
Clips December 16, 2003




ARTICLES

Finance Sector Bracing for Upswing in Net Fraud
Scientific Research Backs Wisdom of Open Source
Former e-government officials favor governmentwide plan
Bush Signs National Anti-Spam Law
Voting process too important to leave to technology
Group Mobilizes Opposition to New Voting Machines

*******************************
Reuters
Finance Sector Bracing for Upswing in Net Fraud
Mon Dec 15, 10:51 AM ET
By Bernhard Warner, European Internet Correspondent

LONDON (Reuters) - Banking officials and computer security experts predicted on Monday the wave of cyber scams targeting the financial services sector will soar in 2004 as the industry braces for a new onslaught of fraud schemes.


The gloomy prediction comes amid a string of e-mail and Web site spoofing scams preying on banking customers.


Police call the relatively new phenomenon "phishing," so named because fraudsters try to lure unwitting customers into divulging their bank details.


In the past few months, a rash of e-mails posing as correspondence from some of the world's biggest banks have flowed into various e-mail in-boxes. The scams have been reported in Britain, the United States and Australia, to name a few.


"We see phishing as just the toe in the water," said a security expert for one of the UK's largest banks who spoke on condition of anonymity at a summit in London dedicated to security matters in the financial services industry.


"It's like credit card fraud. Phishing is not big yet. But it will be."


TOP SECURITY THREAT


Banks, desperate to protect their reputation and preserve a fast-growing segment of their business, consider online fraud schemes a top security issue.


"The level of concern among our customers about the risk is certainly on the increase," said Nick Sears, vice president of sales for Finjan Software, a California-based security firm that counts some large banks as its customers.


British banks have been particularly hard hit this fall with more than a half-dozen firms, including Barclays Plc, Lloyds TSB and NatWest, posting warnings to customers that they have been the target of fraudsters.


At the summit on Monday, industry officials sounded a sobering note that technological advances will do little to halt the crime wave.


Instead, they said, the best defense lies with the customer.


"At the end of the day, the customer has got to start being more aware of what they're doing online. If somebody came up to you on the street and asked you for your credit card, you're not going to give it away. Why would you listen to an e-mail?" the bank security expert said.


ORGANIZED CRIME


Police blame the crime wave on organized crime syndicates based in Eastern Europe and other regions where law enforcement is ill-equipped to investigate the cases.


Meanwhile, the industry has been scrambling to find a fix of its own. One suggestion is the creation of a "dot-bank" Web domain that would be distributed solely to financial services companies.


A main problem, law enforcement officials say, is that fraudsters can easily acquire a dot-com Web site address that looks like an authentic business Web address.

  



In one version of the scam, bank customers are sent an email directing them to a site that appears to be affiliated to the bank where they are instructed to update their bank details by supplying various forms of personal identification.

"A dot-bank domain wouldn't stop it, but it would certainly narrow down the spoofing opportunity," said Lee Fisher, solutions architect for McAfee Security.
*******************************
Newsfactor
Scientific Research Backs Wisdom of Open Source
Mon Dec 15, 4:13 PM ET
Mike Martin, science.newsfactor.com

Open-source can be faster, better and cheaper than closed corporate software development, say researchers at the University of California, Irvine (UCI) and the National Science Foundation.


In a series of online reports UCI computer science researcher Walt Scacchi is documenting how open-source development breaks many of software engineering's formal rules, representing a new and better approach based on community building.


"This is perhaps a new fertile ground between software engineering and the world of open-source, and maybe what the open-source community can contribute to new academic and commercial development efforts," Scacchi told NewsFactor.


Software Wants to be Free


"Free and open-source software development is faster, better and cheaper in building a community and at reinforcing and institutionalizing a culture for how to develop software," said Scacchi, a senior research scientist at UC Irvine's Institute for Software Research.


"We're not ready to assert that open-source development is the be-all and end-all for software engineering practice, but there's something going on in open-source development that is different from what we see in the textbooks."


Studying open-source projects to understand when the processes and practices work and when they don't, Scacchi and his colleagues hope to help businesses understand the implications of adopting open-source methods internally or investing in external open-source communities.


