
Clips April 15, 2003




ARTICLES

Lawsuits by AOL Escalate Fight Against Junk E-Mail 
Court blocks security conference talk 
Activists assail antipiracy proposal
Gateway opens another door for cross-agency authentication 
Privacy Threat in Primary Colors  
Rumsfeld issues transformation guide

*******************************
Washington Post
Lawsuits by AOL Escalate Fight Against Junk E-Mail 
By Jonathan Krim
Tuesday, April 15, 2003; Page A01 

America Online Inc. has launched an intensified legal assault on junk e-mail by filing five lawsuits against more than a dozen individuals and companies accused of being major purveyors of "spam."

AOL, the nation's largest Internet service provider, with 27 million subscribers, said the targets of its suits were responsible for sending its members an estimated 1 billion pieces of spam that resulted in more than 8 million complaints. The unsolicited messages contained such things as pornographic images, body-enhancement offers, and diet and financial schemes.

The barrage of lawsuits reflects a heightened industry, legal and legislative effort to combat spam, which has grown so rapidly that it accounts for nearly 40 percent of e-mail traffic and is estimated to cost U.S. businesses $8 billion to $10 billion a year.

"Clearly, our anti-spam message is made more audible when the volume is turned up," said AOL spokesman Nicholas J. Graham. For the first time, Graham said, AOL is using member complaints about spammers as the basis for legal action. 

The defendants in the lawsuits "are some of the leadership targets in the war against spam," he said. "They operate the command and control facilities in the ongoing fight to get spam into the inboxes of our members."

Most of the major Internet providers, including EarthLink Inc., Microsoft Corp., Yahoo Inc. and AOL, have sued or are suing spammers and their affiliates. But as individual and corporate computer users get increasingly irate at the rising tide of spam, many Internet providers say they are ramping up their legal efforts, even invoking federal anti-racketeering statutes.

The AOL suits, filed in federal court in Alexandria, seek a total of $10 million in damages and a halt to the spammers' e-mail activities under a number of state anti-spam and federal computer-fraud laws. Four of the suits were filed yesterday; one was filed late Friday. The suits single out two spammers by name, including one Maryland-based seller of quick-weight-loss products and anti-virus computer software, and an alleged affiliated spammer in Washington state. Other defendants are as yet unidentified because AOL isn't certain who they are; spammers often disguise their ownership of computers that generate spam.

Spammers, who send out hundreds of thousands of e-mail messages at almost no cost, rely on increasingly sophisticated tactics to find computer users. Even those Internet users who avoid advertising their e-mail addresses may not avoid spam, because some spammers use computer programs to randomly generate likely addresses. 

Atlanta-based EarthLink also has been active on the legal front, with lawsuits pending against more than 100 spammers. In one case decided last year, the company won a $25 million judgment against a Tennessee-based spammer.

Microsoft, which has focused legal efforts on stopping spammers from using software to "harvest" e-mail addresses from Web sites, said it plans significantly increased legal action this year.

Efforts to get Congress to pass the first federal anti-spam legislation also have kicked into high gear.

Last week, Sens. Conrad Burns (R-Mont.) and Ron Wyden (D-Ore.) reintroduced anti-spam legislation that failed in the last congressional session amid opposition by the direct-marketing industry. 

The bill, which has the support of the major Internet service providers, would impose criminal penalties if bulk e-mailers disguise their identities and do not provide valid means of unsubscribing from e-mail lists. Currently, when users click the "unsubscribe" link in hopes of removing themselves from e-mail lists, they often are merely confirming their e-mail address for spammers to use later or to sell to other bulk e-mailers.

Sen. Charles E. Schumer (D-N.Y.) is preparing similar legislation, but his bill also would create a national do-not-spam registry akin to a do-not-call telemarketers' list that the Federal Trade Commission recently set up to battle unsolicited telephone sales.

Schumer said the telemarketing registry has been a major success and his bill would make it equally easy for computer users to place themselves on a list that would bar bulk e-mailers from sending them unsolicited commercial e-mail.

House bills are also expected.

The Direct Marketing Association, which lobbies for many companies that send commercial e-mail, wants fraudulent spammers stopped. But the industry worries about any legislation that would infringe on the ability of legitimate marketers to get their messages out.

