Clips July 28, 2003
- To: "Lillie Coney":;, Gene Spafford <spaf@xxxxxxxxxxxxxxxxx>;, John White <white@xxxxxxxxxx>;, Jeff Grove <jeff_grove@xxxxxxx>;, goodman@xxxxxxxxxxxxx;, David Farber <dave@xxxxxxxxxx>;, glee@xxxxxxxxxxxxx;, Andrew Grosso<Agrosso@xxxxxxxxxxxxxxxx>;, ver@xxxxxxxxx;, lillie.coney@xxxxxxx;, v_gold@xxxxxxx;, harsha@xxxxxxx;, KathrynKL@xxxxxxx;, computer_security_day@xxxxxxx;, waspray@xxxxxxxxxxx;, BDean@xxxxxxx;, mguitonxlt@xxxxxxxxxxx;
- Subject: Clips July 28, 2003
- From: Lillie Coney <lillie.coney@xxxxxxx>
- Date: Mon, 28 Jul 2003 11:13:41 -0400
Clips July 28, 2003
ARTICLES
Web Registry May Be Liable for 'Sex.com'
File-sharers fight legal moves
WiFi Is Open, Free and Vulnerable to Hackers
Efforts to put government info online could backfire
Japan cancels hacking contest
Russian Computer Hacker Gets 4-Year Term
Out of the U.S. and Out of Luck to Download Music Legally
Stanford professor slams e-voting
New guidance for incident reporting
High-tech voting system can be hacked, scientists say
Diverging Estimates of the Costs of Spam
Doggedly pursuing downloaders
*******************************
Associated Press
Web Registry May Be Liable for 'Sex.com'
Sat Jul 26, 6:59 PM ET
By RACHEL KONRAD, AP Business Writer
SAN JOSE, Calif. - Comparing Internet domain names to property such as homes and cars, a federal appellate court ruled Friday that Web registry Network Solutions Inc. could be liable for damages after a convicted forger purloined ownership of www.sex.com from an e-commerce entrepreneur.
If Web site names are property, the court contended, domain name registries should be responsible for safeguarding them no different from a valet who guarantees a client's car won't get stolen from a parking lot.
Ninth U.S. Circuit Court of Appeals Judge Alex Kozinski said courts should treat domain names, despite their virtual nature, exactly as they treat "a plot of land." Kozinski returned the case to the U.S. District Court in San Jose to be tried again.
Plaintiff Gary Kremen praised the ruling, the latest step in a lawsuit he filed in 1998 against NSI and Stephen Michael Cohen, who has served several prison stints for bank fraud and forgery.
"This was a major victory, no doubt about it," Kremen said.
In 2001, a judge ordered Cohen to pay Kremen $65 million in damages, roughly the sum Cohen made by building a Sex.com-centered porn empire. Kremen also won the rights to Sex.com, which he has expanded to Fetish.sex.com, Stars.sex.com and dozens of other porn sites. But shortly after the verdict, Cohen fled to Europe. He could not be reached for comment Friday.
Kremen is now commuting to his San Francisco office while living in the San Diego-area home Cohen surrendered to him, the only payment Kremen has received. Kremen wants NSI to pay the remainder of the damages.
Representatives from NSI, the Mountain View subsidiary of Herndon, Va.-based VeriSign Inc., said Friday they would not comment on ongoing litigation. The case will likely be retried within a year.
Kremen, founder of Online Classifieds, requested and received from NSI the rights to Sex.com in 1994. In 1995, Cohen sent NSI a letter from a fictional administrator at Online Classifieds, saying the company had fired Kremen and no longer wanted Sex.com.
NSI complied without confirming details with Kremen, then gave the name to the next person to request it: Cohen. Cohen built Sex.com into a multimillion dollar business within a few months.
The judge and plaintiff questioned why NSI would switch the domain name registration without so much as a phone call to Kremen. They also questioned why NSI administrators weren't suspicious of Cohen's letter, which requested that NSI not send e-mail to anyone at Kremen's company because it didn't have Internet access, despite being named Online Classifieds.
"Cohen is obviously the guilty party here, and the one who should in all fairness pay for his theft," Kozinski wrote on behalf of all three judges hearing the case. "But he's skipped the country, and his money is stashed in some offshore bank account. ... It would not be unfair to hold Network Solutions responsible and force it to try to recoup its losses by chasing down Cohen."
Digital rights advocates praised the ruling. San Francisco-based Electronic Frontier Foundation submitted a brief to promote the idea that domain names should be considered property and NSI, Register.com and other registries should be responsible for safeguarding that property.
"Registrars are part of the fundamental architecture of the Internet, and they need to be held responsible for the mistakes they make," EFF attorney Jason M. Schultz said Friday. "The Internet is a great engine of democracy and free speech, and this decision means that people have something like a warranty when things go wrong."
The case is Gary Kremen v. Stephen Michael Cohen, No. 01-15899.
*******************************
BBC Online
File-sharers fight legal moves
File-sharers can find out if they are being targeted by the US record industry via a website created by civil liberty activists.
The Electronic Frontier Foundation, (EFF), has set up an online database which allows people to check if a subpoena has been issued for them by the Recording Industry Association of America, (RIAA).
"We hope that EFF's subpoena database will give people some peace of mind and the information they need to challenge these subpoenas and protect their privacy," said the group's senior lawyer Fred Von Lohmann.
Hundreds of subpoenas have been sent to suspected file-sharers as part of the industry's battle to stop people swapping songs over the internet.
Legal details
Using the EFF site, people can check the name they used for file-sharing against a list of subpoenas issued in a Washington court.
If someone finds their name in the database, they can look at an electronic copy of the subpoena.
This includes the name of the internet service provider, a list of songs pirated and the internet address of the user.
The EFF site takes its information from a US justice system database called Pacer. Its online database lets people obtain a wide range of information about ongoing cases.