Bug Influence


Scacchi joins other researchers -- Les Gasser at the University of Illinois, John Noll of Santa Clara University, and UC Irvine's Richard Taylor -- "in applying lessons learned from open-source practices to create new design, process-management and knowledge-management tools for large-scale, multi-organization development projects," said National Science Foundation (NSF) spokesperson David Hart.


Mining open-source project databases, which record hundreds of thousands of bug reports, Gasser and Scacchi are trying to understand how bug reporting relates to software quality.


"These are unprecedented data sets in software engineering research," Scacchi told NewsFactor. "We're thinking of these databases in a 'national treasure' sense. We're never going to get this from a corporate source."


When Open Sources Close Up Shop


While a small number of open-source projects, such as Linux, have become well known, the vast majority fail, Scacchi explained.


Understanding how successful projects, such as the Linux kernel, grow from a few individuals to thousand-developer communities is essential to open-source research.


"In many ways, open-source development projects are treasure troves of information for how large software systems get developed in the wild, if you will," Scacchi said.


Scacchi and colleagues are looking at more than a hundred open-source projects in several categories. On their list of more to explore: network games such as PlaneShift and id Software's Quake; Internet and Web infrastructure projects, such as Apache and Mozilla; and industry-sponsored open-source projects, such as NetBeans from Sun Microsystems and IBM's Eclipse.


Evolution Revolution

  



Informal, agile, and cheaper, open-source development provides faster software evolution. It also quickly spreads expertise through the development community, Scacchi explained.

"Open-source is not a poor version of software engineering, but a private-collective approach to large-software systems," Scacchi said.

"The software-intensive systems in today's world have become so complex that we need every available design tool at our disposal," said NSF program director Suzanne Iacono. "Open-source development has achieved some remarkable successes, and we need to learn from these successes as our systems become increasingly distributed, complex and heterogeneous."
*******************************
Government Executive
December 11, 2003
Former e-government officials favor governmentwide plan
By Ted Leventhal, National Journal's Technology Daily

The federal government should create a flexible, governmentwide information technology plan to cut costs and expand services, including new applications for homeland security, two former senior federal officials said on Thursday at a Hewlett-Packard-sponsored event.

Stephen Squires, Hewlett-Packard's chief science officer and a former senior official with the Defense Advanced Research Projects Agency, and Mark Forman, the former e-government and information technology chief at the White House, said the government should use inexpensive network servers, advanced computer-operating systems, and specialized software applications to create a tech framework that could eliminate redundant systems in federal agencies.

Separately, Forman told reporters that Congress' reluctance to meet the Bush administration's request for a central e-government fund will not thwart implementation of such initiatives.

Hewlett-Packard is repositioning itself as a framework computing company, shifting computer intelligence from desktop systems to networks, and the conference was designed to demonstrate how an "adaptive enterprise" would work for government. "In the future, we will look at computers the way we look at electricity," with portable computer devices that "just plug into the wall," said Bruce Klein, vice president of HP's federal division.

Squires said the Sept. 11, 2001, terrorist attacks demonstrated that the U.S. defense complex had "over-optimized itself to win the Cold War" and needs to be retooled for the 21st century. "The only way the United States will achieve strategic advantage in economic and strategic security is to work with emerging technologies," he said.

Building government-wide systems can create a virtual network of critical resources -- including emergency response and supplies -- that could be activated and monitored quickly, Squires said. With 85 percent of the nation's critical infrastructure in private hands, government and industry must cooperate to build an intelligent communications network that goes "beyond the Internet."

Such a network could track, locate and communicate with "first responders" to emergencies. "The day will come when there will be a building-code requirement in every room for ubiquitous wireless communication," Squires said, "giving business and government a strategic advantage in ordinary times and also during an extraordinary event."

Forman noted that the greatest recent computer innovations have been in infrastructure. The law of diminishing returns shows that devoting money and personnel toward a management problem yields limited results, he said, whereas adaptable computer infrastructures yield greater returns.

Forman said oversight of government technology by House Government Reform Chairman Tom Davis, R-Va., and Rep. Adam Putnam, R-Fla., is moving the government toward a leveraged computer system.

