[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Clips October 21, 2003
- To: "Lillie Coney":;, Gene Spafford <spaf@xxxxxxxxxxxxxxxxx>;, John White <white@xxxxxxxxxx>;, Jeff Grove <jeff_grove@xxxxxxx>;, goodman@xxxxxxxxxxxxx;, David Farber <dave@xxxxxxxxxx>;, glee@xxxxxxxxxxxxx;, Andrew Grosso<Agrosso@xxxxxxxxxxxxxxxx>;, ver@xxxxxxxxx;, lillie.coney@xxxxxxx;, v_gold@xxxxxxx;, harsha@xxxxxxx;, KathrynKL@xxxxxxx;, computer_security_day@xxxxxxx;, waspray@xxxxxxxxxxx;, BDean@xxxxxxx;, mguitonxlt@xxxxxxxxxxx, sairy@xxxxxxxxx;
- Subject: Clips October 21, 2003
- From: Lillie Coney <lillie.coney@xxxxxxx>
- Date: Tue, 21 Oct 2003 12:15:32 -0400
Clips October 21,
2003
ARTICLES
U.S. lawmakers form antipiracy caucus
Lawmakers launch 'extensive review' of transportation security
Computer viruses rampant in China
Md. Democrats Want Outside Voting Machine Audit
NIST readies new security documents
Joint Chiefs will apply Clinger-Cohen to warfighting systems
First responders lack data-sharing tools, feds say
ISC opens Internet crisis center
Former White House cybersecurity czar calls for security audit
standards
Hill Hurrying to Renew Ban on Web-Access Taxes
Open source makes gain in Massachusetts
*******************************
CNET News.com
U.S. lawmakers form antipiracy caucus
Last modified: October 20, 2003, 5:17 PM PDT
By John Borland
Staff Writer, CNET News.com
A group of federal lawmakers aims to put more steam behind intellectual
property piracy issues online and offline, forming a new caucus to focus
on the issue.
Dubbed the Congressional International Anti-Piracy Caucus, the group will
officially launch Tuesday, joined by representatives from movie studios,
record labels and software industry trade associations.
The group also plans to unveil a "Piracy Watch List" for 2003,
which will focus on countries where sales of illegal copies of software
or entertainment products are common. This type of list has traditionally
been kept by the U.S. Trade Representative's office.
The group will be jointly headed by Sens. Gordon Smith, R-Ore., and Joe
Biden, D-Del., along with Reps. Bob Goodlatte, R-Virg., and Adam Schiff,
D-Calif.
Goodlatte in particular has been active on digital piracy issues,
drafting the 1997 No Electronic Theft (NET) Act to close what some saw as
loopholes in earlier copyright law in terms of file sharing on the
Internet. Some lawmakers, including Biden, have pressed the U.S.
Department of Justice to use that law to prosecute people who swap
copyrighted music, software and movies on networks such as Kazaa.
However, the new group will primarily focus on international issues
rather than domestic piracy concerns, a Goodlatte spokeswoman said.
*******************************
Government Executive
October 20, 2003
Lawmakers launch 'extensive review' of transportation security
By Chris Strohm
cstrohm@xxxxxxxxxxx
The House Government Reform Committee launched an "extensive
review" Monday into the operations of the Transportation Security
Administration, with a special emphasis on airline passenger screening.
The announcement comes after recent reports by the General Accounting
Office and Homeland Security Department that found problems with
passenger screening, as well as a security breach last week in which bags
containing box cutters and other suspicious items were found on two
Southwest Airlines planes.
"Despite significant seizures of prohibited items from passengers
going through TSA security checkpoints, [last] week's events highlight
possible weaknesses in the system which need to be addressed,"
committee Chairman Tom Davis, R-Va., said in an Oct. 18 letter to TSA
Administrator James Loy announcing the review.
The committee has begun its review by asking TSA for specific information
about screening procedures, including: a written overview of testing
procedures and training criteria used to certify screeners, information
relating to the annual screener certification program, performance
measures for all contractors hired to conduct screening testing and
training, an explanation of the command structure for each passenger
screening checkpoint, and information relating to TSA's program for
covert testing of screening operations.
Davis said recent reports by GAO and the inspector general of the
Homeland Security Department found "significant weaknesses in the
testing and training procedures for TSA airport screeners." The GAO
report cited deficient supervisory training programs and a failure to
collect adequate information on screener performance in detecting
prohibited objects, Davis said. The inspector general's investigation
reported that screener testing was designed to maximize the likelihood
that students would pass tests, rather than ensuring that competent and
well-trained employees were operating explosive detection systems.
TSA spokesman Darrin Kayser said the agency is "committed to
continuously improving our systems" and is "looking forward to
working with Congressman Davis and responding to all of his questions in
a timely manner." TSA has previously noted that it has a
multi-layered approach for aviation security, relying on multiple
detection systems. Loy told the House Government Reform Committee during
a hearing last week that transportation is "radically more
secure" today than before the Sept. 11 terrorist attacks.
Last Friday, TSA ordered a search of every commercial plane in the
country after the box cutters and other suspicious items were found in
the restrooms of two Southwest Airlines planes during routine maintenance
checks.
