
Clips March 25, 2003




ARTICLES

Data Expert Is Cautious About Misuse of Information
Beacon Glitch May Have Led to Shootdown 
Planners tout weapons' high-tech precision but admit mistakes are made
Agencies work e-gov health standards
Accused Adviser's Web Operator Is Arraigned
Plan pulls Net into search for kids 
IRS Online Tax Filing Tops 2M Users 
U.S. EBay Seller Refuses Sales to Anti-War Countries  
Banks target terror funds [Australia]
Dunnington replaces Holcomb as NASA CIO 
Mailblocks antispam service promises end to spam
Fourth CERT document is leaked online
Justice Dept.: FBI database info no longer has to be accurate 


*******************************
New York Times
March 25, 2003
Data Expert Is Cautious About Misuse of Information
By STEVE LOHR

SCOTTSDALE, Ariz., March 24 -- As the government gears up its domestic security program, the chief executive of a venture capital firm founded by the Central Intelligence Agency warned today of the danger of amassing a large, unified database that would be available to government investigators -- as some technology executives have advocated.

"I think it's very dangerous to give the government total access," said Gilman Louie, chief executive of In-Q-Tel, a venture fund established by the C.I.A. in 1999.

Besides, the real lesson learned from the Sept. 11 terrorist attacks, Mr. Louie said, was that the intelligence failure was not so much that the government had too little information but that the information held by different government agencies was not linked, shared and analyzed.

It is already clear that a part of the vast amounts of personal and commercial data housed in government and corporations will increasingly be used in terrorist-related government investigations. But there is a vigorous debate over what data should be collected and how it should be used to balance the interests of national security with personal privacy and individual freedom.

Speaking at the PC Forum, an annual gathering of corporate technology executives, entrepreneurs and venture capitalists, Mr. Louie said there were two different paths being pursued toward data surveillance by the government.

First, there is what he termed the "data mining or profiling" approach. This involves collecting large amounts of data -- like credit card and air travel information -- and then sorting the data by names, buying habits or travel plans looking for patterns.

The data mining approach, Mr. Louie said, results in the "watch lists" used by law enforcement authorities. If used as the main tool of surveillance, the data mining approach is too blunt an instrument, in Mr. Louie's view, and one likely to needlessly undermine individual freedom. "The policy has not been defined for how you get on or off these watch lists," he said.

Mr. Louie said that he had friends who after the terrorist attacks have been interrogated at length and sometimes missed flights because they matched certain characteristics that put them on a watch list. "They have Arabic names," he said, "they are naturalized citizens and because they are investment bankers they buy one-way tickets."

The second way to use database technology to detect threats is what he called the data analysis approach. The alternative, which Mr. Louie supports, starts with some kind of investigative lead and then uses software tools to scan for links between a person under investigation and known terrorists, in terms of where they live, recent travel and other behavior.

Las Vegas casinos, for example, use data analysis software called NORA, for Non-Obvious Relationship Awareness, for tracking threats to their business -- links between some patrons and sometimes employees with money launderers, known card counters and individuals with criminal records. The company that developed the NORA software, Systems Research and Development, is one of the companies in which In-Q-Tel has invested.

Data mining, Mr. Louie said, can play a useful role. But he argues that relying on data mining as the principal way to use database technology in fighting terrorism would be a mistake. "This is an ongoing argument," Mr. Louie said, "a big debate right now in government."

In-Q-Tel was established by the C.I.A., in an effort to inject new thinking and technology into the agency. The agency's handling of information had been shaped by the cold war concerns of big power confrontations where the weapons were tanks and missiles, and the security risks tended to be spies and moles.

Information, noted Mr. Louie, a former computer game designer and software executive, was kept in separate database silos so it would not leak or any leak could be quickly contained. Speed of information flow across databases was not a priority.

Yet in a world of quickly shifting terrorist threats, Mr. Louie said, "the agency realized that this stove-piping of information was a security model that was really vulnerable."

Today, In-Q-Tel has invested in 25 companies. At the same time, the Defense Department's advanced research projects agency, or Darpa, and the government's National Imagery and Mapping Agency, or Nima, have also supplied financing to In-Q-Tel for specific programs. 

Before Sept. 11, Mr. Louie said, In-Q-Tel was seen within government as an intriguing experiment. "Now, this isn't an experiment," he said. "This is a necessity."
*******************************
Associated Press
Beacon Glitch May Have Led to Shootdown 
Tue Mar 25, 3:42 AM ET
By JIM KRANE, AP Technology Writer 

Problems with an electronic identifying beacon on a British Tornado fighter may have led a U.S. air defense crew in Kuwait to shoot down the plane by mistake.

The U.S. Patriot 3 missile battery seems to have identified the Tornado, which was returning Sunday to Ali al-Salem air base in Kuwait, as hostile.


It was unclear whether the Patriot's radar identified the fighter as an aircraft or mistook it for an incoming missile, which travels far faster. 