The Linux computer-operating system soon will play a bigger role in federal technology, Forman said. "Linux is more robust; it fits better for heavy-duty applications," he said of the "open source" system that is open to review and alteration. "There's a clear path to Linux for servers."

He further argued that a central e-government fund is not essential for tech deployment, but that continued oversight by the White House Office of Management and Budget is. OMB can go to individual agencies and tell them to "shut down redundant investments and join the common plan," Forman said.
*******************************
Washington Post
Bush Signs National Anti-Spam Law
By David McGuire
Tuesday, December 16, 2003; 10:30 AM

A new anti-spam law signed by President Bush today marks the federal government's first stab at cleansing the Internet of spam, but critics complain that its provisions are too weak and technology experts suggest that it may be impossible for legislation passed by one country to eliminate the global problem of unsolicited e-mail.

The law's most anticipated provision is one that opens the door for the creation of a national "do-not-spam" registry similar to the national "do-not-call" list that the Federal Trade Commission (FTC) launched earlier this year to combat unwanted telemarketing calls.

The Can-Spam Act of 2003 also outlaws the common practice of falsifying the "from" information and the subject lines of e-mail solicitations to make people think they are e-mails from people they know or companies they trust. Instead, they often contain pornographic material or ads for anything from smaller mortgage rates to bigger breasts.

Violators can be fined as much as $6 million and jailed for up to five years, under the law.

Supporters of the legislation say it gives state and federal authorities the tools they need to track down and prosecute the "kingpin" spammers responsible for sending most of the unwanted mail cluttering Americans' in-boxes.

"Our message is the fight has just begun and enforcement has got to be tough, tough, tough," said Sen. Ron Wyden, D-Ore., who first co-authored a spam bill four years ago with Sen. Conrad Burns (R-Mont.).

Wyden said the burden will shift to law enforcers. "I am going to, every few weeks, be checking on whether prosecutors and law enforcement officials are coming down hard on violators of this law," he said.

Opponents say the law makes too many concessions to "legitimate" marketers like those represented by the Direct Marketing Association, opening the door for a tide of e-mail offers that may be more honest but just as annoying.

After years of opposing spam legislation, the DMA endorsed the Can-Spam Act, in part because it preempts stiffer state laws like those on the books in Washington, California and Virginia.

Virginia last week announced its first felony spam indictments, charging two North Carolina men with running a major illegal bulk e-mail operation. Some anti-spam groups say laws like Virginia's could become meaningless under the federal law's less stringent punishments.

The federal law will harm consumers by preempting those sorts of protections, said Rep. Zoe Lofgren (D-Calif.), one of five Congress members to vote against the bill. "If this bill doesn't work, and I don't think it will...we will have to look at [spam] again."

Critics also complain that the law doesn't mandate the creation of a do-not-spam list. Rather, it requires the FTC to study the do-not-spam registry and create one if it deems the idea feasible.

Although FTC Chairman Tim Muris has vowed to enforce the law, he has also questioned whether a do-not-spam list would work as intended.

The bill gives law enforcers some good tools, but won't be a cure-all for the fast-growing spam problem, said Howard Beales, director of the FTC's Bureau of Consumer Protection.

"The majority of spam that drives people crazy is not coming from legitimate marketers, and getting [illegitimate marketers] to comply is going to be just as difficult as it's always been," he said.

Burns and Wyden sent a letter to Muris last week urging him to begin enforcing the spam law "preferably within the first week" after it goes into effect Jan. 1.

"We can think of no better way to put established spammers on notice that the game has changed, and to discourage new ones from entering the sleazy business," the senators wrote.

The U.S. law comes as the European Union tries to get its member countries to adopt its own anti-spam statute. The E.U. law requires companies to get people's permission before sending them e-mail or tracking their locations through their cellphones. It also forbids companies and individuals from installing software on people's computers to track their Internet use. The law leaves it up to the individual E.U. nations to develop their own penalties.

