
Clips October 9, 2003


ARTICLES

U.K. looking to Linux with help from IBM
Multinational consensus pegs top 20 net vulnerabilities
The science gap
Top FBI Counterterror Official Announces Retirement
DHS finishes architecture 1.0
DHS, allies seek to close the top 20 software holes
House votes to restrict file sharing at agencies [P2P]
File-Sharing Services Have Plan to Pay
Hacker victim files lawsuit blaming Microsoft security
Voters skeptical of e-voting systems

*******************************
CNET News.com
U.K. looking to Linux with help from IBM
Last modified: October 8, 2003, 1:28 PM PDT
By Michael Kanellos

The British government and IBM are kicking off nine Linux test programs in an effort to see how much money government agencies can save by switching to open-source software.

IBM also announced that it is setting up a Linux competency center in Moscow in conjunction with the Russian government and local universities to examine how Linux can be used in the region.

The two announcements build on the momentum Linux is currently enjoying in the public sector. In May, the city of Munich agreed to replace 14,000 Windows desktops with Linux-based PCs. Open-source rumblings are also being heard in Korea, China, India and the United States. Open-source software, advocates say, can cut costs and ease software licensing and management hassles.

Microsoft, Sun Microsystems and other proprietary software developers, however, argue that the cost savings are often exaggerated. Because of the recent lawsuits filed by SCO, Linux could open up users to legal liability, some have said. Intellect, a trade group partly backed by Microsoft, issued a report saying that Linux could bring anarchy to U.K. government agencies.

The British Linux effort follows in the same general footsteps as recent moves in Germany, said Adam Jollans, Linux strategy manager at IBM. The German government first conducted test programs and then two years later began deploying Linux.

The pilot programs "will provide data for the government agencies," Jollans said.

Last year, the Office of Government Commerce (OGC), the procurement and standards arm of the British government, and the Office of the e-Envoy told agencies that they could begin to install open-source software. Some projects are already under way.

"This builds upon our commitment to create a level playing field between open-source software from a range of suppliers and proprietary software within government procurement," OGC Chief Executive Peter Gershon said in a statement.

The nine pilot projects will be implemented in a variety of government agencies, including the Office of the Deputy Prime Minister, the Office of the e-Envoy and the Powys Borough Council.

Jollans could not state exactly how Linux will be used but said that agencies are looking at using it in both servers and desktops. So far, Linux has largely been a server phenomenon.

"The desktop conversation is definitely happening," Jollans said.

The Russian center will primarily function to educate local agencies about Linux and how it can be used in different environments. IBM has set up similar centers on Wall Street, in the United Kingdom and in the Middle East.
*******************************
Computerworld
Multinational consensus pegs top 20 net vulnerabilities
Experts from the U.S., Canada, the U.K., Singapore and Brazil name the top Windows, Unix and Linux flaws.
Story by Dan Verton

OCTOBER 08, 2003 ( COMPUTERWORLD ) - WASHINGTON -- The U.S. Department of Homeland Security, along with its Canadian and British counterparts and the SANS Institute, today released a list of the 20 security vulnerabilities most often exploited by criminal hackers.
The creation of the Top 20 list of commonly exploited Windows, Unix and Linux flaws marks one of the first times that a multinational consensus has been reached on critical Internet vulnerabilities that must be fixed to meet a minimum level of security protection for computers connected to the Internet.

"Basing the Top 20 on a multinational government/industry consensus endows the list with more authority and makes it easy for each of our agencies to persuade owners and operators of the critical infrastructure to eliminate these vulnerabilities," said Steve Cummings, director of the U.K.'s National Infrastructure Security Co-ordination Centre, in a statement.

Sallie McDonald, director of outreach programs at the DHS, called the Top 20 project, "a useful example" of how the U.S. National Strategy for Securing Cyberspace is being implemented.

Alan Paller, director of research at SANS, said the list is a consensus of the knowledge of experts from around the world who are fighting cybercrime. In addition to contributors in the U.S., U.K. and Canada, experts from Singapore and Brazil also helped develop the list.

Paller said the security industry has put its support behind the Top 20 list. Two of the leading suppliers of vulnerability testing software, Qualys Inc. and Foundstone Inc., announced that their customers will be able to test for the top 20 vulnerabilities. Qualys is also offering a free network auditing service that lets anyone test Internet-connected systems for evidence of the vulnerabilities, Paller said.

"The list reflects the combined experience of many of the folks who have to clean up after attacks," said Paller. "It couldn't be developed by any individual organization because different sites face different automated and targeted attacks."

SANS started the process of issuing a Top 10 list of vulnerabilities three years ago, when it released its first list with the National Infrastructure Protection Center. The updated SANS Top 20 is actually a combination of two Top 10 lists: the 10 most commonly exploited vulnerable services in Windows and the 10 most commonly exploited vulnerable services in Unix and Linux.

"Although there are thousands of security incidents each year affecting these operating systems, the overwhelming majority of successful attacks target one or more of these 20 vulnerable services," according to the final consensus document.
*******************************
CNET News.com
Gartner echoes concerns on Microsoft reliance
Last modified: October 8, 2003, 4:59 PM PDT
By Robert Lemos

Exclusive reliance on Microsoft's Windows operating system could make companies vulnerable to greater damage during a cyberattack, according to an upcoming report from business-technology consultancy Gartner.

