Clips August 14, 2002



ARTICLES

Princeton Disciplining Staff for Yale Web Site Break-Ins
Sex.com case turning dirty
Fortified by Defense Dollars
Is Now a Good Time To Be a Hacker?
Military maps out homeland help
Roster Change
IRS reaches deal to offer free e-filing
Bush Stresses Need for Broadband Deregulation
Florida ready to move past chad of 2000 election
Students tackle simulated rescue with 'robotics war game'
Computer 'bloodhound' finds hard-to-see features in images
White-Hat Hate Crimes on the Rise
Glitch blacks out FBI's Web sites
10% of the world's population now have internet access
Sleeping with the enemy



************************
New York Times
Princeton Disciplining Staff for Yale Web Site Break-Ins
By KAREN W. ARENSON

Princeton University said yesterday that it planned to allow its two top admissions officials to remain at the university despite their lapses in judgment involving a break-in by admissions officials into Yale University's computer system.

In announcing the findings, Princeton's president, Shirley M. Tilghman, said that Stephen E. LeMenager, the admissions official who first broke into a Yale Web site for college applicants, would be moved to another job at Princeton.

She said Princeton would also allow Fred Hargadon, its longtime dean of admission and Mr. LeMenager's boss, to remain in place until next June, when he will retire as previously planned. She said yesterday that Mr. LeMenager, the associate dean and director of admission, had told Mr. Hargadon of the unauthorized entry and that Mr. Hargadon failed to recognize its significance, to prevent other such entries or to report the break-in.

Dr. Tilghman also said that everyone involved in the break-ins, including those who knew about them and did not report them, would be disciplined, though she would not say how many people were involved or how they would be disciplined.

"These actions were wrong," Dr. Tilghman said yesterday during a news conference to report on what Princeton had found in its own investigation and the steps it was taking.

Mr. Hargadon issued a statement yesterday saying that he accepted responsibility for the "inappropriate actions" of staff members and for not calling attention to the misbehavior. He pledged "to restore the complete integrity" of the office in his remaining months.

Theodore O. Rogers Jr., a lawyer for Mr. LeMenager, said neither he nor his client would comment.

Dr. Tilghman said the university's investigation had found that the actions were motivated by a desire to check out the Yale Web site's security and by simple curiosity. The admissions process was not affected, she added.

In April, on the day the Ivy League universities notify applicants of their decision, Mr. LeMenager entered the Yale Web site using birth dates and Social Security numbers from Princeton applicants who had also applied to Yale. He then told his boss and others in the admissions office, some of whom also entered the site.

The Yale site stated specifically that it was intended only for the applicants, not their friends, relatives or anyone else.

Dr. Tilghman said yesterday that she did not yet know whether any legal actions would be taken against Princeton. She said that the university had contacted the students whose information was misused and received indications "that they were satisfied with our apologies." And she said Princeton was cooperating with federal authorities investigating the matter.

Yale's president, Richard C. Levin, said in a statement yesterday that he was impressed by the thoroughness of Princeton's investigation, which was conducted by a former federal prosecutor. Dr. Tilghman said that Princeton would assess all its privacy policies and also the security of its information systems, and that it planned to hire a technology security director.

"One of the lessons of this experience is that even individuals with a high degree of sensitivity to ethical principles in traditional settings can fail to be equally sensitive when technology is involved," she said, "as when someone who would never open a sealed envelope addressed to another person enters a secured Web site."

She said the admissions office was known for not being technologically oriented. "That does not excuse what happened," she said, "but it helps explain their failure to recognize that what happened was wrong."

Similarly, when Mr. LeMenager told a Yale admissions official of his ability to enter the Yale Web site at a meeting of Ivy League admissions officials in May, Dr. Tilghman said, the ensuing discussion at the meeting was about security issues, not about the impropriety of the action.

Dr. Tilghman has asked Nancy Malkiel, dean of the college at Princeton, to oversee a training program for all members of the admissions staff on the privacy and confidentiality of applicants.

"We will learn from this and make changes," she said, "and move on as a better place."
********************
News.com
Sex.com case turning dirty
By Lisa M. Bowman


Although it's an arcane case about property rights in the digital age, the Sex.com saga has all the trappings of a juicy pulp fiction novel: a fugitive on the lam in Mexico, would-be bounty hunters and porn.

Now justices in the 9th Circuit Court of Appeals are hoping to sort out at least one of the issues: whether domain name registrar VeriSign can be held responsible for turning the Sex.com name over to someone who sent the company a forged letter requesting the transfer.

The case offers more than a glance into the prurient world of Net porn. It could have important legal implications for companies that administer domain names, including determining the duties and liabilities for domain name registrars that handle Web addresses. In addition, the case could help settle how domain names are treated under property law.



On Tuesday, a three-judge panel heard arguments from lawyers representing Gary Kremen, the businessman who lost and then won back the rights to the Sex.com domain name from VeriSign, which turned over the domain name; and from Stephen Cohen, the man who tricked VeriSign into giving him the name for five years and now apparently is hiding out in Mexico.

In this phase of the legal saga, which has gone on for more than six years, the appellate judges are trying to decide VeriSign's culpability in the case.

The Sex.com name is one of the most lucrative sites on the Web because it's become a natural destination for those looking for porn. Kremen originally registered the name in 1994. Soon afterward, Cohen sent Network Solutions (which is now owned by VeriSign) a fraudulent letter authorizing the transfer of the name to him.

Kremen sued, and last year he won the name back from Cohen, but he has yet to see the $65 million in damages a judge ordered Cohen to pay him. However, the court also ruled that Kremen cannot sue VeriSign for the transfer because a domain name isn't tangible property. Now Kremen's hoping the appellate panel will overturn that ruling.

During Tuesday's hearing, the judges seemed to cast doubts on VeriSign's claims that it's not responsible for turning the name over to Cohen after receiving his forged letter.

Judge Alex Kozinski wondered how VeriSign's DNS database of domain names was any different from a stock certificate, which he said connects an owner with some property.