Six E.U. nations have adopted the E.U. law.
*******************************
USA Today
Voting process too important to leave to technology
Posted 12/11/2003 1:36 AM, Updated 12/11/2003 1:36 AM

You can't trust technology, but somehow we always do.
Many objects technological have become background noise -- literally or figuratively. You don't think about it unless it breaks -- there's no dial tone, or the heat doesn't come up, or the engine explodes. We expect things to work. Most of the time they do.

It's not a matter of how old something is. Powered flight's been around for 100 years and I'm still sure the wings are going to come off the MD-88 I'm on.

But the modern Internet is fewer than 10 years old and I always expect my e-mail to arrive in seconds. If you use a spreadsheet and put "=2+2" in a box, you expect to see a "4" appear, George Orwell notwithstanding. But there's a danger to treating any gizmo like an unfailing "black box." There are always human beings involved, and human beings make mistakes. Or worse.

Last month, we -- well, some of us -- voted. Depending on where you live, you may have stuck a piece of paper in a box, or thrown a little mechanical lever, or punched a hole in a card. Or pushed a button -- beep! John Smith gets your vote for school board president.

Or does he?

Electronic voting machines, it turns out, may or may not be counting your votes properly, if at all.

Detractors -- and there are more and more of them -- call it "black box voting." You assume the machine's software is counting the votes correctly, but there's no way to know. But the government must have tested these machines before entrusting our very democracy with them, right?

Maybe. Maybe not.

With black box voting systems, the machine records each vote onto its internal memory via software. And software can be hacked. Coding it to switch every 50th vote from Smith to Jones would be trivial.

Can't happen, you say? There's that trust in technology I mentioned. It can happen. Someone broke into the computers of Diebold, one of the largest makers of electronic voting machines, and downloaded hundreds of staff memos regarding the company's voting systems.

They're a scary read -- software bugs, faked demos to governments, discussions of how easy it is to break into the machines' databases that store the votes. (The memos have since spread far and wide online. A search on "Diebold memos" will find them.)

OK, you say, so the software had bugs. That doesn't mean there was any malice involved, or that anything actually went wrong.

Would that it were the end of it. But it's not. First, there was Diebold's CEO, one Walden O'Dell, who told the Cleveland Plain Dealer in August that he was "committed to helping Ohio deliver its electoral votes to the President next year." Coming from the head of a voting machine company, that's scary.

OK, you say, that was a stupid thing to say. But only a conspiracy theorist would believe it's more than hyperbole from an overzealous exec. There's no indication the machines don't work.

Unless you're in, say, Fairfax, Va., where the county's new e-voting machines (made by Advanced Voting Solutions, not Diebold) apparently subtracted about one out of every hundred votes for Rita Thompson, Republican candidate for school board. She lost by fewer than 1,700 votes.

Oops.

Or in Boone County, Ind., where the software showed 144,000 votes cast. Trouble was, there are only about 19,000 registered voters.

Or Alameda, Kern, or Plumas counties in California -- which do use Diebold machines -- where the e-voting systems reported, somehow, that every single voter cast a ballot for the recall election; that is, no one abstained. In every other county, between one-half and 9% of voters skipped the recall question, but the Diebold machines in these three counties showed 100% participation. That means either the machines discarded thousands of votes (those who abstained) or cast a vote for them. Which do you think is better?

A true cynic (good for you!) might say that we also trust the folks who make and use the mechanical voting systems. But mechanical systems offer two things an e-voting machine doesn't. First there's the clear feedback to the voter -- a piece of paper or a resounding 'click' -- that tells you your vote's been cast. I bet the folks in Fairfax would have appreciated that. Second, it's harder to "hack" a mechanical voting system. Anyone can look inside and see how it works: Here are the paper ballots, here is where the tape is punched. A lot of people have sufficient mechanical aptitude to verify the workings. Not so with software.

Further, it's impossible to get such a system to shift its votes just a little bit. You could make one cast every vote for Jones or for Smith, but that would be obvious. Tricking it into switching, say, one out of every 50 Smith votes into a Jones vote would be darned near impossible.

There have been calls -- loud calls, in some cases -- for "voter-verifiable paper ballots" from black-box machines: something that says "I voted for Smith." If you vote for Smith but your receipt says you voted for Jones (or that you didn't vote at all), you can complain and have something to back you up.