By the end of the day Friday, TSA and the FBI were questioning a
20-year-old college student, Nathaniel Heatwole, in connection with the
security breaches. According to a Monday Associated Press report,
Heatwole told authorities the first bag was carried onto a Southwest
plane at Raleigh-Durham International Airport on Sept. 12-the day after
the two-year anniversary of the 2001 terrorist attacks-and the second bag
was smuggled onto a Sept. 15 Southwest flight at Baltimore-Washington
International Airport. Notes inside each bag indicated the items were
intended to challenge TSA's checkpoint security procedures.
Heatwole, a junior at Guilford College in Greensboro, N.C., is from
Damascus, Md. He was scheduled to make an initial appearance in federal
court in Baltimore on Monday afternoon.
*******************************
BBC Online
Computer viruses rampant in China
Tuesday, 21 October, 2003, 08:56 GMT 09:56 UK
If you use a computer in China, the chances are that you have to do
battle with a virus sooner or later.
Official figures quoted by the Xinhua state news agency show that about
85% of computers were infected with a computer virus this year.
The main reason for the spread of the viruses was increasing use of the
internet and e-mail, said the survey.
The internet is hugely popular in China, with more than 68 million
internet users as of June.
No protection
The number of infected computers is based on a two-month survey conducted
in the middle of the year by officials of the Ministry of Public
Security.
The study cited computer viruses as the main threat to China's
information network security.
It said that most people were not aware of how to protect their machines
against viruses or did not use anti-virus software.
Instead the malicious programs were spreading as people downloaded files
from the internet or opened e-mail attachments.
One of the worst viruses to hit the country was the Sobig.F worm. It is
estimated to have infected as much as a third of the country's computers
in August.
China has one of the fastest growing internet populations of the world.
In 1997 just half a million had net access.
According to official figures, around 68 million people were online in
China by mid-2003, putting the world's most populous nation second behind
the United States in terms number of people on the net.
*******************************
Washington Post
Md. Democrats Want Outside Voting Machine Audit
By Nelson Hernandez and Lori Montgomery
Tuesday, October 21, 2003; Page B01
Democratic legislative leaders called yesterday for independent auditors
to study problems with Maryland's voting machines, saying they do not
trust Republican Gov. Robert L. Ehrlich Jr. to resolve the matter on his
own.
In a letter to the director of the Maryland Department of Legislative
Services, Sen. Paula C. Hollinger (D-Baltimore County) and Del. Sheila
Ellis Hixson (D-Montgomery) asked that the agency examine a report issued
in September by Science Application International Corp. on security
weaknesses in a new computerized voting system the state is prepared to
purchase for $55.6 million.
The SAIC report on the system, developed by Diebold Elections Systems
Inc., found serious flaws that could allow tampering with election
results. The study was a response to a July report by Johns Hopkins
University computer scientist Aviel Rubin and colleagues who said the
voting system was vulnerable to manipulation.
The report led Diebold to tighten the security of its software, but
Democrats questioned the impartiality of SAIC, the research company
chosen by the Ehrlich administration. The San Diego-based firm has had a
standing contract with the state government since 2002 for information
technology consulting.
"We first want to know what's going on," said Hollinger, who
chairs the Senate committee that oversees electoral issues. "The
legislature has not been involved at all. Whether there's a problem or
not, the only way to determine it is we do it independently.
"Elections are for everybody, 'D's and 'R's and 'I's and everybody
else on the ballot. In the next election, everybody ought to feel it's
not influenced by partisanship."
To that end, Hollinger and Hixson asked the legislative agency to examine
the process used to select the firm to conduct the review of the Diebold
system and the Johns Hopkins report and to report on "the
professional credentials and organizational composition of SAIC to ensure
that the SAIC analysis was objective, balanced, impartial, and free of
outside influence or other conflicts."
Company officials referred all questions to Ehrlich's office, where a
spokesman said the governor welcomes the new report.
"We're confident in the SAIC review's findings," Henry Fawell
said.
In recent weeks, some Democrats have expressed concerns that the problems
with the voting machines would be used to drive out State Board of
Elections Administrator Linda H. Lamone, a Democrat appointed by
Ehrlich's predecessor, Parris N. Glendening (D), and replace her with a
Republican. Lamone was at a conference yesterday and could not be
reached.
Karl S. Aro, executive director of the Department of Legislative
Services, said that his agency would respond to the request, but he noted
that the deadline set for his report -- Jan. 12, near the start of the
legislative session -- might be too close.
"We will look at it," Aro said. "We'll see exactly what
they're asking us to do."
*******************************
Wired News
E-Vote Firms Seek Voter Approval
By Kim Zetter
02:00 AM Oct. 20, 2003 PT
David Allen of Plan Nine, publisher of Bev Harris' critical book <link
http://www.plan9.org/>
on the electronic voting industry, participated in the conference call
between the ITAA and voting machine companies after obtaining a password
from an industry insider who was concerned about the lobbying move.
