
Clips April 29, 2003




ARTICLES

Do-Not-Spam Plan Draws Critics
Web Sites Shut Down in Spam Fight
Student Pleads Guilty in DirecTV Scam
A Behind-the-Scenes Force for Privacy 
TSP computer system slated to debut in June 
Licensed to War Drive in N.H.
Federal managers adapt to virtual workplace 
Wrong E-Mail Tells People They Won Prize 
DFAS officials rethink outsourcing deal
Privacy laws may not cover key systems
Navy shoots down report on HR system
DOD urged to share outsourcing lessons
Boot camp-style training catches on
Homeland Security will accept electronic signatures 
N.Y. Sen. Schumer to introduce do-not-spam list legislation
A dearth of dollars for technology has many police in the dark
Orange County Might Go High-Tech on Election Day
U.S. has big spending plans for Silicon Valley
*******************************
Wired News
Do-Not-Spam Plan Draws Critics
02:00 AM Apr. 29, 2003 PT

Spam -- scourge of e-mail inboxes nationwide -- is beginning to make enemies in the hallowed halls of Congress. 

After years of leaving the bulk of enforcement to state governments, federal legislators are turning up the heat in the fight against spam, with two recent Senate proposals that would subject chronic spammers to criminal charges.

The latest plan, introduced this week by Sen. Charles Schumer (D-N.Y.), is an attempt to curtail what its author describes as an "epidemic" of junk mail that takes residents of New York City alone more than 4 million hours a year to eliminate. 

In addition to authorizing fines and prison time for "severe repeat offenders," Schumer wants to create a national no-spam registry, modeled after do-not-call list legislation enacted this year that enables people to avoid getting calls from telemarketers. 

Schumer's legislation differs slightly from the Can-Spam Act of 2003, introduced earlier this month by Senators Conrad Burns (R-Mont.) and Ron Wyden (D-Ore.). The Burns-Wyden bill does not call for a do-not-spam list, but does propose fines, along with prison terms of up to one year, for spammers who knowingly send unwanted mail with false or misleading headers. 

The proposals come as market research data indicates the junk e-mail problem is getting serious. 

Marten Nelson, an analyst with Ferris Research, a San Francisco firm, estimates that corporations in the United States will incur costs of approximately $10 billion this year due to lost productivity, network expense and tech support inquiries resulting from spam. 

But although the principle behind proposed federal legislation is drawing a warm reception from anti-spam activists, many doubt its practicality. While it's easy to outlaw spam, it's rather difficult to catch the outlaws who send it. 

"Pinning down a spammer is like trying to nail down Jell-O," said Robert Bulmash, president of the privacy rights group Private Citizen. Bulmash said he is skeptical that a do-not-spam list would be as effective as the anti-telemarketing registry. 

Spammers tend to hide originating information, send messages from computers that are not their own, and point to websites that disappear a few days after a mass mailing. Moreover, bulk e-mailers often operate overseas, making it easier to evade the long arm of the law. 

Bulmash was more supportive of proposals to sentence the most virulent spammers to jail time, saying it would send a message to unscrupulous e-mail marketers. 

Another problem with the do-not-spam list idea, said Ferris' Nelson, is that it could expose e-mail addresses to hacks by unethical spammers. Bulk e-mailers would see such a list as a gold mine, because all the addresses it contained presumably would be valid. 

Such concerns haven't stopped legislators outside the federal government from considering the list approach. Legislation introduced in both Colorado and Missouri would create a central database of residents who don't want to receive unsolicited e-mail. 

The Colorado Junk E-Mail Law would require companies to pay an annual fee of up to $500 to access the registry. It also would award consumers $10 plus attorney's fees for each unwanted message they receive, assuming they are willing to take the spammer to court. 

In Missouri, companies would have free access to the list, but residents would be able to sue marketers for up to $5,000 for violating it. 

In order for anti-spam suits to work, however, judges must show consistency in how they interpret the law, said Bennett Haselton, a Washington resident who has filed dozens of cases against spammers under a state anti-spam statute. He claims to have received widely differing interpretations of state law from judges who've heard his cases in small claims court. 

Haselton said he "applauded" efforts by Schumer and other legislators to reduce spam, but was doubtful that new laws alone would be much help, since spammers are notoriously difficult to track down and prosecute. 

"If anti-spam laws were easy to enforce in court, the problem would already be taken care of," he said.
*******************************
New York Times
April 29, 2003
Web Sites Shut Down in Spam Fight
By SAUL HANSELL

Scores of Web sites were taken off the Internet over the weekend because of new pressures on a commercial Internet service provider to stop unwanted marketing e-mail, or spam, and the companies that use it. 

Most of the Web sites that were shut down had no relation to the company accused of sending spam other than having the same Internet service provider for their Web site. But in the escalating spam battles, some anti-spam groups seem to care little about collateral damage. 

On Sunday afternoon, 89 Web sites operated by US Moneywerx, a Bryan, Tex., company that operates Web sites for small businesses, were disconnected.

They were cut off because Server Beach, the San Antonio company that actually houses US Moneywerx's server computer, reacted to complaints by the public and an anti-spam group who said that a site that had US Moneywerx as its host was sending spam.

Richard Yoo, the president of Server Beach, said he evaluated information provided by the group called the Spam Prevention Early Warning System that runs a Web site called Spews.org. That site added to its list of spammers a small Los Angeles company called NetGlobalMarketing, which was a client of US Moneywerx.

Many Internet service providers block e-mail not only from sites identified on the Spews.org list but from any company that provides Web services for those companies.

Executives of NetGlobalMarketing were quoted in an article in The New York Times last week on the efforts by e-mail companies to block spam. The article quoted company executives saying that all of the e-mail messages they send are to people who have requested e-mail offers. Nonetheless, the company has received thousands of angry and threatening e-mails and telephone messages over the last week. And personal information about company executives has been placed on anti-spam Web sites.

"I am not a spammer, and we do not spam," said Alyx Sachs, the company's co-founder. "I run a marketing company, and we use e-mail the way we use radio or print."

Don Wood, president of Childwatch of North America, an organization that tries to prevent abduction of children, said he sometimes hired NetGlobalMarketing to send e-mails to parents inviting them to events where their children can be photographed and fingerprinted.

Ms. Sachs said the company does work for dozens of well-established companies, including some in the travel, insurance and entertainment industries. But, she said, they do not wish to be identified because of the current reaction against spam. 

"People are being wrongfully accused of spamming based on rumor, gossip and innuendo," she said. 

Ms. Sachs expressed particular frustration with the Spews site, because there is no way to talk to anyone from that organization to protest being placed on that list.

The site is registered in Russia, and its operators are anonymous and offer no telephone number, address or e-mail address to contact them. Nonetheless, their list is widely used by Internet service providers looking to block spam.

Now even some other anti-spam activists have started to say that Spews is going too far.

"Spews is very aggressive," said Steve Linford, who runs the Spamhaus Project, another organization, based in Britain, that runs a list of known spammers.

Spamhaus, he said, tries to respond to complaints that it has unfairly put a company on its list, something that he said Spews did not do.

"They don't care what is blocked and will block anything around a spammer," he said. The effect has been powerful, he added, saying that "Spews has brought fear" to Internet service providers that house spammers. 

The Spews site also does not appear to be very precise. Bhavin Chandarana, who runs a Web services company in India called Indialinks, said his firm has been listed by Spews because it has an Internet address similar to that of US Moneywerx.

Mr. Yoo, the owner of Server Beach, said that Spews has "a shoot-first-and-ask-questions-later mentality." But, he said that spam had become so much of a problem that it required what amounts to rough justice.

But caught in that pursuit of rough justice are companies like KWA Ecological Science, a Seattle consulting firm that specializes in salmon preservation. Its Web site and e-mail account are served by US Moneywerx and were shut down on Sunday.

"If someone took an action to cut spam out, I am a great supporter of that," said Keith Wolf, the Seattle company's owner.

"But this is not good for me, as I do most of my business working with large groups of people collaborating by electronic mail," he added.
*******************************
Associated Press
Student Pleads Guilty in DirecTV Scam
Mon Apr 28, 8:25 PM ET

LOS ANGELES - A University of Chicago student pleaded guilty Monday to stealing trade secrets of DirecTV's most advanced anti-piracy technology, which later surfaced on a hacker Web site. 

   

Igor Serebryany, 19, could be sentenced to as much as 10 years in prison, but the plea deal recommends probation, said Nina Marino, Serebryany's attorney. Prosecutors were also seeking up to $146,000 in restitution to DirecTV Inc., Marino said. 


"It is in the discretion of the court, however, at this offense level, imprisonment is unlikely," Marino said. 


Two other counts against Serebryany -- for duplicating the documents and for transmitting them -- were dropped as part of the plea agreement.


