Clips July 14-15, 2003
- To: "Lillie Coney":;, Gene Spafford <spaf@xxxxxxxxxxxxxxxxx>;, John White <white@xxxxxxxxxx>;, Jeff Grove <jeff_grove@xxxxxxx>;, goodman@xxxxxxxxxxxxx;, David Farber <dave@xxxxxxxxxx>;, glee@xxxxxxxxxxxxx;, Andrew Grosso<Agrosso@xxxxxxxxxxxxxxxx>;, ver@xxxxxxxxx;, lillie.coney@xxxxxxx;, v_gold@xxxxxxx;, harsha@xxxxxxx;, KathrynKL@xxxxxxx;, computer_security_day@xxxxxxx;, waspray@xxxxxxxxxxx;, BDean@xxxxxxx;, mguitonxlt@xxxxxxxxxxx;
- Subject: Clips July 14-15, 2003
- From: Lillie Coney <lillie.coney@xxxxxxx>
- Date: Tue, 15 Jul 2003 14:02:34 -0400
Clips July 14-15, 2003
ARTICLES
Swappers sprint to cloak identities
Internet Chat Seen as Tool to Teach Theft of Credit Cards
States pass laws to protect identity
Researchers seek to safeguard privacy in anti-terrorism plan
New site is the face of DOD biometrics
System pushes emergency alerts
Studios Stage Fight Against Internet Bill
Tech Insider: Vying for VISIT
Student Hackers Settle Debit-Card Device
Clinton critics corner market on domain names
*******************************
Mercury News
July 14, 2003
Swappers sprint to cloak identities
NO WAY TO STAY HIDDEN, SOME SAY
By Dawn C. Chmielewski
The response was predictable. The major file-swapping services are rushing to shield users' identities within weeks of the recording industry announcing plans to sue individuals who trade copyrighted music online.
Blubster, an upstart service in Madrid, Spain, was the first to claim to cloak users from the prying eyes of detection software. And it certainly isn't alone. Established file-swapping services such as Morpheus and iMesh say they'll implement new software to protect users' privacy -- some as soon as next week. Others are likely to follow.
Technologists working for the entertainment industry say these services are offering users a false sense of security. That there's no way to remain anonymous when exchanging data -- otherwise, like a letter without a postal address, the digital package would never arrive.
``If you are trading files on the Internet, we will find you,'' said Mark Ishikawa, chief executive of BayTSP.com, an Internet detective agency in Campbell that does work for major film studios, record labels and software companies.
The race for anonymity is only the latest move in the ongoing technological chess match between the technologists whose software enables an estimated 57 million people worldwide to exchange songs, movies and software, and the entertainment industry that's trying to stop it.
The entertainment industry has tried flooding file-sharing networks with millions of bogus or ``spoofed'' files and is developing more aggressive countermeasures that would freeze a user's computer or scour the hard drive for pirated files, then attempt to delete them. The peer-to-peer companies responded with new versions of software to sniff out phony files and to blacklist certain computers thought to be spewing phony files or snooping.
The record industry's latest anti-piracy initiative is intended to strike fear in the hearts of those who use file-swapping services to download music. The Recording Industry Association of America said it would spend the summer gathering dossiers on individuals who trade bootlegged songs over the Internet. And it plans to file hundreds -- and possibly thousands -- of lawsuits to scare people away from peer-to-peer networks.
There's no shortage of those within the file-swapping community who dismiss the RIAA announcement as a hollow threat. But the services are nonetheless acting quickly to shield users from detection.
Blubster uses an Internet protocol that allows computer users to trade data without directly connecting to one another. ``When you send a packet, you will never know what happened with that packet,'' said Pablo Soto, the 23-year-old creator of the underlying software. ``It's like throwing a bottle into the ocean with a message that may or may not go to somewhere else.''
A Blubster user tosses out a request for a file into an ocean of computer users -- at a rate of 15,000 computers a second -- and receives minute portions of the file flowing back from many users, not one identifiable source. Its technology is attracting interest from more established file-swapping services, such as Grokster, with its 10 million users.
Morpheus next week will begin directing users to a network of public proxy servers that act as a stand-in between the computer user requesting a file and the one offering it for download, effectively cloaking their identities.
