Clips August 7, 2003
- To: "Lillie Coney":;, Gene Spafford <spaf@xxxxxxxxxxxxxxxxx>;, John White <white@xxxxxxxxxx>;, Jeff Grove <jeff_grove@xxxxxxx>;, goodman@xxxxxxxxxxxxx;, David Farber <dave@xxxxxxxxxx>;, glee@xxxxxxxxxxxxx;, Andrew Grosso<Agrosso@xxxxxxxxxxxxxxxx>;, ver@xxxxxxxxx;, lillie.coney@xxxxxxx;, v_gold@xxxxxxx;, harsha@xxxxxxx;, KathrynKL@xxxxxxx;, computer_security_day@xxxxxxx;, waspray@xxxxxxxxxxx;, BDean@xxxxxxx;, mguitonxlt@xxxxxxxxxxx;
- Subject: Clips August 7, 2003
- From: Lillie Coney <lillie.coney@xxxxxxx>
- Date: Thu, 07 Aug 2003 12:18:24 -0400
Clips August 7, 2003
ARTICLES
Oyez! The Supreme Court, Now on MP3
Ticketmaster privacy policy slammed
The Internet Security Demon That Won't Die
Wireless network attacks get a public airing
NIST manufacturing partnership adopts IM app
Navy to draft Linux-powered Macs
*******************************
New York Times
August 7, 2003
Oyez! The Supreme Court, Now on MP3
By JEFFREY SELINGO
THE United States Supreme Court is known as one of the least public of all government institutions. Cameras remain off-limits in the courtroom and official audio recordings are usually released months after the justices hear a case.
Despite calls for the court to follow Congress's example in allowing cameras to broadcast its proceedings, the ban is unlikely to be lifted anytime soon. Indeed, Justice David Souter told a congressional committee in 1996 that "the day you see a camera come into our courtroom, it's going to roll over my dead body."
But that hasn't stopped Jerry Goldman from trying to give more people access to the court's proceedings. Mr. Goldman, a professor of political science at Northwestern University, is taking the original audio recordings of the Supreme Court and turning them into MP3 files for free distribution on the Web (www.oyez.org).
"The human voice contains so much more information than a transcript," Mr. Goldman said. "The anger, the humor, the irony, the frustration, make this a real emotive listening experience."
Mr. Goldman created Oyez in 1994 in an effort to share details about the justices and their cases. (The name, pronounced OH-yay, is from the Middle English "Oyez, oyez, oyez" - "Hear ye, hear ye, hear ye" - called out each time the justices enter the courtroom.) Until recently, he said, the court's own Web site had little information useful to students and researchers.
With the help of undergraduate assistants and audio technicians, Mr. Goldman started converting the original reel-to-reel tapes of the Supreme Court proceedings stored in the National Archives to streaming audio on his Web site. In June, he began releasing some of the cases in MP3 format to allow greater sharing among the public and scholars.
So far Mr. Goldman has converted about 2,000 hours of the tapes into digital form, about one-third of what the Supreme Court has recorded since it started taping oral arguments in 1955. The current Oyez catalog includes every case from 1994 through 2002, and dozens of landmark cases from before that, including Roe v. Wade, the 1973 decision that legalized abortion, and Miranda v. Arizona, the 1966 decision that required police officers making an arrest to inform the suspect of his rights before interrogating him.
The final catalog, which Mr. Goldman hopes to complete by 2007, will include nearly everything the court has recorded, including the rare occasions the justices have spoken from the bench when handing down opinions. For instance, in a 1996 ruling that the Virginia Military Institute's males-only admissions policy was unconstitutional, Mr. Goldman said, Justice Ruth Bader Ginsburg spoke from the bench "in a memorable speech to the American people, although only a few hundred people were probably in the courtroom that day to actually hear it."
Oyez is popular among law professors and others who teach constitutional law and civil rights. Many of them assign students the audio files that correspond with the cases they cover in class, and the recent move to MP3 files will allow them to edit or excerpt the oral arguments as needed. "It's more exciting for the students in that they get to hear what's going on," said Timothy R. Johnson, an assistant professor of political science at the University of Minnesota. "Students of today like multimedia. It's a way to trick them into being entertained."
John Q. Barrett, a professor at St. John's University law school, said the audio files available on Oyez could help the public better understand what to many is a mysterious institution. "Most Americans don't read Supreme Court opinions," Mr. Barrett said. "They read news reports and know little about the justices. The tapes are as good as we're going to get until the court decides to let cameras in."
Eventually, Mr. Goldman hopes to provide transcripts of the audio files that will identify the speakers and add time codes that will enable users to search for specific passages or justices. But for now, he is focused on trying to improve the poor quality of the original reel-to-reel recordings. "Making an audio record of their proceedings seems to be a pretty low priority for the Supreme Court," he said.
Even in the mid-1990's, the audio "was terrible," Mr. Goldman said, because the court reduced the speed of the tape in an effort to use less of it. "I've been advocating that they use digital audio equipment," Mr. Goldman added, "but the way the Supreme Court moves, it's going to be a long time before they part with using reel-to-reel."
*******************************
Washington Post
Ticketmaster privacy policy slammed
By Paul Festa
Staff Writer, CNET News.com
August 6, 2003, 3:20 PM PT
People buying tickets online through Ticketmaster may be surprised to find themselves receiving spam as an encore.
The ticket service, which holds a lock on advance ticket sales for most major entertainment events, is taking heat from consumers for a privacy policy that does not let online ticket buyers opt out of receiving e-mail pitches from an event's producers and other businesses associated with it.
That, Ticketmaster critics say, means that the company has made receiving spam part of the price of admission.
"I have only bought a single ticket from Ticketmaster, many years ago," wrote one customer on an online discussion board devoted to the privacy policy. "Since that purchase, I have received tons of 'targeted' e-mail personalized with my full name, the city, etc. ... For now, I do everything I can to avoid ticket purchases from Ticketmaster (and have been successful)."
The Ticketmaster privacy policy under fire states that customers may "opt out" of getting e-mail from Ticketmaster itself, but cannot refuse to share their personal information with "event partners"--defined as "the venues, promoters, artists, teams, leagues and other third parties associated with that concert, game or other event."
"We cannot offer you a separate opportunity to opt-out, or not to consent, to our sharing of your personal information with them," reads the policy. "Event Partners may use your personal information in accordance with their own privacy policies, and may consequently use your personal information to contact you and may share your personal information with others. You will need to contact those Event Partners who contact you to instruct them directly regarding your preferences for the use of your personal information by them."
Ticketmaster did not return calls. But in a statement provided to Ed Foster's Gripelog, which hosts a discussion about the policy, the company's chief privacy officer said Ticketmaster had no choice but to share the information it collected with businesses associated with the events.
Event partners "have both the desire and the need to receive information about the consumers who purchase tickets for their entertainment offerings," Ticketmaster's Kerry Samovar said in a statement. "Our clients, for whom we sell tickets, use the information to help fulfill the ticket orders and may use it to contact the consumer. Please remember that we are the legal 'agent' of these parties; we are selling tickets on their behalf. They are completely separate companies, and how they use the information is based on their respective policies."
Samovar recommended that people unhappy with the privacy policy use "more traditional" ticket sales venues, such as Ticketmaster's brick-and-mortar outlets.
One spam opponent said that although she didn't like the policy, she accepted Ticketmaster's defense that it was acting on behalf of its clients.
"If you purchase the tickets directly from the team, promoter, etc., they'd have all your personal information as well," Laura Atkins, president of the SpamCon Foundation, wrote in an e-mail exchange. "Ticketmaster could act as a privacy barrier, and not pass along so much identifying information, but they're not. I suspect that the promoters, etc., don't want that. They want the information of their visitors."
Based in West Hollywood, Calif., Ticketmaster is a unit of InterActiveCorp. The company says that last year it sold 95 million tickets, worth more than $4 billion, through venues including the Web site, more than 3,500 retail outlets, and 19 call centers. Other Web sites that use Ticketmaster include Microsoft's MSN portal, despite prior legal squabbles between the two companies over links to Ticketmaster from Microsoft pages.
*******************************
News Factor - AP Wire
The Internet Security Demon That Won't Die
Wed Aug 6, 2:05 PM ET
Vincent Ryan, www.NewsFactor.com
By some accounts, it has been a bad year for Internet security so far: The number of incidents reported in the first half of 2003 climbed to 76,404 -- just a little shy of the 82,094 reported for the entire year of 2002, according to the CERT Coordination Center of the Software Engineering Institute at Carnegie Mellon University. On top of those bleak statistics, Microsoft's Trustworthy Computing Initiative is coming off like a joke. And hackers are making mincemeat out of all types of software and hardware.
Despite all the publicity surrounding alerts and product defects, the Internet seems as vulnerable as ever. Why does it continue to be plagued by security threats and breaches? And what can be done to keep its integrity intact? Security experts chalk up the Internet's weaknesses to several factors, but they all agree that private industry will have to be the prime mover behind any changes.
New Is Old
For the most part, the vulnerabilities and attacks occurring on the Internet have become familiar types of disturbances, Brian King, Internet security analyst at CERT, told NewsFactor. "The activity we see is not new or groundbreaking," he said. Buffer overflows, for example, have been known about for 20 or 30 years, he said. The problem is that computer scientists are not taught how to write secure code, and vendors do not take the time to insert the extra code to accomplish tasks like verifying user input, a step that would stop an attack like a buffer overflow.
Improving Internet security is centering on getting vendors and administrators to pay more attention to it, King said. Vendors need to do things like turn off services by default, and administrators have to track best practices in protecting against a particular class of attack. And "vendors need to release software in a more secure state than a feature-rich state," he added.
The level at which Internet security really matters is at the desktop, King said. Backbone providers, concerned with speed and performance in passing packets, will not use applications like port filtering, for example. So the responsibility falls to small ISPs or the home user.
"Internet security is also about teaching people that there is a lot more to security than buying a cable modem router with a firewall built into it," King said. It includes keeping operating systems up to date with patches and running current versions of antivirus software.
Not a Priority
Software flaws dominate the headlines when it comes to security attacks and threats. The Windows buffer-overflow vulnerability, for example, is causing widespread nail-biting, and Internet Security Systems (ISS) raised its Internet security alert level a notch last week to "increased vigilance."
The flaw affects about 80 percent of the desktops, laptops and servers on the Internet, compared with about 5 percent for the Slammer worm, said Peter Allor, manager of X-Force threat intelligence services at ISS.
Overall, software and protocol defects are not the greatest threat to Internet security, though. The No. 1 problem is still the failure of enterprises and individuals to secure their environments, Allor said. "A lot of people [say], 'if we close these ports, we wouldn't have an issue' -- but the ports shouldn't be open in the first place," Allor pointed out. "There are a lot of things [enterprises] can do at the perimeter of their networks to make themselves less vulnerable."
Despite the media hype, the attention on delivery of services in IT departments means that closing openings or updating vulnerabilities is not at the top of the priority list, Allor said. Moreover, many security products are reactive -- an antivirus product does not protect against a virus until it is written and discovered, for example. But security-solutions vendors need to move to a methodology of detecting attacks and product imperfections before there is widespread knowledge that they exist, Allor said.
Government Rumblings
What is the U.S. government doing to batten down the hatches of the Internet? In February, it issued the National Strategy to Protect Cyberspace report, which drew some criticism for its lack of "nuts and bolts" recommendations. But the report established a clear strategy for attacking the problem and also set in motion a new division at the department of Homeland Security, Larry Clinton, chief operating officer at the Internet Security Alliance (ISA), told NewsFactor.
The strategy report made it clear that the federal government's position is that Internet security requires a private-public partnership, Clinton said. "It's a very different thing than securing shipping ports or airports," he added. The report also recognized that the industry has to demonstrate a substantial amount of leadership in the effort, Clinton said. "A traditional regulatory model applied to the Internet is doomed to failure. By the time it was regulated, you'd be dealing with an Internet that was two years older," he said.
A new cybersecurity division established within the Department of Homeland Security (DHS) is organizationally on par with similar divisions devoted to physical security, Clinton said. It seeks to operate a 24x7 facility for monitoring threats and sharing information on security incidents. The cyberstrategy security report also said the government would seek to establish a private communications network for sharing information on security threats.
"I think it's important to remember that it's metaphorically 9:30 in the morning on the first day of this whole effort by the government. It's important to remember how embryonic the process is," Clinton said.
When Cisco Systems' router flaw occurred earlier this month, Clinton said the DHS team worked with the company to organize a number of information-sharing events. "I'm getting calls from senior people at the DHS asking how we can coordinate [efforts]," Clinton said. "I never got those calls from the FCC when I worked in telecom."
Finding Incentives
On the legislative side, new ideas are being floated regarding Internet security, although the US$900 million earmarked for cybersecurity last year remains largely unappropriated.
One move the federal government is making is to identify security weaknesses in its own infrastructure. Audits of the 24 largest federal agencies identified "information security weaknesses that put critical federal operations and assets in each of these agencies at risk," according to a statement by Representative Adam Putnam (R-Florida), chairman of the subcommittee on Technology, Information Policy, Intergovernmental Relations.
If the federal government demanded security standards from its suppliers, it would be using its market power to increase the security consciousness of vendors, Clinton said. Already, the Defense Department adheres to a "common criteria" purchasing mandate, which requires that it only purchase certified software products tested in government labs.
Another idea arising from the Putnam committee is to require security audits of private-sector enterprises and to have the audit results included in reports to the Securities and Exchange Commission. "That's much more problematic," Clinton noted. "It would only apply to the U.S., and it could stifle innovation."
For ISA's part, it is trying to develop market incentive programs to spur the private sector to cooperate on Internet security. The ISA has established a program with AIG Insurance, for example, to give companies that join the ISA a 15 percent discount on their cyber-insurance. And Visa is requiring retail outlets that swipe their credit cards to meet a dozen security requirements. "This is the direction we would like public policy to move in," Clinton said. "It's much more effective -- and not quite as dangerous -- as the regulatory model."
Whatever moves the government and vendors make, software and hardware flaws will always exist, as will the people exploiting those flaws. Put simply, it is just too late to go back and rebuild the infrastructure of the Internet. "We're repairing an airplane while it's in flight," Allor said.
*******************************
Government Computer News
08/06/03
Wireless network attacks get a public airing
By William Jackson
Federal grants are funding research by some very bright investigators in the computer science departments of our nation's universities to probe the vulnerabilities of wired and wireless networks.
Some of the results of that research were presented today at the Security Symposium in Washington sponsored by the USENIX Association of Berkeley, Calif.
A team from Stanford University, in one example, used a timing attack to extract a private encryption key from a server across a network. In another, researchers at the University of California at San Diego perfected denial-of-service attacks against 802.11 wireless networks.
Timing attacks are used to uncover secret information by observing the time it takes a system to respond to various queries, said David Brumley, of Stanford.
While such attacks have been used to get private keys from hardware security tokens such as smart cards, it has been believed that the variety of processes running on general purpose servers would make such attacks ineffective in that environment.
"We successfully mounted our timing attack between two machines on our campus network," Brumley said. "The attack machine and the server were in different buildings with three routers and multiple switches between them."
The work was funded by a National Science Foundation grant. Using a series of mathematical functions too complex for a layman to follow, Brumley and a partner, Dan Boneh, were able to extract an OpenSSL private key on an Apache Web server.
The process was not simple. It took about two hours and from 350,000 to 1.4 million queries to obtain the key, but that is a small fraction of the time it would take to obtain a key through a brute force attack, the criterion generally used for determining the security of an encryption scheme.
The attack can be defended against by a process known as blinding, which modifies an encryption exponent with a random number.
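The blinding defence mentioned above, shown as an added worked example (this is not code from the article or from the Stanford researchers). The toy RSA parameters, the helper names and the use of Python are all assumptions made for illustration; the construction itself is the standard one: multiply the ciphertext by a random factor r^e before the private-key exponentiation, so the value the exponentiation sees is randomized, then strip r out afterwards with r^-1.

```python
"""RSA decryption with blinding: an added example, not code from the article.

The key below is a deliberately tiny, constructed one (two ~20-bit primes) so the
example runs instantly; it offers no security and exists only to show the algebra.
"""
import secrets
from math import gcd


def make_toy_key():
    # Constructed toy primes (assumption for the example; real keys use 2048+ bits).
    p, q = 1000003, 1000033
    n = p * q
    phi = (p - 1) * (q - 1)
    e = 65537
    d = pow(e, -1, phi)          # private exponent, Python 3.8+ modular inverse
    return n, e, d


def rsa_encrypt(m, n, e):
    return pow(m, e, n)


def rsa_decrypt_plain(c, n, d):
    # Unblinded: the private exponentiation operates directly on the attacker-chosen
    # ciphertext c, which is what a remote timing attack measures against.
    return pow(c, d, n)


def random_blind(n):
    # Pick r in [2, n-1] that is invertible mod n (true for any r coprime to n).
    while True:
        r = secrets.randbelow(n - 2) + 2
        if gcd(r, n) == 1:
            return r


def blinded_operand(c, n, e, r):
    # The value the private exponentiation actually sees once blinding is applied.
    return (c * pow(r, e, n)) % n


def rsa_decrypt_blinded(c, n, e, d, r=None):
    """Return m = c^d mod n without ever exponentiating c itself.

    (c * r^e)^d = c^d * r^(ed) = m * r  (mod n), so multiplying by r^-1 gives m.
    r is drawn fresh per decryption; the optional argument exists only so a test
    can pass a fixed value.
    """
    if r is None:
        r = random_blind(n)
    c_blind = blinded_operand(c, n, e, r)
    m_blind = pow(c_blind, d, n)  # timing now depends on r, which the attacker never learns
    r_inv = pow(r, -1, n)
    return (m_blind * r_inv) % n


def demo():
    n, e, d = make_toy_key()
    m = 123456789
    c = rsa_encrypt(m, n, e)
    plain = rsa_decrypt_plain(c, n, d)
    blinded = rsa_decrypt_blinded(c, n, e, d)
    # Two blinded decryptions feed different operands to pow() but agree on m.
    op1 = blinded_operand(c, n, e, random_blind(n))
    op2 = blinded_operand(c, n, e, random_blind(n))
    return {"m": m, "plain": plain, "blinded": blinded, "operands_differ": op1 != op2}


if __name__ == "__main__":
    print(demo())
```

The cost of blinding is one extra modular exponentiation by the public exponent plus one modular inverse per private-key operation, which is why it is cheap relative to the private exponentiation itself; OpenSSL of that era exposed it as an optional flag, and the Stanford work is what pushed it to be enabled by default.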
It is easy to launch denial of service attacks against wireless networks by jamming or flooding the radio frequencies they use for communication.
But in a program funded by the Defense Advanced Research Projects Agency and the National Institute of Standards and Technology, a pair of researchers at UC San Diego exploited vulnerabilities in the 802.11 protocol itself.
John Bellardo demonstrated the process, shutting down traffic to a targeted notebook computer that was using the wireless network provided for the conference. He then interrupted traffic to most of the other notebooks in the conference room.
He blocked the traffic by spoofing deauthentication packets, which are used to break connections between a user node and a wireless access point. Once a deauthentication request has been received from an authenticated user, the access point will no longer process data from that user.
The attack can be defended against by patching access points to have them "hold" a deauthentication packet for several seconds before acting on it. If the user that supposedly requested deauthentication immediately sends data, the access point ignores the request.
"The deauthentication packet is probably the most immediate concern," in a wireless denial-of-service attack, Bellardo said. There are many other threats in wireless networking, he said, but "you have to start one hole at a time."
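The access-point mitigation described above (hold a deauthentication request for a few seconds and drop it if the client keeps sending data), modelled as an added simulation; it is not code from the article or from the UC San Diego researchers, and the class names, the 5-second hold window and the event trace are all constructed assumptions. It compares an access point that acts on deauthentication immediately with one that holds it.

```python
"""Simulated 802.11 access point with a deauthentication hold window.

Added example, not from the article. Frames are represented as plain tuples of
(kind, client, time) in a constructed trace; no real wireless traffic is involved.
"""

HOLD_SECONDS = 5.0  # assumed hold window ("several seconds" in the article)


class AccessPoint:
    def __init__(self, hold=HOLD_SECONDS):
        self.hold = hold
        self.associated = set()   # clients currently allowed to send data
        self.pending = {}         # client -> time a deauth request was received
        self.log = []

    def associate(self, client):
        self.associated.add(client)

    def on_deauth(self, client, now):
        if client not in self.associated:
            return
        if self.hold <= 0:
            # Unpatched behaviour: act on the (unauthenticated) frame at once.
            self.associated.discard(client)
            self.log.append((now, "deauth-applied", client))
        elif client not in self.pending:
            self.pending[client] = now  # hold it; decide after the window
            self.log.append((now, "deauth-held", client))

    def on_data(self, client, now):
        """Return True if the data frame is accepted."""
        if client in self.pending:
            # A station that really asked to leave would not keep transmitting,
            # so treat the earlier deauth as spoofed and discard it.
            del self.pending[client]
            self.log.append((now, "deauth-cancelled", client))
        return client in self.associated

    def tick(self, now):
        """Apply held deauths whose window has expired with no data seen."""
        expired = [c for c, t0 in self.pending.items() if now - t0 >= self.hold]
        for c in expired:
            del self.pending[c]
            self.associated.discard(c)
            self.log.append((now, "deauth-applied", c))
        return expired


def run_trace(ap, events):
    """Feed (kind, client, t) events in time order; return accepted data frames."""
    accepted = []
    for kind, client, t in events:
        ap.tick(t)
        if kind == "deauth":
            ap.on_deauth(client, t)
        elif kind == "data":
            if ap.on_data(client, t):
                accepted.append((client, t))
    return accepted


# Constructed trace: alice receives a spoofed deauth but keeps talking;
# bob sends a genuine deauth and goes quiet.
TRACE = [
    ("data", "alice", 0.5),
    ("deauth", "alice", 1.0),   # spoofed
    ("data", "alice", 1.5),
    ("deauth", "bob", 2.0),     # genuine
    ("data", "alice", 3.0),
    ("data", "alice", 9.0),     # after bob's window has expired
]


def compare():
    naive, patched = AccessPoint(hold=0), AccessPoint()
    for ap in (naive, patched):
        ap.associate("alice")
        ap.associate("bob")
    naive_ok = run_trace(naive, list(TRACE))
    patched_ok = run_trace(patched, list(TRACE))
    return {
        "naive_accepted": len(naive_ok),
        "patched_accepted": len(patched_ok),
        "naive_assoc": sorted(naive.associated),
        "patched_assoc": sorted(patched.associated),
    }


if __name__ == "__main__":
    print(compare())
```

Holding the request trades a few seconds of delay on legitimate disconnects for immunity to a single spoofed frame; an attacker who floods deauths continuously is not stopped by this, which is why the article's speaker calls it one hole at a time rather than a complete fix.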
*******************************
Government Computer News
08/06/03
NIST manufacturing partnership adopts IM app
By Vandana Sinha
A federally funded network of manufacturing and business advisers has begun using an instant messaging service to better coordinate both near-term activities and long-term strategies.
The Manufacturing Extension Partnership, a program of the National Institute for Standards and Technology, has purchased a package that included Web-based enterprise instant messaging software from Bantu Inc. of Washington and portal technology from YellowBrix Inc. of Alexandria, Va.
The software, incorporating a Java-based client accessed through a password-protected partnership Web site, has already assigned IM accounts to 113 business advisers and manufacturing specialists nationwide involved in the MEP's 360vu network, at www.360vu.net, an online resource center that helps small to midsize manufacturing companies compete.
"We'll be able to communicate with each other in real time," said Lee Bryan, a professional business adviser with the Vermont Manufacturing Extension Center, a member of the 360vu network. "One of the problems inherent in e-mail is that it is asymmetric."
Because of its Java foundation, the Bantu software runs on any operating system that can connect to an Internet browser. While it lacks the file-trading functionality of some consumer messaging systems, it allows for alerts when others log on and simultaneous multiple chats, Bryan said.
And the number of accounts is expected to grow as the technology catches on among the several-hundred network members. "It implies a definite cultural shift," Bryan said.
*******************************
CNET News.com
Navy to draft Linux-powered Macs
By Ina Fried
August 6, 2003, 5:12 PM PT
A company that specializes in running Linux on Macs said Wednesday that it has landed a deal to supply the U.S. Navy with 260 Apple Xserve servers.
Terra Soft Solutions said the machines will be used as part of a sonar imaging system that defense contractor Lockheed Martin is building for the Navy. Rather than using the Mac OS, the Apple servers will run Terra Soft's Yellow Dog Linux operating system. Terra Soft is one of a handful of Linux companies that is authorized to sell Apple gear.
"This brings to fruition two years of effort with an intense recent six months of research, coordination, prototype development and testing," Terra Soft CEO Kai Staats said in a statement.
Apple has been trying to make inroads into the federal government computer market, though presumably it would rather do so with its own operating system, not Linux. Last year, Apple submitted its operating system for a security evaluation that's required for products that federal agencies buy.
An Apple representative was not immediately available for comment.
Joe Fanto, Lockheed Martin's lead project engineer, said the Terra Soft approach "provides an optimal balance of open-source flexibility, AltiVec-enhanced performance and community support."
Terra Soft said the 260 servers that Lockheed Martin ordered will be delivered by the end of October. The company claimed it is an Apple retailer's largest-ever sale of Xserves. Apple introduced the Xserve, its first rack-mounted server, in May 2002.
*******************************