Clips October 4, 2002




ARTICLES

Company Asks Judge to Throw Out Law Student's Suit [DMCA]
Busboy: I Stole IDs of Rich Via Web
WorldCom Glitch Causes Internet Delays
UUNet troubles spread over Net
Malaysia Questions Origin of Bugbear Computer Virus
GSA successfully tests E-Authentication gateway prototype
Customs will learn law enforcement via satellite
Senate cybersecurity bill hits snag
Tech leaders unveil top computer security weaknesses
Government releases top 20 vulnerability 'hit list'
Bills Would Bolster the Right to Copy [DMCA Bills]
A homeless guy finds a refuge on the Internet
Congress asked to unpick copy lock laws [DMCA Bills]
Microsoft Discloses Security Flaws
New alerts have analysts doubting Microsoft security
Teen saved after online suicide bid
What Spies Beneath [Privacy]
Open Standards Play Big In Motown

*****************************
Chronicle of Higher Education
Company Asks Judge to Throw Out Law Student's Suit
By ANDREA L. FOSTER

The Internet filtering company N2H2 Inc. is asking a judge to dismiss a lawsuit that a Harvard University law school student brought against the firm. The student, Benjamin G. Edelman, wants a judge to clear the way for him to obtain and disseminate the list of Web sites that N2H2 blocks.

The Seattle-based company filed a motion to dismiss the case on Monday in U.S. District Court in Boston. The motion argues that Mr. Edelman has no standing to sue because the company has never threatened him with legal action.

Mr. Edelman's suit is a preemptive strike against N2H2. He says he fears that the company will take action against him under the Digital Millennium Copyright Act if he proceeds with research on bypassing the company's encryption, which restricts access to its list of blocked sites. He says he wants to publish his results. The digital-copyright act makes it a crime to circumvent a technology designed to control access to a copyrighted work.

Mr. Edelman's suit, filed in July, asks the judge to interpret his research as a fair-use exception to the act, or to declare as unconstitutional the portion of the act that would inhibit his research. (See an article from The Chronicle, August 9.)

But in its motion, N2H2 says Mr. Edelman is asking the court "to engage in futile speculation."

"It is impossible to know whether Edelman's ill-defined future activities will or will not violate N2H2's standard license, the [digital-copyright law], or any other law, or if N2H2 ever will choose to enforce any of those rights against him," the motion reads.

The company's argument is similar to the one the recording industry made last year as it sought to defend itself against a lawsuit brought by Edward W. Felten, a Princeton University computer scientist. Mr. Felten had said that he feared the recording industry would sue him under the digital-copyright law if he and other researchers proceeded with research on encryption that limits access to digital music.

The judge in that case sided with the recording industry, saying there was no conflict between the litigants. (See an article from The Chronicle, December 14, 2001.)

The American Civil Liberties Union, which is representing Mr. Edelman, believes N2H2, however, will have a harder time than the recording industry convincing a judge that no conflict exists between the litigants.

In a filing in August with the Securities and Exchange Commission, N2H2 stated that it will take legal action against those who threaten its trade secrets.

And while the recording industry had backed down on its threat to sue Mr. Felten, N2H2 has made no such retreat, says Ann Beeson, an ACLU lawyer who is representing Mr. Edelman.

Mr. Edelman quotes from the SEC filing, and says he's had "multiple clear reasons to feel threatened of a suit in response to his research."
**************************
Associated Press
Busboy: I Stole IDs of Rich Via Web
Thu Oct 3, 7:14 PM ET
By DEVLIN BARRETT, Associated Press Writer


NEW YORK (AP) - A restaurant busboy pleaded guilty Thursday to stealing the identities of numerous wealthy American celebrities and executives in a bid to loot their bank accounts. But he told the court he acted out of a sick compulsion, not greed.

"I wish I could say that this was all about money, then I'd have a reason to explain why I've ruined my life," Abraham Abdallah said in Manhattan federal court.

Abdallah was arrested in March 2001 on charges he used the Internet and a dog-eared copy of Forbes magazine about "The 400 Richest People in America" to compile the Social Security numbers, home addresses and birth dates of 217 CEOs, celebrities and tycoons.

Prosecutors said he used the information to gain access to credit card accounts and attempted to transfer millions of dollars from such figures as Steven Spielberg, Warren Buffett, Martha Stewart, Oprah Winfrey, Ross Perot and Ted Turner. Prosecutors say he attempted to steal more than $22 million, but was largely unsuccessful.

At the time of his arrest, authorities called Abdallah one of the most ambitious identity thieves they had ever seen.

The career con artist, who served time in the 1990s for passing counterfeit checks in the Virgin Islands, pleaded guilty to wire fraud, credit card fraud and identity theft, blaming his crimes on mental illness and an overpowering compulsion to beat the system.

"It always has to do with my ability to control my compulsion," he told Judge Loretta Preska. "If there's anyone on earth who wants it to stop, I do."

Before his plea, the 32-year-old high school dropout reeled off a list of seven prescription medications he was taking to treat depression, bipolar disorder and obsessive-compulsive behavior.

Abdallah used a combination of mail boxes, voice mail accounts and Web sites to pull the personal information together.

The scheme unraveled when an e-mail request to transfer $10 million from a Merrill Lynch account belonging to Thomas Siebel, founder of Siebel Systems, raised red flags, police said.

Siebel said he never made the request, and Merrill Lynch contacted authorities.

Abdallah's lawyer said most of the private information was never used to steal money.

Spielberg's representative said his client's funds were never violated. Turner's spokesman said he was unavailable for comment. Representatives for Perot and Stewart had no immediate comment. Winfrey and Buffett could not be reached by telephone.

With his plea, prosecutors said they believe Abdallah's prison sentence should be about 11 years.
***************************
Washington Post
WorldCom Glitch Causes Internet Delays
Botched Software Upgrade At UUNet Unit Blamed
Friday, October 4, 2002; Page E01


Internet traffic across the nation snarled yesterday, slowing or stalling access to Web pages and e-mail messages for millions of users, because of a failed software upgrade on WorldCom Inc.'s network.

WorldCom's Ashburn-based UUNet unit, which carries roughly half the nation's Internet traffic, was upgrading software for its routers yesterday morning when the network began having problems. About 20 percent of the company's customers, and an unknown number of Internet users outside WorldCom's network, were affected until service was restored in the late afternoon, said WorldCom spokeswoman Jennifer Baker.

The slowdown was the biggest in years, according to analysts and Internet service providers, and was magnified because WorldCom is a major backbone provider to other Internet services, as well as to businesses and individuals.

Baker said WorldCom technicians in several locations were installing software on the network's routers -- equipment that directs data from one location to another -- around 8 a.m. Eastern time when failures and slowdowns began. It took until late afternoon before the traffic began returning to normal levels, and automated online monitors showed glitches in some circuits into the evening.

The Internet will operate even if a major provider's lines fail. But providers are dependent on one another, so if the network from a busy route such as New York to Boston gets disrupted, traffic is forced through smaller, alternative channels that are less equipped to handle a high volume of traffic, said Seth Libby, an analyst with the Yankee Group market research firm in Boston.

AT&T Corp. had trouble all day handing off traffic to and from UUNet's network. AT&T's customers experienced delays downloading Web sites or were unable to access sites at all, said David Johnson, an AT&T spokesman.

"I would not say this is a common event, and I don't remember one this large or this significant," he said.

Network engineers at Cable & Wireless USA Inc. noticed as the workday started yesterday that more traffic was getting rerouted through other exchanges, jamming less-traveled routes, said Chad Couser, a Cable & Wireless spokesman. Though it didn't significantly affect the flow of traffic in Cable & Wireless's network, it did disrupt Internet access at the company's Washington public relations agency, he said.

"It's another reason why companies need to get contingency plans," so that traffic can get rerouted when these outages happen, Couser said.

Statistically, network outages occur at a lower rate than they did a decade ago, when construction workers routinely cut lines and disrupted traffic about once a month, said Herschel Shosteck, founder of industry research firm the Shosteck Group in Wheaton. But rival companies have since laid more fiber-optic cable in the ground to create parallel networks, he said.

"The networks have become so robust it's surprising that it still does happen," he said.

Public concern over outages like yesterday's is heightened because of the poor financial health of major carriers such as WorldCom, Global Crossing Ltd. and Williams Communications Inc., although the network outage was unrelated to WorldCom's bankruptcy, the spokeswoman said.

It's unlikely that a major problem such as this one was caused by a lack of personnel, said Frank Dzubeck, president of Washington-based consultancy Communications Network Architects Inc.