IMesh, borrowing a page from the recording industry, plans to plant decoy computers from fake locations that trade non-existent files.
``It's the virus vs. the anti-virus software. The firewall vs. the hacker,'' said Elan Oren, chief executive of iMesh in Tel Aviv, Israel. ``They're going to come with a measure, we're going to come with a counter measure. At the end of the day, it serves nobody.''
Oren and other chief executives within the peer-to-peer community realize that they're just buying time. The services continue to evolve -- as much to skirt lawsuits as to improve the speed and reliability of downloads. But such mutations are only short-term solutions.
The file-swapping sites need access to licensed music and movies -- not just bootlegs, Oren said in a telephone interview. Despite discussions with record labels dating back to Napster's heyday in 2000 and continuing today -- those licenses are not coming.
``We had meetings with Sony Music, Universal Music with Warner Music. We had meetings with Bertelsmann,'' Oren said. ``They told us we're just not going to get our music. `Shut this service down, then we will talk . . .' I'm not going to shut this service down.''
The recording industry's intransigence is so complete it has prompted the competing file-swapping services to cooperate to counter efforts to shut them down. Seven major services have formed a consortium, called Peer-to-Peer United, to begin lobbying Congress to compel the record labels and movie studios to license their content. Their initiative is expected to begin this fall.
``We think the voices of 60 million Americans need to be heard,'' said Michael Weiss, chief executive of StreamCast Networks, the corporate parent of Morpheus. ``Up until now the debate's been one-sided, with the record industry painting file-sharing software as illegal. A federal judge said it's not. They're painting their customers as pirates, when they're not. Congress needs to know the right name for their customers. They're not pirates. They're voters.''
*******************************
New York Times
July 14, 2003
Internet Chat Seen as Tool to Teach Theft of Credit Cards
By NICHOLAS THOMPSON
On Tuesday morning, one Internet chat group called #ccpower was bustling. A user there was selling credit card numbers, obtained illegally online, for 50 cents to $1 each, another was accusing other sellers of stolen credit card numbers of cheating, and yet another user wanted lessons on cracking into online sites containing credit card information.
Internet chat groups, particularly those using a format called Internet relay chat, or I.R.C., now play an important and growing role in online credit card fraud, according to a report released last week by a group of Internet security experts who form the Honeynet Project. The project sets up computer systems called honeynets that are intended to be easy to infiltrate in order to monitor and record how hackers work.
Online credit card fraud has generally been carried out by hackers operating on their own, without much organization or automation of their fraud schemes, the group says. But that appears to be changing.
Chat channels can make it possible for large groups of people to share tactics for criminal activity. The channels also allow access to programs users have placed there that automate the tasks of credit card fraud like checking a stolen card number's validity or systematically searching for Web sites that have credit card information and are vulnerable to attacks.
I.R.C. channels are online meeting grounds that any person can visit if he knows the location and has installed one of several readily available programs for using the channel. Once a part of the channel, a user can send messages to all other users of the group or to a specific user who has logged in.
Many chat channels are used for legitimate purposes and can be found through Google or other search sites.
To get onto the #ccpower group that has discussions of credit card fraud, however, a user would have to know the specific server where the channel is based in addition to the channel name. That information spreads quickly among illicit hackers who appear quite eager to assist newcomers. In fact, users give each other tips, much the way people in online gardening groups exchange advice on growing rot-resistant roses.
One user of chat channels that frequently hold discussions of credit card fraud, who identified himself in an e-mail exchange as Walter Robson from Canada, said that many members of Internet relay channels who trade techniques and software on credit card fraud do so to gain the recognition and respect of peers. Mr. Robson, who said he visited the channels only to browse, added that hackers involved with the credit card fraud know who has written the cleverest programs and that "fame is power down here."
Bill McCarty, the principal author of the Honeynet Project's report, said that these I.R.C. channels and affiliated Web sites have made engaging in online credit card fraud easier than it has ever been.
Mr. McCarty, a professor at Azusa Pacific University, said he noticed the underground chat groups when attackers used his computer to log into chat channels specializing in credit card fraud. "We didn't go after them," he said. "They came to us."