Allen said an unidentified member of the ITAA said during the call that
he didn't want them to use the word "lobbying" in the plan out
of concern that it might sound to outsiders as if the e-voting industry
were in trouble and needed help to take care of its problems.
But the ITAA's Kerr said there was nothing unusual about the plan, which
also included a recommendation to adopt an industry code of ethics. He
said it resembled any other marketing plan adopted by trade associations
to serve members.
"It basically was just a standard trade association plan to address
issues in the marketplace that we saw," he said.
Kerr said discussions about the plan were preliminary and any decisions
would be announced by the industry once they are finalized.
Bill Stotesbery, director of marketing for voting machine vendor Hart
InterCivic, said members of his industry were surprised by the critical
reaction to the plan.
"The notion of companies working together in an association to work
on standards and communicate on issues like security, to try to shape
best practices, is nothing new," he said.
Critics like Allen have pointed out that the memo included a list of nine
goals, in which security improvements appeared only as No. 5 on the list,
below public relations and lobbying goals.
Stotesbery said the list was written by the ITAA to try to convince the
vendors to hire the organization to represent them. "It didn't
represent the opinions and positions of these companies," he said.
"It was trying to provide a framework for how to move forward.
"What the priorities are for the industry, or for individual
companies, have yet to be determined. It will be determined ... based
upon the things that appear to be most critical at any given time,"
he said.
According to Stotesbery, vendors are already addressing security issues
raised by critics.
"Nobody in the industry would argue that security is not a primary
objective.... It's not just the right thing to do, it's also increasingly
a market imperative."
He also said vendors are moving toward answering one of the biggest
requests critics have made to date.
"Every vendor in the industry is moving forward in being able to
offer a voter-verifiable paper ballot of some sort," he said. Three
companies make voting machines with a verifiable paper ballot, and Hart
InterCivic recently demonstrated its own model featuring such a function,
he said.
"I have no doubt that all systems will offer a voter-verifiable
paper ballot," Stotesbery said. "The capability to deliver that
functionality exists and will continue to improve."
Verified Voting's Dill was surprised at the announcement and called it
"an enlightened opinion."
"That's how I always hoped companies would respond," Dill said.
"It would be a very positive change to have companies try to develop
this feature, and if that's the ITAA's approach to restoring trust in the
election system, then that's the right approach."
Dill said, however, that the design of a voter-verified paper system is
not a trivial undertaking and that the usability and security aspects of
such a feature need to be thought through carefully so companies design
systems under standards that meet both these criteria.
"There are right ways and wrong ways to do it," he said.
"I hope the industry will engage in open discussions with
knowledgeable computer scientists about what the best standards for
verified voting systems would be."
*******************************
Government Computer News
NIST readies new security documents
By Patricia Daukantas
A new National Institute of Standards and Technology method for
categorizing security risk levels of federal systems is on the cusp of
final approval.
The first public draft of the minimum security requirements for systems
in new risk categories will be released in a couple of weeks, project
manager Ron Ross said yesterday at an enterprise architecture conference
in Vienna, Va.
Federal Information Processing Standard 199 ranks systems as low, medium
and high risk in the categories of confidentiality, availability and
integrity, Ross said. The standard will assist the reporting of security
policy effectiveness to the Office of Management and Budget, which
governs enterprise architecture issues.
Special Publication 800-53, which will specify the baseline security
requirements that go with the FIPS security assessments, draws on many
sources from Defense and civilian agencies and the International
Standards Organization, Ross said.
The Federal Information Security Management Act of 2002 mandated the new
FIPS.
The Open Group of San Francisco, a vendor consortium that promotes Unix
interoperability standards, sponsored the conference.
*******************************
Government Computer News
10/21/03
Joint Chiefs will apply Clinger-Cohen to warfighting systems
By Jason Miller
HERSHEY, Pa.In a change of policy, the Joint Chiefs of Staff will apply
the IT management practices of the Clinger-Cohen Act to warfighting
systems.
Lt. General Robert Shea, director of command, control, communications and
computer systems for the Joint Staff, yesterday said there needs to be
more management discipline and a new focus on developing capabilities
instead of applications for weapons systems.
Shea said the Joint Staff and Defense Department chieftains are working
on a policy directive for release by the end of the month that will
require warfighting systems to incorporate Clinger-Cohen practices. The
law, which established management and acquisition reforms for federal IT,
excludes warfighting systems.
?We are referring to the CIO approach in Clinger Cohen that gives the CIO
a tremendous amount of authority,? Shea said at the Industry Advisory
Council?s Executive Leadership Conference 2003. ?In the past, we haven?t
stopped to think about the capabilities and the data. We were thinking
too much of buying things instead of end-to-end capabilities.?
Shea said the directive will require IT officials to ask a series of
questions during development of systems for the battlefield:
Have the people affected by a system?s development and deployment been
identified?
What are the performance parameters for the system?
Has an employee-training plan been drafted?
Is lifecycle support in place?
Is network bandwidth available?
Does the system comply with interoperability standards?
Is the security adequate?
Has there been sufficient testing?
