Clips November 13, 2003



ARTICLES

Tech Security Chiefs Form Alliance
Secretary of State Orders Audit of All Counties' Voting Systems
ACA's hand forced on privacy [Australia]
California regulators ponder VoIP
Computer Technicians Sue CSC to Seek Overtime Pay
Zombie machines fuelling new cyber crime wave
Dell to offer grants for cities to recycle computers
Feds need coordination on high-end computing
Florida county improves health services by integrating data
Corps' IT official discusses lessons from Iraq
Senate Bill Targets Internet Pirates
Voice Authentication Trips Up the Experts

*******************************
Washington Post
Tech Security Chiefs Form Alliance
By Brian Krebs
Wednesday, November 12, 2003; 6:08 PM

Nearly a dozen top technology luminaries are lending their star power to a new think-tank that will look for ways to elevate the status of chief security officers in the private sector, a move that they say will go a long way toward improving Internet security.

The Global Council of Chief Security Officers was formed by former White House cybersecurity adviser Howard Schmidt, who said it helps fulfill a promise he made after leaving the Bush administration earlier this year to make Internet security a top issue in the business community.

"I committed to the White House that when I returned to the private sector I'd make sure this stays as a front page item for corporate boards and for everyone else," said Schmidt, now the chief security officer of online auction giant eBay.

The White House's cybersecurity strategy, released in February, contains plenty of requirements for the federal government to secure its own computer networks but only features recommendations for the business community. The problem with that, say technology experts, is that too many corporations do not devote adequate money and other resources to computer security even though they control 85 percent of the nation's vital networks.

"This whole concept of a CSO is a relatively new thing," Schmidt said. "Ten years ago (chief information officers) had sort of an ill-defined role where many companies didn't know where to put them and how to fund them, and we're seeing much the same thing today in the security space as well."

Schmidt assembled a group with an array of impressive credentials to press for more resources for network security operations, including Microsoft Corp. chief security strategist Scott Charney, encryption pioneer and Sun Microsystems security chief Whitfield Diffie, Oracle Corp. Chief Security Officer Mary Ann Davidson and MCI's Vint Cerf, widely considered the "father of the Internet."

"We really do need to work together, because it's in the interest of all to improve the lot of all," Oracle's CSO Davidson said. "Hackers who are colluding against us are definitely cooperating a lot more than we are right now."

The council also will consult with technology vendors and industry groups to help design more secure products for the next generation of the Internet, Schmidt said.

Cerf said that the council should also encourage more compatibility between different and competing technologies. Failure to do so, especially as the Internet grows into even more of a commercial medium, could prove damaging to online networks.

"Many of us have a long-term connection with the Internet and an interest in seeing it survive well into the 21st century, and there is a great deal going on that could potentially threaten its stability," said Cerf, who also serves as chairman of the board for the Internet Corporation for Assigned Names and Numbers (ICANN), the group that oversees the Internet's addressing system.

In the early 70s, when Cerf helped develop the communications rules that allow computers to talk to one another through the Internet, the network was used mostly by a small number of trusted researchers and specialists who were responsible for maintaining its health and security.

Today, the caretakers of the Internet have expanded to include millions of businesses and home users. In addition, an onslaught of hackers, viruses, worms and junk e-mail continuously use inherent weaknesses in those communications rules, which were never designed with security in mind.

Efforts underway to replace the old standards with more secure rules can mitigate those threats, but only if a significant number of businesses and governments build and retool their networks, said Sun's Diffie.

Schmidt said he hopes the group can live up to its name by expanding its membership outside of the United States.

"None of us kid ourselves to think we're going to solve all of these problems, but this gives us the ability to continue to be cheerleaders in this area," he said.

The council will hold its first meeting in San Jose in January and a CSO summit in San Francisco the following month. U.S. CERT, a new partnership between the Department of Homeland Security and the CERT Coordination Center -- a government funded security watchdog group at Carnegie Mellon University in Pittsburgh -- will oversee the council's day-to-day activities.

Other security chiefs in the group include Motorola's Bill Boni, Dave Cullinane of Washington Mutual, and Rhonda McLean from Bank of America, as well as former Citigroup security head Steve Katz and Will Pelgrin, director of the New York State Office of Cyberspace Security.

