[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Clips November 12, 2002
- To: "Lillie Coney":;, Gene Spafford <spaf@xxxxxxxxxxxxxxxxx>;, John White <white@xxxxxxxxxx>;, Jeff Grove <jeff_grove@xxxxxxx>;, goodman@xxxxxxxxxxxxx;, David Farber <dave@xxxxxxxxxx>;, glee@xxxxxxxxxxxxx;, Andrew Grosso<Agrosso@xxxxxxxxxxxxxxxx>;, ver@xxxxxxxxx;, lillie.coney@xxxxxxx;, v_gold@xxxxxxx;, harsha@xxxxxxx;, KathrynKL@xxxxxxx;, akuadc@xxxxxxxxxxx;, computer_security_day@xxxxxxx;, waspray@xxxxxxxxxxx;
- Subject: Clips November 12, 2002
- From: Lillie Coney <lillie.coney@xxxxxxx>
- Date: Tue, 12 Nov 2002 13:38:05 -0500
Clips November 12, 2002
ARTICLES
Bexar County [Texas] officials to launch inquiry into voting problems
States to Vote Today on Internet Sales Tax Plan
Weapons inspectors count on new technology
Eyes become IDs for refugees, air travelers
Baking Soda, Vinegar, and Measuring Cups Become Lab Materials for Online
A Networked World's Final Frontier: The Airplane
Bridex worm bites computer security company
Meeting to mull privacy standard's next step
IT still iffy on Web services
Supreme Court to Decide Internet Library Filters
Her picture became a porn ad
Fighting for online rights
'Duty' of telecoms to assist snooping
FCC Allocates Spectrum for Advanced Wireless Services
FCC Spectrum Policy Task Force Recommends New Regulatory Approach
U.S. technology companies are helping China build its Big Brother Internet
*********************************
Houston Chronicle
Bexar County officials to launch inquiry into voting problems
Associated Press
SAN ANTONIO -- Bexar County officials planned to launch an inquiry this
week into voting problems that delayed the tabulation of General Election
results. Officials will also consider the fate of embattled elections
administrator Cliff Borofsky.
At least two commissioners have called for Borofsky to be fired because of
the sluggish vote counting, which took nearly 30 hours to complete.
Bexar County commissioners and members of the county Elections Commission
were scheduled to meet Monday.
"I have been accused of exercising no leadership and no planning, and it's
not the case," Borofsky said Monday, vowing to defend the actions he took
before the election and during tabulation of the results.
By the time the polls closed at 7 p.m. on Nov. 5, one-third of the 127,595
early voting ballots cast in the election had been counted. Early ballots
are usually counted and prepared to report to the public by that hour.
The Elections Commission, made up of the county judge, tax
assessor-collector, county clerk and the local chairmen of the Democratic
and Republican parties, were scheduled to discuss Borofsky's fate Thursday.
"I'm interested in convincing Commissioners Court and the Elections
Commission that there was a pretty significant planning element that went
into this election," he said in Tuesday's editions of the San Antonio
Express-News. "That we had difficulties because things were planned, but
not executed, was not my specific fault."
*****************************
Washington Post
States to Vote Today on Internet Sales Tax Plan
Uncertain Prospects for Approval by Republican Congress
By Brian Krebs
Tuesday, November 12, 2002; 12:00 AM
As the holiday shopping season shifts into high gear, revenue-hungry states
will vote today on a plan to tax all Internet sales.
Tax officials and legislators from 31 states -- including Maryland,
Virginia and the District -- are meeting in Chicago today to vote on a
proposal to simplify their tax laws and enter into a voluntary pact to
collect online sales taxes.
"This is a 21st century system that will dramatically improve the morass
that currently exists," said Utah Gov. Mike Leavitt (R), a key leader in
the states' effort. "I'm confident that this agreement will be approved by
a majority of the states and will mark the beginning of a new phase of this
process."
The plan up for consideration today is part of a bid to win approval from
Congress for a mandatory online sales tax collection regime.
The states participating in the tax effort -- known as the Streamlined
Sales Tax Project -- plan to ask Congress to make their proposed tax system
mandatory nationwide when at least 10 states representing 20 percent of the
U.S. population have amended their laws to implement the program, said R.
Bruce Johnson, commissioner of the Utah state tax commission and co-chair
of the implementing states group.
"We think that once these states have simplified their systems it will be
appropriate for the federal government to reward that effort," Johnson
said. "We're doing everything we can to make it clear that the states can
work together."
Currently, 45 states and the District of Columbia levy sales taxes, with
rates varying from state to state -- and often from town to town.
Under the Streamlined Sales Tax Project proposal, states would be required
to establish uniform definitions for taxable goods and services, and
maintain a single statewide tax rate for each type of product.
The project also seeks to simplify tax reporting requirements for online
sellers, said Jason Feuchtwanger, spokesman for the National Governors
Association.
"We're trying to move from a situation where a nationwide vendor is
responsible for potentially 7,500 returns to a system where they can just
submit a single return to each state and let (the state) handle the
disbursements," Feuchtwanger said.
Today's vote is a welcome development for the nation's largest main street
retailers, who have argued for years that the current system gives online
vendors an edge over so-called "bricks-and-mortar" stores.
"Our ultimate goal is that everybody will have to play by the same rules,"
said Maureen Riehl, state and industry relations counsel for the National
Retail Federation, a trade group that represents nearly 1.4 million stores.
And for states facing rising budget deficits, the stakes are huge. The U.S.
General Accounting Office has estimated states lose nearly $13 billion each
year on untaxed Internet transactions. That figure will more than triple to
$45 billion by 2006, according to a 2001 University of Tennessee study
conducted for the Institute of State Studies.
More Paperwork for Businesses
Despite the apparent critical mass behind today's vote, several unanswered
questions loom large, including how to win support for the system from
online retailers.
Most states have "use tax" laws that require people to file a special form
for reporting the sales taxes they owe on items bought online, but such
laws are notoriously difficult to enforce, and few people actually comply
with them.
Rather than going after use taxes, all of the participating states plan to
entice online merchants to collect sales taxes voluntarily by sharing with
them a portion of the tax revenues that they remit. Currently, one-third of
all states share sales tax revenues with online retailers, with
reimbursement rates ranging from a half percent to 1.75 percent of the
total taxes collected.
Revenue sharing aside, small and large Internet businesses that maintain a
physical presence in just a handful of states while selling to customers
nationwide are likely to balk at the costs of collecting sales taxes, said
Richard Prem, director of global indirect taxation for Amazon.com.
A unified revenue-sharing model envisioned in the states' plan fails to
"come anywhere close to scratching the surface of the cost" of complying
with the system, he said.
Internet vendors would likely bear substantial costs just in terms of the
tax preparation needed to file as many as 45 separate tax returns each
year, experts contacted for this story said.
Under the states' plan, online sellers would be required to purchase
approved software to compute the appropriate state and local taxes or to
certify with the state any in-house calculation systems already in place.
E-tailers could choose to outsource tax collection to a certified
third-party under the states' plan.
So far, participating states have conducted only one tax software pilot,
involving four states, three technology vendors, and one online seller.
Of the technology vendors participating in the pilot, just one -- Salem,
Mass.-based Taxware, working in conjunction with Hewlett-Packard -- managed
to get a system up and running.
The online store in that pilot was O.C. Tanner Co., the Salt Lake
City-based company that forged the medals for the 2002 Winter Olympic Games.
O.C. Tanner tax manager Jake Garn said Taxware's software worked well, but
wondered whether the system would function as smoothly when subjected to a
much larger volume of queries from all 45 participating states.
"[T]his was very small transaction volume compared to the level of traffic
our main business generates," Garn said.
Neither supporters nor opponents of the plan have a clear idea how much the
whole collection and remittance package would cost the average Internet
merchant, though the participating states plan to conduct a comprehensive
study in the coming months. They also are planning to run another tax
technology pilot.
Aside from the cost considerations, though, opponents of the plan say it
would be tough to enforce and could infringe on consumer privacy.
"Whether I'm buying prescription drugs or sex toys online, someone is going
to have to keep track of what I bought so they can figure out how to tax
it," said Grover Norquist, president of Americans for Tax Reform. "How do
you do this without massive violations of privacy?"
Under the states' plan, certified software vendors and service providers
would calculate and report taxes without retaining the consumer's
personally identifiable information. According to the proposal, that
information would be kept only for items that are deemed exempt from
taxation, a qualification that varies from state to state.
The sales tax effort may also pit small Internet sellers against larger
operations. Larger Internet retailers that maintain offices or sales forces
in the majority of the states stand the most to gain from the states' plan,
the NRF's Riehl conceded. Larger retailers also are more likely to already
have built in-house tax collection and remittance systems.
"The (sales tax) simplifications alone are going to amount to a net cost
savings for our members," she said. "We see the reimbursements as a long
overdue acknowledgement that there's a substantial cost to doing this."
Questionable Fate in GOP Congress
Streamlined Sales Tax Project supporters said they expect states
representing a fifth of the U.S. population to pass implementing
legislation by June 2003, the end of the fiscal year for most states.
"I think by the middle of next year at least 10 states will have passed the
necessary legislation, particularly when they start noticing the millions
of dollars it will take to settle their deficit situations," said Neil
Osten, communications director for the National Conference of State
Legislatures, which fully supports the simplification effort.
It remains unclear, however, whether or when the Republican-controlled
Congress would recognize the compact.
The current legal block to online sales taxes dates back to 1992, when the
U.S. Supreme Court ruled that merchants cannot be required to collect sales
tax unless they have a physical location in the state where the customer is
located. The court said it would be unfair to require out-of-state sellers
to comply with thousands of state and local tax jurisdictions across the
nation. But the high court also ruled the Congress has the authority to
allow states to require remote sellers to collect taxes.
In 1998 and again last year, Congress debated tying legislation to reward
the states' efforts -- should enough of them simplify their tax systems --
to a bid to extend a ban on Internet-specific taxes, such as taxes on
Internet access fees. In each case, Congress voted to extend the ban
without including the simplification incentives.
A least one influential opponent of the effort is already planning
legislation that would keep the Internet access tax ban from being "taken
hostage" as a vehicle for considering the states' proposal.
Sen. George Allen (R-Va.) said the first piece of legislation he will
introduce next year would be a standalone bill to permanently extend the
ban on new Internet-specific taxes.
"If the states want to come up with their own simplification schemes,
that's fine. But that still doesn't make it right to require someone who
has no representation in your state to pay taxes there," said Allen, who
heads the Senate Republican High-Tech Task Force.
Leavitt and other supporters of the proposal disputed arguments such as
Allen's.
"It ignores the fact that sales and use taxes aren't imposed on people who
collect them, they are paid by the people doing the buying," Leavitt said.
In the meantime, online retailers would be wise to seize the
revenue-sharing incentives included in the states' plan before it's too
late, O.C. Tanner's Garn said.
"If the states are right, and enough business shifts online that it creates
a much larger cost disadvantage, the states may then have the political
muscle they need to get Congress to back this without any" revenue sharing
for retailers, he said. "Maybe it's a good thing to try to see the future
and work for a mutual solution."
******************************
Associated Press
U.S. Cracks Case of British Hacker
Mon Nov 11, 5:49 PM ET
By TED BRIDIS, Associated Press Writer
WASHINGTON (AP) - Federal authorities have cracked the case of an
international hacker who broke into roughly 100 unclassified U.S. military
networks over the past year, officials said Monday.
Officials declined to identify the hacker, a British citizen, but said he
could be indicted as early as Tuesday in federal courts in northern
Virginia and New Jersey. Those U.S. court jurisdictions include the
Pentagon (news - web sites) in Virginia and Picatiny Arsenal in New Jersey,
one of the Army's premier research facilities.
The officials declined Monday to say whether this person was already in
custody, but one familiar with the investigation, who spoke only on
condition of anonymity, said investigators consider the break-ins the work
of a professional rather than a recreational hacker.
Authorities planned to announce details of the investigation Tuesday
afternoon.