David Dolkas, an attorney at Gray Cary Ware & Freidenrich, the firm representing VeriSign, said that if the judges were asking "is the DNS database somehow representative of an ownership right, the answer is no."

"Why not?" Kozinski replied. "Why isn't that exactly what it is?"

Judge Margaret McKeown also grilled Dolkas, asking him if the company is claiming that it has no responsibility at all in the case.

Dolkas reiterated claims that VeriSign shouldn't be held liable, saying the database is simply a neutral translator between Web addresses and domain names.

He said a ruling against his company would "create a world of hurt," opening the floodgates for all types of suits, including contract and property claims from people whose domains are down for just a short while. Dolkas said people who feel they've been wronged in the domain name process already have a variety of private dispute resolution remedies. "There's no hole that needs to be plugged," he said.

James Wagstaffe, a Kremen attorney, argued that VeriSign broke an implied contract that gave his client ownership of the name. "They didn't do what they said they were going to do," he told the court. Wagstaffe said the whole case could have been avoided if VeriSign had simply phoned or e-mailed Kremen and asked him if he approved the transfer. "They do it now. They should have done it then," he said.


The judges will issue a ruling on the matter sometime in the coming weeks or months.


The lively court hearing also touched on a variety of other issues, including Cohen's whereabouts.

At one point, the judges chastised Cohen's attorney for his characterization of the federal judge who ruled against his client. Mike Mayock said the judge was "sucker punched" and "blindsided" by Kremen, an assertion that didn't go over well with the judges.

"You're really standing there telling us he's a fool?" wondered an incredulous Kozinski. "I don't think it's appropriate for you to call a district judge a sucker."

Meanwhile, Kremen said he's planning to reinstate a $50,000 bounty he offered last year for information leading to Cohen's arrest. Cohen apparently fled to Mexico and has failed to appear at several court hearings.
************************
Washington Post
Fortified by Defense Dollars
Government Contractors Help Stabilize Region's Economy
By Renae Merle and Neil Irwin


When the local commercial technology sector collapsed, government contractors got a new title: savior.

While telecommunications and software companies laid off thousands of employees over the past two years, government contractors added to their payrolls. When investors abandoned the highfliers of the new economy, causing their market values to collapse, the companies that worked on federal contracts kept plugging along.

Now, as the local economy regroups after the end of the boom, the brightest regional star is also one of the oldest. More than half of the economic activity in the region can be traced, directly or indirectly, to federal spending, according to the George Mason University Center for Regional Analysis. The massive ripple effect of government spending, filtered through these technology-oriented contractors, is the main reason that the Washington area economy hasn't staggered as badly as other areas that placed big bets on technology have.

"Washington is holding up very well compared to some of the other large tech regions, like Silicon Valley," said Christine Chmura, president of Chmura Economics and Analytics. "The key reason is the influence of the federal government and those contracts."

"Washington didn't get hit nearly as bad as other technology centers because of defense spending," agreed Steven Cochrane, chief regional economist of consulting firm Economy.com. "Defense work is really increasingly tied into telecommunications and Internet infrastructure, and all sorts of weaponry needs millions of lines of software code."

The 11 largest defense contractors in the nation employ more than 48,000 people here, significantly more than companies in telecommunications or software or biotechnology. The shares of the nine largest locally based defense contractors were worth $49.2 billion as of July 31, far exceeding the worth of local companies in the other sectors.

These companies benefited from the boom, as did the WorldComs and MedImmunes, but their boom wasn't nearly as large. Employment rose by about 3,500 jobs between March 2000 and July 31, 2002. While the value of companies in the other sectors was tumbling during that period, the market capitalization of the largest locally based defense contractors rose by more than $29 billion.

But if government contractors find themselves cast in the role of savior, they are not playing the role of miracle worker.

"Federal spending is having an effect on the local economy, but it's obfuscated by the fact that non-federally related technology is still in decline," said Anirban Basu, chief economist of Towson University's Regional Economic Studies Institute. "The net effect is a decline."

So far, federal spending for the war on terrorism has not created enough jobs to keep the region's total employment from falling.

The flood of homeland security spending expected to boost the industry has yet to appear. So far, money has been allocated for just nine contracts out of 12,000 proposals sent to the Defense Department earlier this year. The administration has proposed spending $52 billion more for technology, a 16 percent increase over the current budget.

"I think there were unrealistic expectations that the money being put forth would be a windfall for lots of companies and it's been slower to develop," said Jim Kane, head of marketing firm Federal Sources Inc.

It's a turnabout from the early 1990s, when fears of declining defense spending led contractors to diversify. In 1999, SRA International Inc. launched an emerging-technologies unit to commercialize some of its applications.

"In the mid-1990s as the dot-com [craze] was at a fever pitch, there was a strong market pull to commercial," said Edward Legasey, chief operating officer of SRA.

Now with federal spending expected to hit new heights, SRA is closing down the unit, which reported a $6 million loss last year.

Still, some firms have already experienced an increase in work related to homeland security, although it comes at a cost.

DynCorp Corp. planned to spend three to five years on a $51 million Federal Bureau of Investigation contract to update the agency's computer systems. But after Sept. 11, the FBI decided to condense the contract to 12 months.

That meant an unexpected boost in current earnings, but the firm must fill a future gap in projected revenue, said Paul Lombardi, chairman and chief executive.

Much of the significant homeland security spending is expected to be allocated in the fiscal 2003 budget, which is still being debated by Congress, and may take even longer as policies are developed, industry observers said.

"A lot of the government spending on defense and homeland security is still a projection. It hasn't actually been spent yet, so it hasn't dramatically affected companies in this region," said Jerry Grossman, managing director of investment bank Houlihan Lokey Howard & Zukin.

That hasn't dampened investor enthusiasm for the sector. Six government contractors have been able to raise more than $1.1 billion since Sept. 11, according to research by RBC Capital Markets.

That has helped keep local unemployment rates down, a marked contrast to other tech-heavy parts of the country. But tech workers may also find themselves rebuffed by the federal sector without the right credentials.

