Clips October 9, 2003
- To: "Lillie Coney":;, Gene Spafford <spaf@xxxxxxxxxxxxxxxxx>;, John White <white@xxxxxxxxxx>;, Jeff Grove <jeff_grove@xxxxxxx>;, goodman@xxxxxxxxxxxxx;, David Farber <dave@xxxxxxxxxx>;, glee@xxxxxxxxxxxxx;, Andrew Grosso<Agrosso@xxxxxxxxxxxxxxxx>;, ver@xxxxxxxxx;, lillie.coney@xxxxxxx;, v_gold@xxxxxxx;, harsha@xxxxxxx;, KathrynKL@xxxxxxx;, computer_security_day@xxxxxxx;, waspray@xxxxxxxxxxx;, BDean@xxxxxxx;, mguitonxlt@xxxxxxxxxxx;
- Subject: Clips October 9, 2003
- From: Lillie Coney <lillie.coney@xxxxxxx>
- Date: Thu, 09 Oct 2003 11:02:12 -0400
Clips October 9, 2003
ARTICLES
U.K. looking to Linux with help from IBM
Multinational consensus pegs top 20 net vulnerabilities
The science gap
Top FBI Counterterror Official Announces Retirement
DHS finishes architecture 1.0
DHS, allies seek to close the top 20 software holes
House votes to restrict file sharing at agencies [P2P]
File-Sharing Services Have Plan to Pay
Hacker victim files lawsuit blaming Microsoft security
Voters skeptical of e-voting systems
*******************************
CNET News.com
U.K. looking to Linux with help from IBM
Last modified: October 8, 2003, 1:28 PM PDT
By Michael Kanellos
The British government and IBM are kicking off nine Linux test programs
in an effort to see how much money government agencies can save by
switching to open-source software.
IBM also announced that it is setting up a Linux competency center in
Moscow in conjunction with the Russian government and local universities
to examine how Linux can be used in the region.
The two announcements build on the momentum Linux is currently enjoying
in the public sector. In May, the city of Munich agreed to replace 14,000
Windows desktops with Linux-based PCs. Open-source rumblings are also
being heard in Korea, China, India and the United States. Open-source
software, advocates say, can cut costs and ease software licensing and
management hassles.
Microsoft, Sun Microsystems and other proprietary software developers,
however, argue that the cost savings are often exaggerated. Because of
the recent lawsuits filed by SCO, Linux could open up users to legal
liability, some have said. Intellect, a trade group partly backed by
Microsoft, issued a report saying that Linux could bring anarchy to U.K.
government agencies.
The British Linux effort follows in the same general footsteps as recent
moves in Germany, said Adam Jollans, Linux strategy manager at IBM. The
German government first conducted test programs and then two years later
began deploying Linux.
The pilot programs "will provide data for the government
agencies," Jollans said.
Last year, the Office of Government Commerce (OGC), the procurement and
standards arm of the British government, and the Office of the e-Envoy
told agencies that they could begin to install open-source software. Some
projects are already under way.
"This builds upon our commitment to create a level playing field
between open-source software from a range of suppliers and propriety
software within government procurement," OGC Chief Executive Peter
Gershon said in a statement.
The nine pilot projects will be implemented in a variety of government
agencies, including the Office of the Deputy Prime Minister, the Office
of the e-Envoy and the Powys Borough Council.
Jollans could not state exactly how Linux will be used but said that
agencies are looking at using it in both servers and desktops. So far,
Linux has largely been a server phenomenon.
"The desktop conversation is definitely happening," Jollans
said.
The Russian center will primarily function to educate local agencies
about Linux and how it can be used in different environments. IBM has set
up similar centers on Wall Street, in the United Kingdom and in the
Middle East.
*******************************
Computerworld
Multinational consensus pegs top 20 net vulnerabilities
Experts from the U.S., Canada, the U.K., Singapore and Brazil name the
top Windows, Unix and Linux flaws.
Story by Dan Verton
OCTOBER 08, 2003 ( COMPUTERWORLD ) - WASHINGTON -- The U.S. Department of
Homeland Security, along with its Canadian and British counterparts and
the SANS Institute, today released a list of the 20 security
vulnerabilities most often exploited by criminal hackers.
The creation of the Top 20 list of commonly exploited Windows, Unix and
Linux flaws marks one of the first times that a multinational consensus
has been reached on critical Internet vulnerabilities that must be fixed
to meet a minimum level of security protection for computers connected to
the Internet.
"Basing the Top 20 on a multinational government/industry consensus
endows the list with more authority and makes it easy for each of our
agencies to persuade owners and operators of the critical infrastructure
to eliminate these vulnerabilities," said Steve Cummings, director
of the U.K.'s National Infrastructure Security Co-ordination Centre, in a
statement.
Sallie McDonald, director of outreach programs at the DHS, called the Top
20 project, "a useful example" of how the U.S. National
Strategy for Securing Cyberspace is being implemented.
Alan Paller, director of research at SANS, said the list is a consensus
of the knowledge of experts from around the world who are fighting
cybercrime. In addition to contributors in the U.S., U.K. and Canada,
experts from Singapore and Brazil also helped develop the list.
Paller said the security industry has put its support behind the Top 20
list. Two of the leading suppliers of vulnerability testing software,
Qualys Inc. and Foundstone Inc., announced that their customers will be
able to test for the top 20 vulnerabilities. Qualys is also offering a
free network auditing service that lets anyone test Internet-connected
systems for evidence of the vulnerabilities, Paller said.