The council is on the web at:
http://www.csocouncil.org.
*******************************
Los Angeles Times
Secretary of State Orders Audit of All Counties' Voting Systems
Review of upgraded touchscreen software leads to discovery that two registrars installed it without state's OK.
By Allison Hoffman and Tim Reiterman
Times Staff Writers

November 13, 2003

Responding to revelations that at least one county used unapproved voting software in the Oct. 7 recall election, Secretary of State Kevin Shelley has ordered an audit of voting systems used in all 58 California counties.

State elections officials reviewing an upgraded version of Diebold Inc.'s Accuvote touchscreen voting machines for future certification were told by company employees that the new software had already been installed in Alameda and Plumas counties -- without state approval.

The software had been certified by a federal panel for use in the states.

"We believed that with the federal certification [of the software], we were meeting state certification," said Diebold spokesman David Bear. He said the company would cooperate with the audit.

Shelley also said he would require the chief executive of each voting system company to affirm, under penalty of perjury, that no significant changes be made to elections systems or software without asking for approval from the secretary of state's office.

Terri Carbaugh, a spokeswoman in the secretary of state's office, said, "From our point of view, modifications to software require certification."

Alameda and Plumas counties are the only two in California using the Diebold touchscreen systems. Bradley Clark, Alameda County's registrar, said that the new software had been installed before the recall election, but Kathleen Williams, Plumas County's registrar, said that she had not installed the upgrade before the election.

Los Angeles County Registrar Conny B. McCormack said the incident highlighted ongoing uncertainty in Sacramento about how to regulate electronic voting.

She said all counties in the state, whether they use electronic or mechanical voting systems, had installed significant software upgrades in the past several years to accommodate changes to primary voting and to handle the unique recall election itself.

"All of us have made changes to our software -- even major changes -- and none of us have gone back to the secretary of state," McCormack said. "But it was no secret we've been doing this all along. [Shelley] knew we were making changes."
*******************************
Australian IT
ACA's hand forced on privacy
Selina Mitchell
NOVEMBER 13, 2003

THE telecommunications watchdog has been "forced" to set new rules to protect sensitive consumer information stored in a huge national database.

The Australian Communications Authority will create a standard controlling the use of information stored in the Integrated Public Number Database, after discovering phone directory companies were misusing the information.
The Database contains the personal details of every Australian with a telephone number, including home, holiday, mobile and all other possible contact details.

The information is used by police and emergency services as well as for the production of telephone directories and directory assistance services.

Until now use of the information in the database has been governed by an industry code administered by the Australian Communications Industry Forum.

The ACA discovered consumer information was being used for purposes other than those set out in the code by a number of companies after it began investigations into an incident which occurred earlier this year.
*******************************
CNET News.com
California regulators ponder VoIP
Last modified: November 12, 2003, 5:49 PM PST
By Ben Charny

California public utility regulators will meet Thursday in a much-anticipated showdown with Internet phone providers.

At the meeting, the five-member California Public Utilities Commission (CPUC) for the first time will hear details from a report that commission staff prepared on the issue, which is expected to heavily sway future decisions.

The commission will also come face-to-face with a lawyer for voice over Internet Protocol (VoIP) provider Vonage, one of six VoIP providers the state has asked to seek a traditional telephone license. A Vonage spokesman said one of its attorneys will read a prepared statement to the commission.

"We welcome them to an open dialogue," a Vonage spokesman said Wednesday.

California is one of a dozen states that favor imposing traditional phone rules on VoIP providers. Some states, such as California, have already begun regulating VoIP providers, while others, including New York, have just begun exploring the issue. In a move largely backed by traditional phone companies, states want to regulate VoIP providers because it generates much-needed fees to fund necessary phone services like 911. But VoIP providers say their rules apply only to calls that travel over a traditional phone network. VoIP calls use the Internet instead.