By the end of last week almost 900 subpoenas had been issued, with the courts granting more than 75 every day.
Advice to file-swappers
The subpoenas are part of the industry's battle to clamp down on music piracy, spearheaded by the RIAA.
They will force telecommunications companies to identify file-swappers, who are usually only known by their online user names.
People charged with piracy could face lawsuits for damages ranging from $750 (£480) to $150,000 (£96,100), which are applicable under US copyright laws.
"The recording industry continues its futile crusade to sue thousands of the more than 60 million people who use file-sharing software in the US," said Mr Von Lohmann.
The EFF is also offering advice to file-sharers who are facing legal action.
Together with the US Internet Industry Association, it has set up a website called subpoenadefense.org which has details of lawyers and other legal resources.
The civil liberties group is also providing tips on how to avoid being sued by the record industry.
These include removing all copyrighted material from a computer and disabling the file-sharing facility on programs such as Kazaa and Grokster.
*******************************
Washington Post
WiFi Is Open, Free and Vulnerable to Hackers
Safeguarding Wireless Networks Too Much Trouble for Many Users
By Jonathan Krim
Sunday, July 27, 2003; Page A01
Here's how Army Lt. Col. Clifton H. Poole, who teaches classes on wireless security at the National Defense University, gets his kicks on I-66:
Several times a month, Poole turns on a laptop computer in his car as he commutes between his Reston home and the university campus at Fort McNair in Southwest Washington. As he drives, a software program records the number of "hot spots," areas where wireless transmitters allow Internet access over the air.
The results, Poole says, scare him.
After nearly two years of monitoring the same 23-mile route, Poole has watched the number of hot spots boom, as the technology known as WiFi has become the latest Big Internet Thing. Setting up a home or business wireless network gives people freedom to jump onto the Internet without their computers being tethered to cables.
WiFi, short for wireless fidelity, is becoming so popular that increasing numbers of airports, coffee houses, bars and other retailers offer public hot spots to attract laptop-toting customers who want to sit and surf.
But most of those networks are unprotected, vulnerable to hackers who could steal data, introduce viruses, launch spam or attack other computers. Even as the number of wireless networks has risen dramatically, Poole's surveys suggest that the rough percentage of them that are unprotected remains above 60 percent.
Poole's findings mirror those of other experts, who say that WiFi vulnerability is now one of the most serious threats to computer security.
In their darkest visions, consultants can imagine someone with a WiFi-enabled laptop walking through an airport launching a destructive computer virus at every other unprotected laptop in the vicinity, because users who tap into a vulnerable network are just as exposed as its host.
Hackers could also use WiFi access to anonymously launch attacks at the broader Internet, also threatening non-WiFi users.
WiFi speaks to the Internet's powerful allure of an always-on, connected world where it is possible to share things that might normally cost money. But like other popular applications, such as software for trading digital music over the Internet, WiFi is bumping into the hard realities of economics and security.
Although no calamitous hacking event via wireless has occurred, security professionals say it is only a matter of time.
Last year, 3.1 million U.S. households had wireless networks, according to the market-research firm IDC. IDC expects the number to double this year.
Gartner Inc. estimates that the number of public hot spots worldwide will increase to 150,000 by 2005 from 20,000 last year. Gartner estimates that there will be 75 million users of hot spots by 2008.
National estimates of vulnerable hot spots are hard to come by. Like Poole, many computer hobbyists and hackers engage in "war driving" to find open access points, and compile and compare their data at conventions. An Internet-organized war-drive week last fall found 24,958 access points, with only 6,970 using an encryption system to protect them from outside use.
"We've been lucky, but you can't rely on luck in the future," said Edward Skoudis, a security specialist with International Network Services in Santa Clara, Calif.
Skoudis, Poole and others say that some of the blame for lax security rests with users. WiFi equipment comes with an encryption system known as WEP, for Wired Equivalent Privacy.
But entering the required encryption codes can be confusing, time-consuming and can lead to connected systems not functioning properly with each other. Many users ignore the feature, or give up after trying to activate it.
"You want the access, the freedom, the mobility and you say, 'I don't have to think about security until I have a problem,' " Poole said.
Poole, Skoudis and others argue that WiFi software and hardware makers have focused on making WiFi ubiquitous, glossing over anything that might slow down its growth.
"Manufacturers don't want to support it," Skoudis said of computer security. "It's more complex and it means more help calls."
Thus, he said, makers of WiFi equipment set their products to come out of the box with encryption turned off by default.
Matthew Tanase, president of Qaddisin LLC, a St. Louis-based network security firm, said WiFi makers push security hard with business customers, who pay for the services. But for consumers, Tanase said, "it's left up to the end user to worry about security, and that's a sad state of affairs."
California-based Linksys Groups Inc., a leading WiFi equipment maker, says it takes security seriously but does not want to force encryption on users.
"We're not going to do security by default because it adds an extra step and a little bit of complexity to the start-up process," said marketing director Michael Wagner.
Although some operators of public hot spots charge for the service, they too want maximum use with minimum hassle.
A spokesman for T-Mobile, which operates the WiFi network for Starbucks Coffee shops, said the company does not use encryption. But he said T-Mobile encourages individuals to use other forms of protection, such as firewall software.
Poole, 39, said his foray into war-driving began in part because one night he caught a teenager in a car outside his house, piggybacking on the wireless network he had recently set up.
For the first few months in late 2000 and early 2001, Poole said he left the laptop on in his car continuously.
"It got crazy after awhile, and I just stopped doing it," he said, because he simply had a mound of data but was not doing anything with it.
But he could not kick the bug completely.
"It's like plane spotting, or train spotting," he said. "You do it because it's there."
On Dec. 1, 2001, he recorded 62 access spots from 2 p.m. to 3 p.m. Only six were using encryption.
On July 7 of this year, he found 221 along his route about the same time of day. But Poole thinks that number is low because many people turn off their networks when they are not using them.
