
Clips June 10, 2002 More detail on Technology and Homeland Security Plans





ARTICLES


Unintended Tasks Face New Security Agency
Hill Confronts Reorganization
State, local officials praise Bush plan
Making Spam Go Splat
Web audit pings Army
Study: Software Piracy Up for Second Straight Year
TSA awards baggage screening contract to Boeing
North Dakotans to Vote on Bank Privacy Rules
Private Effort to Fight Digital Theft
Racing's Online Bet
S.Africa Sticks to Plan to Control Internet Names
Internet Movie Site Is On, Then Off Again
New hopes for a security lockdown - An international standard could close gaps
DOD's market power
Privacy law experts for hire
Bush seeks 'big picture'
A department in the making
Technology-related initiatives in the Homeland Security Department proposal
New hope for spam relief
2 Tinkerers Say They've Found a Cheap Way to Broadband
Trying to Cash In on Patents
World Cup website breaks record
Online gaming set to explode
Virtual doctor is only a click away
Hyperlinking takes center stage in court case
Problems plague FAA's new air traffic control system, IG says
Government starts internet emergency centre (Netherlands)
Opening the Open-Source Debate
Email containing royal visit details goes astray
China on Alert for 'Chinese Hacker' Virus
Going After Tech, Not Tech Users
Adaptive Web Systems and Teachable Search Engines
Report: Device Makers Hold Keys to Home Networking
Ultimate Computer Security Devices


*******************
Washington Post
Unintended Tasks Face New Security Agency

To hear President Bush tell it, the new Department of Homeland Security will improve government's "focus and effectiveness," but the confusion attending many aspects of his proposal suggests that government may be headed for a prolonged period of bureaucratic chaos before things are sorted out.

Late last week Agriculture Secretary Ann M. Veneman wondered whether she could "define the parameters of legislation" so that Congress would not transfer all of the Animal and Plant Health Inspection Service to the new department. The agency does research on plant and animal pathogens, a key concern in biological warfare defense, but it also enforces the Animal Welfare Act to make sure pet store owners aren't abusing their charges.

Other changes -- some of them even more radical -- do not appear to have been carefully thought out, critics say. They say virtually all of the changes risk serious unintended and probably unwelcome consequences, and could provoke ill will between Homeland Security and existing departments.

The plan calls for the Department of Homeland Security to grab several entire agencies besides the Animal and Plant Health Inspection Service. These include the Secret Service, the Coast Guard, the Immigration and Naturalization Service, the Customs Service, the Transportation Security Administration and the Federal Emergency Management Agency.

In this endeavor, the new department can count on taking on a lot more than it may want. Homeland Security will be rescuing drunken boaters in heavy surf, airlifting blankets to flood victims in Iowa, confiscating stolen antiquities smuggled from Cambodia and inducing counterfeiters to sell their product to undercover cops.

For every aspect of the big reshuffle, knowledgeable officials expressed both a wish that the new department succeed and misgivings that the bureaucratic hurdles might be so difficult to overcome that the move might end up crippling homeland security and agencies' regular business.

At Customs, several officials and inspectors said the move to homeland security appeared "logical," as the agency has become so focused on homeland defense since the attacks of Sept. 11.

But Dennis Murphy, assistant commissioner for public affairs, suggested that if Homeland Security wants the anti-terrorism expertise, it ought to take the rest of the agency as well. "Things are so intertwined -- the trade portion, the investigative portion, the intelligence," he said. "If you tried to separate out a function, the way we work, it would be essentially like trying to separate Siamese twins."

Dual Control


But in other agencies, the Homeland Security Department will take control of different functions, imposing what amounts to a "two-masters" structure in bureaucracies accustomed to one.


One spot where this will happen is the Health and Human Services Department, where Homeland Security will control the budget -- and thereby set the agenda -- for the agency's biological warfare defense research, worth more than $1 billion in Bush's 2003 proposed budget.

"We think a good piece is grant money," said HHS spokesman Kevin Keane. "We're not going to have people packing up and moving to another department." Instead, Homeland Security would set priorities and fund the nation's biodefense research by contracting with HHS.

The concern, Keane said, is that "in some cases you're splitting persons. At CDC [Centers for Disease Control and Prevention] you have infectious disease specialists who also do bioterrorism. Homeland Security just wants the bioterrorism."

Other departments, however, do not appear destined for this type of cherry-picking. The president's 2003 budget would give the Defense Department $1.07 billion for chemical and biological warfare defense research, with the money tied up in more than 160 programs ranging from decontaminating buildings to developing pocket sensors for biological pathogens.

Sources at the White House's Office of Homeland Security said the relationship between Defense and the new department "has not been worked out yet," but it does not appear to involve any transfer of infrastructure or existing budget authority.

It does, however, envision that DOD will lose $420 million that the president's budget had earmarked for the creation of a National Biological Warfare Defense Analysis Center and for the development of state-of-the-art chemical and biological warfare defense systems in four urban areas, including Washington.

As recently as two months ago, Anna Johnson-Winegar, deputy assistant to the secretary of defense for chemical and biological warfare, said "the Army will run the center" and the "test beds." But Homeland Security sources in the White House said Friday these functions will all pass to the new department.

For agencies such as Defense, the FBI or the CIA, where Homeland Security will not exercise power of the purse, it is not clear how the new department will ensure the kind of seamless cooperation that the president envisions.

The package "does nothing to change the mind-set of the FBI and the CIA with respect to their reluctance to talk to each," said Rep. David R. Obey (Wis.), the top Democrat on the House Appropriations Committee. "The CIA was created to be the Central Intelligence Agency. Instead it becomes just another agency funneling information into another layer of bureaucracy."

Mission Diluter?


The Coast Guard has the distinction of already having shifted to a new department. Its transfer from Treasury to Transportation in 1967 was an elegantly handled move in which details -- down to the telephone books on employees' desks -- had been worked out before DOT opened for business.


"It was the best job I've seen in designing and activating a federal department," said Alan Dean, a National Academy of Public Administration fellow and retired government official who helped move the Coast Guard to DOT, "and I've been involved in department organizations since 1947."

But Dean suggested that moving the agency again might be a bad idea, for, although "the Coast Guard, with its cutters and so on, has a role in homeland defense, its primary function is marine safety."

Moving, he added, risks dilution of the guard's mission and effectiveness in time-honored tasks ranging from buoy installation and maintenance, to search and rescue, and setting ship standards and mariner qualifications.

But Commander Jim McPherson, a Coast Guard spokesman, noted that the agency enforces U.S. law at sea and at borders, stopping illegal migrants and drugs. Its agents have arrest powers, carry weapons and participate in wars -- in Bosnia and the Persian Gulf, for example. "We're the lead in maritime homeland security," he said.

Maybe so, said Dean, but can the Coast Guard maintain its effectiveness if it becomes part of a new Department of Homeland Security? "There is no government organization that cannot be made worse by a bad reorganization," he said. "That's the danger here."

For other agencies, however, there appears to be nowhere to go but up. The Immigration and Naturalization Service has long been considered one of the most dysfunctional bureaucracies in the federal government, damned repeatedly for being unable to clear backlogs, mistreating clientele and failing to keep track of foreign visitors well enough to know which ones are violating visas.

Recently, the agency was criticized for a series of gaffes, including the March mailings of approval notices for changes in the visa status of two of the dead Sept. 11 hijackers.

Sins past and present contributed to the House's approval in April of a bill to dismantle the INS and split it into two agencies. In this context, incorporation into the new Department of Homeland Security was the equivalent of a life ring.

The Bush proposal "will preempt all other restructuring plans," INS Commissioner James W. Ziglar told his 39,000 employees in a statement. "We can now work toward what will be the final INS structure," Ziglar said.

Elsewhere, the plan caught some agencies off balance. The new Transportation Security Administration has only just begun to fulfill its huge mandates, having hired barely 1,000 of the more than 40,000 new federal airport security employees who must be on the job by November, and having purchased only several hundred of the thousands of explosion detection machines that must be deployed by the end of the year.

"The only concern they have is time passing," said Richard Marchi, a senior vice president of Airports Council International-North America, which represents the nation's airport owners. Several airports worried whether TSA could remain focused on its task while moving to a new department.

Other installations could have different problems. They would be getting trimmed and sliced, often without any prior consultation: C. Bruce Tarter, director of the Lawrence Livermore National Laboratory, issued a statement saying "we have not yet received any official details" on Bush's plan to bring the lab under the Homeland Security Department.

Homeland security sources put the lab in the "two masters" category: The new department will be interested in everything that Lawrence Livermore does with chemical-, biological-, radiological- and nuclear-threat research, but wants nothing to do with stewardship of the nuclear weapons stockpile. "We plan to lease that back to the Energy Department," a homeland security source said.

Another type of challenge emerged at the Federal Emergency Management Agency, a one-time poor relation that has become one of the federal government's hot bureaucracies under former president Bill Clinton and current Director Joe M. Allbaugh, who served as Bush's 2000 presidential campaign manager.

Allbaugh "wholeheartedly" endorsed moving the agency to a new department, despite a diverse portfolio that traditionally has focused on natural disasters. Mere enthusiasm, however, is not likely to mitigate the turf war between FEMA's newly created Office of National Preparedness, which is assigned the chore of managing the consequences of an incident, and the Justice Department, which handles the crisis itself.

Insects and Security


Almost all the agencies involved in the move, while they have clear homeland security mandates, also have an often bewildering array of functions totally unconnected to the new department.


The Animal and Plant Health Inspection Service routinely monitors the activities of creatures like the glassy-winged sharpshooter, a half-inch long insect that spreads Pierce's disease, a leading scourge of California's grape vineyards.

The Agriculture Department's Plum Island Animal Disease Center, another agency that would be headed for Homeland Security, is the nation's leading researcher of hoof-and-mouth disease. On the other hand, USDA's National Veterinary Services Laboratories, the nation's leading anthrax research facility, will not move.

White House Homeland Security Director Tom Ridge dismissed concerns about irrelevant functions, in a discussion with reporters about the Secret Service and its function within the Treasury Department to seek out counterfeiters.

"The fact that an organization may have different people assigned to different missions does not detract in any manner, shape or form from the notion that those within . . . who have a primary responsibility to secure the homeland, can do it and will do it much better in an agency who shares its primary goals as well," Ridge said.

Democrats scoffed at such characterizations. "I don't think you could put together a plan that undermines the ability of this government to fight terrorism more than this," said Scott Lilly, minority staff director at the House Appropriations Committee.

The Seat of Power


Allowing the Department of Homeland Security to analyze intelligence would make it a CIA competitor, Lilly said, creating "a parallel analysis" even as it increased the number of people with access to sensitive information.


And Obey, the Democrat from Wisconsin, suggested that confusion over overlapping responsibilities within the scientific community could eventually turn spiteful. Having different groups of infectious-disease researchers working for HHS and Homeland Security "is as if you set up two fire departments in the same town and assigned one to handle arson and another fires caused by accidents."

Potential bureaucratic pitfalls may even lurk in as fundamental an issue as whether and where the new department will have its headquarters. "A decision has not been made," said homeland security spokesman Gordon Johndroe. "We're developing a transition plan, but it's premature to discuss details of a location."

This is not simple housekeeping. The plan calls for 37 agencies to move, and everyone from members of Congress to federal labor unions and thousands of federal workers have a stake in where a Homeland Security Department might go, especially if security concerns prompt the president to look outside Washington.

But even after that decision is made, Customs spokesman Murphy suggested, the department will have to merge a crazy quilt of bureaucratic cultures, some of them, like Customs, dating to the dawn of the republic.

"You're going to come in and have a new badge," Murphy said. "You're going to walk into your office and there will be a new nameplate on the door. Little things, but they mean a lot. It's doable, but it's not going to happen overnight."
**************************
Roll Call
Hill Confronts Reorganization
Turf Battles Erupt Over New Dept.
By Mark Preston and Susan Crabtree


With Congress facing its most dramatic reorganization in more than 50 years to deal with the President's call for a Cabinet-level Department of Homeland Security, a dizzying array of options were being floated on Capitol Hill late last week.
"We are going to have to sit down and talk about it with our expert staffs, the Parliamentarian and [Democrats]," Senate Minority Leader Trent Lott (R-Miss.)said. "We are starting with, I think, a blank sheet of paper."


Indeed, there was little consensus about how Congress should proceed in the immediate aftermath of President Bush's nationally-televised address, and battle lines were already being drawn among committees of jurisdiction in both chambers.

Several Members, including Speaker Dennis Hastert (R-Ill.), were discussing the possibility of creating new select committees and a 14th appropriations panel to handle the issue, while some even suggested Bush's move could lead to the demise of an existing committee.

Getting the two chambers on the same page may prove to be the greatest difficulty.

"I care what the House does since we have the majority over there," Lott said. "But generally speaking the Senate does its thing and the House does its thing."

And, with a critical midterm election looming, a senior Senate Democratic aide scoffed at Bush's insistence that Congress move quickly on creating the new department, noting that the White House failed to keep Congress informed about its plans.

"Things rarely get rubber stamped in Congress," said the aide.

Bush's move puts intense pressure on the Senate to not only approve the agency but also confirm its secretary before the end of the year.

The debate over the final composition of the agency and the nomination hearings will serve as a backdrop for an internal jurisdictional fight that is likely to pit members of the Governmental Affairs Committee against the Judiciary Committee, as Senators try to take ownership of this issue.

Out of the gate, Governmental Affairs Chairman Joe Lieberman (D-Conn.) immediately said he wants his committee to be in charge of handling the creation of the new panel.

"Ipresume our committee will have the jurisdiction over the adoption of the creation of the new agency," said Lieberman, who already has authored a bill to create a Cabinet-level Department of Homeland Security.

But Senate leaders on both sides suggested last week that legislation creating the new agency will initially be disbursed among several committees as the Senate hashes out the responsibilities. Senate Majority Whip Harry Reid (D-Nev.) said there will likely be a "joint referral" of the bill, and Lott concurred.

"In the end I think it is going to have to be referred to a committee with some sequential referrals to other committees," Lott said.

Turf battles are sure to follow.

"This is a major reorganization," Lott said. "It is moving jurisdictions around within the government and how the Congress deals with that is going to have to be considered, too.

"I think Congress is going to have to look and say, 'OK, what committees will have jurisdiction in the first instance and are we going to have to have some sort of realignment of our own committees.' "

Sen. Pat Roberts (R-Kan.) said the answer to avoiding these time-consuming and often-fractious turf battles is to create a select committee to handle this issue. Roberts said he plans this week to promote a resolution he originally offered in October that would create a select committee to oversee homeland security and terrorism issues.

"You are not going to get the Senate to give up jurisdictions, but you might get the Senate to agree to have at least a central point," he said.

Roberts' proposal calls for the select committee to be jointly led by Senate Majority Leader Thomas Daschle (D-S.D.) and Lott, with a chairman and ranking Member appointed by the leadership who would be in charge of the day-to-day operations of the panel. The select committee, Roberts said, would serve as a central point for the various committees of jurisdiction and the White House to hash out their needs.

"It could actually lead to more consulting with Congress," Roberts said.

But several of Roberts' colleagues were cool to the idea, either because they are careful to protect their own turf or outright oppose creating a new panel.

"Absolutely not," said Sen. Arlen Specter (R-Pa.) when asked about creating a new committee. "We have too many committees."

"Iam not a big advocate of creating committees," Lott said. "We might want to even eliminate one."

Still, senior members of Governmental Affairs and Judiciary committees said they believe that each of their respective panels is best suited to handle the new agency.

"Governmental Affairs has the advantage of having a broad jurisdiction that it may be the appropriate committee because everyone else is going to have a more specialized approach," said Sen. Susan Collins (R-Maine), who is in line to be the ranking Republican on this panel next year. "It might avoid some fighting over jurisdiction between other committees if it were assigned to Governmental Affairs."

Sen. Dianne Feinstein (D-Calif.), a Judiciary member, said a majority of the agencies already report to that panel, and it might be a logical committee to oversee the new agency.

"I don't see where you necessarily need a whole new committee structure," Feinstein said. "I think we just have to figure out where most of the jurisdictions rest and put it in that committee. My own view is that it would fall under the Judiciary Committee."

As of late Friday, no meetings had been scheduled between Daschle and Lott to discuss the new situation, but aides predicted those would begin this week.

Armed Services Committee Chairman Carl Levin (D-Mich.) said talk about turf struggles might be premature and noted there are current examples of multiple committees having jurisdiction over a federal department.

"We do this now with the Department of Energy," Levin said. "The Energy Committee obviously has principle jurisdiction over the Department of Energy, but the Armed Services Committee has a certain responsibility and certain jurisdiction over the Department of Energy budget. So it is not unheard of to have just one more committee involved in the authorization process or the oversight process."

Forewarning the likelihood that the next secretary will be sought after by almost every committee chairman and ranking Member, Sen. Orrin Hatch (R-Utah) remarked, "The minute it becomes a Cabinet position, his butt will be here all day long, every day."

Early Friday morning more than a dozen lawmakers met with Bush at the White House to discuss jurisdiction over the proposed department.

The meeting included Lieberman, Select Intelligence Committee Chairman Bob Graham (D-Calif.), Senate GOP Appropriators Judd Gregg (N.H.) and Specter as well as Reps. Saxby Chambliss (R-Ga.), Jim Gibbons (R-Nev.), Jane Harman (D-Calif.), Rob Portman (R-Ohio), Mac Thornberry (R-Texas) and Chris Shays (R-Conn.).

"Bush is very eager to get this legislation moving quickly and have the new secretary in place ASAP,"Portman said in an interview after the meeting. "It was a meeting to talk as allies about how to get this critical project done. But no one in the room underestimated the enormity of the task."

On Friday, Hastert was floating one potential solution along the lines of Roberts' proposal for the Senate: that the House would create a Select Committee on Homeland Security to sort out the jurisdictional issues and process legislation authorizing the creation of the agency.

But Hastert spokesman John Feehery cautioned that the idea was just one of many and the result of preliminary discussions.

"Change is hard around here," Feehery said. "The first thing you have to do is create the Department and that ain't going to be easy."

The Select Committee scenario circulating among leadership offices in the House late last week would make a Member of the leadership team the chairman of the panel with committee chairmen with jurisdiction manning it. After the jurisdictional battles are fought and decided, the special panel would become another permanent standing committee.

Under this loose plan, spending matters would be decided much the same way: with the creation of a new Appropriations subcommittee on homeland security.

