
Clips September 24, 2002


ARTICLES

Northern Va. Group One Step Closer to Managing Dot-Org [ICANN]
Montgomery Says General Election Will Be Smoother
CDC outlines IT needs for emergency vaccination clinics
INS will tighten registration of Saudi visitors
Lab to sample Linux for weapons work
DARPA seeks 'total information awareness'
Justice Department formalizes information sharing guidelines
FBI cyber chief heralds interagency cooperation
Demand for U.S. IT workers remains soft, survey shows
Military, Private Sector Rush to Adopt High-Tech Security Technology [Biometrics]
FBI Fingerprint Research Helps Spawn an Industry [Biometrics]
Warner to Enable the CD Burning of Its Songs
Plea Bargain Riles Scorned Public Defenders [ID Theft]
More-Engaging Online Content Urged
Internet replacing the college library
U.S. puts money on World Bank "hacktivists"
Judge reserves decision on spam fighter trial
Unguarded moments - why cyber security is on the rise
Library Of Congress Goes Grid


****************************
Washington Post
Northern Va. Group One Step Closer to Managing Dot-Org
By David McGuire
Monday, September 23, 2002; 5:06 PM

Global Internet addressing authorities today reiterated their recommendation that a Reston, Va.-based nonprofit group should assume control over the valuable "dot-org" Internet domain.

After sifting through hundreds of comments from the Internet addressing community, the Internet Corporation for Assigned Names and Numbers (ICANN) reaffirmed its recommendation that the Internet Society (known as "ISOC") take over management of dot-org starting in 2003.

ICANN's international board of directors has final say over whether to accept the ICANN staff's recommendation. The board is expected to make its decision next month.

In its final staff report, ICANN dismissed suggestions that ISOC is financially and technologically unfit to operate dot-org, the world's fifth largest Internet domain. ICANN manages the Internet's worldwide addressing system under agreements with the U.S. government.

"We're very pleased with the final staff report, particularly that ICANN chose to go ahead and thoroughly review any concerns and criticisms," ISOC spokeswoman Julie Williams said today. "I think it's really to their credit that they've tried to make it an open process and to make it as fair as possible."

Earlier this year, 11 organizations from around the world submitted bids to take control of dot-org when Mountain View, Calif.-based VeriSign Inc. relinquishes its hold on the domain in December.

After ICANN gave the preliminary nod to ISOC last month, several competing organizations took issue both with ICANN's selection process and with ISOC's qualifications to operate the massive Internet domain.

"The final report is relatively unchanged despite rather serious flaws that were brought to their attention by NeuStar and others," NeuStar Director of Business Development Ken Hansen said today.

But in its report, ICANN largely dismissed the argument that ISOC's shaky fiscal past would make the organization an unstable home for dot-org. ICANN noted that ISOC's proposal calls for dot-org to be run by a newly created entity called Public Interest Registry (PIR) that will have no direct fiscal link to ISOC.

Concerns about ISOC's financial stability are not "applicable," ICANN said.

Hansen disagreed, saying that by ignoring the financial concerns, ICANN was "unnecessarily putting the timely transition and management of dot-org at risk."

"The (ICANN) board is going to have an opportunity to base their decision on the criteria and not on the flawed staff report," Hansen added.

ICANN spokeswoman Mary Hewitt pointed out that none of the dot-org bids were evaluated based on the submitting organization's financial model. Rather, the evaluation process gave greater significance to the overall operational experience and capabilities of the organizations, she said.

Founded in 1991, ISOC serves as the institutional home for two key Internet standards-setting bodies, the Internet Engineering Task Force and the Internet Architecture Board. It has members in more than 100 countries.

Accounting for more than 2.3 million Internet addresses worldwide, dot-org represents a substantial revenue stream for the organization that wins the registry contract. As the current domain operator, or "registry," VeriSign charges Internet address retailers (called "registrars") $6 per year for every dot-org name they sell. Registrars in turn charge varying retail prices to individual users.

Mountain View, Calif.-based VeriSign is set to give up its management of dot-org in December as part of a deal it cut with ICANN last year to maintain its control of the lucrative dot-com domain.
*****************************
Washington Post
Montgomery Says General Election Will Be Smoother
Votes Were Counted Slowly in Primary
By Annie Gowen
Washington Post Staff Writer
Tuesday, September 24, 2002; Page B04



Two weeks after a primary night meltdown in Montgomery County, elections officials promised County Council members yesterday that better training and procedures for a computerized voting system would correct the problems that delayed election results for hours.


By election night, more judges with better training will be in place and procedures will be streamlined to avoid a repeat of the confusion of Sept. 10, pledged Montgomery County Board of Elections Director Margaret A. Jurgensen.

That night, it took hours to produce results in several key races, including the hotly contested Democratic primary in the 8th Congressional District, as many judges struggled to tally votes and then hand-delivered them to the Board of Elections.

"You could send the Gutenberg Bible in the Gobi desert in a nanosecond," council member Howard A. Denis (R-Potomac-Bethesda) said after the hearing before a council subcommittee. "I don't understand why we can't plug into the election results from Bethesda to Rockville."

Denis said, though, that he felt the elections officials would probably be able to fix the problems in the coming weeks. "I think that they have a high sense of urgency," he said. "It was really embarrassing election night. We were the last to come in."

Council member Philip Andrews (D-Rockville) said he was most concerned that 43 of 237 polling places did not open on time. Jurgensen said two precincts opened as late as 7:30 a.m. and the rest between 7:05 a.m. and 7:20 a.m. At Parkland Middle School, 30 voters waited more than a half-hour before leaving without having voted, according to the county.

At some precincts, the voting booths were not set up, while others lacked technical support workers or enough election judges, she said. In November, county workers will be on hand beginning at 11:30 p.m. the night before the election to see that all of the polling booths are ready to go this time, Jurgensen told the committee.

Jurgensen said the county was woefully understaffed with election judges for the primary, short some 400 judges of the 3,200 needed. She hopes to attract 600 more judges through senior citizen and volunteer organizations for the Nov. 5 general election.

More than 200 judges who had trouble tabulating results and closing down machines on primary night will have to be retrained, she said.

The Sept. 10 primary was the official debut for the computerized voting system -- expected to be statewide in 2006 -- in Montgomery, Prince George's, Dorchester and Allegany counties.

Although all counties experienced some technical problems during the debut, only Montgomery had trouble tabulating its returns. Results from Dorchester and Allegany were completed by 10:30 p.m.; Prince George's results were online by midnight.

In Montgomery, by contrast, chaos reigned: Inaccurate results were posted on the Web site while judges in precincts struggled through complicated forms and the tabulation process. Some were so frustrated with the new machines that many were simply loaded into cars and dumped unceremoniously at the Board of Elections after the polls closed.

Elections officials are to meet today with schools officials to see which polling places could use school fax and modem lines to transfer their election results electronically, as was done in Prince George's. On primary night, only one legislative district in Montgomery sent results in by modem. That pilot was dubbed a success.
**************************
Government Computer News
CDC outlines IT needs for emergency vaccination clinics
By William Jackson


The government is offering to help state and local governments design IT components of smallpox vaccination clinics in the event of an outbreak of the disease.

