
Clips September 5, 2003


ARTICLES

Record Labels to Offer Amnesty to File Sharers, With Conditions
Sydney airport computers stolen
Lawmakers: Domain name oversight too lax
Universities Rush to Protect Networks
Evans: E-gov more than automation
Feds, industry mull offshore outsourcing
FBI: Power grid not a primary terror target
Faulty Medicaid fraud databases seen costing Florida millions
IT links to blackout under scrutiny
EU privacy concerns on airline passenger data could cause rift with U.S.
The case for computerized voting


*******************************
Los Angeles Times
Record Labels to Offer Amnesty to File Sharers, With Conditions
By Jon Healey
September 5, 2003

Worried that the major record labels are about to slap you or your teenager with a lawsuit?

The labels' trade association is ready to grant music downloaders amnesty, provided they put their names, and possibly their faces, into a database.

The Recording Industry Assn. of America plans to file its first wave of copyright infringement lawsuits as early as next week against hundreds of people who share songs online. At the same time, it's expected to unveil an amnesty program for file sharers not yet targeted by suits.

To be eligible, sources said, people would have to cleanse their computers of all the tunes they downloaded without permission and destroy any CDs they burned with those songs. They'd also have to submit a notarized form to the RIAA, possibly with some official identification, pledging not to run afoul of copyright laws again.

Analyst Michael McGuire of GartnerG2, a technology research firm, said an amnesty program might appeal to parents of downloaders. But he questioned how many people would turn themselves in before they'd actually been targeted, as required by the program.

"That would just send a signal to me as a user that you're trolling for IDs," McGuire said. "That's like saying, 'Come tell us if you have any intention of becoming a revolutionary.' "

On the other hand, the widespread publicity about the RIAA's plan to sue file sharers has prompted a number of people to try to make peace with the labels before the legal papers start flying. That was a driving force behind the decision to offer amnesty, sources said.

Under the program, which was first reported by Billboard Bulletin, applying for amnesty carries a risk: Those who renege on their pledges to honor copyrights would face much more severe penalties if they were targeted in a later round of lawsuits.

Given that, the RIAA might demand a copy of a photo ID from amnesty seekers to protect people against being placed in the database fraudulently without their knowledge, a music industry source said. But McGuire said, "I'd want to know how that information is going to be protected."
*******************************
Australian IT
Sydney airport computers stolen
SEPTEMBER 05, 2003 
 
AUSTRALIA'S top security agencies are to conduct emergency damage audits following the theft of computers from Sydney Airport's intelligence centre.

Customs officials have told a Sydney newspaper the stolen computers held thousands of confidential files, including top-secret communications between customs investigators, Australian Federal Police and ASIO.

The newspaper reports two men of Pakistani-Indian-Arabic appearance presented themselves as computer technicians and were given unfettered access to the airport's top security mainframe room on August 27.

"Inside, they spent two hours disconnecting two computers, which they put on trolleys and wheeled out of the room, past the security desk, into the lift and out of the building," the newspaper reported.

"The Australian Federal Police and ASIO, the two chief guardians against terrorism, fired off angry memos to customs officials, demanding to know the extent to which their top-secret operations have been compromised."

The theft is being investigated by the AFP.

The chairman of a parliamentary inquiry into the security of government information technology said it would reopen because of a breach at Australia's biggest airport.

Liberal MP Bob Charles also demanded to know why Customs didn't tell his committee about the theft of two Customs computer servers from Sydney airport.

An angry Mr Charles asked Customs official Gail Batman why she had failed to tell a separate inquiry into aviation security about the thefts when she appeared as a witness yesterday.

"How you could appear before us and not tell us about this security breach is just beyond my comprehension," Mr Charles said.

Ms Batman said she had not wanted to damage a federal police investigation into the incident by making it public.

"We certainly don't want to compromise that (investigation)," Ms Batman said.

"The people that stole these servers are certainly ones that we want to see caught and prosecuted."

Ms Batman said the stolen servers did not contain sensitive information.

"They did not contain any personal, business-related or security information, and they are not servers that are used to communicate with law enforcement or security agencies," Ms Batman said.

Mr Charles said it was obvious computer security in the government needed to be investigated further.

"If someone can walk into a government secure environment and walk out with mainframes, then I don't know what guarantee we have of information technology security," Mr Charles said.

"I have just instructed our inquiry secretary to reopen the hearings and reopen the inquiry."

Ms Batman said security at Customs had been stepped up since the theft.
*******************************
CNET News.com
Lawmakers: Domain name oversight too lax
By Reuters
September 4, 2003, 3:01 PM PT


Spammers, scammers and child pornographers can hide easily on the Internet, because regulators allow them to register under false names with stolen credit cards, lawmakers and technology experts said Thursday.

One day after U.S. attorneys charged a Miami man with using misspelled domain names to direct Web surfers to pornography sites, lawmakers said the manner in which domain name sellers collect information about their customers is too lax.

A new law to require accurate customer data might be necessary because the U.S. Department of Commerce and other oversight bodies have not been doing their job, lawmakers on the U.S. House of Representatives intellectual-property subcommittee said.


"I'm disappointed with the failure of the marketplace and regulators to deal with this problem. A legislative solution seems necessary," California Democratic Rep. Howard Berman said.

The Commerce Department will seek to require greater accountability from the Internet Corporation for Assigned Names and Numbers, or ICANN, when it renews ICANN's authority to oversee the domain name system this fall, a Commerce Department official said.

Internet domain name sellers require customers to submit their names, addresses, telephone numbers and other contact information into what is known as a Whois database. But domain name sellers, or registrars, rarely check to ensure that this information is accurate, making it easier for child pornographers, identity thieves and other scam artists to operate online, witnesses said.

Often, it is in the registrar's interest to turn a blind eye to Whois entries to attract porn site operators, who register thousands of domain names at a time, Harvard University researcher Ben Edelman said.

"The Whois database is substantially fiction," Edelman said, noting that as much as 10 percent of the Internet's 30 million domain names may be registered under false names.

ICANN management is taking steps to tackle the problem, Commerce Department General Counsel Theodore Kassinger said.

"A lot of work needs to be done, but I think they're headed in the right direction," Kassinger said.

Subcommittee Chairman Lamar Smith did not seem convinced.

"There's not a real seriousness of intent either by ICANN or the Department of Commerce to have an accurate Whois database," the Texas Republican said.
*******************************
Washington Post
Universities Rush to Protect Networks
Area Schools Adopt Strict Policies Aimed at Getting Students to Upgrade Computer Security
By Brian Krebs
Thursday, September 4, 2003; 1:58 PM

George Mason University administrators, anxious to protect the school's computer network from a raft of viruses and worms plaguing the Internet, today unplugged thousands of students from the network.

At 1:35 p.m. today, network administrators at the Northern Virginia school cut Internet access for all 3,600 students living on campus.

The move should not have come as a surprise to GMU students. Last week, as freshmen reported for orientation, they were required to meet face-to-face with a network security expert to have their laptop or computer checked out. Upperclassmen were greeted by school officials who handed out the latest anti-virus software. To get the school's message across, all students were asked to sign a document confirming that their computers were updated with all the needed security upgrades.

Not enough students confirmed that their machines were updated, prompting the GMU action today. Administrators said they would try later today to reconnect dorms, weeding out students with infected PCs. Students living off campus can continue to dial in to the campus computer network.

George Mason is just one of many universities in the region and across the country making computer security a top priority as the fall semester gets underway.

University of Maryland residents who tried to access the school's network for the first time over the past two weeks were corralled onto a Web site to help search for and mend the security hole exploited by Blaster, a computer worm that emerged last month and infected hundreds of thousands of computers worldwide. More than 6,000 students who had yet to apply the needed patches did so, but hundreds of other students ignored the advice and were promptly booted from the university network, said Gerry Sneeringer, an IT security officer at Maryland's Office of Information Technology.

"There were a certain percentage of students that wouldn't listen to us unless we hit them upside the head with a lockout," he said. "You simply can't deal with these problems until you've got your network under control."

At the University of Virginia, some 800 new and returning student residents were knocked offline by the school's automated security "bots," programs that patrolled the network looking for infected PCs. Students were then handed CD-ROMs loaded with anti-virus toolkits and software patches and were only allowed to plug their computers into the school network after proving they had installed the needed fixes.

Spokespersons for Howard, American, Georgetown, George Washington and Catholic universities reported far fewer problems with their networks. While several of those schools were forced to disconnect some infected computers, in most cases students were asked to prove their PCs were clean before being allowed to access campus networks.

As computers have transformed the way students and teachers interact at most universities, school administrators are focused on protecting their networks. Roughly 80 percent of higher education classes employ e-mail and the Internet for some form of student instruction, according to a 2002 study of more than 640 public and private universities nationwide conducted by the Campus Computing Project.

Instructors at most universities are under tremendous pressure from administrators and students to distribute course material over the Web and through e-mail, and allow students to add and drop classes online, said Steven Worona, director of policy and networking programs at EDUCAUSE, a nonprofit that provides computer training and support for 1,900 colleges, universities, and education organizations.

Because of this dependency on the network, a lot of universities have been forced to place much tougher computer security restrictions on students.

"Schools are rapidly moving far away from the complete openness that used to exist on their networks," Worona said. "What we're seeing is most schools have a desperate need for solutions that can be applied to hundreds or thousands of computers in a very short amount of time."

At George Mason, nearly 95 percent of resident students arrived with a computer this year. As at many big schools, GMU professors are encouraged to use e-mail to update students on assignments and last-minute changes to the syllabus -- and even to administer pop quizzes and tests. Last year, instructors were free to send e-mail to an address of the student's choosing, but this semester teachers are required to communicate with their students using the school's e-mail system, so the school is taking extra steps to ensure that its computer network remains free from viruses.

Despite coordinated efforts to update students' computers, George Mason found that handing out free software to upperclassmen didn't guarantee that students could successfully install it.

Kimberly Borchert, a 19-year-old sophomore, said her computer "freaked out" as soon as she plugged it into the school's network last week. The anti-virus software she received from GMU scanned her computer and determined it had been hit with the "Welchia" worm, a so-called "good" worm that destroys Blaster but still attacks other PCs and seizes the victim's computer power and Internet connection. As of Wednesday night, her computer was still infected and thus banned from the school network.
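The "bots" that patrolled the Virginia and Maryland networks looking for infected PCs, and the Welchia infection described above, are both detectable from traffic alone. The following is an added example, not code from the article or from any of the universities it quotes: it scores hosts on a dorm subnet from flow records using the worms' documented propagation behaviour (Blaster exploits the RPC/DCOM bug on TCP/135, opens a shell on TCP/4444 and has the victim fetch its payload over TFTP on UDP/69; Welchia sweeps a subnet with ICMP echo requests before attacking TCP/135). The flow records are constructed and the fan-out thresholds are assumptions chosen for the example.

```python
"""Flag hosts whose traffic matches Blaster or Welchia propagation.

Added example, not code from the article or from any university it quotes.
Blaster: TCP/135 scanning, TCP/4444 shell, victim pulls payload over UDP/69.
Welchia: ICMP echo sweep, then TCP/135 exploitation of the same bug.
Flow records below are constructed; the thresholds are assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str  # "tcp", "udp" or "icmp"
    dport: int  # 0 for icmp


# Fan-out thresholds are assumptions: a scanner hits many distinct hosts,
# ordinary RPC or ping traffic from a workstation does not.
RPC_SCAN_FANOUT = 20
ICMP_SWEEP_FANOUT = 20


def classify_hosts(flows):
    """Return {host: (verdict, tags)} for every host that earns a tag.

    verdict is "blaster-like", "welchia-like" or "suspect"; tags lists the
    individual indicators so an analyst can see why a host was flagged.
    """
    rpc_targets = defaultdict(set)   # src -> distinct dsts on TCP/135
    icmp_targets = defaultdict(set)  # src -> distinct ICMP echo targets
    tags = defaultdict(set)
    for f in flows:
        if f.proto == "tcp" and f.dport == 135:
            rpc_targets[f.src].add(f.dst)
        elif f.proto == "icmp":
            icmp_targets[f.src].add(f.dst)
        elif f.proto == "tcp" and f.dport == 4444:
            tags[f.src].add("shell_4444")     # attacker driving the backdoor
        elif f.proto == "udp" and f.dport == 69:
            tags[f.dst].add("tftp_server")    # infected host serving the payload
            tags[f.src].add("tftp_download")  # freshly exploited victim
    for host, dsts in rpc_targets.items():
        if len(dsts) >= RPC_SCAN_FANOUT:
            tags[host].add("rpc135_scan")
    for host, dsts in icmp_targets.items():
        if len(dsts) >= ICMP_SWEEP_FANOUT:
            tags[host].add("icmp_sweep")

    result = {}
    for host, t in tags.items():
        if "rpc135_scan" in t and "icmp_sweep" in t:
            verdict = "welchia-like"
        elif "rpc135_scan" in t and t & {"shell_4444", "tftp_server"}:
            verdict = "blaster-like"
        else:
            verdict = "suspect"
        result[host] = (verdict, sorted(t))
    return result


def build_sample_flows():
    """Constructed flow records standing in for a dorm subnet's NetFlow."""
    flows = []
    # 10.20.1.15 walks the subnet on TCP/135, pops 10.20.1.40, which then
    # pulls the payload back from it over TFTP.
    flows += [Flow("10.20.1.15", f"10.20.1.{i}", "tcp", 135) for i in range(16, 61)]
    flows.append(Flow("10.20.1.15", "10.20.1.40", "tcp", 4444))
    flows.append(Flow("10.20.1.40", "10.20.1.15", "udp", 69))
    # 10.20.2.7 pings every address first, then goes after TCP/135.
    flows += [Flow("10.20.2.7", f"10.20.2.{i}", "icmp", 0) for i in range(1, 31)]
    flows += [Flow("10.20.2.7", f"10.20.2.{i}", "tcp", 135) for i in range(1, 26)]
    # 10.20.3.3 is a clean workstation: a little RPC to the domain controller,
    # some web browsing, one ping to the gateway.
    flows += [Flow("10.20.3.3", "10.20.0.5", "tcp", 135)] * 3
    flows.append(Flow("10.20.3.3", "10.20.0.80", "tcp", 80))
    flows.append(Flow("10.20.3.3", "10.20.3.1", "icmp", 0))
    return flows


if __name__ == "__main__":
    for host, (verdict, t) in sorted(classify_hosts(build_sample_flows()).items()):
        print(f"{host:12} {verdict:13} {' '.join(t)}")
```

The victim that only shows a TFTP download is reported as "suspect" rather than "blaster-like" on purpose: it has not started scanning yet, but it is the next host that will, which is exactly the case a quarantine bot wants to catch early.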

Freshman Andrew Canose was one of several GMU students who encountered problems after installing the university-provided anti-virus software. Canose found the new program conflicted with an older anti-virus program already on his computer. "My computer is like at war with itself and won't work," he said.

Schools outside of the Washington region also scrambled in recent weeks to protect their networks. Vanderbilt University in Nashville last week banned more than 1,300 students -- about one-quarter of all its residents -- from using the network until they cured their machines of Sobig and Blaster infections. The school converted administrative conference rooms into digital triage units so that campus IT experts could help incoming students disinfect and patch their computers, a university spokeswoman said.

At the University of North Texas in Denton, the school found that 4,000 of the school's 5,700 resident students reporting for the fall semester last month brought computers infected with some sort of virus. Students are being charged $30 if a university technician is called in to clean an infected machine, a school spokesman said. Students can go to off-campus experts for a fix but must certify that their computers are updated with the latest security fixes before being allowed to access the campus network.

Brown University mass-produced 8,000 CDs loaded with anti-virus software and security patches and distributed them when students picked up their dorm room keys. Still, the Providence, R.I., Ivy League school was forced to dispatch teams of security experts to residents' rooms to patch computers by hand after university officials detected more than a thousand virus-infected student PCs connecting to the university network.

"I think we really need to groom a new type of student who is responsible for their computer security," said Kathy Gillette, manager of George Mason University's beleaguered tech support center. "A lot of them lived at home and mom or dad took care of the computer so they've never learned how to fix them, but hopefully we'll be able to teach them that too."
*******************************
Federal Computer Week
Evans: E-gov more than automation
BY Judi Hasson and Sara Michael
Sep. 4, 2003

CAMBRIDGE, Md. -- In her first public comments since being named to replace e-government chief Mark Forman, Karen Evans said Thursday that e-government is not just about office automation.

In fact, she said, e-government is about providing better services to the public and using technology to make life better for citizens. It is about evaluating how a dirty bomb might impact a community or the impact an electrical blackout has as it sweeps across the Northeast, said Evans, who replaces Forman as administrator of the Office of Management and Budget's Office of E-Government and Information Technology.

"IT is the enabler. ... It's the glue that will hold all that together," Evans told the annual Interagency Resources Management Conference in Cambridge, Md.

Evans said she is being challenged to continue the track record set by Forman, the federal government's first e-gov executive who developed 24 interagency initiatives and pushed the federal government to carry out a mandate for the electronic age.

Although her experience is strictly in government, unlike Forman who came from industry, she said she intends to develop partnerships with the private sector and "reach across the table to industry."

"I do not consider myself an IT czar," Evans said. "I'm not a tyrant. ... I'm not a ruler. I'm Karen Evans, mother of two, wife of Randy. I live in West Virginia. ... I do IT."

Evans' appointment was lauded by industry and government officials. Ira Hobbs, co-chairman of the CIO Council's Workforce and Human Capital for IT Committee, said Evans and Forman have worked closely together on the Bush administration's e-government initiatives.

"Karen and Mark were almost symbiotic in their relationship," Hobbs said. "It is almost like a natural extension."

Hobbs said it is good to have Evans step into that role because it means the initiatives can maintain their momentum.

"Mark set a strong foundation, a very fast pace," he said. "That's always difficult to come behind. It's like we didn't stop the train to let Mark off, and we've got a capable engineer to keep the train moving."

Evans, who has been a management analyst at the Agriculture Department and head of the IT shop at the Office of Justice Programs, was widely seen as the frontrunner for the job ever since Forman announced his resignation last month to take a job in the private sector.

Evans is vice chairwoman of the CIO Council and takes over the post during a money crunch. Although Forman repeatedly tried to get $45 million for an e-government fund, Congress only appropriated $5 million in fiscal 2003.

The Senate has slashed the fund to $1 million for fiscal 2004, and congressional negotiators are expected to try to increase the money for crossagency e-government initiatives later this month.

But Norm Lorentz, the OMB's chief technology officer, who has been the acting e-government chief, said OMB will have to do a better job communicating with Congress exactly how much money is needed to develop the e-government initiatives.

For fiscal 2004, agencies will be asked to contribute, but he said the administration would have to work harder to get more money in fiscal 2005.

"We're not going to rest on our laurels," he said. "We're going to have to use the tools at our disposal."
*******************************
Federal Computer Week
Feds, industry mull offshore outsourcing
BY Michael Hardy
Sept. 4, 2003 

As American workers face mounting job losses and rising unemployment rates, government and industry officials are struggling with the sensitive issue of offshore outsourcing.

The issue is particularly difficult to address because no one even knows how many American companies have moved tech jobs to foreign countries where labor costs are lower, said Harris Miller, president of the Information Technology Association of America.

"I've heard estimates ranging from 10,000 to 150,000," he said after a panel discussion that ITAA hosted today in Washington, D.C.

The numbers are so widely different that "it's not even a wild guess," Miller said. "The problem is that companies aren't talking." ITAA may commission its own study to try to quantify the extent to which American companies use foreign labor, he said.

The American IT industry has weathered a succession of blows, said Bruce Mehlman, assistant secretary for technology policy at the Commerce Department. The flurry of spending that IT companies had been getting to fix Year 2000 problems withered as the year came and went. The economy began to slump; terrorists attacked the country; the Enron and WorldCom scandals shook the faith of investors; and the United States launched wars in Afghanistan and Iraq, causing more economic caution at home.

As a result, technology companies have had to consider cost-cutting measures more than ever, including foreign labor, Mehlman said. "It's a very real trend driving offshore outsourcing," he said. "There is a lot yet to be understood."

The state of Virginia is still trying to figure out what part of the $900 million it spends on IT should be outsourced, two years into Democratic Gov. Mark Warner's first term, said George Newstrom, Virginia's secretary of technology. Trying to make such decisions carefully is not easy, he said.

"Until we get our arms around it, I don't know what to outsource," he said.

Virginia is trying to discourage companies from leaving the state, especially if the jobs go out of state or to other countries, he said. The government itself should not even think about it, Newstrom added.

"I think the political climate is very adverse for government to say 'We want to outsource work offshore,'" he said. "I don't think there's a politician who could survive to the end of that sentence. We don't even want to outsource to Maryland."
*******************************
Government Computer News
FBI: Power grid not a primary terror target
By William Jackson
September 5, 2003

The FBI is concerned about cyberterror, but bombs remain a bigger danger than bytes, the agency's counterterrorism chief told a joint House Homeland Security subcommittee hearing on last month's Northeast blackout.

"We haven't seen any evidence that al-Qaida possesses any sophisticated computer capability," Larry A. Mefford said yesterday. Overall, investigators have found only "very, very basic computer functionality from terrorists around the world."

Government officials told the subcommittees on Cybersecurity, Science and R&D and on Infrastructure and Border Security that the power grid does not appear to be a primary target for terrorists.

Mefford said that when the blackout began Aug. 14, his office convened a conference call with special agents in charge of eight field offices affected by the outage. Local Joint Terrorism Task Forces, which include federal, state and local law enforcement agencies, took part and worked with industry officials.

"To date, we have not discovered any evidence that the outages were the result of activity by international or domestic terrorists or other criminal activity," Mefford said. "The FBI Cyber Division working with the Homeland Security Department has found no indication to date that the blackout was the result of a malicious computer-related intrusion or any sort of computer worm or virus attack."

He also dismissed a subsequent claim of responsibility for the blackout by an alleged terrorist organization, Abu Hafs al-Masri Brigade, as "wishful thinking. We have no information confirming the actual existence of this group."

Although the possibility of attacks on power stations and transmission grids is not being ignored, none has materialized so far, said Cofer Black, the State Department?s counterterrorism coordinator.

"We do know from intelligence collecting activities" that the goal of terrorists continues to be "large-scale attacks that do a lot of damage," Black said. "Most of the effort so far has been to kill lots of people."

Mefford said the FBI has seen no evidence that a cyberterrorism attack has ever occurred.

"Our No. 1 threat today remains al-Qaida," Mefford said. Although its targets are across the board, "we haven't seen any specific or credible threats to date" against the power grid and no specific threats to nuclear power plants.
*******************************
Government Computer News
Faulty Medicaid fraud databases seen costing Florida millions
By Wilson P. Dizard III

Faulty databases at the Florida Legal Affairs Department's Medicaid Fraud Unit have denied the state millions of dollars from fraud loss recovery, state auditors reported.

The fraud unit investigates and prosecutes corruption in Florida?s Medicaid program. The unit looked at 664 cases between July 2001 and January 2003, about a quarter of which led to convictions or settlements totaling $24.7 million, according to a report from the office of auditor general William O. Monroe.

The auditors found that "department data systems were not complete and accurate, inhibiting computation and reporting of overpayments and costs associated with investigation and prosecution," their report said.

The fraud unit uses three separate databases to track cases, employee time and case expenses associated with Medicaid abuse. An audit of 60 cases found that 28 of them, or 47 percent, were not properly recorded by the case-tracking database. Additional database errors led to a $2.4 million understatement of restitution due to the state.

In addition, the auditors found that the time tracking database had recorded only one-third of the time spent by investigators and attorneys on fraud cases. The auditors said fraud unit officials "acknowledged the inadequacies with the current systems and indicated that the department ... is in the process of redesigning the systems used to track time and other costs associated with case investigations."

The auditors called for additional review and reconciliation of the databases plus better procedures for using them.
*******************************
Computerworld
IT links to blackout under scrutiny
Investigators search system logs for evidence of sabotage

Story by Dan Verton

SEPTEMBER 05, 2003 ( COMPUTERWORLD ) - WASHINGTON -- Federal and private-sector officials this week said they still can't rule out cybersabotage or IT-based failures as the cause of the Aug. 14 blackout.

Although no clear evidence has been found to suggest that the blackout was the result of anything other than an internal technical failure, the FBI's Joint Terrorism Task Forces have been working with the U.S. Department of Homeland Security and the private sector since the blackout to search system logs of critical utility control computers for evidence of insider abuse or outside intrusions.

"All eight FBI field offices that were affected and all of the Joint Terrorism Task Forces were convened immediately on Aug. 14 to investigate the potential for terrorist involvement in the blackout," said Larry Mefford, executive assistant director for counterterrorism at the FBI, speaking yesterday at a hearing of the House Select Committee on Homeland Security.

"Our JTTFs are looking at the issue from various perspectives. One is the external threat to see if we have signs of actual sabotage. We have not yet found any evidence of that," said Mefford.

"In addition, we're very concerned about the insider threat -- somebody who would have access to critical systems from a physical standpoint, a sabotage standpoint and a computer-intrusion standpoint," Mefford said. "We have not yet seen evidence of that, but this is [a] preliminary assessment. We are reviewing the computer logs for evidence of that type of activity."

Congress has also turned up the heat on both the government and the private sector to deliver answers on whether a cybersecurity failure in one or more systems could have contributed to the blackout, especially since the power failure occurred at the height of the Blaster worm outbreak.

Government and industry experts speaking unofficially with Computerworld have linked Blaster to the severity of the blackout, since on the day of the blackout Blaster affected the communications networks used to manage the power grid. But the degree to which the hampered flow of data over those networks might have contributed to the blackout is still unclear.

According to a transcript released by the House Energy and Commerce Committee that detailed telephone calls made between FirstEnergy Corp. and the Midwest regional power grid operator only hours before the blackout was triggered, a control room operator at FirstEnergy complained that the Akron, Ohio-based company had "no clue" what was happening because of unspecified computer problems.

"Our computer is giving us fits too," the operator said. "We don't even know the status of some of the stuff around us."

Responding to accusations that his company may have triggered the cascading failure, H. Peter Burg, chairman and CEO of FirstEnergy, said yesterday at a hearing of the House Energy and Commerce Committee that events on FirstEnergy's system "in and of themselves could not account for the widespread nature of the outage."

However, Burg acknowledged that FirstEnergy did experience problems with its Energy Management System on Aug. 14. The system includes file servers, process-control servers and workstations that capture data from supervisory control and data acquisition systems, which are used to manage large industrial operations.

"We are still evaluating the functionality of that system that was available to our dispatchers during this time frame," Burg said.

Computerworld requested an interview with FirstEnergy CIO Ali Jamshidi to explain what types of problems the company's computer systems were experiencing on the day of the blackout. However, a company spokesperson said FirstEnergy wouldn't be making any IT personnel available for interviews until the investigation into what those problems were is completed.

Joseph L. Welch, chairman of International Transmission Co. in Michigan, told Congress that the systems that failed were those underlying communication.

"There are three electronic systems through which control-area operators and security coordinators communicate system status, convey warnings, etc.," said Welch. "I asked my staff and operators to determine what information was conveyed via that route. They informed me that there were no records or reports of the line outages which were so critical to this event.

"Without such information, there is no way for control-area operators or security coordinators to take actions necessary to mitigate problems, especially those events in other systems which could affect our system," Welch said.

Meanwhile, Michehl Gent, president of the North American Electric Reliability Council in Princeton, N.J., who also spoke at the Energy and Commerce hearing, said initial analysis of data taken from the system logs of the various utilities involved in the blackout shows that the IT infrastructure at various points throughout the regional grid wasn't recording critical events properly.

"Each event, which might be a relay or circuit-breaker operation or an electrical fault, is time-stamped as it occurs," said Gent. "We discovered that many of these time stamps were not accurate because the computers that recorded the information became backlogged or the clocks from which the time stamps were derived had not been calibrated to the national time standard."
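Gent's two failure modes, backlogged recorders and clocks never disciplined to a common reference, are what an investigator has to correct for before the utilities' logs can be interleaved into one sequence of events. The following is an added example, not code from the article, NERC or any utility it names: it takes a single anchor event that every recorder logged (here a fault on a tie line, whose true time is assumed to be known from a reference clock), derives each recorder's clock offset from its own stamp for that anchor, applies the offset to all of that recorder's records, and reports which recorders were off by more than a tolerance. The records are constructed.

```python
"""Merge event logs from recorders whose clocks were never synchronised.

Added example, not code from the article, NERC or any utility it names.
Every recorder logged one anchor event seen system-wide (here a fault on
a tie line) whose true time is known from a reference clock; the gap
between that reference time and each recorder's own stamp for the anchor
is the recorder's clock offset, and it is added to all of that recorder's
stamps before the logs are interleaved.  Recorders whose offset exceeds a
tolerance are reported so the analyst knows whose raw timestamps cannot
be read at face value.  All records below are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Record:
    recorder: str
    stamp: datetime  # time as the recorder's own clock wrote it
    event: str


# The anchor event and its reference time are assumptions for this example.
ANCHOR_EVENT = "fault on tie line L1"
ANCHOR_TRUE_TIME = datetime(2003, 8, 14, 15, 0, 0)


def clock_offsets(records, anchor_event, anchor_true_time):
    """Return {recorder: timedelta} to add to that recorder's stamps.

    Raises if any recorder never logged the anchor, since its clock then
    cannot be corrected and its records must not be merged blindly.
    """
    offsets = {}
    for r in records:
        if r.event == anchor_event:
            offsets[r.recorder] = anchor_true_time - r.stamp
    missing = {r.recorder for r in records} - set(offsets)
    if missing:
        raise ValueError(f"no anchor event from recorder(s) {sorted(missing)}")
    return offsets


def rebuild_timeline(records, anchor_event, anchor_true_time,
                     tolerance=timedelta(seconds=1)):
    """Return (timeline, drifted).

    timeline is a list of (true_time, recorder, event) in true-time order;
    drifted lists recorders whose clock was off by more than tolerance.
    """
    offsets = clock_offsets(records, anchor_event, anchor_true_time)
    drifted = sorted(rec for rec, off in offsets.items() if abs(off) > tolerance)
    timeline = sorted(
        ((r.stamp + offsets[r.recorder], r.recorder, r.event) for r in records),
        key=lambda row: row[0],
    )
    return timeline, drifted


def build_sample_records():
    """Constructed logs: R-A is on time, R-B runs 2 min fast, R-C 40 s slow."""
    t = datetime(2003, 8, 14, 15, 0, 0)
    s = timedelta
    return [
        Record("R-A", t, ANCHOR_EVENT),
        Record("R-A", t + s(seconds=3), "breaker open B12"),
        Record("R-A", t + s(seconds=10), "alarm overload"),
        Record("R-B", t + s(minutes=2), ANCHOR_EVENT),
        Record("R-B", t + s(minutes=2, seconds=5), "breaker open B7"),
        Record("R-C", t - s(seconds=40), ANCHOR_EVENT),
        Record("R-C", t - s(seconds=39), "relay trip R3"),
    ]


if __name__ == "__main__":
    timeline, drifted = rebuild_timeline(
        build_sample_records(), ANCHOR_EVENT, ANCHOR_TRUE_TIME)
    print("recorders needing clock correction:", ", ".join(drifted))
    for when, rec, event in timeline:
        print(when.time(), rec, event)
```

Sorted on raw stamps, the slow recorder's relay trip would appear before the fault itself and the fast recorder's breaker operation would land two minutes after everything else; after correction the relay trip falls one second after the fault and the breakers open in the order they actually did. A backlogged recorder cannot be fixed this way, because its offset is not constant, which is why the check for a missing or implausible anchor matters more than the arithmetic.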

In a related development, Rep. Edward J. Markey (D-Mass.), a senior member of both the House Energy and Commerce Committee and the Homeland Security Committee, sent a letter on Aug. 22 to the U.S. Nuclear Regulatory Commission requesting detailed information on the effect the January outbreak of the Slammer worm had on the systems that control FirstEnergy's Davis-Besse nuclear power plant in Oak Harbor, Ohio.

"It may be too soon to know whether the Blaster worm was involved in [the Aug. 14] blackout," wrote Markey. "However, it is clear that cybersecurity was deeply flawed at the Davis-Besse nuclear reactor just a few months before the blackout occurred."
*******************************
Computerworld
EU privacy concerns on airline passenger data could cause rift with U.S.
An EU commissioner warned that U.S. antiterror efforts could breach European privacy laws
Story by Jaikumar Vijayan

SEPTEMBER 05, 2003 (COMPUTERWORLD) - The European Commission this week warned that a trans-Atlantic row may soon result if U.S. demands for airlines to reveal passenger information as an antiterror measure aren't backed by adequate privacy safeguards.

In a letter to Secretary of Homeland Security Tom Ridge, the European Union commissioner in charge of customs issues, Frits Bolkestein, said that only a "tightly worded undertaking" about the manner in which passenger information is handled and shared is acceptable.

"Data protection authorities here take the view that [passenger] data is flowing to the U.S. in breach of our Data Protection Directive," Bolkestein said in his letter. "It is thus urgent to establish a framework which is more legally secure."

The letter was originally sent to Ridge in June but was released to journalists this week after a meeting on the topic by European Commission representatives, who said they hadn't won any significant concessions from the U.S. so far.

Discussions on the issue have been ongoing since December 2001, soon after the U.S. began requiring all airlines flying into the country to disclose the Passenger Name Record (PNR) of all passengers. PNR information typically includes names, travel routes, credit card numbers, special meals and other details, which U.S. authorities said they would need to identify potential terrorists entering the country.

The European Commission has been insisting on adequate privacy safeguards relating to the manner in which the data can be accessed and used by U.S. authorities. The privacy issues being raised are similar to the ones that U.S. businesses need to comply with when doing business in Europe.

The concerns relate to issues such as the purpose for which the data is used, stronger protection, filtering out of certain types of data and the need for a redress mechanism in cases where mistakes are made.

Nevertheless, under an interim agreement between the two sides, U.S. customs and immigration authorities have been accessing such information from European airlines since March.

"On a number of important points the U.S. undertakings fall short of what we need and it is urgent that these issues now be looked at from a political perspective," Bolkestein's letter said. Otherwise, there could be a "highly charged Trans-Atlantic confrontation" over the issue, he said.
*******************************
MSNBC
The case for computerized voting
Hacking fears overblown
OPINION
By Simson Garfinkel
TECHNOLOGY REVIEW
 
Sept. 4 - Over the last two decades, geeks have rarely passed on an opportunity to replace a perfectly good mechanical device with a computerized system. Got one of those old-fashioned cash registers? Replace it with a PC and a touch screen. Got a hotel with perfectly good door locks and metal keys? Rip them out and replace them with computerized locks and swipe-cards. Wherever you look, pinball is out, video games are in. But there is a rising chorus of geeks, a chorus led by some very high-profile computer science professors and researchers, who say that one machine should never be computerized: the voting machine.
THESE COMPUTER PROFESSIONALS say that accurately counted free elections are the bedrock of democracy. Voting, they claim, is too important to be done on a computer. The irony is delicious: it's sort of like a group of doctors arguing for the return of leeches because the President of the United States is too important to be treated by modern medicine.
Specifically, the computer scientists are opposed to that new generation of voting machines that resemble automatic teller machines. These systems are called "direct recording electronic" (or DRE) voting machines because people vote on the touch screen and the votes are recorded directly on the computer's hard drive, without any paper being harmed in the process.
There are a lot of reasons to like these DRE machines. Because the voting is done on a large touch screen, they can use big fonts that are easier for the elderly to read. The machine can be programmed to reject attempted votes that are patently wrong, like voting both "yes" and "no" on a referendum question. The machines can be equipped with speech synthesizers, allowing people who are blind or illiterate to vote on a truly secret ballot for the first time in their lives. They can even confirm the voter's choices on a second screen, which means that there would be no more elderly Jewish voters in Palm Beach accidentally casting their ballots for Pat Buchanan.
      
TAMPERING FEARS
Nevertheless, most computer professionals are opposed to the DRE machines. One reason is that there is fundamentally no way to audit them: If 600 people vote at a DRE on Election Day and the machine says that 310 voted for the Democratic candidate, who is to say that the number 310 is true? Perhaps only 280 voted Democratic, but the machine was programmed to randomly flip 5 percent of the Republican votes to Democrat before recording them on the computer's hard drive. To make this sort of programmatic tampering harder to detect, perhaps the program was devised so that the flipping would only happen on the first Tuesday in November. On other days (presumably the days when election officials tested the voting machine) no vote flipping would take place. To make it even harder to detect, perhaps the flipping occurs only when the machine discerns that the vote is close; this would avoid the embarrassment of having polls predict one outcome, and having the machines tally another.
This sort of election-stealing logic would be easy to code into the voting machine's operating system. The logic could be written by a lone programmer (perhaps an activist hacker with a grudge) without the knowledge of the voting machine company. The logic could be so well hidden that not even a careful review of the machine's source code would find it. This isn't as far-fetched as it might sound: Unauthorized features called "Easter eggs" are routinely hidden in commercial software, even software shipped by Microsoft.
I keep writing "most computer professionals" because I recently met one who isn't opposed to DREs: In fact, he's positively enthusiastic about them. And this man isn't just anybody; he's Ted Selker, an award-winning inventor with many patents, formerly with IBM Research, currently a professor at the MIT Media Lab, and a member of several panels and commissions that looked at the issue of voting following the debacle of the 2000 presidential election.
      
PITFALLS OF PAPER
I met Selker a few days after he had attended a meeting of computer scientists and election officials in Colorado. He was livid. He had just spent two days listening to the experts of the field talk about all of the failings with DREs and how these systems could be used to steal an election.
"What these people don't realize," he told me, "is that automated tabulating machines were invented for a reason" - that is, because paper is a fundamentally bad way of making and keeping accurate records. Paper is bulky and heavy. It can be hard to read something recorded on paper, no matter whether the marks were made by hand with pen-and-ink or by a computerized printer. Paper rips and gets jammed in machines. Paper dust gets everywhere. Eliminating paper, Selker explained to me, has the potential for dramatically improving elections.
"But what about all of the ways that you can hack the voting machines?" I asked him.
Selker laughed. Politicians, he told me, have been hacking elections in America for more than 200 years. The geeks are focusing on the abilities of hackers to steal elections by reprogramming DREs because electronic attacks are what these folks understand. But if your goal is truly better elections, he says, the DREs can do more good than harm.
One of the most effective ways to affect an election's outcome is to take your opponent's supporters off the election rolls. That's what happened in Florida three years ago: thousands of Democrats, many of them minorities, showed up at voting places and discovered that they were no longer registered. Why? Because it's illegal for convicted felons to vote unless that right is specifically restored. Florida had recently purged the voting rolls against a computerized database of convicted felons; tens of thousands of people were removed, some apparently in error. Other techniques for stealing an election, Selker told me, are stationing tow trucks outside the polls to intimidate voters; setting up police roadblocks (as was done in Florida in 2000); intentionally designing confusing ballots; putting people on the ballot with the same name as your opponent; and getting votes the old-fashioned way: by buying them. "And don't get me started on absentee ballots," he said.
      
OVERHAUL IN THE WORKS
Selker has been studying the electoral process for years, and he has come to a disturbing conclusion: The more he looks, the more problems he finds. A few years ago, for instance, he stationed himself at a Chicago polling place on election day. He discovered that the election workers had not been adequately informed as to how ballots should be properly marked for an important question; the ballots that were filled out incorrectly had to be disqualified. Those were paper ballots, Selker was quick to point out. Hacking aside, election officials are supposed to be able to audit the programming of a voting machine. What they can't do is make sure that every election-day volunteer is giving out correct instructions for filling in a paper ballot.
What about the value of a paper trail? I asked Selker. Just having a vote on paper is no guarantee that it will be correctly counted, he explained. He cited an example (again from Chicago) of an election commissioner who bragged about counting votes for a Republican candidate and then writing them down as votes for the Democrat.
All of this suddenly matters a great deal. Over the next year, counties all over the United States will be throwing out their old mechanical voting machines and buying new voting systems. The money for this project (roughly $3.9 billion) is coming from the U.S. Congress through the Help America Vote Act. The two big contenders are the DRE machines and a paper-based system that counts votes with optical scanners.
Ironically, many of the proposals that have been made to "improve" the security of DRE systems actually make it easier for politicians to sabotage an election via other means. For example, any technique that gives a voter a printed receipt is susceptible to a vote-selling scam: Just turn in the receipt, and collect your $20. Even receipts that would be visually inspected by the voter and dropped into a sealed box (a proposal made by Stanford professor David Dill) are vulnerable to a vote-selling technique known as "chain voting."
Before talking with Selker, I was squarely in the anti-DRE camp. After listening to him, I realize that there is another side to the story that is being systematically underreported by the technology press. Did he convince me? Well, let's say that I'm no longer convinced of the inherent correctness of the anti-DRE position.
      
BRAZIL'S EXAMPLE
So you can imagine how surprised I was by the next thing that Selker told me. "Of course," he said, "this country is going about election machines entirely the wrong way."
The current DRE machines, says Selker, are monstrosities. They cost ten times more than they should. Their designs are secret and their code is proprietary. And even worse, what precious few facts have been revealed in public are deeply troubling.
A few months ago, the source code for a voting machine manufactured by Diebold was inadvertently left on a Web site. A group of researchers at Johns Hopkins downloaded the code and analyzed it. They found many software errors and poor design methodology. One of the most glaring problems had to do with encryption: although the computer used the DES algorithm to encrypt the votes, the encryption key was hard-coded into the program and unchangeable. A key that can't be changed offers little more security than using no encryption at all.
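A key fixed in the program text is exactly the kind of defect a source review can catch mechanically before a machine is certified. The following is an added example, not Diebold's code and not the Johns Hopkins team's analysis: a small Python scanner run over two constructed C fragments, one in which key and IV material are fixed as literals and fed to OpenSSL's legacy des_set_key / des_ncbc_encrypt calls, and one that loads a per-machine key at run time through a hypothetical load_key_from_token() routine (fatal() is likewise hypothetical). The key value and both fragments are placeholders written for the scanner to read.

```python
import re

# Identifiers that look like they hold key or IV material (KEY, vote_key, IV, ...).
KEYISH = re.compile(r'\b(?:\w+_)*(?:key|secret|iv|passwd|password)(?:_\w+)*\b', re.I)
# A string literal of four or more characters, or a byte-array initialiser of
# eight or more bytes: the shapes a fixed DES key or IV usually takes in C.
LITERAL = re.compile(
    r'"[^"\n]{4,}"|\{\s*0x[0-9a-fA-F]{1,2}(?:\s*,\s*0x[0-9a-fA-F]{1,2}){7,}\s*\}'
)
# Calls that consume key or IV material.
CRYPTO_CALL = re.compile(r'\b\w*(?:set_key|setkey|encrypt|decrypt)\w*\s*\(', re.I)
# `#define NAME <literal>` or `NAME[...] = <literal>`; the name is captured.
DEFINITION = re.compile(
    r'(?:#\s*define\s+(\w+)\s+|\b(\w+)\s*(?:\[[^\]]*\])?\s*=\s*)(?=(?:' + LITERAL.pattern + r'))'
)

# Constructed C fragments for the scanner to read; neither is real voting-machine code.
HARDCODED_C = """\
#define VOTE_KEY "hypothetical-fixed-key"   /* constructed placeholder, not a real key */
static const unsigned char IV[8] = {0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, 0x88};
void store_vote(const unsigned char *vote, unsigned char *out, long len) {
    des_set_key((des_cblock *)VOTE_KEY, schedule);
    des_ncbc_encrypt(vote, out, len, schedule, (des_cblock *)IV, DES_ENCRYPT);
}
"""

PROVISIONED_C = """\
void store_vote(const unsigned char *vote, unsigned char *out, long len) {
    unsigned char key[8];
    if (load_key_from_token(key, sizeof key) != 0)   /* hypothetical provisioning call */
        fatal("no per-machine key provisioned");
    des_set_key((des_cblock *)key, schedule);
}
"""


def scan(source: str) -> list:
    """Return (line_no, message) pairs for every line that fixes key/IV material."""
    lines = source.splitlines()
    fixed_names = set()          # key-ish identifiers initialised from a literal
    findings = []
    # Pass 1: key-ish names defined as literals.
    for no, line in enumerate(lines, 1):
        m = DEFINITION.search(line)
        if m:
            name = m.group(1) or m.group(2)
            if KEYISH.fullmatch(name):
                fixed_names.add(name)
                findings.append((no, f"{name}: key/IV material fixed as a literal in the source"))
    # Pass 2: cipher calls fed a literal directly or through one of those names.
    for no, line in enumerate(lines, 1):
        if not CRYPTO_CALL.search(line):
            continue
        if LITERAL.search(line):
            findings.append((no, "literal passed straight into a cipher call"))
        for name in sorted(fixed_names):
            if re.search(rf'\b{re.escape(name)}\b', line):
                findings.append((no, f"{name} (fixed above) reaches a cipher call"))
    return sorted(findings)


if __name__ == "__main__":
    for label, src in (("hardcoded.c", HARDCODED_C), ("provisioned.c", PROVISIONED_C)):
        for no, msg in scan(src) or [(0, "no fixed key material found")]:
            print(f"{label}:{no}: {msg}")
```

The scan is line-based and deliberately narrow (names containing key, iv, secret or password; string or byte-array literals; calls whose names contain set_key, encrypt or decrypt), so it is a first-pass lint rather than proof of anything. A key read from a file that ships unchanged with every unit would pass it and still be, in effect, hard-coded; that case needs a review of how keys are provisioned, which is the question a certification process should be asking in the first place.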
Instead of having US taxpayers spend more money on proprietary voting machines of questionable quality, Selker says that we should follow in the footsteps of Brazil, which deployed DREs in the 1990s and is currently working on the second generation of these machines.
Brazil's machines were designed in a transparent, public process by two of the country's leading research institutions. The national government then accepted bids from different companies who competed to build machines according to the open design. Everything was above-board - extremely important for a nation that has a history of election fraud.
These voting machines are simple, compact, functional, and have done a great job in bringing fair elections to the entire country. For example, each system operates on either wall current or on a set of self-contained batteries, allowing it to accept votes more than 12 hours deep in the Amazon jungle without having to be plugged in. The touch screens display not only the candidates' names but also their photographs, an important detail in a country where so many voters are illiterate. What's more, instead of costing thousands of dollars, each machine costs just hundreds.
The Brazilian machines are not perfect: they've been criticized because, like other DREs, they fundamentally cannot be audited after the fact. But security is a series of tradeoffs: the first electronic election in Brazil gave voters a printed receipt that the voters had to drop into a box after verifying it; this receipt was reportedly used for chain voting scams and the practice was discontinued in the next election.
Selker is convinced that DREs are the way of the future; many notable computer scientists continue to believe otherwise. "Election technology has not advanced to the point where it can provide us with electronic systems that are reliable enough to trust with our democracy," writes Stanford's Dill on his Web site, VerifiedVoting.org.
My feeling is that elections are in a mess throughout this country: voting machines are a problem, but so are the voter registration system, election-day intimidation, and the whole districting process. The problem with optical scan (the main technological competitor to DRE) is that unless the ballots are actually scanned when they are turned in by the voters, there is no way to prevent people from throwing away their votes by making minor clerical errors on the ballots.
Selker's argument is simple: paper is bad, and whatever problems are inherent in today's DREs can be overcome by an open design and review process. Nobody else seems to be making this case. The U.S. DRE vendors want to sell high-priced proprietary voting machines. Meanwhile the academics want to stick with paper and all its problems.
      
Technology Review columnist Simson Garfinkel is the author of 12 books on computing, including Database Nation.
Copyright © 2003 Technology Review, Inc. All Rights Reserved.
*******************************