At stake is a key distinction between voice services, which have in the past used the Public Switched Telephone Network, and data services such as the Internet. Unlike phone networks, data networks have been left largely unregulated and untaxed to help spur growth. This has raised concerns for groups such as the Multistate Tax Commission that Internet-style services could jeopardize billions of dollars in state funding for programs including universal telephone service, 911 emergency services and the E-Rate school technology fund.
*******************************
Los Angeles Times
Computer Technicians Sue CSC to Seek Overtime Pay
The lawsuit could mark the start of a wave of litigation targeting the technology sector.
By Lisa Girion
November 13, 2003

Computer Sciences Corp. was accused Wednesday of cheating thousands of computer technicians out of overtime pay in a lawsuit that could open the technology industry to the same class-action litigation that has forced millions of dollars in back wages from fast-food chains and retail outlets.

The suit, filed in U.S. District Court in Los Angeles, alleges that the El Segundo company owes back pay to all systems administrators and other technical employees who have not received time-and-a-half compensation for work in excess of 40 hours a week.

The plaintiffs, two former CSC employees in Connecticut, seek to represent a proposed nationwide class of workers who earn as much as $50,000 or more installing and maintaining computer software and equipment for CSC clients.

A spokeswoman for the company, which employs about 92,000 people worldwide, said she could not discuss details of the suit.

"CSC has always strived to comply with all state and federal laws," said the spokeswoman, Janet Herin. "Based on what we know at this time, we believe that we are compliant. We have not been served with this complaint and have no further comment at this time."

The suit, which cites federal overtime law, is believed to be the most sweeping effort to win overtime pay for computer workers who do not write software or design systems, according to several labor lawyers. It is expected to test state and federal statutes adopted since 1996 that allow companies to avoid paying overtime to certain computer professionals.

In order to exempt an employee from the federal overtime mandate for computer professionals, companies must prove, among other things, that the worker in question earns at least $27.63 an hour (the equivalent of $57,500 a year) and is primarily engaged in software development or other independent, creative work.

"This could line up to be a very good fight," said Frank Cronin, a labor lawyer for Snell & Wilner in Irvine, a firm that represents employers. "It will be watched by others in the industry because there are hundreds of other smaller firms that have people doing the same work. This could be a landmark case.... An awful lot of these jobs are right on that borderline."

Class-action overtime lawsuits have swept through the restaurant and retail industries. More recently, banks have been the targets of such litigation, and insurance companies have taken some of the biggest hits.

California Chamber of Commerce Vice President Fred Main said "it was only a matter of time" before computer workers were the subject of overtime suits.

"They get paid a lot of money, so if you can get them out of the exemption for computer professionals, then you can make a significant amount on a class-action claim," Main said. "It's potentially far more lucrative than reclassifying the shift manager at a fast-food joint."

Steve Zieff, a San Francisco lawyer who represents the computer workers, won a $90-million overtime verdict against Farmers Insurance on behalf of 2,400 claims adjusters. Zieff said he believed that alleged overtime violations in the information-technology industry went beyond CSC.

He said he and other lawyers on the case had received similar complaints from employees of other computer firms.

"It doesn't matter what you call someone; it matters how you spend your time," said James Finberg, a San Francisco attorney who has represented insurance adjusters and fast-food restaurant managers in overtime suits and is also representing the CSC plaintiffs.

"There is a specific exemption for people who are developing software, but that's not what these people are doing," he said. "They install software and answer questions."
*******************************
USA Today
Zombie machines fuelling new cyber crime wave
By Bernhard Warner, Reuters
Posted 11/12/2003 6:06 PM

LONDON -- The rapid growth of broadband home computer connections may be inadvertently fuelling what police suspect could be the start of a new crime wave -- cyber-blackmail.
As more homes connect to faster delivery systems, their computers are becoming vulnerable to hackers and virus writers who can turn them into "zombie" machines, ready to carry out any malevolent command.

Favorite targets for the extortionists -- many thought to come from eastern Europe -- have been casinos and retailers, but one recent high-profile victim was the Port of Houston.

"At the end of the day, this is old-fashioned protection racket, just using high-tech," said a spokeswoman for Britain's Hi-Tech Crime Unit.

On Wednesday, UK cyber crime cops made a plea to businesses to report attacks against their Internet businesses following a recent string of incidents with the blackmailing trademark.

Police have seen an increase in the number of distributed denial of service (DDoS) attacks targeting online businesses.

In some cases, the attacks, which can cripple a corporate network with a barrage of bogus data requests, are followed by a demand for money. An effective attack can knock a Web site offline for extended periods.