"Networks aren't dependent on a group of human beings anymore; computers generally talk to one another" and run networks' day-to-day operations, he said.
****************************
USA Today
UUNet troubles spread over Net
By Andrew Backover, USA TODAY


WorldCom's UUNet network, one of the world's biggest carriers of Internet traffic, suffered a major outage Thursday that slowed or disrupted service for customers, Internet providers and rival carriers across the globe.

From about 7 a.m. until 5 p.m. ET, many Web sites hosted by UUNet were inaccessible or slow. Financial transactions were delayed or aborted. E-mail and file transfers were snarled. Foreign Internet providers saw traffic snarls at UUNet's connections in Washington and Los Angeles. Regional Internet service providers, which connect to UUNet, were shut down for hours.

At times, more than 20% of the Internet traffic handed to UUNet's U.S. backbone was rejected or had to be resent, says Tom Ohlsson of Matrix NetSystems. It monitors the Internet for large corporations.

"For businesses that rely on the Internet, (it) was the kind of day they don't ever want to have again," he says.

While outages are common, this one underscored how key one company can be to global communication. WorldCom operates 30% of the capacity on the 20 largest U.S. backbone routes. That's more than the combined capacity of the next four biggest providers, research firm TeleGeography says.

The outage also got extra scrutiny because of WorldCom's financial woes and legal problems. Six of the 10 biggest Internet backbone carriers, including WorldCom, are financially struggling.

Customers are already jittery about WorldCom's ability to deliver good service as it operates under bankruptcy protection. Customer losses could hamper its comeback.

What's more, WorldCom announced more than 20,000 job cuts this year, leaving some customers to wonder if that is having an impact.

Shortly after 5 p.m., WorldCom said service was restored. The problem: Network routers gave wrong directions to traffic. It affected about 20% of UUNet's customers, WorldCom said.

"We are completely in the dark," says Joe DePalo, director of customer support for netVmg, which sells products that switch customers to backup carriers during outages. "I had no notification of the outage ... no notification of the status." Ten netVmg customers that use UUNet had to switch to other carriers. NetVmg moved 70% of its UUNet traffic to Level 3.

Even non-UUNet customers felt the impact if their Internet providers handed traffic to UUNet. Rival AT&T said some customers struggled to reach Web sites hosted by UUNet. "We, like everyone else, have to await their ability to identify and repair the problem," AT&T spokesman Dave Johnson said.

Cable & Wireless spokesman Chad Couser says the outage hammers home the reason customers should have backup carriers.
****************************
Reuters
Malaysia Questions Origin of Bugbear Computer Virus
Fri Oct 4, 3:33 AM ET


KUALA LUMPUR, Malaysia (Reuters) - Malaysian cyber detectives tracking a new computer worm that disables security software said Friday there was no proof it came from Malaysia, as some reports suggest, or that it was being used for credit card fraud.



Anti-virus firms warned computer users Monday that the 'Bugbear' worm opens up a backdoor in the computers and logs keystrokes.

A British-based technology news Web Site, vnunet.com, reported earlier this week that the worm was first detected in Malaysia, and had the ability to steal password and credit card details.

The infamous "Love Bug" and "Nimda" worms both originated in the neighboring Philippines.

"We are analyzing the worm but we find no justification to the claim that it was discovered in Malaysia or may have even originated here," said Raja Azrina Raja Othman, deputy director of the government's National Information, Communications Technology Security and Emergency Response Center (NISER).

She said there was also no evidence that the worm had been used by credit card fraudsters.

"There is a lot of credit card abuse already on the Net and it is not necessarily caused by worms," Raja Azrina told Reuters.

"The person who invented the Bugbear may have had that in mind but we don't see the worm exploiting that feature very much," she added.

Raja Azrina said initial investigations by NISER showed Bugbear was "easily spreading."

"We find it has very similar characteristics to the KLEZ," she said, referring to an earlier virus which sends e-mails with randomly named attachments and subject fields.

The Bugbear worm takes advantage of a known vulnerability in Microsoft Corp's Internet Explorer, said Vincent Gullotto, vice president of the anti-virus response team at Network Associates Inc.

It shuts down anti-virus and firewall software designed to block out intruders and can spread by dropping copies of itself into folders on shared networks, which are commonly used at corporations and large organizations, he said.

The worm, which was seen in the United Kingdom, Poland, Finland, India and the United States, seems to have leveled off, Gullotto said.

MessageLabs, a UK-based e-mail outsourcing provider, said that it had seen 1,200 copies of the worm and that the first copy it received was from Malaysia.
*************************
Washington Post
Investors Smell Green in Government IT Sector
Government Contractors Take Advantage of Tech Bust To Actively Court Wall Street


By Cynthia L. Webb
washingtonpost.com Staff Writer
Friday, October 4, 2002; 12:00 AM


Dendy Young, chairman and chief executive of GTSI Corp., used to have a tough time getting the investment community to notice his company.


"A year ago it was frankly difficult to get in and see people," said Young, whose Chantilly-based company resells computer software and hardware to local, state and federal government agencies. "I would try and take trips to New York and I would get one or two appointments set up and it would be difficult to get others."

But as the broader technology sector continues to flail, GTSI Corp. [GTSI] and other firms in the government contracting space are winning newfound respect from investors seeking out companies with real customers and cash flow.

"Nowadays if I go to New York, I'm making five six calls a day," Young said.

Market analysts are taking note of the expected flood of information technology spending by the federal government. According to FSI, an IT market research firm in McLean, roughly $52.5 billion of President Bush's proposed fiscal year 2003 budget is slated for IT-related systems and services. That is an increase from $44.9 billion pegged in the budget submitted for fiscal year 2002.

Higher government spending on technology was prompted in part by the Sept. 11 terrorist attacks. A good deal of that money is expected to be spent on cybersecurity efforts and high-tech weapons and the systems that make them work. Moreover, the government's war on terrorism is requiring bureaucrats to link diverse computer systems -- from the CIA and Defense Department to the Customs Service and newly formed Transportation Security Administration -- to better share information and mine data.

Investment experts know the government will turn to private firms to carry out many of these tasks. And with so much work potentially available to the sector, the stock performances and bottom lines of defense and IT services firms servicing the government have shown promise.

Case in point: Two years ago, GTSI's shares were trading in the $3 range. A year ago, the stock was trading at below $6.50 and it has climbed to the $8 to $9 range recently. GTSI logged nearly $784 million in revenue last year -- almost a 16 percent hike from 2000. The company has been profitable year-over-year since 1998, and it has seen its employee roster grow from 574 workers in 2000 to 671 today.

"The government sector was not a golden child to Wall Street for a number of years," said Marylourdes Petty, who heads GTSI's investor relations. Founded in 1983, GTSI went public in 1991, but its name is just now getting more traction.

"[S]uddenly we are the golden children," Petty said.

It doesn't hurt, however, that GTSI has ramped up its investor and public relations efforts. Three years ago, the company didn't even have an investor relations department. The company started making a concerted effort to woo big investors about two years ago, Young said. His schedule is now filled with meetings to pitch investment clubs, the National Stockbroker's Association and analysts.

Even larger players in government contracting circles have put a premium on courting Wall Street. American Management Systems Inc. [AMSY] of Fairfax, for example, has increased its focus on investor relations as part of the information technology consulting company's recent management changes, said spokeswoman Anne Burt.

Outreach is more active in both directions between the investment community and contractors, said Doug Coffey, vice president of communications of Arlington-based United Defense [UDI], a producer of combat equipment and precision munitions. "We are certainly answering more of their questions and there are more calls coming in," Coffey said.

IPOs Evidence of Sector's Strength

Since last December, five Washington-area IT services companies have gone public, according to New York-based IPO.com. United Defense went public in December 2001, the only IPO in the industry last year, followed quickly this year by Anteon International Corp. [ANT], SRA International Inc. [SRX], Veridian Corp. [VNX] and ManTech International Corp. [MANT] Outside the region, MTC Technologies [MTCT] of Dayton, Ohio, and Integrated Defense Technologies Inc. [IDE] of Huntsville, Ala., also went public this year.

More IPOs are expected soon in the IT and defense contractor sector; SI International Inc. of McLean and Vertex Aerospace Inc. of Madison, Miss., have already filed their intent to go public.

Another research firm that tracks IPOs, New York-based Dealogic, said $821 million has been raised so far this year in the sector, compared with $446 million in 2001. The $821 million raised this year amounts to 4 percent of total IPO volume, compared to the 1 percent figure racked up by United Defense's sole IPO last year. (Dealogic does not include Veridian's IPO in its figures for the sector. Veridian went public on the New York Stock Exchange in June after filing earlier this year, raising an estimated $216 million.)