A draft copy of the Gartner research note seen by CNET News.com mirrors the conclusions of seven prominent security researchers, who released a paper stating that Microsoft's dominance in software could have serious consequences for national cybersecurity. The Gartner report is scheduled to be published Friday.

Both reports argue that allowing the bulk of information infrastructure to rely on a single code base--or monoculture--could result in a cascading failure, taking down large parts of the Internet in a manner similar to an electrical blackout. The research note focuses on a corporate--rather than national--scale, arguing that for companies, diversifying desktop operating systems could be a good defense against such catastrophe.

"The recent upsurge in malicious-code attacks that target Windows, which is used on more than 90 percent of enterprise desktops, highlights the urgent need for enterprises to improve the security and survivability of their personal computers," says the draft copy of the report.

"By spreading critical business functions across multiple desktop platforms," the report adds, "or by maintaining key operating groups on separate platforms, you can enhance your ability to keep at least some of your key personnel and processes functioning and communicating during an attack."

The paper is the first indication that corporate America may be lending credence to a position paper written by seven well-respected security researchers and released Sept. 24 by the Computer and Communications Industry Association, a noted Microsoft critic. A lawsuit that charges Microsoft with making computer users' personal data vulnerable was filed against the company a week later, on behalf of a victim of identity fraud. The suit extensively uses the report's conclusions in its arguments.

The advice to businesses also arrives as Linux, widely seen as the major competitor to Microsoft, is making inroads among companies and governments, despite recent research that found Windows still on top in server operating systems. The United Kingdom and Russia both signed Linux deals with IBM on Wednesday. The State of Massachusetts has adopted a policy that will make it more likely that open-source software, such as Linux, will be considered for government systems.

Putting all your PCs in one basket
The Gartner research note does not argue that Microsoft operating systems are inherently less secure, just that absolute reliance on only Windows computers could result in a major failure. The note points out that the danger of monocultures is well accepted: A forest that only has a single species of tree could likewise be destroyed by a single virus; a greater diversity of trees means that many will survive.

However, Bob Muglia, senior vice president of Microsoft's Enterprise Storage and Enterprise Management divisions, said he didn't buy the monoculture argument. Even diverse information systems have to communicate through common interfaces, opening them to broad attacks. Moreover, forcing a company to diversify means reducing efficiency.

"When you do that, you introduce a great deal of complexity and...make it harder for people to do their job on a day-to-day basis," Muglia said.

The Gartner research note agrees that diversity comes at a cost, but it adds that companies that were hit by the SQL Slammer and MSBlast worms may need to consider diversifying as an additional defense against future attacks. Gartner points to the quickening pace at which attacks are created from newly discovered vulnerabilities, predicting that 30 percent of attacks in 2006 will occur before companies can patch their systems, up from 15 percent in 2003.

"Simply patching will never be good enough," the draft report notes.

By diversifying, companies gain key benefits, Gartner says. Businesses will gain some immunity to the majority of viruses and worms that target Windows systems. Moreover, widespread adoption of alternative operating systems will increase competitive pressure on Microsoft, forcing the company to better secure its software.

Bruce Schneier, chief technology officer of network-monitoring company Counterpane Internet Security and one of the seven authors of the original monoculture paper, said Gartner's advice is a good sign and that though diversifying may involve some difficulties, it's worth it.

"We've always said it's a trade-off," Schneier said. "There are security benefits to a store of never letting customers inside, but the trade-off is unacceptable." The trick is finding an acceptable trade-off that improves security, Schneier said. "If people are finally saying that the security benefits are worth the trade-off, then that's a good thing."

However, Gartner warned its clients to do it right, or don't do it at all. Companies may stumble dealing with diversity on the desktop, the research note says. Noting that two-thirds of successful attacks take advantage of misconfigured systems, the report stresses that companies shouldn't diversify unless they can do so properly.

"Tight administration of a single operating system provides more security than sloppy administration of multiple operating systems," the draft report says.
*******************************
CNET News.com
Disgruntled Phillies fan arrested in hacking
Last modified: October 8, 2003, 10:55 PM PDT
By Reuters

Federal officers have arrested a Philadelphia Phillies fan in California on charges of hacking into computers and sending thousands of spam e-mails to sports reporters at two newspapers.

Allan Eric Carlson, 39, was arrested Tuesday by FBI agents at his home in the Los Angeles suburb of Glendale and charged with hacking, spoofing return addresses, launching spam attacks, and stealing identities by using fake e-mail addresses, the U.S. Attorney's Office said Wednesday.

He was released on $25,000 bail and ordered not to use the Internet, said Michael Levy, an assistant U.S. attorney in Philadelphia.

Carlson faces up to 471 years in prison and $117.25 million in fines.

Despite a competitive season, the Phillies failed to win a spot in Major League Baseball's championship playoffs. The spam messages were critical of Phillies management and the media, including one e-mail that had a subject line reading, "Corrupt Philly Media Keeps Phils in Cellar," according to the indictment.