So far, Rep. David Obey (D-Mich.) has been the White House plan's sharpest critic in Congress. Yesterday he released two lists of different government agencies' non-security related roles - such as the Department of Agriculture's eradication of the screwworm and boll weevil - that would now fall under the auspices of Homeland Security.

On the other side of the aisle, House GOP leaders were getting an earful from Transportation and Infrastructure Committee Chairman Don Young (R-Alaska) who is concerned about losing jurisdiction over the Coast Guard and the Transportation Security Administration.

"While he thinks that the President's proposal is a very well-thought out proposal ... he believes the issues now needs to be discussed between the committee chairmen and the House leadership," said Young spokesman Steve Hansen.

Still other lawmakers envisioned a compromise where at least some Committees could retain control over their current jurisdiction on issues unrelated to the security of the country.

"[Judiciary subcommittee on crime chairman] Lamar Smith [R-Texas] will still be responsible for the FBI in my opinion. This [new committee] is going to be a cross-cut or a hybrid that will have authority to look at homeland security,"said Rep. Pete Sessions (R-Texas), a member of the Rules panel, the main arbiter of committee turf battles that occur on a regular basis.

GOP Conference Chairman J.C. Watts (R-Okla.) strongly supports the idea of forming a separate Homeland Security panel. Based upon his experience with the Oklahoma City bombing and subsequent investigation, a year and a half ago Watts called for the creation of a separate committee on domestic security to solve what he called the "lack of coordinated federal policy" to guard against terrorist assaults.

"I think establishing a select committee is the best way to handle this,"Watts said. "We've had well over 150 hearings on terrorism and all you get from those hearings is information, but you don't get a coherent strategy for how to combat any threats."

By Thursday evening, House Majority Leader Dick Armey's (R-Texas) name was surfacing as a leader with the unique credentials to handle the job of chairman of a select committee or task force. According to several GOP sources, during a meeting of House Republican leaders on the creation of the new agency Thursday, Armey's name was discussed as a strong possibility.

One lawmaker cited Armey's intention to retire at the end of this session and the independence that would give him as one of his best assets.

"Armey has the time, the focus and the knowledge to accurately devise an organization,"the lawmaker said Friday. "And it would be an incredible swan song."

Others pointed to the basic mechanics of Armey's job, that he works directly with committee chairmen nearly every day to decide the schedule of bills on the House floor.

"He has been the most prominent person to referee jurisdictional issues over the years," one GOPleadership aide remarked.

Democrats immediately took issue with the idea of creating a special committee, arguing that the House should solve the matter through regular order and pass the issue along to the Government Reform and Oversight Committee if they want to expedite the matter as quickly as possible.

In a radio address scheduled for Saturday, House Minority Leader Dick Gephardt (D-Mo.) planned to call on Congress to finish its work on the issue by the one-year anniversary of the tragedy, Sept. 11.

"If you create another committee, you've got to appoint members, hire staff," one Democratic leadership aide noted. "That's an awfully time-consuming process."

Some House Republican aides and lawmakers said they were open to following regular order and letting the Government Reform and Oversight panel take up this issue with the help of a leadership-appointed task force. One lawmaker suggested that following regular order would provide the possibility of the House and Senate quickly producing a bicameral product.

Because Lieberman has already shepherded a bill to establish an agency for Homeland Security through the panel, the lawmaker suggested the House could quickly pass the President's version of the bill and work out the differences in Conference.

"That is assuming that Lieberman is open-minded to making some changes,"the lawmaker said.

But a number of Republican aides expressed concern over charging Government Reform with the complicated duty of divvying up jurisdiction and questioned whether chairman Dan Burton (R-Ind.) was up to the task.

"Government Reform hasn't passed a bill out of committee in six years," one aide commented.

House Appropriations Committee spokesman John Scofield said no matter what plan House GOP leaders decide to use, the appropriations process will not be sidetracked by the sweeping changes at the federal government. The White House has pledged to rely on money already designated for homeland security in the House-passed budget to create the new agency.

"Let the authorizers work their will. We own all the turf,"he said. "We're not going to delay the appropriations process to wait for the authorizers to work their will. If we did that, we'd be here 'til December."

Ben Pershing contributed to this report.
********************
Federal Computer Week
State, local officials praise Bush plan


State and local government officials are applauding President Bush's proposal for a Cabinet-level Homeland Security Department, which would better coordinate defense efforts and put a spotlight on technology programs and projects.


Under the White House proposal, at least 22 existing agencies and offices, and likely more, would be housed under the one department. Several, such as the Federal Emergency Management Agency, the Critical Infrastructure Assurance Office and Lawrence Livermore National Laboratory, have strong relationships with state and local governments.

"If I had to look at it from Kentucky's perspective, right now, when we interact with many of the agencies, we actually go to multiple places for either information or requirements that the states may have," said Aldona Valicenti, Kentucky's chief information officer. "I think having that focused in one area will certainly make it easier from an interaction, there's no doubt about that.

"When we talk about information technology, that tends to be one infrastructure that we're talking about, and when you're talking to multiple agencies, that is not always well understood," she continued. "It would appear to me if and when this is centralized in one Cabinet-level position and one agency, hopefully the technology issues would be better focused."

Valicenti, a past president of the National Association of State Chief Information Officers and still a member of its executive committee, said the group has been following legislation calling for the creation of such a department. She said the White House proposal, which she said is "a step in the right direction," sounds similar to what Sen. Joe Lieberman (D-Conn.) has proposed.

Bryan Gold, a spokesman for Public Technology Inc., the technology arm of the National Association of Counties (NACo), the National League of Cities and the International City/County Management Association, said the change could make it easier for municipalities to deal with one central agency than having to contend with several programs scattered throughout the federal government.

"You've got it under one umbrella instead of having to hunt and peck," he said. "It casts the projects and programs and what people really need to know in a much brighter light becauseÖit could be buried three or four layers deep in another department."

Edwin Rosado, NACo's legislative director, said technology is going to be "key" in this new department.

"They're going to have responsibilities that range from border and transportation security, information analysis and infrastructure protection, preparedness response, bioterrorism, nuclear/chemical threats, and technology is going to be able to provide them the increased communication that they need to be able to get decisions done quickly and take actions faster," he said. "Not only that but be able to help to provide whatever new critical telecommunications infrastructure may need to be developed."

Rosado said that is critical for the protection of America's 3,066 counties, 75 percent of which are rural.

"And it's important that those rural areas be protected just as much as the urban ones," he said. "We have a lot of critical infrastructure, a lot of big possible, potential targets -- dams, bridges, etc. -- that are located in remote areas."
*******************
Washington Post
Making Spam Go Splat
Sick of Unsolicited E-Mail, Businesses Are Fighting Back
By Caroline E. Mayer and Ariana Eunjung Cha


The e-mail with the titillating subject line -- "funny sexy screensaver" -- arrived one recent afternoon in the computers of at least 100 politicians and businessmen. It claimed to be from R. James Woolsey, former director of the Central Intelligence Agency.

But Woolsey didn't send it. It was generated by a "spam" virus, the kind that hijacks someone's online account and sends out messages in the owner's name. "It was like a small version of identity theft," Woolsey, now a partner with Washington law firm Shea & Gardner, said in an interview.

All e-mail users know about spam. It's those unsolicited commercial messages that arrive in your e-mail inbox. Spam has become so ubiquitous that it has also become a verb, as in "spamming" someone, or inundating a person with unwanted e-mail. And millions of e-mail users have been caught by this latest spam twist. They've either had their online identity stolen and used to send messages, or they themselves have mistakenly opened messages that seemed to come from people they knew -- but turned out to be from, say, a sex hotline.

Electronic mailboxes were already being flooded with a growing number of electronic offers of weight-loss pills, sexual aids, travel coupons, low-interest mortgages and other solicitations. Now these fraudulent messages only add more time -- and aggravation -- to e-mail reading, prompting many consumers to reconsider their reliance on e-mail. "People will tell you e-mail has become the biggest burden in their online lives. There's a real frustration level there," said Jeffrey I. Cole, a professor at the University of California at Los Angeles who oversees a long-term study looking at the effects of the Internet on society.

Like many of those caught by this latest abuse, Woolsey blames spam for turning what used to be an enjoyable task -- reading his e-mail -- into a dreaded chore. "You can no longer believe" what you read, said Woolsey, who now scrutinizes every piece of mail with suspicion, much the way Americans approached mail delivered by the Postal Service after the anthrax attacks last fall.

Some computer users, like Indianapolis surgeon Olaf Johansen, have abandoned e-mail entirely. "You get a lot of things on e-mail that you don't need, and I find I'm more productive without it," he said.

To avoid offensive mail, many users are simply deleting large batches of messages with a single stroke without reading them, even though mail they want could also be lost.

In a desperate attempt to control the flood of spam coming through their systems, more than a few corporate computer administrators have blocked e-mail from outside the United States, since much bounced spam seems to be from foreign computers. That limits the spam, but it also limits the Internet's potential as a global communications medium.

Brightmail Inc. is one of the nation's largest anti-spam firms, hunting for the unsolicited and the unwanted through a network of decoy e-mail accounts designed to attract spam. The San Francisco company's researchers surf the Web using those e-mail addresses; they browse Web sites, read newsgroups, sign up for newsletters and do other things a regular user might do.

The result is that Brightmail has detected a 600 percent increase in spam. In April 2001, the network counted a little under 700,000 spam "attacks," in which hundreds of versions of a message are sent to e-mail accounts around the world in one shot. This past April, Brightmail counted 4.3 million such attacks.

"Spam is outpacing the growth of e-mail," said Enrique Salem, president of Brightmail, whose filters are used by Internet service providers to block millions of unsolicited messages daily.

It's not just the number of unsolicited messages that is causing alarm, but also their content. "What most people are noticing is its aggressive nature -- it's more adult-themed," with people constantly "trying to sell you something," said America Online spokesman Nicholas Graham.

And often it's hard to tell -- even after you open the message -- whether the sales pitches are from legitimate firms or individuals, or from questionable operations made to look like well-known firms or people the recipient knows, as in Woolsey's case.

Filtering the Filth
One popular way of dealing with the problem is to set up a filter or create a mailbox that accepts mail only from predesignated addresses. At Hotmail.com, for instance, about 16 percent of customers have selected "exclusive" mailboxes that accept mail only from people in each user's electronic address book, but even this approach wouldn't necessarily protect consumers from fraudulent messages sent from a friend's address.


A step beyond that is to sign up for an Internet service that forces an unknown e-mail sender to go through "handshake verification," a two-step challenge/response process based on the premise that a spamming program will not follow through. MailCircuit.com offers free e-mail accounts using this technology, and for $10 a year provides a fuller service. MailCircuit used to get one or two new customers per week; now it's averaging 30 to 40 a day, according to a spokesman.

Still other consumers are signing up for disposable e-mail addresses that can be turned off when spam becomes overwhelming. Customers of Spamex.com can pay $10 a year to obtain access to 500 active disposable addresses. You can use several at a time, close them if they become inundated with spam and hop to a new address. The 16-month-old service, which hasn't advertised itself, says registrations have increased tenfold in the past three months.

At Rockville start-up Panacea Pharmaceuticals Inc., Chief Operating Officer Kasra Ghanbari takes charge of most of the firm's e-mail. Each morning he goes through the 100 to 120 messages that arrived the previous night, and he separates legitimate business queries from spam, forwarding the "real" e-mails to the appropriate people.

As for the spam messages, "some of them are creative, and those I don't mind as much," he said. "But then there are the nasty ones -- the ones that are image-heavy or pop up windows all over your computer screen just because you opened it."

Ghanbari tackles e-mail head-on, but some people take a different approach. Eric Brynjolfsson, co-director of the Center for eBusiness at MIT, said he knows of several top executives at high-tech companies who have their secretaries sort their e-mail. "They're names you'd recognize," he said. "They don't want to deal with it."

These defensive measures may spell trouble for reputable Internet retailers, electronic publishers and other companies that rely on e-mail for conducting business. Not only do these firms find that they, too, are inundated with unwanted mail -- one electronic publisher said he recently received 172 e-mails overnight, and all but three were "junk" -- but they also have found themselves wrongly accused of generating spam.

Special filters set up by Internet service providers such as Yahoo and Hotmail, for example, can detect bulk e-mailings. What the filters cannot do is tell whether the e-mails are junk messages or a bulk delivery of, say, this week's online newsletter requested, and maybe even paid for, by its readers. Many of these are rerouted to users' special "junk mail" folders, where they then may be overlooked by the account-holders.

Even more drastic, sometimes these messages are completely blocked by an ISP and never arrive in the intended inbox. Under normal circumstances, that could be a good thing. But last December, Dulles-based America Online, the world's largest online service, bounced back early-admission notices from Harvard University that the filter had deemed "junk."

Naoki Yamamoto, who runs a company that uses a Web server in Silicon Valley, experienced a similar problem. She was recently awakened in the middle of the night by a client in Japan who was furious about not being able to send some page proofs to her. It turned out that all Asian e-mail was being rejected by the company hosting Yamamoto's Web site because of a flood of spam from the region. It took 10 hours to get Yamamoto's account back online.

"It was like getting a death sentence without a trial," said Yamamoto, most of whose business comes from Asia.

In Woolsey's case, the spam filters did an even more disturbing thing. A number of his associates reported that the fraudulent message that bore his name got through their filters -- but then the filters blocked the warning message Woolsey subsequently sent out because it had the word "porn" in it. "It was truly ironic," Woolsey said.

Even legitimate commercial messages are increasingly lost in the crowd -- prompting response rates to drop dramatically. People who send newsletters by e-mail, for example, say mailings that used to generate 10 responses now garner only one or two.

"The problem is spammers are using a lot of the same terminology as legitimate firms: 'You stopped at our Web site,' 'You signed up for our newsletter,' 'Here's the information you requested.' So all the e-mail sounds alike and consumers don't know who's telling the truth and who's not," said Paul Myers, editor of TalkBiz.com, an e-newsletter on small business with 41,000 subscribers. "Consumers get so disgusted they just start deleting everything that's not from Mom or their close friends."

Myers said he has been able to survive the spam epidemic by carefully crafting a newsletter that can be distinguished from other incoming mail. But, he added, he knows of dozens of small publishers who have had to shut down. In fact, he recently purchased two firms -- each had more than 25,000 subscribers -- at a "fire-sale price" because their revenue couldn't keep up with the cost of maintaining their e-mail lists.

The pitfalls of spam are haunting even traditional firms that have turned to e-mail as a marketing tool. Last month, Consumer Reports used an independent firm to send out electronic promotions. The e-mail was supposed to go to Consumer Reports online subscribers, but it went to others as well. "We were looking for ways to drum up business, and e-mail is less costly than traditional mail," explained spokeswoman Linda Wagner. But within a few days, the magazine received a handful of "Is this really you?" queries.

"When you try new things you learn about things you didn't anticipate," Wagner said.

Still, Amazon.com and shoe manufacturer Steve Madden, which send out what Madden calls "e-mail blasts" to customers who sign up for them, say the spam glut hasn't lowered the effectiveness of their campaigns. Amazon spokeswoman Patty Smith says she is still optimistic about e-mail marketing.

"We can be much more targeted" with e-mail than with other types of advertising, she said. Still, the company recently announced that it would begin supplementing its marketing strategy with television ads.

The low cost of e-mail is one of the biggest reasons for the rapid rise of spam. "It's practically free," only a fraction of a cent -- far less than direct-mail promotions sent through the post office, said Brightmail's Salem. The sluggish economy may have also spurred some of spam's rapid growth because traditionally, that's when get-rich-quick deals and cure-your-credit programs proliferate.

But technology is probably the chief culprit. New software programs can scan the World Wide Web's vast expanse and extract e-mail addresses from employee directories, sports team rosters and other lists. They also can create lists of possible e-mail addresses by automatically adding @yahoo.com, @msn.com or @aol.com to every word in a dictionary, so someone who never purchased anything online might still receive unwanted messages.

"Spammers are getting cagier and wilier and they're hitting everyone," said Steve Dougherty, director of systems-vendor management for EarthLink Network, one of the nation's largest Internet service providers. A year ago, about 15 percent to 20 percent of the e-mail that managed to get through EarthLink's sophisticated filter was considered spam. Today, "we're seeing 20 to 30 percent getting through."

Individuals are expected to receive, on average, 1,800 pieces of unsolicited e-mail this year, according to Jupiter Media Metrix Inc., an Internet research firm. By 2006, Jupiter expects that number to grow to more than 3,800.

The Law Clicks In
Some lawmakers are trying to curb spam. About two dozen states have enacted laws to control it; many place restrictions only on misrepresentation in e-mails, but a few go so far as to require companies to have toll-free numbers and e-mail addresses where consumers can complain and ask to be taken off marketing lists.


In Virginia, it is illegal to send unsolicited bulk e-mail containing falsified routing information, such as using others' domain name without their permission or including a false or misleading subject line in the address. Violators risk fines of $10 for each piece of unsolicited bulk mail, or $25,000 a day. In Maryland, a similar law goes into effect in October, and violators may be liable for damages of at least $500. The District has no law regarding spam.

Congress is considering legislation to restrict spam, but so far the idea has made little headway. But even if a national anti-spam law were enacted, Internet experts are skeptical that it would reduce spam, and it certainly wouldn't eliminate it. "The way the spamming world works, they'll just go offshore" to escape U.S. oversight, said Brightmail's Salem.

Law enforcement officials are also targeting spam, with federal and state officers filing a number of suits against fraudulent sites and large-scale e-mail marketers.

Brynjolfsson of MIT likens spam to an arms race. "Companies come up with measures and countermeasures to identify and filter out spammers, and the spammers always think of new ways to get around them. . . . As far as I can tell, this will only get worse -- to the point that [electronic] communications will be almost zero."

Said Ray Ozzie, the creator of Lotus Notes, one of the nation's largest e-mail systems: "E-mail is more or less a victim of its own success."

Staff researcher Richard Drezen contributed to this report.
******************
Federal Computer Week
Web audit pings Army

An audit by the Defense Department's inspector general found that the Army's publicly accessible Web sites contained "inappropriate information" and recommends numerous steps the service should take to remedy the situation.

The audit, conducted from May 2001 through January of this year and released June 5, included findings from DOD's Joint Web Risk Assessment Cell, in addition to DOD IG Web site reviews.