Of the 221, 86 were protected.
Security experts acknowledge that current WiFi encryption technology is still highly vulnerable to hackers.
"It's broken; it has holes and flaws," Skoudis said of WEP technology. "It's kind of like a Band-Aid, but better to have a Band-Aid than a big gaping hole."
Users can also require passwords for access to their networks.
Several companies and code-writing organizations are working on new encryption technology. And although most WiFi-enabled laptops begin searching for and connecting to wireless access points as soon as they are turned on, some new models provide security warnings. Experts, though, worry that it may take a while for improvements to cycle through product lines, and for consumers to upgrade their equipment.
Poole said the greatest danger is the anonymity enjoyed by users who piggyback on WiFi networks. As a result, hackers can operate with little fear of being traced.
"It's like hanging a cable out your window for anyone to use," he said.
*******************************
USA Today
Efforts to put government info online could backfire
Posted 7/27/2003 11:15 PM
JEFFERSON CITY, Mo. (AP) Jean Leonatti has just 20 paper copies left of the "Missouri Guide for Seniors," a catalog of available financial aid, health care and other services.
It's among the most popular publications available from the Central Missouri Area Agency on Aging, which Leonatti heads. Owners tend to keep their copies close at hand.
Because of budget cuts, however, the state has halted its annual 50,000-copy printing of the 92-page book. When Leonatti's supply runs out, she'll have to send seniors to the Internet.
Across the nation, cash-strapped government agencies are putting more and more materials online, not necessarily to make the information more accessible, but to save money.
Leonatti's office saved $35,000 by halting the seniors guide in paper, while Missouri tourism officials saved upward of $50,000 by placing their monthly newsletter exclusively online.
Kansas saved about $15,000 by nearly halving the number of budget books it prints, instead posting the documents on the Internet and distributing them on computer disks. The state's telephone directory is no longer printed, at a savings of $45,000.
In Michigan, the Legislature expects to save about $33,000 by not printing or by trimming copies of daily session calendars, journals and legislation.
"It's an easy thing to look at what you're paying for paper and printing and say, 'Geez, if we eliminated paper, you can see the cost savings,'" said Frank Romano, a professor of digital publishing at the Rochester Institute of Technology in Rochester, N.Y. "On the Internet, theoretically it's free."
And theoretically, information is more accessible, Romano said, because people don't have to drive or wait for the mail.
But Leonatti worries that government information is becoming less usable for people who need it the most.
In the case of Missouri's seniors guide, "I seriously doubt anyone is going to sit there and look at all 92 pages on the Internet," Leonatti said. "It's not something you can have in your hand and carry with you when you go to a doctor's office."
Guila Wells keeps a copy in a basket by the recliner in her family room. She's concerned about the change.
"I'll have to hold onto that book," said Wells, 84, of Jefferson City. Otherwise, "it's less available to me, because I'm not into computers. I don't have one."
A June survey by the Pew Internet and American Life Project found that 62% of adults had access to the Internet at work, home or elsewhere. But just 18% of people age 65 and older are online, and just 35% of those in households making less than $20,000.
That adds an interesting twist for governments looking to place more materials on the Internet, because many social programs are aimed at the poor, disabled and elderly.
"More and more government information is being put online, and yet there is still a sizable portion of the U.S. population that lacks access to the Internet or the skills to use it," said Andy Carvin, an expert on Internet access at the Benton Foundation.
Officials at the Missouri Department of Health and Senior Services agonized over that fact when deciding the future of the seniors guide.
"But in tough budget times, you have to make decisions like that," department spokeswoman Nanci Gonder said.
The move toward the Internet has not been trouble-free.
In Alabama, the Department of Industrial Relations put up billboards last fall advertising a jobs program in the state's poorest region. The billboards listed only a Web site, not a telephone number or mailing address. But most residents there have no Internet access, and a large percentage of adults are computer illiterate.
"We took a lot of criticism on that," department spokeswoman Debbie Herbert said.
Romano, the Rochester professor, jokes that governments might have to start issuing computers to people who depend on their services, akin to government food stamps.
"Technology is a two-edged sword. On one hand, it increases access for a certain part of the population, but on the other hand, it decreases access for another part," said Romano, who served on a 1992 committee that created an electronic version of the Congressional Record, the daily chronicle of congressional proceedings.
The Congressional Record is now published in about half the quantity as a decade ago, said Bruce James, U.S. public printer. The Government Printing Office, which James directs, has seen a sharp decline in printings by various agencies as more documents go online.
About 10 years ago, for example, the office had about 35,000 daily subscribers to the Federal Register, the inch-thick book that includes newly proposed government rules and regulations. Today, it has fewer than 2,000 but gets about 4 million Internet requests each month, James said.
Unlike the recent Internet surge in some states, the federal government's move to the Internet has been going on for some time and has little to do with money, James said.
"So much of what government prints is for research purposes, statistical in nature, and is easier to use electronically," James said. "That's what's driving the trend."
Nonetheless, the reduction in paper worries Mike MacLaren, executive director of the Michigan Press Association.
Paper provides a permanent record not impaired by changing technology. And some online publications may be inaccessible even to people who have the Internet because they don't have the right software or powerful enough machines.
"Government's supposed to be for everybody, not only those people who have computers," MacLaren said. "People's access to government is supposed to be as unfettered as possible."
*******************************
Australian IT
Japan cancels hacking contest
Correspondents in Tokyo
JULY 28, 2003
JAPAN canceled a national computer-hacking contest scheduled for next month after the government came under fire as encouraging cybercrime, a government official said.
The Economy, Trade and Industry Ministry had planned the August 11-12 contest as a way of fostering computer expertise among high school and vocational college students. Teams of up to three students would have tried to hack into opponents' computer systems, while protecting their own.