So far, the association has praised Burns and Wyden for starting the debate on the issue and has said it will support some form of anti-spam legislation. But the group stopped short of endorsing the Burns-Wyden bill.

On the flip side, many technologists in the anti-spam community argue that only a ban on all unsolicited commercial e-mail will make a dent in the problem.

Most online marketers, and some of the Internet providers themselves, currently operate with an "opt-out" system in which users must actively choose not to receive commercial e-mail. So far, these firms have opposed moving to an "opt-in" system, whereby unsolicited mail would not be sent unless users specifically asked for it. 

In the suits filed yesterday, AOL alleges that George A. Moore Jr., head of Maryland Internet Marketing Inc. in Linthicum, sent spam for cut-rate mortgages and packages of anti-virus software through another alleged spammer named in the suits, Michael Levesque of Washington state.

The suit alleges that Levesque also sent an extensive amount of porn-related spam. He could not be reached for comment. 

Moore, who also sells health and weight-loss products such as Fat-N-Emy and Extreme Colon Cleanser, said he had not yet seen the lawsuit.

But he said that recent harassment by anti-spam vigilantes, including several death threats, is causing him to get out of the online sales business.

Moore gained notoriety when his home address and other information were posted on the Internet by an Ellicott City man who urged people to sue known spammers.

Moore then went to court to get the site pulled down because of the harassment that resulted, but last week a Maryland district court judge refused.

"It's just not worth it anymore," Moore said.
*******************************
CNET News.com
Court blocks security conference talk 
By John Borland 
April 14, 2003, 6:13 PM PT

A pair of students were blocked by a federal court from presenting information at a Georgia security and hackers' conference on how to break into and modify a university electronic transactions system. 
Washington D.C.-based education software company Blackboard successfully convinced a Georgia state court to block the students' presentation, which was scheduled to be given at the Interz0ne conference in Atlanta last weekend. 

Blackboard argues that the restraining order blocked the publication of information gained illegally, which would have harmed the company's commercial interests and those of its clients. But conference organizers contend that the students' free speech rights were abridged.


"The temporary restraining order pointed out that the irreparable injury to Blackboard, our intellectual property rights and clients far outweighed the commercial speech rights of the individuals in question," said Michael Stanton, a Blackboard spokesman. 

The company claims that the speech being blocked is commercial speech because the students were a "small competitor" to Blackboard. One of the students, Georgia Institute of Technology's Billy Hoffman, had threatened to give away code allowing any computer to emulate Blackboard's technology, the company claims. 

Programmers' rights to publish or present information that would help break security technology have been an increasingly controversial issue over the past few years. 

Much of the controversy has focused on the Digital Millennium Copyright Act, which contains a provision making it illegal to break technological security measures protecting copyrighted works, or even to publish information explaining how to do so. 

The best-known case in this area had to do with Princeton University professor Edward Felten's attempts to present information on how to break protections created by the now-defunct Secure Digital Music Initiative. Felten said that SDMI attorneys told him he would be violating copyright law if he presented his work. The Recording Industry Association of America (RIAA), a key part of the SDMI effort, denied making legal threats. 

Although an initial cease and desist letter sent to the Interz0ne conference organizers hinted that the students may have violated the DMCA, the complaint that resulted in the temporary restraining order did not touch on that copyright law. 

Instead, the restraining order was grounded largely in federal and Georgia state antihacking laws and a state trade secrets act. 

The information set to be presented was gleaned after one of the students had physically broken into a network and switching device on his campus and subsequently figured out a way to mimic Blackboard's technology, the company told the judge. Because that alleged act would be illegal under the federal and state laws, publication of the resulting information should be blocked, it argued. 

The state judge agreed, at least temporarily. A hearing on a permanent injunction against publication or presentation of the work will be held in Georgia state court Wednesday. 

The students, Hoffman and the University of Alabama's Virgil Griffith, could not immediately be reached for comment. 
*******************************
Boston Globe
Activists assail antipiracy proposal
Argue civil rights would be violated under Mass. law
By Hiawatha Bray, Globe Staff, 4/15/2003
A plan to enact tough digital antipiracy legislation in Massachusetts has run into fierce opposition from technologists and civil libertarians who say the new law would violate civil rights and ban some common computer security techniques.