The shootdown may be linked to a malfunctioning electronic "identify friend or foe," or IFF, beacon, an encrypted signal that is supposed to tell air defenses the Tornado is an allied aircraft.


Defense Secretary Donald Rumsfeld suggested as much on Sunday, without providing details. Other U.S. military officials said they couldn't discuss the incident because it was still under investigation. 


The downing was the first confirmed "friendly fire" death in the U.S.-led war on Iraq.


Otherwise, Patriot missile defense batteries have performed well in this war, downing some half-dozen incoming Iraqi ballistic missiles as of Monday night. The Patriot batteries failed to stop dozens of Iraqi missiles during the 1991 Gulf War.


The failure of the IFF system could have resulted from an incompatible beacon on the British plane whose signal wasn't recognized -- or able to be decrypted -- by the radar on the U.S. missile battery in Kuwait, analysts said. Or the plane's transponder could have been broken or switched off.


"This is precisely the type of thing that can happen in crowded airspace with a multinational coalition," said Clark Murdock, a former Air Force planner now with the Center for Strategic and International Studies in Washington. 


Several coalition radar systems blanket airspace over Iraq and neighboring countries. The Air Force scans Iraqi airspace with AWACS planes as well as the Pentagon's satellites, which monitor the globe for telltale heat emissions from ballistic missiles.


And the Navy has more than a dozen destroyers and cruisers in the Persian Gulf and Mediterranean Sea carrying Aegis radar, which is sensitive enough to track birds, said Lt. Garrett Kasper, a Navy spokesman with the 5th Fleet in Bahrain. 


It is unclear whether the British jet may have been correctly identified as a coalition aircraft on other radars in the region. 
*******************************
New York Times
Planners tout weapons' high-tech precision but admit mistakes are made.
By Kim Murphy and Alan C. Miller
March 25, 2003

RIYADH, Saudi Arabia -- In a squat aluminum building deep in the desert, U.S. Air Force Col. Doug Erlenbusch oversees a team of men and women who recommend the targets to be bombed in Baghdad, more than 650 miles away.

Erlenbusch and his crew at the $45-million Combined Air Operations Center weigh which houses and office buildings in the Iraqi capital belonging to Saddam Hussein's leadership will be turned to rubble and, consequently, who lives and who dies.

The staff of the 28,400-square-foot air combat nerve center is guided by artificial eyes: more than 3,000 computers, bristling nests of antennas, walls of huge video screens, satellite links and 128,000 feet of high-speed-data cable.

Most of the thousands of pounds of munitions that have fallen on Baghdad since Thursday have hit their targets.

But Pentagon officials warn that even the highest-tech targeting, in a war that already has involved more than 6,000 combat missions, will occasionally go wrong -- and the wrong people will die.

"Sooner or later, it's close to inevitable you're going to hit something with serious collateral damage when you drop this many guided weapons," said Franklin C. "Chuck" Spinney, a tactical air analyst at the Pentagon.

Iraq says at least three civilians have been killed and hundreds injured in the airstrikes on Baghdad.

Commanders of the U.S.-led forces face a daunting challenge in targeting Baghdad, a city of nearly 5 million people.

They seek to inflict enough damage to compel the most entrenched Iraqi forces to surrender while avoiding civilian casualties, which would inflame antiwar sentiment at home and anti-Americanism abroad.

Erlenbusch says the media images of the bombing of Baghdad in the opening hours of the air war provided the world with barely a hint of the size of the attack. "You have no idea of the vastness of that attack," he said. "Looking out of the window of a hotel is like looking through a soda straw."

The targets hit in the opening days of the war have been in Pentagon planners' sights for years. Since the conclusion of the 1991 Gulf War, Iraq has remained a potential theater of operations for U.S. military planners, and specific bombing sites have been identified, analyzed, measured and mapped.

"We already knew where the Iraqi military headquarters were. It wasn't a pull-it-out-of-the-seat-of-your-pants thing," said Erlenbusch, a 1979 graduate of Cal State Fullerton and a former fighter pilot who commands the 609th Combat Plan Squadron.

Erlenbusch reports to Lt. Gen. T. Michael Moseley, commander of U.S. Central Command Air Forces, who is running the air war from his "battle cab" on the second floor of the air operations center. From their perch, senior officers look out a glass window to the hubbub and flashing electronic screens of the operations floor below.

Erlenbusch and his Guidance Apportionment and Targeting Team arrived at the air operations center in February with a full set of potential targets that they then had to analyze: Were they still legitimate targets? How close were they to civilian structures? What was the minimum level of explosive necessary to destroy them? Could the U.S.-led forces afford to cripple them, rather than destroy them? How would the necessary tankers, airlift, transport and support planes be factored into the battle plan on a minute-by-minute basis?

"The humanitarian piece, the collateral damage piece, I think it would probably blow the minds of a lot of folks to think how much time and effort goes into minimizing the weaponeering," Erlenbusch said.