But after receiving a flood of angry phone calls and mail, the ministry decided to scrap the "Security Koshien" - a reference to the stadium where national high school baseball tournaments are held - ministry spokesman Takashi Kume said.
The ministry had said the contest was devised in response to growing concerns over computer security. Although the computers would have used Windows 2000 software, competitors could have drawn on other operating systems, such as Linux.
Under Japanese law, computer users convicted of hacking into computer systems or downloading files without authorisation face up to one year in prison or a fine of 500,000 yen ($US4200).
*******************************
Associated Press
Russian Computer Hacker Gets 4-Year Term
Sat Jul 26, 6:57 PM ET
NEWARK, N.J. - A Russian computer hacker was sentenced to four years in federal prison for running a fraud and extortion ring that victimized dozens of financial institutions and Internet service providers.
Aleksey V. Ivanov was arrested with an accomplice after being lured to the United States by the FBI in 2000. An indictment accused them of hacking into U.S. banks and e-commerce sites, and then demanding money for not publicizing the break-ins.
Ivanov, 23, of Chelyabinsk, Russia, was sentenced Thursday by U.S. District Judge Alvin W. Thompson in Hartford, Conn., following an investigation by federal prosecutors in Hartford, Newark, Seattle, Los Angeles and Sacramento, Calif.
Ivanov pleaded guilty before Thompson in August 2002 to conspiracy, computer hacking, computer fraud, credit card fraud, wire fraud and extortion.
His cohort, Vasiliy Gorshkov, was convicted of similar charges in Seattle and was sentenced to three years in prison.
Thompson determined that Ivanov cost victims about $25 million and supervised a criminal enterprise that engaged in numerous acts of fraud and extortion by manipulating computer data and financial information, the Newark U.S. Attorney's Office said.
The ring had dozens of victims from late 1999 through August 2000, said Assistant U.S. Attorney Scott S. Christie, of the Newark office.
He said victims included Speakeasy, an Internet service provider in Seattle; VPM Internet Services, another Internet service provider, in Folsom, Calif.; Online Information Bureau, a financial transaction clearinghouse in Vernon, Conn.; Sterling Microsystems, a computer hardware and Internet service company in Anaheim, Calif.; Goodnews Internet Service, an Internet service provider in Cincinnati; and Nara Bank, of Los Angeles.
The New Jersey fraud involved Ivanov hacking into the computer system of Financial Services Inc. of Glen Rock, a Web hosting and electronic banking processing company on March 22, 2000.
He stole 11 passwords that FSI employees used and a file with about 3,500 credit card numbers. An unidentified cohort then threatened that the hackers would release the credit card numbers and damage the FSI computer system unless FSI paid $6,000. After negotiations, FSI wired $5,000 in April and May 2000 to a Moscow bank, prosecutors said.
That November, the FBI tricked Ivanov and Gorshkov into traveling to Seattle by posing as potential customers from a mock company called Invita Computer Security. Undercover agents asked the pair for a hacking demonstration, then arrested them.
On the Net: U.S. Attorney's Office in Newark:
http://www.njusao.org/break.html
*******************************
New York Times
July 28, 2003
Out of the U.S. and Out of Luck to Download Music Legally
By BOB TEDESCHI
Online music-selling services have far fewer restrictions than the industry's early offerings, but they do not necessarily travel well.
That became evident on Friday, after an Apple iTunes customer posted a complaint on the Web log of Declan McCullagh, who covers technology for CNet's News.com, and the discussion list of David J. Farber, a business and technology professor at the University of Pennsylvania.
The posting, from Shawn Yeager, a technology consultant in Toronto, related Mr. Yeager's problems gaining access to songs he had downloaded from the iTunes online music store before he moved to Canada from the United States.
Mr. Yeager said in an interview that after complaining to Apple, he received automated e-mail responses implying that international licensing rights were to blame for his troubles.
An Apple spokeswoman, Lara Vacante, said on Friday that Mr. Yeager's disappearing music files were not the result of Apple's policies, but a systems error, though she and Mr. Yeager disagreed on whose end. "Once you download a song, it's yours," Ms. Vacante said.
But she said that consumers who do not have a credit card with a United States billing address cannot download iTunes, because Apple has rights to sell over 200,000 songs in its database only in this country.
Mr. Yeager said the problem was resolved to his satisfaction, but "this points to some core problems" with how online companies restrict the use of the music they sell.
His posting resulted in much discussion in online news groups and inquiries to other online music services about their international sales policies.
Before a song can be distributed online, the labels must first clear two sets of copyrights: those for the sound recordings and those for the songwriter's publishing rights. American music labels have in many cases licensed those rights overseas to different companies, agreements that sometimes must be negotiated one artist at a time to regain international digital rights. And since copyright laws in other nations can vary from those in the United States, those discussions also must often take place country by country.
"It's a big task," said John Jones, the vice president for programming and label relations at MusicNet, which provides a digital download subscription service to America Online. Mr. Jones said his company was reviewing how much work would be involved in setting up an international version of the service before it sets a rollout schedule. "International rights are extremely important for the development of MusicNet," Mr. Jones said.
No wonder customers of the online music services may encounter trouble with their accounts if they travel abroad.
Lisa Amore, a spokeswoman for RealNetworks, which distributes Listen.com's Rhapsody music subscription service, said it was available only in this country.
If a Rhapsody customer was traveling in Rome, for example, and tried to log onto his subscription, the rights-management software "would know that I'm out of the country," she said, "and I wouldn't have the rights to get into the service." RealNetworks uses geographic location software to determine the user's country of origin.
Because a large portion of the American music industry's revenue comes from abroad, where free file-swapping services are flourishing, American executives sense a growing urgency to create legitimate online paid music services overseas.
"We're concentrating a lot of attention on this," said Chris Gorog, chief executive of the online music company Roxio, which plans to revive Napster as a paid music download service this year, "and we hope to be overseas within 12 months of our launch."