The Centers for Disease Control and Prevention released its smallpox bioterrorism response plan Monday. The Smallpox Vaccination Clinic Guide for large-scale clinics is part of Version 3 of the Smallpox Response Plan and Guidelines. The clinic guide is available online at www.cdc.gov. The full version of the response plan will be available soon.

The 48-page plan deals with the logistical and organizational concerns of setting up clinics capable of vaccinating 1 million people in 10 days in the event of a smallpox outbreak. It describes a clinic set up to treat 100,000 people a day in two eight-hour shifts. Among the estimated 117 people needed to staff each shift is one IT support person.

IT requirements specified in the guide are 12 desktop or notebook computers, each with an Internet connection if Web-based databases are used. The government will provide technical assistance in designing databases and developing vaccine-tracking systems. The amount of assistance available would depend on the scope of the emergency.

IT staff members would also oversee the five telephone lines and one fax line a large clinic would require.
****************************
News.com
Need Biowarfare Agent? Hop Online
By Kristen Philipkoski


The genome sequence of a potential biowarfare agent called Brucella is freely and publicly available to anyone with Internet access.

A frightening thought, perhaps, considering terrorists certainly have Internet access. But experts say it's highly unlikely they would also have the scientific sophistication to use the information to make a weapon.

Although it's controversial, many scientists believe making the pathogen's blueprint publicly available can lead to more good than harm. Sharing the genome sequence, which was deciphered by researchers at The Institute for Genomic Research (TIGR), will help scientists develop vaccines and find faster ways to identify the bacteria.

"The more we know about (Brucella's genome), the easier it is to defend against it," said Mark Wheelis, senior lecturer in microbiology at the University of California at Davis.

"Although (dangers) are certainly there -- I would say they're greatly outweighed by the benefits that knowing the sequence will bring to people doing important basic research in the organism," he said.

In humans, initial symptoms of Brucella infection are somewhat flu-like, making early detection difficult. Although it's rarely fatal, it can incapacitate its victims by making them feverish and disoriented, and can cause severe long-term illnesses, such as arthritis, heart disease and brain damage.

It can only be treated with large amounts of expensive antibiotics administered for one year.

The lead researcher on the study, Ian Paulsen, a TIGR associate investigator, described one incidence of the disease: "He was found wandering around his front yard delirious in his underpants not knowing what was going on. If it was used against a military unit, it's not likely the men could actually fight."

People can contract the disease by handling the tissues of infected animals, eating contaminated foods or inhaling the pathogen. It is only rarely passed between humans.

During the 1950s and '60s, the U.S. Army developed artillery shells and bombs armed with Brucella. The stockpile was destroyed in 1969 when the government halted its biowarfare program.

However, other countries developed Brucella weapons during the Cold War, too. And while most experts doubt terrorists are sophisticated enough to use the genomic information now available online, it's possible a state-supported biowarfare effort could be.

"Iraq could do that, for instance," Wheelis said. "But terrorists, no."

To alleviate public concern, the National Academy of Sciences and other organizations are in the process of drawing up guidelines to determine if some genome sequence information should not be made public.

For now, researchers are focusing on the public health benefits of having the information accessible.

"Now that we have the genome sequence, we can use genomics-style technology such as microarray technology to detect the presence or absence of the pathogen, and also fingerprint the strains," Paulsen said.

Knowing which strain an individual is infected with will be key to eventually treating people who develop brucellosis.

Paulsen and his colleagues sequenced a strain that mostly infects pigs, known as Brucella suis, which can also infect humans. They compared it to the goat version, known as Brucella melitensis.

The next step for the TIGR lab is to sequence a strain of Brucella that's virulent in sheep but not humans. Comparing the two should point out the specific genes responsible for causing human sickness.

A surprising finding, of interest mainly to evolutionary biologists, was the fundamental similarity between the swine Brucella genome and plant pathogens.

"It shows they had a common ancestor more recently than we would have thought," Paulsen said. "They probably all came from some ancestral soil organism tens of millions of years ago."
******************************
Washington Times
INS will tighten registration of Saudi visitors


A program that requires registration of foreign visitors from some countries in the Middle East and North Africa is being expanded to include men from Saudi Arabia, a U.S. ally and the home country of 15 of the 19 September 11 hijackers.

An Immigration and Naturalization Service memo obtained by Associated Press directs immigration inspectors registering aliens to include men, ages 16 to 45, from Saudi Arabia, Pakistan and Yemen, starting Oct. 1.

A Saudi foreign policy adviser, Adel Al-Jubeir, noted that nationals of other countries also could be subject to registration and Saudis were not being singled out.

The Justice Department had begun registering visitors from Iran, Iraq, Sudan and Libya on the anniversary of the terrorist attacks. As part of the registration, the foreigners are required to provide fingerprints, photographs and details about plans while in the United States.

"It is imperative that the officers remain vigilant and verify the age of all males from these three countries in order to identify properly those who are subject to special registration," says the Sept. 5 memo, sent by Johnny Williams, the INS head of field operations.

The memo was sent to INS offices to explain how to implement the Justice Department policy known as the National Security Entry-Exit Registration System.

Justice Department spokeswoman Susan Dryden said she could not comment on the internal INS document. But, she said, "Saudi Arabia is an ally in the war on terrorism and they are not treated as state sponsors of terrorism in our enforcement efforts."

James Zogby, president of the Arab American Institute, said the registrations should be conducted at consulates, not at ports of entry where the process will create long waits and three lines: one for citizens, one for non-citizens and one for Arab-Americans.

Registration is required on arrival in and departure from the United States. The foreigners also must be interviewed at an INS office for stays of more than 30 days and notify the INS within 10 days of any change of residence, employment or academic institution.

The memo says inspectors also can register visitors for national security reasons who they determine are worth monitoring. The memo says inspectors should consider whether the visitor has made an unexplained trip to Iran, Iraq, Libya, Sudan, Syria, North Korea, Cuba, Saudi Arabia, Afghanistan, Yemen, Egypt, Somalia, Pakistan, Indonesia or Malaysia, or whether the visitor's explanation for the trip lacks credibility.

Among other things, inspectors will be told to consider registering foreign visitors who previously overstayed a U.S. visa or whose behavior, demeanor or answers indicate that the person may be a security threat, according to the memo.

The additional scrutiny for Saudi nationals follows introduction of stricter rules for Saudis who apply for visas to the United States. The visa paperwork formerly handled by travel agents now requires interviews at consular offices. The scrutiny also comes as President Bush tries to build support for a U.S. attack on Iraq, for which Saudi Arabia has said it will not allow use of its territory unless the attack is under U.N. auspices.

Rep. George Gekas, Pennsylvania Republican, chairman of the House Judiciary immigration subcommittee, said the registration program seeks to weed out people that Saudi Arabia and other countries are cracking down on and arresting.

"It's a natural extension of what is already occurring with respect to the war on terrorism, which is separate and apart from our relationships with the governments that are involved in this new round of alien registration," Mr. Gekas said.
************************
News.com
Lab to sample Linux for weapons work
By Stephen Shankland
Staff Writer, CNET News.com
September 23, 2002, 4:50 PM PT



Los Alamos National Laboratory is buying a $6 million, 2,048-processor Linux supercomputer to run its nuclear weapons simulation software, an effort that will test the limits of these less expensive megamachines.