"The list reflects the combined experience of many of the folks who
have to clean up after attacks," said Paller. "It couldn't be
developed by any individual organization because different sites face
different automated and targeted attacks."
SANS started the process of issuing a Top 10 list of vulnerabilities
three years ago, when it released its first list with the National
Infrastructure Protection Center. The updated SANS Top 20 is actually a
combination of two Top 10 lists: the 10 most commonly exploited
vulnerable services in Windows and the 10 most commonly exploited
vulnerable services in Unix and Linux.
"Although there are thousands of security incidents each year
affecting these operating systems, the overwhelming majority of
successful attacks target one or more of these 20 vulnerable
services," according to the final consensus document.
*******************************
CNET News.com
Gartner echoes concerns on Microsoft reliance
Last modified: October 8, 2003, 4:59 PM PDT
By Robert Lemos
Exclusive reliance on Microsoft's Windows operating system could make
companies vulnerable to greater damage during a cyberattack, according to
an upcoming report from business-technology consultancy Gartner.
A draft copy of the Gartner research note seen by CNET News.com mirrors
the conclusions of seven prominent security researchers, who released a
paper stating that Microsoft's dominance in software could have serious
consequences for national cybersecurity. The Gartner report is scheduled
to be published Friday.
Both reports argue that allowing the bulk of information infrastructure
to rely on a single code base--or monoculture--could result in a
cascading failure, taking down large parts of the Internet in a manner
similar to an electrical blackout. The research note focuses on a
corporate--rather than national--scale, arguing that for companies,
diversifying desktop operating systems could be a good defense against
such catastrophe.
"The recent upsurge in malicious-code attacks that target Windows,
which is used on more than 90 percent of enterprise desktops, highlights
the urgent need for enterprises to improve the security and survivability
of their personal computers," says the draft copy of the report.
"By spreading critical business functions across multiple desktop
platforms," the report adds, "or by maintaining key operating
groups on separate platforms, you can enhance your ability to keep at
least some of your key personnel and processes functioning and
communicating during an attack."
The paper is the first indication that corporate America may be lending
credence to a position paper written by seven well-respected security
researchers and released Sept. 24 by the Computer and Communications
Industry Association, a noted Microsoft critic. A lawsuit that charges
Microsoft with making computer users' personal data vulnerable was filed
against the company a week later, on behalf of a victim of identity
fraud. The suit extensively uses the report's conclusions in its
arguments.
The advice to businesses also arrives as Linux, widely seen as the major
competitor to Microsoft, is making inroads among companies and
governments, despite recent research that found Windows still on top in
server operating systems. The United Kingdom and Russia both signed Linux
deals with IBM on Wednesday. The State of Massachusetts has adopted a
policy that will make it more likely that open-source software, such as
Linux, will be considered for government systems.
Putting all your PCs in one basket
The Gartner research note does not argue that Microsoft operating systems
are inherently less secure, just that absolute reliance on only Windows
computers could result in a major failure. The note points out that the
danger of monocultures is well accepted: A forest that only has a single
species of tree could likewise be destroyed by a single virus; a greater
diversity of trees means that many will survive.
However, Bob Muglia, senior vice president of Microsoft's Enterprise
Storage and Enterprise Management divisions, said he didn't buy the
monoculture argument. Even diverse information systems have to
communicate through common interfaces, opening them to broad attacks.
Moreover, forcing a company to diversify means reducing efficiency.
"When you do that, you introduce a great deal of complexity
and...make it harder for people to do their job on a day-to-day
basis," Muglia said.
The Gartner research note agrees that diversity comes at a cost, but it
adds that companies that were hit by the SQL Slammer and MSBlast worms
may need to consider diversifying as an additional defense against future
attacks. Gartner points to the quickening pace at which attacks are
created from newly discovered vulnerabilities, predicting that 30 percent
of attacks in 2006 will occur before companies can patch their systems,
up from 15 percent in 2003.
"Simply patching will never be good enough," the draft report
notes.
By diversifying, companies gain key benefits, Gartner says. Businesses
will gain some immunity to the majority of viruses and worms that target
Windows systems. Moreover, widespread adoption of alternative operating
systems will increase competitive pressure on Microsoft, forcing the
company to better secure its software.
Bruce Schneier, chief technology officer of network-monitoring company
Counterpane Internet Security and one of the seven authors of the
original monoculture paper, said Gartner's advice is a good sign and that
though diversifying may involve some difficulties, it's worth it.
"We've always said it's a trade-off," Schneier said.
"There are security benefits to a store of never letting customers
inside, but the trade-off is unacceptable." The trick is finding an
acceptable trade-off that improves security, Schneier said. "If
people are finally saying that the security benefits are worth the
trade-off, then that's a good thing."
However, Gartner warned its clients to do it right, or don't do it at
all. Companies may stumble dealing with diversity on the desktop, the
research note says. Noting that two-thirds of successful attacks take
advantage of misconfigured systems, the report stresses that companies
shouldn't diversify unless they can do so properly.
"Tight administration of a single operating system provides more
security than sloppy administration of multiple operating systems,"
the draft report says.
*******************************
CNET News.com
Disgruntled Phillies fan arrested in hacking
Last modified: October 8, 2003, 10:55 PM PDT
By Reuters
Federal officers have arrested a Philadelphia Phillies fan in California
on charges of hacking into computers and sending thousands of spam
e-mails to sports reporters at two newspapers.
