
Clips August 23, 2002


ARTICLES

Growing Threat of Computers In, Poison Out [IT Recycling]
Secret Court Rebuffs Ashcroft
Plans to Computerize Personal Data Ignite Firestorm in Japan
She Wants P2P for the People [Berman Bill]
Group Suggests Its Workforce Rules
OPM will seek proposals to enhance USAJobs
Russian Coding Firm Back for More [DMCA]
Regional emergency system prepped
Feds doing elementary e-gov
Project to test digital watermarks [DRM]
Army picks firm for IT support
DOD gives biometrics a workout
Secret Service: Prevention, not arrests, is key to cybersecurity
Experts see ounce of prevention key to cyber cure
Denmark to push EU data-retention law
Microsoft Warns of Security Risks in Office, IE
FBI raids consulting firm that hacked into military computers
'Reply-all' button can be hazardous to your job
Spam crusaders slog it out in court
Setting a trap for laptop thieves
Unix group calls for more Open Source use in govt
Copy-proof CDs soon, claims Israeli company


******************************
New York Times
Growing Threat of Computers In, Poison Out
Near and far, scrap from electronics is an environmental problem.
By MARK MURRAY
Mark Murray is executive director of Californians Against Waste.

High-tech trade association lobbyists are working overtime in the California Legislature, seeking to add a perverse corollary to the famous "Moore's Law." The lobbyists' formula: Although computing power increases exponentially every 18 months, the technology we use to manage our discarded electronics retreats a couple of centuries in the same period.

In February, we saw tape and photos of Chinese laborers disassembling discarded U.S. computers and terminals with hammers (technology that goes back millenniums) and simple levers (even older). A report issued that month by the environmental groups Basel Action Network and Silicon Valley Toxics Network documented that toxic electronic scrap from the U.S. was being exported to developing countries such as China, India and Pakistan, where hundreds of thousands of laborers, working without protective gear or safety awareness, break down components by hand. The results? Drinking water supplies so badly polluted that water has to be trucked in from other regions and alarming reports of health problems, especially among children.

The picture in California is also grim, but legislation now being debated in the state Capitol could help. The electronics industry should get behind this effort instead of arguing for ineffective voluntary programs. Obsolete electronics, including microcomputers, are among the fastest-growing portions of our waste stream, increasing at almost three times the rate of the rest of our municipal garbage.

According to European governmental studies, this equipment contains a number of toxic substances. The glass in computer video and TV screens--the cathode ray tubes, or CRTs--contains lead to protect users from radiation dangers, according to the California Integrated Waste Management Board. Last year, the state Department of Health Services affirmed that CRTs contained hazardous levels of lead and banned their disposal in municipal and private solid-waste landfills.

The sheer volume of electronic scrap is threatening to overcome our existing waste management programs. Here in California, about 10,000 computers and TVs become obsolete every day. What happens when more of us get around to cleaning out our garages, closets and storage sheds?

We've seen the development of a sophisticated and effective system for recycling beverage cans and bottles, but the infrastructure for electronics waste remains weak, underfunded and inconsistent.

Some computer manufacturers, including IBM and Hewlett-Packard, have recently established voluntary "pay as you throw" programs for consumers, charging between $15 and $35, depending on the size of the unit. But the high cost, as well as low consumer awareness, has discouraged large-scale participation.

Some large markets, such as the European Union, have already begun to require that manufacturers take responsibility both for the design and long-term handling of their products. We must start doing a better job of that in the U.S.

Given how well computer marketers advertise the speed of new systems, and how well companies roll out new product, the failure to provide good information and support to consumers is inexcusable. It is reminiscent of another failed product stewardship effort--used tires. Some fly-by-night recyclers pocketed fees paid by well-meaning consumers, then stacked up the old tires and eventually abandoned them--leaving taxpayers to clean up the mess.

According to estimates from Californians Against Waste, our state's total cost of properly handling obsolete computers and TVs could be $75 million to $150 million annually. That's a steep cost, but we can't keep ignoring the problem. The high-tech industry should take steps to avoid inevitable--and justly deserved--blame by supporting legislation proposed by state Sen. Byron Sher (D-Stanford) that would establish a front-end fee to pay for easy-to-use collection programs at no further cost to consumers. A companion measure by Sen. Gloria Romero (D-Los Angeles) would set state goals to increase computer and other electronics waste recycling and consumer education measures.

Lobbyists from the Electronics Industry Assn. and other industry trade associations oppose Sher's measure, calling it a "tech tax." It is not. Industry groups also oppose Romero's timetable and standards for recycling programs while refusing to work in good faith with consumer groups and environmental advocates on national legislation.

The electronics industry should stop being the problem and start being part of the solution, or it will earn itself a reputation as a global environmental polluter of the worst order.
***********************
Washington Post
Secret Court Rebuffs Ashcroft
Justice Dept. Chided On Misinformation
By Dan Eggen and Susan Schmidt


The secretive federal court that approves spying on terror suspects in the United States has refused to give the Justice Department broad new powers, saying the government had misused the law and misled the court dozens of times, according to an extraordinary legal ruling released yesterday.

A May 17 opinion by the court that oversees the Foreign Intelligence Surveillance Act (FISA) alleges that Justice Department and FBI officials supplied erroneous information to the court in more than 75 applications for search warrants and wiretaps, including one signed by then-FBI Director Louis J. Freeh.

Authorities also improperly shared intelligence information with agents and prosecutors handling criminal cases in New York on at least four occasions, the judges said.

The department discovered the misrepresentations and reported them to the FISA court beginning in 2000.

Given such problems, the court found that new procedures proposed by Attorney General John D. Ashcroft in March would have given prosecutors too much control over counterintelligence investigations and would have effectively allowed the government to misuse intelligence information for criminal cases, according to the ruling.

The dispute between the Justice Department and the FISA court, which has raged behind closed doors until yesterday, strikes at the heart of Ashcroft's attempts since Sept. 11 to allow investigators in terrorism and espionage to share more information with criminal investigators.

Generally, the Justice Department must seek the FISA court's permission to give prosecutors of criminal cases any information gathered by the FBI in an intelligence investigation. Ashcroft had proposed that criminal-case prosecutors be given routine access to such intelligence information, and that they be allowed to direct intelligence investigations as well as criminal investigations.

The FISA court agreed with other proposed rule changes. But Ashcroft filed an appeal yesterday over the rejected procedures that would constitute the first formal challenge to the FISA court in its 23-year history, officials said.

"We believe the court's action unnecessarily narrowed the Patriot Act and limited our ability to fully utilize the authority Congress gave us," the Justice Department said in a statement.

The documents released yesterday also provide a rare glimpse into the workings of the almost entirely secret FISA court, composed of a rotating panel of federal judges from around the United States and, until yesterday, had never jointly approved the release of one of its opinions. Ironically, the Justice Department itself had opposed the release.

Stewart Baker, former general counsel of the National Security Agency, called the opinion "a public rebuke."

"The message is you need better quality control," Baker said. "The judges want to ensure they have information they can rely on implicitly."

A senior Justice Department official said that the FISA court has not curtailed any investigations that involved misrepresented or erroneous information, nor has any court suppressed evidence in any related criminal case. He said that many of the misrepresentations were simply repetitions of earlier errors, because wiretap warrants must be renewed every 90 days. The FISA court approves about 1,000 warrants a year.

Enacted in the wake of the domestic spying scandals of the Nixon era, the FISA statute created a secret process and secret court to review requests to wiretap phones and conduct searches aimed at spies, terrorists and other U.S. enemies.

FISA warrants have been primarily aimed at intelligence-gathering rather than investigating crimes. But Bush administration officials and many leading lawmakers have complained since Sept. 11 that such limits hampered the ability of officials to investigate suspected terrorists, including alleged hijacking conspirator Zacarias Moussaoui.

The law requires agents to be able to show probable cause that the subject of the search is an agent of a foreign government or terrorist group, and authorizes strict limits on distribution of information because the standards for obtaining FISA warrants are much lower than for traditional criminal warrants.

In Moussaoui's case, the FBI did not seek an FISA warrant to search his laptop computer and other belongings in the weeks prior to the Sept. 11 attacks because some officials believed that they could not adequately show the court Moussaoui's connection to a foreign terrorist group.

The USA Patriot Act, a set of anti-terrorism measures passed last fall, softened the standards for obtaining intelligence warrants, requiring that foreign intelligence be a significant, rather than primary, purpose of the investigation. The FISA court said in its ruling that the new law was not relevant to its decision.

Despite its rebuke, the court left the door open for a possible solution, noting that its decision was based on the existing FISA statute and that lawmakers were free to update the law if they wished.

Members of the Senate Judiciary Committee have indicated their willingness to enact such reforms but have complained about resistance from Ashcroft. Chairman Patrick J. Leahy (D-Vt.) said yesterday's release was a "ray of sunshine" compared to a "lack of cooperation" from the Bush administration.

Sen. Charles E. Grassley (R-Iowa), another committee member, said the legal opinion will "help us determine what's wrong with the FISA process, including what went wrong in the Zacarias Moussaoui case. The stakes couldn't be higher for our national security at home and abroad."

The ruling, signed by the court's previous chief, U.S. District Judge Royce C. Lamberth, was released by the new presiding judge, U.S. District Judge Colleen Kollar-Kotelly.

FBI and Justice Department officials have said that the fear of being rejected by the FISA court, complicated by disputes such as those revealed yesterday, has at times caused both FBI and Justice officials to take a cautious approach to intelligence warrants.

Until the current dispute, the FISA court had approved all but one application sought by the government since the court's inception. Civil libertarians claim that record shows that the court is a rubber stamp for the government; proponents of stronger law enforcement say the record reveals a timid bureaucracy only willing to seek warrants on sure winners.

The opinion itself -- and the court's unprecedented decision to release it -- suggest that relations between the court and officials at the Justice Department and the FBI have frayed badly.

FISA applications are voluminous documents, containing boilerplate language as well as details specific to each circumstance. The judges did not say the misrepresentations were intended to mislead the court, but said that in addition to erroneous statements, important facts have been omitted from some FISA applications.

In one case, the FISA judges were so angered by inaccuracies in affidavits submitted by FBI agent Michael Resnick that they barred him from ever appearing before the court, according to the ruling and government sources.

Referring to "the troubling number of inaccurate FBI affidavits in so many FISA applications," the court said in its opinion: "In virtually every instance, the government's misstatements and omissions in FISA applications and violations of the Court's orders involved information sharing and unauthorized disseminations to criminal investigators and prosecutors."

The judges were also clearly perturbed at a lack of answers about the problems from the Justice Department, which is still conducting an internal investigation into the lapses.

"How these misrepresentations occurred remains unexplained to the court," the opinion said.
**************************
Washington Post
Plans to Computerize Personal Data Ignite Firestorm in Japan
Citing Privacy, Municipalities Defy Effort
By Doug Struck


TOKYO -- The first stop for new residents of a Japanese neighborhood is the local government office, where they dutifully report their presence and give details of their family. Soon after, the police may stop by to politely ask again who is living there.

On moving out, they must again notify local authorities and get a report to take to the ward office of the next place they reside. This official tracking is accepted with equanimity by most Japanese, as is the requirement for an even more detailed "family registry" that lists everything from divorces to births, deaths and domicile.

So the government was surprised when a move to put some of this information on a computer network to streamline the process -- and to assign an 11-digit identification number to everyone -- erupted into a grass-roots revolt.

At least four local municipalities have defied the government and refused to be a part of the computer network that started earlier this month. Others have waffled, saying their residents' participation was voluntary.

Protesters, wonderfully decorated as bar codes, have taken to the streets. Public opinion polls show huge opposition to the system. And a nationally respected journalist has organized a league of influential Japanese to try to get it abolished.

"We didn't anticipate this," acknowledged an official of the Ministry of Public Management. "We really don't think the criticisms are justified."

The objections to the network and the national identification number would seem a bit quaint in other technologically advanced countries, where people long ago resigned themselves to the pervasiveness of computerized information.

It is even more surprising in Japan, whose residents are the first to admit they readily submit to dictates of authority.

"I am afraid the Japanese people will become more docile" in the face of government encroachments on their privacy, said Yoshiko Sakurai, the journalist who is leading a national movement against the network. "Our people tend to be much more quiet than your people."

Sakurai argues that giving every one of the 126 million Japanese an identification number will shackle "the freedom and independence of the spirit, and the energy that is produced by an independent spirit. Numbering people somehow suppresses this."

She also argues that the computerized network, coupled with the extensive personal information the government already collects, will make the nation and its people vulnerable to crime.

"Japan has quite a lot of money. It will become a very attractive target for criminal organizations and foreign governments by numbering everyone from politicians to technology experts and medical experts, and collecting the personal data under one number," she said. "It is like making all of us naked and putting all of us in a glass container."

Concerns about the safety of personal data are at the root of objections by the municipalities. Leaks could happen at the central government or any of the connected municipalities, they say. They argue that the late prime minister Keizo Obuchi promised in 1999 the network would be accompanied by tough privacy legislation outlawing misuse of the data. The government introduced a bill, but it was shelved this year.

"We think it is the central government that is breaking the law, not us," said Nobuo Hoshino, mayor of Kokubunji, a city in Tokyo's western suburbs that held a "disconnecting ceremony" to defy the law and cut the city's link to the network. "The law stipulates there will be legislation to protect personal privacy. When that law is in place, we will participate in the system."

The government's Ministry of Public Management argues it has met the requirements by introducing privacy legislation in parliament, and even if the measure is stalled, the network contains built-in safeguards.

"We don't see any privacy problem with this network," contended Tsuyoshi Takahara, head of the ministry's planning office for the network, called Juki Net. He said the opposition is much ado about nothing; the only information that would now be in the network is routine -- names, addresses, sex and age, all of which is already available to the public.

The system is intended to streamline the cumbersome paper records kept in 3,300 local offices by computerizing them in a nationwide network. It would eliminate the requirement that people who move visit their ward offices to get a physical "exit form" to take to their new locality.

"Everything is now done by exchanging papers. We are trying to make it more convenient," Takahara said.

But many people are suspicious that the long reach of the Japanese bureaucracy is at work and Juki Net will gradually grow. They fear it could become a giant record-keeping system with the ubiquity of U.S. social security numbers combined with Japan's personal records.

Polls show huge majorities are against the system. And while critics say they fear hackers and other criminals, one of their chief concerns is misuse of the data by their own government.

"The problem is, the people don't trust the government," said Hiroshi Yamada, the mayor of Suginami, another ward of Tokyo that has balked at participation in Juki Net.

"We've conducted a survey, and only 10 percent of the people want it," he said. "We've had several people move into Suginami" because of the ward's refusal to join the network.

There is plenty of grist for public suspicion of bureaucrats. In May, the Defense Agency admitted it had drawn up a list with names, backgrounds and political views of citizens who had asked for public information from the agency. Twenty-nine agency officials were punished. Last month, defense contractor Fujitsu said it had gotten a blackmail demand from men who had obtained personal information on military officers leaked from the company's computers.

And just as Juki Net started up, embarrassed officials in the city of Moriguchi in Osaka acknowledged they had sent personal information about 2,584 individuals to the wrong people.

"The Ministry of Public Management doesn't answer these concerns," said Mayor Yamada. "The minister keeps saying it's safe and they'll go ahead with it. That just fans the anxiety of people even more."
****************************
Wired News
She Wants P2P for the People


They're already calling her the Weblog Candidate.

Real estate agent Tara Sue Grubb is fed up with what she calls "individual rights sacrificed for big corporate politics." Grubb, 26, is running as a Libertarian candidate against North Carolina's Howard Coble, the 71-year-old Republican congressman whose public opposition to P2P file-sharing networks has made him the target of an online backlash.

Even her own party says Grubb's chances of winning are slim. Yet political pundits cite her online popularity as proof of techies' growing involvement in government, rather than their dismissal of it.

"This is historical because it's not happening in the lab, it's happening in the field. This lady is getting money right now," said Ed Cone, a columnist for the News & Record, the major newspaper in Coble's district. "It's going to be replicated across the country."

Grubb's campaign -- and the national interest in her -- centers on Coble's support of a bill introduced by Rep. Howard Berman (D-Calif.) that would allow copyright holders to act against consumers' computers in order to remove or disable pirated materials.

Coble also signed a letter to Attorney General John Ashcroft urging him to act against P2P networks.

"I wouldn't call myself a one-issue candidate," Grubb said from her home in High Point, North Carolina. "But I'm tired of watching the government come in and throw their weight around."

Characterizing Coble's position as "It's OK to hack as long as you contribute to my campaign," Grubb added, "Howard's biggest supporters are in Hollywood. There's no Hollywood in North Carolina. I really don't have any clue what his concern is here."

Coble's concern -- and the donations to his coffers from Hollywood industry groups and lawyers -- centers around his role as chairman of the House Subcommittee on Courts, the Internet and Intellectual Property. As chairman, the 18-year congressman has overseen debates on matters ranging from the terms of rock stars' recording contracts to privacy issues with the whois database.

Coble's chief of staff, Ed McDonald, told Wired News that Coble and the subcommittee plan to hold hearings this fall with both proponents and critics of the Berman bill. "He'll be the first to tell you he does lean toward the copyright holder," McDonald said of his boss. "But it doesn't mean to the detriment of someone else's privacy issues."

"People are overreacting to hyperbole they're reading on the Internet," he added. "We support the broad concept of Mr. Berman's bill. That doesn't mean we're going to support it in its final form. The purpose of this bill is to protect copyrighted material. It's not to give Hollywood and the record companies carte blanche to go into someone's computer and look around and do what they want."

But News & Record columnist Cone also said McDonald recently told him that the congressman "wouldn't even know how to turn on the computer" -- a typical statement that exacerbates the feeling among digital rights advocates that Hollywood studios are dictating technology legislation to politicians who don't understand what they're dealing with.

"He's thumbing his nose at us," said Silicon Valley analyst and writer Hal Plotkin. "It's a wonderful example of how little we really matter. Imagine if someone was going to pass legislation on the auto industry and admitted he couldn't drive. Detroit would be all over him."

In contrast to Coble, Grubb won an instant fan club by setting up her own weblog this week. "I'm not a techie," she said. "I was looking at Ed Cone's weblog and some others, and they were saying, 'Well, what's keeping her from downloading [weblog editing software] radio?' So I did. It was the easiest thing in the world."

Still, it's unclear whether Grubb's candidacy will have any effect on Coble or P2P legislation. Libertarian Party press secretary George Goetz was realistic about her chances. "It's really tough even to get a seat in the state legislature," he said. "As far as third parties getting into Congress, I think you'd have to go back 80 years."

Aside from Grubb, Coble remains unopposed for re-election this fall. A spokesman for the North Carolina Democratic Party said the party doesn't recruit candidates. Aspiring contenders have reason to balk: Redistricting in the area has removed many traditionally Democratic neighborhoods from Coble's 6th congressional district.

Add to that the lack of a partisan base for digital rights crusaders. Coble is a Republican, but both Berman and Sen. Fritz Hollings, author of the controversial Consumer Broadband and Digital Television Promotion Act, are Democrats.

Besides, digital rights issues will eventually move from Coble's hands into those of the next subcommittee chair, which may make running against the man, rather than the issue, futile.

Plotkin, who has written frequently on what he sees as a lack of political effectiveness in the technology sector, thinks the geeks who decry Hollywood's donations to politicians should stop looking for clever hacks around the system and start making donations of their own.

"We don't show up at the fundraising events, and nobody's made a $100,000 contribution on this issue," he said. "Other people do that regularly on things like whether diapers should go into landfills. Where is Scott McNealy? Where is Steve Jobs? Where is anyone that has the juice to get things done? They're all busy looking out for their stock options."
*****************************
Washington Post
Homeland Dept. System Offered
Group Suggests Its Workforce Rules
By Bill Miller


A group of federal executives is urging the White House to use its pay and personnel system as a model for the proposed Department of Homeland Security, saying the rules now covering the Senior Executive Service would protect workers' rights while giving managers plenty of freedom to reward, discipline and move employees.

The Senior Executives Association, which represents the top rung of the government career ladder, said its proposal could resolve the dispute over how the projected 170,000-member workforce would be managed. President Bush has said the head of the department must have management flexibility, but union leaders and some lawmakers are resisting changes they say would erode civil service and union rights.

The department, proposed by Bush in June, would include all or parts of 22 federal agencies. All have their own personnel systems, and Bush has said that an overhaul is needed so the department can respond quickly to threats.

Under the White House's proposal, workers coming into the new department would keep their civil service rights, benefits and union membership for at least a year during a transition. Basic protections covering civil rights, equal employment opportunity guarantees and whistle-blowers would not be changed, officials said.

But after the transition period, the new secretary, working with the Office of Personnel Management, could make adjustments in the personnel system.

In a letter to Bush this week, the association said core civil service protections would remain in place if the new department adopted the Senior Executive Service's system. At the same time, the group said, managers would be able to reassign employees, adjust their pay levels, award bonuses and set "performance plans."

"We decided we needed to issue something that would be crystal clear and would hopefully provide a way out of this stalemate," said Carol A. Bonosaro, president of SEA, which represents about 6,000 top career employees.

The House passed a homeland security bill in July that would allow the White House to create a new civil service system for the department, affecting such areas as pay, job performance and labor-management relations. But a Senate version, which will be debated next month, would keep intact current civil service rights. The Senate bill also would make it more difficult for the president to remove workers from unions for national security reasons; Bush has threatened to veto such a bill.

Bonosaro said adopting the rules covering current government executives would remove much of the uncertainty now facing federal employees.

"When you have no idea of what's coming down the pike, it's not too hard to be skeptical about it," she said.

An official with the Office of Personnel Management said the association's proposal fails to give the White House enough leeway to restructure the bureaucracy. The House bill remains the best approach, the official maintained.

Jacqueline Simon, public policy director of the American Federation of Government Employees, said the association's suggestions were a helpful starting point. But she and other union leaders said that many details remain to be worked out.

"Maybe this will get the conversation going in a way that hasn't happened yet," said Colleen M. Kelley, president of the National Treasury Employees Union.
***************************
Government Computer News
OPM will seek proposals to enhance USAJobs
By Jason Miller


The Office of Personnel Management in early September will release a request for proposals for a commercial system to enhance its USAJobs.opm.gov portal.

OPM wants to outsource the day-to-day operations and maintenance of the system, said an agency spokesman. Improving USAJobs is part of the E-Recruitment e-government initiative the agency is managing (www.gcn.com/21_17/inbrief/19170-1.html).

The RFP follows a request for information OPM issued in June for the online federal job site. The RFI asked vendors to streamline how users find vacancies, enhance online resume submission and allow applicants to track the status of their resumes through the entire hiring process.

The agency in late September also plans to announce the two or three agency federal payroll systems that will consolidate 18 disparate systems, the spokesman said. OPM in May issued a request for responses to agencies as a part of the E-Payroll e-government project it also is managing.
***********************
Wired News
Russian Coding Firm Back for More


You would think that the owners and programmers of Moscow software company ElcomSoft would want to stay as far away from electronic books as possible.

After all, it was an ElcomSoft application for Adobe eBooks that enmeshed the company in a lengthy, international legal battle that catapulted a programmer named Dmitry Sklyarov into worldwide prominence and, ElcomSoft owners say, proceeded to drain the company's financial and emotional resources.

But despite the courthouse angst, ElcomSoft plans to continue to market exactly the sorts of products that led to their entanglement with the U.S. legal system.

"We have serious plans for the eBook market," Vladimir Katalov, managing director of ElcomSoft, says. "All perfectly legal, of course."

At least, Katalov hopes the new software his company intends to offer for Adobe and Microsoft eBooks is legal. He said no one at Adobe or Microsoft will discuss it with him.

"We tried to contact Microsoft ... describing the software we're going to release, and asking what do they think about that.... Will that violate any Microsoft patents, copyrights, licenses or whatever," Katalov said. "(Microsoft) responded that, 'Microsoft's legal department does not give advice to third parties.'"

Microsoft did not respond to requests for comment.

Much the same situation exists with Adobe, Katalov said.

"Even if they do have problems (with the products), they have not informed us," he said.

Katalov said without guidance, it's difficult to know which ElcomSoft products might be illegal in other countries. The application that launched ElcomSoft's legal battle, the "Advanced eBook Processor" for Adobe eBooks, is indeed perfectly legal in Russia.

Software users are entitled by Russian law to make backup copies of software and electronic documents, exactly what the eBook processor allows owners of Adobe eBooks to do. But since doing that also involves tinkering with electronic copyright restrictions, the eBook processor is forbidden under the U.S. Digital Millennium Copyright Act.

Sklyarov, one of the Advanced eBook Processor's programmers, was arrested and jailed on DMCA charges after attending a U.S. computer security conference on July 16, 2001. Charges against Sklyarov were later dropped, but ElcomSoft still faces criminal charges.

The company was notified on Tuesday that the trial date, which had been set for Monday in San Jose, California, has been re-scheduled for Oct. 21, due to a conflict in U.S. District Court Judge Ronald Whyte's calendar.

"The problem is that (ElcomSoft) develops products that could be put to illegal use," explained Manhattan Criminal Attorney Edward Hayes. "But the programs also have valid legal uses. It's difficult to fault a company for what a product's user does with it. A knife can be used to cut your dinner or stab your date."

Apart from its eBook products, ElcomSoft also offers two dozen or so password recovery programs that can comb through various applications and reveal passwords and users' login names.

ElcomSoft's Advanced Outlook Express Password Recovery can be used to recover logins and passwords for Microsoft Outlook Express users' e-mail and newsgroup accounts.

The Advanced Internet Explorer Password Recovery application can retrieve users' website passwords and login names, and any personal information they may have entered onto website forms.

Katalov said ElcomSoft recently added a key-search attack feature to its Advanced PDF Password Recovery Pro, an application that can remove password-enabled restrictions from Adobe Acrobat PDF files.

The attack feature can be used to quickly discover user passwords, which are the passwords that prevent others from opening a PDF document at all.

PDF owner (or master) passwords do not affect a user's ability to open and view a PDF file, but they can prevent a user from editing the file, printing it, or selecting text and graphics and copying them to the clipboard, among other restrictions.

"Fortunately, there is no need to discover that password at all. Instead, our software can just remove it (decrypt the file), so the resulting document will not have any restrictions," Katalov said.
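The distinction the article draws, between a user (open) password and owner-password restrictions that a viewer merely honours, is worth checking on one's own documents before relying on either. The script below is an added illustration, not ElcomSoft's or Adobe's code: it locates the standard-security dictionary in a classic (revision 2 or 3) encrypted PDF, decodes the /P permission bits as laid out in the PDF specification, and reports what the settings do and do not guarantee. The sample PDF and its /O and /U values are constructed for the example.

```python
"""Audit what a PDF's standard-security settings actually protect.

Added illustration, not ElcomSoft's or Adobe's code. Only the standard
library is used. The /P permission-bit layout, /R revision and /Length
fields follow the PDF standard-security handler; the sample PDF below is
constructed for this example and its /O and /U values are dummies.
"""
import re
from typing import Optional

# Permission bits of the /P entry, 1-indexed as in the PDF specification.
PERMISSION_BITS = {
    3: "print",
    4: "modify",
    5: "copy",
    6: "annotate",
    9: "fill_forms",
    10: "extract_for_accessibility",
    11: "assemble",
    12: "print_high_quality",
}

# Constructed sample: owner-password restrictions only (/P -3904 clears every
# permission bit), 128-bit key, revision 3. The hex strings are dummies.
SAMPLE_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj\n"
    b"3 0 obj << /Filter /Standard /V 2 /R 3 /Length 128 /P -3904\n"
    b"   /O <00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff>\n"
    b"   /U <ffeeddccbbaa99887766554433221100ffeeddccbbaa99887766554433221100> >> endobj\n"
    b"trailer << /Root 1 0 R /Encrypt 3 0 R /ID [<01><01>] >>\n"
    b"%%EOF\n"
)


def decode_permissions(p_value: int) -> dict:
    """Map the signed 32-bit /P integer to the permissions it grants."""
    bits = p_value & 0xFFFFFFFF  # view the (usually negative) value as unsigned
    return {name: bool((bits >> (pos - 1)) & 1) for pos, name in PERMISSION_BITS.items()}


def parse_standard_security(pdf: bytes) -> Optional[dict]:
    """Return the standard-security parameters of a classic (R2/R3) encrypted PDF.

    None means no /Filter /Standard dictionary was found, i.e. the file is not
    encrypted. The enclosing dictionary is found by scanning back to the nearest
    '<<' and forward to the nearest '>>' (hex strings never contain '>>').
    """
    m = re.search(rb"/Filter\s*/Standard", pdf)
    if not m:
        return None
    start = pdf.rfind(b"<<", 0, m.start())
    end = pdf.find(b">>", m.end())
    body = pdf[start + 2:end]

    def int_entry(key: bytes, default: int) -> int:
        mm = re.search(rb"/" + key + rb"\s+(-?\d+)", body)
        return int(mm.group(1)) if mm else default

    p_value = int_entry(b"P", -1)
    return {
        "revision": int_entry(b"R", 2),
        "key_length": int_entry(b"Length", 40),  # in bits; 40 when absent
        "p_value": p_value,
        "permissions": decode_permissions(p_value),
    }


def assess(params: Optional[dict]) -> list:
    """State, from a defender's view, what the settings do and do not guarantee."""
    if params is None:
        return ["unencrypted: no confidentiality and no restrictions"]
    denied = [name for name, ok in params["permissions"].items() if not ok]
    notes = []
    if denied:
        notes.append(
            "owner-password restrictions (" + ", ".join(denied) + ") are flags "
            "a viewer may honour; the file itself does not enforce them"
        )
    if params["key_length"] <= 40:
        notes.append("40-bit key: far below current strength expectations")
    notes.append("confidentiality, if any, rests solely on the user (open) password")
    return notes


if __name__ == "__main__":
    found = parse_standard_security(SAMPLE_PDF)
    print(found)
    for line in assess(found):
        print("-", line)
```

Run on a real file, the same check tells you whether a document that "cannot be printed or copied" is actually protected by anything more than a flag the viewer chooses to respect.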

Adobe spokeswoman Layla McHale responded to a request for comment with a statement outlining Adobe's "official position."

"Security is an ongoing effort at Adobe. We are committed to strengthening the security of our products by using sophisticated, industry-standard levels of software encryption. We also continue to work with the software community, including 'White Hat' security experts.... However, no software is 100-percent secure from determined hackers."

Katalov said ElcomSoft's products are not hacking tools, but provide features that users need or want. The password recovery programs are used in legal investigations and to recover passwords and user names that have been forgotten or are inaccessible by other means - as in the case of employees who may be on medical leave, quit or were laid off.

Despite the ongoing legal issues, Katalov said that for the most part, it's been business as usual at ElcomSoft.

"We have lost some corporate customers, but got a few more 'home' ones, so the total sales are about the same as a year ago -- maybe just a bit better," he said. "But our legal expenses, of course, are very high, and so we had to cut our investments into research and development."

He also regretted that nagging legal concerns have put some constraints on the sorts of deep code explorations of other companies' products that could lead to interesting new ElcomSoft applications.

"But there's nothing we can do about that -- at least for now," he said.
**************************
Federal Computer Week
Letter to the editor
Angered over personnel system

I have been working for the past eight years as an information systems manager, including the past five working for the federal government. I was recruited for civilian service right out of college and into a position helping to manage a multidomain Air Force information infrastructure.

The Air Force personnel system chose to classify my job as an electronics engineer series (GS-0855). Since that time, I have taken and passed several certification exams all on my own dime. I am currently a Microsoft Certified Systems Engineer and a Cisco Certified Network Associate.

This year, I was shocked and angered when the Air Force personnel system stated that I was not qualified for an information systems job series (GS-2210) because I lacked the one year experience at the lower grade level.

Basically, because I don't have a number in my career brief, I am not qualified to do a job I have been doing for eight years. Because of this fact, I cannot get anyone in the personnel center to look at my qualifications. I was hired because of my qualifications stated on my résumé. Now that I am part of the system, my résumé will only be looked at if the numbers in my career brief match the numbers of the job I am seeking.

I find this kind of hiring practice ludicrous. I wonder how many other qualified civilians have been screwed out of a job because a number was not in their career brief?

The Air Force personnel systems should be scrapped. If a person is qualified for a job, you won't find out by looking at numbers. You will find out by looking at the qualifications posted on a resume.

Robert Cameron
Electronics engineer
*****************************
Federal Computer Week
Regional emergency system prepped

Police, fire, ambulance, and transportation officials from Maryland, Virginia and Washington, D.C. are closer to developing an interoperable and real-time wireless data communications system.

IBM Corp. announced on Aug. 22 that it has been chosen as the systems integrator for the $20 million Capital Wireless Integrated Network (CapWIN) project.

CapWIN, which spun off from a Transportation Department project about two years ago, will provide a communications bridge for emergency responders across jurisdictions to effectively respond to daily incidents as well as events such as last year's terrorist attack on the Pentagon.

An estimated 40 state, local and federal agencies will communicate with each other via the network using laptops, personal digital assistants and other devices.

Sponsors of the project (www.capwin.org), which is managed by the University of Maryland's Center for Advanced Transportation Technology, include the National Institute of Justice and the Public Safety Wireless Network. An executive committee composed of local, state, and federal officials governs the project.

"CapWIN is revolutionary thinking," said Fred Davis, CapWIN's deputy program director. "People have got to change the way they do business. The days of 'this is my turf and you can't play,' well, those days are over."

The open-architecture system will be built using commercial, off-the-shelf technology that has been already developed, Davis said. IBM has a number of subcontractors - including Templar Corp., PB Farradyne Inc., TeleCommunications Systems and PelicanMobile Computers Inc. - to help with implementation, which will occur in several phases. The system will interface with existing disparate legacy systems.

By February, Davis said mobile computing capability would be provided to those agencies that don't have such systems and interfaces will be developed for transportation centers in Maryland and Virginia that collect traffic information useful to officials.

In addition, disparate mobile systems will be connected among agencies. Databases maintained by different agencies will be linked and only appropriate information will be shared, Davis said. For example, transportation officials would not have access to criminal databases.

Eventually, the project will provide Web-based incident command systems for first responders to effectively manage and deploy personnel and equipment at an emergency. When the system is fully developed, it will be easier for transportation and other emergency officials to redirect traffic in case of an overturned truck, for example, he said.

Although agencies from across jurisdictions will have to sign memorandums of understanding, Davis doesn't anticipate a problem. "The basic fundamental concept of CapWIN is partnerships," he said. "If we don't have partnerships we can't move forward."
***************************
Federal Computer Week
Feds doing elementary e-gov


A survey of federal government Web sites revealed that most agencies still offer little more than the most basic elements of electronic government. More complex features, such as interactive forms and e-commerce applications, remain relatively scarce.

The San Francisco State University survey showed that 87 percent of federal Web sites still fail to meet accessibility standards, even though those standards have been required by law for the past 14 months.

Professor Genie Stowers studied 148 federal agency Web sites and discovered that most offered basic information and documents, and elementary services such as employment information. But only about half offered such useful items as downloadable forms, and even fewer still offered interactive forms and interactive databases. Only 12.8 percent offered e-commerce applications and only 8.8 percent offered direct links to e-government services.

Stowers, a professor of public administration and associate dean at San Francisco State, studied federal Web sites between January and April for the PricewaterhouseCoopers Endowment for the Business of Government.

A key finding, she said, is that many government Web sites do a poor job of making information and services readily available to those who are least familiar with government agencies.

Too many federal Web sites are "designed so that only those who really understand government and how it works can successfully navigate them," she said in a 44-page report, "The State of Federal Web Sites: The Pursuit of Excellence," released Aug. 21.

The prevalence of poor design creates a whole new digital divide, she said. To bridge it, agencies must design Web sites that are easier to use.

"Federal Web sites have enormous audiences and the potential for significant impact," Stowers said. "It is crucial that federal Web managers develop and implement sites that are user-friendly as well as stocked with useful information."

In general, federal Web sites should offer more features to help users, Stowers said. Although most sites include a search function, and about half offer a site map, only a third offered answers to frequently asked questions, only 31 percent asked for user feedback, 27 percent offered a "help" feature and 25 percent offered a site index, Stowers discovered.

Stowers did single out a few federal Web sites as examples of excellence. Her top five are:

* The U.S. Patent and Trademark Office (www.uspto.gov), which she said "provides a vast amount of useful content and a comprehensive set of aids to the user." The site offers several means of finding information and offers help with key subjects such as how to apply for a patent. It offers access to a number of searchable databases of patents and trademarks. However, it flunks the accessibility test, meaning it is not fully usable by people with disabilities such as blindness.

* The Department of Health and Human Services (www.hhs.gov) wins praise for providing "enormous amounts of information and types of services for many types of users." For example, the department offers fact sheets on subjects ranging from aging and mad cow disease to genetic testing and teen pregnancy, Stowers said.

* The Education Department site (www.ed.gov) ranked high for the plethora of services it offers from applications for financial aid to information arranged for various audiences. But the site lost points for opening with a "splash page in a somewhat confusing format."

* The Treasury Department (www.treas.gov) scored points for e-commerce services such as savings bond and other investment sales, and souvenirs such as "$1 Texas Lone Star notes" and "$1 Year of the Horse notes." The site scores for "all kinds of forms" that can be downloaded and automatic e-mail notification of law enforcement actions, interest rate statistics and policy papers.

* The Navy Web site (www.navy.mil) "is a gateway to considerable content" and offers valuable navigation tools, Stowers said. A part of the site devoted to information on housing, legal assistance, pay and benefits is "very useful for military personnel and their families," she said.

In addition to the top five, Stowers also cited the federal Web portal, FirstGov for its "thoughtful and effective design and content." The portal is intended to serve as a guide to government information and services.
************************
Federal Computer Week
Project to test digital watermarks


The Air Force Research Laboratory (AFRL) Information Directorate announced this week that it has selected Digimarc Corp. to collaborate on a research and development project using digital watermarking to combat fraud and enhance security.

Digital watermarking ensures the security and authenticity of digital photographs by embedding an encrypted image over the photograph, similar to the watermarks used on the redesigned $20, $50 and $100 bills.

The project will explore the use of digital watermarking as a security feature for identifying fraudulent or altered identity documents, said Bruce Davis, chairman and chief executive officer of Digimarc. The contract was awarded last week and is supported by the Air Force's research and development funding, but the Tualatin, Ore.-based company would not provide further financial details.

In cooperation with AFRL, Digimarc will produce sample identification cards and deploy them as part of a security access system at a law enforcement assessment facility in Rome, N.Y., where the AFRL Information Directorate is located. The facility is visited by military, federal government and law enforcement representatives from across the nation. Digital watermarking will be used on the cards to combat fraud and enhance security, according to a spokesperson for the company.

Raymond Urtz, director of the AFRL Information Directorate, said there are "broad implications for addressing the problem of document counterfeiting and forgery through digital watermarking technology," and the AFRL is looking forward to collaborating with Digimarc on the research project. Rep. Sherwood Boehlert (R-N.Y.), chairman of the House Science Committee, said he was excited that a portion of the $4.5 million Information Authentication/Digital Watermarking research and development project that he helped secure for Rome last year contributed to the formation of the partnership. The combined talents and expertise of the AFRL and Digimarc "is great news for homeland security and for future information assurance R&D efforts in central New York," Boehlert said.
**************************
Federal Computer Week
Army picks firm for IT support


The Army Test and Evaluation Command (ATEC) announced this week that it has selected STG Inc. to provide information technology support services at three U.S. locations.

Under terms of the contract, which was awarded Aug. 9, STG will operate, maintain and enhance the enterprisewide IT infrastructure that supports ATEC in carrying out its mission of testing, experimentation and evaluation. The award, a seven-year task order valued at $53 million, was issued under the Commerce Department Information Technology Solutions contract.

ATEC is responsible for ensuring equipment and systems used by the Army meet standards and safety requirements. The command plans, conducts and integrates developmental testing, independent operational testing, independent evaluations, assessments, simulations and experiments to provide information to decision-makers.

STG's four focus areas are customer support, enterprise network management, IT logistics and administrative services.

The Fairfax, Va.-based company has begun providing those services at ATEC's headquarters in Alexandria, Va.; the Army Evaluation Command's location in Aberdeen, Md.; and the Operational Test Command headquarters in West Fort Hood, Texas, according to an STG spokesperson.
***************************
Federal Computer Week
DOD gives biometrics a workout


The Defense Department Biometrics Management Office (BMO) is in the middle of a three-phase "quick look" project using iris scan technology to gain access to the Pentagon Athletic Club.

The first phase involved educating the athletic club's staff about iris scan technology via a demonstration. The second phase, which began July 23, involves one month of enrolling members into Iridian Technologies Inc.'s IrisAccess 2200, said Maj. Steve Ferrell, executive officer for the Biometrics Fusion Center, the testing and evaluation facility for the BMO.

The quick-look projects involve testing and evaluating commercial, off-the-shelf biometric products for a specific DOD security access requirement. If the testing determines that the product satisfies the requirement and if resources are available, the tool can undergo more aggressive testing as a Biometrics Fusion Center pilot project. The pilot determines whether the product will be deployed at a service, agency or command.

Enrollment for the Pentagon project is voluntary and involves capturing data from the member's identification card and iris, Ferrell said.

"It takes no more than 2 minutes to enroll and verify a new user, which includes downloading the new template to the server," Ferrell said in an e-mail message. The enrollee can then gain access to the athletic club with the iris scan and a member ID card. The goal of the project is to eliminate the member ID-based system and move secure access procedures to biometric technology.

The IrisAccess system detects an individual approaching the imager. Once the person's eye is 3 to 10 inches from the mirror in the unit, a camera captures an iris image, which is digitally processed into a 512-byte IrisCode template, according to officials from the Moorestown, N.J.-based company.

A search function performs real-time database matching at the remote unit. When an iris matches a valid IrisCode template in the database, access is granted almost instantaneously. Moving from member IDs to the iris scan system will enable not only secure access to the facility for members but also "promote convenience for them since they will not have to carry anything on their person," said Linda Dean, director of the BMO, adding that it also aids the Pentagon staff in verifying the identity of people attempting to gain access.
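The two paragraphs above describe the capture and matching steps without saying how a 512-byte template is compared against the enrolled database. The following is an added toy implementation of that 1:N search, not Iridian's IrisAccess code; it assumes, as published iris-code matching does, that templates are compared by fractional Hamming distance under a validity mask and accepted below a threshold. The 4,096-bit template size follows the article; the threshold, the enrolled templates and the simulated recaptures are constructed for the example.

```python
"""Toy 1:N iris-template matching, written as a defender-side illustration.

Added example; this is not Iridian's IrisAccess code and the article does not
describe the matching algorithm. Assumed here: each template is 512 bytes
(4096 bits) as the article states, templates are compared by fractional
Hamming distance over the bits a mask marks as valid (bits hidden by eyelids
or reflections are masked out), and a distance at or below THRESHOLD counts
as the same iris. The threshold value and all templates are constructed.
"""
import random
from typing import Optional, Tuple

TEMPLATE_BYTES = 512
THRESHOLD = 0.32  # assumed acceptance threshold on fractional Hamming distance


def make_template(seed: int) -> bytes:
    """Constructed stand-in for an IrisCode: pseudo-random bits from a seed."""
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(TEMPLATE_BYTES))


def recapture(template: bytes, flip_fraction: float, seed: int) -> bytes:
    """Simulate a fresh capture of the same iris by flipping a fraction of bits."""
    rng = random.Random(seed)
    out = bytearray(template)
    n_bits = TEMPLATE_BYTES * 8
    for _ in range(int(n_bits * flip_fraction)):
        i = rng.randrange(n_bits)
        out[i // 8] ^= 1 << (i % 8)
    return bytes(out)


def hamming_distance(a: bytes, b: bytes, mask: bytes) -> float:
    """Fraction of valid (masked-in) bits on which the two templates disagree.

    A mask with no valid bits yields 1.0, i.e. a guaranteed non-match, so an
    unusable capture can never be accepted by accident.
    """
    valid = 0
    diff = 0
    for x, y, m in zip(a, b, mask):
        valid += bin(m).count("1")
        diff += bin((x ^ y) & m).count("1")
    return diff / valid if valid else 1.0


def identify(probe: bytes, mask: bytes, enrolled: dict) -> Tuple[Optional[str], float]:
    """1:N search: (member_id, distance) of the closest enrolled template if it
    passes THRESHOLD, otherwise (None, distance)."""
    best_id: Optional[str] = None
    best_d = 1.0
    for member_id, tpl in enrolled.items():
        d = hamming_distance(probe, tpl, mask)
        if d < best_d:
            best_id, best_d = member_id, d
    if best_d <= THRESHOLD:
        return best_id, best_d
    return None, best_d


def build_demo_db() -> dict:
    """Constructed enrollment database keyed by a made-up member ID."""
    return {"M1001": make_template(1), "M1002": make_template(2)}


ALL_VALID = bytes([0xFF] * TEMPLATE_BYTES)  # mask: every bit usable
NO_VALID = bytes(TEMPLATE_BYTES)             # mask: nothing usable (bad capture)


if __name__ == "__main__":
    db = build_demo_db()
    genuine = recapture(db["M1001"], 0.10, seed=7)   # same iris, 10% bit noise
    impostor = make_template(99)                     # unenrolled iris
    print("genuine :", identify(genuine, ALL_VALID, db))
    print("impostor:", identify(impostor, ALL_VALID, db))
    print("bad mask:", identify(genuine, NO_VALID, db))
```

Two design points carry over to any real deployment of this kind: the threshold sets the trade-off between false rejects (a member whose recapture is noisy) and false accepts (an unenrolled iris landing under the line), and a capture that leaves no valid bits must fail closed rather than match whichever template happens to be compared first.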

The project has 100 enrollees with more people being enrolled daily, which is promising because the Pentagon Athletic Club has about 8,000 members, according to Ferrell.

The third phase of the quick look is scheduled to begin Aug. 30 and will involve using IrisAccess 2000 as the sole tool for access into the athletic club. The cost of the project is "restricted data," Ferrell said.

Feedback has been positive. "The members can't wait to not have to use their ID card when they are running," he said.
***************************
Federal Computer Week
Letter to the editor
Laptop theft alarming


I found considerable information of interest in the article on laptops gone missing from the Justice Department ["Laptops lost, stolen at Justice," FCW, Aug. 12]. One of my laptop computers was stolen from a hotel room while I was on business travel in Europe a few years ago.

I noted in the article that, except for bar codes and scanners, the two lists of proposals to alleviate the problem contain no technological solutions. I know there are several such solutions.

It occurred to me several years ago that there must be a simple deterrent to the casual or opportunistic laptop thief. For that reason, I patented, through my company, a motion-sensor alarm built into laptops that is set and reset by a combination on an external keypad. ("Portable Computer with Integrated Alarm System," U.S. Patent No. 5760690 issued on June 2, 1998.) To my knowledge, no one has yet produced one. Maybe the time has come.

PS: I'd like to tell you that my laptop was stolen before the patent was issued, but such was not the case. It would have made an interesting headline: "Holder of U.S. patent for laptop alarms has laptop stolen."

Roger Allan French

Former security program office manager
Digital Equipment Corp./Compaq Computer Corp.
Londonderry, N.H.
****************************
Government Computer News
Secret Service: Prevention, not arrests, is key to cybersecurity
By William Jackson

In its efforts to combat cybercrime, the Secret Service is learning from law enforcement mistakes made in the war on drugs.

"Enforcement controlled the agenda, and prevention was a small part of it," said Special Agent John Frazzini, who is helping to organize a nationwide electronic crimes task force.

That approach did not work very well against drugs and will not work against hackers, Frazzini said during a panel discussion on cyberterrorism at the Sector5 cybersecurity conference in Washington.

"We're not going to arrest our way to security," he said. "The concept of the task force is analogous to the neighborhood watch program," in which members of a community look out for each other to prevent crime. So the Secret Service is moving from a posture of secrecy toward one of public engagement.

The national task force was mandated by the U.S. Patriot Act and is based on the New York Electronic Crimes Task Force, a multiagency effort in which the Secret Service is a leading participant. A similar task force has been set up in Washington.

The consensus of the panel of government, industry and academic experts was that cooperation and information exchange, both within and between organizations, is key to protecting networks and systems. Technology cannot keep up with the task of finding and fixing new vulnerabilities in hardware and software.

"Security is getting worse faster than it can ever be fixed," said Jeff Moss, a self-described hacker and now chief executive officer of Black Hat Inc. of Seattle, which organizes cybersecurity training sessions and conferences. "Now we have to figure out how to live with it."

But the future is not necessarily bleak, Moss said. "It's been this way for 10 years, and we're still here."
****************************
Government Executive
Experts see ounce of prevention key to cyber cure
By Maureen Sirhal, National Journal's Technology Daily


The increasing number of attacks on business computer networks means that organizations and government agencies should change their cybersecurity mindset to one of prevention, a panel of experts warned Thursday.

"Security is getting worse faster than it will ever be fixed," said Jeff Moss, the CEO of Black Hat, a Seattle-based cybersecurity training firm. "That fundamental view isn't going away."

But Moss and other panelists, speaking before a cybersecurity conference in Washington, noted that while there may never be a silver bullet for information security, organizations can reduce cyber risks by creating a mindset of prevention.

Security firm Riptech estimates that over the last six months, organizations have suffered from more than 180,000 cyberattacks. "The data do not speak well," Georgetown University information security professor Dorothy Denning said. But "98 percent of those attacks could have been prevented. There is a lot of room for improvement ... given the right incentives and tools."


John Frazzini, a special agent with the U.S. Secret Service, described how the agency's Electronic Crimes Task Force, which focuses on cyber crimes and terrorism, is promoting prevention as a means of reducing the risks.


He compared the approach that most organizations take to cybersecurity with the government's efforts to curtail drug trafficking. Over time, Frazzini said, those efforts have shifted from enforcement to prevention in order to reduce the demand for drugs. The challenge of cybersecurity is similar, he said.

"It is really a matter of creating an environment where prevention is the hallmark of what we do," he added.

The key to prevention is monitoring change, and sharing key information, such as "best practices" in cybersecurity, said Saul Wilen, CEO of the San Antonio, Texas-based consulting firm International Horizons Unlimited. The biggest problem, he noted, is that organizations and government groups do not effectively communicate their approaches to business and security. The business plan has become isolated from the security plan, Wilen said. "It's almost like the two will never meet."

But Frazzini also suggested that domestic hackers demonstrate unpatriotic and even criminal behavior when they engage in activities that actually may be innocently intended.


"The issue of information security really can become an issue of national security ... depending on how you look at it," he said. "It's almost unpatriotic if you're in the U.S. and you're still causing damage to our networks."


Denning also said that training courses for responding to cyberattacks present a real problem by adding to the body of knowledge that could bolster hackers' skills. "It's something we absolutely have to pay attention to," she said.

But Wilen called the courses a "necessary risk." "We have more to lose by not engaging other people than by what we put on the Web," he said.
**************************
Computerworld
Denmark to push EU data-retention law


BRUSSELS -- Denmark, holder of the European Union's six-month rotating presidency, will try to push through a law that would force Internet and telecommunications service providers throughout the EU to store their customers' data traffic for more than a year.
The Danish initiative will be discussed at the committee level with 14 other EU members next month, a European Commission spokesman said. It comes less than three months after the EU passed a controversial data-protection law that opened the door for prolonged data retention.


In May, the European parliament passed a new data-protection law that allows EU states to force Internet service providers and telecommunications providers to retain data on their customers' online and phone activity beyond the one or two months this information is usually stored for billing purposes.

The Danish initiative would take this one step further by specifying that such data would have to be retained for a period of more than a year. The initiative was proposed to harmonize data-retention policies across the EU and to help fight international crimes such as terrorism, human trafficking and pedophilia, according to the EC spokesman. But to European online privacy advocates and telecommunications operators, the new initiative confirms their worst fears.

"The traffic data of the whole population of the EU -- and the countries joining -- is to be held on record. It is a move from targeted to potentially universal surveillance," said Tony Bunyan, an editor for the civil liberties group Statewatch.

When the directive on data protection for telecommunications was passed in May, Internet service providers warned that it would be followed by more draconian legislation that would enhance justice authorities' rights to snoop on e-mail and Internet users.

"This is the beginning, not the end of data retention," Joe McNamee, European affairs manager for industry group EuroISPA, said at the time.

"Now we know that all along they were intending to make it compulsory across Europe," said Bunyan in reaction to the latest legislative initiative.

Internet service providers and telecommunications operators fear being left to foot the bill for extended storage times for everyday traffic data and for the retrieval mechanisms needed to make this data accessible to the authorities.

The data to be retained if the new law is passed would include information identifying the source, destination and time of communication, as well as the personal details of the subscriber to any communications device.

Access to this information by law enforcement officials would require a warrant from a court.

Britain's Investigatory Powers Act allows law enforcement and intelligence agencies to access personal communications data without any court or executive warrant. This law may have to be softened to fit in with the proposed law, a commission spokesman said.
*******************************
Computerworld
Secret Service expands cybersecurity task forces


WASHINGTON -- Businesses in large cities across the U.S. soon will have a chance to send their IT specialists to quarterly government-sponsored meetings to compare notes with their peers on cybersecurity.
Companies need not worry that they might risk exposing secrets about their systems or about successful attacks against their systems, say members of the government organization facilitating the meetings. That organization is the U.S. Secret Service, and it prides itself on secrecy.


Nine Secret Service offices across the country, including those in Boston, Chicago, Los Angeles and Miami, are preparing to roll out their own Electronic Crimes Task Forces (ECTF), patterned on New York's, which has been in place for seven years, said Secret Service officials who participated in Sectors, a cyberterrorism conference in Washington, this week.

The task forces operating in New York and in Washington (see story) are designed to foster open discussions on security and to help companies tighten cybersecurity through cooperation with other companies, academics and government IT specialists, said Bob Weaver, the assistant special agent in charge of the task force in New York.

The task forces have worked so well that Congress mandated that they be set up in every major U.S. city under the Patriot Act, passed earlier this year in response to the Sept. 11 terrorist attacks, Weaver said. In addition, an appropriations bill now awaiting President Bush's signature includes $17 million in additional money for the Secret Service to fund the first set of new task forces.

The quarterly meetings held by the New York task force have brought together as many as 500 participants, and the Washington meetings have seen as many as 250, said Secret Service special agent Bryan Palma. Companies are encouraged to send no more than two representatives and to prepare for a general session that is open to reporters, Palma said.

"But when something has to be kept secret, we know how to do it," Palma said. "Our name proves we know how."

The task forces are the "only vehicle of their kind" in law enforcement, said special agent John Frazzini. He acknowledged that the business community might consider the Secret Service an unlikely partner in the struggle against cyberterrorism. But the task forces show that law enforcement is trying to do business differently by actively working with companies to prevent and prepare for cyberterrorism, he said. Frazzini views this as a change within the service that places more emphasis on education and prevention.
***************************
Washington Post
Microsoft Warns of Security Risks in Office, IE
Reuters
By Reed Stevenson


SEATTLE (Reuters) - Microsoft Corp. said on Thursday that "critical" security lapses in its Office software and Internet Explorer Web browser put tens of millions of users at risk of having their files read and altered by online attackers.

The world's No. 1 software maker said that an attacker, using e-mail or a Web page, could use Internet-related parts of Office to run programs, alter data and wipe out the hard drive, as well as view file and clipboard contents on a user's system.

Office is a software product that runs on Windows and is used to write documents and crunch numbers.

"Microsoft is committed to keeping customers' information safe, and is providing a patch that eliminates three vulnerabilities in Office Web Components," Microsoft Security Program Manager Christopher Budd said in an e-mail.

In addition, Microsoft reported vulnerabilities in the three latest versions of its dominant Internet Explorer browser software that allow infiltrators to read files.

Microsoft urged users to fix the glitches by downloading software patches from Microsoft's TechNet Web site (http://www.microsoft.com/technet).

"It's important that users get the patch," said Russ Cooper, head of security at TruSecure Corp., a computer security company, and editor of NTBugTraq.

"Typically with these types of issues it will be six to nine months until we see a massive attempt to start exploiting it," Cooper said, adding that a preemptive patch was critical.

Since Office is used by at least 100 million users, the risk of widespread attacks was significant, Cooper said.

The security warnings are the latest headaches for the Redmond, Washington-based software company.

Microsoft, shaken by break-ins to its system and vulnerabilities in its software, launched a "trustworthy computing" campaign earlier this year to improve the security of all of its software.

Since that initiative, which chairman Bill Gates said had cost the company $100 million so far this year, Microsoft has issued at least 30 security bulletins for flaws in its software.

Last week, security experts reported serious flaws in the Internet Explorer browser and a complementary encryption program that could expose credit card and other sensitive information of Internet users.

The Office-related programs vulnerable to attacks include Microsoft Office 2000, Office XP, Money 2002, Money 2003, Project 2002 as well as server software related to such client software, Microsoft said.

Microsoft said it is not aware of any specific security breaches or the amount of any potential damage that might have occurred due to vulnerabilities in its software.
*****************************
USA Today
FBI raids consulting firm that hacked into military computers


SAN DIEGO (AP) -- The FBI raided the offices of a consulting firm after a newspaper trumpeted the company's claims that it found security loopholes in U.S. military computers.


In demonstrating how easy it was to penetrate sensitive military computers, four-month-old ForensicTec Solutions may have violated federal law prohibiting unauthorized intrusions. The FBI raided the offices of the San Diego firm over the weekend.


ForensicTec said it identified 34 military sites where it said network security was easily compromised, including Army computers at Fort Hood, Texas; NASA's Ames Research Center in Northern California; and Navy facilities in Maryland and Virginia.

The company reportedly used free software to identify vulnerable computers and then peruse hundreds of confidential files containing military procedures, e-mail, Social Security numbers and financial data.

The company's president, Brett O'Keeffe, told The Washington Post that its goal was to call attention to the need for better security and "get some positive exposure" for the fledgling firm.

Hours after the claims were reported Friday in The Post, the FBI began searching the firm's offices.

A spokesman for ForensicTec did not immediately return a phone call Thursday from The Associated Press.

The FBI confirmed the search, but a spokesman declined to discuss the case. Army investigators also joined the investigation.

"Regardless of the stated intent, unauthorized entry into Army computer systems is a federal offense," said Marc Raimondi, spokesman for the Army Criminal Investigation Command in Virginia. "If there is an intrusion and we are notified or we detect it, then we launch a criminal investigation into the act."

Even though the raid may look to some like retribution, Mark Rasch, the Justice Department's former top computer crimes prosecutor, said ForensicTec stepped over the line.

"Just because you can break into Army computers doesn't mean you either should do it, have a right to do it, or can avoid criminal liability for doing it," Rasch said.

ForensicTec should have gotten permission from the Army before probing its computers, Rasch said.

"They thought they were doing a public service," Rasch said. "What they did, at best, was exercise a monumental lack of judgment."
***************************
USA Today
'Reply-all' button can be hazardous to your job
By Chad Graham, Gannett News Service


Maybe my brain just locked up. Maybe it was a case of Idiotic Stupiditis.


Picture it: Hollywood trade paper two years ago. One of the pushiest, meanest editors on Earth is on the instant message system tearing into me for no apparent reason for the 10th time that day.


I snap and message one of my co-workers, also a target of the editor's wrath. My message includes the English translation of "%&!$" and concludes with a prediction that our boss will probably be piloting the next boat to hell.

I push "send," and the message is delivered to the boss.

Rats!

After the color completely drains from my face, I discover said boss has stepped out of the office and hasn't seen the message. In a pure "Mission: Impossible" moment, I sneak into her office and in a second delete the e-mail. My heart still pounds at the thought of getting caught and probably canned.

Others aren't so lucky.

The "reply all" button can be evil.

At a major Des Moines employer several years ago, a couple of employees were having extramarital activity nights. One sent an e-mail to the other saying she could no longer continue and the get-togethers had to stop. A slight problem: She hit the "reply all" button by mistake and in seconds all of her co-workers knew about the end of the affair.

A friend of mine accidentally sent family reunion pictures to a boss, who had the same last name as her uncle. Another friend accidentally zapped a raunchy joke to the entire office; ironically, it was a joke about forwarded messages. Other friends have sent biting messages about co-workers, only to have 15 people read their running commentary.

"It's happening all over," said Dana May Casperson, a business etiquette consultant based in Santa Rosa, Calif.

Casperson, the author of Power Etiquette: What You Don't Know Can Kill Your Career, tells the story of the worker who accidentally e-mailed extremely personal information about the boss to the entire office.

"I would think that every person by now would know the potential of what can happen with e-mail," she said. "You're spreading gossip. It's a tragedy."

Casperson's solution to a nasty e-mail sent to the boss? Fess up as soon as possible.

Don't ramble, either. Prepare what you are going to say, maybe explaining that the incident was a slip of the mind, and apologize.

"It takes a lot of courage to go face-to-face, but you'll gain respect," she said. "You still might lose your job or damage your promotion."

What about the Chad Graham solution of tinkering with the boss's e-mail system?

"That ranks right up there with industrial espionage," said a laughing Dale Cyphert, coordinator of the University of Northern Iowa's business communication program. "That really strikes me as not being a safe move."

If a young worker has a grievance with his or her boss, Cyphert's advice is to pick the battle. Office newbies need to know when to keep their traps shut and adjust to the company, such as over a hated dress code, and when a problem is serious enough to go to the boss or the human resources department.

To find out how to maneuver through the politics, Cyphert advises finding a trusty mentor who has worked at the company for years. That person may not tell you what you want to hear, but run the complaint by the person first. It's safer than firing off an angry e-mail.

Meanwhile, no more e-mail shenanigans for me. I'm sticking with the old stand-by of talking behind co-workers' backs.

There's no electronic record. Only plausible deniability.

Chad Graham writes for The Des Moines Register
**********************************
New York Times
Ford Settles Domain Name Lawsuit
By THE ASSOCIATED PRESS

DETROIT (AP) -- Ford Motor Co. and a local entrepreneur have reached a settlement over two Internet domain names -- fordfield.com and fordfield.net.

In 1999 and 2000, Michael Ouellette secured the Internet addresses as well as the corporation name Ford Field Inc. for his small T-shirt and grass seed business in Troy.

Now, with the $350 million Detroit Lions stadium named Ford Field set to open Saturday, the automaker has paid Ouellette for the Web addresses and corporation name.

Neither side would disclose terms of the deal, which ends a nearly yearlong dispute between Ford and Ouellette.


Ford filed a federal lawsuit against Ouellette last year, accusing him of trademark infringement and cybersquatting -- hoarding of potentially valuable Internet addresses and hoping for a payout.

"It's an acceptable and practical resolution for both parties," Ford spokeswoman Kathleen Vokes told The Detroit News for a Thursday story.

Ouellette said his business' name was inspired by a Clinton Township public baseball diamond named Ford Field, where he used to play. He said his business was established before the name of the new Lions stadium was revealed in November 1999.

Ouellette said he "was happy and very satisfied with the settlement. The litigation was getting pretty intense."
****************************
News.com
Spam crusaders slog it out in court
By Paul Festa
Staff Writer, CNET News.com
August 23, 2002, 4:00 AM PT


When Joel Hodgell took a Florida steroids marketer to court for violating Washington state's anti-spam statute, he thought he might make some money while striking a blow against junk e-mail.

Instead, he was hit last month with a nearly $7,000 judgment to pay the spammer's legal fees.


Hodgell is one of a small and slowly growing cadre of spam activists who are attacking spam using the state laws that have sprung up over the past five years to restrict or outlaw the sending of unsolicited commercial e-mail. Some compare these activists' suits to the anti-smoking legal trailblazers who 20 years ago started paving the way for the recent multibillion-dollar judgments against the tobacco industry.


Hodgell ascribed the judgment to a technical error he made before he got a lawyer and dismissed it as a minor setback in a longer fight against the steroids marketer and spammers in general. But the Seattle litigant is hardly alone in finding that the road to courtroom spoils from spam is strewn with hazards.


In recent months, a Utah man found his hard drive subpoenaed in a class-action spam suit against Sprint--a subpoena the judge in the case ultimately refused to enforce. In addition, successful spam plaintiffs everywhere have found it easier to win judgments than to collect on them from often shadowy defendants.

Anti-spam litigants, often equipped with nothing more than a business or technology background and a sense of outrage, are finding themselves thrust into a temperamental justice system that is struggling to achieve consistency in a volatile new area of the law.

The Hodgell case vividly illustrates the pitfalls of bringing individual cases against junk e-mailers, giving pause to anti-spam plaintiffs who are already distrustful of the legal system.

"There is continued frustration among anti-spam litigants," said Bruce Miller, one of the first recipients of a spam settlement. Miller cited significant differences of opinion among judges at the King County District Court in Washington state over jurisdiction and over factual errors in the court's informational Web site, and warned potential spam litigants: "Where the judges are being real nitpicky about enforcing rules and laws, the information from the court itself can lead people to think things that are not true and that will not be upheld in court."

Much of the legal fire from individuals comes in small claims court, which imposes maximum judgments of a few hundred dollars. Many spam litigants are representing themselves in court and taking a crash course in the law.

Some, like Hodgell, are taking their cases to higher courts in search of bulkier judgments. With his current legal team, Hodgell plans to re-file his case in either federal district court or state superior court in hopes of winning a judgment between $500,000 and $1 million.

With the risk of expensive counter-judgments and other obstacles warding individual spam recipients away from the courts, the real impact from spam law may wind up coming from corporate lawyers, state attorneys general and federal commissions.

Big boys on the battlefront
Internet service providers, for example, have met with significant successes on the anti-spam legal battlefield. AOL Time Warner's America Online unit in April won an injunction and secured a "significant" monetary settlement against a spammer; EarthLink last month secured a judgment of more than $24 million in a comparable case.


In state capitals, attorneys general are also on the legal warpath against senders of unsolicited commercial e-mail.

In New York, Attorney General Eliot Spitzer in May sued an outfit called MonsterHut for sending unsolicited messages to New Yorkers. Washington's attorney general, Christine Gregoire, this year sued two alleged spammers in Minnesota.

California Attorney General Bill Lockyer has been soliciting specimens of junk e-mail from anti-spam mailing lists to lay the groundwork for lawsuits.

"What we're looking for is examples of spam that is illegal," said Hallye Jordan, a representative for the attorney general. "We are actively pursuing companies that are violating California's anti-spam laws, and if we find that there are companies that we can track and prove that they are violating the law, we will take appropriate action."

At the federal level, the Federal Trade Commission early this year warned that it is preparing to go after spammers in court. But the commission's threats have yet to be manifested in legal action.

Meanwhile, some individuals--variously bold, litigious and idealistic--are pursuing spammers, at once aided and confused by a growing patchwork quilt of state laws.

Twenty-six U.S. states have some sort of law restricting or banning unsolicited e-mail, according to the Spamlaws Web site, maintained by David Sorkin, an associate professor of law at The John Marshall Law School in Chicago, Ill.

A paramount concern for spam law trailblazers is having to learn the quirks and eccentricities of the law and of temperamental judges in a far-from-settled legal terrain.

A fellow King County resident seconded Miller's account of the court system there.

"The biggest obstacle was that the three judges at the local district court had three different views of what the law said and how to bring these cases, so I had to learn a different set of rules for each judge," said Bennett Haselton, who has brought more than 50 anti-spam cases to court in Washington state. "And since judges don't say in advance what rules they're following--each of them says that their different version of the rules is 'the law'--I had to learn each of their rules just by trial and error."

Haselton, the anti-content filtering and anti-spam activist behind the Peacefire Web site, has been taking spammers to court for much of the year, racking up $5,000 in judgments against them.

But he has yet to see the bulk of his awards, having collected less than $1,000 so far.

Haselton is not alone among spam litigants to have met with mixed success in court. A California woman who took the online delivery service Kozmo to court for spamming her wound up failing to collect on a judgment against the company because it went out of business first.

Legal loopholes
But as one of the most experienced veterans of Washington's spam law battlefield, Haselton reserved his biggest complaints for the vagaries of the legal system.


Haselton criticized what he called "the wild inconsistencies in judges' handling of these cases, not just on the anti-spam law but on basic questions of courtroom procedure. This is a serious impediment to the effectiveness of anti-spam laws, and it has to be addressed before calling for more laws will make any difference."

Courtroom consistency aside, legal academics question the degree to which the law can thwart spam.

"Based on our mailboxes, we know the laws aren't having a very good deterrent effect," said Eric Goldman, assistant professor at Marquette University Law School in Milwaukee, Wis., and former chief counsel for Epinions. "And not many lawsuits are being brought under the laws. So what effect have they had? Or were the laws just a way for the legislators to slap each other on the back, go home after a hard day of work, and self-delusionally think they made a difference?"

Spamlaws' Sorkin took a somewhat brighter view of the law's effectiveness but agreed that it alone would be insufficient to stem the spam tide.

"Lawsuits have been somewhat successful in addressing the most extreme instances of spamming, and a number of jurisdictions have enacted specific laws in an attempt to regulate spam," Sorkin wrote in a USF Law Review article. "But legal approaches in general seem to have been no more successful than technical responses to the spam problem, and the primary result to date is a great deal of uncertainty surrounding spam. Ultimately, a consensus approach that coordinates legal and technical responses is likely to provide the only effective solution."

One of the reasons spam litigants are only just getting started is that laws against unsolicited e-mail have wended so slowly through legislatures and legal challenges.

Washington state's law, for example, was passed nearly four years ago but spent much of the intervening time tied up in the courts before the state's high court upheld it last year.

Another hurdle is the wide disparity of restrictions from state to state. That has spam litigants agitating for a national law that would supersede state laws--but an effort to pass such legislation has stalled in Congress.

Steps against spam
Meanwhile, anti-spam litigants--aspiring or actual--have a growing list of resources on the Web to assist them in their legal exploits. The Spamcon Foundation's Law Center (formerly Suespammers Project) keeps track of laws and individual cases and hosts a discussion forum. Peacefire has its own page recommending legal anti-spam action; and Miller maintains a page advising Washington residents how to sue spammers.


While waiting for law to settle out, spam litigants warn that going to court is not for the faint of heart--or those looking to earn a quick buck.

"I would not recommend being a trailblazer to anyone who wants to do it for profit," Haselton said. "I would only recommend it to someone if a) they're idealistic enough to want to help fight spam without making enough money to pay for their time, or b) they want some practice in how to use the legal system.

"Once the trailblazing is done, however, and courts have begun to handle the cases more consistently, I hope that enough Washingtonians will become aware of their rights and bring more of these cases, either by themselves or through a lawyer, and take some spammers' money until the spammers back off," Haselton continued. "The winnings won't be enough to make a living off of--and, no, nobody is making a living off of it now--but it will be enough to motivate people who are not as idealistic as the people doing it now."

Others pursuing spammers in court sounded a similarly community-minded note.

"Bringing a spam lawsuit can be frustrating and hazardous, if done in a court where attorney fees apply," said Miller, who 20 years ago was a "nonsmoker's rights" activist. "But bringing them is a part of the necessary process of shifting public policy. Shifting public policy takes time. But you can probably help join the social movement to clean up Internet e-mail and get a few bucks along the way."
*************************
News.com
Setting a trap for laptop thieves
By Sandeep Junnarkar


Notebook computers are small, powerful, increasingly affordable--and easily stolen. Now, new services being offered by major PC makers could help track down pilfered systems.

A spate of publicity in recent months over misplaced laptops at government agencies, such as those missing from the FBI, the Internal Revenue Service and the Pentagon, has drawn attention to the problem of notebook computer theft.


"At one time, people stole televisions; then they stole VCRs. Now, laptops are the most stolen article of property in San Francisco," said Richard Leon, an inspector in the San Francisco Police Department burglary detail. "We get reports of hundreds of laptops stolen each month."



Looking to stem that problem--and to gain some badly needed revenue--leading notebook makers IBM, Hewlett-Packard and Dell Computer are offering software with their new notebooks that's the PC industry's equivalent of the LoJack stolen car tracking system.

But instead of using a hidden transmitter--as LoJack does--software from companies like Absolute Software and zTrace Technologies is embedded on notebook hard drives, allowing systems to be tracked as soon as they are connected to the Internet.

IBM, which offers Absolute's ComputracePlus, said it is seeing growing demand from laptop buyers in the education and enterprise markets. Vancouver, British Columbia-based Absolute said it saw a nine percent growth in sales in 2001 but expects growth of between 35 percent and 50 percent this year.

IBM has a variety of packages for the tracking service, ranging from a $49, 12-month agreement for one license, to site licenses that cover 20 notebook systems for $2,999 for 48 months.

zTrace, which is available on HP laptops, is priced similarly. A one-year contract for a single notebook costs $49.95. A 20-user license is $2,499 for 48 months.

A call to action
When a laptop is loaded with Absolute's ComputracePlus application, tracking-agent software silently connects with the company's monitoring center whenever the device is connected to the Internet. If that notebook is reported stolen or lost, its location is tracked and local law enforcement is called in to recover the stolen property.


Leon said the software is very effective. "One time we were tracking a laptop broadcast as we approached an apartment to serve a warrant," he said. "When we knocked on the door, this guy answers and over his shoulder we could see the laptop all lit up and connected to the phone line."

The technology works over analog phone lines, as well as digital broadband connections. If the laptop is calling over a phone line, the software uses technology that allows Absolute to identify the phone number. If the device connects to the Internet over a T1 line, a cable modem or DSL, the location is traced using the IP (Internet protocol) address.

"We take the address to the ISP (Internet service provider)--AOL or whoever it happens to be--and get the account information associated with that IP address," said John Livingston, Absolute's chief executive.

But like most computer security products and services, analysts warn, these tracking systems have vulnerabilities.

"A lot of people steal laptops for commercial espionage--to get the data that resides on them," said Alan Promisel, a portable computer analyst at research firm IDC. "Those people will steal them without ever intending to go online."

SFPD's Leon agreed, noting that business users are often less interested in retrieving the laptop and more worried about the confidentiality of the data on their systems. A benefit of these tracking systems is that a customer can request that a signal be sent to the notebook to delete all the information on the hard drive.

Another weakness of the tracking systems is that in some cases a thief could reformat and configure the hard drive in a way that bypasses the tracking agent.

"We'll survive a reformat of the hard drive, but where it gets tricky is when people reinstall operating systems on top of each other. It also depends on what OS is being loaded," Absolute's Livingston said.

Specifically, the software will survive a reformat and reinstallation of any Windows 9X operating system. Installing Windows XP or 2000 can create problems, depending on how the system is configured.

"Someone can wipe the drive everywhere except where we are loaded, because we're working at such a low level in the system--that is, below the Windows operating system at the hardware level," Livingston said.

Experts say this type of tracking security would work best if it is part of a larger theft-prevention strategy. Other devices, such as cable locks, can prevent the theft from occurring in the first place, as can motion detectors that sound an alarm if the notebook is removed beyond a certain perimeter.

Some information technology managers said that in certain situations, such as in a business setting or on a college campus, warning notices posted in conspicuous places can also serve as a deterrent.

"Before we got the service, we had two or three laptops disappear from each campus," said Richard Scaletti, director of networks and telecommunications for North Shore Community College's three campuses in Massachusetts. "We installed the software and put up signs--not one has disappeared yet."
***************************
Sydney Morning Herald
Unix group calls for more Open Source use in govt


The Australian UNIX and Open Systems User Group (AUUG, Inc.) has called on the Federal government to adopt more IT solutions based on Open Source software such as Linux and BSD.

In a media release, the AUUG said the Government deserved praise for its recent progress in adopting Open Source solutions.

There were two recent instances. In the first, Centrelink, the world's 12th largest processing organisation, announced that it had established a world class Linux Laboratory in collaboration with IBM to reduce costs and raise the flexibility of the agency's IT systems. In the second, the Federal Department of Veterans' Affairs decided to move its file and print services for all branch offices to an IBM zSeries mainframe running Linux.

The group called on the Government to review all areas of IT procurement and information standards and ensure there was no bias against Open Source solutions based on open standards.

Government IT managers would then be able to calculate the true return on investment for each acquisition and deployment, enabling the comparison of open and proprietary solutions, a comparison that the group believes will show that Open Source can win and, in the long run, save tax dollars.

AUUG's call comes ahead of its annual national conference, to be held in Melbourne from September 1 to 6. Details of the conference are available at http://www.auug.org.au/conf/auug2002/.
****************************
Sydney Morning Herald
Copy-proof CDs soon, claims Israeli company


An Israeli company, Doc-Witness, has developed a means of copy protection for CDs/DVDs that, it claims, will prevent copying, sharing, counterfeiting and faking IDs.

The technology, OpSecure, works by turning an ordinary CD drive into a smart card reader. A smart card embedded in the CD unlocks the disc's encrypted content.

A photodetector at the CD's edge turns the drive's laser light into electrical pulses, which carry the key request to the embedded smart card. If the card judges that the request is legitimate, it returns the key as an electronic signal that an onboard light-emitting diode converts into light and beams back to the drive.

The CD can be copied, but without the smart card it will not run. Instructions in the smart card can also prevent the software on the disc from being installed on more computers than intended.

Doc-Witness claims OpSecure is impractical to crack since it is hardware-based and relies on dynamic protection. Unlike competing schemes, the company claims, it relies neither on passive protection (which is easily cracked) nor on remote activation (which both intrudes on customers' privacy and is easily cracked).
*****************************


Lillie Coney
Public Policy Coordinator
U.S. Association for Computing Machinery
Suite 510
2120 L Street, NW
Washington, D.C. 20037
202-478-6124
lillie.coney@xxxxxxx