Officials said U.S. authorities were weighing whether to seek the hacker's
extradition from England, a move that would be exceedingly rare among
international computer crime investigations.
Officials said this hacker case has been a priority among Army and Navy
investigators for at least one year. One person familiar with the
investigation said the hacker broke into roughly 100 U.S. military
networks, none of them classified. Another person said the indictments were
being drafted to reflect break-ins to a "large number" of military networks.
In England, officials from the Crown Prosecution Service, Scotland Yard and
the Home Office declined comment Monday.
A civilian Internet security expert, Chris Wysopal, said that a
less-skilled, recreational hacker might be able to break into a single
military network, but it would be unlikely that same person could mount
attacks against dozens of separate networks.
"Whenever it's a multistage attack, it's definitely a more sophisticated
attacker," said Chris Wysopal, a founding member of AtStake Inc., a
security firm in Cambridge, Mass. "That's a huge investigation."
The cyber-security of U.S. military networks is considered fair, compared
to other parts of government and many private companies and organizations.
But until heightened security concerns after the Sept. 11 attacks, the
Defense Department operated thousands of publicly accessible Web sites.
Each represented possible entry-points from the Internet into military
systems unless they were kept secured and monitored regularly.
It would be very unusual for U.S. officials to seek extradition. In
previous major cyber-crimes, such as the release of the "Love Bug" virus in
May 2000 by a Filipino computer student and attacks in February 2000 by a
Canadian youth against major American e-commerce Web sites, U.S.
authorities have waived interest in extraditing hacker suspects to stand
trial here.
Once, the FBI (news - web sites) tricked two Russian computer experts,
Vasily Gorshkov and Alexey Ivanov, into traveling to the United States so
they could be arrested rather than extradited. The Russians were indicted
in April 2001 on charges they hacked into dozens of U.S. banks and
e-commerce sites, and then demanding money for not publicizing the break-ins.
FBI agents, posing as potential customers from a mock company called Invita
Computer Security, lured the Russians to Seattle and asked the pair for a
hacking demonstration, then arrested them. Gorshkov was sentenced to three
years in prison; Ivanov has pleaded guilty but hasn't been sentenced.
But the Bush administration has toughened anti-hacking laws since Sept. 11
and increasingly lobbied foreign governments to cooperate in international
computer-crime investigations. The United States and England were among 26
nations that last year signed the Council of Europe Convention on
Cybercrime, an international treaty that provides for hacker extraditions
even among countries without other formal extradition agreements.
There have been other, high-profile hacker intrusions into U.S. military
systems.
In one long-running operation, the subject of a U.S. spy investigations
dubbed "Storm Cloud" and "Moonlight Maze," hackers traced back to Russia
were found to have been quietly downloading millions of pages of sensitive
data, including one colonel's e-mail inbox. During three years, most
recently in April 2001, government computer operators watched as reams of
electronic documents flowed from Defense Department computers, among others.
In 1994, two young hackers known as "Kuji" and "Datastream Cowboy" were
arrested in England on charges they broke into the U.S. Air Force's Rome
Laboratory. They planted eavesdropping software that allowed them to
monitor e-mails and other sensitive information.
*******************************
Washington Post
U.S. Hopes to Check Computers Globally
System Would Be Used to Hunt Terrorists
By Robert O'Harrow Jr.
Tuesday, November 12, 2002; Page A04
A new Pentagon research office has started designing a global
computer-surveillance system to give U.S. counterterrorism officials access
to personal information in government and commercial databases around the
world.
The Information Awareness Office, run by former national security adviser
John M. Poindexter, aims to develop new technologies to sift through
"ultra-large" data warehouses and networked computers in search of
threatening patterns among everyday transactions, such as credit card
purchases and travel reservations, according to interviews and documents.
Authorities already have access to a wealth of information about individual
terrorists, but they typically have to obtain court approval in the United
States or make laborious diplomatic and intelligence efforts overseas. The
system proposed by Poindexter and funded by the Defense Advanced Research
Projects Agency (DARPA) at about $200 million a year, would be able to
sweep up and analyze data in a much more systematic way. It would provide a
more detailed look at data than the super-secret National Security Agency
now has, the former Navy admiral said.
"How are we going to find terrorists and preempt them, except by following
their trail," said Poindexter, who brought the idea to the Pentagon after
the Sept. 11, 2001, terrorist attacks and now is beginning to award
contracts to high-technology vendors.
"The problem is much more complex, I believe, than we've faced before," he
said. "It's how do we harness with technology the street smarts of people
on the ground, on a global scale."
Although formidable foreign policy and privacy hurdles remain before any
prototype becomes operational, the initiative shows how far the government
has come in its willingness to use information technology and expanded
surveillance authorities in the war on terrorism.
Poindexter said it will take years to realize his vision, but the office
has already begun providing some technology to government agencies. For
example, Poindexter recently agreed to help the FBI build its
data-warehousing system. He's also spoken to the Transportation Security
Administration about aiding its development of a massive
passenger-profiling system.
In his first interview since he started the "information awareness"
program, Poindexter, who figured prominently in the Iran-contra scandal
more than a decade ago, said the systems under development would, among
other things, help analysts search randomly for indications of travel to
risky areas, suspicious e-mails, odd fund transfers and improbable medical
activity, such as the treatments of anthrax sores. Much of the data would
be collected through computer "appliances" -- some mixture of hardware and
software -- that would, with permission of governments and businesses,
enable intelligence agencies to routinely extract information.
Some specialists question whether the technology Poindexter envisions is
even feasible, given the immense amount of data it would handle. Others
question whether it is diplomatically possible, given the sensitivities
about privacy around the world. But many agree, if implemented as planned,
it probably would be the largest data-surveillance system ever built.
Paul Werbos, a computing and artificial-intelligence specialist at the
National Science Foundation, doubted whether such "appliances" can be
calibrated to adequately filter out details about innocent people that
should not be in the hands of the government. "By definition, they're going
to send highly sensitive, private personal data," he said. "How many
innocent people are going to get falsely pinged? How many terrorists are
going to slip through?"
Former senator Gary Hart (D-Colo.), a member of the U.S. Commission on
National Security/21st Century, said there's no question about the need to
use data more effectively. But he criticized the scope of Poindexter's
program, saying it is "total overkill of intelligence" and a potentially
"huge waste of money."
"There's an Orwellian concept if I've ever heard one," Hart said when told
about the program.
Poindexter said any operational system would include safeguards to govern
the collection of information. He said rules built into the software would
identify users, create an audit trail and govern the information that is
available. But he added that his mission is to develop the technology, not
the policy. It would be up to Congress and policymakers to debate the issue
and establish the limits that would make the system politically acceptable.
"We can develop the best technology in the world and unless there is public
acceptance and understanding of the necessity, it will never be
implemented," he said. "We're just as concerned as the next person with
protecting privacy."
Getting the Defense Department job is something of a comeback for
Poindexter. The Reagan administration national security adviser was
convicted in 1990 of five felony counts of lying to Congress, destroying
official documents and obstructing congressional inquiries into the
Iran-contra affair, which involved the secret sale of arms to Iran in the
mid-1980s and diversion of profits to help the contra rebels in Nicaragua.
Poindexter, a retired Navy rear admiral, was the highest-ranking Regan
administration official found guilty in the scandal. He was sentenced to
six months in jail by a federal judge who called him "the decision-making
head" of a scheme to deceive Congress. The U.S. Court of Appeals overturned
that conviction in 1991, saying Poindexter's rights had been violated
through the use of testimony he had given to Congress after being granted
immunity.
In recent years, he has worked as a DARPA contractor at Syntek Technologies
Inc., an Arlington consulting firm that helped develop technology to search
through large amounts of data. Poindexter now has a corner office at a
DARPA facility in Arlington. He still wears cuff links with the White House
seal and a large ring from the Naval Academy, where he graduated at the top
of his class in 1958.
As Poindexter views the plan, counterterrorism officials will use
"transformational" technology to sift through almost unimaginably large
amounts of data, something Poindexter calls "noise," to find a discernable
"signal" indicating terrorist activity or planning. In addition to
gathering data, the tools he is trying to develop would give analysts a way
to visually represent what that information means. The system also would
include the technology to identify people at a distance, based on known
details about their faces and gaits.
He cited the recent sniper case as an example of something that would have
benefited from such technology. The suspects' car, a 1990 Chevrolet
Caprice, was repeatedly seen by police near the shooting scenes. Had
investigators been able to know that, Poindexter said, they might have
detained the suspects sooner.
The office already has several substantial contracts in the works with
technology vendors. They include Hicks & Associates Inc., a national
security consultant in McLean; Booz Allen Hamilton Inc., a management and
technology consultant in McLean; and Ratheon Corp., a technology company
that will provide search and data-mining tools. "Poindexter made the
argument to the right players, so they asked him back into the government,"
said Mike McConnell, a vice president at Booz Allen and former director of
the NSA.
The office already has an emblem that features a variation of the great
seal of the United States: An eye looms over a pyramid and appears to scan
the world. The motto reads: Scientia Est Potentia, or "knowledge is power."
*************************
Mercury News
Weapons inspectors count on new technology
By Lisa M. Krieger and Dan Stober
Some of the world's best scientific detectives soon will be shipped off to
one of the planet's harshest environments, with the prospect of war hanging
over every move they make.
Armed with some of the latest sleuthing technologies, international
inspectors will be searching through Iraq, looking for weapons that may or
may not exist.
What they discover amid Iraq's heat, dust and hostility could not only
determine whether that country comes under attack from the United States,
but also could have global implications for arms control and the
proliferation of weapons of mass destruction.
Inspectors will come equipped with state-of-the-art sensors -- but they
will face challenges never confronted in a scientific lab. There could be
delays, obstructions, bugging, obscured evidence and a succession of
manufactured crises designed to complicate a search. They have a deadline:
They must report back to the United Nations within three months. It will be
hot and dirty, with electricity in short supply. The stakes will be global,
the pressure intense. It's like no other science project.
The U.N. Security Council on Friday backed a tough resolution that gives
the inspectors ``immediate, unimpeded and unconditional'' rights to search
anywhere for weapons of mass destruction, including Iraqi President Saddam
Hussein's presidential palaces. An advance team of U.N. weapons inspectors
will arrive in Baghdad the last week of November. Iraq denies it has any
such weapons.
``The tougher the inspection, the greater will be its chance of success,''
said Joseph Cirincione, director of the Non-Proliferation Project of the
Carnegie Endowment for International Peace in Washington, D.C. ``And,
perhaps paradoxically, the tougher the inspections, the greater the
likelihood that war can be avoided. If it's easy for Iraq to evade
inspection, the more likely it is that Americans will think it's all a sham
-- and will feel that our only recourse is to go to war.''
There are many new detection tools available to the inspectors since they
last visited Iraq in 1998, then left after repeated disputes about access
to suspected sites, prompting Desert Fox, a U.S. bombing campaign. These
include:
? Permanent stationary cameras that will monitor everything from Iraqi
stores of natural uranium ore to tests of short-range rockets.
? Portable X-ray devices that can instantly determine the composition of
specialized metal parts, which may be a tipoff to the true use of a piece
of industrial machinery.
? Hand-held detectors that use advanced Polymerase Chain Reaction
technology to identify anthrax and other organisms.
? Laptop computers equipped with global-positioning systems to help the
inspectors get around the desert quickly, while encrypted communications
allow them to plan surprise inspections without the Iraqis eavesdropping.
Old-fashioned intelligence work is just as important, answering questions
such as: Who are Iraq's key scientists? Where do they work? Where were they
trained?
While there are many places to hide a lab in a nation the size of
California, relatively few people know the inner workings of these labs.
Since inspectors last visited, the CIA says, there is good evidence that
Iraq has maintained its chemical weapons efforts, energized its missile
program and invested more heavily in biological weapons. How quickly Iraq
will obtain its first nuclear weapon depends on when it acquires sufficient
weapons-grade material.
Some production facilities are thought to be concealed; others may be
mobile. Still others are likely to be dual-use, meaning they can be readily
diverted from peacetime chemicals to chemical weapons production.