*******************************
Federal Computer Week
Stanford professor slams e-voting
BY Dibya Sarkar
July 25, 2003
Although many states and counties see touch-screen voting machines as an answer to the hanging chad controversy of the 2000 presidential election, a Stanford University professor says the systems may have flaws.
The touch-screen devices, known as direct recording electronic (DRE) machines, provide no verifiable paper trail to ensure the machines count votes correctly, said David Dill, a computer science professor.
Computer bugs or intentional tampering could change votes and shroud elections in doubt, Dill said. "This is a case where the Emperor has no clothes," he said, questioning the machine's integrity.
Dill, who established a Web site called VerifiedVoting.org to publicize the problem, said the solution is to require a "voter-verifiable audit trail," which would provide voters and officials with a paper record to validate ballot choices, in case a manual recount occurs.
Deborah Seiler, a representative for Diebold Election Systems, a subsidiary of Ohio-based Diebold Inc., said Georgia and several California counties use the company's DRE machines. She said Maryland announced a $55.6 million contract to install 11,000 machines statewide.
The DRE machine, she said, does not permit voters to overvote, which is casting ballots for multiple candidates in a race.
Local election officials subject the machines to rigorous acceptance check procedures and conduct their own logic and accuracy testing before the machines are deployed, she said. They also incorporate encryption to secure the voting data. Printers can be attached so voters can check their choices and poll workers can also keep final tallies.
But Dill said federal and state certification standards are weak, and, he said, there should be independent security audits of the machines. The public is kept in the dark about such security measures, he added.
Glenn Newkirk, president and cofounder of InfoSENTRY Services Inc., an information technology consulting and project management company, said DRE machines are still in the minority for nationwide use, and there is no evidence of problems.
He said voting equipment testing will eventually be the responsibility of the National Institute of Standards and Technology. In the meantime, states could pass laws requiring the chief state election officials to "prepare and maintain an industry-standard, information systems security management plan for every vote tabulation system in the state," he said.
*******************************
Federal Computer Week
New guidance for incident reporting
BY Diane Frank
July 25, 2003
The Bush administration will soon give agencies specific directions on how to report information security problems to the Federal Computer Incident Response Center.
The guidance, due within six weeks, will ensure that FedCirc is receiving the information it needs to best track, analyze and, if possible, prevent incidents that occur across agencies, said Sallie McDonald, a senior official within the Homeland Security Department's Information Analysis and Infrastructure Protection directorate.
The department's National Cyber Security Division houses the Federal Computer Incident Response Center (FedCIRC) and other national and governmentwide warnings and analysis groups that were spread around government.
"I think that's going to be a step in the right direction," McDonald said during a panel on July 25 at the GovSec 2003 conference in Washington, D.C.
State governments are also concerned about having a centralized view of security information, said Chris Dixon, issues coordinator for The National Association of State Chief Information Officers.
NASCIO is still working on technology and policies for its Interstate Information Sharing and Analysis Center, which will collect data from states across the country. The ISAC has support despite the incredibly tight budgets at the state level, Dixon said.
Because senior administrators within government now understand the importance of security, states do not seem to be cutting back on it as budgets are slashed to cover shortfalls, Dixon said. However, states are also unable to expand their programs the way they planned, he added.
*******************************
Federal Computer Week
Broadband needs states' help
BY Dibya Sarkar
July 25, 2003
States should do more to encourage broadband deployment, said a high-tech lobbying group.
Despite their fiscal quandaries, state governments should develop strategies and provide financial incentives to promote the installation of high-speed Internet lines, said the Technology Network, or TechNet, a group of more than 200 high-tech and biotechnology executives. The organization recently released a report on beneficial state policies and roadblocks toward high-speed Internet access.
TechNet's report argues that states and municipalities hinder broadband installations by imposing costly fees and time-consuming processes on private companies seeking to install wires. TechNet wants states to adopt policies that standardize and speed up permissions and limit access fees charged by municipalities.
The report also said states should encourage municipalities to install high-speed networks in areas, mostly rural, where it's not profitable for private companies to build. Wireless capabilities were also discussed as ways to get high-speed access in some regions.
Broadband speeds of 1.5 to 2 megabits/sec aren't fast enough, said Rick White, a former congressman and now president and CEO for the tech lobbyist group. Instead, he wants 100 million U.S. homes and small businesses to have 100 megabits/sec connections at affordable prices by 2010.
"That's the sort of thing that would transform our backbone and lets us do the things that we want to do," White said.
Broadband is also vital for economic development, said Robert Filka, chief operating officer of the Michigan Broadband Development Authority, a new state agency designed to expand high-speed telecommunications services. Michigan topped TechNet's ranking of the top 25 states for broadband deployment.
States should have benchmarks to compare their broadband development to other states and countries, said Jeffrey Campbell, Cisco Systems Inc.'s director of technology and communications policy. But only a few states have conducted a thorough assessment of their existing infrastructure, according to the TechNet report.
Campbell said states can encourage broadband in ways other than providing money. Those methods won't spur private use but could make government operations more efficient and improve productivity through online services and faster, broader information sharing, Campbell said.
*******************************
Government Executive
July 24, 2003
Defense Department lacks data on cyberterror threat
By William New, National Journal's Technology Daily
More research is needed on how to protect the Defense Department's communications systems from cyberterrorism, the department's top information security official said on Thursday.
"One gap that needs to be filled immediately is the need to do more research in this area," Robert Lentz, director of information assurance at Defense, told the House Armed Services Terrorism, Unconventional Threats and Capabilities Subcommittee. Lentz added that the defense community has held an "aggressive series of working groups" on cyber security in the past year.
But the General Accounting Office highlighted persistent weaknesses across the federal government. "Our most recent analyses of audit and evaluation reports for the 24 major departments and agencies continued to highlight significant information security weaknesses that place a broad array of federal operations and assets at risk of fraud, misuse and disruption," said Robert Dacey, director of the GAO information technology team.