The IPOs have caused a pick-up of investor relations activity, said William R. Loomis, a Legg Mason managing director who covers the IT services industry. He noted that investor relations shops for firms like GTSI are making more calls to analysts like himself and to investment houses to drum up interest in their companies.

"There is more activity and part of the reason for that is there are more public companies in the government IT space compared to a year ago and certainly compared to two years ago," agreed Wayne Johnson III, a director at SunTrust Robinson Humphrey in Atlanta.

Johnson has noticed an uptick in unsolicited calls from companies. Investors also have taken more of a liking to the sector as the government has streamlined its procurement practice. And investors recognized that there is a high-rate of recurring revenue in the sector, as firms win multi-year contracts from government agencies, Johnson said.

All the IPO activity and pickup in business for contractors has helped to create more interest in the sector, said Noreen Centracchio, senior vice president of investor relations of Anteon, whose main client is the federal government.

In the past, Centracchio said, it was regional investors who typically tapped into firms like Anteon. But now major underwriters are also interested in investing in the sector. Her phone calls get answered a lot quicker than they used to, helped in part by getting executives on more panels and in more meetings with analysts than before the company went public. The number of analysts on the company's earnings calls has grown substantially, she said.

Arlington-based CACI International Inc. [CAI], another defense IT contractor, started an active outreach program to Wall Street nearly three years ago, initially to target funds with an interest in small-cap companies, said Stephen L. Waechter, CACI's chief financial officer.

Waechter said there's been a noticeable change in feedback. "Two years ago, we were going out seeking them out. Today, they are actually seeking us out."

CACI, like other companies, has a full schedule of events to speak to investors, with some 20 conferences and events on the calendar, Waechter said.

PEC Solutions Inc. [PECS] of Fairfax said it was lucky to get four calls a week from analysts and other investors when it first went public in April 2000. Now the company gets 30 to 40 a week, said John McNeilly, PEC Solutions' manager of media and investor relations. The company also has two to three meetings a week with institutional investors, compared with a handful a month in prior years, he said.

More Outreach Expected

Hunter Thompson, chairman of the board of Richmond-based independent brokerage firm Thompson Davis & Co., decided to invest in GTSI after an investor relations firm GTSI hired, The Equity Group of New York, contacted him. His company initially bought between 50,000 and 100,000 shares of GTSI, he said. "These guys were very unique because most of the other technology companies ... are doing so poorly," said Thompson, who plans to invest in other IT contractors as government spending ramps up.

Smaller-cap companies, like many of the newer publicly traded government IT contractors, might have more work ahead to get the word out about their companies, said Devin Sullivan, a senior vice president at The Equity Group.

"You have to knock on a lot more doors, work that much harder to get the message out. Everybody knows Lockheed Martin ... but people on Wall Street don't necessarily know [the smaller companies.] That is beginning to change."

Still, with IT contracting firms becoming investors' new darlings, the proof will still be in the staying power of the industry.

No matter what story is shopped around to investors or how many calls are returned, "it's being able to perform," Anteon's Centracchio said. "We don't want to stub our toe at all ... and I know the entire [industry] feels the same way."

Cindy Webb's e-mail address is cindy.webb@xxxxxxxxxxxxxxxxxxx
******************************
Government Computer News
GSA successfully tests E-Authentication gateway prototype
By Jason Miller

The General Services Administration's prototype of the E-Authentication gateway last week passed its initial test and is being geared up to handle transactions for five or six other projects by Dec. 31.

Stephen Timchak, the E-Authentication program manager, said his group tested the model gateway with the time and attendance application of the Agriculture Department's National Finance Center.

GSA is the managing partner of E-Authentication, one of the Office of Management and Budget's 25 e-government initiatives.

GSA assessed the prototype by logging users on to NFC's system using digital certificates within a public-key infrastructure that also had PIN and password security. When a user with only PIN and password access tried to log into the PKI access section of the system, the gateway recognized that the user was missing a digital certificate and denied access.

"The test showed the gateway can discriminate between different levels of authentication," he said. "The test went well, and the gateway worked flawlessly."

Many observers consider the E-Authentication gateway the key component to the entire e-government process, making the successful test an important milestone.
***************************
Government Computer News
Customs will learn law enforcement via satellite
By Preeti Vasishtha


Customs Service employees will receive law enforcement training via a private satellite TV network under a one-year, $1.1 million contract awarded to Primedia Workplace Learning.

Customs will receive programming from Primedia's Law Enforcement Television Network at 350 locations. The training includes techniques in critical emergency response, homeland security, safety and health.

Installing the equipment for satellite reception has been completed, according to a spokesman for Primedia Inc. of New York, the parent company of Primedia Workplace Learning. The contract includes programming from the law enforcement network, as well as Primedia's Fire and Emergency Training, and Health and Sciences Television networks.

The programming covers:
Law enforcement training, news and information
Antiterrorism and homeland security training
Customs' communications such as press conferences and live events

Primedia provides the law enforcement network to about 175,000 federal, state and local law enforcement personnel from 2,000 agencies, according to the company.
**************************
Government Executive
Senate cybersecurity bill hits snag
By William New, National Journal's Technology Daily


An effort to quickly move through the Senate a bipartisan bill authorizing $903 million over five years for cybersecurity research has snagged on an anonymous Republican "hold," sources said. GOP aides on Thursday said the issue of concern has been resolved and the hold will be lifted, but at presstime, the Senate Democratic cloakroom said it is still active.

"It is our understanding there is a hold on it from the Republican side," said Carol Guthrie, the spokeswoman for bill sponsor Ron Wyden, D-Ore. "This is particularly distressing in light of Senator Wyden's policy of publicly announcing when he puts a hold on a piece of legislation." Publicly announcing a hold is "a step toward resolving differences in a bipartisan manner."


A Republican aide, however, said the delay is not a formal hold but rather one Republican office "taking a closer look" at the legislation.



The bill, S. 2182, was "hotlined" for senators' review on Monday evening, a step designed to hasten floor action, but it has not moved since. The reason for the hold is not clear, but sources said it arose from Bush administration concerns about a management provision that the Senate Commerce Committee placed in the measure.



In a speech before the National Academy of Sciences earlier Thursday, House Science Committee Chairman Sherwood Boehlert, R-N.Y., who led the push for easy passage of a similar House bill, H.R. 3394, said he is optimistic about the legislation's prospects.



"The Senate is likely to pass a slightly revised version that we've worked out with them by unanimous consent today, and then the House should send it on to the president next week," Boehlert said.


The measure would authorize grants for basic research, to be managed by the National Science Foundation, and industry partnership programs, to be managed by the National Institute of Standards and Technology. The draft set for Senate action represents a compromise reached by Senate and House staff last week.


The tech industry has taken note of the latest Senate maneuvering. "If the bill is formally delayed, we will wonder why and the tech industry will be concerned," said Shannon Kellogg, vice president of information security at the Information Technology Association of America.



"It would be a real shame if the bill were delayed because there is consensus on the aims and substance of the legislation," added Mario Correa, vice president at the Business Software Alliance. "I think members have worked hard to move this quickly before Congress recesses."



Correa said the bill is of particular interest to the technology industry. "We are seeing other legislation of interest to the tech industry such as the [homeland security] bill delayed, so we're hoping to make progress on other fronts such as this bill."
***************************
Government Executive
Tech leaders unveil top computer security weaknesses
By Maureen Sirhal, National Journal's Technology Daily


The federal government and information security experts on Wednesday identified what they called the top 20 vulnerabilities in computer networks and tools to help officials mitigate those weaknesses.

Two weeks after the Bush administration released a national cybersecurity strategy, the General Services Administration's (GSA) Federal Incident Response Center (FedCIRC), the National Infrastructure Protection Center and the SysAdmin, Audit, Networking and Security Institute updated the list of vulnerabilities that threaten Unix and Microsoft's Windows -- two prevalent operating systems that could leave countless government machines open to hackers and computer viruses.

Securing computer networks and information requires pre-emptive action, White House cybersecurity adviser Richard Clarke said. "You need to get on the job before the threat comes in," he told federal information technology administrators. "Begin to look at your own system the way an attacker would. ... The tools that we are announcing today will allow federal agencies to look for vulnerabilities in a much easier way than they ever have in the past."

About 70 organizations and vendors collaborated to identify the most critical vulnerabilities, which include commonly known and newly discovered holes in software such as Microsoft's Internet Explorer and SQL Server, as well as Unix-based services such as the Apache Web server and the Sendmail e-mail program.