From June through August of last year, the joint cell identified 77 public Army sites that contained inappropriate information, including:

* 14 examples of operational plans.

* 4 cases of personal information.

* 48 instances of policies and procedures on military operations.

* 11 documents marked "For Official Use Only."

The IG examined Web site administration at the Army Forces Command, the Army Training and Doctrine Command (Tradoc) and 11 other organizations and found that "sites under the control of both commands ... contained information prohibited by Army Web policy."

Examples included Forces Command sites containing birth dates, family information, personal e-mail addresses, new equipment fielded, exercise data or inappropriate links to commercial sites, and Tradoc sites with similar breaches, as well as inappropriate language.

Officials told the DOD IG that the information would be removed.

The report includes numerous recommendations for the Army chief information officer's office, including:

* Require major commands to document periodic policy compliance reviews of publicly accessible Web sites, report those findings to the CIO and establish a follow-up system to resolve discrepancies identified.

* Coordinate with Tradoc to establish a training requirement and curriculum for Army Web administrators and require that administration personnel be trained before being assigned Web duties.

The Army's director of enterprise integration, Miriam Browning, responded on behalf of the service, although the report does not identify her by name, referring only to her title and responses from "the director" or "she."

Browning partially concurred with the recommendation that commands periodically review their public sites but said it was unnecessary for major commands to report results of those reviews to the CIO.

Instead, she advocated that report submissions go "through the chain of command from organizations that have been notified of specific violations on their Web sites ... the requirement of ad hoc reporting to the [CIO] on the violations that have been identified would be continued."

Browning generally agreed with the other recommendations.

The DOD IG released a report with similar findings earlier this year on the Air Force, although it did commend the Air Force for its Web training program as a "lesson learned" in the Army report.
******************
Reuters
Study: Software Piracy Up for Second Straight Year
Mon Jun 10, 4:48 AM ET


LONDON (Reuters) - Global software piracy increased for the second straight year in 2001 due to lax laws and the growing availability of bootlegged software on the Internet, watchdog group Business Software Alliance said on Monday.


The alliance said in its annual study, now in its eighth year, that it lost nearly $11 billion in sales to software piracy in 2001.


A more telling statistic, it said, was that 40 percent of all new software installed by businesses last year was obtained on the black market, up from 37 percent in 2000.

"In the seven years that we have conducted this study, this is the first time piracy has increased for two years in a row," said Beth Scott, vice president for the group in Europe.

"This is particularly disturbing in light of the fact that more and more software companies are moving their distribution systems to the Internet."

The software alliance, formed in 1988 to tackle software piracy, saw declining world-wide piracy rates through the mid-1990s. Piracy levels picked up in 2000 though, just as illicit software became widely available on the Internet.

The movie, music and video game industry has also been hit hard by piracy. The availability of bootlegged media on the Internet, particularly in file-sharing networks such as Kazaa and Morpheus MusicCity, has eaten into sales, industry leaders say.

CALLS TO GET TOUGH

Scott told Reuters that the group's education tactics are not working. It needs to be tougher with violators, she said, who tend to be small and mid-sized businesses that look for cheap or free software to run their computer operations.

This year, the alliance will push ahead with efforts to lobby politicians to toughen piracy laws, which do not exist in most nations or carry only a small fine for offenders, she said.

The global industry group consists of 46 software makers including Microsoft Corp., Symantec Corp. and Adobe Systems Inc.

Scott noted that software piracy rates in France and Germany increased last year despite the group's increased vigilance in Europe, where in 2001 it issued over one million notices to companies to alert them they might have run afoul of software copyright infringements.

The more traditional piracy havens of Eastern Europe and Latin America topped the charts again, with piracy rates of 67 percent and 57 percent, respectively, the alliance reported.

North America, where the copyright infringement laws are toughest and awareness is the highest, saw piracy increase from 24 percent to 25 percent, still the lowest regional rate in the world, the alliance said.

In Asia, piracy rose in Malaysia, India and the Philippines, though the region as a whole was down slightly.
*****************
Washington Post
Terror Risk Cited For Cargo Carried On Passenger Jets
2 Reports List Security Gaps


By Greg Schneider
Washington Post Staff Writer
Monday, June 10, 2002; Page A01


Security for cargo carried on passenger planes is "easily circumvented," the Transportation Department's inspector general has warned in a draft report that has yet to be made public.


The risk of a terrorist bomb in air cargo has increased because the federal government is focused almost exclusively on screening passengers and luggage, Transportation Security Administration staffers and consultants concluded in similar reports.

Both sets of documents, obtained by The Washington Post, describe an air-cargo system that includes no routine scrutiny of packages and serious gaps in efforts to ensure shippers follow security procedures.

The inspector general's draft report was completed in January, but has not yet been issued to Congress. TSA staffers followed up in March by laying out urgent plans for improvement, according to the documents and interviews.

The steps they outlined, however, have not been put into action as the agency scrambles to meet congressional deadlines for screening passengers and luggage.

"Cargo is likely to become -- and may already be -- the primary threat vector in the short term," one of the internal TSA reports said.

There is a 35 percent to 65 percent likelihood that terrorists are planning to put a bomb in cargo on a passenger plane, another TSA document said, citing year-old intelligence reports.

The agency needs to "improve [cargo] security and reduce risk as soon as possible," the TSA's "Cargo Security Discussion Document" said, boldfacing the last four words for emphasis.

The most obvious solution is to physically inspect all cargo as it comes into an airport, but both the inspector general and the TSA determined that would be impossibly expensive and time-consuming. According to TSA computer models, breaking down all containers, inspecting and reassembling them would allow airports to process only 4 percent of the freight they receive daily.

The TSA documents and the inspector general's report also caution that any changes causing expense or delay in the air-cargo system could cause widespread disruption to U.S. business, which has grown dependent on moving goods rapidly.

The TSA's discussion document and a follow-up titled "Short-Term Cargo Security Enhancement Plan" lay out a series of less-disruptive steps to begin addressing cargo security. Those methods include performing high-profile "blitz audits" of lax freight companies and immediately subjecting 5 percent of all air cargo to physical searches.

Instead, agency leadership decided to pursue a more methodical route, devising methods for measuring cargo security, painstakingly building up a staff of inspectors and awarding contracts for developing databases to monitor companies.

"There is certainly no hesitation or lack of intent or even moving slowly on the part of TSA on cargo security," spokeswoman Mary Kay Eder said. "It is a high priority for an agency that is brand new and has multiple high priorities that it is addressing simultaneously."

The agency has made a decision to focus first on gathering information about the relationships among the entities that send and handle packages, said Bill Wilkening, who recently joined the TSA after 13 years working in cargo security at the Federal Aviation Administration.

Physically screening the cargo put into passenger planes is an enormous task that would take more time and resources to study, he said. The agency may come under pressure to move more rapidly on screening, however; its lawyers are determining whether the transportation security act Congress passed last year requires that cargo be subjected to the same end-of-the-year deadline for explosives screening that checked baggage must meet.

Almost all passenger flights carry cargo alongside luggage in the belly of the plane. It can be anything from pallets of computer chips to refrigerated cartons of chicken; about 22 percent of all air cargo loaded in the United States in 2000 was carried on passenger flights, the Federal Aviation Administration said.

Airlines are financially dependent on cargo, which carries higher profit margins than passengers, who need costly extras that include leg room and hot meals.

The air-cargo system involves numerous participants that all require some level of security oversight. Generally, a shipper takes packages to a freight forwarder, who consolidates packages from many shippers into containers. The forwarder then uses trucks, either his own or hired, to deliver the bulk freight to commercial air carriers for transport.

The government oversight system is based on the "known shipper" regime, which means that the person or business sending a package has an established reputation.

The government banned unknown shippers from commercial airlines immediately after Sept. 11. Inspector General Kenneth M. Mead told Congress that was a significant step, but he has urged the TSA to go further.

The problem with relying on the known shipper regime, according to the inspector general's report, is that it allows approved cargo to fly on passenger planes with only a "visual inspection of the package exterior for tampering or leakage. . . . We found that a terrorist could easily circumvent known shipper policy and ship cargo such as explosives and incendiaries on commercial aircraft without being identified or the cargo being screened."

TSA investigators found that it would be easy for someone to fake known shipper status. Shipments rely on two documents for authentication and both could be easily counterfeited, the agency's discussion document said. To pass through the system, both require only a known shipper's registration number, which is not kept secret.

Another loophole in the system was created last year when the FAA ruled that the person who requests a shipment of cargo could be considered the shipper, according to the inspector general's report. If a restaurant in Chicago ordered mushrooms from a farm in Seattle, for example, the restaurant was listed as the shipper, the report said. The mushroom grower sending the cargo was never identified and the cargo was never screened.

Such loopholes were created "as concessions to commerce," the report said, adding that "this practice . . . defeats the intent of the program and jeopardizes the security of the public." It also said that the loophole "continues to exist after the recent changes to security programs."

Wilkening disagreed, saying federal rules "prevent the wrong person from being considered the shipper." He declined to elaborate.

A step farther along the distribution chain are freight forwarders, who consolidate cargo from multiple shippers. It is up to the freight forwarder to certify that all the cargo came from known shippers, so the reliability and truthfulness of the forwarder is crucial.

The inspector general's office, which conducted its investigation from January to November 2001, found that it would be easy for a terrorist to become a government-approved freight forwarder. In May 2001, the inspector general's office posed as a bogus company and was approved as a freight forwarder within 15 days.

The TSA has begun to address that issue, Wilkening said. It bought a database from Dun & Bradstreet Inc. and is checking freight forwarders against the database for authentication.

The inspector general's report also complained that only a small percentage of such businesses are inspected by the government each year. Some forwarders "have never been, and may never be, assessed for compliance with cargo security requirements," the report said.

Inspectors visit about 1,500 locations a year, Wilkening said, or about 15 percent of all known freight-forwarder operations. They try to focus inspections on the busiest forwarders, he said.

While freight forwarders are required to train cargo handlers in security procedures, the government has not issued any guidance on what constitutes proper training, the TSA discussion document said.

Even if a freight forwarder is fully inspected and compliant, the forwarder can hand over the shipment to an unknown trucking company to take to the airport. There is no requirement for background checks of truckers or employees at freight-forwarding companies.

George Rodriguez, who oversees land and maritime cargo security for the TSA, said that several trucking companies have embarked on their own programs to step up employee identification.

The inspector general's report made 14 broad recommendations for improving the overall system. Suggestions included developing a method for measuring the success of cargo security and tightening oversight of freight forwarders. The TSA agreed with all of them.

In March, the TSA's staff cast the problem as so urgent that it must be addressed immediately. "A full-court press in the short term will help protect us while longer term measures are developed," investigators wrote.

The TSA staff recommended the immediate random screening of 5 percent of all cargo put on passenger planes. TSA should deploy an "absolute minimum" of 200 trace-detection machines, which identify residue of explosives, to cargo operations at certain selected airports, perhaps diverting equipment being used for baggage screening, the staffers wrote.

They also suggested outfitting 10 to 15 mobile cargo-screening units that would travel to airports, increasing uncertainty for terrorists. To keep tabs on truckers who deliver cargo to airports, the TSA should immediately buy 50 to 100 machines that verify driver's licenses. The information should be stored in a database, and deployment should be highly publicized, they said.

Air carriers and freight forwarders should be required to do an ID check for every delivery and keep the information on file for 90 days. The agency also proposed requiring air carriers and freight forwarders to immediately submit lists of all known shippers for the proposed cargo profiling database.

"Issuing this [data] requirement would send a loud and clear message that the government is watching much more closely, and would encourage [carriers and freight forwarders] to increase their compliance and vigilance as well," the TSA wrote, adding that "the freight forwarder industry historically has a reputation for a lax attitude towards regulation and security."

The TSA staffers wanted to quickly increase security inspections but worried that hiring 208 inspectors authorized by recent legislation would take too long. In the interim, they recommended tapping a variety of temporary hires, from failed air marshals to laid-off airline employees, in an all-out push to get things moving.

One of the TSA reports urged the agency to launch, and publicize, a 15-day "blitz audit" of freight forwarders who have run afoul of security regulations in the past, as well as a 60-day blitz audit of all cargo carriers.

The series of audits has not been done, although Wilkening said the TSA would continue the FAA's practice of performing four special inspections a year, calling in agents from around the country to focus on a single city's cargo security and performance in handling dangerous goods.

The agency has decided against making temporary hires to bolster inspection crews. It makes more sense, Wilkening said, to hire and train permanent inspectors as rapidly as possible. He noted that the training facility in Oklahoma City can accommodate only 20 people at a time.

Trace-detection equipment is being tried on cargo in an unspecified region of the country, in cooperation with one airline on a specific type of cargo, Wilkening said. For security reasons, he declined to elaborate. Nor would he say how much cargo is being inspected.

Many of the fixes urged by TSA staffers in March were "labor-intensive," Wilkening said, and physical inspection of cargo is not the point of current efforts. "The focus has been on revalidating customers, and revalidating the relationships between airlines and their customers" through visits and discussions with industry, he said. "If these relationships can't be revalidated, the cargo can't fly."
******************
Government Executive
TSA awards baggage screening contract to Boeing
By Shane Harris
sharris@xxxxxxxxxxx


The Transportation Security Administration Friday awarded a contract to Boeing Service Company to oversee the deployment of up to 1,100 explosive detection machines in every U.S. airport.


The award was expected months ago, but internal disputes among TSA officials over the influence of the agency's new acquisition division stalled the final award, according to sources familiar with the contract negotiations.



Boeing will direct the installation of all the explosive scanners, as well as the installation of 4,800 to 6,000 explosive trace-detection machines, which are smaller and less expensive than the full-screening machines. The full-screening machines use radiation to see inside passenger luggage and can detect specific explosives.



The company will oversee regular maintenance of the devices and will provide training for the 21,500 federal baggage screeners who will operate the machines, according to a TSA statement. Boeing has employed more than a dozen other firms as subcontractors.



"This issue is a very high priority for the Bush administration and for the Department of Transportation," said John Magaw, Transportation's undersecretary for security. "We continue to work toward meeting the mandates of [new security laws]."



The 2001 Aviation and Transportation Security Act signed by President Bush in November requires TSA to be searching every piece of luggage by Dec. 31, but the agency has said for the past several months that it would be unable to meet that deadline without using a combination of trace-detection and scanning equipment.



Only two firms, L-3 Communications of New York and InVision Technologies of Newark, Calif., currently meet Federal Aviation Administration standards for the manufacture of explosive-detection systems for luggage. Working at full capacity, company officials have said both firms could produce only 90 units a month.



TSA also announced Friday that federal employees would begin screening baggage at airports in Louisville, Ky. and Mobile, Ala., by June 25. Federal employees have already begun screening baggage at Baltimore-Washington International Airport.
***************
New York Times
North Dakotans to Vote on Bank Privacy Rules


FARGO, N.D., June 6 -- North Dakota voters on Tuesday will be the first in the country to make their own choice about how to regulate financial privacy. A statewide referendum will decide if banks and other financial institutions can continue to share or sell data without obtaining customer permission.

A disparate coalition seeking tighter privacy restrictions, reaching from labor and the American Civil Liberties Union to a small conservative organization, the Constitution Party, forced the referendum on the ballot. There are unusual allies on the other side, too: the banks and credit unions, which often fight each other on financial regulation.

A previous state law required financial institutions to obtain permission before sharing data. But last year the legislature voted for a new system that allows banks and credit unions to sell data. It does not require them to obtain permission. Customers can prevent the distribution of data by objecting.

The referendum allows voters to keep the new system by voting yes, or to return to the stricter system by voting no.

As part of a general overhaul of banking laws in 1999, Congress allowed financial institutions to share data without obtaining permission. That law did allow states to impose stricter rules. A handful of states, including Vermont, Alaska and Illinois, have retained strict rules, known as opt-in.

In a debate here last week, Charlene Nelson, head of the Constitution Party and a group favoring the stricter rules, Protect Our Privacy, made the emotional case for tighter privacy. "If you believe, as I do, that your private information belongs to you, that it is your private property and you have a right to protect it without taking extraordinary measures," she said, "then vote no."

Gov. John Hoeven, a Republican and a former banker, outlined an argument, which he conceded was complicated, for keeping the 2001 law. He said in an interview in Bismarck that the difficulty of attracting business to this remote, cold state, especially the financial businesses that have provided many new jobs, would be further complicated by banking laws that differ from regulations in most of the country.

Privacy advocates in Washington see Tuesday's vote as very important. The A.C.L.U. gave $25,000 this week to help the campaign for stricter privacy rules. Evan Hendricks, editor of the newsletter Privacy Times, said: "It's huge. It's the first time Americans have had a chance to vote" on the issue. If the "no" side wins, he said, "I think it's going to lead to petition drives in other states."

Paula Bruening of the Center for Democracy and Technology said North Dakota was a leader in an effort spurred by the perception that the federal law "didn't address consumer concerns adequately."

Under the basic federal privacy protections in place in most states, financial institutions send out descriptions of their privacy policies annually and provide customers an opportunity to opt out of having their information shared.

Since the majority of those notices are ignored by customers, the default position, which allows information sharing here and in most states, dominates. As Heidi Heitkamp, a Democratic former attorney general whom Mr. Hoeven defeated in 2000, asked, "Why should every person in North Dakota have to watch their mail with an incredible diligence to protect their privacy rights?"

In the debate here, each side is making its case on what even its opponents concede are rational fears.

North Dakota bankers insist that they do not sell consumer information, and that to do so would immediately lose them customers. State Representative Jim Kasper, who fought the new law in the legislature, recently said at a Rotary lunch in Jamestown Tuesday that he did not believe the state's banks were selling data. But he said he did not want to rely on promises, any more than a bank would loan him money for a car if he said: "Hey, I promise I'll pay the loan. What do I have to sign documents for?"

A poll taken for bankers showed that most North Dakotans trust their own bankers. The state's population of 650,000 makes it possible for managers and tellers to know customers personally. But many voters also know that U.S. Bank, a Minnesota institution that does a lot of business here, paid several million dollars in 2000 to settle lawsuits charging that it violated customers' rights by selling data to telemarketers.

Many who oppose tighter privacy restrictions concede that they do not know for sure that such rules would hurt the state's economy.

But State Senator Deb Mathern, who runs a 2,388-member credit union with $15 million in assets here, said that because "we work very hard to make this an attractive place for business to thrive," no chances should be taken. Even though she got a $25 check in the U.S. Bank settlement, she said, the privacy issue does not trouble her. She argued that very little privacy is left, and that most of the information she has on customers, including loan applicants, could be found elsewhere by determined marketers.