The lab has been a pioneer in building inexpensive supercomputers made out of ordinary computing components and the Linux operating system. Thus far, however, LANL's nuclear weapons simulation software runs on more expensive systems from SGI and Hewlett-Packard such as HP's $215 million "Q" now under construction.


A $6 million price tag may sound like a bargain in comparison, but software must be reworked to run using less expensive clusters of Linux machines. Though the new system will run unclassified programs such as predicting the properties of new materials, those tests will serve as a proxy to predict how well nuclear weapons simulation software works, said lab spokesman Jim Danneskiold.


The lab's central mission is ensuring that U.S. nuclear weapons will work as planned, despite aging and the current ban on actual nuclear tests. LANL has software that simulates the physical effects such as the extreme pressure and intense X-rays that accompany nuclear explosions.


Intel-based supercomputers are becoming less exotic, having escaped academia and found buyers in the private sector such as Compagnie Generale de Geophysique for oil and gas exploration work and MTU Aero Engine for engine design.

The new system, called the "Science Appliance" and built by Salt Lake City-based Linux NetworX, uses a cluster of 1,024 interconnected servers, each with two 2.4GHz Intel Xeon processors. It's a close relative to another cluster at LANL's sister laboratory, Lawrence Livermore National Laboratory.

The Science Appliance, due by the end of the year, will be capable of a peak computational speed of 10 trillion calculations per second, Linux NetworX said. The computing nodes will be stacked 50 to a rack, with 27 racks taking up a patch of floor space about 18 by 25 feet. The nodes are connected with a high-speed switch from Myricom.

There are future expansion options in the LANL deal, said Clark Roundy, vice president of marketing at Linux NetworX.

There's a major difference compared with the Livermore system, though: The Los Alamos machine has no hard drives. Instead, each computer fires up using software pulled over the network with the assistance of software called LinuxBIOS developed by LANL programmer Ron Minnich and others. LinuxBIOS also dramatically speeds the startup process to about two seconds, said Jason Lowry, Linux NetworX's product manager for cluster management tools.

Shunning hard drives cuts cost and power consumption, but more importantly, it improves reliability, Roundy said.

"If you think about what things are going to fail in a system, it's the hard disk or fan or power supply or something with moving parts," Roundy said.

Linux NetworX could benefit greatly from convincing the Los Alamos and Livermore labs that Linux clusters are worthwhile. The labs are funded by the Energy Department's Advanced Simulation and Computing program, which has spent hundreds of millions of dollars to advance supercomputing using machines made of comparatively inexpensive components.

The DOE program has underwritten many of the world's fastest computers, according to university researchers who monitor raw calculation speed at the Top500 organization. The program has underwritten Nos. 2, 6, 7, 9, 11, and 15 on the most recent ranking.
*************************
Government Computer News
DARPA seeks 'total information awareness'
By Patricia Daukantas


Biometric, language processing, predictive modeling and database technologies are all key areas of the Defense Advanced Research Projects Agency's revamped strategy to assist homeland security.

The goal of what DARPA calls its total information awareness programs is to prevent terrorist attacks, said Robert L. Popp, deputy director of the agency's Information Awareness Office. Popp spoke yesterday at a conference in Arlington, Va., sponsored by the Biometric Consortium.

DARPA created the Information Assurance Office early this year to develop new technologies for extracting and analyzing data that could help the war on terrorism, Popp said.

Among the initiatives that the office has launched this year is Genisys, which seeks new ways to design ultralarge information repositories for counterterrorism efforts while protecting the privacy of innocent people, Popp said.

Translingual Information Detection, Extraction and Summarization, or TIDES, will help English-speaking analysts understand intercepted messages in other languages, Popp said. DARPA's initial efforts with TIDES will focus on Arabic and Chinese, as will a related program to improve the accuracy of speech recognition.

DARPA's Human Identification at a Distance program is wrapping up a new round of tests on various facial recognition products, program manager Jonathon Phillips told conference attendees. Phillips, on detail at DARPA from the National Institute of Standards and Technology, said that results of HID tests are scheduled for posting on www.frvt.org in November.
***************************
Government Executive
Justice Department formalizes information sharing guidelines
By Drew Clark, National Journal's Technology Daily


Attorney General John Ashcroft on Monday released guidelines designed to formalize the way in which federal prosecutors share information, including data obtained from electronic surveillance, with the CIA and other intelligence officials.

The guidelines flow from last October's sweeping anti-terrorism bill, which empowered prosecutors to share information obtained through grand jury testimony or through electronic, wire or oral interception of information.

Prior to passage of the landmark anti-terrorism legislation, known as the Patriot Act, prosecutors were specifically barred from sharing such information with intelligence, protective, immigration, defense or national security officials.

Justice Department officials said the changes were designed to institutionalize a procedure for sharing information collected in the course of criminal investigations. Prior to the passage of the Patriot Act, sharing of grand jury and surveillance information was barred "even if that information indicated that terrorists were planning a future attack, unless such officials were assisting with the criminal investigation itself," according to a department press release.

Because information collected and presented to a grand jury has not been subject to the cross-examination and other checks and balances associated with a criminal trial, guarding the secrecy of such information has long been a hallmark of the protections that suspects have been granted under U.S. criminal law.

Section 203 of the Patriot measure allowed the sharing of such grand jury information so long as information identifying U.S. citizens is labeled as such before its disclosure to intelligence officials. But Justice officials said that any information identifying a U.S. citizen should be labeled before being passed to intelligence agents.

And while the identity of such U.S. citizens may be passed to intelligence officials, a top level Justice official said in a background briefing that the names must be deleted prior to any subsequent usage. But an exception is made if its disclosure is necessary to understand the context of the information.

In April, Ashcroft issued a directive to Justice Department officials regarding procedures for such information sharing, and Monday's guidelines formalize them for the department's communication with intelligence, homeland security and other federal officials.
****************************
Government Executive
FBI cyber chief heralds interagency cooperation
By Bara Vaida, National Journal's Technology Daily


Ron Dick, the director of the FBI's National Infrastructure Protection Center, said the FBI's new effort to partner with the Secret Service on investigating cyber crimes is aimed at marshalling resources.

At the launch of the national cybersecurity protection plan last week, the FBI and Secret Service announced a new pilot program where several field offices of both agencies agreed to work together on investigating cyber crimes to determine who is behind a particular attack.

"If you look at what we've done with the Infragard program and what they've done with the Electronic Crimes Task Force...we can leverage the capabilities of both staffs," said Dick in an interview with National Journal's Technology Daily.

Infragard, created in 1996, enables the private sector and federal government to share information about cyber crimes confidentially. The Secret Service created a national electronic crimes task force in 1995 in its New York field office to investigate electronic financial crimes.

"There is a shortage of resources and skills and ability to investigate [security breaches], so if we blend the two [programs]," there will be strengths in different areas, he said.

Separately, Dick defended the administration's decision not to have regulations in the national cybersecurity plan. Some critics of the plan have charged that it is weak because it relies on private sector cooperation with the government.

"It's the current administration's position not to use regulation or statutory changes to secure cyberspace ... because 80 percent [of it] is owned and operated by the private sector, and this has to be a partnership not mandated by regulation but by good practices," Dick said. "The whole crux for infrastructure protection comes down to one word: trust."

