Clips September 19, 2002
- To: "Lillie Coney":;, Gene Spafford <spaf@xxxxxxxxxxxxxxxxx>;, John White <white@xxxxxxxxxx>;, Jeff Grove <jeff_grove@xxxxxxx>;, goodman@xxxxxxxxxxxxx;, David Farber <dave@xxxxxxxxxx>;, glee@xxxxxxxxxxxxx;, Andrew Grosso<Agrosso@xxxxxxxxxxxxxxxx>;, ver@xxxxxxxxx;, lillie.coney@xxxxxxx;, v_gold@xxxxxxx;, harsha@xxxxxxx;, KathrynKL@xxxxxxx;, akuadc@xxxxxxxxxxx;, computer_security_day@xxxxxxx;, waspray@xxxxxxxxxxx;
- Subject: Clips September 19, 2002
- From: Lillie Coney <lillie.coney@xxxxxxx>
- Date: Thu, 19 Sep 2002 10:12:20 -0400
ARTICLES
US Groups Urge China Crackdown on Product Piracy
HAGAN ALLOWED TO KEEP HIS DUCK
Online 'Smiley Face' :-) Turns 20
New system keeps phone lines open
Four agencies achieve interoperable PKI
White House balks at Senate confirmation for e-gov chief
Cybersecurity Draft Plan Soft on Business, Observers Say
Computer attacks by insiders deemed most dangerous
Withdrawing Into Our Cells [Cellphones]
A Gathering of Big Crypto Brains
Can Bon Jovi Foil the Pirates?
Programmer charged under anti-terror law
*****************************
Reuters
US Groups Urge China Crackdown on Product Piracy
Wed Sep 18, 3:28 PM ET
Doug Palmer
WASHINGTON (Reuters) - U.S. entertainment companies, software developers,
book publishers and drug manufacturers told the Bush administration on
Wednesday that China's poor enforcement of laws against copying their
products was costing them billions of dollars a year.
Eric Smith, president of the International Intellectual Property Alliance,
said Chinese penalties were too weak to discourage widespread piracy of
music CDs, movie DVDs and other copyrighted goods.
"Until China wakens to the reality that it must move criminally against
pirates with significant deterrent penalties ... we do not see China's
piracy rates dropping significantly, as has happened in other countries in
the region," Smith told an interagency panel.
Piracy levels in most of the copyright sectors in China are around 90
percent, costing foreign firms $1.9 billion in losses annually, he said.
Unless Beijing takes dramatic steps soon to thwart piracy, "trading
partners will have no other choice but to challenge (China) under the WTO,"
he said.
Smith was one of about a dozen industry representatives to testify before
the panel at a hearing to assess how well China has honored its commitments
since joining the World Trade Organization in December
2001.
In what will be an annual exercise for years to come, the Bush
administration must submit its own report card on China's performance to
Congress by Dec. 11.
US SEES SOME BACKSLIDING
Wendy Cutler, assistant U.S. trade representative for North Asian affairs,
opened the hearing by saying China had made progress in a number of areas,
such as reducing tariffs on industrial and agricultural goods and
increasing opportunities for foreign firms to compete in its services sector.
However, "progress has not always been as smooth or as evident as we had
hoped," Cutler said. "We also recognize in some areas there has been
evidence of backsliding as well."
Robert Kapp, president of the U.S.-China Business Council, told the
administration officials that China has compiled a mixed, but generally
positive, record so far.
"I see the glass more than half full," he said.
While China has adopted a host of laws and regulations to implement its
commitments, there have been signs of continuing discrimination against
foreign goods and services, he said.
If that discrimination persisted in 2003, it "would be a matter of real
concern," he said. "I think the second year (of implementation) is
extremely important."
Joseph Damond, associate vice president of the Pharmaceutical Research and
Manufacturers Association, said the industry conservatively estimated
counterfeit drugs cost U.S. companies about 10-15 percent of annual revenue
in China.
He also warned that the increasing supply of counterfeit drugs was "a
disaster waiting to happen" because of the potential for them to cause
illness and death.
Many of the industry witnesses said Beijing needed to establish a central
agency with final authority over implementation of its WTO commitments.
They complained that bureaucratic infighting had undermined the ability of
China's Ministry of Foreign Trade and Economic Cooperation (MOFTEC) to
ensure implementation.
************************
The Columbus Dispatch
HAGAN ALLOWED TO KEEP HIS DUCK
Wednesday, September 18, 2002
Timothy F. Hagan's noisy, irreverent duck remains afloat on the Internet --
for the time being.
The Democratic gubernatorial candidate's third "TaftQuack.com'' ad, mocking
Republican Gov. Bob Taft, popped onto the Internet yesterday, just hours
before U.S. District Court Judge Kathleen O'Malley denied American Family
Life Assurance Co.'s motion that the duck be plucked from Hagan's Web site.
"TaftQuack 1, AFLAC 0,'' Hagan adviser Gerald J. Austin quipped after a
hearing in Cleveland federal court.
O'Malley, who served as chief of staff for ex-Attorney General Lee Fisher,
a Democrat, set an Oct. 10 hearing in AFLAC vs. TaftQuack.
In refusing to issue a temporary restraining order, O'Malley indicated that
Hagan's ad did not constitute copyright infringement, as AFLAC alleged,
because it is protected political speech and is not for commercial gain.
The Georgia insurer wanted Hagan to change the color, the sound and the
"nasality'' of Hagan's TaftQuack character.
Hagan's campaign countersued yesterday in federal court, claiming that
AFLAC is violating his First Amendment rights.
The new three-minute, 10-second ad mixes TaftQuack -- a character with
Taft's head and a duck's wings and bill -- with footage of Hagan slamming
Taft's record in office. It cost about $5,000 to produce.
"You've got to be kidding,'' Hagan said in the ad. "Ohio is in trouble. We
are the seventh most populous state, but we rank 48th of 50 in the
development of new businesses and last in the Midwest in median household
income, the percentage of college graduates and family poverty. That's Bob
Taft's legacy.''
Taft spokesman Orest Holubec would not comment on the court action, but
said the Taft campaign is "pleased our opponent is playing our entire
campaign commercial in his Internet ad.''
Taft's campaign Web site is www.GovernorTaft.com; Hagan's is www.taftquack.com.
Hagan said his ads have attracted more than 500,000 hits by Internet users.
He jumped to the Internet because he lacked the campaign cash to advertise
on television. But yesterday, he indicated for the first time that he might
be on the tube in the 10 days before the Nov. 5 election.