The total amount of online credit card fraud last year was more than $850 million, according to Celent Communications, a Boston consulting firm.
Dan Clements, chief executive of a credit card fraud prevention organization called CardCops, said that the most professional and dangerous thieves stay out of chat groups. But Avivah Litan, a vice president at Gartner Research, estimates that about half of online fraud derives from chat channels and other underground Internet-based communication methods.
The Federal Bureau of Investigation now has several undercover operations in place to detect and disrupt credit card fraud originating from Internet chat channels, said Bill Murray, a spokesman for the agency.
But tracking users of these groups can be difficult. Many are based in foreign countries and almost all conceal their names and locations, in part by connecting to the chat channels through remote, unrelated computers they have hacked into -- a fairly easy tactic for even moderately experienced computer programmers. To complicate detection further, the servers on which #ccpower is based are registered in Azerbaijan. (The person who registered the servers did not respond to an e-mail message.)
Users of underground chat channels frequently shift locations when they suspect that they are being monitored by government authorities or if the owners of the servers being used shut down the channels. But new channels can spring up overnight, even as security experts attack the problem with more fervor.
"People around the community come from all over the world," Mr. Robson wrote in an e-mail message. "Many are looking for other people to provide things they can't find or get in their countries. When a spot is closed, another gets opened and everybody just moves out."
*******************************
USA Today
States pass laws to protect identity
By Sandra Block, USA TODAY
State lawmakers, alarmed by high-profile identity-theft scams, are adopting measures that could become models for a federal law protecting victims from the nation's fastest-growing crime.
As many as 700,000 Americans are targeted by identity thieves every year, the Justice Department says. Advocates say the state laws address gaps in federal consumer-protection statutes. Several initiatives became effective July 1. What they do:
- Strengthen fraud alerts. A new Texas law requires lenders and creditors to take extra steps to verify a customer's identification when a fraud alert is placed on the individual's credit report.
Fraud alerts are designed to prevent criminals from opening bogus accounts in a victim's name, but lenders often ignore them, says Luke Metzger of the Texas Public Interest Research Group.
"The current system wasn't effective enough to stop thieves," he says.
The Texas law also allows victims to "freeze" their credit reports, barring lenders from issuing any credit until the freeze is lifted. In March, a hacker broke into the University of Texas' computer systems and stole Social Security numbers for more than 50,000 students, staffers and alumni.
- Help victims clear names. A new Indiana law allows identity theft victims to request a court order directing credit agencies to remove negative information.
Indiana residents are "really frustrated at how hard it is to try to get credit card companies or credit agencies to work with them on this problem," says Sen. Murray Clark, the bill's author. Concerns about identity theft in Indiana were heightened by revelations that a convicted identity thief had been hired to oversee the state's Public Employees' Retirement Fund.
Virginia, meanwhile, has created a Virginia Identity Theft Passport. Victims can use the passport, available from the state attorney general's office, to convince law enforcement officers and credit agencies that they're innocent of crimes committed in their names.
- Notify individuals of risk. California's new law requires banks, government agencies, e-commerce firms and others to notify customers if hackers target their computer systems. "The goal is to give consumers information they need to protect themselves," says Palo Alto Assembly Member Joe Simitian, co-sponsor of the bill.
Simitian, who represents Silicon Valley, says he'd prefer a nationwide law but says Californians want more protection now. The state has one of the highest rates of identity theft. Last year, hackers broke into computers containing payroll information and Social Security numbers for 265,000 state employees.
States soon could adopt even tougher laws. Provisions in the federal Fair Credit Reporting Act limiting state regulation of credit reporting agencies expire this year. Financial institutions want Congress to renew the provisions, warning that a patchwork of state laws would raise consumers' borrowing costs. The Bush administration supports renewal but also wants stronger identity theft laws and easier consumer access to credit reports.
*******************************
Seattle Times
Researchers seek to safeguard privacy in anti-terrorism plan
By Matthew Fordahl
The Associated Press
PALO ALTO, Calif. -- The Pentagon's plan to sniff out terrorists from a sea of personal data collected by the government, banks, airlines, credit-card companies and other sources has been criticized as the most sweeping invasion of privacy in history.