Serebryany admitted stealing digital copies of hundreds of secret documents pertaining to DirecTV's most advanced access card while he was working in the Los Angeles office of a law firm representing the satellite programming provider, according to the U.S. attorney's office. 


The documents were being reviewed by the law firm as part of a civil suit. Serebryany got access to them while working part time for an imaging firm hired to make electronic copies of court papers. 


The college sophomore stole copies of the documents on computer disks and then forwarded them to a Web host for a hacker Web site, said Assistant U.S. Attorney James W. Spertus. 


"His intent was to have the material posted and made available to the hacking community," Spertus said. 


The documents, which included details about the design and architecture of DirecTV's "Period 4" cards, began showing up in October on underground Web sites and discussion groups that specialize in defeating the devices. The card is plugged into a viewer's satellite box and controls which movie and sports channels each of the company's 11 million subscribers can watch. 


The technology behind the cards is so sensitive that DirecTV kept the information encrypted in company computers. DirecTV said it spent more than $25 million to develop it. 


Serebryany remained free on bond Monday. His sentencing is set for Sept. 8. 


"He took full responsibility for his actions," Marino said. "He has learned a life-altering lesson, which carries permanent consequences to his future and the loss of his civil liberties." 
*******************************
Seattle Times
FCC chief says rule barring media cross-ownership likely to be dropped 

By Brier Dudley 
Seattle Times technology reporter 

Against the backdrop of Seattle's brewing newspaper battle, Federal Communications Chairman Michael Powell yesterday defended his plan to allow media companies to own newspapers and television stations in the same city. 

Powell said it's likely the FCC will drop the rule when it meets June 2, ending a 28-year ban on media cross-ownership. 

"I think a change is likely, but I won't say definitely," he told reporters after speaking at the Newspaper Association of America convention at the Sheraton Seattle Hotel and Towers. 

Cross-ownership is one of several media rules the FCC is revising in light of the less regulatory approach favored by Powell (the son of Secretary of State Colin Powell), who was named chairman in 2001 by President Bush. 

Powell said new technologies and a new regulatory approach will break the "stranglehold" on the marketplace and bring benefits to the people. As examples, he described the proliferation of long-distance providers, wireless phone services and cable television offerings that resulted when the FCC loosened up the telecommunications business. 

"The FCC never means to, but there's sort of this unbelievable tendency in history to try to protect and cut things off that seem new and strange and unusual, only to find out later that those were things that are really going to bring value," he said. 

But watchdog groups, some lawmakers and even several members of the FCC fear that the cross-ownership change will have the opposite effect and result in further consolidation of the media. 

The most outspoken critics say consolidation will harm democracy and the public interest. 

Concentration of media ownership would allow owners to exert more influence over the public, reduce local news and diminish the watchdog role, according to a December report by the Consumer Federation of America. 

"Every major paper is going to try and buy or be bought by a TV station; certainly the major chains will just go hog wild," said Mark Cooper, research director at Consumer Federation of America in Washington, D.C. 

Already ownership of newspapers and TV stations has fallen from about 1,500 to 600 entities since the 1970s. It could fall to as low as 300 owners if Powell's rule change takes effect, according to a December report by the federation. 

Seattle could see further media consolidation if the rule passes. 

The Seattle Times and the Seattle Post-Intelligencer are haggling over a joint publishing agreement that could lead to the shutdown of one paper. The papers may simultaneously be exploring relationships with local TV stations. 

Times Publisher Frank Blethen yesterday reiterated his belief that the P-I's owner, New York-based Hearst Corp., wanted to buy KOMO-TV when it was for sale recently. The Times has not disclosed any plans to acquire a station, but it has formed a small alliance with KING-TV. So far, the paper jointly produces a weather page with the station owned by Dallas-based Belo Corp. Blethen, who has lobbied against the cross-ownership rule change, was a rare critic of Powell at the convention of newspaper publishers. 

"It's amazing to hear somebody use so many words to say nothing," Blethen told reporters after Powell's speech. "He's focused on technology and not news and how news serves our democracy, and the loss of the diversity of voices we're seeing through concentration of ownership." 

Gregg Jones, publisher of the Greeneville Sun in Tennessee, told Powell the regulations handicapped newspapers by preventing them from buying TV and radio stations. "Had we been in the game, there might have been more local ownership, less radio consolidation, resulting very likely in more local news and information," he said. 

Asked if he's concerned that the rule change could hurt competition in two-newspaper cities like Seattle, Powell said the regulations are primarily focused on who can own television stations. 

The NAA also hosted Secretary of Commerce Donald Evans, who touted the president's economic stimulus plan as the ticket out of the recession. He also said plans to repeal the so-called death tax, which taxes the estate when a person dies, were off the table for now. 

Evans paid special attention to the cornerstone of the stimulus plan, the proposed tax cut, saying that Bush will pursue at least a $550 billion reduction, down from the $726 billion he originally pushed. Brushing off critics' claims that the cut amounts to a tax break for the rich, he said it will most benefit people looking for jobs. "There are three reasons to pass the president's economic plan: the first one is jobs, the second one is jobs, and the third one is jobs," he said. 
*******************************
Washington Post
A Behind-the-Scenes Force for Privacy 
For Leader of D.C.-Based Project, Protecting Confidentiality of Medical Records Is 'Lifelong Endeavor' 
By Avram Goldstein
Monday, April 28, 2003; Page A21 

As she stood at the lectern, Janlori Goldman basked in the moment. After working behind the scenes for years to protect the confidentiality of medical records, here she was introducing President Bill Clinton as he officially created a federal right to privacy in personal health information.

At the December 2000 ceremony, Clinton issued rules to prevent health care workers from sharing confidential information that could wind up in the wrong hands and be misused to deny people jobs, promotions, health benefits, credit or social acceptance. After President Bush took office, he put the Clinton administration rules on hold, but ultimately allowed most of them to go forward.

The final rules, hammered out by government officials, civil liberties groups and the health care industry in the two years since Goldman's speech, give consumers the right to limit access to some of their confidential information and to learn who has seen their records. Patients can inspect and add notes to their own medical records if they find errors in them. The new federal policy sets a minimum national standard for the states, which have a range of privacy laws.

The regulations have many other facets, but the most noticeable effect is that health care providers are having patients sign acknowledgments of their privacy policies. 

Goldman had formed the District-based Health Privacy Project, the nation's only consumer advocacy group devoted exclusively to the subject, in 1997. The work of the five-member team has been dominated by the Health Insurance Portability and Accountability Act (HIPAA).

The privacy project became central to the advocacy during the rulemaking process by organizing a coalition of 100 consumer groups, including representatives of disabled people, seniors, AIDS patients, and the mentally ill. The coalition's constituents generated more than 30,000 of the 52,000 comments on the proposed rules that were filed with the Department of Health and Human Services. 

Goldman says the project will be working on tightening up the new regulations, which took effect earlier this month. She sees numerous challenges ahead, including monitoring HIPAA enforcement and protecting confidential health data held by employers, such as employee assistance plan records and pre-employment physicals.

Goldman's focus on health data comes after a brief stint as a social worker and many years as a staff attorney for the American Civil Liberties Union in Minnesota. She arrived at ACLU headquarters in Washington in 1986 to tackle the issue of privacy and computer databases. After 1992, she worked at other electronic data privacy groups, and was a visiting scholar at Georgetown University Law Center. 

There is widespread agreement in the medical community that the new privacy law is important in a world where medical information is computerized and could easily be misused, although some have complained about added layers of paperwork. And when the rules took effect April 14, Goldman said, she was nervous and excited.

"I realized something was going to come into being that was long in the making, but I also knew there would be a lot of moaning and groaning about it" from doctors' offices that had to process privacy notices for each patient, she said.

Goldman, 43, said any complaining will probably fade, but her pursuit of additional federal protections won't. She expects that mission to last the rest of her career because HIPAA -- which she considers a valuable jumping-off point for more protections -- has many holes.

"It's my lifelong endeavor," she said, adding that she needs help from a lot more activists. "The medical privacy issue certainly could use a few people devoting their lives to it."

She frets about what HIPAA doesn't address, such as the growing flow of health care data to bioterrorism surveillance systems. Such systems use computerized information about patient care to watch for early signs of outbreaks. Such systems could, in theory, provide private medical data on patients to third parties without running afoul of the new law, she said.

Goldman says she has always felt one shortcoming is that HIPAA does not allow individuals to sue privacy violators in federal court -- a limit set by Congress. Those responsible for enforcing the law are in HHS's Office of Civil Rights, and they expect to process about 21,000 complaints each year.

When Bush took office, he was urged by industry groups to shelve the rules, but he kept them -- with changes that were not finalized until last summer. 