Hagan said his fund-raising has picked up recently -- $275,000 was raised
last week during former President Clinton's Cleveland visit -- and might
help pay for a television commercial featuring a team of Democratic
candidates. He offered no details.
At a Statehouse news conference earlier yesterday, Hagan fielded questions
on a number of topics, including proposals to allow law-abiding Ohioans to
carry concealed weapons.
Hagan said he strongly opposes a concealed-carry bill pending in the Ohio
General Assembly.
But he said he would consider such a law if it contained satisfactory
restrictions. Hagan cited similar laws in New York and Pennsylvania.
Holubec accused the Democrat of flip-flopping on the weapons issue. He said
Hagan originally opposed concealed-carry, but waffled during a recent
appearance at the Glandorf Rod and Gun Club in Putnam County, where he
indicated he might sign a law with acceptable restrictions.
"It seems that candidate Hagan is trying to have it both ways,'' Holubec said.
Taft has consistently opposed a concealed-carry law unless it has the
support of law enforcement. Thus far, that has not happened.
ajohnson@xxxxxxxxxxxx
************************
News.com
SparkList confirms e-mail address theft
By Steven Musil
September 18, 2002, 7:30 PM PT
E-mail management company SparkList.com has confirmed that customer e-mail
addresses were stolen from its database, allowing some customers' mailing
lists to be bombarded with spam.
An internal investigation into complaints about spam revealed that the
lists were compromised in March, SparkList COO Steven Brown said in an
e-mail to clients on Tuesday.
"This incident does not appear to be a technical, widespread compromise of
SparkList servers, due to the fact that most lists were not compromised,"
Brown said.
SparkList, which was acquired by Lyris Technologies in August, said it
suspected former employees were responsible for the theft of addresses
because only a small portion of the database was compromised. "An outside
entity would not limit itself to a small subset of the addresses
available," Brown said.
After the acquisition, Lyris hired only three of SparkList's 20 to 25
employees, Brown had said previously.
SparkList said the organization sending the spam was a "well-known spammer"
and that it was exploring its legal options in relation to anti-spam laws.
It also said it was assisting law enforcement officials in the investigation.
The company hired Word to the Wise, an outside consulting firm, to
investigate the matter after current and former Lyris customers complained
last week that recipients of their e-mail newsletters have been receiving
spam.
SparkList executives were not immediately available for comment.
Security vulnerabilities on the Web are not a new thing. A hack at
Amazon.com-owned Bibliofind last year compromised nearly 100,000 customer
records, including credit card numbers. A security breach at Egghead
temporarily exposed 3.7 million of its customer records in
late 2000.
Spam, or unsolicited e-mail, has been overwhelming the servers and in-boxes
of many Net users, forcing some companies and organizations to take drastic
measures to block it. In August, Yahoo found its stores site blacklisted by
Mail Abuse Prevention System, an organization whose lists of suspected
spammers are used by other companies to block Web or e-mail access.
***************************
Reuters
Online 'Smiley Face' :-) Turns 20
Thu Sep 19, 12:58 AM ET
By Andy Sullivan
WASHINGTON (Reuters) - It was 20 years ago today that Scott Fahlman taught
the 'Net how to smile.
The IBM researcher has devoted his professional life to artificial
intelligence, the practice of teaching computers how to think like humans.
Fahlman is known for his work with neural networks -- a computer technique
designed to mimic the human brain -- and helping develop Common Lisp, a
computer language that uses symbols instead of numbers, but the bearded
scientist is perhaps best known for a flash of inspiration that helped to
define Internet culture, in all of its ungrammatical glory.
On Sept. 19, 1982, Fahlman typed :-) in an online message.
The "smiley face" has since become a staple of online communication,
allowing 12-year-old girls and corporate lawyers alike to punctuate their
messages with a quick symbol that says, "Hey, I'm only joking."
Fahlman's innovation has since inspired countless other "emoticons" like
;-) to signify a wink or :-0 to show surprise.
"I've certainly spent 10 times as much time talking with people about it as
I did coming up with it in the first place," Fahlman said from his
Pittsburgh home. "Hopefully my actual research career will add up to more
in the long run."
In the early 1980s, computer networks were rarely found outside university
science departments and secretive government facilities.
But even then, discussions on primitive online "bulletin boards" could
quickly turn nasty when touchy users misinterpreted remarks meant to be
taken lightly.
After a particularly tangled joke about mercury contamination in an
elevator, users of a Carnegie Mellon University bulletin board proposed a
variety of markers for humorous comments, including *, %, &, (#) and \__/.
Fahlman suggested :-), along with the admonition to "read it sideways."
Before long, other bulletin board users were placing the smiley face in
their messages. The practice spread as Internet users found the symbol
useful as a rough approximation of a twinkle in the eye.
A FEW FROWNS
Predictably, the smiley face encountered a few frowns as the online
population exploded.
"Humans have managed to communicate with the written word for thousands of
years without strewing crudely fashioned ideograms across their parchments.
It is as if the written word were a cutting-edge technology without useful
precedents," groused Neal Stephenson in the New Republic in 1993.
Fahlman stands by his creation. "If Shakespeare were tossing off a quick
note complaining about the lack of employee parking spaces near the Globe
Theater, he might have produced the same kind of sloppy prose that the rest
of us do," Fahlman writes on his Web site.
Yahoo!, Microsoft and America Online all incorporate emoticons into their
instant-messaging systems, while telecom firms, jewelry makers and online
retailers have filed trademark applications for products and slogans that
incorporate Fahlman's smiley face.
But Fahlman has never seen a dime from his creation.
"If it cost people a nickel to use it, nobody would have used it. This is
my little gift to the world, for better or worse," he said.
**************************
Federal Computer Week
Cyber strategy: A starting point
BY Diane Frank
Sept. 18, 2002
The National Strategy to Secure Cyberspace that the Bush administration
released today is a draft -- a roadmap that will become more detailed as
comments are returned and expertise evolves within government and the
private sector, according to the document.
Parts of the draft strategy, developed by the Critical Infrastructure
Protection Board in cooperation with the private sector, are more detailed
than others. Recommendations for the federal government sector include:
* That the CIO Council and relevant agencies consider creating a
"cyberspace academy" to link federal cybersecurity and computer forensics
training programs.
* That the Office of Management and Budget establish an Office of
Information Security Support Services within the proposed Homeland Security
Department to pool security resources from across government to support
smaller and less-experienced agencies.