Dacey said GAO found that Defense still lacks mechanisms to assess its compliance with information security standards.
"Without a Defense-wide information assurance policy and implemented practices, the Defense Department's networks may be vulnerable to anyone who has a computer, the knowledge and the willpower to launch cyber attacks," said Subcommittee Chairman Jim Saxton, R-N.J. And subcommittee ranking Democrat Martin Meehan of Massachusetts added, "Many [Defense] systems remain redundant, outdated and inefficient."
Members of the subcommittee raised questions about whether the proposed cut of $2 billion from the information technology component of the House Defense authorization bill would impact the department's ability to protect communications systems.
Eugene Spafford, a Purdue University professor and information assurance expert, cited the risks inherent in Defense using so much commercial technology. He said that any adversary could buy such technology and that it may not be sufficiently robust to withstand attacks. Spafford also said the high number of patches required to keep commercial software ahead of attackers is "unacceptable for us to be in a high state of [military] readiness."
Panelists debated how to address the potential problem that increasing numbers of software developers do not have security clearance or are foreign. Scott Charney, chief security strategist at Microsoft, said the level of risk depends on the development process, not who is doing the work. There must be quality assurance around the software code, he said.
Dacey said GAO is studying the issue.
Lentz said his office has daily contact with the Homeland Security Department entities that have longstanding close relations with Defense, such as the National Communications System and the National Infrastructure Protection Center (NIPC). Defense now is placing officials within the NIPC, he said.
Lentz said Defense and Homeland Security are discussing ways to coordinate cybersecurity research and development.
Subcommittee members asked about terrorist camps that teach computer hacking, but Lentz said he would have to answer privately. Spafford said bulletin boards and discussion lists teach cyberterrorism techniques to anyone. "We have perhaps a virtual worldwide training camp," he said.
*******************************
Computerworld
High-tech voting system can be hacked, scientists say
One researcher said the software is so full of errors, it should be rewritten
By Andy Sullivan, Reuters
JULY 25, 2003
Software flaws in a high-tech voting system could allow vandals to tamper with election results in several U.S. states, computer security researchers said yesterday.
Interest in electronic voting systems has grown since the 2000 presidential election, when problems with primitive punch-card systems in Florida led to a bruising, weeks-long recount battle that was ultimately settled by the Supreme Court.
But researchers at Johns Hopkins University in Baltimore and Rice University in Houston said they had uncovered bugs in a Diebold Inc. voting system that could allow voters and poll workers to cast multiple ballots, switch others' votes or shut down an election early.
"It's unfortunate to find flaws in a system as potentially important as this one," Tadayoshi Kohno, a graduate student at the Johns Hopkins Information Security Institute, said in a telephone interview.
The researchers found the software on a Diebold Internet site in January and said they believe it was at the heart of an electronic touch-screen voting system used last year in Maryland, Georgia, Kansas and California.
A spokesman for North Canton, Ohio-based Diebold didn't return several telephone calls seeking comment.
While researchers said they didn't know for sure whether the software had been used in voting situations, they said comments and copyright notices in the code indicated that it was legitimate. "I have no proof that this is what's running in their systems, but I would bet it's pretty close," said Avi Rubin, technical director of the Information Security Institute.
Rubin, Kohno, Johns Hopkins graduate student Adam Stubblefield and Rice University computer science professor Dan Wallach said they have uncovered several flaws in the system.
Encryption of sensitive data is spotty, they said, allowing outsiders to reach into the system and change election tallies. A lack of oversight in the development process could also allow programmers to create secret "back doors" for tampering, they said.
Though the system relies on credit-card-style smart cards for authentication, voters could easily create their own bogus cards to cast multiple ballots or to administer larger changes by posing as poll workers, they said.
While such bugs are common in commercial software used to run desktop computers and Web sites, voting systems should be held to a higher standard, the researchers said. They suggested that Diebold should open up the system for public scrutiny to uncover other flaws, or at least design a paper trail to guard against electronic tampering.
Rubin said the software was so full of errors that it would have to be rewritten completely. Even then, he said, computers and voting shouldn't mix.
"I am against electronic voting because I think voting is too important and computers are too difficult to secure," he said.
*******************************
New York Times
July 28, 2003
Diverging Estimates of the Costs of Spam
By SAUL HANSELL
BLOOMINGTON, Ind., July 27 - When Indiana University installed its new e-mail system in 2000, it spent $1.2 million on a network of nine computers to process mail for 115,000 students, faculty members and researchers at its main campus here and at satellite facilities throughout the state. It had expected the system to last at least through 2004, but the volume of mail is growing so fast, the university will need to buy more computers this year instead, at a cost of $300,000.
Why? Mainly, the rising volume of spam, which accounts for nearly 45 percent of the three million e-mail messages the university receives each day.
Unwanted commercial e-mail, or spam, has become the bane of the Internet because it is so cheap and easy to send that all sorts of companies and individuals do so, prodigiously. Spammers these days pay as little as 0.025 cent to send an e-mail message. The computing costs for the recipients, or their Internet providers, to process each message are similarly tiny. But with billions of spam messages sent each day, all these fractions of cents start to add up to real money. Even greater are the costs of trying to block spam, catch spammers and undo the damage they cause to recipients.
Gauging the cost of tiny bits of computer power and the value of many moments of wasted time, multiplied by millions of e-mail users, leads to big, if inevitably imprecise, numbers. One company, Ferris Research, says the cost is $10 billion in the United States this year. The Radicati Group estimates the worldwide cost at $20.5 billion.
Another firm, Nucleus Research, shoots higher. By its reckoning, the economic cost is $874 a year for every office worker with an e-mail account, which multiplied by 100 million such workers amounts to about $87 billion for the United States.