When asked if there is a date by which the nation's computer networks should be secure, Dick said, "No ... but if we still don't have protection of the system ... then the government would step in. But we aren't even close to that. The right model is to attempt to do this with a trusted partnership and see if it works."

Dick said since last year's terrorist attacks, information sharing efforts by federal agencies and within the private sector have improved. He noted that the CIA has detailed a staff member to the NIPC and there is an interagency group, which includes the NIPC, Treasury, Justice and the Defense departments aimed at sharing investigative efforts.

"I have seen nothing but willingness of agencies to share information," he said.

The majority of the NIPC is slated to move to the Homeland Security Department when Congress approves its creation. The training, outreach and strategy and analysis portions of the NIPC are scheduled to move to the new department, while the investigative component is to remain within the FBI, Dick said.
***************************
Computerworld
Demand for U.S. IT workers remains soft, survey shows
By THOMAS HOFFMAN
SEPTEMBER 23, 2002


Although the U.S. IT workforce has grown by 1%, or 85,000 jobs, since the beginning of the year, the short-term hiring outlook continues to remain bleak, according to an updated report being released today by the Information Technology Association of America and Dice Inc.

Telephone interviews conducted in July and August with hiring managers at 84 IT vendor companies and 216 non-IT companies revealed that "the original optimistic hiring forecast at the beginning of the year has been tempered by the economy," said Scot Melland, president and CEO of Dice, a New York-based provider of online recruiting services for technology professionals.


Many unemployed IT workers are shifting the blame elsewhere. Computerworld regularly receives letters from disgruntled IT professionals who claim that they have in-demand skills such as C++, Java and Oracle training and yet haven't been able to find work for months. Many of them point the finger at H-1B visa holders and offshore programming outfits, where a growing number of companies are shifting their development and maintenance work to reduce costs.

Influence From Overseas

Earlier this month, the U.S. General Accounting Office (GAO) announced plans to study whether and to what extent the H-1B visa program is costing Americans jobs. The results of that study are due out next year.

But some IT professionals say offshore outsourcing is having a more significant and longer-term impact on U.S. IT workers.

Outsourcing not only leads to job cuts; it also allows corporations to avoid paying unemployment taxes when demand for labor slackens, said Norman A. Lane, president of Aztech Professional Services Inc., a Phoenix-based consulting and contracting firm. Lane contends that to prevent tax losses to the federal government, U.S. companies that engage in offshore outsourcing should pay a levy "on every outsourced job to compensate U.S. taxpayers."

ITAA President Harris Miller has been a lightning rod for H-1B critics, since the Arlington, Va.-based trade association is largely made up of technology vendors such as IBM, Cisco Systems Inc. and others who have made extensive use of foreign IT specialists. While he said he believes the economy has been the biggest culprit, even he acknowledges that offshore programming "is having an impact" on the U.S. IT job market.

"The real challenge is offshore programming -- not the few thousand [IT workers] that come to the U.S., but the workers in Ireland and South Africa and India that are paid much less to do the work," said Miller. "I think there is more work going offshore in part due to the pressure to keep costs down, and there's huge downward pressure on software vendors to keep their labor rates down," he added.

"So much work is going offshore, we're putting ourselves at a substantial [intellectual capital and security] risk," said Linda McInnis, an independent contractor and head of the hiring initiative at BostonSPIN, an Acton, Mass.-based group of 1,200 Boston-area software professionals.
***************************
Washington Post
Military, Private Sector Rush to Adopt High-Tech Security Technology
By David McGuire
Tuesday, September 24, 2002; 12:00 AM


Deep in the Pentagon, an Army officer approaches a gray box affixed at roughly eye-level beside a wooden office door. The officer stares at the box, training his eye on a circular mirror about the size of a half-dollar. "Identification is completed," purrs a computerized female voice as the lock clicks, permitting the officer to pass.

The slick plastic box, a device that scans iris patterns and compares them to a database of iris images taken from personnel who are cleared for entrance, is just one of a widening array of products designed to identify individuals by their unique physical characteristics.

Such technology hardly seems out of place in the heart of America's military industrial complex. But after the Sept. 11, 2001, terrorist attacks, the iris-scanning device and other security technologies that focus on physical characteristics are cropping up more and more in civilian life -- at office complexes, grocery stores, schools and fitness centers across the country.

The science underpinning such devices is "biometrics," a field long mired in controversy, but one that has enjoyed a makeover during the past year.

Unlike access cards, the body parts that biometrics devices read cannot be easily lost, sold or traded among conspirators, and unlike security codes, they can't be forgotten. The appeal of such a reliable identifier has grown in the post-Sept. 11 environment, but the use of biometrics for security purposes has raised questions about potential privacy intrusions and whether the technology is sufficiently reliable.

Army Pushes Biometrics
Squatting across the road from a tiny regional airport in rural West Virginia, the U.S. Army's Biometric Fusion Center isn't the gleaming testament to scientific advancement one might expect. The building -- a smallish, low-slung structure of textured concrete and faded brown siding -- offers few clues that it's the setting for leading-edge research into advanced biometrics technologies.


Past the outer door, however, the center starts to hint at its purpose. Barring entry to the main floor is an iris scanner identical to ones recently installed in the Pentagon.

Director Paul Howe said the iris scanner, one of several biometric devices in use throughout the building, serves two purposes: securing the facility, and giving staffers an opportunity to experience daily life with the device before recommending it for use throughout the military.

A device that is effective but annoying isn't an ideal solution, Howe said. "Part of it is saying, 'If I had to use it, would I really like it?'"

The Bridgeport, W.Va., center was founded in 2000 by the Army's then-fledgling Biometric Management Office (BMO), which is charged with spurring the deployment of biometric security devices throughout the military. The center has since become the testing ground for all commercial biometric products considered for use by the U.S. armed forces.

Howe said Bridgeport was a logical choice to serve as home to the Biometric Fusion Center. In 2000, West Virginia University boasted one of the nation's few academic biometrics programs, and the nearby town of Clarksburg is home to the FBI's massive fingerprint database.

Center officials signed the lease on the dowdy two-story property in August 2000, and eventually engaged a staff of more than 30 contractors, working under the management of Howe, a civilian employee of the Defense Department.

Since its launch, the center has reviewed about 50 devices, clearing about a dozen for use in military applications, Howe said. "This is kind of a new industry. What we like to focus on are those very mature products that might be useful right away."

On the top floor, a small laboratory is strewn with tens of thousands of dollars worth of commercial biometric devices. Tiny fingerprint identification cards that can be plugged into laptops share limited desk space with chunky hand scanners and slick iris cameras. Devices deemed not ready for prime time rest forgotten beside those already cleared for use in military installations and those still facing a battery of tests.

Some super-secure military facilities use custom-made biometric devices not available to the public (or, for that matter, to the staff of the Biometric Fusion Center), but many mid-level secure military facilities rely on commercially available biometrics to provide an "added layer of security," Howe said.

One of the most recent installations was the Pentagon Officers Athletic Club, where the management office has placed iris scanners at the entrance to the popular gym.