Since being laid off by telecommunications equipment firm Tellabs Inc. 10 months ago, Lance Choi, a veteran electronics engineer, has seen more form rejection letters than he cares to count -- and those are just the ones from the would-be employers nice enough to bother sending rejection letters.

Government agencies and contractors often need workers with security clearances, he complains, but won't hire a person without one and then put him through the process of receiving clearance.

The skills needed for government work don't always translate from the commercial sector, local firms said. And many executives of government contractors say that there is a disconnect -- in culture and in technical ability -- between the old-line contractors and the johnny-come-latelies to government work.

In part, it's the same culture clash of a few years ago, when multibillion-dollar companies doing "boring" government work lost out in the competition for workers, investment dollars and public attention to firms that ultimately proved ephemeral. But it's also true that someone trained in telecommunications or software development may not be qualified to design computer networks for large government agencies.

"We have had hundreds of companies doing commercial business come to us in the last year," said Michael A. Daniels, a senior executive with government contractor Science Applications International Corp. "They've never done any business with the federal government, but they come in and tell us that all their skills and capabilities ought to be transferable to that world.

"But when you look at those skills, they're just not transferable. They all want to believe it is. But 75 percent of those commercial companies don't have the skills to do government work."

Coleman Raphael was chief executive of Atlantic Research, a company that makes rockets for missiles, in the 1980s. During the boom, he advised a start-up Internet company. When he urged executives of the company to have a clear plan for how and when it would become profitable, rather than continue open-ended spending on advertising, they dismissed him as a "dinosaur," he recently recalled. The company is no longer in business.

Anteon is inundated with applications for its more than 200 openings, and Pat Dawson, Anteon's senior vice president of administration, said he fields six calls a week from headhunters. It is quite a turnabout from 2000 when start-ups lured employees away with 20 percent raises and stock options, pushing its turnover rate to more than 20 percent. The rate is back down to 10 percent and Anteon has rehired about 90 employees who left.

But Dawson foresees cultural differences as a potential barrier for some tech employees. Applicants used to tons of stock options or a higher pay scale may be surprised by Anteon's more restrained approach, Dawson said.

"We don't have the high margins that would allow us to lavish people with foosball tables," Dawson said. "Our margin levels in the government sector require us to be more conservative with those type of employee benefits."
************************
NewsFactor
Is Now a Good Time To Be a Hacker?


Clark told an audience at the annual Black Hat Security convention in Las Vegas that he blames the lax security of ISPs, hardware makers, wireless network users and the government itself for creating an unstable Internet environment that is ripe for attack. [For the complete story see: http://www.newsfactor.com/perl/story/19011.html#story-start]
************************
Federal Computer Week
Military maps out homeland help


The four main military branches are working on a memorandum of agreement to define what technologies and services they use and how they will work together to support other first responders and the proposed Homeland Security Department.

Michael Albarelli, director of homeland security at the Army Communications-Electronics Command, said a working group, which also includes members from the Air Force, the Navy and the Marine Corps, met last week at Hanscom Air Force Base in Lexington, Mass., to iron out the details of the memorandum.

The Defense Department military services are looking at what technologies, processes and equipment they have that first responders could use in the event of a natural disaster or other national emergency. Lessons learned from last year's terrorist attacks provide the foundation for the memo, which also includes governance on "how we operate jointly in those types of" events, Albarelli said.

Once a final copy of the memorandum is ready, the working group will submit it to the Office of the Secretary of Defense, where officials will review it before submitting it to the proposed Homeland Security Department, he said.

"Everyone has a copy of it, and we're moving out," Albarelli said. "It should be signed in about a month."

DOD is not looking for a leadership role in homeland security, but rather is concerned with how the military services can best support the proposed department, other civilian agencies and first responders in a disaster situation, he said.

"We believe we can help them," Albarelli said.
************************
Federal Computer Week
Roster Change

Daryl White, the Interior Department's former chief information officer, will retire from the federal government Aug. 15. After four years as Interior's CIO, White became the Bureau of Reclamation's special assistant for technology in June. W. Hord Tipton, previously CIO at the Bureau of Land Management, took over the Interior CIO position.

For more, please see "Former Interior CIO retiring"

***

Federal Aviation Administrator Jane Garvey said goodbye to the airspace agency earlier this month, and a Senate confirmation hearing for her designated replacement, Marion Blakey, has been postponed until after Labor Day. Monte Belger, formerly Garvey's deputy, is now acting in her stead, delaying plans to retire.

***

Tammy DiBlasi has been appointed as federal account manager for Okena Inc., a developer of intrusion prevention security software, the company announced Aug. 6.

DiBlasi will be responsible for providing Okena's StormWatch and StormFront host-based intrusion prevention security solutions to federal agencies, including management of existing deployments in the Army, Air Force, Defense Information Systems Agency, Defense Logistics Agency, and departments of State, Treasury, Energy and Justice.

DiBlasi joins Okena with more than 10 years of experience providing technology solutions to the federal government. DiBlasi previously served as federal account manager for Symantec Corp.
***********************
Government Executive
IRS reaches deal to offer free e-filing
From National Journal's Technology Daily


The Internal Revenue Service and a consortium of private-sector firms have reached a deal that will enable approximately 78 million Americans to electronically file their taxes on the Internet free of charge.

Under the proposed agreement, announced by the Treasury Department and Office of Management and Budget, a group of firms including American Express, AT&T and H&R Block will collaborate to enable citizens to file taxes online free of charge at an IRS Web portal.

However, the system applies to 60 percent or more of taxpayers who meet certain qualifications. Treasury will post those criteria in the Federal Register at a later date.

Federal officials seek to have the system up and running by year's end for the 2003 tax-filing season.

The new system fulfills one of President Bush's 24 e-government mandates, and it is designed to increase the speed with which taxpayers receive their refunds.
**************************
Computerworld
FAA moving to enhance integration with Norad
By DAN VERTON


WASHINGTON -- The Federal Aviation Administration is providing the Pentagon's North American Aerospace Defense Command (Norad) with FAA control systems, specifically radar and voice, to improve military air defense operations in the event of another terrorist hijacking.