Allan Eric Carlson, 39, was arrested Tuesday by FBI agents at his home in
the Los Angeles suburb of Glendale and charged with hacking, spoofing
return addresses, launching spam attacks, and stealing identities by
using fake e-mail addresses, the U.S. Attorney's Office said Wednesday.
He was released on $25,000 bail and ordered not to use the Internet, said
Michael Levy, an assistant U.S. attorney in Philadelphia.
Carlson faces up to 471 years in prison and $117.25 million in fines.
Despite a competitive season, the Phillies failed to win a spot in Major
League Baseball's championship playoffs. The spam messages were critical
of Phillies management and the media, including one e-mail that had a
subject line reading, "Corrupt Philly Media Keeps Phils in
Cellar," according to the indictment.
Carlson used fake return addresses, belonging to sports reporters at the
Philadelphia Inquirer and the Philadelphia Daily News, the indictment
said.
Many of the spam messages bounced back to the reporters' e-mail accounts,
crippling the servers where they were stored, according to the
indictment.
*******************************
Boston Globe
The science gap
In 1995, a budget-cutting Republican Congress fired its science advisers
for being too politicized and too slow. In an age of bioterror, climate
change, and high-tech weaponry, we need them back.
By Chris Mooney, 10/5/2003
TWO YEARS AGO, as anthrax-laced letters arrived in Congress and at New
York media offices, reliable scientific information was in short supply.
With jittery Washingtonians popping Cipro and refusing to open the mail,
the confusion among leading policy makers only worsened the general
unease. In an embarrassing flub, Health and Human Services Secretary
Tommy Thompson suggested that the nation's first anthrax victim may have
fallen ill through drinking from a stream.
The press and members of Congress needed better scientific analysis --
and they found it, among other places, in two reports on weapons of mass
destruction published in 1993 by the congressional Office of Technology
Assessment (OTA). One report contained key facts about the number of
spores required to produce inhalation anthrax. The other report estimated
that given the proper weather conditions, the release of 100 kilograms of
anthrax from a plane upwind of Washington could kill more people than a
hydrogen bomb.
Faced with America's first major bioterrorism attack, why was Congress
dusting off decade-old reports? OTA hadn't produced anything more recent
because the agency, once dubbed Congress's "defense against the
dumb," no longer existed. Soon after the "Gingrich
revolution" of 1994 -- in a move that calls to mind current
complaints over the Bush administration's approach to scientific advice
-- incoming congressional Republicans dismantled their scientific
advisory office. They denounced OTA for being too slow and (some added)
suspect in its political orientation. Yet perhaps because OTA took its
time, its exactingly prepared and heavily reviewed reports have aged very
well.
OTA's 23-year body of work comprises some 750 reports and assessments on
subjects ranging from acid rain to climate change to the use of
polygraphs. "In the areas where I have expertise, I still look to a
number of OTA reports as kind of being the state of the art," says
Roger Pielke Jr., who studies climate change and space policy and heads
the University of Colorado's Center for Science and Technology Policy
Research.
In fact, some scientists are clamoring for OTA's return. The authors of a
new anthology, "Science and Technology Advice for Congress"
(Resources for the Future), outline a range of options for improving the
science savvy of elected representatives, from simply resurrecting OTA to
creating a similar organ in the General Accounting Office or
Congressional Research Service. They also suggest increasing the role of
the well-respected but undeniably slow-paced National Academy of
Sciences.
Meanwhile, New Jersey's Democratic congressman Rush Holt, who happens to
be a physicist, has introduced a bill to bring the OTA back. But so far,
Holt says, "the Republicans have dug in their heels." John
Feehery, a spokesman for House Speaker Dennis J. Hastert, confirms that
the party has little interest in Holt's efforts. "In '95, when we
took over," says Feehery, "we made a decision that that branch
of government was not producing. There's no reason to think that it will
start producing if it is re-created."
The case for OTA's reincarnation is fairly straightforward. When Congress
debates the Bush administration's rejection of the Kyoto treaty to combat
global warming or its explanation of the great blackout of 2003, partisan
voices on all sides appeal to the authority of science. But what does the
best science tell us? Members of Congress rarely have the ability or the
time to inform themselves about technical issues. After the House of
Representatives voted 265-162 to ban all cloning of human cells in 2001,
Representative Peter Deutsch, a Florida Democrat, commented, "This
is the least informed collectively that the 435 members of this body have
ever been on any issue."
. . .
OTA was created in 1972, at a time of considerable public concern over
the dangers of pollution, nuclear energy, and other technologies.
Partisan tensions hobbled the office from the outset. Because Senator
Edward Kennedy of Massachusetts had been OTA's chief sponsor, many on the
right suspected the office of being a "happy hunting ground of
Kennedy apparatchiks" and "liberal technocrats," as
William Safire wrote in The New York Times in 1977.
Under the leadership of physicist Jack Gibbons, who ran OTA from 1979 to
1993, the office pursued a strategy of studied political neutrality,
notes political scientist Bruce Bimber in his 1996 study of OTA,
"The Politics of Expertise in Congress." This approach
gradually won the support of key Republican allies. Still, when Ronald
Reagan took office, the new administration endorsed "Fat City,"
a 1980 book by conservative journalist Donald Lambro that identified OTA
as one of Washington's many wasteful programs.