Managers there say that, beyond creating a simplified mechanism to allow entrance to the athletic club, the placement of the biometric device in such a central location will help familiarize military personnel with technology that is likely to become far more prevalent in their lives in the coming years. Fitness-conscious military personnel of all ranks and security-clearance levels pass through the athletic center, BMO Senior Analyst Margo English said.

Placing biometric devices in such high-traffic places will ultimately acclimate not just military personnel, but the general public to the devices, allowing most people to get comfortable with biometrics, Howe predicted. "You're always going to have some people who find it awkward, just as my mother finds it awkward to remember a password," Howe said.

Reliability
Biometric devices perform one of two basic functions: verifying a person's identity ("authentication") and picking subjects/suspects out of a crowd ("identification").


Authentication devices -- including finger, iris and hand scanners -- are used to confirm the identities of people who have clearance to enter secure areas, log onto sensitive computers, or perform any other sort of restricted function. By contrast, identification technologies like face scanners take a more scattershot approach, picking subjects out of crowds by spotting their unique physical characteristics. Although a less commonly known application, face scanners can also be used for more traditional authentication purposes.

Biometric devices may come in many flavors, but all of them share the underlying recipe for recording and comparing physical characteristics.

Whether scanning fingerprints, facial ridges, iris patterns or hand contours, all modern biometric devices first obtain "samples" by recording unique points on a target body part.

The samples are then converted to digital templates, which can be compared and contrasted at varying speeds and accuracy based on the level of detail included in the original samples and the thoroughness of the series of mathematical calculations (or "algorithms") programmed into the device that are used for processing comparisons.

Raj Nanavati, whose company International Biometric Group of New York tests devices for reliability, says the technology has gotten faster, smoother and more accurate in recent years. "The false rejection [and] false acceptance rates for finger, iris and hand are very low," he said.

Bill Voltmer, the president and chief executive of Moorestown, N.J.-based Iridian Technologies Inc., said iris scanners using Iridian's proprietary algorithm can reduce false acceptance rates (instances of unauthorized people being cleared for access) to almost zero.

But Voltmer conceded that the devices aren't completely foolproof, which highlights a recurring question about relying solely on biometrics to protect secure areas. The comparatively high reliability and seemingly tamperproof nature of the devices could lull users into a false sense of security, according to critics.

That danger was demonstrated earlier this year when a team of Japanese scientists released findings of a study in which they used gelatin and other simple household products to create "gummy fingers" capable of fooling fingerprint scanners.

But proponents of biometrics say that the devices aren't intended to replace armed guards or manned security checkpoints. Rather, the devices should be used to replace access cards and memorized security codes, which they say are much easier to defeat than comparable biometrics.

"Most of the access control systems today verify authorized pieces of plastic, when what they really want to do is verify authorized people," Recognition Systems Inc. spokesman Bill Spence said. Recognition Systems, a Campbell, Calif.-based unit of Ingersoll-Rand, is the world's largest developer of hand geometry scanners.

Richard M. Smith, a private Internet security consultant based in Cambridge, Mass., said biometric companies still face a tough task in selling their products to the public.

"These systems can do a good job of doing access control," Smith said. "The trouble is that they compete with other technologies like cards and key codes [that] tend to be less expensive and easier to deploy than a biometric solution."

Biometrics Sales Grow
Posting an anemic $20 million in sales in 1995, the biometrics industry will sell upwards of $200 million in devices this year, said International Biometric Industry Association (IBIA) Executive Director Richard Norton, citing IBIA sales projections. The biometrics industry posted sales of $170 million in 2001, and IBIA predicts annual industry sales of $2 billion by 2006.


Hand, finger, face and iris scanners account for most of the biometrics products sold, but companies are in the process of developing technologies to identify people based on their voice patterns, body heat signatures and keyboard-use characteristics, Norton said.

Biometrics companies say that the private sector is only a few steps behind the military in adopting biometric technologies.

The sector is small by most standards and has felt the pinch of shrinking corporate information-technology budgets, but many biometrics companies continue to post growing sales despite a languishing economy.

And beyond the fiscal evidence of the industry's growth over the past few years, biometrics executives say the post-Sept. 11 security concerns have created unprecedented interest in their products.

"The direct impact [of the terrorist attacks] was the realization that crime and terror is actually a reality in our country and they pose a threat. It's a wake-up call," said Joseph Atick, president and chief executive of Identix Inc., a Minnetonka, Minn.-based firm that is one of the largest in the biometrics sector. "The wake-up call as a result of the shock of Sept. 11 has led people to accept any identification technology, within reason of course."

Increased acceptance is critical for Identix, which deals in perhaps the most controversial breed of biometrics: face recognition. Critics of face scanners call the technology unreliable, questioning the ability of modern biometrics to accurately pick people out of crowds.

Biometrics "are very good authentication tools. They are terrible identification tools," said Bruce Schneier, president of Cupertino, Calif.-based Counterpane Internet Security and author of the monthly security newsletter, "Crypto-Gram."

"Where the industry is really overreaching is where they say, 'We can pick terrorists out of crowds,'" Schneier said.

"One-to-one" biometrics devices -- like the Pentagon iris scanners -- have a more proven track record, according to industry observers. Facing few roadblocks and riding a wave of heightened security concerns, manufacturers of those technologies are looking to ramp up deployment.

Schneier cautioned against over-reliance on the devices. "There are many circumstances in which biometrics aren't appropriate. That doesn't mean they're bad ... it just means they aren't the right tool," he said.

Howe, of the Army's biometrics center in West Virginia, said that use of the devices will continue to proliferate.

"They are getting slicker. They are getting less intrusive," Howe said. "They'll be as ubiquitous as credit cards."

Tomorrow: Civil liberties groups warn that biometric security devices pose serious threats to privacy rights.
*******************************
Washington Post
FBI Fingerprint Research Helps Spawn an Industry
Tuesday, September 24, 2002; 12:00 AM


To a large extent, the modern biometrics industry was born out of efforts to commercialize the Federal Bureau of Investigation's groundbreaking fingerprint scanning technology.

In the mid-1960s, the FBI asked researchers at the National Bureau of Standards (now the National Institute of Standards and Technology) to study the feasibility of using technology to "read" the unique ridges and whorls of human fingerprints, said Robert Last, a computer specialist and acting section chief in the FBI's national fingerprinting division.

Delivered to the FBI in 1972, the first prototype device based on that research was several feet tall, nearly as wide and "extremely slow," Last said. The device couldn't run comparisons and was only capable of scanning fingerprints and converting the ridge and whorl patterns into empirical data points.

By today's standards, the machine's capabilities were extremely limited, but it laid the groundwork for devices capable of scanning and comparing human fingerprints, Last said.

The FBI fingerprinting technology caught its first criminal in March 1979, when the scanning devices identified a match that had been overlooked by investigators using traditional fingerprint comparison procedures, Last said.

Continuing advances in fingerprint scanning technology led to the 1999 completion of the FBI's Integrated Automated Fingerprint Identification System, which greatly accelerated the speed and level of automation with which the FBI could run fingerprint comparisons.

-- David McGuire, washingtonpost.com
**************************
Los Angeles Times
Warner to Enable the CD Burning of Its Songs
Internet: Company will make recordable format standard and offer more of its catalog as singles.
By JON HEALEY
TIMES STAFF WRITER


September 24 2002

In the latest record-industry concession to consumer demand, Warner Music Group plans to offer tens of thousands of songs through the Internet in a format that can be burned to CD.