But Teresa Lunt thinks the much-maligned Terrorism Information Awareness (TIA) system can work without stomping on individual rights. The researcher has proposed, and the government is funding, creating a device that could watch and rein in the watchers.
Civil libertarians aren't so sure about Lunt's so-called privacy appliance, which is being developed at the famed Xerox Palo Alto Research Center under a $3.5 million, 3-1/2-year contract. Critics question whether it will work and, if it does, whether clever snoops can bypass it.
"One of my civil-liberties nightmares is that you have a system that sounds very good with a privacy appliance, but it's got some sort of a breaker switch that in an emergency is shut off," said Lee Tien, senior staff attorney at the Electronic Frontier Foundation.
Project Genisys
Lunt's appliance is being developed under Project Genisys, one branch of the Defense Advanced Research Projects Agency's wide-ranging TIA program.
The appliance would be controlled by whoever owns the data, Lunt said. With the owner's permission, government analysts would submit queries to the appliances, which would filter out identifying data such as names or credit-card numbers.
Returned results might show, for instance, how many people fit a certain profile or whether there's a trend among a group of still-unidentified people.
A number of protections would be built into each device, including an unalterable log of what information is returned and to whom. Its software would be smart enough to adjust results based on what has previously been released and whether individuals can be identified through inference.
Once questionable behavior is detected and narrowed to a small number of people, analysts could seek court orders that would allow for the identification of suspects.
The whole scheme worries privacy advocates.
"What is the standard the judge is going to be judging this on?" asked David Sobel, general counsel for the Electronic Privacy Information Center. "We're talking about someone who might have a proclivity to commit a crime that has not yet been committed. This is just something that is completely alien to our judicial system."
Lunt, a pioneer in the field of data security, privacy and intrusion detection, is critical of the debate over TIA. After all, marketing companies constantly mine personal data to drum up sales.
Still, she admits she is not fully aware of all of TIA's details and the government's plans. But as she understands it, government analysts won't be fishing through data swept into a central database.
Rather, they will create models of suspicious activities, then query privately controlled databases protected by privacy appliances to find out numbers but not identities of people matching certain traits.
"The idea was that the data sources should stay in private hands, not be sucked down into some government database," she said. "There seems to be some idea out there that that's what's happening."
Gathering useful information
Privacy appliances are based on relatively new ideas about gathering useful information out of data that have been trimmed of identifying details. It's not an easy task given that as little information as a birthdate, ZIP code and gender can identify 87 percent of all Americans.
Latanya Sweeney, a computer scientist at Carnegie Mellon University, has developed an appliance that removes identifying information from medical data before the data is submitted to investigators looking for bioterrorism outbreaks.
The device, expected to be tested in Virginia this year, focuses on events in specific ZIP codes, such as unusual patterns in hospital admissions, but removes birthdates.
Counterterrorism research is a different story, Sweeney said.
"In bioterrorism surveillance, we have the luxury that we're looking for an increasing number of unusual cases," she said. "In counterterrorism surveillance, you're looking for that unusual, single, small-scale event. There are lots of small unusual things that happen all the time, and figuring out which one is an important one is a tricky matter."
TIA has been widely criticized since it was first proposed after the Sept. 11, 2001, terrorist attacks. TIA's supporters maintain the terrorist plot could have been detected if only the government had access to enough information and synthesized it properly.
Several recent changes
But the project has been a comedy of errors, with liberals and conservatives alike uniting against it. Led by Iran-contra scandal figure John Poindexter, TIA has undergone several transformations in recent months.
After Congress demanded details, TIA changed its name from Total Information Awareness to Terrorism Information Awareness. Most information in the media is pulled from its Web site, which once listed veterinary records as a data source.
The site also sported an ominous logo complete with the Masonic symbol of an eyeball at the top of a pyramid. Meanwhile, documents describing the project and its funding have vanished from the site.
Jan Walker, a spokeswoman for the Defense Advanced Research Projects Agency, said agency officials are no longer granting interviews on the program.
Even if Lunt's project is successful, some critics question whether the government should be involved in such an activity at all.