But where OTA really crossed the Reagan administration was over the
Strategic Defense Initiative (SDI), or "Star Wars." In a 1983
speech, the president called for a research and development program to
determine ways of protecting the United States from nuclear missiles,
with an emphasis on space-based laser technology. The Pentagon quickly
got to work studying the feasibility of so-called ballistic missile
defense systems.
But in a 1984 study authored by Ashton Carter, now a professor at
Harvard's Kennedy School of Government, OTA warned that "a perfect
or near-perfect defense" was an illusory goal that "should not
serve as the basis of public expectation or national policy about
ballistic missile defense." The report enraged the Pentagon, which
asked to have it withdrawn. Instead, an OTA expert review confirmed the
study's conclusions.
Still, few of OTA's reports made enemies the way the "Star
Wars" studies did. Gibbons, who directed the office until becoming
the Clinton administration's science adviser in 1993, insisted that each
study provide Congress with a range of well-informed policy options to
choose from. "OTA produced a body of scientific information from
which, then, the politics could be argued," says Rosina Bierbaum,
who headed OTA's climate-change project in the 1980s and now serves as
dean of the University of Michigan's School of Natural Resources and
Environment. "And now, it doesn't seem to me like there's any
consensus body of information that the Congress accepts."
Before it was shuttered, OTA had come to be regarded by those who knew it
well as a uniquely successful agency. "How to Revolutionize
Washington with 140 People," read a lengthy 1989 Washington Monthly
article that celebrated the clarity and surprising humanism of the OTA's
reports. This flavor seems attributable to Gibbons, a folksy
administrator who ran OTA more like a university and was prone to quoting
the Edna St. Vincent Millay poem "Huntsman, What Quarry?",
which reads in part, "Wisdom enough to leech us of our ill/Is daily
spun, but there exists no loom/To weave it into fabric." For
Gibbons, OTA's mission was to weave what scientists know into a fabric
that policy makers could use.
But the Republicans who swept into Congress in 1994 saw things
differently. OTA became a "sacrificial victim," says Henry
Kelly, president of the Federation of American Scientists, because the
new Congress wanted to show its willingness to make budget cuts in its
own house.
According to Newt Gingrich's current spokesman Rick Tyler, the then-House
Speaker also felt the OTA's analyses tilted to the left: "In some
cases it was politicized work." Republican congressman Amo Houghton
of New York nonetheless led an almost-successful fight to save the agency
under the slogan "You don't cut the future." Today, Houghton
says that cutting the agency was "dumb." He adds, "It was
not that much money, and they were just looking for sort of symbolic
targets."
. . .
Those hoping to revive OTA face a political bind. Most advocates believe
the most sensible option would be to create a new office modeled closely
on its predecessor. But Michigan congressman Vernon Ehlers, another
pro-OTA Republican and a physicist, says that as long as his party
retains control of Congress, "reconstructing OTA as it was has zero
chance of becoming law."
This should not come as a surprise. In November 2001, the Chronicle of
Higher Education ran a lengthy article on "the waning influence of
scientists on national policy." The Chronicle cited the already
dramatic rifts between the Bush administration and the majority of
scientists on stem cells, climate change, and missile defense. The
article did not note, however, that Bush's science adviser, physicist
John Marburger, had by then been demoted from the position of
"assistant to the president" -- a title that Bush's father
first bestowed upon his own science adviser -- or that the agency
Marburger headed, the Office of Science and Technology Policy, was moved
out of the White House's executive office building shortly after 9/11.
(OSTP spokeswoman Kathryn Harrington maintains that this does not
represent a decrease in the office's influence.)
In the past year, major newspapers have reported on the politicization of
the scientific advisory panels appointed by the executive branch in areas
ranging from reproductive health to the environment. In the journal
Science, editor-in-chief Donald Kennedy responded with an editorial
titled "An Epidemic of Politics." In August, Democratic
congressman Henry Waxman released a report listing alleged abuses of the
scientific process and noting the "unprecedented criticism from the
scientific community." The Bush administration, it concluded,
"has repeatedly suppressed, distorted, or obstructed science to suit
political and ideological goals."
Waxman's colleague Rush Holt calls the report "a polemic," but
notes that it nevertheless contains "some striking examples of the
misuse of science, and what might almost be taken as an anti-scientific
attitude in some quarters of this administration."
Of course, the Bush administration hardly claims to be acting
anti-scientifically; it simply defines science with reference to its own
experts. John Graham, who runs the Bush administration's Office of
Information and Regulatory Affairs in the Office of Management and
Budget, is well-known for his belief that government regulations should
be subjected to a stringent form of cost-benefit analysis. Although it
has become a lightning rod for some environmental advocates, his approach
has at least some admirers across the political spectrum.
In any case, debates on issues from global warming to stem cells might
not divide so predictably along partisan lines if an authoritative agency
once again offered its analyses or even suggested new policies. A new OTA
would let legislators make up their minds on the basis of an accurate
picture of the full state of scientific knowledge. Perhaps that's why the
Federation of American Scientists' Henry Kelly says of bringing back OTA,
"The necessity is so overwhelming that I would say over the long
term, it will certainly happen."
Chris Mooney, a freelance writer living in Palo Alto, is writing a book
about the politics of science in the Bush administration.
*******************************
Washington Post
Top FBI Counterterror Official Announces Retirement
Veteran's Departure, After Three Months on Job, Is the Latest in a String
Since Attacks of Sept. 11
By Dan Eggen
Thursday, October 9, 2003; Page A11
The FBI's top counterterrorism official announced his retirement
yesterday after just three months on the job, marking the latest in a
wave of departures from the senior ranks of the FBI since the Sept. 11,
2001, attacks.