``A realistic goal of the U.N. inspection regime is not to eliminate every
last weapon, which is probably impossible, but to deny Iraq a militarily
significant weapons capability, which I believe is probably do-able,'' said
Jonathan Tucker, a senior fellow at the United States Institute of Peace
and a 1995 biological weapons inspector in Iraq, at a Washington, D.C.,
press briefing last month.
Once in the field, inspectors will seek evidence of:
Nuclear weaponsIraq retains its cadre of nuclear scientists and
technicians, its program documentation and sufficient dual-use
manufacturing capabilities to support a reconstituted nuclear weapons
program, according to the CIA. It has growing access to nuclear-related
technology and materials and potential access to foreign nuclear expertise.
The nuclear inspection teams are ultra-specialized. First, they will look
for familiar faces -- are the Iraqi nuclear scientists still working
together, and where? Although President Bush has publicly drawn attention
to satellite photographs of new construction near former Iraqi nuclear
sites, the action team places as much importance on face-to-face
conversations with Iraqi scientists as on construction sites.
``They fly around in helicopters with radiation detectors, but it's of
limited value,'' said one U.S. intelligence analyst, who asked that his
name not be used. ``They would only find large, industrial-scale nuclear
process, which Iraq is not dumb enough to have.''
On the ground, he added, ``hand-held radiation detectors aren't that
useful. The chances of accidentally stumbling upon something with a
radiation detector are nil. . . . Carrying a radiation detector is extra
weight in the backpack.''
So, inspectors will look for the 40-odd specific components in nuclear
bomb-making, such as uranium-processed fuel or certain types of machinery.
And they will establish monitoring stations to sample air, water and
vegetation for signs of radiation.
Chemical warfare Baghdad is presumed to have begun renewed production of
chemical warfare agents, probably including mustard gas, sarin, cyclosarin
and VX. While some capability was reduced during past inspections and it is
probably more limited now than it was at the time of the gulf war, VX
production and agent storage life probably have been improved.
Certain chemicals that can be used to make weapons are completely
off-limits because of an international ban, said Fred Milanovich of
Lawrence Livermore National Laboratory, who headed up the program to
develop detectors in the early 1990s.
More complicated will be how to handle the hundreds of tons of chemical
warfare agents thought to hide within Iraq's civilian chemical industry,
such as the chlorine and phenol plants at the Fallujah II facility near
Baghdad. Both chemicals have legitimate civilian uses -- but also are raw
materials used to produce blister and nerve agents.
The installation of closed-circuit video cameras and air-sampling devices
by U.N. inspectors at these facilities could monitor the use of these labs.
The U.N. teams also will track chemical procurement efforts both inside and
outside Iraq by Iraqi diplomats abroad. They suspect that many covert
transactions have occurred between Iraq and hundreds of private companies
from more than 40 countries.
Biological weapons Iraq acknowledged in 1995 that prior to the gulf war, it
had produced large quantities of anthrax spores, botulin toxin and a fungal
poison called aflatoxin; filled them into at least 166 aerial bombs and
Scud missile warheads; and stockpiled them, ready for use.
Although Iraq claimed to have destroyed its biological arsenal after the
war, U.N. inspectors believe that Iraq may still be hiding a cache of
anthrax spores and germ-filled warheads, or planning to make more.
The country's castor oil production plant, for example, can produce ricin
toxin. The toxin can cause multiple organ failure within one or two days
after inhalation. Iraq admitted to the U.N. Special Commission on Iraq that
it manufactured ricin and field-tested it in artillery shells before the
gulf war.
Because biological weapons are so potent, yet much cheaper and easier to
produce than nuclear weapons, they have been called ``the poor man's atomic
bomb.''
Like chemical weapons, biological weapons can be produced in legitimate
medical and agricultural labs. Iraq has the capability to quickly convert
vaccine and bio-pesticide plants to biological warfare production.
For example, UNSCOM learned that during 1988 alone, Iraq had imported
nearly 39 tons of a complex growth medium suitable for growing large
quantities of bacteria such as anthrax -- but could only account for 22
tons of the medium in Iraq, leaving 17 tons unexplained. This provided
strong circumstantial evidence for large-scale production of anthrax and
other biological agents.
Further, biological agents are abundant in nature, making detection more
difficult, Milanovich said. ``A lot of the stuff is naturally occurring,
right? . . . So detection of biological weapons is just a little more
difficult.''
Therefore, any detection system is dependent on knowing the signatures of
organisms likely to be used in biological weapons. These signatures are
telltale bits of DNA unique to pathogens.
It is equally important to rule out the hordes of harmless germs -- often
the close relatives of pathogens. So scientists also are characterizing
natural microbial backgrounds, collecting background microbial samples in
air, water and soil, as well as in human blood, urine and saliva.
Since the last time inspectors visited Iraq, biological weapon detection
tools have gotten faster and more definitive, said Pat Fitch, director of
Lawrence Livermore's Chemical and Biological National Security Program.
``They've gotten smaller, they can do more tests, and they typically are
cheaper and easier to operate,'' he said. ``They don't require a
three-letter degree after your name.''
Scientists are also working with the Santa Clara-based company Affymetrix
to develop gene chips similar to computer chips that can store genetic
information on unique diagnostic regions for various pathogen strains,
allowing for quick analysis of unknown agents.
``This time around, it should be possible to do much more rapidly, to see
what kind of organism they're dealing with and get much more definitive
answers,'' said Stanford biophysicist Steven Block, a senior fellow at the
Institute for International Studies and a biochemical weapons expert.
``The more accurately you can measure,'' Block said, ``the more you can
say, `Something was here yesterday but might have been removed.' ''
******************************
Seattle Times
Eyes become IDs for refugees, air travelers
By Porus P. Cooper
Knight Ridder Newspapers
Thousands of refugees in an ancient, war-scarred corner of the world are
being tracked with identification technology so new it isn't in widespread
use anywhere.
The refugees are Afghans in Pakistan, seeking to go home, and the
iris-recognition technology is provided by Iridian Technologies, a
Moorestown, N.J., company that is virtually alone in this field.
Cameras and readers are used to detect refugees who have been straining
United Nations resources by coming back for multiple helpings of aid
instead of going home.
Each iris, the colored portion of the eye around the pupil, has a unique
texture, much as a fingerprint does, but with more details. The Iridian
process involves taking an electronic, close-up picture of an iris and then
digitally coding its texture. The data are stored for future matching.
It is quick and relatively unobtrusive, said Jerry Ruddle, head of sales
for Iridian.
The technology has obvious security uses.
The Pentagon and a small but increasing number of ports of entry, such as
Schiphol Airport in Amsterdam, the Netherlands, and some terminals at New
York's JFK Airport and London's Heathrow Airport, have installed
iris-identification devices to sift trusted visitors or frequent fliers
from others. Iridian recently concluded a deal with Canadian authorities to
install such devices at Toronto and Vancouver, B.C., airports.
Financial strain
It was the financial strain of handling hundreds of thousands of refugees
from Afghanistan in the past year that prompted the United Nations' refugee
agency to set up a test program this month at a refugee camp outside
Peshawar, Pakistan.
The agency found that about 20 percent of the refugees were improperly
seeking benefits, many of them returning repeatedly for assistance instead
of going home.
Returning refugees get food and provisions, such as bags of wheat and hand
tools. Each also receives up to $30 for truck or bus transport to his or
her hometown, said Jack Redden, a spokesman for the U.N. refugee operation
in Pakistan.
About 2,000 refugees were processed every day in the first few days of the
iris-recognition test. The number is closer to 1,000 now, Redden said,
because the weather is turning cold, discouraging many refugees from
attempting the rugged journey. The repatriation camp is likely to close for
the winter at the end of the month, he said.
Even the smaller numbers, however, constitute one of the largest real-world
tests of the Iridian technology. In another significant test earlier in the
year, Saudi Arabia installed iris-recognition devices to monitor about
25,000 pilgrims making the hajj, or journey to Mecca. Some American prison
systems have also been using the technology to prevent erroneous releases
of inmates.
These are among the largest field tests of the technology, though half a
million visitors tried it out at an exhibit at the Millennium Dome in
London in 2000.
The use of the technology by the hajj authorities and the United Nations
validates it "as a viable alternative," said Bill Willis, chief technology
officer at Iridian.
Biometric family
Iris recognition vies for attention in the field of so-called
biometric-identification technologies that include fingerprinting, hand
geometry and face and voice recognition.
Iridian, which received a $33.3 million investment from a group led by GE
Equity two years ago, will not divulge its annual revenue. But the company,
which has 25 employees in Moorestown, is profitable, Ruddle said.
It once employed many more but has since changed its business model. It now
licenses its software to equipment manufacturers such as Panasonic and
contractors such as BioID.
"The Iridian people will claim that iris recognition is the most accurate
biometric, but the problem is that iris recognition has not been installed
in as large a database as fingerprints," said Anil Jain, an expert in
pattern-recognition technologies at Michigan State University in East
Lansing, Mich.
Privacy concerns are a big reason why the adoption of iris-recognition and
other electronic-identification databases has lagged in the United States
and Europe.
"In Germany and Holland, for example, it would be inconceivable to store
biometric information in computer databases," said Machiel van der Harst,
chief operating officer of BioID, which has offices in Langhorne, Pa.;
Geneva, Switzerland; and Riyadh, Saudi Arabia. The company is licensed to
use Iridian's software.
The project at Schiphol Airport, for instance, involves a few thousand
passengers who opt to carry smart cards bearing their iris data. There is
no central database of the information.
"In the Middle East, there is less of that concern, which facilitates
larger rollouts," van der Harst said.
BioID is financed by Saudi Arabian investments and uses a variety of
identification technologies, van der Harst said.
Not a single hajj pilgrim declined the iris check, he said.
Somewhat to his surprise, the U.N.'s Redden said, he, too, has seen no one
reject the check in the dusty repatriation camp in the shadow of the Khyber
Pass.
The refugees, like the pilgrims, are Muslims, and the women usually are
veiled.
"I thought they might be nervous or suspicious," Redden said, and some
refused to be photographed for traditional documents. "But even the women
with chadors had no problem lifting (the veils) for an iris check."
As for privacy concerns, Redden said nothing was recorded besides the
digital code of the iris, and even that information is not linked to any
other information. The software was changed to make it incapable of
recording any other personal information, he said.
"All we care about is whether or not a given iris shows up twice."
********************************
Chronicle of Higher Education
Baking Soda, Vinegar, and Measuring Cups Become Lab Materials for Online
Chemistry Course
By DAN CARNEVALE
Two science professors have cooked up a way for distance-education students
to fulfill their science-lab requirements -- by turning their kitchens into
chemistry labs. The professors say their approach, currently being
fine-tuned, can help provide online students with laboratory courses, which
are often required for undergraduate degrees.
Instead of using test tubes and beakers, the students make do with
measuring cups and saucepans. The professors say the students come out with
an understanding of introductory chemistry comparable to that of their
on-campus peers.
Doris R. Kimbrough, an associate chemistry professor at the University of
Colorado at Denver, and Jimmy Reeves, an associate professor of chemistry
at the University North Carolina at Wilmington, developed the course.
"Virtually all basic-studies programs require a lab science," Mr. Reeves
says. "The problem with doing a lab-science course online is, of course,
How do you do the lab?"
The course was financed by a four-year, $400,000 grant from the U.S.
Department of Education. This is the third year that the professors have
been offering the online chemistry lab. So far, nobody's house has blown up
or burned down. "All my students still have all their fingers and toes,"
Ms. Kimbrough says. "It's going well."
The professors say the experiments are safe, and that most of them use
items found in a typical household kitchen, such as milk, nuts, vinegar,
baking soda, and matches. Students need to get a quality scale, which they
can buy online for about $40. But the rest of the material can be purchased
from the local grocery store or a Wal-Mart.
At the University of North Carolina at Wilmington, the course is offered
entirely online to first-semester science majors, who enroll in the course
through nearby Cape Fear Community College. Students can seek help on the
Cape Fear campus if they have trouble following the instructions for the labs.
