Clips August 20, 2003
- To: "Lillie Coney":;, Gene Spafford <spaf@xxxxxxxxxxxxxxxxx>;, John White <white@xxxxxxxxxx>;, Jeff Grove <jeff_grove@xxxxxxx>;, goodman@xxxxxxxxxxxxx;, David Farber <dave@xxxxxxxxxx>;, glee@xxxxxxxxxxxxx;, Andrew Grosso<Agrosso@xxxxxxxxxxxxxxxx>;, ver@xxxxxxxxx;, lillie.coney@xxxxxxx;, v_gold@xxxxxxx;, harsha@xxxxxxx;, KathrynKL@xxxxxxx;, computer_security_day@xxxxxxx;, waspray@xxxxxxxxxxx;, BDean@xxxxxxx;, mguitonxlt@xxxxxxxxxxx;
- Subject: Clips August 20, 2003
- From: Lillie Coney <lillie.coney@xxxxxxx>
- Date: Wed, 20 Aug 2003 16:13:51 -0400
Clips August 20, 2003
Articles
'Good' worm, new bug mean double trouble
Lawmakers approve privacy bill in time to head off initiative
Govt launches net crackdown
Internet Search Companies Could Face Fight on Ads
RFID Tunes Into Supply Chains
Recording, movie industries appeal file-trading ruling
Tampa police eliminate controversial facial-recognition system
Scientist quits election software board
*******************************
CNET News.com
'Good' worm, new bug mean double trouble
By Robert Lemos
Staff Writer, CNET News.com
August 19, 2003, 1:58 PM PT
The Internet worm--called MSBlast.D, W32.Welchia or W32/Nachi--started compromising computers Monday and has overwhelmed some corporate networks with its aggressive scans for vulnerable hosts. Meanwhile, a new variant of the mass-mailing Sobig virus, called W32/SoBig.F, took off on Tuesday, swamping many companies' mail servers.
The double whammy caused problems on some corporate networks but not for the Internet at large. SoBig.F disrupted e-mail systems at the Massachusetts Institute of Technology, while the MSBlast variant, Nachi, disrupted the ticketing systems of Air Canada and the corporate networks at Lockheed Martin.
"This is local clogging as opposed to worldwide Internet clogging," said Jimmy Kuo, a research fellow at security software company Network Associates. "There are many areas of local pain."
The MSBlast variant, Nachi, infects computers using the same widespread vulnerability in Microsoft Windows that previous versions of the worm exploited. The program then downloads a patch to protect systems against future infections of the MSBlast worm. The worm's goal of patching systems resulted in some pundits labeling it a "good" worm.
While the intentions of the unknown worm writer seem to have been good, its aggressive spread has clogged many networks.
"It's faster," Kuo said. Previous versions of MSBlast tried to spread to 20 different network addresses at a time but had to wait for each attempt to fail, if no computer was at that address. The Nachi variant tries to spread to 300 different addresses at a time and doesn't wait, letting it spread very fast.
Lockheed Martin and Air Canada were among the many companies that suddenly found their networks inundated with data, as the Nachi worm searched for vulnerable hosts to infect.
Although the worm infected less than one percent of the company's 110,000 desktops, Lockheed Martin had some disruptions, said Elaine Hinsdale, director of communications for the company.
"Lockheed Martin, like many others around, has had to deal with this worm," she said.
Air Canada had more serious issues. The Nachi virus disrupted the airline's reservation center, forcing the carrier to delay and cancel flights.
"As a result of the virus, the impact of which is not limited to Air Canada, a number of the airline's computer systems are affected, including its reservations and airport check-in systems," the company said in a statement it released Tuesday. "While the airline's on-time performance has been good up to (11 a.m. PDT), in addition to longer wait times customers should expect some flight delays and cancellations for the remainder of the day."
SoBig, so far
The latest version of the SoBig mass-mailing computer virus also caused headaches for network administrators. E-mail service provider MessageLabs stopped more than 100,000 messages carrying the latest virus in the first few hours of the attack.
"It is definitely a quick spread," said Brian Czarny, marketing director of MessageLabs.
Administrators at MIT had to deal with blocking the avalanche of copies of the SoBig.F worm.
"It is just causing long delays," said Jeffrey Schiller, manager of the university's network. Because so many messages had hit MIT's e-mail gateways, the computers had long queues of messages waiting to be processed by the antivirus filters. Combined with the effort of stomping out Nachi, the administrators had their hands full, Schiller said.
"There is a special section of hell reserved for the guys that write these things," Schiller said.
Rick Stratton, president of Web software company 1871 Media, said the virus hit his business and his clients' Web sites hard, because many sites had public e-mail addresses posted on their pages.
"Before I turned (the transmission of those e-mails) off, I probably got about 200 in an hour," he said. "The Web mail interface can't even process the volume."
The SoBig.F virus spreads by harvesting e-mail addresses from Web pages and from the address book of an infected computer. It sends a copy of itself to those addresses in an e-mail message with a subject line such as "Your Details," "Re: Approved," or "Thank you!" The virus also spreads by copying itself to shared network hard drives that are accessible to the infected computer.
Stratton said he doesn't think his company or his clients were infected with the virus, but the amount of e-mail generated by SoBig.F caused enough of a headache.
"Once I figured it out, I was fine. But I found our customers were getting killed with the number of e-mails created," he said.
The SoBig variant isn't all that different from previous versions of the worm. The family of viruses is thought to have been created so that spammers can use victims' computers to send bulk e-mails anonymously. Compromised systems connect to an Internet server specified by the virus and download a Trojan horse, Kuo said.
While the mass-mailing virus hasn't changed much, people still open the attachment and infect their computers, he said.
"The education is slow," Kuo said. "We would have figured that this mechanism should have died out a year ago, but people still do click on e-mail attachments."
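The fan-out described above, a host trying hundreds of addresses at once instead of twenty, is the kind of behaviour a network team can spot in flow logs. The detector below is an added example, not code from the article or from any company it quotes; the log format, the constructed sample records and the threshold are assumptions.

```python
"""Flag hosts whose outbound fan-out looks like a Nachi-style scanner.

Added example (assumed log format): each flow record is one line of the form
"<ISO timestamp> <src_ip> -> <dst_ip>". The detector keeps a sliding time
window per source address, counts the distinct destinations inside it and
reports any source whose peak exceeds a threshold. A normal workstation
talks to a few servers; a host that fires at 300 addresses at once without
waiting for replies stands out immediately.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta


def parse_flow(line):
    """Split one constructed flow record into (timestamp, src, dst)."""
    ts_str, src, _arrow, dst = line.split()
    return datetime.fromisoformat(ts_str), src, dst


def find_scanners(lines, window_seconds=1.0, threshold=100):
    """Return {src: peak distinct destinations} for sources that, within any
    window of window_seconds, contacted at least `threshold` distinct hosts."""
    events = sorted(parse_flow(line) for line in lines)
    recent = defaultdict(deque)   # src -> deque of (timestamp, dst) inside the window
    peak = defaultdict(int)       # src -> highest distinct-destination count seen
    for ts, src, dst in events:
        q = recent[src]
        q.append((ts, dst))
        # Drop records that have fallen out of the sliding window.
        while (ts - q[0][0]).total_seconds() > window_seconds:
            q.popleft()
        distinct = len({d for _, d in q})
        if distinct > peak[src]:
            peak[src] = distinct
    return {src: n for src, n in peak.items() if n >= threshold}


def build_sample():
    """Constructed flow records: one ordinary workstation and one host that
    contacts 300 distinct addresses within a single second."""
    base = datetime(2003, 8, 18, 9, 0, 0)
    lines = []
    # Ordinary workstation: six connections to three servers over a minute.
    normal_dsts = ["10.0.1.10", "10.0.1.20", "10.0.1.10",
                   "10.0.1.30", "10.0.1.20", "10.0.1.10"]
    for i, dst in enumerate(normal_dsts):
        ts = base + timedelta(seconds=10 * i)
        lines.append(f"{ts.isoformat()} 10.0.0.7 -> {dst}")
    # Scanning host: 300 distinct addresses, one every 3 ms.
    for i in range(300):
        ts = base + timedelta(milliseconds=3 * i)
        dst = f"10.0.{2 + i // 250}.{1 + i % 250}"
        lines.append(f"{ts.isoformat()} 10.0.0.5 -> {dst}")
    return lines


if __name__ == "__main__":
    for src, n in find_scanners(build_sample()).items():
        print(f"{src}: {n} distinct destinations within one second")
```

Tune the window and threshold to the segment being watched; a mail relay or a vulnerability scanner of your own will legitimately exceed a low threshold and belongs on an allow-list.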
*******************************
USA Today
Lawmakers approve privacy bill in time to head off initiative
08/19/03
SACRAMENTO (AP) With a tougher ballot proposal waiting in the wings, lawmakers on Tuesday sent Gov. Gray Davis a long-stalled bill that supporters said would create the nation's toughest financial records privacy law.
"It was a long time in coming but it was worth the wait," Sen. Jackie Speier said before the Senate voted 31-6 to adopt the same version of the legislation that passed the Assembly a day earlier with unusual speed.
The bill would enable consumers, in certain instances, to block the sharing or selling of their personal information by banks, insurance companies and other financial institutions.
Davis supports the bill and will sign it, although it hasn't been decided when that signing will take place, said spokesman Russ Lopez.
"This is a good consumer bill that the governor is glad to sign," he said. "It strikes the best balance between business and consumer rights."
Speier (D-Daly City) has been trying to get the bill approved for the last four years, but earlier versions ran into heavy opposition from business groups, which spent millions to kill it.
This year the bill passed the Senate in March but seemed to die weeks later in an Assembly committee.
It was revived after supporters of the bill collected more than 600,000 voter signatures to put a stronger financial privacy initiative on California's March 2004 ballot. Initiative supporters agreed to hold off turning in the signatures to election officials if lawmakers approved Speier's bill by Wednesday.
Speier said the signature drive "gave us the roadmap" to get the bill approved.
"There has been a civil rights movement, a women's movement, a sexual revolution," she said. "Now there's a privacy revolution, not only in this state but around the country."
She said her bill was the "first salvo" in that uprising and would help Californians protect their records against identity theft.
Also spurring the bill's revival was a federal court ruling that said cities and counties could adopt their own controls on consumer information, and agreement on a series of what Speier called "fairly modest amendments" that made business groups more comfortable with the bill.
The bill would require a financial institution to get permission from a customer before sharing information, such as the customer's bank balance or spending habits, with a nonaffiliated company. That's commonly referred to as an opt-in requirement.
The bill also includes what is known as an opt-out provision, requiring the bank or other financial institution to give the consumer the opportunity to bar the company from sharing information with an affiliate that was not in the same line of business.
That means a bank, for instance, could not pass on information about a customer to an insurance company owned by the same corporation if the customer objected, or opted out.
The same opt-out requirement would apply to the sharing of customer information by two companies with a joint marketing agreement, such as a small bank that has a contract with another firm to offer its customers credit cards.
The initiative includes a tougher opt-in provision requiring companies to get permission before sharing customer information with their affiliates.
Senate president pro tem John Burton (D-San Francisco) compared Speier's struggle to enact the bill to the pain of giving birth.
"Many of us would have said, 'The heck with it. Let the initiative roll,'" he said. "But she persisted and persisted and persisted. It's much better done through the legislative process than the initiative process."
Supporters of the bill say the legislation could have a better chance than the initiative of surviving a court challenge.
The bill, SB1, is online and can be read at http://www.senate.ca.gov.
*******************************
Boston Globe
US judge will rule on Calif. recall
Groups allege flaws in punch-card ballot
By William Booth and Rene Sanchez, Washington Post, 8/19/2003
LOS ANGELES -- A federal judge said yesterday he would rule by tomorrow on whether to postpone the recall election against Governor Gray Davis of California -- a move sought by Latino and black civil rights groups here that say the use of antiquated punch-card voting machines will recreate a Florida-style electoral fiasco.
US District Judge Stephen Wilson said in court that postponing "this extraordinary election" required convincing evidence that the possible harm to some voters forced to rely on punch-card ballots outweighed the rights of all Californians to proceed with the historic recall.
A lawyer for the American Civil Liberties Union, which filed the lawsuit seeking postponement until March, argued yesterday that six urban counties in California will still be using punch-card ballots in the Oct. 7 recall election -- a method of voting that will produce a large number of invalid ballots that are unreadable or have problems such as hanging chads. The rest of California will be using newer, more accurate "touch screen" electronic voting.
The result, said ACLU lawyer Mark Rosenbaum, is that millions of voters using the punch-cards "will have no confidence that their vote will be counted."
Rosenbaum said that the "error rate" for punch-card ballots is 2 percent, meaning that tens of thousands of votes "could go straight into the garbage can."
Doug Woods, the government lawyer representing the California secretary of state, told the court that the state constitution mandates that the recall election be held on Oct. 7, which is within the 60- to 80-day window allowed after the measure was certified for the ballot.
Woods said postponing an election before it occurs would deny voters the right to cast ballots and that the ACLU was merely "speculating" regarding what will happen during the voting process.
"Nobody knows what the error rate will be," said Woods. "The only way to know is to hold the election and see if it occurs." Then the ACLU can sue if it wishes, Woods said.
This is the second federal case being heard on the recall. The other lawsuit in San Jose is over whether limiting the number of polling places and Spanish-speaking election workers violates protections under the Voting Rights Act. Several counties in California with historically low turnouts must secure "preapproval" from the Justice Department if they want to do things like condense the number of polling stations. That lawsuit will be decided by Aug. 29.
Democratic leaders around California continued to debate yesterday how best to fight the recall. More than a dozen Latino members of the state Legislature met privately in Sacramento and decided to condemn the recall but also endorse the candidacy of Lieutenant Governor Cruz M. Bustamante, the lone Democrat among the 135 candidates vying to replace Davis if voters remove the governor from office. Actor Arnold Schwarzenegger, who has rarely ventured into the public eye since he declared his candidacy nearly two weeks ago, announced that he plans to participate in candidate debates.
*******************************
Australian IT
Govt launches net crackdown
AUGUST 20, 2003
THE federal Government plans to outlaw using the internet for "offensive and menacing purposes", proposing new laws that could mean two years in prison for activities like organising or advocating violent protests through the internet.
A joint statement from Communications Minister Senator Richard Alston and Justice Minister Chris Ellison said the new laws were part of a crackdown on e-crime.
"People using the internet to advocate or facilitate violent protests, for example by spreading information on methods of violently disrupting international meetings and attacking police officers protecting such gatherings, including those using the internet to harass or menace others are amongst those who could be prosecuted under the new offences," the statement says.
Other targets would include those using the internet to encourage criminal acts.
The new laws are part of a package of legislation that will tackle other offences including child pornography and the rebirthing of mobile phones.
The legislation will also introduce "criminal penalties for placing material on the internet that would be regarded by reasonable persons as being, in all the circumstances, offensive".
However, the new laws will include specific exemptions for internet service providers and content hosts "where they do not have knowledge of the content of the material that they transmit or host".
Under current laws, it is an offence to use a telecommunications service "in a way that would be considered by a reasonable person as offensive, or with the result that another person is menaced or harassed". The proposed legislation would extend the provisions to cover the internet, which is not covered under existing legislation.
"The new offence will carry a penalty of two years imprisonment, double the punishment for an existing offence," the statement says.
*******************************
Reuters
Internet Search Companies Could Face Fight on Ads
Tue Aug 19,10:02 PM ET
SAN JOSE, Calif. (Reuters) - Some of the biggest Internet search services could be setting the stage for a legal battle with companies that object to the way these sites are using their trademarks, experts at a Web search conference said Tuesday.
Google and Overture Services Inc. (Nasdaq:OVER - news) have in recent years seen explosive growth from their "paid listings" services, in which companies pay to have their ads run when Internet users key in certain search terms.
More recently, these companies have further improved their paid-listings revenues by suggesting customers bid on other key words, or by running their ads for free with related search terms.
For example, Google or Overture might suggest to an advertiser who pays to use the term "running shoes" to also add Nike, Adidas or New Balance to their search terms, to help them get more visibility. And on Google, the advertiser who bid on the term "running shoes" -- who could be a retailer, a rival shoe maker or a discounter -- might automatically have its ad appear when a customer enters the term "Nike running shoes."
"Arguably, (Google and Overture) are facilitating one of the greatest trademark infringement schemes ever perpetrated," Jeffrey Rohrs, a strategist at digital marketing firm Optiem and former practicing intellectual property attorney, told Reuters at Jupitermedia Corp.'s Search Engine Strategies Conference.
Google and Overture both declined to comment for this article.
Web auction site Ebay Inc. (Nasdaq:EBAY - news) in recent weeks sent Google a letter in which it asked the search company not to sell third-party ads that link to search terms with Ebay's name alone, or in variations or phrases.
Some search companies have said they adhere to fair use trademark practices, noting that they are not selling trademarks but allowing advertisers to bid to use them.
According to Google's trademark policy, the company will remove ads if a trademark owner goes through Google's formal trademark complaint procedures. To that end, a search for "Ebay" on Google.com now brings up almost exclusively Ebay-sponsored sites among the top-ranked search results.
"That is a very dangerous precedent that Google set," said Rohrs, who added he would not be surprised if Google eventually changed its policy regarding who is allowed to use trademarked names.
While linking ads to the key word "Ebay" may test the fair use of a trademark, using a phrase like "Ebay alternatives" is a legitimate use, Rohrs said.
Wendy Seltzer, staff attorney for the Electronic Frontier Foundation, agreed. "Everybody needs to use other people's trademarks," Seltzer said.
While no lawsuits have yet been filed to test the laws governing the issue, conference participants said they fully expect one in the future, since Google and Overture have the deep pockets that trial lawyers target.
*******************************
Government Computer News
08/20/03
Defense homes in on new infrastructure vendors
By Dawn S. Onley
GCN Staff
By year's end, the Defense Information Systems Agency plans to award a slew of contracts to build a network-centric infrastructure that will serve Defense Department users at 90 sites around the globe.
DISA officials said they will award contracts next month for fiber-optic network services under the Global Information Grid-Bandwidth Expansion program. Meanwhile, DISA also is wrapping up tests of products at vendor sites in preparation for awarding contracts in December for GIG-BE hardware and software.
The winning vendors of what the GIG-BE team calls the fiber solutions contracts will have to establish fiber service delivery points as well as oversee network management, information and physical security, and commercial transport leases. Originally, DISA had hoped to award these contracts in midsummer [see story].
For the hardware and software portion of the project, GIG-BE program director Tony Montemarano described the current phase of the procurement as the "bake-off process."
DISA and prime contractor Science Applications International Corp. are visiting bidders to make sure that their systems can do what each vendor outlined in its proposal.
"We watch their machines perform," Montemarano said.
Based on the demonstrations, DISA will ask some of the bidders to send their hardware and software to AT&T Labs in Middletown, N.J., for two and a half months of further testing, he added.
The contracts will cover four areas: core and edge IP routers, multiservice provisioning platforms, optical transport systems and optical digital cross-connect switches.
DOD estimates it will spend $877 million to build the GIG network infrastructure.
*******************************
Computerworld
RFID Tunes Into Supply Chains
Outlook: Retailers and their suppliers are testing radio frequency identification tags, but production apps and mature software are still years off.
Emerging Technology by Carol Sliwa
AUGUST 18, 2003 ( COMPUTERWORLD ) - Everyone in the retail industry stopped and took notice when Wal-Mart Stores Inc. declared in June that it will urge its top 100 suppliers to deliver pallets and cases equipped with radio frequency identification (RFID) tags by 2005. Any directive issued by the world's largest retailer has the potential to drive sweeping adoption, and this particular one could spell major changes for supply chain management.
Wal-Mart thinks that the nascent technology, which can automatically identify a container's contents without requiring line-of-sight scanners, can help to reduce the costs associated with tracking inventory.
Given that Wal-Mart moved 2.5 billion cases through its distribution centers during one six-month period last year, it's not hard to imagine the savings that the company might realize by reducing the time and labor associated with inventory tracking.
One of the chief suppliers to the retail industry, Procter & Gamble Co., has another angle. The Cincinnati-based company estimates that 10% to 16% of its products may be out of stock at any moment. Reducing that number by even 10% or 20% could mean a revenue boost of between 1% and 3%, says Larry Kellam, director of business-to-business supply network innovation at the consumer goods maker. With over $40 billion in annual revenue, that would translate to more than $400 million in new revenue.
But neither suppliers nor retailers will realize much benefit until the technology overcomes a series of technical and engineering hurdles. For instance, the tags need to come down in price. To do that, manufacturers need orders for billions of tags, and they need to improve their manufacturing processes to support those volumes.
Tag readers also need to improve in both performance and price. In addition, the software infrastructure to handle RFID tag data must advance past the work-in-progress stage, and standards need to be established to enable different vendors' tags and readers to work together using a wide range of radio frequencies.
"It's one of the most overhyped technologies that we're talking about today," says Jeff Woods, an analyst at Stamford, Conn.-based Gartner Inc. "It's going to require a lot of creative thinking and hard work to get from vision to reality."
*******************************
Computerworld
Recording, movie industries appeal file-trading ruling
Claim P2P services make huge profit from copyright infringement
Story by Grant Gross, IDG News Service
AUGUST 20, 2003 ( IDG NEWS SERVICE ) - WASHINGTON -- Three entertainment groups have appealed an April 25 U.S. District Court ruling saying that operators of two file-sharing services aren't liable for any copyright infringement that may be happening on their networks.
Late on Aug. 18, the Recording Industry Association of America Inc. (RIAA), the Motion Picture Association of America (MPAA) and the National Music Publishers' Association Inc. filed an appeal of a Los Angeles district court judge's decision that said the operators of the Grokster and Morpheus peer-to-peer (P2P) services couldn't know when users were trading copyrighted works (see story).
As expected, the three groups have asked the U.S. Court of Appeals for the Ninth Circuit to overturn the decision by U.S. District Court Judge Stephen Wilson and hold Grokster Ltd. and StreamCast Networks Inc., the operator of Morpheus, responsible for copyright violations that happen on those P2P networks.
Wilson's decision recognized that P2P services have many legitimate uses, Michael Weiss, CEO of Franklin, Tenn.-based StreamCast Networks, said in a statement. "In our case ... the federal court recognized that you can't ban new technology just because it threatens an old distribution model," he added. "We expect to prevail, and if we do not, we will take this to the Supreme Court if we must. We also believe that the 63 million file-sharing, voting Americans will take the issues to Congress, so that the laws are passed to reflect social and economic realities."
New laws should allow for compulsory licensing similar to radio royalties, Weiss said, and he also suggested a small tax on recordable media.
The RIAA and MPAA argued in their appeal brief that the P2P services make a huge profit from copyright infringement. "Defendants reap millions of dollars in revenue from their online trading bazaars by selling advertising they display to their users while they engage in infringement," the brief said.
The judge's decision "rewrote years of well-established copyright law," Cary Sherman, president of the Washington-based RIAA, said in a statement. "It was wrong. These are businesses that were built for the exclusive reason of illegally exchanging copyrighted works, and they make money hand over fist from it."
*******************************
USA Today
Tampa police eliminate controversial facial-recognition system
Posted 8/20/2003 12:53 PM
TAMPA (AP) Tampa police have scrapped their controversial security camera system that scanned city streets for criminals, citing its failure over two years to recognize anyone wanted by authorities.
The system was intended to recognize the facial characteristics of felons, sexual predators and runaway children by matching passers-by in Ybor City with a database of 30,000 mug shots.
"It's just proven not to have any benefit to us," Capt. Bob Guidara, a department spokesman, said Tuesday. The cameras have led only to arrests for such crimes as drug deals.
Tampa was the first city in the United States to install the permanent camera surveillance system along public streets and the technology was used during the 2001 Super Bowl.
Critics welcomed the end of the program.
"It's a relief," said Darlene Williams, chairwoman of the Greater Tampa Chapter of the ACLU. "Any time you have this sort of technology on public streets, you are subjecting people who come to Ybor to an electronic police lineup, without any kind of probable cause."
*******************************
USA Today
Scientist quits election software board
08/20/03
BALTIMORE (AP) A Johns Hopkins University computer scientist who co-wrote an influential report alleging flaws in touch-screen voting software used by a leading manufacturer has resigned from the technical advisory board of a provider of competing software.
The researcher, Avi Rubin, resigned this week because "he didn't want any perception of conflict of interest," Jim Adler, chief executive of VoteHere, said Tuesday.
Rubin, technical director of Johns Hopkins' Information Security Institute, said he was returning stock options, resigning from the VoteHere board of advisors, and asking Hopkins to review his outside consulting work.
"I believe it was careless of me to engage in a study of a software system of a company in the same space as another company in which I had a financial interest," Rubin said in a statement. "Had it occurred to me at the time, I would have disassociated myself from them. I am now doing just that."
Rubin said he had never exercised the options and had not profited in any way from his affiliation with VoteHere. In fact, he said he has had no contact with VoteHere since he signed on to the board two years ago. He said he didn't talk to VoteHere about the report or review its products or software.
In the report last month, Rubin and his Hopkins associates claimed the voting system made by Diebold Election Systems could let outsiders or election officials manipulate election results. The study was billed as the first independent review of electronic voting.
Election officials in several states and some computer researchers said the study exaggerated the machines' vulnerability.
However, in Maryland, which recently reached an agreement with Diebold to provide up to $55.6 million worth of touch-screen voting terminals for 19 counties, governor Robert Ehrlich commissioned a private consultant to investigate possible security flaws in the system. Georgia governor Sonny Perdue also called for a probe into his state's $54 million system of computerized voting machines.
Shareese DeLeaver, a spokeswoman for the Maryland governor, said the news that Rubin had been a member of VoteHere's board would have no effect on the administration's investigation.
"It's best to err on the side of caution," she said. "Our study is about instilling voter confidence on election day."
Diebold officials said they were "shocked and disappointed" by Rubin's admissions.
"Diebold Election Systems has consistently questioned the conclusions drawn by the Johns Hopkins-issued report," the company said in a statement. "It is now clear, by Mr. Rubin's own admission, that questions of bias must be considered."
*******************************