Hitting the slots

Online casinos appear to be a favorite target as they do brisk business and many are located in the Caribbean where investigators are poorly equipped to tackle such investigations.

In 2001, cyber forensics expert Neil Barrett told Reuters that his firm Information Risk Management was working with Internet casinos to shore up their defences against a spate of DDoS attacks.

At the time, he said the denial-of-service barrages were followed by demands to pay up or the attacks would continue. He said the attacks appear to have come from organized criminal groups in Eastern Europe and Russia.

Police said because of a lack of information from victimised companies, they are unsure whether these are isolated incidents or the start of a new crime wave.

Whatever the motive, DDoS attacks are on the rise, coinciding with the proliferation of broadband deployment in homes. Security experts believe the increasing number of unsecured home PCs may be a major culprit.

New Internet- and e-mail-borne computer infections are hitting home computers, turning them into zombie machines that can be controlled by outsiders without the owner's knowledge, security experts say.

Such infected machines can be told to send e-mail spam or even be used to initiate or participate in a denial of service attack against another computer.

"Home broadband computers are going to be the launching point for a majority of these," said Richard Starnes, director of incident response for British telecoms firm Cable & Wireless and an advisor to Scotland Yard's Computer Crime Unit.

Last week, the online payment service WorldPay admitted to suffering a major DDoS attack that lasted three days. WorldPay, owned by the Royal Bank of Scotland, has been fully restored.

The NHTCU spokeswoman said the investigation into the WorldPay attack is ongoing.
*******************************
USA Today
Dell to offer grants for cities to recycle computers
By April Castro, Associated Press
Posted 11/12/2003 7:57 PM

AUSTIN -- Dell is strengthening its push to recycle old computers, awarding $10,000 grants to 12 cities around the country to host computer recycling drives.
The grants will be used to organize, promote and recycle computer equipment.

The 12 cities will be selected by a review board based on various factors, such as community need and interest.

"These events are intended to keep reusable and recyclable equipment out of landfills while raising awareness of responsible product end-of-life options," said Pat Nathan, Dell's sustainable business director.

Dell has been the subject of criticism from environmentalists who say the Round Rock-based company doesn't do enough to protect the environment. They contend the most dangerous ingredient in old computers is lead from cathode ray tubes and solder used on the motherboard.

Dell began recycling computers from consumers last fall, when it offered the service for free -- if the customer shipped the machine to Dell, a costly proposition. In March, the company switched to a $15 fee and offered to pick up the old machines. Now Dell will pick up old computers for $7.50.

Dell advanced 66 cents to close at $35.67 Wednesday on the Nasdaq Stock Market.
*******************************
Federal Computer Week
Feds need coordination on high-end computing
BY Diane Frank
Nov. 12, 2003

Central coordination of federal high-end computing investments is critical as the supercomputing arena competes with high-profile technology needs for fewer budget dollars, experts said today.

For many years, the federal government comprised most of the high-end computing environment, but today it is only a fraction of the market, which is now focused on commercial products instead of scientific and national security needs. That has raised concerns in the Bush administration, and in Congress.

However, any new policy must be tied to federal needs and missions, because it's easy to get "really cool technology" that's not truly helpful, said Dona Crawford, associate director for computation at Lawrence Livermore National Laboratory. She was speaking on a panel sponsored by the IBM Corp. Center for the Business of Government.

A new report by the center highlights the need for coordination within the federal government. What is high-end computing today will be mainstream technology tomorrow, said Juan Rogers, a co-author of the report, associate professor of public policy and director of the research value mapping program in the Georgia Institute of Technology's School of Public Policy.

Even more important, the United States must have a high-end computing policy driven by sustained results, not emergencies or specific events, Rogers said.

"Rather than studying for an exam in a class, you want to learn the skills to be able to apply them over and over," he said.

The High-End Computing Revitalization Task Force is intended to provide coordination among agencies, and between mission and investment, said John Grosh, a project manager in the Office of the Deputy Undersecretary of Defense for Science and Technology.