Carlson used fake return addresses, belonging to sports reporters at the Philadelphia Inquirer and the Philadelphia Daily News, the indictment said.

Many of the spam messages bounced back to the reporters' e-mail accounts, crippling the servers where they were stored, according to the indictment.
*******************************
Boston Globe
The science gap
In 1995, a budget-cutting Republican Congress fired its science advisers for being too politicized and too slow. In an age of bioterror, climate change, and high-tech weaponry, we need them back.
By Chris Mooney, 10/5/2003

TWO YEARS AGO, as anthrax-laced letters arrived in Congress and at New York media offices, reliable scientific information was in short supply. With jittery Washingtonians popping Cipro and refusing to open the mail, the confusion among leading policy makers only worsened the general unease. In an embarrassing flub, Health and Human Services Secretary Tommy Thompson suggested that the nation's first anthrax victim may have fallen ill through drinking from a stream.

The press and members of Congress needed better scientific analysis -- and they found it, among other places, in two reports on weapons of mass destruction published in 1993 by the congressional Office of Technology Assessment (OTA). One report contained key facts about the number of spores required to produce inhalation anthrax. The other report estimated that given the proper weather conditions, the release of 100 kilograms of anthrax from a plane upwind of Washington could kill more people than a hydrogen bomb.

Faced with America's first major bioterrorism attack, why was Congress dusting off decade-old reports? OTA hadn't produced anything more recent because the agency, once dubbed Congress's "defense against the dumb," no longer existed. Soon after the "Gingrich revolution" of 1994 -- in a move that calls to mind current complaints over the Bush administration's approach to scientific advice -- incoming congressional Republicans dismantled their scientific advisory office. They denounced OTA for being too slow and (some added) suspect in its political orientation. Yet perhaps because OTA took its time, its exactingly prepared and heavily reviewed reports have aged very well.

OTA's 23-year body of work comprises some 750 reports and assessments on subjects ranging from acid rain to climate change to the use of polygraphs. "In the areas where I have expertise, I still look to a number of OTA reports as kind of being the state of the art," says Roger Pielke Jr., who studies climate change and space policy and heads the University of Colorado's Center for Science and Technology Policy Research.

In fact, some scientists are clamoring for OTA's return. The authors of a new anthology, "Science and Technology Advice for Congress" (Resources for the Future), outline a range of options for improving the science savvy of elected representatives, from simply resurrecting OTA to creating a similar organ in the General Accounting Office or Congressional Research Service. They also suggest increasing the role of the well-respected but undeniably slow-paced National Academy of Sciences.

Meanwhile, New Jersey's Democratic congressman Rush Holt, who happens to be a physicist, has introduced a bill to bring the OTA back. But so far, Holt says, "the Republicans have dug in their heels." John Feehery, a spokesman for House Speaker Dennis J. Hastert, confirms that the party has little interest in Holt's efforts. "In `95, when we took over," says Feehery, "we made a decision that that branch of government was not producing. There's no reason to think that it will start producing if it is re-created."

The case for OTA's reincarnation is fairly straightforward. When Congress debates the Bush administration's rejection of the Kyoto treaty to combat global warming or its explanation of the great blackout of 2003, partisan voices on all sides appeal to the authority of science. But what does the best science tell us? Members of Congress rarely have the ability or the time to inform themselves about technical issues. After the House of Representatives voted 265-162 to ban all cloning of human cells in 2001, Representative Peter Deutsch, a Florida Democrat, commented, "This is the least informed collectively that the 435 members of this body have ever been on any issue."

. . .

OTA was created in 1972, at a time of considerable public concern over the dangers of pollution, nuclear energy, and other technologies. Partisan tensions hobbled the office from the outset. Because Senator Edward Kennedy of Massachusetts had been OTA's chief sponsor, many on the right suspected the office of being a "happy hunting ground of Kennedy apparatchiks" and "liberal technocrats," as William Safire wrote in The New York Times in 1977.

Under the leadership of physicist Jack Gibbons, who ran OTA from 1979 to 1993, the office pursued a strategy of studied political neutrality, notes political scientist Bruce Bimber in his 1996 study of OTA, "The Politics of Expertise in Congress." This approach gradually won the support of key Republican allies. Still, when Ronald Reagan took office, the new administration endorsed "Fat City," a 1980 book by conservative journalist Donald Lambro that identified OTA as one of Washington's many wasteful programs.

But where OTA really crossed the Reagan administration was over the Strategic Defense Initiative (SDI), or "Star Wars." In a 1983 speech, the president called for a research and development program to determine ways of protecting the United States from nuclear missiles, with an emphasis on space-based laser technology. The Pentagon quickly got to work studying the feasibility of so-called ballistic missile defense systems.

But in a 1984 study authored by Ashton Carter, now a professor at Harvard's Kennedy School of Government, OTA warned that "a perfect or near-perfect defense" was an illusory goal that "should not serve as the basis of public expectation or national policy about ballistic missile defense." The report enraged the Pentagon, which asked to have it withdrawn. Instead, an OTA expert review confirmed the study's conclusions.