The Massachusetts bill, sponsored by state Representative A. Stephen Tobin, Democrat of Quincy, is based on a proposal drawn up by the Motion Picture Association of America, the trade group representing the major Hollywood studios. The association has lobbied legislators in all 50 states to pass similar laws, to give the movie companies a powerful tool to use against people who steal video signals from cable and satellite television providers. Already several US states have enacted such laws, but technology activists nationwide have begun to organize against the proposal.

Dozens of opponents attended a recent State House hearing on the bill, and Tobin has been bombarded with angry phone calls and e-mails. ''There's been a lot of shouting, a lot of accusations,'' Tobin said. As a result, the Motion Picture Association says it will modify the language of the bill to address the concerns of the critics.

The legislation is intended to outlaw the production, use, or sale of devices that enable the theft of telecommunication services, particularly cable and satellite TV signals. Violators would be subject to fines of up to $3,000 and prison sentences of up to 2 1/2 years.

But critics contend the legislation goes too far. Sarah Deutsch, associate general counsel for Verizon Communications, says the law covers much of the same ground as the federal Digital Millennium Copyright Act. But that law has an explicit provision exempting Internet providers from liability if customers use them to exchange illegally obtained digital files. The Massachusetts law doesn't have this exemption, said Deutsch. As a result, she said, ''we could be liable if one of our customers did something that violated the act.''

Edward Felten, a computer science professor at Princeton University, said the law contains language that forbids Internet users from employing technologies that conceal their identity and location. This would outlaw services such as ''anonymous remailers'' that are designed to let people send e-mail anonymously to protect their privacy. Felten said it would also ban a variety of common security measures, such as firewalls that conceal the locations of particular computers in a corporate data network.

In addition, Felten said, the law would expose computer users to liability for using any device that could be used to crack a cable TV system, even if the device was not obtained for this purpose. ''If the device is even capable of an illegal use, it would be banned,'' said Felten.

John Palfrey, executive director of the Berkman Center for Internet and Society at Harvard Law School, testified against the Massachusetts bill. As originally drafted, Palfrey said, it would outlaw the publication of information on how to build a device that could be used to steal telecommunications signals. A computer scientist who published a report on weaknesses in telecom security systems could be prosecuted under the law, Palfrey said.

Vans Stevenson, senior vice president for state legislative affairs at the Motion Picture Association, says the law is merely intended to give movie makers a way to prosecute video pirates in state courts. He said the association was modifying its model statute, on which the Massachusetts bill is based. The new version will specify that its provisions would apply only to people acting with criminal intent, Stevenson said. The revisions will probably be added to the Massachusetts version of the bill, which is now in committee.

Verizon's Deutsch said her company was working with the association to add language to the bill that would exempt Net service providers from liability when customers abuse firms' networks.

But Palfrey was unimpressed. He said the crimes addressed by the bill are already illegal, and adding another layer of legislation is a waste of time. ''I've never heard anybody -- not a prosecutor, not anybody in law enforcement -- saying we need these laws,'' Palfrey said. ''The only people I hear saying we need these laws are the Motion Picture Association.''


Hiawatha Bray can be reached at bray@xxxxxxxxxx
*******************************
Government Computer News
04/14/03 
Gateway opens another door for cross-agency authentication 
By William Jackson 
GCN Staff 

SAN FRANCISCO -- The Federal e-Authentication Gateway has been cleared for government operation. 

"I have authorization to operate in a live environment," Stephen Timchak, e-Authentication project manager for the General Services Administration, announced at the RSA 2003 Conference. 

The gateway is a tool that will provide a common way to authenticate users of e-government applications. It is being created to support the 24 other e-government initiatives identified under the President's Management Agenda, so that each agency does not have to develop its own authentication application. 

"All of these require authentication of the user," said Tice DeYoung, NASA's project leader for the e-Authentication Gateway architecture project. "We think if we support the 24 initiatives, we have taken a large step toward supporting much broader electronic government." 

