
Clips May 19, 2003


ARTICLES

Spy Plan Faces Critical Deadline  
Mass. bill aimed at blocking spam
Internet Dreams Turn To Crime 
IRC operators may out-hack Fizzer 
Bush Online: Smiles, Spin and a Dog as Tour Guide
Open source in the stars for NASA? 
Broadband Growth In Doubt, Study Hints 
Outsourcing popular internationally
White House sets new policy on remote-sensing systems 
E-gov chief 'very happy' with progress on initiatives 
Defense, Homeland officials seek bids on security devices 
Giuliani, Netanyahu and Woolsey speak out on terror and technology
More Jobs Than Security Clearances 
IBM in first deal to supply digital police cameras
The scent of an illness

*******************************
Wired News
Spy Plan Faces Critical Deadline  
02:00 AM May. 19, 2003 PT

As college students across the country rush to finish their final papers, the Pentagon is preparing to turn in its final report on the Total Information Awareness project in hopes of getting a passing grade from Congress. 

More than a college transcript is at stake for the program, however. Its continued existence likely will turn on the report's reception.

The report, which is due Tuesday, must outline the project's privacy implications and detail the scope of the system intended to catch terrorists by combing through Americans' travel records and credit card purchases. 

In January, the Senate unanimously approved a spending bill amendment that ordered the Pentagon, the CIA and the Justice Department to report on the project to Congress. Failure to do so would cost the program its future funding. 

The amendment, introduced by Sen. Ron Wyden (D-Ore.), survived House-Senate negotiations. President Bush signed the bill Feb. 20, making Tuesday the report's deadline. 

Wyden warned the Senate on March 13 not to attempt to undo the oversight requirements. 

"The TIA technology will give the federal government the capability to operate the most massive domestic surveillance program in the history of our country," putting the financial, medical and other details of Americans' private lives in the hands of tens of thousands of bureaucrats, he said. "The American people have the right to know if the federal government intends to deploy this technology against them, when it will do so and how, and Congress should preserve its oversight over the program." 

Privacy groups say they aren't sure what to expect from the report, mainly because of the secretive nature of the agencies involved. 

They don't even know how or to whom the report will be delivered. Typically reports to Congress are delivered to the president of the Senate. 

However, this question is complicated by another question -- namely, whether the report will be classified or not. 

Last week, an ideologically diverse coalition of privacy advocates, including the Electronic Frontier Foundation, the Free Congress Foundation, the American Civil Liberties Union and Americans for Tax Reform, sent letters to the Defense Advanced Research Projects Agency, the CIA and the Justice Department asking that the report be made public and that it be posted on the agencies' websites. 

The groups have not yet received any official response to the letters. However, DARPA, which heads the Pentagon effort to develop the system, has indicated that at least some of the report will be available to the public. 

"We anticipate making the report public after it has been provided to Congress," said Jan Walker, a DARPA spokeswoman. 

Many people and some news accounts assumed that Wyden's amendment had terminated the controversial program.

However, while the amendment did stipulate that the Total Information Awareness project could not investigate Americans without the approval of Congress, it did not prohibit further research. 

Statements of work and award letters obtained from DARPA by the Electronic Privacy Information Center show that DARPA has awarded 26 contracts to private companies and universities which will provide components of the.

One of the largest contracts -- worth more than $19 million -- was awarded to Hicks & Associates, a consulting firm that will be responsible for testing the system and coordinating the integration of the system's components. The system underwent its first test in February, but the test reports are not publicly available, according to Walker. 

Privacy advocates expect Tuesday's report to lead to another round of public and congressional debate. 

"I hope this report is the start of a fruitful dialogue about the implications of this technology for privacy, civil liberties and due process," said Lara Flint, staff counsel for the Center for Democracy & Technology. 

"The concern is that the proposal will be reduced to a palatable pill that we can swallow and then later it will expand," said Jay Stanley, communications director of the ACLU's Technology and Liberty Program. 

"The report is likely to create more angst in Congress," said Chris Hoofnagle, an attorney at EPIC. Hoofnagle said he thinks the report is likely to trigger more legislation, such as a general ban on government data-mining programs. 

But DARPA has taken steps in the last few months to address the program's critics. 

In February, the agency appointed an internal oversight committee and an external advisory board to oversee the program. In April, the Palo Alto Research Center signed a $3.5 million contract with the agency to build a privacy appliance that would keep databases from exposing undue amounts of personal information. 

DARPA director Tony Tether said in congressional testimony May 6 that the program would search only through disparate databases to find out more about connections to a specific suspect or to answer questions such as, "Are there foreign visitors to the United States who are staying in urban areas, buying large amounts of fertilizer and renting trucks?" 

DARPA also reframed the program's mission in its 2003 strategic plan: "Terrorists must engage in certain transactions to coordinate and conduct attacks against Americans, and these transactions leave signatures (form patterns) that may be detectable. For this research, the TIA project will only use data that is legally obtainable and usable by the U.S. government." 

Those limitations don't mollify Flint, who said the Patriot Act grants the government wide powers to access records for terrorism investigations. 

"There are few limits to what the government can obtain legally," she said. "They can get medical records, travel records, phone records, Internet transactional records and credit reports." 

"DARPA thinks people have misunderstood the program. Dr. Tether is saying what we are really doing is this," said Flint. "But we haven't misunderstood. It's the 'this' that we have been worried about."
*******************************
Boston Globe
Mass. bill aimed at blocking spam
Measure would mandate warnings
By Chris Gaither, Globe Staff, 5/19/2003

Massachusetts legislators are rallying behind a bill that would allow the state, Internet service providers, and consumers to sue spammers for as much as $500 for each unwanted e-mail message not identified as an advertisement or adult-oriented message.

The bill, sponsored by state Attorney General Thomas F. Reilly, is expected to receive the backing of the state Senate's Science and Technology Committee next month. If passed into law, the measure would force e-mail marketers to include ''ADV,'' for advertisement, and ''ADV:ADLT,'' for adult advertisement, in the subject line of unsolicited messages sent to Bay State residents or from computer networks in Massachusetts.

''We are learning to regulate to allow for the freedoms the Internet was intended to provide us, while at the same time guard against undeserved incursions on our privacy, like the ones spammers make,'' said state Senator Jarrett Barrios, a Cambridge Democrat who drafted the bill.

Opponents argue the proposed law would hurt the ability of genuine e-mail marketers to send advertisements to new and existing customers by making it too easy to block their messages with filters. They warn the most egregious spammers, who hawk everything from herbal sexual stimulants to get-rich-quick schemes, won't follow the rules. Even supporters of the bill wonder how officials can enforce the new laws in the face of the growing tide of unwanted e-mail flooding the Internet.

''It's a step in the right direction, but it's not a perfect bill and it's not going to solve the problem overnight,'' said Jere Doyle, CEO of Prospectiv Direct, a Woburn company that sends e-mail ads for companies like Shaw's Supermarkets to customers who sign up.

Measures to fight spam have gained strength across the nation in recent months, as state and federal lawmakers tune into the growing discontent with the spam scourge. The volume of unwanted e-mail has soared recently. Internet service providers like America Online Inc. and Microsoft Corp. say they now block as many as 2.4 billion unsolicited e-mails a day. Many more sneak through, cluttering the in-boxes of frustrated computer users.

But with 27 states already passing anti-spam laws before Massachusetts, the local regulations are creating a patchwork of laws that make it increasingly difficult for legitimate businesses to follow each state's rules for sending e-mail, says the Direct Marketing Association. The New York-based trade group and others are lobbying for federal legislation, which in turn leaves states worried that new national laws would undercut the local penalties.

''We are making it clear to our congressional delegation that we're concerned that federal legislation would preempt what we're doing here,'' said Tim Murtaugh, a spokesman for Virginia Attorney General Jerry Kilgore. A new law taking effect there July 1 imposes stiff fines and prison sentences of one to five years for high-volume spammers who send fraudulent e-mails.

The Massachusetts bill takes a softer approach. It says advertisers must write ''ADV'' or ''ADV:ADLT'' at the beginning of the subject line unless the recipient has specially requested e-mail advertisements from the sender. The bill also requires a simple way to opt out of future mailings, prohibits false information in the subject line or text, and bans the practice, known as e-mail spoofing, of using software to mask the sender's e-mail address with one borrowed from a stranger.

As written, the law would apply to spammers who send unsolicited e-mail from computers based in Massachusetts, via Internet service providers with equipment in the state, or to people whom the sender ''knows or should know'' are in Massachusetts.

''We feel that, once we get legislation in place, we can do enforcement in short order and try to set the standard for the industry and how they should act,'' said Alice Moore, chief of the Public Protection Bureau in the attorney general's office.

Reilly's office has sued only one spammer to date. Using existing antifraud laws, the state in 2001 persuaded a Suffolk Superior Court judge to shut down the bulk e-mailing of a Woburn-based company, RT Marketing, and impose a $5,000 fine for making false claims about ''detective software'' and ''free grant giveaway'' programs.

New York state authorities last week arrested a Buffalo man and charged him with using forgery and identity theft to send 825 million spam e-mails that pitched herbal sexual stimulants, cable descrambling devices, and bulk e-mail lists. If convicted of the most serious charge, Howard Carmack, 36, faces up to seven years in prison. He pleaded not guilty and is due in court today.

Louis Mastria, the Direct Marketing Association's director of public and international affairs, said brazen spammers like Carmack will never tailor their e-mails to the proposed Massachusetts law.

''Who will? It will be the guys who have a reputation, a company, a brand to protect,'' Mastria said. ''It's so counterproductive.''
*******************************
New York Times
A Ruling Makes E-Mail Evidence More Accessible
By LANDON THOMAS Jr.

UBS Warburg was ordered this week to pay for the search and recovery of e-mail messages requested by a plaintiff, giving aggrieved investors a new legal tool to support their cases against investment banks.

Shira A. Scheindlin, a judge in the Southern District of New York, said that UBS had to dig into its archives and pay for the restoration of a limited batch of e-mail messages sought by a former employee who is suing the firm for sexual discrimination and retaliatory dismissal.

Judge Scheindlin's opinion, delivered on Tuesday, is already being referred to by lawyers representing investors and investment banks as a definitive piece of jurisprudence. It suggests that investment banks will have to take responsibility and pay for the recovery of e-mail messages as long as plaintiffs can demonstrate that the evidence sought is relevant to their cases.

Arbitration lawyers say that Judge Scheindlin's decision will change the economics of arbitration cases involving investors seeking damages from investment banks over fraudulent research.

"The decision is very significant and will help customers get crucial evidence for their cases," said Jacob H. Zamansky, a leading arbitration lawyer. "As long as you can make a showing that the evidence you are asking for is relevant, the banks must bear the cost for searching through the e-mails."

Investment banks have cited the technical challenge and cost involved in retrieving old e-mail traffic as a reason to dismiss arbitration claims, many of which are frivolous, bank and arbitration lawyers agree. (Under industry rules, most customer and employee complaints must be resolved by arbitration, rather than in court.) In the UBS case, lawyers for the bank stated that if the plaintiff, Laura Zubulake, wanted the additional files, which were stored on tape and not readily accessible, she should pay the $175,000 it would cost to retrieve them.

Ms. Zubulake, who has not worked since her dismissal in October 2001, could not afford to pay such a sum, her lawyers say. In her decision, Judge Scheindlin ordered UBS to turn over 5 of the 94 files that were stored on backup tapes and additional e-mail messages on optical disks, which will cost much less than the original request.

"We are pleased that we won this motion, which significantly limited the scope of discovery and prevented an unjustified fishing expedition," a spokesman for UBS Warburg said yesterday.

Much of the opinion's legal punch comes from its author: Judge Scheindlin will be the presiding judge over a seminal class-action suit contending that 55 investment banks and executives at technology companies defrauded investors by artificially inflating the prices of hot initial public offerings.

The outcome of that suit, which could cost investment banks billions of dollars, will depend largely on what kind of e-mail evidence plaintiffs can secure from the banks.

"It's very important for our case," said Melvyn I. Weiss, whose law firm, Milberg Weiss Bershad Hynes & Lerach, is leading the suit. "Judge Scheindlin has set the standard. She has made it clear that she will force the defendants to make available all material that otherwise would be difficult to obtain."

In her opinion, which spanned 38 pages and quoted Henry David Thoreau in its introduction, Judge Scheindlin argued that federal standards governing the discovery process are outdated and were written before the flowering of e-mail as the primary means of corporate communication.

She set new standards, which effectively give plaintiffs the right to ask that investment banks provide expanded levels of e-mail traffic that may take a significant effort to retrieve, if the plaintiff proves that the messages are relevant to the case. The investment bank would then be responsible for bearing the cost.

"This will be the law of the land when it comes to arbitrations," said James A. Batson, of Liddle & Robinson, who is representing Ms. Zubulake. "Defendants can no longer hide behind the cost factor." 

More than 7,000 arbitration cases were filed against investment banks last year, most of them involving investors contending that fraudulent research from Wall Street wiped out their investments. Many were dismissed by arbitrators because of the lack of e-mail evidence.

If plaintiffs wanted such evidence, banks argued, they should pay the costs themselves. Given that e-mail recovery operations can be expensive, plaintiffs have often dropped their cases.

The Scheindlin opinion, lawyers say, will be a powerful new weapon in their continuing attempts to extract fresh e-mail evidence from the investment banks.

Analysts estimate that investment banks could have hundreds of millions of dollars of potential exposure to arbitration claims. Banks have become more aggressive in contesting such claims and agreeing to settle fewer of them. One of their most effective defenses has been to hold the line on broad requests for e-mail traffic.

Ms. Zubulake, a former institutional equities saleswoman at UBS Warburg, hopes to use the e-mail messages to support her contention that she was fired in retaliation for filing a claim with the Equal Employment Opportunity Commission. In that claim, she asserted that she had been passed over for promotion because of her gender.

She then filed suit against UBS for gender discrimination and illegal retaliation.

Ms. Zubulake's lawyers at Liddle & Robinson originally made a broad request: they wanted all e-mail traffic concerning Ms. Zubulake and any UBS official, which would have required UBS to delve deep into its e-mail archives for the recovery and restoration of 94 e-mail files.

Such a request is typical in cases between private parties and corporations and is generally seen to be an attempt to pressure the defendant into settling, say lawyers for investment banks that have opposed Liddle & Robinson in other cases. Liddle & Robinson is a leading law firm known for aggressive suits by bankers and brokers against their former employers.

UBS lawyers responded that the bulk of these e-mail messages had been stored on tapes, that they were not relevant to the case and that to restore them would be unduly expensive and time-consuming. Ms. Zubulake's lawyers asked for a more limited trove of e-mail messages and got them.

In ordering UBS to produce only 5 of the 94 files for Ms. Zubulake, Judge Scheindlin also asked that the bank include an affidavit of the cost.

While this decision has thrilled arbitration lawyers, executives at investment banks point out that Judge Scheindlin decreed that UBS provide only a small fraction of the plaintiff's request. And on June 17, Judge Scheindlin will hear arguments to decide whether UBS or Ms. Zubulake would have to pay for the recovery of any more files.
*******************************
Washington Post
Internet Dreams Turn To Crime 
Russian Start-Up Firm Targeted U.S. Companies 
By Ariana Eunjung Cha
Sunday, May 18, 2003; Page A01 

First of three articles 

CHELYABINSK, Russia -- Vasiliy Gorshkov did not set out to be a thief.

Relatives and friends say he had wanted to build a dot-com like those he had read about on the other side of the world -- the Amazon.coms, eBays and Yahoos that were becoming household names even in this industrial expanse of dilapidated tenements and factories.

But in the spring of 2000, just three months after he sank his inheritance into a quixotic start-up to build Web sites for corporations, Gorshkov was getting squeezed. Few merchants here wanted to hear about the Internet, much less invest in it. What's worse, Gorshkov told several associates, local crime bosses had started to demand that he hand over a percentage of his earnings to avoid smashed windows, theft of merchandise and broken bones.

Gorshkov, then 24, didn't have the cash. Business associates recalled that he didn't even have enough money to keep paying his four programmers.

But one of those programmers, 19-year-old Alexey Ivanov, said he knew how to raise the protection money, according to lawyers familiar with the conversation. Gorshkov could offer a protection service of his own. To online businesses. Six thousand miles away in the United States.

Soon, U.S. prosecutors said, Gorshkov and Ivanov were scouring the Internet looking for security vulnerabilities in the computer networks of American corporations. When they found a way in, they would steal credit card numbers or other valuable information. They would then contact the site's operator and offer to "fix" the breach and return the stolen data -- for a price.

Within a few months, banking, e-commerce and Internet service providers across the country, including Central National Bank of Waco, Tex.; Nara Bank NA of Los Angeles; and Internet service provider Speakeasy Inc. of Seattle, became victims. The hackers also used online payment service PayPal Inc. to turn pilfered credit card numbers into cash by setting up phony accounts. The men would eventually expose American businesses to perhaps tens of millions of dollars in losses, the prosecutors said.

Gorshkov and Ivanov are two of the hundreds, perhaps thousands, of virtually untraceable hackers who are overwhelming cyberspace. Hackers have stolen customer databases, company blueprints and credit card numbers. They have unleashed viruses, crashed computer systems, placed phony orders for merchandise, rerouted e-mail communications and committed various other mischief.

Over the past few years, the U.S. Justice Department, the FBI, the Secret Service and other government agencies have accelerated efforts to counter cybercrime. Last week, Attorney General John D. Ashcroft said one joint operation resulted in the arrest of more than 130 people suspected of using the Internet to defraud 89,000 consumers and businesses of $176 million since the beginning of the year.

Businesses are expected to spend $25 billion this year to fend off online intruders, according to market researcher IDC Corp. About 65 percent of all online attacks originate overseas.

"The Internet makes moving money across continents faster, less of a hassle -- and easier to hide," said Louise I. Shelley, director of the Transnational Crime and Corruption Center at American University.

International law is often ill-suited to deal with the problem, with conflicting views on what constitutes cybercrime, how -- or if -- perpetrators should be punished and how national borders should be applied to a medium that is essentially borderless.

"We don't think about the FBI at all," Gorshkov told a potential business partner. "Because they can't get us in Russia."

Gorshkov was wrong. The events that led to his and Ivanov's arrest open a window on the elusive and lucrative world of computer hacking -- where many perpetrators no longer fool with computers just because they are bored or want to make political statements. They're in it for the money. 

The events were reconstructed from interviews with relatives, friends, co-workers, classmates and acquaintances of the hackers. Key details were corroborated by court records, prosecutors, defense lawyers and government intelligence officials. Gorshkov answered several questions in a letter; Ivanov declined to be interviewed.

Their case is unusual only because they were caught. Most online thieves, computer security investigators and prosecutors said, get away with it.

Chelyabinsk might be the most polluted place on earth, because of an explosion in a nuclear-bomb-making factory in the 1950s that dumped radiation through its Ural Mountain river valley but was kept secret for decades. Monuments to Stalin's industrial push dominate the city of 1.2 million. During the Cold War, many residents lived well, working in state-of-the-art military installations that were so secret they were known only by their numbers. But since the collapse of the Soviet Union, the region has struggled and many residents have had trouble finding work comparable to what once was available.

Gorshkov and Ivanov grew up here, though they didn't know each other until they were adults. Gorshkov is described as outgoing, with a gift for talking people into anything. He graduated from the area's top school, Southern Ural State University, with a mechanical engineering degree. Unlike most of his urbanite peers, who favored clothes in black and gray, Gorshkov -- a thin, muscular guy with a chiseled face -- would occasionally shock friends by showing up at gatherings wearing orange and purple shirts.

Ivanov's life was more troubled. He left home at 16 and lived in a small fourth-floor apartment attached to the local prison. He is described as a computer whiz, having had the opportunity when he was very young to play with machines in the office of his mother, who is a history teacher. Ivanov briefly studied computers at Southern Ural State University, but he was kicked out after twice failing freshman exams, according to school officials.

[Photo caption: Children in Chelyabinsk play on an old tank. Since the collapse of the Soviet Union, many residents have had trouble finding work comparable to what once was available there. Pavel Smertin for The Washington Post]

Gorshkov's company and its Web site, known as tech.net.ru, were born in February 2000 when he quit his auto-parts job and struck out on his own, plunking down $40 for the first month's rent for Room No. 502 at the Chelyabinsk Textile Factory. It was a shoestring operation. Desks were built from scrap materials. The chairs were hand-me-downs from a Coca-Cola marketing campaign. But his programmers were first-class.

The first few months he was in business, Gorshkov negotiated contracts to build Web sites for two companies. But he did the work at a severely discounted price and it wasn't long before Gorshkov's money began to run out and Ivanov introduced him to a group called the Expert Group of Protection Against Hackers.

The group was made up of several dozen loosely affiliated hackers at any given time, 12 to 15 in Chelyabinsk and others in Russian cities including Moscow and St. Petersburg, though it is unclear how many people in all were involved. There were lots of good programmers scattered throughout the country, but very few good jobs for them. In Chelyabinsk, a programmer might earn $200 to $300 a month, but the jobs available were anything but the cutting-edge perches for programmers in the biotech, telecom and Internet companies in other countries. So some of them looked for other ways to put their skills to work.

[Photo caption: Gorshkov set up his Internet company in a textile factory. From there, he and his employees eventually hacked into U.S. Web sites. Pavel Smertin for The Washington Post]

The hackers typically worked in groups of twos and threes, according to U.S. law enforcement officials. Sometimes members knew each other only by their online aliases. Some did not know each other at all.

Each group or cell operated somewhat independently -- using its own methods and determining its own targets for online hacking -- but paid 30 percent of what it collected to a krisha, or "protector" whom no one was willing to identify. "I don't know and I don't want to know," said one person involved with the group.

Gorshkov suddenly found himself in a profitable business.

He, Ivanov and another programmer, Michael -- a 19-year-old Siberian and college classmate of Ivanov's -- were one cell. Each had a distinct role, Michael said. Gorshkov was the coordinator, Ivanov the hacker. Michael poked around the exposed computer systems, hunting for data that might be useful.

The tech.net.ru computers were meticulously organized to make the crimes as efficient as possible, investigators said. Each victim's information was kept in its own file; the hacking programs were placed in a folder labeled "badstuff."

At first, the target companies were chosen pretty much at random, said Michael, who is known online as Hermit and spoke on the condition that his real name not be used. They could be any e-commerce or banking companies that sounded like they had money.

Ivanov created a program that would search on Google for keywords such as "bank" or "casino" or "electronics" to find targets. They would then run potential victims through a program that scanned the companies' networks for known vulnerabilities.

The group had only one rule about choosing victims: Stay away from Russian businesses.

"You may go to jail and that's the best case," Michael said. "More likely, you'll be killed."

The main way they broke into corporate Web sites was through a well-known weakness in the widely used Microsoft Windows NT server software: often they only had to type in the vendor's default username and password, which the site's operators had never changed, and then, just like that, they were inside the network, said Kevin Mandia, a computer-security consultant who helped U.S. law enforcement agencies investigate Gorshkov and Ivanov. 

Their attacks were brazen. The hackers rarely bothered to cover their tracks. Mandia described their technique as akin to "storming a bank with a machine gun."

"You could take five months to plan a super-secret operation, but if your chances of getting caught were minimal why bother?" Mandia said.

The first contact between the hackers and their victims would typically be an e-mail sent to the company's chief executive or systems administrator. It was a form letter that Ivanov had shown to a lawyer to make sure it was legal under Russian law.

It was in rough but polite English. "Hello Mr.," it began. "We are a security consulting group specialized in banking and credit card services, big online shops, insurance companies. Due to our job we have to work on the territory that can't be controlled by U.S. authorities. Our government and laws are loyal to that kind of computer activities." It then listed the number and a description of insecure computers on the company network and offered their security services. The group typically signed off with an ominous warning: "YOUR SITE IS TOTALLY INSECURE!!!. It's not just bluff. Any user on the net can get ALL the personal information concerning any account."

[Photo caption: Russian hacker Alexey Ivanov. Federal Court Filings]

As later detailed in court documents, Ivanov would follow up with another e-mail, an online chat request or a phone call. He said he used stolen calling card numbers or commandeered satellite voice systems to talk leisurely with the cell's victims.

Ivanov was so bold he sometimes sent his résumé -- and even photos -- to prove that he was a serious security consultant. The documents listed his home phone number and detailed his previous experience, noting that he was an expert in a half-dozen computer languages and that he had a passport but needed "visa support."

The hackers asked for as little as a few hundred dollars from some start-ups and several hundred thousand dollars from corporations that sounded rich.

In an interview, Michael claimed that his group made as much as $500,000 during one nine-month period, much of it wired to accounts in the Russian Federation, Romania and Cyprus. U.S. authorities have only been able to account for about $10,000 of the extortion fees paid to the hackers. 

It's unclear how many of the tens of thousands of stolen credit card numbers Gorshkov and Ivanov used. The "Expert Group" traded files of credit card numbers with each other and with other associates and sold the information, prosecutors say, making it a difficult if not impossible task to assess who used them. A U.S. spot-check found that nearly 1,300 of the credit card numbers on tech.net.ru were used for fraudulent purchases in Canada, France, Guatemala, Israel and many other countries.

Reaction to the hackers varied widely among their victims. Some cursed them and others befriended them.

Speakeasy, a company that started as an Internet cafe and then expanded to offer network services to homes and businesses, was among the most troublesome. The company refused to pay up even after Ivanov threatened, deleted files and posted customer information on a Web site. In online chat, Max Chandler, a systems administrator for Speakeasy, was tough, telling Ivanov that hacking is illegal, according to court documents.

Ivanov was unmoved and typed in this response: "If you want put me to jail you never can do it because laws in my country is not work and my country don't have strong computer crime laws."

Later on in the conversation, however, Ivanov sounded almost child-like as he asked Chandler for career advice.

Ivanov: I need job only because I need money. Okay? . . . 

Ivanov: What name of companies where you have friends?

Chandler: Well, Microsoft of course . . . Amazon. . . . 

Ivanov: Hey hey. Cool company. I'm steal a lot of CD/DVD/books from Amazon. . . . Max, is it possible to get job in Microsoft or Amazon?

Chandler: Sure. They're hiring all the time.

Ivanov: I mean for me?

Chandler: Well, you need to send them a résumé but I can put a word for you in certain departments.

Ivanov: Okay. Please do it.

Some companies treated the extortion demands as regular business transactions. When Brian Miller, chief executive of Cambridge, Mass.-based Internet service provider Channel 1 Communications, heard from Ivanov about a breach in its computer systems, he concluded that it would be better to have Ivanov on his team than to fight with him. He wired $250 to an account that Ivanov provided and thanked him for his help.

"I had a lot of sympathy for him," Miller said. "He seemed like a bright kid who just wanted to make some money and get out of his country. I thought maybe he would move on to better things." 

Gorshkov, meanwhile, still believed he could get his legitimate business off the ground. He paid his programmers $150 a month to pursue projects that he hoped would change the way Russians use the Internet in the same way the Silicon Valley dot-coms were transforming American culture. One employee was working on a more robust e-mail filtering system. Another person was trying to set up an Internet dating service. Yet another person was programming an online auction site.

Two of Gorshkov's programmers, Maxim Semenov and Denis Bukarov, who U.S. authorities say were not involved in the extortion scheme, said they loved working for the company because of its ambition. Their boss encouraged them to spend part of their time tinkering with new technologies.

"It's a problem to find an interesting job like the one I had" at tech.net.ru, Bukarov said.

Michael said the hackers felt invincible, and in some ways they were. He described nights when none of the other programmers were around and the three of them would sit drinking vodka and singing songs. Ivanov loved tunes from old Russian movies and would begin to belt them out, off key. Gorshkov and Michael would join in.

The more happy and playful their mood, he said, the more generous they would be to their would-be victims.

Take the U.S.-based network administrator for a Singapore Internet service provider. Michael said he threatened to crash her system unless she paid up but she sounded so nice online that they felt bad about the whole thing. He told her that if she called up on the phone and sang "Happy Birthday" they would leave her alone. She did and he kept his promise to drop the extortion demand.

No one would say what the group did with all its money. To friends and relatives, the changes in the men's lifestyles were subtle. They apparently didn't splurge on lavish dinners or buy expensive clothes. Ivanov wore secondhand jeans and old scruffy boots, said his grandmother, Raisa Gorshkova, 73. "He even smoked very cheap brand of cigarettes. Nobody smokes these anymore."

Ivanov, though, bought a used car and a $1,000 cell phone. Gorshkov got an apartment for himself and his fiancee, Masha Milegova, whom he met on a trolley on the way home one night and who was pregnant with their first child.

The hackers also used the credit card numbers they had purloined from companies that refused to pay their fee. Once, they ordered 15 DVD players and had them delivered to a mailbox across the border in Kazakhstan, less than an hour from their homes. They also ordered music CDs, movies, laptops, cell and satellite phones and other electronics. They also abused the PayPal system to turn the stolen credit card numbers into cash by setting themselves up as seller and buyer in online auctions. (PayPal officials said they have since taken steps to reduce the chances that perpetrators of that type of scam will succeed.)

Later, in November 2000, Gorshkov threw a housewarming party for himself. One of the half-dozen or so close friends in attendance, a medical student named Yvgenia Peleskova, recalled that they drank beer and watched "Gone in 60 Seconds," a movie about ingenious car thieves who could break any lock, get past any alarm and never get caught.

Peleskova remembered that it was a "big hit" with the people in the room.

But while Gorshkov and Ivanov were laughing about their good fortune, they had become the target of a manhunt originating in America. Some of the companies the hackers thought were cooperating with them were actually working for the FBI.

Part II of the Series http://www.washingtonpost.com/wp-dyn/articles/A7774-2003May18.html
*******************************
CNET News.com
IRC operators may out-hack Fizzer 
By Robert Lemos 
May 16, 2003, 3:01 PM PT

Administrators of Internet relay chat networks believe they might be able to eradicate the Fizzer virus, but the methods may run them afoul of cybercrime laws, said a legal expert Friday. 

Several postings on an IRC-Security list debated the merits of trying to shut the computer virus down, and one operator, QuakeNet security team member Daniel Ferguson, warned that manipulating the worm could be illegal. Despite that, he believes that several IRC operators will likely attempt to shut down the computer viruses running on PCs connected to their networks. 

"You can't really blame them," Ferguson said. "When there is nothing else (they) can do to solve a problem like this, then they are left with little choice. The worms (and) trojans not only use their bandwidth, costing them money, but are a danger to the general IRC and Internet infrastructure."


Since Monday, Fizzer has been causing problems for IRC networks. The virus, which spreads mostly through e-mail but also through file-sharing service Kazaa, connects to a random chat network and awaits commands. The virus activity caused headaches for the operators of several smaller IRC networks, which typically haven't had to deal with such so-called IRC bots. 

Now the operators are finding ways to take out the program. Unknown members of the IRC-Security mailing list discovered that the virus can be crashed by typing a long string of characters into the chat room to which the program is connected. 

Another discovery was that the Fizzer virus goes to a specific Web address on Geocities daily to update itself with any code found there. No one had reserved that address, so one IRC operator did, and posted a program that would apparently cause the virus to uninstall itself. The code to uninstall the worm has been taken down, however, since initial tests determined that it wasn't working, according to posts on the IRC-Security list. 

Such measures are likely illegal under a technical reading of the Computer Fraud and Abuse Act, said Jennifer Granick, clinical director of Stanford Law School's Center for Internet and Society. 

"I think it definitely falls afoul of that statute," Granick said. "But I don't think it will be something that will be pursued, because that statute is overbroad." 

A member of the U.S. Department of Justice's Computer Crime and Intellectual Property Section refused to comment on the issue, so it's uncertain whether prosecutors would attempt to make a case against IRC operators acting in good faith. 

Sending commands that crash the worm could be legal, as long as shutting down the worm had no other effect on the victim's computer, Granick explained. In that case, the command in and of itself wouldn't be considered damaging code, one test for violations of the computer crime statute. 

"The worm is operating from the victim's computer," Granick said. "There is a justification for a strike back that stops an attack, but if it takes down the entire computer, then that would be a crime." 

Another part of the statute makes it illegal to exceed authorization on a computer across state lines, something that it could be argued the IRC operators are doing. The operators may be protected, however, if they can claim status as service providers. 

In any event, the network administrators aren't willing to stand idly by, said Ferguson. 

"The alternative is to do nothing and leave the bots to be used for whatever the owner sees fit."
*******************************
New York Times
Bush Online: Smiles, Spin and a Dog as Tour Guide
By ELISABETH BUMILLER

WASHINGTON -- One of the prominent features on the White House Web site this past week was an online chat with Eric Draper, George W. Bush's chief photographer. He revealed that while the president doesn't take the time to approve the photographs posted on the Web site, he is nonetheless "very interested" and always takes a look at a "photos of the week" book prepared especially for him. A few clicks away were gorgeous offerings of official White House pictures, many of them showing the president with men and women in uniform or grinning at cheery children.

A few more clicks and visitors could take a video tour of the White House cabinet room with Andrew H. Card Jr., the White House chief of staff, or see a picture of Ofelia, a pet longhorn on Mr. Bush's ranch in Crawford, Tex., or spin along in a 360-degree panoramic view of the chandelier and French mahogany furniture of the Blue Room.

Not least, there were also newsy-sounding items -- "President Bush Honors Military in Weekly Radio Address" was the lead article yesterday afternoon -- as well as an ominous-sounding analysis under the heading "Judicial Crisis." The accompanying article heatedly outlined the White House argument that the Senate had confirmed "only 53 percent" of the president's appeals court nominees, and that it had "a constitutional responsibility to hold an up or down vote on judicial nominees and to do so within a reasonable time after nomination."

This is www.whitehouse.gov, the latest political tool in a White House communications operation that is trying to reach over the heads of the traditional news media to get the president's message directly to the 133 million Americans now online. Once it was a no-frills government site with little to offer the general public -- Jimmy Orr, the director of White House Internet operations, refers to the Bush site's early days as the "stone age." It was equally rudimentary when it began in the Clinton administration. But now it has woofers and tweeters, with what Democrats would call heavy-duty propaganda mixed in with pictures of Barney, the presidential terrier.

Mr. Orr said that page views of the site have grown from an average of one million a day at the start of the administration to 13 million or 14 million a day now, with a record of 44 million page views on Sept. 11, 2001. 

The White House does not track actual visitors to the site, but Nielsen//NetRatings does and reports that last month 1.5 million people visited at least once. In April 2002, Nielsen reports, 1.2 million people visited the site, representing an increase over the last year of 25 percent. 

Admittedly, the White House Web site was no match for the most-visited government site in April. The Treasury Department, which includes irs.gov (no pictures of Mr. Bush and cheery children there), was No. 1 with 11 million visitors, according to Nielsen. The runner-up was the Department of Defense, with 9.3 million visitors. Popular news media sites include CNN.com, which Nielsen said had 26 million visitors in March 2003, and MSNBC.com, which had 24 million in the same period.

Unlike the other government sites, the White House site offers no services, just information about itself. "It is basically its own brand," said Max Heineman, a Nielsen//NetRatings spokesman. Nonetheless, he said, "I've noticed that it's pretty jam-packed with a lot of stuff."

Indeed it is, from video of Ari Fleischer's daily press briefings to a picture of Lynne Cheney at the White House Easter Egg Roll. Mr. Orr keeps the site updated all day long, treating it like a White House news service that offers the ultimate White House access and of course the ultimate White House spin. Mr. Orr runs live video of the president's major speeches, slaps up transcripts and "news" about daily developments, and makes sure that every public word the president has ever uttered can be located within seconds in a database.

In an effort to increase traffic, Mr. Orr has come up with the BarneyCam, a video tour of the White House Christmas decorations by the president's dog. More recently he instituted "Ask the White House," half-hour online chats with administration celebrities like Mr. Draper. The questions go through Mr. Orr, who insists he filters out only obscene e-mail queries, not tough ones.

Mr. Card, the chief of staff, provided the debut performance for "Ask the White House" and created some news when he said that he thought Saddam Hussein was dead. But for the most part, administration officials are no more forthcoming with regular citizens in "Ask the White House" than they are with reporters, and sometimes less.

When Lori from Corpus Christi asked Alberto R. Gonzales, the White House counsel, if he had found a good Tex-Mex restaurant in Washington (evidently not one of the tough ones Mr. Orr was letting through), he never named an establishment, saying only that he missed Texas and that he and his family "look forward to the day we can return to my beloved state. Go Astros!"

Mr. Orr said he had many plans for the site, including "Barney Goes to Crawford."
*******************************
CNET News.com
Open source in the stars for NASA? 
By Robert Lemos 
May 16, 2003, 3:51 PM PT

An analyst for NASA recommended in a recent paper that the agency move some software development to an open-source model. 

The paper, published in late April and featured on Slashdot on Friday, argues that developing software under open-source licenses will improve development, lead to better collaboration and enhance efficiency. 

"We recognize that some software, because of export control, ownership or commercialization concerns, may not be suitable for open source," Patrick Moran, a staff member of the National Aeronautics and Space Administration's Ames Research Center, said in the paper. "Nevertheless, we expect that many NASA projects would be appropriate for, and would greatly benefit from, an open-source distribution." 

The report is the latest to propose that government agencies more fully consider open-source software. Last October, nonprofit government contractor MITRE recommended that the government recognize the critical role that open-source software is already playing in both civilian and military agencies. 

That report found that open-source software "plays a more critical role in the (Department of Defense) than has been generally recognized" and argued that, if open source were banned, the military's information security would plummet and costs would rise sharply. 

In the most recent report, Moran notes that open-source software is easier to evaluate firsthand because the code is available. Moreover, an agency like NASA could step in and keep an open-source project alive, if necessary. Such a move would be difficult with proprietary software. 

"This is not to say releasing software open source magically means that programmers will step in when needed--many open-source projects die in obscurity--but when the technology is important enough...then the motivation will be there," Moran said. 

Moran also points out that the agency frequently creates software aimed at educators for use in the classroom--most of which must be cost-sensitive. 

In the end, the paper recommends that NASA consider the Mozilla Public License for that agency's open-source development initiatives, since the license is recognized by the Open Source Initiative, requires that derivative works also be open source (but not the same license) and was developed with input from legal and technical experts.
*******************************
Washington Post
Broadband Growth In Doubt, Study Hints 
57% of Respondents Are Uninterested 
By Yuki Noguchi
Monday, May 19, 2003; Page E05 

The number of people with high-speed Internet connections to their homes increased 50 percent in the 12 months ended March 31, but that rate of growth shows signs of slowing, according to a study on U.S. Internet usage by the Pew Internet & American Life Project.

Roughly 31 million Americans -- about 31 percent of whom use the Web at home -- access the Internet through cable modems, digital subscriber lines (DSL) or satellite dishes, according to the study, which surveyed 1,495 people in March and which was released yesterday. In less than three years, the number of people with high-speed connections increased fivefold, it said.

But there are indications that interest may be waning. In a survey done in October 2002, 57 percent of people who still access the Internet through dial-up lines said they had no interest in upgrading to a faster connection, even if they live in areas where it is available.

That could spell a business slowdown for providers of such high-speed, or "broadband," service.

Take Caryn Gottlieb, a lawyer who lives in the District and found both a job and a boyfriend over her dial-up connection. 

"It's slower, but it's not so much slower that it makes a difference," she said of dial-up service. She already pays more than $50 a month for cable service, and has monthly bills for other things such as cell phones. "When I saw the cost, I balked, frankly," she said of broadband.

Even if the cost drops, she's not likely to sign up. "For me, personally, I don't see the overall need."

There is still interest, however, among those who say they don't have easy access to high-speed service. The October 2002 study found that 61 percent of such dial-up users said they would subscribe to either a cable or DSL service if it were available.

Unlike South Korea or Canada, where nearly half the population has high-speed connections, the U.S. broadband market looks as though it may start to stall, said John B. Horrigan, senior researcher at the Pew project, and author of the study. 

"The biggest barrier is still availability," Horrigan said.

Price is another issue for some prospective customers, which is why Verizon Communications Inc. last week announced it will reduce prices for DSL service, a move that Horrigan said could spur cable companies to lower their prices, and stimulate more people to buy broadband. 

Most broadband users, about 21 million, get their service through a cable modem, compared with 9 million who have DSL at home. There are about 1.4 million satellite-Internet users in the United States.
*******************************
New York Times
May 19, 2003
Deal May Raise Napster From Online Ashes
By AMY HARMON

Napster, the online music service that unleashed an era of music piracy before filing for bankruptcy last year, may be about to make a legitimate comeback.

The Universal Music Group and Sony Music Entertainment are close to a deal to sell Pressplay, their joint online music service, to the company that bought Napster's name and assets last November at a bankruptcy auction, people close to the negotiations said. 

That company, Roxio, which is best known for its CD-recording software, would pay about $30 million, in cash and stock, for the Pressplay service under the terms of the proposed deal.

The value of such a deal would be harder to measure. Universal and Sony, which analysts say have each poured about $30 million into Pressplay, started the service three years ago in an effort to provide a legal alternative to the frenzy of unauthorized copying of digital music files that Napster pioneered. 

The record industry still blames Napster for promoting a cultural acceptance of online piracy that record companies say is largely responsible for a prolonged decline in CD sales. Just last week Universal filed a lawsuit against Bertelsmann for investing in Napster and thus enabling it to stay afloat for longer than it might have done otherwise.

But the Roxio deal would highlight how difficult it has been for Universal and Sony to attract customers to a service that critics say is hampered by restrictions intended to thwart piracy. Analysts say the three-year-old Pressplay, which charges a monthly fee of at least $9.95 for access to an online music library, has garnered fewer than 50,000 subscribers. The restrictions include limits on how many copies a customer can make of the songs he or she buys and, in some cases, the inability to transfer the music to a portable device. 

MusicNet, a similar online subscription service formed by the other three major record companies and RealNetworks Inc., has not fared much better. 

Record industry lawsuits forced Napster to shut down in July 2001, but millions of people every day use slightly different services that succeeded Napster as a way to copy music files online without paying for them. A federal judge in Los Angeles ruled recently that two of the file-swapping networks that became popular post-Napster -- Grokster and Morpheus -- were not illegal.

Industry executives said the successful introduction of Apple Computer's less-restrictive online service earlier this month helped persuade Universal and Sony that they needed to take a significant step to appeal to more customers. Apple's service, which allows users to download songs and copy them to CD's and portable devices, sold more than two million tracks in its first two weeks.

Under the proposed deal, which could be announced as early as today, Universal and Sony would take an equity stake in Roxio. Roxio would get access to more than 300,000 tracks from the music libraries of the major labels, and the Pressplay distribution system. 

Roxio, which hired Shawn Fanning, the founder of Napster, as an adviser earlier this year, is expected to revamp the service with some of Napster's technology and capitalize on the extraordinary name-recognition the Napster brand still enjoys. 

Executives at Universal, Sony, Roxio and Pressplay declined to comment.

"It's still clearly the most powerful name in online music," one person close to Roxio said of Napster, citing focus groups that showed a 98 percent awareness of Napster, compared with only about 12 percent for Pressplay.
*******************************
Federal Computer Week
Outsourcing popular internationally
BY Michael Hardy 
May 16, 2003

Outsourcing is an increasingly popular practice for governments around the world, according to a new study by Accenture.

The study examined 22 countries, including the United States, and found that while almost all of them are increasing their outsourcing activities, their definitions of outsourcing and the areas they are most likely to outsource vary widely.

For example, the U.S. government tends to define outsourcing as any job that a private-sector firm takes over from the government's workforce.

Some agencies also include new work that was never done by government employees. In the United Kingdom and Australia, government agencies use the term "outsourcing" when the private sector takes over a process or function, but not as often for short-term projects.

The study found that governments outsource to add value to their operations rather than to lower costs. Among the countries studied, 88 of the government officials who responded cited cost reduction as a reason, making it the seventh-ranked objective. Improving service speed or quality, gaining access to expertise and gaining access to new technology were the top three reasons cited.

Information technology applications comprised the most common area to be outsourced, with IT infrastructure and Web site design ranking second and third. Outsourcing of business processes, including human resources, supply chain management and training, is still relatively rare, Accenture found.

The study's findings are consistent with the observations of other groups. Alan Chvotkin, senior vice president at the Professional Services Council, identified several reasons that the U.S. government, and governments in general, would outsource.

"The government is trying to keep up with the rapid pace of technology, and a better way to do that is to acquire it, to have a vendor responsible for upgrades," he said. "The second is budget constraints. The third is workforce capabilities. The highly trained competent federal workforce, there are fewer and fewer of them, for various reasons."
*******************************
Federal Computer Week
NIST releases draft security standard
BY Diane Frank 
May 16, 2003

The National Institute of Standards and Technology's Computer Security Division today released the draft of a new Federal Information Processing Standard, FIPS 199, which dictates how agencies should categorize their systems based on the security risk faced by each.

The standard is the first step in several requirements generated by NIST under the Federal Information Security Management Act (FISMA) of 2002, all aimed at setting minimum security requirements for all government systems not related to national security.

The draft outlines three categories of risk, which are based on the potential impact of a breach in three areas: the confidentiality, integrity and availability of the information in the system.

NIST chose to focus on impact because every federal system faces some level of threat, and that threat changes every day, said Ed Roback, chief of the NIST Computer Security Division. Therefore, the most prudent path to follow is to base categorization on the potential harm to the agency and to the people whose information is stored in the system, he said.
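The categorization described above can be carried through as a worked example. The following Python is an added illustration, not code from NIST or from the draft standard, and it assumes details the article does not state: that the three categories are named LOW, MODERATE and HIGH (as in the final FIPS 199), that "not applicable" is permitted only for the confidentiality of public information, and that a system's category for each objective is the highest impact of any information type it handles, with the overall level being the high-water mark across the three objectives. The information types are constructed samples.

```python
"""FIPS 199-style security categorization (added example, not NIST's code).

Assumptions, none of which come from the article: impact levels are
LOW < MODERATE < HIGH; "N/A" is allowed only for confidentiality
(public information); a system takes, per objective, the highest impact
of any information type it processes; the system's overall level is the
high-water mark across confidentiality, integrity and availability.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List

# Ordering used for comparisons; "N/A" ranks below every real level.
LEVELS: Dict[str, int] = {"N/A": 0, "LOW": 1, "MODERATE": 2, "HIGH": 3}
OBJECTIVES = ("confidentiality", "integrity", "availability")


@dataclass(frozen=True)
class InfoType:
    """One information type with its impact level per security objective."""
    name: str
    confidentiality: str  # may be "N/A" for public information (assumption)
    integrity: str
    availability: str

    def impacts(self) -> Dict[str, str]:
        return {
            "confidentiality": self.confidentiality,
            "integrity": self.integrity,
            "availability": self.availability,
        }


def validate(info_type: InfoType) -> None:
    """Reject unknown levels and N/A outside confidentiality."""
    for objective, level in info_type.impacts().items():
        if level not in LEVELS:
            raise ValueError(f"{info_type.name}: unknown level {level!r}")
        if level == "N/A" and objective != "confidentiality":
            raise ValueError(
                f"{info_type.name}: N/A is only permitted for confidentiality"
            )


def categorize_system(info_types: Iterable[InfoType]) -> Dict[str, str]:
    """Per-objective maximum impact over all information types on the system."""
    types: List[InfoType] = list(info_types)
    if not types:
        raise ValueError("a system must process at least one information type")
    for info_type in types:
        validate(info_type)
    return {
        objective: max((t.impacts()[objective] for t in types),
                       key=LEVELS.__getitem__)
        for objective in OBJECTIVES
    }


def high_water_mark(security_category: Dict[str, str]) -> str:
    """Overall system level: the highest impact across the three objectives."""
    return max(security_category.values(), key=LEVELS.__getitem__)


def format_sc(security_category: Dict[str, str]) -> str:
    """Render in the SC = {(objective, impact), ...} notation."""
    pairs = ", ".join(f"({o}, {security_category[o]})" for o in OBJECTIVES)
    return "SC = {" + pairs + "}"


# Constructed sample information types for one hypothetical agency system.
SAMPLE_INFO_TYPES = [
    InfoType("public_notices", "N/A", "LOW", "LOW"),      # public web content
    InfoType("contract_data", "MODERATE", "MODERATE", "LOW"),
    InfoType("routine_admin", "LOW", "LOW", "LOW"),
]


if __name__ == "__main__":
    sc = categorize_system(SAMPLE_INFO_TYPES)
    print(format_sc(sc))
    print("overall (high-water mark):", high_water_mark(sc))
```

Because the per-objective maximum is taken independently, a single sensitive information type raises the whole system's category for that objective, which is why agencies inventory every information type a system handles before categorizing it.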

Comments on the draft are due within 90 days, and can be submitted to fips.comments@xxxxxxxxx

The next steps for NIST will be to issue guidance on how different types of information -- such as medical, judicial and geospatial -- align with the three categories, and to then set guidance for the minimum security steps to be taken based on the categories, Roback said.
*******************************
Federal Computer Week
DHS poised for mock terror attacks
BY Judi Hasson 
May 6, 2003

SAVANNAH, Ga. -- The information technology team at the Homeland Security Department (DHS) will be working around the clock next week to monitor an exercise simulating a terrorist attack on Seattle and Chicago, the department's chief information officer said today.

Steve Cooper said his team of top-level IT officials would be looking for any cybersecurity lapses and actions that should have been taken but were not.

"We'll be watching for lessons learned: Is there something we missed? Do we need to fill a gap?" he told Federal Computer Week at the semiannual CIO Summit, sponsored by FCW Media Group.

The five-day exercise, known as TopOff 2 (Top Officials 2), will begin May 12. It will include DHS and the State Department working in conjunction with federal, state, local and Canadian officials. The exercise will analyze the response to a terrorist attack.

The operation includes a sequence of events that would happen in a terrorist campaign with weapons of mass destruction. The operation will simulate a radiological device explosion in Seattle and a covert biological attack in Chicago, and evaluate how authorities respond to these incidents.

Some 25 agencies and the American Red Cross will be involved in the exercise, DHS Secretary Tom Ridge said May 5 in discussing the event.
*******************************
Government Computer News
05/16/03 
White House sets new policy on remote-sensing systems 
By Dawn S. Onley 

The White House has released a national policy governing the licensing and operation of remote-sensing space systems that are used to collect imagery and geospatial data. 

To address the government's increased need for and reliance on privately owned commercial space systems to protect national security, the U.S. Commercial Remote Sensing Space Policy stresses that private systems should be built to meet security standards set forth by the National Oceanic and Atmospheric Administration and the Defense Department. 

The policy, signed April 25 but released Tuesday, also spells out the levels of foreign access to U.S. commercial remote-sensing space capabilities, as well as government-to-government intelligence, and defense and foreign policy relationships involving remote sensing. The term remote-sensing space capabilities refers to spacecraft, ground stations, data links and associated command and control facilities. 

The policy also directs Defense Secretary Donald Rumsfeld and George J. Tenet, director of central intelligence, to: 

- Determine which needs for imagery and geospatial products and services can be met by commercial remote-sensing space capabilities 
- Communicate current and projected needs to the commercial remote-sensing space industry 
- Competitively outsource functions to commercial industry to fill imagery and geospatial needs 
- Give the National Imagery and Mapping Agency primary responsibility for acquiring and disseminating commercial remote-sensing space products and services for all national security requirements and, in consultation with the State Department, all foreign-policy requirements 

The policy places controls on the export of sensitive information or systems to foreign nations, saying that export of that information would be approved "only rarely on a case-by-case basis." 

The policy puts Secretary of State Colin Powell, Rumsfeld and Tenet in charge of maintaining a Sensitive Technology List that defines what's covered by the export controls. 

The White House issued the last commercial remote-sensing space policy in March 1994.
*******************************
Government Executive
May 16, 2003 
E-gov chief 'very happy' with progress on initiatives 
By Maureen Sirhal, National Journal's Technology Daily 

Electronic government is becoming a staple of the Bush administration's underlying agenda for transforming the federal government. But the work involves more than simply posting documents online. To Mark Forman, the first director of the new E-Government Office at the Office of Management and Budget, it is about fundamentally changing the way government functions and leveraging technology to enhance those operations. Forman recently talked with Maureen Sirhal of National Journal's Technology Daily. Here are excerpts of that interview: 


Q: Some people have criticized the various aspects of the 24 e-government initiatives, specifically Project Safecom -- which aims to make wireless public-safety systems able to communicate with each other -- and the e-authentication initiative, suggesting that they are lagging. What do you say in response? 


A: Well, first of all, I'm very happy with the progress of not just the 24 e-government initiatives but the whole expanding e-government President's Management Agenda initiative. I look at some of these metrics -- for example, the Nielsen NetRatings that's now tracking the federal government usage. In [January] over 49 percent of American businesses were online with us. ...That's a real milestone for us. I look at how we restructured Firstgov.gov to be more citizen-friendly and [require just] three clicks to service. ... Last year we had 37 million users, and that's an awful lot of citizens. ... 


Safecom, I'm very comfortable now with this, the way it is being integrated into the Department of Homeland Security. ... The big change for us continues to be the need for voice and data as opposed to just a voice-radio system. ... So, the next step ... is [to determine] what are the requirements for voice and data in those interactive public-safety wireless devices. 


Q: How much money has been allocated by the federal government for cybersecurity in fiscal 2003?

A: In 2003, $4.2 billion. That's for our internal cybersecurity. There's more money than that for external. ... And that's a huge jump. I believe it was $2.5 [billion] in [fiscal 2002]. 


Q: How do you work with the Bush administration's cybersecurity adviser, Howard Schmidt? How will that role be filled when he leaves? 


A: I can't talk too much about how it will be filled when he leaves or how the effect will be, but I can tell you how we've been operating, and a lot of this will obviously be made public as details are fleshed out. 


The director of OMB is responsible for federal agency IT security. ... NIST, the National Institute for Standards and Technology, defines the technology standards. OMB issues the guidance and we do the follow up. ... Basically, we had to say what percentage of the systems are secured now that need to be properly secured. We're around 60 [percent], and we need to be 80 [percent] by the end of this year. ... We've made terrific progress, but we're not done. 


The second prong is to be able to respond to vulnerability and threats within 24 hours. We need an instant-response capability. One of the things that was set up ... was the [Cyber Warning Information Network]. ... As it turns out, most of the cyberthreats attack the WhiteHouse.gov Web site. ... [P]eople use that as a virtual attack on the president. And so I get early alerts, we then alert the [federal chief information officer], and we've got the cycle time [from] the CIO council [to the Federal Computer Incident Response Center] down to 90 minutes or less. ... We've been able to make it work in as fast as 24 hours. 


Q: Do you need more of a focal point within OMB on cybersecurity, the way you would on privacy? 


A: We have three times the amount of people working on cybersecurity than we do on privacy. Both are major initiatives. We have a management philosophy difference in the center. My view on this is that cybersecurity has to be integrated with an architectural one. The way you address [cyber] vulnerabilities is with systems architecture and systems operators who can manage the architecture. ... We have to get the cybersecurity folks with the people who are managing the infrastructure; otherwise, you get ... people in the cybersecurity arena crying that the sky is falling because they are not in charge. And that doesn't help us. 


Q: What has OMB done on "open source" software? 


A: Federal agencies have invested a lot in the open-source capabilities ... [especially] at the mid-tier [computer]-server level. The issue for us is cost. A lot of people say you have to use open source because it's free, but the operations and support cost is not free for open source. ... I don't see us saying we're not going to use open source, and I don't see us saying we must use open source. Our policy is to use it where it is appropriate, and we are seeing that play out with a fairly growing demand ... in servers. 


Q: How confident are you that companies without a big presence in Washington are going to have a chance to get at the e-government information technology pie? 


A: I want to encourage them to come and engage in the competition. We have to get more value for the $58 billion that we are spending, and we are going to have to get a lot more people given the dramatic increase over the last couple years in IT spending. If we don't put in more people, we end up paying more per hour, which I don't think is a good deal for the taxpayers. So we're looking for ways to pull people in, but by the same token, the vendors have to understand that the government doesn't do a good job being the integrator. We need to be a solutions buyer.


Q: Does that mean companies need to go out and get the subcontractors together and come to you and say this is what we've got? 


A: It depends. It's hard to talk in generalities, but what it means is that when new companies come in the marketplace, they should be looking at the IT data that we put up with the budget. What are the agencies buying? What are some of the performance measures they are looking at? Vendors should come in understanding that we're a fairly intelligent customer but that in some ways it is difficult for us to deal with new ideas unless somebody can relay how the new idea affects our needs. 


Q: Where is the clearinghouse for new innovative e-government technology? 


A: The marketplace. I don't believe the government can create a clearinghouse per se. Everybody has to do market research. ... [W]e're becoming smarter about how we do market research. But the bottom line is we have to do a better job at identifying our requirements. That's why I maintain an open-door policy. Virtually all the [agency] CIOs maintain an open-door policy for ideas. But the other thing that we're doing is making out requirements that are known. 
*******************************
Government Executive
May 16, 2003 
Defense, Homeland officials seek bids on security devices 
By William New, National Journal's Technology Daily 

Homeland Security and Defense department officials on a Friday panel discussed the development and acquisition of transportation security technologies.

Jeffrey David, a deputy Defense director for anti-terrorism technology, announced that the Homeland Security Technical Support Working Group has issued a new call for ideas on explosives-detection equipment.

The solicitation is posted on a working group Web site. The department is seeking devices for chemical, biological, radiological and nuclear countermeasures. Such requests generally get a large response, with the last one generating about 12,000 submissions. Of the thousands of one-page bids, only a few ultimately will be funded. The bid request contains 50 requirements, including that proposals include a secure, authenticated mobile-communications system and an improved mass-transit surveillance and early-warning system.

David said cybersecurity is important to every agency. "Almost everyone's worried about that, and should be," he said. "It's a serious problem." But he said the biggest goal of the agency is to find a technology that can detect bombs and other threats from a distance.

Sergio Magistri, president and CEO of InVision Technologies, described his company's detection equipment, which is ubiquitous in airports. He said his company's goal of the future is to develop detection equipment that is not seen by those it is scanning. 

Lyle Malotky, chief scientific adviser at the Transportation Security Administration's Office of Security Technology, also named distant, transparent detection as a top goal of his office's Atlantic City, N.J.-based laboratory. The Defense Advanced Research Projects Agency has been given the task of identifying scientific endeavors that have the greatest possibility of solving the distance problem. 

The Atlantic City lab has invested about $250 million in research in recent years, Malotky said. Still, he predicted that the development of new technologies would be slow. "I would expect [it] to be evolutionary rather than revolutionary," he said. 

He also noted barriers such as privacy issues. A full-body scanner, for example, can show gender-specific body parts, which the public may not be ready for, he said. "The real obstacle to deployment of this technology is the privacy issue." 

The lab has about 70 scientists and engineers, he said, but he could not predict how it would work with scientists and engineers of Homeland Security's science and technology directorate. "What's going to happen under Homeland Security is very much up in the air," Malotky said.

He said after the panel discussion that his lab would be "a child organization to what's going to be happening" at Homeland Security.

At an earlier session, Deborah Wince-Smith, president of the Council on Competitiveness, said one vulnerability that could lead to requirements is software patching. 

Randall Kroszner, member of the President's Council of Economic Advisors, said the White House prefers that the private sector take the lead on security measures, but if it does not, steps will have to be mandated. 

David Wyss, chief economist at Standard and Poor's, said it is difficult to apply cost-benefit analysis to security because it is based on the probabilities of a terrorist attack. 
*******************************
Computerworld
Giuliani, Netanyahu and Woolsey speak out on terror and technology
The three men warned of the dangers of inaction 
By DAN VERTON 
MAY 16, 2003

In a series of speeches this week, two well-known political figures and a former CIA director warned of the dangers of inaction and lack of preparedness when it comes to cyberterrorism and homeland security. 

"We're in a very dangerous century. The power of the few to terrorize the many has grown by leaps and bounds precisely because of technology," former Israeli Prime Minister Benjamin Netanyahu said during an interview broadcast Tuesday as part of the Terror and Technology Online conference, sponsored by IDPartners LLC. 

"A few people can deliver a lot of damage," said Netanyahu, referring specifically to the threat of cyberterrorism, or the ability of international terrorist organizations to physically destroy key cyberbased infrastructures or attack those infrastructures using the Internet. 

When asked what can be done to meet the threat, Netanyahu's answer offered a stark contrast to the current thinking by the Bush administration, which has been committed to a nonregulatory approach to cybersecurity and critical-infrastructure protection in the private sector. "The only way you can deal with it is through security systems and security norms that are enforced by governments," said Netanyahu. 

Although he didn't address the specific roles of government and private sector, former CIA Director R. James Woolsey, now a vice president with the Global Strategic Security practice of Booz Allen Hamilton Inc. in McLean, Va., said networks and systems that play a role in homeland security will have to be designed in a fundamentally different way in the future. 

The networks and systems that power the U.S. economy "were put together by businesspeople ... with an eye toward openness and ease of access, and were not put together with a single thought in most cases ... to terrorism," said Woolsey. 

"All of the networks that serve us have the functional equivalent of flimsy cockpit doors," he said, making a reference to the ease with which terrorists were able to enter and take over the cockpits of four commercial airliners on Sept. 11, 2001. "They have things that need to be fixed so that they cannot be taken over and used to kill thousands of people. This is a matter of some urgency." 

Speaking at an invitation-only dinner reception sponsored by The McGraw-Hill Cos. on Wednesday in Arlington, Va., former New York Mayor Rudolph Giuliani urged the government and the private sector to "prepare relentlessly" for the full spectrum of possible terrorist attacks. 

"Recognize it, accept it, deal with it and make the changes that are necessary so that we provide appropriate security," said Giuliani. "Private institutions have to do some of this themselves. Security planning is vital now as a mission for private organizations." 

According to Giuliani, the businesses located in and around the World Trade Center that had developed and exercised disaster plans were the ones that survived the attacks. "Those that had business continuity plans so that they had a backup for the systems that went down at the site of the World Trade Center were able to resume business that day or the next day and not have a significant interruption and a major economic catastrophe," he said. 

"We should plan for all the things that we can anticipate," said Giuliani. "The terrorists that we are facing will attempt to do the unanticipated again. And the only way you can deal with the unanticipated is to prepare for everything you can think of." 

As an example, Giuliani pointed to a system called the Syndromic Surveillance System, a symptom-monitoring system that the City of New York had developed in 1996 -- five years before the recent series of anthrax attacks conducted through the mail. 

"When the anthrax attacks took place, I was able to go back through the syndromic surveillance report, and I could see that we didn't have an epidemic," said Giuliani. "The country needs [that type of capability] now. We need to create systems to collect this information and do the best we can to anticipate an attack." 

For Netanyahu, however, technology development is not the reason that he remains optimistic about the outcome of the war on terrorism. "I don't think that technology is what makes me optimistic," he said. "The presence of will in free societies to defeat terrorism is what makes me optimistic. Technology without will is meaningless." 
*******************************
Washington Post
More Jobs Than Security Clearances 
By Amy Joyce
Monday, May 19, 2003; Page E01 

As the technology downturn accelerated in October 2000, WamNet Government Services Inc. in Herndon received some great news: It won a seven-year, $7 billion subcontract from Electronic Data Systems Corp. to help design, build and operate the Navy and Marine Corps intranet. 

The only problem was that the 20-person company would have to hire more than 700 new employees, all with security clearances. 

That job is proving to be as much of a challenge as creating a secure intranet for the military. 

"It's a daunting task for a small firm," said Michael J. Barbee, WamNet's president, who will be constantly searching for more qualified employees until the seven-year contract is complete. 

With the demands created by the federal effort to improve homeland security, the worldwide war on terrorism, and the need to lock down even the most ordinary government offices, more employers than ever are looking for recruits who already have federal clearances. But just as during the dot-com recruiting boom of the late 1990s, government, technical and defense firms now are aggressively seeking and competing against each other for qualified candidates. "There's a huge shortage, and there's a backlog of people waiting to get their clearances," said Palmer Suk, president of Snelling Personnel Services, a recruiting firm in Vienna. "I'd say we have a need every moment for those types of people. If I have the top security-cleared people, it would be a matter of a handful of phone calls before you have an interview set up for them. Demand is so much higher than supply."

But there's a Catch-22 quality to the hot job market. To get hired, you have to have clearance. To get clearance, you have to be hired. The conundrum is as tricky for employers as employees. Here's how it works:

An applicant for a federal security clearance, whether confidential, secret, top secret or sensitive, must already be employed at a government agency or contractor.

The employer files paperwork that states the background check will be performed, and then sends it on to be processed and adjudicated. The procedure can take several months to a year, depending on the level of clearance and the length of the backlog. Currently, there are 237,816 security clearance applications pending at the Defense Security Service, the agency that handles clearances. 

Some employees at WamNet are hired as clearable, but do not yet have clearance. Those employees work on assignments that do not need security clearances, until their paperwork goes through. 

The number of clearances has gone up substantially since Sept. 11, 2001. Many clearances are held by the military. But there were 107,513 requests for clearances from industry from October 2000 through September 2001. That increased by about 40,000 the next year. The number of requests from October 2002 to April 2003 was 86,727.

The attempt to find cleared workers for companies so desperate for them is "a shell game," Suk said. Even if a company successfully hires an employee with the proper clearances, it's likely that person left another company that will have to fill a clearance-required job.

So companies are getting creative. Some, like Northrop Grumman Corp., are starting a practice of acquiring smaller companies that are filled with cleared employees.

"When they buy that company, they buy that capability," said Bruce Phinney, a vice president who runs the critical infrastructure practice with search firm Paul-Tittle Search Group in McLean. 

Companies are hiring search firms to seek out the right employees, and offering bonuses to those employees who refer a friend with the right clearance. Other companies hire employees with minimal clearance, with the hopes of getting them clearance at the higher level that the employer really needs. 

Much like the companies that tried to make up for lost business when the tech boom went bust, search firms have begun to focus extensively on government contracts and clearances. Paul-Tittle has been in business since 1974, with a major focus on the commercial sector. With jobless rates reaching 6 percent, there are plenty of clients. But, Phinney added, the "tremendous backlog" for security clearances is what is keeping employers from good employees.

"Corporations are clamoring to get people of this ilk. It's not that they're not out there, it's just cumbersome," Phinney said.

WamNet, founded in 1994 as a wholly owned subsidiary of WamNet Inc. in Eagan, Minn., was formed to handle networks for federal agencies. WamNet's job now is to network the infrastructure for about 310,000 computers on 300 Navy and Marine bases. 

WamNet doubled in size last year. The company needs to have about 420 people in place for the contract at the end of this year, and it is about halfway there. But the hiring is done in small numbers: January brought 35 new employees, 50 came on board in February, 79 arrived in March, 72 in April, and 22 thus far in May. 

Barbee said the company was and still is on a constant search for Cisco-certified network engineers. Which, said Barbee, is a "pretty small community. And put security clearance on top of that, it's even smaller."

Ten percent of WamNet's new hires are military, who already have clearances. The company is recruiting as much as possible in and around military organizations, job fairs and in military publications. But once the wars in Afghanistan and then Iraq started, those who were set to retire and perhaps think about a job at a place like WamNet were pulled back into the service. 

John Heller, program manager in charge of the ramp-up, decided at the beginning of the year that WamNet needed to hire professional recruiters. The company started with three this year, and now has eight. Heller himself was hired to work on the new hiring. Every day, Heller checks in with the recruiters for a count of hires, potential hires and new résumés. 

The biggest source of new employees comes through Internet job sites such as Monster.com and HotJobs. Those and other job sites are relatively simple to search for the right employees, because résumés that mention security clearances are easy for a recruiter to find. 

The other huge source of employees is through personal references. When one person is hired, he or she usually has a friend or two who also are cleared and may be interested in a new contract. To encourage those personal referrals, employees can earn $2,000 to $3,000 for each referral that is hired at WamNet. "That gets a buzz in the company because that's real money," said Barbee. 

And because of the need to attract and retain good employees, the firm is willing to change itself. Barbee said once candidates started to turn down offers, company officials began to ask why. They realized they were losing candidates because they did not offer to match employees' 401(k) retirement plan contributions. "I thought we were too small for that," he said. 

Instead, the company looked at its benefits, and decided some needed to be enhanced. 

Heller said the company gets 20 to 100 résumés for any position. But once candidates are screened, there are usually just one or two who end up being "very qualified." 

On what was a typical day in early spring, Heller sat in on a conference call with WamNet recruiters in Minnesota. When a new base that needs to be hooked up to the intranet comes online, new jobs open up. This day, the recruiters chatted about the Norfolk Network Operations Center, and how many jobs were open, how many offers went out, and how many new résumés had come to their attention. 

The company had 180 positions open that particular day, 18 at the operations center. The best news from the meeting was that eight offers were out to potential hires for the center. 

"This is a much bigger task than anyone anticipated," Barbee said. 
*******************************
USA Today
IBM in first deal to supply digital police cameras

SAN FRANCISCO (Reuters) - Police in Yakima, Washington, are installing a first-of-its-kind system of computers in cruisers designed to record and store pictures of every encounter they have that is likely to end up in court, everything from traffic stops to high-speed chases.

Under the deal announced Thursday by the company, IBM will install the "in car" digital video systems in 32 cruisers for the Yakima police department.

The price tag is $463,000, said Yakima Police Captain Jeff Schneider.

While police departments around the nation have equipped their cruisers with camera systems to provide evidence in arrests and to protect themselves from lawsuits, IBM said it believed that the Yakima system was the first to use computers to record and store such data.

Local and national law enforcement have increased spending on surveillance since the attacks of Sept. 11, 2001, helping technology providers at a time when other technology companies are suffering from corporate spending cutbacks amid a broader economic downturn.

IBM said it has pilot programs for its digital system with seven other police departments across the country.

Yakima officers will plug a portable hard drive into a computer mounted in between the front seats of a patrol car. A microphone and a bi-directional camera mounted on the visor will record continuously, but will save only 3 minutes to 4 minutes at a time, Schneider said.

When the officer turns on the "pursue" lights on the top of the car, the system automatically saves and stores the last few minutes and whatever comes next, until the system is turned off, he said.

Unlike analog video recording systems, which usually aren't turned on until after a violation has occurred, the digital system allows police to capture the events leading up to then, potentially recording the alleged infraction, according to Schneider.

"We are under a little heat on the racial profiling issue," he said. "That's one of the driving forces behind this type of thing and why prerecording is so important."

A microphone on the officer's belt allows officers to record conversations from outside of the car, as well.

Once the shift is done, the officer takes the hard drive to the police headquarters and uploads all the stored data to a central server, which is capable of storing 3.5 terabytes of data, roughly equal to 800,000 full-length novels, IBM said.

Under Washington law, officers are required to inform people that they are being recorded, Schneider said.

The Seal Beach police department in California is using Cisco Systems equipment to remotely monitor, from inside a cruiser, video feeds from a local bank and plans to put small wireless video cameras on officers' lapels.
*******************************
Los Angeles Times
The scent of an illness
A device that identifies chemical 'signatures' is being used to diagnose diseases.
By Jane E. Allen
May 19, 2003

Just as the human nose interprets a whiff of smoke as a warning of fire, electronic noses can detect the unique "scent signatures" of diseases, from bacterial infections to lung cancer. 

Consisting of arrays of chemical sensors, these high-tech noses distinguish the breath, urine and blood of the sick from those of the healthy. Most devices are still in the experimental stages, with some being tested on patients with suspected pneumonia and other lung diseases, sinus infections, diabetes and cancer. The technology could screen and diagnose diseases and monitor any recurrence right in the doctor's office or at the patient's bedside.

"What you're seeing is the emergence of the technology to be a diagnostic tool," said Steve Sunshine, chief executive of Cyrano Sciences in Pasadena, which makes an electronic nose undergoing tests at several medical centers.

The practice of diagnosing illness through breath smells dates at least to Roman times, when doctors called the musky breath of kidney failure patients fetor hepaticus. Doctors today liken the distinctive breath of diabetics with dangerously high blood sugar to the scent of a popular brand of chewing gum.

In the last few decades, scientists worldwide have been developing ways to detect the chemical signatures of food spoilage, pollution and biological attacks, and several teams have been zeroing in on medical applications. Because diseases create distinct changes in the gases we exhale and in the gases emitted by bacteria infecting our blood and urine, electronic noses can be programmed to sense their chemical signatures.

So far, only one electronic nose has been approved in this country for commercial use. In November 2001, the U.S. Food and Drug Administration said Osmetech of Crewe, England, could market the Osmetech Microbial Analyser for detecting the urinary tract infections that plague millions of Americans each year. The device, based on technology developed at the University of Manchester, analyzes gases from bacteria in urine within hours; bacterial cultures take days.

In January of this year, Osmetech announced that the device had also been approved for diagnosis of bacterial vaginosis. Using vaginal fluids, it distinguishes bacterial vaginosis, an infection linked to miscarriage and premature delivery, from other common vaginal infections. 

A team of Caltech researchers was among pioneers of electronic noses. Its device uses chemical sensors made of special polymers, which change electrical resistance when they come into contact with gases. Computers identify the gases by the patterns of electrical changes. The team has formed Cyrano Sciences Inc., which pairs chemical sensing and interpretation in an $8,000 device dubbed Cyranose, named after Edmond Rostand's "Cyrano de Bergerac," the 1897 play about a character with an enormous nose. Sunshine said his company is about a year from seeking FDA approval to market its device for medical purposes.

On Sunday, researchers from the Cleveland Clinic reported at the American Thoracic Society meeting in Seattle that the Cyranose had differentiated the breath of 14 lung cancer patients from that of 20 healthy people and 25 patients with other lung ailments. (Their presentation followed a May 10 report in New Scientist magazine that an electronic nose developed at the University of Rome accurately picked out 35 cases of lung cancer from among a group of 60 hospital patients and was easier on patients than bronchoscopy, which involves inserting a lighted tube into the lungs). 

Electronic noses have also shown great promise in screening for pneumonia. Last November, researchers at the University of Pennsylvania reported that Cyranose accurately and quickly detected pneumonia cases when used on 415 critical-care patients on ventilators. The device speeds treatment by distinguishing quickly between viral and bacterial pneumonia.

"It will save money by preventing unnecessary prescription of antibiotics and by catching the disease earlier in its course," said lead author Dr. C. William Hanson III, a Penn anesthesia professor who said he foresees using the device more widely in a year or two. He said Cyranose could reduce unnecessary antibiotic use that contributes to resistance. 

In other studies, Dr. Erica Thaler, an ear, nose and throat specialist at Penn, has used Cyranose to pinpoint which cases of sinusitis require antibiotics. She also has found that the device can distinguish between drainage of normal nasal fluids and the dangerous leakage of spinal fluid, which requires immediate attention.
*******************************