Clips August 8, 2003
- To: "Lillie Coney":;, Gene Spafford <spaf@xxxxxxxxxxxxxxxxx>;, John White <white@xxxxxxxxxx>;, Jeff Grove <jeff_grove@xxxxxxx>;, goodman@xxxxxxxxxxxxx;, David Farber <dave@xxxxxxxxxx>;, glee@xxxxxxxxxxxxx;, Andrew Grosso<Agrosso@xxxxxxxxxxxxxxxx>;, ver@xxxxxxxxx;, lillie.coney@xxxxxxx;, v_gold@xxxxxxx;, harsha@xxxxxxx;, KathrynKL@xxxxxxx;, computer_security_day@xxxxxxx;, waspray@xxxxxxxxxxx;, BDean@xxxxxxx;, mguitonxlt@xxxxxxxxxxx;
- Subject: Clips August 8, 2003
- From: Lillie Coney <lillie.coney@xxxxxxx>
- Date: Fri, 08 Aug 2003 15:11:55 -0400
Clips August 8, 2003
ARTICLES
OMB guides agencies to meet IT security law
Bush Misuses Science, Report Says
Supporters back away from software bill
AFL-CIO calls for reform on temp workers
Mail Tracking System Raises Privacy Fears
RIAA steps up bid to force BC, MIT to name students
Software patching gets automated
*******************************
Government Computer News
08/07/03
OMB guides agencies to meet IT security law
By Jason Miller
The Office of Management and Budget yesterday set guidelines for agencies to report their progress in securing IT systems.
In a letter to agency executives, OMB director Joshua Bolten outlined how agencies should implement the Federal Information Security Management Act, which became law as a provision in the E-Government Act of 2002 last December.
OMB detailed steps in four sections of the memo that agency CIOs and inspectors general must follow in evaluating IT security. These sections include changes introduced by FISMA, reporting instructions, quarterly plans and performance updates, and definitions in law and policy in the guidance.
Bolten also said he wants to make sure agencies spend enough money and resources on IT security.
"I am directing my staff to work with your agency to ensure that system remediation plans are implemented and appropriate resources are identified through the budget process to resolve critical IT security weaknesses," Bolten said.
Bolten also laid out the criteria for agencies to earn a green score on the stoplight scoring system the White House uses to grade agencies in meeting the President's Management Agenda.
Agencies will not improve their scores in e-government under the PMA unless they improve their scores in the security subsection first, Bolten said. OMB grades agencies quarterly on how they implement their security plans, he added.
To get to green, agencies must:
- Demonstrate consistent progress in remediating IT security weaknesses
- Have the IG verify there is a departmentwide IT plan
- Have 90 percent of IT systems certified and accredited by the IG and by outside experts.
To get to yellow, agencies must:
- Demonstrate consistent progress in remediating IT security weaknesses
- Have the IG verify a departmentwide IT plan or have 80 percent of IT systems certified and accredited by the IG and outside experts.
*******************************
Washington Post
Bush Misuses Science, Report Says
Democrats Say Data Are Distorted to Boost Conservative Policies
By Rick Weiss
Friday, August 8, 2003; Page A15
The Bush administration has repeatedly mischaracterized scientific facts to bolster its political agenda in areas ranging from abstinence education and condom use to missile defense, according to a detailed report released yesterday by Rep. Henry A. Waxman (D-Calif.).
The White House quickly dismissed the report as partisan sniping.
The 40-page document, "Politics and Science in the Bush Administration," was compiled by the minority staff of the House Government Reform Committee's special investigations division. It marks the launch of a new effort by Waxman and others in Congress to highlight simmering anger among scientists and others who believe that President Bush -- much more than his predecessors -- has been spiking science with politics to justify conservative policies in areas such as reproductive rights, embryo research, energy policy and environmental health.
"The Administration's political interference with science has led to misleading statements by the President, inaccurate responses to Congress, altered web sites, suppressed agency reports, erroneous international communications, and the gagging of scientists," according to the report, posted yesterday at www.politicsandscience.org. "The subjects involved span a broad range, but they share a common attribute: the beneficiaries of the scientific distortions are important supporters of the President, including social conservatives and powerful industry groups."
White House spokesman Adam Levine said it would take time for the administration to address the specifics of the report. However, he said, "I'm hard-pressed to believe anyone would consider Congressman Waxman an objective arbiter of scientific fact."
Several prestigious scientific journals have editorialized about the Bush administration's dealings in science in recent months, including Science, Nature and the New England Journal of Medicine.
An editor at Science, for example, recently said in print that the administration was injecting politics into arenas of science "once immune to this kind of manipulation."
And the editors of the Lancet noted "growing evidence of explicit vetting of appointees to influential [scientific] panels on the basis of their political or religious opinions" and warned against "any further right-wing incursions" on those panels.