About four months ago, the North Dakota Bankers Association arranged through the Financial Services Coordinating Council, a Washington-based alliance of financial trade associations, to have a poll taken. The poll found that about half the voters opposed the new law, with its looser privacy protections, while about three-tenths favored it and one-fifth were undecided.

But according to defenders of the law who have seen the data, which they would not release, the poll also showed opportunities. It found that North Dakotans feared being isolated economically. That finding led to one widely broadcast television commercial, showing a suddenly advancing wall cutting off the state's boundaries, even slicing through bridges.

The poll also suggested that North Dakotans might distrust banks in general, but not their own bankers. So bank employees have been writing to customers, talking up the issue at work. State Representative Bob Martinson, now the paid chairman of Citizens for North Dakota's Future, closes his debate appearances by saying:

"Go down to your local bank, go down to your local credit union, go down to the person who has helped your son get his first car loan, your daughter get a little extra money for college, the person that has helped you with your checking account when it has been a little off kilter. Ask that person, ask the person you have done business with for the last 10, 15 or 20 years, ask them what they feel about this issue. Then I believe that you will vote yes not to make North Dakota an island, not to build a wall around us."

The poll, which has been kept secret here, provided the major outside help for the law's defenders. They see no advantage in tying the issue to the outside banking interests that have been devil figures in North Dakota politics for many years, and indeed led to the creation in 1919 of the North Dakota State Bank, which Governor Hoeven used to head.

For weeks the defenders had the only advertising campaign going, although radio personalities like Ed Schultz, a talk-show host heard statewide, argued hard for "no" votes, to throw out the less restrictive law. Mr. Martinson said he expected the campaign to cost $150,000 or $160,000.

But when the American Civil Liberties Union contributed $25,000, a sum in the same ballpark as the cost of the poll taken for the bankers, Protect Our Privacy began a heavy radio advertising campaign.

"Banks can legally sell your private records without even asking you," one commercial says. "Voting no on Measure 2 cancels Senate Bill 2191 and gives your privacy rights back to you. Protecting your privacy won't build any walls around North Dakota, but it might help you get through supper without a telemarketer trying to sell you something."
******************
New York Times
Private Effort to Fight Digital Theft


MEMBERS of a ring suspected of Internet credit card theft received rude surprises last week when they opened U.P.S. packages to look for loot they had ordered online at Laptops4Now.com. Instead of the Sony Vaios and Microsoft Xboxes they had ordered, they received old John Grisham paperbacks and other random items signifying that they had just been caught in a sting.

The twist is that this sting operation was carried out not by law enforcement groups, but by a private antifraud company called CardCops.com, one of a small but growing number of private organizations acting as digital security forces against cyberthieves.

After sorting through the 29 leads they received from the sting, CardCops officials forwarded the information to law enforcement agencies.

"It's a little bit controversial, setting traps," said Dan Clements, CardCops.com's chief executive. "But there's no other way to catch hackers and carders. You don't read about any of the authorities going after them and getting them."

Concerned Internet citizens have long aided the federal authorities in their quest to track down originators of computer viruses and perpetrators of child pornography and credit card theft, but until recently the practice has typically been limited to passing on clues they gather, not setting snares for suspects.

Federal law officials say they welcome the shift to more aggressive private policing, as long as the investigators do not put themselves in jeopardy or break the law. Legal experts say that the F.B.I. and other law enforcement agencies can use evidence from private sting operations in court without having to adhere to the higher standards that govern official sting operations.

CardCops.com, based in Malibu, Calif., is a year-and-a-half-old antifraud business financed by fees from credit-card issuers and online merchants. In late May, CardCops set up Laptops4Now.com after identifying Internet chat rooms it said were forums for credit card thieves.

Mr. Clements said Laptops4Now ostensibly sold laptop computers and other goods that are popular among credit card thieves because they can be easily resold on the black market. Members of the CardCops.com team then logged on to the chat rooms, which Mr. Clements declined to identify, and spread word that Laptops4Now had lax procedures for verifying the validity of credit card accounts.

"Our guys floated this information to the chat rooms at 5 p.m., and within 12 hours we got 16 orders for about $27,000 worth of product." None of the credit card accounts were actually charged for the transactions.

Logs of site traffic that help determine the location of the people placing the orders indicated that the would-be buyers were in Indonesia, Bulgaria and other foreign locations. "But they had U.S. shipping addresses," Mr. Clements said. Foreign credit card rings often operate with assistants in the United States, he said, because many e-commerce sites closely scrutinize foreign orders for fraud.

Mr. Clements said the aliases, e-mail addresses and other information gleaned about the people who placed the Laptops4Now orders pointed to the probable existence of a coordinated group of credit card thieves. He said the evidence his team gathered was now in the hands of the F.B.I., the United States Secret Service, the United States Postal Inspector's office and the Los Angeles district attorney's office. With the exception of the Secret Service, those offices declined to confirm that they had received the information.

"We're still seeing which way we want to go with it," James Todak, the assistant special agent in charge at the Secret Service's Los Angeles High Tech Crimes Task Force, said of the CardCops leads.

Mr. Todak declined to say whether he would like CardCops to conduct additional stings. But Robert Pocica, supervisor special agent in the new cyber division of the F.B.I. in Washington, commended private online stings. "I'm glad people want to take the initiative," he said.

Mr. Pocica expressed concern that private citizens with little experience in antifraud efforts "might put themselves in harm's way or violate the law," but said he had more confidence in "associations and companies that maybe have more tools, resources and training to conduct this type of activity."

Despite the F.B.I.'s recent efforts to beef up the agency's computer-related crime force -- the goal is 700 agents, compared with 270 now -- Mr. Pocica said that if private citizens "can do a lot of the front end of the investigations, it's a lot easier for us."

David Nesom, who directs the national emergency response service team for another private online antifraud firm, Internet Security Systems, in Atlanta, said the field was ripe for companies like his because "law enforcement won't take it or they don't have the time to follow up on it."

"It's not a knock against them," Mr. Nesom said. "They're just overburdened. When the F.B.I. looks at a caseload, they'll take the most expensive, high-profile cases they can get, and ignore the ankle-biters."

Like CardCops, Internet Security Systems has used sting operations to help put suspects into the authorities' hands. Last October, for instance, it set a trap in London to catch a hacker who had broken into the system of an American bank in the Midwest, stealing debit card numbers and then demanding $50,000 from the bank in exchange for information about how he had hacked into the system.

The network intruder was from an Eastern European country Mr. Nesom declined to identify. Rather than fix the security hole and let the hacker walk free, Mr. Nesom lured him to England, which has an extradition treaty with the United States. When the hacker showed up, expecting a clandestine meeting with the bank's chief executive, he was arrested by Interpol and F.B.I. agents armed with a warrant issued on the strength of evidence provided by Internet Security Systems.

Virtually all of Mr. Nesom's 75 or so investigators have backgrounds in criminal law enforcement, he said, so they know how to avoid engaging in illegal entrapment that might render their investigations worthless.

But Jennifer S. Granik, clinical director at Stanford Law School's Center for Internet and Society, said that entrapment issues were not a big concern anyway for private organizations acting independently from government law-enforcement officials "because if there is no government agent involved, you have no entrapment defense."

Ms. Granik, who also serves as a defense lawyer for suspects in computer hacking cases, said some courts were allowing defense lawyers to argue what is called a "derivative entrapment defense," when the government acts through a private citizen to snare a suspect. But even then, she said, the standard to show entrapment "is extremely difficult to meet."

Some online merchants say they welcome the rise of private antifraud investigators. That includes executives at CDUniverse.com, which was broken into by hackers in 1999 and which estimates that 5 to 8 percent of its orders come from people with stolen credit cards. Charles Beilman, CDUniverse's chief executive, said the company had not been reporting any of the fraudulent orders "because I've gotten the impression that nobody cares or that nothing would happen."

When told about the CardCops.com sting, Mr. Beilman said: "It sounds nice. We haven't seen the Secret Service or anybody really work it hard, so we've just had to suck it up when it comes to credit card fraud."
********************
Racing's Online Bet
The chairman of the state horse racing board worries that online wagering will lead to the sport's demise
By DAVID COLKER


If horse racing is indeed the sport of kings, everyone in California who has a home computer now lives in a castle.

Internet betting on horse races became legal for California adults in January. All types of track bets--including exacta, pick 6 and daily double, as well as the traditional win, place and show--can be placed online. The races also can be watched live on streaming video.

Bets are placed and paid off through credit card accounts. As chairman of the California Horse Racing Board, veteran TV and film producer Alan Landsburg has overseen the leap of the sport into the digital world. A longtime horse owner, he was appointed to the board by Gov. Gray Davis in 2000.

But Landsburg, 69, whose TV credits include the "Undersea World of Jacques Cousteau," "That's Incredible" and "In Search Of..." series, did not willingly jump on the bandwagon. He was one of two board commissioners to vote against the granting of Internet betting licenses.

Question: What were your reservations about the move onto the Internet?

Answer: I was not sure we were ready to take such an important step. If it goes wrong and we end up lessening the on-site audience for racing, it could threaten the very existence of the sport.

We are already facing difficult times. Over the last 15 years or so, there has been a definite graying of the audience, and no one has figured out yet how to get around this. Millions have been spent on all kinds of surveys and marketing. But on Sunday [June 2]--a perfectly pleasant day to be out at the track--the attendance at Hollywood Park was about 9,000. In the old days, that might have been 30,000 or 35,000.

We don't want to cannibalize that number further by having some of those people who came out just go onto the Internet. We have to do this carefully.

Q: What's the difference? The track and the horse owners still get a cut, and it might increase the amount bet.

A: Then you are in danger of eliminating the audience completely and running the race in what is essentially a television studio with the sound of hoofs and a simulated audience roaring as background. That would be terrible.

Q: With your long history in production, you would be the man for the job.

A: I would definitely not come out of retirement for that.

The problem with sitting at home, alone, and making a bet is that when you win there is no one to poke in the ribs and say, "I did it!" Don't go thinking that is not the most important part of being at the racetrack. It is a social thing.

Q: Could Internet betting boost interest in the sport and thus track attendance?

A: That is the hope. And I think it could work if we go after two extremely important classes of potential customers: the lapsed bettor and the new bettor. It should be a carefully conceived campaign by hard-nosed marketers.

Q: Where do you find a new audience for the sport?

A: If we are to have a future, we will have to start to pay attention to the 15-and-younger crowd.

Q: But they can't bet.

A: If you ask most people my age how they got involved in horse racing, they will tell you, "My dad took me" or "We used to go as a family." This is not something that you just get interested in all of a sudden. Horse racing is more complicated than the stock market--no one should go into it casually.

Q: What are the upsides of betting online for the serious bettor, besides not having to get dressed and go to the track?

A: There is so much information available for quick reference by computer. It should be like the fantasy sports leagues that got such a boost from being online.

Q: What is it going to take to re-energize horse racing if online betting does not work out?

A: Wagering is the lifeblood, but it's not enough anymore. Vegas realized that and they overcame it with gaudy shows. You have to try and make it more entertaining. If you just rely on wagering, horse racing will go the way of the street craps game.

We have to find a way to give people another reason to come out to the track for a fun afternoon. Racetracks, themselves, have done little or nothing about this because they can't see beyond today's $2 wager.

Q: Does online wagering provide a dangerous opportunity for problem gamblers?

A: The number of people addicted to gambling and involved in horse racing is a lot smaller than those who go to Vegas and go bust on emotional betting. But to the addict, gambling in any form is a lure.

As part of the regulations set by the board, no one is allowed to make more than one deposit, per day, into the account they use for racing.

Q: There is no limit on how much they can deposit, however.

A: Yes, but they can't go higher than their credit card limit.

Q: Have you made online bets?

A: Just three times to try it out.

Q: Was it fun?

A: Not really. I didn't have any trouble because I have been using computers for 15 years and I know my way around the Internet.

But for me, simply making a bet is not what it's about. I have to see the whole panorama of the race--I want to see the horses walk by on parade, warm up and get into the gate. I want to see if they are showing pride or fear, how their legs look, their ankles.

You can't really see all that on a computer screen.
*******************
Reuters
S.Africa Sticks to Plan to Control Internet Names
Fri Jun 7, 8:35 AM ET
By Brendan Boyle

CAPE TOWN (Reuters) - South Africa's parliament gave initial approval on Friday to a law designed to expand access to the Internet, but which critics say could force the network to shut down in the country.


The Electronic Communication and Transactions Bill adopted by the National Assembly gives legal status to Internet communications, contracts and trades.


But it also proposes to take over the administration of South African Internet domains, identified by the ".ZA" suffix in addresses, without seeking the approval of the international authority that administers the Internet roadmap.

Nkenke Kekana, chairman of the parliamentary committee that approved the draft, told legislators the management of the Internet could not be left to individuals.

"Change is imperative...We need a stable, representative and democratic model of domain naming and allocation in our region," he said.

Opposition legislator Dene Smuts accused the government of nationalizing the administration of the ".ZA" suffix that identifies all South African Web sites and addresses, saying the government was obsessed with "empire building and control."

Referring to warnings from Internet administrators that violation of international conventions on domain name management could see the South African section of the network shut down, she told parliament:

"This bill fails to avert the danger that we will lose South Africa's major connection to the Internet itself...This net grab simply nationalizes domain name administration," she said before voting against it.

Domain names -- the .com and .uk type suffixes of addresses and Web sites -- are the foundation of Internet navigation. They have been subject to fierce competition with early users trying to claim addresses and domains that might become valuable.

EQUAL ACCESS

Communications Minister Ivy Matsepe-Casaburri said the Bill would allow the drafting of regulations to ensure that more and more South Africans would be able to access the Internet.

"For e-commerce to make an impact on sustainable economic growth, all South Africans should become active participants in electronic communication and transactions," she said.

Matsepe-Casaburri dismissed criticism of the proposed domain-name takeover, telling parliament: "The sometimes hysterical and irrational debate on the issue of the domain name...is indicative of mindsets that have not yet come to terms with the democratic government in existence today."

The ZA domain name is administered under a mandate from the international Internet Corporation for Assigned Names and Numbers (ICANN) by local Internet pioneer Mike Lawrie.

Lawrie told Reuters earlier this week he was keen to be rid of the domain name administration he has handled without pay for a decade, but insisted it had to be done under ICANN rules.

He said a law making his administration illegal would conflict with ICANN rules requiring him and the Internet community of South Africa to approve redelegation of the role.

"If it becomes illegal for me to do the job under South African law and if I am not authorized by ICANN to hand over the administration, the ZA domain will have to shut down until the issue is cleared up," he said in an interview.

Lawrie oversees a series of computer files that are central to the South African Internet roadmap and would have to hand these to any future administrator. Without them, the South African network would have to be rebuilt from scratch.

The bill proposes that Matsepe-Casaburri should appoint a panel to choose a board for a new non-profit company that will take over the so-called "namespace administration."

It does not provide for approval by ICANN, acknowledged around the world as the global administrator of domain names.

The independent Media Africa group estimates around 2.4 million of South Africa's 44 million people had access to the Internet by the end of 2000, leaving most of the black majority out of the network.
*******************
Los Angeles Times
Internet Movie Site Is On, Then Off Again
By JON HEALEY
June 8 2002


The third time definitely was not the charm for Film88.com, a renegade online film site offering hit movies on demand for $1.

Already shut down twice, the service reemerged for a few hours Friday only to have its computers in Holland seized by representatives of the major Hollywood studios. The seizure came at the behest of a Dutch judge acting on a request from the Motion Picture Assn., the studios' international trade group.

The company, which previously operated as Movie88.com, has lost more than 20 expensive computer servers to seizures. In February, Movie88.com was knocked offline and its servers seized by Taiwanese authorities, whose investigation is continuing. Film88.com enabled consumers to watch hundreds of hit movies and classic TV programs online in near-VHS quality, charging $1 a viewing. The video equivalent of an Internet jukebox, it was far easier to use than other unauthorized outlets of downloadable movies on the Net.

The company didn't obtain the studios' permission to offer the movies. Nor did it pay for them, although a spokesman said the company planned to split its profit with the films' owners.

After getting shut down in Taiwan, the company launched Film88.com this week in Iran--mainly because Iran doesn't recognize foreign copyrights. But it put its digital libraries of movies on computers in Holland, using the Dutch Internet service provider TrueServer to connect at high speed to the Net.

On Thursday, TrueServer cut off Film88.com's Internet connection after the Motion Picture Assn. complained that its members' films were being pirated. The site went back up in a limited capacity Friday, prompting the MPA to obtain a court order to seize Film88.com's computers, said Mark Litvack, the association's director of legal affairs and worldwide anti-piracy efforts.

Film88 wasn't represented in the Dutch court, Litvack said.

"TrueServer stepped back in and worked again with us to assist in stopping the piracy," Litvack said. "They are a legitimate business who have acted in an upright manner."

Executives at Film88, who have defended their actions as providing a new revenue stream for studios, could not be reached for comment.

The Web site pledged to be back in business in a few days after "our new lines ... take place."

Said Litvack, "This is a true pirate who has indicated that even with criminal seizures and ISPs shutting him down, he will attempt to continually violate the law. And violate our members' copyright. That is not something we will idly stand by and watch occur, be that in the Netherlands or elsewhere."
**********************
Federal Computer Week
New hopes for a security lockdown - An international standard could close gaps created by commercial software


Beginning July 1, the Defense Department will require a broad group of commercial software suppliers to evaluate their products using a standard known as Common Criteria. Products that fail to pass Common Criteria muster, according to DOD, cannot be sold to the department. Pentagon officials hope the criteria will give new life to their efforts to close security holes in systems that are created using commercial products. Too often, government agencies buy security problems, experts say, by purchasing commercial products with inherent or potential security flaws. The policy could have broad ramifications, because it is not directed just at information assurance products, such as firewalls or intrusion-detection systems, but at any "information assurance-enabled products" such as Web browsers, operating systems and databases.

An international group developed the Common Criteria guidelines, which provide a standard methodology for evaluating products and uncovering problems. After eight years of use around the world, the standard is being promoted by experts as one of the best ways to make agencies and companies more confident about the products they buy.