The task force -- made up of about 60 people from agencies including the Defense Department, NASA, the Environmental Protection Agency, and the Office of Management and Budget -- has a draft of a five-year road map for advancing the federal high-end computing investment portfolio, Grosh said. The map focuses the government on specific portions of the high-end computing environment, such as clusters and advanced architectures, and provides a process for moving from basic and applied research to advanced development, experimentation, and testing and evaluation.

That report has gone through the Office of Science and Technology Policy and OMB. Administration leaders should be briefed on it in the next few months, Grosh said.

Bush administration officials and Congress are interested in the United States' high-end computing capabilities, and "the timing is right, the window is open to attempt to improve the state of play here," he said.
*******************************
Government Computer News
11/13/03

White House should oversee spectrum, new report says

By Joab Jackson
GCN Staff

The White House must take over management of the nation's airwaves, the Center for Strategic and International Studies advises.

In a new report, Spectrum Management For the 21st Century, the center recommends a number of steps to quell increasing fights over existing spectrum space:

Develop a national spectrum strategy
Increase research support for technologies that make better use of the spectrum
Establish a spectrum oversight advisory board
Implement White House oversight.

The Federal Communications Commission now oversees commercial use of the nation's airwaves, and the National Telecommunications and Information Administration handles government use.

In the past few years, companies have pressured both agencies to change existing spectrum holder rights. New wireless technologies, for instance, have spawned a call from many IT companies for the Defense Department to relinquish some of the spectrum reserved for national security needs.

At a House briefing yesterday, the center presented its report to Rep. Tom Davis (R-Va.), chairman of the House Committee on Government Reform.

Davis said his committee will weigh the report's findings, along with the results of five ongoing General Accounting Office reviews and a Presidential Spectrum Policy Initiative study commissioned in June.

"This is a very good start," Davis said.

The GAO reports are due early next year, and the presidential report in May, said Grace Washbourne, a committee staff member.

She cautioned, however, that it might be years before any spectrum reform legislation is introduced because of the issue's complexity and the need for independent evaluations.

A team of advisers from both telecommunications companies and government agencies -- including DOD, FCC and NTIA -- drafted the Center for Strategic and International Studies report.

The center is a private research organization that studies global issues. To order the report, see <http://www.csis.org/pubs/2003_spectrum.htm>.
*******************************
Government Computer News
11/13/03
Florida county improves health services by integrating data
By Trudy Walsh

Orange County, Fla., is juicing up its health and family services case management system to boost efficiency and give health workers a clearer view of their clients' cases.

The Health and Family Services Department is adopting a browser-based case management system from Softscape Inc. of Wayland, Mass.

Since February, the department has been using Softscape's CaseOne software for medical case management, outpatient services and referrals to specialists, said Pete Clarke, deputy director of the department.

The system runs on an intranet within the county's firewalls, Clarke said.

Before, the data had resided on several standalone mainframes in multiple formats, said Kris Richarde, the department's supervisor of application development.

The department plans to eventually use the Softscape app to separate out patients that require intensive monitoring and care, such as patients with diabetes or asthma.

The CaseOne system has between 100 and 150 users, mostly nurses, administrators and social workers, Richarde said.

The system uses a group-level security scheme, she said. Each group -- such as social workers or nurses -- has its own system administrator and predefined level of security.

The system complies with the Health Insurance Portability and Accountability Act of 1996.

Passwords are carefully controlled, Richarde said. The software automatically logs users off after a period of inactivity, she said. After three unsuccessful log-in attempts, users must call their sysadmin to reset passwords.

The system accesses records for 30,000 patients in an Oracle Corp. database.

CaseOne works with Oracle, Microsoft SQL Server and IBM DB2 databases, said Kim D'Augusta, vice president of government sales for Softscape. It also has an application server built in C++.

"It's been our dream for a long time to have a single database," Clarke said. "We have folks that go from program to program. They overlap." With multiple systems and databases, it is harder to track patients' needs, he said.

Clarke gave the example of a patient with asthma. "It could be he actually has asthma. Or it could be he just doesn't have adequate ventilation in his home," Clarke said. The solution could be as simple as moving the person to a room with a window.

In a year or so, Richarde expects 70 percent of the records for the county's Health and Family Services clients will be on one system.