* That the government examine the idea of certifying private-sector
security providers, based on the certifications being performed by the
national security community. This could lead to limiting contract awards
for security services to certified companies.
The Critical Infrastructure Protection Board executive branch Information
Systems Security Committee, the Office of Federal Procurement Policy and
the Federal Acquisition Regulation Council are also examining how to
improve security in the systems and solutions that agencies procure from
vendors. They are reviewing the National Infrastructure Assurance Program's
security accreditation process -- as well as its mandated implementation at
the Defense Department -- to determine the possible impact of extending the
DOD requirement to civilian agencies.
"The federal government recognizes that past efforts such as this have
failed, but believes that the heightened level of government and consumer
concerns over significant flaws in information technology products warrants
renewed efforts," the draft states.
That review will be completed by the fourth quarter of fiscal 2003.
The committee also plans to examine the viability of establishing uniform
security practices for different categories of programs and services,
falling into high, medium and low levels of risk.
The draft also includes recommendations developed by and for industry and
academia, including:
* That Internet service providers should consider adopting a "code of
conduct" governing their security practices and interactions.
* That colleges and universities should enhance their security capabilities
by considering the establishment of one or more information sharing and
analysis centers, empowering their chief information officers, adopting
best practices, and creating model awareness and training materials.
The entire draft strategy is available online at www.securecyberspace.gov,
and the board is asking for comment through that Web site by Nov. 18. The
board also plans to hold eight more town hall-style meetings across the
country to solicit comment and reaction. All of that information will be
incorporated into the draft to create a complete strategy that will be
approved by President Bush.
*************************
Federal Computer Week
New system keeps phone lines open
BY Dibya Sarkar
Sept. 18, 2002
The devastation that followed the terrorist attacks on the World Trade
Center a year ago included severe disruptions of telephone network systems
that choked wireless and landline calls among individuals, companies and
first responders.
Now, Ascendent Telecommunications Inc. has developed a system that mirrors
an organization's telephone network system, enabling seamless
communications in case of outages and disruptions, even if part of the
system is destroyed.
The company's new Continuity of Government solution -- called
AscendentCOG -- is a derivative of its core technology and allows individuals
to perform desktop telephone functions from wireless remote devices,
whether cellular, satellite, or voice over IP, said Stephen Forte,
co-founder and chief executive officer of the 9-year-old Los Angeles-based
company.
"The idea is people would need to communicate using the same methods
they're used to ... and allow them to continue their operations and address the
recovery crisis," he said.
The way it works, he said, is that an AscendentCOG server is integrated
into an agency's private branch exchange (PBX) or Centrex switch. When a
call is received, the COG server acts like a redundant system to the PBX
network. If something happens to the PBX, the COG will take over so that
people can still make and receive calls to their office phones by using
wireless remote devices.
But the technology also goes a step further.
Forte said if the core facility was completely destroyed, a recovery
server, located in a remote facility, would be updated in real time with
a replica of the dial plan from the COG up to the point of outage. Calls
coming from the public switched telephone network would automatically be
re-routed to the recovery server, which routes the calls to satellites and
the Internet.
The new system also has a roll call feature enabling one person to send
interactive notifications via voice, e-mail or short messaging service to
an entire company if need be, said Forte, eliminating the phone tree system
of people calling people. Those receiving the message can then enter some
type of response.
"If we send out 5,000 notifications and we get 4,500 replies, we now know
there are 500 people to account for still," he said. "This happens in
minutes rather than hours."
The system is also extending the Defense Department's Multi Level
Precedence and Preemption classification to wireless devices. For example,
during a crisis, a senior military official, who is getting a busy phone
signal, can enter a code signaling one of the parties to terminate the
conversation or simply break into the call.
But he said the new system shouldn't be considered an "insurance policy. We
can perform a massive service to any enterprise in the form of continuity,
but have a product that can add to the day-to-day return on investment," he
said.
The new technology has been so well received, Forte said, that its patent
is being accelerated through executive order. The company has installed the
system in several commercial enterprises but also in the U.S. Agency for
International Development and at a couple of Marine Corps and Army
installations.
Pricing depends on a government's size, and the new systems start at
$20,000 to $30,000, he said.
**************************
Government Computer News
Four agencies achieve interoperable PKI
By Dipka Bhambhani
After five years of work, the General Services Administration's Federal
Bridge Certification Authority has made the public-key infrastructures of
four agencies interoperable. For the first time in history, federal
agencies will accept each other's digital certificates through the bridge.
"That is where the rubber meets the road," said Judith Spencer, chairwoman
of the Federal PKI Steering Committee. "They can communicate in a trusted
fashion, verify each other's credentials in different trusted domains."
The bridge, part of the PKI Steering Committee and the Federal PKI Policy
Authority, is a collection of hardware, software, policies and procedures
that help make federal PKIs interoperable.
The Defense and Treasury departments, NASA and the Agriculture Department's
National Finance Center are the first four agencies to cross-certify and
accept one another's digital certificates.
"In a way, we've only just begun," Sandra Bates, commissioner of GSA's
Federal Technology Service, said at the FBCA Cross Certification Ceremony
today at the White House Conference Center.
It has been difficult getting consensus within DOD to do this, said R.
Michael Green, director of DOD's Public-Key Infrastructure Program
Management Office.
"We are honored to be amongst the four members in the bridge," he said.
"It's the end of the beginning," Spencer said. "We will cross-certify with
other entities."
So far, the GSA's Access Certificates for Electronic Services is set to
become part of the bridge. "That will automatically bring in the Social
Security Administration, the Environmental Protection Agency and the
Federal Emergency Management Agency" because those agencies use ACES
certificates, Spencer said.
The state of Illinois is finalizing its policy to become part of the bridge.
"We are excited about Illinois," said Mayi Canales, Treasury's acting CIO
and assistant deputy secretary for information systems. "Treasury touches
every citizen, business and government around."
There are other agencies that would like to be part of the bridge but don't
yet qualify, Spencer said. The Health and Human Services, Labor and
Veterans Affairs departments, Patent and Trademark Office and National
Institute of Standards and Technology are among them.
****************************
Government Executive
White House balks at Senate confirmation for e-gov chief
By Jason Peckenpaugh
jpeckenpaugh@xxxxxxxxxxx
The White House generally supports legislation that would create an
e-government chief's position at the Office of Management and Budget, but
Bush officials are balking at a provision that requires the official to be
confirmed by the Senate.