Timchak said certification and accreditation for the gateway, required for all federal IT systems, was completed last week. He expects the gateway to begin full production services by early next year. The Office of Management and Budget is expected to issue policy for four levels of authentication assurance soon. This will be used to establish trust standards for credential issuers. Each credential will be mapped to one of the assurance levels, and e-government applications will decide which level of assurance it will require from users. A list of trusted credentials will be maintained on the gateway, which is hosted by Mitretek Systems Inc. of Falls Church, Va. 

The e-Authentication Gateway is separate from the Federal Bridge Certification Authority, which provides cross-certification of certificates for public-key infrastructures. Authentication for PKI will be a subset of the e-Authentication Gateway's work. GSA's Judith Spencer, chief of the Federal PKI Steering Committee, said the Federal Bridge will provide a validation path for the gateway for certificates at the higher levels of assurance.

Authentication -- verifying the identity of someone using electronic services -- is the key to enabling e-government services. Before transactions can take place over the Internet, citizens, companies, agencies and organizations must be sure of whom they are dealing with. This lack of assurance foiled the Social Security Administration's efforts in 1997 to make its Personal Earnings and Benefits Statements available online. "We have had limited success with electronic services" since PEBES was taken offline in April 1997, said Kent Weitkamp, senior analyst in SSA's office of electronic services. 

Users who access an e-government application will be redirected to the gateway for authentication, said Monette Respress, senior engineer for Mitretek. The company is testing four gateway architectures supporting different protocols and technologies. 

"We always envisioned that 'single gateway' is a virtual term, not a physical one," Respress said. "We have brought in multiple architectures and multiple protocols" that will interoperate. 

The Federal Bridge, which is now operating with NASA, the Agriculture Department's National Finance Center and the departments of Defense and Treasury, expects to add its first nonfederal entities in the coming months. Illinois has nearly completed the cross-certification process and the Canadian government is in the process, Spencer said. "I believe by midsummer we will be able to announce we have cross-certified both of these organizations," she said. 

Spencer said the PKI Steering Committee this year is funding agency development of PKI-enabled and Federal Bridge-aware applications. She said projects have been funded at NFC, Defense, GSA and the Health and Human Services Department.
*******************************
Wired News
Privacy Threat in Primary Colors  
04:53 PM Apr. 14, 2003 PT

SAN FRANCISCO -- While the U.S. terrorism threat alert level is still stubbornly stuck at orange, a watchdog group says the risk that citizens face of intrusions to privacy remains at a less worrisome yellow. 

Such is the initial reading of the Privacy Threat Index, a color-coded ranking system unveiled late Monday by the Electronic Privacy Information Center that attempts to measure the level at which the government is employing its surveillance powers.

The index, modeled after Department of Homeland Security's familiar color-coded security advisory system, ranks threat levels as green, blue, yellow, orange or red. Blue marks the lowest risk level, while red signifies a severe threat. The current level, yellow, signifies a "guarded" risk. 

"We're hoping that this new scheme will make it easier for people to understand the threats to privacy," said Marc Rotenberg, EPIC's executive director, who said the group used a similar system in the late '90s to characterize threats to cryptography deployment. 

In determining the current threat level of yellow, Rotenberg said index developers took into account a number of trends and policy changes privacy advocates view as disturbing. These include expanded use of the Foreign Intelligence Surveillance Act, privacy-inhibiting provisions of the proposed Domestic Security Enhancement Act (dubbed by some as Patriot II) and ongoing efforts by the FBI to extend wiretap rights to Internet telephony. 

But a number of developments that privacy activists viewed as positive kept the index below the more alarming orange level. Among them, EPIC cited Congress' suspension of the controversial Total Information Awareness program pending an investigation, the rejection of a proposal to create a national ID card, and increased scrutiny of the airplane passenger profiling system known as CAPPS II. 

Jim Bidzos, chairman of the RSA Conference, being held this week in San Francisco, took credit in a speech Monday for coming up with the initial idea for the privacy threat index. Bidzos said he was particularly intrigued by the possibility of finding a correlation between increases in perceived terrorism threats and privacy risks. 