?What we are doing is trying to take good things in Clinger-Cohen and
incorporate them into a warfighting perspective,? Shea said. ?As we work
these systems through the Joint Requirements Oversight Council, which is
chaired by the Joint Staff?s vice chairman, we are trying to take a
holistic approach in how we move forward.?
Whether the effort succeeds, Shea said, will depend on whether the Joint
Staff enforces the policy.
*******************************
Government Computer News
10/21/03
First responders lack data-sharing tools, feds say
By Thomas R. Temin
HERSHEY, Pa.The homeland security effort needs an ?interstate information
expressway? paid for by the federal government but that can be used by
state and local first responders to share information, Steve Cooper says.
And, ?it?s high time for us to get on with this,? the Homeland Security
Department CIO said yesterday at the Industry Advisory Council?s
Executive Leadership Conference 2003.
With the exception of law enforcement, first responders generally cannot
share information easily enough, Cooper said. Public-health officials are
especially behind the curve in data sharing because most health issues
get solved locally so there?s rarely much impetus to sound public health
alarms, he added.
Scott Wetterhall, a medical epidemiologist at the Centers for Disease
Control and Prevention, echoed that view.
?Vertical communication is not a substitute for horizontal communication?
among police, emergency medical teams and others, Wetterhall said.
Cooper also vowed that DHS would have a single virtual network
infrastructure by the end of next year, and a single physical network by
late 2005.
*******************************
Computerworld
ISC opens Internet crisis center
Its goal is to try and head off future attacks
Story by Todd R. Weiss
OCTOBER 20, 2003 ( COMPUTERWORLD ) - Last October's hacker attack on the
global root servers that run the core addressing system of the Internet
knocked out seven of the 13 servers for a time, but caused nary a problem
for most Internet users (see story).
But that massive attack and its implications haven't been forgotten by
many of the people behind the scenes who help keep the Internet
functioning. And to try to prevent a larger attack from possibly taking
down the whole Internet in the future, a new group is being launched by
the nonprofit Internet Software Consortium (ISC) to help protect the
security of the system.
The ISC today announced the Operations, Analysis and Research Center
(OARC), a global Internet crisis coordination center that will be used to
study and monitor traffic on the Internet so that technicians will be
able to differentiate high-demand traffic spikes from high-intensity
attacks on root servers.
"That [attack last year] did open our eyes," said Paul Vixie,
chairman of the Redwood City, Calif.-based ISC, which provides services
for the Internet's Domain Name System (DNS). "In our application,
it's very difficult to determine what 'normal' [Internet traffic
conditions are]. So we're going to have to define 'normal' and go from
there."
Before the root server attacks, when all 13 of the Internet's root DNS
servers were hit by intruders in a massive distributed denial-of-service
attack, there was no group set up to protect the DNS system globally,
Vixie said. "It's like having a child and seeing them grow up and
suddenly they go to college, then wondering how it happened so
fast."
Last year's attack was apparently designed to disrupt the Internet by
clogging root DNS servers with useless traffic. The root DNS servers
provide the vital translation services needed for converting a Web name
such as
www.computerworld.com
into a corresponding numerical IP address.
Now that the new group has been launched, the OARC is seeking members to work on the problem by bringing together the resources of the IT community.
What will be created is essentially a virtual research center that will link together top-level domain operators, corporate network data centers, large commercial name servers, DNS technology vendors, researchers and government and law enforcement officials to study and monitor the meaning of Web traffic. By connecting some of their servers and equipment together in a global grid computing system, the group hopes to cull information that can be used to stop future attacks.
"Any entity that depends on DNS on a minute-by-minute basis is a potential member of the group," Vixie said.
ISC hopes to draw together a critical mass of between 100 and 500 members by the beginning of next year, when the group hopes to begin research for its mission, he said. For now, an incident reporting system has been set up on the group's Web site for members and major network operators to coordinate responses to threats and attacks on the DNS.
So far, members of the OARC include The Internet Society, Cisco Systems Inc., MCI (still operating as WorldCom Inc.), XO Communications Inc., UltraDNS Corp., TLD operator Afilias Inc. and Verio Inc., as well as many of the operators of the global root DNS name servers.
Ram Mohan, chief technology officer for Afilias in Horsham, Pa., which is participating in the project, said the OARC will also establish a testing laboratory where researchers will be able to safely simulate massive Internet DNS attacks and then find ways to fight them off.
Until now, there has been no direct way for root server operators and other domain operators to communicate in times of attack or problems, he said. "There was no organized, central way to do this," he said.
Hackers try to go for the kill by attacking the top of the Internet organizational chain -- the DNS root servers -- under which everything else operates, he said. "The root is at the heart of the Internet and if you can make that heart stop, no traffic flows," he said.
The new group could help change all that, Mohan said. "It will help us coordinate a response to that attack that isn't possible today. What we're looking for is an early warning system."
*******************************
Computerworld
Former White House cybersecurity czar calls for security audit standards
Richard Clarke, now a security consultant, says Congress needs to act
Story by Matt Hamblen
OCTOBER 20, 2003 ( COMPUTERWORLD ) - LAKE BUENA VISTA, Fla. -- Former White House cybersecurity expert Richard Clarke yesterday urged for stronger standards for security audits of U.S. companies, saying congressional action is needed.