The legislation, known as the E-Government Act (H.R. 2458), passed the
Senate in June and is awaiting action in the House. Besides creating the
e-government position -- which mirrors the current role of Mark Forman,
assistant director for information technology and e-government at OMB -- the
measure also requires agencies to protect the privacy of citizens using
federal Web sites and reauthorizes the 2000 Government Information Security
Reform Act, which is set to expire Nov. 29.
OMB supports these measures, but opposes Senate confirmation for the
e-government chief, in part because of the lengthy confirmation process for
presidential appointees, said Mark Everson, deputy director for management
at OMB.
"We think it's time for executive branch officials to be able to get on the
job quicker," he said at a hearing of the House Government Reform
Subcommittee on Technology and Procurement Policy on Wednesday. "People
coming from the private sector are used to fast-moving change, not
six-month delays," he said.
When asked by a reporter if he would recommend that President Bush veto the
bill over the confirmation provision, Everson demurred. "I haven't thought
of that," he said. "But that's the one provision about which we're most
concerned."
Industry officials strongly urged the committee to create a position for a
federal chief information officer who would be capable of streamlining
duplicative IT systems at federal agencies. Roger Baker, a former CIO at
the Commerce Department who is now executive vice president at CACI
International, said Commerce spends an average of $7,000 each year in IT
support costs for every desktop computer at the department. Simply
consolidating the numerous help desks in the department into one
infrastructure could save more than $130 million annually, he said.
OMB has resisted creating a federal CIO with powers equal to the agency's
deputy director for management, but Forman has led an effort to crack down
on duplicative IT spending at agencies slated to move to the proposed
Homeland Security Department.
The e-government bill also provides a statutory foundation for the federal
Chief Information Officers Council, which is made up of agency CIOs. It
requires agencies to conduct "privacy impact assessments" before collecting
information from visitors to government Web sites, a technique that has
already been used by the Postal Service and Internal Revenue Service.
The bill also requires agencies to make sure that people without internet
access can still access government information. Roughly 46 percent of the
U.S. population was not using the internet in September 2001, according to
testimony from Linda Koontz, director of information management issues at
the General Accounting Office.
Rep. Tom Davis, R-Va., chair of the Technology and Procurement Policy
Subcommittee, praised the e-government bill but said he would look to add
measures to simplify information technology acquisition and improve IT
training for federal employees.
**************************
Government Executive
Foreign student tracking system may not be fully ready by January
By Kellie Lunney
klunney@xxxxxxxxxxx
The Immigration and Naturalization Service needs to properly train agency
employees and step up oversight of contractors if it hopes to fully
implement a new automated system for tracking foreign students living in
the United States by its January deadline, the Justice Department's
inspector general said Wednesday.
The INS has said its Student and Exchange Visitor Information System
(SEVIS) will be fully implemented by Jan. 30, but the IG and education
officials said there are not enough resources to get the system working
efficiently by that time.
"While SEVIS will be technically operational by that date, we have concerns
about whether the INS will be able to complete all the steps necessary to
ensure full and proper implementation by Jan. 30," Justice IG Glenn Fine
said at a hearing of the House Judiciary Subcommittee on Immigration,
Border Security and Claims.
"We are firmly on track to meet the January deadline," said Janis Sposato,
assistant deputy executive associate commissioner for INS' immigration
services division. "We are determined to meet that deadline."
SEVIS is designed to replace the paper-based system the agency now uses to
track foreign students in the United States, eliminating delays in
notification by informing all parties simultaneously once an INS decision
on a visa application is completed. Although the State Department is
responsible for issuing student visas to foreign students who want to study
in the United States, the INS must monitor each student's stay in the
country and determine which schools are eligible to accept foreign students.
About 900 schools are already using SEVIS. Under the system, when a foreign
student applies to enroll at a school, the institution enters the student's
information into the electronic system. Designated INS officials, school
officials, certain State Department employees and law enforcement
authorities will have access to SEVIS to monitor foreign students'
attendance records and other activities while they are studying in the
country.
In July, the INS published rules in the Federal Register allowing certain
accredited private and public schools that enroll foreign students to begin
using the system. All schools that enroll foreign students must be reviewed
and recertified by the agency by the end of January.
Sposato told the House panel that the agency would conduct on-site visits
to all schools enrolling foreign students to make sure the schools are
accredited and that school officials know how to use SEVIS. The agency has
also hired three contractors to conduct the investigations, she said.
But Fine said he is concerned about the INS' ability to adequately train
employees and oversee contractors conducting the visits. A May IG report
found that designated INS employees in four district offices were spending
only 20 percent or less of their time certifying and monitoring schools,
Fine said. He also said the looming deadline could lead to shoddy on-site
visits by contractors.
Sposato said the agency is trying to get the system up and running as
quickly as possible without sacrificing quality. She said the agency would
prioritize site visits, going first to schools whose accreditation
credentials might not be up to par with more established institutions. Some
schools, depending on their accreditation and reputation, will be able to
fully use the system before the contractor conducts an on-site investigation.
Catheryn Cotten, director of the international office at Duke University,
said Duke did not have enough staff to enter all the data about its foreign
students into SEVIS in time to meet the deadline. "We only have five people
working on that project," she said. Duke University, which participated in
the SEVIS pilot program, has more than 1,200 foreign students and 1,000
foreign professors and researchers.
Sposato said to meet the Jan. 30 deadline, schools only need to worry about
entering information about new foreign students into the system. She said
the agency expects it will take the better part of the year for schools to
enter data about students continuing their education.
Cotten and Fine both praised the INS for the progress it has made so far to
work out the kinks in SEVIS and get the system up and running quickly, but
said the lack of training and guidance from the agency worries them.
"Unless the INS devotes sufficient resources and effort to implement and
use SEVIS effectively, many of its current problems in tracking and
monitoring foreign students who come to the United States to attend school
would continue to exist," Fine said.
***************************
Computerworld
White House cyberdefense plan gets mixed reaction
By DAN VERTON
SEPTEMBER 18, 2002
The White House's National Strategy to Secure Cyberspace, released today in
draft form, was barely two hours old when many private-sector experts were
suggesting dentures to replace the teeth that had been ripped from its pages.
"Anything that could have made a difference was removed at the last
minute," said the president of a major security consulting firm who
requested anonymity.
While most of those present at the unveiling ceremony today at Stanford
University applauded the government's effort to raise awareness of security
issues, and its willingness to take a leadership role, many were surprised
by the lack of tough enforcement language in the document. In fact, many
private-sector experts and a White House source acknowledged that major
changes, such as the removal of "politically sensitive language," were made
to the plan in the last 24 hours of preparation.