Rotenberg, for his part, said he hopes no such correlation comes out in the color-coded rankings, although he did note that surveillance increased following the terrorist attacks of Sept. 11. 

"Our hope is that the threat to privacy remains low, even as the threat of terrorism fluctuates," he said. 
*******************************
New York Times
April 15, 2003
E-Mail Is a Big Factor in Recovery
By JOE SHARKEY

HENRY H. HARTEVELDT knows a whole lot more about online travel booking than I'll ever know, but on the other hand Mr. Harteveldt doesn't have to wade through my e-mail in basket. 

For example, I was traveling most of last week. When I got back, I spent two hours sorting out the e-mail messages I wanted to read from a five-day accumulation of spam, working my delete key like a machine-gun trigger. 

In all, there were more than 900 desperate junk-mail spams, ranging from those with message lines that wink with coquettish come-ons ("I really enjoyed last night!") to those that, taken together, seem to imply that the receiver is a swashbuckling sybarite, as well as a prime candidate for male and female anatomical enlargements and/or reductions, not to mention a debt-ridden, obese loner who gambles excessively but is nevertheless sufficiently flush to attract trusting offers from various relatives of Mobutu Sese Seko who require help in laundering $70 million in cash that's been laying around since the fall of Kinshasa. 

So the old eyebrow shot up recently at a travel industry conference when I heard Mr. Harteveldt, the principal travel analyst at Forrester Research, assert, "E-mail is the most important tool in the travel industry's recovery."

Sure, I thought. And the Three Tenors? Those guys are all at the top of their game.

But then I remembered the last e-mail sort-through I'd done, dispatching all those spams to the delete bin. When I was finished, the only advertising e-mail messages that remained were a handful of promotional offers, or heads-up messages about travel, from various airlines and hotels.

According to Mr. Harteveldt, airlines, hotels and other travel suppliers have discovered something remarkable about frequent travelers, who tend to be people who are also high users of the Internet (and subscribers to broadband Internet services). We actually want to get e-mail messages from these companies. 

E-mail is proving to be "the most immediate vehicle you have to reach out to customers, to segment and communicate with customers in a relevant, compelling and timely manner," Mr. Harteveldt told industry suppliers at the Travel Commerce conference in New York earlier this month. 

"The e-mail-engaged traveler," said Mr. Harteveldt, doesn't much like pop-up ads or big ad displays that eat up the whole screen. These travelers want marketing information, not jive. They are, he said, people who book a lot of travel online and who "like receiving e-mail" about travel offers. The lesson to suppliers: "E-mail is no longer an acquisition tool; it is a retention tool, too, to facilitate your relationship with your customer," he said.

Travel advertising e-mail messages that are welcomed rather than spurned appear to be one unanticipated outgrowth of the most profound change in travel-buying behavior in at least a generation -- the surge in online travel booking, which got traction a few years ago and now represents about one of every four domestic travel reservations. Last year, out of a total of $73.2 billion spent on e-commerce, online consumer travel bookings alone -- the vast majority of that by leisure travelers -- accounted for $30.2 billion, up 56.3 percent from the previous year, said Graham Mudd, an analyst at ComScore Networks.

According to Mr. Harteveldt's research, business travelers booked $13 billion in travel online last year, about equally divided between managed bookings on corporate-sponsored online travel sites and unmanaged bookings by individuals. That figure will rise to $27 billion in 2007, he estimated. Airlines got about $7.7 billion of last year's total, while hotels accounted for about $4.5 billion, he added. (The rest went to car-rental firms and Amtrak.)

Business and leisure travelers were the first consumers to accept e-commerce, lured by the almost perfect universe of information, especially for air fares, available online. In the last two years, corporate travelers fed up with paying sky-high standard business fares have been avidly researching, and booking, cheaper air fares online, which is one of the major reasons for the current state of near collapse in the finances of major airlines.

To date, while they are moving to aggressively cut costs and trim services, none of the major airlines have tackled the fundamental business-fare-structure problem, though most have selectively reduced business fares on certain competitive routes. As a result, a business traveler still faces a bewildering range of fares on many routes, and a growing challenge in trying to figure out how much it really costs to get from here to there, and under what conditions. 