The General Accounting Office has been investigating such allegations since some in Congress asked the agency to do so in September, but it has not released any findings.
Among the purported abuses documented in the report:
- "Performance measures" used to determine the effectiveness of federally funded "abstinence only" sex education programs were altered by the administration in ways that made it easier to say the programs were effective. And information about how to use a condom -- along with scientific data showing that sex education does not lead to earlier or increased sexual activity in young people -- was removed from a Centers for Disease Control and Prevention Web site.
- In testimony before Congress, Interior Secretary Gale A. Norton omitted -- and in at least one case misstated -- federal scientists' findings that Arctic oil drilling could harm wildlife.
- The administration altered a National Cancer Institute Web site in a way that wrongly implied there was good evidence linking abortions to breast cancer.
- The Education Department circulated a memo instructing employees to remove materials from the department's Web site not "consistent with the Administration's philosophy," prompting complaints about censorship from national educational organizations.
- Bush has appointed to key scientific advisory committees numerous people with political, rather than scientific, credentials. For example, his appointee to a presidential AIDS advisory committee, marketing consultant Jerry Thacker, has described homosexuality as a "deathstyle" and referred to AIDS as the "gay plague."
A spokesman for Waxman said the report will be updated on the Web as new examples arise.
*******************************
CNET News.com
Supporters back away from software bill
By Alorie Gilbert
August 7, 2003, 10:08 AM PT
The key supporters of a software-licensing bill that critics say promotes corporate rights over those of consumers have, in the face of mounting opposition, decided to quit lobbying for its enactment.
The Uniform Computer Information Transactions Act (UCITA), drafted four years ago, is meant to protect software developers from intellectual property theft by resolving conflicting software licensing laws that vary from state to state.
But critics have complained that the proposed laws favor corporate interests over those of consumers. They say it grants software makers too much freedom in restricting the use of their products and in dictating settlement terms for conflicts.
UCITA has been enacted in only two states, Maryland and Virginia, since the group of law experts that drafted the bill began its enactment campaign.
The group, called the National Conference of Commissioners on Uniform State Laws (NCCUSL), anticipated that an additional two to five states would pass the bill after the group amended it last year to address concerns about consumer rights. But the bill's opponents, including the American Bar Association and the American Library Association, refused to back down.
Despite being introduced in Nevada and Oklahoma legislatures this year, UCITA never made any further progress. And four states--Vermont, Iowa, West Virginia and North Carolina--have passed anti-UCITA "bomb-shelter" provisions, which make UCITA laws in Maryland and Virginia inapplicable to residents of those states, according to the Americans for Fair Electronic Commerce Transactions. AFFECT is a national coalition that opposes UCITA.
The lack of acceptance has prompted NCCUSL to announce on Friday that it had pulled the plug on all efforts to help states introduce and enact the bill. Without that backing, UCITA is unlikely to gain further consideration from the states, according to Katie Robinson, a NCCUSL spokeswoman.
"Without the conference pushing UCITA, I don't see any other legislative activity happening on it," Robinson said.
NCCUSL, which concluded its annual meeting in Washington this week, also disbanded the special committee that oversees its UCITA activity. Robinson said politics had interfered with the group's efforts in support of the bill, adding that the group may revisit the subject of state laws that govern software contracts and digital information in the future.
"It is heartening to see NCCUSL backing away from a very flawed statute, but it will never be able to write sound law for the information economy until it takes to heart the criticisms of the user sector," Jean Braucher, a member of AFFECT and a professor at the University of Arizona James E. Rogers College of Law, said in a statement issued Wednesday.
"The debate is not just 'politics,'" Braucher added. "There are fundamental policy problems with UCITA."
Yet UCITA is not completely dead and buried, legal experts say. Because it's on the books in two states, courts across the country could be influenced by it, according to Fred von Lohmann, a staff attorney at the Electronic Frontier Foundation.
"However, the prevailing wind right now is against UCITA," von Lohmann said. "We think that's a good thing."
*******************************
CNET News.com
AFL-CIO calls for reform on temp workers
By Lisa M. Bowman
August 7, 2003, 11:06 AM PT
The AFL-CIO is calling on Congress to revamp its temporary-worker programs, saying workers are being abused and misused in the down economy, especially by companies in the tech sector.
Temporary-worker permits such as L-1 and H-1B visas allow highly skilled foreigners to enter the United States to fulfill certain jobs within a company and are especially popular among tech companies.
In a new policy statement on the topic that it released Wednesday, the AFL-CIO Executive Council asked for major revisions to the worker visa programs.