"What happened here?" asked Wyatt Starnes, CEO of Tripwire Inc., a
Portland, Ore.-based global IT security company. "We thought we were going
to get something concrete. They probably underestimated the politics."
For example, although the strategy calls on corporate CEOs to establish
enterprise security councils to integrate cybersecurity, physical security
and privacy into their daily operations -- and urges major Internet service
providers to adopt a "code of good conduct" governing their cybersecurity
operations -- real change in the private sector remains voluntary.
Russ Cooper, surgeon general of TruSecure Corp. in Herndon, Va., is not
happy with the strategy as it currently exists. In particular, Cooper said
the administration has removed language that would have offered a
definition of liability and an assignment of responsibility for Internet
security.
"It's time that the government mandates some action be taken," said Cooper.
"I'd like to see ISPs be told that it is illegal to carry identified
Internet attack traffic. But I don't see anything similar or at that level
in what they're proposing."
James Lewis, director of the Council on Technology and Public Policy at the
Center for Strategic and International Studies in Washington, agreed that
linking real change in cybersecurity to a voluntary system can't work in
the long run. "The administration hopes market-driven solutions, rather
than new regulations, will be enough for security," said Lewis.
"The report has many good ideas, but cybersecurity is too tough a problem
for a solely voluntary approach to fix," he said. "Companies will only
change their behavior when there are both market forces and legislation
that cover security failures."
Despite the disappointment voiced by some, others said they view the
strategy as a critical starting point that includes examples of solid
government leadership.
"You have to look at this as a good starting point," said Scott Crenshaw,
vice president of business development at NTRU Cryptosystems Inc., a
security firm in Burlington, Mass. "For example, the section on assessment
of current gaps and weaknesses in the private sector is particularly
strong. If this document raises awareness of those issues, it will have
served us well."
Scott Charney, chief security strategist at Microsoft Corp., also applauded
the strategy as a critical starting point. "It's really important to get
the vision piece right," said Charney. "People need time to sit down with
the document to debate the pros and cons." He was referring to the
two-month review period before the final version is sent to the president
for approval. All reasonable recommendations will have an impact on the
shape and direction of the strategy, he said.
That may have been part of the plan all along, said a business executive
who requested anonymity. It could very well be that releasing the strategy
in draft form was a calculated move by Richard Clarke, chairman of the
president's Critical Infrastructure Protection Board, to gauge the reaction
of the private sector and determine if there is enough political support to
put real teeth into the recommendations, the executive said.
Clarke is very skilled at dealing with both the government and private
sector, said Gene Hodges, CEO of Network Associates Inc. "Richard [Clarke]
is walking a fine line between patting people on the back and kicking them
in the butt," he said.
**************************
Washington Post
Cybersecurity Draft Plan Soft on Business, Observers Say
By Brian Krebs
washingtonpost.com Staff Writer
Thursday, September 19, 2002; 12:00 AM
The Bush administration's draft cybersecurity plan offers plenty of
recommendations for how home users should protect their systems, but
critics say intense lobbying from the high-tech industry has pulled nearly
all the teeth from the plan when it comes to steps the technology industry
should take.
The White House strategy, unveiled Wednesday at a Stanford University
gathering attended by government and industry leaders, omits several
recommendations contained in earlier drafts that prompt industry to take
more responsibility for Internet security. For example, cut from the plan
were proposals to ask technology companies to contribute to a security
research fund and for Internet service providers to bundle firewall and
other security technology with their service.
White House cybersecurity adviser Richard Clarke said the changes were made
in the hopes that the IT industry would adopt the recommendations
voluntarily, instead of being forced to adapt to more government regulation.
Critics say that the result is a draft that asks consumers to shoulder too
much responsibility for improving the nation's cybersecurity posture.
"Consumers aren't likely to pay attention to Clarke or this effort, and to
rely on them is flawed," said Russ Cooper, an executive with Reston-based
TruSecure Corp. "Most consumers didn't buy a computer to become geeks. The
majority of them are still trying to learn how to buy things from eBay."
Alan Paller, research director of the SANS Institute, said industry has not
stepped up to do its part.
"They're whining, and that resonates with an administration that is
business-oriented," he said. "As long as this can be done in smoke-filled
rooms, then industrial pressure can continue to affect national policy."
But Paller said he believes the 60-day public comment period will help to
show who has worked hardest to weaken the plan.
"The whiners will now have a spotlight shone on them," he said.
The Bush administration's approach to winning cooperation from the private
sector is loosely based on the model put in place during the Clinton
administration to prepare critical computer systems for the Y2K rollover.
In that effort, the federal government took the lead in fixing its own
systems, built an effective information-sharing network with the private
sector, and gave companies an incentive to ready their own systems for the
date turnover.
But in a departure from the Y2K approach, people involved in assembling
early drafts of the Bush administration's cybersecurity plan say Clarke's
team failed to circulate their recommendations among the industry officials
who were originally solicited for input. When industry insiders saw what
was to be a final strategy, many balked, prompting the administration to
cut key recommendations.
The only concrete proposals left in Wednesday's version of the report
appear to be for the government, said Bill Conner, president and CEO of
Entrust Inc.
"It looks as though a PhD wrote the government items, but it reads like
someone a year out of grade school wrote the rest of the plan," he said.
Conner added that the Y2K model fails in today's environment because
companies no longer have money to throw at security risks as they did
before 2000.
"It's not enough to just upgrade their infrastructure, because we're in
different economic times today," he said. "Now more than ever the
administration needs to prove why this makes good business sense for
companies."
The administration may need to do more than just worry about how its
recommendations could affect bottom lines in the business world. As
officials have discovered, corporations don't want to approve anything that
might put them on the legal hot seat as well.
Since last year's terrorist attacks, the White House has stepped up an
aggressive outreach effort to the companies that control 90 percent of the
nation's critical infrastructures in an attempt to convince them to share
information on vulnerabilities and attacks with the federal government. The
majority of more than 80 recommendations in the latest cybersecurity draft
are aimed at improving communication between the two sectors in order to
prevent and respond to major cyberattacks.
Yet, many companies remain reluctant to share such information for fear of
being sued by shareholders or customers when they report flaws.
"Industry does not want to head down the road of tort liability," said Jim
Dempsey, deputy director of the Center for Democracy and Technology. "This
has produced for the administration a sort of policy paralysis."
Bruce Schneier, chief technology officer and co-founder of Counterpane
Internet Security, said that without liability and disclosure requirements,
the administration's plan will have "absolutely zero effect."