Those changes were interpreted by federal officials to allow a practice that Goldman calls "repugnant," in which drug makers and other marketers can sidestep HIPAA and pay doctors or pharmacies to perform targeted mailings on their behalf to patients with specific diseases.

Another key change was the loss of a patient's right to withhold consent for disclosure of personal data to people not involved in their treatment or processing of health insurance payments, such as marketers and researchers.

Instead, the Bush administration required health care providers just to notify patients of the provider's privacy policy, dismaying advocates such as Goldman and the consumer group Public Citizen.

Still, Donna E. Shalala, who was secretary of health and human services under Clinton, argues that the most important regulations survived the Bush revisions.

"Here was one of the most important changes in health policy, and it basically worked," said Shalala, now president of the University of Miami. "But I wouldn't assume that it isn't going to be changed as we learn more. There is nothing that complex that you get right the first time."

Many doctors are annoyed by the minutiae. Michelle Rivera, an Arlington dermatologist, said her staff handles about 150 patient notices a week. 

"It's great that patients know how their information could be abused or disseminated," she said. "But the burden is on us as physicians. It's just another piece of paperwork we have to deal with, so we're growling about that."

Others, such as Alan G. Wasserman, chairman of the department of medicine and president of the faculty medical practice plan at George Washington University, welcome the change.

"As we enter a more sophisticated medical era with genetics and more research, it's going to be important that patients have privacy," he said. "I don't think that the regulations being imposed on physicians are onerous."

Goldman is especially interested in preventing misuse of genetic information.

"I still find it staggering that [a law barring discrimination based on genetic information] wasn't passed years ago while we're spending billions of dollars mapping the human genome," she said. "We're trying to encourage people to get genetic testing and counseling, but they're afraid they'll lose their jobs."

She has notable allies on the Health Privacy Project board, including John D. Podesta, who was Clinton's chief of staff and described by his former boss as a medical privacy "fanatic"; former ACLU leader Mort Halperin; and Kathy Hudson, a genetics and bioethics expert at Johns Hopkins University. 

The whole enterprise cheers one District man who won a $250,000 jury verdict against Washington Hospital Center in 1999 after his HIV-positive status was released improperly to his co-workers by a hospital receptionist.

"I think it's long overdue," the man said. "There are a lot of cases where people's rights are violated. Hospitals just don't have the safeguards in place to insure privacy. . . . Would you want your relative's information being passed on like this?"
*******************************
Government Computer News
April 28, 2003 
TSP computer system slated to debut in June 
By Tanya N. Ballard

Participants in the 401k-style Thrift Savings Plan should be able to access their balances and other information online by mid-June, according to TSP officials.


Testing to verify that the much-delayed new system can handle large numbers of TSP transactions simultaneously is complete, and an aggressive training and implementation plan has been drafted, Lawrence Shiffler, director of TSP's Office of Automated Systems, told TSP board members Monday.


"There are some minor, cosmetic bugs, but barring any unforeseen problems with the software, the system will be ready to launch in June," Stiffler said. "I don't see any problems at this point."


Once up and running, the new system would give the more than 3 million TSP members more control over their accounts by offering more ways for participants to withdraw money and providing online service for loans and withdrawals. The new system would also show account balances in shares as well as dollars. Under the current system, the value of TSP accounts is updated monthly rather than daily, and some transactions take several weeks to process.


The TSP board spends $1 million on postage per mailing, and anticipates saving money once TSP members are able to opt for online and, eventually, electronic statements rather than paper statements. 


The June launch date is the seventh debut date for the new system, which underwent numerous delays and an escalating budget over the last six years. The board hired American Management Systems in 1997 to modernize the computer system and give federal employees more tools to manage their 401k-style retirement accounts. The $30 million project was supposed to be completed by May 2000, but when the implementation date was moved back four times and the budget tripled, the board fired AMS in July 2001. The board sued the Fairfax, Va.-based company for $350 million in damages and AMS has filed a breach of contract suit against the board. The lawsuits are pending. 


While the legal battles rage on, the board has held off on assessing TSP member accounts for $41 million in expenses from the AMS contract. Board officials plan to use proceeds from the lawsuit to offset the $41 million, rather than charge the debt to TSP members. On Monday, Ernst & Young, TSP's auditor, told board officials their actions in regard to assessing the accounts were reasonable. Labor Department officials have questioned the board's decision not to assess member accounts.


TSP officials will send participants a statement with information about the changes once the new system is ready to go online. 
*******************************
Wired News
Licensed to War Drive in N.H.
02:00 AM Apr. 29, 2003 PT

DURHAM, New Hampshire -- A land where white pines easily outnumber wireless computer users, New Hampshire may seem an unlikely haven for the free networking movement. 

But the state, known for its Live Free or Die motto, could become the first in the United States to provide legal protection for people who tap into insecure wireless networks.

A bill that's breezing through New Hampshire's legislature says operators of wireless networks must secure them -- or lose some of their ability to prosecute anyone who gains access to the networks. 

House Bill 495 would, experts say, effectively legalize many forms of what's known as war driving -- motoring through an inhabited area while scanning for open wireless access points. 

Increasingly popular with businesses and consumers, wireless networks use radio waves to transmit data between computers in a network. The convenient, low-cost equipment often is deployed to allow employees or household members to share a single Internet connection. 

To simplify installation, wireless systems typically ship without any security features enabled. Because the radio waves broadcast by wireless base stations are relatively powerful, it's not uncommon for residential neighbors or adjacent businesses to inadvertently connect to each other's wireless networks. 

Some wireless owners leave their access points unsecured on purpose. A grassroots effort known as the open network movement is attempting to create a worldwide grid of Internet-connected wireless access points. A computer enthusiast with a DSL or cable modem at home may, for example, intentionally provide free wireless access to the connection while he's away at work. 

New Hampshire's proposed wireless law was hailed as "enlightened" by the Electronic Frontier Foundation, a California-based digital rights advocacy group. 

Lee Tien, a lawyer for the EFF, said the bill would help clarify the legality of the open networking movement. 

"It seems like a fairly clean way of accommodating the geek-culture practice of having open wireless access points without doing anything bad for security," said Tien. 

The appeal of tapping into free Internet connections while on the go has led to an activity known as war chalking, in which wireless fans scratch special markings on pavement to indicate open connections. Thousands of wireless "hotspots" offered by hotels, restaurants and other commercial establishments also are listed in online databases such as 80211hotspots.com. 

To understand the genesis of New Hampshire's proposed law, just boot up a wireless-enabled laptop at the Fusion Internet Cafe and Espresso Bar on Elm Street in Manchester, the state's largest city. 

Fusion has been offering free wireless access to coffee drinkers for the past four months. But co-owner Carlos Pineda said he sometimes turns on his laptop at the cafe and finds himself connected instead to a wireless local-area network, or WLAN, operated by the CVS drugstore located across the street. 

"I don't even think their employees are aware the signal from their Internet is being broadcast outside of their space," said Pineda. "That means I have access to their (Internet protocol) address so I can break into their system. Personally I can't, but other, more-savvy people could do it." 

The legality of such inadvertent wireless network intrusions is murky. Last year, a Texas man was indicted, but later cleared, on charges that he illegally gained access to the wireless network of the Harris County district clerk. 

Like most state and federal computer crime laws, New Hampshire's existing statute says it is a crime to knowingly access any computer network without authorization. By analogy, just because someone leaves his house unlocked doesn't mean you are authorized to walk inside, sit on the couch or help yourself to the contents of the fridge.

But HB 495 turns that thinking upside down, experts said. It defines an operator's failure to secure a wireless network as a form of negligence. According to the proposed amendment, "the owner of a wireless computer network shall be responsible for securing such computer network." 

What's more, if an alleged intruder can prove he gained access to an insecure wireless network believing it was intended to be open, the defendant may be able to get off the hook using an "affirmative defense" provision of the existing law.

As a result, some legal experts contend that New Hampshire's proposed amendment to its computer laws could make it harder to throw the book at criminals who take advantage of insecure wireless systems. 

"If (wireless network operators) want to be able to prosecute people for hacking into their wireless networks, they need to have done something to have secured the networks," said Mark Rasch, a former head of the Justice Department's computer crime unit. 

Despite repeated warnings from experts, at present many wireless users haven't secured their systems. 

A 10-minute war drive down the main business district of Manchester earlier this month using a laptop with a standard wireless card revealed nearly two dozen open wireless access points, including some operated by banks and other businesses. 

A variety of techniques can deter, if not eliminate, unauthorized access to wireless networks. For example, enabling a technology called Wired Equivalent Privacy, or WEP, can provide some security by encrypting wirelessly transmitted data. Wireless networks also can require users to provide a password before connecting. Another technique, called MAC address filtering, only allows access to computers on a designated list. 

But according to Jeff Stutzman, CEO of ZNQ3, a provider of information security services, such security techniques are beyond the ken of many home and small-business users. 