The team has worked seven days a week, 12 to 15 hours a day to refine targets, along with the weapons, aircraft and, in some cases, the flight paths necessary to take them out.

Air Force officials have declined to discuss their techniques to avoid schools, homes and hospitals that may be near intended targets, but one key aspect is a computer program. The process begins with precise coordinates of the proposed target -- beamed electronically to the air operations center from surveillance aircraft, unmanned aircraft, ground observers or other intelligence.

The program produces a "weaponeering solution," which calculates the precise effects likely to occur on the target and surrounding properties, depending on what kind of explosive is used.

Navy Lt. Cmdr. Jeff Hubert said planners calculate the expected radius of the bomb blast and then make sure an area up to 10 times larger is clear of civilians. New technology also helps protect noncombatants.

"One of the primary things you need to remember, I was over here in '91, and the generation of weapons that has evolved since '91 is a magnitude of accuracy higher," said Navy Capt. Russ Penniman, who is Erlenbusch's night-shift counterpart in combat planning.

To reduce problems in case the bomb falls long or short of the target, planners sometimes specify which angle bombers must use.

"That's not to say there's not going to be accidents, there's not going to be a car driving by or a weapon that doesn't guide, but those accidents are a part of war," Erlenbusch said.

Once the target team comes up with a set of proposals, they go to another team to develop the master attack plan.

Starting with Moseley's overall strategy for the day, the teams look at which aircraft are available and then develop a plan.

Sometimes, the best-laid plans have to be set aside for a sudden opportunity.

On the eve of the start of the air war, target planners got wind that Hussein might be at a presidential compound in Baghdad -- which forced the operations center team to rapidly process targeting information and assign aircraft.

"That was intelligence that gave us the ability to strike at that target. It was done in a matter of hours," Erlenbusch said.

"Those first strikes were totally off the cuff. From the point where units were called who were in crew rest, 'Get an airplane, do you have the planes loaded?' 'No, we don't. Yeah, we do.' 'OK, brief it, fly it.' And it happens. That quick. We're talking hours."

Unlike the 1991 Gulf War, when only about 10% of the weapons used were precision-guided, on the first night in Baghdad only precision-guided munitions were used, an Air Force spokesman said. Overall, the weapons make up more than 90% of the munitions dropped in the war.

Current and former defense officials say that as the air campaign in Baghdad and elsewhere proceeds, and the target list widens, the probability of one or more devastating misfires will rise.

Some Pentagon officials said that though the precision-guided missiles are far more accurate than conventional bombs most of the time, when they malfunction they are prone to going farther off course.

The greatest danger, they say, is a mechanical or electrical failure or human mistake that sends the weapon far from its intended destination. Some defense analysts refer to these as "gross errors."

In Afghanistan, for instance, a U.S. Special Forces air controller inadvertently gave his own hilltop coordinates in his global positioning unit in December 2001. As a result, a B-52 dropped a 2,000-pound satellite-guided bomb on his position, killing three Green Berets and 25 Afghan allies and wounding Hamid Karzai, who was named the country's interim prime minister later that day.

Even when the right target is hit, the results can be catastrophic. During the 1991 Gulf War, the U.S. struck a building believed to be a military command and control bunker in Baghdad. The Iraqis were using it as a residential bomb shelter, and hundreds of civilians were killed.

In 1999, a U.S. pilot mistakenly bombed the Chinese Embassy in Belgrade based on a bad map. The intended target was the Yugoslav Federal Directorate of Supply and Procurement.

"The bottom line is this: You can never guarantee you're not going to have civilian casualties," said retired Air Force Gen. Charles A. Horner, who commanded the U.S. air campaign in the 1991 Gulf War.

"You never know who's in the building. We do everything that's within our power to mitigate unintentional damage and civilian casualties. But war is ugly and messy."

Murphy reported from Riyadh, Saudi Arabia, and Miller from Washington.
*******************************
Federal Computer Week
Agencies work e-gov health standards
BY Sara Michael 
March 24, 2003

Several agencies are coordinating the use of the first set of uniform standards for the electronic exchange of health information to be used across the federal government.

The departments of Health and Human Services, Defense and Veterans Affairs announced March 21 the effort to standardize the information exchange, part of the Consolidated Health Informatics (CHI) initiative, one of the Bush administration's 24 e-government initiatives.

The standards, including privacy and security protections, will make it easier for health care providers to share patient information and identify emerging public health threats. They will also facilitate the creation of portable electronic medical records.

"With appropriate privacy protections for personal health information, consumers and patients will benefit when their health information is available to their doctors and other health care providers when it is needed such as the emergency room," HHS Secretary Tommy Thompson said in a statement.

Under the new standards, agencies will use a common coding system to coordinate care and exchange information. Currently, agencies use different coding systems.

"E-gov is focused on simplifying bureaucracy, and the CHI work in health data standards is an excellent example of how simplification can improve quality and reduce health care costs in America," Mark Forman, associate director for information technology and electronic government at the Office of Management and Budget, said in a statement. 