Although FAA officials said the systems will enable military planners to see the same picture as FAA air traffic controllers and should help improve civilian-military cooperation during any future emergency, the current FAA system for coordinating a governmentwide response to a potential hijacking remains surprisingly low-tech.


A basic voice teleconferencing link established on the morning of Sept. 11 has evolved into what the FAA calls "an events network" and remains in place today as the primary emergency communications network for senior government officials and FAA tactical decision-makers, said Dave Canoles, director of emergency operations and communications at the FAA.

Canoles, who served as manager of air traffic evaluations and investigations during last year's terrorist attacks, spoke to reporters yesterday at FAA headquarters for the first time about the events of Sept. 11. He was responsible for establishing the voice network now in place.

The teleconferencing line is similar to a 24-hour, always-open party line, with coordination and data exchanges "continuously" taking place, said Canoles.

"It's a means of enhancing communications between the FAA, Defense Department, Office of Homeland Security and the Transportation Security Administration," he said.

Meanwhile, the Defense Department has also asked that the FAA send permanent air traffic control liaisons to various military air bases as an additional means of enhancing coordination, said Bill Peacock, director of air traffic at the FAA. "They want several air traffic controllers in their facilities, in some cases 24 hours per day and in other cases 16 hours per day," said Peacock.

Despite the seemingly low-tech nature of the network now in place to provide coordination across the nation's airspace, the FAA on Sept. 11 managed in just three and a half hours to clear the skies over the entire U.S. of more than 4,500 commercial flights. During that time, there were at least 11 "suspect airplanes" that officials feared could have been hijacked; four of those aircraft did, in fact, take part in the attacks.

Although the hijackings that day were not the classic hijackings FAA officials have trained for and experienced over the years, "the calls to Norad were timely. We were all kind of coming to the same conclusion at the same time," said Peacock, despite the apparent lack of IT-enabled understanding among various regional air traffic control centers about what was happening.

However, there were still problems getting the word out to the civilian general aviation community, Peacock said, noting that several general aviation flights took off from civilian airstrips that day despite the grounding of all flights. "They either didn't get the word or they ignored it," he said.

Meanwhile, FAA officials are studying ways to make it harder for hijackers to turn off the aircraft transponders that tell air traffic controllers the current location of the aircraft on radar -- a situation that significantly complicated coordination and response efforts on Sept. 11, said Peacock. He could not provide details on what new technologies might be considered.

"There were a couple of little clues [on Sept. 11] that said the airplane[s] were forcibly taken off-line," said Canoles, referring to the difficulty of deciphering how and why the transponders on the four hijacked aircraft shut down.

The standard operating procedure now is to "treat everything with suspicion," said Linda Schuessler, FAA manager of air traffic evaluations and investigations and someone who was in the FAA tactical operations center in Herndon, Va., on Sept. 11.

The bottom line, said Peacock, is that the FAA is still counting on air traffic controllers to spot the loss of a transponder and determine whether it's the result of a hijacking.
*************************
Washington Post
Bush Stresses Need for Broadband Deregulation
By Brian Krebs


In perhaps the clearest indication of the White House's stance on broadband policy to date, President Bush today praised federal regulators for pursuing a plan to deregulate the market for high-speed Internet services.

"The Federal Communications Commission is focusing on policies to encourage high-speed Internet service for every home and every business in America," Bush said at an economic forum in Texas. "The private sector will deploy broadband. But government at all levels should remove hurdles that slow the pace of deployment."

Administration officials have so far been careful not to endorse FCC proposals or legislation in Congress designed to scale back laws that restrict the incumbent Baby Bell regional telephone monopolies from serving the long-distance broadband market.

In the coming months, the FCC is expected to vote on a proposal to classify telephone-based broadband access as an information service rather than a telecommunications service, a move that would free the major phone companies from a host of open-access requirements. The commission tentatively reached the same conclusion for cable-based broadband service in a separate proceeding earlier this year.

Traditional dial-up Internet service providers say those regulatory moves could prevent them from offering high-speed Internet services over the networks controlled by the phone and cable industries. Consumer groups also broadly oppose the apparent policy shift, arguing that it will drive smaller competitors out of business, effectively limiting consumer choice.
**********************
USA Today
Florida ready to move past chad of 2000 election
By Deborah Sharp, USA TODAY


DELRAY BEACH, Fla. -- The "butterfly ballot" threw him for a loop two years ago, but Edward Japalucci needed only moments to master the new touch-screen machine that many Florida voters will use in next month's primary.

It will take a lot longer for his hard feelings to fade over the 2000 presidential election, when voting mishaps made his county a national punch line and led ultimately to statewide voting changes.

"It wasn't very funny," says Japalucci, 73. "If you're a Democrat, it wasn't very funny at all."

On Sept. 10, the Florida primary will mark the first statewide election since the voting debacle of November 2000. Florida has made broad changes since then. The 30-year-old punch-card technology that was used is now banned. Voter education has increased. And recount rules are standardized.

Election supervisors have been busy demonstrating the touch-screen voting machines at malls, senior centers and small civic gatherings. The screens resemble bank ATMs.

At the Elks lodge here, Japalucci and 26 others turned out recently for a demonstration by Palm Beach County Elections Supervisor Theresa LePore. There were only a few glitches.

"It's a computer. I know that scares a lot of people, especially older people," LePore says. She compared it to other touch-screens, from microwaves to video poker. "Don't be afraid of it."

But with the old punch-card technology, Florida put the outcome of the presidential election on hold through 36 days of recounts, court battles and protests. The U.S. Supreme Court finally settled the stalemate. Of 5.8 million ballots cast in Florida for the Republican and Democrat candidates, George W. Bush beat Al Gore by an official margin of 537 votes.

Florida bore the brunt of national scrutiny of voting methods. But the narrow outcome revealed voting system flaws nationwide. Some 101 million Americans voted in the presidential election.