Of course, a standard is only as good as its enforcement. Earlier efforts to enforce security standards in commercial products generally failed because vendors did not see a commitment to such standards by agencies, even in security-conscious DOD.

But that appears to be changing. John Gilligan, the Air Force's chief information officer, noted that DOD is taking information assurance much more seriously. "There is no doubt about that," he said.

Government agencies outside DOD are not taking the same hard-line approach to Common Criteria. But with the increasing security consciousness in civilian agencies, the standard is starting to have the impact its creators intended.

"We think the Common Criteria, just by the nature of what it is, will take a foothold in becoming the standard for information security products," said Ron Ross, director of the National Information Assurance Partnership (NIAP), the U.S. government's lead organization for the standard. NIAP is a collaboration between the National Institute of Standards and Technology and the National Security Agency.

Marshaling Support

The international community developed Common Criteria in 1996 to improve standards efforts in Europe and the United States, including DOD's Trusted Computer System Evaluation Criteria.

That standard, more commonly known as the Orange Book, fizzled after a lack of demand within DOD eventually led to general disinterest on the part of industry leaders, which in turn extinguished any momentum there had been.

Proponents of Common Criteria believe it will avoid that fate. DOD's tough policy is a good start. With the Orange Book, DOD granted so many waivers that vendors stopped taking the process seriously, observers say. In contrast, DOD has not issued any waivers under Common Criteria.

The outlook for Common Criteria in the federal government improved in January 2000 with the National Security Telecommunications and Information Systems Security Policy 11.

The policy requires all national security organizations within the federal government to use Common Criteria to evaluate information assurance products by July 1. And top DOD officials and House Armed Services Committee members say there will be no easy waivers this time.

"This is a very, very important goal that we hope to see realized," said Robert Lentz, director of the DOD Information Assurance Directorate, at a conference for Wall Street analysts last month.

Furthermore, the provision could end up having the force of law. The House version of the Defense authorization bill, passed last month, included a provision that would require DOD to buy certified products.

The situation is different among civilian agencies. Although NIST has issued guidelines encouraging agencies to use Common Criteria, there's no mandate.

But agencies are beginning to include the standard in their own security policies. Most experts consider the Federal Aviation Administration to be at the front of the pack because of its clearly stated policy and newly completed guidelines for developing systems acquisition requirements based on Common Criteria (see "FAA puts Common Criteria to work," Page 24).

Although the FAA and other agencies will likely not duplicate the DOD model, DOD's policy could make it easier for the standard to be commonly accepted. "There could be a very positive ripple effect," NIAP's Ross said.

The international angle of Common Criteria should also help. Participating countries have agreed that certifications given by one country will be recognized by the others. Not only will this speed the availability of certified products, it will also create a broad market that should spark interest among software vendors.

Members of that arrangement include the United States, Australia, Canada, France, Germany and the United Kingdom, among others.

Earning Trust

Still, as DOD's July 1 deadline approaches, industry vendors are waiting to see how the new rule plays out.

Some vendors, having spent years and millions of dollars to get their products certified, are concerned that DOD will not follow through on its own policy.

Mary Ann Davidson, chief security officer for Oracle Corp., noted that when DOD was using the Orange Book, many vendors avoided the rigors that come with getting NIAP certification and sought waivers instead.

DOD must make security a top priority in buying decisions because it is difficult to add security later if it is not built into a product from the start, she said.

Despite the impending deadline, the DOD policy has gone almost unnoticed in some corners, even though it could have broad implications for information technology buys. Several large IT integrators, when called for comments, were unfamiliar with the policy.

John Lainhart, a partner with PwC Consulting who heads the company's information assurance sector, said that although he was not surprised, he found the lack of knowledge frightening.

And just weeks before the policy is supposed to take effect, there are still significant unanswered questions.

"This is not a new process," said Shannon Kellogg, vice president of information security programs for the Information Technology Association of America, an industry group. But he noted that ITAA and its vendors are still waiting for additional guidance from DOD about the policy.

Perhaps the preeminent concern among DOD organizations is the very real possibility that they will have a limited selection of products to choose from in some technology areas.

"In some cases, there is only one product," Gilligan said. "In other cases, there may not be any products."

DOD has formulated a process that enables Defense organizations to buy products that are not NIAP certified if they are going through the certification process, said Eustace King, technology team leader for the Defensewide Information Assurance Program.

However, one former senior government IT executive, who spoke on the condition of anonymity, warned that certification is not the be-all and end-all because it only covers a particular version of a product.

"As soon as they change the code or add new features, that all changes. Plus, it has to do with how they configure the box," the former executive said. "This is only assurance at the time it was evaluated."

Even if products are certified, it will be even more important that they are integrated correctly, Lainhart said.

"Each package by itself may have information assurance integrity," he said. "When you put them all together, you need to make sure that they maintain that integrity."

Gilligan said that the Air Force will be working to implement the policy. "We're going to try to make this work," he said. But he suggested that the model DOD is using (establishing criteria and then mandating that products meet those criteria) may not work in the long run.

"Is there a way to make this less costly to the vendors with less [DOD] oversight?" he asked. One possibility would be to establish security standards sponsored by government and industry.

It was because of concerns about how the Common Criteria policy would play out that the House Armed Services Committee decided to include the policy in legislation.

Committee members have long been concerned about DOD not adhering to its own policies, one staff member said. "When [a policy] gets 'waivered' to death, it just has no credibility," the staff member said.

In general, past DOD policies have not been implemented in a cohesive manner, the staff member said, and the committee has not seen many details about how DOD is going to implement this policy.

Generating Awareness

If awareness of Common Criteria in the Defense community is low, it is even worse in civilian agencies.

"Everyone has become sensitized to the importance of information security, but I don't think there is enough sensitivity to the Common Criteria within civilian agencies," said Craig Janus, vice president of the Center for Information Systems at Mitretek Systems, a nonprofit company that provides technical expertise to the government.

"The CIOs are not saying, 'No, we don't want to hear about it.' They're saying, 'What the hell is it?'" Janus said of the reaction when his center works with civilian agencies on the standard.

NIAP officials realize they must address this failure.

"We have not done a good enough job of doing the marketing on this whole policy, and now we're faced with kind of a catch-up situation," Ross said.

NIAP officials have done the usual circuit of conferences, meetings and talks, he said. But in the past, other concerns took agencies' attention away from information security. And even now that the focus on security is increasing, Common Criteria is "really not on their radar scope yet."

DOD's emphasis on security should help to a certain extent, but experts fear it could be short-lived, lasting only until the deadline passes, and that it could be ignored by those who believe national security concerns could never apply to them.

Common Criteria "needs to get to the point where people, by default, include it in their planning," Mitretek's Janus said.

However, according to several commercial security consultants, even when awareness is there, Common Criteria guidelines are often too complex and daunting for most users to understand.

"If they want to establish real security guidelines, they have to have clear, easily understood statements that anyone could follow," said one consultant, who asked not to be named.

One hope is that homeland security will raise awareness of Common Criteria along with the rest of information security, Janus said.

NIAP has started a new project aimed specifically at this issue, developing protection profiles, which outline user requirements for evaluating products, for many of the key technologies agencies are using, including operating systems, firewalls, biometric tools and public-key infrastructures.

NIST and NSA will develop two or three protection profiles for each technology area, defining basic, extended and advanced protection levels, Ross said. Different agency applications will need different levels of assurance, but if everyone uses the same protection profiles, it will increase the confidence that the evaluated products will satisfy their particular needs, Ross said.

The project, led by NIAP senior technical adviser Stuart Katzke, has working groups for each technology area and assurance level. The groups include people from every community in government to ensure that the protection profiles will reflect the requirements of various agency users, Ross said.

Some agencies are already interested.

Ron Miller, CIO at the Federal Emergency Management Agency, said he only recently came across Common Criteria but is very interested in seeing how the standard can help his agency and the entire government.

"Any time you have a standard to which manufacturers can build and customers can buy, you increase the probability of increasing security within the organizations," Miller said.

As the CIO Council's security liaison, "I would like to do a serious evaluation of Common Criteria," he said. "If there are merits to it, and people just haven't had the time to sit down and address them, that is a service the council could provide."

This is part of a larger effort he hopes to lead within the council to investigate existing capabilities across government for raising the level of security, he said.

Miller also said he will talk with Office of Management and Budget officials and other leaders in the federal IT management community to find out why Common Criteria has not come up more often, even though interest in security standards spiked during the past two years with the increase in widespread computer viruses and the focus on homeland security.

Within FEMA, Miller has asked his chief security officer, Steve Schmidt, to look at the standard and find potential uses for it at the agency. Schmidt is expected to finish a report on the subject by the end of June, Miller said.

NIST is also in the middle of a major project that could have a lasting impact on agencies' awareness and use of Common Criteria, fitting it into their security policies through the oversight process, Ross said. As the lead information security source for civilian agencies, NIST develops several "special publication" guides every year.

By the end of June, a new publication will be available that outlines a governmentwide security certification and accreditation process, based on Common Criteria. This new process will ensure that all systems, even those that include evaluated products, provide the appropriate level of security within an agency's network, Ross said (see related story, Page 42).

And in September, the FAA and contractor Mitre Corp., a nonprofit, federally funded research organization, will sponsor a workshop on Common Criteria, said Joe Veoni, principal information security engineer in the communications and information systems department of Mitre's Center for Advanced Aviation System Development.

At the workshop, FAA and Mitre officials will promote the idea of adopting Common Criteria across government, using the FAA template to demonstrate the benefits of the standard, Veoni said.

A better understanding of how Common Criteria can be used to further security efforts in an agency's services and mission is crucial in the coming months if the standard is going to become a useful tool for civilian agencies, said Marshall Potter, the chief scientist for IT in the FAA CIO's office.

"The difficulties that are associated with the Common Criteria from a civilian agency perspective is that our business is not only security, we have a mission requirement," and the use of Common Criteria must fit into that environment, he said.

***

Defining common ground

Common Criteria will provide a standard that will enable users to define functional requirements for security-enabled products and systems, and allow vendors to define assurance requirements for their products and development methods.

Users create protection profiles to outline requirements that vendors' products can be tested against, such as data integrity, user access and authentication.

Developers create security targets to define their products' features and the steps they take to develop a secure product, such as configuration management, guidance documents and life cycle support.

There's a caveat, experts warn: A system or network composed of evaluated products will not ensure a secure system. Under Common Criteria, each product is evaluated independently, not based on how it fits or works with other products. So all products must be used within an overarching security plan and must be evaluated again as part of the larger system or network.
*********************
Federal Computer Week
DOD's market power


The Defense Department's latest effort to strengthen the security of its information systems and networks is largely an economic gambit, and one that will succeed or fail based on the department's ability to follow through on the initial premise.

Beginning July 1, many key commercial software products, including Web browsers, operating systems and databases, must be certified as secure using an international standard known as Common Criteria. If a product fails, it's off-limits to DOD buyers.

DOD is sending a message to two audiences. Ostensibly, the policy is intended to ensure that, on a case-by-case basis, Defense organizations do not buy commercial products that come with security gaps that hackers might exploit.

But the department also is attempting to exercise its considerable buying powers to influence the information technology market. By threatening to ban products that have not been certified, DOD officials are hoping to spur development of more secure software.

Its influence, though not what it was before the last IT market boom, is still significant. Microsoft Corp., among other vendors, has made changes to its core software products to accommodate DOD requirements. Vendors often would rather invest money in making changes than lose millions of dollars of potential business.

But that approach does not guarantee success. For many years, DOD required vendors to have their software certified under the Trusted Computer System Evaluation Criteria. Many vendors, though, were granted waivers, and those who actually invested the time and money to have their products certified found little interest from their customers.

In playing the economic card this time around, the department needs to convince both buyers and sellers that it intends to enforce the policy. If enforcement were lax and loopholes plentiful, contracting officers would quickly resort to old habits. If that happens, and vendors do not see sufficient returns on their investments, they will not play along.

DOD's clout is only as good as its will is strong.
*********************
Federal Computer Week
Privacy law experts for hire

From the Internet to banking, from health records to consumer spending habits, Congress is pondering a profusion of laws that aim to protect privacy.

At least nine new laws have been introduced this year, adding to the more than 30 introduced in 2001.

This passion for privacy is spawning a new industry: contract privacy practitioners.

Enter Paul Paez. Former president of the Privacy Council, a Texas-based consulting firm, Paez has launched Privastaff, a "specialty staffing firm" that provides businesses and government agencies with temporary privacy specialists, from lawyers and database architects to application developers and privacy technologists.

Paez, who is setting up offices in San Jose, Calif., San Francisco and Washington, D.C., said laws such as the Health Insurance Portability and Accountability Act (HIPAA) of 1996 and the USA Patriot Act passed last fall require businesses and agencies to adhere to a multitude of new rules regarding privacy.

HIPAA, for example, spells out standards for keeping personal health data private when it is handled and transmitted in electronic form. The Patriot Act, on the other hand, rolls back some privacy protections, making it easier for government authorities to collect personal information by tapping phone lines, monitoring Internet activities and issuing subpoenas.

The effect of the Patriot Act "is the opposite of most privacy legislation," Paez said. "Thus, it compounds the problem of guarding the privacy of transactions while still meeting government requirements to track transactions."

Are agency officials and business leaders following all of this? Paez expects that they aren't and bets that many of them will be eager for expert assistance.

"Lots of work needs to be done at the agencies," Paez said, from "simple nuts-and-bolts compliance requirements" to ambitious business practice re-engineering. "I suspect most government agencies are understaffed or don't have the special resources needed to address" the proliferation of privacy problems.

"Government agencies are trying to comply. Everyone wants to comply, but actually, complying is hard," he said.

Hard enough, he hopes, that Privastaff will flourish.

But government hiring rules may place Privastaff's personnel off-limits for most agency jobs, according to Henry Wong, a contracting specialist in the Office of Personnel Management.

"We don't do a lot of that," Wong said when asked whether agencies hire temporary workers.

Short-term workers typically work for companies that have been hired for specific projects, such as installing a new computer system. Occasionally, an agency will hire some temporary workers such as secretaries, but it's unusual, he said.

Might the plethora of privacy legislation change that?

"It's generating a whole new industry," said attorney Jim Harper. "A lot of the new regulations don't actually protect privacy, but they generate a lot of work for lawyers and others" in the privacy business, said Harper, who is editor of the Web-based privacy think tank Privacilla.org.

Ironically, he said, while congressional concerns about privacy are rising, the public's apprehension has peaked. Consumers have moved beyond the point of being outraged that so much of their personal information is collected, analyzed and sold, and have accepted the fact.

If more privacy legislation passes, it will probably "be too much, too late," he said. But it probably will be a boon for Paez and Privastaff.
******************
Federal Computer Week
Bush seeks 'big picture'
Homeland Security Department would serve as central data clearinghouse


If it works as envisioned, the Homeland Security Department will be the center of a torrent of intelligence data.

At least eight major agencies and numerous smaller ones will funnel information to the Homeland Security Department, which will serve as a "central clearinghouse to collect and analyze" data related to terrorism, according to the Bush administration.

Documents released by the White House say that the Homeland Security Department will be responsible for developing a "big-picture view" of the terrorist threats that so far has been conspicuously missing.

Today, "multiple intelligence agencies analyze their individual data, but no single government entity exists to conduct a comprehensive analysis of all incoming intelligence information and other key data regarding terrorism in the United States," the White House documents say.

That will be the job of the Homeland Security Department.

Intercepted phone conversations, surveillance reports, financial records, travel data and much more will inundate the new counterterrorism agency. Information will pour in from the CIA, the FBI, the National Security Agency and the Immigration and Naturalization Service.

To keep from drowning in this deluge of data, the new agency will have to rely heavily on automating analysis, technology experts say.

But with the right analytic architecture, the vast volume of data can yield dramatic returns, said Allen Shay, president of Teradata, a data warehousing division of NCR Corp.

Data mining and analysis will enable the department to compare the contents of vastly diverse databases. Comparing student visa information, travel data, financial transactions, terrorist watch lists and other data, for example, could provide new insight into terrorist movements and activities, Shay said.

The government has never before had an organization able to collect and analyze so much information from so many agencies. With sophisticated analytical systems, intelligence analysts should be able to develop predictive analysis, Shay said.

It is not a great technological challenge, said Harris Miller, president of the Information Technology Association of America. "There's plenty of technology out there."

Much of the groundwork has already been done, according to Bill Connor, president and chief executive officer of the security software company Entrust Inc. The federal government already possesses "some of the best capabilities in the world, they have just not been integrated to make a quilt instead of a patchwork," he said.

Among the "best-in-class capabilities" are systems used to track money laundering and drug trafficking, Connor said. Such systems are likely to prove useful to the department.

After months of resisting calls to elevate the Office of Homeland Security to a federal agency, President Bush reversed his position June 6 and urged Congress to accept his plan for a Cabinet-level Homeland Security Department.

The new agency would be created from parts of existing agencies, absorbing the Coast Guard from the Commerce Department, INS from the Justice Department, the Customs Service from the Treasury Department, the Federal Emergency Management Agency and smaller divisions from a number of agencies.

It would inherit 169,000 federal workers and a budget of $37.5 billion.

Bush said it would be the biggest government reorganization since 1947, when the Defense Department was created.

But simply moving various parts of different agencies into the Homeland Security Department may do little to improve the nation's ability to detect and prevent future terrorist attacks, said French Caldwell, a vice president at market research firm Gartner Inc.

"My question was, 'What does this agency do to actually improve security?' Security could be improved by improving collaboration on intelligence," Caldwell said. "I don't see what [an] agency does to improve collaboration."

Another potential problem is that the Homeland Security Department will depend on other agencies for the intelligence it will analyze. "Most of the resources are going to be outside the department's control," Caldwell said.

And the CIA, the FBI and other agencies will undoubtedly continue to do their own intelligence analyses, so Caldwell questions what will happen when their analyses conflict with those done by the Homeland Security Department.

"If that's not resolved, this is just another agency giving advice to the White House," Caldwell said.

Bush unveiled his plan as congressional investigations into intelligence failures before the Sept. 11 terrorist attacks were getting under way.

Better intelligence sharing is a key element of the president's plan for a Homeland Security Department. "Information must be fully shared so we can follow every lead to find the one that may prevent tragedy," Bush said in a televised address.

But information sharing has been a technical and cultural problem for government agencies. Agencies such as the FBI and INS have been unable to share data because of incompatible databases. For the FBI and the CIA, their information sharing difficulties have often been attributed to competing cultures of secrecy and jurisdiction protection.