"Spam is one of those areas where we see a severe impact on productivity," said Rebecca Wettemann, research director of Nucleus. "The average worker receives 13.3 spam messages a day, which takes six and a half minutes to process. Do the math and that comes to 1.4 percent of their productive time."
Not everyone thinks the sky is falling. Peter S. Fader, a marketing professor at the Wharton School who has studied e-mail, says the research firms' estimates vastly overstate the actual cost of spam.
"I am deeply skeptical that these crude top-down methods are accurate," he said. "Hitting the delete key is far more efficient than carrying your physical mail from the mailbox over to the trash can."
He also argues that the computers and networks that are being installed to deal with spam will be a powerful resource for processing legitimate e-mail, once spam filters and economic Darwinism tame the spam epidemic.
"Spam, although it is a bad thing per se, is fostering the growth of the e-mail infrastructure," he said.
But few involved in actually building that infrastructure take as broad a view as Dr. Fader. At Indiana University, Brian D. Voss, the associate vice president for telecommunications, can cite many costs of spam beyond the computers and network needed to deliver it.
First, he says, is the cost of building a system to filter out spam for users who do not wish to receive it. The university is building a filter for a new $50,000 server, and it does not know yet how many of these it will need for its entire network. The task requires not only programmers but also lawyers, as the state university has to be sensitive to the First Amendment rights of the spammers.
His staff also spends time (and time is money) dealing with the spam filters of other companies and universities when they reject mail from Indiana University because one of its users is thought, rightly or wrongly, to be a spammer.
"The most serious cost of spam," Mr. Voss said, "is also the hardest to figure out: the loss of productivity."
Using himself as an example of an active e-mail user, Mr. Voss estimated that 60 of the 100 messages he gets a day are spam. Most come overnight, because the spammers find response rates highest in the morning. So when he checks his e-mail first thing in the morning, he is rapidly tapping his delete key.
"Recently came a message with the subject line, 'Here is your activation code,' " he said. "In my morning haze, before the coffee sunk in, I assumed it was spam." In fact, it was the password for his new BlackBerry pager. It took three weeks for him to figure out what had happened and to request another.
Deleting spam has become like exercising: a dreary chore for many, and a passionate activity for a few.
"Every single day, two or three times a day, I'm erasing multiple messages that I have to spend at least a few seconds glancing at to make sure it's not something I need," said Brian Basham, a commercial and residential real estate broker in downtown Denver.
"I would say I'm the kind of guy who is worth $100 to $200 an hour," he said with a snort. "By the end of the year, who knows how many hours I spent looking at this stupid stuff to figure out what's junk?"
For big companies, the challenges are much the same, but on a large scale. Companies like Brightmail, MailFrontier and Sendmail offer spam filtering software that often costs $2 to $15 a user annually.
In total, corporations will spend $120 million this year on antispam systems, Ferris Research said. (Or $635 million, if one would rather listen to Radicati.)
At Nortel Networks, the cost of the spam filters is negligible, said Chris Lewis, its security architect, but the real economic burden is the 10 to 15 percent of the spam that still gets through. Employees still receive 5,000 to 10,000 spam messages a day, and Mr. Lewis has calculated that each costs the company about $1 in lost productivity.
Most messages take only 5 to 10 seconds for the user to delete, he estimates. But "some messages use subjects that are quite good at making you read them," Mr. Lewis said. "Then there are people who get really upset and are put off work for an hour or half a day."
Even worse, from a time-wasting standpoint, is when a top executive is upset or mad about spam. When top executives become angry, after all, they expect someone to do something. "If someone in senior management gets spammed," Mr. Lewis said, "it could take 20 or 30 hours of everyone's time, up and down the chain."
Despite the huge volume, conveying spam is a tiny fraction of the cost of running the Internet. Since the spammers pay for Internet access based on the total network capacity they use, they have an incentive to keep each message small. Network operators say the amount of traffic devoted to e-mail is far less than that for displaying Web pages or, especially, for the swapping of music.
Yet for one of the largest Internet backbone carriers, MCI, the spam explosion has more indirect costs. MCI receives a half-million complaints a month that its network is being used to transmit spam, in violation of its policy. It has what it calls an abuse desk that investigates complaints and disconnects violators.
Indeed, the biggest single cost to the company is unpaid bills from the spammers it evicts.
"Spammers know they are going to be kicked off, so they won't pay their first few months' bill," said Craig Silliman, the legal director for MCI's network and facilities operation. "By the time you catch them, they turn into a net loss."
At America Online, which manages more than 90 million e-mail accounts, the cost of delivering the spam to users is far less than that of dealing with the problems it leaves in its wake. AOL has developed methods to winnow the processing and storage demands of spam. If a spammer sends one million AOL members a message offering, say, coral calcium, the company can spot it as spam and store a single copy for viewing by as many of the intended recipients as want to read it.
America Online now simply discards nearly 80 percent of the 2.5 billion e-mail messages sent a day to addresses at AOL.com because they have been flagged as spam. While that requires processing, AOL does not have to bother storing them or consuming network time to distribute them to users.
AOL's filters have become so stringent that it has actually reduced the volume of e-mail it has delivered so far this year, compared with a 70 percent increase last year, according to Joe Barrett, senior vice president for systems operations.
But that stringency has its own costs: complaints from people who say their e-mail is being blocked unfairly. AOL now has 18 people in its postmaster department, who set the spam filters and take the calls from aggrieved mailers.
At the same time, AOL may well derive competitive benefits from spam, now that spam filters are among the features most promoted by Internet service providers.
A cost that is hard to measure is the losses from e-mail users defrauded by spammers. One rapidly growing category of e-mail fraud is what is known as phishing, in which e-mail messages purporting to be from a big company ask for credit card and bank information. When credit card numbers are stolen, account holders face the time and bother of putting things right, though most banks do not hold them responsible for losses. But if the spammer buys computer equipment from a Web site with a stolen number, the seller suffers a loss, perhaps never knowing it was an indirect victim of spam.