"The continuing disparity in the marketplace for the corporate travel market isn't a perception, it is real; there is huge pricing chaos," said Krista Pappas, the senior vice president of FareChase, a company that provides search-engine technology for corporate travel departments.

With the Internet, and the constant flood of information it offers, the airline business has changed forever. "Business travelers have become far too smart" to allow airlines to return to the days of business fares that routinely cost five to seven times more than leisure fares on the same trip, Ms. Pappas said.

Meanwhile, corporate travel managers are battling to keep their well-informed employees booking through the company site, where in-house travel management policies and accounting are easier to monitor. To assist them, FareChase markets a weekly Web survey that evaluates fares in 350 domestic business markets from all Web sites and other sources. The idea is to provide a reliable, easy way for corporate travel managers to compare fares, not just always for the cheapest price but for other variables like schedule convenience.

"The Internet is knowledge, and it's giving business travelers more power every day," she said. "I truly believe that the more sophisticated the travel buying public becomes, there is no way they'll go back to saying, I'll pay $2,200 to fly on a ticket that the person in the seat beside you may have paid $600 for."
*******************************
Federal Computer Week
Rumsfeld issues transformation guide
By Dan Caterinicchia 
April 14, 2003

Defense Secretary Donald Rumsfeld recently issued his Transformation Planning Guidance, a road map designed to help the Defense Department transform its personnel, business processes and military forces.

The 34-page document, which was released earlier this month, is based on four pillars of implementation: 

* Strengthening joint operations and linking integrated architectures, including material solutions, doctrine, organization and training needs.

* Exploiting U.S. intelligence advantages, including the integration of assets via the Global Information Grid, shared awareness systems, and transformed command, control and communications systems.

* Rapid, joint concept development and experimentation, including war gaming, modeling and simulation, the Joint National Training Capability, and operational lessons learned.

* Developing transformational capabilities in research, development, test and evaluation; a joint rapid acquisition program; training and more.

Rumsfeld said the guidance not only provides the approach for transforming DOD, but assigns roles and responsibilities for promoting that effort. It "depicts the outcome we must achieve: fundamentally joint, network-centric, distributed forces capable of rapid decision superiority and massed effects across the battlespace," he said.

The document also lays out numerous transformation tasks and their due dates, some of which must be completed within the next two months. 

By May 1, the chairman of the Joint Chiefs of Staff will lead the combatant commanders, military service leaders and the Office of Force Transformation's director in developing "one overarching joint operations concepts" document that describes future joint warfighting. By June 1, the services and combatant commands must have developed four cornerstone joint operating concepts, and by July 1, the Joint Forces Command, along with other Pentagon leaders, must develop an "integrated interoperability plan" for achieving all stated priorities within the decade.

Jack Spencer, senior policy analyst at the Heritage Foundation, a Washington, D.C., think tank, said he endorsed the ambitious timetables included in the transformation guidance because without them, things often don't get done.

"If there are not aggressive time lines, people tend to ignore them," Spencer said. "Especially with transformation issues, given the immensity of the proposition to transform the Defense Department into a different kind of Defense Department, I'm all for putting as much pressure on that process as necessary...to protect the nation from the myriad of unpredictable threats we face over the next 100 years."

Spencer also said DOD leaders should not have too much trouble meeting the required due dates since they have been "thinking along these lines since Secretary Rumsfeld became a vociferous proponent of transformation" a few years ago. 

Loren Thompson, a defense analyst at the Lexington Institute, an Arlington, Va., think tank, said the third deadline will be the toughest for DOD to meet because it "requires [changing] a series of technology and architecture decisions that go back a generation or more."

"Joint interoperability is the hallmark of the transformation process," Thompson said. "It requires them to substantially change the operational culture of the services, warfighting technical architectures, and the concept of operations. That is a very complicated thing. But they have been giving this a lot of thought since Rumsfeld took over."

Rumsfeld acknowledged that there is no end state for transformation, but the guidance will help prepare DOD now and in the future.

"There will be no moment at which the department is 'transformed,'" he said. "Rather, we are building a culture of continual transformation, so that our armed forces are always several steps ahead of any potential adversaries."
*******************************