Researchers from the California Institute of Technology and the Massachusetts Institute of Technology studied the nation's voting technology after the 2000 election. They concluded that between 4 million and 6 million Americans were unable to vote, or their votes were uncounted:

At least 1.5 million presidential votes were lost due to faulty equipment or confusing ballot design.
Registration mix-ups accounted for 1.5 million to 3 million lost votes.
Polling place foul-ups led to 1 million lost votes.

Most Americans were surprised to discover vast numbers of votes are routinely uncounted in a system hobbled by everything from voter error to flawed technology. If victory margins are wide, the spoiled votes rarely become an issue. But in a close race, the shortcomings are revealed.


Which is why a nation learned, through the Florida recounts, about the once-obscure chad. Chad -- not "chads" -- are tiny bits of paper that result after a voter makes selections on a punch-card ballot. Sometimes the chad does not fully separate from the ballot; those are called hanging, pregnant or dimpled chads.

Nearly every state filed election reform measures after Florida's fiasco: a staggering 3,561 bills. By early July, only 440 provisions had passed, according to the National Conference of State Legislatures.

A handful of states, besides Florida, made major changes, including Georgia, Maryland and California.

"Obviously, some momentum has been lost. Congress hasn't produced a bill in almost two years. It's an absolute outrage," says Doug Lewis, of the non-profit Election Center. The center represents about 6,800 election supervisors in counties and other jurisdictions nationwide.

The House has passed a bill to provide up to $2.65 billion over three years to set minimum standards for national elections that would include modernizing voting equipment, improving voter education and training election administrators and poll workers. The effort has hit a snag in the Senate, however, over the insistence of Republicans that first-time voters be required to show photo ID or other documentation to vote.

In Palm Beach County, LePore has held more than 500 demonstrations with the county's $14.4 million voting machines. Fifteen of Florida's 67 counties purchased touch-screen machines. The other counties opted to use optical scan ballots, in which voters pencil in ovals next to a candidate's name, as with standardized school tests.

With touch screens, voters select a candidate by touching a circle next to the person's name. The technology allows voters to review their selections. It also includes some fail-safe measures. For example, it won't allow voters to mistakenly mark more than one candidate in a single race or skip marking a particular race. Such "over-votes" or "under-votes" were a problem in 2000.

The equipment had a rocky debut in Palm Beach County this winter. Problems in two municipal elections led losing candidates to file lawsuits and demand recounts. One of the suits has been dropped.

LePore says touch-screen problems were minimal. This year, some 65,000 people voted in 20 municipal elections, she says, and about twice that number have tried the new technology at demonstrations. The county has 700,000 registered voters.

"The equipment has worked just fine," says LePore, 47, who is serving a second term.

LePore was pilloried in 2000 for the design of the butterfly ballot. It listed the candidates on facing pages instead of down one page. She did it to make the ballot easier for seniors to read, but many voters were confused about which hole to punch for their candidate.

She says she doesn't like to relive those days after the 2000 election, when she received death threats and had to have a security detail.

But memories of that time still divide county voters. Many Democrats say victory was stolen from Gore, while many Republicans say a rightful Bush win was unfairly tainted by protests and recounts.

Bud Harvey, 79, an Elks member and a Republican, praised the new technology after his tryout: "The Republicans are going to win again. This time, without any problems."
*************************
Nando Times
Students tackle simulated rescue with 'robotics war game'


By SCOTT R. BURNELL, United Press International


WASHINGTON (August 13, 2002 3:44 p.m. EDT) - Students gathered Monday around a cardboard mockup of Washington's train station to try their hand at using robots to search for and assist terrorism victims.


The mission was to explore Union Station in the aftermath of an explosion. The teams were assembled from a collection of students, from elementary school through college, who were given a variety of modular pieces from which to create their robot. The exercise controllers threw in various complications, including having complete beginners operate the robots via laptop computers and other controls.

The student "robotics war game," and a parallel simulation where businessmen tested out solutions to rapidly move technology, are preludes to the Naval-Industry Research and Development Partnership Conference, said David Brown, a professor at the Defense Acquisition University.

The organizers specifically looked at bringing young children into the exercise because of their imagination and lack of experience with knowing what can't be done, Brown told United Press International. Combining that thinking with the applications knowledge of older students can be very enlightening, he said.

"There will be some injured people, but there might be terrorists or other threatening people that have to be discriminated from the 'friendlies,'" Brown said. "The biggest part of the challenge is (the physical) gaps in the mockup. It's not a smooth, laid-out course."

Brown ran the exercise at the Ronald Reagan International Trade Center in conjunction with technical experts from the University of South Florida's Center for Robot Assisted Search and Rescue and the New York City Police Department.

At the same time in the room next to the Union Station mockup, groups of business managers and technology developers were going through a parallel war game, focused on delivering new tools to the searchers.

"What we're looking at from the acquisition side is speeding up the development cycle - bringing what today might be eight years down to maybe three or four years," Brown said. "There may be some very good lessons learned if you say, 'You only have three or four hours to do it,' and walk through it."

"A big part of this will be to look at interoperability between different systems built by different people from different parts of the country," Brown said. "We want to see if we can create an integrated system that can actually perform the mission."

The business war game covered such concepts as ensuring a system's software can be easily altered in the field to meet unexpected missions, said Thomas Kowalczyk, a manager at the Office of Naval Research who oversaw both simulations. The program is meant to help companies better integrate their research activities into the Department of Defense's acquisition process, he said.

"Since a significant dollar volume of the government's money is put through the industrial base, the better the industry is at finding and deploying technology, the better the government will be," Kowalczyk said.

Robin Murphy, a USF professor of computer science and engineering and CRASAR's director, opened the exercise with the center's real-world experiences in using robots in the rubble of the World Trade Center. A narrow-minded focus on "what the robot can do" hurts both technology builders and operational teams, she said.