Another rapidly growing, if hard to measure, cost of spam results from what are known as false positives: legitimate e-mail messages blocked by spam filters.
In fact, there is a new job description at many companies that are voluminous e-mailers: I.S.P. relations, for those whose job it is to remove their employers' addresses from Internet service providers' blacklists.
False positives are a particular concern for the Web auctioneer eBay, on whose site sellers and buyers often exchange several e-mail messages before completing a transaction. "We hear from bidders that they tried to contact sellers, and the sellers say they never heard from them, and it turns out they are both right because of spam filters," said Rob Chestnut, eBay's vice president for trust and safety.
False positives have become so extensive that the research firms, which have spent so much time assessing the cost of spam and the need for spam filters, now have a new research topic. "We have a report coming out in the next two weeks," said David Ferris, who runs the research company bearing his name. "We think companies lose $3 billion dealing with false positives."
*******************************
MSNBC
Doggedly pursuing downloaders
Grandma gets a subpoena
ASSOCIATED PRESS
WASHINGTON, July 27 - Parents, roommates, even grandparents are being targeted in the music industry's new campaign to track computer users who share songs over the Internet, bringing the threat of expensive lawsuits to more than college kids.
"WITHIN FIVE MINUTES, if I can get hold of her, this will come to an end," said Gordon Pate of Dana Point, Calif., when told by The Associated Press that a federal subpoena had been issued over his daughter's music downloads. The subpoena required the family's Internet provider to hand over Pate's name and address to lawyers for the recording industry.
Pate, 67, confirmed that his 23-year-old daughter, Leah Pate, had installed file-sharing software using an account cited on the subpoena. But he said his daughter would stop immediately and the family didn't know using such software could result in a stern warning, expensive lawsuit or even criminal prosecution.
"There's no way either us or our daughter would do anything we knew to be illegal," Pate said, promising to remove the software quickly. "I don't think anybody knew this was illegal, just a way to get some music."
The president of the Recording Industry Association of America, the trade group for the largest music labels, warned that lawyers will pursue downloaders regardless of personal circumstances because it would deter other Internet users.
"The idea really is not to be selective, to let people know that if they're offering a substantial number of files for others to copy, they are at risk," Cary Sherman said. "It doesn't matter who they are."
Over the coming months this may be the Internet's equivalent of shock and awe, the stunning discovery by music fans across America that copyright lawyers can pierce the presumed anonymity of file-sharing, even for computer users hiding behind clever nicknames such as "hottdude0587" or "bluemonkey13."
In Charleston, W.Va., college student Amy Boggs said she quickly deleted more than 1,400 music files on her computer after the AP told her she was the target of another subpoena. Boggs said she sometimes downloaded dozens of songs on any given day, including ones by Fleetwood Mac, Blondie, Incubus and Busta Rhymes.
Since Boggs used her roommates' Internet account, the roommates' name and address were being turned over to music industry lawyers.
"This scares me so bad I never want to download anything again," said Boggs, who turned 22 on Thursday. "I never thought this would happen. There are millions of people out there doing this."
In homes where parents or grandparents may not closely monitor the family's Internet use, the news could be especially surprising. A defendant's liability can depend on their age and whether anyone else knew about the music downloads.
Bob Barnes, a 50-year-old grandfather in Fresno, Calif., and the target of another subpoena, acknowledged sharing "several hundred" music files. He said he used the Internet to download hard-to-find recordings of European artists because he was unsatisfied with modern American artists and grew tired of buying CDs without the chance to listen to them first.
"If you don't like it, you can't take it back," said Barnes, who runs a small video production company with his wife from their three-bedroom home. "You have all your little blonde, blue-eyed clones. There's no originality."
Citing on its subpoenas the numeric Internet addresses of music downloaders, the RIAA has said it can only track users by comparing those addresses against subscriber records held by Internet providers. But the AP used those addresses and other details culled from subpoenas and was able to identify and locate some Internet users who are among the music industry's earliest targets.
Pate was wavering whether to call the RIAA to negotiate a settlement. "Should I call a lawyer?" he wondered.
The RIAA's president wasn't sure what advice to offer because he never imagined downloaders could be identified by name until Internet providers turned over subscriber records.
"It's not a scenario we had truthfully envisaged," Sherman said. "If somebody wants to settle before a lawsuit is filed it would be fine to call us, but it's really not clear how we're going to perceive this."
The RIAA has issued at least 911 subpoenas so far, according to court records. Lawyers have said they expect to file at least several hundred lawsuits within eight weeks, and copyright laws allow for damages of $750 to $150,000 for each song.
The AP tracked targets of subpoenas to neighborhoods in Boston; Chicago; St. Louis; San Francisco; New York and Ann Arbor, Mich.
Outside legal experts urged the music industry to carefully select targets for its earliest lawsuits. Several lawyers said they were doubtful the RIAA ultimately will choose to sue computer users like the Pate family.
"If they end up picking on individuals who are perceived to be grandmothers or junior high students who have only downloaded in isolated incidents, they run the risk of a backlash," said Christopher Caldwell, a lawyer in Los Angeles who works with major studios and the Motion Picture Association of America.
The recording industry said Pate's daughter was offering songs by Billy Idol, Missy Elliot, Duran Duran, Def Leppard and other artists. Pate said that he never personally downloaded music and that he so zealously respects copyrights that he doesn't videotape movies off cable television channels.
Barnes, who used the Napster service until the music industry shut it down, said he rarely uses file-sharing software these days unless his grandson visits. The RIAA found songs on his computer by Marvin Gaye, Savage Garden, Berlin, the Eagles, Dire Straits and others.
Barnes expressed some concern about a possible lawsuit but was confident that "more likely they will probably come out with a cease and desist order" to stop him sharing music files on the Internet.
"I think they're trying to scare people," Barnes said.
*******************************