"You really have to ask why CEOs would bother to follow any of these
recommendations, particularly at a time when most companies' earnings are
down 20 percent," Schneier said. "The fact is, companies aren't rewarded
for altruism; they're rewarded by the strength of their stock price."
TruSecure's Cooper said Internet service providers and technology
manufacturers will improve their security practices and the integrity of
their products only when they are held liable for failing to do so.
"From the looks of what's happening, what we'll get in 60 days will be even
more watered down and with less teeth," he said.
Phil Lacombe, senior vice president for cyberassurance at Arlington-based
systems integrator Veridian Inc., said that sharing threat information
between the private sector and government raises "a number of very tricky
issues ... and in that regard it is a wise idea to get industry's input on
the actual wording."
But many business groups - particularly security outfits that cater to
large entities like the federal government - hailed the latest draft as a
step in the right direction.
"The more aggressive the federal government is in deploying these
recommendations the greater likelihood there will be a bleed-through to the
larger Internet and e-commerce community," said Michael Aisenberg, director
of public policy for VeriSign, a company that sells digital authentication
technology.
Christopher G. Caine, vice president of governmental affairs for IBM,
praised the administration for putting the strategy out for further
scrutiny, but said those expecting a quick fix from the White House should
not hold their breath.
"I think the administration is trying to find a balance, one that allows
for progress to be made in a complex area that involves private and public
sector organizations that are at very different stages of IT use and
implementation," Caine said. "It's like Y2K without the clock, and I think
we all have to understand that cybersecurity is a continuing process, not a
thing you do and get done with."
**************************
USA Today
Computer attacks by insiders deemed most dangerous
By Julie Moran Alterio, Gannett News Service
Strange things began to happen at AskIt.com in February.
The e-mail servers of the Manhattan computer consulting company were
flooded with thousands of messages containing pornographic images.
Some customers calling into the voice mail system were directed to a
telephone sex service.
What caused the chaos? Computer virus? Software bug?
Nope. The man arrested in the case was the former chief technology officer.
He had a beef with the company over severance and used his
behind-the-scenes knowledge to get retribution, according to the U.S.
Attorney for the Southern District of New York.
It isn't every day that computer experts turn against their employers, but
when they do the results can be devastating.
"The attacks that are most damaging are from the insiders because an
insider knows where the weak points are and then goes after them," said
Sushil Jajodia, founding editor of the Journal of Computer Security and
director of the Center for Secure Information Systems at George Mason
University in Fairfax, Va.
Computer administrators have authorization to change passwords and can lock
a company out of its own system. They can access sensitive files. They can
even delete software vital to the business, which is what happened at Omega
Engineering in 1996.
Earlier this year, a former computer network administrator was sentenced to
41 months in prison for setting a "time bomb" that permanently deleted all
of the company's sophisticated manufacturing software programs. The attack
cost the company $10 million.
While teen hackers break into systems for the thrill, insiders attack for
revenge, said Donald K. Stern, partner in the litigation area at Bingham
McCutchen and former U.S. attorney for the District of Massachusetts.
"People sometimes think the only risk comes from the outside, when another
threat might be the employee they fired yesterday or the consultant whose
contract was terminated," he said.
After Sept. 11, worries about computer security mostly highlighted the risk
of an outsider hacking into the networks that power electricity or transmit
financial data. But experts warn that disgruntled employees are vulnerable
to recruitment by business rivals, foreign governments, even terrorists.
"Even a low-level employee could pass on information about network
security," Stern said.
Though computer attacks are a crime, many perpetrators don't see themselves
as criminals. People who wouldn't dream of embezzling money feel free to
send threatening e-mail or throw a virtual wrench in the computer works.
"There is a sense of anonymity with hacking which emboldens people to do
things indirectly through the computer that they wouldn't do directly,"
Stern said.
Companies often choose not to call in law enforcement because they want to
avoid bad publicity, Stern said. As a result, insider attacks don't get as
much attention in the news as computer virus outbreaks. Less attention
means less is being done to prevent insiders from causing mayhem.
Though there's plenty of firewall and antivirus software out there to ward
off attacks by outsiders, the techniques that prevent insider attacks are
less refined.
"This is one of those hard problems, and not a lot has been done here,"
said Joe Giordano, technical adviser for the Defensive Information Warfare
Branch at the Air Force Research Laboratory in Rome, N.Y., one of the few
government agencies looking at the problem.
One of the best ways to prevent employees from causing harm is to limit
access to just the programs and data they need to do their job. An
administrative assistant at a bank, for example, probably doesn't need
access to credit card records.
That solution only works if the system monitors behavior to detect what's
out of bounds. An employee who normally uses just a word processor and
spreadsheet, for example, would be flagged if he or she opened a different
program.
"That is good in theory, but you still have false alarm rates that are too
high," Giordano said.
After all, people might legitimately need to use different programs from
time to time. This strategy is even harder to employ with computer
administrators, who have vast areas of permission.
Monitoring every employee's activity at a large organization is a big job,
said Bob Blakley, chief scientist for security and privacy for IBM Tivoli
Software. "The sheer amount of stuff that goes on in a big, complicated
system requires you to do a lot of data collection," Blakley said.
But companies aren't always willing to pay for the technology. "They don't
really know how much real, honest-to-God, quantifiable business loss they
are suffering," Blakley said.
****************************
Los Angeles Times
Withdrawing Into Our Cells
Rampant use of mobile phones is affecting how we communicate--and fail
to--in our private and public lives
By MARTIN MILLER
September 19 2002
Wireless technology has made it easier than ever to learn more about a
perfect stranger's life. The task isn't accomplished through computer
wizardry or high-tech listening devices. It's nothing illegal, nothing
inappropriate--at least on your part. Nope. All you have to do is to walk
around in the 21st century in any industrialized nation in the world and
listen for "cell yell."
The condition afflicts cell phone users and can strike anywhere, any time,
but mostly seems to overcome people in crowded public places such as
restaurants, public transport and even the workplace. Under its sway, the
caller will speak in a voice at twice, maybe triple, the volume of a normal
conversation. And the things they talk about! Bounced checks, strange
rashes, lovers' spats.
Cell yell is just one of the many unanticipated consequences of a cell
phone planet. Its massive electronic tentacles are influencing more than
just our relationship with others, though it is doing precisely that, but
it's also changing our personal behavior in broad and subtle ways never
envisioned.
And more than anything, we are discovering just how far and wide mind and
body can be separated--because now we can be where we aren't, no matter
where we are.