"In the current recession--unlike previous economic downturns--a growing number of well-educated and highly skilled U.S. professional and technical workers have found themselves in the long lines of the unemployed," the AFL-CIO Executive Council wrote in the policy statement. "For many, particularly workers in high tech, these policies have made a bad situation much worse."
The council urged Congress to limit the number of H-1B visas per company, restrict each worker to a three-year, nonrenewable term and implement a plan that requires companies to show that they've sought to employ U.S. workers but couldn't find them. Under the current plan, H-1Bs can stay for as long as six years, and companies do not have strict reporting requirements about their search for U.S. workers.
The council also called on other lawmakers to support legislation that Rep. Rosa DeLauro, D-Conn., and Rep. Christopher Shays, R-Conn., sponsored that would reform the program for L-1 visas, otherwise known as intracompany transferee visas. L-1 visas are designed to allow employees with specialized skills to transfer from a company's offices in a foreign country to its workplace in the United States. The AFL-CIO said companies abuse the program by using foreigners who have L-1s to replace U.S. workers, sometimes requiring people to train their replacements.
The permit programs have long been controversial. During boom times, tech companies said they simply couldn't find enough skilled U.S. workers to fill their vast numbers of job openings and thus turned to foreign guest workers to grow or maintain their business. However, some tech workers have argued that companies were using the permits to hire cheaper labor.
Now that the boom has gone bust, many highly skilled workers feel as if they're facing a multipronged attack on their jobs, making the worker permits an even more heated topic among employees in the tech sector.
The economic doldrums have made it hard for many people to find full-time work. What's more, companies are increasingly turning to outsourcing, sending even white-collar and development jobs overseas to countries such as China, Ireland and India. A recent Gartner study predicted that nearly one out of every 10 jobs at technology companies will eventually move overseas.
*******************************
Washington Post
Mail Tracking System Raises Privacy Fears
By Brian Krebs
Thursday, August 7, 2003; 1:33 PM
A presidential commission proposal to use tracking codes to verify who sends and receives mail through the U.S. Postal Service is getting a chilly reception from privacy advocates who say it could violate civil liberties.
The Postal Service began considering the "Intelligent Mail" idea several years ago as a way to help its commercial customers, such as credit card companies and direct marketers, get more information on when and if their mail reaches intended recipients.
The idea is similar to what private shipping companies like United Parcel Service and Federal Express already do as part of their everyday business operations -- simply labeling everything they deliver with a bar code and monitoring the mail's location in the delivery process.
Intelligent Mail for the public Postal Service took on a new urgency after the anthrax mail scare in 2001, when the government started looking for ways to improve the security of the mail network.
The President's Commission on the Postal Service last week recommended that the independent agency work with the Department of Homeland Security to study the development of sender-identification requirements for all mail.
The Postal Service estimates that it delivers about 670 million pieces of mail to more than 138 million addresses daily, leading to concerns among law enforcement and government officials that it is too easy to use the system for criminal or terrorist activity.
The commission said the Intelligent Mail could bolster security, as well as let consumers track the progress of anything they send. The latter has been identified as a top consumer demand in the commission's independent surveys.
It also proposed that the Postal Service sell vanity stamps that would let customers use personalized images or business logos on their stamps. They would contain unique sender identification codes, and cost more than regular stamps, the commission suggested.
Critics warned that there is too much of a threat to Americans' privacy rights if Intelligent Mail is applied to all mail.
"You have to question the Big Brother aspect of the government being able to document who is writing who," said Rick Merritt, executive director of the Virginia Beach-based advocacy group PostalWatch. "There will be some serious privacy concerns if it becomes mandatory that all mail be sender identified."
The proposal contradicts the Postal Service's cherished notion of anonymous correspondence, said Ari Schwartz, associate director of the Center for Democracy and Technology in Washington, D.C.
"There is a rich history in this country around the concept of anonymous mail that goes back to the Federalist Papers," Schwartz said, referring to the documents anonymously authored by the nation's founding fathers which helped sway public opinion in favor of ratifying the Constitution.
"There are way too many unknowns about expanding this idea beyond its original scope, including who would have access to the information, and what this would mean for tracking individuals in the future," Schwartz said. "We just haven't dealt with those questions yet."
"Banning anonymous speech through the mail would be a major revolution," said Peter Swire, former chief privacy officer during the Clinton administration, now a law professor at Ohio State University.
Zoe Strickland, the Postal Service's chief privacy officer, declined to discuss specifics of the report, citing an ongoing internal review of the recommendations.
"Privacy is a major value with us, and we will make sure those values are integrated into any program, including Intelligent Mail," Strickland said.
The commission did not say exactly how much the program would cost, nor what the privacy impact would be, focusing instead on how it would make it more difficult for criminals to work via mail. It noted that Intelligent Mail would be expensive, but could save at least $2 billion each year, the amount that the Postal Service spends trying to redirect mail that arrives at outdated addresses.