A senior administration official said the technical problems that impede information sharing could be overcome by developing an enterprise architecture for the new department.

"One of the advantages of having one department is that the question of whether or not INS, Customs, Coast Guard and [the Transportation Security Administration] have one or more different platforms, computers, software, is resolved by the secretary," the official said.

And some of the cultural problems may be eliminated by putting the federal entities that fight terrorism into a single department, Rep. Tom Davis (R-Va.) said.

The Homeland Security Department would reorganize the government "along more rational, strategic lines," said Davis, who is chairman of the House Government Reform Committee's Technology and Procurement Policy Subcommittee.

Mindful that the president was once against big government but now appears to be expanding its size, White House officials stressed that the new agency would, in fact, "reduce redundant information technology spending."

Within its $37.5 billion budget, the Homeland Security Department would fund development of new technologies, "both evolutionary improvements" to current technology and "revolutionary new capabilities," administration officials said.

Among them would be new means for detecting the movement of nuclear materials and "a national system for detecting the use of biological agents within the United States."

Diane Frank and Judi Hasson contributed to this article.
********************
Federal Computer Week
A department in the making

Major components of the proposed Homeland Security Department are:

Chemical, biological, radiological and nuclear countermeasures

Civilian biodefense research programs (HHS)

Lawrence Livermore National Laboratory (DOE)

National Biological Warfare Defense Analysis Center (new)

Plum Island Animal Disease Center (USDA)

Information analysis and infrastructure protection

Critical Infrastructure Assurance Office (Commerce)

Federal Computer Incident Response Center (GSA)

National Communications System (DOD)

National Infrastructure Protection Center (FBI)

National Infrastructure Simulation and Analysis Center (DOE)

Border and transportation security

Immigration and Naturalization Service (Justice)

Customs Service (Treasury)

Animal and Plant Health Inspection Service (USDA)

Coast Guard (DOT)

Federal Protective Service (GSA)

Transportation Security Administration (DOT)

Emergency preparedness and response

Federal Emergency Management Agency

Chemical, biological, radiological and nuclear response assets (HHS)

Domestic Emergency Support Team (Justice)

Nuclear Incident Response (DOE)

Office for Domestic Preparedness (Justice)

National Domestic Preparedness Office (FBI)

Secret Service (Treasury)

Source: White House
***********************
Federal Computer Week
Technology-related initiatives in the Homeland Security Department proposal

* Communications interoperability: Developing systems for real-time communications among federal, state and local emergency personnel.

* Border security technology: Developing a central information sharing clearinghouse and compatible databases to support all aspects of border control, including the issuing of visas.

* Information sharing and analysis: Enhancing the fusion and analysis of information from all available government law enforcement and intelligence sources. Also, developing threat modeling and simulation tools, led by the National Infrastructure Simulation and Analysis Center.

* Cybersecurity infrastructure protection: Unifying the activities of the Critical Infrastructure Assurance Office and the National Infrastructure Protection Center. Also, augmenting those capabilities with the Federal Computer Incident Response Center and incorporating the National Communications System.

* Research and development: Coordinating all science and technology research and development to detect and counter chemical, biological, radiological and nuclear threats.

* Bioterrorism detection and response: Developing a national system to monitor public and private health databases for indications that a bioterrorist attack has occurred. Also, creating a sensor network to detect and report the release of pathogens in densely populated areas.

*********************
Federal Computer Week
New hope for spam relief

A federal court decision issued last week dealt a major blow to congressional efforts to curtail access to adult-content Web sites. The decision involved a challenge by public libraries, library users and Web content providers to a congressionally mandated funding scheme where public libraries that provide Web access for patrons must agree to run Web filtering software on terminals that the public uses.

The court ruled the program unconstitutional because it impermissibly infringed on the library patron's right to access a designated public forum, i.e., Internet terminals. The court determined that the patron's right to receive communications freely is entitled to the same protection under the First Amendment as the more traditionally recognized right to speak freely.

Moreover, according to the court, because the regulation at issue is content-based (that is, it requires filtering only for adult content), it is subject to judicial "strict scrutiny." Under this standard, the government must prove that the restriction is narrowly tailored to promote a compelling government interest and that no less restrictive alternative would further that interest.

The court had no difficulty in recognizing several government-protected interests as compelling, including interests in protecting the terminal users from accidental viewing of unwanted images and protecting minors from accessing inappropriate sites. However, the court found that the restrictions did not adequately promote those interests, because filtering software simply does not work.

According to the court, all filtering software is subject to technical limitations inherent in Web design. Any filter that blocks a large percentage of illegitimate sites will also block many legitimate sites. On the other hand, any filter that allows access to most legitimate sites will also allow access to many illegitimate sites. These practical considerations doom to constitutional failure any regulatory scheme based on mandatory filtering technology.

However, the court's decision also points the way to a much more effective, and constitutionally permissible, way to protect Internet users from unwanted material. As the court noted, content-neutral rules are subject to a different, "rational-basis" standard of review. Under this standard, the challenged rule need only be reasonable, the government interest need not be compelling, the restriction need not be narrowly tailored and the restriction need not be the most reasonable.

Under that standard, the government could forbid outright the sending of unsolicited bulk e-mail, known as spam, regardless of its content. Such a rule would be constitutional. It also would strike at the real problem much more directly, by prohibiting unscrupulous people from foisting their repugnant material onto people who don't want it, without stopping people who want the information from using the Web to find what they want.
*******************
Federal Computer Week
NIST to set security standard


The National Institute of Standards and Technology is creating a process to provide a standard way for agencies to certify the security level of their systems and networks.

The new process, which is expected to be released at the end of June as a NIST special publication, will measure the confidentiality, integrity and availability of a system and whether it attained a high, medium or low rating.

The process also will provide an accurate way to compare the security of systems within an agency and with other systems across government, said Ron Ross, a supervisor within the security metrics and testing group at NIST's Computer Security Division. This is particularly important as data sharing and cross-agency systems become the norm.

For instance, the FBI and the Immigration and Naturalization Service are integrating systems and want to be sure that the appropriate security is in place on each side, Ross said. Connecting a system accredited at a high level for data integrity with a system that is accredited at a low level is not good because the data in the low-level system may be untrustworthy, he said.

Agency policies and the Office of Management and Budget's Circular A-130 require that every information system in government go through a security certification and accreditation process. However, only the defense and national security communities have a common method for performing those evaluations.

The new NIST process, which is designed for civilian agencies, will be modeled after the Defense Information Technology Security Certification and Accreditation Process. It will be based on the internationally accepted Common Criteria security standard for products, Ross said.

NIST and the National Security Agency, through the National Information Assurance Partnership, are encouraging the use of the Common Criteria standard within civilian agencies for procuring and developing secure products [see "New hopes for a security lockdown"].

Because using evaluated products does not guarantee a secure network, agencies must also perform certification and accreditation to ensure confidence in each system - and that's what the NIST process will attempt to address.

Common Criteria "does not prescribe an end-to-end solution for information security; it's merely standardizing some of the equipment," said Craig Janus, vice president of the Center for Information Systems at Mitretek Systems.

"There's a systems integration requirement between the Common Criteria and the holistic solution for an agency that needs to be met," he said, "and that is usually met by an overarching security plan."

***

New credentials

The National Institute of Standards and Technology will provide a standard methodology to accredit and certify agency systems and networks. The security of the systems will be rated on the level of confidentiality, integrity and availability provided.

The certification can be done in-house or by a third party familiar with the process. The result will help agencies involved in data sharing or cross-agency projects know the security level of the systems to which they are connecting.
*********************
New York Times
2 Tinkerers Say They've Found a Cheap Way to Broadband


CUPERTINO, Calif., June 7 - Anyone looking for the next big thing in Silicon Valley should stop here at Layne Holt's garage.

Mr. Holt and his business partner, John Furrier, both software engineers, have started a company with a shoestring budget and an ambitious target: the cable and phone companies that currently hold a near-monopoly on high-speed access for the "last mile" between the Internet and the home.

At the core of their plan is the inexpensive wireless data standard known as Wi-Fi or 802.11b, which is already shaking up the communications industry, threatening to undermine the business plans of cellular phone companies by offering a much cheaper method for mobile access to the Internet.

The pair's company, known as Etherlinx, has taken the 802.11b standard and used it to build a system that can transmit Internet data up to 20 miles at high speeds - enough to blanket entire urban regions and make cable or D.S.L. connections obsolete.

Their secret weapon is a technology known as a "software-designed radio," which has permitted them to create an inexpensive repeater antenna that can be attached to the outside of a customer's home. The device, which the Etherlinx executives said they believe can be built in quantity for less than $150 each, would communicate with a central antenna and then convert the signals into the industry-standard Wi-Fi, or wireless fidelity, signal for reception inside the home.

Because of the staggering costs of wiring the nation's homes for high-speed networking, only 7 percent, or 7.5 million homes, now have high-speed Internet access, according to a February report from the Federal Communications Commission.

The two Etherlinx executives say they have a religious fervor to change that by making broadband available widely and cheaply.

"We're bandwidth junkies, and I can't imagine a world in which people don't have broadband," Mr. Furrier said. "That's our mission."

Without venture capital backing, in a garage just six blocks from the garage where Steven P. Jobs and Stephen Wozniak launched Apple Computer 26 years ago, Mr. Holt is making his clever and inexpensive radio repeater by modifying inexpensive Wi-Fi cards, the circuitry that sends and receives the signals.

Although he has partially broken with the Wi-Fi standard, he argues he is doing just what the unlicensed radio spectrum was originally set aside to encourage - innovative wireless network designs.

Mr. Holt, a 54-year-old software designer and engineer who began his career at the Lockheed Corporation in Sunnyvale, Calif., replaces the software that supports the Wi-Fi 802.11b standard with his own code, thereby dramatically extending the range of the cheap, mass-produced hardware. Each repeater contains two cards - one that Mr. Holt has enhanced and another that is able to speak the 802.11b standard to a home computer.

Today, while most of the Wi-Fi industry is working on a more complex technology known as "mesh routing," which involves lashing together hundreds or even thousands of short-range transceivers, the Etherlinx developers believe they have found a crude, cost-effective approach that is capable of leapfrogging the last-mile problem.

"A French engineer would say this isn't the most elegant solution," Mr. Furrier said, "but we didn't care about that. We took advantage of these cheap commodity chips and we just wanted to make it work."

In doing so, they say they believe they not only will be able to skate around the cable and phone companies but dodge the growing industry fears of congestion in the unlicensed Wi-Fi radio band, which is also supporting competing uses such as Bluetooth, an alternative, short-range wireless standard, as well as some wireless telephones.

"The Wi-Fi industry is heading for a train wreck," Mr. Furrier said.

The Etherlinx technology has been operating in a small for-pay trial in Oakland, Calif., for a year. The company began trials here last month using an antenna atop a high-rise building in neighboring Campbell, Calif., where the company has its corporate offices.

Etherlinx is already beginning to attract serious attention from both government officials who are interested in last-mile solutions and corporate executives who believe the lack of high-speed Internet connections is the biggest obstacle to growth in the computer industry.

"We have a huge incentive to see the last mile open up," said Graham Wallace, chief executive of Cable and Wireless P.L.C., one of the world's largest Internet backbone companies.

To attract industry attention, Etherlinx cobbled together a demonstration antenna on the back of a Jeep Cherokee and took it to an industry conference in Southern California last month. Parked in front of the conference hotel, the founders were able to show Intel's chief executive, Craig R. Barrett, that their technology was capable of offering Internet access to the entire hotel as well as to the homes on a ridge behind the conference center.

"I don't think there is a method that has emerged yet as a winner," said Leslie Vadasz, a veteran Intel executive who heads the company's venture arm, "but we are talking to these guys. What they have done is a very smart way of reusing engineering that has been done for other purposes."

Etherlinx began the for-pay trial in Oakland last year after the company failed to get venture capital in Silicon Valley. The company is now selling Internet service commercially to about a dozen customers.

"The V.C.'s are licking their wounds and they don't believe us," said Mr. Furrier, a 36-year-old networking engineer. "That's why we have taken a go-to-market approach."

So far, the company has been run on about $200,000 in private investment - far less than the tens of millions of dollars that have been poured into other Wi-Fi startups.

Etherlinx is not the only company taking new approaches to sending wireless data over longer distances in the unlicensed portion of the radio spectrum. The communications and computer industry is now at work on a second-generation standard known as 802.16, which is intended to address longer-distance communications challenges.

The latest efforts follow the collapse of an earlier attempt to establish a commercial wireless industry based on line-of-sight technology known as the Multipoint Microwave Distribution System, or M.M.D.S. Giant companies like AT&T, Sprint and WorldCom and startups like Winstar and Teligent all developed M.M.D.S. service, but they have either halted development on their systems or declared bankruptcy.

Industry experts said the M.M.D.S. technology failed in part because it required the receiver to be within sight of the transmitter, but also because it required expensive installation and a huge upfront investment to license the spectrum from the government.

"The cost of the license for the spectrum killed them," Mr. Holt said.

Etherlinx is by no means alone in its approach.

Several other companies are also beginning to explore alternatives not requiring line-of-sight that they believe will be more resistant to interference and will be easy for customers to install without expensive on-site help.

Nokia has a research group in Silicon Valley that has been trying to develop such technologies, and Iospan Wireless Inc. of San Jose, Calif., and Navini Networks in Richardson, Tex., are selling products that are along the lines of the Etherlinx approach.

However, Mr. Furrier said he hoped that speed would outweigh size or capital in determining the success of a business in the market. In addition to the company's Oakland trial, Etherlinx is planning to offer commercial service in Campbell, which is not currently served with D.S.L., and in wealthy surrounding suburbs such as Los Gatos and Saratoga.

He argues that the absence of venture funding has actually been an advantage for his company.

"What we've hit on is a low-cost design point and used our fast design to get to market first," he said.
*******************
New York Times
Trying to Cash In on Patents


ROYALTIES from inventions now earn an estimated $150 billion globally a year. With that amount expected to climb 30 percent annually for the next five years, it is little wonder that a number of patent licensing boutiques have sprung up to cash in on the action.

Perhaps the most prominent of these is ipValue, a firm that helped British Telecommunications dust off a controversial 13-year-old patent in its portfolio that the company asserts covers hyperlinking, a concept so basic that Web browsing would be impossible without it.

Similar to ipValue, albeit a smaller venture, is the General Patent Corporation, which is based in Suffern, N.Y., and run by Alexander Poltorak, a Jewish Russian dissident who fled the Soviet Union with his young family in 1982.

Unlike ipValue and others, which help large companies transmute idle patents into royalties or arrange technology swaps, Dr. Poltorak's company specializes in helping cash-strapped independent inventors pursue their patent claims against the big guys.

Last month, for example, Dr. Poltorak's company secured a licensing agreement between General Motors and John Mickowski, who claims to have invented a die-casting process that greatly reduces waste in the manufacture of machine parts. General Patent is also currently helping Mr. Mickowski with a patent-infringement lawsuit against Visi-Trak, a maker of factory equipment.

Dr. Poltorak said he learned the hard way about capitalism and the lot of many independent inventors in America. In the mid-1980's, Dr. Poltorak, who had been trained in Russia as a theoretical physicist, started his own computer company, Rapitech Systems, which developed "smart connectors," now known as PC cards - the little devices that allow a laptop computer to be hooked up to a modem, say, or these days, a DVD player.

As Dr. Poltorak recalls it, his company spent a year and a half working with Hayes Microcomputers, which was the dominant modem manufacturer at the time but subsequently went bankrupt.

When it came time to commercialize the invention, the Hayes relationship went sour. But the board of the fledgling Rapitech, worried that a lawsuit would drain the company of cash, refused to pursue legal action.

Instead, in 1989 Dr. Poltorak acquired four patents from Rapitech - three that had been granted to his colleague Steven Farago and one granted to another colleague, Randy Brand - and formed a new business to defend them in the computer industry.

It was slow going at first. "I wrote 65 notices of infringement and offers to license our technology," Dr. Poltorak said. "We did not get a single response."

After signing up with a law firm on a contingency basis and filing more than 10 lawsuits in the last six years, Dr. Poltorak said, he has managed to license the invention to 90 percent of the computer industry, including Motorola and I.B.M., for "millions of dollars." I.B.M. and Motorola confirmed that they had signed licensing agreements but declined to elaborate.

He is continuing to press his claims against other companies, filing suits last week against two California companies, AmbiCom Inc. and Askey Digital, as well as Askey's Taiwanese parent, Askey Computer.

"The unfortunate reality is that industry doesn't respect intellectual property rights," Dr. Poltorak said. "What they respect is power. If they see that an individual inventor has a patent but doesn't have any money they will routinely infringe the patent."

There are two kinds of patent licensing operations: the carrot variety and the stick approach. Dr. Poltorak acknowledges that he uses a stick, by suing or threatening to sue corporations.

"It's like having your big brother with you in the playground when the bully pushes you," said Emmett Murtha, president of Fairfield Resources International, a patent-licensing firm in Stamford, Conn. Mr. Murtha describes Fairfield as more of a carrot company, although it sometimes forms strategic alliances with Dr. Poltorak.

The average cost of litigation in a patent infringement case is $2 million, which makes the system fundamentally unfair, according to Dr. Poltorak. Unless the inventor has deep pockets, he said, a patent is "really not much more than a nice certificate that you can frame and put on the wall and tell your children about."

"When Motorola and I.B.M. are in litigation against each other it works very well," he said. "It's an even playing field, it's the best system in the world. But not when it is David against Goliath."

Mark Lemley, a professor of law at Boalt Hall School of Law at the University of California, in Berkeley, said that while he was not familiar with Dr. Poltorak's company, it sounded like a natural heir of Jerome H. Lemelson. Mr. Lemelson was an independent inventor who was granted more than 500 patents during his lifetime and whose estate continues to receive patents based on applications he submitted before he died five years ago.

Mr. Lemelson, who established the $500,000 M.I.T.-Lemelson invention prize and endowed an invention center at the Smithsonian, had long asserted that many of his inventions were stolen by companies. Much of his and his estate's wealth stemmed from the "machine vision" and bar-code technology that, after extensive litigation, was licensed to more than 900 companies for more than $1 billion.

Dr. Poltorak, for his part, is uncomfortable with any comparison between himself and Mr. Lemelson.