Still, few of OTA's reports made enemies the way the "Star Wars" studies did. Gibbons, who directed the office until becoming the Clinton administration's science adviser in 1993, insisted that each study provide Congress with a range of well-informed policy options to choose from. "OTA produced a body of scientific information from which, then, the politics could be argued," says Rosina Bierbaum, who headed OTA's climate-change project in the 1980s and now serves as dean of the University of Michigan's School of Natural Resources and Environment. "And now, it doesn't seem to me like there's any consensus body of information that the Congress accepts."

Before it was shuttered, OTA had come to be regarded by those who knew it well as a uniquely successful agency. "How to Revolutionize Washington with 140 People," read a lengthy 1989 Washington Monthly article that celebrated the clarity and surprising humanism of the OTA's reports. This flavor seems attributable to Gibbons, a folksy administrator who ran OTA more like a university and was prone to quoting the Edna St. Vincent Millay poem "Huntsman, What Quarry?", which reads in part, "Wisdom enough to leech us of our ill/Is daily spun, but there exists no loom/To weave it into fabric." For Gibbons, OTA's mission was to weave what scientists know into a fabric that policy makers could use.

But the Republicans who swept into Congress in 1994 saw things differently. OTA became a "sacrificial victim," says Henry Kelly, president of the Federation of American Scientists, because the new Congress wanted to show its willingness to make budget cuts in its own house.

According to Newt Gingrich's current spokesman Rick Tyler, the then-House Speaker also felt the OTA's analyses tilted to the left: "In some cases it was politicized work." Republican congressman Amo Houghton of New York nonetheless led an almost-successful fight to save the agency under the slogan "You don't cut the future." Today, Houghton says that cutting the agency was "dumb." He adds, "It was not that much money, and they were just looking for sort of symbolic targets."

. . .

Those hoping to revive OTA face a political bind. Most advocates believe the most sensible option would be to create a new office modeled closely on its predecessor. But Michigan congressman Vernon Ehlers, another pro-OTA Republican and a physicist, says that as long as his party retains control of Congress, "reconstructing OTA as it was has zero chance of becoming law."

This should not come as a surprise. In November 2001, the Chronicle of Higher Education ran a lengthy article on "the waning influence of scientists on national policy." The Chronicle cited the already dramatic rifts between the Bush administration and the majority of scientists on stem cells, climate change, and missile defense. The article did not note, however, that Bush's science adviser, physicist John Marburger, had by then been demoted from the position of "assistant to the president" -- a title that Bush's father first bestowed upon his own science adviser -- or that the agency Marburger headed, the Office of Science and Technology Policy, was moved out of the White House's executive office building shortly after 9/11. (OSTP spokeswoman Kathryn Harrington maintains that this does not represent a decrease in the office's influence.)

In the past year, major newspapers have reported on the politicization of the scientific advisory panels appointed by the executive branch in areas ranging from reproductive health to the environment. In the journal Science, editor-in-chief Donald Kennedy responded with an editorial titled "An Epidemic of Politics." In August, Democratic congressman Henry Waxman released a report listing alleged abuses of the scientific process and noting the "unprecedented criticism from the scientific community." The Bush administration, it concluded, "has repeatedly suppressed, distorted, or obstructed science to suit political and ideological goals."

Waxman's colleague Rush Holt calls the report "a polemic," but notes that it nevertheless contains "some striking examples of the misuse of science, and what might almost be taken as an anti-scientific attitude in some quarters of this administration."

Of course, the Bush administration hardly claims to be acting anti-scientifically; it simply defines science with reference to its own experts. John Graham, who runs the Bush administration's Office of Information and Regulatory Affairs in the Office of Management and Budget, is well-known for his belief that government regulations should be subjected to a stringent form of cost-benefit analysis. Although it has become a lightning rod for some environmental advocates, his approach has at least some admirers across the political spectrum.

In any case, debates on issues from global warming to stem cells might not divide so predictably along partisan lines if an authoritative agency once again offered its analyses or even suggested new policies. A new OTA would let legislators make up their minds on the basis of an accurate picture of the full state of scientific knowledge. Perhaps that's why the Federation of American Scientists' Henry Kelly says of bringing back OTA, "The necessity is so overwhelming that I would say over the long term, it will certainly happen."

Chris Mooney, a freelance writer living in Palo Alto, is writing a book about the politics of science in the Bush administration.
*******************************
Washington Post
Top FBI Counterterror Official Announces Retirement
Veteran's Departure, After Three Months on Job, Is the Latest in a String Since Attacks of Sept. 11
By Dan Eggen
Thursday, October 9, 2003; Page A11


The FBI's top counterterrorism official announced his retirement yesterday after just three months on the job, marking the latest in a wave of departures from the senior ranks of the FBI since the Sept. 11, 2001, attacks.

Larry Mefford, a 24-year FBI veteran who became executive assistant director for counterterrorism and counterintelligence in July, will leave at the end of the month to take a top security job for a large casino firm in Las Vegas, FBI officials said.

Mefford is the third person in the past 18 months to hold that position, which FBI Director Robert S. Mueller III created to oversee terrorism and intelligence investigations. All the senior posts at the FBI have turned over at least once since the Sept. 11 attacks.