Under this announcement, all agencies will adopt the following standards:

*Health Level 7 messaging standards to ensure each agency can share information such as order entries, scheduled appointments and tests, and coordination of admittance, discharge and transfer of patients.

*Certain National Council of Prescription Drug Programs standards for ordering drugs. The standards were adopted under the Health Insurance Portability and Accountability Act of 1996, and the new announcement will ensure that parts of the three agencies not covered by the act use the same standards.

*Institute of Electrical and Electronics Engineers 1073 series of standards to allow providers to plug medical devices into information systems.

*Digital Imaging Communications in Medicine standards to enable images and diagnostic information to be retrieved from various devices.

*Laboratory Logical Observation Identifier Names and Codes to standardize the exchange of clinical results.
*******************************
New York Times
March 25, 2003
Accused Adviser's Web Operator Is Arraigned
By ANDY NEWMAN

The man who ran the Web site for a penny-stock adviser accused of using information from the F.B.I. to manipulate stock prices was himself arraigned yesterday on securities fraud charges in federal court in Brooklyn.

The Web operator, Robert Hansen, is accused of making more than $100,000 on trades using information illegally obtained by the stock adviser, Amr Ibrahim Elgindy. 

Mr. Elgindy sold tips through two Web sites, AnthonyPacific.com and Insidetruth.com. His subscribers paid hundreds of dollars a month for exclusive information about pending criminal investigations into small companies. 

Mr. Elgindy obtained the information from F.B.I. agents and used it both to extort money from the companies and to profit by selling the companies' stocks short with the hope that they would decline, prosecutors have said. He has pleaded not guilty and is awaiting trial along with several others, including a former F.B.I. agent and a current one.

Mr. Hansen, 41, of Melbourne, Fla., had extensive access to Mr. Elgindy's tips, the government said. As an indication of Mr. Hansen's degree of involvement in the conspiracy to use F.B.I. information, prosecutors said yesterday that he admitted to a federal grand jury last October that one of his duties was to purge the archives of AnthonyPacific.com of any mention that information there was obtained through the F.B.I.

In a complaint unsealed yesterday, the United States attorney's office also submitted transcripts of computer conversations between Mr. Elgindy and Mr. Hansen. The complaint states that on Feb. 11, 2001, shortly before Mr. Elgindy was scheduled to make an online appearance in AnthonyPacific's chat room, he sent this message to Mr. Hansen: "anytime i mention any gov't agency other than the S.E.C. delete it." "ok," Mr. Hansen replied.

At another point, the government says, Mr. Elgindy whimsically typed "fbi fbi fbi fbi fbi," then the name of a company he thought was under investigation, then "whatchya gonna do when they come for you." This prompted Mr. Hansen to answer, "dang, now i have to edit the log again."

Mr. Hansen was released on $200,000 bail. Efforts to reach his lawyer last night were unsuccessful.
*******************************
CNET News.com
Plan pulls Net into search for kids 
By Dawn Kawamoto 
March 24, 2003, 1:30 PM PT

The move to take Amber Alerts from interstates to the Internet is accelerating.

California State Sen. Dean Florez, D-Shafter, unveiled a proposal Monday to include Amber Alerts on all state-funded Internet sites. Introduced almost a decade ago, Amber Alerts use highway billboards to post child abduction notices and to enlist public help. The state Senate bill is the latest effort to expand the alerts to Internet sites.

"In our increasingly high-tech society, more and more people get on the information superhighway every day," said Florez in a statement. "This will be the equivalent of a flashing road sign for computer users to broaden the search for kidnap victims."


Last October, America Online announced plans to post Amber Alerts on its Web site. Since starting its program, AOL has signed up 135,000 of its members and AOL Instant Messenger users to receive Amber Alerts via e-mail updates, as pop-up screen messages, or via pagers and cell phones, said Nicholas Graham, an AOL spokesman. 

And as early as next week, popular search engine Google is expected to sponsor a link to the Amber Alerts on the California Highway Patrol's Web site, according to Florez's office. Google representatives declined to comment on their plans and referred calls to Florez's office.

Under Florez's SB 406 proposal, all agencies that receive California state funding and operate a Web site will be required to prominently display a scrolling bar with details of current Amber Alerts. People who click on the scrolling alert notice will be connected to the California Highway Patrol's Web site. 

The proposal by Florez comes at a time when Congress is considering creating a national Amber Alert notification system. 

Currently, Amber Alerts are posted under voluntary agreements between local law enforcement agencies and private companies to disseminate information about child kidnappings, typically using electronic billboard signs on highways and media broadcasts. The program--named after a 9-year-old Texas girl who was kidnapped and murdered--has been credited with aiding in the rescue of dozens of children since the mid-1990s.
*******************************
Associated Press
IRS Online Tax Filing Tops 2M Users 
Tue Mar 25, 5:17 AM ET
By MARY DALRYMPLE, AP Tax Writer 

WASHINGTON - More than 2 million people have used free tax preparation services offered through the Internal Revenue Service this tax season, surpassing the agency's goal for the program's first year.