Five technology firms pledged to provide tools to enable government agencies to search their systems for the vulnerabilities. Cybersecurity officials in the United Kingdom and Canada also are unveiling the vulnerability list as part of a global effort.

GSA is developing a system for agencies to easily obtain security repairs or "patches" for their computer and information networks. But Clarke warned that individuals who discover new vulnerabilities must not publicly declare their findings lest they encourage more hacking.

"It is irresponsible when you find a new vulnerability to tell everyone in the world about it," he said. "As soon as you post in a chatroom or on the Web ... it is going to spread like wildfire through the hacker community."

Instead, he said agencies should alert NIPC, FedCIRC and technology vendors to develop a patch for the security hole. But if all else fails, "call me," he told federal attendees.

Howard Schmidt, vice chairman of the White House Critical Infrastructure Protection Board, is studying whether to issue the policy in writing, Clarke said.

Sallie McDonald, GSA's assistant commissioner for information assurance and critical infrastructure protection, said the new tools create an architecture that will help agencies comply with federal laws to perform IT security assessments.

GSA plans to award a contract to an unnamed company to develop the security-patch system. Agencies would enroll in the system, receive alerts when a security hole is discovered and subsequently receive necessary software to repair the hole.
****************************
Computerworld
Government releases top 20 vulnerability 'hit list'
By DAN VERTON
OCTOBER 03, 2002
The U.S. General Services Administration, with the help of other federal and private-sector security organizations, yesterday unveiled a target list of the top 20 Internet security vulnerabilities, along with specific products and programs designed to help companies search out and destroy those flaws.


This is the third such list compiled in as many years by the Bethesda, Md.-based nonprofit SANS Institute Inc. and the FBI's National Infrastructure Protection Center (NIPC). However, in addition to updating the list of vulnerabilities, this year marks the first time that security vendors offered product upgrades specifically targeting the vulnerabilities. In addition, the GSA announced its SafeGuard contracting program, which federal agencies can use to test for the Top 20 vulnerabilities and get technical help in removing them.


"This announcement raises awareness of the most critical vulnerabilities that affect everyone's information systems," said Sallie McDonald, assistant commissioner for Information Assurance and Critical Infrastructure Protection at the GSA's Federal Technology Service. "This will go a long way to help prevent more serious computer security incidents."



Each of the top 20 vulnerabilities stems from software that shipped with a set of one or more programming errors that, if left unfixed, allow hackers to gain remote control of systems.



Bill Murray, a spokesman for the NIPC, said the list is based on what's called the 80-20 model. "It's the 20 vulnerabilities that are causing about 80% of the serious intrusions," said Murray. "The important thing is that now we have vendors that will allow people to actually test for these vulnerabilities," he said. "In the past, companies have been on their own."



Although the last two versions of the top 20 list were successful in focusing attention on the most common security holes exploited by hackers, they failed to get the results that the SANS Institute and the other sponsors had hoped for, said Alan Paller, director of the institute. The lack of results was a byproduct of the lack of "commercial tools, and, even more importantly, commercial services, to allow people to focus on them," he said.



This year's list, however, comes with specific product upgrades from Foundstone Inc. and Internet Security Systems Inc. that target the new top 20 vulnerability list. In addition, Qualys Inc. announced a free online scanning service that looks for the top 20 vulnerabilities without installing new software on an organization's network. Likewise, free open-source scanning products were made available from The Nessus Organization, an online security scanner project, and Vienna, Va.-based Advanced Research Corp.



"For the first time, organizations that do not have big security staffs can get at the top 20," said Paller. "The key is you don't have to have in-house expertise on running and tuning a scanner, and the upfront investment is small enough that everyone can do it."



The affordability of the scanning tools is a critical component of this latest announcement, said John Gilligan, CIO of the U.S. Air Force and co-chairman of the Federal CIO Council's Security Committee. "None of us can afford the cost of a continual race against would-be cyberattackers using the current find-and-patch approach to deal with latent vulnerabilities in commercial software packages," said Gilligan. "Simply the economic cost of this find-and-patch mode of operating is enormous."



Gilligan also reiterated demands that he and other government officials, such as Richard Clarke, chairman of the President's Critical Infrastructure Protection Board, have made in the past -- that the software industry take more proactive measures to improve baseline security and the reliability of their products.



"It is clear that the quality of software design and testing in the past does not measure up to the needs of the present and the future," said Gilligan. "I challenge the leaders in the software industry, especially in the wake of the physical attacks on this nation, to work together to establish new standards of software quality, as well as effective methods to reduce the impact of current vulnerabilities."



Dan Ingevaldson, team leader of the X-Force at ISS, one of the more than 70 organizations that collaborated on devising the vulnerability list, said the top 20 list offers companies "a good place to start" assessing their network vulnerability. He agreed that the "patch-centric model is a very difficult thing to do, especially for large enterprises."
*******************
Computerworld
Secret Service 'war driving' for unsecure WLANs
By BOB BREWIN
OCTOBER 03, 2002


The U.S. Secret Service has hooked up Pringles cans to notebook computers equipped with wireless LAN access cards and begun "war driving" around Washington and other cities in an effort to sniff out unsecured WLANs.
That puts the Secret Service, whose primary mission is to guard the president, in the company of hobbyist WLAN war drivers who cruise cities and towns around the world to detect and map unsecured WLAN systems.


(The term war driving is derived from the "war-dialing" exploits of the teenage hacker character in the 1983 movie WarGames, who has his computer randomly dial hundreds of numbers and eventually winds up tapping into a nuclear command-and-control system.)

Brian Marr, a Secret Service spokesman, said the agency conducts its war drives as part of its protective mission and is searching for unsecured WLAN systems in venues in "close proximity" to its protective assignments, including hospitals, convention centers and hotels. Besides Pringles cans -- which Marr said make "fairly good" antennas -- Secret Service agents also use commercial high-gain antennas to sniff out unsecured LANs.

When the agents from the Secret Service Electronic Crimes Task Force detect an unsecure WLAN, they contact the enterprise operating the system, identify themselves and inform the business of any vulnerabilities they have detected. Marr described this as a "community outreach program," in the same spirit as local police officers going door to door in a neighborhood to talk to residents about physical vulnerabilities.


Sarosh Vesuna, chairman of the technical committee for the Wi-Fi Alliance (formerly the Wireless Ethernet Compatibility Alliance) in Mountain View, Calif., viewed the Secret Service war driving as a good idea. "It raises the bar for security," he said.


Vesuna, who is also director of strategic alliances at Symbol Technologies Inc. in Holtsville, N.Y., said the Secret Service war-driving and notification project is the electronic version of a police officer "telling someone their door is unlocked."

The Secret Service will soon have a lot of war-driving competition. A loosely organized band of WLAN sniffer hobbyists plans to conduct what it bills as the "World-Wide War Drive" from Oct. 26 through Nov. 2. So far, hobbyists covering a wide swath of the U.S. and Canada -- as well as in Barcelona, Spain; Germany; Wellington, New Zealand; and Perth, Australia -- have indicated that they plan to participate in the exercise.

Using notebooks equipped with WLAN cards and sniffing freeware, such as NetStumbler, the hobbyists detected and precisely mapped (using Global Positioning System receivers) 9,374 WLAN access points in the first World-Wide War Drive, which ran from Aug. 31 to Sept. 7. Almost 70%, or 6,549 of the access points, didn't have the simplest form of WLAN security, Wired Equivalent Protocol, turned on.
*************************
Washington Post
Bills Would Bolster the Right to Copy
House Proposals Counter Attention Paid to Hollywood's Piracy Concerns
Friday, October 4, 2002; Page E05


Two bills introduced this week in the House sought to redefine consumer rights in the digital era, a departure in a congressional session during which more attention has been paid to protecting copyrighted works from computer-aided piracy.

A bill introduced Wednesday by Rep. Zoe Lofgren (D-Calif.) would establish that it is legal for people to make backup copies of digital content (movies, music, pictures and so on), display it on whatever device they want, and sell or transfer copies of legally acquired digital content.

Lofgren said yesterday that her bill would legalize what people already do with non-digital media. "My bill doesn't expand existing rights," she said. "It just applies them to the digital age."

A bill introduced yesterday by Rep. Rick Boucher (D-Va.) and John T. Doolittle (R-Calif.) would permit circumventing copy-protection technology in digital content for "fair use" such as including a movie excerpt in a school project.

Boucher said yesterday that the Digital Millennium Copyright Act -- a 1998 law that has been at the heart of several recent lawsuits -- makes it illegal for consumers to perform many actions they might assume were legal, such as figuring a way to skip over the commercials on some DVD movies. His bill would amend that act.