At the University of Colorado at Denver, meanwhile, the home-laboratory
course is offered to non-science majors. Students attend the course's
lectures in a traditional classroom but conduct the lab experiments in
their kitchens. Ms. Kimbrough wants to keep a portion of the course
face-to-face while the bugs are being worked out in preparation for
converting the entire course to an online format in the future, possibly
this coming summer.
The precaution proved necessary. The first time students tried to run the
experiments at home, many of them became confused by the printed
instructions. They sought help during the following lecture period.
Ms. Kimbrough tries to keep the experiments simple and fun. "These are
pretty science-phobic folks here," she says.
In one experiment, the student sticks a pin into a nut, such as a walnut or
pecan, and ignites the nut with a match.
The oil in the nut begins to burn. The student heats water with the flame
from the nut and measures the rise in the water's temperature. Then the
student uses the temperature difference to calculate how many calories the
nut contained.
The results are usually not very accurate, Ms. Kimbrough says. The students
will come up with calorie counts that are three to four points different
from those offered on the nutrition label on the nuts' packaging, which is
typically more precise. But the results in an on-campus chemistry lab are
usually just as badly skewed, she says.
"The experiment has some flaws," Ms. Kimbrough says. "You've got this
charred form of former nut, but it probably has some combustibles left in it."
Also, the flame is heating the air around it, in addition to the water. So
students are instructed to figure out how to design a better experiment.
She says the answers the students give are often creative, such as running
the experiment in a high-oxygen environment or doing it on one of the space
shuttles.
Even though a lot of the suggestions "are not really realistic
experiments," Ms. Kimbrough says, "it shows they're thinking about it."
Ms. Kimbrough says students enjoy the mix of experiments they get to do.
"We've gotten a lot of mileage out of baking soda and vinegar," she says.
"It's a cute reaction because it gives off gas."
In that experiment, students are asked to mix the two ingredients together
and measure the weight loss as the chemicals react, giving off carbon
dioxide. "You can actually see the weight loss on the balance as the
chemical reaction takes place," Mr. Reeves says.
While students have fun making smoke and fire, Mr. Reeves says, they are
also learning at least as much as they would learn in an on-campus
chemistry lab. Online students outperformed on-campus students on the final
exams and on the in-lab practical exams that Mr. Reeves gave on the campus
to some of the distance-education students to see how they stacked up
against the campus students.
Despite the success, Mr. Reeves says, he does not believe chemistry majors
should take courses in the discipline online after their first semester.
Students in advanced courses need to learn complex skills and how to use
specialized equipment. "Those kinds of skills can't be taught outside the
laboratory setting," he says.
But the online course helps non-science majors and first-semester students
get a taste of chemistry while working comfortably in their own kitchens.
"It really gives them the sense that chemistry is not just something that
happens in a chemistry lab -- that it goes on all the time," Ms. Kimbrough
says. "And as a science teacher, that's pretty exciting."
*******************************
New York Times
A Networked World's Final Frontier: The Airplane
By SUSAN STELLIN
On a recent flight from New York to Oakland, Calif., Madeline Duva worked
her BlackBerry pager with the intensity of a pinball player, right up until
the second of four announcements from the flight crew reminding passengers
that all electronic devices must be turned off.
Ms. Duva, a vice president with a San Francisco financial-data company,
Sector Data, complied with the request, but said the communications
blackout during the six-hour flight left her worrying about a last-minute
directive to a colleague. "Now I'm sitting here and I'm thinking, `I hope
that order went in,' " she said.
Despite her anxiety over the status of the deal and whether a friend had
gotten World Series tickets she resisted the urge to download e-mail
messages to her BlackBerry for the duration of the flight. "You want to
play by the rules, because you don't know if it could cause a problem," she
said.
Like many gadget-toting business travelers, Ms. Duva regularly inhabits
what might be described as the eye of the information hurricane: in an era
of information overload, air travel remains a unique exception to an
increasingly networked world. Not only can passengers not get information
about whether a deal went through or who is ahead in the bottom of the
seventh inning, they cannot seem to get a satisfying explanation for why
they cannot use their cellphones, BlackBerries or a host of other
electronic devices in the air.
In the meantime, there is a continuing face-off between passengers who
surreptitiously and sometimes, blatantly use gadgets to send text
messages or even make voice calls, and flight crews who must keep an eye
out for thumbs tapping away under a tray table (and then determine whether
a particular device can safely be used for other tasks with its phone
feature shut off).
Indeed, two flight attendants on the same Oakland-bound flight said that on
every flight a handful of passengers have to be asked to turn off
electronic devices, and that travelers were not always willing to oblige.
"At least we have passengers who tell us people are trying to do it behind
our backs," said one flight attendant, who insisted that her name not be
used, adding that part of the problem is that travelers do not believe that
these devices cause interference with the aircraft's communications system.
Whether electronic gadgets that emit radio signals do in fact compromise
the safety of the aircraft is a matter of some debate, one complicated by
the public perception that many people have illicitly used a cellphone or
pager in an aircraft from time to time, and so far, no plane has crashed
because someone's phone rang.
"Most of the time, nothing ever goes wrong," said Joe Burns, an Airbus
captain who serves as director of flight standards and technology for
United Airlines. "When passengers see that, it builds up the opinion in
their mind that these things are safe. But we do have some documented
evidence that these things can cause problems on specific aircraft."
Part of Captain Burns's job is to evaluate which technology can safely be
used on planes, both in the cabin and in the cockpit. In the past, he said,
manufacturers had to demonstrate that their technology was safe to use in
the air; now the burden of proof has in some sense shifted to the airline
industry to determine which emerging technologies cause interference.
"Our real concern moving forward is the proliferation of these PDA's with
wireless communication devices built in," he said. "We have to keep on the
leading edge to determine which devices are actually transmitting."
Another complicating factor is confusion over who is responsible for making
the rules. The ban on cellphone use in aircraft was issued by the Federal
Communications Commission, not out of concern for passengers' safety, but
because using cellphones in the air can cause problems with wireless
networks on the ground.
Paul Takemoto, a spokesman for the Federal Aviation Administration, said
the F.A.A. itself did not ban the use of specific portable electronic
devices, but prohibited the airlines from allowing passengers to use them
unless the carriers can prove the devices do not interfere with
communications systems. Although Mr. Takemoto said the agency was looking
closely at the multitude of wireless devices that are becoming popular, the
burden has fallen on the airlines to police the issue.
Of course, it has not helped matters that plans to offer air travelers
Internet access or messaging capabilities, tantalizingly within reach a
year and a half ago, have been suspended as the airlines focus on other
priorities, like new security measures and profitability.
Two of the leading initiatives to bring enhanced communication services to
aircraft are testing their technologies with international carriers and
private jets, but no one is willing to guess when America's airlines will
have the money for this type of investment.
Connexion by Boeing, a division of Boeing that delivers a broadband
Internet connection to aircraft, will start a trial with Lufthansa in
January on a 747 flying from Frankfurt to Dulles International Airport near
Washington. A month later, British Airways will test the technology on a
similar aircraft flying between Heathrow in London and Kennedy in New York.
The company also announced an agreement with Japan Airlines and currently
has government and corporate clients in the United States.
Using the Connexion by Boeing service, passengers can plug in their
laptops, open a Web browser and enter a credit card number to pay a fee of
$25 to $35 per flight segment for unlimited Internet access but not
anytime soon between, say, New York and Los Angeles.
Stan Deal, Connexion by Boeing's director of sales, said although American
carriers continued to express interest in the technology, "The main issue
for the U.S. is some level of economic stability and recovery." He added,
"There are too many unknowns out there to predict exactly when yet."
That perspective is echoed by John Wade, executive vice president for
strategic planning at Tenzing, a competing service that has developed
technology to offer Internet access in aircraft as well as a separate
messaging service that uses seat-back entertainment systems.
The messaging service, installed on one Virgin Atlantic aircraft, charges
passengers $2.50 to send a text message to a phone number or e-mail address
(passengers cannot receive replies yet). Tenzing's Internet service,
available on 30 Cathay Pacific aircraft, charges passengers $9.95 to give
them access to their e-mail accounts for viewing the sender and header of
unread mail (reading the entire e-mail costs an additional $1 for each
message).
Mr. Wade expects more airlines will opt for some type of messaging service
over high-speed Internet access, but declined to predict a time frame for
American carriers. "I think it would be unrealistic to give a date because
no airline has committed to it," he said. "But we are seeing renewed interest."
****************************
Federal Computer Week
Call for nominations
Editorial
Nov. 11, 2002
This week, Federal Computer Week begins the annual call for nominations for
the Federal 100 awards program.
The Fed 100, now in its 14th year, recognizes those individuals in
government and industry who played pivotal roles in the federal world of
information technology in 2002. As always, the key to winning is
demonstrating clearly that the nominee had an unusual impact on the IT
community because of uncommon dedication, inspirational ideas or
risk-taking. The awards recognize actions, ideas and visions that go beyond
the daily responsibilities of the individuals' jobs.
The winners, chosen by a panel of judges picked from top managers in
government and industry, are part of an all-star team, recognized for their
2002 accomplishments, not for lifetime achievements.
The awards are not a popularity contest, but recognize bold thinking and
actions that not everyone will think of as positive. Controversy is
expected, but everyone can agree that the winners had an impact on how
federal IT was used, bought or managed in 2002.
When making nominations, think of the key trends, events and ideas that
helped shape the direction of federal IT management and procurement. What
were the hot topics and imaginative procurement and managerial concepts
that shaped IT policies and use? It could be a new way of buying and
financing IT programs, or the judges could choose someone who developed a
new set of guidelines or policies that changed the IT landscape.
What IT programs broke new ground? Real people were behind those ideas and
changes. Those people will in all likelihood make good candidates for the
Fed 100 awards.
So, as we have done so many times in the past, we invite our more than
86,000 readers to visit our Web site at www. fcw.com, click on the Federal
100 logo and fill out the electronic form to nominate a government or
industry employee who made a difference.
The deadline for nominations is Jan. 3, 2003. So nominate early and often.
****************************
Computerworld
SpamWars
By MELISSA SOLOMON
NOVEMBER 11, 2002
You know from looking at your e-mail lately that it's possible to be
debt-free, have perfect skin and be a babe magnetwith a little help from
your new friends.
But at least employees at Stamford, Conn.-based Xerox Corp. are shielded
from such revolutionary offersthough the process hasn't been easy. Last
summer, Xerox's firewall team was blocking 150,000 spam e-mails a month. By
early fall, it was 60,000 messages a day, seven days a week, says Linda
Stutsman, manager of corporate information security and risk management.
In the past year, spam has moved beyond personal e-mail accounts, invading
business systems and graduating from societal pest to corporate enemy.
Companies are stockpiling their arsenalslists of legitimate senders and
known spammers, tools that pick up on spamlike content or behavior, digital
fingerprints and decoy e-mail addressesto fight this invasion. On the other
side, however, new and resourceful recruits lured by spam's promise of big
financial returns are constantly devising counterattacks.
"There's 10 times as much [corporate] spam this year as there was last
year," says Joyce Graff, an analyst at Stamford, Conn.-based Gartner Inc.
"It's mind-blowing. And the economics are on the spammers' side."
And, says Jason Catlett, president of Junkbusters Corp., a Green Brook,
N.J.-based antispam organization, the problem is getting worse. "Spam is
growing at a slightly faster rate than e-mail traffic," he says.
Weapons of War
The spam weapons that Graff finds most difficult to defend against are
harvesting tools. For $39.95, marketers can buy a "spambot" that searches
message boards and lists, culling up to 100,000 e-mail addresses in an
hour. Spambots also get into the relay game with organizations' message
transfer agents (MTA) by sending messages to, for example,
georgebrown@xxxxxxxxxxxxxx, georgebuckley@xxxxxxxxxxxxxx and so on, until
they find matches.
To combat these spambots, Graff says, organizations need to set up their
MTAs so they automatically disconnect as soon as they detect harvesting
attacks.
