Clips June 17-19, 2003
- To: "Lillie Coney":;, Gene Spafford <spaf@xxxxxxxxxxxxxxxxx>;, John White <white@xxxxxxxxxx>;, Jeff Grove <jeff_grove@xxxxxxx>;, goodman@xxxxxxxxxxxxx;, David Farber <dave@xxxxxxxxxx>;, glee@xxxxxxxxxxxxx;, Andrew Grosso<Agrosso@xxxxxxxxxxxxxxxx>;, ver@xxxxxxxxx;, lillie.coney@xxxxxxx;, v_gold@xxxxxxx;, harsha@xxxxxxx;, KathrynKL@xxxxxxx;, computer_security_day@xxxxxxx;, waspray@xxxxxxxxxxx;, BDean@xxxxxxx;
- Subject: Clips June 17-19, 2003
- From: Lillie Coney <lillie.coney@xxxxxxx>
- Date: Thu, 19 Jun 2003 14:07:16 -0400
ARTICLES
Anti-Spam Proposals Get Tougher
Online Sex Offender Registry Debated
U.S. shouldn't meddle in running Internet economy
'Little Brother' could be watching you, too
TSP record-keeping system up and running, finally
California financial privacy bill dies
OMB developing rules for IT privacy assessments
Senator Hatch advocates destroying PCs of music downloaders
Vietnam Internet Dissident Jailed for 13 Years
Court Bolsters FCC Area Code Effort
State (of Maryland) OKs $9M for research sites
Democrats' Online Appeal
Firms Told to Save Instant Messages
Guess Inc. Agrees to Tighten Web Security
Lawmakers mad at response to killing privacy bill
Wireless security entangles HIPAA
Charting tactics in the war on spam
Homeland Security Network Poses Challenge
TSP Web glitches hinder launch of new recordkeeping system
Delta Air plans RFID bag-tag test
Converted military jobs could go to contractors
Beyond Kazaa, a Grand Plan
*******************************
Washington Post
Anti-Spam Proposals Get Tougher
By Jonathan Krim
Tuesday, June 17, 2003; Page E01
A bipartisan group of legislators and some citizen groups, concerned that current legislative proposals to combat e-mail spam are inadequate, are engaged in a major push for tougher alternatives.
The moves come amid intensified lobbying and political maneuvering over the issue. With outrage over spam at fever pitch, Congress is widely expected to pass the first national anti-spam law this year.
In the House, a new bill is likely to be introduced this week that its sponsors promise is tougher than legislation offered last month by Reps. W.J. "Billy" Tauzin (R-La.) and F. James Sensenbrenner Jr. (R-Wis.). Although Tauzin and Sensenbrenner head the two House committees that any spam legislation must pass through, their bill was widely criticized by anti-spam activists after revelations that lobbyists from the marketing, retailing and Internet-provider industries helped craft it.
The new bill, by Reps. Heather A. Wilson (R-N.M.) and Gene Green (D-Tex.), contains broader enforcement powers for federal and state authorities, tighter restrictions on marketers and an anti-pornography provision, according to a draft obtained by The Washington Post.
Whereas other legislation focuses on spammers that use deception and peddle scams and pornography, Wilson said her bill recognizes that any unwanted commercial e-mail is spam.
"This is a business that is always looking for the next loophole," Wilson said in an interview. "We take out a lot of the loopholes."
The bill has the support of Rep. John D. Dingell (D-Mich.), the senior Democrat on the Energy and Commerce Committee, who in the past has combined with Tauzin on key telecommunications legislation. Dingell said he is having ongoing "friendly" discussions with Tauzin about working out differences between the bills.
In the Senate, the Commerce Committee is scheduled to meet Thursday to work on a bill by Sens. Conrad Burns (R-Mont.) and Ron Wyden (D-Ore.). The bill shares many provisions with House bills, including requiring marketers to let consumers "opt out" of receiving unsolicited advertising, and criminalizing deceptive practices favored by spammers, such as disguising the origin of the e-mail.
But another Senate bill, by Sen. Charles E. Schumer (D-N.Y.), has received a major boost in recent days. Schumer's approach, which would create a national do-not-spam registry and require labeling of unsolicited commercial e-mail with "ADV" (for advertisement), was endorsed by the Christian Coalition of America, which was attracted to special labeling that Schumer would require for pornographic spam.
"When it comes to the family, you have to put your differences aside," said Roberta Combs, president of the coalition, referring to the group's unusual political alignment with a liberal Democrat. Schumer's bill also was endorsed yesterday by one of the leading anti-spam activist groups, the Coalition Against Unsolicited Commercial E-Mail, or CAUCE.
John Mozena, CAUCE's co-founder, said that the group likes the portion of Schumer's bill that allows consumers to sue marketers that continue to spam them despite efforts to opt out, a provision that has been ardently opposed by the retail and advertising industries.
CAUCE also breaks with several consumer and privacy groups by supporting Schumer's do-not-spam list, which is akin to the national do-not-call list for telemarketing that the agency is launching this summer.
Consumer groups fear that such a registry would be the Fort Knox of e-mail addresses and vulnerable to hacking. The Federal Trade Commission has said it does not think it can manage such a list.
But Mozena said e-mail account providers and corporations could simply enter a global opt-out of all users of a certain Internet domain, such as "all users @xyz.com."
Thus, no individual e-mails would be listed, and consumers who want certain advertising could request it from marketers separately.
So far, key Internet industry groups have not thrown their weight behind any individual bill, although America Online has expressed support for the Tauzin and Burns-Wyden bills.
*******************************
Los Angeles Times
Online Sex Offender Registry Debated
Assembly Republicans want to post addresses, but Democrats are wary of possible vigilantism. Future of Megan's Law in California is at stake.
By Nancy Vogel
June 17, 2003
SACRAMENTO -- An effort to publish California's list of convicted sex offenders on the Internet has stalled as Assembly Republicans and Democrats tussle over precisely how to pinpoint a sex offender's home.
Republicans want to post home and work addresses on the Internet. But some Democrats prefer a vaguer description of where a sex offender lives, to guard against vigilantism. There is an urgency to the dispute because the California law that makes sex offender information public, known as Megan's Law, expires at the end of the year unless renewed by the Legislature.
The Assembly's dominant Democrats have watered down or killed several bills that sought to identify sex offenders by specific addresses. Republicans have responded by redoubling their efforts, and at a news conference Monday accused Democrats of allowing Megan Kanka to die in vain. The 7-year-old New Jersey girl was raped and killed in 1994 by a neighbor who, her parents discovered later, was a convicted sex offender.
"The liberal Democrats in the Assembly are more concerned about protecting sex offenders and where they live than protecting children," said Assemblyman Todd Spitzer (R-Orange). He and other Republicans argued that Democrats should not hesitate to release detailed information about sex offenders in light of a U.S. Supreme Court decision in March supporting the disclosure of sex offenders' names and addresses on the Internet.
Assemblyman Mark Leno (D-San Francisco), chairman of the Assembly public safety committee, said an issue weighty enough to be considered by the nation's highest court should be navigated carefully by lawmakers.
"We're trying to balance the needs of the community and the privacy rights of individuals who committed horrible, obnoxious crimes, but who have served their time and have been deemed by a court to be safe enough to be returned to the community," he said. Leno said he is willing to support a bill that puts the state's registry of 100,000 convicted sex offenders on the Internet for all to see. But he does not want addresses published because he fears vigilantism against those registered. "You've got to look at the worst-case scenarios," he said.
Every state has adopted some version of a Megan's Law to publicize information about registered sex offenders. More than 30 states provide such information on the Internet.
Californians older than 18 can view the registry at police and sheriff's stations, or they may call a special state Department of Justice line (900) 448-3000 and pay a fee to get information about individuals whose name and other forms of identification they know. The fee is $10 for every two individuals.
The information available on CD-ROM at police stations includes the county and ZIP code of a sex offender's last registered address, as well as a photograph. The convictions for which a person must register include rape, child molestation and kidnapping with intent to commit specified sex offenses.
Assemblywoman Nicole Parra (D-Hanford) is carrying a bill, AB 488, that would extend Megan's Law and put the existing registry information on the Internet. The bill was amended in Leno's committee to locate the residences of registered sex offenders within a quarter-mile grid. That amendment was deleted in the Assembly appropriations committee because of cost.
When the bill reached the Assembly floor for a vote June 5, Parra put it on the "inactive" file so she could continue working on it, said Parra spokeswoman Nicole Winger. Republicans protested the move, saying they wanted to debate the issue.
"We are pursuing other vehicles to get all of the language moving forward," Winger said. "We think it's important to at least get the Megan's Law database on the Internet."
Meanwhile, Assembly Republicans said they would attempt to amend a bill, AB 402, in the Senate to extend Megan's Law and publish the registry on the Internet by July 2005. The registry would include home and work addresses and a description of a sex offender's vehicle.
"This will be my No. 1 legislative priority," said Assemblywoman Bonnie Garcia (R-Cathedral City). In her Imperial County district, she said, some people must drive 50 miles to view the sex offender registry.
State Atty. Gen. Bill Lockyer supports making home addresses available to the public, said spokeswoman Christina Klem. But he is most concerned about getting existing information from police station databases on the Internet, she said. Lockyer's office has estimated the cost at $1 million initially and $400,000 a year for maintenance.
*******************************
Detroit News
U.S. shouldn't meddle in running Internet economy
Technology titans' coalition wants the government to put its competitors at a disadvantage: Washington should adopt a hands-off policy on the issue, saying no to special interests
By Rep. John Conyers Jr. / Special to The Detroit News
One of the wonderful things about public life is the regular occurrence of irony. The successful ascendancy of congressional Republicans in 1995 helped reassure President Bill Clinton's re-election in 1996. Democrats -- who arguably sublimated the issue of budget deficits in the 1980s -- have now become the Capitol's deficit hawks.
But rarely have we seen an irony so delicious as the one we are seeing in the telecommunications industry today. In fact, the irony is so stark that it compels me to do something which is in itself ironic: write a commentary on behalf of deregulation.
For nearly a decade, a "hands-off" policy has been the mantra of much of the high-tech industry. Indeed, the debate over the proper government role in the tech industry hit a crescendo when the Department of Justice sued Microsoft, accusing it of misusing its monopoly in operating systems by configuring them to disadvantage, if not cripple, software and applications competitors. This type of abuse in a critical nerve center of the information economy, the government argued, could destroy competition and innovation.
Microsoft and its allies countered that the software giant was a prime innovator in computing technologies and so the government would best foster innovation by simply staying out. "Unwarranted discrimination against unaffiliated competitors was not only fictional but not in our self-interest," was Microsoft's often heard argument against a backdrop of raised fists. In such a "modular" industry, the success of Microsoft's operating systems depends on its ability to add value by attracting new applications and services, the argument would invariably continue.
So where is the irony?
Fast-forward 10 years. Now comes the Coalition for Broadband Users and Innovators -- whose members include Microsoft, Amazon.com and Yahoo! -- urging the government to prospectively regulate the Internet economy to prevent a theoretical threat to its "openness." At a recent, sparsely attended press conference, with a few other tech titans in tow, the CBUI announced its support for the seemingly innocuous notion of "network neutrality." While unable to define specifically the moniker's meaning, the CBUI nevertheless urged its adoption.
What the coalition seems to be ambling toward is getting the government to adopt rules ensuring that high-speed cable modems be configured to allow interconnection with equipment of end users for such services as WiFi, that broadband subscribers have unimpeded access to Web sites and portals and that cable operators be prevented from giving better shelf space to affiliated applications and services -- relationships similar to those regularly entered into by CBUI members.
In short, the coalition seems to be asking the government to handcuff its competitors, preventing them from practicing business strategies that its members themselves often practice.
Now, we all want to see an Internet economy where competitors can use different platforms to bring new services to the marketplace. But we also want to ensure that the government is not commandeered on behalf of special interests in the putative name of openness. So before the coalition gets too carried away with a newfound affection for regulation, it should study the record and examine the vast differences between the histories and practices of the cable operators on the one hand and industries the government has historically sought to regulate on the other.
For instance, unlike the cable industry, the publicly switched Bell telephone monopoly facilities were literally gifted to the Bells by the federal government in 1984 when the old Ma Bell was dissolved. Their subsequent investment in maintenance and upgrades is but a fraction of the total value of their federal inheritance. And by controlling more than 90 percent of business and residential phone lines, these companies have unparalleled monopoly leveraging ability. But even here, the government has recently eliminated most of the regulations that apply to the Bells' DSL broadband services.
By contrast, the cable industry was not built with government welfare, but rather with hundreds of billions of dollars of privately raised risk capital, including $70 billion in such private capital for necessary upgrades since 1996 alone -- a none too insignificant difference. And while cable broadband service may have solid market share, Bell company DSL subscriptions are growing more rapidly. Other emerging technologies such as WiFi, WiMax and electrical grids wait in the wings as potential, vibrant competitors.
Most important, the cable modems have shown no signs of abusing or potentially abusing their offering. Cable modem consumers can now choose from more than 300 cable modems and as many as 69 equipment manufacturers for interconnecting products. Cable modem online users can freely navigate the web unimpeded from any site. Notwithstanding the fact of its private financing, and that cable broadband is a zero-sum "shared system," cable operators are starting to provide carriage for unaffiliated Internet service providers.
And cable operators are smart enough not to poison their platform by restricting when and where consumers can surf on it. In the case of cable modems, the competitive pressures of a free marketplace seem to be taking hold.
At best, the coalition's proposal is a solution in search of a problem. At worst, it is a cynical ploy by some tech titans to employ the federal government on their behalf to disadvantage competitors.
The government is better off staying out of this one.
U.S. Rep. John Conyers Jr., D-Detroit, is the ranking member of the House Judiciary Committee. Write letters to The Detroit News, 615 W. Lafayette, Detroit, MI 48226, or fax to (313) 222-6417 or e-mail letters@xxxxxxxxxxxx
*******************************
BBC Online
Italian piracy ring smashed
One of Europe's largest net piracy rings has been shut down by Italian police.
More than 180 people have been charged in connection with piracy and another 10,000 are still being investigated.
The Italian police seized more than 118m euros (£83m) of illegal software in raids to break up the pirate ring.
The raids were carried out in more than 30 regions across Italy as police uncovered the scale of the counterfeiting organisation.
Sophisticated sellers
Italy's Guardia di Finanza staged "Operation Mouse" over the last six months to smash the sophisticated counterfeiting and sales organisation.
The huge network was uncovered by investigators following up a tip off about a single e-mail address.
Now the Guardia has evidence of more than 95,000 suspect e-mail addresses and a net-based sales network that was capable, it is estimated, of an annual turnover of 2bn euros (£1.41bn).
Pirated goods bought by customers from a network of websites were sent out by post.
Raids mounted in 30 Italian provinces to break up the pirate ring netted thousands of copies of fake software, films and music as well as PCs, CD and DVD writers and video recorders.
Fake software from Adobe, Autodesk, Macromedia and Microsoft was being offered by the pirates as well as albums by Madonna and Robbie Williams and Italian versions of recently released movies such as Gangs of New York and Die Another Day.
The Business Software Alliance and the Federation Against Music Piracy helped Italian police with the investigation and the raids.
So far 181 people have been charged under Italian copyright laws and more than 10,000 others who produced, sold or bought counterfeit goods are also being investigated.
*******************************
Washington Post
Cybersecurity Starts in the Office
Survey Finds Workers Doubting Peers' Savvy on the Issue
By Ellen McCarthy
Washington Post Staff Writer
Tuesday, June 17, 2003; Page E05
When the office networks crash and work comes to a halt, there's probably an irresponsible co-worker somewhere in the building to blame. That's the sentiment many employees expressed in a survey on individual cybersecurity competence released today.
Sixty-four percent of American workers referred to themselves as "interested and proactive" in protecting their office computer systems, but employees have significantly less confidence in their peers, according to a survey by the Information Technology Association of America and Brainbench, a Chantilly firm and ITAA member company that sells skill tests online. About 760 people responded to the Internet-based survey distributed in May, including 403 Americans.
When asked about the contributions co-workers are making to protect workplace networks, only 35 percent of Americans said their peers know what to do and are doing it. The rest believe their peers are not aware of the issue, don't know how to deal with it or just won't bother.
"Security is a function of people, processes and technology," said Mike Russiello, president of Brainbench. "Everybody recognizes that people are the weakest link."
Two-thirds of employees believe their co-workers are a bigger threat to customer security than hackers, according to a survey of 500 people released earlier this month by Harris Interactive Inc. And even though 74 percent of those surveyed by Harris said the security protecting customer information on their companies' networks was secure, very secure or extremely secure, about 45 percent also said it would be easy, very easy or extremely easy for someone at work to remove sensitive customer data from the network.
More than half of U.S. workers said their employers do an adequate job providing information about cybersecurity threats and protection methods, the Brainbench/ITAA poll said, but only 39 percent said their own knowledge of the issue was accrued on the job.
In February, the Bush administration released a strategy for combating network attacks and viruses that suggests information sharing and cooperation among private corporations.
To push corporations to take greater responsibility for employee training, the ITAA and Brainbench are introducing a new certification program requiring individuals to pass an Internet-based test on cybersecurity procedures. Once 90 percent of the employees have taken the test -- and 85 percent of those workers pass it -- the firm receives an Information Security Awareness Certification.
"If people say, 'Oh, cybersecurity is important,' but then don't train people who are sitting at their desks or train them but don't test them, I don't think they are really indicating a serious commitment," said Harris N. Miller, ITAA president. "We want to give corporations and individuals the chance, through taking this test and getting this certification, to show they are really focused on cybersecurity."
*******************************
USA Today
'Little Brother' could be watching you, too
By Janet Kornblum, USA TODAY
June 15, 2003
Next time you go out for a walk, don't forget to smile for the camera. In these times of heightened security awareness and rapidly falling technology costs, it's no longer just banks and grocery stores that are using hidden surveillance cameras; a growing number of Americans are installing them as well, using secret "nanny-cams" in their homes and even carrying tiny cameras in cell phones and other devices.
It once was just Big Brother that privacy-minded people had to worry about, but now "it's Little Brother," says Howard Rheingold, a technology watcher and author of Smart Mobs: The Next Social Revolution. "It used to be that you thought only the state had the power and technology to do surveillance. But now that's democratized. It could be your neighbor, your relative."
These days, miniature spycams are so small and inexpensive that they could be anywhere: someone pointing a cell phone or a pen at you might have one; they can even be hidden in sunglasses. Tiny cameras can be purchased in stores or over the Internet for as little as $100, and easily hidden in boom boxes, Kleenex boxes, and other items.
Cell phone cameras, still somewhat of a novelty in the USA, have become so popular elsewhere that gyms in Australia and Hong Kong are reportedly banning them from pools and locker rooms for fear of secret pictures being taken and transmitted to anyone on the planet.
Security cameras also are becoming ubiquitous.
San Jose police last week disseminated pictures from a neighbor's home surveillance camera showing a man following 9-year-old Jennette Tamayo into her home and then screeching off in a car. While the video did not necessarily play a major role in the arrest of the suspect, it did show that cameras are now watching even when humans are not.
Privacy experts are still more concerned about government surveillance, but Big Brother can get ahold of private images, too. While law enforcement officials have to safeguard the public's constitutional rights, private companies and individuals can focus their cameras in public spaces without the same worries, says David Sobel of the Electronic Privacy Information Center.
Whether you can use legal means to stop somebody from taking pictures of you depends on the circumstances. But "when you're in public and in plain view, particularly when the person taking the picture is a private person, there's not a lot of recourse," he says.
"You can't assume any place you go is private because the means of surveillance are becoming so affordable and so invisible," Rheingold says. "The idea that your spouse or your parents don't know where you are at all times may be part of the past. Is that good or bad? Will that make for better marriages or worse marriages? I don't know."
It is the classic trade-off, security vs. privacy, says James Katz, a professor of communications at Rutgers University in New Brunswick, N.J. Right now, security is winning.
"The good that comes from safety and security outweighs the losses to freedom of speech and freedom of association that tend to be dampened when people are monitored," Katz says.
Ever since British au pair Louise Woodward was convicted in 1997 of killing her 8-month-old charge, parents have been snapping up "nanny cams" at the Counter Spy Shop and Spyzone's seven stores worldwide, says spokeswoman Arielle Jamil. "It woke up the baby boomers and parents who don't have the money to hire a permanent nanny (with full background checks) but can buy a $500 covert video system."
Many systems are simply there to catch a thief. Even churches have security cameras, says Rich Maurer of New York security firm Kroll Inc.
Whatever the reason, Americans are certainly filming each other.
Kent, Wash.-based X10 Wireless Technology Inc., whose ads for its wireless camera pop up when you surf the Web, says that more than a million of its cameras are in circulation. (Intended for home security use, the cameras also can be used to spy.)
And while home systems are not nearly as common as business surveillance, experts say they will proliferate as prices drop to as little as $75 for a camera that works with a cheap computer.
Not everybody thinks this will necessarily make society safer.
"Rather than make us more secure, this is going to pander to our security obsession," says Paul Saffo of the Institute for the Future in Menlo Park, Calif.
But like it or not, cameras are a fact of life. Maurer estimates that in a 10-mile stretch in any major city, your image will be captured on 30 to 40 private security cameras. That doesn't include cameras in homes or those carried by individuals.
"We're being spied on all the time," Saffo says. "Not only are we spying on each other, we're spying on ourselves. And we're all going to discover that we've all become unwitting stars of our own really boring reality TV program."
*******************************
Government Executive
June 16, 2003
TSP record-keeping system up and running, finally
By Tanya N. Ballard
tballard@xxxxxxxxxxx
The long-awaited modernized computer system for the 401k-style Thrift Savings Plan was up and running Monday afternoon, according to TSP board officials.
"We are turning the system on and making it available to participants as of noon today," Lawrence Stiffler, director of TSP's Office of Automated Systems, told TSP board members Monday morning.
The new system, which comes after several years of stops and starts, will work more like private-sector 401k accounts, allowing federal employees to make changes to their retirement accounts on a daily basis and access up-to-date balance information. The new system will also allow TSP account holders to more easily withdraw money, apply for loans and make changes to their contact information.
"This is an enormous feat to get this thing up," said Andrew Saul, TSP board chairman. "Our participants should know a lot of work went into this thing. It just didn't happen overnight."
The new record-keeping system has been in the works since May 1997 when the TSP board awarded American Management Systems a $30 million contract to install a computer system that would allow federal employees to more easily control their accounts. The board fired the company in July 2001 after frequent delays and a tripling of the project's estimated cost. The board paid AMS $51 million for the failed project before firing the contractor and lodging a lawsuit against it for $350 million. AMS sued the board for breach of contract. The lawsuits are pending.
Board officials brought in a new company, Materials, Communication & Computers Inc., to get the system up and running, spending another $32 million and another two years before finally starting the system up Monday afternoon.
"A lot of people poured their heart and soul in this thing to get it up and running," Stiffler said.
Stiffler said TSP participants who submitted fund transfer requests up until June 15 can view those changes to their accounts through the TSP Web site Tuesday. Stiffler also warned that high traffic on the Web site during the first few days after the launch might cause the system to be slow.
Three million participants have about $112 billion invested in the TSP's five funds, which have all shown positive returns during the past three months. Gary Amelio, the new TSP executive director, said one of his agenda items included aggressively educating federal employees about the benefits of investing in the TSP and the various investment options offered.
"The one charge that the board members and I have on a fiduciary basis by statute is to act on the behalf of the members and that's one thing that I will remember every minute that I am here," Amelio said.
*******************************
Computerworld
Hacker tips CERT's hand on Linux/PDF flaw
Confidential CERT information was also leaked in March
By Paul Roberts, IDG News Service
JUNE 16, 2003
Confidential vulnerability information managed by the CERT Coordination Center at Carnegie Mellon University has again been leaked to the public, following a flurry of such leaks in March.
The latest information concerns a flaw in Portable Document Format (PDF) readers for Unix that could allow a remote attacker to trick users into executing malicious code on their machines, according to a copy of the leaked vulnerability report.
As with confidential CERT information that was leaked in March, the latest report was posted to a vulnerability discussion list by an individual using the name "hack4life." The leaked information was taken from communication sent from CERT to software vendors affected by the PDF problem, according to Jeffrey Carpenter, manager of CERT. The information appears to be from a vulnerability report submitted to CERT by a Cincinnati security researcher by the name of Martyn Gilmore.
Gilmore didn't respond to requests for comment, and CERT wouldn't comment on how it obtained the PDF vulnerability information or on Gilmore's relationship with the Pittsburgh-based software vulnerability monitoring organization.
In the report, Gilmore describes a problem in the way that PDF viewing programs for the Unix platform process hyperlinks within valid PDF documents. When processing hyperlinks, common PDF readers use the Unix "shell" command (sh -c) to launch and pass commands to external programs. For example, clicking on a hyperlink for a Web page would launch the associated Web browser, according to the report.
However, Gilmore found that such programs don't properly check the syntax of such commands, enabling arbitrary shell commands to be executed on the vulnerable machine.
Although attackers are limited by the privilege level of the user clicking the malicious link, the vulnerability could enable a remote attacker to use shell commands to delete files from the user's hard drive or perform other actions without the knowledge of the victim, the report said.
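The launch pattern the report describes, beside a hardened version, as an added example that is not code from the leaked report, Acrobat Reader or Xpdf. The browser command `xdg-open` and the function names are assumptions.

```python
"""Hyperlink launching in a document viewer: the `sh -c` pattern versus
an argv-based launcher with scheme and character allow-listing.

Added example, not the page's or any viewer's own code.  The flaw described
above is a viewer splicing an attacker-controlled hyperlink into a command
string handed to `sh -c`.  The fix is (1) never involve a shell, passing the
URL as exactly one argv element, and (2) allow-list the URL scheme and
character set before launching anything.  BROWSER is a hypothetical
configured browser command.
"""
import re
import shlex
import subprocess
from typing import List, Optional
from urllib.parse import urlsplit

BROWSER = "xdg-open"                     # assumption: the configured browser command
ALLOWED_SCHEMES = {"http", "https", "mailto"}
# RFC 3986 unreserved + reserved characters plus '%' for percent-encoding.
# Whitespace, quotes, backticks, '|', '<', '>', '\\' and control characters
# are outside this set and are rejected outright.
_URI_CHARS = re.compile(r"[A-Za-z0-9\-._~:/?#\[\]@!$&'()*+,;=%]+")


def vulnerable_launch_command(url: str) -> str:
    """The pattern the report describes: the URL is spliced into a command
    string that the viewer then runs through `sh -c`, so every shell
    metacharacter in the link is interpreted by the shell, not delivered
    to the browser as part of the URL."""
    return f"{BROWSER} {url}"


def shell_tokens(command: str) -> List[str]:
    """How a POSIX shell would split the command into words (quotes honoured).
    Used to show whether the URL survives as a single argument."""
    return shlex.split(command)


def validate_url(url: str) -> bool:
    """Accept only URLs that are syntactically plain and use an allowed scheme."""
    if not _URI_CHARS.fullmatch(url):
        return False
    try:
        parts = urlsplit(url)
    except ValueError:                   # e.g. malformed IPv6 host literal
        return False
    scheme = parts.scheme.lower()
    if scheme not in ALLOWED_SCHEMES:
        return False
    if scheme in ("http", "https") and not parts.netloc:
        return False
    return True


def safe_launch_argv(url: str) -> Optional[List[str]]:
    """Hardened form: an argv list with no shell. None means the URL was rejected."""
    if not validate_url(url):
        return None
    return [BROWSER, url]                # the URL is one argument, whatever it contains


def quoted_launch_command(url: str) -> Optional[str]:
    """If a shell must be used (e.g. a user-configurable command template),
    quote the URL so the shell treats it as one literal word."""
    if not validate_url(url):
        return None
    return f"{BROWSER} {shlex.quote(url)}"


def launch_hyperlink(url: str) -> subprocess.Popen:
    """Launch the configured browser on a validated URL without a shell."""
    argv = safe_launch_argv(url)
    if argv is None:
        raise ValueError(f"refusing to launch hyperlink: {url!r}")
    return subprocess.Popen(argv)        # list form: no `sh -c`, no word splitting


if __name__ == "__main__":
    link = "http://example.com/a b"      # constructed: a link containing a space
    print(shell_tokens(vulnerable_launch_command(link)))    # URL split into two words
    print(safe_launch_argv(link))                            # None: rejected
    print(safe_launch_argv("https://example.com/?q=1&r=2"))  # argv list, URL intact
```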
Adobe Systems Inc.'s Acrobat Reader 5.06 is affected by the problem, as is the open-source reader Xpdf 1.01, according to the report.
CERT declined to discuss the details of the vulnerability.
The vulnerability information was scheduled to be released by CERT on June 23, according to an e-mail message purporting to be from hack4life that prefaced the leaked report.
The release date was also obtained from CERT communications with its vendors, but CERT declined to comment on whether it would be releasing an advisory regarding the PDF problem on June 23, according to Carpenter.
Hack4life cited "college and exams" for the lull in leaked CERT information in recent months and hinted at the likelihood of more disclosures in the future. "I'll have plenty of time to keep you all up to date with what those fools at CERT are up to once college is finished," hack4life wrote.
In March, someone using the same name posted information to the Full Disclosure vulnerability discussion list on four vulnerabilities that CERT was then investigating. Those posts included sensitive information on a vulnerability in the Kerberos Version 4 protocol and a problem reported by Microsoft Corp. regarding spammers' abuse of Web redirectors, which forward users of Web portals such as MSN to IP addresses close to their geographic location.
The PDF information was disclosed to CERT after the vulnerabilities were leaked in March, Carpenter said.
Contacted by e-mail in March, hack4life denied any affiliation with CERT and said that the reports were "stolen in a recent computer intrusion."
Hack4life cited "fun and amusement" as the primary motivation for stealing and leaking the vulnerability reports. A secondary motivation that hack4life cited via e-mail was anger over CERT's perceived failure to publish vulnerability information in a timely manner. At the time, CERT officials cast doubt on hack4life's assertion that the reports were hacked, saying that the information was most likely leaked by a member of one of the development teams CERT works with to evaluate vulnerabilities.
The latest incident reaffirms CERT's belief that the problem lies with its vendors rather than with its own systems, Carpenter said. While CERT doesn't yet know which vendor is responsible for the leak, the organization said it's confident that an insider threat or compromise at one of the companies it deals with is responsible for the leaks.
CERT is communicating with vendors about the problem, but Carpenter wouldn't comment on whether CERT is working with law enforcement to catch the person responsible for the leaks. "I'm not going to get into those specifics at this point," he said.
CERT plans to consult with affected vendors and discuss how to proceed now that the information is public, he said.
*******************************
Mercury News
California financial privacy bill dies
By Michael Bazeley
Mercury News
June 18, 2003
A hotly debated financial privacy measure died in the state Assembly on Tuesday, clearing the way for a possible March ballot measure that would ask consumers whether they want even tougher restrictions on the sharing of their personal information.
The Assembly Banking and Finance Committee voted 4-3 against the bill. Four committee members, all moderate Democrats, declined to vote.
The bill, SB 1 by Sen. Jackie Speier, D-San Mateo, is technically not dead. Speier said she would ask the committee to reconsider the measure, a courtesy the committee chair appeared ready to grant.
But it appeared unlikely Tuesday that the two sides would be able to bridge their differences on the issue. Consumer groups said they considered the vote a defeat and would move ahead with efforts to place their financial privacy initiative before voters in March.
``It was a bad day for consumers in California, but it wasn't the last day for consumers in California,'' said Speier, who supports the ballot measure.
The vote was a big, but not unexpected, victory for banks, insurance companies and other financial institutions, which have lobbied relentlessly for three years to block restrictions on the ways in which they share their customers' personal information.
Speier's bill would have required them to obtain customers' written permission before sharing or selling personal information with third parties.
Gov. Gray Davis recently endorsed the bill, but his support wasn't enough to win the seven needed votes.
Although some industry representatives could be seen exchanging high-fives in the hallway during the vote, lobbyists tempered their enthusiasm afterward, noting that the bill could be resurrected.
Far from over
``I would be surprised if this is the end point of this discussion,'' said Fred Main, lobbyist for the California Chamber of Commerce. ``It's far from over. It's maybe the second act of a four-act play.''
Federal law allows institutions such as banks and insurance companies to share customer information with third parties until a customer asks them to stop.
Speier's bill would require the financial institutions to ask for permission before sharing or selling the information with outside companies. Affiliated companies could have access to the information without permission.
``This is a simple bill,'' Speier told the committee. ``If you believe that the financial information that a consumer provides is information that belongs to the consumer, then you should vote for this measure. If you believe that this information is the property of the financial institutions, then you should vote against the bill.''
Speier made a flurry of last-minute changes to the bill, trying to garner votes on the Assembly committee without alienating the consumer groups who helped her craft the measure. John Dutra, D-Fremont, the leader of moderate Assembly Democrats, vowed to lobby the committee for support last week if Speier made several ``technical'' changes. But the changes turned out to be more than technical, and the two sides never reached agreement on key issues.
``We have bent over backward to address the concerns,'' said Shelley Curran, lobbyist for Consumers Union, one of the sponsors of the initiative. ``It was clear that the Assembly does not want Californians to have control over the sharing of their information.''
Industry representatives complained that the bill remained riddled with problems and that some of the amendments made it ``even more confusing for consumers and businesses.''
This bill ``is neither workable nor reasonable,'' Main told the committee. ``It creates different rules for businesses,'' he said, based on their size and corporate structure. That would give some institutions an unfair competitive advantage.
Other lobbyists said the form that banks and other companies would have to send to customers informing them of their privacy choices would confuse them.
``This could lead to a notice more complex and harder to understand for consumers wanting to make that choice,'' said John Mangan of the American Council of Life Insurers.
Assemblyman Juan Vargas, D-Chula Vista, said his main privacy concerns -- fraud and identity theft -- are already being handled with other laws. He said SB 1 would cost businesses millions of dollars, costs that would ultimately be borne by consumers.
``I don't want those costs shifted to me, and certainly not to the poor,'' said Vargas, who did not vote on the bill. ``I think that's what will happen with this bill.''
This was the third year in a row that Speier has failed to move a privacy bill through the Legislature. Many observers believed that this year's bill stood the best chance. It was widely believed that the looming threat of an initiative would force lawmakers to find a compromise bill.
Unmoved by threat
But industry representatives and lawmakers appeared unmoved by the possibility of a much stricter ballot measure.
``That is a threat, we think, that is more leverage than reality,'' Main said.
A coalition of consumer and other groups has collected about 200,000 of the 373,000 needed to qualify a financial privacy initiative for the ballot.
The initiative would prohibit financial institutions from sharing any customer information with any companies -- affiliates or otherwise -- without first getting written permission.
``Once again, members of the Assembly have chosen to put special interests ahead of everyday Californians,'' said Curran of Consumers Union. ``It's becoming clear that Californians will need to decide this issue for themselves.''
*******************************
Government Computer News
OMB developing rules for IT privacy assessments
By Jason Miller
By late summer, the Office of Management and Budget plans to issue privacy regulations that most likely will affect only new systems.
The E-Government Act of 2002 requires OMB to update its existing regulations and codify how the executive branch secures citizen information collected through the Web, said Eva Kleederman, an OMB policy analyst.
OMB has not yet decided if the guidance will ask for privacy assessments of legacy systems that have new front-end Web links, Kleederman said.
The goal is to have the guidance in place to help agencies during the fiscal 2005 budget process. Agencies have until early September to submit business cases for systems that will require funding in 2005.
"The guidance does not provide a template for agencies to follow," Kleederman said. "We don't want to prescribe a method or tool. Agencies should perform privacy assessments throughout their project's lifecycle."
A handful of agencies are reviewing a draft of the guide, she said last week at the E-Gov 2003 Conference in Washington.
Kleederman said the final directive will touch on five items about the mandatory assessments:
What triggers one
What type is needed
What content must be covered, such as details about data collected and how it is used
How in-depth each review must be, which will depend on a system's size and complexity
Who will review them and how they will be made public.
The guidance also will require agencies to describe in detail their Web privacy policies, such as what information their sites collect and whether posted privacy policies can be easily understood by visitors.
*******************************
Seattle Post Intelligencer
Senator Hatch advocates destroying PCs of music downloaders
By TED BRIDIS
ASSOCIATED PRESS WRITER
June 18, 2003
WASHINGTON -- The chairman of the Senate Judiciary Committee said Tuesday he favors developing new technology to remotely destroy the computers of people who illegally download music from the Internet.
The surprise remarks by Sen. Orrin Hatch, R-Utah, during a hearing on copyright abuses represent a dramatic escalation in the frustrating battle by industry executives and lawmakers in Washington, D.C., against illegal music downloads.
During a discussion on methods to frustrate computer users who illegally exchange music and movie files over the Internet, Hatch asked technology executives about ways to damage computers involved in such file trading. Legal experts have said any such attack would violate federal anti-hacking laws.
"No one is interested in destroying anyone's computer," replied Randy Saaf of MediaDefender Inc., a secretive Los Angeles company that builds technology to disrupt music downloads. One technique deliberately downloads pirated material very slowly so other users can't.
"I'm interested," Hatch interrupted. He said damaging someone's computer "may be the only way you can teach somebody about copyrights."
The senator, a composer who earned $18,000 last year in songwriting royalties, acknowledged Congress would have to enact an exemption for copyright owners from liability for damaging computers. He endorsed technology that would twice warn a computer user about illegal online behavior, "then destroy their computer."
"If we can find some way to do this without destroying their machines, we'd be interested in hearing about that," Hatch said. "If that's the only way, then I'm all for destroying their machines. If you have a few hundred thousand of those, I think people would realize" the seriousness of their actions, he said.
"There's no excuse for anyone violating copyright laws," Hatch said.
Sen. Patrick Leahy, the committee's senior Democrat, later said the problem is serious but called Hatch's idea too drastic a remedy to be considered.
"The rights of copyright holders need to be protected, but some Draconian remedies that have been suggested would create more problems than they would solve," Leahy, D-Vt., said in a statement. "We need to work together to find the right answers, and this is not one of them."
Rep. Rick Boucher, D-Va., who has been active in copyright debates in Washington, urged Hatch to reconsider. Boucher described Hatch's role as chairman of the Judiciary Committee as "a very important position, so when Senator Hatch indicates his views with regard to a particular subject, we all take those views very seriously."
A spokesman for the Recording Industry Association of America, Jonathan Lamy, said Hatch was "apparently making a metaphorical point that if peer-to-peer networks don't take reasonable steps to prevent massive copyright infringement on the systems they create, Congress may be forced to consider stronger measures." The RIAA represents the major music labels.
Some legal experts suggested Hatch's provocative remarks were more likely intended to compel technology and music executives to work faster toward ways to protect copyrights online than to signal forthcoming legislation.
"It's just the frustration of those who are looking at enforcing laws that are proving very hard to enforce," said Orin Kerr, a former Justice Department cybercrimes prosecutor and associate professor at George Washington University law school.
The entertainment industry has gradually escalated its fight against Internet file-traders, targeting the most egregious pirates with civil lawsuits. The Recording Industry Association of America recently won a federal court decision making it significantly easier to identify and track consumers - even those hiding behind aliases - using popular Internet file-sharing software.
Kerr predicted it was "extremely unlikely" for Congress to approve a hacking exemption for copyright owners, partly because of risks of collateral damage when innocent users might be wrongly targeted.
"It wouldn't work," Kerr said. "There's no way of limiting the damage."
*******************************
Reuters Internet Reports
Vietnam Internet Dissident Jailed for 13 Years
Wed Jun 18, 7:22 AM ET
By Christina Toh-Pantin
HANOI (Reuters) - A Vietnamese doctor, accused of publishing anti-government texts on the Internet including a translation of a U.S. essay on democracy, was jailed for 13 years on Wednesday for spying.
"Pham Hong Son was sentenced to 13 years in prison for espionage and he will be subjected to three years of administrative detention at his residence after serving the prison sentence," the Hanoi People's Court said in a statement.
The case, heard under tight security, was closely tracked by human rights groups and diplomats as a fresh sign of Hanoi's intolerance of political dissent. Two dissidents were jailed last year for cyberspace criticism of the communist government.
One western diplomat called Wednesday's sentence "abnormally tough." The American embassy in Hanoi had no immediate comment but said a statement was expected to be issued on Thursday.
The New York-based Committee to Protect Journalists said in a statement on June 16 that Son's prosecution was "part of a broader effort by the Vietnamese government to control the Internet."
The Son case has parallels with similar prosecutions in communist neighbor China, where four Internet activists were jailed for up to 10 years on subversion charges in May for posting essays critical of Beijing.
Son, 35, was arrested in March last year and charged with espionage after he "took the initiative" to phone and email "political opportunists" in Vietnam and abroad, Human Rights Watch said in a statement, citing an April 10, 2003 indictment.
Last December the same Hanoi court jailed a 47-year-old Vietnamese man for 12 years for espionage.
Son, who worked for a foreign pharmaceutical company, was accused of translating into Vietnamese and posting on the Internet an article entitled "What is Democracy?" from the State Department's Web Site.
The sidewalks outside the court were barricaded off on Wednesday morning, and police repeatedly turned away foreign journalists and a group of six diplomats who sought to attend the hearing.
A van parked outside the gates blared loudspeaker warnings ordering journalists to move away from the entrance.
The diplomats included a U.S. embassy representative. They said they had applied for permission to attend the trial but had received no reply. Foreigners are not normally given free access to Vietnamese courts.
Hanoi has been tightening control on media including restricting public access to satellite television and policing Internet cafes, which are an increasing challenge to its media monopoly and have raised concerns in the one-party state.
About a million of Vietnam's 80 million population surf the Net. Many use Internet cafes because of the high cost of personal computers and telecoms charges.
Human rights groups say a total of five Vietnamese are being punished for being cyber-dissidents. Hanoi is frequently criticized for curbing social freedoms including religious practice and self-expression, which it denies.
The cyberspace dissident charges include spreading anti-government propaganda, undermining national unity and carrying out actions aimed at overthrowing the government.
Lawyer Le Chi Quang and literature professor Tran Khue upset authorities last year when they published on the Internet criticisms of border agreements with China, which some dissidents believed received too many concessions.
*******************************
Los Angeles Times
Court Bolsters FCC Area Code Effort
In another setback for wireless carriers, judges' decision opens the door to cell-phone-specific area codes.
By Jube Shiver Jr.
June 18, 2003
WASHINGTON -- A federal appeals court cleared the way Tuesday for the Federal Communications Commission to allow new area codes exclusively for cellular phones and pagers, rejecting industry arguments that the practice may unfairly burden wireless carriers and their customers.
The decision, the second court setback for the wireless industry in recent weeks, was seen as bolstering the FCC's efforts to slow the explosion of costly and disruptive changes to existing area codes, even though the court upheld the FCC mostly on technical grounds.
The three-judge panel of the U.S. Court of Appeals for the District of Columbia ruled that the legal challenge raised by carrier Sprint Corp. wasn't valid because the FCC had not authorized any new cell-phone-specific area codes yet.
"We hold that this challenge is not ripe for judicial review," Judge Judith Rogers wrote. "By declining to decide Sprint's general challenge now, we preserve our own ability to decide intelligently, not only Sprint's challenge but any future challenges to specific specialized overlay proposals."
The same court this month struck down an attempt by the wireless industry to delay or eliminate a Nov. 24 deadline set by the FCC for the wireless industry to allow subscribers to keep their mobile phone number when they switch carriers.
Sprint spokesman James Fisher said company lawyers were studying the latest ruling and had no comment. Representatives of Cingular Wireless, which joined Sprint in the lawsuit, could not be reached for comment.
The FCC has been trying to find ways to conserve phone numbers for more than a decade, hoping to avert a conversion to an 11-digit dialing system that the agency told the court could cost as much as $150 billion.
A decade-long surge in the number of electronic gadgets such as fax machines, modems and cell phones has rapidly depleted the available pool of phone numbers. Simultaneously, a growing number of telephone carriers seeking large blocks of numbers to serve new customers also contributed to red-hot demand that threatened to exhaust all area codes by 2010.
California, which intervened in the case to support the FCC, is among the hardest hit by phone number demand. The state has added 14 area codes since 1991, and some experts say a run on phone numbers in the Los Angeles-area 310 code and in San Bernardino County's 909 area code might trigger more additions, pushing the state's area code total to more than 25.
*******************************
Baltimore Sun
State (of Maryland) OKs $9M for research sites
2 UM-affiliated centers would help Md. compete for technology jobs; 'This puts us in the game'; Aim is to buy property in College Park, build on vacant land in city
By A Sun Staff Writer
Originally published June 18, 2003
Hoping to persuade technology companies to expand in the state, Maryland lawmakers agreed yesterday to spend $9 million to help launch major university-affiliated research centers in Baltimore and College Park.
The state Legislative Policy Committee, made up of the General Assembly's ranking members, approved $4 million for a health sciences research park at the University of Maryland, Baltimore.
The money would go toward the first of eight buildings planned on 4.6 vacant acres on West Baltimore Street, west of Martin Luther King Boulevard. The research park could provide a boost to the Poppleton neighborhood, which it would adjoin.
At the University of Maryland, College Park, lawmakers approved $5 million to help purchase land for a 130-acre technology research center near the College Park Metro station. At 2.8 million square feet, the center would be the largest of its kind in the state, officials said.
Maryland economic development officials said construction of the two facilities would allow the state to compete for well-paid jobs and benefit from a strategy used successfully by universities elsewhere.
"This puts us in the game," said Vernon J. Thompson, deputy secretary of the Department of Business and Economic Development. "We have been challenged by lack of available space to locate companies that had relationships with universities. This puts us in the business of having something to sell, rather than having a dilemma to overcome."
The state money comes from the Sunny Day fund, which provides investments to businesses for job growth and expansion. Typically, the state lends money to a corporation, which repays it. But officials said the agreements approved yesterday are the first of their kind: investments with no timetable for repayment.
Economic development officials said they expect to recoup their investment by receiving proceeds as the research parks are constructed and occupied.
State funds provide only part of the money needed for the projects.
In College Park, the university is negotiating with a development team composed of Manekin LLC, Corporate Office Properties Trust, the Ken Michaels Co. and the Presidents' Roundtable, which would contribute $18 million toward the $35 million needed to buy the land. The total construction cost, to be paid by private developers, is estimated at $375 million.
For the Baltimore project, the city is expected to donate land worth $1.4 million, and private companies would invest up to $30 million.
In Baltimore, state money will directly benefit up to a dozen biotech companies that agreed to move into the first building in the park, a school official said. The groundbreaking for the first 120,000-square-foot building is expected in the fall, and it is expected to open by the end of next year.
"The Sunny Day money is being used very specifically to build lab space and office space for tenants as they move into the building. The shell of the building is being privately financed and we're in negotiations with developers now," said James L. Hughes, vice president of research and development at University of Maryland, Baltimore.
"For instance, if a biotech company wants 10,000 square feet of space, it will take $650,000 to build that space. It's expensive to build lab space," he said. "Early-stage biotech companies have limited resources and they'll be able to get good-quality lab space and have the state pick up the initial cost for that."
The companies will pay the money back to the state once they are generating revenue. That could take one to eight years, Hughes estimated.
In return, the state will add high-paying jobs and the university will get an outlet for research conducted by its faculty and students, as well as positions for them, he said. Start-up companies also can help a university attract top-flight "star" researchers, a study done last year for UMB said.
An economic-impact study conducted for the university projects that when completed in the next decade, the park will generate 3,000 jobs and infuse $290 million into the economy. The first building is expected to produce 350 to 400 jobs if it lives up to expectations.
The city has another biotech park under development adjacent to the Johns Hopkins University medical complex on the east side. Hughes thinks there is enough business to go around.
As they praised the concept - House Speaker Michael E. Busch, an Anne Arundel County Democrat, called the public-private partnerships involving universities "the wave of the future" - lawmakers expressed some concern with the risk involved.
Sen. Thomas M. Middleton, a Charles County Democrat and chairman of the Senate Finance Committee, said he hopes state and university officials will work on coordination among the technology parks.
"We've got all these stand-alone projects," Middleton said. "Where are we going to go with coordinating them? That's something I'm going to be looking at."
*******************************
Washington Post
Democrats' Online Appeal
By Harold Meyerson
Wednesday, June 18, 2003; Page A25
As revolutions go, this one began with remarkably little fanfare.
Last Thursday MoveOn.org sent out an e-mail to its members -- all 1.4 million of them -- asking if they'd like to take part in an online Democratic presidential primary later this month. Candidates would answer questions that MoveOn put to them, and if one of them managed to pull a majority of the members' votes, the organization would endorse him.
This is no straw poll: MoveOn does real politics. Founded by some Silicon Valley entrepreneurs as a way for liberals and others to electronically register their rage at the impeachment lunacy of 1998, MoveOn has already become a force in American politics. It has coordinated its members to lobby Congress on a host of issues, was a center of opposition to the Iraqi war, and has proved itself as a source of grass-roots campaign contributions ($4.1 million in 2002) to progressive candidates.
Last fall MoveOn made a special pitch to its members to help out Minnesota Sen. Paul Wellstone, then embroiled in a tight reelection contest.
Within a couple of days Wellstone's campaign had an unexpected windfall of more than $600,000 in hard-money contributions. "Now our membership is nearly three times as big as it was then," MoveOn President Wes Boyd notes. (Membership skyrocketed during the run-up to the war.)
In last Thursday's e-mail, MoveOn stated that one reason it wanted to try for an endorsement now was to help its endorsee, should one emerge, rake in some megabucks before the June 30 contribution reporting deadline. It also mentioned that preliminary polling of its members showed that Howard Dean, John Kerry and Dennis Kucinich had the lion's share of early support.
The candidate with the most backing from MoveOn members (though by no means necessarily a majority) is Dean. Not surprisingly, winning this primary has emerged as the Dean campaign's chief focus in the next several weeks. The former Vermont governor has clawed his way into the first tier of Democratic candidates in part through his campaign's unparalleled success in waging a candidacy online. In its last financial statement, the campaign reported $750,000 in online contributions; campaign manager Joe Trippi says that figure now totals roughly $1.25 million.
The campaign already claims 33,000 online Dean supporters who came together through MeetUp.com, a Web site that enables people of like interests to, well, meet up. Trippi is urging his MeetUppers to join the MoveOners but acknowledges that 33,000 new members would just be a drop in MoveOn's bucket.
Both Trippi and the MoveOn leaders think that winning 50 percent support this early in the process will be an arduous task. The thing about an online election, however, is that it's no big deal to hold another one 30 or 60 days later -- a process to which MoveOn seems committed until an endorsement emerges. Still, Dean's legions are filled with highly educated, Internet-savvy young people, and that's a pretty good description of MoveOn's members as well.
How much money such an endorsement would be worth to its recipient is one of the hottest topics in liberal America today. MoveOn's staff offers only the most cautious projections, but political operatives sound awestruck as they contemplate what the numbers could be. "If Dean has their support and wins Iowa," says one longtime liberal strategist who's no Dean partisan, "what people don't realize is that MoveOn could get him $30 million in the next two days."
This is a topic to which Trippi has given a lot of thought. A "mature Internet," he says, could be the link that earlier insurgent candidates missed. "If Gary Hart had had the Internet in 1984, you have to wonder if Mondale would have won the nomination," says Trippi, who worked for Mondale that year. "Hart had no way to raise the money to go national after he won New Hampshire and had to compete immediately in a nationwide Super Tuesday." With the added technology, the Eugene McCarthys and John McCains of this world might well have gone farther.
And so, two pre-primary primaries loom large this summer: MoveOn's, in which passionate young voters may reward a seemingly passionate candidate such as Dean, and the AFL-CIO's, in which pragmatic labor leaders may give the nod to a more conventionally pragmatic candidate such as Dick Gephardt.
There is no Vietnam War dividing these two groups into irretrievably opposed camps -- indeed, many labor leaders I've spoken with are quite enthused by MoveOn's emergence -- but the potential for a rift remains.
Zack Exley, MoveOn's organizing director, says that the advantages of MoveOn's move into presidential primaries clearly outweigh the downside.
"We're trying to allow the voices of ordinary voters, the 1.4 million MoveOn members, to chime in at this crucial early stage in the process, when so much is being determined by high-dollar donors, pollsters, pundits and political elites," he says. In a world where money talks, MoveOn is handing the Democrats' liberal base a large megaphone.
*******************************
Washington Post
Firms Told to Save Instant Messages
NASD Orders Them Kept for 3 Years
By Brooke A. Masters
Washington Post Staff Writer
Thursday, June 19, 2003; Page E02
NEW YORK, June 18 -- Securities brokers and dealers that use computer instant messages to contact clients and fellow employees must save such communications for at least three years, NASD, the industry's self-regulatory body, said today.
The advisory recognizes the growing importance of instant messages by requiring that member firms treat them with the care they already give e-mail and paper communications.
Many instant messaging programs for consumers do not allow the communications to be retained. But NASD and Wall Street officials said the technology is improving and firms that want to use the messages should not have trouble finding software that would allow them to comply.
"NASD recognizes that instant messaging is becoming increasingly popular as a real-time method of communicating and we want to be clear about our expectations for its use," Mary L. Schapiro, NASD vice chairman, said in a prepared statement. "Firms have to remember that regardless of the informality of instant messaging, it is still subject to the same requirements as e-mail communications."
The rules are likely to have relatively little effect on Wall Street's major firms, because they either already save instant messages or prohibit employees from using them, representatives of several banks said. Several firms banned instant messages after they were fined by NASD for not saving e-mail.
The Securities and Exchange Commission has said that all business-related communications must be preserved, regardless of their form, spokesman Herb Perone said.
James D. Spellman, a spokesman for the Securities Industry Association, said the NASD advisory might lead more firms to use the technology because the rules for its use are clearer.
"It gives firms the comfort level to begin using this technology," he said.
*******************************
Associated Press
Guess Inc. Agrees to Tighten Web Security
Wed Jun 18,10:17 PM ET
By DAVID HO, Associated Press Writer
WASHINGTON - Clothing marketer Guess Inc. will tighten security for its Web site to resolve federal charges that it failed to protect customer credit card information from computer hackers.
The Federal Trade Commission said Wednesday that Guess misled visitors to its Web site with promises that personal information would always be protected in a secure form that couldn't be read by hackers. The FTC said the information was vulnerable to common hacker attacks and last year one Internet intruder accessed customer credit card numbers.
"Companies have an obligation, particularly when they promise security, to take steps to make sure that obvious vulnerabilities aren't there," said Howard Beales, director of the FTC's Bureau of Consumer Protection. "They need to lock the doors."
The Guess Web site has been vulnerable to attack since at least October 2000, the FTC said.
"There are relatively easy fixes that Guess could have done," Beales said. "They just didn't until after it was brought to their attention by the FTC."
Guess said in a statement that no consumers were harmed by the hacker attack last year.
"Since that time, we have upgraded our site to best ensure the security of our consumers' personal information," the company said. "We will continue to monitor and upgrade our site in order to safeguard the privacy of our consumers."
By settling, Guess doesn't acknowledge breaking any law.
Under the settlement, Guess must create a new security program that is certified annually by an independent expert. The company also is banned from making false claims about its security.
The settlement is the third FTC case involving misleading Internet privacy or security claims. Past cases involved Microsoft Corp.'s Passport Internet service and drug maker Eli Lilly and Co., which mistakenly released the e-mail addresses of more than 600 people taking Prozac.
*******************************
San Francisco Gate
Extreme lobbying upsets Assembly
Lawmakers mad at response to killing privacy bill
June 19, 2003
Sacramento -- A consumer group's unorthodox response to losing an Assembly vote on a financial privacy bill became a rallying point Wednesday for some lawmakers who hope to crack down on aggressive lobbying, which some say is "over the top."
The latest episode to anger legislators was a decision by the Foundation for Taxpayer and Consumer Rights to post on the Internet partial Social Security numbers of lawmakers who did not support the latest attempt to increase protections on personal financial information.
"We should be free to vote our conscience and not be threatened or harassed if we choose to vote contrary to people who are lobbying for special legislation," said Assemblyman Ed Chavez, D-La Puente, one of the lawmakers whose partial number was published.
The consumer group said it had bought the numbers on the Internet for $26 and was merely demonstrating the need for stronger privacy protections.
Eight of the Assembly Banking Committee's 12 members on Tuesday either voted against or abstained from voting on a bill that would have increased protections for private financial information.
The group posted the first four numbers of the legislators' Social Security numbers -- information that is more and more available to anyone using Internet research services.
But some annoyed lawmakers questioned whether the Web posting was illegal and cited it as yet another example of high-pressure lobbying that has taken hold in the era of term limits.
'BORDERING ON EXTORTION'
Assemblywoman Patricia Wiggins, D-Santa Rosa, the chair of the Assembly Banking Committee where the privacy bill died, wrote a letter to Assembly Speaker Herb Wesson, D-Los Angeles, saying the tactic "borders on extortion" and asked to have it probed.
Jamie Court, the executive director of the consumer protection group, said the organization was not seeking to influence the vote, noting that the numbers were posted after the bill was defeated. He also said that only the first four numbers were released rather than the full nine.
"We're trying to demonstrate how vulnerable everyone's privacy is, and it's simply a public education message," he said.
Assemblyman Dario Frommer, D-Glendale, called it "the kind of over-the-top behavior" that he is seeking to curb. He proposed reforms in response to an incident two weeks ago in which a prominent lobbyist used verbal threats to push a bill.
Under Frommer's proposals, lobbyists who also manage political campaigns would be barred from attempting to influence lawmakers they have helped elect.
People caught trying to influence lawmakers on the Assembly floor would also face tougher penalties under his proposal.
STIFF PENALTIES PROPOSED
Lobbyists are already barred from the Assembly floor, but there have been several instances in which unregistered advocates enter the chambers to attempt to sway legislators on bills.
While that activity is already banned, the only penalty is removal from the chamber. Under the new proposal, people who have been found to violate the rule could be fined $2,000 and banned from the chambers for two years.
The debate over lobbyists' behavior was sparked after Sacramento lobbyist and political consultant Richie Ross threatened the chiefs of staff to two lawmakers. Witnesses said he threatened to have one Assemblywoman's bills killed in the Senate and allegedly said another was "dead, in my eyes" after the two did not vote for a farmworker measure he supported.
"Individuals should not be trying to trade on their status as a political consultant and then turn around and lobby," Frommer said. "It's dangerous and unseemly, and a definite conflict of interest."
The proposals take direct aim at the unique dual role Ross has carved out for himself, working as both a campaign manager helping to get Democrats elected and as a lobbyist representing labor, lawyers and other interest groups. Few others, if any, have pursued the same business model.
Since the incident, critics have said that dual role creates the potential for Ross to have undue influence over the politicians he has helped elect.
Ross has issued a blanket apology to Assembly members and said he was reacting to the tense atmosphere around the bill and around the Capitol in general, where a budget crisis has put everyone on edge.
The reform proposals have the potential to set up a fight between Democratic factions of the Legislature. During the last campaign season, Ross was paid to manage the campaigns of 10 current legislators, including Wesson, the speaker of the Assembly.
Ross could not be reached for comment Wednesday.
Frommer's reform proposal would also create a code of conduct for lobbyists that would bar acts of intimidation intended to influence votes on legislation.
After complaints from lawmakers about increasingly aggressive tactics employed by lobbyists, and Ross in particular, Wesson agreed last week to appoint a committee headed by Assemblywoman Wilma Chan, D-Alameda, to study the issue.
Frommer sent his proposal to Chan one week ago. Rachel Richman, Chan's chief of staff, said the group has not yet met or laid out a timetable for its work.
A spokesman for the speaker said the issue is a priority, though he has given no further direction to the committee since it was created 10 days ago.
Other legislators are not waiting for the committee to do its work. Assemblywoman Lois Wolk, D-Davis, is crafting her own proposal that would mirror the policy used by the Los Angeles City Council.
Under those rules, any lawmakers who have a business relationship with someone seeking to influence the lawmakers would have to recuse themselves from voting. The measure would be designed to negate the influence of political campaign consultants who are also retained by special interests for political advice, but who do not register as lobbyists.
"There can never be too many efforts to clean up this place," Wolk said through her chief of staff, Craig Reynolds.
E-mail Christian Berthelsen at cberthelsen@xxxxxxxxxxxxxxxx
*******************************
Federal Computer Week
Wireless security entangles HIPAA
BY Dibya Sarkar
June 18, 2003
Although most health organizations still have another 22 months to comply with new federal security standards, securing wireless networks may pose a problem as they near the deadline.
"There are so many security issues around wireless and the [security] rule gives you no substantial guidance on how to secure wireless," said Marne Gordon, director of regulatory affairs at TruSecure Corp., referring to the Health Insurance Portability and Accountability Act of 1996 guidelines on security.
HIPAA, as it's known, is a far-reaching federal law that, among other things, is supposed to strengthen privacy procedures involving personal patient health and medical information, simplify administrative codes and standards for electronic data interchange and improve security of networks handling such data.
"Privacy is all about the rights to use information and how information is used. Security is about how to protect the confidentiality, availability and integrity of the information," said W. Holt Anderson, executive director of the North Carolina Healthcare Information and Communications Alliance Inc., a nonprofit consortium of public- and private-sector groups working on HIPAA issues.
"The really hot buttons in security right now are secure e-mail and wireless. So we'll be spending a lot of time in the next couple of years as the security regulation gets ready for April 2005. But it's really kicking into gear now because people need some of the security measures to implement privacy and they're still implementing those," he said, adding the consortium has developed a gap analysis tool for security.
The final published security rule was issued in February and does not provide specific solutions to affected health care agencies because they are varied in terms of their technology.
Gordon, whose company provides consulting on HIPAA-related practices, said wireless wasn't even a factor when standards were being considered several years ago.
"I know a lot of doctors in their own hospitals are looking to see what steps wireless can save them. There are so many security issues around wireless and the rule gives you no substantial guidance on how to secure wireless. A lot of organizations are looking for 'How do I secure that,' because that's the weakest link," she said.
Aldona Valicenti, chief information officer for Kentucky, said states also have to consider whether their cybersecurity measures will be compliant with what they need to do for HIPAA.
"You've got to understand we're making security investments now," she said. "What I think we don't want to happen is make security investments now that are inappropriate.
"So that's really sort of our challenge right now," she continued. "We are in a very depressed fiscal situation, we're going to lose workers or positions or both, and we have a continued requirement to ... beef our security up, make sure that we're compliant, make sure we deal with homeland security, and by the way, what we're doing is going to comply with HIPAA."
*******************************
CNET News.com
Charting tactics in the war on spam
By Paul Festa
Staff Writer, CNET News.com
June 18, 2003, 4:00 AM PT
Christine Gregoire knows she can't win.
The attorney general of Washington state has long been at the vanguard in the battle against spammers, and if there's one thing she's learned about her opponents, it's that when one falls, 10 will rise to take their place.
Still, Gregoire has led her state's charge against unsolicited commercial e-mail, helping establish the constitutionality of Washington state's groundbreaking antispam law and lodging the state's first suit against an offender. She took the stand Tuesday with Microsoft executives heralding that company's legal assault on spammers from California to the United Kingdom.
Gregoire spoke to CNET News.com from Redmond, Wash., about her state's spam battle, offering advice for legislators around the country and specifically to politicians residing in the other Washington, whose laws could pre-empt those of the states.
Q: When did spam first come to your attention, as the attorney general?
A: Our law was passed about three years ago, but it was immediately challenged when we took an enforcement action. It was declared constitutional two years ago, so there was no enforcement tool until two years ago this month. We were the first state in the nation to have a constitutional challenge under free commerce and First Amendment grounds, and our case wound up going to the Supreme Court, which denied cert. (A term that refers to a decision by the Supreme Court to hear an appeal from a lower court.) Our state Supreme Court held the law to be constitutional, and that set the pace around the rest of the country. People were in kind of a stand-down mode, waiting for the outcome of the challenge to our law.
Now there are some 33 other states that have passed antispam laws; and just three years ago, when we passed ours, we were No. 2 in the nation. That shows you how quickly legislators have stepped up in light of huge consumer concern.
What would be your advice to the U.S. Congress in its deliberations over a spam law for the nation?
I would say you have to have a piece of federal legislation that has real teeth. The solution, in my mind, is changing the economics of spam. We have to change it so that it costs the spammers more to spam us than they stand to profit from it. So the law has to carry an economic consequence so spammers have to think twice before violating the law.
Secondly, I think the major concern we have right now is that this is such a dynamic area that one of the major solutions to this is in technology. We can't have federal legislation that isn't visionary enough to let technology develop.
Is there that risk with the legislation being considered?
Absolutely. We have looked at most of the legislation that's pending before Congress, and we're concerned about it viewing the problem through glasses that are only useful for today's problem. And we need to think about it as an evolving field with evolving technology.
We're in the race for the ISPs (Internet service providers), because every time they come up with some filtering mechanism, sure as I'm standing here the spammers find a way around it. And every time we come up with ways to investigate them, they find new ways to hide.
I'm not sure I understand in what ways the federal laws under consideration might hinder that kind of technological innovation.
They're basically saying you have to identify the e-mail as e-commerce, that you have to have an opt-out, when, in fact, the potential for tomorrow's e-commerce has to be recognized and the technology to filter it out has to be well-understood. We have consumers who want to receive ads, but also the ability to say, "Don't give it to me anymore." That option needs to be thought through.
And we need a technology option that's very consumer friendly, so the consumer could say on their computer, "I don't want advertisements from anyone I haven't done business with." We need to make sure that we allow technology that would allow that. What we don't need is federal legislation that's outdated the day it's signed.
Can you say more about what concerns you about the federal legislation?
Virtually all the legislation pre-empts the states. I wouldn't say that I would never entertain a pre-emption idea, but based on what's there now, I would be reluctant to. One specific area is that most of the laws say consumers have no private right of action, and I just think that's a mistake. We need right of action by the states, the federal government, ISPs and private consumers. And there's no reason to take away from any of those entities.
In the press conference you mentioned things consumers could do to protect themselves.
The biggest thing they can do is be careful about the use of their e-mail address. When filling out registration forms or surveys, or purchasing something online, they need to decide whom they're willing to give that address to and protect it as personal information. They need to help themselves with signing up with an ISP that has good filtering systems and software that has the additional ability to filter out spam. In the case of Washington state, they can contact ISPs and disclose that it's a Washington e-mail address, because that puts everyone on notice that we have a law that protects them.
That brings up another point that came up in the press conference, which is the difficulty of prosecuting spam offenses across borders. How successful have you been in Washington state, in that respect?
We've been successful: All four of the suits we have brought have been against out-of-state spammers. But it will be a considerable challenge to us as a state if it's from another country. So that's why we're partnering with the ISPs, especially Microsoft, for the international part of the problem.
Say more about your relationship with private industry on this issue, particularly with Microsoft.
We've been working with them on the federal legislation and how it can be developed with allowances for technology to move forward. We've been encouraging them to bring actions like those announced Tuesday. Only if ISPs are willing to do that is the message going to go out that if you send spam it's not only the state attorneys general you have to deal with. And we've partnered with the Federal Trade Commission in a national effort to try to bring enforcement actions in every state in the country. I hope to do more of those. But we can't do it alone. We need to work with the private sector, with private lawyers, so we can get our arms around it and change the economics of spam.
*******************************
Associated Press
Homeland Security Network Poses Challenge
Thu Jun 19, 8:22 AM ET
By STEVEN K. PAULSON, Associated Press Writer
COLORADO SPRINGS, Colo. - It's a task that would challenge even the sharpest of computer geeks: set up a hacker-proof computer network for 190,000 government workers across the country fighting terrorism.
That's the challenge facing computer experts building a new system for the Homeland Security Department while keeping the existing network operational and secure.
Technology will be a key to the success of the new system, which is expected to take years to complete, said Edward Kinney, director of information technology for Customs & Border Protection.
Kinney spoke Wednesday at a conference that put government and private computer company representatives together to discuss security. He declined to provide specifics about the network.
The Homeland Security Department became operational in February in the largest government reorganization since 1947. It merged 22 agencies scattered across the nation and in some foreign countries.
The new department is charged with patrolling borders, analyzing U.S. intelligence, responding to emergencies and guarding against terrorism, among other tasks.
Computer experts have had to figure out ways for employees to share critical information while protecting that information from prying eyes that could compromise national security and trade secrets, Kinney said.
"Now we can communicate securely and we can share information and documents with confidence," he said.
But watchdog groups remain worried.
The government needs to make sure information is protected because the new network creates serious privacy issues by allowing "virtual dossiers" to be compiled on employees, said Wayne Madsen, a senior fellow at the Electronic Privacy Information Center.
"Until they have a mechanism to make sure there are no abuses, they should go slow putting this information into a database," he said.
Department officials routinely test the networks to make sure they are hacker-proof, Kinney said.
They also are focusing on government employees stationed overseas, such as U.S. Customs workers who must inspect cargo headed for the United States.
"If we cannot bring goods and services across our borders, our economic security will be significantly impaired," Kinney said.
Officials said it also has been a challenge to change the computer culture among government workers. For example, after the Sept. 11, 2001, attacks, computer managers had to tell federal workers to stop e-mailing pictures of waving flags from unauthorized sites to their colleagues.
"It was a bad habit people got into, downloading from unauthorized sites," Kinney said.
*******************************
Government Executive
June 18, 2003
TSP Web glitches hinder launch of new recordkeeping system
By Tanya N. Ballard
tballard@xxxxxxxxxxx
A problem with the Thrift Savings Plan's Web site is preventing participants in the 401k-style retirement plan from accessing the new automated record-keeping system that was launched on Monday, TSP board officials confirmed Wednesday.
"The record-keeping system is functioning, but the Web site is having issues," TSP spokesman Tom Trabucco said Wednesday. "When some people go in and make inquiries, it's resulting in a loop within the computer system, and when you do that it slows everything down because you can't go forward."
Trabucco said computer technicians were monitoring the system and manually terminating those "loops," as well as looking for the bug that causes the problem.
"We haven't found the bug yet, but we do have a quick fix that we hope to get in this afternoon that will allow quick access for those who just want to go in and check their account balance," Trabucco explained. "But we are very cognizant of the issues that people are having getting through on the Web and we are working diligently on it and we apologize for the inconvenience."
In the interim, TSP participants are able to access the new record-keeping system and make changes to their accounts by telephone at 504-255-8777.
The new system opened for business on Monday, after several years of delays. Using the automated system, federal employees can access up-to-date balance information and swap money from one fund to another. The new system also allows TSP account holders to more easily withdraw money, apply for loans and make changes to their contact information.
Three million participants have about $112 billion invested in the TSP's five funds and the new system processed nearly $25 million worth of interfund transfer requests Tuesday night, according to Trabucco. Another $1.2 billion of interfund transfers was processed Monday night.
"Obviously, with a new system we have to be aware there are going to be hiccups," TSP Board Chairman Andrew Saul said during the board's monthly meeting on Monday. "This is not the cure for cancer ... there's no perfect system."
The General Accounting Office has recommended that the board be held more accountable to Congress because of problems with the original contractor hired to install the new computer system. The TSP Board and American Management Systems have been locked in a series of legal battles since the board fired the Fairfax, Va.-based contractor in July 2001.
*******************************
Computerworld
Delta Air plans RFID bag-tag test
The airline has ordered 40,000 RFID tags for a 30-day trial
By Bob Brewin
JUNE 18, 2003
Delta Air Lines Inc. today announced that it plans to test the use of radio frequency identification (RFID) bag tags this fall on selected flights from Jacksonville, Fla., through its Atlanta hub -- a move seen by analysts and suppliers as potentially boosting the use of RFID bag tags throughout the airline industry.
Atlanta-based Delta said the 30-day test, conducted in coordination with the Transportation Security Administration (TSA), would involve more than 40,000 disposable 900-MHz RFID tags provided by Matrics Inc. in Columbia, Md., and SCS Corp. in San Diego. Delta's decision to test RFID bag tags comes a week after Wal-Mart Stores Inc. said it plans to require its top 100 suppliers to use RFID tags on shipping pallets and cases by January 2005.
Deepak Shetty, an analyst at Frost & Sullivan in San Jose, said he views the Delta test and Wal-Mart's embrace of the technology as catalysts for the widespread use of RFID, which "has been waiting for some killer apps" to become a reality.
John Shoemaker, vice president of business development at Matrics, agreed, adding that widespread use by the airline industry and retailers could lead to production volumes large enough to drive down prices for the tags.
Shoemaker said he can't discuss terms of the agreement with Delta, but he did say that Matrics can deliver the RFID inlays that Delta will use in the tags at a cost well below 50 cents per tag. He said the inlays will be embedded in standard bar-code tags, which cost 8 to 13 cents each. Shoemaker estimated that at large volumes, the cost of an RFID bag tag could drop to 20 cents within a year.
He estimated that Delta uses between 90 million and 100 million bag tags a year, out of an airline industry total of 1 billion a year.
RFID tags today sell for between 30 and 50 cents each, according to Bill Allen, a spokesman for Texas Instruments Inc. in Dallas. In 1999, British Airways PLC conducted a test that involved some 150,000 RFID bag tags on flights from Manchester, England, and Munich, Germany, to London's Heathrow Airport under the auspices of the International Air Transport Association. Allen said standards need to be adopted before RFID tags can be used throughout the international airline industry.
Rob Maruster, Delta's director of airport customer service strategy, planning and development, said in a statement that "by using RFID, we can further improve our baggage handling, provide real-time baggage updates and provide better, faster and friendlier service."
Shetty said RFID bag tags would provide better accuracy than bar-code tags, since bags can be tracked from a distance of up to 30 feet, whereas bar code tags have to be in close proximity to a reader.
Shoemaker said RFID tags will improve security by allowing the TSA to track bags with a high level of accuracy -- up to 99% -- as they move from check-in counters through explosives-detection machines and then onto aircraft.
*******************************
Government Executive
June 18, 2003
Converted military jobs could go to contractors
By Tanya N. Ballard
tballard@xxxxxxxxxxx
Contractors could end up with some of the 320,000 military jobs Defense Department officials seek to switch to civilian positions, a top Pentagon official said Tuesday.
"Not all [the jobs] will necessarily go to [the] civil service, some might go to contractors in some fashion," David Chu, undersecretary of Defense for personnel and readiness, said at a meeting with reporters Tuesday morning. "There is a large role for the civil service in this transition, but it will not be 100 percent."
Chu, the Pentagon's chief human capital officer, has spent more than two months pushing the department's proposal to create its own personnel system for 730,000 civilian employees, complete with a pay-banding system that would more closely link salary increases to job performance, generous flexibility to craft collective bargaining relationships and broad authority to hire and fire employees. The proposal also includes a plan to shift up to 320,000 military jobs to civilian positions.
"To have 320,000 military personnel doing jobs that are not military tasks is not a good thing for the department," Defense Secretary Donald Rumsfeld told Senate lawmakers at a June 4 hearing. "It's not right, especially at a time when we have to call up the National Guard, when we have to call up Reserves, when we're telling people on active duty who are due to get out and have plans that we have to -- not allow them to get out."
According to Chu, the services would perform reviews using guidelines created by Pentagon leaders to determine what, if any, military jobs should be performed by civilians. "We are not saying we are necessarily going to decide to convert all these slots," cautioned Chu. Most of the jobs up for review are in administrative and technical career fields. The services would have to determine why some jobs are classified civilian in one service, but not in another. For example, some services staff military hospitals with military personnel while others use civilian employees.
The Defense Department would use the free slots to add positions in other key military job areas where there are shortfalls, such as surveillance and reconnaissance, civil affairs and communications.
One union official called the job conversion plan a red herring to draw attention away from what he described as a "proposal full of holes."
"All of this rhetoric about 320,000 soldiers hasn't got anything to do with personnel reforms, it's just some bait they threw out there to distract us," said Bobby Harnage, president of the American Federation of Government Employees, which represents more than 200,000 civilian employees at the Defense Department. "I don't expect to see a lot of federal civilian employees come out of that."
Harnage said there are many parts of the Defense personnel transformation proposal that the union would be open to discussing with Pentagon officials.
"There's quite a bit of it that we would be willing to work on, but we haven't been asked to," Harnage explained. "In 1998, we asked President Clinton to sit down with us, [saying] 'Let's talk about pay.' He never did. In 2001, we asked President Bush to sit down with us, [and said] 'Let's talk about pay.' He never did and now two years later they drop this on us. They could have this situation worked out if they had sat down with us."
Harnage questioned how Pentagon officials expected to hire a huge influx of employees with or without added personnel flexibilities, given budget constraints.
"They can hire all the people they want, as long as they have the money," Harnage said. "This will happen in dribs and drabs over about 20 years; you'll never notice it."
Jayson Spiegel, senior national defense counsel at the law firm Ball Janick, voiced similar concerns about the expense of adding civilian jobs without eliminating military positions.
"It absolutely costs more money, because if you don't cut your end strength then you end up with more people," Spiegel said.
Chu admitted that it would take years to transfer all the positions, but said increased personnel flexibilities would ease hiring restrictions for Defense civilian personnel and help make the job transfers happen more quickly and smoothly.
House legislators included the Pentagon personnel overhaul in the fiscal 2004 Defense authorization bill (H.R. 1588). Senate lawmakers modified the legislation and offered it as the "National Security Personnel System Act" (S. 1166). The Senate Governmental Affairs Committee approved the legislation on Tuesday.
*******************************
Washington Post
Beyond Kazaa, a Grand Plan
Executive Seeks Partnership With Showbiz
By Jonathan Krim
Thursday, June 19, 2003; Page E01
Nikki Hemming, who runs the world's most popular service for sharing online music and other files, has a message for the people who hate her most: Kazaa, infamous for enabling users to swap music and videos without paying for them, wants to be the official online distributor for the entertainment industry.
"Realize that this technology is inexorable, and come to the table" is what Hemming said she would say to chief music-industry lobbyist Hilary B. Rosen and Jack Valenti, head of the Motion Picture Association of America.
It's a statement of characteristic cool for Hemming, who spoke by telephone from her home in Australia hours before Kazaa took another flogging on Capitol Hill this week.
Sen. Dianne Feinstein (D-Calif.) testified that peer-to-peer networks facilitate "a new era of easily obtainable pornographic material." Rep. Thomas M. Davis III (R-Va.) said research shows that some users of file-sharing services unwittingly expose private information on their computers, including tax returns, social security numbers and medical records.
Sen. Orrin G. Hatch (R-Utah), a musician himself, said that if nothing else could stop people from stealing copyrighted works, he would support using programs to damage the computers of those who do.
As chief executive of Australia-based Sharman Networks Ltd., which owns Kazaa, Hemming has heard it all before.
Kazaa and other file-sharing services have weathered blistering legal and public relations campaigns by the entertainment industry, aimed at shutting down their businesses or at least undermining consumer confidence in them.
Yet file sharing is flourishing. The Kazaa Media Desktop software, which is free, has been downloaded more than 240 million times. Software from Morpheus, a similar service, has been downloaded more than 111 million times. Other services, including Grokster and LimeWire, also have grown remarkably.
Hemming said Kazaa cannot control how consumers use its software, but the company does not condone piracy.
She said privately held Sharman Networks is primarily in the business of distributing digitally protected content, allowing artists to collect royalties.
Through a California-based partner, Altnet Inc., Kazaa offers thousands of music and game titles.
Unlike the millions of songs, videos and software programs that users load onto their computers and make available for others to share, those files are digitally protected.
When users want one, they pay a royalty fee. If they want to share files, the system forces the next person who wants to get it to also pay the fee.
Derek S. Broes, a senior partner at Altnet, said that if computer users try to copy a file to remove digital protection, the file is degraded.
Many experts argue that such a system is the wave of the future, which the entertainment industry will have to embrace in some way. So far, the music and video industries have taken only halting, initial steps to distribute their products online. Apple Computer recently launched a service called iTunes that makes industry-sanctioned music files available for 99 cents each.
But such systems work only when the recordings are available in digital form and can be protected electronically.
What the entertainment industries object to are people who copy audio and video discs in digital formats and make them available on file-sharing services. Industry efforts to encrypt the discs have been thwarted.
With so much entertainment released on discs, file sharers have a free bonanza.
The entertainment industries demand that peer-to-peer networks prevent sharing of all copyrighted works.
Hemming said that is not technologically possible. File sharing won a major legal victory in April, when a federal court in California ruled that the software itself was not inherently illegal even though many people use it for illegal purposes.
Instead, Kazaa wants to put more and more titles on its digitally protected service so that over time, unprotected files get crowded out.
When users search for a particular title or artist, Kazaa produces a list with priority given to protected, for-pay files, which are marked with an icon.
Even if the public willingly migrates to paying for music in this fashion, so much is available for free that few expect it to happen quickly.
There are concerns about file sharing that persist.
According to a study by Nathaniel Good, a University of California graduate student, and Aaron Krekelberg, who works in the technology office of the University of Minnesota, Kazaa's system for installing its software is sufficiently flawed that users could easily make errors that would expose personal information to other file sharers.
Hemming said Sharman Networks has made several changes to its software, including adding an anti-virus program and parental controls. Other computing applications, including e-mail and modems without firewalls, pose similar dangers of allowing viruses, pornography and hackers into people's computers, she said.
File-sharing services also are notorious for allowing "spyware," which allows many actions of computer users to be monitored. Hemming said Kazaa avoids spyware, but the service does include "adware" from third parties, which allows them to keep track of whether users are responding to online ads.
*******************************