The two bills follow a wave of legislative proposals this year to protect the rights of copyright owners.

One such bill, offered in March by Sen. Ernest F. Hollings (D-S.C.), would require anti-piracy chips or software to be installed in personal computers, handheld organizers and other electronic equipment. Another, introduced by Rep. Howard L. Berman (D-Calif.), would suspend anti-hacking laws for copyright owners attempting to stop their property from being distributed over file-sharing networks.

While consumer groups and electronics industry representatives are united in their dislike of the Hollings and Berman bills, they don't all agree on the two proposed laws.

The Business Software Alliance -- an early opponent of the Hollings bill -- opposes the Lofgren and Boucher-Doolittle bills, arguing that they would make it easier for software thieves to develop the tools of their trade.

Emery Simon, a lawyer for the Washington-based trade group, said, "The changes they have proposed wouldn't do a whole heck of a lot for consumers and would undo the value of the DMCA."

Consumer groups were more favorable. "It doesn't fix all the problems in the intellectual-property universe, but it fixes several of the important ones," said Fred von Lohmann, a lawyer for the Electronic Frontier Foundation.

Hollywood, meanwhile, reiterated its opposition to measures that might make it easier to bootleg its products.

"Both these bills make it impossible for us to do any protection," said Jack Valenti, president and chief executive of the Motion Picture Association of America. "All we want is to be able to protect our movies in a sturdy fashion, knowing that 100 percent protection is not possible."

Both bills are too late to have much chance of moving forward this year, the authors conceded, but they said introducing them now would change the debate in the next session of Congress.

"I think that getting these bills out at this point will help spur the discussion," Lofgren said. "It's been a bit one-sided lately." She said she has received hundreds of e-mails from constituents in support of her bill.

"I am confident that Congress will change the law to reaffirm fair-use rights," Boucher said. "I will not predict the date on which that change will occur, but it eventually will happen."
**************************
USA Today
A homeless guy finds a refuge on the Internet
By Janet Kornblum, USA TODAY


He sits in a secluded corner at the Nashville Public Library, next to a window that overlooks glass-and-steel buildings and a small park. In front of him is a computer screen, which is a different kind of window -- a window into the world where he sends his words, his thoughts, his ideas.

He writes about God, Jung and the symphony. But mostly he writes about what he knows best: life as a homeless man in urban America, a world so far beneath the social radar that many step right over it.

By day, Kevin Barbieux writes in the free-form diarist style of Web logs -- known in Internet circles as "blogs" -- as "The Homeless Guy." His Web site (www.thehomelessguy.blogspot.com) has developed a worldwide following.

By night, the balding, blue-eyed 41-year-old stays in a shelter, a car or sometimes a new spot that he has heard might be safe.

Writing about his life is not new to Barbieux, who has lived on and off the streets for 20 years. In 1997 he started a newspaper about the homeless, but it lasted only two issues. Over the ensuing five years, he spent much of his time on computers in cafes and at the public library. Then, on Aug. 20, he became a blogger, using free software offered through a Web service called Blog Spot.

Since then, more than 38,000 people have visited his site, and the number continues to grow. Barbieux's goal is to shed light on the plight of the homeless: "If more people knew what was really going on, what it was really like to be homeless, more people would get involved. There's so much I want to say."

Barbieux became homeless in 1982, when "for reasons I did not understand at the time, I had an irresistible urge to leave San Diego," he says in his blog. "After a particularly bad day, I loaded up my car with the few valuables I had and headed east."

He got as far as Nashville, where he ran out of money and began living in his car. One frigid February night, he ran out of gas while trying to stay warm. "It was then that I decided to seek out shelter at the rescue mission," he says. "I was 21 years old, yet I had no idea how to take care of myself in this world."

Since then, Barbieux says, he has tried to live a conventional life, but he has had limited success. He says he has severe social anxiety, and its physical and psychological symptoms have prevented him from keeping a job or attending school regularly.

He has held a few part-time jobs and has worked as a photographer. But Barbieux says he was booted from the Navy after a short stint. He briefly attended college, but his grades failed as he was overwhelmed by social life. He even was married for 6 1/2 years and has two children, ages 9 and 12. But he has become estranged from them because of his situation.

"I've never really had close friends," he says. "No one invites me over for dinner or to watch the game. Yes, I know a lot of people, but it's all rather superficial."

He has received hundreds of e-mail messages, positive and negative. Like many fans of Barbieux's blog, Jordon Cooper, a pastor from Saskatoon, Saskatchewan, came across the site one day while surfing the Internet and was drawn in by the writing. He also was curious, he says, about "someone who could obviously write at a fairly competent level but (who) is homeless."

Some of the more charitable visitors drop money into an online "tip jar," a button on his site that allows viewers to make donations using electronic payments. But others, including Julie Lessard of St. Cloud, Minn., are critical of the feature. Lessard, who was homeless for a year, says Barbieux's tip jar is a form of begging. She calls his blog "dangerous" because she says it doesn't give people enough information about how he became homeless and thus does not tell people how to avoid a similar plight.

Barbieux concedes he has made some poor decisions, but he considers the tip jar a way to make a living, not begging. "(Tippers) are not paying me to be homeless; they are paying me for making this blog. If I could get paid to be homeless, I'd just go outside."

Many readers also question why a man who is able to put together a Web page and write so eloquently cannot apply those skills toward getting a job.

"He seems very learned," says Hanna Girgis, a business analyst from Houston and a frequent reader. "He seems to be able to apply himself and set up his blog. If all that were possible, it would be possible to not be homeless. I pass people who are curled up under newspapers. That is (my) vision of someone who is homeless. I don't envision someone who can sit in the library and do HTML coding and interact with people all over the world."

That's because people want to see homelessness as a black-and-white issue, says the Rev. Charles Strobel, executive director at the Campus for Human Development, which provides services for Nashville's homeless. "Everybody wants it to be simple, but is your life simple?"

Barbieux's situation shows that homeless people are as diverse as anyone, says Strobel, who has known him for several years. "There are some devastating things that happen that even our best resources sometimes can't overcome. If everyone could be exposed to various stories, people would be less inclined to stereotypically dismiss them."

When Barbieux started his blog, his aspirations were small; he simply hoped to communicate with a few people. But now that he has attracted the attention of thousands, he's hoping for something bigger -- such as a way out of homelessness for himself and maybe for others as well. "I have heard some say that they choose to be homeless," he says, but "I have never seen a homeless person turn down a place to stay off the streets."

He dreams of writing a book. He also hopes to run his own shelter one day. "It is my goal to have a home, a respectable dwelling, a place with room for my kids," he says.

In the meantime, Barbieux continues to sit in the library and document his life. "Online, the only thing that can be judged by others is your communication, your voice, your opinion," he says. "Before anyone says a thing, all people on the Internet are considered equal. It's a level of equality so pure it creates a tension that's hard to deal with.

"Idiots are easily exposed as such, and those with something real to say can say it, uninterrupted."
*****************************
CNET News
Congress asked to unpick copy lock laws
By Declan McCullagh
October 3, 2002, 4:44 PM PT


A proposal to defang a controversial copyright law became public on Thursday, after more than a year of anticipation and months of closed-door negotiations with potential supporters.

Formally titled the Digital Media Consumers' Rights Act, the new bill represents the boldest counterattack yet on recent expansions of copyright law that have been driven by entertainment industry firms worried about Internet piracy.

The bill, introduced by Reps. Rick Boucher, D-Va., and John Doolittle, R-Calif., would repeal key sections of the 1998 Digital Millennium Copyright Act (DMCA). It would also require anyone selling copy-protected CDs to include a "prominent and plainly legible" notice that the discs include anti-piracy technology that could render them unreadable on some players.



"There is a tidal wave of support growing across the country for rebalancing copyright laws to dignify the rights of users," Boucher said in an interview Thursday. "I see that every day. The support is growing. We have fashioned this squarely to address the concerns that users are addressing and the technology industry is raising."

Boucher, the most outspoken opponent of the DMCA on Capitol Hill, has spent more than a year rallying support for this measure. After Dmitry Sklyarov, a Russian programmer visiting the United States, was arrested in Aug. 2001 on charges of violating the DMCA, Boucher called the prosecution "a broad overreach." In January, Boucher wrote an opinion article for CNET News.com in which he said: "We need to rewrite the law for the benefit of society as a whole before all access to information is irreversibly controlled."

In May, Boucher said that he was waiting for a critical mass of support to build and predicted his bill would be introduced "in the next month."