"It's nice that they'll take some steps to try to minimize the damage, but I think there's tremendous damage being done to our privacy by the mere fact that they're putting this TIA program together," said former U.S. Rep. Bob Barr, R-Ga.
"It does serious damage to the whole structure and notion of our government, in which the government is not supposed to collect and compile dossiers on law-abiding citizens for no reason."
*******************************
Government Computer News
07/11/03
New site is the face of DOD biometrics
By Vandana Sinha
The Defense Department's Biometrics Knowledgebase System, part of whose content is restricted to .gov and .mil domains, will serve as a central government source for biometrics policy and practices.
The knowledge base, at https://www.bfc-kno.army.mil, details product testing criteria, reports, surveys, white papers, background research, glossaries, and tutorials on fingerprint, iris, voice, facial and hand geometry biometrics.
The site carries updates of evaluation teams' work cycles, from controlled environments to field tests. There also are resources for the Defense Department's massive Common Access Card rollout that could include fingerprint or iris authentication by 2004 under one of four verification scenarios.
In the works since February, the site was part of the statement of work for the DOD Biometrics Fusion Center, now based in Bridgeport, W.Va. Maj. Stephen Ferrell, the center's director, called the site a venue for the exchange of information.
"BFC leadership decided that a Web site would be the most effective means of propagating information to the government as a whole," a center spokesman said.
More than 100 users have registered, he said, and he expects 100 times that number to join each year. Although the content was not specifically designed for wireless display, the spokesman said authorized users can access the information from mobile devices.
The site's security includes firewalls, packet monitoring, domain network filters, passwords and encryption. It is certified under the DOD Information Technology Security Certification and Accreditation Process, DOD Instruction 5200.40.
*******************************
Federal Computer Week
System pushes emergency alerts
BY Brian Robinson
July 11, 2003
A new emergency alert system is using "push" communications to send warnings and messages from federal, state or local governments directly to constituents via the Internet.
The Emergency Direct Messenger System (EDMS), developed by Fine Point Technologies Inc., consists of an application that users can acquire via download or CD-ROM and a server that government administrators use to log and manage messages.
Administrators use a simple point-and-click interface to organize which messages they want to send and to whom. The server can store custom messages for re-use and can log which users have received any given message.
When an administrator sends a message out, it appears in a small pop-up window on the subscriber's system and does not depend on whether the subscriber is actively scanning for such a message, said Antonia Townsend, vice president of marketing for Fine Point Technologies.
"The administrator sets the parameters for who is to receive what message according to a list of questions that people reply to when they first log onto the system or download the application," she said.
The idea for the system came when officials in some localities decided to use the company's existing CyberTruck Direct Messenger application for their Amber Alert systems, which notify the public about abducted children.
One of the system's advantages, according to Townsend, is that a user's system does not need to be continually open to the Internet to receive a message. An applet is sent out by the system on a regular basis to check with the server to see if a message is being broadcast, and the system is open only as long as the applet needs to make that check.
Robinson is a freelance journalist based in Portland, Ore. He can be reached at hullite@xxxxxxxxxxxxxxx
*******************************
Los Angeles Times
Studios Stage Fight Against Internet Bill
By Jon Healey
July 15, 2003
The Hollywood studios are fighting a behind-the-scenes battle in Sacramento to derail a bill they say would promote online piracy -- though the bill has little to do with downloading movies.
Actually, the fight may have more to do with who's behind the legislation: the Electronic Frontier Foundation, a civil liberties and technology advocacy group that frequently opposes the studios' anti-piracy initiatives.
The measure by Assemblyman Joe Simitian (D-Palo Alto) would help Internet users maintain the anonymity they have in chat rooms and elsewhere on the Internet when sued in state court for something they said or did online.
Passed by the Assembly on June 2 and scheduled for a Senate Judiciary Committee hearing today, AB 1143 would require Internet services to notify customers of subpoenas seeking their identities and give customers 30 days to challenge the requests in court.
Because it would apply to lawsuits in state courts, the bill wouldn't affect people accused of pirating movies or other copyrighted works online. Copyright cases are heard in federal court.