"The Securities and Exchange Commission thinks it can [require audits] under its existing authority, but what I'm predicting is it will be a very vague statement and there will be no real auditing against that standard," Clarke told reporters at the opening of Gartner Symposium ITxpo 2003 here. Clarke is now a private security consultant, serving as chairman of Good Harbor Consulting LLC in Arlington, Va. He joined Good Harbor in July.
"You've got to have a relatively specific standard ... with some real probability that someone will show up at the door to audit. That will take a congressional act," he said.
Clarke also said standards should encourage automatic audits, so network probes could quickly determine security levels, "instead of bringing in PriceWaterhouse for $500,000," to do the audit.
Similar to banking audits, only 90% of what will be audited should be known, so companies won't prepare only for audits and nothing else, he said.
Clarke, who resigned from his U.S. government cybersecurity role in January after serving in three administrations, made his comments after being asked about Sarbanes-Oxley Act and Health Insurance Portability and Accountability Act security requirements. Both federal mandates require companies to provide security certification. But "what do they certify, and who is going to say that they are wrong?" Clarke asked.
He also criticized Homeland Security Secretary Tom Ridge's recommendations for security certification as ineffective. "Frankly, it was Tom Ridge's idea that there be a Y2k-like statement [about security protection steps] to the SEC, but if that happens, it is going to be at such a high level of aggregation that you are never going to know what it means," Clarke said.
During year 2000 IT modifications, the SEC required Y2k certification by public companies. "We got away with that because it was a one-year trick, and you can trick people for one year," Clarke said. That Y2k certification was a "device" to get CIOs in front of their boards of directors to provide funds for date change fixes, he said.
Asked if cybersecurity failures could have caused the power blackout in Canada and the Northeast in August, Clarke ticked off a string of power outages and attacks on energy systems globally in recent months, including the loss of power throughout Italy in September. "We don't what caused any of these so far," he said. "We do know that Norway and Israel at least are saying there were cyber-hacking attempts to bring down the power grids in their countries.
"If the Aug. 14 outage was not caused by a hack attack, could it have been?'' Clarke said. "Could you bring down the power grid with a hack attack? I fully believe the answer is yes."
Clarke also endorsed new technology from PGP Corp. in Palo Alto, Calif., and is expected to take part in a presentation on behalf of that company today at the symposium. PGP last month announced the first version of its Universal product, which is designed to automatically provide end-to-end e-mail security. The burden of protecting critical information resides on the network and not a user's desktop, reducing the security burden on end users, Clarke and company officials said.
Generally, IT managers need to make security encryption as automatic as possible, he said. "The key here is whoever makes the decision to use encryption in the organization [so] that after that, it becomes automatic," Clarke said. "Establishing elaborate systems [for security] is a pain in the ass, frankly, and they require lots of people to run them, and that's why they don't work and why people don't do them."
Clarke also noted a humorous personal problem with unsolicited commercial e-mail, saying that last week he got a spam from himself. He said it was obviously because somebody or some program had spoofed his e-mail address and then sent the spam with his address back to him.
Clarke said it would be "really easy" for e-mail users to start their personal "do not call" lists for e-mail by taking any of several programs now available to allow e-mail only from certain people, which could be combined with e-mail encryption to provide a private system.
*******************************
Washington Post
Hill Hurrying to Renew Ban on Web-Access Taxes
States, Local Jurisdictions Worry About Loss of Revenue
By Jonathan Krim
Tuesday, October 21, 2003; Page E01
Congress is moving quickly to beat a Nov. 1 deadline for renewing a ban on taxes for getting online, but the push has sparked a furor over how broadly Internet services should be taxed and whether cash-strapped state and local governments might lose billions of dollars in revenue per year.
Supporters of making the ban on Internet access taxes permanent have prevailed in the House, and an identical bill has passed a Senate committee and could be put to the full Senate as early as this week.
For proponents, the issue is simple: Internet use is vital to economic growth, and going online should not be subject to a new tax when consumers already pay an array of local and state taxes and fees for telephone and cable television services.
That view was backed by Congress five years ago when it first approved the ban. As a result, states cannot levy taxes or impose fees on Internet service providers, such as America Online or EarthLink, for providing consumers with Internet accounts.
But those were the days when most consumers went online via ordinary phone lines, sometimes paying for additional lines. Although no tax could be levied on the Internet account, a consumer still paid taxes and fees for use of a second phone line.
Now, increasing numbers of consumers are going online via high-speed systems that piggyback on existing lines, rendering extra lines unnecessary. Digital-subscriber-line service, for example, provided over phone lines, is in about 9 million U.S. homes.
Because the same phone line carries voice calls and data for Internet use, many states and localities have taxed DSL services. EarthLink, for example, collects taxes in 25 states and the District at the behest of local governments.
The permanent ban in the Senate, authored by Sens. Ron Wyden (D-Ore.) and George Allen (R-Va.), attempts to make the terms of the ban more clear.