Larry Mefford, a 24-year FBI veteran who became executive assistant
director for counterterrorism and counterintelligence in July, will leave
at the end of the month to take a top security job for a large casino
firm in Las Vegas, FBI officials said.
Mefford is the third person in the past 18 months to hold that position,
which FBI Director Robert S. Mueller III created to oversee terrorism and
intelligence investigations. All the senior posts at the FBI have turned
over at least once since the Sept. 11 attacks.
The steady stream of departures has left the bureau "extremely thin
in the experience department," one FBI official acknowledged
yesterday. The bureau has struggled to hold on to personnel amid grueling
hours, intensive congressional scrutiny and a dramatic effort to remake
the FBI into an agency focused on preventing terrorism.
"These are just high-burnout jobs," said Robert Blitzer, a
former FBI counterterrorism official who has worked with Mefford and
others who have left in recent months. "The pressure is incredible,
given everything that's going on around the world. You can only take that
pounding, emotionally, for so long."
One FBI official said that Mefford, 53, left in part because of family
ties in Nevada and because of the lucrative offer to be a top security
official at the company controlled by casino magnate Steve Wynn.
Mefford declined to comment through the FBI press office.
Mefford joined the FBI in 1979 and worked at field offices in Sacramento,
Los Angeles, Minneapolis, San Diego and San Francisco before coming to
FBI headquarters to work on weapons of mass destruction issues and to
oversee establishment of a new cybercrime division. He took over the
counterterrorism division last November before being named to his current
post.
In a statement, Mueller called Mefford "one of the most experienced
leaders in the FBI and in the law enforcement community." No
replacement was immediately named.
*******************************
Federal Computer Week
DHS finishes architecture 1.0
BY Sara Michael
Oct. 8, 2003
Homeland Security Department officials have completed the first version
of their enterprise architecture, and are using it to guide development
and consolidation efforts.
"We have completed the first version of our target architecture and
we are already beginning to implement the objectives of our [enterprise
architecture] transitional strategy," DHS chief information officer
Steve Cooper told lawmakers today.
The architecture has allowed officials to identify the projects inherited
when 22 agencies merged to form the department. Officials can then look
for areas of possible consolidation. For example, they have identified
300 applications for performing back-office functions, and now they can
stop some of the redundant solutions, Cooper said. The principle, he
said, was to simplify.
"We can begin to move from many -- in this case 300 -- down to some
sizable number," Cooper said, testifying before the House Government
Reform Committee's Technology, Information Policy, Intergovernmental
Relations and the Census Subcommittee.
Developing the initial architecture took officials less than four months,
which Cooper called "unique in the federal government." More
detailed versions will follow.
The current architecture lacks depth, Cooper told lawmakers, but
officials have already begun work on a second to fill in the gaps and
detail more systems and projects. Cooper called the approach "an
inch deep and a mile wide," working down from DHS' overall mission.
Officials have also identified about a dozen "quick hit"
projects, which they have already begun to consolidate, such as
e-training and network integration.
The department's architecture is aligned with the federal enterprise
architecture, which provides guidance to all agencies for developing
their architectures. The Office of Management and Budget, which
spearheads the federal effort, will work closely with DHS, said Karen
Evans, recently appointed as OMB's administrator for e-government and
information technology.
"It is the intention of OMB through budget guidance to align their
efforts with" federal enterprise architecture, Evans told lawmakers
at the hearing. When questioned by Rep. Adam Putnam (R-Fla.),
subcommittee chair, whether there has been talk of holding up spending on
projects if the architecture is not followed, Evans said she would have
to get back to the panel with an answer.
"Primarily, it will be using the existing processes in place,"
she said, referring to the budget guidance. "Ensuring progress is
made is happening through the quarterly score card
reviews."
Ranking member Rep. William Lacy Clay, (D-Mo.) asked Cooper how the
architecture might address cultural issues among agencies.
"The enterprise architecture is actually an objective way of taking
the emotional element out," Cooper said. "The enterprise
architecture, being devoid of emotion, actually can objectively document
'Here is where we are trying to automate or improve.' We don't eliminate
or negate culture, but we allow all of us to have a common frame of
reference."
*******************************
Federal Computer Week
House passes P2P security bill
BY Diane Frank
Oct. 8, 2003
The House today approved the Government Network Security Act (H.R. 3159),
a bill intended to protect sensitive data on government computers from
security threats posed by peer-to-peer file swapping.
Reps. Tom Davis (R-Va.) and Henry Waxman (D-Ca.), chairman and ranking
member of the House Government Reform Committee, respectively, introduced
the bill last month to address the increase in file sharing within the
government. The bill now moves to the Senate.
While the entertainment industry is very concerned right now about the
legal issues surrounding file sharing, the bill does not look at whether
file sharing is good or bad. In fact, the technology "may turn out
to have a variety of beneficial applications," Davis said in a
statement. But it also provides a way to either take files from or add
worms or other malicious code to a government system, he said.
Under the legislation, agencies would be required to develop and
implement a procedure to specifically address the potential security and
privacy risks through both technical and nontechnical means, such as
better firewall controls and user training.
The plans must be in place within six months of the bill's being signed
into law and must be reviewed and revised after that. In addition, the
bill directs the General Accounting Office to conduct a review of the
adequacy of agencies' plans and submit a report to both the House
Government Reform Committee and the Senate Governmental Affairs
Committee.