The announcement by Warner and online distributor RioPort Inc. is a significant change for Warner. Not only is it making more of its catalog available as singles--more than 30,000 songs instead of the current 300--it is enabling CD burning as a standard feature.

Warner's move mirrors announcements this year from Universal Music Group and Sony Music, which pledged to make tens of thousands of songs available as downloadable singles in formats that allow burning. Songs from all three companies also are expected to sell for 99 cents to $1.50, less than the labels initially sought to charge for downloadable music.

Burgeoning Internet piracy is pushing the labels to offer consumers something more compelling than their initial online collections. Consumers showed little interest in the major labels' first downloadable singles, largely because of the high price, limited selection and cumbersome electronic locks that prevented songs from being copied, moved to portable devices or recorded onto CD.

The new lineup of Warner songs will still have electronic locks, but buyers will be able to record the songs onto a standard CD, effectively removing the limitations. The label expects to make available all songs to which it has digital rights, which probably will leave out Madonna and a few other top artists.

The songs are slated to hit the market this month through RioPort's online retail partners, which include BestBuy.com, MTV.com and HP.com.
**************************
Los Angeles Times
Plea Bargain Riles Scorned Public Defenders
Justice: State attorneys group to seek a tougher sentence for a lawyer who allegedly used a stolen identity to chastise her colleagues in an online chat room.
By MONTE MORIN
September 24 2002


Criminal defense lawyers make their living in part by pleading for forgiveness on behalf of their clients. But in the case of Ana Maria Patino, members of the California Public Defender Assn. are crying out for blood.

Patino is a Santa Ana attorney who used the organization's closed Internet chat room to attack other members with a stream of angry missives, association officials say.

After being booted out of the group last year, Patino reemerged surreptitiously, using the online identity of a young law school graduate, prosecutors said. This prompted an investigation by the FBI and local police that resulted in charges of identity theft and forgery.

Prosecutors, however, have agreed to dismiss the charges if Patino apologizes, performs community service and pays $1,500 in fines.

The deal has members of the association crying foul, saying that Patino victimized them and avoided jail time by hiring a well-connected defense lawyer. They say prosecutors are letting her off too easily. They also complain that as the "victims" of the crime, they were never consulted about the plea deal.

"I'm astounded. Clearly the D.A. doesn't care about identity theft," said association board member Don Landis, who is an Orange County deputy public defender. "They're really interested in victims' issues when they want to be tough on some indigent client who pocketed something at Mervyn's, but when it comes to dealing with an Orange County lawyer, it's a different matter. It's hypocritical."

Members of the group--which is open to all defense attorneys--plan to take the unusual step of asking a judge next month to scuttle the plea bargain and demand stiffer punishment for Patino.

Patino, a defense lawyer who specializes in appeals cases involving immigration law, was the chat room's most active participant.

Firing off 10 to 15 critical messages a day on a variety of criminal-defense topics, Patino would sometimes sign her electronic missives as "Xena" or "Lady Anne."

Chat-room users say many lawyers felt the heat of Patino's flames, but the 54-year-old attorney allegedly crossed the line when she picked fights with the leader of the Orange County Bar Assn.

"I really don't know why you would think anyone would care what you think," Patino wrote to then-Orange County Bar President Jennifer Keller.

"You never have ceased to amaze me in your pretentious sense of power which you choose to gloat over people."

Patino also took aim at association director Michael Cantrall, cursing him and vowing to "bring you down and everyone else associated with you."

The defenders group responded by stripping Patino of her chat-room privileges and terminating her membership in the association.

But in June of last year, just weeks after she was bounced from the chat room, Patino reemerged under a false identity, the association said. Using the name and a bar license number of a 28-year-old law school graduate, Patino reportedly resumed her electronic chats as Lianna Figueroa.

The alleged ruse worked for several months, association officials said, until Patino began to complain to the site's Webmaster about service. The Webmaster reportedly recognized Patino's confrontational style and telephoned the real Lianna Figueroa to ask whether she was dissatisfied with the Web site.

"I had no clue what they were talking about," Figueroa said. "I just finished law school. I never applied to them for an account."

Authorities eventually charged Patino with identity theft, forgery and fraud. Patino hired powerhouse Orange County defense lawyer Alan Stokke, who discussed a plea deal with prosecutors.

Deputy Dist. Atty. Susan Riezman said Stokke's political connections played no role in the deal. "This is an appropriate agreement based on the totality of the circumstances, and the non-seriousness of the crime," Riezman said. "The victim suffered no financial loss nor any loss of reputation."

Riezman noted the matter would also be investigated by the State Bar of California.

Patino insists that she has done nothing wrong and is being persecuted by the association. "I am innocent," Patino said. "I do not know anything about Lianna Figueroa. I don't know her and I don't know anything about an apology."

She insists that the public defenders are out to get her. As an appeals lawyer, she said, she regularly exposes the sloppy work of public defenders.

"Their motivation is to get back at me," Patino said. "I make them look bad. They're motivated by envy."

Figueroa, the lawyer whose identity Patino allegedly used, said she has been troubled by the experience. She said prosecutors should hold Patino to a higher standard because she is a lawyer.

"I have no idea what this person was telling people under my name, and I'm worried people will think it's me who said it," Figueroa said.

"Nobody seems to care. I went to the police and they said, 'Big whoop, nobody lost any money.' I want somebody to take this seriously."
**************************
Los Angeles Times
More-Engaging Online Content Urged
By JUBE SHIVER Jr.
September 24 2002


WASHINGTON -- A White House panel studying ways to boost demand for high-speed Internet access is expected next week to encourage Hollywood and others to offer more online content. The report also will recommend that more workers use high-speed lines to telecommute from home.

After intense lobbying by industry groups, the President's Council of Advisors on Science and Technology sidestepped calls for an overhaul of the nation's telecommunications networks, such as backing the regional Bell phone companies' bid to scale back laws that regulate their ability to compete in the market for high-speed Internet access, or broadband.

Instead, the blue-ribbon panel of industry executives and academics hopes to encourage the development of more online entertainment, as well as online government and educational services, as a way to lure more of the 70 million Americans now online to upgrade to broadband, which is four to 30 times faster than a standard dial-up modem.

"We think this report will be a very significant move forward," said Claudia Jones, a spokeswoman for AT&T Corp., which has been following the issue closely.

A spokeswoman for the White House Office of Science and Technology Policy declined to comment on the report.

The Bush administration has been under pressure from Silicon Valley to implement tax incentives and change the rules governing the phone and cable TV industries to help boost the number of high-speed Internet connections amid an industrywide financial meltdown.

Only about 10 million homes have high-speed Internet access, which is more complex to install and twice as costly as traditional dial-up Internet access.

Many consumers see no compelling reason to pay extra for broadband, according to a study released Monday by the Commerce Department. The average $40 to $50 monthly fee for broadband is cited by many consumers as the main reason they aren't upgrading to faster access, the Commerce Department said.

Three industry sources who have seen draft copies of the president's council report said the group generally recommends a laissez-faire and low-key approach to broadband.