The program encourages electronic filing by giving taxpayers access to the computer tools they need to send their returns. The IRS expects about 53 million of the more than 130 million returns that will be filed this year to come in electronically, eclipsing last year's record 47 million. 


But despite the ease of filing electronic returns, one in five of all taxpayers will probably wait until the last minute to file. 


Most of the procrastinators owe the IRS. Last year, 61 percent of the tax dollars owed arrived after the deadline. The agency is now encouraging those people to file early electronically, and then authorize electronic payment of their bill on the April 15 deadline. 


"People don't have to wait until 11:59 on April 14," said Terry Lutes, director of IRS Electronic Tax Administration. 


To choose that option, taxpayers must file electronically through a tax preparer or a special software program and then authorize payment by an electronic bank withdrawal or by credit card. 


For taxpayers who would normally compute their own taxes the old-fashioned pen-and-paper way, the IRS free filing program may make the job a little easier.


The service makes free tax preparation software provided by private companies available through the IRS Web site to qualified users, in a bid to get 80 percent of all returns filed electronically by 2007. 


The 17 participating companies allow qualified taxpayers to prepare their returns using the software free of charge, then transmit the return electronically to the IRS. 


Most free filing options target low-income taxpayers, including those who may qualify for a refund under the Earned Income Credit (EIC). Those individuals and families can prepare their returns without paying a tax professional and get their refunds faster, said Scott Gulbransen, spokesman for TurboTax software, which is offering free filing services for taxpayers who make less than $27,000 or qualify for the EIC. 


After an individual prepares the return, the company sends the information to the IRS over secure lines. 


"We take that very seriously," said Cammie Greif, vice president of marketing at 2nd Story Software Inc., which offers free TaxACT preparation services for taxpayers with more than $50,000 in income. 


Most taxpayers will qualify to use one of the free filing services, based on eligibility requirements that consider income, age and military service. A quick questionnaire at www.irs.gov points taxpayers to appropriate services. 


Electronic filing offers other benefits to taxpayers, including a confirmation that the IRS received their return. Some of the free filing software also can offer the same advice given by professional tax preparers and can find tax advantages that might otherwise be overlooked. 


Perhaps the biggest advantage of electronic filing is a faster check for anyone expecting a refund. A taxpayer can expect a refund within two weeks if filing electronically, but it can take up to eight weeks if the IRS receives the return by mail during the last weeks of the filing season.
*******************************
Wired News
U.S. EBay Seller Refuses Sales to Anti-War Countries  
02:00 AM Mar. 25, 2003 PT

VANCOUVER, British Columbia -- On eBay, the highest bid wins -- unless the item on sale is a laser printer from CompAtlanta and the bidder happens to be Canadian. 

That's what a tax consultant discovered last week when he tried to buy a printer over eBay, but was refused by the vendor when it was discovered he lived in Vancouver.

David Ingram received notification that his winning bid of $24.50 had been canceled, along with this message: "At the present time, we do not ship to, or accept bids from Canada, Mexico, France, Germany or any other country that does not support the United States in our efforts to rid the world of Saddam Hussein. If you are not with us, you are against us." 

Ingram's .ca address sparked the notice from CompAtlanta, based in Lawrenceville, Georgia. Canada is one of a number of countries that said it would not support an American invasion of Iraq without United Nations' approval. 

"I've made a winning bid," Ingram said. "To discriminate against me because I'm a Canadian is ridiculous."

Sid Mitchell, CompAtlanta's president, could not be reached for comment. However, an e-mail exchange between Ingram and Mitchell clearly laid out the company's policy: "What part of this listing do you not understand?" Mitchell wrote Ingram. "This item will not be shipped outside the USA, and we do not accept bids from Canadians. Both are plainly stated." 

That didn't stop Ingram from trying again over the weekend. He bid for the laser printer a second time, offering $107.50 to avoid being outbid and specifying delivery to an American address. In a separate message, he informed Mitchell that he wanted the printer shipped stateside. 

Judging by Mitchell's reply, however, Ingram isn't likely to get his printer from CompAtlanta: "You are obviously trying to get around the fact that you are Canadian," Mitchell wrote to Ingram, "and we will not honor your bid or ship to any location for you." 

Ingram said Mitchell lacks a good business reason for not shipping to a Canadian who uses an American address. "If they're going to do that," Ingram said, "then they shouldn't sell to the 50 percent of Democrats and the 20 percent of Republicans that aren't supporting the war, either."

CompAtlanta is one of a small number of companies boycotting countries opposed to the war. The German newspaper Deutsche Welle reported late last week that a German shoe-supply manufacturer lost a contract with an American firm over Germany's stance on the war. There have also been reports of American consumers boycotting French wine and cheese. 