That never happened. But the delay allowed Boucher and Doolittle to convince an impressive number of companies to show up at a press conference on Thursday to endorse the bill. Among them: Intel, Verizon Communications, Philips, Sun Microsystems and Gateway.

Boucher and Doolittle also rallied nonprofit groups such as the American Library Association, the Association of American Universities, Consumers Union and the Home Recording Rights Coalition, which have lent their support.

"I could have introduced this bill a long time ago," Boucher said. "I had this draft in basically the form we introduced it today, two years ago. I've been working with a broad number of technology companies and public interest organizations to build a consensus. That takes time."

The fiercest opposition to the bill is likely to come from the ranks of traditional copyright enthusiasts: the Recording Industry Association of America, the Motion Picture Association of America, and the Association of American Publishers.

What it does
Currently the DMCA says that nobody may sell or distribute any product that "is primarily designed or produced for the purpose of circumventing a technological measure." Some limited exceptions apply to librarians, police, people conducting reverse engineering, and encryption researchers.


But when Linux programmers wrote the DeCSS.exe utility to play DVDs on their computers, eight movie studios sued and a federal judge said the program violated the DMCA. Ed Felten, a Princeton University computer scientist, and his co-authors were also threatened with legal action by the music industry if they published a paper describing flaws in a digital watermark system.

"I think there's no doubt that there are appropriate fair uses which the DeCSS code would be facilitating," Boucher said. "For example, if someone simply wanted to get by the string of commercials at the start of a DVD so you could watch it without being subjected to all the advertising, DeCSS would allow that. It seems reasonable to me to allow the use of the code for that purpose."

The Boucher-Doolittle bill would make three changes to the DMCA, all designed to permit people to bypass copy-protection schemes for legitimate purposes:

* An exemption would be created saying anyone who "is acting solely in furtherance of scientific research into technological protection measures" would be able to distribute his or her code. That would permit Felten and other researchers--such as a programmer being represented by the American Civil Liberties Union (ACLU) in a current lawsuit--to publish their work without the threat of lawsuits.

* Bypassing technological protections would be permissible if done for legitimate "fair-use" purposes. The bill says it would not be a violation of federal law to "circumvent a technological measure"--as long as it does not lead to "an infringement of the copyright in the work."

* Creating a utility like DeCSS.exe might become legal. The bill says it would be legal to "manufacture, distribute, or make noninfringing use of a hardware or software product capable of enabling significant noninfringing use of a copyrighted work."

Jessica Litman, a professor at Wayne State University who specializes in copyright law, says the bill echoes a landmark 1984 Supreme Court case, Sony v. University City Studios, that permitted the sale of VCRs. "It seems to restore the Sony test that if you're making legitimate technology that also has a circumvention application, it's only illegitimate to distribute it if the legitimate application is not significant," Litman said.

Litman, who is a critic of the DMCA, says its anti-circumvention sections have not actually been used to thwart online piracy. "So far it's been used chiefly in cases where no copyright infringement has been alleged or proved," she said. "So far it doesn't seem to have been a very important bulwark against infringing behavior in the first place."

Copy-protected CDs
If the Boucher-Doolittle bill were to take effect, anyone selling copy-protected CDs would be required to include a "prominent and plainly legible" notice that it follows a modified format that may not play properly on all devices and may not be reproduced. Such CDs would also be required to sport detailed descriptions of return policies, minimum software required to play on a PC, and any restrictions on ripping songs to MP3 files, for instance.


The bill amends an existing law titled the Federal Trade Commission Act and grants the Federal Trade Commission the power to regulate labels on audio CDs. Under existing law, the FTC already may regulate false advertising, "Made in America" labels and all other "unfair methods of competition."

The FTC would develop regulations "to require the proper labeling" of CDs, and proscribing the removal or mutilation of any label. The restrictions would not apply to video DVDs, but they would cover DVD audio discs and the new Super Audio Compact Disc format.

James Gattuso, a lawyer at the conservative Heritage Foundation, says he has mixed feelings about the Boucher-Doolittle proposal. "It's neither 100 percent good nor 100 percent bad," Gattuso said. "The core of it, putting in a fair-use exemption for the DMCA, seems to make a lot of sense. But then it also contains a number of provisions putting new regulations on the marketplace."

"What it does is require a lot more disclosure, which sounds good," Gattuso said. "But in reality it means a lot more unread and useless warnings and disclosures that consumers will have to wade through. There's a cost to that. It could raise prices. It could take away from more important information that consumers really do want."

In September, a music industry group called the International Federation of the Phonographic Industry proposed a logo identifying copy-protected CDs. But, as previously reported by CNET News.com, record labels have already begun to shy away from the idea.

Next steps
It is a near certainty that the Boucher-Doolittle bill will not be enacted this year. Congress is about to recess before the fall elections, and the bill will receive a frosty reception by some key legislators if it is reintroduced in the new congressional session that begins in Jan. 2003.


Boucher's strategy is simple: to bypass the copyright enthusiasts who serve on the House Judiciary committee. After Sklyarov was arrested last year, Rep. Howard Coble, R-N.C., who is chairman of the House Judiciary subcommittee on intellectual property, said, "The law is performing the way we hoped."

On Thursday, the Boucher-Doolittle bill was referred to the House Commerce committee, which could be more sympathetic. "The committee on commerce is far more friendly and receptive in arguments on behalf of user rights than is the committee on the judiciary," said Boucher, who is a member of both panels. "The committee on the judiciary is more a venue for copyright owners to advance their arguments."

On Wednesday, Rep. Zoe Lofgren, D-Calif., introduced a similar bill that also would amend the DMCA to permit fair use and allow consumers to copy digital files "for archival purposes."
******************
Information Week
Microsoft Discloses Security Flaws
Oct. 4, 2002
Problems could let attackers gain control of a user's system.
By The Associated Press




REDMOND, Wash. (AP)--Microsoft Corp. disclosed several security flaws Thursday, including "critical" problems in many versions of its Windows operating system.

The flaws were detailed in four security bulletins, which urged users to download software patches from Microsoft's Web site.

The flaws in most versions of Microsoft Windows occur in the help function and could allow attackers to gain control of the user's system. Microsoft reported other flaws, which range from moderate to critical severity, in some versions of Microsoft Windows, SQL Server, and other software programs. [story, see http://www.informationweek.com/story/IWK20021004S0001]
***************************
Info Week
New alerts have analysts doubting Microsoft security
By Paul Roberts
October 3, 2002 3:00 pm PT


A STRING OF new security alerts from software maker Microsoft this week has prominent industry analysts and security experts predicting that the company's goal of making its software secure may remain elusive. [http://www.infoworld.com/articles/hn/xml/02/10/03/021003hnmsnewalerts.xml?s=IDGNS]
*************************
CNN Online
Teen saved after online suicide bid
Friday, October 4, 2002 Posted: 9:37 AM EDT (1337 GMT)


SEATTLE (Reuters) -- In what may be the Internet's first attempt at a public suicide, a young Indiana man posted his efforts to kill himself with drugs on a Web discussion board, sparking a flurry of sympathy and taunts before he was located and saved by police.

The teen survived after a Seattle woman reading the discussion board intervened and alerted authorities.

As more people flock to the Internet in search of communities and companionship, it was inevitable that an online suicide attempt would occur, psychologists said.

After tracking down the identity of the suicidal teen, Jennifer Martini of Seattle, who works as a moderator of an online game, said she was able to call police in Highland, Indiana, where he lives, and alert them.

Pete Nelson, of the Highland Police Department, confirmed that a suicide incident involving a minor had happened, but declined to provide further details.

The incident began Monday night with postings by "Vegas (Cats)", the teen's "handle", or screen name on a gaming discussion board for the fantasy world game Ultima that involves online role-playing gamers.

"I'm not scared anymore. Tears and sweat are joining my face which is completely soaked."

"I have said all my goodbyes...the only thing I am sorry for is the person that has to walk in and see me....cold....and dead. 16 pills down the drain...."

".... miss ya guys," he wrote.

The posting sparked a flurry of replies, similar to a crowd gathering underneath a suicidal jumper, with responses ranging from sympathy to encouragement to the Internet cries of "Jump."

"There really is no point man, no point at all," wrote one online participant. "Whatever problems you have, like all others, are only temporary."

Another wrote: "Kill yourself in the forest so you decompose. Really the way to go."

Others were more clinical.

"Obviously you want someone to talk you out of it because you are posting about this here," someone else wrote. "Don't be so selfish as to kill yourself and ruin the lives of those around you."

Another posting consisted merely of a smiley face graphic waving goodbye.

Plea for help
"I didn't know what to do," Martini said, "I was aware that it might be a potential hoax but I decided to try and risk making a fool out of myself because someone could have died."