*******************************
Government Computer News
10/08/03
DHS, allies seek to close the top 20 software holes
By Susan Menke
The Homeland Security Department today joined with its U.K. and Canadian
counterparts to promote universal closing of the top 20 software
vulnerabilities on the SANS Institute's annual list.
"We will only be successful through partnership," said Sallie McDonald,
DHS director of outreach for infrastructure protection, at the list's
unveiling in Washington.
McDonald joined Steve Cummings, director of the U.K. National
Infrastructure Security Coordination Centre and the Canadian Office of
Critical Infrastructure Protection and Emergency Preparedness in calling
on governments to "draw a line on the sand."
Allan Paller, research director of SANS in Bethesda, Md., said there has
been about 50 percent turnover in the top 20 list since last year.
One reason half the list remained the same, he said, is that "less than
50 percent of sites actually patch their known vulnerabilities."
On the current list, Microsoft Windows' top vulnerabilities were in the
company's Internet Information Services, Data Access Components, SQL
Server and Windows peer-to-peer file sharing software. "They are very
widely used and have multiple holes," Paller said.
On the Unix and Linux list, "the security systems are the ones with the
holes," he said. "Most sysadmins don't know that."
Paller recommended requiring vendors to keep systems free of those
vulnerabilities. He said the Virginia Polytechnic Institute and State
University in Blacksburg has altered 600 contracts to require vendors to
certify their products as free of the top 20 vulnerabilities.
Asked whether any federal agencies require similar assurances, McDonald
said, "There are no requirements in the federal environment. It's an
interesting idea." The Office of Management and Budget would establish
such requirements, she said.
Paller said that Sandia National Laboratories now requires that before
delivering software, vendors must configure it in accordance with
National Security Agency benchmarks.
"There has been a massive shift at Microsoft," Paller said, "mostly
caused by NSA." He cited automatic security patching of Windows XP and
2000, and Windows 2003's configuration to NSA's hardening guideline.
He also recommended what he called the Nancy Reagan rule: "Just say no"
to connecting a client if it doesn't meet minimum security standards.
A problem, Paller said, is that a lot of commercial software won't run in
a hardened environment. "That's the reason systems don't get patched."
In mentioning another security threat, Paller said that some spyware can
now capture words spoken in an office where a PC has a microphone.
SANS' annual list has been a joint effort of SANS and the FBI. Paller
said partnership couldn't continue this year because the FBI contingent
that had helped develop the list was absorbed into DHS. But, he promised,
"We will recreate that relationship."
*******************************
Government Computer News
10/08/03
House votes to restrict file sharing at agencies
By Jason Miller
The House today passed legislation that would require agencies to develop
policies to protect government systems from threats posed by peer-to-peer
file sharing programs.
Reps. Tom Davis (R-Va.) and Henry Waxman (D-Calif.), chairman and ranking
member respectively of the Government Reform Committee, introduced the
Government Network Security Act of 2003, HR 3159, late last month and
moved it through committee and the House in just two weeks.
"We learned that using these programs can be similar to giving a complete
stranger access to your personal file cabinet," Davis said. "Installing
these programs on government computers can cause sensitive information to
be exposed to the public. Because files are shared anonymously on
peer-to-peer networks, there is also a risk of the spread of viruses,
worms and other malicious computer files."
The bill would require each agency to develop and implement a plan to
protect its systems, incorporating technology, policy and training,
within six months of the bill's enactment. The comptroller general would
report to the House and Senate on the results of the plans within 18
months of enactment.
Peer-to-peer networking is a technology that lets users with common
software share files on their computers over proprietary networks or the
Internet, in effect turning each computer into a server. It has gained
its greatest notoriety in the distribution of copyrighted music, but it
can be used to share any type of digital material stored on a computer.
The bill would not outlaw peer-to-peer file sharing, but would restrict
its use.
"Innovations in peer-to-peer technology for government applications can
be pursued on intragovernmental networks that do not pose risks to
network security," it says.
There is no companion bill in the Senate, but Davis' staff is working to
get the Governmental Affairs Committee to introduce one of its own or
consider the House version, said David Marin, Davis' spokesman.
*******************************
Government Computer News
10/08/03
OMB directs agencies to post grants
By Jason Miller
GCN Staff
Starting Nov. 7, agencies will post all grant opportunity announcements
on www.grants.gov, the Office of Management and Budget directed today.
In a memo to agency executives, Linda Springer, OMB comptroller,
finalized the policy guidance outlining the data elements that agencies
must include in their grant announcements and instructing departments to
use only the portal.
The Health and Human Services Department developed grants.gov under the
E-Grants project.
The directive is part of OMB's implementation of the Federal Financial
Assistance Management Improvement Act of 1999, Springer said.
OMB issued the initial guidance in June and received comments from seven
agencies. The final directive requires agencies to provide potential
applicants with enough information about any funding opportunity to
decide whether to view the full announcement, with multiple ways to
obtain the full announcement and with one Web site that is searchable by
keyword, date, the Catalog of Federal Domestic Assistance or agency name.
Agencies must include 27 standard data elements, including federal agency
name, agency contact name, phone number and e-mail, type of funding
opportunity and expected number of awards, on all announcements, OMB
said.