But the boycotts aren't widespread yet. JoAnn Dupont, a customer service representative with eBay vendor IkeSound.com of Florida said her company's policy of shipping to Canada and other countries has not changed as a result of the war. 

And some eBay vendors selling such items as Saddam Hussein "terrorist hunting licenses" and dart boards will ship them anywhere in the world. 

Andre Lemay, a spokesman for the Canadian department of Foreign Affairs and International Trade in Ottawa, said he wasn't aware of any reverse boycott. Nor did he believe such a boycott would be an issue since Canada and the United States remain each other's two largest trading partners. "We still believe our relationship with the U.S. is good -- in fact, enviable," he said.

EBay spokesman Kevin Pursglove said CompAtlanta was the only eBay merchant he knew of that is boycotting buyers for reasons related to the war. He said sellers can decide with whom they want to do business, but eBay frowns on posting overtly political messages. Pursglove said eBay ordered CompAtlanta to remove the auction item and to modify its message to bidders from Canada, Mexico, France and Germany. 

But CompAtlanta's message is still more or less intact, which incenses Ingram. He says he plans to pursue the matter with eBay. 

He may also take it up in person with CompAtlanta. If he doesn't receive his printer before a scheduled trip south of the border later in the fall, Ingram says he'll pay the computer vendor a visit. 

"If they don't send it," he said, "sometime in September or October I will park outside their store with a sign saying they discriminate against Canadians."
*******************************
Australian IT
Banks target terror funds
Kelly Mills
MARCH 25, 2003  
 
ONE of Australia's big four banks is in discussions about a multimillion-dollar anti-money-laundering package that could prove vital in tracking down cash that may be used for international terrorism.

The move comes as other banks tighten up their procedures to combat money laundering.

An ANZ spokeswoman, for example, said an application used in the US to check payments for suspicious names was being deployed throughout the bank's worldwide operations.

A Westpac spokesman said they were adding filters to current systems to comply with domestic and foreign legislation against money laundering. 

A National Australia Bank spokeswoman said it was upgrading existing systems and "creating, testing and implementing additional software applications". 


The Commonwealth Bank declined to comment. 

The moves by Australian banks to beef up their anti-money-laundering capability follow a call by the US government to hunt down $US6 billion ($10 billion) reputedly salted away by Iraqi dictator Saddam Hussein.

SAS Institute Australia financial services general manager Malcolm Lister said Australian banks did not have the IT systems analytics to detect money laundering. "Australian banks could probably put a particular flag on the types of transactions coming through, but they would also need to be able to screen and pick up names," he said. 

"One would imagine, in the case of Saddam Hussein or al-Qa'ida, it would be unlikely they would have account names or transactions linked to obviously Arabic names." 

Mr Lister said any filter would need to be able to pick up a range of text, different patterns and links between accounts. "The banks aren't equipped to handle that," Mr Lister said. 

A lack of strong legislation, such as the US Patriot Act, had also hindered the deployment of anti-money-laundering systems, he said. 

Justice and Customs Minister Chris Ellison rejected these suggestions, saying Australia was a "world leader" in the area.

"Australia's system of international funds transfer monitoring and account signatory information requirements are more comprehensive than required by US legislation, including the Patriot Act," Senator Ellison said. 

Mr Lister said tough legislation, such as the US Patriot Act, anti-money-laundering initiatives by the UK Financial Services Authority and similar directives in the European Union had increased the sense of urgency about monitoring and analysis of financial transactions. 

The US Patriot Act holds international banks responsible for understanding who customers are, the purpose of transactions, the business of client companies and the destination of any transaction involving US dollars, irrespective of where the transaction started. 

"The level of transaction and process review and scanning isn't sufficient in any Australian banks to comply with the requirements of the Patriot Act," Mr Lister said. 

Australian banks needed to set up rules for known money-laundering patterns and a series of profiling to build up statistics across accounts and transactions, he said.

"Then they need an advanced level of analytics, which will obviously involve taking information from their scanning, comparing it against known data models and where there are matches, being able to improve the level of business skills they are using for the first filter," he said. 
*******************************
Government Computer News
03/25/03 
Dunnington replaces Holcomb as NASA CIO 
By Vanessa Jo Roberts 

NASA has tapped its deputy systems chief to take over as CIO. 

Sean O'Keefe, the space agency's administrator, this week announced the promotion of Patricia L. Dunnington to the systems post.

Dunnington had been deputy CIO since August 2002. She first came to work at NASA in 1982 as a presidential management intern in the Office of Aerospace Technology. She moved up the ranks of the agency's systems management, including a stint as CIO for the Langley Research Center in Hampton, Va.

"She has an intimate knowledge of the agency, and she will be a key leader, planner and manager as we continue to apply cutting edge IT to NASA," O'Keefe said.

Dunnington replaces Lee Holcomb, who left the agency last summer to work with the White House homeland security team and is now a member of the new Homeland Security Department systems staff. Since Holcomb left for the White House job, Paul Strassman, special assistant to the administrator for information, has been acting CIO. 