"What we have always wanted to do is nail down what shouldn't be taxed," Wyden said yesterday. "If it looks like Internet access and acts like Internet access, it shouldn't be taxed."
Wyden insists that there will be "absolutely no change in telecommunications revenues that state and local governments can generate." He said states are misrepresenting the bill because they want to find ways to levy more taxes.
In a speech on the Senate floor last week, he accused states of wanting to tax all Internet activities, including e-mail. If the states have their way, he said, the America Online slogan "You've got mail" will become "You owe taxes."
State and local governments sharply disagree, arguing that they support a simple extension of the existing ban. But they say the wording passed by the House and pending in the Senate opens up the possibility that telecommunications companies will be exempt from virtually all taxes, even on ordinary telephone service, as they transfer their networks and services to Internet-based systems.
"This begins costing the states between $4 billion and $9 billion in 2006 and will grow rapidly after that," said Dan Bucks, executive director of the Multistate Tax Commission, an organization of state tax administrators.
State and local officials acknowledge that this is a worst-case reading of how the bill might be interpreted. But the nonpartisan Congressional Budget Office agreed that the bill is ambiguous.
"Depending on how the language altering the definition of what telecommunications services are taxable is interpreted, that language also could result in substantial revenue losses for states," according to a CBO report released in July.
The report said it was impossible to quantify those losses. But the CBO said that in the short run 10 states -- and localities within those states -- that began collecting consumer-use taxes on Internet access before the 1998 moratorium, and thus were exempt from the ban, could lose $80 million to $120 million a year because the exemption would be eliminated.
Those states are Hawaii, New Hampshire, New Mexico, North Dakota, Ohio, South Dakota, Tennessee, Texas, Washington and Wisconsin.
Local taxing authorities are especially worried that the bill would mean a loss of tax revenue from the various businesses that contribute to providing Internet access to the end user. For example, Internet providers that must purchase online bandwidth from "backbone" or other large network providers would be exempt from taxes on those purchases.
The current bills "substantially abrogate the commitments made to state and local governments" when the original ban was approved in 1998, according to a report by the Center on Budget and Policy Priorities.
Dave Baker, EarthLink vice president for public policy, said his company supports a permanent extension of the ban but the language of the bill "could create problems."
The CBO also suggested that the bill constitutes an "unfunded mandate" on states and localities, which Congress has prohibited if a federal policy would result in state or local tax losses above a certain threshold.
Bucks said he is troubled by the notion that the federal government could crimp state and local tax authority to promote one particular technology.
"Congress could have said that electricity is so important that you can't tax it," he said. "Then there would be no state and local tax system left" to provide for its use.
*******************************
USA Today
Open source makes gain in Massachusetts
By Justin Pope, The Associated Press
Posted 10/20/2003 4:49 PM
BOSTON With more than $32 billion in sales last year, Microsoft doesn't usually worry about losing one customer. But this one may be different.
In a memo sent last month, Massachusetts Administration and Finance Secretary Eric Kriss instructed the state's chief technology officer to adopt a policy of "open standards, open source" for all future spending on information technology.
The directive likely wouldn't completely cut out Microsoft from the state's $80 million technology budget.
But it may have been the clearest example yet of a state government taking sides against Redmond, Wash.-based Microsoft in the most important struggle in the software industry.
Microsoft's software generally uses "proprietary" code that the company closely guards. Its biggest threat is from "open source" operating systems led by Linux, whose core components are public, and which users are free to pass around and customize as they like.
Governments are a huge market, accounting for about 10% of global information technology spending, according to research firm IDC. Federal, state and local governments in the United States spent $34 billion last year on huge systems to track everything from tax collection to fishing licenses.
"I think they're correct to be concerned," said Ted Schadler, principal analyst at Forrester Research, adding that government switchovers could doubly hurt Microsoft by persuading big corporate customers that, if huge public bureaucracies can adopt platforms like Linux, so can large companies.
Governments have also been among the most aggressive early adapters of Linux. IBM, a major Linux backer, says it has installed or is installing Linux for 175 public sector customers.
"The momentum is unstoppable at this point," said Scott Handy, vice president of Linux strategy and market development at IBM. "The leading indicator as far as a customer set has been government."
Many believe open source will prove cheaper to deploy and operate, and that it may be more secure; because the codes are public, flaws may be discovered more quickly. And some foreign governments seem eager not to be dependent on an American company.
Federal agencies in France, China and Germany, as well as the city government of Munich, have opted for Linux. Britain, Brazil and Russia are also exploring it.
"You scratch any one of these initiatives and you can't escape that it's Microsoft they're trying to displace," Schadler said.
Microsoft's risk of losing the public sector market altogether is small, at least for now.
The company's products are just too essential, and many open source alternatives too ineffective for many of the kinds of big database jobs governments require. Kriss said the state would still use Microsoft products when cost-effective open-source alternatives aren't available.
Microsoft says it knows it won't win every contract, but it opposes any type of mandate preventing proprietary software from even being considered. It says that's bad for technology companies and bad for taxpayers, who may get stuck paying for inferior, more expensive products.