But, says Steve, a Washington-based spammer who asked to be identified by
only his first name, spammers are continually findingand sharingnew ways to
hide their identities. For instance, he's created a filter-evading script
that randomizes subject lines and source addresses so they're not easily
identified as bulk mail. Big-time spammers buy servers that can randomize
entire domains, says Steve.
Spammers scan the Internet for open relays in foreign countries so their
messages will be hard to trace. Or they set up free e-mail accounts and
dump them before they're caught. Spammers can blast out hundreds of
thousands of messages, each with customized content and source addresses,
and then quickly log out, says Mark Bruno, enterprise product manager at
Brightmail Inc., a San Francisco-based vendor that got its start filtering
e-mail for service providers but has since shifted its focus to corporations.
Spammers also write programs that load in multiple accounts so when one
account is terminated, another automatically kicks in, says Dan Clements,
CEO of CardCops.com, a Malibu, Calif.-based online credit card and
advertising fraud watchdog group.
It typically takes about two or three months from the time companies
install antispam software until they can effectively pick up on patterns.
But once they do so, some systems can weed out 90% of spam with a less than
1% false-positive rate, says Joe Fisher, senior product manager at
Tumbleweed Communications Corp., a Redwood City, Calif.-based messaging
security firm. And then vendors and their clients need to keep updating the
tools to stay ahead of the spammers.
"They're just making my job harder," says Steve. "But for them to stop
spammers is almost impossible. There's always going to be some guy who
knows how to build a new application, and everyone's going to get it."
Some antispam systems claim to stop virtually all spam, which accounts for
34% of all e-mail. These systems contain a variety of components:
? Blacklists that compile and distribute IP addresses of known spammers.
There are also whitelists, which companies can build to identify legitimate
senders.
? Content-analysis tools that look for keywords.
? Behavioral-analysis tools that look for patterns such as large numbers of
recipients or blind copies.
? Address-validation tools that do reverse Domain Name System lookups to
ensure the sender isn't trying to cloak his identity.
? Digital fingerprints developed with algorithms and heuristics, to
identify and block or filter common spam patterns.
? New products that can scan for graphics such as skin tones to combat
pornography, but those tools are still in their infancy, says Mark Levitt,
an analyst at IDC in Framingham, Mass.
Brightmail's probe networks, which are getting high marks from analysts and
antispam watchdogs, consist of dummy accounts set up through various
Internet service providers and corporate clients to attract spammers.
Brightmail monitors those networks to detect new tricks of the trade and
continually evolves its antispam rule book. New rules are distributed and
updated in clients' systems every 10 minutes, says Ren Chin, director of
product development at Brightmail.
After going through the battery of antispam indicators, a good filter will
assign percentages rating the probability that messages are spam, says
Graff. Depending on the comfort level of the organization, messages above a
certain level can be automatically deleted, while others can be stored in
spam folders for IT staff or users to review.
"This is not a perfect science," says Graff. "If some product claims to do
100%, run away from it, because they don't know what they're doing."
Xerox keeps pace with new commercial tools, but so far it has stuck with
its homegrown antispam system, says Stutsman. Xerox also subscribes to
blacklists. About 75% to 80% of Xerox's spam is blocked at the gate, and an
additional 20% of the remaining spam is later filtered out, says Stutsman.
Staying Alert
When 25% or more of Norfolk Southern Corp.'s inbound e-mail was being
identified as spam, Tony Samms knew something had to be done.
"It was a very hostile environment," says Samms, director of information
security at the Norfolk, Va.-based freight, natural resources and
telecommunications holding company. "Messages showed pictures of people
having sex right in the e-mail."
There were also the drains on employee productivity, bandwidth and storage
to consider. With close to 10,000 users and an average of 30,000 e-mails
per day, spam had become a big financial problem.
So at the end of last year, Norfolk Southern installed IronMail from
CipherTrust Inc. in Alpharetta, Ga. The tool sits on Norfolk Southern's
gateway and uses an array of filtering strategies. Even with the filter,
though, spam has managed to get into Norfolk Southern's system, so
employees have been building a local deny list by sending addresses to be
blocked to the information security department.
The biggest challenge has been avoiding false positives, says Samms. "We
don't want to block good e-mail, so we have to be careful," he says. For
instance, one employee's last name is Rape, so the company can't add that
to its list of words to be filtered out.
Samms says the 25% spam rate has been reduced to about 1% or 2%.
Santa Clara, Calif.-based Macrovision Inc. has opted for a voluntary
spam-fighting program, letting end users decide whether they want to use
the PerlMx filters from Vancouver, British Columbia-based ActiveState
Corp., which the company installed last spring. Then they customize their
filter settings, so the sales representatives can keep getting newsletters
peppered with terms like invest and bargain, for example, and the mailroom
clerks can keep solicitations to a minimum, according to Macrovision system
administrator Mike Stevens.
Stevens hasn't calculated the return on the $10,000 investment, but he says
productivity has jumped. "You get your return on investment back in a
relatively short time," he says.
*******************************
Computerworld
Bridex worm bites computer security company
By Paul Roberts, IDG News Service
NOVEMBER 11, 2002
In a bold move, a group of hackers launched a successful attack on the Web
server of Russian computer security company Kaspersky Labs Ltd., managing
to implant and distribute a copy of the recently discovered Bridex worm in
the company's e-mail newsletter.
The successful exploitation of Kaspersky's e-mail list followed what the
company described in a statement as a "massive attack" against its Web
server Friday evening, according to Denis Zenkin, head of corporate
communications at the Moscow-based company.
A statement posted on Kaspersky's Web site said the attack began Thursday
night.
According to Zenkin, the attackers used a sophisticated and "exotic" attack
to compromise the company's Web server and gain access to a folder
containing mail messages sent out by Kaspersky.
From those messages, the attackers were able to obtain the distribution
list for the company's e-mail newsletter. A copy of that newsletter was
distributed to Kaspersky's customers along with an attached executable file
containing the Bridex worm.
"Our IT security people were amazed that hackers got the idea for this kind
of hack attack," Zenkin said.
Zenkin refused to provide details on the attack, citing concerns that other
hackers would use that information to carry out further attacks. Zenkin did
disclose that Kaspersky's Web server runs the FreeBSD operating system,
which is a version of Unix, and the common Postfix e-mail server software.
Hackers weren't able to gain access to Kaspersky's e-mail address book, nor
were they able to penetrate areas of the Web server containing virus
signatures for Kaspersky's antivirus software, Zenkin said.
Zenkin declined to say whether antivirus definitions were posted in a more
secure area of the server, however, saying only that they were located in
different "territories" of the server that weren't affected by the attack.
Kaspersky's virus definitions use digital signatures that are verified by
the company's software before they are installed and used. Tampering with
Kaspersky's virus definitions -- for example, attempting to substitute
malicious code for a signature -- would be detected and rejected by the
company's software, Zenkin said.
According to Zenkin, Kaspersky knows of no customers who were infected by
the newsletter. Nonetheless, the company advised users to install the
IFrame-vulnerability patch available from Microsoft Corp.
Kaspersky staff first noticed the attack and took corrective action within
minutes of the exploit, Zenkin said. Nevertheless, the attack produced the
unusual scenario of an antivirus vendor's software being used to thwart an
attack launched from its own servers. It was an embarrassing fact that more
than a few of Kaspersky's customers brought to the company's attention,
Zenkin admitted.
Since the attack, Kaspersky has closed the security loophole exploited by
the attackers and taken other steps to ensure that future attacks are
unsuccessful. In addition, the company inspected the entire contents of its
Web server and claimed that the e-mail newsletter was the only affected
component of its Web site, Zenkin said.
The company traced the attacks to a group of hackers in Mexico, but so far
it has no concrete evidence pointing to specific individuals, Zenkin said.
The Bridex worm, also known as "W32/Braid.A" or "I-Worm.Bridex," was first
identified early this month and arrives in an e-mail message, typically
contained in an attachment named README.EXE.
When recipients double-click on the attachment, the worm copies a variant
of the FunLove virus to the local system with the name BRIDE.EXE, alters
the machine's system registry so that the virus is relaunched each time
Windows starts, scans the user's Outlook address book and e-mails copies of
itself to any addresses it finds.
Antivirus software vendors including Kaspersky have published updated virus
signatures to detect Bridex.
*******************************
Computerworld
Meeting to mull privacy standard's next step
By PATRICK THIBODEAU
NOVEMBER 11, 2002
WASHINGTON -- The The Platform for Privacy Preferences (P3P) was released
in April, and so far about 18% of the top 500 Web sites are using it. But
the rate of new adoptions of this privacy specification is glacial -- about
1% a month among top sites -- and financial services, the industry that
handles some of the most sensitive personal information, has a much
lower-than-average P3P adoption rate.
This week the people and companies behind the World Wide Web Consortium's
(W3C) P3P standard will meet to talk about the future of the spec and
whether a version 2.0 is needed or whether some tweaking to Version 1.0 can
address issues raised by industry groups.
One concern is that the spec's "vocabulary" isn't rich enough to allow
exact translation of a written privacy policy into a machine-readable one.
Because of that problem, the Financial Services Roundtable's BITS
technology group, a Washington-based industry association representing some
of the largest financial services companies, wants the W3C "to state
explicitly" that P3P statements "are not meant to be legally binding
documents," according to a position paper prepared for this week's meeting
at America Online Inc.'s facilities in Dulles, Va.
The legal uncertainty of P3P is a big issue, said Lorrie Cranor, a
principal technical staff member at AT&T Labs-Research and chairman of the
P3P Specification Working Group. But the W3C "can't give a definitive
answer, because we don't write the laws."
Only 11% of top finance and investing Web sites have adopted P3P, vs. 18%
overall for the top 500 sites, according to Ernest & Young LLP, which began
reporting on P3P adoption in August.
At the current rate, it will take eight years or so for P3P to get fully
adopted, said Brian Tretick, a principal at Ernest & Young. One reason for
the sluggish rate of adoption is the economy, since some companies are
interested in it but don't want to spend the money. Another is uncertainty
about how P3P policies will be enforced.
At this week's meeting, the P3P working group may look at the idea of
developing negotiation ability into P3P, said Cranor. As it stands, when a
P3P-capable Web browser interacts with a Web site, the browser reacts based
on the user's privacy preferences in a yes/no manner. Negotiation ability
would allow a company to interact with the user and, for instance, offer a
coupon in exchange for privacy information. This would also complicate
things, requiring varying privacy policies to handle the results of any
negotiations, she said.
Despite various issues to be hammered out, Tretick believes that as long as
Internet Explorer and Netscape support P3P, the specification isn't going
away and that firms will have to deal with it or risk losing some of their
ability, for instance, to use persistent cookies with some customers.
*********************************
Computerworld
IT still iffy on Web services
By CAROL SLIWA
NOVEMBER 11, 2002
Web services clearly will play a role in the application integration plans
of many IT shops. But how big a role, and when that will happen, is
anybody's guess.
Several IT managers attending Gartner Inc.'s recent Application Integration
and Web Services conference in Chicago said they have yet to determine in
what ways, if any, they will use Web services to address their integration
needs.
"I think it will play a large part over time. We're looking at using it in
isolated cases to get some experience," said Bill Genn, a site architect at
London Life Insurance Co. in London, Ontario.
Genn said one such effort might involve aggregating information from
disparate applications to a portal. Although the portal would be used for a
wide range of business functions, it would also help with integration, he
said.
Hugh Jurkiewicz, a corporate architect technologist in the Wellesley Hills,
Mass., office of Sun Life Financial Services of Canada Inc., said he can
foresee Web services technology complementing his firm's integration work
in situations where security and transaction needs aren't high.
Jurkiewicz said he also hopes that Web services will drive integration
broker vendors to lower the high price of their software.
"For more mission-critical application integration needs, we may not wish
to experiment with Web services," he said.
As has been the case for some time, IT managers continued to express
concerns about the immaturity of Web services standards, particularly in
the area of security.
"The security issues, I think, are going to be a big issue with our
company. The standards aren't all there yet," said Tim Lienemann, a senior
technical designer at Pittsburgh-based U.S. Steel Corp., whose internal
development staff does much of its integration work.