"What it's done is to change our view of reality," asserts John Petersen,
founder and president of the Arlington Institute, a future-oriented think
tank in Arlington, Va. "You remember not so long ago when making a
long-distance phone call was a big deal? You'd say, 'I'm calling long
distance,' and you were supposed to drop everything? Now it's not a big
deal anymore to get a call from anywhere on the globe."
More change is certainly on the way. Within five years, futurists predict
cell phones will continue to shrink in size but expand in capability. The
hand-held device will not only be able to make phone calls but will also
function as a computer and perhaps even as a television. From there, they
say, who knows--but don't rule out the possibility of a communications chip
implanted in the body.
But even now the world is a much smaller place because of the ubiquity of
the cell phone. In the United States, among the slowest of the
industrialized nations to adopt the cell phone, nearly two in three, or
about 137 million, people use the device.
Little more than a decade ago, market studies by telecommunications
companies indicated that, at best, cell phone users in America would top
out at 3 million, according to Michael Zey, a sociologist at Montclair
State University in New Jersey. At first, people claimed to value their
privacy too much to have it interrupted without warning by a cell phone,
according to Zey.
"Focus groups said, 'I would never accept a cell phone in my car because
it's one of the few private places where the boss, my spouse, my kids can't
reach me,' " Zey said. "Well, that changed."
In the workplace, cell phones are the latest tech tool to blur the line
between office and home. The cell phone--some call it an electronic
leash--has made it easier than ever for a boss to reach a worker any time,
anywhere with the tacit understanding that there are few viable excuses for
missing the call.
The cell phone even eliminated the few precious minutes of mental
preparation time provided by its predecessor, the pager. Now, when the cell
phone rings, the worker has only seconds to collect his or her thoughts and
recognize the caller, then answer. The result is that many workers feel
pressure to be on call 24/7.
"The expectation because of this technology is: Now I have to know what my
boss is thinking before I get to work," Zey said. "The workday never ends."
Cell phone users can also face stiff challenges in focusing on the
conversation. On a land line, callers are usually in familiar surroundings
and thus less distracted by their environment and can more easily
concentrate. With a cell phone, however, caller and receiver can easily
miss an important detail as they multitask their way through traffic, a
grocery store or the disapproving stares of fellow restaurant patrons.
Leaving even more room for miscommunication are newer cell phones with the
capability of sending and receiving e-mails. "We always had bosses who had
difficulty writing a memo," Zey said. "Well, multiply that by 1,000 times."
In the workplace, cell phones have created other unexpected problems among
co-workers, especially in offices with closely spaced desks and cubicles.
For some workers, the office phone isn't enough--they need a private,
personal line. Thus cell phones have begun creeping into the workplace, and
there's no doubt the calls aren't all business or even for legitimate
personal business.
"One of the main reasons it gets under people's skin is that when people
talk on a cell phone, it's as if everyone around them ceases to exist, and
that's very insulting," said Carol Page, a Boston public relations
consultant and founder of CellManners.com. "Also, I think people just can't
stand to overhear inane personal conversations."
As some cities and states have banned cell phone use in cars and
restaurants, some are talking about similar restrictions in the workplace.
With the annoying rings, loud conversations and the fact that the worker is
usually sitting by an office phone, it may not be long until cell phone
users join smokers outside--where the reception would be better anyway.
Page, whose Web site promotes civility between cell phone users and those
around them, said banning cell phones at work isn't necessary. Workers
should put their phones on vibrate and take personal calls away from their
desks if they are within earshot of others.
Cell phones are also reshaping our social habits and attitudes, say
sociologists. The portable phones, depending on their usage, can by turns
be a shield against loneliness or create isolation. At one end of a
restaurant, a patron dining alone places his or her order, then dials a
friend--alone but not alone. At the other end of the restaurant, a cell
phone conversation interrupts a face-to-face dinner conversation--leaving
one party dining alone.
It's easy to see similar dynamics at parties. On the one hand, a cell phone
can help make a party all the merrier by easily summoning other partyers to
the scene. On the other, a cell phone can discourage users from reaching
out to other party guests. Where once they would have been forced by
circumstance to strike up a conversation, cell phones now provide a
socially acceptable way to be at the party ... but not.
"They can reduce the need to create bridges," Zey said. "It allows people
to exclude the people who may be in front of them and to interact with
people they already know who are someplace else."
Cell phones have also encouraged a sudden urgency to connect with friends
and family with little regard to the content of the conversation. Cell
phone conversations, as anyone who has ridden public transportation, walked
through a shopping mall or been to the beach can attest, are usually not
about much. A recent three-panel cartoon in the New Yorker jokes around
with some cell phone users' apparent need to always be on the phone. The
first panel shows a businessman entering a train talking on a cell phone
with the caption, "I'm boarding the train." In the next, which shows the
man on the train, he says, "I'm on the train." And in the last one, showing
the cell phone user leaving, he says: "I'm leaving the train."
"I think people have become more dependent on being in constant touch with
others," said Edward Tenner, author of the 1997 book "Why Things Bite Back:
Technology and the Revenge of Unintended Consequences." "If you're not
always accessible, people get anxious."
So where are cell phones taking us, and what may be next?
Within the next five years, the much-talked-about idea of "convergence"
will probably transform today's cell phones into one super machine. In
addition to phone capabilities, the device will also have e-mail, computer
and video abilities. It may take five years after that, says Petersen, for
the price of the all-in-one device to come down enough for widespread usage.
"Cell phones and what is coming is what is driving globalization," says
Petersen, a former staff member of the National Security Council at the
Reagan White House. "I think what we're seeing is an almost biological
evolution of the species. I think we're building a global nervous system
and brain."
And if that happens, perhaps we won't have to put up with cell yell anymore.
****************************
Wired News
A Gathering of Big Crypto Brains
By Karlin Lillington
NAAS, Ireland -- In a lush country hotel 20 miles south of Dublin, the
barroom conversation turns to steganography and database vulnerabilities,
encryption algorithms and biometric scanners, SWAP files and cookie poisoning.
Not your average pub denizens, the speakers are some of the best-known
names in cryptography and security, gathered for one of the industry's
best-kept secrets: the annual COSAC conference, held every fall in Ireland.
For nine years, the low-profile, high-caliber event has drawn the cream of
the crypto crowd, people like Sun engineer and public key cryptography
inventor Whitfield Diffie and Michael Wiener, the man who broke the once
widely used encryption algorithm known as Data Encryption Standard (DES).
