Clips August 19, 2003
- To: "Lillie Coney":;, Gene Spafford <spaf@xxxxxxxxxxxxxxxxx>;, John White <white@xxxxxxxxxx>;, Jeff Grove <jeff_grove@xxxxxxx>;, goodman@xxxxxxxxxxxxx;, David Farber <dave@xxxxxxxxxx>;, glee@xxxxxxxxxxxxx;, Andrew Grosso<Agrosso@xxxxxxxxxxxxxxxx>;, ver@xxxxxxxxx;, lillie.coney@xxxxxxx;, v_gold@xxxxxxx;, harsha@xxxxxxx;, KathrynKL@xxxxxxx;, computer_security_day@xxxxxxx;, waspray@xxxxxxxxxxx;, BDean@xxxxxxx;, mguitonxlt@xxxxxxxxxxx;
- Subject: Clips August 19, 2003
- From: Lillie Coney <lillie.coney@xxxxxxx>
- Date: Tue, 19 Aug 2003 10:52:06 -0400
ARTICLES
State Department issues new visa rules
China blocks foreign software
Dean campaign says it spammed
Bush Campaign Reaching Out to Bloggers
Citibank warns customers of e-mail scam
Civil Rights Concerns 'Not a Problem,' Official Says
SCO puts disputed code in the spotlight
Forman leaving for money
Challenging conventional wisdom
Federal agents using training simulator
DHS may restrict access to some solicitations
DHS rushes to finish tech plan
Border agency tests monitors
NSA boosts credentials
Data integrity initiative launched
Health group boosts mail security
Argentines to Get the E-Vote
Army seeks volunteers for teen science education program
Patching Becoming a Major Resource Drain for Companies
Blackout prompts worries about cyberattack
*******************************
Government Executive
August 18, 2003
State Department issues new visa rules
By Kellie Lunney
klunney@xxxxxxxxxxx
The State Department has issued two rules that aim to crack down on visa fraud and save the government money by streamlining the application process for a popular immigration program.
The rules, published in Monday's Federal Register, restrict the automatic re-validation of visas for certain visitors and require applicants to the diversity visa lottery program to submit their forms electronically. The lottery program each year allows 50,000 people from countries with low rates of immigration to the United States to apply for permanent residency in this country.
The automatic revalidation of visas allowed certain visitors to re-enter the United States after a visit of 30 days or less to a "contiguous territory," including Canada and Mexico, without obtaining a new visa prior to re-entry. In March 2002, the department published an interim rule that denied the automatic visa re-validation privilege to foreigners from countries categorized by the U.S. government as state sponsors of terrorism. These countries include Iraq, Iran, Syria, Libya, Sudan, North Korea and Cuba. That rule also denied the benefit to those who chose to apply for a new visa while traveling in one of the United States' contiguous territories.
Monday's final rule is intended to protect against the possibility that automatic re-validation would enable those visa applicants who were eventually rejected to return to the United States while their applications were pending.
The final rule, which goes into effect Aug. 18, mirrors the 2002 interim rule. It does not preclude foreigners who are in the U.S. and plan to go abroad temporarily from applying for a new visa prior to leaving this country.
The State Department received about 300 comments on the rule, some of which criticized the changes, calling them ineffective, unfair to innocent foreigners and inconvenient, particularly to foreigners studying in the United States and who travel abroad frequently. But the department emphasized that the visa benefit was a privilege, not a right, and the changes reflect a post-Sept. 11 world. "These are difficult and different times, and certain conveniences must be foregone," the rule stated.
The interim rule on the diversity visa lottery program, which would move the process from a paper-based one to an electronic format, is designed to reduce the number of duplicate applications from individuals seeking immigrant visas. The department is more apt to catch applicants fraudulently submitting multiple applications electronically than it would by sifting through piles of paperwork, according to the rule, which took effect Monday. The department also hopes that the new format will help the government reduce the cost of receiving, storing and handling massive amounts of paperwork. In recent years, the department has received up to 13 million applications to the diversity visa program annually, the rule said.
In response to any adverse effect on applicants from poorer countries who may not have Internet access, the rule said that concern is "offset, especially after Sept. 11, 2001, by the security advantages and cost-saving of the electronic procedure." The rule also said that competition among the global Internet café community, computer service providers and other "third parties" would likely keep the cost down for those applying to the diversity visa program.
The comment period on changes to the diversity visa program ends on Oct. 17. Send comments by fax to 202-663-3898, by e-mail to VisaRegs@xxxxxxxxx, or by mail to:
Chief, Legislation and Regulations Division
Visa Services
State Department
Washington, D.C. 20520-0106
*******************************
CNET News.com
China blocks foreign software
By CNETAsia Staff
August 18, 2003, 8:56 AM PT
A new policy from China's governing body states that all government ministries must buy only locally produced software at the next upgrade cycle.
The State Council's move, aimed at breaking the dominance of Microsoft on desktop computers, will eliminate Microsoft's Windows operating system and Office productivity suite from hundreds of thousands of Chinese government computers over the next few years.
Gao Zhigang, an official with the Procurement Center of the State Council, told reporters that the new policy will be in place by year's end.
At a special congress held to encourage ministries to upgrade to WPS Office 2003, a China-made office productivity suite, Gao said the government will purchase only hardware preinstalled with domestic operating systems and applications. Those seeking exceptions will need to submit a special request.
The new policy is expected to increase the number of government officials who use domestic office software, from one-third to 100 percent, eventually. Gao said the new policy is meant to support the local software industry and protect the state's information security.
Microsoft had been on a charm offensive, including granting the government inspection rights over Windows source code and creating a new CEO position for greater China.
The new policy will continue until at least 2010. The protections are standard and are not meant to discriminate against other countries, the council stated. China is a member of the World Trade Organization, and it is unclear if the new ban contravenes the body's charters.
"The domestic software industry is very insulated. There is poor interaction and partnership with user companies. The increased use of domestic software will make the China software industry more open," said Fei Lin, an official with the State Assets Supervision and Administration Commission.
The ban comes as part of China's efforts to challenge Western technology. Chinese software company Kingsoft used to have 90 percent of the market with its Chinese word processing tool, but has lost nearly all market share to Microsoft Word since the early 1990s.
In addition to commercial reasons for protecting local software, there are security issues. China is placing official support behind the Red Flag Linux operating system, which they trust, because the open-source code allows officials to see that there are no data spyholes installed by foreign powers.
Zhang Xiaonan of ZDNet China contributed to this report.
*******************************
CNET News.com
Dean campaign says it spammed
By Declan McCullagh
Staff Writer, CNET News.com
August 18, 2003, 11:41 AM PT
Howard Dean's presidential campaign acknowledged on Monday that it had spammed an undisclosed number of people with unsolicited political advertisements.
The campaign said Dean, the former Democratic governor of Vermont, remained opposed to unsolicited bulk e-mail and blamed the spamming on two contractors who had promised to contact only people who had specifically requested to receive the advertisements.
"We recently contracted with two vendors who made assurances that their lists were opt-in only," the campaign said in an e-mail to CNET News.com. "On Tuesday, August 12th, Dean for America received notification from a supporter that spam was being sent. We terminated our relationship with both vendors immediately."
The Dean campaign's bulk e-mail, which was sent last week, was disclosed by the Spamvertized.org Web site, which tracks political spam. The e-mail message touted Dean's accomplishments and asked for political support and donations, saying: "We are going to win this nomination and defeat George W. Bush in 2004, but we need your help."
Last week's spamming has the potential to embarrass a presidential campaign that both the media and its own campaign staff have touted as particularly Internet-savvy. A Newsweek cover story last week said Dean "is revolutionizing political fund-raising with his clever cyberstumping," while Dan Gillmor, a columnist for the San Jose Mercury News, proclaimed that Dean and his staff "truly get the meaning of the Net."
This is not the first time the Dean campaign has been embroiled in a controversy over spam. The campaign's Texas affiliate apologized earlier this year for spamming, saying "from now on, only people who personally sign up for our e-mail lists, contribute money, volunteer or sign a petition will receive e-mails from Dean for Texas."
There are some signs that politicians see spam as a cheap and effective way to reach voters. For example, out of about a dozen bills introduced in Congress that promise to regulate commercial spam, not one attempts to restrict political e-mail messages.
In January, the campaign of Sen. Joseph Lieberman, another Democratic presidential hopeful, acknowledged it had spammed prospective voters. So have many other politicians. The Democratic Party has been caught spamming, as has Bill Jones, the unsuccessful Republican candidate for governor of California, and Florida Gov. Jeb Bush, a Republican.
The Dean campaign did not immediately respond to questions about which e-mail contractors it hired, what kind of "opt-in" lists the contractors promised or how many persons' in-boxes were affected.
*******************************
Washington Post
Bush Campaign Reaching Out to Bloggers
By Mike Allen
Tuesday, August 19, 2003; Page A03
President Bush's campaign will unveil a Web site today that allows proprietors of online journals -- Blogs or Web logs -- to "get the latest campaign headlines and inside scoop posted instantly to your site through a live news feed from GeorgeWBush.com!"
Bush's campaign is leaving nothing to chance as his devotees spread his message. The automatic feeds are offered in horizontal and vertical versions.
Clearly cognizant of the Web frenzy over Democrat Howard Dean, Bush's aides held a conference call to preview the site, which replaces a bare-bones one that has raised $1.3 million from 6,000 donors since the campaign launch May 16.
Campaign manager Ken Mehlman said the site's purpose is "sharing the president's positions and tying them to grass-roots activities so that everyone who wants to, has something to do." The site allows a user to type in a Zip code and find local and national radio talk shows. A letter can be automatically e-mailed to newspapers, and all the supporter has to do is paste in pre-scripted text such as, "President Bush should be commended for his strong leadership on the economy."
The pages are similar to ones Timothy Noah of Slate magazine stumbled across in June when the campaign left a prototype unprotected for a few hours. Noah called the environment section "hilariously skimpy." Now it includes a three-page "issue brief." In fact, the site reveals that the environment is one of Bush's top issues, along with the economy, compassion, health care, education, homeland security, national security and education.
The not-so-subtle prototype section labeled "See more Hispanic photos" has been replaced by, "See more Environment photos." Visitors are invited to "forward this image to friends and family!"
Experts said the Web tends to be more effective for an insurgent such as Dean than for an incumbent. But Bush's site was praised by Max Fose, Internet manager for the presidential campaign of Sen. John McCain (R-Ariz.). "It's always pushing people to take an action," he said. "It's an unfiltered avenue to deliver the president's message."
Dean's Fundraising Hedge
Howard Dean, who has proved surprisingly adept at raising campaign money, appears to be having second thoughts about his pledge to participate in the nation's program for publicly financing political campaigns.
The former Vermont governor told the Associated Press that although he intends to keep his pledge, he is also still willing to consider opting out of the program. "Could we change our mind? Sure," Dean said.
The program, designed to lessen the importance of campaign fundraising, provides federal dollars to qualified candidates who agree to spending limits. Earlier this year, Dean said his campaign would join the program.
But he has since proved a prodigious fundraiser. And Democrats have long feared that participating in the program during their primary would put their candidate at a disadvantage, since President Bush is expected to opt out.
Democrats fear their candidate could emerge from the primaries, as early as March, nearly penniless and unable to match the president's unrestricted campaign efforts for months -- until they receive their general election money later that summer, after their presidential nominating convention. It was that scenario that appears to have given Dean second thoughts.
"I think public financing is a good thing. The question is what do you do with an opponent who can murder you" for months, Dean said.
Edwards Touts Palmetto Roots
Sen. John Edwards (D-N.C.) expanded his television ad campaign into South Carolina yesterday, a state that is considered critical to his bid for the Democratic presidential nomination.
The campaign consists of a trio of ads, touting his rise from humble beginnings, his plans to keep U.S. jobs from moving overseas and his long ties to the Palmetto state. Two of the spots have been running in New Hampshire and Iowa. The third features the senator sitting on the porch of a modest house he lived in as a child in Seneca, S.C. Edwards lived there until he was 10, when his parents moved, first to Georgia and, later, to North Carolina.
"This was my first home. The folks I grew up with, they weren't famous and they sure weren't rich," Edwards says in the spot. "But they worked long and hard to give their kids a better life."
The state hosts one of the nation's earliest presidential primaries. Edwards is the first of the nine Democratic candidates to take to the airwaves there, with what his campaign would describe only as a "substantial" buy.
Political researcher Brian Faler contributed to this report.
*******************************
CNET News.com
Citibank warns customers of e-mail scam
By Reuters
August 18, 2003, 10:00 PM PT
Citibank on Monday warned customers not to fall for an e-mail scam that threatened to shut down their checking accounts if they failed to provide their Social Security numbers.
Citibank, a division of Citigroup, said "numerous" people received the e-mail, which purported to advise them of conditions affecting their accounts.
It said the e-mail linked to a Web site that looks like Citibank's, and asked customers for their Social Security numbers, a form of identification. Scammers can use such data to obtain credit cards or access to bank and other accounts.
"Although the e-mail appears to come from Citibank regarding 'Your Checking Account at Citibank,' it does not, and Citibank is in no way involved in the distribution of this e-mail," a company representative said.
The bank urged recipients to delete the e-mail and call the customer service number on their automatic teller machine cards. It said that the company is working with law enforcement and that its systems have not been compromised.
The e-mail is an example of "phishing"--the use of spam, or unwanted junk e-mail, to lure computer users to Web sites that look like those of reputable companies, and to deceive them into divulging personal financial data.
It was not immediately clear how many customers had received or acted upon the e-mail.
Citibank is the No. 3 U.S. commercial bank by assets and the No. 2 retail bank in the New York City area. Citigroup's retail banking operations had average customer deposits of $197.2 billion in the quarter ended June 30.
Several people at Reuters--some of whom do not have Citibank accounts--received the e-mail, which carried varied addresses at juno.com, mail.com and yahoo.com.
The e-mail, which contains grammatical and spelling errors, said in part: "Dear Citibank customer, We are letting you know, that you, as a Citibank checking account holder, must become acquainted with our new Terms & Conditions and agree to it. Please, carefully read all the parts of our new Terms & Conditions and post your consent. Otherwise, we will have to suspend your Citibank checking account."
As of Monday afternoon, the linked page carried an error message. A link on that page connected to a Web site, with text in Mandarin, for Nanhua Futures Trading Co., a brokerage in Zhejiang, China.
The U.S. Federal Trade Commission has warned about phishing. It encourages consumers to visit its Web sites for identity theft and spam to learn how to minimize the risk of loss.
Last month, in its first Internet phishing enforcement action, the FTC recovered $3,500 from a 17-year-old boy it charged with creating a fake America Online Web page to obtain customers' credit card information.
Story Copyright © 2003 Reuters Limited. All rights reserved.
*******************************
CNET News.com
Privacy advocates call for RFID regulation
By Alorie Gilbert
August 18, 2003, 8:40 PM PT
SACRAMENTO, Calif.--A handful of technology and consumer privacy experts testifying at a California Senate hearing Monday called for regulation of a controversial technology designed to wirelessly monitor everything from clothing to currency.
The hearing, presided over by state Sen. Debra Bowen, focused on an emerging area of technology that's known as radio frequency identification (RFID). Retailers and manufacturers in the United States and Europe, including Wal-Mart Stores, have begun testing RFID systems, which use millions of special sensors to automatically detect the movement of merchandise in stores and monitor inventory in warehouses.
Proponents hail the technology as the next-generation bar code, allowing merchants and manufacturers to operate more efficiently and cut down on theft.
Privacy activists worry, however, that the unchecked use of RFID could end up trampling consumer privacy by allowing retailers to gather unprecedented amounts of information about activity in their stores and link it to customer information databases. They also worry about the possibility that companies, governments and would-be thieves might be able to monitor people's personal belongings, embedded with tiny RFID microchips, after they are purchased.
"How would you like it if, for instance, one day you realized your underwear was reporting on your whereabouts?" said Bowen, posing a hypothetical RFID scenario.
One witness at Monday's hearing said that failing to impose conditions on the use of RFID technology could lead to a world not unlike the fictional society portrayed in Steven Spielberg's science-fiction thriller "Minority Report." In that movie, set in 2054, iris scanning technology allows billboards to recognize people and display personalized ads that call out their names. It also allows law enforcement authorities to track people's whereabouts.
"There has been scant scrutiny by policymakers on RFID and pervasive computing," said Beth Givens, director of the Privacy Rights Clearinghouse, a nonprofit consumer advocacy group based in San Diego. "This hearing is an important first step."
Givens urged Bowen to lead a study of RFID and its "profound privacy and civil liberties implications." She suggested that RFID be subjected to a set of fair-use guidelines. For instance, companies should be required to inform consumers about products containing RFID chips by clearly labeling them, Givens said. Consumers should also have the right to permanently disable the chips upon purchasing such goods, she said. And companies ought to provide consumers with the information collected about them via RFID tracking systems upon consumers' request, Givens added.
Other witnesses, including a representative from the consumer privacy group Electronic Frontier Foundation and a researcher from University of California at Los Angeles, also called for limits on the use of RFID and a technology assessment by policymakers. "It's possible to set up these systems so that there is no privacy anywhere," said Greg Pottie, an electrical engineering professor at UCLA.
"The time is right for an assessment of this technology," said Pottie, who is involved in the Center for Embedded Networked Sensing, a research project based at UCLA that's funded by the National Science Foundation.
Katherine Albrecht, a vehement opponent of RFID technology, went further and suggested a moratorium on the commercial use of RFID technology until legal guidelines are set. Albrecht, who also testified Monday, is the head of Consumers Against Supermarket Privacy Invasion and Numbering. "I would personally like to see (RFID) go away," she said.
Dan Mullen, head of the trade group Association for Automatic Identification and Data Capture Technologies, tried to temper the discussion, testifying that mass adoption of RFID chips for tracking merchandise in stores has yet to take off and may never do so. "There has to be a business case to put an RFID chip on a can of Coke," Mullen said. "When it comes down to it, there may not be a business case for anyone to do that."
Major retailers are just beginning to experiment with RFID. Tesco, a United Kingdom-based supermarket chain, has begun selling Gillette razors with RFID chips embedded in them in a trial run of the technology at its Cambridge store, according to reports. Wal-Mart had undertaken a similar test in a Boston-area store but recently decided to cancel the test. Italian clothier Benetton is studying how it wants to use RFID chips.
Instead of introducing RFID to its store shelves, Wal-Mart is urging its top 100 suppliers to start attaching RFID chips to shipments of merchandise they send to the retailer by 2005. And by the end of 2006, the company wants the rest of its suppliers, about 25,000, to begin doing the same, a Wal-Mart representative said. Wal-Mart says the chips will be used only on pallets and cases, not on the goods themselves. It will confine its use of the chips, for now, to warehouses and distribution centers, keeping them out of its stores and away from consumers.
Bowen said that the introduction of legislation to control the use of RFID is "possible," but that she's not at the bill stage yet. Even if she were to draft a bill, it would not be her goal to outlaw RFID, she said. Bowen herself uses a special pet-tracking chip that uses RFID to keep tabs on her cats.
"Is the goal of this hearing to restrict the use of the technology? No," Bowen said. "It's not our goal to create legislation that says this technology could never be used. It's to gain a better understanding."
Bowen, who is the chair of the legislative subcommittee on new technologies, has been on the forefront of the antispam legislation movement. An outspoken advocate of consumer privacy, Bowen also helped draft and introduce bills that would regulate face recognition technology, consumer data collected by cable and satellite television companies, and shopper loyalty cards used in grocery chains.
Policymakers in Britain are also starting to ponder the privacy implications of RFID. A member of Britain's Parliament recently submitted a motion for debate on the regulation of RFID devices when the government returns from its summer recess next month.
*******************************
Justice Dept. Declines To Intervene in Recall
Civil Rights Concerns 'Not a Problem,' Official Says
By William Booth and Rene Sanchez
Washington Post Staff Writers
Tuesday, August 19, 2003; Page A03
LOS ANGELES, Aug. 18 -- A Justice Department official said tonight that federal authorities will not stop California's gubernatorial recall election from proceeding on Oct. 7 because of concerns that some civil rights groups have over new voting procedures.
"This is not a problem," Jorge Martinez, a Justice Department spokesman, told the Associated Press.
The election date for the recall vote on Gov. Gray Davis (D) had been thrown into doubt when a federal judge ruled last Friday that several California counties with historically low voter turnout needed "pre-approval" from the Justice Department if they reduced the number of polling sites and hired fewer Spanish-speaking poll workers. He had given the counties two weeks to get federal clearance for the new procedures. Several civil rights groups had filed a lawsuit alleging that the changes would violate the Voting Rights Act.
Earlier today, in response to another lawsuit seeking to delay the recall, a federal judge said he would rule by Wednesday on whether to postpone the vote. Latino and black civil rights groups want a delay because they say the use of antiquated punch-card voting machines will re-create a Florida-style electoral fiasco.
U.S. District Judge Stephen V. Wilson said in court that postponing "this extraordinary election" required convincing evidence that the possible harm to some voters forced to rely on punch-card ballots outweighed the rights of all Californians to proceed with the historic recall.
A lawyer for the American Civil Liberties Union, which filed the lawsuit seeking postponement until March 2004, argued today that six urban counties in California will still be using punch-card ballots in the Oct. 7 recall election -- a method of voting that will produce a large number of invalid ballots that are unreadable or have problems such as hanging chads. The rest of California will be using newer, more accurate "touch screen" electronic voting.
The result, warned ACLU lawyer Mark D. Rosenbaum, is that millions of voters using the punch cards "will have no confidence that their vote will be counted."
Rosenbaum said that the "error rate" for punch-card ballots is 2 percent, meaning that tens of thousands of votes "could go straight into the garbage can."
Doug Woods, the government lawyer representing the California secretary of state, told the court that the state constitution mandates that the recall election be held Oct. 7, which is within the 60- to 80-day window allowed after the measure was certified for the ballot.
Woods said postponing an election before it occurs would deny voters the right to cast ballots and that the ACLU was merely "speculating" about what will happen during the voting process.
"Nobody knows what the error rate will be," Woods said. "The only way to know is to hold the election and see if it occurs." Then the ACLU can sue if it wishes, Woods said.
Meanwhile, Democratic leaders across California today continued to debate how best to fight the recall. More than a dozen Latino members of the state legislature met privately in Sacramento. They decided to condemn the recall but also to endorse the candidacy of Lt. Gov. Cruz Bustamante, the top-ranking Democrat among the 135 candidates vying to replace Davis if voters remove the governor from office.
Many Democrats and their allies are divided over strategy; some worry that by endorsing Bustamante, they are signaling to voters that it is all right to dump Davis.
On Sunday, Bustamante accused Davis allies of trying to sabotage his campaign by urging Democratic donors not to give him money. "If some of the governor's minions would stop trying to undercut my efforts, I think we could have a very coalesced opportunity for Democrats," he said on NBC's "Meet the Press." Aides to Davis adamantly denied Bustamante's accusation.
Elsewhere in the recall campaign, actor Arnold Schwarzenegger, who has rarely ventured into the public eye since he declared his candidacy nearly two weeks ago, announced that he plans to participate in candidate debates. "I intend to debate Gray Davis and the other major candidates on the ballot," the actor said in a statement. He has appointed Rep. David Dreier (R-Calif.) to negotiate the terms of any debates.
Schwarzenegger had no public events today, but will hold a public meeting on the California economy Wednesday with the two most prominent advisers he has enlisted in his campaign, billionaire investor Warren Buffett and former Treasury secretary George Shultz. Schwarzenegger also spoke by telephone with the leaders of California's largest teachers union and asked for their support. His campaign is likely to start running its first television ads this week.
Schwarzenegger has become the focus of attacks from Republicans and Democrats since Buffett told the Wall Street Journal last week that property tax rates in California appeared to be too low. On Sunday, Schwarzenegger issued a second statement distancing himself from those comments and professed "rock solid" support for Proposition 13, the seminal anti-tax ballot measure that California voters approved 25 years ago.
"Warren and I have talked about Proposition 13, and he clearly understands my strong unequivocal support for the initiative," Schwarzenegger said in the statement.
Democratic leaders, meanwhile, are taunting Schwarzenegger for declining so far to reveal his views on most of the major issues confronting California. On Sunday, he was the only prominent candidate in the recall race who did not respond to a questionnaire from the Los Angeles Times about the state's budget crisis. That prompted Bob Mulholland, a spokesman for California's Democratic Party, to dub Schwarzenegger "the Squirminator."
*******************************
CNET News.com
SCO puts disputed code in the spotlight
By Lisa M. Bowman
August 18, 2003, 2:07 PM PT
LAS VEGAS--SCO Group's legal battles against Linux took center stage at the company's partner and customer conference, as executives displayed lines of disputed code and vowed to continue their fight.
The Lindon, Utah-based company has rattled Linux users by suing IBM, claiming that the company inserted unauthorized code from SCO's Unix into Linux. SCO has also sent letters to corporations with Linux systems, warning them that they may be violating copyright laws by using the increasingly popular operating system.
During the first two hours of a morning keynote session at SCO Forum here Monday, CEO Darl McBride outlined the company's legal strategy and tried to convince SCO partners and customers that it is fighting the good fight.
"We're fighting for the right in the industry to be able to make a living selling software," McBride told the audience. He compared this right to the ability "to send your children to college" and "to buy a second home."
McBride said that pattern-recognition experts SCO hired have ferreted out a slew of infringing code in Linux.
"They have found already a mountain of code," he said. "The DNA of Linux is coming from Unix."
McBride's message was reinforced by comments from Chris Sontag, head of the company's SCOsource effort to extract more revenue from its Unix intellectual property, and attorney Mark Heise, one of the Boies, Schiller & Flexner partners who is working on SCO's intellectual property case.
Sontag said the inclusion of its Unix code in Linux has enabled the open-source operating system to attain world-class status among big customers.
"I can understand one or two lines being in common," said Sontag, who is charged with maintaining the company's intellectual property rights surrounding Unix. "But when you're talking about this level of variables being the same--the comment sections all being the same, it's problematic."
Sontag then showed, in a series of slides, Linux code that he claimed has been literally copied from Unix. He said numerous comments, unusual spellings and typographical errors had also been copied directly into Linux.
Much of the Unix code in the slides was obscured, because the company wants to keep its intellectual property under wraps, but SCO is allowing people who want to see a more extensive side-by-side comparison during the conference to do so if they sign a nondisclosure agreement.
Sontag also said thousands of lines of Unix have made their way into Linux in the form of derivative works that should have been bound by SCO licensing agreements that require licensees to keep the code secret. The company said several enterprise features of Linux--the NUMA (nonuniform memory access), RCU (read-copy update), SMP (symmetrical multiprocessing), schedulers, JFS (journal file system) and XFS (extended file system) portions--all include copied code. The company broke out the number of lines of code that had been directly copied from each. It said, for example, that more than 829,000 lines of SMP code had been duplicated in Linux.
"A number of entities have violated contracts and contributed inappropriate content into Linux," Sontag said.
Upcoming products
The company spent so much time at the conference discussing its legal battles over Linux that its product plans took second billing. During a later keynote session Monday, Erik Hughes, SCO's director of product management, outlined SCO's upcoming products.
The company introduced portions of SCOx, the company's Web services initiative announced in April. The launch included SCOx WebFace Solution Suite, which is designed to allow developers and customers to easily make their applications and services Web-enabled, and some application programming interfaces (APIs) that will let partners and customers build on the system.
Other software launches Monday were UnixWare Office Mail Server 2.0, messaging and collaboration software that aims to compete with Microsoft Exchange, and SCO Authentication 2.1 for Microsoft Active Directory, designed to easily share user identities across Unix and Windows environments.
The SCO Forum crowd applauded when SCO executives announced that an upcoming version of its OpenServer--code-named Legend--will support the latest releases of Java; include new hardware support, such as universal serial bus (USB) printer drivers; contain expanded security features; and provide better compatibility with Microsoft Windows through version 3 of Samba, which is developed by an open-source group. The OpenServer update is scheduled to debut in the fourth quarter of next year.
SCO plans to go into further detail about those products and others during upcoming sessions at the conference, which runs through Tuesday.
*******************************
Federal Computer Week
Forman leaving for money
BY Diane Frank
Aug. 15, 2003
The man responsible for the Bush administration's e-government initiatives says he's leaving government to get paid more.
Many observers have said agencies are having trouble attracting and retaining top technology talent because federal salaries are too low, and the impending departure of Mark Forman, administrator of the Office of Management and Budget's Office of E-Government, supports that claim.
"I came from a much higher salary," Forman said, referring to previous jobs in private industry.
Forman, whose last day is today, spoke to reporters Thursday during a conference call. He said his departure was neither motivated by fights with Congress over the e-government fund, nor resistance from agencies who wanted tighter control of their information technology budgets.
But Forman, who will join a California start-up that he declined to identify, said government pay isn't enough. "I am out of supplemental resources" after two years working for government, he said.
Washington, D.C.-based federal executives at Forman's level make $142,500 a year. Although he also worked in government years ago, Forman's jobs immediately before OMB were vice-president positions at IBM Global Services and Unisys.
OMB and the Office of Personnel Management recognize they must deal with the problem of finding and keeping people with the management skills needed for positions such as chief information officer. Forman expects there will be a "growing focus" on that area in the fiscal 2005 budget cycle.
But in the meantime, he thinks his two years at OMB really affected how government thinks about technology investment. "We now have tools that we didn't have before, to say, as a government, 'Is this a good investment?'" he said.
And he believes that the management agenda has had a measurable impact on how agencies work together. "I'm very happy in what we've been able to accomplish in the cross-agency arena," he said.
*******************************
Federal Computer Week
Challenging conventional wisdom
It's not privacy vs. security, says DHS privacy czar
BY Diane Frank
August 18, 2003
An understanding husband, two dogs with no sense of respect for titles and a new membership at a downtown gym. These are things Nuala O'Connor Kelly hopes will relieve the pressure that comes with overseeing protection of individual privacy at the Homeland Security Department.
The job of chief privacy officer at the newly created agency is one that comes with plenty of potential pitfalls, many of which extend from the debate currently raging over the Transportation Security Administration's passenger screening plans and the concerns over the numerous systems coming online to consolidate information across the 22 agencies that are now part of the department. When the topics of homeland security and privacy intersect, a debate is almost guaranteed.
O'Connor Kelly is certainly familiar with such challenges. Much of the respect that helped get her the job came from helping define and defend the privacy policy at DoubleClick Inc. after critics assailed the national Web firm for wanting to use personal information to guide its marketing and advertising services.
"There are very few people who could do this job effectively," said Ari Schwartz, associate director of the Center for Democracy and Technology in Washington, D.C. "She, in fact, may be the only one."
For O'Connor Kelly, this is not about gaining a higher profile and it is certainly not about getting a bigger office. She occupies one of many windowless cubicles in a government building at L'Enfant Plaza in downtown Washington, D.C. For her, as for so many at DHS, "This is personal."
"I've wanted this position since it was a twinkle in the president's eye," she said, pointing to a framed copy of the New York Times that is immediately recognizable as the cover of the Sept. 12, 2001, issue, and is only one of many personal photos and items lining the walls of her cubicle.
At the time of the attacks, she was living in New York City, but she was born in Northern Ireland, where she witnessed the impact of terrorism and counterterrorism on the lives of the people there. She wanted to be involved in achieving not only physical safety for U.S. citizens, but also personal safety, which means protecting both the tangible and intangible aspects of a citizen's well-being.
"I like to really challenge the conventional wisdom that [says it's] either privacy or security," she said.
Much of her family is still in New York, and "having folks out in the real world, out past the Beltway, is a really good way to keep yourself grounded," she said. She also escapes from the office by spending time with her two Labrador retrievers -- a love she shares with DHS Secretary Tom Ridge, who has three.
At the same time, "it's hard to put [the job] down at the end of the day," she said. "It's a life-changing opportunity for all of us, and that's what keeps us going" through long hours, political push and pull, and the need to schedule "dates" with her husband in order to see him some weeks.
"I've had to develop some more positive coping mechanisms," she said, admitting that this is where the new gym comes in. "I am trying to remember to keep a little bit of sanity."
O'Connor Kelly's job at DHS is the first chief privacy officer position to be created by law. Members of the Bush administration, Congress and the private sector shaped it. Her responsibilities stretch from education and oversight inside the department to communication and collaboration with the private sector and the public, which leaves very little in the way of free time. She keeps a copy of the section outlining her responsibilities under both the Homeland Security Act of 2002 and the E-Government Act of 2002 taped to the wall above her desk.
The chief information officer's staff generally develops privacy impact assessments for new systems, and the program management staff ensures Freedom of Information Act and Privacy Act compliance. "Having these two processes intertwine in my office means we have the cross-functional dialogue," she said. "I see [the internal oversight] as a much more proactive effort, trying to help people ward off problems before they really become problems."
O'Connor Kelly may not deserve all the credit for the change in the privacy notice for TSA's Computer Assisted Passenger Prescreening System (CAPPS) II from an unintelligible document to one that can be read and used to find answers to personal questions by nearly anyone, Schwartz said. But he added that there is no way to deny the drastic improvement in the department's communication on privacy issues since she arrived.
Educating other agencies on privacy issues is not part of her job, but coordinating with them, particularly the Federal Aviation Administration and the Justice Department, is a must. This is because of the importance of the information that passes back and forth every day in order to keep the homeland security mission on track.
The interagency privacy group that the Office of Management and Budget recently restarted is central to this effort because it allows all of the privacy officials across the government to get together to share ideas and problems and form personal relationships, O'Connor Kelly said. She used the example of the relationship she has with Zoe Strickland, the chief privacy officer at the U.S. Postal Service.
OMB officials themselves, including Dan Chenok, branch chief for information policy and technology at OMB, and Eva Kleederman, the lead privacy analyst working under Chenok, "have been a tremendous help," O'Connor Kelly said. But she is also well aware that her position is seen as a test case and a model, and other senior privacy officials are keeping a careful eye on how well she fares as they attempt to raise their profiles and positions within their agencies.
When it comes to external communication, technology both helps and confuses the issue. O'Connor Kelly and another staff member have access to the privacy@xxxxxxx e-mail account, which, she says, gets "tons" of messages each day. Messages range from technical questions from lawyers to personal comments and complaints from people around the country.
Before, in the all-paper world, queries were limited to a select few. E-mail has largely removed that barrier. But with so many different kinds of questions, many of them necessitate individual responses, which is a time-consuming process.
With two wireless phones, a beeper and a personal digital assistant, O'Connor Kelly can attest to the fact that "an outgrowth of increasing technology and increasing access is that you're going to have more feedback."
Many agencies are struggling with this volume, and O'Connor Kelly said her experience in the private sector has helped with handling that volume and range of messages. However, her office is also trying to set up an automated response on the general e-mail address so that people know someone received their message, at the very least, she said.
***
The Nuala O'Connor Kelly file
Title: Chief privacy officer, Homeland Security Department
Appointed: April 16, 2003
Born in: Belfast, Northern Ireland
Now lives in: Arlington, Va., with her husband and a pair of 2-year-old Labrador retrievers.
Other government jobs: Chief privacy officer, chief counsel for technology and deputy director of the Office of Policy and Strategic Planning at the Commerce Department.
Private-sector experience: Vice president of data protection and chief privacy officer for emerging technologies at DoubleClick Inc. Previously worked at several Washington, D.C., law firms.
Quote: "No matter what I do during the day, I have to come home and clean up after the dogs."
*******************************
Federal Computer Week
Federal agents using training simulator
BY Sara Michael
August 18, 2003
FBI and Border Patrol agents are going beyond traditional firearms training and testing their judgment and reactions to stressful situations.
With an interactive training simulator, agents face real-life situations tailored to their area of training and must make decisions about their use of force. With each decision, the training takes them on a different path, allowing agents to apply their classroom and firing range training.
"Before, when we were doing firearms training, you were basically shooting at a target, and it doesn't shoot back at you and it doesn't react," said Xavier Rios, a supervisory Border Patrol agent in McAllen, Tex.
Border Patrol agents, now part of the Homeland Security Department's Bureau of Customs and Border Protection, have been using IES Interactive Training Inc.'s Range 3000 XP4 for a few months, Rios said. The FBI recently bought a mobile training unit for special agents and law enforcement officers.
"We force them to apply everything we taught them in the classroom and on the range," said Joe Mason, vice president of IES Interactive Training, based in Littleton, Colo. "If they're not able to, there must be some segment of the training they didn't comprehend."
The mobile training unit includes a laptop computer console, a projector and a host of digital video scenarios. The Border Patrol also purchased a 28-foot trailer to house the unit, allowing the agency to move the simulator to locations across the country.
The Border Patrol has nine patrol stations across 19 south Texas counties and 17,000 square miles, Rios said. The simulator brings interactive training to the 1,000 agents who otherwise would have to travel to one of the national academy's three locations.
"That's the environment [in which] the agent would be exposed to that equipment," Rios said. "We do have tactical arms training [at the local level], but everything was static -- no interactive firearms training. That was all at the academy level. None of this was available at the sector level."
Officials can mold the training to suit their needs. For example, Border Patrol agents can film scenarios of traffic stops along the Texas border. The training unit comes equipped with video-editing software, so officials need only a digital video camera and a few willing actors to create their own training videos, Mason said.
"We've made it so it works very simply," Mason said. "It's filmed in the first person, in the perspective of the officer, so it's not like Hollywood."
A trainer controls the training session from the console, choosing the path depending on the agent's reactions. For example, a trainer may present an agent with a suspect who threatens the agent. The agent must then decide to use his firearm, baton or chemical spray.
"It basically allows the student to make decisions, split-second decisions, based on what he's seeing," Rios said, noting that the Border Patrol is currently customizing scenarios.
The trailer expands an extra 10 feet on each side to give agents room to react to scenarios. Agency officials can build walls or props to make the situation more realistic. "It doesn't necessarily feel like a video game where there is no interaction except you controlling the screen," Rios said.
Each system is custom-built for the customer, Mason said, and costs about $45,000. The trailer can cost an extra $60,000. The FBI opted to buy just the training system.
The simulator is expected to help agencies save on travel expenses and overtime pay for employees who travel to training centers across the country. Once the trainers are instructed on how to use the unit, they can drive it to the patrol stations along the southern border, Rios said.
"We reduce the cost of travel expenses," Rios said. "Once you start getting into far distances, you have to pay the employees for participating."
Katherine Jones, a research director for Aberdeen Group, said technology has advanced and prices have gone down to allow for more simulation training. She said simulation training is ideal for testing an agent's reaction to an unknown situation and checking his or her decision-making skills under pressure.
"You still know it's a simulation, but you have that sense of the moment you don't get with other kinds of training," Jones said. "I, as a student, can judge the whole view."
*******************************
Federal Computer Week
DHS may restrict access to some solicitations
BY Judi Hasson
August 18, 2003
The Homeland Security Department's research division may issue quasi-classified procurement announcements to avoid tipping off potential terrorists about U.S. security gaps.
The Homeland Security Advanced Research Projects Agency (HSARPA) is likely to model its broad agency announcements after the Pentagon's handling of classified projects, said Jane Alexander, HSARPA's deputy director.
"It is similar to what we have done at the Department of Defense," Alexander said. "Sometimes you do a phased [Broad Agency Announcement] if the BAA itself is classified and I can't publish it openly."
Renny DiPentima, SRA International Inc.'s president of consulting and systems integration, said restricting solicitations would make it difficult for some companies to work with HSARPA.
However, "a well-functioning contracting organization will be able to solicit bids from organizations known to be able to perform the desired type of work," he said.
"U.S. intelligence agencies, of course, do not always issue public solicitations for their required technologies, yet they have been successful in conducting fair competitions," DiPentima said.
Alexander said the agency is trying to avoid revealing too many details about the nation's weaknesses in homeland security and the technology needed to fix them.
To compete for a contract, she said, companies must be able to store and receive classified documents.
HSARPA has every right to throw a security blanket over its solicitations, according to Larry Allen, executive vice president of the Coalition for Government Procurement.
"This should not come as any great shock to anyone involved in government contracting," Allen said. "It is a concern to them because they would be putting everything out there on what their needs are for the world to see."
Ray Bjorklund, a vice president at Federal Sources Inc., a market research firm in McLean, Va., said the Pentagon's Defense Advanced Research Projects Agency has been mostly successful in "going out and getting new technology" using this technique.
DARPA has been successful because it rotates military and civilian experts through its doors and creates a "faster track that is more responsive to ultimate Defense needs," he said. HSARPA needs to create a similar model using field officers from border patrol and law enforcement who are "far more sensitive to user needs."
Alexander and other former DARPA employees now at DHS know how DARPA operates, according to agency spokeswoman Jan Walker.
"The vast majority of our solicitations are unclassified," Walker said. "Where we do have programs where we need to impart classified information as part of the solicitation process, we tend to have a classified annex."
***
Seeking input
The Homeland Security Department's Homeland Security Advanced Research Projects Agency is expected to issue its first Broad Agency Announcement (BAA) by the end of this month, said Jane Alexander, the division's deputy director.
Alexander declined to say if the BAA would be partly classified, but she did say the procedure includes finding out what vendors are interested in a particular area and then sending them a classified solicitation.
*******************************
Federal Computer Week
DHS rushes to finish tech plan
BY Diane Frank
Aug. 14, 2003
By week's end, the Homeland Security Department wants to finish the document that will define the future of the agency's information technology and business structure.
"We're at a juncture in the department right now where you're watching the sausage be made in front of you," said Lee Holcomb, chief technology officer at DHS.
The department has a Friday deadline for the initial draft of its "to be" enterprise architecture, although Holcomb described it as just a first pass at the future technology architecture for the department. It will be for internal review only, he added. The transition strategy -- outlining how officials expect to combine the existing jumble of systems across the 22 organizations into a coherent and consolidated tech infrastructure -- is due by October.
Holcomb spoke Wednesday at a conference on solutions architects sponsored by Potomac Forum Ltd. and Federal Sources Inc.
Homeland security officials are reviewing business cases submitted for IT systems and programs for fiscal 2005. But those reviews depend on the enterprise architecture, so Holcomb and others in the office of the chief information officer particularly want to have a thorough transition plan in place for fiscal 2004, he said.
Some smaller groups that came to DHS didn't bring any enterprise architecture expertise with them, because that knowledge was held by their former parent organizations, Holcomb said. Many of these smaller agencies now make up brand new capabilities -- such as the Science and Technology, and Information Analysis and Infrastructure Protection directorates -- and must have that expertise in-house.
Officials are looking at training and education for these organizations, but they are also beginning to discuss the concept of a "draft," which would allow the groups with the most need to get the first pick of the people with expertise, Holcomb said.
*******************************
Federal Computer Week
Border agency tests monitors
BY Sara Michael
Aug. 13, 2003
The Bureau of Customs and Border Protection will embark on a pilot project to automate the monitoring of intrusions along the border.
VistaScape Security Systems won a contract for software that analyzes border videos and sensors to present a single, real-time image of the region. Based on policies set by the border agency, VistaScape's Security Data Management System software recognizes events from streams of data and maps the events for a single agent to monitor.
"They are faced with this challenge of scaling their surveillance," VistaScape's chief executive officer Glenn McGonnigle said. "They want to watch more things."
The initial test covers one sector along the U.S. border with Mexico. McGonnigle declined to disclose the amount of the contract, but said it was the largest deal in the Atlanta-based company's history.
Border officials can use the Secure Data Management System to set policies, such as which objects can cross a certain part of the border at a certain time. The software then takes the unstructured data from video streams and pulls out structured data, such as the size, time and location of an object on the border. That information is plotted on a three-dimensional display at a console, allowing a single agent to monitor the area, McGonnigle said.
The software also can trigger surveillance of a specific camera based on an intrusion and send alerts to the nearest personal data assistant, he said.
VistaScape's product is meant to save the agency money by cutting down on the work and time spent by border agents watching hundreds of security cameras and motion sensors.
"It's really the only way we are going to be able to handle the scale of border security cost-effectively," McGonnigle said.
*******************************
Federal Computer Week
NSA boosts credentials
BY Matthew French
August 18, 2003
Scrutiny of job applicants' credentials at the National Security Agency has always been intense, and it's about to get even more intense for senior information technology security specialists.
The International Information Systems Security Certification Consortium signed a deal with the agency in February to develop a certification test for NSA's Information Assurance Directorate. The outcome is the Information Systems Security Engineering Professional (ISSEP) credential, a new certification for the agency's employees or contractors who work on information assurance.
Dow Williamson, communications director for the consortium, said professionals who already have other information systems certifications were looking for something else that could help advance their careers and set them apart from general information systems workers. The group already offered a certification called the Certified Information Systems Security Professional (CISSP), but ISSEP takes that one step further.
"Our CISSPs said they wanted more of a career path focus and asked what came next after CISSP certification," Williamson said. "CISSP focuses on 10 domains of the information security space, and the ISSEP focuses on four additional domains."
An NSA spokesperson said the certification will allow the agency to identify individuals whose skills extend beyond the information security basics.
"For NSA, this will serve to push our process to a larger community and to identify a group of individuals and companies who could provide support to NSA customers," the spokesperson said. "This exam is available to anyone worldwide, but the focus will continue to be on U.S. regulations."
The spokesperson said the certification will not be required.
"While the CISSP certification may be recommended for many positions within the Information Assurance Directorate and other areas of NSA, the ISSEP certification will not be as widespread," the spokesperson said. "One area where the certification may be required or desired is in the role of systems security designer."
Williamson said the consortium has focused much of its effort on the Defense Department and its national security requirements during the past several months. "There are a lot of folks at NSA who have CISSP certification," he said. "So we think a lot of them will be interested in the ISSEP follow-up. This partnership with NSA and ISSEP represents a new relationship."
***
Ratcheting up certifications
The National Security Agency is offering a new certification level for its information technology staff. The Information Systems Security Engineering Professional certification covers the following subject matters:
* Systems security engineering.
* Technology management.
* Certification and accreditation.
* U.S. government information assurance regulations.
***
The more traditional Certified Information Systems Security Professional certification covers the following subjects:
* Access control systems and methodology.
* Applications and systems development.
* Business continuity planning.
* Cryptography.
* Law, investigation and ethics.
* Operations security.
* Physical security.
* Security architecture and models.
* Security management practices.
* Telecommunications, network and Internet security.
*******************************
Federal Computer Week
Data integrity initiative launched
BY Rutrell Yasin
August 11, 2003
Tripwire Inc. launched an effort last week for an open standard to validate the integrity of software running on several platforms.
The program, known as the file signature database, will help systems administrators validate legitimate software, uncover suspicious data and keep better track of file changes that could bring down systems.
Information technology shops are under pressure to deliver services in a secure manner, said Wyatt Starnes, president and chief executive officer of Tripwire, which makes integrity management software. Systems administrators "need to get [better] operational control over [IT] resources," Starnes said.
Joining Tripwire in the program are major operating systems vendors including Hewlett-Packard Co., IBM Corp. and Sun Microsystems Inc.; software installation vendor InstallShield Software Corp.; and security software provider RSA Security Inc.
Starnes said the National Institute of Standards and Technology has been actively promoting such standards through its National Software Reference Library and focusing on increasing the government's computer forensic capabilities. Representatives of the consortium and the institute are discussing combining their efforts, he said. The vendors plan to make the database available to government and law enforcement agencies to aid in cybercrime investigations.
Federal agencies with systems connected to the Internet could benefit from the initiative, said John Pescatore, Gartner Inc.'s vice president for Internet security research. "The ability to detect [software] that is out of configuration is a big thing."
A repository of file information and metadata derived from software vendors forms the heart of the proposed database and enables users to determine the authenticity of files that make up the software. Information will include file names and digital hash values that provide a unique file signature archive, which crosses operating systems and applications.
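As an added illustration (not code from the article, Tripwire or the consortium), the sketch below shows how a reference database of file names and hash values can be used to flag changed or unlisted files on a system. The record layout, the use of SHA-256 as the hash, and every product and file name are assumptions constructed for the example.

```python
import hashlib
import os
import tempfile
from collections import defaultdict


def sha256_file(path, chunk_size=65536):
    """Hash a file in chunks so large binaries do not have to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


class SignatureDB:
    """Hypothetical in-memory reference set of vendor-published file signatures."""

    def __init__(self):
        self.by_hash = defaultdict(set)  # sha256 hex -> {(product, file name)}
        self.by_name = defaultdict(set)  # file name  -> {sha256 hex}

    def add(self, product, file_name, sha256_hex):
        sha256_hex = sha256_hex.lower()
        self.by_hash[sha256_hex].add((product, file_name))
        self.by_name[file_name].add(sha256_hex)

    def classify(self, path):
        """Return known, known-renamed, modified or unknown for one file."""
        name = os.path.basename(path)
        digest = sha256_file(path)
        if digest in self.by_hash:
            # Content matches a vendor record; check whether the name does too.
            listed_names = {n for _product, n in self.by_hash[digest]}
            return "known" if name in listed_names else "known-renamed"
        if name in self.by_name:
            # The vendor ships a file with this name, but not with this content.
            return "modified"
        return "unknown"


def audit(db, root):
    """Walk a directory tree and classify every file against the database."""
    report = {}
    for folder, _dirs, files in os.walk(root):
        for file_name in sorted(files):
            full = os.path.join(folder, file_name)
            report[os.path.relpath(full, root)] = db.classify(full)
    return report


# Constructed sample contents standing in for a vendor's released files.
VENDOR_FILES = {
    "libexample.so": b"\x7fELF constructed library v1.0",
    "exampled.conf": b"listen=127.0.0.1\n",
    "exampled": b"\x7fELF constructed daemon v1.0",
}


def demo():
    """Build a reference set, then audit an install that has drifted from it."""
    db = SignatureDB()
    for name, content in VENDOR_FILES.items():
        db.add("ExampleSuite 1.0", name, hashlib.sha256(content).hexdigest())

    with tempfile.TemporaryDirectory() as root:
        installed = dict(VENDOR_FILES)
        installed["exampled"] += b" patched"                             # altered binary
        installed["libexample.so.bak"] = installed.pop("libexample.so")  # same bytes, new name
        installed["unlisted.bin"] = b"not in any vendor record"          # no reference entry
        for name, content in installed.items():
            with open(os.path.join(root, name), "wb") as handle:
                handle.write(content)
        return audit(db, root)


if __name__ == "__main__":
    for path, status in sorted(demo().items()):
        print(f"{status:14} {path}")
```

A "modified" result means only that the content differs from every record for that file name; a legitimate patch not yet in the reference set produces the same result as tampering.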
*******************************
Federal Computer Week
Health group boosts mail security
BY Sarah Bailey
Aug. 6, 2003
The Michigan Public Health Institute is expanding its use of software that encrypts e-mail.
Officials from the institute downloaded ArticSoft FileAssurity onto six computers in January and found the software so effective that they will install it on 100 additional machines.
ArticSoft encrypts e-mails when there are confidential attachments, scrambling the file contents so they are no longer readable in their original format. The institute used to send private information out with a courier to ensure security, but e-mailing is a faster and less expensive option, according to Steven Pierce, former privacy officer at the institute.
While the courier service costs up to $20 per trip, FileAssurity Software costs $39 for the original download for each computer. Therefore, the software pays for itself after just two uses.
"We thought this was a great solution and we still think it's a great solution," Pierce said.
Encrypted e-mails can only be read with private key numbers generated by the software. The sender sends the message using the receiver's personal key number, according to Steve Matthews, president of ArticSoft.
The Institute wanted secure e-mail to exchange information with clients about health problems and to share raw data with police departments about violent deaths relating to firearm incidents. Also, FileAssurity's secure delete feature allows staff members to clean up old backup tapes to make sure nothing is left there past its retention period.
*******************************
Government Computer News
Argentines to Get the E-Vote
http://www.wired.com/news/politics/0,1283,60032,00.html
Wired News
02:00 AM Aug. 18, 2003 PT
BUENOS AIRES, Argentina -- In a bid to make balloting cheaper and more open, a half-million Argentines will try their hand at electronic voting in an upcoming gubernatorial election.
The Sept. 14 pilot test will involve 500,000 voters distributed among 20 constituencies in the eastern Argentine province of Buenos Aires, the most populous in the country. With an area of 118,000 square miles, the province -- with a population of more than 10 million -- is roughly the size of the state of Arizona.
The election system to be used in Buenos Aires is fairly simple. The voting machines are similar to an automatic teller machine, consisting of a metal cabinet with a numeric keyboard, a computer screen, a hard disk and a printing mechanism that will provide voters with a paper record. Voters will cast their ballots discreetly behind privacy curtains.
Upon arriving at the booths, voters will hand their ID cards to an election official -- no change from the normal procedure -- who then will enter the citizens' personal information into a small terminal.
Voters then will go behind the curtain to type a number corresponding to the candidate of their choice. A picture of the candidate will pop up on the screen immediately.
If the voter's choice has been read correctly, the voter will press a green key, finalizing the choice. If not, the voter simply presses a red key to correct the mistake. In case a voter is not willing to cast his or her ballot for any candidate on the slate, there is a white key for the "none of the above" vote. After a vote is entered, the machine makes a sound and prints a paper record.
Though the procedure is easy, many citizens will enter the high-tech ballot booths full of doubts -- and citizens of Buenos Aires are not the only ones who might feel uneasy about the upcoming test.
The pilot program has been approved by the provincial Congress, but the amendment of the election law by the National Congress is still pending, a situation that has Gov. Felipe Solá on edge.
"The e-vote would allow us to conduct a test leading to modernization and greater transparency," he said. "If the National Congress does not give us the law we need -- which is being blocked by the 'political corporation' -- then we will conduct a test with no legal value, though it will be a useful experience for the people."
And what do inhabitants of this province haunted by urban violence and poverty say?
"We have heard something about e-vote," said agricultural producer Marcelo Bardi, 39, of Bolivar. "But we don't know how it is used, and for the time being, the authorities have not explained a thing."
"E-vote?" asked Alberto Ansaldi. The storekeeper from Olavarria has large hands, and his skin has been hardened by the sun. "I haven't heard anything for the time being, but I think there are more important things to solve, (such) as unemployment," Ansaldi said. "I'd rather go on voting with a paper ballot and have the government use that money to give us more security."
In the short term, the electronic voting test will save Argentines money.
Brazil loaned Argentina more than 900 PC terminals, and has made available to any voter with Web access an online demo that is an exact replica of the system that will be used here.
Ongoing controversies surround electronic voting in the United States and few places in the world have had previous experience with the process. Electronic voting has been successfully tested in Brazil, Mexico and Paraguay.
The advantages, according to Buenos Aires Cabinet Chief Florencio Randazzo, include "greater transparency in election procedures and considerable savings in public expenditure, mainly in paper ballot printing."
With regard to transparency -- always a concern in Latin American countries that are relatively new to the democracy game -- Randazzo called the process trustworthy, explaining that the voting machines are not networked.
Instead, each machine has a flash memory card that stores information. Overseers representing each political party will be posted at each voting site and will receive tickets with the ballot totals. Ultimately, the Election Board will receive the information saved on a diskette.
"As to saving(s) in public expenditure, it will range between 40 and 50 percent," said Randazzo. "Spending in ballot printing and disposable ballot boxes will be cut."
But if adopted permanently, electronic voting won't be quite as cheap going forward.
Brazil loaned Buenos Aires its voting machines for use in only two elections. After the initial tests, the provincial government will have to buy its own electronic voting machines at about $350, or more than 1,000 Argentine pesos, each. Not everyone will agree to such spending in a country in the midst of a seemingly unending economic crisis.
*******************************
Government Executive
August 8, 2003
Army seeks volunteers for teen science education program
By Chloe Albanesius, National Journal's Technology Daily
An Army education program designed to spur interest in math, science and technology is struggling this year to attract enough volunteer "ambassadors" to help students with their projects.
The program, dubbed eCybermission, is an online competition open to teenagers in sixth through ninth grades. Student groups are instructed to identify a problem in their community with health and safety, arts and entertainment, sports and recreation, or the environment and craft solutions that they eventually will submit via the Internet.
The program relies on the work of ambassadors who promote it to schools and give feedback on student progress to organizers. Eligible participants include any civilian and military personnel drawn from active duty, the Army National Guard and the Army Reserve.
The program also utilizes volunteer Army personnel with backgrounds in science and technology to serve as cyber guides. Those online coaches answer questions the teams might have about science, math and technology and steer the students toward useful resources.
This year's competition is set to begin in the fall, but as of Aug. 8, only 121 ambassadors and some 40 cyber guides had registered. Kate Sparrow, a senior consultant with eCybermission contractor Booz Allen Hamilton, said that falls short of the 600 ambassadors and 80 cyber guides the program hopes to attract. "We are in dire need of more ambassadors," she said.
The large number of troops currently stationed overseas likely is contributing to the shortage, Sparrow said.
People interested in becoming ambassadors first must pass background checks and then receive training from eCybermission officials. The time commitment is about 15 to 20 hours a month, with volunteers required to make three school visits and two community outreach visits each month. The duties are considered year round, though there is heavier emphasis in the August-November recruitment months.
The program began last year with 442 teams from the seventh and eighth grades. The seventh-grade winners, from New York's Mott Hall School, developed a plan to make their neighborhood safer, while the eighth-grade team, from Malow Junior High in Michigan, created a code designed to speed responses to emergency 911 calls.
ECybermission has been extended to the sixth and ninth grades this year, and the national winners for each grade will receive $5,000 EE savings bonds, medals and plaques.
*******************************
Computerworld
Patching Becoming a Major Resource Drain for Companies
Need to stay on top of threats such as Blaster poses burden to users
Story by Jaikumar Vijayan
AUGUST 18, 2003 ( COMPUTERWORLD ) - Last week's W32.Blaster worm, which affected thousands of computers worldwide running Windows operating systems, highlighted the enormous challenge companies face in keeping their systems up to date with patches for vulnerabilities, users said.
Companies that, ahead of Blaster's rampage, had installed Microsoft Corp.'s patch for a flaw identified last month said they felt no effect from the worm. But the seemingly constant work involved in guarding against such worms is becoming a burden that could prove unsustainable over time, users said.
"The thing about patching is that it is so darn reactive. And that can kill you," said Dave Jahne, a senior security analyst at Phoenix-based Banner Health System, which runs 22 hospitals.
"You need to literally drop everything else to go take care of [patching]. And the reality is, we only have a finite amount of resources" to do that, Jahne said.
Banner had to patch more than 500 servers and 8,000 workstations to protect itself against the vulnerability that Blaster exploited. "I can tell you, it's been one heck of an effort on a lot of people's part to do that," Jahne added.
For the longer term, Banner is studying the feasibility of partitioning its networks in order to minimize the effect of vulnerabilities, he said.
Adding to the patching problem is the fact that companies, especially larger and more distributed ones, need time to properly test each patch before they can deploy it, said Art Manion, an Internet security consultant at the CERT Coordination Center at Carnegie Mellon University in Pittsburgh.
That's because patches haven't always worked or have broken the applications they were meant to protect, said Marc Willebeek-LeMair, chief technology officer at TippingPoint Technologies Inc., an Austin-based vendor of intrusion-prevention products.
Companies also need to schedule downtime in advance to deploy such patches, said Kevin Ott, vice president of technology at Terra Nova Trading LLC, a Chicago-based financial services firm.
"We work in a 24-by-7 environment, so there is a limited scope for downtime" in which to deploy patches, he said.
But the stunning quickness at which Blaster exploited Windows' remote procedure call vulnerability is a sign that companies are going to have to respond to new threats even faster than they do today, said Chuck Adams, chief security officer at NetSolve Inc., an IT services company in Austin.
Although worms such as SQL Slammer didn't appear until eight months after the vulnerability was announced, Blaster was released in just one month, Adams said.
That means companies will need to somehow find ways to lessen the time it takes to test and deploy patches, said Vivek Kundra, director of infrastructure technologies for Arlington County, Va. Currently, Arlington County needs about three or four days to push out patches across its networks.
"[Three or four days] is not going to work any longer," Kundra said. "I need something that can cut the process down to a few hours, if not minutes."
The county is looking at outsourcing its patch management process to a third party. Also under consideration is a plan to adopt a more automated process for testing and deploying software patches, Kundra said.
"Sometimes [patching] can be more an art than a science," said Hugh McArthur, information systems security officer at Online Resources Corp., a McLean, Va.-based application service provider for more than 500 financial institutions.
"There will be times when you may need to make a judgment call balancing risk, appropriate testing [and] mitigating factors," he said.
Even so, patching remains the best available option, according to Bruce Blitch, CIO at Tessenderlo Kerle Inc., a multinational chemical company with U.S. headquarters in Phoenix.
"Everyone would no doubt agree that having completely error- and exploit-proof code would be the most desirable situation," Blitch said. In the absence of that, he said, "we're convinced that [patching] is the best strategy."
*******************************
USA Today
Blackout prompts worries about cyberattack
By Kevin Maney and Michelle Kessler, USA TODAY
8/19/03
The electric power grid might be more vulnerable to a cyberattack today than it was on Sept. 11, 2001.
Officials doubt last week's massive blackout was caused by a terrorist or domestic hacker breaking into an electric power system via the Internet. Yet, the incident again brought to the forefront concerns that such an attack is possible.
"This power infrastructure is all Band-Aids and baling wire. And, of course, it's all dependent on computers," says Peter Neumann of research firm SRI International. "This stuff is riddled with security and reliability flaws."
The electric industry is concerned enough that on Wednesday, one day before the blackout, the North American Electric Reliability Council (NERC) adopted the industry's first-ever cybersecurity standard. It outlines 16 things that utilities should do to protect themselves.
"Some companies have gone well beyond this. Some have to catch up," says Lynn Constantini, NERC's chief information officer.
Yet, because the grid is so interconnected, experts note, companies that must catch up put the whole system at risk. "Most computer networks are only as good as the weakest point," says Ramnath Chellappa, computer business professor at the University of Southern California. As the blackout illustrated, if a hacker could break into one undefended piece of the system, the effects could cascade through the grid.
Some security and energy experts say developments in the past two years actually increase the grid's vulnerability. Among those:
- Worries about Supervisory Control and Data Acquisition (SCADA) systems. Such systems control critical functions in many industrial settings, such as chemical processing and water filtration. They also control the flow of electricity in many power company systems, and are often connected to the Internet so managers can monitor them, collect data and manipulate them from afar. A hacker might not be able to breach a utility's protected central computer but might be able to get into a SCADA system.
The energy industry has opened its systems "to a vast array of cyberdisruptions by creating inadvertent Internet links (both physical and wireless) between their corporate networks and (SCADA) systems," writes Dan Verton in his new book Black Ice: The Invisible Threat of Cyber-Terrorism.
- Competitive pressures on power companies have increased. Since Sept. 11, utilities are two years deeper into deregulation. Verton points out that as utility managers focus on reducing costs, they increasingly use the Internet, just like managers in any industry. That can create more pathways into the power system, or make it possible for one password to open access to more functions, experts say.
- A study by security company Riptech found that in the six months after the Sept. 11 terrorist attacks, energy companies were cyberattacked at twice the rate of other industries surveyed.
The problems won't go away if the power industry hastily patches the grid to get power back on. Instead, the industry needs to update the system to make it robust enough to survive any problem. "There's a tremendous opportunity here," SRI's Neumann says.
*******************************