For example, operators might think in terms of "one robot, one person" when in reality two or more people might be needed to carry the robot to a search site or possibly recover the system with ropes, Murphy said. Prior to Sept. 11, some robot makers didn't place a high priority on waterproofing their systems, thinking the robots would "only be involved in searching," she said. During the World Trade Center operations, they discovered exposure to human remains and bodily fluids required the robots to be decontaminated with water and bleach, she said.
***********************
Nando Times
Computer 'bloodhound' finds hard-to-see features in images


By SUE VORENBERG, Scripps Howard News Service


ALBUQUERQUE, N.M. (August 13, 2002 4:54 p.m. EDT) - Los Alamos National Laboratory has found a new solution to the sort of puzzle found in the famous "Where's Waldo?" books: Let the computer do it.


The lab has created a computer program that can pick hard-to-see features out of a larger image. It could be used to find the small character out of the Waldo children's books, but more practical applications include emergencies, planetary exploration and medical science.

"One of the problems we face is that we're inundated with more and more kinds of data - especially in satellite images," said Jeff Bloch, a Los Alamos scientist.

"This works a little like a blood hound," Bloch said. "You give it a piece of clothing from somebody you're looking for and hopefully it picks up a scent and finds other traces of that person."

The program can analyze data 10 to 100 times faster than the human eye could, Bloch said. It also uses a unique programming structure, called a genetic algorithm, that lets it learn and modify itself to get better results.

"The system actually generates its own computer code," he said. "It's a computer program that creates other computer programs, sort of like (how) a population of deer evolves in the wild. It may create 100 programs to help it find a specific feature. The fittest ones survive, the rest are erased. Then the ones that survive are used to create a new generation of programs that perform the task even better."

The program, called GENIE (GENetic Imagery Exploration), was used in New Mexico after the Cerro Grande Fire to determine where the most severe fire damage occurred. A person loads an image into the system and teaches it how to find specific features in a test landscape.

"It's a paint program," Bloch said. "You look at an image and paint in red the things you don't want and green the things you do want. Then an algorithm looks at it and picks things out and asks you if it got the reds and greens right. It refines the process from there."

An algorithm is a systematic mathematical way to solve a problem that many computer programmers incorporate into software.

The initial training of the system often takes an hour or two, and when it's done the program can pick all the key features from a satellite or other aerial image of a large area within a day.

The software was also used to map debris after the Sept. 11 terrorist attacks. The computer can see colors much more distinctly than the human eye can, and it can see things the human eye can't, such as infrared or ultraviolet light.

"After the World Trade Center went down there were satellite images of the damage, but to the visual eye they looked just like Manhattan with a large plume of smoke," said Nancy Ambrosiano, a lab spokeswoman. "We ran GENIE on it and it was able to distinguish the smoke plume, debris field underneath, the hot spots and what was just a shadow from the smoke."

The Sept. 11 use was just a test, Ambrosiano said, but if the debris were toxic, the software could have been used to create a safe radius for emergency workers. It could also show them where the most damage was or where the largest amount of debris had fallen.

The lab is talking to several companies interested in licensing GENIE for a variety of uses. The lab also plans to continue developing it to make it even more efficient and versatile, Bloch said.

"We've only just scratched the surface with GENIE," Bloch said. "There are new applications appearing every month. There are so many new things you get to learn about working on this - it has applications for biomedical imaging, even planetary science and finding features on other planets. It gives glimpses into so many areas. It's amazing."
**********************
News Factor
Protecting Personal Information on the Internet


The details of your life may be only a click away - your birthday, your address, your mother's maiden name. The increasing sophistication and power of Internet search engines, along with growing numbers of online databases, have made finding personal information as easy as typing a name in the computer - yours. [For the complete story see: http://www.newsfactor.com/perl/story/18880.html#story-start]
***********************
Wired News
White-Hat Hate Crimes on the Rise


When hackers broke into Ryan Russell's server and plastered his private e-mails and other personal files on the Internet last week, Russell tried to shrug it off as a harmless prank.

But Russell, editor of Hack Proofing Your Network and an analyst with SecurityFocus.com, also seemed shaken by the incident.

"There's a group out there whose goal in life is to show they're smarter than you and they have the tools to do it," said Russell, a "white-hat" hacker who goes by the nickname "BlueBoar."

The break-in at Russell's Thieveco.com site, which is hosted by a Canadian ISP, appears to be the latest in a series of attacks against white hats and prominent figures in the information security profession.

Claiming responsibility for the attacks is a shadowy group named el8. Earlier this year, members launched Project Mayhem, a campaign designed to "cause worldwide physical destruction to the security industry infrastructure," according to an article published last month in el8's online magazine.

While the authors of el8's e-zine have an obvious penchant for tongue-in-cheek hyperbole and black humor ("Going to Defcon or Blackhat? Initiate a napalm strike," urges one recent article), most victims of Project Mayhem are not amused.

OpenBSD co-founder Theo de Raadt, cited as a top el8 target, angrily refused to discuss the compromise in late July of a file server maintained by the open-source, Unix-based operating-system project. On Aug. 1, a dangerous Trojan horse program was discovered amid the code for OpenBSD, which is used by thousands of organizations and renowned for its security.

While de Raadt wouldn't comment on whether there were any suspects in the case, the lead article in the latest el8 newsletter, published in early July, contains an obvious smoking gun. The article begins with several lines of screen-display from what appears to be an OpenBSD.org system. The "w-command" output suggests that attackers had access to one of de Raadt's accounts.

According to Steve "Hellnbak" Manzuik, co-moderator of the VulnWatch security mailing list, hacker feuds are nothing new, and Project Mayhem isn't the first time that security professionals have been attacked by "script kiddies," or inexperienced hackers.

"The only real difference is that the el8 guys are not script kiddies. Nothing has changed, other than the bar has been raised," Manzuik said.

Much of Project Mayhem's modus operandi appears borrowed from Hollywood. The group's newsletter cribs heavily from the 1999 movie Fight Club, starring Brad Pitt and Edward Norton, which depicts disaffected young males who find release in punching each other out and contemplating the complete and total destruction of society.

"They are referencing it constantly. They're like a copycat of the movie, only moved to the hacker scene," said Thor "Jumper" Larholm, a white-hat security researcher with Pivx Solutions.