Strassman will retire, O'Keefe said.

"Paul has given us a much needed road map to address our IT needs for the future. He's introduced contemporary business practices and a game plan that will help us fully implement the plan," O'Keefe said.

O'Keefe had lured Strassman back into public service from his first retirement. Strassman was one of the government's original CIOs, leading IT management at the Defense Department during the 1990s.

Although she's been a career government employee, Dunnington took a recent turn in industry, participating in the government's Senior Executive Service Candidate Development Program. Just before her assignment as deputy CIO, she worked at Cisco Systems Inc. of San Jose, Calif.

Dunnington has a bachelor's degree from Catholic University of America and a master's of general administration from University of Maryland.
*******************************
Computerworld
Mailblocks antispam service promises end to spam
By TODD R. WEISS 
MARCH 24, 2003

A new antispam service initially aimed at consumers launched today with two huge promises to users: a total end to annoying spam and no false positives to hang up wanted e-mail.

Begun by Phil Goldman, a former Microsoft Corp. vice president and a co-founder of WebTV Networks Inc., the new Mailblocks Inc. service forgoes common spam-prevention filtering methods, such as heuristics and blacklisting, with something called "challenged response." Similar to other methods where the protected user's e-mail account automatically asks the sender to verify an initial e-mail message, the challenged response sends a generated message asking the sender to type in a provided seven-digit number into a box in the e-mail. Since only an authentic sender can type in the number correctly, and a computer-generated spam mailer can't issue such a response, the e-mail is then perceived to be authentic and added to the recipient's accepted senders list.

"We've turned the problem around," said Goldman, the CEO of Los Altos, Calif.-based Mailblocks. "We're defeating the spammers' computers. We're not allowing them to send spam to you."

The service will cost $9.95 per year for standard service with 12MB of storage, or $24.95 a year for up to 50MB of storage. Attachments of up to 6MB can be sent with each message. New standard-service subscribers will get two free years of service as a bonus as an incentive with the service's debut.

The difference between Mailblocks and other response-generated e-mail services, Goldman said, is that other services can be tricked by spammers through the issuance of a Perl script automated response, which isn't possible using the seven-digit code.

The service can be accessed through Mailblocks' Web page or by using Microsoft Outlook, Outlook Express or Eudora e-mail clients.

Other benefits include immediate access to a user's in-box upon log-in, rather than to ad-filled home pages with free e-mail alternatives, such as Yahoo Mail and Hotmail.

The "challenged response" technology has been patented by Mailblocks, and the company is actively searching for partners to license it and bring its capabilities to enterprise e-mail systems such as Microsoft Exchange and Lotus Notes, Goldman said.

Tim Bajarin, an analyst at Creative Strategies Inc. in Campbell, Calif., said Goldman's no-spam, no-errors claims are perhaps over the edge. "There's no question, it's a stretch," he said. "But Goldman's learned a lot during his WebTV days" about what customers want and how they want to use e-mail and the Web, Bajarin added. 

"While the vision is rather grand, if there's any guy who can design something that can minimize spam, I've got to say that Phil's as good a guy as any," he said. 

Even if Goldman's claims are accurate, spammers will likely figure out a way to defeat the seven-digit code system in Mailblocks, Bajarin said. That means Goldman will need to be proactive in staying a step ahead of them with other methods to stop spam. 

"His goal is to provide spam-free mail," Bajarin said. "In the cases of Hotmail and these others, that's not their goal."
*******************************
Computerworld
Fourth CERT document is leaked online
By Paul Roberts, IDG News Service
MARCH 24, 2003

In what appears to have been the fourth such incident last week, an individual using the name "hack4life" sent another internal CERT Coordination Center memo to an online discussion list on March 21, detailing a product vulnerability that hadn't yet been disclosed. 
The leaked e-mail message, from Ian Finlay, an Internet systems security analyst at CERT, concerned a message from Microsoft Corp. to the Pittsburgh-based organization regarding a vulnerability in Web redirectors, which forward a visitor from one Internet domain to another. 

Microsoft is concerned that such sites are being used by organizations and individuals to disguise the source of spam e-mail, making it look like it comes from legitimate sources, according to Finlay's message. In addition, the widespread exploitation of such redirection servers, which are calibrated to handle an expected volume of traffic, could constitute a denial-of-service attack against the organizations that use those servers, Finlay wrote. 

In a note that preceded the leaked e-mail, the individual responsible for posting the message apologized to the hacker community for the low severity level of the reported problem. "Your mileage with this vulnerability may vary; some people will think it's irrelevant; some may be able to make use of it," hack4life wrote. "CERT obviously thinks it's worth while, so I've take [sic] the choice out of their hands too and released it anyway," the note said. 

The leaked e-mail regarding the Web page redirect problem follows three similar posts, apparently from the same individual, on March 16. Those vulnerabilities concerned security problems being researched by CERT but not yet disclosed to the public: 


A buffer-overflow vulnerability in a software library used by many Unix and Linux operating systems and applications. 