The steady stream of departures has left the bureau "extremely thin in the experience department," one FBI official acknowledged yesterday. The bureau has struggled to hold on to personnel amid grueling hours, intensive congressional scrutiny and a dramatic effort to remake the FBI into an agency focused on preventing terrorism.

"These are just high-burnout jobs," said Robert Blitzer, a former FBI counterterrorism official who has worked with Mefford and others who have left in recent months. "The pressure is incredible, given everything that's going on around the world. You can only take that pounding, emotionally, for so long."

One FBI official said that Mefford, 53, left in part because of family ties in Nevada and because of the lucrative offer to be a top security official at the company controlled by casino magnate Steve Wynn.

Mefford declined to comment through the FBI press office.

Mefford joined the FBI in 1979 and worked at field offices in Sacramento, Los Angeles, Minneapolis, San Diego and San Francisco before coming to FBI headquarters to work on weapons of mass destruction issues and to oversee establishment of a new cybercrime division. He took over the counterterrorism division last November before being named to his current post.

In a statement, Mueller called Mefford "one of the most experienced leaders in the FBI and in the law enforcement community." No replacement was immediately named.
*******************************
Federal Computer Week
DHS finishes architecture 1.0
BY Sara Michael
Oct. 8, 2003

Homeland Security Department officials have completed the first version of their enterprise architecture, and are using it to guide development and consolidation efforts.

"We have completed the first version of our target architecture and we are already beginning to implement the objectives of our [enterprise architecture] transitional strategy," DHS chief information officer Steve Cooper told lawmakers today.

The architecture has allowed officials to identify the projects inherited when 22 agencies merged to form the department. Officials can then look for areas of possible consolidation. For example, they have identified 300 applications for performing back-office functions, and now they can stop some of the redundant solutions, Cooper said. The principle, he said, was to simplify.

"We can begin to move from many -- in this case 300 -- down to some sizable number," Cooper said, testifying before the House Government Reform Committee's Technology, Information Policy, Intergovernmental Relations and the Census Subcommittee.

Developing the initial architecture took officials less than four months, which Cooper called "unique in the federal government." More detailed versions will follow.

The current architecture lacks depth, Cooper told lawmakers, but officials have already begun work on a second to fill in the gaps and detail more systems and projects. Cooper called the approach "an inch deep and a mile wide," working down from DHS' overall mission. Officials have also identified about a dozen "quick hit" projects, which they have already begun to consolidate, such as e-training and network integration.

The department's architecture is aligned with the federal enterprise architecture, which provides guidance to all agencies for developing their architectures. The Office of Management and Budget, which spearheads the federal effort, will work closely with DHS, said Karen Evans, recently appointed as OMB's administrator for e-government and information technology.

"It is the intention of OMB through budget guidance to align their efforts with" federal enterprise architecture, Evans told lawmakers at the hearing. When questioned by Rep. Adam Putnam (R-Fla.), subcommittee chair, whether there has been talk of holding up spending on projects if the architecture is not followed, Evans said she would have to get back to the panel with an answer.

"Primarily, it will be using the existing processes in place," she said, referring to the budget guidance. "Ensuring progress is made is happening through the quarterly score card reviews."

Ranking member Rep. William Lacy Clay, (D-Mo.) asked Cooper how the architecture might address cultural issues among agencies.

"The enterprise architecture is actually an objective way of taking the emotional element out," Cooper said. "The enterprise architecture, being devoid of emotion, actually can objectively document 'Here is where we are trying to automate or improve.' We don't eliminate or negate culture, but we allow all of us to have a common frame of reference."
*******************************
Federal Computer Week
House passes P2P security bill
BY Diane Frank
Oct. 8, 2003

The House today approved the Government Network Security Act (H.R. 3159), a bill intended to protect sensitive data on government computers from security threats posed by peer-to-peer file swapping.

Reps. Tom Davis (R-Va.) and Henry Waxman (D-Ca.), chairman and ranking member of the House Government Reform Committee, respectively, introduced the bill last month to address the increase in file sharing within the government. The bill now moves to the Senate.

While the entertainment industry is very concerned right now about the legal issues surrounding file sharing, the bill does not look at whether file sharing is good or bad. In fact, the technology "may turn out to have a variety of beneficial applications," Davis said in a statement. But it also provides a way to either take files from or add worms or other malicious code to a government system, he said.

Under the legislation, agencies would be required to develop and implement a procedure to specifically address the potential security and privacy risks through both technical and nontechnical means, such as better firewall controls and user training.

The plans must be in place within six months of the bill's being signed into law and must be reviewed and revised after that. In addition, the bill directs the General Accounting Office to conduct a review of the adequacy of agencies' plans and submit a report to both the House Government Reform Committee and the Senate Governmental Affairs Committee.
*******************************
Government Computer News
10/08/03
DHS, allies seek to close the top 20 software holes
By Susan Menke

The Homeland Security Department today joined with its U.K. and Canadian counterparts to promote universal closing of the top 20 software vulnerabilities on the SANS Institute?s annual list.