"When I do a vulnerability assessment for a client, one of the first things I do is test for open (wireless) access points. And I've been in places where every access point I've picked up is un-WEPed," said Stutzman. 

Pineda said the salesman at Best Buy who sold Fusion Internet Cafe its wireless gear didn't even bring up the subject of enabling security features. 

"People talk about wireless technology but no one talks about the security problems ... people stealing the signal, hacking your system," said Pineda. "That's not their concern. Their concern is to push a product out of the store." 

Passed by the New Hampshire House last month, HB 495 currently is being reviewed by the state's Senate Judiciary Committee. If signed into law, it would take effect in January 2004. 

Committee Chairman Andrew Peterson said the goal of the proposed law is to protect those who innocently stumble upon insecure wireless networks. But Peterson said the committee is open to arguments from anyone who believes the bill could undercut existing protection for victims of wireless hacking. 

"We want to be sure that it wasn't the case that, through trying to protect people under certain circumstances, we were opening up greater opportunity for criminal activity," said Peterson.
*******************************
Government Executive
April 28, 2003 
Federal managers adapt to virtual workplace 
By Tanya N. Ballard
tballard@xxxxxxxxxxx 

As the number of federal workers participating in telework programs increases, many managers are finding that out of sight does not mean out of mind. 


"It really all comes down to good management," said Stan Kaczmarczyk, director of the General Services Administration's Innovative Workplaces Division. "Manage the results, not the process and not the day-to-day activities of the people. If you manage the results and you have milestones along the way, you don't need to manage people on a daily and hourly basis."


Kaczmarczyk was a panelist last week at an online seminar sponsored by the International Telework Association & Council (ITAC), where members discussed how to have successful telework arrangements and manage the performance of remote workers. 


Rep. Frank Wolf, R-Va., pushed through legislation three years ago that required agencies to expand their efforts to create teleworking opportunities for federal employees. Now, according to a Jan. 2003 report by the Office of Personnel Management, 5 percent of the federal workforce participated in teleworking programs during 2002, an increase from 4.2 percent in 2001. 


In the OPM study, management resistance, usually the main culprit cited for the lack of federal teleworking, fell from the top of the list of barriers to expanding telework programs in the federal workplace. OPM found that agencies used internal training to gain acceptance from managers. That training was needed to help move beyond what one seminar participant described as "eyeball management," where managers feel if they can see the employee and the employee appears to be working, then that employee has earned his salary.


"A lot of that approach of eyeball management is really the follow up of the legacy of the farm and the factory," the participant said. "We have to break that legacy and rethink our ideas about what management is about."


Managers should demand responsibility from teleworkers, as well as define expectations so there is a clear understanding of what needs to be done. Communication and trust are also key to managing in a virtual environment, as well as a good sense of what technology is needed to support the work employees are expected to do at remote locations. "You don't need to pay for an extra phone line or high speed modem access if it isn't needed," Kaczmarczyk said.


Finally, if managers are still struggling to supervise teleworking employees, they need to leave the office. 

"If you are a manager and you can't figure out how to manage people when you can't see them, then the best thing to do is to telework yourself, because now, all of a sudden, you can't see anybody," Kaczmarczyk said.
*******************************
Associated Press
Wrong E-Mail Tells People They Won Prize 
Tue Apr 29,12:34 AM ET

BATTLE CREEK, Mich. - Kellogg Co. said a computer glitch involving its American Airlines online sweepstakes resulted in several thousand people being informed erroneously by e-mail that they had won a grand prize of 25,000 of the airline's frequent-flier miles.


American spokeswoman Laura Mayo said Monday that all were customers who take part in the AAdvantage loyalty program. They received the erroneous notification sometime over the weekend, she said. 


The Kellogg's-American Airlines 25,000 Miles-a-Day Sweepstakes started April 7 and continues through June 5. Only 60 grand prizes -- one per day -- were supposed to be awarded. Each grand prize has a retail value of $700.


Kellogg spokeswoman Christine Ervin said the glitch was corrected and the contest is continuing.


As a goodwill gesture, Kellogg will issue credits for 500 AAdvantage miles to each household that received the erroneous message, she said.
*******************************
Federal Computer Week
DFAS officials rethink outsourcing deal
BY Matthew French 
April 28, 2003

Defense Finance and Accounting Service officials are re-evaluating a 2-year-old outsourcing contract after an audit determined the work could have been performed more efficiently in-house.

DFAS officials awarded a contract, potentially worth $346 million over 10 years, to Affiliated Computer Services Inc. (ACS) to process monthly payments for retirees and spouses of deceased retirees. The contract was awarded after a public/private competition and affected 650 jobs held by DFAS employees.

A Defense Department inspector general report released March 21 found that DFAS overestimated what it would have cost the government to perform the work.

According to the IG report, "a calculation error" made the in-house estimate appear $31.8 million higher than it should have. An independent consultant hired by DOD to evaluate the contracts miscalculated personnel costs and improperly adjusted for inflation. The contract was awarded to ACS based on the perception that the vendor's proposal would cost $1.9 million less. 

DFAS officials argue that employees and retirees both benefited in the long run from the contract. "In the first year of operation, America's military retirees and annuitants indicated that their customer satisfaction improved, according to a customer service survey independently conducted by the Office of Personnel Management," said DFAS spokesman Bryan Hubbard. "Also in the first year of operation, DFAS also spent about $5 million less than anticipated in the cost comparison on our contract with Affiliated Computer Services."

Hubbard said everyone from the Cleveland facility who was displaced either accepted an early retirement package, went to work for ACS, or both.

Stan Soloway, president of the Professional Services Council, said the IG's report was "incomplete and inadequate" and that the numbers have been correct all along. He said the consultant who evaluated the two bids acted properly by factoring in wage increases for federal workers' bid, but not for ACS' bid.

"This was a fixed-price, fixed-labor-rate bid that ACS submitted," Soloway said. "At no time are the employees from ACS entitled to wage increases for work performed on this contract. But the government does increase its workers' wages every year. So whether by intent or default, they did get the number right."

Lesley Pool, a spokeswoman for ACS, said the company is happy with the level of service it has provided to DFAS and expects to remain on the contract.

The IG report urges DFAS to reevaluate the award to see if the situation can be rectified or if it can save money by bringing the process back in-house.

DFAS officials have said they will evaluate "all available options and will be conducting an independent analysis."
*******************************
Federal Computer Week
Privacy laws may not cover key systems 
BY Diane Frank 
April 28, 2003

Information systems that search private data, including the controversial Total Information Awareness (TIA) program, may not be covered under privacy laws, experts inside and outside government said last week.

The Office of Management and Budget is developing guidance to instruct agencies on how to carry out laws designed to protect Americans' privacy.

The E-Government Act of 2002 includes the first major revisions to federal information privacy mandates since the Privacy Act of 1974, which limits federal collection and use of personal information. One change under the E-Government Act requires all new federal systems used for agency-conducted information collection activities to undergo a thorough assessment of how those systems address privacy protection.

But those requirements only apply to information held in databases operated by federal agencies, while more agencies are proposing to tap into private-sector sources for information and analysis, particularly for homeland security. For example, the proposed TIA system, a Defense Advanced Research Projects Agency pilot program, would sift through individual financial data -- for example, information held in databases operated by private banks -- to find anomalies that could point to possible terrorist activity.

Resolving the issue of whether agencies can search private data will be the real test for the guidance that OMB is now developing to help agencies follow the new privacy mandates, said Peter Swire, a law professor at Ohio State University and chief privacy counselor at OMB under the Clinton administration.

The OMB guidance will address areas such as how to conduct an assessment, how to circulate an agency's privacy policies and how to secure the information collected. But Swire said the protocol should also address the government's use of private-sector systems and databases, where there is no real precedent. "It seems to me that's where the action is and there ought to be guidance," he said.

Increasingly, agencies have hired contractors to run federal systems, complicating whether those systems fall under the privacy provisions of the E-Government Act, said Ari Schwartz, associate director for the Center for Democracy and Technology.

The courts decided that the 1974 Privacy Act applies only to the collection of information on behalf of an agency, said Franklin Reeder, chairman of the National Computer Systems Security and Privacy Advisory Board, which advises both OMB and the National Institute of Standards and Technology.

The courts, however, have also ruled in the past that the act does not apply to agency use of private databases, which is the controversy with many current systems, Reeder said.

The E-Government Act explicitly states that the privacy policies apply to systems that are developed or bought by federal agencies. OMB still intends to address the subject in its guidance, said Dan Chenok, branch chief for information policy and technology at the agency.
*******************************
Federal Computer Week
Navy shoots down report on HR system
BY Matthew French 
April 28, 2003

Navy officials are refuting a Defense Department inspector general's report that recommends the service stop developing its own $470 million human resources system and make plans to move to a DOD-wide system, which is currently under development.