"Jerry Lemelson would keep his patent application in the office for 20 years or more," Dr. Poltorak said. "He had long chains of applications almost ad infinitum. What that allowed him to do was see which way the industry was going and write the patents in such a way that they clearly covered this new industry. It wasn't necessarily fair because nobody knew about these patents. Mr. Lemelson saw what was happening in the industry and was simply writing around it. Those patents always irked people because they were designed to actually trap people into infringement."

That was a criticism that others also made of Mr. Lemelson while he was alive, but Gerald Hosier, the lawyer for Mr. Lemelson's estate, disputes it.

"There are instances where an applicant might game the system and manipulate it but the patent office is supposed to guard against this," Mr. Hosier said. "If there is an indictment here it is against the Patent Office. Frankly, Jerry Lemelson would have been a lot better off if his patents had issued in a timely way. He didn't see revenues until five years before he died."
*******************
BBC
World Cup website breaks record


The World Cup is proving a big hit with surfers, as the official website clocks up a record number of page views.
Day eight of the football championships, when England defeated Argentina, saw a staggering 106 million clicks on Fifaworldcup.com.


This is a new milestone in internet coverage of sporting events, making the Fifa site the most successful sports event website ever, with 464 million page views since the beginning of the tournament.

The previous record for sports websites was held by the Salt Lake City Olympic Games website, with 350 million page views over the course of the games.

English-speaking success

Fans of England, Ireland and the USA - all teams that have done better than expected in the World Cup - seem particularly keen to follow the progress of their heroes.

Half of all page views come from the English-speaking section of the Fifa site.

Unsurprisingly, Japanese is in second place as the host country shows its enthusiastic interest in the World Cup.

One of the most popular sections of the website is the football memorabilia online auction site for Unicef.

The first auction, for an Italian team jersey signed by all the team, reached £1,900.

It is not just the official website that is benefiting from World Cup fever.

Record-breaking

On 6 June, BBC Sport Online registered 16 million page impressions, an all-time daily record for the site.

In the first week of the tournament, the site chalked up 70.8 million page impressions.

"We knew the World Cup would be a busy time for us but the response has been fantastic," commented BBC News Online editor Pete Clifton.

"We more than tripled our serving capacity for the event and thank goodness we did," he added.

The two most popular pages on the BBC's World Cup site have been a desktop scorecard with live scores and the live text commentary pages.

It has not just been the progress of the England and Ireland teams that has prompted interest from surfers.

"It is heartening to see big peaks in traffic on other days, for instance, when the USA beat Portugal," said Mr Clifton.

"We went out of our way to make the World Cup site a genuinely global proposition and not just obsessed by England, so it's excellent to see so many users coming to us from around the world."
*********************
BBC
Online gaming set to explode


The number of people playing games on the internet is set to explode over the next five years.
About 114 million people are forecast to be gaming online by the year 2006, says a report by US market researchers DFC Intelligence.


The gaming industry sees playing against opponents over the internet as the industry's new growth area.

But online gaming is still in its infancy, with experts saying it will be some time before it becomes part of the mainstream.

Making money online

"Online games should garner significant usage over the next few years," said DFC President David Cole. "The major question mark is whether individual companies will be able to monetize that usage."

The report points out that the top online games are now able to generate revenue in excess of $100m each.

"The end of 2001 saw another major success story with the release of Mythic Entertainment's Dark Age of Camelot, one of the fastest selling online games of all-time," said Mr Cole.

"This could bode well for some of the big budget online games being released in 2002."

Console wars

Up to now, most people have been playing online games through their computers.

But game console manufacturers are looking to muscle into this market. Microsoft has already announced ambitious plans to launch a global interactive gaming network for its Xbox, at a cost of $2bn.

And electronics giant Sony is offering a network adapter for the PlayStation 2, allowing for both low and high-speed internet connections.

The DFC report predicts that about 23 million consumers worldwide will be playing console games online by 2006.

"Microsoft's Xbox Live service is probably the biggest investment in online games yet. It is likely to be a major indicator of the future of console online gaming," said Mr Cole.

Some analysts are cautious about the potential for online gaming.

They say that online games will take years to become more than a niche market as they are largely dependent on the availability of broadband.
******************
USA Today
Virtual doctor is only a click away
A small but growing number of health plans and patients are beginning to use the Web for virtual house calls.


The development makes medical advice more accessible but challenges the basic belief that physicians should charge only for advice dispensed face to face.

"We are accustomed to picking up the phone and talking to our attorney or our accountant and getting bills for that encounter," says Harvard internist Daniel Sands, manager of a Web site about doctor-patient electronic communication. "We're not used to getting that sort of thing from our doctor."

Advocates expect the popularity of virtual house calls to grow as insurers recognize their value and start reimbursing physicians for them.

For now, availability, reimbursement and patient charges vary as health insurers study online consultations:

Blue Shield of California doctors charge patients their standard $5 or $10 co-pay, but the plan doesn't yet routinely pay anything to doctors.

First Health Group, the country's largest for-profit network of doctors, pays its physicians $25 for Web consultations; patients now pay nothing.

Medem, a Web service started several years ago by the American Medical Association and other major doctor groups, expects patients to foot the $20 to $30 charge for its just-launched product: Online Consultations.

About 1,000 physicians have learned how to use Medem's Online Consultations, CEO Edward Fotsch says. On average, Fotsch says, they expect to do five to 10 online consultations per week.

Proponents say virtual house calls - meant to take place within a doctor-patient relationship established in person - are designed to replace unnecessary office visits, not quick phone calls or e-mails that still will be handled for free.

Patients log onto a secure Web site. If required to pay, they provide a credit card number and answer questions about their complaint. A doctor reviews the answers and replies, generally within a business day. If the doctor decides the patient needs to come in after all, there usually is no charge for the Web exchange.

Family practitioner Michael Good of Middletown, Conn., says patients like virtual house calls for non-serious matters. The patient "is saying, 'It's not really that bad. I don't want to take a half day off of work just to come in and be told I'm fine,' " he says.
*******************
USA Today
Hyperlinking takes center stage in court case


By The Associated Press

Nicolai Lassen considers linking such a fundamental element of the World Wide Web that he sees nothing wrong with creating a service around linking to news articles at more than 3,000 other sites.

Danish publishers, however, equate such linking with stealing and have gone to court to stop it.

The case, scheduled for hearings in Copenhagen later this month, is among the latest to challenge the Web's basic premise of encouraging the free flow of information through linking.

Requiring permission before linking could jeopardize online journals, search engines and other sites that link - which is to say, just about every site on the Internet.

If the Web's creators hadn't wanted linking, "they would have called it the World Wide Straight Line," said Avi Adelman, a Web site operator involved in a dispute over linking to The Dallas Morning News.

Most of the court cases and legal threats have been over a form of hypertext-connecting called deep-linking, by which you simply connect users to a specific page rather than a site's home page.

Such disputes reflect "a frustration certain people have with a loss of control" once they post something, said Michael Geist, law professor at the University of Ottawa.

Lassen's Newsbooster service tries to make news stories easier to find by presenting links to items with keywords of a user's choosing. It's much like a search engine, except Newsbooster charges a subscription fee and lets users choose to automatically receive links by e-mail.

"From the home page down to the actual story you want to read can be a very, very long way," said Lassen, Newsbooster's editor-in-chief. "By using a technology such as Newsbooster, you save a lot of time."

The Danish Newspaper Publishers' Association believes Newsbooster should either shut down or negotiate payments.

"We consider it unfair to base your business upon the works of others," said Ebbe Dal, the group's managing director.

Not that opponents of deep-linking always object to it.

Dal thinks it is OK for a newspaper to offer a deep link or two accompanying an article, or for search engines to help users navigate.

Belo Corp. likewise prohibits deep-linking to its sites, including the Morning News. But one of its newspapers, the Providence Journal, maintains an online journal that deep links to other sites.

Belo spokesman Scott Baradell was quoted by several news organizations as saying the company isn't against all deep-linking. But he would not offer specifics on why it objects to deep links to Morning News articles on Adelman's non-subscription site, which covers local Dallas affairs. Contacted by The Associated Press, Baradell said he would have no additional comment.

Reasons for opposing linking vary.

In a federal lawsuit, Homestore.com complains that Bargain Network, by deep linking to Homestore's real estate listings, interferes with its opportunities to sell advertising.

Others, like the Council of Better Business Bureaus, worry that a link - deep or otherwise - can imply endorsement, even if it reaches nothing more than a page with tips. The organization has persuaded thousands of sites to remove links to its Web pages, citing trademark claims.

But to Web purists, a link is no more than a footnote or a page reference. To ban deep-linking, they say, is to prohibit newspaper readers from going straight to the sports pages because they might miss advertising in the front section.

Besides, linking is a way for sites to boost traffic.

"Historically at least, there has been a tradition that if you put something up on the World Wide Web, it would be a public resource," said Matt Cutts, a software engineer at Google. He said Google removes links when asked, though few sites request it as most want to be found.

Early U.S. court decisions have sided with deep-linking. Exceptions are in cases of framing, where a site tries to make information from other sites appear as its own, and ones involving links to tools that circumvent anti-piracy measures built into commercial software.

"It was one of those issues that people thought was more or less settled," said Jorge Contreras, vice chairman of the Internet Law Group at the Hale and Dorr firm. "For whatever reason, these last couple of months, a spate of new disputes have come up."

If they are resolved in favor of plaintiffs opposed to deep-linking, legal experts say that could encourage more lawsuits and more moats going up around certain Web sites.

Several sites, including the Belo papers, Overnite Transportation, ACNielsen research firm and KPMG International, ban all or some deep-linking. The International Trademark Association and The Washington Post reserve the right to prohibit it on a case-by-case basis.

The Albuquerque Journal and American City Business Journals have attempted to charge for the right to deep link. Although editors acknowledge they won't take action against casual deep-linkers, they say a handful have been willing to pay $50 in Albuquerque's case.

"There are some companies that would rather pay to get a piece of paper and get that blessing," said Donn Friedman, the Albuquerque paper's assistant managing editor for technology.

Technology exists for sites that truly want to block deep-linking.

For example, the news site for The Associated Press, The WIRE, checks what site a user comes from. If it isn't a site authorized to use deep links, the user is automatically directed to a default page and required to enter through one of the AP's member newspapers or broadcasters.

Other sites can require registration or paid subscriptions.

Though Web site operators don't always like technical blocks, they prefer that to a legal environment where a ban is presumed and permission must be sought each time.

Weldon Johnson of LetsRun.com, involved in a dispute this spring with Runner's World magazine, said that as long as sites keep the doors open, "it's totally wrong for them to say you have to link to certain pages."
*****************
Government Executive
Problems plague FAA's new air traffic control system, IG says
By George Cahlink


The Federal Aviation Administration's new air traffic control system has numerous technical problems and needs more testing before it is deployed to busy airports, according to the Transportation Department's inspector general.


FAA Administrator Jane Garvey disputed the IG's findings in a letter June 5, saying the system is the "most rigorously tested and seasoned software [system] the FAA has ever deployed."


The FAA is replacing its current air traffic control system with a new, $1.7 billion computer system known as the Standard Terminal Automation Replacement System (STARS). The system is years behind schedule, has cost nearly twice the original estimate, and has been plagued with technical problems. But over the past year, STARS has been improved and installed at a handful of smaller airports. In November, the system will be deployed at its first high-traffic airport, Philadelphia International Airport.


"We have little doubt that STARS hardware and software can be 'installed' by November, but, in our opinion, it is doubtful that it will be operationally suitable by November to control live traffic in Philadelphia and replace [the current systems]," said Transportation Inspector General Kenneth Meade in a June 3 memo to Garvey.



The memo highlighted several concerns about deploying the system at the Philadelphia airport, including:

- FAA's failure to address dozens of technical problems that could keep the system from operating effectively. So-called "critical trouble reports" highlight problems discovered during testing. "FAA has been unable to resolve this issue, and it is not clear whether FAA will allow this situation to go uncorrected at Philadelphia," the IG's memo said.

- FAA's delay in independently testing the system until after it's installed in Philadelphia. "Independent testing provides the final assurance that the product is safe, effective and suitable for full-time use in the real world," the IG said.

- FAA's increased spending on the system in recent months to have it ready by November. The IG says it is concerned that the agency may have made "tradeoffs" in the system's capabilities to have it ready by the fall.


According to Garvey, the agency's trouble reports were a sign of rigorous testing and an aggressive management approach. Garvey said in her reply to the IG that no problems have been identified that cannot be fixed, and any problems that could hamper the system's operation will be corrected before the system is installed in Philadelphia.


"On Nov. 17, the FAA will go operational in Philadelphia with a STARS system that is far superior to the legacy system it replaces. All critical trouble reports will be resolved. The system will be thoroughly tested, and will be proved safe, efficient and maintainable," Garvey wrote.
**********************
Government Executive
New department may help craft cybersecurity strategy


By Liza Porteus, National Journal's Technology Daily


The United States faces a very real cyber threat, experts said Friday, and many people in government and industry are waiting to see if President Bush's proposed homeland security reorganization may help form a national cybersecurity strategy.


The Cabinet-level Homeland Security Department Bush proposed Thursday would have the responsibility of, among other things, protecting critical infrastructures and computer systems, and providing a central clearinghouse for intelligence analysis. Many sections of current departments and agencies that address cybersecurity, such as the Commerce Department's Critical Infrastructure Assurance Office (CIAO) and the FBI's National Infrastructure Protection Center, likely will be included in the reorganization.

Bush said Friday that he will direct White House Homeland Security Director Tom Ridge to testify before Congress about the need for the new department.

Mike Lombard, senior coordinator for infrastructure security analysis at CIAO, said during a conference Friday that coordinating the nation's data systems and centers will be a huge challenge. He said there is a proposal to create an Information Integration Program Office within CIAO that would be in charge of determining where information technology can be most useful in government.

"It's still in the think tank," Lombard said. "It's not ready for prime-time yet."

Douglas Beason, deputy associate director for defense threat reduction at the Los Alamos National Laboratory in New Mexico, said about 50,000 white papers from businesses and organizations that envision ways to boost security are "floating around Washington."

With all these piecemeal efforts, "there must be a national strategy for cyber security," said Eli Primrose-Smith, vice president for global security solutions at IBM. She said Bush's proposal "hopefully" would facilitate the effort.

A cybersecurity strategy is becoming increasingly important as more technologies become interoperable and interdependent, and the nation's computer vulnerabilities increase, said Casey Dunlevy of the CERT Coordination Center at Carnegie Mellon University.

"We're not talking about a cyber Pearl Harbor" but something more "insidious and harmful," Dunlevy said, such as terrorists integrating a cyber component into traditional warfare. And "it's not a question of if, but when. ... It's only a matter of time until they [terrorists] recognize that as a weapon."

Dunlevy said academia can play a "vital role" as a cybersecurity information clearinghouse and a "middleman" between private industry and government, particularly because industry often hesitates to share information on computer weaknesses. "The problem is too big for any one organization or sector to solve," Dunlevy said.

"This is all about economic security and risk management," said Electronic Industries Alliance President David McCurdy. "If you have a plug ... you're vulnerable. ... This is where we're only as strong as our weakest link."
********************
Nando Times
Musicians cheer return of Garageband.com


By MICHAEL P. REGAN, Associated Press


NEW YORK (June 7, 2002 12:46 p.m. EDT) - Folk singer David Grossman's lifestyle and the term "rock star" typically aren't uttered in the same sentence.


Although the 36-year-old musician from Arizona plays hundreds of gigs a year, most are in small bars and coffee shops - he once even played to "a few barbers and their customers" in a hair salon.

So it's no surprise Grossman differs radically on free music downloads from the Metallicas and Dr. Dres of the world, who have fought it in and out of court as sales-damaging copyright infringement.

Grossman is one of thousands of musicians cheering the return of Garageband.com, a Web site that showcases songs of up-and-coming and going-nowhere acts through free downloads and streaming, peer reviews and rankings.

The site, launched with industry heavyweights like Beatles producer George Martin and Talking Heads member Jerry Harrison as consultants in 1999, went offline in February after failing to meet operating expenses.

Tom Zito, a former Washington Post music critic who helped found Garageband Records, hoped to resurrect the site with a distribution deal to put Garageband albums in stores, but that never materialized.

Finally, some of the site's users and employees scraped together enough money to bring it back online.

The site's return last month is welcome news to Grossman and the tens of thousands of his peers whose music can be found on it. Besides providing information about how to buy his CDs, it helps Grossman land gigs by bringing his music to the attention of club owners and party planners who prowl the Net looking for local entertainers. Someone who heard his songs on Garageband even e-mailed to tell him he had a fan club - in Norway.

"The people who are complaining about (free downloads), they're backward," Grossman said. "They would see the wheel as a threat, and say 'What's going to happen to sandal companies when the wheel comes out?' I think (the Internet) is a huge opportunity for artists."

Though sites like Garageband are popular with indie musicians, turning a profit off of the obscure music has proven elusive.

The Internet Underground Music Archive was nearly derailed last year before the online music company Vitaminic acquired it.

"(IUMA.com) was sort of on the verge of breaking even" when cutbacks from EMusic forced it to turn away new acts in February 2001, said IUMA founder Jeff Patterson.

Part of the problem is that Web surfers eager to hear unknown acts don't necessarily buy their CDs.

Record sales were "a very small percentage of our revenue," Patterson said. "I'd guess less than 100 units a month."

CD Baby, a small company in Portland, Ore., which sells discs only on the Internet, handles record sales for both IUMA and Garageband.com. And though CD Baby bills itself as the second-largest online seller of independent music after Amazon.com, its success has been modest.

The company's revenue has increased consistently, from $100,000 in 1999 to $1.4 million in 2001, according to vice president John Steup. It has turned a profit since 1997 when founder Derek Sivers would bike to the post office with a backpack full of discs.

CD Baby lets the artists set the price for their record, including those sold through Garageband. Typically, the bands sell discs for about $10-$12. CD Baby keeps $4 per CD sold, and the band keeps the rest. The artists don't sign any contracts so they are free to sell their discs anywhere else they want.

CD Baby says that in a record deal with a major label, musicians only make $1-$2 per disc.

Clearly, record sales alone won't keep operations like Garageband and IUMA afloat, so the sites are searching for new ways to make money. Much of IUMA's revenue came from concerts featuring the site's most popular acts, said Patterson, adding that IUMA is also considering charging users to download songs but would leave the decision to the individual bands.