Other online participants also suspected a hoax, as they made their own investigations into the real identities of those involved.

But Martini said she was later contacted by a Highland police officer who found the teen still alive and able to talk. He was taken to the hospital and treated for a drug overdose.

After returning home, the young man immediately reconnected with his online community to track down his rescuer, according to Web postings.

"We've recognized that teens have a degree of intimacy of communicating over the Internet that is astounding," said Eric Trupin, a juvenile and adolescent psychology professor at the University of Washington.

"It doesn't totally surprise me that this youth was having this kind of interaction," he said.

Trupin agreed that the public Web posting was very similar to a plea for help, very much like a suicidal person standing on a bridge or high-rise building.

The online incident, and the reaction it got from the community, was reminiscent of a suicide attempt in Seattle in August of last year.

A young woman leapt off a 160-foot-high (49-metre-high) bridge after passing motorists, tangled up in the traffic snarls she created, yelled things like, "Jump, bitch, jump!".

The woman lived, but ignited remorse in a city that once prided itself on being free from big-city woes.

"People view the Internet as faceless, and it is really easy to dismiss people and dehumanize them, but there is a caring community there," Martini said.
********************
CNN
What Spies Beneath
Have you checked your PC for spyware lately? National security could be at stake. Your privacy too
BY CHRIS TAYLOR


Monday, Oct. 07, 2002
Chances are you haven't read the Bush Administration's "National Strategy to Secure Cyberspace." Since it weighs in at a hefty 65 pages, who can blame you? Still, a surprising amount of the draft report is aimed at home-computer owners. Here's the gist: the more dependent we become on the Internet, the more damage can be done by taking down large portions of it. And it doesn't take a criminal genius to realize that PC users, with their increasingly high-speed connections and low-grade security setups, are the easiest on-ramp for any kind of attack.


Though the report doesn't tap terror groups by name, the implication is clear: if you don't practice good PC hygiene now, al-Qaeda or some organization like it could one day hijack your hard drive. That's not just homeland-security hype. In 2001, viruses and other malicious code caused $12 billion worth of damage to the U.S. economy with the aid of unsuspecting users. How to stop that from happening? Most of the suggestions in the cybersecurity report are pretty familiar: don't open strange email attachments; do install a firewall; choose passwords that aren't easy to crack.

But here's one important security measure the report failed to mention: check your hard drive for spyware. Spyware is any kind of program installed in your computer without your consent to gather information about you or your organization. A typical piece of spyware will watch over your shoulder while you browse the Web, record your mouse clicks and broadcast all that information back to another computer (ostensibly for marketing purposes). It's part of a class of increasingly surreptitious software that includes adware (which serves up commercials you didn't ask for, as if pop-up ads weren't enough), stealware (which leeches sales commissions away from small websites in affiliate programs) and scumware (which alters the origin of links on a Web page so that, for example, an innocent news headline will direct you to a porn site).

How does this stuff get onto your machine? Most often, it hides behind other software as you download it. If you're a heavy user of post-Napster file-sharing programs like Morpheus or Kazaa, both known distributors of spyware, you're probably already infected. Sometimes spyware masquerades as cookies, those little files websites leave on your computer so you don't have to type your name and password every time you visit. Once on your PC, spyware can sequester itself deep inside your operating system in what are called registry files. Anti-virus software won't spot it, because it looks like something you chose to install.

Luckily, it's easy to check your computer for spyware. If you own a Windows machine, just go to lavasoftusa.com and download a free utility called Ad-Aware. Install it, hit the scan button and be prepared for a shock. Mac owners can try Spring Cleaning, which is $50 from Aladdin Systems.

I consider my PC to be pretty well protected, virus free and firewalled. Yet the first time I ran Ad-Aware, it spent 15 minutes turning up and removing a dozen nasty little programs with names like Xupiter Toolbar, Gator Trickler and Bargains.exe. And when I ran it again a few weeks later, five more pieces of spyware showed up.

SpyChecker.com runs a handy database that lists more than a thousand of these programs and tells you what each one does. Spywareinfo.com and Counterexploitation (at cexx.org) are also hot on the spyware trail. But this kind of malicious code is proliferating faster than it can be catalogued, so there's often no telling how a particular program is being used, what kind of sensitive information it is broadcasting or what other programs it might have secretly installed on your machine. If dotcoms can slip this stuff past our defenses, just imagine what a terrorist could do.

None of this stuff is good for you or your privacy. Clean it out, and you'll instantly feel more secure. You might even feel a little patriotic.

What to Watch For
AUREATE The original spyware, Aureate opens a back door into your PC, through which it pushes advertising banners, recording which ones you click on.


B3D When you download a copy of Kazaa's file-sharing software, Brilliant Digital quietly installs a copy of B3D. This funnels your PC's spare computing power to Brilliant's network, the use of which can then be leased out.

RED SHERIFF From a company of the same name, this Java applet reports all your Web-surfing habits for as long as you have your browser open.

RADLIGHT This anti-antispyware, created in the Slovak Republic, disables Ad-Aware, a program that tries to protect your PC against spyware.

Questions? Concerns? You can e-mail Chris at
****************************
Earth Web
Open Standards Play Big In Motown
By Brian Morrissey

NEW YORK -- The auto industry is not often thought of as a hotbed of high-tech but General Motors (NYSE:GM) CTO Tony Scott told attendees at Wednesday's Internet World keynote address that Detroit is helping drive technology standards.

Scott told internetnews.com that he sees a silver-lining in the current economic malaise: the software industry is more amenable to standards in an era of tight IT budgets.

"The environment has changed some," he said. "The battles of the past occurred in a period of growth that was unparalleled and ultimately unsustainable. There was no penalty to coming up with something proprietary."

However, with more scrutiny paid to all technology choices, Scott said CTOs now hold a distinct advantage in driving industry leaders to agree on standards that operate more efficiently.

And for its part, GM would use its influence in standards bodies like the Liberty Alliance, as well as with its huge supplier and vendor networks, to push this goal, he explained.

The biggest leverage Scott employs is GM's sheer size: 9 million vehicles produced last year, 365,000 employees, and a $3 billion annual IT budget. With those kinds of resources, Scott said GM has earmarked open standards as a priority for the company, in a shift from the traditional proprietary approach taken by both the auto and tech industries.

"Ours is an industry where each of us tries to get proprietary advantage by coming out with the next big thing," Scott said. "We're going to have to go to industry standards, not just across our industry."

Yet, despite its $3 billion IT budget, GM is constrained to spending only 20 to 40 percent of it on new development, Scott explained, with the rest going to maintenance and upgrades of current systems.

Internally, Scott said GM pinned high hopes on Web services helping the company continue to reduce its IT costs by eliminating inefficiencies and redundancies.

"We've been on a journey since 1996 to take out costs and reduce the complexities of GM systems," he explained. Since then, GM has cut the total cost of its IT budget by $1 billion, through taking systems out.

Now, with the advent of Web services, Scott said the company has turned its attention to linking up the company's IT systems.

This year, GM has begun pilot projects to use Web services in its major groups. Next year, Scott said Web services projects would become more widespread.

As an example, GM has implemented Web services in its GMAC commercial mortgage group, which has investors holding a portfolio of investments in various real estate properties. However, with many different companies managing the properties, Scott said capturing all the information for investors was difficult, time consuming and expensive. GM has used Web services to link together the various systems to gather the information seamlessly.

Scott said he was encouraged by the possibilities the approach holds for GM's larger tech challenges, such as tracking the vehicle identification number (VIN) of cars through the manufacturing, distribution and financing processes. With a Web service created around the VIN, Scott said the company could do away with the problems created when a business rule that governs the distribution of the VIN changes.

Despite the optimism, Scott said Web services were still a few years off from delivering on their great promise, simply due to budget constraints.

"You only get a certain amount of new development dollars a year," he said. "Even if you converted it all to Web services, it would take five years or more."
*****************************


Lillie Coney
Public Policy Coordinator
U.S. Association for Computing Machinery
Suite 510
2120 L Street, NW
Washington, D.C. 20037
202-478-6124
lillie.coney@xxxxxxx


Date: Fri, 4 Oct 2002 15:13:21 -0400
Sender: ACM TechNews Early Alert Service <TECHNEWS@xxxxxxxxxxxxxxxxx>
From: technews <technews@xxxxxxxxxx>
Subject: ACM TechNews - Friday, October 4, 2002
To: TECHNEWS@xxxxxxxxxxxxxxxxx


Dear ACM TechNews Subscriber:

Welcome to the October 4, 2002 edition of ACM TechNews,
providing timely information for IT professionals three times a
week.  For instructions on how to unsubscribe from this
service, please see below.