"We do treat this issue very seriously here," said David Kaeffer, Microsoft's director of technology policy.
Microsoft has fought open-source mandates with limited success. Proposals similar to Massachusetts', including ones in Oregon and Texas, have been shot down after complaints from Microsoft and other technology companies whose products could be shut out. Microsoft also aggressively lobbied the Defense Department to cut its use of open source software, according to a Washington Post report last year.
The company has plenty of reason to worry.
The Microsoft-led industry group Initiative for Software Choice has tracked 70 different open-source preference proposals in 24 countries. And despite Microsoft's lobbying, a Pentagon report concluded that open source was often cheaper and more secure, and that its use, if anything, should expand.
Gerry Wethington, Missouri's chief information officer and president of the National Association of State Chief Information Officers, said many of his group's members are pushing hard to bring open standards to their states.
Microsoft countered with an initiative in July that steeply discounts software for government users. It also agreed to make its secret source code available to some governments in order to assuage security concerns.
Microsoft insists that it supports "open standards," which is often associated with "open source" but can also be a broader term meaning any way of making technology work together.
Although some analysts say open-source products may offer stronger security and greater reliability, the argument that they make it easier for systems to talk to each other falls apart if many of those systems are already Microsoft.
"Politically, there are only pros, but in terms of government employee productivity there are quite a few cons," said Schadler, the Forrester researcher.
*******************************
USA Today
RIAA notifies suspected music swappers of lawsuits
Posted 10/19/2003 3:30 AM Updated 10/19/2003 3:45 AM
SAN FRANCISCO (AP) The record industry's trade group has warned 204 people suspected of illegally swapping music over the Internet that it plans to file lawsuits against them.
The Recording Industry Association of America started mailing sternly worded warnings last week. Unlike last month's crackdown against 261 alleged song sharers, the targets are being notified before lawsuits are filed.
"In light of the comments we have heard, we want to go the extra mile and offer illegal file sharers an additional chance to work this out, short of legal action," said RIAA president Cary Sherman.
The letters give the recipients 10 days to contact the RIAA to discuss a settlement and avoid a formal lawsuit. The RIAA declined to identify the individuals, but said they were sharing an average of more than 1,000 songs on their computers.
The advanced notice also could help the RIAA avoid embarrassment.
Last month's targets included a 12-year-old girl and a grandmother who claimed she was falsely accused of sharing rap songs. Many of the accused learned of the lawsuits when they were called by reporters.
So far, the RIAA says it has settled 64 suits and received an average of $3,000 per settlement. It also has dropped one suit against a Boston woman whose computer could not run the peer-to-peer file-sharing program she was accused of running.
Last month's lawsuits also drew criticism from members of Congress, including Sen. Norm Coleman, R-Minn. A spokesman said Coleman was pleased at the new approach.
"The senator certainly thinks it's a step in the right direction, and wishes it had happened sooner," said Tom Steward, a Coleman spokesman.
The Electronic Frontier Foundation, a civil liberties group, says the RIAA is making a mistake by not listening to music fans.
"Instead of continuing their legal crusade, the record labels should give their customers the option to pay a reasonable fee to continue file-sharing," said Wendy Seltzer, a staff attorney for the foundation.
*******************************
Wired News
Balancing Utility With Privacy
By Mark Baard
02:00 AM Oct. 21, 2003 PT
SEATTLE -- During the dot-com boom, marketers predicted that we wouldn't be able to pass a Chinese restaurant without our mobile phones ringing with a coupon for free fried rice. A wireless device in the restaurant would recognize passing phones as belonging to favorite customers, or people who listed Chinese as their favorite food in an America Online member profile.
That hasn't happened quite yet, but the technologies that will make such scenarios possible -- wireless hot spots, video monitors, radio tags and readers -- are quickly weaving their way into everyday life. And that has privacy advocates worried. Governments and corporations, they say, could easily use the technology to spy on people.
Engineers in the growing field of ubiquitous computing want to use these technologies to create ad hoc networks of tiny wireless devices that can, for example, tell when we've left the kettle on the stove or bust our kids with their hands in the cookie jar.
Designers of ubiquitous computing systems envision seeding private and public places with sensors and transmitters, embedded in objects and hidden from view.
The tiny devices, some the size of a postage stamp, could help cognitively impaired seniors take care of themselves, for example, by quietly watching and recording all of their activities, making decisions based on their personal histories, and communicating with their caregivers via mobile phones or other wireless handheld devices.
But whereas some people may be willing to sacrifice their privacy if it keeps them out of the nursing home, designers of ubiquitous computing systems are admitting for the first time that their technology could be abused if it winds up in the wrong hands.
Last week at UbiComp 2003, a ubiquitous computing conference in Seattle, many engineers confronted the damage their technology might cause to personal privacy. "The more awareness you have in the system," said one engineer who asked not to be named, "the less privacy you're going to have. That's the trade-off."
Sociologists and anthropologists at the conference also worried that human memory, which can be flexible and forgiving, will be supplanted by the memory banks of ubiquitous computing systems. No human act, no matter how benign or foolish or cruel, will escape the binary memory and cold interpretation of an artificially intelligent computer.
