government efforts to block such programs.

In countries such as China, the Internet poses an unprecedented threat to the control that the Chinese Communist Party exercises over all other forms of media.

In the world's most populous country, where most people can't afford PCs, millions turn to Internet cafes, despite a long-running crackdown on the free-wheeling establishments by the Chinese government.

The tightening of restrictions has accelerated recently since several deadly fires, including one in a Beijing Internet cafe that killed more than 20 students in June.

Sensitivity to potential sources of civil instability has been heightened by the looming leadership transition at the top of the Chinese government set for later this year.

Hactivismo is made up of 40 or so hackers including members of the Cult of the Dead Cow, the group behind Back Orifice, which can be used by malicious hackers to gain unauthorized access to unsecured computers running Microsoft's Windows software.

Mixter developed software that was used by another teenager to launch denial of service attacks on major e-commerce sites in early 2000.

Group members have focused more recently on harnessing the energies of the computer underground to promote electronic democracy on the Internet.

In the future they plan to develop programs that will allow anonymous direct email, file trading and untraceable chat programs that bypass conventional Internet monitoring.

The latter is especially important in places like China, where online chat is more popular than Web surfing. The group's work can be found on the Internet at .

Hactivismo leaders said that Camera/Shy was immediately available for download and use from its site. The program would allow visitors at public Internet cafes, popular in many countries where computers are scarce, to install the 1.2 megabyte program using a simple floppy disk.

The user simply installs the program on a computer, surfs the Web, then removes the program, leaving no electronic record of what sites were visited, said its southern California-based designer, who goes by the hacker name "Pull."

"What this is for is for pre-suspects," Pull said. "You never become a suspect if you are using this kind of thing."

(Additional reporting by Jonah Greenburg)
************************
Associated Press
China Internet Portals Sign Pact
Mon Jul 15, 2:28 AM ET
By CHRISTOPHER BODEEN, Associated Press Writer

BEIJING (AP) - Internet portals in China, including Yahoo!'s Chinese-language site, have signed a voluntary pledge to purge the Web of content that China's communist government deems subversive, organizers of the drive say.



The "Public Pledge on Self-discipline for China Internet Industry" has attracted more than 300 signatories since its launch March 16, said a spokeswoman for the Internet Society of China, who identified herself only as Miss Sun.

The pledge's main aims appear fairly benign: promotion of Internet use, prevention of cyber crime, fostering healthy industry competition, avoiding intellectual property violations.

Other clauses, though, seem less innocent given China's tight control over information and the government's extreme sensitivity to criticism or political challenges. New regulations on Internet publishing take effect Aug. 1 "to promote the healthy development of Internet publications," the official Beijing Morning Post reported Monday.

Those who sign the pledge must refrain from "producing, posting or disseminating pernicious information that may jeopardize state security and disrupt social stability." The prohibition also covers information that breaks laws and spreads "superstition and obscenity." Members must remove material deemed offensive or face expulsion from the group.

Signers also pledge to monitor content of foreign-based Web sites and block those containing unspecified harmful information.

The pledge conforms closely to government policies making Internet service providers responsible for content posted on Web sites they host. It's a strategy to give the Internet enough room to blossom while keeping operators on notice not to push the envelope politically.

China has aggressively promoted the Internet for commercial purposes. As of April, China had more than 38 million Internet users and nearly 280,000 Web sites, according to the official Xinhua News Agency.

Yet the Communist Party is determined to curtail the Web's role as a forum of free discussion and source of information not available in the entirely government-controlled media.

A special police force monitors Web sites and sifts e-mail searching for messages promoting causes such as greater political openness, the banned Falun Gong spiritual movement and independence for minority regions. Web sites of human rights groups and Western and Taiwanese media are frequently blocked.

Internet cafes are required to track sites their users visit and report attempts to open those deemed subversive. Long prison sentences have been given to people accused of reproducing or forwarding information from such sites.

"They're trying to have it both ways. It's a difficult game to play, but they seem to be doing a not inconsiderable job of it," said Jack Balkin, a Yale University law professor who studies the Internet.

China has also closed thousands of Internet cafes since a fire June 16 at a cafe in Beijing that killed 25 people.

The Beijing-based Internet Society of China describes itself as a private, national self-governing body for the Chinese Internet sector. Its 140 members are drawn from private companies, schools and research institutes, according to the society's Web site.

A spokesman for Yahoo!'s China office in Beijing confirmed the company had signed the pledge but refused to comment further. Yahoo!'s public relations agency in the United States, where the company cultivates an image of freedom and anarchic creativity, responded to an e-mail seeking comment by saying no spokesman was available.

Other portals the society listed as having signed the pledge include the popular Chinese Websites Sina.com and Sohu.com, as well as Peking and Tsinghua universities, online media and technology companies and government offices.
*************************
Washington Post
Judge Bars Firm From Deploying Unauthorized Pop-up Ads


A federal judge in Virginia has temporarily barred a California company from creating unauthorized advertisements on the Web sites of several prominent media companies.

U.S. District Judge Claude Hilton in Alexandria granted a motion for a preliminary injunction in a lawsuit filed by 10 media companies against Gator Corp., a Redwood City, Calif., software company.

Gator produces pop-up advertisements that appear when computer owners who have downloaded the company's software browse Web sites targeted by Gator's advertisers. The injunction issued Friday stops Gator from creating the unauthorized ads on sites owned by the plaintiffs.

The plaintiffs, including The Washington Post, The New York Times, Dow Jones and Knight-Ridder, claim Gator's software lowers their advertising revenue by creating pop-up ads that direct Internet surfers to competitors' sites, hide legitimate ads and offer deals in direct competition with those presented by the site's paid advertisers.

No date has been set for trial.

Janet Collum, an attorney for Gator, said company officials would decide whether to appeal the judge's order after they had reviewed it.

"Obviously, we would prefer not to be enjoined," she said. "I believe that when we have the opportunity to put on a full showing (at trial), we will demonstrate that the company should not be enjoined. We believe strongly that the facts and the law are on our side."

The judge's preliminary ruling indicates that he views the case differently, said Terence P. Ross, an attorney for the plaintiffs.

"One of the legal standards the judge has to evaluate in considering whether to grant a preliminary injunction is whether the plaintiff's case is 'likely to succeed on the merits,' " Ross said. "The fact that he granted the injunction is an indication that the judge thinks our case does have merit."

Ross said his clients want to stop Gator from inserting unauthorized ads on their sites not only because they are losing advertising revenue but also because it "causes a loss of content control." Ads created by Gator's software might conflict with stories on the Web sites, potentially creating an appearance of journalistic bias or incompetence, he said.

The issue stems from a software package offered by Gator, called eWallet, that helps Internet users automatically remember passwords and fill in information forms on Web pages. However, when users download the software, additional computer files are also stored on the user's computer that run a separate program called OfferCompanion, which stores information on the user's Web-browsing history and generates advertising based on the user's Internet habits.

Those ads are designed to "pop up" on the computer screen when the user visits a Web site that features advertising from one of Gator's advertisers' competitors. For example, when an Internet user is about to make an online purchase from a Web site, a pop-up ad may appear that offers the same item at a lower price from a competing Web site that pays Gator for ads.

Some of Gator's pop-up ads are designed to appear on the computer screen as if they are part of the Web site being visited, in some cases deliberately concealing ads that are part of the site.

The software also sends Gator information on the computer owner's Web-browsing habits, generally without the owner's knowledge, for Gator's own use in tracking users' Internet-browsing habits and for resale to other marketing companies.

Last August, Gator filed a lawsuit in California against the Interactive Advertising Bureau, a group that represents several large, advertising-heavy Web sites, claiming that the group had unlawfully disparaged its products and services. The interactive group had objected to Gator's practice of selling ads designed to conceal advertisements on members' sites.

That lawsuit was dismissed in February.
***********************
Washington Post
Hacker Group Targets Countries That Censor Internet

NEW YORK -- Some of the world's best-known hackers unveiled a plan this weekend to offer free software to promote anonymous Web surfing in countries where the Internet is censored, especially China and Middle Eastern nations.

An international hacker group calling itself Hactivismo released a program Saturday called Camera/Shy that allows Internet users to conceal messages inside photos posted on the Web, bypassing most known police monitoring methods.

In addition, "Mixter," an internationally known German hacker, said Hactivismo was preparing in coming weeks to launch technology, which if adopted widely could allow anyone to create grassroots, anonymous networks where Internet users worldwide could access and share information without a trace.

"(Hackers) are looking for something a little more meaty to work with," spokesman "Oxblood Ruffin" said of the new social activist push by a group formerly known for creating software that was used by other hackers to attack undefended computers.

The Hactivismo announcement, the result of a two-year project among leading hackers worldwide, was made at H2K2, a three-day conference ending Sunday. The bi-annual event attracts an estimated 2,000 security professionals and computer activists, including the U.S. hacker elite.

Mixter's software -- known as a "protocol" in technical terms -- would allow ordinary computer users to set up a decentralized version of virtual private networks (VPNs). VPNs are used by governments and many companies to create secure networks that are fenced off from the public Internet.

"It's important for anyone whether they live in totalitarian country or a Western country to be anonymous," said Mixter, who lives in Munich, of his motivation to take part in the project.

Hactivismo software works to bypass national firewalls that allow only partial access to global computer networks. A firewall is software that prevents access to certain types of addresses banned on internal corporate networks as well as nations that restrict citizens' access to the global Internet.

Hactivismo says it can defeat attempts to restrict Web surfing to controversial Internet news and human rights sites by disguising such sites to make them look innocuous.

The group hopes to encourage other software developers to embed the code for "Six/Four" protocol into their own programs in order to accelerate the spread of the technology worldwide. The effort will only succeed if millions of computer users begin using the programs as part of their everyday Internet Web use, providing cover to individual surfers, its proponents said.
**************************
USA Today
Many college students can't pass up free music


By Mackenzie Warren and Michelle Poblete, Gannett News Service

Brian Pollock is like a lot of college students. He parties between cramming for exams. His dorm room looks like it was hit by a tornado.

And his computer's hard drive holds thousands of music files acquired free on the Internet.

"On a good day, I'll download 100 songs," said Pollock, 20, a junior physics major at Miami University in Oxford, Ohio. He gets his tunes in the compressed MP3 format favored by most downloaders.

For Pollock and others like him, Napster used to be the ultimate free music source. But it is effectively extinct because the recording industry shut it down on charges of copyright violation.

Filling the void: so-called peer-to-peer sites such as Morpheus and Gnutella, where millions of PC users come together at any given time to swap music files that sit on their PC hard drives.

Because peer-to-peer (P2P) networks exist only virtually, it is harder for record labels to target specific lawsuits, and federal agents can't practically enforce copyright rules.

For college students -- who enjoy nearly universal access to the high-speed connections ideal for Internet downloading -- the abundance of P2P networks means there's little that's digital, whether it's music, videos or software, that's not available free.

Economics and opportunity

To many students, fast and free is the way they've come to consume music and video.

"Why would I ever spend money on music when I can get it for free?" asks Sara Melillo, 20, a sophomore journalism major at Northwestern University in Evanston, Ill. "Do I feel bad for the artist? Of course. But that doesn't mean I'm not going to take advantage of a free opportunity."

Michael Asuncion, an 18-year-old sophomore at the University of Southern California-Los Angeles, uses music-swapping services and a CD burner to make portable replicas of real albums.

"Downloading a song takes less than three minutes," he said. "Before you're done typing in your next request, you've got the file."

Many students say they periodically download music, usually a few songs at a time, while a few do it by the hundreds.

Sometimes, it just comes down to economics. Many students want to save the $15 to $20 a CD costs.

"It's out there, so why not take advantage of it?" said Matthew O'Neill, 22, a senior at Syracuse University in New York. "I feel like I've overpaid for music in the past, so I can rationalize burning CDs now. But I'm still shocked we're able to do it totally free."

When Napster opened for business in 1999, colleges debated intellectual property issues. But since last year, many universities said their main task was to optimize network performance to keep pace with academic and recreational demands.

At Duquesne University in Pittsburgh, for example, tech managers use "packet-shaping" software that limits the amount of network resources music and video file types can occupy. Such restrictions are eased on nights and weekends, when there are fewer academic demands on the network.

Movies next?

Still, solving the bandwidth shortfall created by music may beget a new problem with video.

"If you thought Napster clogged up networks, wait till 'Spider-Man' gets out," said Casey Green of the Los Angeles-based think tank Campus Computing Project. It studies college computer networks.

Video downloading is slowly gaining popularity but not nearly as fast as MP3s did. Students said that's because, even with compression technology, files take too long to download and occupy too much space on hard drives.

Thorvaldur Einarsson, 25, an electrical engineering graduate student at the University of Maryland, waited all night to download what he thought was part of Star Wars, Episode II: Attack of the Clones. "I managed to find part one of the movie and after a long download, we tried to watch it." It turned out that the file did not include Star Wars at all but a repeated showing of the trailer for The Scorpion King, starring pro-wrestling icon The Rock.

But devoted collectors, with desire and patience, are out there. "There is a student down my hall who has every movie you can imagine," said Giselle Mammana, 20, a sophomore at Northwestern. "Instead of walking four blocks to Blockbuster, I walk four doors to his room." Mammana downloads several TV shows a month and four to 10 songs a day. She has made about 20 custom CDs containing more than 340 MP3s.

Power shift

Even as new technology makes it easier to get more music free, ethical questions remain. And not every student feels entitled to free music. D.D. Zhou, a 21-year-old junior at Georgia Tech in Atlanta, uses music-swapping services to filter out bad music so she can purchase the good stuff.

"Before, I would just buy an album without knowing how good or bad the songs are on it," Zhou said. "When I find the really good music, I'll go and buy it."

Some students argue that file sharing helps independent artists compete with big-label bands.

"The whole Napsterization of music has taken the power of music from record label executives and put it back into artists' hands," said Sherkhan Khan, 19, a freshman at Goucher College in Baltimore.

"Now, good musicians who aren't manufactured like 'N Sync and Britney can reach a large audience. Without Napster, I would have never heard of Tenacious D."
***********************
Los Angeles Times
High-Tech Strategy Guides Pentagon Plan
Military: The Cold War era is left behind in the secret document, which stresses a long-range approach to a new breed of enemies.
By JOHN HENDREN
TIMES STAFF WRITER


July 13 2002

WASHINGTON -- A secret Pentagon plan for the next five years directs the military to focus more of its spending to combat Afghanistan-style threats and weapons of mass destruction and to develop even greater precision-strike capabilities, according to a document reviewed by The Times.

The "Defense Planning Guidance" for 2004 to 2009 puts into action the Pentagon's plan to replace a Cold War-era strategy of being able to fight two major-theater wars at the same time with a more complex approach aimed at dominating air and space on several fronts.

The annually updated five-year plan, the first since the Sept. 11 terrorist attacks, represents an acceleration of the shift toward the high-tech gadgetry of warfare on which the Pentagon has relied since the Persian Gulf War of 1991. The classified document requires the military services to further develop the capability to launch "unwarned" preemptive strikes, a new doctrine President Bush outlined in a May graduation address at the U.S. Military Academy at West Point, N.Y.

The document appears to emphasize the kind of nontraditional enemy American soldiers have faced in Afghanistan, rather than a peer-to-peer war with large numbers of conventional troops and weapons against such possible foes as North Korea and China.

The plan directs the armed services to spend their money on five areas: countering terrorists and weapons of mass destruction, intelligence, cyber-warfare, airstrike capabilities and military systems in space.

It also sets specific goals, such as the development of a squadron of a dozen unmanned fighter jets by 2012 and a "hypersonic missile" that can travel 600 nautical miles in 15 minutes--capable of taking out mobile missile launchers before they can be moved--by 2009.

The more than 50-page document is detailed in The Times' Sunday editions by defense analyst and columnist William M. Arkin.

Defense officials said the plan codifies the military transformation that Defense Secretary Donald H. Rumsfeld has touted since he took over the Pentagon.

It places emphasis on capabilities such as surprise "high-volume precision strikes," and calls for laser- and microwave-powered weapons and nuclear-tipped "bunker buster" bombs capable of striking deeply buried cave complexes such as those in the mountains of Afghanistan.

The weapons called for in the plan enhance the military's ability to launch stealthy preemptive strikes against a new breed of enemy, which the Bush administration has suggested could include North Korea and Iraq.

In his June 2 address announcing his "strike first" policy, Bush said U.S. forces need to be "ready to strike at a moment's notice in any dark corner of the world."

"We face a threat with no precedent," he said.

"Containment is not possible when unbalanced dictators with weapons of mass destruction can deliver those weapons on missiles or secretly provide them to terrorist allies."

The emphasis on high-tech warfare appears to benefit the Air Force most and the Army least, a senior defense official said on condition of anonymity.

That may have an effect on the way the document is received by each of the military services. The document calls for the services to make cyber-warfare a "core competency."

That includes protecting critical U.S. computer networks and destroying or sleuthing the enemy's networks.

The policy blueprint outlines a shift from a "threat-based" strategy, aimed at combating major adversaries such as China or Russia, to a "capabilities-based" system, designed to develop the ability to "deter, deny and defeat adversaries who will rely on surprise, deception and asymmetric warfare to achieve their objectives."

Some defense analysts expressed a concern that the plan would send the message that wars can be fought with few casualties by "push-button warfare."

"It's this concept that we can sit in our air-conditioned bunkers and push buttons," said Ivo Daalder, a defense analyst at the Brookings Institution.

"That leads to the absurd decision to fight a Kosovo war without a ground component. It leads to relying on insurgents and precision strikes to overthrow Saddam. It's absurd to think that that's the way we ought to fight warfare in each and every circumstance....

"Wars are still fought and won in the old-fashioned way: by killing more of the others than they kill of you. And by taking territories."

Nevertheless, some of the technologies envisioned in the plan could be used in traditional large-scale wars, said Anthony Cordesman, a former Pentagon official at the Center for Strategic and International Studies, a Washington foreign policy think-tank.

The paper indirectly criticizes U.S. intelligence performance, calling for major changes.

"It is also essential over the midterm period that we transform intelligence capabilities to provide sufficient warning of an impending crisis, identify critical targets" and develop new ways to monitor military campaigns and measure their success, the report says.

The edict follows criticism that the intelligence community had too little information on Al Qaeda operatives before Sept. 11, and often failed to communicate what it had with other government agencies.
***********************
San Francisco Gate
Spam attacks growing


Three one-hundredths of a penny -- that's the per-message cost for sending out spam e-mail. To put it a more realistic way, you can hit 25 million mailboxes for a mere $7,999.

At least that was the price MonsterHut.com, a spammer based in Niagara Falls, N.Y., used to charge for its Grand Slam Package. That particular deal may not be available any longer, though. A few weeks ago New York Attorney General Eliot Spitzer sued MonsterHut for fraud, and now its Web site is down and its phone number is out of service.

There's no shortage of other junk mailers offering similar rates or of customers eager to hire them. After all, the economics are attractive: If you were peddling a product with, let's say, a margin of $5 per unit, you'd more than cover your costs if just one of every 15,000 recipients bought one. Any other sales would be gravy.

That's assuming you were doing an honest business. If you were trying to get someone to, say, pass along his bank account information, a single sucker out of 25 million people might make the whole investment worthwhile. (Of course, a large percentage of the addresses on spammers' lists are no doubt bogus, so you'd need a somewhat higher hit rate among real recipients, but the principle is the same.)

That's why the volume of spam continues to soar. According to the latest monthly data from Brightmail, a San Francisco company that attempts to stop the flood for corporate customers (including The Chronicle) and Internet service providers, the rate of unique spam attacks measured by the company's network of decoy addresses has increased more than five-fold during the past year -- from less than a million in June 2001 to more than 4.8 million last month. Each of those attacks could involve thousands or millions of users.

RULES ON AVOIDING SPAM: So what can you do to keep all that annoying, offensive clutter out of your inbox? The first step is to follow some common-sense but too-often ignored guidelines about e-mail usage. You can find such tips at dozens of Web sites, but there's a clear and simple set at Spam Recycling Center (www.spamrecycle.com/antispamthings.htm).

To summarize:

1. Never respond to spam.

2. Don't post your address on your Web site.

3. Use a second e-mail address, not your main one, if you post to newsgroups.

4. Don't give out your e-mail address without knowing how it will be used.

5. Use a spam filter. (More on that in a moment.)

6. Never buy anything advertised in spam.

I know a few people who have managed, by dint of good luck and strict adherence to such rules, to keep their inboxes spam-free for years. Unfortunately, they're rare exceptions. One way or another, spammers seem to catch up with most folks sooner or later.

That's why there's increasing demand for spam-blocking software and services -- and a steady stream of startups racing to meet it. Many of these tools are, like Brightmail's, server-based and marketed to IT managers and ISPs, and I'm not qualified to evaluate them.

Even if your network administrators are doing their best to fight the problem, odds are plenty of spam is getting through to you, so it's worth considering how you can beef up your defenses.

Nowadays, some spam-fighting weapons are built into almost every e-mail program and service. Generally, however, they're not turned on by default, so they're no benefit unless you do it yourself. That can be a little complicated, and the details are different for each program and service, but you should be able to find instructions in your software's electronic help system.

You can also find concise, step-by-step guidance for most common mail programs at a site run by the University of Texas, www.utexas.edu/computer/security/users/avoid_spam.html. For America Online, just go to keyword Mail Controls, or see howto.lycos.com/lycos/step/1,,110+23614+13831,00.html.

NEW TOOLS: There's also a growing selection of spam-fighting services for individual users, including several that make it easy to create temporary e-mail aliases -- known as DEAs, for disposable e-mail addresses. When you give one out, the recipient never sees your real address, yet any responses sent to the aliases can be routed to your actual mail box unless you opt to kill the DEA.

I haven't tried any of these services, but PC magazine recently evaluated them (www.pcmag.com/article2/0,4149,137955,00.asp). One that scored especially well with the reviewer and users is MailShell (www.mailshell.com), a full-featured filtering, forwarding and DEA service.


During the past month, two promising new anti-spam programs have appeared: SpamNet, offered free by Cloudmark (www.cloudmark.com) in San Francisco, and ChoiceMail, a $30 utility from DigiPortal Software (www.digiportal.com).

Still in beta testing, SpamNet currently works only with Microsoft Outlook 2000 or XP on Windows 98 or later. A version for Outlook Express is coming soon.

Conceived by Napster co-founder Jordan Ritter and open-source developer Vipul Ved Prakash, the program takes a unique peer-to-peer, or community-based approach. Its users collectively determine what messages it will flag as spam and shunt off to a new folder called Spam.

If a message you consider spam shows up in your Outlook inbox, you can select it and click a Block button SpamNet installs in Outlook's toolbar. That not only moves the message to your Spam folder, but also generates a signature identifying the message and sends it to Cloudmark. Cloudmark then forwards that information to other SpamNet users. If they later receive a copy of the same message, it'll be automatically tagged as spam.

Conversely, if a message that's not spam to you gets put in the Spam folder, you have only to click an Unblock button in the Outlook toolbar, and it will be returned to your inbox and its new status will be reported to Cloudmark and other users.

I've been using the program for several weeks now, mostly in combination with Outlook rules I'd previously set up to get rid of messages Brightmail had tagged as spam. (There's no rule against using multiple defenses simultaneously; in fact, it's a good idea.)

To see how it would do by itself, I shut off my Outlook rules and relied entirely on SpamNet for a day. During those 24 hours, it moved 73 messages from my inbox to its spam folder. Of those, 71 were unambiguously spam and two came from mailing lists I've signed up for. (In fairness, one of the latter looked a lot like spam.) The program overlooked 11 pieces of spam that reached my mailbox that day.

By way of comparison, if I'd been using my previous tools -- Outlook filtering based on Brightmail tagging -- and not SpamNet, six of the 11 spam messages SpamNet missed would have been removed from my Inbox. On the other hand, 21 of those SpamNet filtered out for me would have been left for me to delete manually.

All told, with just my old system, I'd have had 26 pieces of junk in e-mail versus the 11 that SpamNet left. True, I wouldn't have had to retrieve the two false positives that the latter quarantined. But I check what Brightmail tags anyway, even though it rarely tags something it shouldn't, so the only extra work with SpamNet was one "Unblock" click for each of the two messages.

When the program began last month, with heavy publicity (including a story by my colleague Carrie Kirby), users reported several significant bugs. The company responded quickly, and the most serious problems were apparently solved. It's working smoothly for me.

Bottom line: SpamNet wasn't perfect, but it did appreciably better than my Brightmail-based system -- even though the former is barely a year old and has been available to the general public for less than a month, whereas Brightmail has been polishing its technology for four years.

Because of SpamNet's peer-to-peer architecture, it should get steadily more accurate as more users contribute to it.
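To make the Block/Unblock mechanism described above concrete, here is an added sketch of community-reported signature filtering; it is not Cloudmark's code. The signature scheme (SHA-256 over normalized text), the two-report threshold, and every name in it are assumptions made for illustration, and the sample messages are constructed.

```python
import hashlib
import re
from collections import defaultdict


def signature(body: str) -> str:
    """Hash the text after normalizing case, punctuation and spacing, so
    trivially altered copies of one message map to the same signature.
    (Assumed scheme; the article does not say how signatures are built.)"""
    normalized = re.sub(r"[^a-z0-9]+", " ", body.lower()).strip()
    return hashlib.sha256(normalized.encode("utf-8")).hexdigest()


class CommunityCatalog:
    """Stands in for the central service that collects user reports."""

    def __init__(self, threshold: int = 2):
        # Net number of distinct reporters needed before a message is tagged.
        self.threshold = threshold
        self.blockers = defaultdict(set)    # signature -> users who clicked Block
        self.unblockers = defaultdict(set)  # signature -> users who clicked Unblock

    def block(self, user: str, body: str) -> None:
        sig = signature(body)
        self.unblockers[sig].discard(user)  # a user holds one opinion at a time
        self.blockers[sig].add(user)        # sets ignore repeat reports

    def unblock(self, user: str, body: str) -> None:
        sig = signature(body)
        self.blockers[sig].discard(user)
        self.unblockers[sig].add(user)

    def score(self, body: str) -> int:
        sig = signature(body)
        return len(self.blockers[sig]) - len(self.unblockers[sig])

    def is_spam(self, body: str) -> bool:
        return self.score(body) >= self.threshold


def sort_mail(catalog: CommunityCatalog, messages):
    """Split incoming messages into (inbox, spam_folder) using the catalog."""
    inbox, spam = [], []
    for body in messages:
        (spam if catalog.is_spam(body) else inbox).append(body)
    return inbox, spam


if __name__ == "__main__":
    catalog = CommunityCatalog(threshold=2)
    original = "BUY NOW!!!  Cheap   watches"          # constructed sample
    variant = "buy now! cheap watches"                # same text, new punctuation
    newsletter = "Weekly gardening newsletter, issue 12"

    catalog.block("alice", original)
    catalog.block("bob", variant)                     # second distinct reporter
    print(sort_mail(catalog, [original, newsletter, variant]))

    catalog.unblock("carol", original)                # a false-positive report
    print(catalog.is_spam(variant))                   # net score falls below threshold
```

Counting distinct reporters rather than raw clicks keeps one user from tagging a message for everyone, and letting Unblock reports offset Block reports is what allows a mislabeled mailing-list message to recover.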

I couldn't do a real test of DigiPortal's ChoiceMail, the other new Windows program that's generating a buzz among spamhaters, because it works only with POP mail clients such as Outlook Express and Eudora, and I don't have a spam-laden mailbox accessible via POP.

From my limited testing, though, ChoiceMail looks like a slick solution for POP mail users, but with at least two major caveats: It's designed for people who always check their mail from the same PC, and it's not a very good match for those of us who regularly receive mail from total strangers and want it to come through without hassle for the sender.

Those conditions are a problem because ChoiceMail turns the usual approach to fighting spam on its head: Instead of trying to block spam, it keeps out all messages except those sent by people on an A-list of authorized correspondents.

If a message comes from a source you've already rejected, it's automatically deleted.

If it's from an unfamiliar address, ChoiceMail puts the message on hold and automatically sends a reply asking the sender to go to a DigiPortal-run Web site to fill out a form requesting your permission to send e-mail to you.

You're then notified of the request. If you approve, the message is delivered; if not, it's deleted.

The program does a nice job of creating an A-list for you from your address book, but if an e-mail comes from a legitimate sender you've never dealt with before, he or she will have to fill out the form, and you'll have to approve it -- a fair bit of bother if you get many such messages.

Because ChoiceMail stores your list on the machine where it's installed, rather than relying on a server, it can't do its thing if you're checking your mail from elsewhere.
********************
Reuters
Hackers Raise Hell in Name of Security
Mon Jul 15, 3:50 PM ET
By Eric Auchard


NEW YORK (Reuters) - Barry "The Key" Wels picks locks for the sport of it, but also to make a broader point.



He fiddles with tumblers and cracks safes for fun, and to alert the security industry to the weaknesses of many locks, which serve as a bulwark of our physical safety. Locks, whether keyed or combination, melt like butter in his hands.

Lock pickers, safecrackers and computer hackers often bond on the Internet, sharing tips and exposing "vulnerabilities." The fraternity of security violators surfaced at a rare meeting of the U.S. computer underground in New York recently that drew 2,000 Internet enthusiasts and security professionals.

"It's real easy, it's real addictive ... to open a lock in two or three pops," said The Key, who is also an active computer hacker and cryptology buff.

He's just one of the scores of speakers to spill in intimate detail about how one can beat the security systems found on computers, networks, telephones, radios, encryption, office security cards, keypads as well as doors and bank safes.

The event has a curriculum of borderline criminal computer skills like no school on earth. For it's not every conference where a speaker asks his audience: "How many people have written a computer virus before?" and several hands shoot up.

This all may strike the casual observer as a school for scandal in the spirit of Moliere or Dickens.

But the event is seen by many sober-minded computer experts who attend it as essential information-sharing, a shock test of the health and security of an open society.

The logic here goes that the best way to defend against viruses is to learn how to write one. Such frank discussion of security vulnerabilities is viewed as the final defense against really dangerous computer attacks or online privacy invasions.

"It tells you where the state of the art is, or at least where 90 percent of mainstream hackers are headed," said a U.S. Navy computer intelligence officer, who goes by the online pseudonym of "NetSquid."

The three-day conference known as H2K2 -- short for Hackers on Planet Earth -- was organized by the publishers of 2600, a magazine sold in suburban bookstores that celebrates the culture of computer hacking. To preserve anonymity and draw the largest crowd, no names are taken at registration.

"There is no other meeting in the world where you run into more elite hackers," the Navy computer expert said, who asked that his real name not be used. "What really startled me is how upright they are. Quirky, a little odd sometimes, but very, very smart," he said.

The agenda is located on the Web at http://www.h2k2.org.

SKIP THE CAFFEINE, I NEED ACCESS

The hacker crowd draws lots of teenagers and twentysomethings, some with blue hair, others with peach-fuzz still on their cheeks. They mix with 50-year-old hippies who in some cases got their start breaking into old Ma Bell phone systems, years before computers went mainstream. Men (and boys) outnumber women (and girls) roughly 20 to 1 at the event.

Participants share a love of all things electronic and gadgety. Many say their interest in computers started young, when alienated from a wider culture that lacks their easy facility with complex numbers. They found meaning and community online, in the cloak and dagger world of computer security.

The audience drinks in computer screens, with a passion that most people reserve for slurping a first cup of coffee in the morning.

"I've got to get on a computer or I'm going to die," one fish-out-of-water complains as he hurries between meetings.

Mike Glaser, a sales representative in the access control device industry, stands out from the slacker crowd with his slicked-back hair and two-piece suit. He cautions listeners during a presentation on his latest product line-up that, "Everything has its weaknesses. If you can find it, you are going to be a very rich, or a very jailed person."

"You didn't hear it from me," said Glaser after revealing a security detail known largely only to industry insiders.

Noticeably absent is any sign of the police, although participants commonly believe that there are government agents circling in their midst. The conference program warns: "This hotel is our home for the weekend and there will be more authority types in proximity than you can imagine."

STUDY CRIMES, TO THWART THEM

But the participants are defensive about being labeled bad guys, just because they like to break in to places.

"We explore and you call us criminals...Yes, I'm a criminal, my crime is that of curiosity," said "Mentor," a hacking pioneer whose real name is Lloyd Blankenship. The Texan wrote "Conscience of a Hacker," which has become a kind of credo for young hackers since he wrote the essay in 1986. He gives an inspirational pep talk to hundreds of adoring spectators, some of whom were not yet born when he wrote his passionate defense of the art of exploring computer systems.

But for all their efforts to whip up positive feelings about the art of the break-in, there is a level of paranoia that goes with the territory.

"It's best to change all your passwords after you leave this conference," a teenage hacker helpfully advises a bystander at the conference.
*************************
Reuters
FBI, U.S. Military Probe Hawaii Computer File Theft
Fri Jul 12, 9:49 PM ET


HONOLULU (Reuters) - FBI and military authorities are investigating the theft of classified computer files that were stolen when four military officers left them in their car while swimming last month at a popular Oahu beach, officials said on Friday.



But a spokesman for the U.S. Pacific Command at Camp Smith also said that all the missing files "had been accounted for."

"We are satisfied that all the missing material has been accounted for," Navy Capt. John Singley said. "I can't go beyond that."

Singley would not discuss the content or classification level of the computer files, which were stored on discs.

The files were among items taken from the trunk of a car being used by the officers when they went to Waimea Bay on June 14. Singley declined to identify the Hawaii-based officers by name or rank but they are members of the Army and Air Force.

"Obviously, a military investigation is continuing to look into the circumstances surrounding the handling of this material," Singley said. "Possible disciplinary action could result, depending on what the investigation finds out."

Kevin Rickett, an FBI spokesman in Hawaii, would not comment on the progress of the investigation. The FBI is investigating because the stolen items were government property, he said.
************************
Reuters Internet Reports
AT&T Warns Workers Not to Be Duped by Hackers
Fri Jul 12, 6:25 PM ET


NEW YORK (Reuters) - AT&T Corp. has warned employees not to be tricked into surrendering sensitive information about its network to hackers posing as colleagues or customers this weekend, a spokeswoman said on Friday.
The warning, sent in an e-mail to AT&T staff, came ahead of a major hackers convention in New York where some of the attendees plan to give a demonstration of "social engineering" techniques -- ways of getting information that can be used to break into computer networks from the people who run them.


AT&T workers in past years were tricked into giving out sensitive information over the telephone to people pretending to be other employees or customers, according to the internal AT&T e-mail dated on Thursday.

Recorded telephone calls based on those exchanges have been sold as instructional videos to would-be hackers at the HOPE (Hackers on Planet Earth) conference, the e-mail said.

This year's conference, dubbed H2K2, started on Friday and runs through Sunday in New York City.

"There is a very high likelihood that AT&T will be a target again" on Sunday afternoon, when a social engineering contest is scheduled, the e-mail said.

"Remember, you do not want to be the lucky guest of honor on a telephone call from the hacker conference this weekend with thousands of hackers listening to you and attempting to scam AT&T out of proprietary information," the e-mail warned. "Please be on guard."

Cindy Neale, a spokeswoman for New York-based AT&T, told Reuters it is not unusual for the company to send out such internal notices.

On Friday, attendees of one conference session learned how to get access to telephone company caller ID systems. In front of a packed room of several hundred, a hacker calling himself "Lucky225" tricked several operators at Vancouver, British Columbia-based Telus Corp., Canada's second largest telephone company, into giving him access to the network by saying simply, "I'm an engineer."
************************
BBC
Villagers try out net on wheels


Villagers in rural India who have never even seen a computer or even made a telephone call are getting their first taste of the internet thanks to an innovative project.
For the Computer on Wheels trials, a technician visits rural villages on a motorcycle, carrying a laptop computer.


The villagers can then look at pages which have been downloaded from the internet.

"Much like the post office, where the post man delivers letters once or twice a day, we are delivering the internet to people once or twice a day," explained Satish Jha of the development organisation, Digital Partners.

Web on demand

The pilot project to create a mobile internet service has just started in the Telangana region of the southern Indian state of Andhra Pradesh.

The trial will run for a year. If it is successful, it could be extended to cover the whole state.

The funding is coming from a small seed grant from Digital Partners.

This Seattle-based non-profit organisation sees it as a possible way of involving India's millions of rural dwellers in the internet revolution.

"Why should a whole section of population who don't have telephones, who don't have electricity, be left behind", Mr Jha told the BBC programme Go Digital.

"70% of villagers do not have access to telephones or electricity so how can they use computers? We need to find ways of taking the computer to them."

Since there are no net connections in the villages, any relevant webpages are first downloaded onto a laptop. A technician then drives out on a motorcycle, perhaps twice a day.

Villagers are able to ask for services, like government forms or check current information such as crop prices in regional markets or the latest news from their area.

Early days

So far, the Cow project has generated a lot of interest among villagers.

"There is an element of curiosity," said Mr Jha. "As soon as they hear the sound of the motorbike and know the laptop is coming, between 50 and 100 people will collect around it."

Mr Jha says this is the way technology has often reached villagers and likens it to the early days of cinema, when villagers would crowd around a screen to catch a peek of the moving pictures.

The project is still in its early days. But the organisers are hopeful it could prove one way of overcoming the lack of a communications infrastructure in the countryside.
************************
Federal Computer Week
DOJ strategic tech plan spells out major change


A "strategic" technology plan being circulated through the Justice Department last week says that the department can no longer tolerate 39 separate "fiefdoms," each "doing their own thing" with computer systems and networks.

Vance Hitch, the department's new chief information officer, said he is determined to craft an agencywide information technology architecture and require that new computer systems be used by several, and in some cases by all, divisions within the department.

It's the kind of reform IT experts say is needed, but likely will be hard to implement at the department, which is notorious for the independence and insularity of its subsidiary agencies, such as the FBI, the Immigration and Naturalization Service and the Drug Enforcement Administration.

Three months into his job, Hitch, who spent 28 years at the consulting firm now known as Accenture, depicts the department as a fragmented agency hobbled by aged computers and incompatible systems.

The security of the department's computer systems is so bad that Hitch said he wanted to hire a deputy CIO and a cadre of IT security specialists whose sole focus would be to fix "security holes."

"There are hundreds or thousands of them" in the department's computer systems, Hitch said. To say that security must be improved "is an understatement," he said, speaking at a breakfast sponsored by Federal Sources Inc., a market research firm in McLean, Va. Security is so poor it would be "very easy to take out a lot of our infrastructure."

The FBI, one of the department's most technologically troubled, is ill prepared to deal with IT security holes, he said. "They did not even have a good handle on how many systems they had," let alone what their security problems are, Hitch said.

The state of security "is embarrassing," he said.

Poor security and many other IT problems can be traced to the department's organization and its lack of a departmentwide IT architecture, Hitch said.

The department comprises 39 agencies, from such well-known ones as INS and the FBI to lesser-known entities such as the National Institute of Corrections and the U.S. Parole Commission.

"They all did their own thing" when it came to developing computer and data systems, Hitch said. Even when they hired the same vendors to assemble similar systems, the various components did not end up with systems that were interoperable, he said.

"It is not the culture of the Justice Department" to operate as a single agency, he said. Computer and data systems "developed in 39 stovepipes with loose coordination, if any."

But the department has a new mission -- counterterrorism -- and President Bush and Attorney General John Ashcroft are emphasizing greater information sharing, increased information security, and a streamlined and simplified approach. The role for IT is being refocused to emphasize mission accomplishment, Hitch said.

The department plans to spend $2 billion on IT in 2003, and Hitch said he aimed to modernize and unify the department's IT infrastructure.

Hitch said that Ashcroft has assured him that he will have a degree of influence over the agencywide IT budget, but Hitch said he also wanted "to be a part of the components' IT process."

Making changes won't be easy, said Roger Baker, former CIO at the Commerce Department, and now an executive vice president at CACI International Inc.

Hitch's plan is "a great initial reaction," Baker said. "Any good private-sector person who comes into government would say exactly the same thing." But soon enough, "you figure out that the system is built exactly to prevent you from doing what you know you should do."

Alan Balutis, another veteran of government technology management, is a bit more optimistic. "It's doable," but only if Hitch can convince the department's agency directors and CIOs to support his plan, said Balutis, who is executive director of the Federation of Government Information Processing Councils.

Even then, change is likely to come slowly, said Balutis, who was a deputy CIO at Commerce and then director of the Advanced Technology Program at the National Institute of Standards and Technology until early 2001.

***

Pulling it together

Among the goals Vance Hitch, chief information officer of the Justice Department, has for his department are:

* Developing a departmentwide public-key infrastructure to enable different agencies within the department to securely share information.

* Adopting common systems and solutions to facilitate collaboration.

* Saving money by adopting a departmentwide financial system.

* Searching for ways technology can change and improve department operations. In the past, technology has been adapted to operations.

***************************
Federal Computer Week
OMB updates security guidelines

Agency officials could be held accountable for inadequately securing their information systems under new guidelines issued by the Office of Management and Budget.

The key change in the guidelines, released July 2, is the criteria for evaluating the performance of federal officials with security responsibilities.

Developed in response to agency requests, the performance measures examine the percentage of systems that have an up-to-date security plan, the security budget for each system and the number of employees who received specialized security training. Poor results could impact an agency's budget.

Early security rules and regulations have established measurements for security systems, but few have focused on the performance and accountability of the managers overseeing those systems, experts say.

"We're really in the elementary stages here, but you have to start somewhere and this is an excellent start," said Sallie McDonald, assistant commissioner for information assurance and critical infrastructure protection at the General Services Administration.

The guidelines build on information garnered from the reports agencies first submitted last year under the Government Information Security Reform Act of 2000. GISRA requires federal chief information officers and inspectors general to annually evaluate agency information security practices and report the results to OMB.

Mark Forman, OMB's associate director of information technology and e-government, said the baseline reports from last year are a good start, but don't go far enough. "We need to track progress on improving the baseline -- but we don't want to make this a rote exercise," he said.

The performance measures will help OMB track the outcomes, Forman said. "This allows us to track the results, not just the actions they've completed."

This year, reports must include an evaluation of agency officials based on the criteria OMB has provided. The performance measures represent a minimum required response, according to the guidelines.

For example, agencies must create "plans of action and milestones," which outline how officials plan to fix vulnerabilities discovered during the evaluations. Such plans were incorporated into the fiscal 2003 budget request, and future plans will continue to be part of the budget development process, according to the guidelines.

Agencies will be assessed on their progress in managing information security at the department level and at the bureau, agency or office level.

Performance measures provide needed direction for agency accountability, but they are not as stringent as they might be, McDonald said.

The guidance "makes clear to agencies the areas they need to concentrate on," she said. "OMB did an excellent job. I don't think they are particularly onerous, and I think that they're good measures and ones we can deal with."

Capt. Sheila McCoy, who leads the Navy Department CIO's information assurance team, said the guidelines have "more specifics in terms of numbers," but they are in line with what was expected.

But at least one security expert thinks OMB's guidelines are emphasizing the wrong issue.

The guidelines assume that "lengthy risk assessments need to be done before basic security actions are taken," said Alan Paller, director of research at the SANS Institute, an education and research organization for IT security professionals based in Bethesda, Md. Agencies delay taking simple critical steps to protect their systems from common risks while staff and consultants conduct lengthy risk assessments, he said.

The first step is to ensure that "each system passes minimum configuration benchmark testing," Paller said. "If systems are attached to the Internet before they are protected in conformance with the benchmarks, any security action will generally be too late."

It might seem logical to place risk assessment as the first step, but it's the wrong approach, Paller said. "It's like putting a bank in a rough neighborhood. Even before you do that, you put a good lock on the door. You don't need a separate study" to tell you that.

The Navy is in the process of finalizing the criteria the service will use to assess its security measures, McCoy said. "These may or may not be the same things OMB chooses to use," but they will encompass OMB's questions.

"We know that doing this report is part of the process," she added.

GISRA expires on Nov. 29, 2002, but several efforts under way in Congress seek to extend its authority, most notably the Federal Information Security Management Act, introduced by Rep. Tom Davis (R-Va.).

Christopher J. Dorobek and Rutrell Yasin contributed to this story.
 **************************
Federal Computer Week
Tech firms could get homeland coverage
Bill would provide liability insurance

A House panel approved a proposal July 11 that would require the federal government to step in and provide liability insurance for information technology companies working on homeland security contracts.

The provision, drafted by Rep. Tom Davis (R-Va.), chairman of the House Government Reform Committee's Technology and Procurement Policy Subcommittee, would guarantee that IT companies have sufficient liability coverage in the event of a catastrophe.

The committee tacked the provision on to the Homeland Security Act (H.R. 5005), which is making its way through congressional committees.

The pitch is simple: Contractors are arguing that companies developing new anti-terrorism technologies with life-or-death consequences could be driven out of business if they are sued because of a product failure.

Although private companies are able to purchase their own insurance plans, many fear they would not be able to get enough coverage to protect them against lawsuits that could force them into bankruptcy.

"The potential liabilities associated with homeland security-related activities can be enterprise-threatening and may well cause many cutting-edge firms not to compete for homeland security contracts without adequate protections," Davis said in a statement. Davis' amendment would require companies, on a case-by-case basis, to shop around for the best insurance and would provide additional guaranteed coverage from the government.

David Marin, Davis' spokesman, said there is one law that protects companies from risks in the event of a disaster relating to national defense.

But the law covers contractors working at specific agencies, not the proposed Homeland Security Department, the CIA, the Justice Department or the U.S. Postal Service, a quasi-governmental agency. And it does not cover claims when technology is sold to commercial establishments or state and local governments.

The legislation is "based on the premise that Congress should ensure the availability of technologies that could make people and facilities across the nation less vulnerable to terrorist threats," Marin said.

Many companies have already hesitated to bid on homeland security contracts because of the liability problem, according to David Colton, vice president of strategic initiatives at the Information Technology Association of America.

"The blue-chip technology and integration companies have elected not to participate because of the fear that they would be exposing the entire corporation by participation," Colton said. "This legislation is designed to make sure the very best technology companies and contractors are able at least to submit bids for homeland security."

Nevertheless, consumer groups see the proposal as another way to protect corporate America's pocketbooks.

"Being liable to the public is important," said Bob Hunter, director of insurance for the Consumer Federation of America. "Suppose you are grossly negligent -- you're supposed to put in something that monitors for bombs, and you put in something that monitors for pizza. Why should the taxpayer be liable for gross negligence?"

The legislation now goes to the House Permanent Select Intelligence Committee's Terrorism and Homeland Security Subcommittee, which will merge various parts of the legislation requested by the Bush administration to overhaul government and protect America.

***

Homeland security action

Highlights of amendments in the Homeland Security Act of 2002 (H.R. 5005) made by the House Government Reform Committee include:

* An amendment, based on H.R. 2435, that promotes voluntary information sharing about threats to the nation's critical infrastructure.

* Language that mirrors H.R. 3844, the Federal Information Security Management Act of 2002, which permanently reauthorizes and strengthens the Government Information Security Reform Act.

* A new section based on H.R. 4629 that will help the government evaluate homeland security technologies and reward private-sector innovation.

* An amendment that expands and clarifies the proposed Homeland Security Department's authority to manage its real property holdings.

* Procurement reform language similar to H.R. 4694 that gives the proposed department the tools and flexibility it needs to acquire critical goods and services quickly and efficiently, while maintaining important safeguards.
******************
Federal Computer Week
OMB to post IT checklist
Managers expected to cross-check list before budget request


The Office of Management and Budget's message to agencies is clear: Don't ask for money to fund an information technology system if a similar system already exists.

This week, OMB plans to post a list of governmentwide information systems that support business operations and public services. Federal managers are to use this list to find similar services or systems before making an IT budget request.

If managers find a service or program that is similar in the so-called business reference model, OMB officials want managers at the respective agencies to work together to use or build a single system, thereby reducing the amount of redundant spending on IT.

The business reference model, a fundamental piece of the Bush administration's E-Government Strategy, "depicts, from a process view, truly the entire enterprise of the federal government," said Norman Lorentz, OMB's chief technology officer.

OMB plans to post the model July 18 in time for IT managers to use it to make budget requests for fiscal 2004. OMB will begin formulating the fiscal 2004 budget request for the Bush administration this fall.

The business reference model splits the business of government into three areas, Lorentz said: citizen services, support services and government enterprise operations. Under each area of business are the many subfunctions that are the agency applications and services.

The business reference model is part of the federal enterprise architecture, which Debra Stouffer began to assemble while on detail to OMB in January. "They're taking what I built, and applying it to making smart budget decisions," said Stouffer, now CTO at the Environmental Protection Agency.

The work on the enterprise architecture and the business reference model continues with the Solutions Architects Working Group, which is overseen by Bob Haycock, who is on detail as chief architect at OMB from the Interior Department.

The working group is developing two key pieces of the business reference model: a management and oversight plan that will ensure consistency in updates and new releases, and a business performance reference model, which will be the framework that OMB will use to measure investment outcomes.

Other reference models, such as those for data, applications and technology, are at various points of development and will be released in the coming months, he said.

The business reference model will be available on a Web site accessible only by agency personnel, although parts of it likely will be released to the public in time, Lorentz said.

This year, OMB pulled together the information in the business reference model from agencies' fiscal 2003 budget requests. However, in the future, agencies will be expected to update and manage their portions of the model themselves, Lorentz said.

All enterprise architecture work will be done through the Enterprise Architecture Management System (EAMS), a Web-based repository structured around the business reference model, Lorentz said. Many agencies are already using Extensible Markup Language-based capital planning tools such as the IT Investment Portfolio System, but OMB also is developing an XML schema to integrate all agency capital planning information into EAMS, Lorentz said.

***

Building blocks

Timeline for the pieces of the federal enterprise architecture:

Business reference model -- Available July 18

Business performance reference model -- Draft due mid-August

Data reference model -- Under development

Application capability reference model -- Draft due mid-September

Technology reference model -- Draft due mid-September
**************************
Federal Computer Week
Security regs drive shipping firms online

In the face of heightened terrorist alerts, shipping companies are being required to meet tougher rules and regulations to move cargo around the world. And many of them are using Web-enabled services to ease the way.

The United States is not the only country to tighten cargo security regulations in the wake of the Sept. 11 terrorist attacks, but every nation has different rules, according to Greg Stock, vice president of marketing for Vastera Inc., a global technology solutions firm.

"What's happened since [Sept. 11] is that every company recognizes that they need to do their part to fight terrorism [and make] sure they are not doing business with potential terrorists," Stock said. "You need to know who your customers are."

Vastera uses Web-enabled technology to help shippers determine the rules in every port of call and what forms they need to file electronically before loading or unloading their cargo.

Vastera's product manages the system for shipping companies that lack the staff or technical knowledge to do it on their own, and it keeps track of all cargo, so a shipment does not sit idle and vulnerable to being used to smuggle contraband.

George Weise, former Customs commissioner and now Vastera's vice president of global trade compliance, said customs agencies worldwide have been performing more risk assessments of cargo in light of growing terrorist threats.

"The only way to look at it is not transaction by transaction, but by risk factors and get to know your importer," he said.

The risk of contraband or weapons of mass destruction being smuggled aboard a ship is growing even though an estimated 80 percent of world trade is handled by 20 percent of importers, he said.

"You need to know where your goods are at every point of the process and have security measures in place all the way through," he added.

Rob Quartel, a former Customs official and now chairman and chief executive officer of FreightDesk Technologies LLC, a technology company with a transportation management application, describes it as a case of self-policing.

"Customs is very much asking the industry to voluntarily deal with these issues," he said. "That is necessary, but it is absolutely not sufficient. This is a process that the government has to be very much involved in. You really need to gather the data well before it actually moves."

To help companies do their own screening along the way, Vastera provides profiles of countries that manufacture products that terrorists could use. A Vastera profile of Brazil, for example, cautions that the South American country has developed biological material that could be deadly, and Libya and Iraq reportedly have been interested in Brazil's ballistic missiles.

Concerns about the country's biological and missile programs mean there will be "a restrictive attitude toward the export of biological and missile-related technology from the European Union and the United States," according to the profile.

"No one wants to be the next CEO who makes the mistake of sending goods to a known terrorist," Stock said.

To keep that from happening, Vastera has a database of more than 400 names from the State Department and other sources that includes terrorists and drug felons and traffickers so companies can run the names against customer lists.

"Companies are going to find that trade in this new paradigm is much harder," he said. "But with the Web technology, companies are able to update changes every day and tap into ways to automate the process of getting goods across borders."

Even before Sept. 11, Vastera was developing technology to ease the way for shippers and other kinds of cargo carriers. The company provided management services that helped companies navigate the complex maze of trade and tariff rules, calculate the real cost of importing and exporting, and supply the required electronic documents.

Adrian Gonzalez, an analyst with the Arc Advisory Group Inc., a market research and consulting firm, said Vastera is part of a growing trend of merging technology with managed services.

"Vastera is a good example of how [it plays] out in the realm of international trade," Gonzalez said. "When you look at international trade, technology by itself has limited value. It's really about people, processes, technology."

Vastera's customers include Nortel Networks Ltd., Lucent Technologies and Dell Computer Corp.

"If you are shipping a camera from the United States to Germany, there are 12 to 15 documents that have to accompany the camera," Stock said. "Our software figures out the right classification [and] tells you what it costs, because when goods get to customs, you don't want it to sit there for long."
*************************
Federal Computer Week
Feds get carded
Agencies turn to smart cards to tighten security


Two years ago, smart cards were something of a novelty for federal agencies. But times have changed, and the events of Sept. 11 have boosted their worth as a tool for tightening security and providing a way to control access to buildings and computer networks.

New laws are adding to the urgency. For example, the Border Security Act, signed by President Bush in May, mandates development of a machine-readable, tamper-resistant biometric method of monitoring foreigners as they enter and exit the country. Smart cards are likely to be the only feasible way of doing that by the October 2004 deadline.

And technical developments are pushing aside some past objections to smart cards. Late last month, the National Institute of Standards and Technology published an interoperability specification described by some as the cornerstone of future government smart card programs. If adopted by agencies, the specification will enable different vendors' cards and readers to work with one another, which is seen as an important step in convincing agencies to use the technology.

Still, doubts persist. Slow buy-in by top agency managers, concerns about costs in an era of ever-tightening budgets and suspicions about the reliability of the technology have so far kept a lid on what might otherwise have been a rapid deployment of smart cards.

"I do think the rate of interest has increased after Sept. 11, but the knowledge level [about smart card technology] is marginal at best," said Mike Brooks, director of the General Services Administration's Center for Smart Card Solutions. "We are working on educating people on the attributes of [smart cards] and about the multiple applications that can be put onto them."

Because smart cards include relatively powerful microprocessors and some local memory, they can work with agency applications while carrying such information as biometric identifiers of the card's user and digital certificates that can be used with an agency's public-key infrastructure.

Many agency officials say they would move to smart cards if they had the money, said Mickey Femino, director of GSA's Center for Innovative Business Solutions. "Otherwise, they have to take the funds from current line items, and then it becomes difficult. Beginning pilot programs is easy, but to fully develop programs, they need to see the [specific] dollars in their budgets."

Brooks said GSA officials are working to convince agencies of the long-term savings smart cards will bring so that they will be less reluctant to redirect current resources to fund a smart card program.

Problem Solved

Nevertheless, Brooks feels the tide is turning. "Before Sept. 11, smart cards were a solution looking for a problem," he said. "We have the problem now, and we need to promote the use of smart cards as one of the tools people can put into their security toolbox."

A report from GSA's Office of Electronic Government shows that agencies have issued slightly more than 1.4 million smart cards and projects that usage will increase to more than 4.3 million cards during the next year or so. The report covers programs at 24 agencies, ranging from large military deployments to small-scale pilot programs such as the one under way at the U.S. Patent and Trademark Office.

USPTO had 15 cards in use when the research for the report was conducted, but officials expect to reach a full deployment of around 8,500.

The biggest government project is the Defense Department's Common Access Card (CAC) program, designed to provide a new military identification card and a means for securing access to military facilities, computers and networks. More than 800,000 cards have already been issued, and plans call for a total of up to 4.5 million to be issued by the end of 2003.

The scope of the program is truly global, with around 900 sites in 13 countries involved in issuing the cards. But the program is nearly a year behind schedule, mainly because of problems associated with handling such a widely distributed system rather than issues with the technology itself, according to Gordon Hannah, a spokesman for the CAC program.

"The initial goal was aggressive and deliberately so, in order to keep people moving along," he said. "The bad news is that we haven't been able to expand it as quickly as we would like, but some negative issues in a program of this size are inevitable. And going from the initial tasking to converting all of the issuance workstations in around a year is really working at Internet speed for a government agency."

As many as 13 million smart cards could end up being issued under the program. The final number will be determined by such factors as how many military family members are also DOD employees and how many military retirees still need access to facilities. However, there is no formal requirement to go beyond the initial target population of around 4 million, Hannah said.

On a smaller scale, State Department officials began looking at smart card technology more than seven years ago. They are in the process of capturing photographs and data on the 20,000 employees in the department's National Capital Region for cards that will be used to gain access to the department's buildings. That project should be completed by the end of July.

However, the cards have always been intended for other uses as well, said Lolie Kull, program manager for the Bureau of Diplomatic Security's smart card project. State's PKI office will place digital certificates on more than 2,000 cards by the end of the year, she said, and a number of programs under consideration would use the cards for access to computer systems. Eventually, all State employees will use smart cards.

Culture Change

Perhaps the hardest part has been getting buy-in from the department's upper management. There has been interest, "but no strong support," Kull said. "So far, it's been a difficult way to do this. We've had to justify all of our steps, why we needed more money for this and that, and so on."

She believes a cultural change is necessary if State is to make full use of smart cards' capabilities, and that could take five years.

But a slow approach might be the right way to go, according to Randy Vanderhoof, acting president and chief executive officer of the Smart Card Alliance, an industry organization.

"We are very pleased at the aggressive position the government has taken to stop researching [smart cards] and actually start putting them in place," Vanderhoof said. "And the proof that it can be done and done effectively is the DOD CAC program."

But he feels agencies might be moving too fast. "I am not in favor of getting the technology out there just to get it in place quickly," he said. "I think the government is doing what it can to get the pieces in place, but there needs to be a way to get it done in a decent fashion so that things work well and policy decisions can keep up with the technology deployments. Otherwise, we could have public relations problems."

Although none of the programs under way at agencies were begun as a result of the events of Sept. 11, most of them were affected by them; if nothing else, the terrorist attacks prompted a change in the initial focus of existing smart card programs. Most now stress the initial use of smart cards for physical access to buildings.

One program that is a direct result of the terrorist attacks is the Transportation Worker Identification Card (TWIC) initiative at the newly formed Transportation Security Administration. TWIC, which will begin with several pilot projects this fall, will be used as an ID and building access card by workers at airports, seaports and other transportation hubs. Eventually, TSA could issue up to 13 million cards.

The Federal Aviation Administration has issued a request for proposals for a smart card program that will serve as the initial pilot project for the TWIC effort. That pilot project will last for about nine months, said Michael Brown, director of the FAA's Office of Information Systems Security. Officials will begin procuring cards for agencywide distribution shortly afterward, with the goal of issuing smart cards to the FAA's 50,000 or so employees and a similar number of contractors.

Problems may still lie ahead for this and other programs, but most observers agree that there is no longer any question about whether smart cards have a future in North America, and the U.S. government is leading the way.

"It was the case several years ago that we saw the government was moving but just not fast enough," said Paul Beverly, vice president of smart cards at SchlumbergerSema, one of the world's major suppliers of smart cards, and chairman of the board at the Smart Card Alliance. "But over the past year, I think the government has taken a real leadership role."

However, inertia is a problem at many agencies, according to GSA's Femino. Although the terrorist attacks have pushed officials to reconsider their approaches to security, many agencies already have systems in place and question why they should change them, he said.

According to Brooks, one solution could be an executive order requiring agencies to adopt smart card technology, along the lines of what the DOD brass did for that department's smart card program. In fact, officials from GSA and other agencies with a strong interest in smart cards recently visited the Office of Management and Budget to make their case for having the Bush administration issue such an order.

OMB officials will say only that they are reviewing the need for a public statement on the use of smart cards by government agencies. Brooks is more confident and predicts "an 80 percent chance" that such an order will be issued soon.

Robinson is a freelance journalist based in Portland, Ore. He can be reached at hullite@xxxxxxxxxxxxxxx
****************
Federal Computer Week
DOD demands faster, better cyber intell


Striking a balance between the Defense Department's dwindling human intelligence resources and its advancing information technology tools, and acting quickly on the information gathered, is essential to protecting the armed services against cyberattacks and succeeding in the war on terrorism, according to military leaders.

Lt. Gen. David McKiernan, director of Army operations, said cyberwarfare is a threat that the armed services must monitor daily because "a modern or future opponent can get into our decision-making through the cyber domain." It is especially difficult to defend against these attacks, he added, because strikes can originate from anywhere.

But the hardest part comes when that enemy is no longer online. "At some point, if the opponent is blended in with the local culture, tribe or city and is not talking on signals or with computers...then you have to gather intelligence through human sources," McKiernan told Federal Computer Week after testifying at a July 11 hearing of the House Special Oversight Panel on Terrorism. "We need to develop the full range of capabilities and the right regional expertise, and do it over the long haul."

Air Force Maj. Gen. Randall Schmidt, assistant deputy chief of staff for Air and Space Operations, said that coordinating the intelligence, surveillance and reconnaissance network in Afghanistan internally, and among the services, took "ingenuity and cooperation." He added that the process must be speeded up and tightened for continued success.

At a similar hearing last month before the same oversight panel, Navy and Marine Corps officials also agreed on the importance of faster intelligence and information sharing. Marine Corps Lt. Gen. Emil Bedard, deputy commandant for plans, policies and operations, said that real-time intelligence sharing has improved throughout the operations in Afghanistan but is still not perfect.

Bedard said that Operation Enduring Freedom has illustrated the "reach-back" capabilities that technology provides. He used the example of an Afghanistan-based Marine commander receiving terrain, landing zone, route and the latest enemy situation data from intelligence officials in Quantico, Va., in less than four hours.

"Having direct feeds [from] the intelligence-gathering platform to the people working the mission, we need to get better at that," Bedard said.

Rear Adm. Joseph Krol Jr., assistant deputy chief of naval operations for plans, policy and operations, agreed. "Speed is [what] we need to concentrate on," he said at last month's hearing. "Our in-theater ability to operate with our allies has been successful, but needs to get better. We need more plug-and-play situations."

Rep. Jim Saxton (R-N.J.), chairman of the terrorism panel, and ranking member Rep. Jim Turner (D-Texas) expressed concern about the military's ability to share information with the intelligence community, namely the CIA.

Krol said that the Navy receives information collected by spies "eventually, but we're not 100 percent sure what the source is." He added that the service works that data into operations when it can, but that process takes longer than it should because of the unknown source of the information.

At last week's hearing, Rep. Jim Gibbons (R-Nev.) asked the DOD officials for their "most significant intelligence need," and they answered that they needed to increase the development of the same technology: unmanned aerial vehicles, such as the Air Force's Predator, which has been successfully deployed in Afghanistan (see box).

"The ability to provide that asset to operational and tactical commanders, now and in the future...and put it into the hands of the warfighter...is absolutely critical," the Army's McKiernan said.

"This all points to the importance of the detection of intelligence to [the time] where it can be actioned," said the Air Force's Schmidt. "The value of intelligence is only as good as how you action it."

***

'Enduring' successes

Defense Department officials outlined several of the services' technology-aided intelligence successes in Operation Enduring Freedom, including:

* Using prototypes of the Prophet system, a new ground-based surveillance system that enables commanders in the field to intercept radio frequency signals generated by many kinds of electronic equipment.

* Trojan SPIRIT, or Special Purpose Integrated Remote Intelligence Terminal, which can carry high volumes of secure intelligence from national agencies and Army headquarters to commanders in the field. The tool was used within hours after the Sept. 11 terrorist attacks and has supported subsequent national security events, including the Super Bowl. A lightweight, portable version has been deployed in Afghanistan.

* The Air Force's Predator, an unmanned aerial vehicle that uses radar, a television camera and an infrared camera for surveillance, reconnaissance and targeting.
************************
Federal Computer Week
New reasons to get thin-client computing
Telecommuting, post-Sept. 11 priorities renew interest in thin-client computing


Two years ago, the General Services Administration Public Buildings Service's New England region assembled its employees in a town hall meeting. Such get-togethers, aimed at uncovering problems and soliciting suggestions, are not unusual for the agency.

But as Jim LeVerso, chief information officer of the region, listened to the proceedings, it occurred to him that this meeting was different. In the past, employees lobbied the administration to allow them to do more work away from the office. "This time, it was the administration that was saying, 'We want you to telecommute. Tell us what we need to do to make that possible,'" LeVerso said.

Telecommuting appears to be changing from merely a convenience for workers to a strategic goal for some agencies. Similarly, the technology that LeVerso chose to enable the telecommuting program, server-based computing (SBC, also called thin-client computing), is taking on a more important role.

In SBC, software applications, from word processing programs to accounting applications, run centrally on a server, and only the user interface and necessary files and data are transmitted to users' PCs or other Web-connected devices. This approach makes it an effective platform for telecommuting. SBC backers say that its approach also makes it well-suited for two new post-Sept. 11 priorities: enabling more data sharing by agencies and helping agencies to continue running in case disaster strikes.

Catching On

SBC has been available for several years, but David Friedlander, an industry analyst with Giga Information Group Inc., said that the biggest change in government as well as commercial usage is the increase in the size of installations.

"During the past two years, SBC has been moving steadily upstream from its start as a workgroup solution to enterprisewide deployments," he said. He pointed out that more robust management tools and performance enhancements have encouraged agencies with large numbers of users, such as the GSA Public Buildings Service, to consider SBC.

Before choosing an SBC solution, LeVerso and his colleagues laid out the requirements for the future telecommuting program. A good system would enable employees to:

* Access all applications from any PC.

* Run applications at home, on the road or at a client site, even if it meant connecting to the office server via low-speed dial-up lines.

* Start work at one location and pick up where they left off at a different location with no loss of data.

It was already a tall order when GSA officials added, "'Figure out how to make it happen. And by the way, we can't offer you any additional resources or people,'" LeVerso said.

Unfortunately, the office's applications were too resource-intensive to run efficiently on a wide-area network. The plan might work if information technology administrators paid a lot of attention to network resources and required employees to use only high-bandwidth lines. But that did not fit the telecommuting program's "anywhere with any connection" requirements.

What did fit the bill was SBC technology that LeVerso had seen demonstrated by Citrix Systems Inc. of Fort Lauderdale, Fla. With Citrix MetaFrame now installed in their data center, 300 employees of the Public Buildings Service's New England region and some users at the other regions can launch applications from anywhere, just as they would if the applications ran on their PC or a local-area network, by clicking on an icon.

That mouse click launches MetaFrame software on the server, which runs the business application the user wants to access and manages the communications session. To users, even those on a dial-up connection from home, the application runs about as fast as it would on a LAN-attached PC, LeVerso said.

The Secure Sockets Layer protocol, with 128-bit encryption, is used to protect communication between the client and server. And because each user's files are maintained on the server, the machine the employee happens to be using is irrelevant, as long as it can connect to the application server via the Internet or a network.

"For years, the goal of IT was to make computing a utility, like switching on a light," LeVerso said. "With this architecture, I think we finally did it."

New Drivers

Don Leckrone, director of Defense Department accounts at Santa Cruz, Calif.-based Tarantella Inc., sees two new security concerns pushing federal agencies to consider SBC.

The first is disaster recovery. Users who must evacuate buildings can simply go to PCs in other offices and pick up where they were interrupted. And the decentralized nature of the Internet, built that way to withstand an attack, means the network will always be available. Also, the server, the most vulnerable component of SBC, can be protected easily through standard backup practices such as mirroring, which involves creating a replica of the primary system at another site.

Second, new homeland security procedures require new types of collaboration. "Many people are starting to have to work on applications that their agencies don't own," Leckrone said. SBC is an easy way to authorize new users without having to load software on their PCs or even take into account the operating system they are using.

Another driver is the increased popularity of Web portals.

"Workers want more consolidated and personalized access to all their applications," Friedlander said.

In fact, consolidated access to applications is one reason that officials at the Interior Department's National Business Center (NBC) decided to use Citrix MetaFrame to develop an SBC solution for financial reporting.

"We provide a single point of entry to all our applications through a Web page," said Mike Sciortino, a system manager at NBC. That approach "makes it very easy for our users to configure their workstations and connect to the system."

Interior has used MetaFrame since June 2000 to provide access to financial reporting software and other applications, including Microsoft Excel and a text editor. About 250 people use the system.

Sciortino said that before moving to SBC architecture, Interior had problems with large amounts of data clogging its network. As a result, users suffered with poor performance connections and corrupted databases.

Now that program files and data files are centrally located on two side-by-side servers, the applications run more smoothly and data corruption does not occur, he said.

Another advantage of SBC, according to Sciortino, is that software upgrades are much easier to manage. Before using MetaFrame, NBC would have to install full upgrades on each PC that accessed the system and struggle with the inevitable compatibility problems. Now software upgrades only have to be installed on the central application server. As soon as users log off and back on, they're working with the latest version.

SBC may be the right technology at the right time. Security considerations, new collaboration requirements and budgetary constraints are forcing agencies to seek new ways to launch and manage applications.

SBC, which is finally becoming enterprise-ready, may be one solution to those problems.

Stevens is a freelance journalist who has written about IT since 1982.

***

Three other perks

The primary advantages of server-based computing (SBC) are reduced costs, easier administration and increased security. But there are other advantages, according to Christa Anderson, author of "The Definitive Guide to Citrix MetaFrame XP." According to her:

* SBC helps bring more people into the fold. Many agencies have employees who use non-Microsoft Corp. Windows operating systems on their computers, primarily the Apple Computer Inc. Mac OS or Linux. Those users usually have to move to a Windows machine to access the agency's enterprise applications. SBC automatically extends the applications to all platforms.

* SBC delays hardware upgrades. "A hidden cost in any software upgrade is the cost of replacing all the hardware [that] no longer works well with the new application," Anderson said. SBC removes hardware considerations from any upgrade project.

* SBC ensures more efficient use of computing resources. For resource-intensive applications, SBC architecture can provide more bang for the buck. An application accessed by, say, five people on a server uses less memory and processing power than the total resources for the same application run on five separate PCs, Anderson said.
****************************
Government Computer News
OMB gives agency e-gov work a passing grade
By Jason Miller


In the last four months, 16 agencies, led by the National Science Foundation, have made significant progress toward President Bush's e-government goal, the Office of Management and Budget said today.

OMB released a midyear report card showing agencies' status toward meeting the five categories of goals laid out in the President's Management Agenda.

The report card comes five days after Bush sent a memo to department chiefs commending agencies who have actively engaged in e-government and urging those who have not "to follow their lead."

OMB evaluated the 26 major agencies using a green, yellow and red scoring approach. Green means agencies have met all standards for success; yellow means agencies have achieved some, but not all the criteria; and red means there are some serious problems.

Agencies showed the most progress in the e-government and financial management areas. OMB gave 16 green and 10 yellow scores under e-government and 16 green, nine yellow and one red under financial management. Agencies showed less progress under the other subjects: 12 green for human capital, 13 green for competitive sourcing and nine green for budget and performance integration.

For e-government efforts, only NSF improved its current status, to green from yellow. It had already received a green score for financial management when OMB issued the first round of scores in February. OMB said the agency met "all of its core criteria" and developed "a process to implement corrective action plans for program level information technology security weaknesses."

"The federal CIO Council had strategic planning off-site in April, and we committed to making major progress on the 24 e-government initiatives over the next 12 months and helping each other through cross-agency budgets," said Mayi Canales, co-chairwoman of the CIO Council's E-government Committee and acting CIO of the Treasury Department. "You will find at the CIO level a continued planned progression toward green."

Five other agencies also saw changes in their current status. The Energy Department improved under human capital to yellow, the Labor Department earned a yellow score for its improvements in financial management and the Social Security Administration advanced to yellow under budget and performance integration. NASA and the Small Business Administration were downgraded to red under financial management.
**************************
Government Executive
White House position on FOIA exemption attracts critics
By Drew Clark, National Journal's Technology Daily



The Bush administration this week endorsed a Freedom of Information Act (FOIA) exemption for data about computer networks and other security issues that appears to yield little ground to environmentalists and open-record advocates.


The question of how extensive such an exemption should be has stirred partisan disagreement, with many Democrats questioning the need to exempt voluntarily submitted information from FOIA disclosure.

But in a win for the technology industry, united with utilities, financial services firms and manufacturers, the White House weighed in with draft language that includes both elements.

A draft of the bill prepared by the House Select Committee on Homeland Security has included the FOIA exemption, the potential limitation of liability, and language that provides an antitrust exemption for businesses that share information deemed vital for "critical infrastructure security."

The text of the applicable provisions in the Select Committee's draft mirrors those drafted by Rep. Tom Davis, R-Va., and passed late Thursday night by the House Government Reform Committee. The committee accepted an amendment by ranking member Henry Waxman, D-Calif., clarifying that the exemption did not apply to lobbying activities.

Many Democrats have been skeptical because of an aggressive campaign against the exemptions by environmental groups. The bill creating a Homeland Security Department authored by Senate Government Affairs Committee Chairman Joseph Lieberman, D-Conn., contains no similar provisions.

The antitrust exemption in the Davis bill passed on Thursday differs from previous versions in that it gives the president the authority to declare that private-sector centers established to share such information receive an existing antitrust exemption found in the 1950 Defense Production Act. A Davis spokesman said Friday that the administration is supportive of that approach.

Although administration officials failed to return calls seeking clarification, in May, John Malcolm, deputy assistant attorney general in the criminal division, raised questions about both the antitrust exemptions and the provisions that information disclosed to the Homeland Security Department could not be used "in any civil action arising under federal or state law if such information is submitted in good faith."

Open records activists have voiced a similar fear. "How, in a week where Congress is focused on corporate wrongdoing, malfeasance, and scandal, could you present in a serious manner measures that give [businesses] a get out of jail free card?" questioned Gary Bass, executive director of OMB Watch.

Spokesmen for other public interest groups presented scenarios in which businesses voluntarily release information about security vulnerabilities in the expectation that it will then not be used against them.

Business groups and legislative supporters paint such scenarios as far-fetched, and said that the bill will not impede regulatory investigations. "This amendment is very narrowly defined, and only seeks to address information that is deemed essential to the economy and to national defense," said Davis spokesman David Marin.

They argue that the measures are necessary to create a "good Samaritan" exception that would encourage businesses to strengthen computer security, said Mario Correa, director of Internet and network security policy for the Business Software Alliance.
**************************
Computerworld
New specs released for wireless speech, text delivery
By TODD R. WEISS


The continuing development of text-to-speech capabilities for wireless devices received a promising boost today with the release of the first specifications by the industry-led SALT Forum.
In an announcement, the SALT Forum, the group of companies that's been working since last year to establish Speech Application Language Tags (SALT) to accelerate text-to-speech capabilities in wireless devices, said its first specifications have been assembled and submitted to an unnamed standards group for consideration.


Once the first specifications receive the nod from the standards group, the SALT Forum members hope that developers begin using them to create new applications and hardware with new speech capabilities.

Rob Kassel, product manager for emerging technologies at SpeechWorks International in Boston, one of the SALT Forum companies, said that by having clear specifications and support from a standards group, SALT hopes to encourage the next round of innovation in speech and text features in wireless devices.

Already there are voice XML standards for voice capabilities on desktop computers. But the SALT specifications seek to add advanced capabilities for smaller, portable wireless devices such as personal digital assistants, laptop computers and the latest wireless phones, Kassel said.

The first Version 1.0 specs are available at the SALT Forum Web site.

"The SALT 1.0 specification provides application developers with a documented way to leverage existing Web markup languages," said Daniel Miller, senior vice president of Voice & Wireless Commerce at The Kelsey Group, in a statement. "Its release by the SALT Forum marks a major milestone that should accelerate integration of automated speech, multimodal and telephony applications."

The SALT Forum, created in 2001, has developed specifications that define a set of lightweight tags as extensions to commonly used Web-based programming languages such as HTML, XHTML and XML, while incorporating existing standards from the World Wide Web Consortium and the Internet Engineering Task Force. This allows developers to add speech interfaces to Web content and applications using familiar tools and techniques.

Philip Marshall, an analyst at The Yankee Group in Boston, said the SALT specifications will eventually bring more developers and companies into the emerging market segment as users seek new capabilities for their wireless devices.

The SALT Forum, based in Boston, includes Cisco Systems Inc., Intel Corp., Microsoft Corp., Aliant Telecom, Cambridge VoiceTech, Carnegie Mellon University, Fonix Corp., InfoTalk Corp., Multi-Modal Technologies, SnowShore Networks and Verizon Wireless.

The group is working to develop a royalty-free standard that works with existing Web markup languages to provide spoken access to many forms of content through a wide variety of devices.

Announcement, see: http://www.saltforum.org/press.asp
SALT Version 1.0, see: http://www.saltforum.org/salt.1.0.FinalSpecification.doc
***************************
MSNBC
Virus tempts with peek at passwords

'Frethem' spreading around Internet quickly

By Bob Sullivan
MSNBC

July 15 - A new computer virus with the tempting subject line "Re: Your password!" began worming its way around the Internet Monday. Dubbed "Frethem," the virus is rated a medium risk by most researchers because it is spreading relatively quickly. According to antivirus firm Symantec Corp., Frethem has already infected computers inside 25 companies since its initial discovery early Monday.
A computer specialist at the National Institute of Standards and Technology, Joe Matusiewicz, said Frethem was hitting the agency very hard: one copy of the worm was arriving every minute, he said. Fortunately, systems there were stripping the worm off e-mails before they were sent to recipients.
Still, Frethem is not expected to reach outbreak status on the level of Melissa, or even the more recent Klez worm. Infection rates are not dramatic. Vincent Gullotto, senior director of McAfee's Avert Labs, said his firm has received about 100 submissions of the worm; Symantec says it has received word of 112 individual computers that have been infected. But that number might be a little deceiving, says Steve Trilling, director of research at Symantec.
"It's pretty significant that 25 different corporations have been hit by this thing," said Steve Trilling, director of research at Symantec. "For any one of those, they may only submit one report, but that could reflect many, many infections inside the company." Symantec rates the worm's threat as a 3 on a scale of 1 to 5.
Frethem was actually released in its initial form several weeks ago, Gullotto said. But during the weekend, four variants of the worm were released, including "Frethem.L," which hit Sunday night. That's the variant which seemed to click, and began spreading fast in Asia a little after midnight PT, Gullotto said. Still, while McAfee raised its risk rating to medium at that point, Gullotto thinks the worm will cause only scattered problems.
"It's well under control now," he said at about noon PT. "I do not see an outbreak happening."
Apparently, many Internet users have been tempted to peek at the worm because of its enticing subject line, suggesting it offers some kind of secret password information.
The body of the message says:
You can access
very important
information by
this password
DO NOT SAVE
password to disk
use your mind
now press
cancel
The e-mail includes two attachments: a harmless text file named Password.txt, and the worm, Decrypt-password.exe.
But the worm takes advantage of an old flaw in Microsoft Outlook that allows it to execute even if the victim doesn't open the infected attachment. (MSNBC is a Microsoft - NBC joint venture.) Merely previewing the message in an unpatched Outlook system is enough to cause an infection. A free patch to protect against that vulnerability is available at Microsoft's Web site.
But even users who have patched their systems against that flaw can still become infected if they open Decrypt-password.exe.
But the message body should be enough to tip off users that the e-mail is suspicious, Trilling says.
"The message itself ought to seem a little odd," he said. "People should realize that passwords are not things anyone other that ought to be sending you information about. ... and nobody should be asking for your password."
On the other hand, the message seems to suggest that it offers a password that might open files and unlock secrets for a recipient willing to open it, a temptation some apparently can't resist.
"I suppose in the same way people wanted to open a picture of Anna Kournikova," Trilling said, referring to another successful virus that appealed to Net users' desire to see pictures of the heartthrob Russian tennis star.
Frethem can clog up corporate e-mail systems with extra messages, but the worm doesn't seem to do anything else malicious to infected computers. Only Windows systems are at risk; the worm won't infect Linux, Unix, or Macintosh systems, according to Symantec.
Consumers can protect themselves by updating their antivirus software.


       The Associated Press and Reuters contributed to this report.
**************************

Lillie Coney
Public Policy Coordinator
U.S. Association for Computing Machinery
Suite 510
2120 L Street, NW
Washington, D.C. 20037
202-478-6124
lillie.coney@xxxxxxx