The March 2003 report said the Navy should halt development of its Navy Standard Integrated Personnel System (NSIPS) and support a more comprehensive, DOD-wide system -- the Defense Integrated Military Human Resources System (DIMHRS), slated to be online by the end of fiscal 2005.

Navy Capt. Peggy Feldmann, the Navy's NSIPS program manager, said that the Navy disagrees with the IG's recommendation and that its system will provide essential Navy applications that eventually can be included in DIMHRS. 

The Navy "requires further development of functionality [that] will not be included in DIMHRS, [such as] in-service record maintenance, training record inputs and additional interfaces," Feldmann said. "Thus, the department must address these Navy unique applications that are not accommodated under the DIMHRS program."

The Navy has been developing NSIPS since 1995. It is designed to be an interim human resources system bridging four Navy legacy HR systems with DIMHRS.

But the program's cost in the past eight years -- and additional anticipated expenses until the Navy makes the transition to DIMHRS -- does not warrant further development of the program, according to the IG report.

"By the time the Navy system reaches full operating capability in the second quarter of fiscal 2003, the Navy will have spent $265 million on development," according to the report. "Further, the Navy intends to spend an additional $201.8 million on the system after it reaches full operating capability."

Navy officials say NSIPS will smooth the transition to DIMHRS, rather than the service simply eliminating legacy applications and being thrust into the new HR system.

Feldmann argued that NSIPS predates DIMHRS and is already being used by nearly 500,000 sailors and officers ashore and at sea.

"The Defense Science Board Task Force that recommended DIMHRS also recommended that the Navy continue pursuing development and deployment of NSIPS," she said. "It has been used extensively for the mobilization and demobilization of reserves since Sept. 11, 2001."

DIMHRS is "the foundation for cleansing the Navy's personnel and pay data."

Lockheed Martin Corp., the lead systems integrator on the NSIPS project, deferred all questions regarding the report to the Navy. PeopleSoft Inc., which provided the software on which both the NSIPS and DIMHRS applications are built, said the Navy's decision to go forward with PeopleSoft's applications was intended to resolve issues that would later arise with legacy applications.

"Clearly the Navy purchased our software to improve their operations, efficiencies and cost," said Steve Swasey, a PeopleSoft spokesman. "They were running disparate systems, and our software will help them consolidate."

Feldmann said PeopleSoft has helped the Navy get ahead of the game by providing clean, authoritative personnel and pay data.

"No matter how good the system is, if the data is bad, there will be problems," Feldmann said.

The Navy is using PeopleSoft 8, the same version as DIMHRS, and officials say that doing so will better align the service with DIMHRS' eventual deployment. 

The goal of NSIPS is to move the Navy from paper to electronic records, putting personnel and pay documents into a format accessible via a portal on the service's intranet. The current version of NSIPS is based on a client-server model, with field-level servers that connect to Navy and DOD servers at several locations. The Web-enabled version is nearly finished, but the completion date for the entire system remains unclear.
*******************************
Federal Computer Week
DOD urged to share outsourcing lessons
BY Dan Caterinicchia 
April 28, 2003  

The Defense Department is doing a good job of applying commercial best practices to its information technology outsourcing programs, but DOD must improve the process of sharing and using those lessons learned, according to a General Accounting Office report.

In the report, "Information Technology: DOD Needs to Leverage Lessons Learned from its Outsourcing Projects," GAO noted that if DOD could capture how it applied industry best practices to outsourcing projects, the information could help similar projects in other agencies.

"Although currently there is no such DOD-wide mechanism, such as an electronic tool, to easily share and leverage lessons learned, DOD IT and acquisition officials agreed that a departmentwide effort to identify, capture and disseminate lessons learned could offer valuable insights and new ideas that would benefit others," according to the report, which was released April 25. 

The report reviewed five projects that used various solicitation methods, including holding a public/private competition and carrying out a negotiated competitive procurement.

Among the five projects, the types of services being outsourced varied from help-desk services to enterprisewide information services. The contract terms covered a span of five to 15 years, and estimated contract values ranged from $23 million to $8.8 billion. 

GAO acknowledged that developing a lessons learned mechanism would not be easy and said senior management support and resources are keys to success. "Without such support driving the capture and dissemination of lessons learned, DOD is losing an opportunity for wider application of leading practices and thus better ensuring that its IT outsourcing efforts are successful."

The report made two recommendations, calling for the undersecretary of Defense for acquisition, technology, and logistics, in conjunction with the assistant secretary of Defense for command, control, communications and intelligence, to:

* Provide management support and adequate resources to implement an electronic tool to capture and disseminate lessons learned from IT outsourcing projects. 

* Ensure that the method used to gather information for the electronic tool incorporates the main elements of a lessons-learned process -- namely, collection, verification, storage and dissemination.

DOD officials received a draft copy of the report last month, and Margaret Myers, DOD's deputy assistant chief information officer, responded to the recommendations in an April 8 letter. Myers agreed that capturing IT outsourcing lessons learned is important to continued success in DOD programs, but said that picking a specific method to do that is premature.

"Before the department commits to a specific means of provision, we intend to explore a variety of mechanisms by which we can exploit lessons learned in IT outsourcing initiatives," Myers' letter said.
*******************************
Federal Computer Week
Boot camp-style training catches on
But participants say it's not for everyone
BY Michael Hardy 
April 21, 2003

They don't yell "ten hut!" at Intense School, but they might as well. The training center, based in Fort Lauderdale, Fla., specializes in immersive training methods for information technology professionals. In a bid to catch more federal business, the school is one of several taking the "boot camp" approach.

The 5-year-old school opened a branch in Washington, D.C., about 18 months ago to serve federal agencies and private-sector customers, said Ron Rubens, the school's chief financial officer and chief operating officer, who was at the FOSE conference in Washington, D.C., two weeks ago. Since then, federal business has begun to grow.

"We're in the security space, and the government's spending money on security," he said. "A large part of our business comes from repeat and referral business. The boot camps have been frowned on in the past, but they're more accepted today."

The government accounts for less than 20 percent of Intense School's business, but Rubens expects that to increase. The firm has trained staff from the Energy and Defense departments and the National Security Agency, he said. He is counting on homeland security and infrastructure protection to send more federal business his way. 

Intense School offers a variety of training courses (see box). The Bethesda, Md.-based SANS Institute is Intense School's strongest competitor, Rubens said.

About 20 percent of students at SANS courses come from the federal government, according to a SANS spokeswoman. "SANS has always worked closely with federal agencies and recently has been facilitating the enrollment and payment process, which should make it easier for federal employees to take SANS training and is likely to increase the percentage of federal students," she said.

Earlier this month, a D.C.-area security firm called TruSecure Corp. announced that Intense School is one of the partners approved to train students for the company's TruSecure ICSA (TICSA) Certified Security Associate certification.

Although most of the schools on the TICSA partner list don't use the boot camp approach, TruSecure chief technology officer Peter Tippett said the method is effective and increasingly common.

"I've been a pilot for 35 years, and in flying, these same two techniques are used. The data shows the training is just as good if it comes immersive as if it comes slow," he said. 

TICSA covers basic IT security skills and therefore doesn't require detailed specialized training, Tippett said. "The idea of getting certified under TICSA is we want to make sure people who manage e-mail or Web sites or [local-area networks] know enough about security to do a good job," he said.

Many training courses offer daylong seminars or short conferences intended to help IT professionals learn more about specific aspects of their field, he said. Immersive training is more structured and comprehensive than most conferences, but the concepts are related.

"I think it is going to become more common," he said. "We've moved to a world of fast-food cooking. In terms of live training, these intense things are going to be the norm."

Immersive training is most suitable for IT professionals who already have some experience in the area they're training for, said Tom Madden, chief information security officer at the Centers for Disease Control and Prevention in Atlanta.

He has taken courses at both Intense School and the SANS Institute and recently sent 15 staff members to Intense School's six-day Certified Information Systems Security Professional (CISSP) training. The courses are good for refreshing students' knowledge but not for teaching them something new, he said. 

"If you come to the table with the basic knowledge, it's an effective tool to get the basics drilled down," he said. "You get refreshed on the things you take the test on. On the other hand, I think there are people who use it as a sole source of knowledge, and I think that cheapens the certifications. I don't think the information is long-lasting."

Madden said that in the courses he has taken, he found that he retained more information than he realized, so that when that information came up later in a conversation or another training course, it was familiar.

"If you're not at least fundamentally rounded, it's the wrong way to get the knowledge," he said. "What I had to do was focus 15 years of knowledge into what the exam was going to cover. It was good for that. If you're trying to take Joe off the street and make him a security expert through an immersive training, I don't think that's smart."

Fourteen of the 15 staff members Madden sent to Intense School passed the CISSP exam, he said. 