From both an IT perspective and a business perspective, "it makes our life a lot easier," Richarde said.
*******************************
Government Computer News
11/12/03
Corps' IT official discusses lessons from Iraq
By Dawn S. Onley

Although the Marine Corps deployed its most advanced systems in Iraq, there were still technical snafus, deputy CIO Debra Filippi said today.

The Corps had problems communicating on the move, identifying enemy and friendly units, and crossing the digital divide between operational and tactical forces, Filippi said at an Armed Forces Communications and Electronics Association's Northern Virginia chapter luncheon. The service is reviewing its experiences and deciphering how best to make improvements in its deployable IT, she said.

The Marine Corps Tactical Data Network extended 375 miles ashore, and new command, control, communications and computer systems debuted and were successful, Filippi said.

Still, the Corps had difficulty integrating the many so-called Blue Force Tracking systems used throughout the battlefield into a single common operational picture of friendly and enemy forces, she said. Despite the use of updated troop-tracking software, each of the services saw only a partial picture of enemy and friendly forces.
*******************************
Government Computer News
11/12/03

Is government ignoring the threat of cyberterrorism?

By William Jackson
GCN Staff

The government has not been taking the threat of cyberterrorism seriously enough, according to the author of a new book on the subject.

Dan Verton, author of Black Ice: The Invisible Threat of Cyberterrorism, said the private sector has forestalled regulating privately owned critical infrastructure components despite government recognition of their importance to national security.

"If we are going to call them national security concerns, we should start treating them like national security concerns," he said during a speech at the Cato Institute in Washington.

Verton criticized the IT security community for what he called appeasement, accepting unacceptable levels of risk and focusing on past threats rather than future dangers.

"This is going to be one of the primary battlefields of the future," he said. "We need to have a discussion of cybervulnerabilities today, before the next failure occurs."

George Smith, a senior fellow with Globalsecurity.org of Alexandria, Va., and co-editor of vmyths.com, which combats what it calls computer hysteria, was less critical of the state of IT security.

"We haven't seen any direct physical attacks that fit the prognostications of the doomsayers," Smith said.

He said reports of cyberthreats too often are accepted without critical evaluation and that there is a high level of "flake factor" in cyberterrorism discussions.

The background of the two men was reflected in their approach to cybersecurity. Verton -- a former Marine with a crewcut, suit and tie -- presented the threat in military terms of victory or defeat. Smith -- bearded with an open collar and generally rumpled -- cautioned against mistaking hype for facts.

But both agreed that the reactive nature of security today is inadequate for keeping pace with the quickly evolving nature of threats to the IT infrastructure.
*******************************
Government Computer News
November 12, 2003
Agencies urged to seek outside input on e-gov projects
By Amelia Gruber

Four agencies should pay more heed to outside input on their electronic government projects, the General Accounting Office recommends in a new report.

President Bush's management agenda established 24 e-government initiatives aimed at providing citizens with greater access to federal agencies and improving efficiency in government.

Managers in charge of the Office of Personnel Management's e-payroll initiative, which aims to reduce the number of agencies processing federal employee paychecks from 22 to four, have done a good job of fostering collaboration among the agencies designated as future payroll providers, GAO reported.

But OPM needs to fully involve all agencies slated to use the consolidated system in the project, GAO said. The agencies need to agree upon a common set of payroll standards, the report (GAO-04-6) explained.

OPM has adequately canvassed agencies for suggestions, GAO said. Even so, reaching a consensus will likely prove challenging, the report predicted. "Unless OPM places increased emphasis on collaboration as governmentwide standards are developed and consolidation of payroll systems progresses, it will be at increased risk that the consolidated systems will not meet the needs of all federal agencies," GAO cautioned.

For instance, Veterans Affairs Department officials told GAO that OPM rushed them into choosing the Defense Finance and Accounting Service as a future payroll provider. VA later found that "migrating to the DFAS would be costly and inefficient, because VA would have to separate its payroll system from its human resources system."

OPM has the "ultimate authority in deciding how payroll operations are to be consolidated," but risks interfering with the project's overall schedule by "not fully considering stakeholder concerns," the report said. In response, OPM officials said they would continue holding discussions with VA to resolve concerns.

Three other e-government initiatives could also benefit from more outside input, GAO said. The Interior Department should encourage state and local officials to become more involved in its geospatial one-stop initiative, a project to gather geospatial data in a central location, the report recommended.