Still, lobbyists for the movie, video game and retail industries argue that AB 1143 would take away one of the tools they need to ferret out Internet users who violate trade secrets, offer counterfeit goods or steal intellectual property.
The battle is the latest in a series between entertainment companies and privacy and consumer advocates. It's a near replay of the fight between the Recording Industry Assn. of America and Verizon Communications Inc. over the RIAA's use of federal court subpoenas to obtain the names of alleged music pirates who used Verizon's Internet services. Verizon released the names on a federal judge's order, but it is appealing the ruling.
For the studios' trade organization, the Motion Picture Assn. of America, the Electronic Frontier Foundation's support for AB 1143 is a main reason to work to block the bill, said Vans Stevenson, MPAA senior vice president for state legislative affairs. Alternatively, the group wants to exempt subpoenas related to intellectual property, a change the EFF says would gut the bill.
Stevenson said AB 1143 was part of the EFF's agenda "to make sure people have unfettered free access to everything on the Internet."
"It's clear that they have a legislative agenda, both defensively and offensively, to undermine the ability of the intellectual-property community to legitimately protect its work from theft."
Nonsense, said Cindy Cohn, legal director of San Francisco-based EFF. The purpose of AB 1143, she said, was to protect people from abusive "John Doe" lawsuits that aim to silence users online.
"You don't have the right to use the cover of anonymity to protect yourself" when breaking the law, Cohn said. But as it is, "the law is not giving a fair shake to those who are wrongly accused or who are accused for the purpose of shutting them up."
Simitian, whose Silicon Valley district has thrived on patents and other intellectual property, said both sides have legitimate concerns.
"I would hope that people would consider the bill based on merits, not motives, and based on consideration of the policy, not the players," he said. "I'm interested in doing good policy work. I'm not much interested in getting caught up in a spitting match between competing interest groups."
The EFF and the MPAA have been spitting at each other frequently in the last year.
They have faced off in state legislatures across the country over MPAA-sponsored bills to expand laws against the theft of services, which the EFF argued would weaken free-speech and privacy rights. They have butted heads at the Federal Communications Commission over a proposed regulation to bar retransmission of digital television broadcasts over the Internet, and in Congress over a bill to require anti-piracy technology in an array of digital devices.
The EFF is defending the distributors of a file-sharing program and the makers of DVD-copying software against copyright-infringement lawsuits brought by the MPAA. In the appeal of the Verizon case, the two groups are clashing over the ability of accused infringers to fight for their anonymity in court.
In Sacramento, AB 1143 is opposed by industries beyond the studios, the Screen Actors Guild and the Directors Guild of America. Several California-based video game companies including Electronic Arts Inc., Eidos Interactive Ltd. and Capcom USA Inc. weighed in against the bill this month, contending that it would interfere with their ability to bring cases against pirates. And Yahoo Inc., which has won several changes in the bill, said in a letter to the Senate Judiciary Committee last week that it couldn't support the bill unless more changes were made to clarify and limit the obligations of Internet services.
In a letter to Simitian, Yahoo lobbyist John Scheibel said his company expected to receive 600 subpoenas in 2003, up 50% from last year.
Yahoo, like many large Internet services, voluntarily alerts users when it receives a subpoena. Under current law, Internet services have to turn over the requested name and address within 10 days, leaving little time for a user to challenge the subpoena in court. Simitian's bill is designed to give users 30 days to challenge a subpoena.
Cohn said her office gets two to five requests for help each month from individuals or groups who want to fight a subpoena in a "John Doe" case. One such request came from four people sued in 2001 by an Arizona-based ambulance company, which accused them of making false statements about the company and said they might be in a position to reveal trade secrets on a Yahoo message board.
One of the four, who asked not to be identified, said the message board was filled with comments criticizing the company's management for causing its stock price to plummet. The company went "on a fishing expedition with subpoenas and shut people up," he said.
"If I hadn't had the EFF on my side, financially I'd be devastated," he said. The EFF's intervention protected the group's anonymity and led the company to drop the lawsuit, he said, but by that time the message board had been silenced.