Besides supporting the development of more content, the report is expected to call for more research and development of high-speed technologies, including wireless data networks. The report also will recommend the government use its clout as a big purchaser of technology to promote online services that could benefit from a fast Internet connection, such as distance learning and telemedicine.

In calling for more engaging content, the report could put the White House at odds with Hollywood and other powerful forces seeking greater government protection for creative works online.

Although government has little broadband content to offer, a report to be released today by a unit of the Progressive Policy Institute suggests one novel approach: encourage the nation's public broadcasting stations to put their television shows online.
*************************
San Francisco Gate
Internet replacing the college library


Washington -- Just because that college junior still has not found his way to the campus library does not mean he is an academic slacker. Almost three-quarters of U.S. college students now use the Internet more than the library, and a strong majority said the Net has been an asset to their educational experience, according to a recent report.

The study, conducted by the Pew Internet & American Life Project, found that 86 percent of college students have gone online, compared with 59 percent of the general population.

"One of the things that jumped out was the degree to which college students have integrated the Internet into their everyday life. They are used to high-speed, instant access. They treat it like they would any utility -- water, telephones, television," said Steve Jones, the study's author and head of the Communications Department at the University of Illinois at Chicago.

The study is based on more than 2,000 surveys from undergraduate students at 27 U.S. colleges and universities, as well as observational research done at 10 schools in the Chicago-area. The research was conducted from March to June and has a margin of error of plus or minus 2 percentage points.

"This is such an interesting generation," Jones said. "We've known anecdotally that students are using the Internet a lot, but we didn't have any hard numbers. Nobody has ever gone out to find out for sure what is really happening."

Students are using the Net for research purposes, but also to communicate with professors and other students outside the classroom. Almost half of the students said they were better able to share thoughts and ideas with professors through e-mail than in person, and 75 percent have used the Internet to communicate with peers about academic projects.

The study also found that 85 percent of college students own their own computer and that most prefer to search the Web from the comfort of home.

Computers have not yet revolutionized the university experience in the radical ways many predicted. Of the 6 percent of students who chose to take a class online, only slightly more than half found it to be worthwhile. And interaction between teachers and pupils on message boards and instant-messaging programs remains low.

Nearly three-quarters of students check e-mail at least once a day but not always in anticipation of a new homework assignment. Forty-two percent of college students use the Internet primarily as a vehicle for social communication, and almost all students use e-mail to keep in touch with friends and family at least once a week.
**************************
News.com
U.S. puts money on World Bank "hacktivists"
By Matthew Broersma
September 24, 2002, 6:00 AM PT


The U.S. government is advising system administrators to monitor their systems for computer attacks planned this week, ahead of the Washington, D.C., meeting of the World Bank and the International Monetary Fund.

The meetings have spurred protests in previous years, but this year anti-globalization activists are expected to step up their plans, possibly attempting to block traffic on the city's streets on Friday. The U.S. government's National Infrastructure Protection Center (NIPC) said Monday that those planning physical disruption might also use computer attacks to "enhance the effects of the physical attack or to complicate the response by emergency services to the attack."

Although there have been no specific cyberthreats issued against the IMF and World Bank meetings, the center warned that "several hacker groups" could be planning Internet protests.

The center said that computer attacks could be carried out either by idealistic hackers or simply by publicity seekers. "Cyberprotestors can engage in Web page defacements, denial-of-service attacks, misinformation campaigns, and the like," the NIPC said in a statement.

The center recommended that system administrators monitor their own computer networks to prevent hackers from either staging attacks on their own networks, or using the network as a jumping-off point to attack a third party.

Administrators were also urged to review their security procedures, including limiting unnecessary inbound traffic, changing passwords and login names and keeping up-to-date with software patches. Suspicious activity can be reported to FBI offices, the NIPC or other authorities, the NIPC said.

Last summer a European Union summit in Gothenburg, Sweden, was marred by running battles between police and protesters, causing the World Bank to cancel a planned Barcelona meeting and turn it into an online videoconference.

The NIPC dates online activism from 1998, when Electronic Disturbance Theater endorsed a series of attacks on the Web site of the Mexican government.

ZDNet U.K.'s Matthew Broersma reported from London.
*****************************
Sydney Morning Herald
Judge reserves decision on spam fighter trial
By Perth
September 24 2002





A judge has reserved his decision on whether a "fearless spam fighter" should face trial for disrupting the $1,000-a-day business of a company which sends junk email, or "spam".

Perth man Joseph McNicol had lodged an application to strike out a civil action against him by The Which Company, the parent company of direct-marketing business t3 direct, which sends bulk unsolicited email.

The Which Company alleges it lost $43,000 in business after Mr McNicol, annoyed at receiving its emails, 'outed' t3 direct by posting its IP details on the internet.

The West Australian District Court was told yesterday the IP address was noted by a not-for-profit group called SPEWS - Spam Prevention Early Warning System - which blocks spam emails from getting to addresses on the Internet.

T3 alleges Mr McNicol, described in court as a self-styled "fearless spam fighter", told SPEWS that t3 was spamming - which caused SPEWS to block the company's emails.

But Mr McNicol's lawyer Jeremy Malcolm said there was no evidence of any contact between Mr McNicol and SPEWS.

Deputy Registrar Richard Hewitt suggested SPEWS could provide information on who tipped them off.

However, Mr Malcolm said contacting SPEWS would prove difficult.

"SPEWS is a totally anonymous body and nobody knows who they are," Mr Malcolm said.

T3 said Mr McNicol's vendetta against spam, and his outing of t3, made it likely the Perth man did pass the information to SPEWS.

This should be tested in court, the direct marketer said.

Mr Hewitt said t3 was asking for permission to proceed so it could get access to the information "locked up in the mind of the defendant".

"At the moment you don't have any evidence to prove your case (but) we have a demonstrated level of hostility between the defendant and your client," Mr Hewitt said.

Mr McNicol has previously alleged, outside court, that Internet users would have to find an alternative to email if marketing companies got the green light to send junk email.

Deputy Registrar Hewitt has reserved his decision until October 7.
**************************
Sydney Morning Herald
Unguarded moments - why cyber security is on the rise
By Kim Zetter
September 24 2002

The spike in computer crime in the past two years has been matched by a parallel spike in the number of security consultants and companies popping up to relieve organisations of their worries and their budgets.

With promises to plug holes, monitor traffic and chase down criminals, Managed Security Services can appeal to IT departments too taxed with administration to maintain security and to companies too small to hire specialist staff.

Knowing what to do yourself - and what to contract out and to whom - is a common difficulty.

The advantages of outsourcing are many. It's less expensive to pay a fee for expert services than to hire and train dedicated staff. Security providers are aware of the latest vulnerabilities, patches and products. And if they're monitoring your traffic full-time, they can respond to attacks in progress rather than a day or week later when your regular administrators get around to analysing the network logs.

What's more, MSS providers have more experience responding to attacks against your system since they are more likely to have seen similar attacks on others.

But not all offer the same services or quality and not all are financially stable.

According to industry researchers at Giga Information Group, there are more than 80 MSS providers in the United States operating nationally - down from 125 last year - a figure that analysts expect to drop to 60. So you should choose wisely, in case your security provider goes belly-up.