The General Services Administration should solicit advice from agency chief financial officers on its integrated acquisition environment project, designed to facilitate more efficient procurement, GAO said. And the Small Business Administration was urged to get more advice from potential users of its proposed "business gateway," which would reduce paperwork for small businesses and provide them with information on relevant laws and regulations.
*******************************
Washington Post
Senate Bill Targets Internet Pirates
By David McGuire
Thursday, November 13, 2003; 10:25 AM

People who steal copies of films and albums and post them on the Internet before their official release dates could face felony charges under legislation scheduled to be introduced Thursday in the U.S. Senate.

Authored by Sens. John Cornyn (R-Texas) and Dianne Feinstein (D-Calif.), the Artists Rights and Theft Prevention (ART) Act makes it easier to prosecute suspected pirates who offer "pre-release" movies and music online.

"We're trying to go after the pre-release stuff that is absolutely killing any potential revenue for one of the segments of our economy that's doing well," said Don Stewart, a spokesman for Cornyn. The movie studios and record labels are "just absolutely getting clobbered."

The movie and record industries are eager to stamp out pre-release piracy, which they see as one of the most dangerous trends facing their respective industries. This year alone, blockbuster films like "The Hulk" and "The Matrix Reloaded" hit the Web before they hit the theaters. More recently, popular hip-hop artists Jay-Z and G-Unit had to bump up the release dates for their albums when pirated copies hit the Internet.

Internet movie piracy is costing the major studios up to $1 billion a year in lost revenue, according to Macrovision Corp., which develops anti-piracy technology. The largest music publishing and distribution companies lost $700 million to digital file sharing in 2002, according to a report from the Boston-based Forrester research group.

For movie studios, which count on earning revenues from film releases from the time they hit the theaters until well after they come out on DVD, pre-release piracy is especially galling, said Motion Picture Association of America spokesman Rich Taylor.

"If it happens before a film can even penetrate the darkness of the theater for the first time, obviously it has grave consequences," Taylor said.

Under current law, felony charges apply only to piracy suspects who distribute 10 or more copies of pre-release albums and movies, with a retail value of more than $2,500. Under the Cornyn-Feinstein bill, felony charges could be filed against people who share pre-release entertainment online, regardless of the number of copies or its value.

On the Internet, where many pirated goods are offered free over peer-to-peer networks, it can be difficult to place a dollar figure on a single act of piracy. That difficulty has made it harder to prosecute even the most egregious cases of copyright infringement, Stewart said.

For the movie and music industries, which have often faced staunch opposition in their efforts to push stiffer anti-piracy laws, the Cornyn-Feinstein bill could be a slam-dunk. While civil liberties advocates have opposed efforts to topple peer-to-peer networks or impose copyright-friendly technological standards on personal computers, this bill is unlikely to face much opposition.

Public Knowledge President Gigi Sohn said the bill addresses the concerns of copyright owners without trampling consumers' constitutional rights. "To us it's a narrow bill, but for them it's a huge problem and this is a good way of taking care of it."

"To the extent that the bill remains focused on those ... problems, it doesn't raise much of a problem for us," Sohn said, adding that she hopes the legislation marks the start of a new approach for the music and movie industries.

"Focus on illegal behavior and not on outlawing technology," she said.

Stewart said it's unlikely that the legislation will go anywhere before Congress goes home for the holidays, but the senators want to use that time to seek support from their colleagues.

Senate Judiciary Committee Chairman Orrin Hatch has already signed on as a co-sponsor.
*******************************
New York Times
November 13, 2003
WHAT'S NEXT
Voice Authentication Trips Up the Experts
By ANNE EISENBERG

IT'S not easy to recognize speakers solely by their voices. A voice on an audiotape might be that of Osama bin Laden, but it might also be that of a skilled imposter.

It turns out, though, that computers can help humans in the tricky task of speaker recognition, using their huge memories, pattern matching and fast processing to search a database and pair the sound of a voice with its owner.

Computer-based applications of speaker recognition are gradually expanding, and already include intelligence gathering and telephone transactions, in which sellers reduce the risk of fraud by making sure that the voice on the line is in fact that of the credit card's owner.