However, professionals who sign up for the boot camp shouldn't expect to enjoy the experience, he cautioned. 

"It is not a fun way to spend a few days," he said. "I've never had a great time at a SANS course or at the Intense School. You go home with homework and a headache."

***

At a glance

Intense School's boot camps are more appropriate for experienced students. The school offers accelerated training courses, teaching subjects such as computer forensics in three days, Microsoft Certified Database Administrator in 14 days and Cisco Certified Security Professional in 12 days.

For students who can't attend classes in person, the school offers several virtual boot camps, including the Virtual Cisco Certified Network Associate program. This online program consists of eight hours of lecture Saturdays and Sundays for two weekends that students take from home. Students will have access to Cisco Systems Inc. routers and switches throughout the course.
*******************************
Government Computer News
04/29/03 
Homeland Security will accept electronic signatures 
By Wilson P. Dizard III 

The Homeland Security Department's Bureau of Immigration and Customs Enforcement today issued an interim final rule clearing the way for applicants to submit electronic signatures on immigration benefit documents.

Last week, the BICE unveiled plans to begin accepting two immigration forms online, and today's action is part of the bureau's plan to convert more immigration forms to online transactions.

The Interim Final Rule signed by HSD secretary Tom Ridge does not require that applicants use electronic signatures. BICE said in its Federal Register notice announcing the rule that the electronic signature regulation will help the department comply with the Government Paperwork Elimination Act. 

The regulation does not specify what technology BICE will adopt to accept electronic signatures. It does state that BICE clients will receive confirmation numbers electronically to acknowledge that the bureau has received the online documents. 

The bureau said that it does not have the technology to implement online signatures yet, but will begin to deploy it in fiscal 2004.
*******************************
Government Computer News
04/29/03 

Auburn IT prof says true interoperability is in system design 

By Dawn S. Onley 
GCN Staff

SALT LAKE CITY -- The reasons top brass still struggles with interoperability in Defense Department communications systems are many: too many organizations designing command and control systems, too many systems, and a missing software architecture, said an associate professor at Auburn University.

True interoperability is defined through software, said J.A. "Drew" Hamilton Jr., director of the Information Assurance Laboratory and associate professor of computer science and software engineering at Auburn. 

What is desperately needed is requirements engineering, which will ensure systems are designed and built to be interoperable, Hamilton said. This can best be achieved through prototyping and simulation, he added. Hamilton defined software architecture as the "high-level design developed from the requirements." 

"We have to design software to be interoperable," Hamilton said yesterday during the 15th annual Software Technology Conference in Salt Lake City. "If you are serious about network-centric warfare, you have to be serious about interoperability." 

Only a few interoperability problems in fielded systems can be solved, Hamilton said. Successful joint interoperability lies in future system design. 

Hamilton is retired from the Army where he served as the first director of the Joint Forces Program Office and on the staff and faculty of the U.S. Military Academy. 

"The further down the stream you make changes, the more difficult [change] becomes," Hamilton said. "Prototyping lets a potential user know how software is going to work." 

Simulation can be used as a prototype, Hamilton said. "It gives a better feel for whether the system being proposed can actually meet the requirements." 

Software is also the dominant means for developing interfaces between systems, Hamilton said. 

"You have to design for interoperability. It relies on the future system side because all we can do is patch," Hamilton said.
*******************************
Computerworld
N.Y. Sen. Schumer to introduce do-not-spam list legislation
By TODD R. WEISS 
APRIL 28, 2003

Spurred on by constituents angry about in-boxes full of spam, Sen. Charles Schumer, (D-N.Y.), plans to introduce new antispam legislation that would create a national "no e-mail" list similar to the recently enacted do-not-call lists aimed at curbing telemarketers.

In an announcement yesterday, Schumer said his proposal envisions the creation of a no-spam list under the authority of the U.S. Federal Trade Commission. Citizens could register their e-mail addresses for inclusion on the list, which commercial e-mail senders would be required to check before sending mass e-mails.

The proposal, expected to be introduced in the Senate by next week, would also require mandatory subject line identification of spam so recipients could quickly determine whether to look at messages or delete them if they make it into their in-boxes. The Schumer legislation will require all commercial mass e-mails and advertisements to have the letters "ADV" in the subject line, indicating that the messages contain commercial content. 

Other requirements will include full disclosure in e-mail headers and addresses, banning of false sender names, inclusion of working Unsubscribe mechanisms and a ban on automated e-mail address harvesting. 

Phil Singer, Schumer's communications director in Washington, said the proposed bill will address concerns from constituents and the general public in dealing with a growing problem. "It's becoming an increasingly bigger issue in the industry." 

This is believed to be the first time that antispam legislation has been pursued that will model the do-not-call laws designed to protect consumers from telemarketing calls in the last year, Singer said. 

Two other senators, Conrad Burns, (R-Mont.), and Ron Wyden, (D-Ore.), earlier this month reintroduced the CAN-SPAM bill, which would require all unsolicited marketing e-mail to have a valid return e-mail address so recipients can easily ask to be removed from mass e-mail lists. Marketers would also be prohibited under that bill from sending any further messages to a consumer who has asked them to stop. The CAN-SPAM bill -- or the Controlling the Assault of Non-Solicited Pornography and Marketing Act -- has been introduced in Congress before but has not been passed into law. 

The Schumer bill would enact stiff civil and criminal penalties, including prison time of up to two years for severe repeat offenders. About $75 million would be set aside for the creation of the system as well as for the FTC registry and enforcement. 

Schumer issued a separate report outlining the widespread problems of unwanted spam.

According to Schumer, a new study found that New York City residents receive 8.25 million junk e-mails a day and spend 4.2 million hours a year eliminating spam messages. 

"Spam is not just a little nuisance, it's an epidemic, and getting rid of it is not as simple as hitting the delete button," he said in a statement. "Spam costs New Yorkers millions of dollars per year and hurts businesses large and small. As more and more communication is done through e-mail, the cost of spam is only going to grow and grow. My plan blocks spam at the source and for the first time imposes serious penalties for the people and companies that send it. 

"I have two daughters - including one still in junior high school - who use e-mail every day for school and to talk to their friends," Schumer said. "Some of the unsolicited messages they get are selling products or services that are appalling and utterly inappropriate for young women their age, and like most parents I want to protect them from this." 
*******************************
USA Today
Dollars and lives: The costs of shoddy software
April 28, 2003

NEW YORK (AP) -- When his dishwasher acts up and won't stop beeping, Jeff Seigle turns it off and then on, just as he does when his computer crashes. Same with the exercise machines at his gym and his CD player. 

"Now I think of resetting appliances, not just computers," says Seigle, a software developer in Vienna, Va. 

Malfunctions caused by bizarre and frustrating glitches are becoming harder and harder to escape now that software controls everything from stoves to cell phones, trains, cars and power plants. 

Yet computer code could be a lot more reliable -- if only the industry were more willing to make it so, experts say. And many believe it would help if software makers were held accountable for sloppy programming. 

Bad code can be more than costly. Sometimes its repercussions can be quite serious: 

A poorly programmed ground-based altitude warning system was partly responsible for the 1997 Korean Air crash in Guam that killed 228 people. 
Faulty software in anti-lock brakes forced the recall of 39,000 trucks and tractors and 6,000 school buses in 2000. 
The $165 million Mars Polar Lander probe was destroyed in its final descent to the planet in 1999, probably because its software shut the engines off 100 feet above the surface. 

Of course, more deaths are caused by human error than by bad software, and modern society would be unthinkable without Web servers, word processors and autopilot. 

But software's usefulness means people tolerate it even when quality is not the best. 

Last year, a study commissioned by the National Institute of Standards and Technology found that software errors cost the U.S. economy about $59.5 billion annually, or about 0.6% of the gross domestic product. More than half the costs are borne by software users, the rest by developers and vendors. 

Most software is thrown together with insufficient testing, says Peter Neumann, principal scientist at SRI International's Computer Science Laboratory in Menlo Park, Calif. 

"The idea that we depend on something that's inherently untrustworthy is very frightening," he says. 

When Neumann's group worked with NASA on software for the space shuttle, developers were so careful about bugs that they produced just three lines of code per day, an unthinkable pace in an industry where a major application may have a million lines of code. 

Developers say defects stem from several sources: software complexity, commercial pressure to bring products out quickly, the industry's lack of liability for defects, and poor work methods. 

Programmers typically spend half their time writing code and the other half looking for errors and fixing them. 

That approach may have worked in the infancy of computers, when programs were small, says Watts Humphrey, former director of programming quality at IBM. But as demands on software balloon, the size of programs seems to double every year and a half -- just like microprocessor speeds, says Humphrey, now with Carnegie Mellon University's Software Engineering Institute. 