Garageband plans to continue permitting free uploads and downloads, but also is planning for-pay services for musicians, said Patrick Koppula, spokesman for the company's new owners. They're still determining what exactly the services will be, he said, but he categorized them as "information, advice, opportunities within the Web site" to help musicians advance their careers.

Gone will be the lucrative recording contracts - originally worth $250,000, but later reduced to $5,000 - that Garageband once awarded.

"We're trying to move the business forward in a much less capital intensive way," Koppula said.

Analysts were once optimistic about sites like Garageband, but after the dot-com bust the chance they can make money is still regarded with some wariness.

"What percentage (of site visitors) are willing to pay? I think it's pretty small," said Melanie Posey, an analyst with International Data Corp.

In any event, the musicians strumming away in bars and garages are more than happy to continue posting songs for free.

"I guess if they really like me, they're going to come back for more," said Jennie DeVoe, an Indiana singer with songs on Garageband. "How I'll look at (free downloads) farther down the road, who knows."
*******************
Euromedia.net
Government starts internet emergency centre
06/06/2002 Editor: Joe Figueiredo


The Dutch government has spent some E300,000 on an emergency centre to warn private and smaller business internet users of "incidents" such as computer viruses, network break-ins or denial-of-service attacks.

The centre, which is expected to start sometime this year, is to use the traditional media, as well as e-mail, SMS messaging and the web to communicate.

In addition to informing and warning internet users, the centre also plans to offer advice on preventing problems, and assistance in resolving them. Tracking down and dealing with internet criminals, however, will remain a police matter.

This initiative was presented on June 5 at the inauguration of the "Computer Emergency Response Team Rijksoverheid" (CERT-RO), which the Interim Minister for Large Cities and Integration, Roger van Boxtel, describes as a "Ministry of Defence for the Internet."

CERT-RO, based on the CERT model of Carnegie-Mellon University in the US, is a kind of "flying squad" for preventing and dealing with ICT-related security incidents at government agencies.
*****************
Sydney Morning Herald
Opening the Open-Source Debate
By David F. Skoll


Recently, an obscure Washington think-tank, the Alexis de Tocqueville Institution (AdTI), posted a press release promising a study which "outlines how open source might facilitate efforts to disrupt or sabotage electronic commerce, air traffic control or even sensitive surveillance systems."

The report has yet to be released, so in this article, I comment only on what I've seen so far in the press, and on replies to questions I posed to the author of the paper and the head of the AdTI. If I manage to get a copy of the actual report, I will post further commentary.

Who Funded the Report?

The first and most obvious question that the discerning reader should ask him or herself is "who funded the report?" Think tanks don't think for free; they are commissioned to do studies. And very often, who funds a study has a strong effect on the conclusions of the study.

When I questioned him about the funding source, Gregory Fossedal, head of AdTI, replied "it isn't our general policy to discuss who does and doesn't fund de Tocqueville, except in the case of qualified press or public officials who are willing to make symmetrical disclosures."

Well, OK; here's my disclosure: I write a monthly Linux column for a local computer magazine, for which I am paid. I also run Roaring Penguin Software Inc., a consulting company specializing in Linux. Therefore, I have a vested interest in the success of Linux and open-source software. Nevertheless, no-one paid me to write this opinion piece.

When I pressed further, Mr. Fossedal replied: "Lookit [sic]: I've told you our policy about discussing our donors; you may think it's appropriate or you may think it's wrong-headed, but that's it."

However, it is a matter of public record that Microsoft funds the AdTI. It's also a matter of public record that Microsoft strongly opposes the GPL, the license under which Linux is released.

And, coincidentally, the author of the AdTI study seems particularly perturbed by the GPL.

So putting two and two together, I believe it's fairly safe to say that Microsoft has funded the study, and I'll henceforth refer to it as "The M Study."

How is Open-Source a Security Risk?

The study isn't out yet, so we don't know. But what's been mentioned so far is the following (quoting Ken Brown, author of the M Study):

Brown explained that while ADTI believes pooled talent is highly beneficial in software development, it is naive to allow "bad guys" as well as "good guys" into that talent pool. "This volunteer community of people is as good as a group of people that's been screened for security? Screened for credibility? Screened for reliability?" he asked.

If you don't bother to analyze the problem in detail, then Brown's position has a veneer of plausibility. When you look into it in depth, however, it's clear that Brown is wrong.

First of all, are all of Microsoft's thousands of employees screened for security, credibility or reliability? Is such screening foolproof?

Were the Russian hackers who cracked Microsoft's network and had access to source code screened for security, credibility or reliability? Ironically, if you look at the ratio of "black hats" who have seen Windows source code to the total number of people who have seen it, that ratio is probably much, much higher than for open-source software, simply because so many "white hats" have an opportunity to see open-source code.

Secondly, Brown fails to understand the "hacker" community. When a cracker breaks the security of a piece of software, he (typically) does not keep it to himself. Rather, the sense of accomplishment comes from publicizing his cleverness. The exploit is quickly published on underground web sites and mailing lists, and often in legitimate venues like Bugtraq and 2600.

Hackers and crackers understand the virtues of sharing information and code; that's why exploits spread so quickly. The only effective way to combat black-hat crackers is to adopt the open, sharing culture of hackers and propagate information and fixes freely and quickly.

Just as it takes only one black-hat to cause havoc by distributing an exploit, it takes only a single white-hat to calm things down by distributing a fix. In the closed-source world, the black-hats operate with their usual culture of sharing and rapid propagation, whereas white-hats have their hands tied---they are unable to propagate fixes. And vendors often drag their feet.

According to the internetnews.com article, "He [Brown] also raised the specter of back doors and viruses woven into critical software patches."

In fact, there have been some trojans placed in open-source software. They have usually been discovered and neutralized very quickly. By contrast, closed-source products have a sad history of spyware, "Easter eggs", and questionable material, placed by people who have (presumably) been "screened."

An interesting back-door was one in Borland's closed-source Interbase product. This back-door lay undetected for years, but was revealed within weeks of the product being open-sourced.

Questionable material in Microsoft software may have helped spur a Peruvian bill to promote free software in government. The author of the bill says that open-source software provides a better guarantee of "security of the State and citizens" than proprietary software, an analysis which is 180 degrees out of phase with the M Study.

Straight from the Horse's Mouth

To investigate further, I asked Kenneth Brown (author of the M Study) and Gregory Fossedal (Chairman of the AdTI) eight questions, all of which they declined to answer. The eight questions are as follows:

1. How much did Microsoft pay you?
2. Do you actually believe anything in the white paper, given the overwhelming consensus in the computer security field that security by obscurity is useless?
3. Why do you run the Alexis de Tocqueville Institution Web site on the open-source Apache server?
4. Please check my malware graphs and tell me why that open-source server is bombarded by attacks from closed-source Windows machines.
5. Please respond to the Mitre Report.
6. Please explain why NSA distributes security-enhanced Linux but not any closed-source system.
7. Explain this statement by noted security expert Bruce Schneier:
   "We pick on [Microsoft] because they've done more to harm Internet security than anyone else, because they repeatedly lie to the public about their products' security, and because they do everything they can to convince people that the problems lie anywhere but inside Microsoft. Microsoft treats security vulnerabilities as public relations problems."
8. Please explain the web-site defacement statistics which show that closed-source software has a history of defacement totally out of proportion to its market share.


Mr. Fossedal saw fit to respond to my e-mail (if not my questions), and he included this statement:

(E.g., a worm was introduced into most of our computers, apparently through our web site. He [AdTI's IT manager] claims no well-run server would allow this to happen. Is he right?) I am not saying there is any connection to Apache; I really don't know; but since you raise the question, it makes me wonder.

AdTI's server runs Apache on a MIPS/IRIX architecture, out-sourced to Verio. As far as I can determine, the machine hosts many Web sites for many different organizations. Mr. Fossedal was unable to explain how a worm could jump from a MIPS/IRIX Apache server to a Windows/Intel PC. None of the other organizations co-hosted on the same machine seem to have had difficulties.

Mr. Brown also responded to the e-mail (though again, sadly, not the questions.) Here's what he said:

1. No software is invulnerable. Thus all software inherently has security problems.
2. Those with motivations to crack a software for bad reasons, etc. will do so, regardless whether the product is os or proprietary.
3. OS is a sound, credible approach for creating systems for the Internet, etc. however, its basis is upon sharing. While we understand that all OS does not have to be shared a majority of it whether it is commercial or non-commercial is shared. GPL and GPL licensed applications are over 80% of popular OS products today. GPL and LGPL stipulate that sharing must occur.
4. National security systems must be secret. Anything or anyone that poses any type of indiscreet sharing of intimate information about our government's IT infrastructure is an inherent threat.


Let's take those point-by-point.

1. Of course, no software is invulnerable. Probably, all software does have security problems. But that doesn't mean that some software isn't much worse than other software. Were one simply to assume that all software is insecure, one might as well run air-traffic control systems on first-year computer science term projects. Mr. Brown's first point, therefore, adds nothing to the debate.
2. Mr. Brown's second point seems to negate the purpose of the M Study (that is, to discourage the use of open-source software.) If bad people will crack software whether it's proprietary or not, then citing a security risk for open-source over proprietary software is incorrect.
3. Mr. Brown's third point is merely a restatement of Microsoft's opposition to the GPL. It has nothing to do with security.
4. Mr. Brown's fourth point, once again, has the superficial appearance of plausibility. While security through obscurity does not work, even I will admit that all things being equal, the less an attacker knows about your systems, the more obstacles there are to your systems being cracked. However:
   - Even with closed-source software, an attacker can very quickly find out enough information to plan an attack. Relying on technical knowledge you believe your attacker to lack is a serious mistake. After all, crackers have been known to obtain detailed network topology maps of military networks.
   - It's important to keep the right things secret. Encryption algorithms should not be kept secret; they should be publicly known, and more importantly, tested and peer-reviewed. Encryption keys, of course, should be kept secret. Password authentication programs should not be secret; passwords should. In general, it's easier to keep a small amount of information (like a key or a password) secret than a large amount (like a body of source code.) If you rely on the secrecy of a large amount of information for security, you are insecure.
   - Finally, the GPL and LGPL do not require the distribution of source-code changes unless you distribute binaries. It would be perfectly legal for the U.S. government (or anyone else) to modify GPL-licensed software for its own internal use, providing it did not distribute modified binaries. Therefore, the author of the M Study has an unjustifiable fear of those licenses.


The Patriotism Card

In his final paragraph to me, Mr. Brown plays the patriotism card:

Microsoft and people's hate for Microsoft is irrelevant. True patriots will come to grips with the reality that really bad people want more information about our nation's computer systems; and giving bad people indiscreetly any information about our systems is reckless.

I am Canadian, not American, but I have family and friends in the United States, and I am naturally concerned for the security of both of our countries. Therefore, I see it as an act of patriotism to speak out against political interference in the software-selection process, and to speak out against the M Study. If the M Study were to hamper the use of open-source software in security-sensitive situations, we could be beset by a host of security problems.

A Note on Research

I am a fairly busy owner of a small business and the father of two small children. I put this article together in a few hours based on my own knowledge and some Internet searching. Imagine how much better a well-funded think-tank full of Ph.Ds (or, better yet, MCSEs) could do.
********************
Sydney Morning Herald
Email containing royal visit details goes astray


An email containing secret details of a visit to Poland by Britain's Prince Charles was mistakenly sent to a businessman, according to a report in The Times of London yesterday.

The email was said to contain details of where Charles would stay and the cars he would use.

The Foreign Office has admitted this was true, according to reports at Yahoo!

A Foreign Office spokeswoman said "it was an unfortunate leak."

"We take the Prince of Wales' security very seriously and in light of this incident we are taking steps to ensure email procedures are carefully followed," she said.

Charles leaves for a private visit to Poland on Wednesday.
********************
Peoples Daily  China
China on Alert for 'Chinese Hacker' Virus

A warning has been issued about a seemingly destructive computer virus that is reportedly spreading quickly through intranets. It has been temporarily named "Chinese Hacker" because it appears to be the work of a Chinese author.

Beijing Rising Technology Co., Ltd issued the urgent warning on June 7 about the newly found virus.

Rising's global computer virus supervision and control center captured the virus on June 6.

According to Rising anti-virus engineers, the virus spreads through e-mail and is capable of starting up by itself.

Once clicked in the Outlook mail system, the virus copies itself into the Windows system32 directory under the name Runouse.exe and then starts the file immediately.

As soon as it enters one computer on an intranet, the virus automatically searches for shared folders within the workgroup and creates ".eml" files named after the infected computer, eventually infecting every computer on the intranet.

The virus spreads very fast, loads itself into the computer's memory, and cannot be removed by ordinary anti-virus software, according to Rising.

Rising engineers believe this is a rare "intellectual" virus written by Chinese authors, following "Win32.WantJob", and that it is as malicious as imported viruses such as "Nimda" and "Red Code".

The captured virus is only an early version with no destructive program attached, Rising said.

But the program is ready and would be very dangerous once a destructive program is attached, according to the company.



By PD Online Staff Member Li Heng
*******************
Wired News
Going After Tech, Not Tech Users

Cari Burstein likes television. It's the commercials she hates.

So when Sonicblue began selling its ReplayTV 2020 digital video recorder (DVR) in 1999, she bought one. The set-top box, a souped-up VCR that allows people to instantly skip forward 30 seconds, was the ideal solution for her.

It's all fine and dandy too, except for one little problem.

According to the entertainment industry, Burstein and millions of consumers like her using computer-driven technology to watch movies, listen to music, and share their experiences with friends around the globe are thieves.

Not that Burstein's going to jail, or facing a hefty $150,000 copyright infringement fine. Movie studios and record labels can't afford to sue their customers.

But the entertainment industry may yet get its wish and stop Burstein -- and everyone else -- from enjoying options such as skipping commercials or e-mailing shows to her friends, says the Electronic Frontier Foundation.

Instead of suing people, these big corporations are going after the technology companies -- like SonicBlue -- which make the devices consumers use to tape shows, rip CDs, and trade files.

"These (entertainment) companies are adjudicating what your rights are as a consumer," said Fred von Lohmann, EFF senior staff attorney. "If they win, you lose your fair use rights without ever having your day in court because you don't have tools to do what might have been a fair use. This would be copyright owners' way to get around the fair use laws."

So the EFF gathered up a handful of consumers who use ReplayTVs, went to a judge in Southern California, and asked the court to clarify whether people like Burstein are breaking the law. The goal of the suit, which should heat up later this summer, is to remove the threat of legal action against companies that create new consumer technologies.

"If we win, then we've pushed the poles out and companies like ReplayTV get to build devices up to the line where consumers agree are fair use," said von Lohmann. "Listen, making an MP3 of a CD you already own ought to be legal, but there is nothing on the books that says that is legal. Same with skipping commercials. That's a bad situation."

Wednesday's suit came in response to three lawsuits filed last November by the major movie studios, represented by the Motion Picture Association of America trade organization, along with the television and media conglomerates. The claim alleges the ReplayTV DVR would wipe out the advertising market that drives the entertainment industry.

The three suits want to remove ReplayTV from the shelves, while disabling the thousands of set-top boxes already on the market.

Lost in the shuffle of the lawsuits are Cari Burstein and her husband Mike. They own both a ReplayTV and a Tivo, which turned television viewing into a more pleasurable experience because they were no longer tied to the rigid TV schedule.

"I watch more television than I used to, although I don't channel surf," said Burstein. "I loved Daria, the cartoon on MTV, but the network would run the shows at such weird times that I'd never have seen it. Now, my box just goes out and finds the shows and I've never missed an episode, which is something I wouldn't have done with a VCR."

Consumer happiness has had little effect on the entertainment industry, which has recently begun adding digital rights management to its releases, limiting how and where people can use their files.

Michael McKay ended up buying a DVD player in his house that came with copy-protection software that prevented him from watching and listening to some legally purchased entertainment since the software doesn't work with every stereo or DVD player.

"DVD copy protection was snuck into my home," McKay wrote in an e-mail. "I'm now aware and enraged enough that it won't happen again. The only way I'm paying for a product with DRM is if it offers two or three orders of magnitude improvement (either better, cheaper, or more convenient, whatever) than what we currently have."

Consumers' rights have been indirectly under attack for some time, said von Lohmann. The Recording Industry Association of America, the music industry trade group, tried to scuttle Diamond Multimedia's sale of the first portable MP3 player in 1998, suing the company for violating copyright law.

Today, millions of portable players saturate the marketplace. Of course, if DRM continues to proliferate, McKay's home experience could soon be replicated by anyone with a portable player as well.

The reason for all the security and lawsuits is simple economics. The movie and music industries brought in $23 billion collectively last year. Neither wants to turn its profits over to pirates who make their living off selling other people's work. SonicBlue's DVR -- like Diamond's portable music player -- represents a perceived threat to their livelihood.

The entertainment industry has tossed out doomsday predictions before. From the days of the player-piano rolls -- which would surely destroy sheet music -- to the rising popularity of digital entertainment, the refrain has been the same.

In 1982, MPAA president Jack Valenti said the VCR would destroy the movie and television industries by allowing people to record movies and shows, sharing them with their friends and skipping commercials. One year later, Alan Greenspan predicted home taping would bring about the end of the music industry.
*******************
NewsFactor Network
Adaptive Web Systems and Teachable Search Engines


A few weeks back in this space, I got to riffing on adaptive Web systems -- information architectures that deliver a customized user experience. Specifically, what I proposed was a search engine that was, for lack of a better word, teachable.

For the full story, see http://www.newsfactor.com/perl/story/18128.html
********************
NewsFactor Network
Report: Device Makers Hold Keys to Home Networking

While the home-networking market has focused primarily on technology providers as the driving force behind establishing integrated residential IT systems, service providers and device makers hold the keys to expanding this emerging market. For the full story, see: http://www.newsfactor.com/perl/story/18083.html
********************
NewsFactor Network
June 4, 2002
Ultimate Computer Security Devices


Biometrics have long been the basis of the ultimate security technologies in science fiction -- but can these safeguards, which rely on fingerprints, eyeballs and other personal traits to authenticate users, really secure the enterprise? For the full story, see: http://www.newsfactor.com/perl/story/18052.html
********************


Lillie Coney
Public Policy Coordinator
U.S. Association for Computing Machinery
Suite 510
2120 L Street, NW
Washington, D.C. 20037
202-478-6124
lillie.coney@xxxxxxx