
Clips November 14, 2003


ARTICLES

Bipartisan Debate on Patriot Act Is Urged
Liscouski takes reins of National Communications System
GameSpy warns security researcher
Postal Museum Unveils New Interactive Display
DOD plans central office for issuing smart cards

*******************************
Washington Post
Bipartisan Debate on Patriot Act Is Urged
Legal Tools to Fight Terrorism at Issue
By Susan Schmidt
Friday, November 14, 2003; Page A11

Former deputy attorney general Larry D. Thompson has proposed that a bipartisan commission debate the legal tools that should be employed in combating terrorism.

In a speech before a judicial conference in Philadelphia on Monday, Thompson said he believes that provisions of the USA Patriot Act that are scheduled to expire in 2005 should be discussed by constitutional scholars and lawyers "outside the partisan wrangling of Congress and outside the unhelpful influence of interest groups."

Thompson, who resigned from the Justice Department in August, praised the new powers granted by the act and said he believes there should be "a reasoned, dispassionate and informed debate" to maintain public confidence in the legal tools used in fighting terrorism.

"We certainly cannot afford to allow the provisions of the Patriot Act . . . sunset without the kind of high-level national discussion I am talking about. Too much is at stake," he said. He suggested the White House or Congress could create such a commission.

Some Democrats in Congress, Democratic presidential candidates, civil liberties groups and others have complained that the Patriot Act, approved six weeks after the Sept. 11, 2001, attacks, poses a threat to privacy and civil liberties.

Michael Chertoff, who worked with Thompson as head of the Justice Department's Criminal Division and is now an appellate judge in New Jersey, told the same Philadelphia conference this week that it may also be time to try to find a systematic legal approach to handling "enemy combatants."

Currently, the government designates "enemy combatants," who include terrorism suspects arrested in this country and U.S. citizens captured with the enemy abroad, case by case. Three such people are being held in military brigs, with no access to visitors or lawyers. The approach has been upheld by an appellate court but has generated considerable controversy.

Chertoff suggested it may be time to develop a system by which enemy combatants could contest such designations.

"Inevitably, decisions of war are made with imperfect information," he said. Now that some of the legal and national security problems of confronting terrorism have become clearer, he said, "perhaps the time has come to take a more universal approach."
*******************************
Government Computer News
11/13/03
Liscouski takes reins of National Communications System
By Wilson P. Dizard III
GCN Staff

The Homeland Security Department's Robert Liscouski is adding a new charge to his list of duties as assistant secretary for information analysis and infrastructure protection. He's now the manager of the department's National Communications System.

NCS operates federal emergency telecommunications systems including the Government Emergency Telecommunications Service, the Wireless Priority Service and the Telecommunications Services Priority. All three services provide agencies preferential telecommunications access in the aftermath of a disaster.

Before the creation of Homeland Security, the program was under the aegis of the Defense Department.

As NCS manager, Liscouski will oversee plans for federal telecommunications during emergencies and propose funding for communications emergency preparedness. He must also act as a liaison with industry and other government agencies for planning emergency telecom services.
*******************************
Washington Post
Spammers Target Instant Message Users
By David McGuire
washingtonpost.com Staff Writer
Thursday, November 13, 2003; 11:03 AM

Nicole Fann was shocked the first time it happened.

Fann, a consultant at a Northern Virginia high-tech company, was working on her computer when a new window popped up. It was an instant message from someone called "hot_girl" inviting her to "come check out my website."

She had no idea who sent the invitation and didn't trust the dubious nickname, so she blocked the sender from her Microsoft Network instant message account.

"It's just kind of disconcerting, because the only people I give out my IM [instant messaging] ID to are people I know," Fann said. "E-mail is one thing, but to get an instant message is a totally different experience. It's a lot more intrusive and it's a lot more unexpected."

"Spim," as people are beginning to call unsolicited instant messages, is the latest installment in the growing epidemic of unwanted electronic ads and a further sign that unscrupulous online marketers will seek to take advantage of all of the Internet's communication tools, not limiting themselves to spam or pop-up ads.

"This is part of an overall trend to make people watch advertising," said Chris Hoofnagle, associate director of the Washington-based Electronic Privacy Information Center. "It's kind of a forced consumption and we haven't developed the proper tools to ward off this invasion."

Even for people who grudgingly accept that e-mail spam is here to stay, instant message spam is unsettling, not to mention embarrassing. Unlike e-mail, which people can check at their leisure, spim is an intrusion that presents itself on the desktop with all the annoyance of an unexpected pop-up ad.

Reid Dossinger, a Web developer at a Washington, D.C., nonprofit firm, compared it to a salesman pounding at your front door.

"You have the impression that it's just your friends who are connected to you [over IM]," said Dossinger, who has received unsolicited pornography advertisements at his America Online and Microsoft instant messaging accounts. "It feels like somebody just inserting themselves into your group of friends."

It is not even certain whether Fann's message from "hot_girl" was sent by a real person sitting at a computer or whether the message was generated by an automated program designed to send out hundreds of similar messages to random targets.

It would be fairly easy to automate the process, but not as easy as it would be to write a program to send out millions of e-mail messages, said Matthew Prince, chief executive of Chicago-based Unspam, a consulting firm that advises businesses and governments on how to comply with anti-spam laws.

It's difficult to pin down who is behind instant message spam and how it is sent, and there are no solid estimates available to reveal the size of the problem. But the good news for users is that it's not easy for spammers to send thousands or millions of unsolicited instant messages. Instant message providers like AOL, Microsoft and Yahoo have a lot of control over their instant message networks, and these firms are already committing resources to making sure the spim problem never reaches the same scale as spam.

"There's a small number of points of control and the network managers can throttle the spam much more effectively than they can in the distributed architecture of e-mail," said Jason Catlett, president of the anti-spam organization JunkBusters.

AOL, for example, uses "rate limiting" technology that puts a cap on the size of messages users can send as well as how many recipients they can reach.

"I don't think IM spam has become anything on the scale of the problem that regular spam is," AOL spokesman Andrew Weinstein said.

Weinstein said AOL has other measures at its disposal to block spim but would not provide details, saying it would give spammers clues to get around those techniques.

One tool AOL Instant Messenger fans can use is the "knock-knock" feature, which allows them to choose whether they want to accept a message from an unknown sender. Instant messaging users also can repeatedly "warn" message spammers until they are temporarily kicked off the network.

"Will they find other ways to get back into the system? Yeah, they probably will, but those tools are effective in slowing [spammers] down," Weinstein said.

Microsoft recently updated its instant messaging products to curb spam, said company spokesman Sean Sundwall. Customers using the latest versions of the software can only receive messages from their online "buddies."
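The controls the providers describe above (a cap on message size and on how many recipients a sender can reach, a "knock-knock" prompt for unknown senders, and a buddies-only mode) can be combined in a single gateway policy. The following is an added illustration written for this digest, not code from AOL, Microsoft or the article; the class and function names, the limits (1,024 bytes, 20 recipients per 60-second window) and the constructed burst of messages are all assumptions chosen to show how the pieces interact.

```python
"""Added example: a toy instant-messaging gateway policy combining
per-sender rate limiting, a buddies-only allow-list and a knock-knock
prompt. Names, limits and sample traffic are illustrative assumptions."""
from collections import defaultdict, deque
from dataclasses import dataclass, field


@dataclass
class Message:
    sender: str
    recipients: list
    body: str
    ts: float  # seconds since some epoch


@dataclass
class GatewayPolicy:
    max_body_len: int = 1024              # cap on message size (assumed)
    max_recipients_per_window: int = 20   # cap on reach per window (assumed)
    window_secs: float = 60.0
    # sender -> deque of (timestamp, recipient_count) inside the window
    _history: dict = field(default_factory=lambda: defaultdict(deque))

    def _recipients_in_window(self, sender, now):
        q = self._history[sender]
        while q and now - q[0][0] >= self.window_secs:
            q.popleft()  # expire entries that fell out of the window
        return sum(n for _, n in q)

    def check_rate(self, msg):
        """Return (allowed, reason): size cap first, then recipient cap."""
        if len(msg.body) > self.max_body_len:
            return False, "body too large"
        used = self._recipients_in_window(msg.sender, msg.ts)
        if used + len(msg.recipients) > self.max_recipients_per_window:
            return False, "recipient rate limit"
        self._history[msg.sender].append((msg.ts, len(msg.recipients)))
        return True, "ok"


def deliver(policy, buddies, buddies_only, msg):
    """Decide per recipient: deliver to buddies, drop for buddies-only users,
    otherwise 'knock' (ask the recipient whether to accept an unknown sender)."""
    ok, reason = policy.check_rate(msg)
    if not ok:
        return {r: ("drop", reason) for r in msg.recipients}
    out = {}
    for r in msg.recipients:
        if msg.sender in buddies.get(r, set()):
            out[r] = ("deliver", "buddy")
        elif buddies_only.get(r, False):
            out[r] = ("drop", "buddies-only")
        else:
            out[r] = ("knock", "unknown sender")
    return out


def summarize():
    """Run a constructed traffic sample through the policy and count outcomes."""
    policy = GatewayPolicy()
    buddies = {"nicole": {"alice"}, "reid": set()}
    buddies_only = {"reid": True}
    counts = {"deliver": 0, "knock": 0, "drop": 0}

    def tally(decisions):
        for action, _ in decisions.values():
            counts[action] += 1

    # A friend's message goes straight through.
    tally(deliver(policy, buddies, buddies_only,
                  Message("alice", ["nicole"], "lunch?", 0.0)))
    # Constructed spim burst: 5 messages x 5 random targets = 25 recipients,
    # so the fifth message exceeds the 20-per-window cap and is dropped.
    for i in range(5):
        targets = [f"user{i * 5 + j}" for j in range(5)]
        tally(deliver(policy, buddies, buddies_only,
                      Message("hot_girl", targets, "come check out my website", 1.0 + i)))
    # Later, after the window has expired: buddies-only user drops it,
    # the other recipient is asked via knock-knock.
    tally(deliver(policy, buddies, buddies_only,
                  Message("hot_girl", ["reid", "nicole"], "come check out my website", 100.0)))
    return counts


if __name__ == "__main__":
    print(summarize())
```

The rate limiter is keyed on the sender, which is what makes the "small number of points of control" argument work: a provider can see every message a sender originates and can throttle on reach rather than trying to classify content.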

"IM spam is increasing. It's concerning," Sundwall said. "It has the attention of Congress and the FTC and what we are gearing up for is preventing it from becoming the next big vector for spammers to inundate customers with unwanted messages."

Unlike anonymous spammers, established marketers have not shown much interest in using instant messaging, said Patricia Faley, vice president for ethics and consumer affairs at the Direct Marketing Association (DMA). She said some DMA members have toyed with marketing models that use instant messages for special offers but only after getting a customer's consent.

Faley said the DMA plans to adopt a policy on instant message marketing within the next six months, and the group already is on record opposing "dictionary attacks" where spammers send marketing materials to random accounts.

"We have a policy not to shock, surprise or upset consumers," Faley said.

The Federal Trade Commission is tracking instant message spam but has yet to act on it, said staff attorney Brian Huseman. "We haven't seen a great number of consumer complaints about it so far, but we'll definitely keep an eye on it."

Similarly, Congress and the states have taken no action on instant messaging spam. Sen. Conrad Burns (R-Mont.), who sponsored the CAN-SPAM Act that passed the Senate last month, is monitoring the issue and may act on it next year, said spokesman Grant Toomey.

Instant messaging is not a big revenue generator, but companies have good reason to keep their networks clean, said Matt Rosoff, an analyst at Kirkland, Wash.-based Directions on Microsoft. Microsoft and AOL look at their IM offerings as gateway services that help draw customers in to their paid Internet offerings. Staying competitive requires happy customers.

Under that rationale, IM user Dossinger is a perfect example of why instant message spam needs to be stopped before it becomes an epidemic: "If I got even a quarter of the amount of IM spam as I do over e-mail, there's no way I'd still be using it."
*******************************
CNET News.com
GameSpy warns security researcher
Last modified: November 13, 2003, 3:29 PM PST
By Robert Lemos
Staff Writer, CNET News.com

Online-gaming service provider GameSpy Industries acknowledged this week that it had sent an Italian hacker a cease-and-desist letter requesting that he remove advisories and utilities that highlight vulnerabilities in the company's products.

The Nov. 6 letter bases the legal request on assertions that the advisories and programs created by Luigi Auriemma, an independent researcher, violate the controversial Digital Millennium Copyright Act (DMCA), a law that makes it illegal to break the security that protects copyrighted content. Auriemma posted a copy of the letter to his Web site and on Thursday pulled down the offending files.

While the DMCA is a U.S. law and thus may not apply to Auriemma, GameSpy wanted to put a legal stake in the ground to establish its position on the vulnerability research, said Chris Wildermuth, vice president of corporate communications for the company.

"It's the next step after asking him please not to do this," he said, adding that the company hopes to discourage Auriemma from making further disclosures. "Because we don't know what else he is working on."

The move, however, has been criticized by some lawyers and the vulnerability-research community as unhelpful to their quest of finding security bugs to be squashed and holding software makers to a high standard of quality.

"The problem with the DMCA is that it's so broad and relatively untested," said Jennifer Granick, executive director of Stanford Law School's Center for Internet and Society. Granick has frequently represented hackers and security researchers in such cases. "That's why people hate the DMCA and are so fearful of it."

Security researchers and hackers have long worried that companies might succeed in using the DMCA to quell their reports of vulnerabilities in software products. Hewlett-Packard threatened a security group with legal action under the DMCA after a member released information about the flaw before the company had prepared a patch. And complaints from software maker Adobe led to the indictment and trial of Dmitry Sklyarov and his employer, ElcomSoft, which published a utility for breaking the security of Adobe's e-book format.

To date, the success of such tactics has been mixed. HP backed off its legal action against the security group, Secure Network Operations, and Adobe retracted its support for the criminal prosecution of Sklyarov. Sklyarov was eventually dropped from the case, and ElcomSoft was found innocent of the charges. More recent legal actions against students who have poked holes in a CD copy protection system created by SunComm Technologies and an electronic election system created by Diebold Election Systems have both met stiff resistance.

GameSpy's Wildermuth stressed that the action his company has taken is not against security researchers in general but against one person who, the company maintains, has focused on the company maliciously.

"It is not that we don't welcome people talking about bugs--we do," he said.

Auriemma, an independent researcher, had posted on his Web site several advisories about vulnerabilities in GameSpy's voice chat program, Roger Wilco, and in the company's online game finder, GameSpy 3D. One flaw found by the Italian hacker could have allowed an attacker to break into and take control of GameSpy 3D servers.

"You have to question, why focus on this?" Wildermuth said. "There is not a high degree of criticality. You are not losing people's information. You are basically talking about pirating games."

Auriemma characterizes the collection of information as security research, not an attempt to aid software pirates.

"The stuff is composed (of) my proof-of-concepts (programs to test vulnerabilities) and advisories written to test and explain the bugs in the GameSpy's (sic) products found and signaled (sic) to them a lot of months ago," the Italian researcher wrote in a public posting to a security news group.

The research done by Auriemma focused on finding security flaws and reverse-engineering many aspects of online games, including "Half-Life," "Quake 3," "Soldier of Fortune" and "Tribes," as well as games based on the Unreal engine. While he doesn't recall why he initially focused on Roger Wilco, he said GameSpy didn't pay adequate attention to his bug reports.

"The story of Roger Wilco's bugs, for example, is really incredible," he wrote in an interview with CNET News.com conducted via e-mail. "I released the 2 bugs found in the 2001 version, (and) they patched it, (so) no problems there. The problems happen when they didn't answer to my mails for the other new and partial-old bugs."

The company later patched some, but not all, the flaws, he said.

"My only purpose is (to provide) free information," he added.

GameSpy said some flaws that appear not to have been patched were actually fixed through software changes to its server.

The case is complicated by several factors. Auriemma says he is in Italy, which is outside the jurisdiction of the DMCA. In addition, GameSpy has accused the researcher of conduct that could be considered extortion, saying he asked for a consulting fee before he would show the company the information. If GameSpy didn't pay, he said he would publish the information publicly, GameSpy's Wildermuth said.

"He is basically saying that you have a problem, and I will tell you what the problem is, or else I will publish what it is," Wildermuth said. "From our perspective, he did not seem to be a person just helping us fix some bugs; he was hoping to get compensated for it."

However, Auriemma denied that he ever asked the company for money. Security research firm PivX Solutions, which had previously employed Auriemma as a contractor, severed its relationship with him when GameSpy sent them a similar cease-and-desist letter in June. A PivX executive said all its vulnerability research has been provided to affected companies for free.

"PivX never asked for money from GameSpy nor did PivX submit any type of proposal for work," said Geoff Shively, chief technology officer for the Newport Beach, Calif.-based company.

An executive at another game company that had previously worked with Auriemma said the security researcher had always offered to help for free. Auriemma had found a flaw in that company's product as well. The executive asked that his name and that of his company not be used in this story.

"I can't speak for what he did or didn't do at GameSpy, but he has always acted professionally with us," the executive said, adding that he was surprised at the allegations. "He is totally professional and up-front and honest."

Another security researcher said companies that haven't often dealt with hackers can sometimes misread their intentions.

"Some people think that way just because you say, 'You should fix this problem, and I will tell people if you don't fix it,'" said Chris Wysopal, vice president of research and development at security firm @stake. "Some companies think of that as extortion."

Wysopal pointed to material available from the Organization for Internet Safety, a group promoting responsible disclosure of flaws and of which his company is a member, as a good guide for companies on how to handle security researchers. In the end, he said, going after the person pointing out the flaws is not productive.

"It just doesn't look good to be attacking the messenger," he said. "The person is really trying to help the company's customers."

While Wysopal believed that GameSpy will be hard pressed to apply the DMCA to Auriemma's research, Stanford Law School's Granick thought that the case should be closely watched.

"I don't think anything with the DMCA is an empty threat," she said.
*******************************
Washington Post
Postal Museum Unveils New Interactive Display
By Jacqueline Trescott
Friday, November 14, 2003; Page C03

Navigating a Smithsonian museum, even one of the smaller ones, can be a daunting experience. The National Postal Museum is no exception, with just enough space to tell the story of mail delivery but unable to exhibit more than a tiny percentage of its 13 million objects, mostly stamps.

Beginning today, the museum is dedicating a small corner of its main atrium to an interactive arcade, which will provide additional postal history and a way to look into the museum's holdings. The new feature is called the Ford Education Center. The Ford Motor Co., which has been involved with mail delivery since the Model T, gave the museum $2 million to develop the electronic activities. The museum has two Ford vehicles on view.

"Only 2 percent of our collection is on view. We can only put 50,000-60,000 objects, mostly stamps, on display at once," said Esther Washington, the museum's education director.

Though the materials were designed for all visitors, Washington said, special emphasis was given to the needs of the 4,300 students who tour the facility each year. Since September, more than 16,000 curriculum guides have been downloaded from the museum's Web site.

Visitors to the center will be able to sit at a gray laminated desk shaped like a cancellation mark. In the area are five multimedia stations that contain information about time periods, games and a glossary. There are also special features on various aspects of postal delivery. For example, one reviews the flights Amelia Earhart, the aviation pioneer, took to deliver the mail. In the collection is a stamp with her image, issued by the Mexican government in 1935.

The information available through the education center is distinct from the material on the museum's Web site. (The new center's computer program is called Arago, after the French physicist and astronomer Dominique Francois Arago, a friend of the Smithsonian's original benefactor, scientist James Smithson.)

Postal history during the Civil War and World War II receives the first in-depth treatment. Montgomery Blair, postmaster general during the Civil War, decided that families needed home delivery so they could receive the news from the front. This effort to get soldiers' letters home developed over the next 80 years. During World War II, the government established military post offices and gave soldiers free mailing privileges.

The system also allows a look at recent acquisitions. For example, visitors can learn about the Boutwell Presentation Album, a gift to George S. Boutwell, treasury secretary during Abraham Lincoln's administration. The album, acquired in 1999, contains revenue stamps he had designed for taxes on match, perfumery and medicine companies to help finance the Civil War.
*******************************
Government Computer News
11/14/03
DOD plans central office for issuing smart cards
By Joab Jackson

The Defense Department late next year will open a new central facility to hand out Common Access smart cards to recruits and new personnel at very remote sites, said Mary Dixon, director of the Common Access Card Office of the Defense Manpower Data Center.

The CAC program will continue its decentralized manner of distribution, however. About 900 sites around the world now issue the cards with digital certificates and multiple forms of identification. The central facility will serve areas where it is impractical or costly to set up a card operation, Dixon said.

Because of the high volume of cards for recruits, supplying them from one location is more efficient, Dixon said. She predicted the new facility will produce at least 40,000 cards per year for recruits.

The facility should be ready by October 2004, she said, and initially it will not be contracted out. Dixon declined to reveal the cost of the facility or its location.

Remote registration would begin at a field site, which would gather identifying information about individuals and transmit it to the central facility. Cards would be shipped to the local unit within three days by a form of secure mail such as Federal Express.

One person at the local unit would receive the cards, and a different person would get the personal identification numbers. That would eliminate the risk of compromise should any cards be stolen en route, Dixon said.

So far, the CAC program has issued more than 3.8 million of an estimated 4 million total. The program also has started issuing replacement cards.

With about 12,000 to 15,000 cards going out per day, the initial round should be done by March, Dixon said.

The smart cards go to active-duty service members, civilian employees, contractors and reservists for network authentication, physical access and digital signatures for online transactions.
*******************************
Government Computer News
11/14/03

NIST posts security control guidelines for comment

By William Jackson
GCN Staff

The National Institute of Standards and Technology yesterday released an initial public draft of recommended security controls for federal information systems. The guidelines for mandatory controls are expected to go into effect in two years.

The agency's IT Laboratory drafted Special Publication 800-53 under the Federal Information Security Management Act. SP 800-53 is one of seven NIST publications to be completed over the next two years as a security framework.

Federal Information Processing Standard Publication 200, "Minimum Security Controls for Federal Information Systems," will replace SP 800-53 in late 2005 and will be mandatory for government systems not involved in national security.

Controls include management, operational and technical safeguards and countermeasures that ensure the confidentiality, integrity and availability of government systems.

The current 238-page report is preliminary and covers only guidelines for low and moderate security baselines. "For the high baseline, the number of security controls will increase significantly," the report said. That section will be added to the guidelines next year.

NIST will host a workshop on the high security guidelines at its Gaithersburg, Md., headquarters in March. Public feedback is a prerequisite for moving forward on a high security baseline, the report said.

NIST's Computer Security Division will accept comments on the initial draft of SP 800-53 until Jan. 31, 2004, by e-mail to sec-cert@xxxxxxxx, or by postal mail to 100 Bureau Dr., Mail Stop 8930, Gaithersburg, Md., 20899-8930.

To see the draft:
http://csrc.nist.gov/publications/drafts.html
*******************************