Indeed, some of Project Mayhem's recent victims appear to be honoring a recurring line in Fight Club: "The first rule of Project Mayhem is you do not ask questions."

Shane "K2" Macaulay, a member of a hacking counter-attack think tank called the Honeynet Project, had several recent e-mail conversations with Honeynet founder Lance Spitzner, as well as other colleagues, intercepted by hackers and mockingly reproduced in the latest el8 zine. Macaulay declined interview requests.

Other Honeynet members refused to comment on el8's published threats against their project, although one Honeynet participant conceded that "there are people in the movement that may be able to make some of their claims come true."

Why so much venom against white hats, the hackers who ostensibly break software in order to help make the Internet safer? The el8 zines don't clearly spell out the group's motivations, but Project Mayhem appears to be a violent incarnation of the "anti-sec" movement, a campaign to persuade hackers not to publish information about the security bugs they uncover.

"Why be targeted by us when you can join us? Why post info, codes, or bugs when the end result is your entire system, family, and friends being owned? Doesn't it look like more fun to be a black hat than a white hat?" asks el8 in its latest newsletter.

According to Eric "Loki" Hines, founder of Fate Research Labs, el8 members are frustrated by white hats who spill the beans about security vulnerabilities, thereby enabling vendors to create patches and protect users.

"You've got to realize that these people are walking around with exploits that vendors haven't even heard of yet. They're pissed and they've got this almost God-like power that enables them to break into any network that they want," Hines said. He reported that FateLabs.com was knocked offline last week by a denial-of-service attack immediately after the security firm published an advisory about a security bug.

Mark "Simple Nomad" Loveless, a senior security analyst with Bindview Corporation, said el8's stance is just an extreme version of that shared by many disillusioned hackers.

"The commercial security industry is feeding off of white-hat hackers, and with the amount of fear, uncertainty and doubt being slung in the industry, I am not surprised by this feeling from el8," Loveless said.

One recent Project Mayhem victim says being attacked by el8 "made me realize the errors of my ways." Christopher "Ambient Empire" Abad, a security expert with Qualys, confirmed that excerpts of e-mails and other files stolen from his directory on a server were published in el8's latest zine. A message in the newsletter announced that a CD-ROM of his files would be available for purchase at the Defcon hacker convention.

"Not all that glitters is white hat," said Abad, whose new website includes a message that says "Support Hacker Reform ... The rights of the people come before the rights of the corporation and the government."

Other hackers said they are sympathetic toward Project Mayhem, although they were quick to distance themselves from the recent attacks on white hats.

Members of one group, which has recently taken over an Internet relay chat channel named #phrack, last week co-authored a mission statement saying that white hats will be "hunted down" if they continue to publicize information about security bugs.

"If they do not change they will continue to be targeted, and it sucks to get owned, fired, physically beaten," said the #phrack manifesto, which was posted, along with the contents of Russell's home directory, at the website of one of the #phrack channel's operators, a 16-year-old who uses the nickname "gayh1tler."

But Hines said the constant threats he receives from angry black hats will not frighten Fate Research Labs into sitting on vulnerabilities it discovers.

"One of these days, these kids are going to have to pay a mortgage and get a job. And they're not going to become lawyers or doctors -- they're going to do what they're good at. And that means getting a career in the security industry," Hines said.
***********************
MSNBC
Glitch blacks out FBI's Web sites
Outage blamed on accidental misconfiguration
By Declan McCullagh



WASHINGTON, Aug. 13 - The FBI accidentally pulled the plug on its own Web sites on Tuesday morning. A misconfiguration in the bureau's domain name setup meant that many visitors to FBI.gov could not get through. As of 2 p.m. ET, the FBI's configuration problem had been fixed. The apparent error also wiped out the online presence of the FBI's high-tech crime unit, the National Infrastructure Protection Center, at NIPC.gov.

An FBI spokesman said earlier Tuesday that the glitch was accidental and was not the result of a malicious attack. "The server is down," said Paul Moskal. "It's an internal issue here. That's the good news, as opposed to some attack or something."

Early on Tuesday, the FBI's domain name servers started sending empty replies when visitors tried to reach the site. Some Internet service providers kept a temporary copy of the correct information, meaning that FBI.gov and NIPC.gov were occasionally reachable.

The FBI receives its Internet connectivity through Akamai, a Cambridge, Mass.-based company with about 13,000 servers that store data on behalf of clients.

"This has nothing to do with the services that Akamai provides FBI.gov," said Jeff Young, a spokesman for Akamai. "We obviously are continuing to support them however we can."

FBI.gov is an alias for FBI.edgesuite.net, which continued to operate normally. Edgesuite is an Akamai product marketed for e-government use.

Jon Lasser, a Baltimore-area system administrator and author of "Think Unix," said the FBI's mistake was likely "some sort of server misconfiguration. Their host stopped returning the addresses of their Web servers. That's not good."

Easily recognizable names like FBI.gov are translated into numeric addresses through the Domain Name System (DNS).

Microsoft made a similar DNS blunder in January 2001 that knocked out its Web sites for a full day. An embarrassing series of problems centering on a collection of routers in Canyon Park, Wash., took out dozens of Microsoft properties including Hotmail.com, MSN.com, Microsoft.com, and MSNBC.com.

Moskal blamed the bureau's woes on "an internal crash that we all experience occasionally."
**********************
Euromedia.net
10% of the world's population now have internet access
Editor: Cathy O'Sullivan


10 per cent of the world's population, or 580.78m people, have internet access, according to Nua.com's 2002 Global Internet Trends report.

The figure represents an increase of 173.68m since December 2000 when 407.1m people were online.

The report shows that for the first time ever, Europe has the highest number of internet users in the world. There are now 185.83m Europeans online, compared to 182.83m in the US and Canada.

The number of internet users in Asia/Pacific has also risen dramatically over the last couple of years and there are now 167.86m people with access to the net in the region.


The Nua study indicates that if anything, the digital divide between developed and developing nations is as wide as it ever was. While Europeans account for 32 per cent of global internet users, only six per cent of the world's internet users are based in Latin America, and just one per cent each in the Middle East and Africa.