The California bill was drafted for the EFF and Simitian by law students at the Samuelson Law, Technology & Public Policy Clinic at UC Berkeley. Deirdre K. Mulligan, director of the clinic, said Virginia adopted a similar statute two years ago, causing no apparent damage to the enforcement of intellectual-property rights there.
But the MPAA's Stevenson said the bill would diminish the studios' ability to protect their copyrighted works against theft, hacking and other online perils by giving violators a 30-day warning. "All we're seeking is a name, that's it," Stevenson said. "We're seeking a name behind the Internet address. We have a long history, in California and elsewhere, of protecting people's 1st Amendment rights, and we're clearly on that side."
Besides, he said, California already provides plenty of protection against frivolous or abusive lawsuits. But Mulligan noted that those penalties typically don't kick in until after someone's identity is revealed.
"That's the problem with privacy," she said. "Once it's been disclosed, you can certainly get money back, but you can't get your privacy back."
*******************************
Government Executive
July 14, 2003
Tech Insider: Vying for VISIT
By Shane Harris
sharris@xxxxxxxxxxx
The race officially is on for the government's most anticipated -- and potentially lucrative -- homeland security contract.
Officials announced last week at a briefing for technology executives that the much-anticipated US VISIT program to track every foreigner crossing American borders will begin revving up at the end of the year. For the first several months, VISIT will rely on existing government systems at ports of entry to take fingerprints and photographs of 35 million annual visitors. But by May 2004, the Homeland Security Department plans to award a contract to one company that will ensure a new system is operating at every border crossing and all air and seaports by the end of 2005.
The presumed leaders of the pack for the multi-billion-dollar VISIT contract are among the usual suspects for massive government tech projects. Teams forming now led by Lockheed Martin, Northrop Grumman and Computer Sciences Corp. are the favorites. The smaller IT and biometrics firms whose technology will make up the backbone of the project are busy sizing up the tech titans and courting the ones they think have the best shot at winning.
The big firms are in such a sweet spot because of their past experience. The ace up Lockheed's sleeve is its work integrating the Immigration and Naturalization Service's fingerprint identification system with one housed at the FBI. Northrop Grumman has built a demonstration center for new homeland security products that has attracted considerable buzz among smaller firms. And CSC is already working for Homeland Security under the successor to an INS technology services contract.
But smaller technology manufacturers may be the big winners, because even a small share of the contract could eclipse their current annual revenues. One shoo-in for VISIT has already emerged -- Identix of Minnetonka, Minn., the only company that makes mobile biometric readers that scan two fingerprints. VISIT will start out taking two fingerprints, and readers will need to be hand-carried in some cases, particularly to ships at sea so passengers can be scanned before they disembark.
Identix chief executive officer Joseph Attick has been analyzing the scope of the project, which is bigger than any border control effort the government has ever attempted. Attick estimates that there are 288 million border crossings by foreigners every year. And that's just entries. For the first time, the government also will track exits, and Attick presumes a corresponding number of crossings in that category. In total, then, VISIT will process nearly 600 million transactions every year, a number Attick calls "phenomenal."
The number of crossings only tells half the story of VISIT's giant scale. Attick says new government studies show that if processing through VISIT tacked on an extra nine seconds wait time for each person coming across the U.S. border crossing with Mexico at San Ysidro, Calif., the average queue would last for 11 hours. That number is unacceptable to both government and industry, and it confirms long-held fears that a U.S. entry-exit system could cripple cross-border traffic and have a devastating effect on international trade. Federal officials told industry representatives at last week's briefing that crossings under VISIT can add no more than one or two seconds of additional time.
Buying Time
Satellite communications companies are on a mission to change the way the military buys time on their birds.
The satellite industry wants the Defense Department to buy time in bigger chunks and through long-term contracts, more like their commercial customers. That would help Defense better manage the substantial bandwidth it purchases now in one- to two-year deals, executives say. But it would also buoy a flagging satellite industry at a time when revenues from corporate, broadcast and cable television customers are lackluster.
Defense normally uses short-term contracts to buy bandwidth during military operations, said David Helfgott, chief executive officer of satellite manager Americom Government Systems, a subsidiary of Washington-based SES Americom. Industry wants more predictability than that, Helfgott explained, and it could come from contracts that might last up to ten years. Helfgott estimates the total government market at half a billion dollars annually, with about 50 percent of that revenue coming from Defense.
