
Clips June 4-5, 2003



ARTICLES

Davis Backs Privacy Measure[CA]
Supreme Court rules in copyrights dispute 
Age Limit for Violent Video Games Struck Down
CIA backing image-search software 
Broadband Internet Use Has Its Risks, Study Finds
Request Rejected in Music Download Case
Congressional scrutiny of Homeland official steps up
Girls Teach Teen Cyber Gab to FBI Agents 
Downer backs biometric passports
Pentagon launches Internet voting effort for overseas Americans 
How PKI Works
U.S. VISIT system on fast track 
Army awards General Dynamics $2 billion contract 
Metallica's MP3 Conversion 
DOD getting GIG together
Software builds 'virtual armories'
Better data sharing key to fighting terrorism, former CIA boss says 
PKI momentum builds, program manager says 
Online security clearance forms on track for June debut 
Computer security officials discount chances of 'digital Pearl Harbor' 

*******************************
Los Angeles Times
Davis Backs Privacy Measure
The bill would limit firms' ability to sell consumers' personal financial information.
By Gregg Jones
June 4, 2003

SACRAMENTO -- After ducking three years of legislative debate on financial privacy, Gov. Gray Davis waded into the fray Tuesday by endorsing a bill that would sharply limit the ability of banks and insurance companies to sell their customers' personal financial information.

Davis announced his support for SB 1 by state Sen. Jackie Speier (D-Hillsborough) as the legislation faces a key Assembly vote Monday. The bill, which won Senate approval in March, died in the Assembly last year amid intense industry opposition.

"I believe this bill is properly balanced," Davis said at a Capitol news conference. "It affords legitimate consumer rights to the citizens of this state and still allows commerce to be conducted in an open fashion."

Consumer advocates agreed, even with amendments demanded by Davis, which would limit some of the restrictions Speier sought to impose on companies. 

"Today is a good day for California consumers," said Consumers Union policy analyst Shelley Curran.

The California debate over consumer privacy is being watched closely by financial institutions, members of Congress and state lawmakers across the country, consumer advocates said. 

Speier described the governor's support as critical as the fight over financial privacy heats up before the Assembly's Banking and Finance Committee hearing Monday.

Both Davis and Speier predicted a tough fight in the Assembly, where the bill last year fell three votes short of the 41 needed for passage after banking and insurance firms hired dozens of lobbyists to pressure lawmakers.

Business groups on Tuesday continued to voice concerns with the amended bill.

"I think that they've made some progress in the bill," said Fred Main, senior vice president of the California Chamber of Commerce. "Whether they've made enough, that's what we're trying to think about."

Main, however, conceded that the governor's public support "makes it more likely that the bill gets to his desk."

Public opinion polls show strong support for restrictions on the use of personal financial information, which includes the sale of such information as Social Security numbers, income and bank account balances.

The Consumers Union and other groups are gathering signatures for a March 2004 ballot initiative aimed at restricting the trade in personal financial information, in the event that the Legislature fails once again to act. With the fate of the Speier bill uncertain in the Assembly, Davis urged initiative supporters to continue gathering signatures.

Seeking Support

For Davis, the decision to embrace a major bill still pending in the Legislature -- something he does sparingly -- comes as he attempts to shore up flagging popular support in the face of a Republican-led effort to remove him from office. Davis downplayed the timing of Tuesday's announcement, saying there was "no grand strategy" but rather that he and Speier had worked out some of their differences.

In fact, while Davis has avoided taking a public position on the Speier bill over the last three years, senior aides have been engaged in lengthy negotiations with the senator and her staff. The governor's support was sealed with Speier's agreement to accept amendments that will continue to allow companies to share personal financial information with their affiliated companies, with notable restrictions, Davis and Speier aides said.

Speier praised Davis for risking the anger of business groups by announcing his support and pledging to throw the weight of his office behind SB 1 in the Assembly.

"It's been a day I've been hoping for for a very long time," said Speier, with Davis standing beside her. "It takes a lot of guts to do what [Davis] is doing here today."



Under the amendments accepted by Speier, which will be made public today, financial institutions still would be able to share personal financial information with affiliated companies if they meet four tests: the affiliated firm is a wholly owned subsidiary; the company is in the same line of business; it bears the same brand name; and it is regulated by the same government entity.

This would allow State Farm's automobile insurance subsidiary, for example, to share information with its homeowners insurance subsidiary without giving consumers the right to block the transfer of that information. But State Farm's insurance subsidiaries would have to seek consumer approval to transfer personal financial information to its banking arm or other subsidiaries in different lines of business, a Speier aide said.

The sale or transfer of medical information still would be subject to consumer approval under the amended bill, the aide said.

"We still are concerned that the language doesn't go far enough on the affiliate sharing," said Main.

Still, he added, "we think we can get a workable, reasonable bill."

Companies caught mishandling information could be fined $2,500 per customer and up to $500,000 for mass violations unless the offenses were deliberate -- in which case there would be no limit. If an incident results in the theft of a consumer's identity, penalties would double. 

Davis defended the amended bill as practical and said it "does not disrupt the information-age economy," as some opponents charge. 

"Californians don't want their private, personal information bought and traded like baseball cards," he said. "This measure will allow consumers to have much more control over their bank accounts, their spending habits and their personal financial information."

Related Bill Pending

Another Senate bill on consumer privacy is pending in the Assembly. SB 27, by Sen. Liz Figueroa (D-Fremont), would require businesses to reveal the source and nature of personal financial information they have on a customer. 

The Speier bill seeks to give consumers control over the use and sharing of their personal financial information, going well beyond federal law. All financial institutions would be required to send a form to customers every year in which consumers would be allowed to deny a company the right to sell or otherwise share that information, except in the case of affiliated companies covered by the amendments.

Last week, in a preemptive strike against pending changes in financial privacy laws, lawyers for Bank of America Corp. and Wells Fargo & Co. asked an Oakland federal judge to prevent local governments from restricting banks from sharing customers' information with telemarketers. The banks are challenging financial privacy measures passed by Daly City, San Mateo County and Contra Costa County that are set to take effect Sept. 1.
*******************************
USA Today
Supreme Court rules in copyrights dispute 
By Joan Biskupic USA TODAY
June 4, 2003

WASHINGTON -- Justice Antonin Scalia turned a dispute over whether a video company wrongly copied vintage World War II footage into a lively affair Monday by invoking Bizet's Carmen and cola wars.
The Supreme Court ruled 8-0 that U.S. trademark law does not prevent unaccredited copying of a work after the copyright has expired. The ruling voids a judgment against Dastar Corp. for repackaging and selling the footage without crediting 20th Century Fox. The footage was first used by Fox in the 1949 TV series Crusade in Europe, which was based on Gen. Dwight Eisenhower's book.

Monday's decision gives individuals wide latitude to use materials not covered by copyright law. And it makes clear that once a work has lost its copyright protection, it generally cannot be shielded by a trademark statute known as the Lanham Act.

The Lanham Act was designed to protect consumers from confusion about a product's source. Lower courts had ruled that the substantial copying of an earlier work without credit necessarily misleads the public.

Scalia, writing for the court, said that judges had interpreted too broadly the act's coverage for original works and that requiring attribution of uncopyrighted materials could pose serious practical problems: "A video of the MGM film Carmen Jones, after its copyright has expired, would presumably require attribution not just to MGM, but to Oscar Hammerstein II (who wrote the musical on which the film was based), to Georges Bizet (who wrote the opera on which the musical was based), and to Prosper Mérimée (who wrote the novel on which the opera was based)."

Scalia said determining origin in the Dastar case is tricky, too, because the footage first came from military and other battleground sources. He said that when Dastar took the tapes of the original Crusade series and edited them into its own set called World War II Campaigns in Europe, Dastar became the "origin" of the product sold, under the terms of the Lanham Act.

"It forbids, for example, the Coca-Cola Co.'s passing off its product as Pepsi-Cola," Scalia wrote. "But the brand-loyal consumer who prefers (one cola over the other) ... surely does not necessarily believe that that company was ... the very first to devise the formula." He said consumers do not automatically assume that the brand-name company is the same entity that came up with the idea for the product.

Justice Stephen Breyer did not participate; his brother, U.S. District Judge Charles Breyer, was involved in an earlier phase of the case.

USACM signed a Brief in this case, see: http://www.acm.org/usacm/Briefs/DastarCorpBrief.htm
*******************************
Los Angeles Times
Age Limit for Violent Video Games Struck Down
 From Bloomberg News
June 4, 2003
A federal appeals court Tuesday threw out a Missouri county's ban on the sale of violent video games to minors, siding with the video game industry by ruling that the law violates the U.S. Constitution. 

The Interactive Digital Software Assn., which represents video game companies including Take-Two Interactive Software Inc. and Electronic Arts Inc., argued that the video game industry has the same rights to free speech as filmmakers and publishers. 

"There is no justification for disqualifying video games as speech simply because they are constructed to be interactive," wrote Judge Morris Sheppard Arnold for the U.S. 8th Circuit Court of Appeals in St. Louis. 

The St. Louis County law made it illegal for anyone to knowingly sell, rent or make available graphically violent video games to minors without the consent of a parent. A federal judge last year upheld the law, ruling that video games aren't a protected form of speech under the 1st Amendment. 

A call to St. Louis County Executive George R. Westfall wasn't immediately returned. 

The St. Louis County Council, which adopted the law in October 2000, had refrained from implementing it until the legal challenges were resolved. The ordinance was based on a similar law passed in Indianapolis, which a federal appeals court in Chicago last year invalidated. 

The U.S. 8th Circuit Court also found that St. Louis had failed to establish that there is a compelling state interest in regulating the sale of games to minors on behalf of parents, and that there was insufficient evidence to prove that violent video games cause psychological harm. 

Washington state passed a similar law last month targeting games that depict violence against police officers. The Interactive Digital Software Assn. has said it intends to challenge that law as unconstitutional.
*******************************
San Francisco Gate
CIA backing image-search software 
Tom Abate, Chronicle Staff Writer
June 4, 2003

Pssst. The CIA is backing a local startup that has invented a program to sightlessly scan millions of digital images, winnowing this visual chaff to present human analysts with only those pictures likely to contain a threat. 

In-Q-Tel, a CIA-funded venture firm based in Alexandria, Va., said Tuesday that it is making an unspecified investment in PixLogic, a software firm in Los Altos. 

Created in 1999, In-Q-Tel is a nonprofit venture firm that uses CIA funds to back promising technologies with national security applications. PixLogic, which recently won U.S. Patent 6,563,959 to cover its new image-searching technology, is a 10-person startup. 

"The CIA does not want us to speculate at all on how they are using the software," said Bob McKee, vice president for business development at the tiny firm. 

But it doesn't take a top-secret clearance to guess the CIA's interest in PixLogic, whose patented software can detect patterns by analyzing the pixels of digital image files -- without printing out the pictures and having a person or computerized camera "look" at the images. 

The software ultimately could be used for everything from helping authorities scan digital pictures or videos for threats, to allowing Web browsers to find images on the Internet. 

"Today we take it for granted that we can search for text, but we can't do the same thing for images," In-Q-Tel spokesman Greg Pepus said. 

Text-search programs can find any word -- as long as it is spelled correctly -- because words always appear the same. But images are variable, PixLogic's McKee said. What the company has invented is a mathematical formula that analyzes the raw pixels in a digital file, detects patterns in these pixels, and then matches these patterns against a database of known images. 

McKee offered this example. Say the PixLogic database already had studied an image of the Eiffel Tower. Then say the software was fed thousands of digital images of Paris, and tasked with picking out only those that contain the famed landmark. McKee said the program could probably make the correct pick 80 percent of the time. 

But he said the program still has great difficulty matching faces with any degree of confidence because people can disguise themselves very easily with facial hair or glasses. 

"We do pick up faces in a crowd," he said, adding that the program could find all the people with blond hair and red shirts in a morass of digital images, and thus narrow down the task for human investigators looking for a particular red-shirted blond. 

Beyond any potential national security uses, PixLogic hopes to sell its software to commercial photography firms, media companies, film studios, and any firm with a large library of digital images that need to be searched or categorized. 

McKee said several commercial firms, which he was not at liberty to disclose, are evaluating the PixLogic software. Financial terms of the In-Q-Tel investment were not disclosed. 

Email Tom Abate at tabate@xxxxxxxxxxxxxxxx
*******************************
New York Times
June 4, 2003
Broadband Internet Use Has Its Risks, Study Finds
By LAURIE J. FLYNN

Besides speed, the most coveted feature of a broadband connection is that it is always on. But according to a study that is scheduled to be released today, those two advantages are exposing broadband customers to far greater risk than most of them realize.

The study, conducted by the National Cyber Security Alliance, highlights the chasm between the assumptions of consumers about the security of their Internet connection and the reality. The result is a high risk of hacking, viruses and identity theft, according to Keith Nahigian, the spokesman for the alliance and a consultant to the Office of Homeland Security. 

The study of 120 broadband users, conducted last month, showed, for example, that although nearly half the users had young children who use the computer, only 3 percent have parental controls to shield children from pornography.

More than 40 percent of the users lacked a firewall to protect their computers from intrusion from the outside, though 77 percent said they considered their systems protected from hackers and 86 percent said their systems were protected from online threats.

Despite the lack of controls, the vast majority of broadband users -- 86 percent -- kept sensitive information on their PC's, including medical information and financial data. Nearly four-fifths used the Internet to conduct financial or medical transactions.

"The disconnect means we have to do more to educate people," Mr. Nahigian said.

The survey also showed that while most users said they used antivirus software, most of them did not regularly update the programs, leaving them exposed to hundreds of new viruses every month.

Dial-up Internet users are exposed to similar risks but to a far lesser extent, if only because they are connected for shorter periods of time. "When you have your connection open all day and all night, it's easier for hackers to get in," Mr. Nahigian said. Because of the fast connection, broadband users tend to do far more file-sharing than dial-up users, further exposing them to hacking and viruses.
*******************************
CNET News.com
Legal action hits SCO Web site 


By Stephen Shankland 
Staff Writer, CNET News.com
June 3, 2003, 9:25 PM PT


SCO Group, the company that has warned major companies that using Linux could get them in legal trouble, has shut down its German Web site after a Linux advocacy group in the country obtained a restraining order. 
Lawyers representing LinuxTag, the German Linux group, told SCO on May 23 that the Lindon, Utah-based company was engaging in unfair competitive practices when it sent to 1,500 large companies letters that said using Linux could pose legal problems because SCO proprietary Unix source code had been copied into Linux, according to a statement from the group. 

"SCO must not be allowed to damage its competitors by unsubstantiated claims, to intimidate their customers and to inflict lasting damage on the reputation of GNU/Linux as an open platform," LinuxTag's Michael Kleinhenz said in the statement. LinuxTag demanded SCO make its evidence public by May 30, or retract its claims.

SCO removed copies of that letter from its Web sites as a result, but later, LinuxTag succeeded in obtaining a temporary restraining order against SCO, said Ryan Tibbitts, SCO's newly appointed chief legal counsel. Because SCO hasn't been able to see the actual contents of the order, the company shut down the entire site to be on the safe side, he said. 

"We didn't want to run afoul of the court," Tibbitts said. "I haven't seen the length and breadth of the temporary restraining order to see what it is we're precluded from doing. In an abundance of caution we just took down the whole German Web site." 

The move was a victory, albeit minor, in Linux fans' efforts to counter the SCO actions, which attack the legal and philosophical underpinnings of the fiercely independent open-source movement. SCO's actions stemmed from investigations of the Linux source code undertaken for its $1 billion lawsuit against IBM, alleging that Big Blue broke its contract with SCO by misappropriating trade secrets when moving technology from Unix into Linux. 

A more significant setback for SCO took place earlier last week, when Novell, which owned Unix rights before selling some to SCO's predecessor, said it never sold SCO the Unix copyrights and patents. 

SCO says it plans to show the source code it says was copied from Unix into Linux, sometimes obfuscated to disguise its origin. However, it has said it will show the code to some, such as industry analysts who sign nondisclosure agreements, but not to the public. It also has said it could reveal the code as part of its case against IBM. 

SCO previously hired outside attorneys to serve as its chief legal counsel, but about 10 days ago hired Tibbitts, who has experience in litigation. Previously he worked at Center 7, a management software company that like SCO includes the Canopy Group as a major financial backer. 

"The Canopy Group said SCO has got to hire somebody in-house to manage the IBM litigation," Tibbitts said. "My background is litigation. With the firestorm that has started, they need someone who can manage and oversee the litigation." 

High-profile attorney David Boies and his firm still are handling SCO's Unix legal action, SCO said. SCO is paying Boies' firm with a contingency agreement, under which lawyers are typically paid not by the hour, but with a percentage of their client's case winnings.
*******************************
Associated Press
Request Rejected in Music Download Case 
Wed Jun 4,10:48 PM ET
By TED BRIDIS, AP Technology Writer 

WASHINGTON - A federal appeals court on Wednesday rejected a request by Verizon Communications Inc. to delay turning over the names of four of its Internet subscribers suspected of illegally offering free music for downloading. 


Verizon said the latest legal loss, in the U.S. Court of Appeals for the District of Columbia Circuit, means its lawyers will identify the four subscribers in the next 24 hours to the Recording Industry Association of America, the trade group for the largest music labels. 


The association said it has not decided how it will proceed against those customers or whether it will identify them publicly. The organization's president, Cary Sherman, said the decision "confirms our long-held position that music pirates must be held accountable for their actions." 


Wednesday's decision was the latest in a series of court rulings that mean consumers using dozens of popular Internet file-sharing programs can more easily be identified and tracked by copyright owners. Even for consumers hiding behind hard-to-decipher aliases, that could result in warning letters, civil lawsuits or even criminal prosecution. 


"Given that an epidemic of illegal downloading is threatening the livelihoods of artists, songwriters and tens of thousands of other recording industry workers who bring music to the public, we look forward to Verizon's speedy compliance with this ruling," Sherman said in a statement. 


Verizon said it already has warned its four subscribers, who were accused by the association of illegally offering hundreds of copyrighted songs over the Internet. 


"We continue to have concerns about how the RIAA and other copyright owners might abuse this process," said Verizon's associate general counsel, Sarah B. Deutsch. "It doesn't provide sufficient protections for people who may have done nothing wrong." 


The association had sought the names of the subscribers under the 1998 Digital Millennium Copyright Act. It permits music companies to force Internet providers to turn over the names of suspected music pirates upon subpoena from any U.S. District Court clerk's office, without a judge's signature required. 


Critics of the procedure contend judges ought to be more directly involved, given the potential privacy issues involved when a corporation is asked to reveal personal information about customers over an allegation of wrongdoing. 


Verizon has challenged the constitutionality of such copyright subpoenas. Arguments in the appeals court are set for Sept. 16.
*******************************
Government Computer News
06/04/03 
Congressional scrutiny of Homeland official steps up 
By Patience Wait and Wilson P. Dizard III 
Post Newsweek Tech Media

Following news reports that a senior official at the Homeland Security Department appears to have obtained her academic degrees from an unaccredited diploma mill, several members of Congress are seeking to learn how background checks and security clearances failed to flag the questionable credentials. 

Rep. Carolyn Maloney, D-N.Y., chairwoman of the Democratic Caucus' Homeland Security task force, sent a letter June 4 to HSD secretary Tom Ridge asking for a full investigation. 

"What is troubling to me is that a senior official in the Department of Homeland Security in the office of the CIO would have a questionable degree in computer information systems from a university that has been denied accreditation by the U.S. Department of Education," Maloney's letter read. "If this press report is true, how could one of the highest senior officials in your Department make it through a background check while allegedly misleading the Department about her educational background?" 

The official under scrutiny, Laura Callahan, senior director in the office of the CIO, lists on her official resume that she received a bachelor's degree in computer science in 1993, a master's degree in computer science in 1995, and a Ph.D. in computer information systems in 2000 -- all from Hamilton University. The organization, located in Evanston, Wyo., is not accredited by any body recognized by the Education Department. It sells degrees based on applicants' life and work experience but requires no coursework. 

"I trust that you will have a full investigation into this matter. When this investigation is complete, I would hope that you will share your findings with Congress," Maloney wrote. "In the interim, I trust that you will give your highest attention to the verification of employee biographies and an emphasis on having candidates who have received their training from accredited institutions of higher learning." 

At the same time, a spokesman for Rep. Jo Ann Davis (R-Va.), chairwoman of the House Government Reform Subcommittee on Civil Service and Agency Reorganization, said that Davis also is concerned. 

"We are leaning toward having the General Accounting Office look at this situation," said Robert White on behalf of Davis. "We want to let the investigation go where it leads. The allegation that someone would have falsified their academic credentials is worrisome." 

And a spokesman for Rep. Tom Davis (R-Va.), chairman of the House Government Reform Committee, said that his office sent a letter to the Office of Personnel Management concerning the issue, and that he has requested details on the Callahan matter from HSD. 

Sen. Susan Collins (R-Maine), chairwoman of the Governmental Affairs Committee, was the first to ask HSD to investigate the matter. In a June 3 letter, Collins said, "I have written ... to DHS in order to determine whether this official did in fact breach the government's trust and, if so, what actions the department plans to take." 

Callahan, her boss, CIO Stephen Cooper and his boss, assistant secretary for management Janet Hale, have declined to comment. 

HSD Science and Technology Directorate spokeswoman Michelle Petrovich said June 4 that the department is investigating. 

"We're collecting facts. We are concerned about the issue; we are taking it seriously," Petrovich said. "We're going through the process."
*******************************
Washington Post
Girls Teach Teen Cyber Gab to FBI Agents 
Md. Students Help Catch Pedophiles On the Internet 
By Phuong Ly
Wednesday, June 4, 2003; Page A01 

As undercover assignments go, posing as a teenage girl online to catch pedophiles has its share of challenges for the typical FBI agent. 

Should he ever capitalize words in instant messages?

Is it okay to say you buy your clothes at 5-7-9?

And what about Justin Timberlake? Is he still hot or is he so two years ago?

For those investigative details, the FBI calls on Karen, Mary and Kristin -- Howard County eighth-graders and best friends.

During the past year, the three have been teaching agents across the country how to communicate just like teenage girls, complete with written quizzes on celebrity gossip and clothing trends and assigned reading in Teen People and YM magazines. The first time the girls gave a quiz, all the agents failed.

"They, like, don't know anything," said Mary, 14, giggling.

"They're, like, do you like Michael Jackson?" said Karen, 14, rolling her eyes at just how out of it adults can be.

Probably the youngest instructors ever in an FBI classroom, the girls have become an invaluable help to Operation Innocent Images -- an initiative that tries to stop people from peddling child pornography or otherwise sexually exploiting children, FBI officials said. The Washington Post agreed to withhold the girls' last names to protect them from harassment on the Internet and elsewhere.

Yesterday, at their middle school graduation ceremony, the girls each received a silver-framed letter of commendation signed by FBI Director Robert S. Mueller III. In the letter, Mueller thanked them for developing the lessons that have directly helped catch pedophiles, despite their "busy 8th grade schedule."

Operation Innocent Images was launched by the Baltimore FBI field office in 1995, and agents looked into 113 suspects in the first year. Over the years, Internet pedophiles have become savvier and more suspicious about whether they are chatting with a law enforcement agent or a real teenager. Many of the suspects question the chatters on trends and pop culture, trying to catch the FBI agents off guard.

Karen, Mary and Kristin -- honor roll students, PacSun shoppers and aficionados of pink toenail polish -- have kept the FBI a step ahead, said Gary M. Bald, special agent in charge of the Baltimore office.

The girls were recruited after one of their fathers, an agent involved in the pedophile investigations, watched her instant messaging a friend and couldn't understand what she was typing. He realized that FBI training wasn't enough.

"We can teach agents how to be careful and make sure they're following the law and how to arrest people," Bald said. "But how to convince people they're a 13-year-old is something we need help on."

Agents estimate that at any given time, 20,000 pedophiles are online worldwide, trolling chat rooms after school hours for vulnerable teenagers. About two dozen agents and analysts handle such cases in the Baltimore and Washington region, working from computer cubicles in a Calverton office building. The program has led to the convictions of about 2,200 people across the country for swapping child pornography or arranging to meet minors for sex.

Around the FBI offices, Karen, Mary and Kristin have become like the agents' adopted daughters, getting hugs and high-fives from their students. But naturally, the adults often think they know best.

One agent kept insisting that he was right when he answered on a quiz that Justin Timberlake was more popular than Destiny's Child. Another was miffed when the girls told the class that Led Zeppelin was just not cool. Some kept wondering why "l2m" in instant messaging couldn't be "love to meet," instead of "listen to music."

And the younger female FBI agents assumed that teenage girls would think actor George Clooney is cute.

"We're, like, no," said Mary, making a face.

"He's, like, 50," Karen exclaimed.

In a couple of years, the girls will be too old to teach the classes and the FBI may find other teenagers to take their place. But the girls say they are interested in continuing in law enforcement. Karen wants to be a forensic investigator. Mary thinks being a lawyer would be fun, "to put the bad guys in jail." And Kristin, 13, the quiet one, says she'll write about their exploits.

Most of their classmates did not know about their FBI work until yesterday, when Bald commended them on their achievements. Thanks to the girls, Bald said, the FBI has gathered such valuable information as: never begin a chat with "hello"; never use proper grammar in instant messages; and "pos" stands for "parent over shoulder."

After the ceremony, several parents talked excitedly about finally finding out what "pos" meant.

Karen shot Mary a worried look: "Our classmates are going to kill us."
*******************************
Australian IT
Downer backs biometric passports
JUNE 05, 2003  
 
AUSTRALIA could become the first country in the world to adopt facial recognition software to help prevent passport fraud, Foreign Minister Alexander Downer said today.

Mr Downer said Australia could introduce the technology as soon as next year following a decision by the International Civil Aviation Organisation to adopt facial biometrics as the worldwide standard for travel documents. 
"The decision means that all countries intending to use biometrics for enhanced passport security must use the same biometric system to ensure worldwide interoperability," he said. 

"Australia's plans to incorporate facial recognition biometrics into passports are well-advanced following the allocation of $6.5 million to test the technology in the past two years." 

The technology will use a person's passport photo to create a detailed electronic portrait of their face. 

The portrait will be stored electronically on a tamper-proof microchip inside the passport, where it will be retrieved by computer and matched to the person's face at border crossings. 

But there have been questions over whether the technology is as accurate or reliable as fingerprint or iris scanning. 

Mr Downer said the biometric passports were the most effective and least intrusive way to boost passport security. 

"The use of biometric-enhanced passports should speed up movements through airport controls, boost aviation security and curtail identity theft," he said. 

"It should also prove invaluable in the fight against terrorism, people smuggling and other transnational crimes." 

He said the new system, which has been tested by his department for some time, could be added to Australian passports in the second half of 2004.
*******************************
MSNBC
Pentagon launches Internet voting effort for overseas Americans 
Civilians as well as military to be eligible
By Alan Boyle

June 3: Thousands of overseas Americans are expected to be able to cast ballots from their home computers in the 2004 elections, the Pentagon said Monday. Military personnel and civilians alike will be eligible to take part in the federal government's most ambitious experiment yet in Internet-based voting.

THE PROJECT, known as the Secure Electronic Registration and Voting Experiment, or SERVE, builds on a smaller-scale effort in the 2000 elections. This time around, the system will incorporate digital certificates as an added security measure.

"Security is everyone's first question about Internet voting, so we made security the driving factor in the SERVE system design," Polli Brunelli, director of the Federal Voting Assistance Program, said in a written statement. "We are working closely with state and local election officials to build a secure system and ensure that the integrity of the electoral process is maintained."

Although FVAP is part of the Defense Department, overseas civilians as well as military personnel will be allowed to register beginning next year, assuming their state and county back home are taking part in the federal program.

The voting system was drawn up by a government-industry team headed by Accenture, a consulting and technical services company, under FVAP's direction. The Pentagon said FVAP expected at least 10 states to be represented in the experiment: Arkansas, Florida, Hawaii, Minnesota, North Carolina, Ohio, Pennsylvania, South Carolina, Utah and Washington.

However, local legislative action is still needed before some of those states can take part.

One such state is Washington, where the required bill died during the regular session. However, legislators could revisit the subject during a special session due to begin this week, said Trova Hutchins, a spokeswoman for the Washington state secretary of state's office.

"We're hopeful they're going to take up the issue again, but we're still hanging," she told MSNBC.com. "Our office supports the legislation because of the opportunity it provides."

Postal-based absentee voting is already popular in Washington state: In the 2002 general election, 66 percent of the votes cast were absentee.

Pentagon spokesman Glenn Flood said the project's biggest hurdle was satisfying state and local election officials.

"They have to buy in on this thing," he told MSNBC.com, "because they're the ones doing the counting and [have to] make sure it's 100 percent secure."

HOW IT WORKS
The congressionally mandated project builds on the Pentagon's experience with the digital-signature program for federal employees known as Public Key Infrastructure, or PKI [http://www.fcw.com/fcw/articles/2000/0605/tec-esigext-06-05-00.asp]. Eligible voters or would-be voters (you can also register to vote using the system) would be issued digital signatures, which are already being distributed to military personnel under the PKI program. These signatures would be used to verify the identity of voters as they submit their ballots online.

Flood said he could not estimate how many voters might participate. He said "there is a potential for some 6 million voters," but that figure takes in the entire overseas electorate, and only a fraction of the 6 million would satisfy the experiment's eligibility requirements.

Just 84 voters participated in the Pentagon's first e-voting experiment, in 2000. That effort cost $6.2 million, leading to criticism that the Pentagon was spending $74,000 on each ballot.

SKEPTIC SPEAKS OUT
Not everyone is sold on the idea of Internet voting, even when digital certificates are added to the system.

"This does not in any way guarantee that their ballots will be collected correctly on the other end," said Rebecca Mercuri, a research fellow at Harvard University's Kennedy School of Government. "All this digital signature and encryption does is protect the packet and authenticate it in the middle, while it's in transit."

Mercuri, a computer scientist who has long raised concerns about e-voting, pointed out that Internet balloting could be vulnerable to denial-of-service attacks and other computerized skulduggery as well as the problems that currently bedevil dedicated electronic voting systems.

"We don't want our voting in our election system to turn into some hokey 'American Idol' thing," she said. "What we want is a system where you can cast your votes secretly and securely, where they're protected in the middle during sending, where they're received correctly and also tabulated correctly."

She pointed to the questions already being raised about electronic voting machines, including last year's Florida [http://www.securepoll.com/Archives/Archive107.htm#Reno] voting controversies and concerns being raised in Wisconsin [http://www.spectrum.ieee.org/techalert/may03/ta051403.html#3] and California [http://www.spectrum.ieee.org/WEBONLY/wonews/apr03/calevot.html]. Mercuri and other critics favor a system in which a paper ballot sheet is printed as a backup to the electronic system, and such a "paper trail" provision is contained in a bill introduced by U.S. Rep. Rush Holt, D-N.J.

"There is a growing undercurrent of concern, not only among computer scientists, but also among individuals and state election officials who are very concerned that the integrity of the voting process would be compromised," Mercuri said.

Michael Alvarez, a political science professor at the California Institute of Technology and co-director of the MIT-Caltech Voting Technology Project, said the SERVE system involved a "very high level of security" and would address a specific, "very disenfranchised" subset of eligible voters. Alvarez is part of a team that will evaluate how well next year's e-voting experiment works out.

More information on the experiment is available at the SERVE Web site (www.serveusa.gov).
*******************************
Federal Computer Week
How PKI Works
BY William Matthews 
June 05, 2000

For electronic government to work, agencies and individuals must be convinced that transactions can be carried out privately and that documents are authentic. The paper world relies on signatures. The computer world needs an electronic equivalent. 

Personal identification numbers and passwords have proven to be relatively insecure. Smart cards and biometrics (retina, iris and fingerprint scans, for example) are possibilities, but expensive. For now, the federal government is promoting PKI, or public-key infrastructure. 

PKI is a system for encrypting, decrypting, signing and verifying the authenticity of information that is transmitted over the Internet. 

It works by providing each Internet user with two "keys": one that is public and one that is private. The private key is available only to the user. The public key is available to anyone (a bank, an agency case worker, a sales clerk) on a publicly accessible World Wide Web site. 

When an individual transmits a document that he or she wants to remain private, such as a sales contract, tax information or a bank statement, he or she encrypts it with the public key of the recipient. That way, only the recipient has the correct private key to decrypt it. 

PKI includes functions that enable message recipients to verify that documents have not been changed and to determine which keys have been used to encrypt and decrypt documents. Another PKI feature is a digital signature to positively identify the sender. Thus, PKI ensures that documents are authentic and that the people involved in a transaction really are who they say they are. 

Federal security experts believe PKI will provide the level of confidence needed for the public to widely accept electronic government, according to the General Accounting Office.
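The key-pair mechanics the article describes (encrypt for the recipient with the recipient's public key, sign with the sender's private key, check origin and integrity on receipt), which also underlie the ballot-signing scheme in the SERVE piece above, worked through as an added Go example; it is not code from either article or from any government program, the party names and sample tax document are constructed for illustration, and RSA-OAEP and RSA-PSS with SHA-256 are this example's choice of primitives, not anything the articles specify.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Party is one PKI user. The private key never leaves the Party; Public()
// is the half that would be published for anyone to fetch.
type Party struct {
	Name string
	priv *rsa.PrivateKey
}

// NewParty generates a fresh 2048-bit RSA key pair for a named user.
func NewParty(name string) (*Party, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	return &Party{Name: name, priv: priv}, nil
}

// Public returns the key any bank, agency or sales clerk may hold.
func (p *Party) Public() *rsa.PublicKey { return &p.priv.PublicKey }

// Envelope is what crosses the network: the document encrypted for the
// recipient, plus the sender's signature over the plaintext document.
type Envelope struct {
	Ciphertext []byte
	Signature  []byte
}

// Send encrypts doc with the recipient's PUBLIC key (only the matching
// private key can open it) and signs a SHA-256 digest of doc with the
// sender's PRIVATE key (anyone holding the sender's public key can check it).
func (p *Party) Send(doc []byte, recipient *rsa.PublicKey) (*Envelope, error) {
	ct, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, recipient, doc, nil)
	if err != nil {
		return nil, fmt.Errorf("encrypt for recipient: %w", err)
	}
	digest := sha256.Sum256(doc)
	sig, err := rsa.SignPSS(rand.Reader, p.priv, crypto.SHA256, digest[:], nil)
	if err != nil {
		return nil, fmt.Errorf("sign: %w", err)
	}
	return &Envelope{Ciphertext: ct, Signature: sig}, nil
}

// Receive decrypts with this Party's private key, then verifies the
// signature against the claimed sender's public key. A wrong private key,
// a wrong sender, or any change to the document makes it fail.
func (p *Party) Receive(env *Envelope, sender *rsa.PublicKey) ([]byte, error) {
	doc, err := rsa.DecryptOAEP(sha256.New(), nil, p.priv, env.Ciphertext, nil)
	if err != nil {
		return nil, fmt.Errorf("%s cannot decrypt: %w", p.Name, err)
	}
	digest := sha256.Sum256(doc)
	if err := rsa.VerifyPSS(sender, crypto.SHA256, digest[:], env.Signature, nil); err != nil {
		return nil, errors.New("signature does not verify: altered document or not from claimed sender")
	}
	return doc, nil
}

func main() {
	// Hypothetical parties and a constructed sample document, for illustration only.
	taxpayer, err := NewParty("taxpayer")
	if err != nil {
		panic(err)
	}
	agency, _ := NewParty("agency")
	outsider, _ := NewParty("outsider")
	doc := []byte("constructed sample: 2002 tax return, refund $1,200")

	env, err := taxpayer.Send(doc, agency.Public())
	if err != nil {
		panic(err)
	}
	got, err := agency.Receive(env, taxpayer.Public())
	fmt.Printf("agency reads %q, err=%v\n", got, err)

	// Privacy: a third party holding only public keys cannot open the envelope.
	_, err = outsider.Receive(env, taxpayer.Public())
	fmt.Println("outsider:", err)

	// Integrity and origin: an altered document re-encrypted for the agency (anyone
	// can, the key is public) with the original signature attached is rejected.
	forged, _ := outsider.Send([]byte("constructed sample: 2002 tax return, refund $91,200"), agency.Public())
	forged.Signature = env.Signature
	_, err = agency.Receive(forged, taxpayer.Public())
	fmt.Println("forged:", err)
}
```

Note what these checks do not cover: once Receive hands back the plaintext, nothing here says anything about how the recipient stores or counts it, which is exactly the gap Mercuri points to in the SERVE article.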
*******************************
Federal Computer Week
U.S. VISIT system on fast track 
BY Sara Michael 
June 4, 2003

Immigration officials are pushing forward with an aggressive schedule to implement a border security system and plan to call on industry soon for support.

Robert Mocny, deputy director of the Homeland Security Department's U.S. Visitor and Immigrant Status Indication Technology, said today the U.S. VISIT system is on track to meet the Dec. 31 deadline for implementation at all airports and seaports and will include the use of biometrics.

Officials originally planned to start using biometrics in the immigration systems by October 2004, but the timeline was recently accelerated. Mocny said officials have been studying hand geometry, facial recognition and voice recognition and how those technologies can be scaled for use in the massive system.

The department also plans to have land-based border crossings on board with the system by the fall of 2004 and all remaining ports of entry online by December 2005. To meet those deadlines and ensure the overall vision of the program, DHS will need a systems integrator, Mocny said.

Homeland Security officials plan to hold an industry day in the next few weeks to gain insight and direction from leaders in biometric and border technologies. The department will be ready to issue a request for proposals from companies by mid-fall and aims to award a contract around May 2004.

"We need and want industry involved," Mocny said, speaking today at the BiometricsWorld conference in Washington, D.C., sponsored by IDG World Expo.

Jim Williams, director of U.S. VISIT, emphasized that point. "We want to begin working extremely closely with industry to put together an RFP with you. We need to go through the procurement process and we need to do it well."
*******************************
Government Computer News
06/04/03 
Army awards General Dynamics $2 billion contract 
By Patience Wait 
Post Newsweek Tech Media

A $2 billion Army contract to provide rugged computer workstations to the Army, Marine Corps and Air Force was awarded to a unit of General Dynamics Corp. 

The 10-year Common Hardware/Software III contract provides tactical computer users with next-generation commercial and ruggedized workstations, associated hardware and software. 

All other federal agencies are also eligible to purchase computer products and services under the contract, won by the Falls Church, Va., company's C4 Systems business unit, and announced today. 

The unit is the incumbent contractor for the Army's CHS-2 contract, and is in the ninth year of that program. The total value of the CHS-2 contract, awarded in 1995, now stands at $888 million, the company said. 

General Dynamics is teaming with Sun Microsystems Inc., Santa Clara, Calif., Cisco Systems Inc., San Jose, Calif., and DRS Technologies Inc., Parsippany, N.Y. 

At the time the contract award was announced, General Dynamics also received an initial $8.3 million delivery order which finances the packaging and qualification of new products to be offered.
*******************************
Associated Press
MGM Mirage Scraps Online Casino Operation 
Wed Jun 4,11:34 PM ET

LAS VEGAS - After investing millions of dollars to build the first Internet gambling site operated by a major U.S. casino company, MGM Mirage Inc. plans to discontinue the site at the end of the month. 


"Unfortunately, even in light of a successful working model, the legal and political climate in the U.S. and several countries around the world remains unclear," Terry Lanai, MGM Mirage's chairman and chief executive, said in a statement Wednesday. 


The company will take a $5 million loss in the second quarter to dissolve its MGM Mirage Online division. 


MGM Mirage introduced the site in September 2001, and said it succeeded in showing that Internet gambling could be regulated in a fashion similar to land-based casinos. 


The site was based in the Isle of Man, a small island-nation off the coast of Britain that created Internet gambling regulations to offset a declining tourism economy. 


The Web site contained security verification technology that pinpointed where gamblers were located to block wagers from the United States, where Internet gambling is illegal. It accepted bets from a few countries that allowed Internet gambling, primarily the United Kingdom. 


The move won't have a significant effect on efforts to legalize Internet gambling in the United States, experts say. 


"You're not going to see any U.S. companies taking advantage of (online gambling) if there's no clarity coming soon," said Sue Schneider, president of River City Group, a St. Louis-area Internet gambling consultant. 


MGM Mirage's actions follow a string of other closures by Internet operators who have struggled to make a profit operating under a more regulated framework than the hundreds of Web casinos that now accept bets from U.S. gamblers. 


The MGM Mirage site wasn't intended to be an instant moneymaker, company spokesman Alan Feldman said. However, the lack of regulation in the United States, where up to 70 percent of Internet gamblers are located, makes it difficult to compete, he said. 


"There may be a business outside of the U.S. but the cost of doing this when you're complying with U.S.-style regulations is significant," Feldman said. "To lock out 70 percent of the market while you're operating on a cost basis that's so high means it's not a viable business in the long term." 


MGM Mirage could quickly re-enter Internet gambling if it becomes legal in the United States, but Feldman said the mood in Congress would have to change. Lawmakers are pursuing a bill to ban online gambling by outlawing the financial transactions used to place bets. 
*******************************
Washington Post
Lobbying War Breaks Out Over Internet Gambling Bill 


By Juliet Eilperin
Washington Post Staff Writer
Thursday, June 5, 2003; Page A08 


A House bill aimed at curtailing Internet gambling has ignited a lobbying war among groups as disparate as convenience store operators, Indian tribes and horse track owners.

The measure, which could reach the House floor next week, is Congress's latest effort to crack down on Web-based gambling, which rakes in $6 billion a year, lawmakers say.

While popular in many circles, an Internet betting ban has eluded lawmakers for years. Gambling officials and politicians have disagreed on whether a ban could be imposed without undermining forms of legal betting that economically sustain many local communities.

Under a law dating to the 1960s, people are prohibited from using a "wire connection facility" to place a bet across state lines. The Justice Department says this prohibition applies to the Internet, but some gambling promoters have disagreed and the practice has flourished. Several gambling operations have set up offshore facilities that reach U.S. Internet users while avoiding federal prosecution.

Justice Department officials have asked Congress to explicitly ban online betting.

The bill under consideration would bar credit card and wire transfer companies from processing Internet bets involving offshore operations. But it would allow people to wager on state-licensed Internet operations, including those involving state lotteries and horse racing.

"If you stop the money, you stop the activity," said Rep. Spencer Bachus (R-Ala.), the bill's author. When it comes to illegal gambling, he said, "you never stop it, but you can make it harder."

A coalition of horse and dog track owners, jai alai operators and some family values groups back Bachus's bill. They say it would preserve regulated betting while cracking down on illegal gambling.

But Native American casino operators oppose it, saying it would prevent them from participating in the same kind of Internet gambling that horse track owners and other groups would enjoy. They are particularly worried about commercial casinos going online. "Tribes are going to be left out in the cold," said John Harte, general counsel for the National Indian Gaming Association.

House GOP leaders tried to bring up the bill Tuesday under rules reserved for non-controversial matters that require a two-thirds majority for passage. But after two committee chairmen protested, leaders retreated. When the bill reaches the floor, it will be subject to a debate and will require a simple majority to pass.

Rep. John E. Sweeney (R-N.Y.), co-chairman of the Congressional Horse Caucus, called the bill "the single most important piece of legislation" affecting the horse industry this year.

Noting that Internet betting on horse racing has escalated in recent years, Sweeney said there is no need to restrain it. "This is a highly regulated industry that's part of the economic engine in many significant parts of the nation," he said.

Financial Services Committee Chairman Michael G. Oxley (R-Ohio) said he did not understand why Indian-run casinos oppose the bill. "Unless they're involved in illegal gambling," he said, "they shouldn't be concerned."

But Resources Committee Chairman Richard W. Pombo (R-Calif.) wants to amend the bill, saying it should explicitly provide the tribes the same exemption that horse racing and state lotteries would enjoy.

Rep. Jim Leach (R-Iowa), who wrote his own version of an Internet gambling bill, said he is not surprised by the heavy lobbying. "America's gambling industry is very powerful and a behind-the-scenes player with a large role in American politics," he said.
*******************************
CNET News.com
Group drafts truce in security dispute 
By Robert Lemos 
June 4, 2003, 5:30 PM PT

A security coalition has published draft guidelines for issuing bug alerts, a bid to temper a hot debate over when and how alerts should be released. 
The draft rules were released Wednesday by the Organization for Internet Safety (OIS), a group composed of software companies and security firms, which have found themselves on opposite sides of the debate. 

Scott Culp, senior security strategist for Microsoft, said the document is intended to keep both researchers and software makers honest. 

"You have a situation, where--on both sides--the lack of a standardized process presents a chance of confusion and the possibility of problems," he said. "Confusion, when dealing with vulnerabilities, ends up hurting the people we are trying to protect--the users." 

The OIS guidelines call on application makers to respond within seven days to a researcher's notification of a vulnerability in their software and to attempt to create a patch for that flaw within 30 days. 

On the other side, the proposed rules require researchers to keep details of a flaw secret for at least 30 days after the release of a software patch for it. 

The OIS was formed almost two years ago to put pressure on security researchers to publish information about software flaws in a responsible manner. 

In the early 1990s, several researchers and hackers revolted against the secrecy that software companies maintained regarding the security of their products by releasing flaw information to the public. Because application makers were generally slow to respond to security problems, such news of a vulnerability would frequently be published before any patch had been issued. 

During the past few years, software makers have put a higher priority on security, yet some researchers are still releasing information about flaws without giving the companies adequate time to fix the problems--possibly hurting the software's users. 

"You have some researchers who think that if a vendor can't fix things right away, they think they are lazy," said Mary Ann Davidson, chief security officer for database maker Oracle. "They don't always understand that sometimes the fix can take longer than a few days." 

Oracle is a member of the OIS, which includes security firms @stake, BindView, Foundstone, Guardent, Internet Security Systems, Network Associates and Symantec as well as software companies Microsoft and SGI. 

The draft guidelines were posted to the OIS Web site Wednesday for a monthlong comment period. The rules are expected to be released at the Black Hat Briefings security conference in Las Vegas at the end of July. 

Despite the concentration of security companies in the OIS, some researchers don't believe that the draft rules, in having them wait 30 days after a patch is released before publishing a bug alert, make for good security. 

"If we don't have details, we are just going on the word of the software vendors and a small group of trusted companies," said Marc Maiffret, chief hacking officer at security firm eEye Digital Security. "That's not good. You are hoping that these few people are doing it right." 

Maiffret argues that additional information about a flaw can help system administrators to gauge whether a vulnerability affects their computers and, when a patch is applied, whether the fix works properly. 

Oracle's Davidson disagrees. "If you don't put in enough information, then the researchers are critical, not the customers," Davidson said. "My job is not to keep the researchers in business, but to protect the customers." 
*******************************
Washington Post
Metallica's MP3 Conversion 
By Mike Musgrove
Thursday, June 5, 2003; Page E01 

What a difference a few years make: Heavy-metal band Metallica once waged a high-profile legal campaign against the online service Napster, claiming it was cheating artists by allowing people to swap songs free. Now it is Metallica putting free material on the Web and Napster that is being retooled to become a for-pay service.

Today, the band is kicking off an experiment to try to prove it isn't afraid of the digital era. Fans who purchase its new CD, "St. Anger," will find an access code tucked inside the case allowing them to go online and download live recordings and other content not available elsewhere.

At launch, the band's MetallicaVault.com site will feature six to seven hours' worth of Metallica's music. The site may eventually hold hundreds of hours of content.

"Our dream is to make this the yellow pages of Metallica," said Bob Pfeifer, who worked with the band on the site. "We'd like it to be a highly organized, high-quality listing of everything. I'd like this to be the temple of Metallica."

Though the music industry and the consumer tech industry have usually been on the opposite ends of struggles over digital rights and copyright issues, the two have been inching toward each other lately in an effort to establish new business models and promotional vehicles. Rare these days is the musical act that does not have a Web site offering samples of its music and videos. Other companies have gotten into the act, too. Speakeasy Inc., the Internet service provider hosting Metallica's new site, says it hopes offerings such as MetallicaVault.com will lead more consumers to try its high-speed Internet service.

The two industries have yet to produce their first breakout hit together, though a new music service created by Apple Computer Inc. could turn out to be the first success story; iTunes Music Store saw sales of 2 million music tracks in its first two weeks. Napster is also ready for a comeback: Roxio Inc., which makes CD-burning software, recently announced plans to release its fee-based version of the once-popular service.

In 2000, Metallica filed the first of a series of copyright-infringement lawsuits by the music industry against Napster, which led to Napster's closing. At the height of the conflict, Metallica's drummer, Lars Ulrich, delivered to Napster's headquarters the names of 300,000 users he said were illegally trading the band's songs, demanding that they be kicked off the Napster service.

Phil Leigh, digital media analyst at Raymond James & Associates, regards Metallica's latest promotional strategy largely as an effort to rekindle interest among the 22-year-old band's following. Though Metallica has sold about 80 million albums since its formation in 1981, "St. Anger" is the band's first new studio album since 1997's "Reload."

"Any artist that hasn't had a new album out in so long has got to be as nervous as a cat with deaf kittens right now," said Leigh, who confessed that he prefers Elton John ballads over old-school speed-metal classics from Metallica such as "Creeping Death" or "Leper Messiah."

"They've got to want to do anything they can to build interest in the new album -- and at the same time address the lingering hostility that may exist with the kids who might've found their names on the list that Lars Ulrich delivered to Napster," he said.

Artists who have spoken or acted out against illegal distribution of digital music have occasionally seen their actions backfire among fans. Earlier this year, Madonna's record label posted decoy versions of her new songs onto the free file-sharing services; when users downloaded the files, they were treated to tracks with the star cursing at them for trying to listen to her music without paying for it. Shortly afterward, hackers defaced Madonna's Web site with expletives of their own and posted downloadable files of other then-unreleased songs from the singer.

Metallica is racing to get its new CD in stores before the Web is saturated with its new songs. The band's new album was originally scheduled for release next week, but on Monday, Metallica's label, Elektra Records, moved up the release of "St. Anger" by five days, citing "the prevalence of substandard versions" of tracks already circulating on the Internet -- the first time the label has changed a release date as a result of such concerns.

In online discussion groups dedicated to Metallica, anticipation for the new album, which arrives in stores today with a list price of $18.98, and includes a DVD of live performances, mixes closely with cynicism about the band and its record label. "Soooo, are we to actually believe that if the St. Anger rips [or tracks on the CD] were of higher quality, this wouldn't be an issue?" asked one fan.

For a band that has expressed so much concern about protecting its copyrights, the security protocols at MetallicaVault.com are surprisingly liberal. Metallica's new service will let users log on and download songs from any Internet-connected computer, as long as they enter a valid security code.

Rather than using a secure or streaming-media format, which cannot be easily copied, the band chose to post material on its new Web site in the MP3 format -- the most popular digital music format by far, but one that has been controversial in the recording industry because of the ease with which users can trade and copy files.

"We wanted kids to be able to download it and burn it onto a CD if they want to and drive around," Pfeifer said.

Pfeifer said he has already gotten phone calls "from two managers of very big bands" about the Web site. If MetallicaVault.com is a success with fans, "it's very possible that this will be the trend," with other major acts, he said.

Of course, even if Metallica has the best site on the World Wide Web, it won't matter much if the new album turns out to be a flop. Some fans expressed disappointment at Metallica's slower-moving later albums, which they regarded as the band moving away from its high-speed, heavy metal roots.

But "St. Anger" has already earned some positive reviews. Spin magazine recently called the new album "an inspired return to the complex savagery of old."
*******************************
Federal Computer Week
DOD getting GIG together
BY Matthew French 
June 3, 2003

The Defense Department must think about its network-centric enterprise strategy rather than allow ad hoc networking to continue, according to the department's deputy chief information officer.

Priscilla Guthrie, speaking at a Federal Sources Inc. breakfast meeting today, said the different components of the Global Information Grid are starting to come together, and the department is close to seeing real results from the work.

"We have to stop thinking about [the Joint Tactical Radio System] as just a radio," she said. "It all starts with the GIG Bandwidth Expansion and the satellites, and we use the JTRS as the last-mile connectivity. We have to make sure everything is compatible with the Navy Marine Corps Intranet and at every post, camp and station. It must be a seamless, end-to-end network."

Guthrie said DOD will conduct a series of pilots this summer to show the progress of the network-centric enterprise services, and determine what has yet to be done.

Guthrie also said that the office of the CIO is redoubling its efforts to push transformation throughout the department in order to achieve network-centricity and secure the network with a comprehensive information assurance plan.

But none of it is proving to be particularly easy. Guthrie said the three things that keep her up at night are information assurance, operations across the entire DOD enterprise and governing the structure throughout its lifecycle.

"We absolutely have to solve the IA problem, and we have to do it in a network-centric world," Guthrie said. "We have to do it in real time, with ongoing, persistent IA."

Guthrie said that background checks performed on individuals when they were first hired no longer serve a useful purpose, and that some form of updated, real-time check needs to evolve.

"What if, instead of relying on a background check performed five years ago, we do an instant credit check on somebody as they logged in," she asked. "I'm not sure I like that particular idea [of a credit check], but something like that in real time that's up-to-date."

Beyond IA, she said, the department needs to take a serious look at its communications and determine how it will operate the GIG across the enterprise.

"Industry operates [network operations centers] and knows how communications are supposed to work," she said. "But because of bureaucratic and political reasons, that has not been brought into the department."

"We still work across boundaries and hedgerows," she said.
*******************************
Federal Computer Week
Software builds 'virtual armories'
BY Dibya Sarkar 
June 3, 2003  




When a crisis strikes, government officials sometimes scramble to find things they need, so a Chicago software company has developed a Web-based system that enables agencies to build a searchable, centralized database of resources that can be mobilized swiftly.

"To an emergency manager, it may be a coil of rope or a generator or a pump, anything that can be used to mitigate a disaster," said Bob Gerometta, chief executive officer of the Emergency Asset Management System (EAMS), a division of GBUCs LLC, a software company where he serves as chief operating officer. "The advantage is you make it easy enough to do everything beforehand, rather than waiting until the poop hits the fan."

Jim Graham, EAMS' chief operating officer, said emergency management departments have underutilized modern technology. But moving to an Internet-based system from a reliance on paper would promote coordination and communication among agencies -- a finding supported by a National Emergency Management Association report, he said.

EAMS provides emergency managers and other first responders a way to view and track all assets and services. It includes such information as descriptions, model names and numbers, quantities, associated monetary value, shipping terms and options, and contact information, among other things.

In essence, "virtual armories" are created, said Gerometta, who also is a former commissioner of the New York City Department of Records and Information.

Donors who offer the use of assets in case of emergency fill in applicable fields and receive confirmations and periodic e-mails to ensure that the items are still available and information is up-to-date. "It's very much like eBay in the sense it's very easy to learn, it's very intuitive," Gerometta said.

Within a city or state government, permitted users would be able to manage, assign, trade and move emergency assets among themselves. They can even set up different emergency scenarios -- for example, a bioterrorism attack or hazardous material spill -- and the different assets needed for each one. To avoid any confusion, an asset used during an emergency is immediately taken off the list so the system's users will see only what is available.

A public EAMS system can also be linked to the government system. In that version, donors are invited only to register and list what they want to donate; they cannot search or use any other functions. Depending on the established criteria, the system can also decline a donation and point the donor to a service association, such as the Red Cross, or simply decline it with a thank-you message.

Gerometta said he envisions agencies and different jurisdictions linking their systems together to create a larger network of databases of assets that can be shared across the country. He said the company donated the system to New York City after Sept. 11, 2001. He said the company is also close to announcing deals with several cities and states.

The cost of an initial EAMS license starts at $50,000 for 25 users and depends on customization, training and data upload programming among other things. An additional 25 users costs $5,000. A maintenance fee of 20 percent of the purchase price is billed quarterly.
*******************************
Government Computer News
06/04/03
Better data sharing key to fighting terrorism, former CIA boss says 
By Lloyd Batzler 
Post Newsweek Tech Media

Top-notch intelligence "is truly a first line of defense" against terrorist attacks, and federal agencies must make greater efforts to collect, digest and share data, a former CIA director said today.

Stansfield Turner, speaking at an industry-sponsored conference in Washington, blended broad recommendations for better intelligence gathering with observations of evolving U.S. foreign policy and how they relate to fighting terrorists.

"What we want to do is cut them off at the pass. We don't want to wait until a 9-11 has happened," Turner said. "That means we need to know who they are, when they are going to operate, where and against what."

Echoing recent congressional criticism, he said the new Homeland Security Department "doesn't really address this problem, or at least it doesn't address the most fundamental problem of our intelligence apparatus today: The lack of coordination in the exchange of data."

Turner, director of the CIA from 1977 to 1981, said, "We don't have enough money in support for our firefighters and hospital personnel, and we don't have a way yet ... of integrating those people into our antiterrorist network."

For example, he said, thousands of state and local police officers have "to be brought into a network so that a little clue here, of a person being arrested for speeding in Montana, can be tied in with a little clue over here of something going on that was nefarious."

While HSD is "off to a good start," Turner said, "we've not made much progress on keeping track of foreign visitors to our country."

Turner, now a senior research scholar at the University of Maryland's Center for International Security Studies, spoke at the close of a three-day IT security conference sponsored by Gartner Inc. of Stamford, Conn.
*******************************
Government Computer News
06/04/03 
PKI momentum builds, program manager says 
By Lloyd Batzler 
Post Newsweek Tech Media

A dozen years after the start of the federal push for a public-key infrastructure, the technology is gaining momentum, and more agencies will be using PKI in a matter of months, a federal program manager predicts. 

By year's end, Tim Polk estimated, eight to 10 agencies will be heavily engaged in PKI, nearly twice the number involved today.

Polk, the PKI program manager at the National Institute of Standards and Technology, spoke today at a conference on IT security in Washington sponsored by the research and advisory firm Gartner Inc. of Stamford, Conn. 

"We're going to have some very interesting, very useful applications come online," Polk said. "There isn't a killer app right now. Secure e-mail is not the killer app. Custom applications are emerging."

As governments and businesses move from paper to electronic documents, PKI holds promise as an effective way to protect and validate those documents and verify identities. PKI also is being used with employee identification smart cards. 

In a signal of rising interest in PKI, ?communities of interest are emerging,? including in education and aerospace, Polk said. 

Private-sector bridges, such as one being developed for aerospace companies, are expected to speed cross-certification and, ultimately, the exchange of information among government agencies, businesses and citizens, Polk said.

A certification authority issues the electronic credentials, or digital certificates, that PKI runs on. A bridge does not replace those authorities; it cross-certifies with each participating PKI, so that a certificate issued under one organization's authority can be validated by a relying party whose trust anchor sits in another. The Federal Bridge Certification Authority, established two years ago, is the hub designed to let different agency PKIs work together.

?We would much prefer to cross-certify with the aerospace bridge, not with individual aerospace companies,? he said. 

He acknowledged that certificate policies are difficult. ?Agencies hate to write them.? 

A number of factors, from cultural inertia to differing standards to funding, have hobbled PKI efforts in the public and private sectors. One state at the forefront, Illinois, expects cost savings from reduced paperwork processing to help offset the costs of PKI, Polk said.
*******************************
Government Executive
June 4, 2003 
Online security clearance forms on track for June debut 
By Amelia Gruber
agruber@xxxxxxxxxxx 

As promised in March, federal workers will be able to file security clearance forms electronically by the end of June, an Office of Personnel official said Wednesday. 

The e-clearance project, one of 24 electronic government initiatives supported by the president's management agenda, is running on schedule, according to Norm Enger, project manager for human resources-related electronic government projects at OPM. Electronic filing is one component of the three-part e-clearance project.

Enger could not provide an exact date for when the electronic filing system would be ready, but said it would be done by June 30 at the latest. When the new automated clearance system is in place, federal workers will be able to complete and file SF-86 forms online. Employees use SF-86 forms to apply for government security clearances.

The new SF-86C form, which allows workers to renew security clearances by filling out a two-page form, rather than one 13 pages long, will also be available for electronic filing. Currently, the form is only available in a paper version and can be obtained from agencies' human resource offices.

A second component of e-clearance, technology allowing agencies to form digital images of investigative files, is already finished, Enger said. Several agencies began using the imaging technology in May, he said, and eventually all agencies will change over to the new system for storing files. The new system will save time and space, allowing OPM to process an annual average of roughly 2 million new background investigations more efficiently.

OPM has also made progress on the Clearance Verification System, the third major component of e-clearance, Enger said. The system will allow agencies to access the results of background investigations or view employees' clearance forms by searching in a single database.

Until recently, most civilian agencies tracked employees' clearance histories in separate databases. To date, OPM has transferred 90 percent of background check and clearance files to the new database, according to Enger.

OPM has not been able to provide estimates of how much the e-clearance project will cost, but has said the initiative will save taxpayers $258 million over the next 10 years, as the streamlined security clearance system will process forms in one-tenth of the time that the current process takes. 
*******************************
Government Executive
June 3, 2003 
Computer security officials discount chances of 'digital Pearl Harbor' 
By Drew Clark, National Journal's Technology Daily 

The notion that cyberterrorism against the United States could create a "digital Pearl Harbor" is fading faster than the stock prices of dot-com startups did at the start of the decade, three computer-security experts agreed on Tuesday.

"The first time I saw the phrase 'digital Pearl Harbor' was 1995," Jim Lewis, a Clinton administration technology policy official now with the Center for Strategic and International Studies, said during a keynote panel discussion at an information security summit. "There have been more than 1,800 international terrorist attacks" since then.

"But you haven't seen the big headlines" about cyberterrorism during the comparable period, he added. "Just as you had had inflated stock valuations, you had inflated valuations of risk."

A top computer-security official at Carnegie Mellon's Software Engineering Institute (SEI) and a Gartner Group analyst, also on the panel, agreed with Lewis that disgruntled insiders, not foreign terrorists, pose the greatest cybersecurity threat to companies.

Companies should implement information-management "best practices" on their networks to guard against the theft of data and intellectual property by individuals who exploit security weaknesses, whether for profit or for vandalism, they said.

"Being a victim of cybercrime is like being a victim of sexually transmitted diseases in the 1940s," Gartner analyst Richard Hunter said. "It certainly happens to a lot of people, but you don't want anyone to know about it."

But Hunter said businesses need to share information about computer vulnerabilities, and he jokingly suggested that the time is right for a public-service advertisement featuring white-coated doctors reassuring chief executives and top security officers that "the very best companies get cracked all the time."

"Do I accept [the notion of a] cyber Pearl Harbor? No, I don't," said Casey Dunlevy, senior member of the technical staff at SEI, which runs the oldest coordination center for computer emergencies. "But could [cyber terrorism] be a force multiplier in terrorist attacks" by, for example, disabling all traffic lights after a bombing? "I think we have to consider that."

In an interview after the discussion, Dunlevy said the al Qaeda terrorist group exhibited a curious mix of high-tech and low-tech tactics by, for example, creating compact discs with instructions to operatives even as they distributed the discs by hand. He said he had examined computers recovered from Afghanistan that demonstrated the group's use of steganography, the technique of embedding secret data within pictures or text.

"We will eventually see a cyber element to terrorist activity," Dunlevy said. But both he and Hunter said terrorist groups also are likely to continue to engage in money laundering and cybercrime as a means of purloining resources.

Companies must educate employees to be on guard against "social engineering," the practice of over-the-phone deception by skilled information thieves, Hunter said. The most successful ways for foreigners to steal U.S. secrets are to use such practices or to buy U.S. companies in possession of secrets, he said, adding that computer hacking constitutes only 6 percent of theft attempts.
*******************************