"We will only be successful through partnership," said Sallie McDonald, DHS director of outreach for infrastructure protection, at the list's unveiling in Washington.

McDonald joined Steve Cummings, director of the U.K. National Infrastructure Security Coordination Centre and the Canadian Office of Critical Infrastructure Protection and Emergency Preparedness in calling on governments to "draw a line on the sand."

Allan Paller, research director of SANS in Bethesda, Md., said there has been about 50 percent turnover in the top 20 list since last year.

One reason half the list remained the same, he said, is that "less than 50 percent of sites actually patch their known vulnerabilities."

On the current list, Microsoft Windows' top vulnerabilities were in the company's Internet Information Services, Data Access Components, SQL Server and Windows peer-to-peer file sharing software. "They are very widely used and have multiple holes," Paller said.

On the Unix and Linux list, "the security systems are the ones with the holes," he said. "Most sysadmins don't know that."

Paller recommended requiring vendors to keep systems free of those vulnerabilities. He said the Virginia Polytechnic Institute and State University in Blacksburg has altered 600 contracts to require vendors to certify their products as free of the top 20 vulnerabilities.

Asked whether any federal agencies require similar assurances, McDonald said, "There are no requirements in the federal environment. It's an interesting idea." The Office of Management and Budget would establish such requirements, she said.

Paller said that Sandia National Laboratories now requires that before delivering software, vendors must configure it in accordance with National Security Agency benchmarks.

"There has been a massive shift at Microsoft," Paller said, "mostly caused by NSA." He cited automatic security patching of Windows XP and 2000, and Windows 2003's configuration to NSA's hardening guideline.

He also recommended what he called the Nancy Reagan rule: "Just say no" to connecting a client if it doesn't meet minimum security standards.

A problem, Paller said, is that a lot of commercial software won't run in a hardened environment. "That's the reason systems don't get patched."

In mentioning another security threat, Paller said that some spyware can now capture words spoken in an office where a PC has a microphone.

SANS' annual list has been a joint effort of SANS and the FBI. Paller said the partnership couldn't continue this year because the FBI contingent that had helped develop the list was absorbed into DHS. But, he promised, "We will recreate that relationship."
*******************************
Government Computer News
10/08/03
House votes to restrict file sharing at agencies
By Jason Miller

The House today passed legislation that would require agencies to develop policies to protect government systems from threats posed by peer-to-peer file sharing programs.

Reps. Tom Davis (R-Va.) and Henry Waxman (D-Calif.), chairman and ranking member respectively of the Government Reform Committee, introduced the Government Network Security Act of 2003, HR 3159, late last month and moved it through committee and the House in just two weeks.

"We learned that using these programs can be similar to giving a complete stranger access to your personal file cabinet," Davis said. "Installing these programs on government computers can cause sensitive information to be exposed to the public. Because files are shared anonymously on peer-to-peer networks, there is also a risk of the spread of viruses, worms and other malicious computer files."

The bill would require each agency to develop and implement a plan to protect its systems, incorporating technology, policy and training, within six months of the bill's enactment. The comptroller general would report to the House and Senate on the results of the plans within 18 months of enactment.

Peer-to-peer networking is a technology that lets users with common software share files on their computers over proprietary networks or the Internet, in effect turning each computer into a server. It has gained its greatest notoriety in the distribution of copyrighted music, but it can be used to share any type of digital material stored on a computer.

The bill would not outlaw peer-to-peer file sharing, but would restrict its use.

"Innovations in peer-to-peer technology for government applications can be pursued on intragovernmental networks that do not pose risks to network security," it says.

There is no companion bill in the Senate, but Davis' staff is working to get the Governmental Affairs Committee to introduce one of its own or consider the House version, said David Marin, Davis' spokesman.
*******************************
Government Computer News
10/08/03

OMB directs agencies to post grants

By Jason Miller
GCN Staff

Starting Nov. 7, agencies will post all grant opportunity announcements on www.grants.gov, the Office of Management and Budget directed today.

In a memo to agency executives, Linda Springer, OMB comptroller, finalized the policy guidance outlining the data elements that agencies must include in their grant announcements and instructing departments to use only the portal.

The Health and Human Services Department developed grants.gov under the E-Grants project.

The directive is part of OMB's implementation of the Federal Financial Assistance Management Improvement Act of 1999, Springer said.

OMB issued the initial guidance in June and received comments from seven agencies. The final directive requires agencies to provide potential applicants with enough information about any funding opportunity to decide whether to view the full announcement, with multiple ways to obtain the full announcement and with one Web site that is searchable by keyword, date, the Catalog of Federal Domestic Assistance or agency name.

Agencies must include 27 standard data elements, including federal agency name, agency contact name, phone number and e-mail, type of funding opportunity and expected number of awards, on all announcements, OMB said.
*******************************
Washington Post
File-Sharing Services Have Plan to Pay
Group Says It Can Protect Music Industry
By Frank Ahrens
Thursday, October 9, 2003; Page E01

A group representing the Internet's most popular free music-sharing service has come up with a business plan that it says would stop piracy by allowing consumers to legally buy copyright-protected music, though the music industry remains skeptical.