In fact, France has double the number of internet users of either Africa or the Middle East. While both regions have seen a slight increase in the numbers of people who can access the internet, the lack of telecoms infrastructures in these regions means that most citizens remain unconnected.

Nua forecasts that over one billion people will be online by the end of 2005.
***********************
Sydney Morning Herald
Sleeping with the enemy
By Kim Zetter

A good hacker is hard to find, or so it seemed during the dot-com boom. Companies, particularly in the United States, were making the rounds of hacker conferences and IRC channels willing to pay $150,000 for a security guru who was still going through his voice change.

Even the American assistant secretary of defence showed up last year at the hacker blowout in Las Vegas known as Def Con to recruit "the best of the best" for a cyber-terrorism unit.

But as computer security has become more specialised and training has improved, legitimate pros have elbowed aside the teens.

So it seems odd that only 43 per cent of Australian organisations would be willing to hire former hackers to help secure their networks; only 14 per cent of US organisations said they would do the same.

Perhaps it all depends on who you are calling a hacker.

Some of the most respected names in computer security are also some of the most respected names in the hacking community.

And many tools used for testing the security of networks (and, well, for cracking them) were designed by hackers.

Massachusetts-based security firm @stake is composed of former members of the L0pht hacking group, which developed a password-cracking tool called L0phtCrack. Peiter Zatko (aka Mudge), the company's pony-tailed founder, even testified before the US Congress on computer security.

Then there's Chris Goggans (aka Erik Bloodaxe) of Security Design International, who served as editor of the notorious hacker zine Phrack, a cornucopia of illegal tips and tricks. And Rain Forest Puppy (he prefers not to have his real name published), another security pro, has found many holes in Microsoft products and has developed a respectful relationship with that company. But he has also developed an anti-IDS Web scanning tool called Whisker that hackers use to ferret out their prey.

Most hackers working in security are either reformed black-hat hackers or people who never dirtied their hats beyond grey. That is, they may have cracked systems but didn't cause destruction or steal data. Or at least they did not get caught doing it.

Hackers with a criminal record or who admit to still hacking are rarely trusted with a job these days, although, incredibly, at one time they were.

The hiring of the latter type of hackers in the US has, thankfully, fallen out of fashion, says Giga analyst Steve Hunt. "You can hire someone who is an expert at defending resources or who is an expert at violating them. They both have the same fundamental skills. But just one has a professional ethic and a legacy of honour and service."

The risks of hiring a known hacker are obvious. But you face the same risks with any disgruntled employee or with a closet hacker who does a little unauthorised sleuthing through your system.

Companies that claim to oppose hiring hackers are probably unwittingly hiring them, says William Knowles, editor of security news list InfoSec, who notes that today's hackers have little to distinguish them from traditional security administrators.

"A few years ago at Def Con I saw a lot of familiar faces in the hacking crowd, but I didn't know why they were familiar. Then I realised they were the same faces I'd seen at security conferences. Companies have been hiring hackers for years, they just don't realise it," he says.

Mario Duarte, a former administrator of the now-defunct Zuma, a San Francisco-based host for e-commerce sites, considered himself brilliant for hiring Optyx a few years back.

Optyx was a skinny, 19-year-old hacker with blue hair and ties to Cult of the Dead Cow, makers of a Trojan horse called Back Orifice.

Duarte says Optyx was invaluable for showing him holes in Zuma's systems that he was sure didn't exist.

But he had sleepless nights over the next couple of months, wondering if the hacker would turn on him.

As it happened, it was another hacker hired by Duarte at Optyx's request who proved a liability when a bad attitude and personal problems made it clear the teen didn't belong in a corporate environment.

But how do you fire a hacker? Pretty easily, it turned out. Optyx, who took pride in Zuma's servers as his personal domain, made it clear to his departing friend the possible consequences of seeking revenge: "Don't even think about it, dude. I'll hunt you down and kill you."
**************************
Broadband Networking Regulatory News
Senator McCain Introduces Broadband Deregulation Bill
Senator John McCain (R, AZ) proposed a new Consumer Broadband Deregulation Act of 2002 (S.2863) that would deregulate the retail provision of residential broadband services and dictate a hands-off approach to the deployment of new facilities by telephone companies while maintaining competitors' access to legacy systems. The senator said the proposed legislation would put the federal government in the role of stimulator, rather than regulator, of broadband services. The bill would also seek to ensure that local and state barriers to broadband deployment are removed, to facilitate wireless technology as a platform for broadband services, to encourage deployment of broadband services to rural and underserved communities, to ensure access to broadband services by people with disabilities, and to enhance the enforcement tools of the FCC.


Some highlights of McCain's Consumer Broadband Deregulation Act of 2002 (S.2863):

A consumer broadband service provider would not be required to provide Internet Service Provider access to its facilities or services for the purpose of offering a consumer broadband service, except where such access is already being provided. The exception would have a 5-year sunset, unless the FCC found that further continuance of ISP access were necessary to protect competition.
State and local governments would not be allowed to seek compensation from consumer broadband service providers for access to, or use of, public rights-of-way that exceeds direct and actual costs for access to and use of the rights-of-way.
Incumbent local exchange carriers would be required to provide any requesting telecommunications carrier with non-discriminatory access to unbundled network elements at any technically feasible point. But the duty to provide this access would not require the ILEC to provide access to a fiber loop or a fiber feeder sub-loop, unless the ILEC has removed or rendered useless the existing copper loop.
ILECs would not be required to provide collocation in a remote terminal.
FCC penalties would be substantially increased.
The federal government would promote broadband through e-government activities, including video streaming of public events, online education initiatives, access to public documents, etc.

Full text can be found online at: http://mccain.senate.gov/acrobat/rbroadbill.pdf
(Adobe Acrobat format, 17 pages)
***************************


Lillie Coney
Public Policy Coordinator
U.S. Association for Computing Machinery
Suite 510
2120 L Street, NW
Washington, D.C. 20037
202-478-6124
lillie.coney@xxxxxxx