"People are showing me spatulas and frying pans with RFID (radio frequency identification) tags on them, and AI (artificial intelligence) systems that can infer when you're making an omelet," said Carleton University sociologist Anne Galloway. "And that's fine. But think of all the embarrassing things we do that we would like to forget. With everything stored on a disk somewhere, that will be extremely difficult."
Many of the systems designers at UbiComp 2003 acknowledged they will have to protect personal privacy if they expect people to share their world with ubiquitous computing systems.
The designers claim that -- by recruiting specialists from multiple disciplines -- they can ensure users that their personal data will be protected.
"We have a diverse group of people developing the technology, and many of the scientists here are especially sensitive about privacy issues," said Volodymyr Kindratenko, a research scientist at the National Center for Supercomputing Applications.
Kindratenko is one of the researchers working on IntelliBadge, an RFID-based project run by the NCSA, which uses ubiquitous readers to track people wearing RFID badges. The system reports the badge wearers' locations, and calculates how much walking each individual has been doing over a given time period. The system also analyzes the badge wearers' demographics, according to Web profiles that the participants input themselves on a voluntary basis.
NCSA also has a privacy policy Web page that tells IntelliBadge participants that their personal data is being protected.
But out of the nearly 6,000 registered users of IntelliBadge last year, only 32 viewed the privacy page on the project's website, according to the NCSA.
Kindratenko would not guess why the IntelliBadge privacy page was so unpopular. "But I can tell you that people have been asking us if we can make it (IntelliBadge) do more," he said, "to use more of their personal information to find interesting connections between them."
Engineers and scientists here said people like being able to control the amounts and types of data gathered by ubiquitous computing systems. And just as IntelliBadge allows participants to limit the information in their Web profiles, other projects aim to give participants control over the data gathered by sensors and other devices.
University of Calgary researchers at UbiComp 2003, for example, presented a system that allows telecommuters to blur out family members moving around behind them in their home offices.
"Let's say you're working, and your spouse enters your home office wrapped in a towel," said University of Calgary researcher Carman Neustaedter. "That's not something you want the camera to pick up. It's not an appropriate sight for the workplace."
Others, for now, are sidestepping the privacy issue by limiting their ubiquitous computing applications to art installations.
The Future Applications Lab at the Viktoria Institute in Göteborg, Sweden, is experimenting with Audio Tags, small gadgets tacked onto walls and utility boxes, which whisper personal messages into the ears of passersby.
It's an intimate experience for the artist and the listener: A person must come very close to the Audio Tag to be detected by its infrared sensor and to trigger a 10-second recorded message.
The Audio Tag, said Future Applications Lab researcher Lalya Gaye, is only as risky to a person's privacy as the message the individual records. Most people playing with the device leave short poems and messages for lovers, Gaye said, like, "This is where we kissed for the first time."
"People leave behind only what they want to," Gaye said
*******************************
MSNBC Online
Yahoo! launches anti-spam decoys
Web portal launches premium features to fight junk e-mail
LOS ANGELES, Oct 21 Yahoo! Inc., the Internet media and services company, on Tuesday launched a new set of premium e-mail features that lets users create hundreds of decoy addresses to thwart spam mail.
YAHOO!, WHICH HAS marketed itself as a successful spam fighter for e-mail users, said most of the new functions are available only to subscribers of its Mail Plus service, which costs $29.99 a year.
The battle against spam has drawn the attention of e-mail providers and legislators, amid growing concern about the cost of junk e-mail to companies and consumers.
Yahoo! said it has seen a 40 percent jump in spam from January to August and now averages 700,000 spam reports a day. Some analysts estimate that spam totals one-third of all e-mail, costing corporations billions of dollars a year.
Yahoo! said its new AddressGuard feature would let users create a fictitious ?base name? and then 500 variations on that name that they could give out when shopping, banking and joining communities online.
If an address started to receive spam, the user could simply shut down the address and use another one.
SpamGuard Plus, which like AddressGuard is available only to premium subscribers, lets customers set individual rules to define spam and continue to use a blanket filter to block all spam.
Another new feature available to all users allows for a message display limited to e-mails from known users. Some users will start to have that function next week, Yahoo! said, though it will not be fully launched systemwide until November.
Yahoo! has also changed rules on viruses, forcing users to scan all attachments for viruses before downloading. Such scans had been optional.
Brad Garlinghouse, vice president of communications products at Yahoo!, told Reuters the company had to keep enhancing its software because the legal battle against spam could not do the job alone.
?Legislation and litigation, it?s something of a whack-a-mole problem,? he said, a reference to a popular arcade game that challenges players to try to hit an increasingly fast array of pop-up figures, though he added Yahoo! has supported spam laws and used anti-spam suits in past.
Yahoo! said its marketing research highlights the extent to which spam is despised. In an August survey of Yahoo users, 77 percent said they would rather clean a toilet than sort through the junk e-mail in their inbox.
© 2003 Reuters Limited. All rights reserved. Republication or redistribution of Reuters content is expressly prohibited without the prior written consent of Reuters.
*******************************