The Electronic Frontier Foundation is working to have this kind of machine be mandatory. But for now it's not. So the next time your expensive piece of software crashes -- or does something unexpected -- think about how you'll be casting your ballot in 2004.

Beep.

Andrew Kantor is a technology writer, pundit, and know-it-all living in Columbus, Ohio; he's also a former editor for PC Magazine and Internet World. Read more of his work at kantor.com.
*******************************
Washington Post
Group Mobilizes Opposition to New Voting Machines
By Brigid Schulte
Sunday, December 14, 2003; Page C04

The fight to preserve democracy in Maryland is being waged from a sunset pink room on the second floor of an orange house in Takoma Park, where a gray cat named Handsome sleeps soundly on the batik-draped sofa.

The freedom fighters, Linda Schade and Kevin Zeese, pad about the house in their stocking feet and jeans, firing off e-mails and calling state legislators and warning citizens that the new, ATM-like voting machines that are becoming all the rage are, in fact, quite nefarious.

Who's to say that the machines -- Maryland just signed a $56 million contract with Diebold Election Systems to purchase 11,000 of them before the presidential primary -- won't misfire and throw elections? Or worse, be programmed to do so?

Without some kind of receipt, they say, there's no way to verify that a vote cast on the touch screen is the vote that's registered.

"Every other machine Diebold makes has a receipt -- ATMs, cash registers," Zeese said. "It just makes no sense that they wouldn't do the same for voting." Especially since Diebold, they say, just agreed to add a paper trail to touch-screen voting machines in San Diego County for free.

And so, under bright posters of antiwar slogans and pro-farm workers' rights celebrations, the Campaign for Verifiable Voting in Maryland goes about its work.

Most of the heavy lifting is done through Schade and Zeese's Web site -- www.truevotemd.org -- a $4,000 investment they made from their own bank account. And many of their comrades in arms in this new virtual reality of e-mail, conference calls and Internet grass-roots organizing -- the woman out on the Eastern Shore, the Republican up in Carroll County -- they've never seen.

But in just a few weeks, the virtual campaign has started an actual tremor. It may be too early to call it an earthquake, but that's what they're shooting for.

A few months ago, state elections officials assured nervous Montgomery County officials that not only were the Diebold machines safe, but that voters didn't really care much if they weren't.

Now, Schade and Zeese are happy to report, they are proving the officials wrong. More than 600 people have gone to their Web site and sent hundreds of the form letter protests to legislators, election officials and county leaders.

Many join because they're worried, writing on the discussion board about funky experiences with the machines -- "smart" cards that didn't work, computers that crashed, screens that went dark leaving no way of knowing whether the machines counted their votes.

Karen Montgomery, a Democratic state legislator, has introduced a bill requiring all voting machines to produce a paper printout that voters can check before pushing the final button and casting their vote.

"Nobody was worried, because nobody knew about it," said Bob Ferraro, who is part of the core of the group, along with Zeese and Schade and a handful of other activists. Ferraro, who works on the receiving dock at a nearby Giant grocery, wears mud-spattered black pants and brown work boots. In his spare time, he serves as president for the Eyes of Paint Branch, a local environmental group.

Ferraro became concerned after reading that nearly 1,000 computer scientists from across the country -- the ones who make the machines -- warned that the machines' accuracy can't be entirely trusted.

The group got its start last summer after a town hall meeting held by Rep. Chris Van Hollen (D-Md.). Nancy Wallace, a local environmental activist, asked him whether he was concerned about the machines. He said that he was, adding that in June, he had signed on to a bill requiring a voter-verified paper trail.

Wallace invited civic-minded friends to her house, including Zeese, Ferraro and Schade, and the movement was born.

Among them, the activists represent an alphabet soup of causes, from legalized drug use to fighting the proposed intercounty connector. They are mostly Democrats and Greens, but Republicans, they say, want their votes counted, too.

"This is definitely a multi-partisan group," Zeese said.

"Republicans think the Democrats are out to steal votes. The Democrats think the Republicans are out to steal votes. And the Greens know they're both right."
*******************************