Distributed Computing Industry Association, a trade group formed in July by the parent companies of song-sharing services Kazaa and Altnet, rolled out the plan at its Arlington headquarters yesterday, saying it could earn the music industry up to $900 million per month in Internet music sales.

The group characterized the plan as a starting point for peacemaking discussions with a music industry hostile toward free file-sharing Web sites, which it says rob musicians and record labels of billions of dollars in royalties and revenue they would otherwise get through music sales.

The trade group said its plan would work only if it were joined by other file-sharing sites, such as Grokster and Morpheus -- which have formed their own trade group -- the music industry and Internet service providers, or ISPs. The music industry's trade group, the Recording Industry Association of America (RIAA), has waged a legal campaign to shut down free file-sharing sites such as Kazaa.

"We are in an earn-your-trust mode," said Marty Lafferty, chief executive of the trade group. "This plan is kind of like looking at a concept car at a car show," the first of three to five business plans the group will roll out in coming months.

More than 4 million users per week employ Kazaa, many to illegally swap copyrighted songs for free, the music industry says. The RIAA sued to shutter Kazaa, as it did Napster in the past, but a federal court ruled in April that Kazaa and other song-sharing Web sites are not responsible for the actions of their users.

The trade group is meant to equally represent three interests -- file-sharing services such as Kazaa, content providers such as music labels, and digital pipelines such as ISPs, Lafferty said. Thus far, however, the only announced members are Kazaa and Altnet, the two file-sharing services that funded the group's start-up.

The RIAA maintains it wants consumers to be able to legally buy digital songs on the Internet, but it favors Web sites such as Apple's iTunes music store, as opposed to peer-to-peer services such as Kazaa.

The plan from the trade group representing Kazaa and Altnet would roll out in stages, starting with the record companies allowing their songs, protected with copyright tools rendering them unlistenable, to be distributed on networks such as Kazaa. Consumers would pay Kazaa to unzip the copyright-protection shroud, enabling their computer to play the song.

Later stages of the plan would shift the billing to Internet service providers, which would be required to monitor which songs users are listening to, raising potential privacy concerns and putting ISPs into a business they may not want to enter.

"For us to somehow be responsible for monitoring and tracking every download that might flow through our system is extremely unrealistic, and the ISP would turn into the Internet police," said Sarah B. Deutsch, associate general counsel for Verizon Communications Inc., the nation's largest phone company and a top ISP. "And it would also create the world's most complicated billing system."

The RIAA reacted coolly to the plan.

"It's nice to hear that a couple of the [peer-to-peer] services are actually interested in finding a business solution," said RIAA spokesman Jonathan Lamy. But "it is hard to take seriously proposals to turn [peer-to-peer] systems into legitimate businesses when they continue to induce users to violate the law and willfully refuse to use available technologies to stop the rampant infringement of copyrighted works on their networks."

Meanwhile, the name of Napster, the service that first popularized online song swapping, will be revived today as a legal Internet music store that will go head to head with such competitors as iTunes, the Associated Press reported, citing sources familiar with the plans.
*******************************
USA Today
Disney aims to scare pirates, profit from technology
By Peter Henderson, Reuters
LOS ANGELES -- Hollywood's movie studios need to "scare the heck" out of online digital pirates and embrace new technologies like digital video recorders and video-on-demand to boost profits in a rapidly changing media landscape, Walt Disney executives said Wednesday.
Hollywood needs to provide consumers with new ways to buy what they want, and the studios must find digital locks on entertainment content to bar people who don't pay, said Disney Chief Operating Officer Bob Iger in a Webcast at the launch of a new ride, Mission: Space, at Walt Disney World in Florida.

"The value of the content you are putting out there is likely increased by technology and a greater ability to reach consumers," added Tom Staggs, Disney's chief financial officer.

"It doesn't mean that the business models are going to stay the same, and there are challenges to adapting those business models to take into account how you reap the value of that programming," he said.

The comments come as investors grow increasingly concerned that digital pirates will swap movies online for free, thereby hurting profits the way the pirates have weakened music sales.

Digital video recorders are challenging old business models that rely on advertising, and video-on-demand, which lets viewers watch a program whenever they like, is upsetting the way movies and TV shows are distributed to paying customers.

In particular, Disney executives are talking among themselves and approaching advertising agencies about how to deal with digital video recorders that store programs on a computer hard drive and let viewers speed through or skip commercials, Iger said.

Disney recently launched a service, MovieBeam, that offers home viewers a self-updating cache of 100 movies for rental and self-destructing DVDs that only work for 48 hours. Disney, too, has expanded its Internet movie offerings.

Critics have said some of Disney's efforts may fail to catch fire, but Disney generally believes they cost little to try and offer an array of choices that could hit big with consumers.

"We are going to try a lot of new technologies ... and not just make the product available in one window (of time) in one form," Iger said.

But he also said that studios needed to standardize digital rights management to keep control of their movies, educate consumers on the illegality of copyright infringement, and strip anonymity from Internet file sharing.