Attendance is limited to just over 100, sessions are small and participants
consider it a COSAC virtue that many speakers never make it through their
formal presentations because of enthusiastic audience participation.
COSAC organizer David Lynas said the conference was born out of a desire to
gather all the security pros he most wanted to see in one room together.
"You go to one of the big conferences and if you're lucky, maybe one person
says something really interesting and makes the conference worthwhile,"
said Lynas, whose day job is director of global service development for
British computer security firm QinetiQ. "I thought that I'd invite each of
those 'one persons' that I'd seen."
Now some of the sharpest minds in the computer security business come to
COSAC to pick each other's brains. "It's the only environment in which they
actually learn," Lynas said.
Speakers also give hands-on demonstrations. In a conference highlight,
Yokohama National University professor Tsutomu Matsumoto and some of his
graduate students showed how easy it is to trick biometric
fingerprint-scanning systems with fake fingers.
Matsumoto recently got international attention when he proved that gelatin
"gummy fingers" could unlock biometric scanners.
With moisture content similar to that of live fingers, the gummy fingers
fooled the scanners nearly every time. More devastatingly, Matsumoto also
showed that a fingerprint could be lifted from a pane of glass and overlaid
on a fake finger using an electron microscope, an inkjet printer and
Photoshop software.
At the conference, Matsumoto's students demonstrated that adding carbon
black, a conductive material made from industrial carbon-based powder,
enabled silicone fingers to fool the scanners too.
The four-day event covered a smorgasbord of other relevant topics,
including forensics, wireless security and the persistent head-in-the-sand
mentality of business when it comes to security.
Computer forensics expert and director of Inforenz, Andy Clark, explained
how "evidence eliminator" software that is used to wipe files from
computers doesn't do its purported job.
Such programs don't pose a serious hurdle for forensic investigators, he
said. "They get in the way, but they certainly do not remove all traces of
activity. In fact, they can be more of a pain for the user."
Instead, Clark advised, add encryption to your PC "if you really want to
make our life hard."
As the conference wound up over lunch last week, many delegates were
already planning for next year. COSAC has a return rate of about 90 percent.
***************************
Wired News
Can Bon Jovi Foil the Pirates?
By Noah Shachtman
Hair-rock mastodons Bon Jovi may have actually done something cool this
decade.
The 1980s megastars have a new, Web-based scheme to discourage their
soon-to-be-released disc from being pirated. And computer security experts
think the program just might work.
On the inside of the packaging of Bon Jovi's Bounce is a 13-digit, randomly
generated serial number. By entering that code on the group's website, fans
enroll in a program that puts them "first in line" for concert tickets and
allows them to listen to unreleased tracks from the band.
"The idea is to make anyone who's file sharing or burning feel like they're
missing out by not buying a real copy of the CD," said Larry Mattera, a
new-media executive at Island Def Jam, Bon Jovi's label.
The company tried a similar program with Rusted Root and Willie Nelson. But
the system was seriously flawed, Mattera said. It relied on Gracenote's CD
Key technology, which embedded the access code in the disc itself.
Anyone who burned a copy of the album got the code along with the music. So
there was no benefit to buying the record legitimately.
The new system isn't foolproof, either. A record store employee could open
the CD and pass the membership on to pirates.
But with over 137 billion possible combinations to the 13-digit number, the
chances of guessing the Bon Jovi code are pretty low, Symantec security
expert Elias Levy said.
To obtain a working code, a hacker could write a program that generated
random serial numbers. Then, accessing the Bon Jovi site through a proxy
(or third-party Web server) in order to mask his identity, the hacker could
then stream an endless number of these codes until one worked. The process
is known as "brute forcing" in security jargon.
"If (the Bon Jovi site) continued to accept the connections, it could take
an hour to a day to find a code that worked," a hacker called The Pull, who
works at a mainstream computer security firm, wrote in an e-mail. "With a
large enough network, say, a 50,000 node, one could do a lot of hits at
once. It wouldn't stand very long against distributed cracking."
Once several codes had been obtained, hackers could then figure the
algorithm that created the Bon Jovi serial numbers, The Pull added. And
then, it's open season.
But that's a pretty cumbersome process, considering the reward is priority
tickets to an acid-washed-jeans flashback. Few hackers would be willing to
go through the effort, the security experts said.
The Pull added, "I would have to say this would be relatively secure,
considering the merchandise is not all that valuable."
***************************
Sydney Morning Herald
Programmer charged under anti-terror law
London
September 19 2002
Police have arrested a computer programmer and charged him with collecting
information that could be used to plan a terrorist attack, Scotland Yard
said yesterday.
Mohammed Abdullah Azam, 32, from Luton, 48km north of London, was arrested
Sunday and has been charged under the anti-terrorism laws, a Scotland Yard
spokesman said.
He said Azam had been charged under Section 58 of the Terrorism Act with
collecting information "of a kind likely to be useful to a person
committing or preparing an act of terrorism, or had in his possession
documents or records containing information of that kind".
The police spokesman would give no further details about Azam or the case,
and said he had no information about whether the suspect was linked to any
specific group or organisation.
Azam is due to appear at Bow Street Magistrates Court in London.
Three other men, two aged 21 and one aged 23, were also arrested under the
Terrorism Act on Sunday in Luton, but were released yesterday.
On September 6, David Veness, head of Scotland Yard's anti-terrorist squad,
said there was no known specific threat to Britain and encouraged people to
carry on "business as usual".
Speaking as the anniversary of the September 11 terrorist attacks on the
United States approached, he said, "We shouldn't underestimate these
individuals.
"An individual is not incapable of causing serious impact and that is
something we are alert to. Our intention is to enhance the deterrent," he
said.
Security forces and police were better prepared to deal with any terror
attacks than they were a year ago and his officers had received advice
following September 11 from police in other countries with more experience
of suicide bombers, he said.
On the September 11 anniversary, radical Muslims praised Osama bin Laden,
leader of the al-Qaeda terrorist network blamed for the attacks, during a
gathering at a London mosque that is widely regarded as a centre of radical
Islam in Britain.
They denied having ties to Al Qaeda.
Among those at the gathering was Sheik Omar Bakri Mohammed, head of Al
Muhajiroun, a militant group that recruits on university campuses and
encourages members to join armed struggles abroad.
It says its goal is to make Britain an Islamic state.
*******************************
Lillie Coney
Public Policy Coordinator
U.S. Association for Computing Machinery
Suite 510
2120 L Street, NW
Washington, D.C. 20037
202-478-6124
lillie.coney@xxxxxxx