ACM's MemberNet is now online. For the latest on ACM
activities, member benefits, and industry issues,
visit http://www.acm.org/membernet

Remember to check out our hot new online essay and opinion
magazine, Ubiquity, at http://www.acm.org/ubiquity

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
ACM TechNews
Volume 4, Number 407
Date: October 4, 2002

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Site Sponsored by Hewlett Packard Company ( <http://www.hp.com> )
    HP is the premier source for computing services,
    products and solutions. Responding to customers' requirements
    for quality and reliability at aggressive prices, HP offers
    performance-packed products and comprehensive services.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Top Stories for Friday, October 4, 2002:
http://www.acm.org/technews/current/homepage.html

"Government Releases Top 20 Vulnerability 'Hit List'"
"Congress Asked to Unpick Copy Lock Laws"
"More Patents, Please!"
"Robotic Vision"
"Quantum System Keeps Secrets Safe"
"The Mac OS That Can't Be Tweaked"
"U.N.: Robots Could Lighten Load of Household Chores"
"Invisible Circuits in a Flash"
"Upgrades to Boost SETI@home Alien Search"
"Super Goop"
"Working in IT: Where Has All the Fun Gone?"
"A Moment of Clarity"
"From Humble Materials, a Burst of Power for Batteries"
"Where the Girls Aren't"
"Prospects Dim for Future Tech Pros Prepping for Spring Job Scramble"
"Sounds Could Make Smart Devices Smarter"
"Welcome to Feedback Universe"
"Fighting Terrorism With Technology"
"Data Extinction"

******************* News Stories ***********************

"Government Releases Top 20 Vulnerability 'Hit List'"
The U.S. General Services Administration (GSA) on Wednesday
issued its third annual target list of the top 20 Internet
security flaws, which was compiled by the SANS Institute and the
FBI's National Infrastructure Protection Center (NIPC).  This ...
http://www.acm.org/technews/articles/2002-4/1004f.html#item1

"Congress Asked to Unpick Copy Lock Laws"
Reps. Rick Boucher (D-Va.) and John Doolittle (D-Calif.)
introduced legislation on Thursday calling for amendments to the
Digital Millennium Copyright Act (DMCA) that would allow
consumers to circumvent anti-copying technology measures for ...
http://www.acm.org/technews/articles/2002-4/1004f.html#item2

"More Patents, Please!"
Technology companies are pushing their staffs to produce more
patents, which can boost the bottom line with licensing fees and
strengthen their competitive edge; many firms are trying to
encourage patent generation by offering engineers incentives such ...
http://www.acm.org/technews/articles/2002-4/1004f.html#item3

"Robotic Vision"
Engineers at Caltech and the University of Southern California
(USC) are investigating a form of robotic vision known as
selective-attention modeling, which is based on neuroscientific
research that suggests the human brain's recognition of salient ...
http://www.acm.org/technews/articles/2002-4/1004f.html#item4

"Quantum System Keeps Secrets Safe"
British scientists report in this week's issue of Nature that
they successfully transmitted encryption keys on a weak beam of
light between two mountaintops in Germany across a distance of 14
miles--the longest distance yet for a transmission of this type, ...
http://www.acm.org/technews/articles/2002-4/1004f.html#item5

"The Mac OS That Can't Be Tweaked"
Apple Computer has reversed its tack of letting individual users
make changes to the Macintosh operating system with the new OS X.
Although the company published the application program interfaces
of previous operating systems, CEO Steve Jobs has stopped the ...
http://www.acm.org/technews/articles/2002-4/1004f.html#item6

"U.N.: Robots Could Lighten Load of Household Chores"
The U.N. Economic Commission for Europe's World 2002 Robotics
Report issued on Thursday suggests that robots could soon ease
the burden of housework from homeowners, thanks to falling
prices, rising labor costs, and technological advancements.  The ...
http://www.acm.org/technews/articles/2002-4/1004f.html#item7

"Invisible Circuits in a Flash"
Scientists in Japan have discovered a transparent material that
acts as an electric conductor when exposed to ultraviolet light,
paving the way for invisible computer chips.  Such chips could be
unnoticeably integrated into LCDs and other optical devices.  ...
http://www.acm.org/technews/articles/2002-4/1004f.html#item8

"Upgrades to Boost SETI@home Alien Search"
SETI@home, the grid computing effort that recruits home users to
help search for signs of intelligent extraterrestrial life, will
be upgraded with new software and switch to a telescope that can
scan a greater area of sky.  The first software release will be ...
http://www.acm.org/technews/articles/2002-4/1004f.html#item9

"Super Goop"
MR fluid is liquid material that stiffens into a more clay-like
consistency when it is subjected to a magnetic force, and
researchers are studying potential applications in robotics and
building stability, among other things.  The substance is already ...
http://www.acm.org/technews/articles/2002-4/1004f.html#item10

"Working in IT: Where Has All the Fun Gone?"
The image and purpose of IT has changed significantly since the
late 1990s, when insatiable demand for high tech and IT
professionals made it cool to be a tech enthusiast and for
companies to invest heavily in new technology, observes ...
http://www.acm.org/technews/articles/2002-4/1004f.html#item11

"A Moment of Clarity"
MIT researchers say a new anti-glare coating could lead to
innovation in optic technologies.  Although traditional
anti-glare coatings allow for the near-complete transmission of
light--which is important in solar cell panels and optical ...
http://www.acm.org/technews/articles/2002-4/1004f.html#item12

"From Humble Materials, a Burst of Power for Batteries"
The lithium cobalt oxide most rechargeable batteries use is
relatively expensive, and this has prompted research into cheaper
alternatives.  Dr. Yet-Ming Chiang of MIT reports in the October
issue of Nature Materials that his team has successfully raised ...
http://www.acm.org/technews/articles/2002-4/1004f.html#item13

"Where the Girls Aren't"
For over 10 years, educators have tried to get girls interested
in pursuing computers, math, and science as a course of study and
a possible career using a broad range of programs, and now
researchers at North Carolina State University are studying ...
http://www.acm.org/technews/articles/2002-4/1004f.html#item14

"Prospects Dim for Future Tech Pros Prepping for Spring Job Scramble"
People who earn bachelor's degrees in technology fields this year
will have an even tougher time finding jobs.  The National
Association of Colleges and Employers says companies are planning
to hire fewer college graduates this year compared to last year. ...
http://www.acm.org/technews/articles/2002-4/1004f.html#item15

"Sounds Could Make Smart Devices Smarter"
Parham Aarabi of the University of Toronto says he is
incorporating sound navigation into electronic devices, and he
predicts that it will be five to 10 years before such
communications devices are offered to consumers.  Aarabi claims ...
http://www.acm.org/technews/articles/2002-4/1004f.html#item16

"Welcome to Feedback Universe"
A feedback loop--a closed system in which the results of an event
send back data that helps shape the event in the future--is being
applied to practically every aspect of life.  Feedback, in its
most basic form, is either negative--progressing toward balance ...
http://www.acm.org/technews/articles/2002-4/1004f.html#item17

"Fighting Terrorism With Technology"
Harvard University professor Lewis M. Branscomb says that
industry and government must work together so that an effective
IT counterterrorism strategy can be implemented.  He co-chaired
the National Academies' Committee on Science and Technology for ...
http://www.acm.org/technews/articles/2002-4/1004f.html#item18

"Data Extinction"
The built-in obsolescence of digital technologies threatens the
preservation of data--photos, documents, video, etc.--especially
since decoding programs are rendered out-of-date by evolving
computer languages and operating systems.  Migration is one of ...
http://www.acm.org/technews/articles/2002-4/1004f.html#item19


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


-- To review Wednesday's issue, please visit
http://www.acm.org/technews/articles/2002-4/1002w.html

-- To visit the TechNews home page, point your browser to:
http://www.acm.org/technews/

-- To unsubscribe from the ACM TechNews Early Alert Service:
Please send a separate email to listserv@xxxxxxxxxxxxxxxxx
with the line

signoff technews

in the body of your message.

-- Please note that replying directly to this message does not
automatically unsubscribe you from the TechNews list.

-- To submit feedback about ACM TechNews, contact:
technews@xxxxxxxxxx

-- ACM may have a different email address on file for you,
so if you're unable to "unsubscribe" yourself, please direct
your request to: technews-request@xxxxxxx

We will remove your name from the TechNews list on
your behalf.

-- For help with technical problems, including problems with
leaving the list, please write to:  technews-request@xxxxxxx