Janelle Hill, an analyst at Meta Group Inc. in Stamford, Conn., said only a
small percentage of IT shops are currently incorporating Web services into
their integration strategies or requirements because of confusion over what
Web services are and where they might be used in their application portfolios.
A 'Thin Veneer'
Hill said that during the next five years, integration vendors and IT shops
will experiment by wrapping a "thin veneer" around their applications, in
the form of Web Services Definition Language (WSDL) interfaces.
However, Hill predicted that it will take at least five years for companies
to re-engineer their core applications to be service-oriented and gain
interoperability "without a whole lot of transformation being required in
the middle."
Roy Schulte, an analyst at Gartner, said very few applications will run
entirely free of Web services, if for no other reason than "because every
vendor in the world has built it into their products."
Schulte recommended that companies building new applications from scratch
employ a service-oriented architecture and use WSDL to document the
interfaces. That will make it easier to integrate those applications with
existing legacy and purchased applications, because it will have "nice,
defined calls," he said.
Companies can then wrap their older applications with WSDL interfaces and
write the code needed to transform the data. Or they can purchase an
integration broker from specialized vendors such as Tibco Software Inc.,
webMethods Inc., SeeBeyond Technology Corp., Mercator Software Inc. and
Vitria Technology Inc., or from large vendors such as IBM and Microsoft Corp.
Schulte said that only a small percentage of IT shops now use integration
brokers, but he predicted that more will use them as Web services help
drive down the high cost of the adapters that are needed to make
connections between different applications.
"If you put in Web services and you cut the cost of the adapters in half,
then you've cut the entire project cost by a quarter, and suddenly projects
that you couldn't cost-justify before, you can now cost-justify," he said.
But it may take some time for the impact to trickle down to IT shops. One
IT manager at a large retail chain, who requested anonymity, said he isn't
interested in the Web services strategies of integration brokers "because
it's still in the big-hype cycle."
"With Web services, it's going to be a long buy-in phase," he said.
********************************
Reuters Internet Report
Supreme Court to Decide Internet Library Filters
1 hour, 17 minutes ago
By James Vicini
WASHINGTON (Reuters) - The U.S. Supreme Court (news - web sites) agreed on
Tuesday to decide whether it violates free-speech rights to require public
libraries to install filtering software on personal computers in an effort
to protect children from Internet pornography.
The high court said it would hear a U.S. Justice Department (news - web
sites) appeal defending the Children's Internet Protection Act, which
mandates that libraries use the filters or else lose federal funding for
Internet access.
The law, signed by President Bill Clinton in 2000, says a library must
install a "technology protection measure" such as filters to prevent access
to obscenity, child pornography or visual depictions considered "harmful to
minors."
The justices will review a ruling by a special three-judge federal court
panel in Philadelphia that the filtering provisions caused libraries to
violate the First Amendment constitutional rights of their patrons.
The ruling found the filters erroneously prevented access to harmless Web
sites while allowing access to some pornographic sites. It said libraries
could use less restrictive alternatives and blocked the law's enforcement.
The law was challenged by a coalition of libraries, library patrons and Web
site operators, led by the American Civil Liberties Union (news - web
sites) and the Chicago-based American Library Association.
The case marked the third time the Supreme Court has considered efforts by
Congress to shield children from online pornography.
The high court first struck down the Communications Decency Act of 1996. In
May, the court ruled on the Child Online Protection Act of 1998, saying
community standards could be used to determine material harmful to minors,
but sending the case back for a decision on unresolved free-speech problems.
INDEPENDENT JUDGEMENT
In appealing to the high court, Solicitor General Theodore Olson said the
ruling "deprives all the nation's public libraries ... of the ability to
make their own independent judgement concerning how to avoid becoming a
conduit for illegal and harmful material."
Before Congress adopted the law, 7 percent of the nation's libraries used
filtering software on all of their computers, the Justice Department lawyer
said.
"A library that refuses to make available to its patrons pornographic
magazines or XXX videos may also refuse to make available comparable
material through those computers," Olson said, adding that only a handful
of libraries collect Hustler magazine or sexually explicit movies.
Olson said the only way for a library to comply with the ruling may be to
refrain from adopting any Internet policy and leaving access decisions in
the hands of its patrons.
The American Civil Liberties Union, the American Library Association and
others who challenged the law said the ruling was plainly correct.
They said the law, forcing libraries to install filters, could risk
changing librarians from information providers into censors.
Lawyers for the groups argued that use of filters, blocking Internet access
to certain sites, was the same as the library buying an encyclopedia or
magazine and then tearing out or deleting some of its content.
Because the case presented First Amendment issues of national importance,
they did not oppose the government's request for full review by the Supreme
Court.
The justices will hear arguments in the case next year, with a decision due
by the end of June.
*********************************
MSNBC
Her picture became a porn ad
Scam artist stole her photo, used it in fake personals
By Bob Sullivan
Nov. 11 "Don't put your picture online" was a common warning in the early
days of the Internet. Sound paranoid in the era of online dating? Don't
tell that to Laura, who 18 months ago put up an online personals ad for one
month. Since then, her photo has been stolen and used in dozens of fake
personals ads soliciting hard-core sex and pornography. "You have no
control," she said. "What's hardest is you have no idea who's seen it. What
if someone really believes those things?"
ONLINE PERSONALS ADS are all the rage, and it seems everyone is
doing it. a recent survey by Jupiter Research indicated some 34 million
people have at least taken a peek at the Internet's dating scene. But
taking such personal matters into such a public place has risks. In
September, MSNBC.com revealed a widespread scam that has infiltrated all
the major services. Someone is peppering sites like Match.com and Yahoo.com
with tempting fake personal ads, almost exclusively women seeking men. The
fraudster even engages legitimate ad posters in e-mail conversations,
offering to strike up relationships, inviting them to online chats all to
lure the unsuspecting would-be lovers onto expensive porn Web sites.
But now, it's clear men aren't the only victims. Real women's
pictures are apparently being stolen and used in the fake ads.
The personals firms have been playing cat-and-mouse with the con
artists for months, taking down advertisements that are obvious porn ploys.
So the con artists have taken to stealing photos from real personal ads and
using them to make the fake ads look genuine enough to slip under the radar.
HOW DID THIS HAPPEN?
Laura's picture was pilfered by just such a con artist in March of
2001, when she signed up for a free month of Yahoo's dating service. Her
story also shows that the scam has been evading dating sites' monitors for
at least 18 months, far longer than the 6 months initially suggested by
MSNBC.com's September story.
Laura, not her real name, requested that MSNBC.com obscure her
identity, but wanted to reveal details of her ordeal to help other women
who might have suffered the same fate.
"I did everything I could think of to make it a safe experience. I
started a new e-mail address. I didn't use my real name," she said. She
went on a couple of dates, but decided online dating wasn't for her.
The trouble started almost immediately, when one of her prospective
online dates ran across her pilfered photo.
"A month later I got a reply from someone I'd been corresponding
with, saying 'What's going on with you? First you tell me you're 26 from
Chicago, now it says you're 23 from Connecticut." She also got a second
note, from a different suitor who guessed what was happening:
"I got an e-mail saying, 'Do you realize someone is using your
picture in an unflattering way?' So I look, and there's my picture, but
that's not my listing. And I think 'Oh my God, that's me but I didn't post
this. How did this happen?"
It kept happening. Laura provided MSNBC.com with a 3-inch thick
pile of paper, documenting dozens of personals ads using her photo.
In one, she was "Firecracker_heaven007" a 22 year old from
Woodsville, N.H. In another, "lil_spank_spank," a 23 year old from Denver
who expected "breakfast in bed" after the first date. In still another, she
was "Chocolate_Starfish_0," who promised to "bring you the danger that
firecrackers have" and invited men to "send me your e-mail and a pic of
yourself. Who knows, maybe I'll make you explode."
In fact, many of the fake ads played on the firecracker theme,
Laura said, making them relatively easy to find. So, last April, she began
a near-obsessive journey to investigate the porn purveyor and stop the abuse.
NOWHERE TO TURN
She called Yahoo, which initially responded well to her plight. The
firm removed the first two ads quickly because they didn't conform to site
policies, she said. Apparently, the company was aware of the scam.
"When I called Yahoo, I was told 'It happens all the time. You're
just the first person who's discovered their picture was being used," Laura
said.
But after a while, the Yahoo abuse monitors insisted that she fax a
photo ID and a written statement for each instance of her photograph,
something Laura refused.
"They say it's my job to prove I am who I say I am," Laura said. "I
understand that they need to not be deleting random things ... but if they
make procedure so difficult, they know no one will reasonably follow it."
Yahoo didn't respond to a request for an interview for this story,
but issued an e-mail statement:
"Yahoo has a strong track record of enforcing its Terms of Service
and property Guidelines. The Yahoo! Personals Guidelines clearly outline
what is and is not acceptable use of the service and Yahoo has strict
processes in place to help ensure the proper use of our service and tools.
We take appropriate action on all violations of our Terms of Service and
Guidelines," the statement read.
Laura struck out on her own, attempting to identify and stop the
abuse. Consultations with privacy rights advocates and lawyers bore little
fruit.
"Everyone is sympathetic, but no one is able to do anything," she
said.
Lawyers weren't interested because Laura couldn't prove actual
financial harm; and without subpoenas to perform IP address traces at
Internet service providers, privacy advocates couldn't stop the anonymous
criminal. Law enforcement didn't help, either. Three months into the
ordeal, an officer from the Illinois Computer Crime spent two hours
interviewing Laura, but in the end concluded she didn't have a case because
she couldn't prove threat to her well-being or financial loss. When he
left, Laura remembers him saying "I hope I don't sound like a father, but I
hope that you'll think twice before you put your picture on the Internet."
With nowhere to turn, Laura began to be depressed over the
situation. Things only got worse when she became a victim of the economic
downturn and lost her job. That gave her ample free time to chase down her
abuser. Searching for new ads with her picture became an obsession. Her
counselor warned her she was "going a little overboard."
All the while, Laura kept copious notes, and even did her own
undercover investigating. She set up anonymous e-mail addresses and started
to respond to ads that included her picture, noting IP addresses and Web
site invitations that came back. She even believes she has a good lead on
the criminal but no law enforcement agency would take on the case.
Five months later, depression overcame her, and she checked herself
into a hospital.
"The thing that was most suffering was my self esteem and (the
stolen image) played a major part in that," she said. "Imagine suddenly
discovering you can't afford to pay your rent, but someone else is making
money off your picture. It seemed like a really big injustice ... and I was
wondering, if it's this easy to make money, why did I bother going to
school? I could be making money off my picture. It's like being valued as a
piece of meat."
'HOW'S THE PORN STAR'
When she emerged from treatment, Laura realized she had to follow
her counselor's advise and "let it go." Around the same time, Yahoo changed
its personals service from free to fee-based, so new ads with her picture
were appearing much less frequently. She has new work now, as a teacher,
and she tries not to poke around Yahoo looking for her image, but
occasionally, she finds it most recently, two months ago.
"My friends walk up to me and say, 'Hey, how's the porn star?' We
joke about it but only because I have to have a sense of humor about it.
But then sometimes I have to say, 'OK stop, that's too much.' I'm still
upset about it," she said.
Laura also plays in a rock band, and she's worried that someone
might recognize her in a picture and approach her at a show some day.
"Guys get enough strange ideas when you are in a bar at 5 a.m.,"
she said. "I am not extremely frightened, but I really have no idea who saw
that and got the wrong idea.
"You can think, 'Well, no no one's ever going to see it, they are
putting up ads and locating them in different cities, so who would
recognize me?' But still, if two other guys who e-mailed me found this
right away, and took the time to e-mail me, I have to wonder how many other
people have seen it? ... I just have this nagging suspicion in my mind that
that someone will walk up to me and say, 'Hey, you're into S&M. And I'll
have to say, 'No, I'm into graphic design.' "
I DON'T KNOW IF THERE'S AN ANSWER
Linda Foley, executive director of the Identity Theft Resource
Center, said that it's common for women to discover their picture is being
used in some unsavory way online. Most of the time, though, it's not quite
as anonymous: for example, an ex-boyfriend seeking revenge posts images of
his former girlfriend along with claims like "she likes it rough."