A technique for attacking and breaking encryption on Web servers that use Secure Sockets Layer (SSL) encryption. 

Cryptographic vulnerabilities in the Kerberos Version 4 protocol that could allow an attacker to impersonate a user in a Kerberos realm and gain privileged access.

CERT said it believes that all of the leaks came from information shared with vendors. "The particular text that he posted was taken directly from e-mail messages sent to the vendor community," said Shawn Hernan, team leader for vulnerability handling at CERT.

The organization customarily shares such information with vendors when it's developing vulnerability notices and alerts, Hernan said. The organization had narrowed its focus to "a fairly sizeable group" of those vendors with which CERT has long-standing relationships, Hernan said. 

CERT encrypts correspondence about vulnerabilities when it sends that information to vendors. Each vendor maintains its own unique encryption key for deciphering and viewing the information after it's received. To view information in the message, an intruder would have to defeat the Pretty Good Privacy or SSL keys used to encrypt the comment, which Hernan said was "highly unlikely." If the messages were stored in decrypted form on a compromised e-mail server, an intruder could also obtain the information that way. 

The most likely scenario, however, is that the culprit was in a position to obtain the decrypted information, possibly as part of a development team assigned to evaluate or fix the problems, Hernan said. He discounted that a CERT employee leaked the information, saying CERT insiders have access to more sensitive issues that would be more attractive targets for premature disclosure than the items published by hack4life. 

CERT is working with the software vendors that are most likely to be affected by the premature disclosures and is taking other measures to respond to the leaks, Hernan said. If the person responsible for the leak is a "maverick" employee of one of the vendors CERT is communicating with, however, it may be difficult to prevent future disclosures. 

CERT wouldn't comment on whether law enforcement authorities had been contacted concerning the leaks, but the difficulty in determining the location of the person responsible for the leaks could complicate any criminal investigation, Hernan said. 

The organization, which is affiliated with Carnegie Mellon University, said it will continue to thoroughly research the leaked issues before publishing an alert. "We feel there's a real benefit in making sure issues are properly scoped and researched before they are made public," Hernan said. 

However, the premature disclosures changed the priority of those issues, he said. Publishing product vulnerabilities before a patch is available doesn't send a message about the benefits of full disclosure, but means that research on more important vulnerabilities must be postponed so that vendors can address the leaked problems, he said.

"I have no quarrel with the full disclosure community, but I do have a quarrel with the stupid disclosure community," Hernan said.
*******************************
Washington Post
Justice Dept.: FBI database info no longer has to be accurate 
March 25, 2003

WASHINGTON (AP) -- The Justice Department lifted a requirement Monday that the FBI ensure the accuracy and timeliness of information about criminals and crime victims before adding it to the country's most comprehensive law enforcement database.

The system, run by the FBI's National Crime Information Center, includes data about terrorists, fugitives, warrants, people missing, gang members and stolen vehicles, guns or boats. 

Records are queried increasingly by the nation's law enforcement agencies to help decide whether to monitor, detain or arrest someone. The records are inaccessible to the public, and police have been prosecuted in U.S. courts for misusing the system to find, for example, personal information about girlfriends or former spouses. 

Officials said the change, which immediately drew criticism from civil-liberties advocates, is necessary to ensure investigators have access to information that can't be confirmed but could take on new significance later, FBI spokesman Paul Bresson said. 

The change to the 1974 U.S. Privacy Act was disclosed with an announcement published in the Federal Register. 

The Privacy Act previously required the FBI to ensure information was "accurate, relevant, timely and complete" before it could be added to the system. 

"It's a pretty big job to be accurate and complete," said Stewart Baker, a Washington lawyer who specializes in technology and surveillance issues. "On the other hand, these are potentially very significant records for people, and if it's not accurate and complete, it can mean trouble." 

Critics urged Congress to review the change, arguing that information in the computer files was especially important because it can affect many aspects of a person's life. 

"This is information that has always been stigmatizing, the type of data that can prevent someone from getting a job," said Marc Rotenberg of the Washington-based Electronic Privacy Information Center. "When you remove the accuracy obligations, you open the door to the use of unreliable information." 

Critics have noted complaints for years about wrong information in the computer files that disrupted the lives of innocent citizens, and the FBI has acknowledged problems. In one case, a Phoenix resident was arrested for minor traffic violations that had been quashed weeks earlier; in another, a civilian was misidentified as a Navy deserter. 

The system "is replete with inaccurate, untimely information, but everybody does their best to keep it up to date," said Beryl Howell, former general counsel to the Senate Judiciary Committee. "That's a goal we shouldn't just throw out." 

In the change, the Justice Department said earlier restrictions on information "would limit the ability of trained investigators and intelligence analysts to exercise their judgment in reporting on investigations and impede the development of criminal intelligence necessary for effective law enforcement." 

It added that, because the system collects its data from so many other organizations, "it is administratively impossible to ensure compliance." 
*******************************