"The greatest inconvenience, most certainly, would be to those who use the mail system for unlawful purposes, since such a move would hand law enforcement a powerful new tool to identify and prevent such abuse," the commission said.
Richard M. Smith, a Boston-based security and privacy consultant, said a mandatory Intelligent Mail system would be too expensive and invasive.
"The notion that this proposal would somehow be able to solve the problem of people doing bad things through the mail is ludicrous," Smith said. "The idea that the way we get secure is to identify people all the time is just wrongheaded."
Federal Express, which uses bar codes to track shipments, has cooperated with the Homeland Security Department in the past, said spokeswoman Kristin Krause. Krause declined to provide further details, but said that FedEx can verify the identity of its customers through credit card transactions, except when the senders pay cash.
*******************************
Boston Globe
RIAA steps up bid to force BC, MIT to name students
By James Collins, Globe Correspondent, 8/8/2003
The Recording Industry Association of America this week asked judges in both Massachusetts and Washington, D.C., to order the Massachusetts Institute of Technology and Boston College to release the names of students who are accused of sharing copyrighted music files over the Internet.
The schools have refused to comply with subpoenas that the organization issued last month to obtain the information. Jonathan Lamy, a spokesman for the industry group, did not say when the organization would begin filing lawsuits based on the information it is seeking, but the organization previously threatened to begin suing illegal music sharers this month. Under federal copyright law, the group could seek penalties of up to $150,000 for each illegally shared song.
The industry group has filed at least 900 similar subpoenas against other schools and Internet service providers to determine the identities of computer users it accuses of music piracy. The recording industry group's lawyers argued in a countermotion this week that the schools' objections do not invalidate the 1998 Digital Millennium Copyright Act, the law under which the subpoenas were issued. A hearing has not been scheduled in either case.
Meanwhile, this week officials at MIT determined that a student accused of sharing hundreds of copyrighted music files there lives in the school's Theta Delta Chi fraternity house. James Bruce, the school's vice president for information services, said the school notified the student, but is not releasing his name to the public or to the industry association.
Columbia University, which also received at least one subpoena from the organization, has filed a similar objection in court in New York. Officials at Columbia could not be reached for comment last night.
Comcast Corp., which received at least 100 subpoenas, has complied fully with the organization, but Pacific Bell Internet Services, a unit of SBC Communications Inc., has challenged the crackdown in court. Verizon Communications Corp., which received about 150 requests from the organization, has also challenged the legality of the subpoenas, but the company is releasing the information because it says it has no choice.
James Collins can be reached at collins@xxxxxxxxxx
*******************************
Government Computer News
August 8, 2003
Software patching gets automated
By William Jackson
GCN Staff
Whenever the Defense Department's Computer Emergency Response Team Coordination Center sends out a vulnerability alert, each DOD systems administrator must acknowledge it and respond with a plan for closing the hole.
"The notification and response is becoming more automated," said a security manager at a DOD software development shop, who contacted GCN and asked that neither he nor his agency be named in print. "The problem is that the remediation is manual. When you get two or three alerts an hour, it gets out of control."
The DOD security manager said he uses the Hercules automated remediation tool from Citadel Security Software Inc. of Dallas to cut the time for fixing flaws in multiple machines from weeks to days or hours.
"There was a lot of gnashing of teeth in getting the purse strings loosened" to buy the software, he said. Now his headquarters recommends it to other agencies because "it's a great force multiplier."
Vulnerability remediation is a two-step process. First comes an inventory of hardware and software vulnerabilities. Then somebody must decide what to fix, prioritize the jobs and actually make the fixes.
The DOD shop began using Stat Scanner from Harris Corp. of Melbourne, Fla., to automate the first part of the process, the security manager said.
"It can tell us where we are vulnerable," he said, "but we still had to remediate manually. Harris told us, 'You really need to look at an automated remediation tool' and recommended Hercules." The product typically runs under Microsoft Windows 2000 Server but can handle remediation on various Windows and Unix platforms. The administrator decides what vulnerabilities need to be fixed and schedules them. Hercules' automated agents then do the work and report back.
The DOD shop tested Hercules 1.9 in December with Stat Scanner, the security manager said, running it against 10 out-of-the-box PCs. The standard practice with new machines is to establish a baseline software configuration, then remediate any vulnerabilities, he said.
"The tool does exactly what we were led to believe it does," the security manager said. "But this is not the be-all and end-all." On several occasions, he said, patches failed to install properly or froze up the computers on which they were installed. "We were able to go back to the Hercules log and find out what went wrong," he said.
At his shop, the security manager said, policy required turning off all user systems outside work hours. That had to be changed to leave systems on for automated remediation, he said.
*******************************