Most programs in testing have five to 10 defects per 1,000 lines of code, or up to 10,000 bugs in a million-line program. It would take 50 people a year to find all those bugs, Humphrey says. 

Consequently, Humphrey teaches engineers to plan and pay attention to details early, and reject aggressive deadlines. 

Echoing such ideas, Microsoft's Trustworthy Computing initiative held up coding for 10 weeks last year to teach employees to spend "more time in planning stages and thinking about quality," says Microsoft vice president S. Somasegar. 

Windows Server 2003, now being released, is the first software product affected by the initiative, Somasegar says. Its launch was delayed by a year. 

"It took a much longer time because we did the right thing on security and reliability," Somasegar says. "We hope our customers will see a huge improvement." 

Unfortunately, Microsoft customers won't know how well the software works until they've tried it. That's something the Sustainable Computing Consortium wants to remedy. 

The problem, says consortium director Bill Guttman, is that unlike other engineers, programmers have no way of measuring the reliability of their designs. 

"It always takes us by surprise when the rocket blows up or the ATM goes down," Guttman says. 

The consortium wants to create automated tools that analyze software and rate its reliability. 

But others say bugs would be greatly reduced if software makers were held legally responsible for defects. 

"Software is being treated in a way that no other consumer products are," said Barbara Simons, former president of the Association for Computing Machinery. "We all know that you can't produce 100% bug-free software. But to go to the other extreme and say that software makers should have no liability whatsoever strikes me as absurd." 

Software developers are hard to sue for shoddy products because regulators have been afraid to rein in what was, for a long time, the nation's fastest-growing industry, said Cem Kaner, a professor of software engineering at the Florida Institute of Technology. 

Microsoft contends that setting standards could stifle innovation, and the cost of litigation and damages could mean more expensive software. 

But Kaner favors making companies liable only for bugs not disclosed to customers, and for limited damages. 

"If we are not going to make manufacturers stand behind their products, we could at least force them to give enough info to make appropriate buying choices," Kaner says. 

If software makers haven't done the best job, consumers are hardly blameless. We have long favored flashy products over reliable ones. 

"That's what we pay for," Guttman says. "We say: 'Give me the phone that takes the picture. Don't give me wireless security!' " 
*******************************
USA Today
A dearth of dollars for technology has many police in the dark
April 28, 2003

HARTFORD, Conn. (AP) -- Madison Police Chief Paul D. Jakubson sees a not-too-distant future in which police officers can look up a suspect's criminal, prison and driving records, review his court attendance and restraining orders, and find out whether he is a registered sex offender or a resident alien. All from the side of the road, and all with the touch of a button. The technology exists, and officers say it's the future of law enforcement. But it's not cheap, and despite all the talk of homeland security, the technology grants that traditionally paid for such upgrades are harder to come by.

"It all costs money," Jakubson said last week as police chiefs from around the state toured an exhibition hall full of the latest in police technology. 

Jakubson, the Connecticut Police Chiefs Association's technology guru, said only a handful of departments will be able to spring for upgrades this year: those lucky enough to have found grant money, and those who can justify replacing old equipment. 

In the next 18 months, the state will institute two major technology programs that will both change the face of policing and force many departments to find money for new technology. 

The first will come in September, when the state's $10 million Offender Based Tracking System goes online. The second is the Automated Fingerprint Identification System, a complete overhaul of the current program that is expected to be operational sometime next year. 

The tracking system will connect every state judicial agency, giving police, prosecutors, probation officers and judges immediate access to everything in a person's criminal record. 

That's how the system should be working now, and police say most people probably believe officers already have that kind of information at their fingertips. 

"They don't," said Enfield Deputy Chief Raymond Bouchard, whose department is one of several participating in an OBTS pilot program. "That's the reality of it. We're just now getting there. The software is just beginning to equal the hardware." 

There is no clearinghouse for state criminal data. Individual agencies have their own databases stored on their own computer systems. Some are compatible. Some are not. 

A traditional background check falls short in many areas. Officers are not alerted if a driver is a registered sex offender prohibited from having a child passenger. A traffic stop usually will not reveal a restraining order, even if the driver is pulled over across from the house he has been ordered to stay away from. 

"The data is generally out there," said Jim McGavin of Sierra Systems, a state contractor working on the new system. "But there's not any one way to go and get it." 

That will all change in September, with the $6 million version of OBTS. An additional $4 million in upgrades will follow. 

"I think that finally, where people have thought we were, we will be," Bouchard said. 

Departments will not be charged for the system upgrade, but only those with mobile computers in their cruisers will have roadside access to the network as it expands. Buying them is up to towns. 

Federal grants for technology upgrades were commonplace in the 1990s, when Enfield began buying its laptops. Now, such grants are drying up. 

"The homeland security money right now is being kept at the state level," said Jakubson, the Madison chief who has equipped about half his fleet with laptops. 

The fingerprint system in most booking rooms still relies on ink. If officers want a criminal history based on fingerprints, they mail the card to the state police. A few days later, they get the results back. 

By that time, the suspect is usually long gone. 

When the new AFIS system is released, departments will get that data in real time. And it won't be limited to state information; FBI fingerprint records will be available, too. 

Such convenience comes at a cost. The $2 ink pads will be history, replaced by electronic fingerprint scanners that cost between $30,000 and $60,000. 

Some cities, the ones that generate the most arrests, already have state-funded machines. But many departments will have to find the equivalent of one officer's salary to buy their own machines. 

"It's a substantial cost," said Bouchard, who said his department is fortunate because it received a scanner from the state. "And the grants just aren't there like they used to be." 

State Police Sgt. Dan Fialla, who is part of the effort to overhaul the fingerprint system, said the state is looking for a vendor to provide the technology. Once the funding for the $5 million to $10 million project is lined up, he said, the arduous task of scanning every town's fingerprint cards begins. 

Police are counting on the technology paying off. 

"Right now, it's days at best," Fialla said. "We're talking minutes. Being able to positively identify the person you have in custody is a big advantage."
*******************************
Los Angeles Times
Orange County Might Go High-Tech on Election Day
Supervisors are to decide today whether to buy electronic voting devices. Funds would come from federal and state coffers.
By Stuart Pfeifer
April 29, 2003

Voters in Orange County won't have to worry about dimpled, dented or hanging chads if the Board of Supervisors approves a contract today to buy thousands of electronic voting devices from a Texas company.

The board is considering a $26.1-million contract to install an electronic voting system before the primary election in March. The price includes 9,000 electronic voting tablets, training of poll workers and a public relations effort to familiarize voters with the system.

The move is a byproduct of the 2000 presidential election in which punch-card machines, similar to those used in Orange County, were blamed for thousands of disqualified ballots in Florida. 

Results of that election were on hold during 36 days of recounts and court battles that ended with the U.S. Supreme Court awarding the election to George W. Bush. At issue was what to do with thousands of ballots on which voters did not completely punch out the paper rectangles, or chads.

Orange County's interim registrar of voters, Steve Rodermund, said the new system will be easy to use and highly accurate. He said the entire cost will be absorbed by state and federal funds. In October, President Bush signed the "Help America Vote Act," which allocated $3.9 billion to upgrade voting equipment throughout the country. Orange County expects to receive $10 million, plus an additional $16 million in state funds. 

Some officials question whether a purely electronic system is safe, considering the finicky nature of computers.

California Secretary of State Kevin Shelley has assembled a task force to study the security of electronic voting systems. One issue being discussed is whether the state will require electronic voting systems to produce paper receipts for elections officials, a safety net in case the computer systems fail. 

Orange County officials selected a voting system manufactured by Hart InterCivic Inc. of Austin, Texas, whose biggest customer to date has been Harris County, Texas, which includes the city of Houston. The equipment Orange County hopes to buy can be modified -- at additional cost -- to produce paper receipts, Rodermund said. 

Harris County officials used the equipment in the November election and were pleased with the results, said John German, an elections administrator. "We've had an overwhelmingly positive response from the public," he said.

Rodermund spent much of the last week talking to Orange County supervisors about the new system. Although some remain concerned about the need for a paper trail, others say the county might be better off without it. Supervisor Bill Campbell said he believes the electronic memory is sufficient and that a paper record is not worth the cost, which he said could be $5 million or more.
*******************************
San Francisco Gate
U.S. has big spending plans for Silicon Valley 

The Bush administration's top technology official said Tuesday that Silicon Valley can expect more business opportunities with the federal government's push to build a more sophisticated tech infrastructure. 

Citing the administration's proposed $59 billion in information technology investments, Phillip Bond, undersecretary of commerce for technology, said Washington can become an important customer for the industry as it reels from the decline in corporate spending. 

"We need to engage those folks," Bond said in an interview. "A lot of people tend not to sell to the federal government because they had other healthy customers . . . (but) it's clear times are rough. . . . What we've told them is we need all the best companies regardless of size." 