Foley was at a loss to recommend advice for anyone in Laura's
situation, other than to avoid posting pictures with online dating service
altogether.
"I don't know what the answer is. I don't know that there is an
answer," she said.
That's because the Internet has been designed, from the start, to
make it easy to share and swap information like images, said Rob Douglas,
CEO of American Privacy Consultants, Inc.
"You can right click on any picture and copy it over to anything
you want. ... It's the rarity that you see a Web site that takes any
technological countermeasures to prevent copying of their material," he
said. "Unfortunately, this is just one more example of how cautious we have
to be in anything we put on the Internet. There's just so much nonsense
going on, and so much that can go wrong."
For now, Laura has nearly stopped searching for personals ads with
her picture attached, but she is still looking for satisfaction. When law
enforcement wouldn't help, she started working through the privacy advocacy
groups, like the Privacy Rights Clearinghouse. She's also interviewed with
a lengthy list of legal assistance agencies. She's received little more
than sympathy. Most recently, in August the DePaul Legal Clinic turned down
her request for assistance, saying it would be hard for her to prove
statutory damages, and it didn't have the resources to pursue cases
involving monetary damages.
But she thinks the person who stole her picture is likely to be
responsible for many of the fake ads that are now peppering all the major
online dating sites an issue that is now looming over the otherwise
booming services. One informal MSNBC.com survey revealed that about 5
percent of the ads in the Seattle area were fakes.
Her theory fits with what FreeNetPass operator Dave Anderson told
MSNBC.com in September. FreeNetPass is a service that lets Net users pay a
single fee for access to thousands of pornography Web sites, and Anderson
claims a single scam artist is using online personals to trick would-be
daters into signing up for FreeNetPass, then collecting commissions.
Anderson says online personals services have a pretty good idea of who's
behind the scam.
Laura believes a suspect will eventually be caught. In the
meantime, she's moving on with her life, and still uses the Internet as
much as ever.
"It's not that I've made peace with it," she said "It's just that
I'm extremely patient. What goes around comes around. Sooner or later this
is going to get resolved, and in some way I'll be compensated. Even if it's
just the satisfaction of me having been so meticulous that he got in trouble."
*********************
MSNBC
How al Qaeda put Internet to use
From Britain, Webmaster kept 'the brothers' abreast on terror
By Andrew Higgins, Karby Leggett and Alan Cullison
THE WALL STREET JOURNAL
Nov. 11 In February 2000, an Egyptian merchant here in Guangzhou, the
commercial hub of southern China, asked a local Internet firm for help in
setting up a Web site. After lengthy haggling over the fee, he paid $362 to
register a domain name and rent space on a server.
CHEN RONGBIN, a technician at Guangzhou Tianhe Siwei Information
Co., and an aide went to the Egyptian's apartment. They couldn't fathom
what the client, Sami Ali, was up to. His software and keyboard were all in
Arabic. "It just looked like earthworms to us," Mr. Chen says.
All he could make out was the site's address: "maalemaljihad.com."
Mr. Chen had no idea that meant "Milestones of Holy War." Nor that China,
one of the world's most heavily policed societies, had just become a
launchpad for the dot-com dreams and disappointments of Osama bin Laden's
terror network.
In the months that followed, Arab militants in Afghanistan, a
radical cleric living on welfare in London, a textile worker in Karachi,
Pakistan, and others pitched in, laboring to marry modern technology with
the theology of a seventh-century prophet. Their home page, featuring two
swords merging to form a winged missile, welcomed visitors to the "special
Web site" of Egyptian Islamic Jihad, a violent group at the core of al
Qaeda. A few clicks led to a 45-page justification of "martyrdom
operations," jihad jargon for kamikaze terrorism. It explained that killing
"infidels" inevitably caused innocent casualties because "it is impossible
to kill them separately."
Since the Sept. 11 attacks, radical Islam's use of technology has
stirred both scrutiny and fear. The White House has warned that video
footage of Mr. bin Laden could hold encrypted messages. The Federal Bureau
of Investigation has called for vigilance against hacking into the
computers that control vital services. Some experts have wondered if
terrorism might even lurk in pornographic Web sites, with instructions
embedded in X-rated photos.
The Milestones of Holy War site signals much more modest
cyber-skills. Al Qaeda operatives struggled with some of the same tech
headaches as ordinary people: servers that crashed, outdated software and
files that wouldn't open. Their Web venture followed a classic dot-com
trajectory. It began with excitement, faced a cash crunch, had trouble with
accountants and ultimately fizzled.
But the project also illuminates the elusive contours of al Qaeda's
strengths: far-flung outposts of support, a talent for camouflage and a
knack for staying in touch using tools both sophisticated and simple.
Though driven from Afghanistan, al Qaeda still has many hiding places, many
channels of communication and boasts Mr. bin Laden's senior lieutenant,
Egyptian Islamic Jihad chief Ayman al-Zawahri many means of attack.
Al Qaeda chiefs communicate mainly by courier, say U.S. officials.
But their underlings make wide use of computers: sending e-mail, joining
chat rooms and surfing the Web to scout out targets and keep up with
events. Since late last year, U.S. intelligence agencies have gathered
about eight terabytes of data on captured computers, a volume that, if
printed out, would make a pile of paper over a mile high. The rise and
eventual demise of maalemaljihad.com pieced together from interviews,
registration documents and messages stored on an al Qaeda computer The Wall
Street Journal obtained in Kabul provides an inside glimpse of this
scattered, sometimes fumbling, but highly versatile fraternity.
Using Microsoft Front Page and other software, militants in
Afghanistan devised graphics and assembled content, packaging hundreds of
text, audio and video files for display on the Web. Because of primitive
conditions there, they handed some technical tasks to confederates in China
and later Pakistan. To upload content, they turned to an ally in Britain,
using messengers to deliver compact discs to a shabby rented home in west
London.
TRACKING JIHAD
The Central Intelligence Agency and other security services have
tracked Egyptian Islamic Jihad closely for nearly a decade, monitoring Dr.
Zawahri's activities alongside Mr. bin Laden in Sudan, Yemen and
Afghanistan. Egyptian Jihad's Web site, however, began far from any
well-known bastion of Islamic militancy, and beyond the reach of the CIA.
Mr. Ali, the Egyptian trader who registered the site in China, lived in
Jingui Garden, an upscale complex on Liberation North Road, a few miles
from Guangzhou's international airport and a short boat ride from Hong Kong.
A tall, heavyset man with thin, straight hair that dangles over his
eyes, Mr. Ali, who also uses the name Mohammed Ali, arrived in China in
1997. To Chinese who met him, he was just another foreign businessman
scrambling to cash in on China's vibrant economy. He was a Muslim but
didn't seem particularly observant. He paid his rent on time, stayed out of
trouble and socialized mainly with fellow Arabs.
Contacted by the Journal in August, Mr. Ali denied any knowledge of
Egyptian Islamic Jihad or its Web site. But the site's registration
records it is registered in Beijing name him as the registrant and give
the fifth-floor apartment where he lived at the time as a contact address
for maalemaljihad.com.
Chinese police say they began monitoring Mr. Ali's movements and
phone calls after Jingui property managers told them of inquiries by the
Journal. Three days after a reporter's visit, Mr. Ali canceled his two
mobile phones and disappeared. Police say he moved in with an Arab friend
in Guangzhou but won't discuss his current whereabouts.
There's no evidence Mr. Ali was directly involved in terrorism. His
role in the Web venture, however, suggests a hitherto-unknown jihad support
network in southern China and shows how legitimate business can serve as a
cover, even unwittingly, for al Qaeda activities.
Before he moved, Mr. Ali told the Journal that he ran his own
machinery trading company called ZMZM General Trading. Officials at China's
Industrial and Commercial Bureau say they have no record of a company under
this name.
A housing rental agreement signed by Mr. Ali in 2000 names a
different Guangzhou concern, Almehdhar Trading Co., as his place of work.
Mr. Chen, the technician who helped set up maalemaljihad.com, says
Almehdhar arranged his first meeting with Mr. Ali, and they met several
times at its office. Almehdhar trades garments out of a cramped room in a
downtown Guangzhou building. The firm's owner, a Yemeni named Abubakr
Almehdhar, left China late last year, staff members say. Another Yemeni,
Ayman Alwan, runs the office. He says Mr. Ali sometimes visited but wasn't
an employee. Mr. Alwan says he knows nothing of the Web site.
In the spring of 2000, after negotiating a price with Mr. Ali, Mr.
Chen's tiny Guangzhou firm contacted a big Beijing Internet company,
Sinonets Information Technology Co., to arrange server space. Sinonets
provided Mr. Ali with a facility that let him set up password-controlled
mailboxes inside the Web site. "None of us even knew what 'jihad' meant,"
says George Chen, Sinonet's U.S.-educated president. "We never had any
reason to be suspicious."
Nor, say Chinese officials, did China's vast security apparatus.
Shortly after the Sept. 11 attacks, Guangzhou police made a sweep through
Jingui Garden, checking the documents of foreign residents. Mr. Ali's were
in order. China, though efficient at crushing Muslim separatists in its
northwestern Xinjiang region as well as other dissents, has prickly
relations with foreign intelligence services. In contrast to some Asian
nations, China has uncovered no suspected al Qaeda activists, despite
evidence militants have slipped in and out of China for years.
In the mid-1990s, a senior Egyptian Jihad operative made several
trips to southern China posing as a businessman, according to documents
seized by Russian police who arrested Dr. Zawahri and two confederates in
late 1996 as they tried to enter Chechnya. Russian investigators found
details of an account at the Guangzhou headquarters of the Bank of China.
Still active, it belongs to an Arab friend of Mr. Ali.
Four months after its Chinese genesis, Egyptian Jihad's Web site
put down roots in more-traditional Islamist terrain. In July 2000,
maalemaljihad1.com, a sister site, was registered in the Pakistan port city
of Karachi, a hotbed of Islamic militancy.
Egyptian Jihad, a group that announced a united front with Mr. bin
Laden against America in 1998 and whose operatives figured prominently in
the upper echelons of al Qaeda's operational command, often faced technical
troubles. It may have used two Web sites as a precaution, says Yasser
al-Sirri, a London Islamist who recently revived his own site, after being
cleared of helping arrange the murder of the anti-Taliban Afghan warlord
Ahmed Shah Massoud days before Sept. 11.
Registration records show maalemaljihad1.com was set up in July
2000 by a Karachi Web-design company called Advanced Learning Institute &
Development Center. Its manager, Muhammed Ali Aliwan, says he registered
the site on behalf of Ahmed Bakht, who worked in a local textile factory.
Reached by phone in Karachi, Mr. Bakht initially denied any
knowledge of the jihad Web site. But later he said he had helped set it up
on behalf of someone else, whom he wouldn't name. Soon after the call from
a reporter, Mr. Bakht, too, vanished. His relatives say he left on a trip.
With technical foundations laid, militants in Afghanistan set about
providing content for the Milestones of Holy War sites. The hard drive of
the computer found in Kabul last winter contained the building blocks:
statements by Mr. bin Laden and Dr. Zawahri, religious tracts, a photo
album of "martyrs" and back issues of al-Mujahidoon, an often-vituperative
Islamist newsletter.
NEWS DIGESTS
The Kabul computer also contained news digests, including video
recordings of bulletins from al Jazeera and other TV stations with the
faces of unveiled female news readers blacked out. U.S. officials say Mr.
bin Laden shut down his satellite phone following news-media reports that
the CIA was listening to his calls to his mother.
While fiercely hostile to any religious or social norms tinged by
modernity, Islamists "have no problems with technology," says Omar Bakri, a
radical cleric from Syria who lives in Britain. "Other people use the Web
for stupid reasons, to waste time. We use it for serious things." (U.S.
officials say Islamists weren't always so earnest: Many computers the CIA
recovered from suspected al Qaeda operatives in Afghanistan and elsewhere
contained pornographic material.)