The department pays for much of its satellite time out of a fund controlled by the Defense Information Systems Agency. However, several satellite executives have said that government buyers aren't aware of some purchasing alternatives -- for example, that time can be bought in some cases through the General Services Administration's supply schedules.
Now, executives are spreading the word to their customers that they need not be tied to the DISA piggy bank. In the process, they're promoting the alternative buying methods to potential new customers, such as the Homeland Security Department.
*******************************
Washington Post
Student Hackers Settle Debit-Card Device
By MARK NIESSE
The Associated Press
Tuesday, July 15, 2003; 8:34 AM
ATLANTA -- Two computer hackers admitted in a settlement Monday that they never completed a device that could cheat university campus debit card systems out of food, laundry machine use or sports tickets.
Blackboard Inc., the maker of a vending system used by 223 colleges nationwide, agreed to drop its lawsuit against Georgia Tech student Billy Hoffman and University of Alabama student Virgil Griffith.
The settlement requires the students to apologize to Blackboard and its clients, promise that they never built a transaction processing system and serve 40 hours community service. The device could purportedly manipulate the amount of money on a debit card used in the system.
"They actually didn't do a lot of the things they were claiming to do," Blackboard spokesman Michael Stanton said. "They knew full well the claims they were making were silly. They're obviously bright young guys, but a little misguided in where they were focusing their attention."
Blackboard said the settlement reaffirms that its systems are secure.
Hoffman and Griffith published information about the card reading system on a Web site, and they planned on talking at a hacker convention about manipulating university student ID cards for things like free soft drinks, laundry or access to school buildings.
But Blackboard, based in Washington, got a judge to issue an order barring them from discussing it.
Hoffman, a 22-year-old computer engineering major, said he and Griffith wanted to settle rather than fight in court. The settlement is to be filed in U.S. District Court in Atlanta on Tuesday.
In April, Hoffman claimed he broke into a Blackboard card reader at Georgia Tech because he wanted to expose security flaws in the system.
Georgia Tech asked Hoffman to sign a paper saying he wouldn't break computer rules again, and he wasn't punished further.
An attorney for Griffith and Hoffman couldn't be reached for comment.
*******************************
USA Today
Clinton critics corner market on domain names
July 14, 2003
LITTLE ROCK (AP) -- A $5 million museum is in the works as a counterweight to Bill Clinton's presidential library, but it only takes $30 to affect the Internet debate over the former president's legacy.
The Clinton Presidential Foundation, the nonprofit group in charge of building the official $160 million library and policy center, didn't get to use the obvious Web addresses ClintonLibrary.org and ClintonLibrary.com because those addresses were already taken for a $30 registration fee.
ClintonLibrary.com is being held for a $9,500 ransom. And Greg Forsythe, a 28-year-old graduate student from Huntsville, Ala., created ClintonLibrary.org to link to other anti-Clinton sites, including the site of the Counter Clinton Library group that has plans for an anti-Clinton museum.
ClintonPresidentialCenter.org was the best name left for the official library.
Foundation president Skip Rutherford says the Internet site names don't bother him, and insists the more cumbersome name is better anyway for what will be a museum, policy center and graduate school campus, as well as a library.
"You can't spend time worrying about people who hate," Rutherford said. "Clinton will always draw this kind of attention because he's the most intriguing, interesting political figure of our time."
Knowing that the buzz over Clinton's presidential legacy inspires thousands of Web surfers to visit ClintonLibrary.org, Forsythe uses the site to taunt those who want information on the real library. He tells them that their only option is to "go Greyhound ... for an authentic Arkansas experience." Below that is a photograph of Clinton smiling at pop diva Mariah Carey, who's dressed in a skin-tight, low-cut tank top.
"The photo really speaks for itself and it sums up the Clinton years," Forsythe said. "He has this wolfish grin."
Forsythe says he isn't a "hard-core Clinton hater" and is more bemused than angered by the Clinton years, but he also admires the work of the Counter-Clinton Library.
"It looks to be pretty right-wing, but it's interesting stuff," he said.
*******************************