Bond met Monday with executives from Silicon Valley companies such as Borland, Sybase and Salesforce.com. 

He said the Bush administration is focused on building a more efficient and secure IT system within the civilian federal government network as well as the military and security agencies. 

Bond also stressed the importance of cybersecurity, which he said must be viewed as a necessity by both government and the private sector. 

"It's critical for people to realize that it's not just an expense," he said. "Increases in security can also mean increases in productivity. We've got to make that case." 

Bond underscored the need for the technology and telecommunications industries to get back on their feet and for the United States to focus on the growing competition in new arenas, particularly nanotechnology. 

"All around the globe, we see countries getting serious about that," Bond said, citing the challenge from Japan and European countries. 
*******************************


From owner-technews@xxxxxxxxxxxxxxxxx Wed Mar  5 13:51:48 2003
Date:         Wed, 5 Mar 2003 13:31:47 -0500
Sender: ACM TechNews Early Alert Service <TECHNEWS@xxxxxxxxxxxxxxxxx>
From: technews <technews@xxxxxxxxxx>
Subject:      ACM TechNews - Wednesday, March 5, 2003
To: TECHNEWS@xxxxxxxxxxxxxxxxx

Dear ACM TechNews Subscriber:

Welcome to the March 5, 2003 edition of ACM TechNews,
providing timely information for IT professionals three times a
week.  For instructions on how to unsubscribe from this
service, please see below.

ACM's MemberNet is now online. For the latest on ACM
activities, member benefits, and industry issues,
visit http://www.acm.org/membernet

Remember to check out our hot new online essay and opinion
magazine, Ubiquity, at http://www.acm.org/ubiquity

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
ACM TechNews
Volume 5, Number 465
Date: March 5, 2003

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Site Sponsored by Hewlett Packard Company ( <http://www.hp.com> )
     HP is the premier source for computing services,
     products and solutions. Responding to customers' requirements
     for quality and reliability at aggressive prices, HP offers
     performance-packed products and comprehensive services.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Top Stories for Wednesday, March 5, 2003:
http://www.acm.org/technews/current/homepage.html

"Major Internet Vulnerability Discovered in E-Mail Protocol"
"Europe Hacker Laws Could Make Protest a Crime"
"Hello, Tech Designers? This Stuff Is Too Small"
"Keynoter Presents an Exercise in Imagination"
"Klez Won't Stop Making Net Rounds"
"Time for a New Internet Protocol?"
"New System Recovers and Reuses Electronic Wastes"
"Tangled Threesome Opens Door to Quantum Computer"
"Scientists Question Electronic Voting"
"Bush's Cyberstrategery"
"Cyber-Warfare: Latest Weapon in Military Arsenal"
"Quantum Computing Catches the Bus"
"Now Complete, Grid Computing Spec Is Proposed"
"Inching Toward Mobile IM"
"Serial SCSI Promises Faster I/O in Servers"
"Knotty Calculations"
"Taking a Look at TTS"

******************* News Stories ***********************

"Major Internet Vulnerability Discovered in E-Mail Protocol"
Fixing a major buffer overflow vulnerability in the
sendmail mail transfer agent (MTA) has been the goal
of intense, clandestine collaboration between the
Department of Homeland Security (DHS), the White ...
http://www.acm.org/technews/articles/2003-5/0305w.html#item1

"Europe Hacker Laws Could Make Protest a Crime"
The justice ministers of the European Union approved
legislation last week designed to prevent computer
hacking and the proliferation of computer viruses,
but legal experts warn that they could also legalize ...
http://www.acm.org/technews/articles/2003-5/0305w.html#item2

"Hello, Tech Designers? This Stuff Is Too Small"
As technology gadgets such as cell phones, PDAs, and
digital cameras continue shrinking in size, usability
complaints are growing in number and volume.
Technology designers such as Dennis Boyle of Ideo are ...
http://www.acm.org/technews/articles/2003-5/0305w.html#item3

"Keynoter Presents an Exercise in Imagination"
Philips Research Laboratories' science program
director Emile Aarts delivered a keynote speech at
the Design, Automation, and Test in Europe (DATE)
conference in Munich in which he reported on the ...
http://www.acm.org/technews/articles/2003-5/0305w.html#item4

"Klez Won't Stop Making Net Rounds"
The Klez email virus continues to linger some 11
months after it was first spotted, and it remains at
the top of most antivirus companies' threat lists.
SecurityFocus columnist George Smith says Klez's ...
http://www.acm.org/technews/articles/2003-5/0305w.html#item5

"Time for a New Internet Protocol?"
Internet Protocol version 6 (IPv6) offers significant
advantages over the current IPv4 standard, including
greater IP address space and end-to-end security and
configuration preferences that address ever-growing ...
http://www.acm.org/technews/articles/2003-5/0305w.html#item6

"New System Recovers and Reuses Electronic Wastes"
Researchers at the Georgia Institute of Technology
have developed a "reverse production" system in which
all the materials contained in electronic waste such
as discarded computers and monitors are reclaimed and ...
http://www.acm.org/technews/articles/2003-5/0305w.html#item7

"Tangled Threesome Opens Door to Quantum Computer"
Physicists at the University of Michigan on Tuesday
announced that they have successfully entangled three
electrons, which represents a significant step toward
the development of a quantum computer.  Professor ...
http://www.acm.org/technews/articles/2003-5/0305w.html#item8

"Scientists Question Electronic Voting"
A debate is brewing over whether Santa Clara County,
Calif., should make the transition to touch-screen
voting, or opt instead for a digital balloting
solution that leaves a paper trail to ensure the ...
http://www.acm.org/technews/articles/2003-5/0305w.html#item9

"Bush's Cyberstrategery"
Brendan Koerner writes that the White House's
National Strategy to Secure Cyberspace is overblown,
and its promotion by government IT experts only
serves to continue the practice of raising alarms on ...
http://www.acm.org/technews/articles/2003-5/0305w.html#item10

"Cyber-Warfare: Latest Weapon in Military Arsenal"
President Bush reportedly signed an order last July
for the government to concoct a cyber-warfare
strategy the military would use to aid battlefield
tactics and disrupt the enemy's communications ...
http://www.acm.org/technews/articles/2003-5/0305w.html#item11

"Quantum Computing Catches the Bus"
National Institute of Standards and Technology (NIST)
researchers have devised a way to more quickly and
accurately link components in future quantum
computers.  These links are analogous to the ...
http://www.acm.org/technews/articles/2003-5/0305w.html#item12

"Now Complete, Grid Computing Spec Is Proposed"
While actual implementations of grid standards are
few, many such protocols are being developed through
groups such as the Global Grid Forum.  Sun
Microsystems, Intel, and a host of other vendors ...
http://www.acm.org/technews/articles/2003-5/0305w.html#item13

"Inching Toward Mobile IM"
If mobile instant messaging is to become a killer
app, carriers' delivery systems must be compatible,
and a number of deals have been made to deploy IM
interoperability between mobile communications ...
http://www.acm.org/technews/articles/2003-5/0305w.html#item14

"Serial SCSI Promises Faster I/O in Servers"
The new serial SCSI specification is set for approval
by the second quarter of this year, according to the
International Committee for Information Technology
Standards' T10 technical committee.  Maxtor and ...
http://www.acm.org/technews/articles/2003-5/0305w.html#item15

"Knotty Calculations"
California Institute of Technology physicist Alexei
Kitaev and Microsoft Research mathematician Michael
Freedman proposed in a February paper that knot
theory can be used to close the gap between quantum ...
http://www.acm.org/technews/articles/2003-5/0305w.html#item16

"Taking a Look at TTS"
At the SpeechTEK 2002 conference, 10 vendors related
how well their text to speech (TTS) systems were able
to vocalize the following text sentence:  "From
Laurel Canyon Blvd., turn left onto Mulholland Dr.; ...
http://www.acm.org/technews/articles/2003-5/0305w.html#item17


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

-- To review Monday's issue, please visit
http://www.acm.org/technews/articles/2003-5/0303m.html

-- To visit the TechNews home page, point your browser to:
http://www.acm.org/technews/

-- To unsubscribe from the ACM TechNews Early Alert Service:
Please send a separate email to listserv@xxxxxxxxxxxxxxxxx
with the line

signoff technews

in the body of your message.

-- Please note that replying directly to this message does not
automatically unsubscribe you from the TechNews list.

-- To submit feedback about ACM TechNews, contact:
technews@xxxxxxxxxx

-- ACM may have a different email address on file for you,
so if you're unable to "unsubscribe" yourself, please direct
your request to: technews-request@xxxxxxx

We will remove your name from the TechNews list on
your behalf.

-- For help with technical problems, including problems with
leaving the list, please write to:  technews-request@xxxxxxx
