Clips November 12, 2003
- To: "Lillie Coney":;, Gene Spafford <spaf@xxxxxxxxxxxxxxxxx>;, John White <white@xxxxxxxxxx>;, Jeff Grove <jeff_grove@xxxxxxx>;, goodman@xxxxxxxxxxxxx;, David Farber <dave@xxxxxxxxxx>;, glee@xxxxxxxxxxxxx;, Andrew Grosso<Agrosso@xxxxxxxxxxxxxxxx>;, ver@xxxxxxxxx;, lillie.coney@xxxxxxx;, v_gold@xxxxxxx;, harsha@xxxxxxx;, KathrynKL@xxxxxxx;, computer_security_day@xxxxxxx;, waspray@xxxxxxxxxxx;, BDean@xxxxxxx;, mguitonxlt@xxxxxxxxxxx, sairy@xxxxxxxxx;
- Subject: Clips November 12, 2003
- From: Lillie Coney <lillie.coney@xxxxxxx>
- Date: Wed, 12 Nov 2003 14:32:15 -0500
Clips November 12, 2003
ARTICLES
Former FCC chairman blasts agency's 'suspicious' VoIP actions
TSA Pushes For Security in Foreign Cargo
Caught by the Act [DMCA]
Altnet says P2P spies violate patent rights
Is cyberterrorism a phantom menace?
Study: Tech has glass ceiling
Energy plan emphasizes computer power
Liberty Alliance releases privacy best practices
DHS plans cybersecurity summit
Defense bill elevates debate on tech security issues
Privacy study: Job sites tend to share information freely
Microsoft Warns of Latest Software Holes
Marketers trying to influence Congress on spam
Former State Officials Push Voting Systems
*******************************
TechTarget Online Publication
Former FCC chairman blasts agency's 'suspicious' VoIP actions
Tue Nov 11, 7:00 AM ET
Jim Rendon, SearchNetworking.com News Writer
SANTA CLARA, Calif. -- Former Federal Communications Commission chairman
Reed Hundt took his former agency to task today for what he feels will be
its unnecessarily heavy-handed regulatory stance toward voice over
Internet Protocol.
Speaking at the Pulver.com Wireless Internet Summit, Hundt said that it
is likely that the FCC will choose to regulate VoIP providers, which
would stifle innovation, boost costs and protect traditional phone
companies from the challenge that low-cost or free Internet calling
service could bring.
Citing a letter from current FCC chairman Michael Powell to Sen. Ron
Wyden (D-Ore.) that is posted on the FCC Web site, Hundt said it was
apparent that the FCC had already decided to regulate VoIP.
Earlier this week, the FCC announced that it would hold a hearing to
investigate the possibility of establishing VoIP regulations.
The agency has waived the usual public comment period, which is often the
first step before making such a ruling, Hundt said. Though the hearing is
scheduled for Dec. 1, Powell wrote that the agency planned to issue a
Notice of Public Rule Making (NPRM) "shortly after the
hearing," in an effort to gather comments from the public.
Hundt said that language indicates that the agency had already made up
its mind about what rules it plans to issue, and that the December
hearing would be little more than a formality.
"I ran this agency," Hundt said. "I know you should be
suspicious."
Hundt pointed out three issues raised in chairman Powell's letter, which
he said pointed to erroneous arguments for the regulations of VoIP.
The first was concern about emergency services and Enhanced 911 (E911),
FCC rules seeking to improve the effectiveness and reliability of
wireless 911 service. While VoIP systems have had some problems adhering
to E911 regulations, Hundt thought that it was odd that this was an
issue of high concern to the FCC, since the wireless industry
successfully lobbied to delay the implementation of most E911
requirements.
"If this is not an important issue for cell phones, why is it at the
top of the list for VoIP?" Hundt asked.
The letter also cited universal service as an issue necessitating VoIP
regulation, an issue that Hundt quipped had never been a concern for the
agency when it was regulating broadband services. Unregulated VoIP,
according to the letter, could also pose homeland security concerns.
Hundt said that the vast success of narrow-band Internet in the U.S. was
largely due to the FCC's decision, made during his tenure as chairman,
not to regulate the technology or to allow phone companies to charge
Internet service providers for use by the minute.
The large telecommunications companies are concerned about the growth of
VoIP because it has the ability to allow users to make calls for free on
the Internet, undermining their fundamental business model. Hundt,
however, said that there were opportunities for those companies to expand
broadband access and generate revenue that way.
Regulating VoIP now would suppress innovation before the technology
really gets off the ground, Hundt said. And if the U.S. does not
innovate, companies in other countries will, he said.
Hundt also said that local phone service rates should be deregulated and
taken out of the hands of the states, allowing for increased competition
and more opportunities for carriers.
*******************************
Washington Post
TSA Pushes For Security in Foreign Cargo
By Sara Kehaulani Goo
Wednesday, November 12, 2003; Page E01
The Transportation Security Administration is seeking to force foreign
air cargo companies to follow the same security procedures as U.S. cargo
carriers.
Foreign companies are exempt from the rules that require U.S. operators
to submit security plans to the TSA. All domestic cargo companies must
provide the TSA with a plan that details procedures to secure parked
aircraft and to ensure that those with access to the planes pose no
threat.
TSA spokesman Brian Turmail said the agency is working to bring foreign
carriers in line with other cargo companies after a warning issued last
week said cargo planes could be hijacked by terrorists. "In light of
the information we have, we're looking at what additional measures need
to be put in place," Turmail said.
The warning issued by the FBI and the Department of Homeland Security
late Friday was the first to specify that al Qaeda plans to hijack a
cargo jet. Terrorists might try to hijack planes in Canada, Mexico or the
Caribbean and fly them into nuclear plants or other critical
infrastructure in the United States, the warning said.
"Most of the threats against cargo aircraft have been in regard to
explosive items," said a senior intelligence official. Intelligence
has never "been quite this specific."
Any new requirements probably would affect only 10 to 15 foreign-based
companies whose business is to ship goods to the United States, according
to Brian Clancy, principal of MergeGlobal Inc., an Arlington consulting
firm that specializes in freight transportation.
"They are such a small percentage of the total market," Clancy
said.
Several foreign cargo companies reached yesterday, such as Bogota,
Colombia-based Tampa Airlines Cargo SA and Luxembourg-based Cargolux
Airlines International SA, were unable to comment on the new TSA
requirements.
The TSA said foreign carriers that carry passengers and cargo, such as
Deutsche Lufthansa AG and Air France, have already filed security
plans.
"We want the ability to see on paper exactly what security measures
these cargo carriers have in place," Turmail said.
The TSA said that in the next few weeks it will require all carriers of
cargo to conduct random visual inspections of their own cargo. TSA agents
will randomly check whether inspections are being done. The TSA can
require foreign carriers to meet its rules as a condition for operating
in the United States.
Critics, mainly pilots, flight attendants and public-interest groups,
have criticized the TSA's air cargo security measures as a weak link in
the nation's aviation system. Very few, if any, of the goods shipped by
planes are ever physically screened. The TSA has forced air carriers to
identify the companies shipping goods on their planes, but the agency has
struggled to find quick ways to probe the contents of planes without
burdening the time-sensitive freight-forwarding industry.
The TSA said 60 to 70 percent of planes that carry only cargo do not have
cockpit doors. Under TSA rules, companies with fleets that do not have
cockpit doors must restrict access to their aircraft to crew members, and
employees of one cargo company are not permitted to
"jump-seat," or travel when not working, on another airline's
cargo plane.
Homeland Security Department spokesman Brian Roehrkasse said customs
agents and other law enforcement officials stationed at airports are not
stopping cargo planes from the Caribbean, Mexico and Canada as a result
of the latest warning, but they are scrutinizing cargo manifests sent to
the department before flights land in the United States.
Major U.S. cargo companies said they were prepared for the latest warning
because of the security procedures they have long used.
Domestic cargo planes may be further protected if pilots win approval to
carry guns in the cockpit. The cargo companies have opposed the effort,
but they expect a bill to pass this year that would allow guns on board.
Cargo pilots were eliminated from legislation passed last year allowing
commercial airline pilots to carry guns.
FedEx Corp., United Parcel Service of America Inc. and others have argued
that a lethal weapon on board would add danger rather than reduce it and
have questioned whether guns are necessary given the nature of cargo
operations. Pilots contend that guns would be helpful because cargo
planes often operate in less secure areas of airports. In addition, the
security perimeters of many airports in the United States and abroad are
easily breached.
"Cargo aircraft, in many cases, operate in parts of the airport that
aren't as secure as it would be on the passenger aircraft end," said
Jim Shilling, a cargo pilot and spokesman for the Coalition of Airline
Pilots Association, an organization that has lobbied for cargo pilots to
carry guns in the cockpit. "We have to make sure that we're armed
because of the threats that are out there."
Some cargo airlines said they already have tight security procedures in
place in Latin America and the Caribbean because of past concerns about
drug smuggling. FedEx said it has reinforced cockpit doors on its larger
aircraft, a TSA requirement for passenger aircraft but not for cargo
aircraft.
*******************************
Washington Post
Caught by the Act
Digital Copyright Law Ensnaring Businesses, Individuals Over Fair Use
By Frank Ahrens
Wednesday, November 12, 2003; Page E01
Ed Swartz, a self-described "old guy," is a canny North
Carolinian who's been in heavy manufacturing since Eisenhower was
president. Alloys for the auto industry, mostly. Come the late '80s, he
needed something for his youngest son to run, so they jumped into the
ground floor of a business few think about until the copier malfunctions:
remanufacturing laser printer toner cartridges. His company, Static
Control Components Inc., makes the replacement gears, springs and drums
that go inside the cartridges when they break down. Pretty
straightforward.
Until last winter, that is, when his company found itself in the most
unlikely of positions -- on the same side of the courtroom as
unauthorized Internet song-sharing sites, such as Kazaa, Grokster and
Morpheus.
What links a southern office-supply manufacturer and a global
next-generation Internet technology? A wafer-thin computer chip not much
larger than a fingernail and a law unfamiliar to most: the Digital
Millennium Copyright Act (DMCA).
Passed in 1998, the act is designed to protect copyrighted works in an
age when the material easily can be illegally copied and distributed over
the Internet. The music industry uses the DMCA to sue Internet
song-swappers it maintains are violating copyright law. But another
provision of the law -- Section 1201 -- expressly prohibits individuals
from circumventing technological measures erected by copyright holders to
protect their works.
Ever since, businesses that make products as diverse as voting machines,
electronic pets and garage-door openers have turned to the law to protect
their digital turf. Lexmark International Inc., one of the world's
largest printer companies, joined the parade last December when it cited
the law to sue Static Control.
Lexmark alleged that the company illegally copied some of the code used
by computer chips in Lexmark cartridges to enable the remanufactured
cartridges to work. The chips monitor the level of toner and tell users
when it is running low. More important, they make the cartridges
compatible with the printer -- if the two do not execute an electronic
"secret handshake" activated by the chip, the copier will not
work.
By figuring out how to emulate that handshake, Static Control
circumvented Lexmark's ability to protect its copyrighted works,
Lexmark's attorneys argued. In February, Lexmark won an injunction that
stopped Static Control from making its chips.
Static Control countered that it copied only 56 bytes of code in the
Lexmark chip, which it should be allowed to do under the fair-use
provisions of copyright law. Static Control said many industries do the
same when they manufacture products that need to be compatible with other
systems -- the "aftermarket" that makes wiper blades for cars,
video-game cartridges for game consoles and so on.
Static Control asked the U.S. Copyright Office for an exception to the
DMCA that would help clear the way for it to make chips that would be
compatible with Lexmark printers. The Copyright Office denied the
exception in a ruling issued Oct. 27, saying that existing exceptions in
the law may cover the issue. Both Static Control and Lexmark quickly
claimed victory.
"It is inconceivable to us how anyone could consider this ruling a
victory for Static Control," Vincent J. Cole, a Lexmark vice
president, said in a prepared statement. The company has declined to
comment further on the case.
American University copyright law professor Peter A. Jaszi, who led a law
professors' amicus brief siding with Static Control, called the Copyright
Office's ruling "disappointing" but said the decision did give
the company some ammunition when it goes to court.
"I think the Static Control lawyers are in a position to make a good
argument" that their product should be permitted under the DMCA,
Jaszi said.
Static Control is appealing the injunction in Cincinnati's U.S. Court of
Appeals for the 6th Circuit; the company cannot manufacture
Lexmark-compatible cartridges unless the injunction is lifted. A ruling
is expected within six months. Static Control has also filed a $100
million antitrust lawsuit against Lexmark in North Carolina.
"We would be very happy for the [appeals court] to use what the
Copyright Office said as guidance for a decision," Swartz
said.
Should his company lose in court, Swartz envisions a world of monopolies
that would make turn-of-the-century Standard Oil blush. He predicts deals
between automakers and tiremakers, for instance, that would put
copyright-protected chips in tires to prevent a car from starting unless
it was fitted with automaker-approved tires. Imagine, for instance, if
Toyotas would run only on Goodyear tires, he said. What would become of
Michelin, Cooper, Pirelli and other tiremakers?
"I'll be 68 in December. I had open-heart surgery in November 2001.
I see this as my legacy. Somebody had to fight them," Swartz said.
"If we rolled over and played dead and they had won, it would have
set a precedent for lots of other people to pull the same
baloney."
Baloney or not, other companies have attempted to protect their business
by using the DMCA.
Voting-machine maker Diebold Election Systems is citing the DMCA
regarding a number of students and activists who have posted the
company's internal documents on the Internet, detailing bugs in the
machine software. The company has sent cease-and-desist letters, saying
the activists are violating copyright by spreading Diebold's code on the
Internet.
Earlier this year, Chamberlain Group Inc., which makes garage-door
openers, invoked the DMCA against rival Skylink Technologies Inc., which
made an opener that was chosen over Chamberlain's clicker by several
garage-door makers. Skylink said it legally reverse-engineered the code
used by the garage-door receivers to open the door. Chamberlain's opener
works only when specific software codes are transmitted to the door.
Skylink's clicker circumvents these, which Chamberlain said violates the
DMCA. The case is pending in an Illinois federal court.
Last year, Sony Corp. threatened action against a hobbyist who cracked
some encryption in the company's electronic pet dog, the Aibo. That
allowed him to write and post software on the Internet enabling Aibo
owners to customize their pets to recognize their masters' voices.
Although the hobbyist did not reveal the encryption codes, Sony pressed
forward, relenting only after public outcry.
"A lot of people have turned this into a debate on competition or
about how it's somehow doing harm to the average user," said Emery
Simon, a lawyer with the Business Software Alliance, a trade group
promoting digital copyright protection. Members include Microsoft Corp.,
Apple Computer Inc. and IBM. "It's not about those things for us.
For us, it's about somebody who's stealing our stuff."
Concerns about the DMCA creating monopolies are overheated, he said.
Section "1201 did nothing to change, dilute or diminish antitrust
law," he said. "Intellectual property laws have always
co-existed with competition laws."
Arguing for the other side, Jaszi said the Static Control case and others
like it illustrate the larger problems with the DMCA.
"We've got here a law that runs like a bulldozer over this rather
delicate balance and structure of rights and limitations on copyright
that it took us 200-odd years to build up," he said. At the same
time, he said, "I don't think a conscientious lawyer with a business
client facing this kind of situation can do anything other than file a
DMCA claim."
Verizon Communications Inc. is a more traditional foe of the DMCA. It is
lobbying Congress to overhaul the act based on the recent record-industry
lawsuits, saying the law's powers are too broad. Under another section of
the DMCA, Internet service providers such as Verizon can be subpoenaed to
turn over the names and addresses of customers who copyright holders,
such as the music industry, believe are violating copyright by illegally
downloading songs, for instance.
Rep. Rick Boucher (D-Va.) introduced a bill at the beginning of the
current session focusing on rewriting Section 1201. His bill would allow
consumers to circumvent a work's technological copyright protections for
fair use. The bill, pending in the Energy and Commerce Committee, would
also decriminalize the manufacture of such circumvention technology. Rep.
Zoe Lofgren (D-Calif.) introduced a similar bill, now in the Judiciary
Committee, which Boucher also sits on.
"As an increasing number of copyright works are wrapped in
technological protection measures, it is likely that the DMCA's
anti-circumvention provisions will be applied in further unforeseen
contexts, hindering the legitimate activities of innovators, researchers,
the press, and the public at large," writes the Electronic Frontier
Foundation, which represents some defendants of the record-industry
lawsuits and supports Boucher's bill.
Boucher expects no action on his bill before the end of the year but
plans hearings and markup early next year, he said.
"I won't predict the date," Boucher said, "but eventually,
we will change the DMCA."
*******************************
CNET News.com
Altnet says P2P spies violate patent rights
Last modified: November 11, 2003, 5:26 PM PST
By John Borland
Staff Writer, CNET News.com
Altnet, a company that distributes files legally through Kazaa and other
peer-to-peer services, has sent legal threats to nine companies that
monitor or meddle with file-trading networks, accusing them of violating
its patent rights.
The cease-and-desist orders are the first legal use of a patent Altnet
unveiled last June, under which it claims to hold rights to one of the
most common means of identifying files on peer-to-peer networks. That
technique, which uses a "hash," or a digital representation of
all the information in a file, has even been used by the Recording
Industry Association of America in its fight against online copyright
infringers.
Altnet, a division of Brilliant Digital Entertainment and a close partner
with Kazaa parent Sharman Networks, has spent months in discussions with
other file-swapping companies about licensing the technology, according
to Executive Vice President Derek Broes. But the company has chosen to
send legal warning letters to this group of companies because they're
using the technology in ways that Altnet wouldn't necessarily approve of.
Among other things, Altnet pays Kazaa for the right to place its
customers' files at the top of Kazaa search results.
"Our intent has always been to commercialize peer to peer, and if
anyone is misusing our patent for any reason, I have to protect that
intellectual property," Broes said. "If they're building
business on the backs of the patent I worked hard to acquire, then they
should talk to us."
Altnet's action, while aimed at some of the underground file-swapping
world's chief foes, is likely to ruffle feathers on both sides of the
technological fence. The company's claim to own rights to such a basic
file-identification technique has sparked considerable controversy inside
peer-to-peer circles and has in part been responsible for a political
divide that has created two separate lobbying and policy groups in
Washington, D.C.
The company acquired the patent in late 2002, from a researcher who now
serves as Altnet's chief scientist.
At least one of the companies now targeted by Altnet says the claim is
simply off base.
BigChampagne, a Los Angeles-based market research company that's come to
prominence recently by providing record labels and other entertainment
companies with reports of what files are most popular online, says it
doesn't use Altnet's technology.
"I think at first blush this looks like a case of mistaken
identity," said BigChampagne Chief Executive Officer Eric Garland.
Identifying files "is not really the business we're in."
Garland said his company does do some file identification in order to
ensure the accuracy of its aggregate data reports but does not use the
hash technique.
Several of the other companies targeted take more direct action inside
file-swapping networks, posting false versions of files in the hope of
steering would-be downloaders away from the real ones, or taking
snapshots of individual users' hard drives to use in
copyright-infringement actions.
The full list of companies targeted by the Altnet letters includes
- BigChampagne
- BayTSP
- Cyveillance
- MediaDefender
- MediaSentry
- NetPD
- Overpeer
- Ranger Online
- Vidius
Altnet is asking the companies to stop using the hash technique in their
businesses unless they take a license.
Broes said he had no immediate plans to pursue a similar strategy against
the RIAA, which has publicly outlined its use of file hashes to identify
copyrighted files downloaded from Kazaa users' hard drives.
"We have a good relationship with the RIAA, and we have lines of
communication open with them," Broes said. "It is not a notice
that we have served."
*******************************
CNET News.com
Is cyberterrorism a phantom menace?
Last modified: November 11, 2003, 12:33 PM PST
By Patrick Gray
Special to CNET News.com
Gartner's information security and risk research director has dismissed
cyberterrorism as a "theory."
The comments came during a media roundtable session at the Gartner
Symposium and IT Expo, which began today in Sydney, Australia. The
director, Rich Mogull, told journalists that despite the incidence of
high-profile digital attacks, cyberterrorism is a phenomenon that has
never occurred.
"The goal of terrorism is to change society through the use of force
or violence, resulting in fear," he explained. "I want to put
this cyberterrorism thing to rest. It's a theory, it's not a
fact."
Even though there were examples of attacks that have physical
consequences--such as the case of Vitek Boden, sentenced to two years in
prison for releasing up to 1 million liters of sewage into the river and
coastal waters of the town of Maroochydore, in Queensland, Australia, in
2001--they could not be described as terrorist acts, Mogull explained. To
a large extent, it comes down to motive, he said.
"If a directed cyberattack on, say, a power system that...resulted
in the blackout of an entire nation or a large region and deaths because
of that...that would constitute cyberterrorism, if they claimed they did
this as a terrorist act," he said. "The motive will define
what's terrorism and what's not."
Mogull said the argument is largely academic--it doesn't matter who's
attacking an organization. It should be doing the best it can to protect
itself in the first place, whether attacks are coming from criminals or
"cyberterrorists."
"Let's stop running around being scared about these esoteric threats
out there. Let's look at protecting ourselves by closing the
vulnerabilities we know exist and protecting ourselves from the attacks
that we know exist," he said.
*******************************
SiliconValley.com
Study: Tech has glass ceiling
BARRIERS BELIE INDUSTRY'S IMAGE
By Michelle Guido
The United States leads the world in technological advances, but women
are still denied many of the high-tech industry's leadership roles,
according to a study released today by Catalyst, a non-profit research
and advisory group dedicated to advancing women in business.
The obstacles women face while climbing the corporate ladder -- a
male-dominated business culture, poor recruitment and professional
development, and work-life balance issues -- hold them back regardless of
the industry, the report said.
``The barriers and demands of the high-tech industry are very similar to
those of traditional industries,'' said Catalyst President Ilene H. Lang.
``What is surprising is that in an industry that thinks of itself as a
meritocracy, women and men both perceive a lack of acceptance of
women.''
The study revealed that nearly a third of male and female participants
agreed that women have a difficult time getting ahead. Among Fortune 500
high-tech companies, women make up 11.1 percent of corporate officers.
That's lower than the 15.7 percent of corporate officers women account
for in Fortune 500 firms overall, according to Catalyst.
In its latest study, ``Bit by Bit: Catalyst's Guide to Advancing Women in
High Tech Companies,'' Catalyst conducted five roundtable discussions
across the United States with 75 senior executives who helped identify
barriers to advancement for women:
- The corporate culture at many high-tech companies is exclusionary and
does not support women's advancement.
- Companies don't strategically and objectively identify and develop
talent.
- Women feel isolated because they lack role models, networks and
mentors.
- The demands of work and career are at odds with having a commitment to
family and personal responsibilities.
Making assumptions
Kara Helander, vice president of the western region for Catalyst, said
that within the discussion groups, one common theme was an assumption
that women were less equipped to take on leadership roles than
men.
``People assumed that women are too emotional to be effective leaders,
that a woman who has a family won't be willing to travel -- which can
automatically exclude her from a more high-profile job,'' said Helander,
whose office is in San Jose. ``Those kind of assumptions have enabled
managers to shift women to support-type jobs, which limits their ability
to move up in a company.''
Jeanette K. Harrison, Intel's director of knowledge and learning,
participated in one of the round table discussions and said participants
were honest about the roadblocks women face in the workplace.
``The most commonly raised barriers were attitudes about the acceptance
of women at the highest levels,'' Harrison said. ``You could see the
reflection taking hold on their faces that they had either personally
seen that happening or could see that this is very much a reality for
women in the tech industry.''
The report suggests that to make real change, companies should address
the barriers to advancement by including women in career development
programs, providing opportunities for mentoring and networking with other
successful women and fostering more flexibility.
Local companies
The report also gave examples of what some local companies are doing to
develop, promote and retain women:
At Santa Clara-based Intel, a comprehensive work/life initiative includes
telecommuting options, child-care services and on-site conveniences such
as laundry, and ATM and postal services. At Sun Microsystems, a program
called ``iWork'' was designed to support a mobile workforce. And at Cisco
Systems, its annual Women's Leadership Forum is an opportunity for the
company's very senior leadership to engage in a discussion about women's
advancement.
*******************************
Federal Computer Week
Energy plan emphasizes computer power
BY Randall Edwards
Nov. 10, 2003
The Energy Department's 20-year plan for science facilities puts a high
priority on increasing research computing capabilities in the United
States.
The DOE plan prioritizes 28 facilities that will support the research
missions of the agency's Office of Science. The facilities will either be
completely new or upgrades to current facilities. By involving several
sites, DOE officials plan to increase the nation's research capability by
a factor of 100.
"These facilities are needed to extend the frontiers of science, to
pursue opportunities of enormous importance and to maintain U.S. science
primacy in the world," Energy Secretary Spencer Abraham
said.
Department officials listed UltraScale Scientific Computing Capability
second among 12 near-term goals on the list, behind top-ranked ITER, an
international experiment attempting to produce a self-sustaining fusion
reaction called burning plasma.
Other near-term priorities include: the Joint Dark Energy Mission, a
partnership with NASA to understand the unseen energy that most
physicists predict exists according to their theories of the universe;
the Linac Coherent Light Source project to provide laserlike radiation
that is 10 billion times greater in power than an X-ray; and the Rare
Isotope Accelerator, dedicated to producing new isotopes not naturally
found on Earth.
In addition to the 12 near-term priority facilities, DOE's plan also
includes eight midterm and eight long-term priority facilities.
"They can make major and necessary contributions to national
security and give us the ability to understand matter at its most
fundamental level," Abraham said.
*******************************
Government Computer News
Liberty Alliance releases privacy best practices
By Joab Jackson
11/12/03
An industry standards body has released guidelines on how to ensure that
online credentialing systems meet privacy laws.
Agencies can use the Liberty Alliance Project's guide when developing
authentication systems, said Christine Varney, a consultant for the San
Francisco alliance whose members' focus is identity management standards.
The best practices released today accompany the release of the alliance's
second set of specifications for federated identity management.
The Privacy and Security Best Practices includes a high-level summary of
how to implement federated identity management systems so that they meet
U.S. and European government privacy laws, such as the Child Online
Protection Act, Health Insurance Portability and Accountability Act, and
European Union Privacy Directive. It also offers guidelines on securing
identity management systems.
The federated identity management specifications lay the groundwork for
setting up Web-based services for authentication. With the specs, vendors
and end-user organizations can start building applications that work
together across systems. The initial round of Web services specifications
includes templates for setting up registration systems and building
employee profiles.
The federated approach to authentication is based on organizations
setting up their own authentication systems that use a standard set of
specifications for exchanging credentials across systems.
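To make the exchange just described concrete, here is an added example (not code from the GCN article, the Liberty Alliance specifications, or any of the companies named): one organization's identity provider issues a signed assertion, and a second organization's service provider accepts it without ever seeing the user's password. The real specifications use XML assertions with XML signatures; this sketch uses JSON and an HMAC over a shared secret so that it runs with the Python standard library alone. The secret, URLs, identifiers and attribute values are all constructed placeholders.

```python
"""
Added example: a toy federated-credential exchange between an identity
provider (IdP) run by one organization and a service provider (SP) run by
another.  This is not the Liberty Alliance protocol; it stands in for it
to show the checks the receiving side must perform.
"""
import base64
import hashlib
import hmac
import json

# Assumed: the two organizations exchanged this per-pair secret out of band
# (constructed value; the real specs use the IdP's public key and XML-DSig).
FEDERATION_SECRET = b"constructed-shared-secret-between-idp-and-sp"

IDP = "https://idp.example-agency.gov"      # constructed issuer name
SP = "https://portal.example-vendor.com"    # constructed audience name


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _encode_body(body: dict) -> bytes:
    # Canonical encoding so IdP and SP sign/verify identical bytes.
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def idp_issue_assertion(secret, issuer, audience, subject, now,
                        ttl_seconds=300, attributes=None):
    """IdP side: mint an assertion bound to one SP (the audience).

    Only the attributes the SP needs are included, and the subject is an
    opaque federated identifier rather than a username or national ID."""
    body = {
        "iss": issuer,
        "aud": audience,
        "sub": subject,
        "iat": now,
        "exp": now + ttl_seconds,
        "attrs": attributes or {},
    }
    payload = _encode_body(body)
    tag = hmac.new(secret, payload, hashlib.sha256).digest()
    return _b64(payload) + "." + _b64(tag)


def sp_verify_assertion(secret, token, expected_issuer, my_audience, now):
    """SP side: returns (True, body) if the assertion is acceptable,
    otherwise (False, reason).  Signature first, then the claims."""
    parts = token.split(".")
    if len(parts) != 2:
        return False, "malformed assertion"
    try:
        payload, tag = _unb64(parts[0]), _unb64(parts[1])
    except ValueError:
        return False, "malformed assertion"
    expected = hmac.new(secret, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return False, "bad signature"
    body = json.loads(payload)
    if body.get("iss") != expected_issuer:
        return False, "unknown issuer"
    if body.get("aud") != my_audience:
        return False, "assertion was issued for a different service"
    if not (body.get("iat", 0) <= now < body.get("exp", 0)):
        return False, "assertion expired or not yet valid"
    return True, body


if __name__ == "__main__":
    t0 = 1_068_660_000  # constructed clock value
    token = idp_issue_assertion(FEDERATION_SECRET, IDP, SP, "user-7f3a", t0,
                                attributes={"role": "contractor"})
    print(sp_verify_assertion(FEDERATION_SECRET, token, IDP, SP, t0 + 10))
    print(sp_verify_assertion(FEDERATION_SECRET, token, IDP, SP, t0 + 600))
```

The order of the checks matters: the signature is verified before any claim is read, the audience check stops an assertion minted for one service from being replayed at another, and the expiry window keeps a captured assertion from being useful later.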
The Liberty Alliance specifications are well-suited to government use,
Varney said, especially given the Office of Management and Budget's and
General Services Administration's recent decision to scrap plans for a
centralized federal authentication gateway.
The Liberty Alliance Project has more than 160 participating
organizations, including GSA, the Defense Department and companies such
as PeopleSoft Inc. of Pleasanton, Calif., Schlumberger Ltd. of New York,
Sun Microsystems Inc. and VeriSign Inc. of Mountain View,
Calif.
Link to Liberty Alliance Document:
http://www.projectliberty.org/specs/final_privacy_security_best_practices.pdf
Link to Liberty Alliance Resource Center:
http://www.projectliberty.org/resources/resources.html
*******************************
Government Computer News
11/11/03
DHS plans cybersecurity summit
By Wilson P. Dizard III
Officials in the Information Analysis and Infrastructure Protection
Directorate of the Homeland Security Department plan to announce details
of the upcoming Cyber Security Summit soon, a department spokesman said.
The summit, which assistant secretary for IAIP Robert Liscouski first
discussed in September, will be held in the San Francisco Bay area,
directorate spokesman Donald Tighe said.
Additional cybersecurity meetings will occur before and after the main
event on Dec. 3, Tighe said. "We are still finalizing plans" for the
location of the conference and the officials who will attend, he said.
Amit Yoran, director of the directorate's National Cyber Security
Division, will take a leading role at the conference.
"The reason that industry and government need to work together in two-way
conversations on cyber and IT infrastructure security ... is to determine
for both sides what opportunities we have and what obligations we have,"
Tighe said.
"We will be announcing goals and plans as we get closer to it," Tighe
said of the conference.
Entrust Inc. of McLean, Va., issued a statement saying that its chief
executive officer, Bill Connor, will work on the Corporate Governance
Task Force that will convene at the summit, and homeland secretary Tom
Ridge and Liscouski are tentatively scheduled to attend.
"The Summit will initiate both planning and action," the Entrust
statement said, "bringing together representatives from across the
critical infrastructures, government and academia, to collaboratively
craft tangible solutions for major security challenges identified in the
White House National Strategy to Secure Cyberspace."
Tighe declined to disclose the exact location of the summit.
(Sept. 22 GCN story: http://www.gcn.com/22_28/news/23616-1.html)
*******************************
Government Executive
November 11, 2003
Defense bill elevates debate on tech security issues
By William New, National Journal's Technology Daily
The House-Senate compromise bill for authorizing Defense Department
programs in fiscal 2004 contains provisions that have raised questions
about software security requirements, as well as abuse of the right to
keep intelligence information secret.
One provision calls for the department to ensure that its recent emphasis
on using commercial, off-the-shelf software will not make sensitive
command, control, communications and intelligence for Defense more
vulnerable. The measure says the department "must be more
proactive" in protecting its information systems and urges
implementation of an "architecture or blueprint" for all of its
information technology systems.
The provision would specify that the blueprint protect against
unauthorized modifications or insertions of malicious code into critical
software and against "reverse engineering" of intellectual
property within that software. Reverse engineering involves taking a
product apart to see how it works in order to duplicate or improve its
functions.
The provision also would direct the department to assess the usefulness
of tamper-resistant security software and other security tools. It says
tamper-resistant software inserts "security-related functionality
directly into the binary level of software code."
Ronald Lee, a partner at the law firm of Arnold and Porter, said that
while the concept of increasing Defense security is not new, what is new
is that "the authorizers are sufficiently concerned and unified
about it to come up with a provision like this."
"They clearly put down their marker here," Lee said. "I
think it's a way of opening dialogue and elevating" the issue. He
added that the language could benefit vendors working on high-end
assurance products and affect procurement and research and development of
defense products.
Lee said the language could lead appropriators to back the idea of an
assessment and technology blueprint and possibly attach conditions on
future funding related to security. And because Defense is seen as a
bellwether for the federal government on some issues, it also could
extend to other agencies.
Another provision would give the National Security Agency (NSA) an
exemption it requested from the Freedom of Information Act (FOIA) for
so-called "operational files." Those files are intended to
involve the technical collection of intelligence, according to Steve
Aftergood, director of the Project on Government Secrecy at the
Federation of American Scientists.
But the exemption could be abused if extended to other types of
intelligence, he said. The provision would relieve NSA from having to
search or review documents for FOIA requests if they are considered
operational.
Aftergood said such documents probably would not have been released
anyway, so the provision "makes some administrative sense."
However, "openness" advocates worry because they say a similar
clause has been abused by other agencies such as the National
Reconnaissance Office (NRO), which builds spy satellites, and the CIA.
The NRO rejected a request for budget documents, calling them
operational, but Aftergood is challenging that rejection.
The compromise version of the provision is narrowed to two NSA
directorates: signals intelligence, which intercepts electronic signals,
and research associations.
*******************************
Computerworld
Privacy study: Job sites tend to share information freely
And they don't always disclose that they track and profile users
Story by Jaikumar Vijayan
NOVEMBER 12, 2003 ( COMPUTERWORLD ) - Job seekers who go to online sites
seeking employment run a considerable risk of having their confidential
information improperly sold, shared or used for profiling purposes.
That is the finding of a yearlong study into the privacy practices of
online job sites released yesterday by The World Privacy Forum, a newly
formed privacy rights nonprofit organization.
The study of more than 70 online job sites, employment kiosks, resume
databases and resume distribution services uncovered several issues of
concern for job seekers, including the sharing and sale of their personal
data and the undisclosed tracking and profiling of users, according to
researcher Pam Dixon.
"We really need a whole new way of talking with job seekers about
how they can look for jobs and not get [their personal information]
tracked, diced and sliced in multiple ways," Dixon said.
Among the privacy problems identified in the survey were the following:
There appeared to be little effort to restrict the collection of data on
online job sites. Job seekers were routinely asked to provide a
substantial amount of personal information that sometimes included Social
Security number and date of birth before they could submit applications.
There were no consistent policies when it came to the collection and use
of ethnic and racial information.
The use of third-party persistent cookies has increased. A job seeker's
confidential data was frequently passed on to third parties and
advertisers.
Even when they give consent, job seekers often may not realize the full
extent to which their data is being used because job search sites have
become much more sophisticated about finding legal ways of sharing
job-seeker data.
The rapid proliferation of employment application kiosks inside malls and
retail stores also presents a problem from a privacy standpoint, Dixon
said. Few have any privacy policies that explain how information such as
Social Security numbers, birth dates and other pieces of personal
information will be used or stored.
Portland, Ore.-based Unicru Inc., one of the largest operators of such
kiosks, for instance, didn't post privacy policies at any of its kiosks
before, during or after personal information was collected, Dixon said.
Unicru's list of clients includes CVS, Universal Studios and Blockbuster.
A Unicru spokeswoman defended the company's practices and said they meet
legal guidelines.
"Unicru fully meets all federal guidelines with regard to hiring for
each of its customers. While there are no current rules or regulations
requiring a privacy statement on a job application, Unicru does recommend
to its customers, as a best practice, that they have such a policy,"
she said. Unicru processes on average one job application every second.
In some cases, information collected for one use was actually being used
for other purposes. FastWeb.com, a major scholarship search service owned
by Monster Inc., for instance, collected ethnic, nationality and
religious information from students, which it then shared with potential
employers looking to fill positions based on diversity.
A spokesman from FastWeb said that in all instances where such
information was passed on to an employer, it was only with the full
consent of the students.
"We have looked into this in depth. We ensure that we are compliant
with every issue in question," the spokesman said.
The privacy policies of companies that maintain personnel databases used
for recruitment at some companies are also suspect, Dixon said.
Cambridge, Mass.-based Eliyon Technologies Inc., for example, has
compiled a database of more than 16 million names from more than 1
million companies. The database contains detailed profiles of individuals
that Eliyon sells to companies, including 25 Fortune 100 firms.
But Eliyon doesn't have a formal privacy policy, doesn't offer an opt-out
policy and doesn't offer individuals a chance to correct the information
in the database, Dixon said. In at least one case during the study,
personal information -- including the names of children -- was included
in an individual profile.
Eliyon CEO Jonathan Stern dismissed the concerns and said the database
only contained publicly available information gathered in Google-like
fashion from multiple Internet sources. All the company does is search
the Web for public mentions and records pertaining to an individual. In
fact, some records that are publicly available, such as legal records,
aren't included in the individual profiles, he said.
Despite such concerns, the news wasn't all bad, according to Dixon.
Since the last survey, which was conducted in 2001, there have been
several improvements, Dixon said. Most job sites are now posting privacy
policies and have a fairly good process for responding to privacy-related
queries. Similarly, fewer sites require users to register prior to
providing access to job advertisements, and more sites are allowing
anonymous access to job listings.
*******************************
Washington Post
Microsoft Warns of Latest Software Holes
By Brian Krebs
Tuesday, November 11, 2003; 6:17 PM
Microsoft Corp. today revealed a serious software security hole that lets
hackers take over people's computers, its ninth "critical"
software warning in the past four months.
Microsoft said the flaw allows hackers to take complete control of
computers running the Windows 2000 and Windows XP operating systems. The
hole is one of at least eight other serious security problems that the
Redmond, Wash.-based software company highlighted today in a posting on
its Web site.
Microsoft labeled the vulnerability "critical," meaning that it
provides a prime opportunity for hackers to take over other people's
computers. It is the company's highest threat level.
The hole is the latest in a long line of vulnerabilities that have
plagued the popular Windows operating system this year. In July,
Microsoft issued an alert about a similar security hole in another
Windows program. One month later, the "Blaster" worm exploited
that flaw to infect hundreds of thousands of Microsoft computers with
instructions to attack Microsoft's security Web site.
Most of the patches released today address shortcomings in previous
patches or new ways of exploiting old vulnerabilities. The security
update released today to fix the most recent batch of Internet Explorer
flaws replaces a patch that was issued last month, which was also a
cumulative update.
The most serious problem lies inside a program called the
"workstation service," which system administrators use to add
new computers to a network and other tasks. If the program receives too
much data the service could crash, giving an attacker the power to
install other programs and view, change or delete data from the computer,
Microsoft said.
The company has received no reports that hackers are exploiting any of
the security holes, said spokesman Sean Sundwall.
Neel Mehta, a research engineer at Atlanta-based Internet Security
Systems, said hackers will likely figure out a way to use the Windows
workstation flaw sometime within the next two weeks.
"Once hackers know a security issue exists, especially one as
serious as this vulnerability, there's a lot of motivation to go ahead
and create an exploit for it," Mehta said.
Windows XP users who applied a patch Microsoft released last month to fix
a security hole in its Windows Messenger service should be protected
against the workstation flaw. Other patches and alerts are located at
Microsoft's Security and Windows Update Web sites.
Most of the other critical security holes in today's posting reside in
recent versions of Microsoft's Internet Explorer Web browser, which the
company said could be tricked by maliciously crafted Web sites or e-mails
into giving attackers control of people's computers.
Microsoft announced several other problems, including two new critical
security vulnerabilities in Windows XP and Windows 2000 PCs running the
Microsoft Front Page Server Extensions Web publishing software. There
also is a security flaw in the company's "digital
certificates," which are designed to verify the authenticity of
secure Web sites and software packages. That flaw was discovered nearly a
year ago, but Microsoft said it will reissue the patch to fix a new
vulnerability that affects certain computers running Windows NT 4.0 and
Windows 98.
It also posted security updates for several recent versions of Microsoft
Office.
Today's batch of updates is the second since Microsoft revised its patch
release schedule to issue software fixes on the second Tuesday of each
month. Microsoft chief executive Steve Ballmer announced the change in
early October in light of criticism that the company is not doing enough
to protect Windows users.
Microsoft said it made the changes to help ease the burden on system
administrators by making its patching process more predictable. But the
shift garnered criticism from one security expert who said it is a public
relations ploy to distract users from fundamental flaws in the design of
its software products.
"Microsoft is tired of taking the heat from all these weekly random
vulnerability announcements, and it seems to have adopted the old adage
'if you can't fix it, feature it'," said Alan Paller, research
director for the SANS Institute, a security training group in Bethesda,
Md. "It's interesting how this regularly scheduled release of
software flaws sort of takes the surprise away," Paller said.
"But it shouldn't take away our sense of outrage."
*******************************
USA Today
Marketers trying to influence Congress on spam
By Andrea Stone, USA TODAY
Posted 11/11/2003 1:12 PM
WASHINGTON -- Jerry Cerasale has a standard line at parties. "I
tell them I'm the guy who calls you at dinner time and fills up your
inbox," he jokes.
But it's no laughing matter for the chief Capitol Hill lobbyist of the
Direct Marketing Association, the trade group that counts telephone
solicitors and e-marketers among its unpopular members.
Last month, Cerasale's group failed to fend off the National Do Not Call
Registry, which since Oct. 1 has put nearly 55 million phone numbers
off-limits to most telemarketers. Now Cerasale is trying to influence
other legislation before Congress in order to preserve his members'
ability to use the Internet to pitch products and services. He fears a
tough anti-spam law will destroy the Internet as a burgeoning marketplace
where businesses can sell their products more cheaply than through print
and TV ads.
"It's not the easiest job," a deadpan Cerasale says.
Not at a time when spam makes up more than half of all e-mails, up from
7% in April 2001, according to the anti-spam software company Brightmail.
The growing volume of unsolicited e-mails hawking diet supplements,
get-rich-quick schemes, body enhancement gimmicks and pornography has
turned one-time foes of anti-spam laws into advocates. Businesses spend
roughly $10 billion a year to battle spam. Many legitimate marketers say
their messages are trashed amid the junk.
Electronic marketers realize they cannot block all anti-spam legislation,
so they're "focused on making it as livable as possible," says
Rep. Gene Green, D-Texas, co-sponsor of a tough anti-spam bill in the
House of Representatives. The Direct Marketing Association and its allies
are fighting that bill, which makes it easier for consumers to avoid
unwanted e-mails than a measure passed by the Senate last month.
Dan Jaffe, a lobbyist for the Association of National Advertisers and a
DMA ally in pushing legislation that won't shut out honest marketers,
agrees. "We're heading into a crisis situation," he says.
"Businesses are facing a serious threat from criminal spammers and
state legislation that could also be devastating."
Good spam, bad spam
Defining spam is among several contentious issues that have stalled
federal legislation. The stumbling blocks virtually guarantee that any
bill signed into law won't clear the nation's inboxes of spam.
The business community says legitimate e-mail marketers are not
misleading or deceptive. Their e-mails include valid physical addresses
that identify the sender and subject matter and give consumers an
"opt-out" option to remove themselves from mailing lists. In
contrast, illegitimate spam is usually misleading and often offensive.
No matter what legislation, if any, eventually passes, few believe
Congress can erect an impenetrable firewall against spam. Only a
combination of tough laws, strict enforcement and new screening
technologies will stem the growth of unwanted e-mail. But experts say
federal legislation to replace a hodgepodge of laws in more than 35
states would be a first step.
Congress has been trying for at least three years to pass an anti-spam
bill. Prospects are much brighter now that industry groups such as the
DMA have dropped their opposition to legislation. Growing public disgust
with spam and recent moves by state legislatures to pass a patchwork of
anti-spam laws help explain the change in attitude.
But while no "pro-spam" lobbyists prowl the halls of Capitol
Hill, plenty want to craft a bill as friendly to their industry as
possible. Among the most interested are lobbyists for direct marketers,
retailers, real estate and, most notably, financial services companies
that offer credit cards and mortgages.
"Everybody will publicly say this is terrible stuff while making
sure to write into the law an exemption for themselves," says Rep.
Heather Wilson, R-N.M., whose bill Cerasale and other lobbyists oppose.
"There is a fundamental fault line between business interests and
consumers."
Wilson personally understands that divide. She became interested in the
issue five years ago, when she received an e-mail at home headed,
"What the federal government doesn't want you to know." When
she opened it, "I found myself on a pornographic Web site,"
Wilson recalls. Now she doesn't let her two elementary-school-age
children use the Internet.
"It's an overwhelming problem" for families as well as
businesses, Wilson says. Her bill would consider any e-mail unwanted if a
consumer does not specifically request it. "I don't make a
distinction between good spam and bad spam," she says.
Loosening the noose?
Consumer groups generally favor Wilson's and Green's bill, which includes
a stricter definition of spam and tough enforcement measures. Businesses
prefer a more broadly worded bill backed by House leaders. It would allow
more e-mail traffic and put limits on who could sue spammers.
Industry lobbyists also like the Senate bill sponsored by Republican
Conrad Burns of Montana and Democrat Ron Wyden of Oregon. But they
disagree with parts of it, including a requirement inserted by Sen.
Charles Schumer, D-N.Y., that the Federal Trade Commission study a
do-not-spam registry.
Critics say the Senate bill is weak and full of loopholes. They note that
it doesn't mandate the registry. It would force consumers to "opt
out" of receiving unwanted e-mails from each affiliate of a company,
which Cerasale admits "could be" a loophole. For banks,
insurance and mortgage companies, that can mean as many as 100 or more.
Under Wilson's bill, one opt-out message would bar e-mails from all of
the company's affiliates.
A group of eight state attorneys general wrote Congress last week
criticizing the Senate bill. They said it "creates so many
loopholes, exceptions and high standards of proof that it provides
minimal consumer protections and creates too many burdens for effective
enforcement."
Paul Wellborn, an Atlanta lawyer who specializes in suing spammers, says
all the measures being considered in Washington "are pro-spam bills
disguised as anti-spam bills." Pre-empting state statutes
"loosens the noose rather than tightens the noose" on illegal
spammers, he says, because many states have stricter definitions of
spam.
That may explain the urgency on the part of lobbyists to pass something
this year. One of the toughest laws goes into effect Jan. 1 in
California. It would allow computer users to sue spammers for up to $1
million.
"California has passed extraordinarily destructive
legislation," says Jaffe, the advertiser lobbyist. "It's
critical that Congress act."
But the industries lobbying for protection are far from united, Cerasale
says. That's why e-marketers haven't run newspaper or TV ads to influence
members of Congress. They've relied instead on what Cerasale calls
"old-fashioned" one-on-one lobbying, such as his recent meeting
with Rep. John Dingell of Michigan, top Democrat on the House Energy and
Commerce Committee.
What's his message for Dingell and other members of Congress?
"My members aren't the real bad guys in this one, yet they will get
affected by it," he says. "You try to argue that you want to
kill the curse without killing the promise."
*******************************
Los Angeles Times
Former State Officials Push Voting Systems
November 12, 2003
Re "Ex-Officials Now Behind New Voting Machines," Nov. 10: Are
these altruistic people concerned about all aspects of the
multimillion-dollar systems? As someone with a 22-year career in software
systems who is concerned about security and testing and has used an
electronic voting machine, I have mixed feelings.
The machines are easy and efficient, yet the systems may not have been
thoroughly and independently tested. Internal and external security
precautions may be inadequate or nonexistent. There may not be a backup
plan if an electricity grid loses power. Tampering and patching could
alter the election results. System developers with a political bias may
have that bias built into the software.
And there does not seem to be a paper trail to assure that each vote
counts as intended. After billions of dollars have been spent, what is to
prevent voting catastrophes?
Joan Forman
Redondo Beach
*******************************