*******************************
Washington Post
File-Sharing Services Have Plan to Pay
Group Says It Can Protect Music Industry
By Frank Ahrens
Thursday, October 9, 2003; Page E01
A group representing the Internet's most popular free music-sharing
service has come up with a business plan that it says would stop piracy
by allowing consumers to legally buy copyright-protected music, though
the music industry remains skeptical.
Distributed Computing Industry Association, a trade group formed in July
by the parent companies of song-sharing services Kazaa and Altnet, rolled
out the plan at its Arlington headquarters yesterday, saying it could
earn the music industry up to $900 million per month in Internet music
sales.
The group characterized the plan as a starting point for peacemaking
discussions with a music industry hostile toward free file-sharing Web
sites, which it says rob musicians and record labels of billions of
dollars in royalties and revenue they would otherwise get through music
sales.
The trade group said its plan would work only if it were joined by other
file-sharing sites, such as Grokster and Morpheus -- which have formed
their own trade group -- the music industry and Internet service
providers, or ISPs. The music industry's trade group, the Recording
Industry Association of America (RIAA), has waged a legal campaign to
shut down free file-sharing sites such as Kazaa.
"We are in an earn-your-trust mode," said Marty Lafferty, chief
executive of the trade group. "This plan is kind of like looking at
a concept car at a car show," the first of three to five business
plans the group will roll out in coming months.
More than 4 million users per week employ Kazaa, many to illegally swap
copyrighted songs for free, the music industry says. The RIAA sued to
shutter Kazaa, as it did Napster in the past, but a federal court ruled
in April that Kazaa and other song-sharing Web sites are not responsible
for the actions of their users.
The trade group is meant to equally represent three interests --
file-sharing services such as Kazaa, content providers such as music
labels, and digital pipelines such as ISPs, Lafferty said. Thus far,
however, the only announced members are Kazaa and Altnet, the two
file-sharing services that funded the group's start-up.
The RIAA maintains it wants consumers to be able to legally buy digital
songs on the Internet, but it favors Web sites such as Apple's iTunes
music store, as opposed to peer-to-peer services such as Kazaa.
The plan from the trade group representing Kazaa and Altnet would roll
out in stages, starting with the record companies allowing their songs,
protected with copyright tools rendering them unlistenable, to be
distributed on networks such as Kazaa. Consumers would pay Kazaa to unzip
the copyright-protection shroud, enabling their computer to play the
song.
Later stages of the plan would shift the billing to Internet service
providers, which would be required to monitor which songs users are
listening to, raising potential privacy concerns and putting ISPs into a
business they may not want to enter.
"For us to somehow be responsible for monitoring and tracking every
download that might flow through our system is extremely unrealistic, and
the ISP would turn into the Internet police," said Sarah B. Deutsch,
associate general counsel for Verizon Communications Inc., the nation's
largest phone company and a top ISP. "And it would also create the
world's most complicated billing system."
The RIAA reacted coolly to the plan.
"It's nice to hear that a couple of the [peer-to-peer] services are
actually interested in finding a business solution," said RIAA
spokesman Jonathan Lamy. But "it is hard to take seriously proposals
to turn [peer-to-peer] systems into legitimate businesses when they
continue to induce users to violate the law and willfully refuse to use
available technologies to stop the rampant infringement of copyrighted
works on their networks."
Meanwhile, the name of Napster, the service that first popularized online
song swapping, will be revived today as a legal Internet music store that
will go head to head with such competitors as iTunes, the Associated
Press reported, citing sources familiar with the plans.
*******************************
USA Today
Disney aims to scare pirates, profit from technology
By Peter Henderson, Reuters
LOS ANGELES -- Hollywood's movie studios need to "scare the
heck" out of online digital pirates and embrace new technologies
like digital video recorders and video-on-demand to boost profits in a
rapidly changing media landscape, Walt Disney executives said
Wednesday.
Hollywood needs to provide consumers with new ways to buy what they want,
and the studios must find digital locks on entertainment content to bar
people who don't pay, said Disney Chief Operating Officer Bob Iger in a
Webcast at the launch of a new ride, Mission: Space, at Walt Disney World
in Florida.
"The value of the content you are putting out there is likely
increased by technology and a greater ability to reach consumers,"
added Tom Staggs, Disney's chief financial officer.
"It doesn't mean that the business models are going to stay the
same, and there are challenges to adapting those business models to take
into account how you reap the value of that programming," he
said.
The comments come as investors grow increasingly concerned that digital
pirates will swap movies online for free, thereby hurting profits the way
the pirates have weakened music sales.
Digital video recorders are challenging old business models that rely on
advertising, and video-on-demand, which lets viewers watch a program
whenever they like, is upsetting the way movies and TV shows are
distributed to paying customers.
In particular, Disney executives are talking among themselves and
approaching advertising agencies about how to deal with digital video
recorders that store programs on a computer hard drive and let viewers
speed through or skip commercials, Iger said.
Disney recently launched a service, MovieBeam, that offers home viewers a
self-updating cache of 100 movies for rental and self-destructing DVDs
that only work for 48 hours. Disney, too, has expanded its Internet movie
offerings.
Critics have said some of Disney's efforts may fail to catch fire, but
Disney generally believes they cost little to try and offer an array of
choices that could hit big with consumers.
"We are going to try a lot of new technologies ... and not just make
the product available in one window (of time) in one form," Iger
said.
But he also said that studios needed to standardize digital rights
management to keep control of their movies, educate consumers on the
illegality of copyright infringement, and strip anonymity from Internet
file sharing.