"I realize that there are a lot of concerns regarding privacy in this regard, invading people's homes and their home PCs, but at some point we've got to somehow ... scare the heck out of these people that they could get caught," Iger said.
*******************************
USA Today
Hacker victim files lawsuit blaming Microsoft security
By Byron Acohido, USA TODAY
Posted 10/7/2003 11:59 PM

An Emmy-winning film producer whose life was disrupted after hackers stole her Social Security number has become the champion for computer users frustrated by software security breaches.

Marcy Levitas Hamilton, 51, CEO of TriCoast Studios, sued Microsoft last week in an attempt to hold it responsible for damage stemming from security flaws in its software. "My hope is that ... we can wake up companies and compel them to take responsibility for safeguarding their customers," Hamilton says.

Designed to form the basis of a class action, Hamilton's first-of-its-kind complaint argues that the majority of cyberattacks trace back to vulnerabilities in Microsoft software. It further alleges that Microsoft's disclaimers, which absolve it from any responsibility for security flaws, constitute an unfair business practice under California law, because consumers have little choice but to use Microsoft products.

"This is the first time Microsoft has had its feet held to the fire on security issues," says Richard M. Smith, an Internet security and privacy consultant.

The lawsuit is expected to heat up debate about whether the software industry should be held to the same standard of liability as other companies, such as carmakers. The result could be to make software more secure -- and expensive, computer security experts say. "It's obvious Microsoft does not bear 100% of the responsibility ... but it's just as obvious that it doesn't bear 0%," Bruce Schneier at Counterpane Internet Security, told Reuters.

Earlier this year, hackers swiped Hamilton's Social Security number. Bank accounts were accessed and frozen. During a business trip to Australia, Hamilton racked up a $1,700 phone bill trying to untangle the mess. "They completely cannibalized her life," says Dana Taschner, Hamilton's attorney.

Taschner must next persuade a Los Angeles judge to certify the lawsuit as a class action, with any remedies generally applying to all PC users hurt by security flaws in Microsoft software. Depending on how the case plays out, that could cover tens of thousands of home users and business owners victimized by online thieves as well as computer viruses, Taschner says.

Microsoft will defend itself, says spokesman Sean Sundwall.

"This complaint misses the point," he says. "The problems caused by viruses and other security attacks are the result of criminal acts."
*******************************
USA Today
Voters skeptical of e-voting systems
By Rachel Konrad, Associated Press
Posted 10/8/2003 6:51 PM

OAKLAND -- With a disgruntled sigh, Charles Coffey slapped a red, white and blue "I voted today" sticker on his T-shirt after voting at a firehouse. He wasn't sure, though, whether his computer-cast ballot counted.
Though he had no evidence, Coffey was suspicious that the touch-screen voting computer could have been rigged to vote "yes" on the recall while recording the Democrat as voting for Republican winner Arnold Schwarzenegger.

"I have no confidence at all in electronic voting," the 54-year-old real estate investor said. "I have no confidence in any voting system after what happened in Florida."

Coffey had a chorus of company this week in Alameda County, one of the nation's largest to swap paper ballots in favor of touch-screen terminals. His cynicism may resonate with voters nationwide as some computer scientists cast doubt on popular touch-screen systems.

"The companies that run this software aren't smart enough to compete against an 8-year-old hacker," said Shawn Taylor, a 31-year-old writer in Oakland. "As soon as my vote leaves the screen, someone with an agenda can manipulate it."

Counties nationwide are switching to touch-screens to comply with new federal law requiring upgrades from punch-card systems to get federal funds.

Elections officials and vendors say the systems are safe, speed lines at the polls and save hundreds of thousands of dollars.

But new research from computer scientists on the theoretical dangers of electronic voting seemed to fan emotions over the recall despite no reported cases of fraud and no demand for a recount in the California recall election.

"They're unfairly eroding people's faith in voting," Mark Radke, director of the voting industry division of Ohio-based Diebold, said of the scientists. Diebold sold Alameda 4,000 touch-screens and has installed 50,000 nationwide.

Sharon Golden, 45, a floral designer from Riverside, said the electronic voting system gave her confidence her vote was being counted instantly.

"I thought it was a lot better than the punching," Golden said Wednesday. "After you voted it plugged everything in, your whole ballot, and then it said push this button and your vote will be counted, so your vote was counted right away."

But Bev Harris, author of Black Box Voting: Ballot Tampering in the 21st Century, which debuted last week online, has documented more than 100 incidents of computer miscounts from Georgia to Washington state. Harris said voters shouldn't presume their votes are cast properly.

According to a study in July by Johns Hopkins and Rice universities, any clever hacker could break into Diebold's system and vote multiple times. Researchers also found that hackers or insiders could fix the outcome.

David Dill, a computer science professor at Stanford University and a leading skeptic of electronic voting, last week urged voters in Alameda and three other California counties using touch-screen terminals to vote with paper absentee ballots counted by an older method known as optical scan.

Numerous voters said Tuesday they'd feel more comfortable if the computers spit out receipts confirming that paper results match their touch-screen choices.

"I'd love it if the computer could give me a piece of paper," said Berkeley resident Carol Jacobson, 46. "I wonder where the votes go once you touch the screen and if it's possible to mess with the vote."

Black Box Voting has a Web site at blackboxvoting.com.
*******************************