But the underlying technology is still far from foolproof, so a small band of researchers is working to refine its accuracy and consistency.

Some of the researchers say they are finding the task harder than they had expected. "In principle, this is a very simple problem," said George Doddington, a speaker recognition expert in Orinda, Calif., who is a consultant to the federal government. "It's a binary decision - is this person who he claims to be or not?"

But accuracy has been hampered by many difficulties, from the differences in telephone connections and microphones to the inherent variability of the human voice.

"Voice characteristics vary with your age, your metabolic state, your emotional state and all the ways you can say 'yeah,' " Dr. Doddington said.

"You'd think we could exploit the differences for recognition," he said. "But people's voices are different at different times."

Adding to the difficulty are the varied circumstances in which voices are recorded. People talking in a studio sound different from people talking on a car phone. To do a good job, authentication programs must account for all these sources of variation.

To spur research in the technology, the National Institute of Standards and Technology in Gaithersburg, Md., enlists many scientists in annual evaluations to see how their computer programs stack up in matching unidentified voices with the actual speakers.

The task set for the competition is a tough one, said Alvin F. Martin, a mathematician at NIST and one of the organizers of the event, which uses recordings of telephone conversations. The contestants' programs have to determine if two speech excerpts are from the same speaker. "But they don't know in advance what words they will be dealing with," Dr. Martin said.

This is a far harder task for programs to handle than word-for-word matching of passwords or code numbers, a standard approach of traditional authentication software. "Instead, they are matching speech on different things at different times," he said.

Dr. Martin said that the technology had improved strikingly in the last few years, particularly in mining other characteristics of voice beyond the physical ones related to a speaker's vocal apparatus. "We are learning to take advantage of many other kinds of information from the speech signal," he said, "like word combinations that speakers typically use."

Douglas Reynolds, a senior staff member at the Massachusetts Institute of Technology's Lincoln Labs in Lexington, Mass., is among the researchers who have worked on extending the traditional range of acoustic information analyzed, adding characteristics like pitch, pauses and pronunciation style. Information like this should prove highly useful in applications like audio mining, in which computers search tapes to identify particular speakers.

"If you have archived meeting minutes or news broadcasts and you want to know who is speaking, you want to squeeze as much information as you can from the speech signal, because you can't get more," Dr. Reynolds said.

At I.B.M.'s Thomas J. Watson Laboratory in Hawthorne, N.Y., Ganesh Ramaswamy and his group of researchers are using multiple sources of information from a conversation to develop their technology, which they call conversational biometrics.

"We look not just at the voice," Dr. Ramaswamy said, "but at what you say and how you say it."

The I.B.M. technology is intended for use in authenticating transactions like gaining access to credit card account information over the telephone. I.B.M. enrolls people in the program by asking them to read from a magazine for 30 seconds. "Any magazine is fine," Dr. Ramaswamy said. "When people speak this long, you get enough of an idea of the frequency content of the various sounds in their voices." The program also creates a model of other details like pronunciation.

This might suffice to authenticate a voice in simple cases, he said. "If someone is calling from a home phone and the voices match along with the phone numbers, that might be the end of it."

But the system has programming to deal with more complicated situations; it asks questions of the speaker and decides whether the answers are adequate. "The acoustic verification runs in parallel with the speech recognition," Dr. Ramaswamy said. "It will ask a lot more questions for a $1,000 transaction than for a $10 one."

Applications of voice verification research are gradually showing up commercially. A recent survey of voice-based biometrics by Judith Markowitz, a consultant based in Chicago, listed more than 50 companies providing goods and services.

The use of voice in biometrics may turn out to have a significant advantage, said Joel S. Lisker, senior vice chairman of a lobbying and consulting firm in Washington. "For other biometrics like face or dynamic signature, you have to go someplace to do it, like a bank," he said. "Here you can do the enrollment in comfort at home or at your desk - a huge plus."

Dr. Doddington hopes that whatever comes, future vendors of voice authentication systems will be wary of making facile comparisons to fingerprints, lest they offer false assurances. "Fingerprints are physical," he said. "Speech is a completely different animal. It's something you do as opposed to what you are. It's a performance."

E-mail: Eisenberg@xxxxxxxxxxx
*******************************