"I realize that there are a lot of concerns regarding privacy in
this regard, invading people's homes and their home PCs, but at some
point we've got to somehow ... scare the heck out of these people that
they could get caught," Iger said.
*******************************
USA Today
Hacker victim files lawsuit blaming Microsoft security
By Byron Acohido, USA TODAY
Posted 10/7/2003 11:59 PM
An Emmy-winning film producer whose life was disrupted after hackers
stole her Social Security number has become the champion for computer
users frustrated by software security breaches.
Marcy Levitas Hamilton, 51, CEO of TriCoast Studios, sued Microsoft last
week in an attempt to hold it responsible for damage stemming from
security flaws in its software. "My hope is that ... we can wake up
companies and compel them to take responsibility for safeguarding their
customers," Hamilton says.
Designed to form the basis of a class action, Hamilton's
first-of-its-kind complaint argues that the majority of cyberattacks
trace back to vulnerabilities in Microsoft software. It further alleges
that Microsoft's disclaimers, which absolve it from any responsibility
for security flaws, constitute an unfair business practice under
California law, because consumers have little choice but to use Microsoft
products.
"This is the first time Microsoft has had its feet held to the fire
on security issues," says Richard M. Smith, an Internet security and
privacy consultant.
The lawsuit is expected to heat up debate about whether the software
industry should be held to the same standard of liability as other
companies, such as carmakers. The result could be to make software more
secure and expensive, computer security experts say. "It's
obvious Microsoft does not bear 100% of the responsibility ... but it's
just as obvious that it doesn't bear 0%," Bruce Schneier at
Counterpane Internet Security, told Reuters.
Earlier this year, hackers swiped Hamilton's Social Security number. Bank
accounts were accessed and frozen. During a business trip to Australia,
Hamilton racked up a $1,700 phone bill trying to untangle the mess.
"They completely cannibalized her life," says Dana Taschner,
Hamilton's attorney.
Taschner must next persuade a Los Angeles judge to certify the lawsuit as
a class action, with any remedies generally applying to all PC users hurt
by security flaws in Microsoft software. Depending on how the case plays
out, that could cover tens of thousands of home users and business owners
victimized by online thieves as well as computer viruses, Taschner
says.
Microsoft will defend itself, says spokesman Sean Sundwall.
"This complaint misses the point," he says. "The problems
caused by viruses and other security attacks are the result of criminal
acts."
*******************************
USA Today
Voters skeptical of e-voting systems
By Rachel Konrad, Associated Press
Posted 10/8/2003 6:51 PM
OAKLAND -- With a disgruntled sigh, Charles Coffey slapped a red,
white and blue "I voted today" sticker on his T-shirt after
voting at a firehouse. He wasn't sure, though, whether his computer-cast
ballot counted.
Though he had no evidence, Coffey was suspicious that the touch-screen
voting computer could have been rigged to vote "yes" on the
recall while recording the Democrat as voting for Republican winner
Arnold Schwarzenegger.
"I have no confidence at all in electronic voting," the
54-year-old real estate investor said. "I have no confidence in any
voting system after what happened in Florida."
Coffey had a chorus of company this week in Alameda County, one of the
nation's largest to swap paper ballots in favor of touch-screen
terminals. His cynicism may resonate with voters nationwide as some
computer scientists cast doubt on popular touch-screen systems.
"The companies that run this software aren't smart enough to compete
against an 8-year-old hacker," said Shawn Taylor, a 31-year-old
writer in Oakland. "As soon as my vote leaves the screen, someone
with an agenda can manipulate it."
Counties nationwide are switching to touch-screens to comply with new
federal law requiring upgrades from punch-card systems to get federal
funds.
Elections officials and vendors say the systems are safe, speed lines at
the polls and save hundreds of thousands of dollars.
But new research from computer scientists on the theoretical dangers of
electronic voting seemed to fan emotions over the recall despite no
reported cases of fraud and no demand for a recount in the California
recall election.
"They're unfairly eroding people's faith in voting," Mark
Radke, director of the voting industry division of Ohio-based Diebold,
said of the scientists. Diebold sold Alameda 4,000 touch-screens and has
installed 50,000 nationwide.
Sharon Golden, 45, a floral designer from Riverside, said the electronic
voting system gave her confidence her vote was being counted instantly.
"I thought it was a lot better than the punching," Golden said
Wednesday. "After you voted it plugged everything in, your whole
ballot, and then it said push this button and your vote will be counted,
so your vote was counted right away."
But Bev Harris, author of Black Box Voting: Ballot Tampering in the 21st
Century, which debuted last week online, has documented more than 100
incidents of computer miscounts from Georgia to Washington state. Harris
said voters shouldn't presume their votes are cast properly.
According to a study in July by Johns Hopkins and Rice universities, any
clever hacker could break into Diebold's system and vote multiple times.
Researchers also found that hackers or insiders could fix the outcome.
David Dill, a computer science professor at Stanford University and a
leading skeptic of electronic voting, last week urged voters in Alameda
and three other California counties using touch-screen terminals to vote
with paper absentee ballots counted by an older method known as optical
scan.
Numerous voters said Tuesday they'd feel more comfortable if the
computers spit out receipts confirming that paper results match their
touch-screen choices.
"I'd love it if the computer could give me a piece of paper,"
said Berkeley resident Carol Jacobson, 46. "I wonder where the votes
go once you touch the screen and if it's possible to mess with the
vote."
Black Box Voting has a Web site at blackboxvoting.com.
*******************************