When it comes to picking a provider, the managed security label can be misleading since it encompasses a variety of services, from one-time vulnerability assessments to 24-hour network monitoring.

Some companies that call themselves MSS providers are actually only product resellers.

Steve Hunt, a research analyst with Giga, says there are six categories of MSS:

On-site consulting to develop a security plan and infrastructure.
Vulnerability testing.
Product sales of security hardware and software.
Remote perimeter management, which involves installing, configuring and managing a virtual private network.
Network monitoring, a 24x7 service to watch network traffic for suspicious activity and intrusions.
Compliance monitoring to ensure employees comply with company policies.

Some providers offer a single service, others a smorgasbord. Costs can range from $US250 ($A474) a day for consulting to $US12,000 a month for network monitoring.


Small Sydney provider Kyberguard, for instance, has 50 clients including Nippon Telephone and Telegraph and international engineering group Montgomery Watson Harza.

It charges $250 a month for small companies, which includes the cost and installation of a firewall and IDS hardware as well as 24-hour monitoring of perimeter activity. For 100 to 150 employees they charge $950 a month for hardware and monitoring of internal-external traffic. They also install and configure VPNs.

Canberra-based 90East, which has offices around the country, charges $7000 to $10,000 a month for network monitoring. It also offers server hosting and VPN services.

The company is new to the commercial market after securing government systems for several years. The founders were government contractors who built a complex firewall system for federal agencies, then formed 90East when the government decided to outsource security.

Their clients include 35 federal departments, state governments and legal firm Minter Ellison.

The company recently acquired Application Service Provider Peakhour.

Giga's Steve Hunt says that before choosing any MSS, you should assess your business risks and needs to decide what you can do in-house and what you should outsource. But no company should hand over all security to an outsider.

Greg Nelson, information security manager for chip maker Advanced Micro Devices, says companies should retain control of security management.

"You can outsource specific tasks but you can't outsource responsibility for the security of your company," he says.

Bruce Schneier, founder of United States network monitoring service Counterpane, recommends outsourcing labour-intensive tasks such as vulnerability assessment, network monitoring, consulting and forensics.

Schneier says companies cannot effectively monitor their own networks.

"Security monitoring is inherently erratic: six weeks of boredom followed by eight hours of panic," Schneier says. "Attacks against a single organisation don't happen often enough to keep (staff) engaged and interested.

"The choice is not outsourcing or doing it yourself. Goldman Sachs can do it themselves. But nobody else can."

AMD, which has 14,000 employees worldwide but only three security staff in the US, hired Counterpane after trying unsuccessfully to track more than 100 Internet servers.

"We were always a day behind in analysing results and we could never catch anything as it was happening," AMD's Nelson says.

Counterpane monitors AMD's systems around the clock, while another undisclosed company runs penetration tests twice a month. Nelson says the decision was also an economic one.

Counterpane charges about $US12,000 a month, as opposed to the $100,000 to $200,000 a month it would cost most companies to hire five or six specially trained employees to monitor their systems around the clock.

AMD at least recognised the need to monitor their networks. But according to Tim Cranny, senior consulting engineer with 90East, many companies do not even make the attempt.

"You'd be astonished at the number of companies that have an intrusion-detection system or firewall but no one watching them," he says.

Although it might be tempting to hire an all-in-one MSS for your needs, Counterpane's Schneier says you should avoid companies that have a conflict of interest, such as those that sell products and offer to manage them or those that offer device management plus monitoring.

If the monitoring staff discover an intrusion to a system that the device-management team should have secured, they're likely to fix it quietly without telling you about the mistake. Companies that sell products and do vulnerability assessments also have an obvious interest in finding problems their products will solve.

He believes it is better to hire a company that does one thing well and to hire others for separate tasks.

Giga's Hunt says that penetration tests can sometimes be useless as they can be used to get an organisation to sign on for other services or by IT departments to justify larger budgets.

"And all the reports say the same thing," Hunt says. "You have crappy passwords, you have open ports, your operating system lacks the latest patches."

Hunt says before authorising a test you should shore up your network with basic steps such as secure passwords and closed ports and then test only to find serious problems you would have missed on your own.

In the end, the best providers are leaders in their field and have a good history behind them. Hunt suggests talking to other companies with security needs similar to yours and asking analysts for solid security consultants and companies that will be around for a while.

Before hiring Counterpane, Nelson narrowed AMD's choices to five companies but by the time they came to make a final decision three of them were already out of business.
****************************
Earth Web
Library Of Congress Goes Grid
By Paul Shread


Grid computing technology may soon be used to preserve such priceless artifacts of American history as films of the Spanish-American War and the 1906 San Francisco earthquake, the photographs of Matthew Brady and Ansel Adams, and Walt Whitman's notebooks.

The Library of Congress is evaluating Grid technology developed at the San Diego Supercomputer Center to archive and preserve these works and the Library's other digital collections.

The Library has assembled numerous important digital collections such as American Memory, a treasure trove of films, recordings, photos and documents from U.S. history and culture. The collection, "rich primary source materials on the history and culture of the United States," contains more than 7.5 million digital items on more than 100 topics from the collections of the Library and other repositories. Items include encoded text, images, and audio and video files varying in size from 25 kilobytes to 5 megabytes each, for a total of some 8 terabytes of digital data.

Powerful data Grid technologies such as the Storage Resource Broker (SRB) developed at the San Diego Supercomputer Center (SDSC) for scientific computing are showing promise of being able to preserve these digital holdings. SDSC and the Library are collaborating to evaluate the SRB data Grid software to preserve and manage priceless national digital collections.

"We're interested in how the SRB can be applied to the task of building a repository for managing Library of Congress digital holdings," said Martha Anderson of the Library's Office of Strategic Initiatives.

'Repurposing' Collections

"We're entering an era in which digital libraries can be used to preserve intellectual capital," said Reagan Moore, co-director of the Data and Knowledge Systems program at SDSC. "And beyond preservation, the ability to discover the information and knowledge content within digital holdings will add even greater value to these collections."

The researchers will investigate the capabilities of the SRB to manage and "repurpose" Library of Congress collections. Repurposing a collection involves giving users the ability to generate new views of the digital holdings. For example, a user might want to gather the material in the American Memory collection that is relevant to a landing on Mars. This material might involve NASA material on the mission and space vehicle, Congressional material on the budget debates involving the funding, and other material that puts the mission in historical context.

The collaboration will involve the installation at the Library of Congress of the SRB software and the Metadata Catalog, which keeps track of each digital object. Library of Congress staff will then build a test collection and use it to evaluate the capabilities of the SRB data Grid middleware to preserve both the collection and descriptive information about the collection; to enable a naming convention that spans the entire collection, no matter where its components are located; to merge different collections seamlessly into new virtual collections; and to control access.

Library of Congress researchers are also interested in evaluating the ability of the SRB to interoperate with other systems using open standards.

"We're looking forward to the research opportunities this collaboration will give us to understand how digital library, data Grid, and persistent archive technologies can all be integrated in support of preservation of digital holdings," said Moore. "This will help extend our ability to preserve intellectual capital."
*************************


Lillie Coney
Public Policy Coordinator
U.S. Association for Computing Machinery
Suite 510
2120 L Street, NW
Washington, D.C. 20037
202-478-6124
lillie.coney@xxxxxxx