In the fall of 2000, someone using the computer the Journal obtained
in Kabul drafted an e-mail to Abu Qatada, a Palestinian preacher who had
lived in Britain since 1993. It said a computer disk would be sent to him
and asked him to upload its contents onto maalemaljihad.com.
The unsigned message gave punctilious instructions. It notified Abu
Qatada of a password and told him to create an internal mailbox under the
name Aljihad. "It is extremely important to establish this mailbox," said
the message. Abu Qatada also known as Omar Mohamed Othman was also asked
to "please write to the brothers" via Hotmail.
Abu Qatada took pride in his computer skills, fellow Islamists say.
Besides helping out with maalemaljihad.com, he ran his own Web site and
frequently joined chat-room debates. He would spend hours each day tapping
at his computer in the front room of his rented house on a quiet street in
Acton, west London. Neighbors say he kept the curtains closed and rarely
spoke to them but often received bearded visitors.
In an interview late last year, Abu Qatada denied any terrorist
links, describing himself as an honest preacher with "a big mouth and a big
belly." But messages on the Kabul computer to and from Abu Qatada indicate
extensive contacts with operatives in Afghanistan. European investigators
say Abu Qatada acted as both a spiritual guide and a liaison officer,
passing messages between scattered al Qaeda cells.
Last December, shortly before Britain adopted a new antiterrorist
law, Abu Qatada vanished from his Acton home, stiffing his landlord and
owing $700 on his cellphone service. He would turn up in London again later.
A few weeks after the drafting of the first e-mail message to Abu
Qatada in late 2000, a militant in Kabul code-named Fat'hi wrote a
follow-up note to be delivered to the cleric by courier. "The bearer of
this message is a brother we trust," said Fat'hi, an alias used by Tariq
Anwar al-Sayyid Ahmad, a veteran associate of Dr. Zawahri, the Egyptian
Jihad leader and Mr. bin Laden's righthand man. "He will be the link
between us and you. He has the CD we promised to send you containing our
products. Please add some of the products to our site." Most important, he
said, was transferring audio and video files to the site.
What these files contained wasn't specified. The Kabul computer
held sermons and recruitment videos, including footage of militants taking
potshots at a lifesize image of Bill Clinton. Clips from Walt Disney
cartoons and wildlife films were spliced with hard-core jihad films, a
technique apparently used to help conceal the content of al Qaeda videos
and make it easier for traveling operatives to carry copies through customs.
Appended to Fat'hi's note was a shopping list for tools needed in
Web-site construction, such as Ulead Cool 3D, for animation and
three-dimensional effects, and WebPainter, for animation and graphics.
"Please make sure you buy the latest," wrote Fat'hi, adding that the
courier must return with them quickly to Kabul.
Relations were sometimes testy. "The Web site is OK until now,
thank God, but it would have been better if you had done what I asked,"
said a message bearing the name of Abu Qatada in London, who complained of
trouble uploading "the doctor's words," an apparent reference to statements
by Dr. Zawahri.
Much of the software on the Kabul computer was pirated. This
included a program that muttered Bism Allah ("in the name of God") each
time the machine was booted up. Al Qaeda apparently ignored a request from
the program's designers in Pittsburgh for a $24.95 registration fee. The
program had been unregistered for 81 days when Kabul fell last Nov. 13.
Also tight-fisted was Mr. Ali, the Egyptian who registered
maalemaljihad.com in China. In February 2001, the Internet company hired
the prior year informed Mr. Ali that his contract for server space would
expire unless he paid an additional fee. Mr. Ali, says his Chinese
translator, declined to pay.
His reluctance to cough up was motivated in part by dissatisfaction
with the Chinese site's erratic operation, e-mail traffic stored on the
Kabul computer indicates. "I want you to try to enter and use the site. If
you are able to do so I will call the company and pay the renewal fees,"
says an unsigned message from the same Hotmail account Abu Qatada had been
told to use to contact the "brothers." A few weeks later, Mr. Ali decided
to renew the account after all, paying an additional $120 to Chen Rongbin,
the technician who visited his apartment earlier. Mr. Chen sent it to
Sinonets in Beijing.
But now the bookkeepers messed up. Sinonets says the accounting
department mislaid Mr. Ali's money. The renewal order was never processed.
Maalemaljihad.com crashed.
The site's Pakistan-registered twin staggered on for several months
but then crashed in the summer of 2001 after Mr. Bakht failed to pay
renewal charges. Islamists still had many communications outlets
sympathetic to Mr. bin Laden and Dr. Zawahri, but not the "special Web
site" supervised from al Qaeda headquarters in Afghanistan.
Fat'hi, the Egyptian Islamic Jihad veteran who helped organize the
Web sites' content, died in a U.S. bombing raid in Afghanistan. Those who
set up the Web sites vanished, but one figure stayed in touch. At a London
gathering of Islamic radicals in July, the organizer read a statement of
support he said he'd received via the Web from an absent champion of global
jihad: Abu Qatada.
Late last month, British police raiding a south London public
housing block seized the Palestinian cleric. He has not been charged but is
being held as a terror suspect under a new British law introduced after the
Sept. 11 attacks that permits the detention without trial of foreigners
deemed a danger to national security.
Held in a high-security jail, he has not responded publicly to his
arrest. But Islamist supporters denounced his detention, mostly via
statements on the Internet such as "May Allah secure his rapid release."
********************************
Sydney Morning Herald
Fighting for online rights
November 12 2002
The man who set up the Web site windows1984.com says he did it to increase
community awareness about issues which "threaten to bring us closer to the
dystopian nightmare of George Orwell's novel, 1984".
Shane Caple, who lives in Darwin, said the site did not merely aim to
educate people about Palladium and Digital Restrictions Management. "I set
up the site to draw attention to the cause of online rights, and to warn
about the effects of technologies and laws which threaten to erode those
rights," he said.
He said he intended to host articles about copyrights laws, both in
Australia and abroad, to highlight the adverse impact they had and their
harsh nature. He also planned to document Microsoft's "ongoing propaganda
campaign" against Linux and Open Source software.
Asked why he had registered the domain in France and hosted the site in the
UK, Caple said it was only economic reasons that drove him to do this. "The
domain name registrar I used charges $24 for a one-year lease, compared
with $70 from MelbourneIT for the same period."
He said he was quite confident that his site could not be shut down.
"Microsoft could lodge a dispute with ICANN, but I doubt that this would
work to Microsoft's advantage. The Web site isn't going to go away. In
fact, I am in the process of setting up a number of mirror sites to help
cope with the anticipated traffic."
Caple urged Australians to monitor the Web site of Electronic Frontiers
Australia, a non-profit national organisation representing Internet users
concerned with online freedoms and rights.
"Earlier this year, the EFA raised concerns about a Senate bill which would
have allowed agencies to intercept and "read" email, voice mail and SMS
messages that are stored on a service provider's equipment pending delivery
to the intended recipient. Fortunately the bill was defeated," he said.
Caple said he sought to have "offline" rights to privacy and free speech
preserved online.
******************************
New Zealand Herald
'Duty' of telecoms to assist snooping
13.11.2002
By FRANCESCA MOLD
The Government has introduced new legislation requiring telecommunications
companies to help the police and security agencies snoop on emails and
listen in on mobile phone calls.
The Telecommunications (Interception Capability) Bill, tabled in Parliament
yesterday, will mean telephone and internet service providers will be
legally obliged to ensure their systems are capable of isolating and
intercepting suspect emails and mobile calls while still protecting the
privacy of others.
The companies will have a "duty to assist" the police, the Security
Intelligence Service (SIS) and the Government Communications Security
Bureau if they have a warrant to intercept calls or emails.
The new legislation will not increase or change the existing powers of
police and security agencies to intercept telecommunications.
The bill said that changes in telecommunications technology meant
surveillance agencies were now unable to intercept some communications
despite having the legal authority to do so. "Organised criminals are aware
of this and these proposals are necessary to prevent law enforcement and
national security capability being seriously eroded."
The Government will pay $3 million towards modifying telephone networks so
they are capable of eavesdropping on suspicious conversations. Most of that
money is expected to be spent on upgrading Telecom and Vodafone services
over the next 18 months.
Telecommunications companies will have to pay the cost of upgrading their
internet and email services themselves.
They have been given five years to implement the changes needed to meet the
requirements of the new law.
The Government claimed giving the organisations five years would reduce the
financial impact on the industry because it would gradually be replacing
equipment over that time anyway.
Neither Telecom nor Vodafone returned calls from the Herald yesterday about
the new legislation.
Green MP Keith Locke said the cost was a concern for the telecommunications
companies.
But he said there were more serious concerns such as the impact the new
legislation would have on people's right to privacy.
He said the proposed new law and another bill amending the Crimes Act to
allow police to hack into computers and intercept emails gave security
agencies a dangerously high level of power to intrude into the lives of New
Zealanders.
The Green party was unlikely to support the bill when it was debated in
Parliament, Mr Locke said.
********************************
Network Digest
FCC Allocates Spectrum for Advanced Wireless Services
[]The FCC acted to allocate an additional 90 MHz of spectrum in the
1710-1755 MHz and 2110-2155 MHz bands that can be used to provide new
advanced wireless services, i.e. 3G or IMT-2000. Two contiguous 45 MHz
bands could be used by current licensees to expand their wireless voice and
data services or it could be used by new entrants to support the
development of entirely new applications. The spectrum was previously used
by the federal government, microwave licensees and multipoint distribution
services. In addition, the FCC is seeking comment on what geographic
boundaries should be used to license this spectrum, and whether the bands
should be divided into blocks of particular size.
http://hraunfoss.fcc.gov/edocs_public/attachmatch/DOC-228237A1.pdf
FCC, 07-Nov-02
*****************************
Network Digest
FCC Spectrum Policy Task Force Recommends New Regulatory Approach
The FCC Spectrum Policy Task Force presented its recommendations to
modernize the rules that guide how the nation's spectrum is managed and
utilized and to evolve from a traditional "command and control" regulatory
model to a more consumer-oriented approach. The Task Force concluded that
the current spectrum policies are out of date and unable to keep pace with
the demands of the market. Some spectrum bands are heavily used, while
others are used only part of the time. This creates an opportunity for new
services in the "white spaces." Similarly, software-defined radios also
present new spectrum policy challenges. Among the recommendations:
Provide incentives for efficient spectrum use by both licensed and
unlicensed users through flexible rules and by facilitating secondary
spectrum markets.
Adopt quantitative standards to provide interference protection, i.e.,
adopt a new "interference temperature metric" to establish maximum
permissible levels of interference on a band-by-band basis. Improve access
through the time dimension in addition to the current dimensions of
frequency, power and space, in order to permit more dynamic allocation and
assignment of spectrum usage rights.
Balance future spectrum policy on three spectrum rights models: an
exclusive use approach, a commons approach, and to a lesser extent, a
command-and-control approach.
http://hraunfoss.fcc.gov/edocs_public/attachmatch/DOC-228242A1.pdf
FCC, 07-Nov-02
****************************
Red Herring
Up Against the Firewall
U.S. technology companies are helping China build its Big Brother
Internet--the political fallout has already begun.
By Ethan Gutmann
November 8, 2002
January 2001: Network Associates Technology, Symantec, and Trend Micro gain
entry to the Chinese market by donating 300 live computer viruses to the
Public Security Bureau--China's state police--raising Pentagon concerns
about China's information warfare capabilities.
December 2001: A human rights activist accuses Nortel Networks of
coperating with China's police by enhancing digital surveillance networks
and transferring to the Chinese Ministry of State Security technology
developed for the FBI.
[Story http://www.redherring.com/insider/2002/11/firewall110802.html]
*********************************
Lillie Coney
Public Policy Coordinator
U.S. Association for Computing Machinery
Suite 510
2120 L Street, NW
Washington, D.C. 20037
202-478-6124
lillie.coney@xxxxxxx