From rforno at infowarrior.org Mon Apr 3 11:34:28 2006
From: rforno at infowarrior.org (Richard Forno)
Date: Mon, 03 Apr 2006 10:34:28 -0500
Subject: [Infowarrior] - America's war on the web
Message-ID:

America's war on the web
http://www.sundayherald.com/54975

While the US remains committed to hunting down al-Qaeda operatives, it is now taking the battle to new fronts. Deep within the Pentagon, technologies are being deployed to wage the war on terror on the internet, in newspapers and even through mobile phones. Investigations editor Neil Mackay reports

IMAGINE a world where wars are fought over the internet; where TV broadcasts and newspaper reports are designed by the military to confuse the population; and where a foreign armed power can shut down your computer, phone, radio or TV at will.

In 2006, we are just about to enter such a world. This is the age of information warfare, and details of how this new military doctrine will affect everyone on the planet are contained in a report, entitled The Information Operations Roadmap, commissioned and approved by US secretary of defence Donald Rumsfeld and seen by the Sunday Herald.

The Pentagon has already signed off $383 million to force through the document's recommendations by 2009. Military and intelligence sources in the US talk of "a revolution in the concept of warfare".

The report orders three new developments in America's approach to warfare:

Firstly, the Pentagon says it will wage war against the internet in order to dominate the realm of communications, prevent digital attacks on the US and its allies, and to have the upper hand when launching cyber-attacks against enemies.

Secondly, psychological military operations, known as psyops, will be at the heart of future military action. Psyops involve using any media -- from newspapers, books and posters to the internet, music, Blackberrys and personal digital assistants (PDAs) -- to put out black propaganda to assist government and military strategy.
Psyops involve the dissemination of lies and fake stories and releasing information to wrong-foot the enemy.

Thirdly, the US wants to take control of the Earth's electromagnetic spectrum, allowing US war planners to dominate mobile phones, PDAs, the web, radio, TV and other forms of modern communication. That could see entire countries denied access to telecommunications at the flick of a switch by America.

Freedom of speech advocates are horrified at this new doctrine, but military planners and members of the intelligence community embrace the idea as a necessary development in modern combat.

Human rights lawyer John Scott, who chairs the Scottish Centre for Human Rights, said: "This is an unwelcome but natural development of what we have seen. I find what is said in this document to be frightening, and it needs serious parliamentary scrutiny."

Crispin Black -- who has worked for the Joint Intelligence Committee, and has been an Army lieutenant colonel, a military intelligence officer, a member of the Defence Intelligence Staff and a Cabinet Office intelligence analyst who briefed Number 10 -- said he broadly supported the report as it tallied with the Pentagon's over-arching vision for "full spectrum dominance" in all military matters.

"I'm all for taking down al-Qaeda websites. Shutting down enemy propaganda is a reasonable course of action. Al-Qaeda is very good at [information warfare on the internet], so we need to catch up. The US needs to lift its game," he said.

This revolution in information warfare is merely an extension of the politics of the "neoconservative" Bush White House. Even before getting into power, key players in Team Bush were planning total military and political domination of the globe. In September 2000, the now notorious document Rebuilding America's Defences -- written by the Project for the New American Century (PNAC), a think-tank staffed by some of the Bush presidency's leading lights --
said that America needed a "blueprint for maintaining US global pre-eminence, precluding the rise of a great power-rival, and shaping the international security order in line with American principles and interests".

The PNAC was founded by Dick Cheney, the vice-president; Donald Rumsfeld, the defence secretary; Bush's younger brother, Jeb; Paul Wolfowitz, once Rumsfeld's deputy and now head of the World Bank; and Lewis Libby, Cheney's former chief of staff, now indicted for perjury in America.

Rebuilding America's Defences also spoke of taking control of the internet.

A heavily censored version of the document was released under Freedom of Information legislation to the National Security Archive at George Washington University in the US.

The report admits the US is vulnerable to electronic warfare. "Networks are growing faster than we can defend them," the report notes. "The sophistication and capability of ... nation states to degrade system and network operations are rapidly increasing."

The report says the US military's first priority is that the "department [of defence] must be prepared to 'fight the net'". The internet is seen in much the same way as an enemy state by the Pentagon because of the way it can be used to propagandise, organise and mount electronic attacks on crucial US targets. Under the heading "offensive cyber operations", two pages outlining possible operations are blacked out.

Next, the Pentagon focuses on electronic warfare, saying it must be elevated to the heart of US military war planning. It will "provide maximum control of the electromagnetic spectrum, denying, degrading, disrupting or destroying the full spectrum of communications equipment ... it is increasingly important that our forces dominate the electromagnetic spectrum with attack capabilities". Put simply, this means US forces having the power to knock out any or all forms of telecommunications on the planet.
After electronic warfare, the US war planners turn their attention to psychological operations: "Military forces must be better prepared to use psyops in support of military operations." The State Department, which carries out US diplomatic functions, is known to be worried that the rise of such operations could undermine American diplomacy if uncovered by foreign states.

Other examples of information war listed in the report include the creation of "Truth Squads" to provide public information when negative publicity, such as the Abu Ghraib torture scandal, hits US operations, and the establishment of "Humanitarian Road Shows", which will talk up American support for democracy and freedom.

The Pentagon also wants to target a "broader set of select foreign media and audiences", with $161m set aside to help place pro-US articles in overseas media.

02 April 2006

From rforno at infowarrior.org Mon Apr 3 17:30:53 2006
From: rforno at infowarrior.org (Richard Forno)
Date: Mon, 03 Apr 2006 16:30:53 -0500
Subject: [Infowarrior] - Coming Sooner to PCs: Movies
Message-ID:

Coming Sooner to PCs: Movies
Starting today you can download big studios' films the day they're for sale on DVD. But you can't watch them on TV.
By Dawn C. Chmielewski, Times Staff Writer
April 3, 2006
http://www.latimes.com/business/la-fi-movielink3apr03,1,5452250.story?track=rss

Major studios today will make mainstream movies available for downloading the same day they are released on DVD -- a significant step in Hollywood's tentative migration to the Internet.

But movie fans will pay for the convenience: Downloadable flicks such as "Brokeback Mountain," "King Kong" and "Pride and Prejudice" may cost as much as twice what the DVD versions do and play only on a personal computer. New releases can't be rented online, just purchased.

The constraints on services from Movielink and CinemaNow illustrate the central role that economics plays in the evolution of home video distribution.
As they experiment with offering online video on demand, studios are keeping prices high and restrictions tough so they don't alienate retailers, whose DVD sales still provide the vast majority of revenue.

"We think this is a great consumer offering that complements the DVD release," said Rick Finkelstein, Universal Pictures' president and chief operating officer. "If somebody wants to get their content online and create a digital library, this gives them the opportunity to do that. This is another way for consumers to access movies."

Piracy fears also prevent online services from giving technological early adopters what they really want -- the ability to watch downloaded movies on their televisions. That's because the studios insist that downloadable movies include rigorous safeguards on copying. Users, for instance, can burn a DVD of a downloaded movie, but it will play only on a PC.

Finkelstein said people eventually would be able to watch downloadable movies as they would any other DVD. But rather than wait for the technology to burn it securely, Universal is rushing to make more than 100 movie titles available online to provide a legitimate alternative to Internet piracy.

"At this point, we wanted to get out there," Finkelstein said. "This is the only way we could do it at this time. The intent and goal is to allow people to also be able to have a DVD they could watch on their DVD players."

The download-to-own services starting today are among a variety of studio experiments that take advantage of the instant gratification of the Internet. Universal Pictures partnered with online rental service Lovefilm in Britain to sell movie downloads for the computer, and also ship the DVD by mail. Warner Bros., meanwhile, sells movies and TV shows online in Germany through In2Movies, a service that distributes video using a file-sharing technology similar to BitTorrent's.
But in some ways, the efforts by Movielink and CinemaNow are reminiscent of the music industry's response to Napster in the late 1990s. Early label-backed online music services such as Pressplay, launched in 2001 as a joint venture by Sony Music Entertainment and Universal Music Group, were more pricey and less flexible than Apple Computer Inc.'s iTunes Music Store, which was launched later.

"Watching movies on a PC -- it's a real market," said David Card, senior analyst at JupiterResearch in New York. "There are college students, there are business travelers and kids in the back seat of the SUV. But the missing link to this kind of an offering is getting it on the TV screen."

U.S. consumers spent $24.3 billion buying and renting home videos last year, according to Digital Entertainment Group, a trade association. And with sales projected to grow to $30 billion by the end of the decade, the studios are more focused on supporting their existing business -- and backing a new generation of high-definition video disc formats known as Blu-ray and HD-DVD -- not cannibalizing the market to support downloads, said Reed Hastings, chief executive of online movie rental service Netflix Inc., which mails DVDs to 4.2 million subscribers.

"At some point, the studios will be interested in broad-scale licensing," Hastings said. "At some point, the Internet will be connected to the television. We see those as the two linchpins. That will happen eventually, but it won't happen this year."

DVDs account for 46% of studios' sales -- more than double movie box-office receipts, Adams Media Research Inc. said.

Movielink Chief Executive James Ramo said the ability to buy digital downloads filled a void in Movielink's service. Until now, the 4-year-old service has struggled to attract a wide audience because the films it rents online have already been out for months on DVD and at the neighborhood video store.
"There's no question that 2006, in part with the addition of this offering, is becoming a crossover year, as the hardware community is beginning to make it easier and easier to get from the Internet to a TV set," Ramo said. "And we are, from our side, delivering the kind of content that a consumer would want to put on his TV set."

Ramo said the new service offered fresher fare and let movie lovers create digital movie libraries of contemporary films such as "Memoirs of a Geisha," and classics such as "Easy Rider" or "To Kill a Mockingbird."

"We think that this opens the digital downloading market not only to PC early-adopter types but really now to movie lovers who want to create these libraries," he said.

Ramo said download-to-own movies would sell for $20 to $30 -- up to double the $15 that discount retailers such as Wal-Mart Stores Inc. charge for DVDs, with downloads of classic titles for $10 to $17. He said the premium reflected the convenience of the service and the flexibility to transfer the digital download to two computers, as well as the ability to create a backup DVD that also would play on computers running Microsoft Corp.'s Windows operating system.

Movielink will have a greater array of movies available to purchase than CinemaNow -- including "Brokeback Mountain," when it's released Tuesday on DVD. The service is jointly owned by Metro-Goldwyn-Mayer Inc.'s studio unit, Viacom Inc.'s Paramount Pictures, Sony Corp.'s Sony Pictures Entertainment, General Electric Co.'s Universal Studios and Time Warner Inc.'s Warner Bros.

CinemaNow will sell 75 downloadable films from Sony Pictures Home Entertainment, MGM and Lionsgate. Prices will range from $19.95 for new DVD releases to $9.95 for classic films such as "Taxi Driver" or "Easy Rider," although the service will offer an introductory promotion in which the second movie download of any film will sell for $4.95.
CinemaNow Chief Executive Curt Marvis acknowledged that offering movie downloads locked to the computer was far from an ideal consumer proposition but called it a good first step. Marvis said "in a perfect world" the studios would introduce an offer that satisfied all consumers.

"Unfortunately, it doesn't work that way," he said. "They need to take a first step to get into digital distribution for a variety of reasons. That's what this is, a first step."

From rforno at infowarrior.org Tue Apr 4 10:05:12 2006
From: rforno at infowarrior.org (Richard Forno)
Date: Tue, 04 Apr 2006 09:05:12 -0500
Subject: [Infowarrior] - OT: Marketing Peeves
Message-ID:

Is anyone else tired of movie companies doing the uber-cool "OWN IT" or "OWN THE DVD" in their marketing in print and on TV? Sure, I presume this verbiage must work since DVD sales continue unabated, but for me, the more in-your-face someone is to me to get me to do something, the less likely I am going to do it. To me, that's akin to the nails-on-a-chalkboard "Comcastic" marketing tripe I mentioned last week.

...and on a related note, WTF is it with everyone and their mother offering music and video sales of one sort or other? Now I hear Starbucks is offering DVD sales -- do they still sell coffee there? Which leads to an interesting question -- aside from market saturation, at what point is there "too much" choice for the same materials?

Just some mid-morning musings tossed out for your perusal....

-rf

From rforno at infowarrior.org Tue Apr 4 10:05:39 2006
From: rforno at infowarrior.org (Richard Forno)
Date: Tue, 04 Apr 2006 09:05:39 -0500
Subject: [Infowarrior] - More than ever, watch what you say
Message-ID:

More than ever, watch what you say
http://www.smh.com.au/news/opinion/more-than-ever-watch-what-you-say/2006/04/02/1143916406540.html#
April 3, 2006

The Government should have listened to its members, write George Williams and David Hume.
Last week, Federal Parliament passed a law that allows the Government to read private emails, text messages and other stored communications without our knowledge. The power extends to innocent people, called B-parties, if they have been unlucky enough to communicate with someone suspected of a crime or of being a threat to national security.

The Government should sometimes be able to monitor the communications of innocent people. This may be necessary to protect the wider community where a suspect can only be tracked through another person. However, the law goes beyond what can be justified and undermines our privacy more than is needed.

Under the Telecommunications (Interception) Amendment Act, the Government will be able to access communications not only between the B-party and the suspect, but also between the B-party and anyone else. If you have unwittingly communicated with a suspect (and thereby become a B-party), the Government may be able to monitor all your conversations with family members, friends, work colleagues, your lawyer and your doctor. The Government may be able to use the information even though the information is not related to the original suspect.

It also does not have to tell you that it has been listening in. While there are some remedies if you have been illegally monitored, these are pointless if you do not know you have come under surveillance.

This is of even greater concern given how easy it is for ASIO to gain a warrant. The gatekeeper is not an independent person such as a judge, but a politician, the federal attorney-general. As long as ASIO has tried other means of tracking a suspect, to gain a warrant it need only show that intercepting the B-party's communications is "likely to assist" in obtaining intelligence "related to security" - vague terms providing scope for the misuse of the power.
A further issue is how the law distinguishes between stored and real-time communications such as telephone conversations. It is easier to monitor stored communications, apparently because they are seen as less private than telephone conversations. However, now that telephone conversations often occur in public on mobile phones, many people reserve their most personal interactions for email and text messages. It is nonsensical that our personal affairs are made less private because they are in an email rather than said over the phone.

These problems have been compounded because the Government rushed the law through Parliament without taking into account advice from its own ranks. A Senate committee examining the bill unanimously found last Monday that the powers were too extensive. It recommended strengthening protection against misuse. The Government's own Blunn report on the area also suggested stronger protection. Despite these warnings, the law does not incorporate the recommended safeguards. Indeed, amendments made to the law over the past week widened its reach.

The Government says that there is an urgent need for this law and that it could not wait. This approach is wrong-headed. Like the sedition laws of late last year, a law of this importance should not be enacted in haste in the face of obvious problems. This is especially true when the law provides for covert surveillance.

Protecting national security and investigating serious crime are important. However, we must be careful that in developing a legal response we do not lose sight of the freedoms we are trying to protect. We should ensure that if the Government gains intrusive new powers over our privacy the powers are balanced and go no further than is required.

This law goes too far. It contains more power to access our emails and text messages than is needed and contains too few safeguards.
Rather than rushing the law through Parliament, the Government should have listened to the report of its members. It should have come up with a law that better protects the private communications of innocent people.

Professor George Williams is director and David Hume an intern at the Gilbert + Tobin Centre of Public Law, UNSW.

From rforno at infowarrior.org Tue Apr 4 12:38:14 2006
From: rforno at infowarrior.org (Richard Forno)
Date: Tue, 04 Apr 2006 11:38:14 -0500
Subject: [Infowarrior] - Con speaking change
Message-ID:

Due to some unfolding events this week, unfortunately I will not be at NC3 in Cleveland this coming weekend. Grrr, argh.

However, anyone desiring to attend a rather fun, insightful, artistic, and well-run weekend conference is directed to check out www.notacon.org for event info. :) The folks up there put on a pretty good show!

-rick

From rforno at infowarrior.org Tue Apr 4 12:39:15 2006
From: rforno at infowarrior.org (Richard Forno)
Date: Tue, 04 Apr 2006 11:39:15 -0500
Subject: [Infowarrior] - Security Fears Prod Many Firms To Limit Staff Use of Web Services
Message-ID:

Security Fears Prod Many Firms To Limit Staff Use of Web Services
By SHAWN YOUNG
March 30, 2006; Page A1

Companies are clamping down on employees' workplace use of the expanding range of free Internet services, such as instant messaging and video downloading, to protect themselves from viruses, communications traffic jams and regulatory missteps.

General Electric Co. has barred outside instant-messaging and file-sharing programs, as well as access to personal online email accounts like those offered by Yahoo Inc. Telecom company Global Crossing Ltd. also blocks outside instant messaging and online email accounts. J.P. Morgan Chase & Co. is one of many banks that blocks Internet services it can't track or monitor, including outside instant-messaging, phone and email programs.
Another big bank, ABN Amro Holdings NV of the Netherlands, also bans many consumer-communications technologies, including Skype, the Internet phone service owned by eBay Inc.

"I'm not allowing Skype because I don't know what it does," says Bill Rocholl, global head of strategy and engineering for ABN Amro's telecommunications and network services. Mr. Rocholl says that in making such decisions he weighs whether the resources he needs to study and disarm any potential risks from Skype or other free services would outweigh the time or money that might be saved by using them.

The corporate crackdown underscores an emerging challenge for the Web. As the spread of broadband technology makes it possible for millions of Americans to watch TV on the Web or make cheap phone calls, companies, government agencies and universities are concerned about the possible side effects -- including the threat of a worm or other bit of malicious code sneaking into their computer systems.

Some companies worry the new services will overwhelm their networks with unwanted traffic. Others are primarily concerned about security or their ability to track workplace communications, especially in industries like financial services, where regular monitoring is required by regulators. Instant messages from the outside, for example, often aren't logged and archived the way email is, creating a potential backdoor for illicit communications or breaches of client privacy.

Skype and other service providers say such concerns are overblown. They say their products are in many cases safer than email attachments, a common source of viruses that businesses nonetheless consider indispensable tools. They also say the popularity of their services in part reflects their success in weeding out spam, viruses and other nuisances.

Still, many companies are proceeding cautiously.
Global Crossing says it cut off its employees' access to outside instant-messaging services earlier this year after detecting a worm. It now has an internal instant-messaging system from Microsoft Corp., but that system can't be used to reach people outside the company. Global Crossing started blocking its employees' access to personal email accounts on sites like Yahoo and Time Warner Inc.'s America Online in 2003 after a virus used them to slip in.

"I used to think nothing of checking my Yahoo mail several times a day," says Global Crossing Chief Marketing Officer Anthony Christie. Now that he can't, his long workday makes it hard to avoid using his work email account for personal messages, he says.

At Britain's Cambridge University, some colleges and departments ban Skype, fearing their data networks could become giant hubs for Skype transmissions from all over Europe. Most companies have stringent safeguards to block outside users from tapping into their internal networks, but many universities fear their more open systems could attract excessive traffic.

Skype and some of the other services that worry private network managers employ a decentralized technology known as peer-to-peer networking, in which users connect directly with one another to swap conversation or data, instead of linking to a central computer. Skype's system relies in part on computers known as supernodes that help direct traffic. Since ordinary users' machines can function as supernodes, some universities fear they will become supernodes and be flooded.

"We have had some occasions where the amount of traffic has been noticeable and has caused some problem," says Chris Cheney, head of the network division at Cambridge's Computing Service. Other universities, including Oxford and the University of Minnesota, have policies requiring Skype users to take steps in setting up their service that would prevent them from becoming way stations for other callers.
Kurt Sauer, Skype's chief of security, says that the belief that Skype could flood a network is based on a misunderstanding of how the technology works. In fact, he says, the computers that act as supernodes in Skype's system function as directories that indicate which users are online; they don't actually transmit calls.

The resistance to free Internet-based services comes as some commercial-network operators in Canada, China and elsewhere are moving to exclude certain online programs or limit the toll they take on network capacity. More than a year ago, for example, Canada's Rogers Communications Inc. and Shaw Communications Inc. assigned a lower priority to traffic generated by video-swapping programs BitTorrent and eDonkey; both services are heavy users of bandwidth, or transmission capacity.

Some Internet users fear such moves could set a precedent for phone and cable companies, which own the pipelines that give most consumers access to the Internet, to take a more aggressive stance toward phone and video services they view as potential rivals, by blocking their access to the network or charging them higher fees.

About 56% of the nation's households have high-speed Internet connections, according to research firm TNS Telecoms, making it feasible for them to use Skype and other Internet services. Many of those users don't hesitate to use the same services at work. In a recent international poll of 300 workers, British Internet-security company SmoothWall Ltd. found that 23% used Skype at work and 41% used instant messaging. More than 60% tapped into outside personal email accounts. Fewer than 54% knew if their companies had policies forbidding such activity.

"You now have umpteen ways of breaching security or violating corporate policy," says Shailesh Shukla, vice president of marketing and partnerships at Juniper Networks Inc., whose company allows him to use instant messaging regularly to communicate with colleagues. Mr.
Shukla says that the modern, always-connected mobile workplace makes it increasingly hard to define and police the boundaries of private networks.

Adding to the policing problem is the subtlety of some new technology. For example, the same encryption that keeps Skype conversations private makes it hard to distinguish Skype transmissions from other data moving in and out of networks. That makes it tough to block Skype with a firewall, says Brian NeSmith, chief executive of Blue Coat Systems Inc., a Sunnyvale, Calif., company that recently introduced a Skype-blocking system for corporate use.

Michael Jackson, Skype's vice president of operations, says that many technologies that are now crucial business tools were once greeted with fear and suspicion. "Many organizations were initially scared of the Internet and email," he said. "Now there's hardly a workplace on the planet that doesn't have an Internet connection."

Corporate attitudes toward the new services may be starting to make a similar shift, especially among high-tech companies. Sonus Networks Inc., a telecom-equipment maker based in Chelmsford, Mass., allows outside instant messaging and doesn't block access to Skype. "It's a productivity tool," says Chief Executive Hassan Ahmed, adding that Sonus is now able to archive instant message communications as effectively as it does email.
Write to Shawn Young at shawn.young at wsj.com

URL for this article: http://online.wsj.com/article/SB114369288512912073.html

From rforno at infowarrior.org Tue Apr 4 13:38:38 2006
From: rforno at infowarrior.org (Richard Forno)
Date: Tue, 04 Apr 2006 12:38:38 -0500
Subject: [Infowarrior] - Microsoft Says Recovery from Malware Becoming Impossible
Message-ID:

http://www.eweek.com/print_article2/0,1217,a=174915,00.asp

Microsoft Says Recovery from Malware Becoming Impossible
April 4, 2006
By Ryan Naraine

LAKE BUENA VISTA, Fla. -- In a rare discussion on the severity of the Windows malware scourge, a Microsoft security official said businesses should consider investing in an automated process to wipe hard drives and reinstall operating systems as a practical way to recover from malware infestation.

"When you are dealing with rootkits and some advanced spyware programs, the only solution is to rebuild from scratch. In some cases, there really is no way to recover without nuking the systems from orbit," Mike Danseglio, program manager in the Security Solutions group at Microsoft, said in a presentation at the InfoSec World conference here.

Offensive rootkits, which are used to hide malware programs and maintain an undetectable presence on an infected machine, have become the weapon of choice for virus and spyware writers and, because they often use kernel hooks to avoid detection, Danseglio said IT administrators may never know if all traces of a rootkit have been successfully removed.

He cited a recent instance where an unnamed branch of the U.S. government struggled with malware infestations on more than 2,000 client machines. "In that case, it was so severe that trying to recover was meaningless. They did not have an automated process to wipe and rebuild the systems, so it became a burden. They had to design a process real fast," Danseglio added.
Danseglio, who delivered two separate presentations at the conference -- one on threats and countermeasures to defend against malware infestations in Windows, and the other on the frightening world of Windows rootkits -- said anti-virus software is getting better at detecting and removing the latest threats, but for some sophisticated forms of malware, he conceded that the cleanup process is "just way too hard."

"We've seen the self-healing malware that actually detects that you're trying to get rid of it. You remove it, and the next time you look in that directory, it's sitting there. It can simply reinstall itself," he said.

"Detection is difficult, and remediation is often impossible," Danseglio declared. "If it doesn't crash your system or cause your system to freeze, how do you know it's there? The answer is you just don't know. Lots of times, you never see the infection occur in real time, and you don't see the malware lingering or running in the background."

He recommended using PepiMK Software's SpyBot Search & Destroy, Mark Russinovich's RootkitRevealer and Microsoft's own Windows Defender, all free utilities that help with malware detection and cleanup, and urged CIOs to take a defense-in-depth approach to preventing infestations.

Danseglio said malicious hackers are conducting targeted attacks that are "stealthy and effective" and warned that the for-profit motive is much more serious than even the destructive network worms of the past.

"In 2006, the attackers want to pay the rent. They don't want to write a worm that destroys your hardware. They want to assimilate your computers and use them to make money.

"At Microsoft, we are fielding 2,000 attacks per hour. We are a constant target, and you have to assume your Internet-facing service is also a big target," Danseglio said.
Danseglio said the success of social engineering attacks is a sign that the weakest link in malware defense is "human stupidity."

"Social engineering is a very, very effective technique. We have statistics that show significant infection rates for the social engineering malware. Phishing is a major problem because there really is no patch for human stupidity," he said.

The most recent statistics from Microsoft's anti-malware engineering team confirm Danseglio's contention. In February alone, the company's free Malicious Software Removal Tool detected a social engineering worm called Win32/Alcan on more than 250,000 unique machines.

According to Danseglio, user education goes a long way to mitigating the threat from social engineering, but in companies where staff turnover is high, he said a company may never recoup that investment.

"The easy way to deal with this is to think about prevention. Preventing an infection is far easier than cleaning up," he said, urging enterprise administrators to block known bad content using firewalls and proxy filtering and to ensure security software regularly scans for infections.

From rforno at infowarrior.org Wed Apr 5 09:56:05 2006
From: rforno at infowarrior.org (Richard Forno)
Date: Wed, 05 Apr 2006 08:56:05 -0500
Subject: [Infowarrior] - Apple's Boot Camp beta installs WinXP...
Message-ID:

Apple's Boot Camp beta installs WinXP
http://www.macnn.com/articles/06/04/05/boot.camp.for.mactels/

Apple today introduced Boot Camp, new public beta software that enables Intel-based Macs to run Windows XP.
Available as a download beginning today, Boot Camp allows users with a Microsoft Windows XP installation disc to install Windows XP on an Intel-based Mac, and once installation is complete, users can restart their computer to run either Mac OS X or Windows XP. Apple said that Boot Camp will be a feature in "Leopard," Apple's next major release of Mac OS X, that will be previewed at Apple's Worldwide Developer Conference in August.

"Apple has no desire or plan to sell or support Windows, but many customers have expressed their interest to run Windows on Apple's superior hardware now that we use Intel processors," said Philip Schiller, Apple's senior vice president of Worldwide Product Marketing. "We think Boot Camp makes the Mac even more appealing to Windows users considering making the switch."

From rforno at infowarrior.org Wed Apr 5 11:08:37 2006
From: rforno at infowarrior.org (Richard Forno)
Date: Wed, 05 Apr 2006 10:08:37 -0500
Subject: [Infowarrior] - Senior DHS Official Charged in Online Seduction
Message-ID:

http://news.yahoo.com/s/ap/press_secretary_arrested;_ylt=AgAh9ypVVIC6mgembUT9qKes0NUE;_ylu=X3oDMTA2Z2szazkxBHNlYwN0bQ--

DHS Official Charged in Online Seduction
By MICHELLE SPITZER, Associated Press Writer
1 hour, 9 minutes ago

MIAMI - A deputy press secretary for the U.S. Department of Homeland Security was charged with using a computer to seduce a child after authorities said he struck up sexual conversations with an undercover detective posing as a 14-year-old girl.

Brian J. Doyle, 55, the fourth-ranking official in the department's public affairs office, was expected to appear in court Wednesday afternoon in Maryland and also to be placed on administrative leave.

"He said last night that he was going to waive extradition. If he does that, we may have him back by the end of the week," Polk County Sheriff Grady Judd said Wednesday. "He could get to court today and some lawyer may say 'no, you don't want to do that.'
The bottom line is we don't know when he's coming back."

Authorities arrested Doyle on Tuesday at his Silver Spring, Md., home as he was online with the "girl." The undercover detective had called Doyle at work and said she got a Web camera, as he had asked her to do, and wanted to test it out, said Carrie Rodgers, Polk County Sheriff's Office spokeswoman.

"He said he would get on the computer when he got home from work so we knew he would be on," Rodgers said. "When (police) went to his door, he was on the computer in the middle of a conversation with the girl."

Doyle found the teenager's profile online and began having sexually explicit conversations with her on the Internet on March 14, the sheriff's office said in a statement. He sent her pornographic movie clips, as well as non-sexual photos of himself, officials said.

One of the photos, released by the sheriff's office, shows Doyle in what appears to be DHS headquarters. He is wearing a Homeland Security pin on his lapel and a lanyard that says "TSA." The Transportation Security Administration is part of the Homeland Security Department.

During online conversations, Doyle revealed his name, who he worked for and offered his office and government-issued cell phone numbers, the sheriff's office said. On several occasions, Doyle instructed her to perform a sexual act while thinking of him and described explicit activities he wanted to have with her, investigators said.

He was booked into the Montgomery County Detention Center. Doyle also faces a charge of transmission of harmful material to a minor.

There was no immediate response to messages left on Doyle's government-issued cell phone and his e-mail, and he could not be reached by phone at the jail for comment.

Homeland Security press secretary Russ Knocke in Washington said he could not comment on the details of the investigation. "We take these allegations very seriously, and we will cooperate fully with this ongoing investigation," Knocke said.
From rforno at infowarrior.org Wed Apr 5 11:27:06 2006
From: rforno at infowarrior.org (Richard Forno)
Date: Wed, 05 Apr 2006 10:27:06 -0500
Subject: [Infowarrior] - Information Operations: Putting the "I" Back Into DIME
Message-ID:

http://www.strategicstudiesinstitute.army.mil/pubs/display.cfm?PubID=642

Synopsis: In the past year, Information Operations (IO) has matured from an early emphasis on the protection of critical infrastructures and against electronic espionage and is now more focused on content and on interagency information-sharing. The value of information--all information, not only secret information--and the value of global monitoring in all languages, 24/7, has been clearly established by the Undersecretary of Defense for Intelligence (USDI). This monograph defines and discusses three IO elements: Strategic Communication (the message); Open Source Intelligence (the reality); and, Joint Information Operations Centers (the technology). It concludes with a strategic overview of the various conceptual and technical elements required to meet modern IO needs, and provides a requirements statement that could be tailored to the needs of any Combatant Commander, service, or agency.

From rforno at infowarrior.org Wed Apr 5 11:28:45 2006
From: rforno at infowarrior.org (Richard Forno)
Date: Wed, 05 Apr 2006 10:28:45 -0500
Subject: [Infowarrior] - Agencies Not Protecting Privacy Rights, GAO Says
Message-ID:

Agencies Not Protecting Privacy Rights, GAO Says
http://www.washingtonpost.com/wp-dyn/content/article/2006/04/04/AR2006040401727_pf.html
(Report at: http://www.gao.gov/docsearch/abstract.php?rptno=GAO-06-609T)

By Robert O'Harrow Jr.
Washington Post Staff Writer
Wednesday, April 5, 2006; A09

Government agencies that use private information services for law enforcement, counterterrorism and other investigations often do not follow federal rules to protect Americans' privacy, according to a report yesterday by the Government Accountability Office.

The Justice Department, the Department of Homeland Security and two other agencies examined by the GAO spent about $30 million last year on companies that maintain billions of electronic files about adults' current and past addresses, family members and associates, buying habits, personal finances, listed and unlisted phone numbers, and much more.

But those agencies often do not limit the collection and use of information about law-abiding citizens, as required by the Privacy Act of 1974 and other laws. The agencies also don't ensure the accuracy of the information they are buying, according to the GAO report. That's in part because of a lack of clear guidance from the agencies and the Office of Management and Budget on guidelines known as "fair information practices," the report said.

At the same time, the contractors are not bound by those "fair information practices," and they often don't comply with all of them, the report said. Companies do not notify individuals when information is collected, for instance. They limit individuals' access to records about themselves, and they generally do not have provisions for correcting mistakes, the report said.

"The nature of the information reseller business is essentially at odds with the principles," the report said. "Resellers make it their business to collect as much personal information as possible."

The 83-page report, the subject of a congressional hearing yesterday, was spurred in part by massive security breaches reported last year by ChoicePoint Inc. and LexisNexis in which sensitive files involving almost 200,000 people were sold to fraud artists.
It highlights a difficult truth about the government's increasing reliance on information services: By outsourcing the building of rich dossiers, the government is sidestepping checks on surveillance approved in the wake of domestic spy scandals involving the FBI, Army and other agencies in the 1960s and 1970s.

The report recommends that Congress consider requiring private information contractors to "more fully adhere" to fair information practices.

Information services play an important but quiet role in homeland security and criminal investigations. ChoicePoint officials last year acknowledged that they serve in effect as a private intelligence service for the government.

Rep. Chris Cannon (R-Utah), chairman of the House Judiciary Committee's subcommittee on commercial and administrative law, said the hearing was held because the ability of private information services to collect information and the government's use of those services have grown far beyond existing laws and oversight.

Peter Swire, a law professor at Ohio State University, said the information industry delivers information more efficiently than ever before, helping investigators in many ways. But he told the congressional panel that the government needs to ensure that the information it buys is accurate while giving people a chance to correct mistakes.

"Accuracy that is good enough for marketing is not necessarily good enough to detain a suspect," said Swire, who served as the chief privacy counselor in the Clinton administration White House.

(c)
2006 The Washington Post Company

From rforno at infowarrior.org Wed Apr 5 15:17:37 2006
From: rforno at infowarrior.org (Richard Forno)
Date: Wed, 05 Apr 2006 14:17:37 -0500
Subject: [Infowarrior] - Shifts in airport security intended to fool terrorists
Message-ID:

Shifts in airport security intended to fool terrorists
Wednesday, April 05, 2006
BY ROBERT COHEN
STAR-LEDGER WASHINGTON BUREAU
http://www.nj.com/search/index.ssf?/base/news-6/114421851464010.xml?starledger?ntop&coll=1

WASHINGTON -- A top federal security official said yesterday the government intends to alter the type and frequency of its passenger screening at the nation's airports to make the process less predictable and harder for terrorists to penetrate.

Kip Hawley, head of the Transportation Security Administration, told the Senate Commerce, Science and Transportation Committee that his agency has tested new screening regimes at 10 airports, and intends to "incorporate similar unpredictable additional screening into our standard operating procedure."

"Each of the enhanced screening procedures was designed to specifically address the threat of explosives, and the procedures were carried out regardless of whether a passenger cleared the walk-through metal detector or a carry-on bag successfully passed through an X-ray machine," said Hawley.

He said the aim is to make sure that "no passenger, and therefore no terrorist, could predict what screening procedure he or she would be subject to."

"Our biggest vulnerability has been predictability," said Hawley. "You can't allow the terrorists the luxury to make plans knowing exactly what defense they will face."

The TSA has come under repeated criticism for security lapses as it has worked to improve passenger and baggage screening at more than 400 commercial airports, train inspectors and install explosive detection machines and other equipment.
Last month, it was reported that federal investigators successfully smuggled bomb-making materials through security at 21 airports, none of which was identified. In October 2004, confidential records obtained by The Star-Ledger showed that screeners were missing one in four explosives and weapons in covert tests of checkpoints. In December 2004, screeners lost a fake test bomb during an unauthorized training exercise; the phony explosive eventually ended up on a plane to Amsterdam.

Just last month, the federal security director at Newark Liberty International Airport was relieved of command after a four-year tenure beset by security breakdowns and high staff turnover among the 1,000-member force that guards one of the nation's busiest hubs.

Cathleen Berrick, head of homeland security issues at the Government Accountability Office, told the committee that undercover testing has exposed "weaknesses and vulnerabilities" in the screening system "at airports of all sizes and at locations all across the country."

Berrick said the TSA still is having problems deploying all the needed bomb detection and baggage screening equipment because of lack of funding, and continues to have difficulties ensuring adequate staffing at airports and the proper training of personnel.

"The TSA may have difficulty maintaining a screening work force that possesses the critical skills needed to perform at a desired level," she warned the committee.

From rforno at infowarrior.org Wed Apr 5 19:50:14 2006
From: rforno at infowarrior.org (Richard Forno)
Date: Wed, 05 Apr 2006 18:50:14 -0500
Subject: [Infowarrior] - Republicans defeat Net neutrality proposal
Message-ID:

Republicans defeat Net neutrality proposal
By Declan McCullagh
http://news.com.com/Republicans+defeat+Net+neutrality+proposal/2100-1028_3-6058223.html
Story last modified Wed Apr 05 15:37:56 PDT 2006

A partisan divide pitting Republicans against Democrats on the question of Internet regulation appears to be deepening.
A Republican-controlled House Energy and Commerce subcommittee on Wednesday defeated a proposal that would have levied extensive regulations on broadband providers and forcibly prevented them from offering higher-speed video services to partners or affiliates.

By an 8-to-23 margin, the committee members rejected a Democratic-backed "Net neutrality" amendment to a current piece of telecommunications legislation. The amendment had attracted support from companies including Amazon.com, eBay, Google, Microsoft and Yahoo, and their chief executives wrote a last-minute letter to the committee on Wednesday saying such a change to the legislation was "critical."

Before the vote, amendment sponsor Rep. Ed Markey, a Massachusetts Democrat, assailed his Republican colleagues. "We're about to break with the entire history of the Internet," Markey said. "Everyone should understand that."

This philosophical rift extends beyond the precise wording of the telecommunications legislation. It centers on whether broadband providers will be free to design their networks as they see fit and enjoy the latitude to prioritize certain types of traffic--such as streaming video--over others. (In an interview last week with CNET News.com, Verizon Chief Technology Officer Mark Wegleitner said prioritization is necessary to make such services economically viable.)

After a day of debate, the committee went on to vote 27-4 in favor of approving the final bill--minus the Democrats' amendment--sending it onward to full committee consideration, expected in late April. The vote on the amendment itself did not occur strictly along party lines, with one Republican voting in favor and four Democrats voting against the bill.

Leading Republicans have dismissed concerns about Net neutrality, also called network neutrality, as simultaneously overblown and overly vague.
"This is not Chicken Little, the sky is not falling, we're not going to change the direction of the axis of the earth on this vote," said Rep. John Shimkus, an Illinois Republican. He said overregulatory Net neutrality provisions would amount to picking winners and losers in the marketplace and discourage investment in faster connections that will benefit consumers.

Last week, Energy and Commerce Committee Chairman Joe Barton said: "Before we get too far down the road, I want to let the market kind of sort itself out, and I'm not convinced that we really have a problem with Net neutrality."

Barton and other Republican leaders of the House panel did, however, offer some modest changes to a telecommunications bill in response to concerns from Internet and software companies. Their replacement bill would require the Federal Communications Commission to vet all complaints of violations of Net neutrality principles within 90 days. It gave the FCC the power to levy fines of up to $500,000 per violation. It also contained explicit language denying the FCC the authority to make new rules on Net neutrality. Democrats charged that lack of enforcement power would mean the FCC would be unable to deal with the topic flexibly.

Rep. Charles Pickering, a Mississippi Republican, backed that less-regulatory approach, saying that a "case-by-case adjudicatory process" is the best way to address Net neutrality concerns while ensuring competition in the marketplace.

The amendment that was rejected on Wednesday took a similar approach to strict Net neutrality legislation introduced in the Senate last month by Democratic Sen. Ron Wyden. It said that any content provider must be awarded bandwidth "with equivalent or better capability than the provider extends to itself or affiliated parties, and without the imposition of any charge."
That would likely prohibit any plans by Verizon or other former Bell companies to offer their own video services that would be given priority over other traffic (video is bandwidth-intensive and intolerant of network delays).

"I think this walled garden approach that many network providers would like to create would fundamentally change the way the Internet works and undermine the power of the Net as a force of innovation and change," said Rep. Anna Eshoo, a California Democrat.

Markey warned: "There is a fundamental choice. It's the choice between the bottleneck designs of a...small handful of very large companies and the dreams and innovations of thousands of online companies and innovators."

By "very large companies," Markey was not referring to Microsoft, which has a market value of $287 billion, but its much smaller political rival Verizon, which has a market value of $101 billion and has opposed Net neutrality mandates. Markey did not appear to be referring to Google, which has a value of $121 billion and has been lobbying on behalf of federal regulations, but to AT&T, which has a value of $105 billion and has opposed them.

A CNET News.com report published last week, however, showed that the Internet industry is being outspent in Washington by more than a 3-to-1 margin. AT&T, Comcast, Time Warner, and Verizon spent $230.9 million on politicians from 1998 until the present, while the three Internet companies plus Amazon.com and eBay spent only a combined $71.2 million. (Those figures include lobbying expenditures, individual contributions, political action committees and soft money.)

Copyright (c) 1995-2006 CNET Networks, Inc. All rights reserved.
From rforno at infowarrior.org Wed Apr 5 19:51:43 2006
From: rforno at infowarrior.org (Richard Forno)
Date: Wed, 05 Apr 2006 18:51:43 -0500
Subject: [Infowarrior] - Pentagon Says Improper Data in TALON Database
Message-ID:

Pentagon Says Improper Data in Security Database
By Will Dunham
Reuters
Wednesday, April 5, 2006; 5:23 PM
http://www.washingtonpost.com/wp-dyn/content/article/2006/04/05/AR2006040501423_pf.html

WASHINGTON (Reuters) - The Pentagon said on Wednesday a review launched after revelations that it had collected data on U.S. peace activists found that roughly 260 entries in a classified database of possible terrorist threats should not have been kept there.

But the review reaffirmed the value of the so-called Talon reporting system on potential threats to Pentagon personnel or facilities by international terrorists, said Bryan Whitman, a senior Pentagon spokesman. He said the Pentagon was putting in place new safeguards and oversight intended to prevent improper information from going in the database.

Whitman said "less than 2 percent" of the more than 13,000 database entries provided through the Talon system "should not have been there or should have been removed at a certain point in time."

Whitman disputed critics' assertions that the program amounted to Pentagon domestic spying, although he declined to state the nature of these entries or the people they involved, saying the database's contents are classified. Whitman stressed that to be properly placed in the database, a threat must have a suspected link to international terrorism.

Under the Talon system, Defense Department civilian and military personnel are asked to report on activities they deem suspicious. These reports go in the Cornerstone database, handled by a Pentagon agency called the Counterintelligence Field Activity, or CIFA.
The review was ordered in December by Stephen Cambone, under secretary of defense for intelligence, after revelations that the database included information on U.S. citizens including peace activists and others who did not represent a genuine security threat.

'SUSPICIOUS'

NBC News and defense analyst William Arkin disclosed at the time a sample of the database containing reports of 1,519 "suspicious incidents" between July 2004 and May 2005, including activities by antiwar and anti-military protesters. This included a military intelligence unit monitoring a Quaker meeting in Lake Worth, Florida, on plans to protest military recruiting in high schools.

The Pentagon is legally restricted in the types of information it can gather about activities and individuals inside the United States.

A memo from Deputy Defense Secretary Gordon England said the Talon system "has detected international terrorist interest in specific military bases and has led to and supported counterterrorism investigations." It called the data "unfiltered and non-validated potential threat information." Whitman said data reported through Talon could be turned over to the FBI or local law enforcement.

The Pentagon said it will conduct annual oversight reviews of the Talon program, designate supervisors to review each Talon report before submission to the database, and direct CIFA to review submissions to ensure they are proper.

Whitman said he did not know if the Pentagon had disciplined anyone for putting improper information in the database, but was "not aware of any malicious or deliberate attempts" to use the Talon system against a specific person or group.

Some critics have noted similarities in the Pentagon's activities during the Iraq War and those of the Vietnam War period, when it spied on antiwar activists.
"If the Pentagon has been collecting information improperly on Americans, it should provide a full accounting of what kind of information it collected, on whom and why, subject only perhaps to protecting the privacy of individuals," said Kate Martin, director of the Center for National Security Studies, a civil liberties group interested in government surveillance.

(c) 2006 Reuters

From rforno at infowarrior.org Wed Apr 5 19:53:21 2006
From: rforno at infowarrior.org (Richard Forno)
Date: Wed, 05 Apr 2006 18:53:21 -0500
Subject: [Infowarrior] - CRS Legal Analysis of USA PATRIOT Renewal
Message-ID:

On March 9, the President signed into law the USA Patriot Improvement and Reauthorization Act, which made permanent 14 of the 16 sections of the Patriot Act that were set to expire. A new report from the Congressional Research Service provides a detailed, 74 page analysis of the Act, including the various modifications made in the reauthorization process.

See "USA PATRIOT Improvement and Reauthorization Act of 2005: A Legal Analysis," March 24, 2006:
http://www.fas.org/sgp/crs/intel/RL33332.pdf

From rforno at infowarrior.org Thu Apr 6 20:53:09 2006
From: rforno at infowarrior.org (Richard Forno)
Date: Thu, 06 Apr 2006 20:53:09 -0400
Subject: [Infowarrior] - How the RIAA Litigation Process Works
Message-ID:

Wednesday, April 05, 2006
http://recordingindustryvspeople.blogspot.com/2006/04/how-riaa-litigation-process-works.html

How the RIAA Litigation Process Works

The RIAA lawsuits pit a small number of very large recording companies against individuals who have paid for an internet access account. On the plaintiff's end, the owners of the underlying copyrights in the musical compositions are not involved in the case; neither are many smaller record companies.
As to the defendants, since no investigation is made to ascertain that the defendant is actually someone who engaged in peer to peer file sharing of copyrighted music without authorization, there are many defendants who have no idea why they are being sued and who did nothing even arguably violative of anyone's copyright. Defendants have included people who have never even used a computer, and many people who although they have used a computer, have never engaged in any peer to peer file sharing.

Sometimes the cases are misleadingly referred to as cases against 'downloaders'; in fact the RIAA knows nothing of any downloading when it commences suit, and in many instances no downloading ever took place. It is more accurate to refer to the cases as cases against persons who paid for internet access which the RIAA has reason to believe was used by some person -- possibly the defendant, possibly someone else -- to engage in peer to peer file sharing.

Ex parte discovery cases.

At the core of the RIAA lawsuit process, is its initial lawsuit against a group of "John Does". Here is how it works:

A lawsuit is brought against a group of "John Does". The location of the lawsuit is where the corporate headquarters of the internet service provider (ISP) is located. All the RIAA knows about the people it is suing is that they are the people who paid for an internet access account for a particular dynamic IP address. The "John Does" may live -- and usually do live -- hundreds or thousands of miles away from the City where the lawsuit is pending, and are not even aware that they have been sued.

The RIAA is aware that most of the defendants do not live in the state, and are not subject to the jurisdiction of the Court, but bring the case anyway. They are also aware that under the Federal Rules of Civil Procedure there is no basis for joining all these defendants in a single lawsuit, but do indeed join them in one case, sometimes as many as several hundred in a single "litigation".
The only "notice" the "John Does" get is a vague letter from their ISP, along with copies of an ex parte discovery order and a subpoena. They are not given copies of (i) the summons and complaint, (ii) the papers upon which the Court granted the ex parte discovery order, or (iii) the court rules needed to defend themselves. Most recipients of this "notice" do not even realize that it means that there is a lawsuit against them. None of the recipients of the "notice" have any idea what they are being sued for, or what basis the Court had for granting the ex parte discovery order and for allowing the RIAA to obtain a subpoena.

They are told they have a few days, or maybe a week or two, to make a motion to quash the subpoena. But if they were to talk to a lawyer they could not give the lawyer an iota of information as to what the case is about, what the basis for the subpoena is, or any other details that would permit a lawyer to make an informed decision as to whether a motion to quash the subpoena could, or could not, be made. What is more, the lawyer would have to be admitted to practice in the jurisdiction in which the ex parte case is pending, in order to do anything at all. In other words, except for lawyers who are knowledgeable about the RIAA tactics, no lawyer could possibly have any suggestions that would enable "John Doe" to fight back. So "John Doe" of course defaults.

Then the John Doe "case" may drag on for months or even years, with the RIAA being the only party that has lawyers in court to talk to the judges and other judicial personnel.

The RIAA -- without notice to the defendants -- makes a motion for an "ex parte" order permitting immediate discovery. ("Ex parte" means that one side has communicated to the Court without the knowledge of the other parties to the suit.
It is very rarely permitted, since the American system of justice is premised upon an open system in which, whenever one side wants to communicate with the Court, it has to give prior notice to the other side, so that they too will have an opportunity to be heard.)

The "ex parte" order would give the RIAA permission to take "immediate discovery" -- before the defendants have been served or given notice -- which authorizes the issuance of subpoenas to the ISP's asking for the names and addresses and other information about their subscribers, which is information that would otherwise be confidential.

In the United States the courts have been routinely granting these "ex parte" orders, it appears. (Not so in other countries. Both Canada and the Netherlands have found the RIAA's investigation too flimsy to warrant the invasion of subscriber privacy. Indeed the Netherlands court questioned the investigation's legality.)

Once the ex parte order is granted, the RIAA issues a subpoena to the ISP, and gets the subscriber's name and address. The RIAA then discontinues its "John Doe" "ex parte" case, and sues the defendant in his own name in the district where he or she lives.

Thus, at the core of the whole process are: (1) the mass lawsuit against a large number of "John Does"; (2) the "ex parte" order of discovery; and (3) the subpoenas demanding the names and addresses of the "John Does".

This process is currently under attack in 3 cases that are pending in Manhattan federal court: Atlantic v. Does 1-25 pending before Judge Swain, Motown v. Does 1-99 pending before Judge Buchwald, and Warner v. Does 1-149, pending before Judge Owen. A motion to vacate the ex parte discovery order is pending in Atlantic. Motions to vacate the ex parte discovery order, quash the subpoena, and sever and dismiss as to all John Does from 2 to the end, are pending in Motown and in Warner.

In Atlantic v. Does, the "John Doe" who attacked the process is a resident of the Midwest.
The "John Doe" who moved to vacate the ex parte discovery order in Motown v. Does 1-99 is from the South. In Warner v. Does 1-149, there are two moving parties. One is from the Southwest, the other from the Greater New York area.

The motions in Atlantic and Motown have been fully briefed, and are awaiting decision. The motion in Warner was filed March 31st. The RIAA's opposition papers have not yet been served.

Settlement phase

After getting the name and address of the person who paid for the internet access account, they then send him or her a letter demanding a "settlement". Their settlement is usually for $3750, non-negotiable, and contains numerous one-sided and unusual provisions, such as a representation that peer to peer file sharing of copyrighted music is a copyright infringement (a representation that is far too broad, undoubtedly there are 'sharing' behaviors with digital files, as there are with cd's, that are not copyright infringements). Even certain innocuous provisions, worded in a way to make them obligations of the defendant but not the RIAA, are deemed 'non-negotiable'.

At bottom, the settlement is cold comfort to the defendant, because it does not speak for the other potential plaintiffs -- the owners of the copyrighted work, or the other record companies not represented by the RIAA litigation fund.

Litigations against named defendants

If there is no settlement, the RIAA then commences suit against the named defendant in the district in which he or she resides. A boilerplate complaint is used which accuses the defendant of "downloading, distributing, and/or making available for distribution" a list of songs. There are actually 2 lists, a long list (exhibit B) and a short list (exhibit A). No details as to how, when, or where the alleged "infringement" took place.
If the defendant defaults, plaintiffs apply for, and apparently usually obtain, a default judgement for $750 per Exhibit A song -- a number which is 757 times the 99-cent amount for which the license to the song could have been purchased.

There have been several challenges to the sufficiency of the boilerplate complaint, in the form of a motion to dismiss the complaint: 2 in Texas, 1 in Minnesota, and a number in New York in which my firm has been involved. In Elektra v. Santangelo, in Westchester, the motion was denied. In Elektra v. Barker in Manhattan, Maverick v. Goldshteyn in Brooklyn, and Arista v. Greubel and Fonovisa v. Alverez in Dallas, Texas, the motions are pending.

In Elektra v. Barker, amicus curiae briefs have been submitted by the Electronic Frontier Foundation, the Computer & Communications Industry Association, and the Internet Industry Association, in support of Ms. Barker's motion, and by the MPAA in opposition to it. Additionally the American Association of Publishers and the United States Department of Justice have indicated an interest in filing papers in opposition to the motion as well.

In cases where the sufficiency of the complaint is not being challenged, the RIAA serves a number of pretrial discovery requests, calling for examination of the hard drive and numerous other items, and discovery is being litigated.

In Priority Records v. Brittany Chan, a Michigan case, the litigation was brought against a 14 year old girl who allegedly engaged in file sharing when she was 13. The RIAA made a motion to have a guardian ad litem appointed so that their case might proceed against the minor, but the Judge rejected the motion because it did not ensure payment of the guardian ad litem's fees.
From rforno at infowarrior.org Fri Apr 7 08:24:24 2006
From: rforno at infowarrior.org (Richard Forno)
Date: Fri, 07 Apr 2006 08:24:24 -0400
Subject: [Infowarrior] - Nessus for OSX
Message-ID:

(c/o D)

Nessus for OS X, 3.0, Cocoa released -- http://www.nessus.org/


From rforno at infowarrior.org Fri Apr 7 08:32:58 2006
From: rforno at infowarrior.org (Richard Forno)
Date: Fri, 07 Apr 2006 08:32:58 -0400
Subject: [Infowarrior] - F.B.I. and Justice Dept. Are Faulted Over Child Predators on Web
Message-ID:

April 7, 2006

F.B.I. and Justice Dept. Are Faulted Over Child Predators on Web
By JOSHUA BROCKMAN
http://www.nytimes.com/2006/04/07/us/07porn.html?_r=1&oref=slogin&pagewanted=print

WASHINGTON, April 6 -- Lawmakers from both parties continued on Thursday to question the commitment of the Justice Department and the Federal Bureau of Investigation to halting the online exploitation of children. They also accused the agencies of failing to provide major witnesses for a Congressional investigation into the matter.

House members voiced their protest before and after testimony on the second day of hearings of the Oversight and Investigations Subcommittee, part of the House Committee on Energy and Commerce. The tenor of the hearings, which focused on law enforcement efforts to capture online predators and rescue child victims, signaled that a showdown might be imminent.

"We keep trying to cooperate with the Justice Department and the F.B.I.," said Representative Joe L. Barton, Republican of Texas, the chairman of the full committee.

Speaking directly to William W. Mercer, a United States attorney for Montana who testified at the hearings, Mr. Barton said: "You folks seem bound and determined to be as uncooperative as possible. I'm going to call the attorney general one more time, and we had better get the people we want to testify."

Mr. Mercer testified that the caseload of the child exploitation section had increased 445 percent in the last four years, adding that federal prosecutions of child pornography and abuse cases increased to more than 1,500 cases last year from 344 in 1995.

"The attorney general himself," he said, "has made very clear his and the department's commitment to protecting children from sexual exploitation over the Internet."

The urgency of the hearings, where witnesses from agencies including the Phoenix police, the Postal Inspection Service and the Department of Homeland Security testified, was underscored by the arrest on Tuesday of a Homeland Security spokesman, Brian J. Doyle, on charges of using the Internet to try to seduce a Florida detective posing as a teenager.

Officials on hand to testify, including James Plitt, chief of the Cyber Crimes Center for the Immigration and Customs Enforcement division, said arrests of federal employees had come as no surprise to them.

The hearing followed testimony on Tuesday by Justin Berry, a teenager who was molested by online predators. Kurt Eichenwald, a reporter for The New York Times, chronicled Mr. Berry's experience in an article in December that spurred the Congressional investigation.

Citing Mr. Berry's testimony that he had no faith in the Justice Department's efforts to act on information he had provided to them, Representative Edward Whitfield, a Kentucky Republican who is chairman of the subcommittee, asked, "Why has it taken so long for the department to act and rescue children in imminent danger of being molested?"

Mr. Whitfield also asked why certain witnesses, including Andrew Oosterbaan, chief of the department's Child Exploitation and Obscenity section, and Raul Roldan, chief of the F.B.I.'s Cyber Crimes section, who appeared on television news programs Thursday morning, did "not have time for us."
From rforno at infowarrior.org Fri Apr 7 08:48:01 2006
From: rforno at infowarrior.org (Richard Forno)
Date: Fri, 07 Apr 2006 08:48:01 -0400
Subject: [Infowarrior] - New Journal: Federal Secrecy After September 11 and the Future of the Information Society
Message-ID:

Federal Secrecy After September 11 and the Future of the Information Society, http://is-journal.org/articles.php?level=1

I/S: A Journal of Law and Policy for the Information Society is an interdisciplinary journal of research and commentary concentrating on the intersection of law, policy, and information technology. I/S represents a one-of-a-kind partnership between one of America's leading law schools, the Moritz College of Law at the Ohio State University, and the nation's foremost public policy school focused on information technology, Carnegie Mellon University's H.J. Heinz III School of Public Policy and Management. The official citation format for I/S is: __ ISJLP __ (20YY).


From rforno at infowarrior.org Fri Apr 7 09:23:33 2006
From: rforno at infowarrior.org (Richard Forno)
Date: Fri, 07 Apr 2006 09:23:33 -0400
Subject: [Infowarrior] - Database ensures Big Brother is watching in China
Message-ID:

Database ensures Big Brother is watching in China
http://reuters.myway.com/article/20060407/2006-04-07T045507Z_01_PEK315345_RTRIDST_0_NEWS-CHINA-SURVEILLANCE-DC.html

Apr 7, 12:55 AM (ET)

BEIJING (Reuters) - China has recorded details of more than 96 percent of its population on a police database, state media reported on Friday, supplementing Internet and other state-sanctioned surveillance.

Since the 2003 launch of its "Gold Shield Program," the Public Security Bureau had collected information on about 1.25 billion of the country's 1.3 billion people.

"It has helped police uncover many criminal cases," Liu Shuo, a police official, was quoted by Xinhua news agency as telling a news conference on Thursday, adding that over 20 percent of criminal cases last year were solved with help from the database.
The database is just one way in which China keeps tabs on its citizens. An estimated 30,000 Web police monitor the surfing habits of China's 110 million internet users, and restrict access to Web sites and blogs posting sensitive material, including topics related to democracy or independence for Tibet and Taiwan.


From rforno at infowarrior.org Sun Apr 9 08:22:36 2006
From: rforno at infowarrior.org (Richard Forno)
Date: Sun, 09 Apr 2006 08:22:36 -0400
Subject: [Infowarrior] - Local Teacher's Run-In With Homeland Security Creates Insecurities
Message-ID:

Frankly, if someone said they're with 'Homeland Security' my first question would be a polite but relevant one -- "whose?" Since almost every city, county, and state government has some sort of 'Homeland Security' entity (with varying degrees of professionalism and competence) I'd sure as hell want to know WHO wanted to talk with me --- not to mention, the federal DHS doesn't need any more public perception problems these days... I mean, if someone said "Stop! IRS" you'd presume it was the federal agency and not Podunk County's Internal Revenue Service, right? --rf

Local Teacher's Run-In With Homeland Security Creates Insecurities
http://news.yahoo.com/s/wjxt/20060406/lo_wjxt/3379371&printer=1;_ylt=AoGMdqhrX7WbuhPaRBFLLowpx0QC;_ylu=X3oDMTA3MXN1bHE0BHNlYwN0bWE-

Thu Apr 6, 5:29 PM ET

A local school employee said a rough run-in with a couple of Homeland Security officers has left him with a strong sense of insecurity.

Leander Pickett, a teacher's assistant at Englewood Elementary, said he was manhandled and handcuffed by two plain clothed Homeland Security officers in front of the school Tuesday for no reason at all.

"I would like to treat people the way I would want to be treated, and yesterday I wasn't treated that way," Pickett said.

Pickett has been working at Englewood for two years, and his principal and colleagues told Channel 4 they have never met a harder worker or nicer guy.
"He's well loved by everyone because he's willing to do anything to help children," said the Englewood Elementary Principal Gail Brinson.

However, Tuesday afternoon Pickett's niceness turned to anger, disappointment, and betrayal when, as Pickett was directing bus traffic, he said he was handcuffed and roughed up and humiliated by the very people that were supposed to protect him.

"I walked up to him and said, 'Sir, you need to move.' That's when he said 'I'm a police officer. I'm with Homeland Security ... I'll move it when I want to.' That's when he started grabbing me on my arm," Pickett said.

However, Homeland Security tells a different story. The department said the only reason the officers were at the school was because they pulled over to look at a map. The department also said it's looking into what happened, and that Pickett's version is wrong. It claims he was antagonizing the officers.

Several people were outside of the school, watching the incident take place, and those witnesses agree with Pickett's story.

"Mr. Pickett asked the guy blocking the bus loading zone to move, and the guy told him he would move his car when he got ready to move it," said Englewood coach Alton Jackson.

"At that point I intervened and I went up to the gentleman and said, 'Mr. Pickett is an employee here,' and they said that didn't matter," said Englewood media specialist, Terri Dreisonstok.

"'We're with Homeland Security,' and on and on they went, and pretty soon, before you know it, he's handcuffed and slammed against a car," Brinson said. "All the children are watching, they're all upset."

After about 30 minutes, the men released Pickett.

"The part that really upsets me is all these students were watching, and that and it isn't good," Jackson said.

Pickett said he plans to sue.

"You know you hear these stories everyday and say, 'This will never happen to me,' but yesterday it happened to me," Pickett said.
"If this is Homeland Security, I think we ought to be a little afraid," Brinson said.

The central office of Homeland Security contacted Channel 4 about the incident and stated that it considers all allegations seriously and the matter has been referred to a neutral investigative entity.


From rforno at infowarrior.org Sun Apr 9 08:33:49 2006
From: rforno at infowarrior.org (Richard Forno)
Date: Sun, 09 Apr 2006 08:33:49 -0400
Subject: [Infowarrior] - Princeton University-Microsoft Intellectual Property Conference
Message-ID:

Public Conference: May 18-20, 2006
http://www.princeton.edu/~pumipc/

Few areas of law are changing as rapidly as intellectual property law. With the growth of new technologies for communicating ideas, the development of e-commerce, and the globalization of the marketplace for goods and information, intellectual property law faces issues and challenges unlike those it has faced in the past. The dizzying pace of change requires new ways of thinking about intellectual property and the accompanying issues of copyright, fair use, public domain, artistic creation, and other concepts that have traditionally defined the field.

Typically, conferences addressing intellectual property issues have, first, been sponsored by law schools and been driven by considerations of legal issues confronting the field; and, second, have focused on the application of intellectual property law to a particular set of industries or field of endeavor (for example, music, biotechnology, software, or humanities archives). The Princeton University-Microsoft Intellectual Property Conference will diverge from this model in two ways. First, it will focus less on legal doctrine per se, and more on the consequences of intellectual property law for the actual practices of creative workers. Second, the conference will bring to the table scholars and practitioners in several fields -- science, the arts, software design, archiving -- in an explicit effort to induce intellectual cross-pollination and drive the conversation beyond the usual boundaries of disciplinary discourse. We anticipate that organizing the meetings in this way will push legal scholars and others to explore new ways of framing and conceptualizing old and sometimes intractable legal issues. We plan to strike a balance between issues confronting creators and those confronting users. In particular, the unique role of the university (as creator, user, patron, disseminator, owner) will be explored in some depth. We expect the conference to generate one or more significant research initiatives designed to collect and analyze empirical data on the relationship between intellectual property regimes and the practices of creative workers.

The conference is being organized by the Center for Arts and Cultural Policy Studies, the Program in Law and Public Affairs, and the Center for Information Technology Policy at the Woodrow Wilson School of Public and International Affairs and funded by the Microsoft Corporation, with additional support from the Rockefeller Foundation.

OBJECTIVES

The primary objectives of the Princeton University-Microsoft Intellectual Property Conference are to:

* Induce a conversation among people from different fields (e.g., information technology, biotech, the arts, literature and the humanities, legal studies) with the hope that perspectives from each field will help people imagine fresh approaches. This conversation will be encouraged by focusing primarily upon dilemmas and practices in the fields themselves, as opposed to legal doctrines or questions, per se.

* Generate synthetic insights, grounded by a discussion of practices across disciplines, with implications for further research, the evolution of intellectual property law, and public policy.

* For some fields (e.g., biotech), the conference should serve to help define problems and their consequences, educate scientists, and articulate policy solutions.
Some key questions to be considered include:

* What kinds of intellectual-property regimes enable creators in different fields to best work up to their potential?

* What intellectual-property regimes allow for the maximum public good to be derived from artistic and scientific creations?

* What policy approaches are best able to reconcile the competing interests of creators, users, and disseminators of intellectual property?

* How do ethical considerations regarding practices, consequences, and the law differ across fields?

* What are the unintended consequences of existing intellectual property laws?


From rforno at infowarrior.org Tue Apr 11 13:47:27 2006
From: rforno at infowarrior.org (Richard Forno)
Date: Tue, 11 Apr 2006 13:47:27 -0400
Subject: [Infowarrior] - Air Force One data removed from Web
In-Reply-To:
Message-ID:

(note that it took THREE DAYS to remove this stuff from the web.... 'e-enabled military' is starting to sound like an oxymoron.... and 'password protecting it' on a website makes me feel much safer, too.... rf)

(see also: http://cryptome.org/af1-rescue.htm)

Air Force One data removed from Web
Site revealed details of security measures on president's jets
- Paul J. Caffera, Special to The Chronicle
Tuesday, April 11, 2006

Air Force and Pentagon officials scrambled Monday to remove highly sensitive security details about the two Air Force One jetliners after The Chronicle reported that the information had been posted on a public Web site.

The security information -- contained in a "technical order" -- is used by rescue crews in the event of an emergency aboard various Air Force planes. But this order included details about Air Force One's anti-missile systems, the location of Secret Service personnel within the aircraft and information on other vulnerabilities that terrorists or a hostile military force could exploit to try to damage or destroy Air Force One, the president's air carrier.
"We are dealing with literally hundreds of thousands of Web pages, and Web pages are reviewed on a regular basis, but every once in a while something falls through the cracks," Air Force spokeswoman Lt. Col. Catherine Reardon told The Chronicle. "We can't even justify how (the technical order) got out there. It should have been password-protected. We regret it happened. We removed it, and we will look more closely in the future."

The technical order first came to light Saturday when The Chronicle revealed its existence -- but not any of its sensitive details. The Chronicle purposely withheld publishing the Web site and certain information about anti-missile capabilities from the order that could have compromised security of the two Air Force One jetliners.

The Chronicle also took extensive steps to alert the government to the order's availability on the Internet. Immediately after discovering the document, The Chronicle notified military and federal authorities about its existence. Nonetheless, a week after they were initially notified, neither the Secret Service nor Air Force officials at Andrews Air Force Base, the home of Air Force One, had caused the document to be removed.

Before publishing Saturday's story, The Chronicle again contacted Andrews Air Force Base and provided officials with the Web address for the document. The Chronicle also offered to provide the address to the White House. White House press spokeswoman Jeanne Mamo, when notified on Friday, said she was satisfied that Andrews officials had already been told by The Chronicle of the site's existence.

The technical order remained on the Web until Monday afternoon.
"The order came down this afternoon to remove this particular technical order from the public Web site," said John Birdsong, chief of media relations at Warner Robins Air Logistics Center, the air base in Georgia that had originally posted the order on its publicly accessible Web site.

According to Birdsong, the directive to remove the document came from a number of officials, including Dan McGarvey, the chief of information security for the Air Force at the Pentagon.

Saturday's article "got the attention of the highest level in this building," a Pentagon official told The Chronicle on the condition that the person not be named.

The article also got the attention of the White House press corps. At a daily briefing on Monday, Scott McClellan, President Bush's spokesman, was asked about The Chronicle article and if the administration was aware that potentially compromising information was available on the Internet.

"I'm not going to talk about security measures," McClellan said.

Reardon blamed the failure to act sooner on a general failure to appreciate the significance of the information. Officials at Andrews Air Force Base and the White House Military Office "missed the bigger picture (and) failed to raise the document to a higher level," she said. "They saw that the document was not classified and thought they could not do anything about it."

Remarkably, the Pentagon official who requested anonymity said the reason for the document's existence in the public domain in the first place was thrift. Putting the order on the Internet "was viewed (by someone) as a cost-effective method of making the information available," the official noted, "but it compromised information not only about Air Force One. ... It had information about our entire fleet."

Jean Schaefer, deputy chief of public affairs for the secretary of the Air Force, said the services need to be more mindful of their own rules. "We have very clear policies of what should be on the Web," she said.
"We need to emphasize the policy to the field.

"It appears that this document shouldn't have been on the Web, and we have pulled the document in question," said Schaefer. "Our policy is clear in that documents that could make our operations vulnerable or threaten the safety of our people should not be available on the Web."

The revelation of the anti-missile defenses on Air Force One, and other high-value aircraft, comes just weeks after the Pentagon notified Congress that obtaining funding for the installation of missile countermeasures on aircraft used by the secretary of state and other top officials was a high priority.

Page A - 1
URL: http://sfgate.com/cgi-bin/article.cgi?file=/c/a/2006/04/11/MNGK3I7A641.DTL


From rforno at infowarrior.org Tue Apr 11 20:14:45 2006
From: rforno at infowarrior.org (Richard Forno)
Date: Tue, 11 Apr 2006 20:14:45 -0400
Subject: [Infowarrior] - Oracle's oops on security flaw
Message-ID:

Oracle's oops on security flaw
By Joris Evers
http://news.com.com/Oracles+oops+on+security+flaw/2100-1002_3-6060128.html
Story last modified Tue Apr 11 16:57:46 PDT 2006

Oracle accidentally let slip details last week on a security flaw it has yet to patch.

The business software giant is usually secretive about security and critical of researchers who publicly discuss flaws in Oracle products. But on April 6, it itself published a note on its MetaLink customer Web site with details about an unfixed flaw, Alexander Kornbrust, an independent researcher who specializes in Oracle security, said on his Web site on Monday.

Oracle confirmed the accidental posting. "Information regarding a security vulnerability was inadvertently posted to MetaLink," a representative for the company said Tuesday. "We are currently investigating events that led to the posting."
The flaw in question affects versions 9.1.0.0 through 10.2.0.3 of Oracle's database software running on any operating system. Not only did the posting reveal details of the vulnerability, it also included computer code to test it, said Kornbrust, who runs Germany's Red Database Security and often hunts for bugs in Oracle products.

The MetaLink posting was taken down. Yet, because of the posting, Kornbrust believes the issue is now public knowledge and the bug information should be shared publicly. "Database administrators and developers who missed the note on MetaLink should know of this vulnerability, in order to avoid or mitigate the risk, if possible, while waiting for a patch from Oracle," Kornbrust said.

The flaw opens the door to privilege escalation, meaning that database users with limited privileges could take advantage of it to gain more rights. "Depending on the architecture of the application, it is possible to modify data, escalate privileges--for example, change database passwords," Kornbrust wrote.

The vulnerability arises from an error in handling certain "views" created by unprivileged users, according to security analysts at the French Security Incident Response Team. The FrSIRT deems the issue of "moderate risk."

Oracle has no fix publicly available, but the next edition in its regular Critical Patch Update is scheduled for release on Tuesday. "We plan to provide our customers a patch that addresses this vulnerability in a future quarterly Critical Patch Update," the Oracle representative said, but could not say if it would arrive next week.
From rforno at infowarrior.org Wed Apr 12 08:04:25 2006
From: rforno at infowarrior.org (Richard Forno)
Date: Wed, 12 Apr 2006 08:04:25 -0400
Subject: [Infowarrior] - Secret Agreement Reveals Covert Program to Hide Reclassification from Public
Message-ID:

Secret Agreement Reveals Covert Program to Hide Reclassification from Public

National Archives Signed Deal with Air Force to Disguise Re-review of Open Files and Mislead Researchers on Reasons for Withdrawing Previously Open Records.

http://www.gwu.edu/~nsarchiv/news/20060411/index.htm

Washington D.C., 11 April 2006 - The National Archives and Records Administration secretly agreed to a covert effort, led by the Air Force, the CIA, and other still-hidden intelligence entities, to remove open-shelf archival records and reclassify them while disguising the results so that researchers would not complain, according to a previously secret Memorandum of Understanding (MOU).

The secret agreement, made between the Air Force and the National Archives, was declassified pursuant to a Freedom of Information Act request by the National Security Archive and posted on the NARA website yesterday.

The heavily excised MOU, signed by assistant archivist Michael Kurtz in March 2002, reveals that the National Archives agreed that the existence of the program was to be kept secret as long as possible: "it is in the interests of both [excised] and the National Archives and Records Administration (NARA) to avoid the attention and researcher complaints that may arise from removing material that has already been publicly available," states the MOU.

NARA agreed that the withdrawal sheets indicating the removal of documents would conceal any reference to the program and "any reason for the withholding of documents." NARA also agreed to conceal the identities of the intelligence personnel who were reviewing and removing the documents, according to the agreement, including from NARA's own staff.
"NARA will not disclose the true reason for the presence of [deleted agency] AFDO [deleted] personnel at the Archives, to include disclosure to persons within NARA who do not have a validated need-to-know."

The National Security Archive first learned of the existence of the agreement, classified SECRET/[codeword deleted], earlier this year, when Archive staff accompanied historian Matthew Aid to a meeting at NARA to complain about absurd reclassifications such as 50-year-old documents that had been widely published. On February 1, Archive analyst William Burr filed a Freedom of Information Act request for the document.

NARA and Defense Department officials acknowledged the existence of the MOU at the March 14, 2006 hearing of a House Government Reform subcommittee chaired by Rep. Christopher Shays (R-Ct), but refused to discuss the substance of the MOU in public session. During the hearing, Archivist of the United States Allen Weinstein suffered persistent questioning about the MOU from Chairman Shays and other members of the Committee, to which Dr. Weinstein could only reply "it's classified."

"This secret agreement reveals nothing less than a covert operation to white-out the nation's history, aided and abetted by the National Archives," said National Security Archive executive director Thomas Blanton.

The excised portions of the MOU released yesterday apparently still hide other intelligence entities involved with the Air Force and the CIA in reclassifying public records. The MOU was originally classified at the codeword level, but the codeword itself remains classified, according to the markings on the released MOU.

The reclassification activities at NARA began at the end of the Clinton administration. So far, more than 55,000 pages of declassified documents, dating back to the World War II era, have been removed from the open files.
During the March 14 hearing, Congressman Shays noted that the reclassification program was not in the national interest. "This absurd effort to put the toothpaste back into the tube persists despite the growing consensus - supported by testimony before this Subcommittee - that from fifty to ninety percent of the material currently withheld should not be classified at all," Shays stated in his opening statement. According to National Security Archive historian William Burr, concern over references in some declassified records to various aerial reconnaissance systems that Air Force has used over the years, such as the U-2 and the earlier GENETRIX balloon program, may have triggered the reclassification project. Censored sections of the MOU, he noted, could refer to operations of the National Security Agency. If the NSA was involved, then perhaps the re-review referenced in the MOU focused on specialized intelligence activities. In February 2002, a recruitment notice shows that the Raytheon Corporation received a contract from the Air Force to conduct the reclassification review and that the project team would include at least 20 people. From rforno at infowarrior.org Wed Apr 12 08:06:28 2006 From: rforno at infowarrior.org (Richard Forno) Date: Wed, 12 Apr 2006 08:06:28 -0400 Subject: [Infowarrior] - Proposed OK bill allows commercial spying/access to PCs Message-ID: Get ready for Microsoft, cable and phone companies, and quite a few other people to know a lot more about what you do on your computer, thanks to House Bill 2083. Wednesday, April 05, 2006 Ben Fenwick http://www.okgazette.com/news/templates/cover.asp?articleid=423&zoneid=7 It?s supposed to protect you from predators spying on your computer habits, but a bill Microsoft Corp. helped write for Oklahoma will open your personal information to warrantless searches, according to a computer privacy expert and a state representative. Called the ?Computer Spyware Protection Act,? 
House Bill 2083 would create fines of up to a million dollars for anyone using viruses or surreptitious computer techniques to break on to someone?s computer without that person?s knowledge and acceptance, according to the bill?s state Senate author, Clark Jolley. ?The bill has a clear prohibition on anything going in without your permission. You have to grant permission,? said Jolley, R-Edmond. ?You can look at your license agreement. It will say whether they have the ability to take that information or not.? But therein lies the catch. If you click that ?accept? button on the routine user?s agreement, the proposed law would allow any company from whom you bought upgradable software the freedom to come onto your computer for ?detection or prevention of the unauthorized use of or fraudulent or other illegal activities in connection with a network, service, or computer software, including scanning for and removing computer software prescribed under this act.? That means that Microsoft (or another company with such software) can erase spyware or viruses. But if you have, say, a pirated copy of Excel ? Microsoft (or companies with similar software) can erase it, or anything else they want to erase, and not be held liable for it. Additionally, that phrase ?fraudulent or other illegal activities? means they can: ?Let the local district attorney know that you wrote a hot check last month. ?Let the attorney general know that you play online poker. ?Let the tax commission know you bought cartons of cigarettes and didn?t pay the state tax on them. ?Read anything on your hard drive, such as your name, home address, personal identification code, passwords, Social Security number ? etc., etc., etc. ?I think in broad terms that is still a form of spying,? said Marc Rotenberg, attorney and executive director of the Electronic Privacy Information Center in Washington, D.C. ?Some people say, ?Well, it?s justified.? I?m not so clear that should be the case. 
Particularly if the reason you are passing legislation is to cover that activity." The bill is scheduled to go back before the House for another vote. Will the Oklahoma House, on behalf of all computer users in the state of Oklahoma, click "accept"?

Where did you go yesterday?

Computer users first accepted updates when anti-virus makers, such as Symantec Corp. or McAfee, began back in the Nineties offering regular updates in an attempt to stay current with the alarming number of viruses introduced over the Internet. This was followed by Windows ME and 2000 allowing updates to their programs via downloads. By the time Windows XP came out, regular online updates became part of the product one purchased. At around the same time, the Napster phenomenon pushed music corporations, courts and lawmakers into taking action against online file sharing of music. Hip, computer-savvy listeners traded pirated MP3 recordings beyond count, leading to action by the music industry to go on a search and destroy mission against the online music traders, even in Oklahoma. In 2000, Oklahoma State University police seized a student's computer containing thousands of downloaded songs after he was traced by a recording industry group. Anti-spyware bill author Jolley said that's what people like the OSU student get for sharing their information online. "You have to look at the other side of that issue," Jolley said. "When they agreed to put their files online, they literally agreed to allow people to come on their computers and search the files online. On a P-to-P (peer-to-peer) network, you are inviting other people to see what you have. That's a risk you run by participating in file share." Jolley said his spyware bill is supposed to stop "phishers" from stealing one's identity off of one's computer, is supposed to stop "Trojan horse" viruses from being installed on the computer and is supposed to make illegal a host of other techniques for spying on a user's personal information.
"It prohibits them from taking things as basic as your home address, your first name, your first initial in combination with your last name, your passwords, any personal identification numbers you have, any biometric information, any Social Security, tax IDs, drivers licenses, account balances, overdraft histories - there is a clear prohibition on that," Jolley said. Indeed, Sections 4 and 5 of the act specifically forbid anyone from doing so without the user's permission. However, Section 6 of the act says such a prohibition "shall not apply" to "telecommunications carrier, cable operator, computer hardware or software provider or provider of information service" and won't apply to those companies in cases of "detection or prevention of the unauthorized use of or fraudulent or other illegal activities." Which means software companies updating a user's software or the cable company monitoring that user's activities on a broadband modem hookup can turn over that user's history of writing hot checks to the district attorney if the company feels like it, said Rotenberg.

"You go back to the old-fashioned wiretap laws," Rotenberg said. "There was an exception to allow telephone companies to listen in on telephone calls. The theory was that it was necessary to make sure that the service was working. Part of what's going on here is to significantly expand that exemption to a whole range of companies that might have reason for looking on your computer. The statute will give them authority to do so. I think it's too broad. I think the users in the end need to be able to allow that themselves." Jolley insists his proposed law would not allow Microsoft, Symantec or Cox Communications to become "Big Brother." "The goal of this is not to allow any company to go through and scan your computer," Jolley said. "If they are, it has to be for a specific purpose. If you don't want them doing that, don't agree to (the user's agreement)."
Which means, when a user accepts Microsoft's Windows operating system on that new computer, or Norton AntiVirus, or Apple's operating system or a host of other online-upgradable programs, that user agrees to being watched by the company. Who on Earth would write such a law? It wasn't Jolley, or anyone in Oklahoma. To read more of "The Watchers," pick up a Gazette.

MOUTHING OFF
"Now we are talking about Microsoft having the freedom to check your computer for any sort of illegal or fraudulent activity you might be participating in. Without your knowledge or consent. It is giving up your rights to privacy." - State Rep. Mike Reynolds, R-Oklahoma City, about House Bill 2083. The bill gives software or online access companies freedom, without liability, to erase spyware and pirated software from users' computers, in addition to monitoring for fraudulent or illegal activities.

From rforno at infowarrior.org Wed Apr 12 08:08:47 2006
From: rforno at infowarrior.org (Richard Forno)
Date: Wed, 12 Apr 2006 08:08:47 -0400
Subject: [Infowarrior] - I.R.S. Asks PayPal for Taxpayer Data
Message-ID:

I.R.S. Asks PayPal for Taxpayer Data
By THE ASSOCIATED PRESS
http://www.nytimes.com/2006/04/12/technology/12paypal.html?_r=1&adxnnl=1&oref=slogin&adxnnlx=1144843693-K2KVV41fvI/aYC2fY7Z3Ag&pagewanted=print

WASHINGTON, April 11 (AP) - The Internal Revenue Service said Tuesday that it had won approval from a federal court to ask the online payment company PayPal to turn over information about people who may be evading taxes by hiding income in other countries. A federal court in San Jose, Calif., gave the I.R.S. permission to ask PayPal for information on American taxpayers who have bank accounts, credit cards or debit cards issued by financial institutions in more than 30 countries that are reputed to be tax havens. Amanda Pires, a PayPal spokeswoman, said Tuesday that the company had just received the summons. "We're still evaluating our options," she said.
"The privacy of our customers' information is something we take really seriously." PayPal enables individuals and businesses around the world to send and receive money online. The company, owned by eBay, has 100 million account holders globally, and it moved $27.5 billion in 2005. The request for information is an outgrowth of an I.R.S. effort, begun several years ago, to trace money that American taxpayers hold offshore to avoid paying taxes. The I.R.S. said many of those taxpayers access their money through credit and debit cards. The tax collectors have already obtained information from some credit card companies, merchants and payment processors. "PayPal is another one of the mechanisms by which money stashed overseas might be spent," Eileen J. O'Connor, assistant attorney general for the Justice Department tax division, said.

From rforno at infowarrior.org Wed Apr 12 11:21:29 2006
From: rforno at infowarrior.org (Richard Forno)
Date: Wed, 12 Apr 2006 11:21:29 -0400
Subject: [Infowarrior] - At Homeland Security, No Money Left Behind
Message-ID:

At Homeland Security, No Money Left Behind
http://www.washingtonpost.com/wp-dyn/content/article/2006/04/11/AR2006041101397_pf.html
By Dana Milbank
Wednesday, April 12, 2006; A02

Vendors at this week's homeland security convention have the answer for any catastrophe. They will sell you body armor, vehicle barriers, nuclear detectors, manhole-cover locks, unmanned helicopters -- and Kyrgyz yurts. After Hurricane Katrina destroyed thousands of homes, the good people of Kyrgyzstan saw a business opportunity. So the embassy rented a booth at the Washington Convention Center and got Kyrgyz officials on the program as speakers and hosts of the Homeland and Global Security Summit. This allowed the embassy to erect a yurt, the traditional nomadic tent of Central Asia, and offer it as a housing solution for the Gulf Coast.
"After Katrina, people really need some temporary houses," explained the Kyrgyz Embassy's Saltanat Tashmatova, at the front door of the yurt. A brochure says the 14-foot-high structure, made from sheep's wool and "cool in summer," sells for $10,000 -- but the floor model can be had for $7,000. Any sales yet? "We just started," Tashmatova said with a shrug. Give it time, Kyrgyzstan: There's enough money for everybody in the homeland security budget. The host of the convention, Equity International, boasts that "more than $150 billion" will be spent this year to thwart terrorism and respond to natural disasters. Equity International promises attendees "valuable networking opportunities" and "the right contacts" to get a piece of the action. The program lists high-level speakers from the Department of Homeland Security and the military, and the list of participants includes the departments of State, Energy, Agriculture, Transportation, Justice, Commerce, and Housing and Urban Development; a bunch of embassies; and every law enforcement agency from the Secret Service to the Loudoun County sheriff. And they all seem to be flush with cash. "We're going to spend money!" George Foresman, the homeland undersecretary for preparedness, said when asked at a session yesterday about his "budget priorities." "Well, good!" responded the moderator. Foresman elaborated on his little quip: "We're making sure we push the dollars out the door under a consolidated approach." Maj. Gen. Bruce Davis of the U.S. Northern Command was also reassuring. "The funding priority is going to continue as it has in the past," he said. An audience member said he was concerned that security grants would shift from rural to urban areas. "We're not talking about an either/or equation; we're talking about an and approach," Foresman answered. He promised: "Nobody's going to get left behind." That's easy to believe. 
After the session, Foresman stopped at the booth of Hanson, a company that paid $10,000 for a sponsorship and is promoting wind-resistant building materials. "What winds will it withstand?" he inquired. A representative handed him a brochure. "I'm headed down there Friday," Foresman said. "Give me a business card. I'll make sure they call you." That was $10,000 well spent. "The projections are unreal," Hanson spokesman Adrian King said after Foresman left. "It is huge." Dozens of exhibitors vied for their place in the homeland security industrial complex: guard booths. Tactical antennas. Flood vents. Evacuation suits. The "German pavilion" promised "Safe and Sound with German Technologies." A Dutch pavilion had orange tulips and pictures of windmills. A Russian pavilion offered "safe" nuclear fuel. "We went from a small company to a large company overnight," marveled Robert Smith at the Nasatka Barriers booth, where a video shows a truck losing a battle with a barrier. Nearby, a Talon Robot was moving around with a mock pipe bomb in its claw. "In the last 18 months to two years, production skyrocketed," said Jason Wagner. The booth offering Stabiloc manhole-cover locks reported interest from the Pentagon and various embassies. Even John Ritzenthaler, the guy selling prisoner-made office furniture, saw an opportunity at DHS. "There's a lot of growth in that particular agency," he said. The government officials were happy to encourage the entrepreneurs. "We're asking industry to come to the table with us," Kevin Stevens, a U.S. Customs and Border Protection official, said at a workshop. "Help us transform the way we do business." Across the exhibition floor, Alex Martinez was doing his best to help. Until a few years ago, his company, Coptervision, rented out remote-controlled helicopters to Hollywood studios for aerial shots in movies. But since 9/11, governments have been demanding his choppers, which start at $75,000. "It's a life-changing event," Martinez said. 
For the federal government, this life change has added tens of billions of dollars to the deficit. For industry, it has added a similar amount to revenue -- and executives can hardly believe their luck. At the booth offering "LifeShirts" to monitor the vital signs of first responders and U.S. troops, CEO Andrew Behar said his products were originally used for drug trials. And now? "We just deployed our first 50 with the Air Force," he reported. "We've got back orders now. It's a new world."

© 2006 The Washington Post Company

From rforno at infowarrior.org Thu Apr 13 11:38:20 2006
From: rforno at infowarrior.org (Richard Forno)
Date: Thu, 13 Apr 2006 11:38:20 -0400
Subject: [Infowarrior] - Beware of MS06-013, not just a security fix
Message-ID:

(more interesting reading on this at http://osvdb.org/blog/?p=111)

IE Changes Due: What You Can Expect
Microsoft will release a security update for Internet Explorer that will also change how users interact with Web sites.
By Gregg Keizer, TechWeb.com
April 11, 2006
URL: http://www.informationweek.com/story/showArticle.jhtml?articleID=185300378

Microsoft Corp. will release Tuesday a security update for Internet Explorer that will also change how users interact with Web sites. Some sites that rely on popular ActiveX controls, such as Apple's QuickTime, RealNetworks' RealPlayer, and Adobe's Flash and Acrobat, are likely to give users fits. The change, which Microsoft has been warning Web site developers about since December 2005, was made to abide by a ruling in a patent infringement lawsuit Microsoft lost in 2003 to the University of California and its startup, Eolas Technologies Inc. With the changes rolled out in a mandatory security fix, any IE user who downloads and installs Tuesday's security patches -- either manually or via an automated system such as Microsoft Update -- will likely need to modify how they use those sites which haven't been rewritten. What should users expect?
--- By default, IE will now consider embedded ActiveX content as inactive. Thus on unmodified sites, ActiveX content will not run. In other words, music won't play or a Flash component won't launch.
--- To activate an interactive ActiveX control, move the mouse over the content -- which now will be boxed -- and click on the pop-up tool tip dialog.
--- Alternately, users can press the Tab key until the focus is set on the content's box, then press either the spacebar or Enter key to activate.
--- Each control on each page must be manually activated in this way.

Adobe has posted a short Flash-based demo that shows the activation process. (Ironic note: If you're using IE after the Tuesday update has been applied, you must activate the Flash demo manually.) Microsoft has acknowledged that not all Web site developers will have modified their pages to account for IE's new behavior -- the easiest way for developers to sidestep user activation is to call the ActiveX controls via JavaScript -- and so will also release a patch on Tuesday to delay the changes. "We will create a 'compatibility patch' (deployed like a hotfix) that allows customers to turn off the change for a limited period of time through the June update cycle (2nd Tuesday in June)," wrote Mike Nash, Microsoft's head of security, in a blog posting last month. The patch will put off the activation requirements until June 13. "[This is] to provide time for enterprise customers to resolve compatibility issues," added Nash.

From rforno at infowarrior.org Thu Apr 13 16:20:24 2006
From: rforno at infowarrior.org (Richard Forno)
Date: Thu, 13 Apr 2006 16:20:24 -0400
Subject: [Infowarrior] - Coming Soon to XM: More Commercials
Message-ID:

Business Week Online
http://www.businessweek.com/print/technology/content/apr2006/tc20060413_150389.htm
APRIL 13, 2006
News Analysis
By Olga Kharif

Coming Soon to XM: More Commercials
XM will air ads on some music stations, and analysts say that may just be the beginning.
Advertisers couldn't be more pleased Come May, some XM Satellite Radio listeners will hear a jarring new sound: commercials. XM will air advertisements by Clear Channel Communications, an early investor and owner of competing radio stations, on certain music channels including KISS, specializing in contemporary hits, and Nashville, a country music station. XM (XMSR ), like its smaller satellite radio rival Sirius (SIRI), airs commercials on its talk-show stations. But by and large, commercials on music stations are anathema. XM agreed to air the commercials to resolve a dispute over demands by Clear Channel (CCU ) that XM run ads on stations for which it provides programming. Now, Clear Channel can run the ads indefinitely. An XM spokesman insists advertising won't spread to other music channels. "We are committed to maintaining commercial-free all music channels we program," he says. Sirius also says that its music channels will remain off-limits to marketers. NEW ERA? But is that so much wishful thinking? Analysts say the XM-Clear Channel move may herald a new era for satellite radio. XM recently replaced its marketing slogan of "100% commercial-free music" with "most commercial-free music channels." XM and Sirius are increasingly reliant on ad revenue from talk shows. It may be a matter of time before ads migrate to music channels, says Gartner Research analyst Laura Behrens. In five to ten years, XM and Sirius's mix of programming and advertising will be comparable to that of traditional, or so-called terrestrial radio, she says. "Eventually, [both media] are going to get more similar as they evolve." For XM and Sirius, more commercials may become a necessity. Satellite radio competes with terrestrial radio for users. 
And both types are facing a barrage of new competition, from music-download sites to services such as Motorola's (MOT ) iRadio, which will let users pick from some 435 commercial-free radio channels to record on mobile devices (see BW Online, 1/13/06, "Everyone's Aiming At Satellite Radio"). Besides staying as commercial-free as possible, the satellite radio stations need to set themselves apart through content. And content doesn't come cheap. Sirius is shelling out $500 million for shock jock Howard Stern. XM and Sirius each spend about $1 billion a year on programming. And neither is profitable. Analysts surveyed by Thomson Financial expect Sirius to lose more than $1 billion this year on $614 million in sales. XM is expected to report a loss of $529 million on $952 million in sales. "TIPPING POINT." While XM should reach profitability in 2008, analysts don't yet have a profitability target for Sirius. Both companies "have to be looking for all revenue sources, and ads are one of them," says Ted Schadler, an analyst with consultancy Forrester Research. Advertisers are all too eager to oblige. In recent years, before XM and Sirius built big subscriber bases, many advertisers were uninterested in satellite radio. Times are changing. Sirius has recruited high-profile stars such as Stern and boasts 4 million subscribers, while XM has 6.5 million users and plans to air shows by Oprah Winfrey starting in September. "Advertisers were concerned about mass," says D. Scott Karnedy, senior vice-president of sales and marketing solutions at XM. "When we broke through six million subscribers, we saw that as a tipping point [with advertisers]." Sirius expects to have more than 6 million subscribers by the end of this year. And already the company's talk-show channel advertisers include prime brands like Subaru and Heineken. BIG DEMAND. Last year, XM tripled the number of ad agencies it works with. 
Its ad revenues have grown sevenfold in the past two years, to $20 million last year. "We can't keep up with the demand," says Karnedy. At Sirius, advertising sales increased more than sixfold, to $6.1 million in 2005. And in February, Chief Executive Mel Karmazin told investors that Sirius already has garnered more advertising commitments this year than it had in all of 2005. In fact, January, which is typically slow, was the best month for the company's advertising sales in its history. "Our advertising is growing fantastically," says a Sirius spokesman. Sirius is considering increasing commercial time on its Howard Stern show from six to nine minutes an hour. XM, meanwhile, expects to double its ad-sales team by mid-2006, compared with mid-2005 levels. The company also will increase the number of commercial minutes on its talk channels, currently at about seven minutes an hour. On terrestrial radio, talk-show channels typically have well over 12 minutes of commercials each hour. NATIONAL REACH. Fred Moran, an analyst with Stanford Financial Group, estimates both companies will receive 10% of sales from advertising by 2011. That may be conservative. Sirius expects advertising to reach 10% of revenue in the next couple years. Advertising now accounts for less than 1% of Sirius sales today. Indeed, satellite radio could take a substantial bite of the $20 billion terrestrial-radio advertising pie. "If you listen to Howard Stern, you'll hear an awful lot of the advertisers who were with him when he was in terrestrial radio," Karmazin said recently. "So I assume either those advertisers increased their budgets, or maybe they didn't increase their terrestrial-radio budgets much and they're giving us the additional revenue" (see BW Online, 4/10/06, "Stern Is The Draw At Sirius Satellite Radio"). That's really no surprise, as XM and Sirius can offer advertisers looking for a national reach more than terrestrial radio can, at least for now. 
XM and Sirius allow for text capabilities: Your in-car XM radio might display an advertiser's phone number while an audio commercial is playing. And graphics- and video-displaying capabilities are on the way. "We are creating new ways to engage with consumers," says Karnedy. "And we are driving remarkable results." PLUSSES AND MINUSES. A recent study done by XM showed that adding text to radio ads boosted recall rate (that's the percentage of people who remembered hearing an ad) by 47%. XM also allows companies to sponsor specific channels or shows, offer sweepstakes and contests, and to reach out to users via newsletters (see BW, 3/27/06, "XM Satellite: From Handshakes To Stores In Just Nine Months"). Satellite radio stations can also offer other flexibility. Terrestrial-radio stations discourage ads that are longer than 60 seconds. But last fall, Tanqueray, the maker of a popular gin, ran ads on Sirius that were 2.5 minutes long. The segment included an original hip-hop song, "Get Your Ice On." Terrestrial radio still has advantages over satellite radio, though. Satellite radio is unable, due to regulations, to broadcast local channels, so it can't as effectively compete for ads from local small businesses. FEWER ADS. And traditional radio isn't standing still in technology, either. This year, the industry is making a huge marketing push for High Definition (HD) Radio, which will allow terrestrial-radio stations to significantly increase the number of channels they broadcast to better compete with the more varied satellite radio. Users need HD radio receivers to be able to listen to these new channels, which will be supported by ads or subscriptions. While HD radio stations (there are more than 1,200 today) are ads-free, that could change. And just as satellite radio advertising ramps up, traditional FM/AM radio is becoming less ads-packed. 
Since late 2004, Clear Channel, which owns about 10% of radio stations in the U.S., has cut back on the amount of commercials by about 20%, according to the company. SELLER'S MARKET. As a result, user-time spent listening has been jumping by double digits every quarter. Ratings have been on the rise. Interestingly, the outfit's ad revenues have been increasing as well, as advertisers clamoring for fewer spots are willing to pay more. Indeed, terrestrial and satellite radio are becoming increasingly alike. And while that may come as bad news to satellite listeners, it's music to advertisers' ears.

From rforno at infowarrior.org Thu Apr 13 20:40:02 2006
From: rforno at infowarrior.org (Richard Forno)
Date: Thu, 13 Apr 2006 20:40:02 -0400
Subject: [Infowarrior] - Clausewitz's Theory of War and Information Operations
Message-ID:

Clausewitz's Theory of War and Information Operations
http://www.ndu.edu/inss/Press/jfq_pages/editions/i40/i40_featured_02.pdf

From rforno at infowarrior.org Thu Apr 13 22:04:12 2006
From: rforno at infowarrior.org (Richard Forno)
Date: Thu, 13 Apr 2006 22:04:12 -0400
Subject: [Infowarrior] - Librarians Win as U.S. Relents on Secrecy Law
Message-ID:

April 13, 2006
Librarians Win as U.S. Relents on Secrecy Law
By ANAHAD O'CONNOR
http://www.nytimes.com/2006/04/13/nyregion/13library.html?_r=1&oref=slogin&pagewanted=print

After fighting ferociously for months, federal prosecutors relented yesterday and agreed to allow a Connecticut library group to identify itself as the recipient of a secret F.B.I. demand for records in a counterterrorism investigation. The decision ended a dispute over whether the broad provisions for secrecy in the USA Patriot Act, the antiterror law, trumped the free speech rights of library officials.
The librarians had gone to federal court to gain permission to identify themselves as the recipients of the secret subpoena, known as a national security letter, ordering them to turn over patron records and e-mail messages. It was unclear what impact the government's decision would have on the approximately 30,000 other such letters that are issued each year. Changes in the Patriot Act now allow the government discretion over whether to enforce or relax what had been a blanket secrecy requirement concerning the letters. Lawyers for the group, the Library Connection of Windsor, Conn., argued that their client was eager to participate freely in the debate last year over the reauthorization of the Patriot Act. But federal prosecutors asserted that the Patriot Act required that the group's identity remain secret and that the government would suffer irreparable harm if any information about its investigations became known. The decision by the Justice Department to drop the case was applauded by the American Civil Liberties Union, which brought the lawsuit on behalf of the librarians. The civil liberties group said it would identify its clients at a news conference once court proceedings in the case are completed in a few weeks. "We are obviously very much looking forward to the day where they can explain how it felt to be under threat of criminal prosecution for merely identifying themselves," said Ann Beeson, the civil liberties union's associate legal director. "The clients are happy that the fight over this gag is nearing its end." Kevin J. O'Connor, the United States attorney in Connecticut, said yesterday that the government decided drop its case largely because the Patriot Act's secrecy provisions concerning national security subpoenas were changed to give the Federal Bureau of Investigation discretion in allowing recipients to identify themselves. 
The government was also under pressure to drop its fight after mistakenly disclosing in court records the very information it was fighting to keep secret. Government lawyers failed to redact all of their references to the Library Connection in court filings, leading to the disclosure of the group's identity in The New York Times and other newspapers. "Certainly that was a factor," Mr. O'Connor said. But he said "the legal basis" for the decision was the change in the Patriot Act giving the government the authority to allow recipients of the subpoenas to identify themselves. "For both practical and legal reasons, we have determined that continuing to pursue this appeal does not make sense," he said. Mr. O'Connor was in the process of appealing a decision by a federal district judge last September to allow the library to identify itself, saying the nondisclosure provision in the national security letter violated the library's First Amendment rights. That appeal is pending in the United States Court of Appeals for the Second Circuit in New York. Mr. O'Connor said that in light of the changes to the Patriot Act, the Justice Department would re-examine whether the secrecy requirements that apply to recipients of past national security letters should continue to be enforced. He said the government would also make a determination when sending future letters whether the recipient would be prohibited from saying he had received one. George Christian, the executive director of Library Connection, a cooperative of 26 libraries that share an automated system, has answered "no comment" when asked about the case by reporters. He did not respond to several messages seeking comment last night. According to court records, the federal government's national security letter to Library Connection last year asked Mr. Christian to "personally" hand over records that might be of use in a counterterrorism investigation and that he not disclose the matter "to any person." 
But the group challenged the request in federal court, arguing through its lawyers that it wanted the ban lifted immediately. The group said that time was of the essence in lifting the ban because the Patriot Act was set to be reauthorized by Dec. 31 and, as a party with an interest in the matter, it wanted the right to speak out against the act. United States District Judge Janet C. Hall agreed with the group, ruling last year that the order of silence should be lifted. But the federal government appealed the decision, ultimately preventing the group from weighing in on how the Patriot Act should be rewritten before the Dec. 31 deadline. Ms. Beeson said yesterday that she believed the government's decision to drop the appeal was politically timed. "The issue over whether the government was using its Patriot Act powers to demand library records was one of the hot-button issues in this debate," she said. "And our clients could have been extremely powerful spokespeople in opposing the reauthorization of the act, because they had actually received one of those national security letters." Now that the debate in Congress is over, she said, "There's no longer any reason to keep our clients quiet." Mr. O'Connor dismissed that argument and said that the language in the Patriot Act was such that the federal government had no choice but to insist that Library Connection refrain from speaking out. "I know it's being perceived as a flip-flop, but that is simply not the case," he said. 
From rforno at infowarrior.org Thu Apr 13 22:05:52 2006 From: rforno at infowarrior.org (Richard Forno) Date: Thu, 13 Apr 2006 22:05:52 -0400 Subject: [Infowarrior] - Microsoft's Security Disclosures Come Under Fire Message-ID: http://www.eweek.com/print_article2/0,1217,a=175694,00.asp Microsoft's Security Disclosures Come Under Fire April 13, 2006 By Ryan Naraine Is Microsoft silently fixing security vulnerabilities and deliberately obfuscating details about patches in its monthly security bulletins? Matthew Murphy, a security researcher who has worked closely with the MSRC (Microsoft Security Response Center) in the past, is accusing the software maker of "misleading" customers by not clearly spelling out exactly what is being patched in the MS06-015 bulletin released on April 11. That bulletin, rated "critical," contained patches for a remote code execution hole in Windows Explorer, the embedded file manager that lets Windows users view and manage drives, folders and files. However, as Murphy found out when scouring through the fine print in the bulletin, the update also addressed what Microsoft described as a "publicly disclosed variation" of a flaw that was reported in May 2004 (CVE-2004-2289.) In an entry posted to the SecuriTeam blog, Murphy noted that the vulnerability that is documented was privately reported, but the "variation" that was also patched has been publicly known for 700+ days. "In that case, the issue that is truly the 'variation' is the issue that was discovered and reported privately after the public disclosure," he said. "[The] information as published is extremely misleading and Microsoft's choice not to document a publicly reported vulnerability is not one that will be for the benefit of its customers' security," Murphy said. In an interview with eWEEK, Murphy said another "throwaway line" in the bulletin also raised questions about whether a flaw he reported in August 2005 was silently fixed. 
The bulletin refers to a "Defense in Depth change" that ensures that consistent prompting occurs in "Internet zone drag and drop scenarios." That wording, Murphy said, "sounds suspiciously like an attempt to plug the vulnerability I reported publicly in February, which is CVE-2005-3240." Murphy originally reported that vulnerability to the MSRC in August 2005, but held off on publishing the details for six months. During that time, Murphy and MSRC officials haggled over the severity of the bug and Microsoft made it clear it had no plans to issue a security update to provide a fix, Murphy said. The company said the fixes would be included in Service Pack 2 of Windows Server 2003 and Service Pack 3 of Windows XP. "Microsoft's internal risk assessment concluded that this issue was not sufficiently serious to be fixed in a security bulletin. This conclusion appears fundamentally inconsistent with the way related issues were handled by Microsoft," Murphy said. "I disagree with the technical conclusion behind Microsoft's decision and I further find the time frame of delivery and deployment for maintenance releases to be largely unsuitable for security fixes of any significant magnitude," he said. Murphy has not yet tested the patch to determine whether the drag-and-drop issue was actually fixed, but, even without testing, he argues that the way the information was released leaves everyone guessing. "Microsoft needs to be much more transparent about the real nature of the threats customers are facing. Microsoft doesn't patch phantom vulnerabilities that don't exist or unrealistic science-fiction attack scenarios. Microsoft's under-documentation of these vulnerabilities leaves those charged with deploying patches in a tough spot," he said. "You simply don't know what the patches are for.
It's virtually impossible to make a determination about a deployment time frame if not deploying a patch has the potential to place you at an additional, unknown risk. As a result, administrators may deploy patches unnecessarily, erring on the side of caution (and risking compatibility problems in the process), or they may choose not to deploy based on incomplete information. Individuals making these kinds of decisions deserve better information," Murphy said. Murphy said the MS06-015 bulletin "should be revised or completely rewritten, with the objective of providing sensible, coherent and complete information to customers." Microsoft, based in Redmond, Wash., declined requests for an interview to discuss the issue. Instead, the company sent a statement to eWEEK to stress that all the publicly disclosed vulnerabilities fixed by MS06-015 are addressed in the bulletin documentation, listed under the "Vulnerability Details" section and denoted by their individual CVE numbers. "[We] have a working relationship with Matt and, based on our ongoing discussions with him, view his blog posting as welcome feedback for how we can continue to improve our security bulletins," the statement read. The statement said "all publicly disclosed vulnerabilities" excludes Murphy's report, but even that claim is "false," Murphy said. "The bulletin patches a CVE that doesn't have its own individual denotation. The bottom line is, Microsoft's claim that every 'publicly disclosed vulnerability' is denoted specifically is bizarre, because they've yet to answer one of the criticisms in the blog post, which is that they don't provide meaningful information about this 'variation' that's allegedly patched," he said. Regarding Microsoft's statement, Murphy added, "That still doesn't answer the question of where this other 'Defense in Depth' change was originated. There's no specific threat that it's identified as correcting, so it seems almost random." 
Ironically, these questions about transparency and disclosure come less than a month after an MSRC official criticized Apple for the way it handles security guidance to customers. "Look, the only way you can tackle security issues is by getting out ahead of them and clearly communicating to your users the threat, and the clear guidance on how to be safe," MSRC program manager Stephen Toulouse said in response to what he described as the "recent trials and tribulations of Apple in the security space." Now, Murphy said, the shoe is on the other foot and Microsoft is just as guilty as Apple. "Every time Microsoft seems to be getting the security pitch right, one gets thrown in the dirt. Microsoft needs a new ball," he said.

Copyright (c) 2006 Ziff Davis Media Inc. All Rights Reserved.

From rforno at infowarrior.org Thu Apr 13 22:07:04 2006 From: rforno at infowarrior.org (Richard Forno) Date: Thu, 13 Apr 2006 22:07:04 -0400 Subject: [Infowarrior] - AOL charged with blocking opponents' e-mail Message-ID:

AOL charged with blocking opponents' e-mail By Stefanie Olsen http://news.com.com/AOL+charged+with+blocking+opponents+e-mail/2100-1030_3-6061089.html Story last modified Thu Apr 13 17:44:12 PDT 2006

America Online on Wednesday apparently began blocking e-mail on its servers containing the Web address of a petition against the company's upcoming certified-mail program, an issue the company called a "glitch." The Internet service provider, which has roughly 20 million subscribers in the United States, began bouncing e-mail communications with the URL "Dearaol.com" sometime late Wednesday and continuing through Thursday.
An e-mail sent by CNET News.com to an AOL.com address and containing the URL "www.dearaol.com" bounced back on Thursday afternoon with a system administrator note that read: "The e-mail system was unable to deliver the message, but did not report a specific reason." AOL spokesman Nicholas Graham said late Thursday that AOL e-mails mentioning Dearaol.com would now be delivered as normal. The issue, he said, arose late Wednesday because of a software glitch that "affected dozens of Web links in messages," including Dearaol.com. "We discovered the issue early this morning, and our postmaster and mail operations team started working to identify this software glitch," he said. Dearaol.com is a coalition of companies and individuals against AOL's adoption of GoodMail's CertifiedEmail, an antispam program that requires marketers to pay to ensure delivery of their e-mail messages and circumvent spam filters. The Web site contains an open letter and a petition that calls on people to protest what it calls an "e-mail tax" that would inhibit the Internet's inherent free flow of information and create a two-tiered system. The e-mail tax, which could amount to a penny per e-mail sent, would essentially line AOL's pockets for ensuring delivery for affluent mass mailers, while leaving others with unreliable service in ineffective spam-filtering systems, according to the site. Nearly 600 organizations and 350,000 individuals have signed the petition so far. Despite its quick fix, the hiccup adds fuel to a long-running controversy around GoodMail's certified-mail program and various ISPs' adoption of it. Earlier this year, AOL and Yahoo said they would implement the e-mail postage program because with the rise of phishing scams and spam, they needed a way to tell legitimate marketing messages, like those advertising a sale at Jcrew.com, from junk.
But their endorsement of GoodMail's system immediately spurred outcry from groups like MoveOn.org, the AFL-CIO, Gun Owners of America and the Electronic Frontier Foundation, which formed the coalition Dearaol.com. In March, AOL extended a peace offering by announcing a plan to pick up the costs for nonprofit groups that wish to send e-mails to AOL members. AOL was expected to adopt the GoodMail system last week, but that move was delayed for unknown reasons, according to MoveOn co-founder Wes Boyd, whose group and the Electronic Frontier Foundation started the petition. "AOL is essentially scanning e-mail for anything that's opposing their policy," Boyd said in a phone interview. The group says it also believes the alleged blocking cements the view that an e-mail tax will harm free speech on the Internet. "The fact is, ISPs like AOL commonly make these kinds of arbitrary decisions--silently banning huge swathes of legitimate mail on the flimsiest of reasons--every day, and no one hears about it," said Danny O'Brien of the Electronic Frontier Foundation. "AOL's planned CertifiedEmail system would let them profit from this power by offering to charge legitimate mailers to bypass these malfunctioning filters." Graham said that AOL has yet to implement the GoodMail system, but plans to do so imminently. When it does adopt the certified mail program, AOL will continue to operate its white lists, or lists of accepted e-mail senders, he said. In addition, the company plans to start a registration system for nonprofits and other groups wishing to send e-mail to subscribers so that they would avoid spam filters.

Copyright © 1995-2006 CNET Networks, Inc. All rights reserved.
From rforno at infowarrior.org Thu Apr 13 22:11:14 2006 From: rforno at infowarrior.org (Richard Forno) Date: Thu, 13 Apr 2006 22:11:14 -0400 Subject: [Infowarrior] - HDMI and Output Control Message-ID:

HDMI and Output Control Thursday April 13, 2006 by Ed Felten http://www.freedom-to-tinker.com/?p=1004

Tim Lee at Tech Liberation Front points out an interesting aspect of the new MovieBeam device - it offers its highest-resolution output only to video displays that use the HDMI format. (MovieBeam is a $200 box you buy that lets you buy 24-hour access to recent movies. There is a rotating menu of movies. Currently video content is trickled out to MovieBeam boxes via unused broadcast bandwidth rented from PBS stations. Eventually they'll use the Internet to distribute movies to the devices.) This is a common tactic these days - transmitting the highest-res content only via HDMI. And it seems like a mistake for Hollywood to insist on this. The biggest problem is that some HDTVs have HDMI inputs and some don't, and most consumers don't know the difference. Do you know whether your TV has an HDMI input? If you do, you either (a) don't have a high-def TV, or (b) are a serious video geek. Consider a (hypothetical) consumer, Fred, who bought an early high-def set because he wanted to watch movies. Fred buys MovieBeam, or a next-gen DVD player, only to discover that his TV can't display the movies he wants in full definition, because his TV doesn't do HDMI. Fred will be especially angry to learn that his MovieBeam box or high-def DVD player is perfectly capable of sending content at higher definition to the inputs that his TV does have, but because of a bunch of legal mumbo-jumbo that Hollywood insists upon, his set-top box deliberately down-rezzes the video before sending it to his TV. Just imagine what Fred will think when he sees news stories about how pirated content is available in portable, high-def formats that will work with his TV.
The official story is that HDMI is a security measure, designed to stop infringers. It's been known for years that HDMI has serious security flaws; even Wikipedia discusses them. HDMI's security woes make a pretty interesting story, which I'll explore over several posts. First I'll talk about what HDMI is trying to do. Then I'll go under the hood and talk about how the critical part of HDMI works and its well-known security flaws. (This part is already in the academic literature; I'll give a more accessible description.) Finally, I'll get to what is probably the most interesting part: what the history of HDMI security tells us about the industry's goals and practices. Officially, the security portion of HDMI is known as High-bandwidth Digital Content Protection, or HDCP. The core of this security design is the HDCP handshake, which takes place whenever two devices communicate over an HDMI cable. The handshake has two goals. First, it lets each device confirm that the other device is an authorized HDCP device. Second, it lets the two devices agree on a secret encryption key which only those two devices know. Subsequent communication over the cable is encrypted using that key, so that eavesdroppers can't get their hands on any content that is distributed. In theory, this is supposed to stop would-be infringers. If an infringer tries to plug an authorized video source (like a MovieBeam box) into a device that can capture and redistribute video content, this won't work, because the capture device won't be able to do the handshake - the authorized video source will recognize that it is unauthorized and so will refuse to send it content. Alternatively, if an infringer tries to capture content off the wire, between an authorized source and an authorized TV set, this will be foiled by encryption. That's the theory at least. The practice is quite different, as I'll describe next time.
From rforno at infowarrior.org Thu Apr 13 22:19:32 2006 From: rforno at infowarrior.org (Richard Forno) Date: Thu, 13 Apr 2006 22:19:32 -0400 Subject: [Infowarrior] - Unintended Consequences: Seven Years under the DMCA Message-ID:

Unintended Consequences: Seven Years under the DMCA April, 2006 [Download a PDF of this Paper - 262K] This document is version 4. Previous versions are still available: version 3, version 2, version 1.

Contents
* Executive Summary
* DMCA Legislative Background
* Chilling Free Expression and Scientific Research
* Fair Use Under Siege
* A threat to innovation and competition
* DMCA Shoulders Aside Computer Intrusion Statutes
* Conclusion

This document collects a number of reported cases where the anti-circumvention provisions of the DMCA have been invoked not against pirates, but against consumers, scientists, and legitimate competitors. It will be updated from time to time as additional cases come to light. The latest version can always be obtained at www.eff.org.

< snip >

http://www.eff.org/IP/DMCA/?f=unintended_consequences.html

From rforno at infowarrior.org Fri Apr 14 09:27:37 2006 From: rforno at infowarrior.org (Richard Forno) Date: Fri, 14 Apr 2006 09:27:37 -0400 Subject: [Infowarrior] - ISP snooping gaining support Message-ID:

ISP snooping gaining support By Declan McCullagh http://news.com.com/ISP+snooping+gaining+support/2100-1028_3-6061187.html Story last modified Fri Apr 14 05:51:22 PDT 2006

The explosive idea of forcing Internet providers to record their customers' online activities for future police access is gaining ground in state capitols and in Washington, D.C. Top Bush administration officials have endorsed the concept, and some members of the U.S. Congress have said federal legislation is needed to aid law enforcement investigations into child pornography. A bill is already pending in the Colorado State Senate.
Mandatory data retention requirements worry privacy advocates because they permit police to obtain records of e-mail chatter, Web browsing or chat-room activity that normally would have been discarded after a few months. And some proposals would require providers to retain data that ordinarily never would have been kept at all. CNET News.com was the first to report last June that the U.S. Department of Justice was quietly shopping around the idea of legally required data retention. But it was the European Parliament's vote in December for a data retention requirement that seems to have attracted broader interest inside the United States. At a hearing last week, Rep. Ed Whitfield, a Kentucky Republican who heads a House oversight and investigations subcommittee, suggested that data retention laws would be useful to police investigating crimes against children. "I absolutely think that that is an idea that is worth pursuing," an aide to Whitfield said in an interview on Thursday. "If those files were retained for a longer period of time, it would help in the uncovering and prosecution of these crimes." Another hearing is planned for April 27. Internet providers generally offer three reasons why they are skeptical of mandatory data retention: first, it is not clear who will be able to access records of someone's online behavior; second, it's not clear who will pay for the data warehouses to be constructed; and third, it's not clear that police are hindered by current law as long as they move swiftly in investigations. "What we haven't seen is any evidence where the data would have been helpful, where the problem was not caused by law enforcement taking too long when they knew a problem existed," said Dave McClure, president of the U.S. Internet Industry Association, which represents small to midsize companies. 
McClure said that while data retention aficionados cite child pornography, the stored data would be open to any type of investigation--including, for instance, those focused on drug crimes, tax fraud, or terrorism prosecutions. "The agenda behind this doesn't appear to be legitimate," he said. Proposals for mandatory data retention tend to adhere to one of two models: Address storage or some kind of content storage. In the first model, businesses must record only which Internet address is assigned to a customer at a specific time. In the second, which is closer to what Europe adopted, more types of information must be retained--including telephone numbers dialed, contents of Web pages visited, recipients of e-mail messages and so on. Without saying what model he favored, Homeland Security Secretary Michael Chertoff broadly endorsed data retention at a meeting of a departmental privacy panel last month. In response to a question, Chertoff said that federal police should be permitted to run queries against data repositories created and maintained by businesses for a set time. "That might be a model for some kind of data retention issue," Chertoff said. "It might be one that would say the government, instead of holding the data itself, will allow it to remain in the private sector, provided the private sector retains it for a period of time so we can ping against it." FBI Director Robert Mueller was more blunt. He was quoted by the Financial Times in January as saying: "There can be standardized regulations and rules relating to data retention and secondly a mechanism for the swift exchange of information." The remarks, made at the Davos economic forum, were part of Mueller's support of harmonizing national laws dealing with computer crime. Neither the FBI nor Homeland Security responded to a request for comment on Thursday. 
Agitation by state investigators

Federal politicians also are being lobbied by state law enforcement agencies, which say strict data retention laws will help them investigate crimes that have taken place a while ago. Sgt. Frank Kardasz, head of Arizona's Internet Crimes Against Children Task Force, surveyed his colleagues in other states last month asking them what new law would help them do their jobs. "The most frequent response involved data retention by Internet service providers," or ISPs, Kardasz told News.com in an e-mail message on Thursday. Because Internet addresses remain a relatively scarce commodity, ISPs tend to allocate them to customers from a pool based on when the connection is actually in use. (Two standard techniques used are the Dynamic Host Configuration Protocol and Point-to-Point Protocol over Ethernet.) Police typically rely on subpoenas to find which customer was assigned which Internet address. "When subscriber information is not preserved by the ISPs the investigation dead-ends," said Kardasz, who has testified before Whitfield's subcommittee. "Ideally, we would like to have ISPs preserve subscriber information for one year." Flint Waters, head of Wyoming's Internet Crimes Against Children task force, also is pressing for federal data retention laws. He's interested in mandating records of who used what Internet address--not content such as chat conversations, e-mail messages, and so on. "Individuals will activate their Webcam when they're abusing a child and they'll record the sexual assault live, and it may be 45 days before law enforcement finally gets notified," Waters said. "We reach out to service providers and they say they don't maintain those records, so the child remains in that environment, and there's nothing we can do to help them." Waters said that Comcast was unable to help police in an investigation dealing with the rape of a 2-year-old child because logs are routinely deleted as is standard business practice.
"We'd like to see one year minimum" for data retention, Waters said. "Two years would be even better." Comcast did not take a position on data retention laws when asked on Thursday. But Jeanne Russo, a Comcast spokeswoman, said: "Comcast is horrified by any act of violence inflicted upon a child and takes this issue very seriously. Comcast promptly processes and responds to valid legal and law enforcement requests according to law and as described in our applicable privacy policy." Colorado's legislature is considering an amendment to a bill dealing with sex offenders. The amendment, sponsored by state Sen. Ron Tupa, a Democrat, requires Internet providers to "maintain, for at least 180 days after assignment, a record of the Internet protocol address" assigned to each customer. Violations can be punished by fines of up to $10,000 per incident.

"Preservation" vs. "Retention"

At the moment, Internet service providers typically discard any log file that's no longer required for business reasons such as network monitoring, fraud prevention or billing disputes. Companies do, however, alter that general rule when contacted by police performing an investigation--a practice called data preservation. A 1996 federal law called the Electronic Communication Transactional Records Act regulates data preservation. It requires Internet providers to retain any "record" in their possession for 90 days "upon the request of a governmental entity." In addition, Internet providers are required by another federal law to report child pornography sightings to the National Center for Missing and Exploited Children, which is in turn charged with forwarding that report to the appropriate police agency. That pair of laws--coupled with Internet providers' willingness to cooperate when a child is being harmed--has created a system that works today, says Kate Dean, director of the U.S. Internet Service Provider Association.
"Law enforcement has not demonstrated that the absence of mandatory data retention is detrimental to the public interest," said Dean, whose board members include representatives of AOL, Verizon, BellSouth and EarthLink. Dean said she's not sure whether U.S. data retention proposals being discussed are likely to mandate mere address recording or also require the storage of the contents of e-mail messages and Web pages visited. A representative of one large Internet provider who did not want to be quoted expressed concern that content could be swept up into legislation--and cited the privacy and security risks of having such a massive data warehouse available. Michigan Rep. Bart Stupak, who's the senior Democrat on the House oversight and investigations subcommittee, expressed skepticism about forcible data retention requirements in an interview on Thursday. He said he would not "be in a rush to support" data retention requirements and would rather see the private sector come up with a better solution. "I'm against this child porn stuff, but at the same time, let's not further erode the rights of the American people," Stupak said. "That's what I'll be looking for. I'll be looking at (proposed laws) with a very close, constitutional eye as to the validity of the proposals... and I'd like to hear from private industry what they can do." The European precedent One question is how closely U.S. proposals will follow those that Europe already has adopted. In December, the European Parliament approved a U.K.-backed requirement saying that communications providers in its 25 member countries--several of which had enacted their own data retention laws already--must retain customer data for a minimum of six months and a maximum of two years. 
The Europe-wide requirement applies to a wide variety of "traffic" and "location" data, including the identities of the customers' correspondents; the date, time, and duration of phone calls, voice over Internet Protocol calls, or e-mail messages; and the location of the device used for the communications. But the "content" of the communications is not supposed to be retained. The rules are expected to take effect in 2008. According to a memo accompanying the proposed rules, European politicians approved the rules because not all operators of Internet and communications services were storing information about citizens' activities to the extent necessary for law enforcement and national security. "These developments are making it much harder for public authorities to fulfill their duties in preventing and combating organised crime and terrorism, and easier for criminals to communicate with each other without the fear that their communications data can be used by law enforcement authorities to thwart them," the memo said. Some U.S. companies are so alarmed by this requirement that they've talked about scaling back their operations in Ireland, which boasts some of the region's most aggressive data retention laws. Joe Macri, managing director of Microsoft Ireland, told the Irish Times last month: "Irish legislation is going beyond what is required from an EU perspective and is going to put significant additional costs on businesses...While we respect and understand the needs and concerns of the law enforcement agencies, there is also a need to take personal privacy concerns and the broader needs of business into consideration." Jim Harper, director of information policy studies at the free-market Cato Institute, was the member of Homeland Security's Data Privacy and Integrity Advisory Committee who asked Chertoff about data retention last month.
In an interview this week, Harper warned that mandatory data retention may cause more harm than good. "The true criminals will go and use random Wi-Fi nodes where you can get anonymous access," he said. "You haven't done anything but increase surveillance of law-abiding citizens." CNET News.com's Anne Broache contributed to this report.

Copyright © 1995-2006 CNET Networks, Inc. All rights reserved.

From rforno at infowarrior.org Fri Apr 14 12:41:47 2006 From: rforno at infowarrior.org (Richard Forno) Date: Fri, 14 Apr 2006 12:41:47 -0400 Subject: [Infowarrior] - DMCA: This Means Warcraft! Message-ID:

This Means Warcraft! Mark Rasch, http://www.securityfocus.com/print/columnists/396

A recent World of Warcraft case involved a WoW book by Brian Kopp that was being sold on eBay. It resulted in automated takedown notices by "lawyerbots" and shows how the legal process today can end up silencing legitimate uses of trademarks and copyrights. One staple idea of 1950s science fiction movies was of robots that take over the world. For example, in The Day the Earth Stood Still, a robot named Gort was poised to destroy the Earth, awaiting commands from Michael Rennie's alien, Klaatu. War of the Worlds (any version) similarly saw automated-looking robots poised to take over the planet. But by the beginning of the 21st Century, a new threat emerged - attorneys. Now take these two and merge them, and you have a new scourge - the automated attorney. The lawyerbot. (Editor's Note: thanks to everyone who wrote in - we are aware that the War of the Worlds robots were technically not robots because there were actually aliens inside. This has been noted! Thus we have changed 'automated' to 'automated-looking') Increasingly, legal notices, threats of litigation, and other legal process are being issued - and acted on - not by bespectacled gentlemen and women in crisp tailored suits, but by autobots, robots trained for litigation.
These lawyerbots threaten to, like their metallic counterparts, take over the world. They must be stopped. Come to think of it, perhaps their human (semi-human) counterparts need to be stopped as well.

World of Warcraft lawyerbot

Brian Kopp lives in Bronson, Florida where he became something of a gamer on his purchased copy of the online multiplayer video game World of Warcraft. In fact, he became so good at the game, he achieved level sixty as a night elf rogue (this apparently means something to gamers). He decided to share his wisdom with others by writing a book containing hacks, cracks and cheats as well as tips, techniques and experiences for players playing the game. While this was an "unauthorized" book (with no permission from the Warcraft publisher) there was no evidence that Kopp's book contained any of the publisher's intellectual property. There were no bits of code in the book, references to source code, and only a few screen shots of the game taken from a third party website. In fact, the book clearly stated that it was "unauthorized" and that there was no affiliation between the book and the copyright holder. Fair 'nuff. Then Brian began to sell - or more accurately to try to sell - his book on eBay. That's where the trouble began. Shortly after the book became available for sale, eBay began to receive probably automated "takedown" notices telling them that Kopp's book violated the intellectual property rights of the various copyright holders. One after another, the "lawyerbots" kept notifying eBay about the illegality of Kopp's actions - all under penalty of perjury. "I, ROBOT.. do solemnly swear..." Now these "takedown" notices are due to a provision of the Digital Millennium Copyright Act. You see, ISPs and other services that host content for others have had a legal problem. Third parties would host, post or otherwise display content that might infringe the copyrights of others.
The parties injured by the postings would sue not only the poster, but also the ISP that was hosting the information. Under then existing copyright law, the host was making a "copy" in the cache of the infringing work, was doing so for commercial purposes (they were either being paid to host content, or drive traffic, or advertisements or whatever), and were contributing to the infringement. Therefore, hosting companies could possibly be held liable for content under their control unless they did something. Congress stepped into the fray by passing particular provisions of the DMCA. These essentially gave these hosting companies immunity from liability for copyright infringement if they followed certain procedures. A party that felt that its intellectual property rights were being infringed would have to send the hosting company a notice - under penalty of perjury - swearing that they owned a copyright to the work, that the material hosted infringed the copyright, that it was not authorized or licensed, and that the posting was causing some infringement or damage - so help me God. This takedown notice has to be in writing and signed (electronic writings and signatures are ok). When a hosting company gets a takedown notice, they are supposed to contact (or at least attempt to contact) the poster. If the poster doesn't respond, the host must take the offending material offline, and in fact is given immunity for doing so. If the poster swears under penalty of perjury that the materials don't infringe, this then gets transmitted back to the putative copyright holder, who must respond in 14 days. If there's no response, the materials stay up. If there is a dispute about it, then we go to court. A court can issue an injunction to remove the works, or can decide to let them stay up. The system is intended to represent a balance between the rights of copyright holders, the needs of ISPs, and the ability of people to make fair use of copyrighted materials.
Several things, however, conspire to alter this balance in favor of copyright holders.

RoboLawyers

Many threats to companies, such as phishing attacks, spam, copyright and trademark infringement, occur with such frequency (particularly on well-known trademarks) that it is simply impractical to personally review each and every message, write a formal letter to every mail host and ISP, and then litigate the potential copyright infringement. Thus, many companies have automated the process of detecting and responding to potentially infringing materials. Thus, if you are the Great Amalgamated Savings and Loan Company, you might employ an automated tool to search for references to you on websites, auction sites, message boards, chat rooms, etc. The tool can then be programmed to identify (or attempt to identify) improper uses of your name, trademark, copyright, trade secret, or other intellectual property rights. All well and good. In fact, if you have valuable intellectual property, you have a duty to protect it, and to be knowledgeable about potential infringement. These programs can then go one step further. You can automate the process of sending out letters to the web host to take down the offending works. Now there is no indication that that is what happened in Mr. Kopp's case. However, his eBay auction generated a slew of takedown notices from various parties. As soon as he reposted the auction, it generated a new takedown notice. Human lawyers are generally not that efficient. So these autonomous agents may in fact be the ones generating these takedown notices.

Chilling effect

One of the problems with these automated takedown notices is the fact that most ISPs will send a perfunctory notice to the last email address of the poster (if they even have that) and then just remove the putatively offending material.
In Kopp's case (PDF), under eBay's Verified Rights Owner or "VeRO" program, eBay went even further - not only removing the allegedly infringing materials, but also suspending Kopp's account. Thus, Kopp could not sell ANYTHING - not just the Warcraft book. When he opened a new account, the takedown notices would come again, and the new account would be suspended. Most people - even those who don't infringe, or have a colorable claim of non-infringement - simply walk away, tail between their legs. Thus, by wallpapering the net with takedown notices, a copyright holder (or trademark holder, or person claiming any kind of damage, breach, infringement, or improper use) can effectively remove all kinds of content from the web. And there are few if any consequences to guessing wrong. At worst, the alleged infringer can send a letter back and get the content put back up. Nothing stops you then from either contesting the use in court, or just letting cyberlawyer send you another takedown notice! You won't hurt its feelings.

Problems with Copyright and Trademarks

One of the biggest problems with lawyerbots is their inability to think and discern - particularly in the area of infringement. One might make the same argument about human lawyers as well. You see, copyright or trademark infringement isn't really binary. A work doesn't either infringe or not - there are infinite shades of grey. A clear case of infringement might be where I copy the entirety of your copyrighted work and sell it as you and keep the money. Pretty black and white. But in most cases, even when I copy parts of your copyrighted work, it may not be an infringement. Courts will look at whether my actions deprive you of substantial revenue. Whether I am doing it for commercial or other purposes. Whether I have copied all or a substantial portion of your copyrighted work, or only a small fraction. Whether my copy is for educational, literary, or commentary purposes.
Or even whether you actually have a copyright in the work at all. Similarly, in the area of trademark, it depends on whether you have a legitimate mark, and how far it extends. A court will also look at whether my use of your mark creates a "substantial likelihood of confusion." And whether my use of your mark in some way diminishes or disparages your famous mark. Courts take testimony, hear arguments, study law and precedent, and eventually make a ruling. As far as I know, lawyerbots don't. So the lawyerbot's emphatic sworn statement that it has a good faith basis to believe (or, more accurately, that the copyright holder has such a belief based upon the lawyerbot's representation) that the work is an infringement is based principally on the fact that there is something in the posting that offends the copyright holder. In most cases, this is enough to get the stuff removed, censored and censured. In Kopp's case, Brian finally did reach a real live human - well, a lawyer. Kopp explained that his work was clearly noted as unauthorized, used none of the copyright holder's copyrighted works, and was intended for commentary and educational purposes (and sold commercially.) The lawyer insisted that the works infringed (even though you could only really use the book in conjunction with a purchased copy of Warcraft) because Brian was using their intellectual property (copyright, trademark?) for commercial purposes, and "attempting to trade off the substantial good will" in the World of Warcraft brand. A quick look at Amazon.com's online bookstore identified 2,689 listings for a search for the term "Microsoft Office." In fact, in the previous sentence, I just referenced Amazon - a trademark holder - in an article published here for commercial purposes. Under this rationale, all of the "Idiot's Guides" and "Dummies" books, as well as technical journals, articles and references are infringing.
Note that the lawyer didn't claim that Kopp's book disparaged the copyright holder, that it made them look bad, or injured the trademark. He never claimed that the book created any confusion about its source. No claim was made that there were copyrighted materials in the book. No claim that any sales were affected. In fact, he never even said which IP right was infringed. Just that the book was essentially "about" Warcraft, and published without permission. The letter ominously concludes, "You are not allowed to sell an unauthorized 'guide' that attempts to trade off the substantial good will and recognition that [trademark holder] has built up in connection with its World of Warcraft product. In addition, the EULA [End User License Agreement] prohibits using the World of Warcraft software for 'commercial purposes.' Your disclaimer that these guides are for 'educational purposes only' is ineffective. Please consider this a warning. If you continue with the aforementioned activities, we will have not [sic] other alternative but to review all legal remedies available to us including taking formal legal action to protect our rights." So the infringement seems to have been writing a book and selling it. "Danger! Will Robinson!" Moreover, by relying on the commercial use provisions of the EULA, effectively the lawyer is arguing that a software review published for commercial purposes would be a "use" of the software, and therefore both a violation of the EULA and then a copyright violation. The lawyer went on to lecture Brian about Brian's ignorance of trademark and/or copyright law, and suggest that Brian search the Internet for terms like "intellectual property," "trademark," and "copyright." Of course, the company had no need to resort to "formal legal action." No need to go to court. Just keep those automatic DMCA notices coming in, and eventually eBay and others will suspend the accounts.
But Kopp did one better and sued the copyright holders and those who sent the DMCA notices. You see, it is rare that the issuer of a takedown notice is called to prove that what he swore under penalty of perjury is, in fact, true. So there are few consequences to calling a non-infringing use infringing, and great benefits if you manage to get the materials you don't like removed. When you automate the process you end up silencing legitimate uses of trademarks and copyrights. As Klaatu explained about the robot Gort, "In matters of aggression, we have given them absolute power over us. This power cannot be revoked. At the first signs of violence, they act automatically against the aggressor. The penalty for provoking their action is too terrible to risk." It's time to call off the robots. "Gort! Klaatu barada nikto!"

From rforno at infowarrior.org Fri Apr 14 13:54:53 2006
From: rforno at infowarrior.org (Richard Forno)
Date: Fri, 14 Apr 2006 13:54:53 -0400
Subject: [Infowarrior] - U.S. Treasury mulls end of phone excise tax - WSJ
Message-ID:

U.S. Treasury mulls end of phone excise tax - WSJ
Fri Apr 14, 2006 5:54am ET

NEW YORK, April 14 (Reuters) - The U.S. Treasury Department is developing a plan to discontinue a 3 percent federal excise tax on long-distance and wireless telephone calls and to refund billions of dollars to consumers and businesses that have paid it, the Wall Street Journal said on Friday. "Government officials are holding closely guarded discussions on how to best handle the repayment process as well as mitigate the impact of about $60 billion in potential refunds and lost federal revenues over the next five years," the Journal said. The planned end of the tax follows more than a half dozen court rulings in recent years that the government is misapplying the tax. The courts have ordered refunds to companies that sued over the charges.
Rather than continue to fight similar pending lawsuits, the Treasury has decided to concede defeat and discontinue the tax, the report said, citing government officials.

© Reuters 2006. All Rights Reserved.
http://yahoo.reuters.com/news/articlenews.aspx?type=topNews&storyid=urn:newsml:reuters.com:20060414:MTFH76429_2006-04-14_09-54-11_N14277438&rpc=44

From rforno at infowarrior.org Fri Apr 14 13:57:00 2006
From: rforno at infowarrior.org (Richard Forno)
Date: Fri, 14 Apr 2006 13:57:00 -0400
Subject: [Infowarrior] - Censorship: China outlaws 'unlicensed' e-mail servers
Message-ID:

China Outlaws Outlook
http://www.vnunet.com/articles/print/2154063

Unlicensed email servers illegal under new rule
Simon Burns, vnunet.com
14 Apr 2006

China has introduced regulations that make it illegal to run an email server without a licence. The new rules, which came into force two weeks ago, mean that most companies running their own email servers in China are now breaking the law. More than 600,000 servers were sold in China last year, according to market researchers. It's unclear how many of these are running mail server software, which includes programs like Microsoft Outlook Server, Sendmail, Qmail or Lotus Notes. The new email licensing clause is just a small part of a new anti-spam law formulated by China's Ministry of Information Industry (MII). The chilling effect on corporate email servers, which are commonly used by companies with more than a handful of employees, appears to have gone unnoticed until now. However, Singapore-based technology consultant, James Seng, who first drew attention to the new email licence requirement, believes the inclusion of the prohibition on mail servers is no accident. "Looking at the Chinese text, it is clear they have worded it carefully," he told vnunet. "They know exactly what they are doing and what they want. So this isn't a case of clueless civil servants screwing up or just bad translation."
Seng, a former assistant director of Singapore's Infocomm Development Authority, is a co-holder of several internet-related patents and the founder and former CTO of multilingual domain names company, i-DNS. China's new rules also prohibit use of email to discuss certain vaguely defined subjects related to 'network security' and 'information security', and also reiterate that emails which contain content contrary to existing laws must not be copied or forwarded. Wide-ranging laws of this nature have been used against political and religious dissenters in the past. "I believe that the intent to have an antispam regulation was a good one," Seng says. "Unfortunately, it seems like during the policy formulation process, it got hijacked and went to one extreme." China has been troubled by a growing junk email problem during the past few years. Spam cost the country at least $760m in lost productivity last year, according to estimates from the Internet Society of China (ISC). China is also a major source of global junk mail, with one fifth of all the spam received worldwide being sent from or relayed through computers in China. According to the ISC's translation of the MII's new anti-spam regulations, organisations or individuals acting as so-called 'Email Services Providers' (ESPs) now need a 'License for value-added telecommunication services'. There appears to be an exemption for registered non-profit organizations. In the past, telecommunications-related licences have been difficult to obtain in China, particularly for foreign-controlled companies, because of the government's security concerns. "It is probably like all new licences," Seng believes. "It will take a while before anyone knows what's the procedure. I suspect people are likely to ignore it for now - until the government enforces it."
Under the new regulations, Email Service Providers must register their mail servers' internet protocol (IP) addresses with authorities 20 days before they start operating the server. They must also keep a record of all emails sent and received for 60 days. The rules even prohibit open relays: mail servers which accept and relay email from any source without verification. The regulations also ban many of the techniques commonly used by spammers, such as hijacking servers to use as 'zombie' spam relays. In addition, advertisers sending unsolicited commercial mail also need to prefix the subject line with 'Advertisement' or 'AD', and comply with recipients' requests to cease sending them unwanted email.

Permalink to this story www.vnunet.com/2154063

From rforno at infowarrior.org Sun Apr 16 11:49:20 2006
From: rforno at infowarrior.org (Richard Forno)
Date: Sun, 16 Apr 2006 11:49:20 -0400
Subject: [Infowarrior] - OT: Mac Mini for sale (near-mint)
Message-ID:

I had it online for 2 weeks testing OSX Tiger Server, but decided it didn't meet my needs. Ergo, I'm looking to find a good home for it. The Mini is in near-mint condition, and will be restored to factory-default software before shipping. Specs: Apple Mac mini M9686LL/A (G4 1.25GHz, 1GB RAM, 40 GB Hard Drive, DVD/CD-RW Drive). No wireless or bluetooth -- aside from the extra 512RAM addition, it's the standard barebones factory configuration. I originally paid $700 (incl memory upgrade) -- looking for $600+ s/h/insurance. Thanks in advance, -rick

From rforno at infowarrior.org Sun Apr 16 12:25:22 2006
From: rforno at infowarrior.org (Richard Forno)
Date: Sun, 16 Apr 2006 12:25:22 -0400
Subject: [Infowarrior] - Making and Breaking HDCP Handshakes
Message-ID:

Making and Breaking HDCP Handshakes
Friday April 14, 2006 by Ed Felten
http://www.freedom-to-tinker.com/?p=1005

I wrote yesterday about the HDCP/HDMI technology that Hollywood wants to use to restrict the availability of very high-def TV content.
Today I want to go under the hood, explaining how the key part of HDCP, the handshake, works. I'll leave out some mathematical niceties to simplify the explanation; full details are in a 2001 paper by Crosby et al. Suppose you connect an HDMI-compliant next-gen DVD player to an HDMI-compliant TV, and you try to play a disc. Before sending its highest-res digital video to the TV, the player will insist on doing an HDCP handshake. The purpose of the handshake is for the two devices to authenticate each other, that is, to verify that the other device is an authorized HDCP device, and to compute a secret key, known to both devices, that can be used to encrypt the video as it is passed across the HDMI cable. Every new HDCP device is given two things: a secret vector, and an addition rule. The secret vector is a sequence of 40 secret numbers that the device is not supposed to reveal to anybody. The addition rule, which is not a secret, describes a way of adding up numbers selected from a vector. Both the secret vector and the addition rule are assigned by HDCP's central authority. (I like to imagine that the central authority occupies an undersea command center worthy of Doctor Evil, but it's probably just a nondescript office suite in Burbank.) An example will help to make this clear. In the example, we'll save space by pretending that the vectors have four secret numbers rather than forty, but the idea will be the same. Let's say the central authority issues the following values:

             secret vector       addition rule
  Alice      (26, 19, 12, 7)     [1]+[2]
  Bob        (13, 13, 22, 5)     [2]+[4]
  Charlie    (22, 16, 5, 19)     [1]+[3]
  Diane      (10, 21, 11, 14)    [2]+[3]

Suppose Alice and Bob want to do a handshake. Here's how it works. First, Alice and Bob send each other their addition rules. Then, Alice applies Bob's addition rule to her vector. Bob's addition rule is "[2]+[4]", which means that Alice should take the second and fourth elements of her secret vector and add them together.
Alice adds 19+7, and gets 26. In the same way, Bob applies Alice's addition rule to his secret vector - he adds 13+13, and gets 26. (In real life, the numbers are much bigger - about 17 digits.) There are two things to notice about this process. First, in order to do it, you need to know either Alice's or Bob's secret vector. This means that Alice and Bob are the only ones who will know the result. Second, Alice and Bob both got the same answer: 26. This wasn't a coincidence. There's a special mathematical recipe that the central authority uses in generating the secret vectors to ensure that the two parties to any legitimate handshake will always get the same answer. Now both Alice and Bob have a secret value - a secret key - that only they know. They can use the key to authenticate each other, and to encrypt messages to each other. This sounds pretty cool. But it has a very large problem: if any four devices conspire, they can break the security of the system. To see how, let's do an example. Suppose that Alice, Bob, Charlie, and Diane conspire, and that the conspiracy wants to figure out the secret vector of some innocent victim, Ed. Ed's addition rule is "[1]+[4]", and his secret vector is, of course, a secret. The conspirators start out by saying that Ed's secret vector is (x1, x2, x3, x4), where all of the x's are unknown. They want to figure out the values of the x's - then they'll know Ed's secret vector. Alice starts out by imagining a handshake with Ed. In this imaginary handshake, Ed will apply Alice's addition rule ([1]+[2]) to his own secret vector, yielding x1+x2. Alice will apply Ed's addition rule to her own secret vector, yielding 26+7, or 33.
She knows that the two results will be equal, as in any handshake, which gives her the following equation:

  x1 + x2 = 33

Bob, Charlie, and Diane each do the same thing, imagining a handshake with Ed, and computing Ed's result (a sum of some of the x's), and their own result (a definite number), then setting the two results equal to each other. This yields three more equations:

  x2 + x4 = 18
  x1 + x3 = 41
  x2 + x3 = 24

That makes four equations in four unknowns. Whipping out their algebra textbooks, the conspiracy solves the four equations, to determine that

  x1 = 25
  x2 = 8
  x3 = 16
  x4 = 10

Now they know Ed's secret vector, and can proceed to impersonate him at will. They can do this to any person (or device) they like. And of course Ed doesn't have to be a real person. They can dream up an imaginary person (or device) and cook up a workable secret vector for it. In short, they can use this basic method to do absolutely anything that the central authority can do. In the real system, where the secret vectors have forty entries, not four, it takes a conspiracy of about forty devices, with known private vectors, to break HDCP completely. But that is eminently doable, and it's only a matter of time before someone does it. I'll talk next time about the implications of that fact.

[Correction (April 15): I changed Diane's secret vector and addition rule to fix an error in the conspiracy-of-four example. Thanks to Matt Mastracci for pointing out the problem.]
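The toy scheme above is a linear key-predistribution scheme (in the style of Blom's scheme), and its weakness is exactly that linearity: every handshake result is a linear equation in the peer's secret vector, so n independent equations pin down an n-element vector. The following is an added example, not code from Felten's post or from the HDCP specification. It uses the four-element vectors and addition rules from the post (Ed's vector is included only so the recovery can be checked against it), and the function names are this example's own. It confirms that every pair of devices agrees on a key, then shows why a conspiracy of n devices (here 4, in real HDCP about 40) recovers a target's secret vector by exact Gaussian elimination, and why fewer conspirators do not.

```python
from fractions import Fraction

# Illustrative values taken from Felten's post; an "addition rule" is the
# set of 1-based positions to add up. Real HDCP uses 40-element vectors.
DEVICES = {
    "Alice":   ((26, 19, 12, 7),  (1, 2)),
    "Bob":     ((13, 13, 22, 5),  (2, 4)),
    "Charlie": ((22, 16, 5, 19),  (1, 3)),
    "Diane":   ((10, 21, 11, 14), (2, 3)),
}
# Ed's secret is known here only to verify the recovery below.
ED_RULE = (1, 4)
ED_SECRET = (25, 8, 16, 10)


def apply_rule(secret, rule):
    """Apply a peer's (public) addition rule to our own secret vector."""
    return sum(secret[i - 1] for i in rule)


def handshake(a, b):
    """Each side computes the shared key from its own secret and the peer's
    rule; returns (a's result, b's result), which must agree."""
    (sa, ra), (sb, rb) = a, b
    return apply_rule(sa, rb), apply_rule(sb, ra)


def all_pairs_agree(devices):
    """True if every pair of issued devices derives the same key."""
    items = list(devices.values())
    return all(handshake(a, b)[0] == handshake(a, b)[1]
               for i, a in enumerate(items) for b in items[i + 1:])


def solve_linear(rows, rhs):
    """Exact Gauss-Jordan elimination over the rationals for a square system.
    Returns None when the system is singular (rules not independent)."""
    n = len(rhs)
    m = [[Fraction(x) for x in row] + [Fraction(b)] for row, b in zip(rows, rhs)]
    for col in range(n):
        pivot = next((r for r in range(col, n) if m[r][col] != 0), None)
        if pivot is None:
            return None
        m[col], m[pivot] = m[pivot], m[col]
        inv = 1 / m[col][col]
        m[col] = [v * inv for v in m[col]]
        for r in range(n):
            if r != col and m[r][col] != 0:
                f = m[r][col]
                m[r] = [a - f * b for a, b in zip(m[r], m[col])]
    return [m[i][n] for i in range(n)]


def recover_secret(conspirators, target_rule, n=4):
    """Each conspirator imagines a handshake with the target: the target would
    sum its unknowns at the conspirator's rule positions, and that equals what
    the conspirator computes from its own secret using the target's rule.
    n such equations form a square linear system in the target's n unknowns.
    Returns None if there are too few conspirators or their rules are dependent."""
    if len(conspirators) < n:
        return None
    rows, rhs = [], []
    for secret, rule in conspirators[:n]:
        rows.append([1 if (i + 1) in rule else 0 for i in range(n)])
        rhs.append(apply_rule(secret, target_rule))
    sol = solve_linear(rows, rhs)
    return None if sol is None else tuple(int(x) for x in sol)


if __name__ == "__main__":
    print("Alice/Bob handshake:", handshake(DEVICES["Alice"], DEVICES["Bob"]))
    print("all pairs agree:", all_pairs_agree(DEVICES))
    recovered = recover_secret(list(DEVICES.values()), ED_RULE)
    print("recovered Ed:", recovered, "correct:", recovered == ED_SECRET)
    print("three conspirators:", recover_secret(list(DEVICES.values())[:3], ED_RULE))
```

The defender's takeaway is the one Felten draws: the number of independent compromised devices needed equals the vector length, and no key revocation mechanism in the scheme can undo a recovered central-authority capability, because the conspirators can mint vectors for devices that never existed.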
From rforno at infowarrior.org Sun Apr 16 23:00:27 2006
From: rforno at infowarrior.org (Richard Forno)
Date: Sun, 16 Apr 2006 23:00:27 -0400
Subject: [Infowarrior] - NYPD flips on surveillance cameras to fight crime and terror
Message-ID:

http://www.newsday.com/news/local/wire/newyork/ny-bc-ny--eyesonthecity0416apr16,0,3037922,print.story?coll=ny-region-apnewyork

NYPD flips on surveillance cameras to fight crime and terror
By TOM HAYS
Associated Press Writer
April 16, 2006, 11:32 AM EDT

NEW YORK -- Along a gritty stretch of Knickerbocker Avenue in Brooklyn, police this month quietly launched one of the nation's most ambitious plans to combat street crime and terrorism. And there were no cops in sight. Peering down from lamp posts about 30 feet above the sidewalk were three wireless video recorders, each emblazoned with "NYPD" and equipped with two zoom lenses. The cameras were the first installment of a high-tech surveillance program to place 500 cameras throughout the city at a cost of $9 million. Hundreds of additional cameras could follow if the city receives $81.5 million in federal grants it has requested to safeguard Lower Manhattan and parts of midtown with a surveillance "ring of steel" modeled after security measures in London's financial district. Officials with the New York Police Department -- which considers itself at the forefront of counterterrorism among U.S. cities since the Sept. 11, 2001, attacks -- claim the money would be well-spent. They say revelations that al-Qaida once cased the New York Stock Exchange and other financial institutions show terrorists have a fixation on Lower Manhattan. "We have every reason to believe New York remains in the cross-hairs, so we have to do what it takes to protect the city," Police Commissioner Raymond Kelly said in remarks last week at Harvard University's John F. Kennedy School of Government.
Law enforcement and transportation agencies already have about 1,000 cameras in the subways, with 2,100 scheduled to be in place by 2008. An additional 3,100 cameras are monitoring city housing projects. The department believes its 500 security cameras on the street will deter crime in busy commercial districts once potential robbers and burglars realize they could be caught on videotape. The plan for Lower Manhattan, if funded, would rely on a more sophisticated closed-circuit system that would allow officers to monitor live feeds inside a command bunker. New York's approach isn't unique: Chicago spent roughly $5 million on a 2,000-camera system. In Washington, D.C., Homeland Security officials plan to spend $9.8 million for surveillance cameras and sensors on a rail line near the Capitol. And Philadelphia has increasingly relied on video surveillance. Privacy advocates in New York have depicted the NYPD's camera binge as Big Brother run amok. The plan, they say, needs more study and safeguards that would preserve privacy and guard against abuses like racial profiling and voyeurism. The department "is installing cameras first and asking questions later," said Donna Lieberman, executive director of the New York Civil Liberties Union. Police officials insist that law-abiding New Yorkers have nothing to fear because the cameras will be restricted to public areas. The police commissioner recently established a panel of four corporate defense lawyers to advise the department on surveillance policies. "The police department must be flexible to meet an ever changing threat," Kelly said. "We also have to ensure whatever measures we take are reasonable as the Constitution requires. That's the only way to retain public support and preserve individual freedoms." Lieberman, while conceding cameras can help investigators identify suspects once a crime has been committed, argued they can't stop crime in the first place.
She cited a 2002 study that concluded that closed-circuit systems used in 14 British cities had little or no impact on crime rates -- just as it didn't keep terrorists last year from bombing the London subway system. "The London experience shouldn't be misconstrued that the 'ring of steel' prevents terrorism," she said. "But that's how it's being pitched." Police in New York were impressed last summer by reports that their British counterparts drew on 80,000 videotapes to identify and retrace the routes of the suicide bombers and the suspects in a failed follow-up attack. NYPD officers were dispatched to London last September to study a system which photographs virtually every person and car entering the City of London, home to the financial district and landmarks like St. Paul's Cathedral. In Lower Manhattan, police envision a closed-circuit system that would monitor a series of fortified check points leading in and out of a roughly one-square-mile district south of Chambers Street. Another set of cameras would read license plate numbers so they could be cross-checked with a database listing cars that have been stolen or linked to criminal or terror suspects. Timothy Horner, a specialist with the Kroll security firm and former NYPD captain, said the measures make sense. "It's not a cure-all, and the department is not thinking that way," he said. "But we really want law enforcement to use whatever tools they can to keep us safe."

Copyright 2006 Newsday Inc.

From rforno at infowarrior.org Mon Apr 17 07:59:58 2006
From: rforno at infowarrior.org (Richard Forno)
Date: Mon, 17 Apr 2006 07:59:58 -0400
Subject: [Infowarrior] - The Real ID rebellion
Message-ID:

The Real ID rebellion
By Declan McCullagh
http://news.com.com/The+Real+ID+rebellion/2010-1028_3-6061578.html
Story last modified Mon Apr 17 04:00:21 PDT 2006

In 1775, New Hampshire was the first colony to declare its independence from oppressive laws and taxes levied by the British crown.
Now it may become the first state to declare its independence from an oppressive digital ID law concocted in Washington, D.C. New Hampshire's House of Representatives has overwhelmingly approved a remarkable bill, HB 1582, that would prohibit the state from participating in the national ID card system that will be created in 2008. A state Senate vote is expected as early as next week. The federal law in question is the Real ID Act (here's our FAQ on the topic) that was glued on to a military spending and tsunami relief bill last year. Because few politicians are courageous enough to be seen as opposing tsunami aid, the measure sailed through the U.S. Senate by a 100-0 vote and navigated its way through the House 368 votes to 58. Unless states issue new, electronically readable ID cards that adhere to federal standards, the law says, Americans will need a passport to do everyday things like travel on an airplane, open a bank account, sign up for Social Security or enter a federal building. The U.S. Department of Homeland Security is currently devising regulations for these federalized ID cards. One possibility is that the "electronically readable" requirement will be satisfied by embedding a radio frequency identification (RFID) chip. (They'll already be appearing in U.S. passports starting in October.) That prospect alarmed New Hampshire state Rep. Neal Kurk so much that he gave an impassioned floor speech during the March 8 debate saying the Granite State must not participate in the Real ID system. "There are times, Mr. Speaker, when we must look beyond the mundane and the pragmatic and take a stand based on our values," Kurk said. "I believe this is one of those times...I don't believe the people of New Hampshire elected us to help the federal government create a national ID card." Kurk invoked the memory of Patrick Henry's revolutionary speech, "Give me liberty or give me death," and New Hampshire's motto, "Live Free or Die." 
"The war on our civil liberties is actually begun," Kurk said. "There's a price to be paid for independence. But I ask you, what price-- liberty?" Kurk's impassioned plea prevailed. Even though a legislative committee had opposed the measure, the House overruled the committee's recommendations by a margin of 217 to 84.

A Real ID rebellion?

While New Hampshire may be the first, it's not alone. Other state politicians are seething over how the federales are strong-arming them on national IDs. The National Governors Association, hardly a bunch of libertarians, has called the Real ID Act "unworkable and counterproductive." The National Conference of State Legislatures wrote to Homeland Security Secretary Michael Chertoff in October, asking him to defer to states' expertise. No doubt much of the political outcry is over money and would evaporate if the Feds wrote checks to cover the cost of upgrading state computer systems. (The governors' press release baldly admits they're "asking Congress to fund the changes required" by the Real ID Act. One taxpayer watchdog group puts the cost at $90 per Real ID card.) That would be a shame. Privacy and autonomy are even better reasons to be skeptical of this scheme. There are no rules governing what data that private companies (hotels, retailers, employers) will be able to extract from the Real ID when it's swiped or placed next to an RFID reader. Will information like a home address and Social Security number be disclosed? Will a federal database be alerted whenever the card is swiped or read? And can an RFID'ed license be read from 20 or 30 feet away? Unanswered questions like those are why it's important that state legislators stand up to bullying by Washington. "If New Hampshire passes this bill, we'll be the first domino," Kurk, the state legislator, told me Friday. "We're told there will be other states that follow on."
A New Hampshire Senate committee is mulling over the bill (and being lobbied by the motor vehicle agency, because the Real ID Act included a $3 million grant) with a floor vote expected after April 23. A rally is planned for noon on April 22 at the Concord state capitol by an anti-RFID group, and a Web site has sprung up to lobby senators. "Having a national ID would promote a surveillance society that we should all dread," Jim Harper, the director of information policy studies at the free-market Cato Institute, told the state Senate committee last week. The sad thing is that the U.S. Constitution was written to prohibit the federal government from taking such drastic steps. The long-forgotten Tenth Amendment says that powers not explicitly delegated to the Feds "are reserved to the states" or to the people. For now, though, the Real ID rebellion will continue. Patrick Henry's famous resolution in the Virginia legislature condemned "burdensome taxation" in the form of the hated Stamp Act. When more people learn about the Real ID Act, it might just spark a similar revolt today.

Copyright © 1995-2006 CNET Networks, Inc. All rights reserved.

From rforno at infowarrior.org Mon Apr 17 08:07:40 2006
From: rforno at infowarrior.org (Richard Forno)
Date: Mon, 17 Apr 2006 08:07:40 -0400
Subject: [Infowarrior] - State of the Blogosphere, April 2006
Message-ID:

State of the Blogosphere, April 2006
Part 1: On Blogosphere Growth

Yes, another quarter has passed, and it is time to take a look at the numbers! For historical perspective, you can see earlier State of the Blogosphere reports from February 2006, July 2005, from March 2005, and from October 2004.
< snip >

http://www.sifry.com/alerts/archives/000432.html

From rforno at infowarrior.org Mon Apr 17 08:08:26 2006
From: rforno at infowarrior.org (Richard Forno)
Date: Mon, 17 Apr 2006 08:08:26 -0400
Subject: [Infowarrior] - The corporate toll on the Internet
Message-ID:

http://www.salon.com/tech/feature/2006/04/17/toll/print.html

The corporate toll on the Internet
Telecom giant AT&T plans to charge online businesses to speed their services through its DSL lines. Critics say the scheme violates every principle of the Internet, favors deep-pocketed companies, and is bound to limit what we see and hear online.
By Farhad Manjoo
Apr. 17, 2006

To say that AT&T was once the nation's largest phone company is a bit like describing the Pentagon as America's leading purchaser of guns and bullets. Until its government-imposed dissolution in 1984, AT&T, which provided a dial tone to the vast majority of Americans, enjoyed a market dominance unlike that of any corporation in modern history, rivaling only state monopolies -- think of the Soviet airline or the British East India Tea Company -- in size and scope. In commercials, the company encouraged us to reach out and touch someone; the reality was that for much of the 20th century, you had no choice but to let AT&T touch your loved ones for you. Now -- after a series of acquisitions and re-acquisitions so tangled it would take Herodotus to adequately chronicle them -- AT&T is back, it's big, and according to consumer advocates and some of the nation's largest technology companies, AT&T wants to take over the Internet. The critics -- including Apple, Amazon, eBay, Google, Microsoft and Yahoo -- point out that AT&T, along with Verizon and Comcast, its main rivals in the telecom business, will dominate the U.S. market for residential high-speed Internet service for the foreseeable future.
Currently, that market is worth $20 billion, and according to the Federal Communications Commission, the major "incumbent" phone and cable companies -- such as AT&T -- control 98 percent of the business. Telecom industry critics say that these giants gained their power through years of deregulation and lax government oversight. Now many fear that the phone and cable firms, with their enormous market power, will hold enormous sway over what Americans do online. Specifically, AT&T has hinted that it plans to charge Web companies a kind of toll to send data at the highest speeds down DSL lines into its subscribers' homes. The plan would make AT&T a gatekeeper of media in your home. Under the proposal, the tens of millions of people who get their Internet service from AT&T might only be able to access heavy-bandwidth applications -- such as audio, video and Internet phone service -- from the companies that have paid AT&T a fee. Meanwhile, firms that don't pay -- perhaps Google, Yahoo, Skype, YouTube, Salon, or anyone else -- would be forced to use a smaller and slower section of the AT&T network, what Internet pioneer Vint Cerf calls a "dirt road" on the Internet. AT&T's idea, its critics say, would shrink the vast playground of the Internet into something resembling the corporate strip mall of cable TV. The fears have been deepened by AT&T's new heft. Early in March, AT&T announced that it will spend $67 billion to acquire BellSouth, the phone company that serves nine states in the Southeast. The merger will make AT&T the nation's largest telecom company, and the seventh-largest corporation of any kind. According to one study, the new AT&T will take in almost a quarter of all money American households spend on communications services. 
In addition to maintaining a near monopoly on local phone and DSL service in 22 states, the new AT&T would provide land-line long-distance service throughout the country; cellular coverage through its subsidiary Cingular, the nation's largest wireless carrier; and soon, even television broadcasts to millions of Americans. The government is expected to approve the AT&T-BellSouth deal, but the merger has already prompted debate in Congress and at the FCC over how this new behemoth may control content online. Currently, there are few rules governing what broadband companies can do on their network lines; if AT&T wanted to, for instance, it could give you only slowed-down access to the iTunes store unless Apple paid it a cut of every song you buy. To fight back, online companies like Apple and Amazon, along with Internet policy experts and engineers, are pushing the government to draw up a set of rules to ensure what they call "network neutrality." The rules, debated this past February in a Senate hearing, would force broadband companies to treat all data on the Internet equally, preventing them from charging content companies for priority delivery into your house. AT&T and other broadband companies oppose laws to restrict how they operate online -- the free market, they say, will ensure an even playing field. In 2005, phone companies poured nearly $30 million into lobbying to ensure that the telecom industry remains free of regulation. The battle may sound wonky but its outcome could well determine the shape of tomorrow's media universe. Increasingly, we're all using the Internet for much more than surfing the Web; film, music, TV and phone companies are looking at the network as the primary channel for delivering media into our homes, and AT&T and other telecom firms are spending billions to deploy deliciously fast fiber-optic lines to handle the expected traffic. 
The regulatory tangle between broadband providers and Web companies over network neutrality reflects a more fundamental fight over precious communications real estate -- a battle for control of the lines that will serve as our main conduit for media in the future. Each side predicts dire consequences if its opponents win. Jim Ciccone, AT&T's senior executive vice president for external affairs, says that if broadband service is regulated, AT&T won't be able to recoup its costs for building these new lines -- "and then we don't build the network." The Web firms say that if the big broadband companies are allowed to charge content firms for access to your house, we'll see the Internet go the way of other deregulated media -- just like TV and radio, where a small band of big companies used their wealth to swallow up consumer choice. If broadband companies get their way, says Jeff Chester of the Center for Digital Democracy, the Internet will one day feature nothing much more exciting than "the digital equivalent of endless episodes of 'I Love Lucy.'" In 2003, when Internet policy experts first began discussing network neutrality, their primary worry was that broadband providers would strike deals with certain Web sites to block people's access to competing sites or services online. For instance, what if Comcast worked with Barnes and Noble so that every time a Comcast Internet user pointed his browser to Amazon.com, he was instead redirected to BN.com? FCC officials have frowned upon the possibility of ISPs blocking certain Web sites, but they have not regulated against it; Paul Misener, the vice president for global public policy at Amazon.com, argues that "under current rules," a company like AT&T "would be able to block us without punishment." 
Although such actions are theoretically possible, most experts concede that broadband firms wouldn't do something as brazen as blocking customers from going anywhere on the Web; such actions would probably prompt immediate regulation. Now Amazon, eBay, Google, Yahoo and others argue that broadband firms like AT&T, Verizon and Comcast are looking to institute a more subtle kind of discrimination. They're looking to "prioritize content from some content companies over others," Misener says. In fact, AT&T is not at all secret about its plans. In an interview with BusinessWeek magazine last year, Edward Whitacre, AT&T's CEO, took a hard line against Web companies that oppose paying for high-speed access to AT&T's customers. "What they would like to do is use my pipes free, but I ain't going to let them do that because we have spent this capital and we have to have a return on it," he said of Google and Microsoft. "Why should they be allowed to use my pipes? The Internet can't be free in that sense, because we and the cable companies have made an investment and for a Google or Yahoo or Vonage or anybody to expect to use these pipes [for] free is nuts!" The pipes Whitacre is referring to are those his company is building under a plan it calls Project Lightspeed, a multibillion-dollar initiative to install high-capacity fiber-optic Internet lines into thousands of residential neighborhoods across AT&T's service area. The company expects to serve about 18 million households with fiber-optic lines by 2008; Verizon has similar plans to roll out fiber lines. The new pipes will dramatically improve Internet speeds to home customers. Today a typical DSL line downloads data at about 1 or 2 Mbps, and cable modems run about double that rate. Advanced fiber-optic systems will see download speeds of at least 25 to 30 Mbps. Today's DSL can barely download a single standard-quality video stream in real time. 
In tests AT&T recently ran in San Antonio, Project Lightspeed lines carried three standard-quality streams and one high-definition stream down the line simultaneously. What will customers do with all this broadband capacity? As the phone companies envision it, we'll use it to watch a lot of TV. Both Verizon and AT&T are betting heavily on a technology called IPTV, a service that delivers television signals into people's homes over the new fiber-optic Internet lines. According to the phone companies, IPTV will be a boon to consumers, delivering high-quality video and advanced services like TV shows "on demand," and providing much-needed competition to cable companies. What's not clear, though, is what else -- besides watching TV -- customers will be allowed to do with the new lines. This is the heart of the fight over network neutrality. If you subscribe to AT&T's Project Lightspeed service, will you be able to use the 30 Mbps line coming into your house for, say, downloading high-definition movies from Apple, high-definition home videos from YouTube, or some other bandwidth-heavy application we haven't yet dreamed of? Or, instead, will AT&T reserve the line for its own TV service and for data from other companies that pay a fee -- thereby making AT&T the arbiter of content in your home? At the moment, phone companies are cagey about their plans. What they will say is they're not going to stop their customers from getting to any site or service on the Internet. "Let me be clear: AT&T will not block anyone's access to the public Internet, nor will we degrade anyone's quality of service," Whitacre said in a speech to a trade conference in Las Vegas recently. "Period. End of story." 
But just because AT&T won't block people from accessing Google's videos doesn't mean it will give Google's videos the same status on the broadband pipe as other content -- meaning that while AT&T's TV service may come in at high-definition quality, those from competing firms might only run at standard-definition. Indeed, AT&T and other network operators are building their networks in a way that would make it possible to split up network traffic into various lanes -- fast, slow, medium -- and then to decide what kind of data, and whose data, goes where, based on who's paid what. Broadband companies argue that engineering their networks in this way will benefit customers in two ways. First, they say, splitting up the Internet into several lanes will generally improve its efficiency -- the network will simply run better if it's more logically managed. The phone companies' second argument concerns cost. If AT&T builds a blindingly fast new Internet line to your house but only allows some firms -- firms that pay -- to get the fastest service, it can significantly offset the costs of the build-out. And that's good for you, AT&T says, because if the company can charge the likes of Apple and Google to pay for the line, it doesn't have to charge you. "I think what we're saying is friendly to the consumer," Ciccone says. "If we're building the capacity, what we're doing is trying to defray some of the cost from consumers to the business end of this." AT&T's critics don't buy this claim. They argue that by slicing up the Internet into different lanes, broadband companies are violating one of the basic network design principles responsible for the Internet's rise and amazing success. They add, too, that there's no proof that AT&T's plan would result in reduced broadband costs for home customers. Instead, consumers could lose out in a big way. 
If AT&T's plan comes to pass, the dynamic Internet, where innovation rules and where content companies rise and fall on their own merit, would shrivel. By exploiting the weaknesses in current laws, telecom firms would gain an extraordinarily lucrative stake in the new media universe. In the same way that a corporation like Clear Channel controls the radio airwaves, companies like AT&T could become kingmakers in the online world, granting priority to content from which they stand to profit most. Britney Spears, anyone? To understand why critics worry about the future of the Internet in the absence of what they call network neutrality, it helps to look at the underlying philosophy of the ubiquitous network. Engineers are fond of describing the Internet as a "dumb network," a designation that's meant to be a compliment. Unlike other large communications systems -- phone or cable networks -- the Internet was designed without a specific application in mind. The engineers who built the network didn't really know what it would be used for, so they kept it profoundly simple, making sure that the network performed very few functions of its own. Where other networks use a kind of "intelligence" to define what is and what isn't allowed on a system, the various machines that make up the Internet don't usually examine or act upon data; they just push it where it needs to go. The smallest meaningful bit of information on the Internet is called a "packet"; anything you send or receive on the network, from an e-mail to an iTunes song, is composed of many packets. On the Internet, all packets are equal. Any one packet hurtling over the pipe to my house is treated more or less the same way as any other packet, regardless of where it comes from or what kind of information -- video, voice or just text -- it represents. 
If I were to download a large Microsoft Word e-mail attachment at the same time that I were to stream a funny clip from Salon's Video Dog, the Internet won't make any effort to give the video clip more space on my line than the document, even if I may want it to. If the connection is too slow to accommodate both files at the same time, my video might slow down and sputter as the Word file hogs up the line -- to the network, bits are bits, and a video is no more important than a Word file. The notion that the Internet shouldn't perform special functions on network data is known as the "end-to-end principle." The idea, first outlined by computer scientists Jerome Saltzer, David Clark, and David Reed in 1984, is widely seen as a key to the network's success. It is precisely because the Internet doesn't have any intelligence of its own that it's been so useful for so many different kinds of things; the network works consistently and evenly for everyone, and, therefore, everyone is free to add their own brand of intelligence to it. Today's largest broadband firms, though, aren't accustomed to running dumb networks built on the end-to-end principle. AT&T ran the phone network at its own behest -- and the company usually benefited from it. Historically, in the telecom industry, "there's been this instinct toward control," says Tim Wu, a law professor at Columbia and a co-author of "Who Controls the Internet?" At firms like AT&T and Verizon, both of which have roots in the monopolistic old AT&T, there's now an effort afoot to reengineer parts of the Internet by introducing more intelligence to manage and control data. One firm that has been a vocal proponent of prioritizing data is Cisco, the giant network equipment company whose products currently power much of the Internet. "We think that as people use their broadband connections more intensively, the need to manage traffic is going to increase," says Jeff Campbell, director of government affairs at Cisco. 
The company has designed an array of products that allows service providers like AT&T and Verizon to scrutinize everything on their networks extremely closely. One Cisco brochure (PDF) touts a system called the Cisco Service Control Engine, which is described as "a deep packet inspection engine that helps enable service providers to identify, classify, monitor, and control traffic" on the network. "Deep packet inspection" refers to the practice of looking at each slice of data on the network and determining exactly what kind of information it is -- whether it's part of an e-mail message, or a bit of a video file you're trading over Bittorrent, or perhaps a New York Times news story on the Web. After examining each packet and deciding which user asked for it, where it's coming from, and what application it's meant for, the Cisco system allows network operators to assign various network privileges to the data. During a time of network congestion, data that is "delay-sensitive" -- like part of a voice phone call or a streaming video -- can be moved along the network in a hurry, while packets that represent less urgent data -- peer-to-peer file transfers, or downloads of e-mail attachments -- might be put on a slow lane. In this sort of network, were I to download a video file and a Word file at the same time, the network would notice it, and may decide to slow down the Word file so that the video file plays smoothly. Many Web entrepreneurs and network policy experts think that giving priority to some traffic is good for the Internet. In February, Mark Cuban, the billionaire media entrepreneur and sports-team owner, posted a rant on his blog decrying the current state of network traffic management, and calling on broadband firms to offer high-speed service for some kinds of data. "There are some basic facts about the Internet that remind me of driving on the 405 in Los Angeles," Cuban wrote. "Traffic jams happen. There is no end in sight for those traffic jams. 
The traffic jams are worse at certain times of the day. Whether it's the 405 or the Internet." If we use carpool lanes to allow some cars to bypass traffic on our freeways, Cuban asked, why not add HOV lanes to the Internet, so that media that needs fast service can get to its destination more quickly? Cuban is a co-founder of HDNet, a high-definition cable and satellite TV network, and has a particular interest in seeing the Internet give special treatment to certain files. In fact, the new Internet schemes are specifically designed to boost audio and video on the network. If your Word file slows down for a half-second during download, you're not going to notice it; but if your Internet phone call has a half-second interruption, it would annoy you to no end. Opponents of neutrality regulations say other applications currently being designed for the Internet will only work well if the network is improved. For instance, imagine if you were watching an Internet TV broadcast of a basketball game that allowed you to switch to different camera angles during the game. That program would be only useful, says Campbell of Cisco, if the camera angles appeared instantly, not seconds after you switched. Other advocates point to new medical diagnostic devices with which hospitals can monitor the status of patients at home; in that situation, it would seem obvious to give such traffic priority. "I guess we could leave the Internet in the dark ages and leave everything as an unprioritized, unorganized mass where all bits are treated the same," says Campbell. "But we think good network management technology will improve overall performance and consumers will have a better experience in the long term." Despite Cisco's position, there is fractious division among network engineers on whether prioritizing certain time-sensitive traffic would actually improve network performance. 
Introducing intelligence into the Internet also introduces complexity, and that can reduce how well the network works. Indeed, one of the main reasons scientists first espoused the end-to-end principle is to make networks efficient; it seemed obvious that analyzing each packet that passes over the Internet would add some computational demands to the system. Gary Bachula, vice president for external affairs of Internet2, a nonprofit project by universities and corporations to build an extremely fast and large network, argues that managing online traffic just doesn't work very well. At the February Senate hearing, he testified that when Internet2 began setting up its large network, called Abilene, "our engineers started with the assumption that we should find technical ways of prioritizing certain kinds of bits, such as streaming video, or video conferencing, in order to assure that they arrive without delay. As it developed, though, all of our research and practical experience supported the conclusion that it was far more cost effective to simply provide more bandwidth. With enough bandwidth in the network, there is no congestion and video bits do not need preferential treatment." Today, Bachula continued, "our Abilene network does not give preferential treatment to anyone's bits, but our users routinely experiment with streaming HDTV, hold thousands of high-quality two-way videoconferences simultaneously, and transfer huge files of scientific data around the globe without loss of packets." Not only is adding intelligence to a network not very useful, Bachula pointed out, it's not very cheap. A system that splits data into various lanes of traffic requires expensive equipment, both within the network and at people's homes. Right now, broadband companies are spending a great deal on things like set-top boxes, phone routers and other equipment for their advanced services. "Simple is cheaper," Bachula said. 
"Complex is costly" -- a cost that may well be passed on to customers. Expensive as they may be, the new network schemes will allow for myriad moneymaking opportunities. The new technology will allow AT&T and company to reserve the fast lane for the highest bidders. And AT&T says such a plan is perfectly fair. "It costs a lot to maintain and operate a network," says Ciccone of AT&T. "You don't pay for that by offering a raw pipe. We didn't build a copper line network a hundred years ago so people could do whatever they want on it. We offered a phone service. And you don't build networks so that somebody else can necessarily use them for free. We have the capability through dedicated lines of service for offering a high-quality product. There's a service there. We should be able to offer that in the market." Ciccone is particularly galled by the fact that those who are the most opposed to AT&T's plans are enormous firms -- such as Google -- that want to make money by offering video services online. "This really is just coming from a couple companies who have plans to stream movies," he says. "They hide behind the guise of the innovator in the garage who's building the next big Google. That's a lot of hooey because the little guy is not streaming movies. This is about the companies that want to stream movies, and they want to not just compete with us but with cable companies in doing so. What disturbs them is that we're building network capacity to be able to accommodate ourselves with a very high-quality product, and the Googles won't be able to deliver the same quality." Technology companies do say they fear AT&T's network won't provide a level playing field, and that AT&T's competitors won't be able to deliver videos that work as well as AT&T's content. Networks have finite space, and it is a fact of network engineering that when some data is given a priority on the network, other data will be pushed aside. 
At the Senate hearing, Stanford Law professor and Internet policy expert Lawrence Lessig argued that this will put companies or individuals that can't pay for high-quality service at an enormous disadvantage, "reducing application or content competition on the Internet." In the past year, streaming-video Web sites have proliferated on the Internet, and some of the most popular services have come from start-ups like YouTube. Under AT&T's plan, flush firms like Google would be able to pay for all the space on the line, leaving the smaller guys out of luck. The Internet has long been a meritocracy, where smart and creative companies can act quickly and beat out established players. That wouldn't be so on AT&T's Internet. Broadband operators respond by declaring they will offer high-speed services to all companies, big or small, and anybody will be able to pay for a spot in the fast lane. "Generally companies shy away from doing exclusive deals," says AT&T's Ciccone. "You don't say I'm only going to provide telephone service to only one bank." But as Amazon's Misener points out, "This is a zero-sum game. If you prioritize anyone's content you necessarily degrade someone else's. That's how it works." When you convert one lane on a freeway into a toll lane, it's true that you make traffic better for cars that can pay. But you also make traffic worse for cars that cannot. Indeed, that's what makes AT&T's plan so lucrative. The company can't offer fast service to everyone. If it did offer all companies access to the fast lane for a low fee, the lane would soon become congested and nobody would have an incentive to pay. To make the most money, the network operators may charge just a few firms huge sums to ride on the pipe. This means that one or two companies could lock in a preferred position on the network. And AT&T's own services could benefit greatly from the new plan. 
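The classify-then-prioritize scheme the article describes (the deep packet inspection engine that labels each packet by what it carries, and Misener's point that prioritizing one party's traffic necessarily degrades someone else's) can be simulated on a fixed-capacity link. The following is an added example for this archive page, not code from Salon, Cisco or AT&T: the packet trace, the three payload signatures and the 1500-byte-per-tick link are constructed for the demonstration, and `classify`, `run_link` and `compare` are names chosen here. A real DPI engine inspects far more than a few leading bytes, but the scheduling consequence is the same.

```python
# Added example: a toy deep-packet-inspection classifier feeding a strict-priority
# scheduler on a fixed-capacity link, compared with a neutral first-come-first-served
# link.  Trace, signatures and link capacity are constructed for the demonstration.
from dataclasses import dataclass


@dataclass
class Packet:
    arrival: int      # tick at which the packet reaches the congested link
    size: int         # bytes
    payload: bytes    # leading payload bytes, the part a DPI engine looks at
    app: str = ""     # application class filled in by classify()


# Constructed signatures: (class, predicate over the leading payload bytes).
# Checked in order; the first match wins.
SIGNATURES = [
    ("video", lambda p: len(p) > 0 and p[0] & 0xC0 == 0x80),          # RTP v2 header byte
    ("web",   lambda p: p.startswith((b"GET ", b"POST ", b"HTTP/"))),  # HTTP request/response
    ("p2p",   lambda p: p.startswith(b"\x13BitTorrent protocol")),     # BitTorrent handshake
]


def classify(pkt):
    """Label a packet by looking inside it rather than at addresses or ports."""
    for app, matches in SIGNATURES:
        if matches(pkt.payload):
            pkt.app = app
            return app
    pkt.app = "other"
    return "other"


def run_link(packets, capacity, rank=None):
    """Drain `packets` through a link that sends `capacity` bytes per tick.

    rank=None  -> neutral link: bytes leave in arrival order ("bits are bits").
    rank=dict  -> strict priority: classes with a lower rank are served first
                  whenever they have queued bytes; unranked classes wait.
    Returns {packet index: tick at which its last byte was sent}.
    """
    def order(i):
        p = packets[i]
        if rank is None:
            return (p.arrival, i)
        return (rank.get(p.app, len(rank)), p.arrival, i)

    remaining = {i: p.size for i, p in enumerate(packets)}
    done = {}
    tick = 0
    while remaining:
        ready = [i for i in remaining if packets[i].arrival <= tick]
        budget = capacity
        for i in sorted(ready, key=order):
            if budget == 0:
                break
            sent = min(budget, remaining[i])
            remaining[i] -= sent
            budget -= sent
            if remaining[i] == 0:
                done[i] = tick
                del remaining[i]
        tick += 1
    return done


def mean_delay_by_app(packets, done):
    """Mean ticks between arrival and delivery, per application class."""
    delays = {}
    for i, p in enumerate(packets):
        delays.setdefault(p.app, []).append(done[i] - p.arrival)
    return {app: sum(d) / len(d) for app, d in delays.items()}


def constructed_trace():
    """Ten ticks of a video stream (1000 B/tick) sharing the line with a bulk
    web download and a BitTorrent transfer (1500 B on alternating ticks)."""
    pkts = []
    for t in range(10):
        pkts.append(Packet(t, 1000, b"\x80\x60" + bytes(10)))            # RTP-like
        if t % 2 == 0:
            pkts.append(Packet(t, 1500, b"GET /big.iso HTTP/1.1\r\n"))   # web download
        else:
            pkts.append(Packet(t, 1500, b"\x13BitTorrent protocol"))     # p2p transfer
    for p in pkts:
        classify(p)
    return pkts


def compare(packets, capacity=1500):
    """Mean delay per class on a neutral link and on a link that sells the
    'video' class a spot in the fast lane.  Offered load (2500 B/tick) exceeds
    capacity, so the link is congested and somebody has to wait."""
    neutral = mean_delay_by_app(packets, run_link(packets, capacity))
    tiered = mean_delay_by_app(packets, run_link(packets, capacity, rank={"video": 0}))
    return neutral, tiered


if __name__ == "__main__":
    trace = constructed_trace()
    neutral, tiered = compare(trace)
    for app in ("video", "web", "p2p"):
        print(f"{app:5s} neutral {neutral[app]:.1f} ticks   prioritized {tiered[app]:.1f} ticks")
```

With the constructed trace the video stream's mean delay falls from 3.0 ticks to 0 once it is ranked first, while the web download and the peer-to-peer transfer rise from 3.6 and 4.4 ticks to 5.8 and 6.4, and the last byte leaves the link at tick 16 under both policies. That is the zero-sum property in the passage: a work-conserving link delivers the same bytes either way, so prioritizing one class only moves the waiting onto the others.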
For instance, AT&T offers a voice-over-the-Internet phone plan called CallVantage that competes with Skype, a free service owned by eBay. "Let's say there's a certain amount of revenue in voice services, maybe $125 billion in voice," explains Wu. If AT&T determines that letting Skype onto the fast lane will cause it to lose customers and, thus, revenue, it could decide to only let Skype ride the slow lanes. "If you're going to lose $10 billion to Skype by letting them on, why give them that money?" Wu says that under current regulations, this practice would be perfectly legal. While such deals may be legal, AT&T says, they would be bad for business. If a broadband company didn't allow a popular service like Skype a spot in the fast lane, consumers would choose a different provider. "If you do make dumb decisions, your customers go somewhere else," Ciccone says. "Nobody wants to offer half a service with only special deals or arrangements for something of that nature. You're competing against other companies that may do it differently." But if you don't like your Internet provider, would you really be able to go elsewhere? Cerf, who is now Google's chief Internet "evangelist," pointed out in the Senate hearing that only 53 percent of Americans now have a choice between cable modem and DSL high-speed Internet service at home. According to the FCC, 28 percent of Americans have only one of these options for broadband Internet access, and 19 percent have no option at all. Moreover, phone and cable companies have been trying to reduce competition in the broadband business even further. They convinced the FCC to allow them to prohibit rival Internet service providers -- such as Earthlink -- from offering high-speed net access on phone- and cable-company-owned lines. (Phone and cable companies do lease their lines to independent ISPs like Earthlink, but under current rules they can decline to do so at any time.) 
AT&T, Verizon and Comcast have also pushed hard to stop cities across the country from launching free or low-cost municipal wireless Internet systems. In this marketplace, if your DSL or cable modem provider begins to favor some content over others, you will have very little recourse. Even if you could choose another provider, doing so isn't easy. "It's not like there are two supermarkets in town and if you don't like one you can go to the other," Amazon's Misener says. He adds that "every economic theory we know suggests that when there's a duopoly" -- in this case between cable broadband and phone broadband -- "there will be tacit collusion in the market." So even if you could choose between broadband or cable service, eventually, like radio stations in any metro area, you will find they all sound the same. Or think about your cable lineup. When your provider doesn't carry the TV network you like, what choice do you have? Almost none. At the moment, there are very few regulations that outline what broadband companies can and cannot do with content on their lines. So far, the FCC has only been willing to outline some principles to which firms should adhere. In a speech in Boulder, Colo., in February 2004, Michael Powell, the former FCC head, said that he didn't see the need for regulation. Instead, he set out a list of "Internet freedoms" that he "challenged the broadband network industry to preserve." Specifically, Powell called on high-speed network providers to allow their customers to access any legal content on the Internet, use any legal applications, and plug in any devices to their networks. The FCC later outlined these principles in a "policy statement," and imposed these conditions on Verizon and AT&T as temporary conditions of the mergers the companies underwent last year. But while these "freedoms" allow customers access to any services, they don't outline whether AT&T can give some content priority on the network. 
In addition, there is a debate about whether Powell's "challenge" is enforceable at all. Last year, when one small North Carolina ISP began blocking Internet voice calls on its network, the FCC quickly stepped in and fined the firm. Telecom firms say the incident proves that the FCC has enough authority to block egregious behavior. But AT&T's Ciccone also acknowledges that adhering to the FCC's vision is a "voluntary commitment. It's not a rule or a regulation of the FCC. They laid out the broadband principles and our compliance is purely a voluntary act on our part." Wu explains the issue this way: "Right now it's like the ghost of Michael Powell has his finger in the dike" protecting us against the worst behavior of big companies. But if you were starting a new service on the Internet, "do you want to bet your business on the ghost of Michael Powell?" Today, as numerous proposals for reforming telecom law float around Congress, broadband firms are fighting hard against a neutral network, and apparently winning. (AT&T may certainly be on the government's good side, as it has been secretly allowing the National Security Agency to monitor its phone and Internet lines, according to a retired AT&T technician, as reported by Wired News.) In a party-line vote last week, Republicans on a House subcommittee defeated one neutrality proposal. According to many observers, another bill in the Senate, offered by Democratic Sen. Ron Wyden of Oregon, faces similar dim prospects. In addition to lobbying, broadband firms have launched a campaign aimed at urging Americans to join their fight. Large telecom firms back a "coalition" called Hands Off the Internet, which argues that instituting network neutrality amounts to government "regulation" of the Internet. On its Web site, the group -- which is funded by, among other companies, AT&T, and is headed by former Bill Clinton press secretary Mike McCurry -- beseeches, "Join us and say NO to government regulation of the Internet!" 
Opponents say that regulation is the only way to save the Internet from the likes of AT&T. "They would have the pipe split between the public Internet -- which might get 1 Mbps speeds -- and a toll lane on the rest of the 100 Mbps pipe they're laying," Tod Cohen, the director of government affairs at eBay, says of AT&T's plans. By "public Internet," Cohen is referring to today's Internet, the Internet of Google, Blogger, Skype, YouTube and Flickr, services that came out of nowhere and are now indispensable. "They're saying, 'We'll leave the public Internet to be like the public-access station. But if you want to be on one of the fast channels, you have to pay.'" Consumer advocate Chester sees a dark future for the Internet if big companies like AT&T gain unregulated control. "I think the public requires a serious national debate about what this means and what it's going to look like," he says. "There's a basic assumption that the Internet is going to remain forever open and diverse and affordable. I'm saying we should be cautious. We should really understand what these proposals mean for the kind of diverse voices we would want to see online." -- By Farhad Manjoo

From rforno at infowarrior.org Mon Apr 17 21:22:30 2006
From: rforno at infowarrior.org (Richard Forno)
Date: Mon, 17 Apr 2006 21:22:30 -0400
Subject: [Infowarrior] - Does open source encourage rootkits?
Message-ID:

Another case of FUD.....the fact folks openly analyze technology doesn't mean they're responsible for the potential malicious application of it. How many other such technologies has this argument been applied to in recent years? -rf

This story appeared on Network World at http://www.networkworld.com/news/2006/041706-open-source-rootkits.html

Does open source encourage rootkits? By Ellen Messmer, Network World, 04/17/06

Rootkits are becoming more prevalent and difficult to detect, and security vendor McAfee says the blame falls squarely on the open source community.
In its "Rootkits" report being published today, McAfee says the number of rootkits it has collected as malware samples has jumped ninefold this quarter compared with the same quarter a year ago. Almost all the rootkits McAfee has identified are intended to hide other code (such as spyware or bots) or conceal processes running in Windows systems.

"The predominant reason for the growth in use of stealthy code is because of sites like Rootkit.com," says Stuart McClure, senior vice president of global threats at McAfee.

Rootkit.com's 41,533 members do post rootkit source code anonymously, then discuss and share the open source code. But it's naïve to say the Web site exists for malicious purposes, contends Greg Hoglund, CEO of security firm HBGary and operator of Rootkit.

"It's there to educate people," says Hoglund, who's also the co-author with James Butler of the book Rootkits: Subverting the Windows Kernel. "The site is devoted to the discussion of rootkits. It's a great resource for anti-virus companies and others. Without it, they'd be far behind in their understanding of rootkits."

No one with a profoundly malicious intent would post his rootkit on the site, because it would be publicly analyzed for detection purposes, Hoglund says. He concedes, however, that out of the tens of thousands of Rootkit participants, there are bound to be those whose intent is to exploit rather than learn.

Anti-virus vendor Trend Micro says the Rootkit Web site cuts both ways. "We need those open source people," says David Perry, global director of education at Trend Micro. "They uncover things. It's a laboratory of computer science. They demand the intellectual right to discuss this." That said, Perry notes there are a lot of hacker wannabes who would be drawn to using the Rootkit site "as one-stop shopping for them to pick up the tools."

Designing a rootkit is a complex programming process.
Hoglund says there are probably no more than 20 or 30 main types today, along with a wide number of variants. Detecting rootkits has become a software research frontier, but eradicating them and what they hide is proving even more difficult.

"I don't think it's fair to say Rootkit.com is abetting the spread of rootkits. They were present before Rootkit.com," says co-author Butler, CTO at Komoku. Komoku is getting ready to release a rootkit-detector code-named Gamma. Butler says Rootkit.com has made it easier to use such software. "Technology being deployed today is now more sophisticated than it was two years ago. It's very advanced," he says.

"Eradication is extremely difficult to do in 100% of the cases, while restoring a system and keeping it stable," Butler says. Some rootkits that can get into the [basic input/output system] might make it advisable "to throw the computer away" if you want to be sure you got rid of the rootkit, he says. A Microsoft official offered similar advice two weeks ago at the InfoSec Conference in Orlando.

Rootkits with names including HackerDefender, AFXRootkit, PWS-Progent and FURootkit are cited by McAfee as among the most prevalent today. The trend is toward embedding stealth technologies with varying forms of spyware and malware, such as Backdoor-CEB, AdClicker-BA, W32/Feebs, Backdoor-CTV, Qoolaid, PWS-LDPinch, Opanki.worm, and W32/Sdbot.worm. This makes it harder to detect and eradicate spyware, adware and other unwanted code, McAfee's McClure says.

The growing fear in the security world is that it won't be long before someone creates a worm that can scan networks for vulnerabilities and then effectively deliver a malicious payload - such as something that can wipe out files, change data or spy on organizations - that can be kept hidden by a well-made rootkit. "It's quite possible, once you've got a piece of code on someone's computer," Perry says.

All contents copyright 1995-2005 Network World, Inc.
http://www.networkworld.com

From rforno at infowarrior.org Mon Apr 17 21:24:46 2006
From: rforno at infowarrior.org (Richard Forno)
Date: Mon, 17 Apr 2006 21:24:46 -0400
Subject: [Infowarrior] - Background on NARA Classified MOUs
Message-ID:

Background on NARA Classified MOUs
http://www.archives.gov/declassification/background.html?template=print
Monday, April 17, 2006

The National Archives and Records Administration (NARA) has always sought to operate within the delicate balance of making as much information available to the public as possible, while protecting classified national security information as determined by other agencies. In 2001 and 2002, NARA entered into two classified Memoranda of Understanding (MOU), with the CIA and the Air Force, addressing their re-review of open records that may have been inadvertently or improperly declassified because one or more agencies did not have an opportunity to review the records for their classified information. NARA had three principal goals in agreeing to these MOUs: 1) protection and proper handling of the records; 2) minimizing the impact on researchers by trying to expedite the reviews of records subject to pending requests; and 3) minimizing the number of withdrawals. At the time, NARA believed that establishing written procedures was essential to achieving these goals and outweighed the agencies' determination that the MOUs be classified.

While NARA had entered into these MOUs with the best of intentions, Archivist of the United States Allen Weinstein has given clear direction that never again will the National Archives enter into such classified agreements. Professor Weinstein has stated, "There can never be a classified aspect to our mission. Classified agreements are the antithesis of our reason for being.
Our focus is on the preservation of records and ensuring their availability to the American public while at the same time fulfilling the people's expectation that we will properly safeguard the classified records entrusted to our custody. Agencies have the prerogative to classify their requests to NARA if disclosure of the reasons why they are asking us to take action would cause identifiable damage to national security. However, what we do in response to such requests, and how we do it, will always be as transparent as possible. If records must be removed for reasons of national security, the American people will always, at the very least, know when it occurs and how many records are affected."

In addition to the above, these MOUs, even in their unclassified formats, will soon be replaced by thoroughly transparent standards governing the review of previously declassified records that have been available for research at the National Archives. These standards are currently being developed by the Information Security Oversight Office (ISOO) and will be promulgated as a change to "Classified National Security Information Directive No. 1" (32 CFR Part 2001) following formal interagency coordination, to include an opportunity for public comment.

Recently, NARA mistakenly indicated that there was only one classified MOU dealing with the issue of "reclassification," when, in fact, there were two. This confusion was a result of a distinction in the minds of NARA staff between the Air Force MOU, which dealt with a specific re-review activity, and the CIA MOU, which was generic and procedural in nature. Upon learning of the second MOU last week, the Archivist, in keeping with his stated policy, requested its immediate declassification.
The following chronology attempts to provide the background and context of this issue:

* The declassification of hundreds of millions of pages of records under Executive Order 12958 and predecessor orders inevitably resulted in mistakes, largely due to one agency not being afforded the opportunity to review its classified information found in the records of other agencies. Even an error rate of only 0.01% would result in tens of thousands of pages of improperly disclosed records. While NARA believes that such mistakes are unavoidable and should be accepted as a necessary risk to the value of declassification of permanent historical records, many agencies nonetheless insisted that they needed to re-review open records and withdraw some of them from public access.

* Accordingly, the Kyl and Lott Amendments of 1999 and 2000 required NARA and the Department of Energy (DOE) to create a plan to prevent the inadvertent release of records containing Restricted Data (RD) and Formerly Restricted Data (FRD). One of NARA's main concerns in implementing this plan was to minimize the burden that a re-review of open records would have on researchers, by getting DOE to expedite the review of any box that had been requested by a researcher.

* Similarly, in 1999, a NARA employee discovered that records in approximately 56 boxes of State Department Intelligence and Research (INR) files might have been improperly declassified because they appeared to contain sensitive intelligence information. NARA reported this matter to State, CIA, and the Information Security Oversight Office (ISOO). The agencies determined that, in this case, a mistake in the declassification processing had occurred, resulting in inadvertent disclosures. A review was conducted by State and CIA, which took nearly two years to complete, and resulted in the withdrawal of a large number of documents that had previously been opened, despite NARA's urging that withdrawals be kept to a minimum.
The re-review by CIA also resulted in a significant mishandling of the records, such that the order of the documents in many boxes was lost. (Some of the boxes remained in NARA's closed stacks until 2005 because researchers had not requested them until then.)

* Because of this unfortunate experience, NARA sought to establish more effective procedures in the event that any future re-reviews of open records might occur. In early 2001, NARA provided the CIA with an unclassified draft memorandum of understanding proposing such procedures. As noted above, NARA's principal interest was in ensuring that the records were properly handled and that the review of open records was done expeditiously in order to minimize the burden on researchers - i.e., avoid researcher complaints - as well as to minimize the number of records withdrawn. The CIA revised the draft, and classified it (and required that the document remain classified thereafter). A final MOU was signed on October 24, 2001. At the Archivist's request, the CIA agreed to declassify it on April 14, 2006.

* The CIA MOU also addressed CIA's concern that its association with the re-review effort, and the identification of its classified equities in other agencies' records, could itself, under certain circumstances, be classified information. Accordingly, it is not unheard of that the acknowledgement of one agency's classified equity in the records of another agency could be classified in itself and thus require protection from disclosure, including by referring any appeals to the denial of records to a different agency.
This issue is addressed in section 3.6(b) of Executive Order 12958, as amended, which states: "When an agency receives any request for documents in its custody that contain information that was originally classified by another agency, or comes across such documents in the process of the automatic declassification or systematic review provisions of this order, it shall refer copies of any request and the pertinent documents to the originating agency for processing, and may, after consultation with the originating agency, inform any requester of the referral unless such association is itself classified under this order or its predecessors." (Emphasis added.)

* Since the 2001 MOU, CIA has re-reviewed and withdrawn open records on at least three occasions.

* Subsequently, in 2002, the Air Force requested that NARA sign a similar classified MOU, to address a particular problem of improper declassification that they had identified. The Air Force MOU is modeled on the CIA MOU. NARA's interest in signing this MOU was the same as with the CIA MOU, i.e., to ensure that the records were properly handled, that the review of open records was done expeditiously in order to minimize the burden on researchers, and to minimize the number of records withdrawn. At the Archivist's request, the Air Force agreed to declassify a redacted version of the MOU on April 10, 2006. The MOU remains classified in part because compromise of that information will cause identifiable damage to national security.

* NARA's intent and practice has never been to hide the fact that agencies were engaged in efforts to re-review, and withdraw, open records because they had been inadvertently or improperly declassified. For example, NARA personnel discussed this review at the State Department's Historical Advisory Committee June 2003 meeting, the proceedings of which are published on the State Department's website (see http://www.state.gov/r/pa/ho/adcom/mtgnts/21201.htm).
NARA also readily responded in January 2006 to Matthew Aid's inquiry that such a program existed.

* NARA has no original classification authority, and is obligated to abide by the classification requirements of any document. This could include, for example, not acknowledging the presence of certain agency personnel or not identifying the fact that classified information in the records of one agency may belong to another agency, but only when those specific facts were classified. Nonetheless, the National Archives will never again enter into a classified agreement.

* Other re-reviews and withdrawals for classification of open records have occurred at NARA - at the behest both of NARA staff and other agencies - including at Presidential Libraries. NARA continues to identify instances where classified records were opened to the public without agencies having the opportunity to review them. However, until the ISOO audit, NARA had not systematically kept track of all these instances, and thus did not know the full extent of what had been withdrawn.

* In addition, following September 11, 2001, in response to the memorandum from Secretary Andrew Card to all agencies dealing with the safeguarding of information regarding weapons of mass destruction and other sensitive documents related to homeland security, NARA re-reviewed selected unclassified records under its "records of concern" program and has withdrawn unclassified documents that had previously been open to public access.

* The ISOO audit will provide more information on the classification re-reviews that have taken place and recommendations for policy guidance.

* NARA does not change or modify records in its custody, except to the extent that redactions are made when portions of records need to remain classified or are exempt for other reasons.
This background paper on NARA's involvement with the classified MOUs was prepared at the request of Professor Allen Weinstein, Archivist of the United States since February 2005.

Page URL: http://www.archives.gov/declassification/background.html
The U.S. National Archives and Records Administration
8601 Adelphi Road, College Park, MD 20740-6001
Telephone: 1-86-NARA-NARA or 1-866-272-6272

From rforno at infowarrior.org Mon Apr 17 21:26:34 2006
From: rforno at infowarrior.org (Richard Forno)
Date: Mon, 17 Apr 2006 21:26:34 -0400
Subject: [Infowarrior] - GAO on USG info-sharing of SBU material
Message-ID:

http://www.gao.gov/cgi-bin/getrpt?GAO-06-385

More than 4 years after September 11, the nation still lacks governmentwide policies and processes to help agencies integrate the myriad of ongoing efforts, including the agency initiatives we identified, to improve the sharing of terrorism-related information that is critical to protecting our homeland. Responsibility for creating these policies and processes shifted initially from the White House to the Office of Management and Budget (OMB), and then to the Department of Homeland Security, but none has yet completed the task. Subsequently, the Intelligence Reform Act called for creation of an Information Sharing Environment, including governing policies and processes for sharing, and a program manager to oversee its development. In December 2005, the President clarified the roles and responsibilities of the program manager, now under the Director of National Intelligence, as well as the new Information Sharing Council and the other agencies in support of creating an Information Sharing Environment by December 2006. At the time of our review, the program manager was in the early stages of addressing this mandate. He issued an interim implementation report with specified tasks and milestones to Congress in January 2006, but soon after announced his resignation.
This latest attempt to establish an overall information-sharing road map under the Director of National Intelligence, if it is to succeed once a new manager is appointed, will require the Director's continued vigilance in monitoring progress toward meeting key milestones, identifying any barriers to achieving them, and recommending any necessary changes to the oversight committees.

The agencies that GAO reviewed are using 56 different sensitive but unclassified designations (16 of which belong to one agency) to protect information that they deem critical to their missions -- for example, sensitive law or drug enforcement information or controlled nuclear information. For most designations there are no governmentwide policies or procedures that describe the basis on which an agency should assign a given designation and ensure that it will be used consistently from one agency to another. Without such policies, each agency determines what designations and associated policies to apply to the sensitive information it develops or shares. More than half the agencies reported challenges in sharing such information.

Finally, most of the agencies GAO reviewed have no policies for determining who and how many employees should have authority to make sensitive but unclassified designations, providing them training on how to make these designations, or performing periodic reviews to determine how well their practices are working. The lack of such recommended internal controls increases the risk that the designations will be misapplied. This could result in either unnecessarily restricting materials that could be shared or inadvertently releasing materials that should be restricted.
http://www.gao.gov/cgi-bin/getrpt?GAO-06-385

From rforno at infowarrior.org Tue Apr 18 08:08:37 2006
From: rforno at infowarrior.org (Richard Forno)
Date: Tue, 18 Apr 2006 08:08:37 -0400
Subject: [Infowarrior] - Abuses of surveillance cameras
Message-ID:

Abuses of surveillance cameras
last update: 12 April 2006

We are told that surveillance cameras are never abused by their operators, each of whom can supposedly be trusted not to use the awesome technology at their disposal to engage in despicable or outright illegal behavior. But this information is false: camera-operators are not angels; they are subject to the same prejudices, temptations and corruptions that we all struggle with; camera-operators get bored or arrogant and abuse their cameras on a regular basis. To confirm this, one only has to keep up with the news being reported from around the world, which is precisely what we plan to do here, on this page, in chronological order. (Click here for a listing of protests against surveillance cameras, and here for a listing of reports citing the ineffectiveness of video surveillance as a "crime-fighting" tool.)

< snip >

http://www.notbored.org/camera-abuses.html

From rforno at infowarrior.org Tue Apr 18 09:22:25 2006
From: rforno at infowarrior.org (Richard Forno)
Date: Tue, 18 Apr 2006 09:22:25 -0400
Subject: [Infowarrior] - MetriCon 1.0 Call for Papers
In-Reply-To: <041820061214.4128.4444D814000C3799000010202200761064CECFCFCFCF069D0E@comcast.net>
Message-ID:

From: Andrew Jaquith

MetriCon 1.0 - Announcement and Call for Participation
First Workshop on Security Metrics (MetriCon 1.0), August 1, 2006
Vancouver, B.C., Canada

Overview

Ever feel like Chicken Little? Wonder if letter grades, color codes, and/or duct tape are even a tiny bit useful? Cringe at the subjectivity applied to security in every manner? If so, MetriCon 1.0 may be your antidote to change security from an artistic "matter of opinion" into an objective, quantifiable science.
The time for adjectives and adverbs has gone; the time for numbers has come. MetriCon 1.0 is intended as a forum for lively, practical discussion in the area of security metrics. It is a forum for quantifiable approaches and results to problems afflicting information security today, with a bias towards practical, specific implementations. Topics and presentations will be selected for their potential to stimulate discussion in the Workshop.

Workshop Format

MetriCon 1.0 will be a one-day event, Tuesday, August 1, 2006, co-located with the 15th USENIX Security Symposium in Vancouver, B.C., Canada. Beginning first thing in the morning, with meals taken in the meeting room, and extending into the evening. Attendance will be by invitation and limited to 50 participants. All participants will be expected to "come with opinions" and be willing to address the group in some fashion, formally or not. Preference given to the authors of position papers/presentations who have actual work in progress. Each presenter will have 10-15 minutes to present his or her idea, followed by 15-20 minutes of discussion with the workshop participants. Panels may be convened to present different approaches to related topics, and will be steered by what sorts of proposals come in in response to this Call.

Goals and Topics

The goal of the workshop is to stimulate discussion of and thinking about security metrics and to do so in ways that lead to realistic, early results of lasting value. Potential attendees are invited to submit position papers to be shared with all. Such position papers are expected to address security metrics in one of the following categories:

- Benchmarking
- Empirical Studies
- Metrics Definitions
- Financial Planning
- Security/Risk Modeling
- Visualization

Practical implementations, real world case studies, and detailed models will be preferred over broader models or general ideas.

How to Participate

Submit a short position paper or description of work done/ongoing.
Your submission must be no longer than five (5) paragraphs or presentation slides. Author names and affiliations should appear first in/on the submission. Submissions may be in PDF, PowerPoint, HTML, or plaintext email and must be submitted to MetriCon AT securitymetrics.org. Presenters will be notified of acceptance by June 15, 2006 and expected to provide materials for distribution by July 15, 2006. All slides and position papers will be made available to participants at the workshop. No formal proceedings are intended.

Simultaneous submission of the same work to multiple venues, submission of previously published work, and plagiarism constitute dishonesty. The organizers of this Workshop as well as USENIX prohibit these practices and will take appropriate action if dishonesty of this sort is found.

Location

MetriCon 1.0 will be co-located with the 15th USENIX Security Symposium (Security '06).

Cost

$200 all-inclusive of meeting space, materials preparation, and meals for the day.

Important Dates

Requests to participate: by May 15, 2006
Notification of acceptance: by June 15, 2006
Materials for distribution: by July 15, 2006

Workshop Organizers

Andrew Jaquith, Yankee Group, Chair
Adam Shostack, emergentchaos.org
Gunnar Peterson, Artec Group
Elizabeth Nichols, ClearPoint Metrics
Pete Lindstrom, Spire Security
Dan Geer, Verdasys

From rforno at infowarrior.org Wed Apr 19 08:40:03 2006
From: rforno at infowarrior.org (Richard Forno)
Date: Wed, 19 Apr 2006 08:40:03 -0400
Subject: [Infowarrior] - A Pro-DRM FCC Commissioner
Message-ID:

April 18, 2006
A Pro-DRM FCC Commissioner
http://www.techliberation.com/archives/038231.php

Last night a FCC commissioner came out in favor of... DRM? Yes, at a reception sponsored by the DC Bar Association in her honor, Commissioner Deborah Taylor Tate, the newest addition to the FCC, spoke eloquently on a number of issues but perhaps most remarkable was her advocacy for strong copyright protections.
Hailing from The Music City, Nashville, this former Tennessee Regulatory Commissioner proclaimed her love for country music and the artists that wish to use DRM to protect their content. Now I have no beef with DRM and think content owners should be free to utilize any scheme they want if informed consumers are willing to spend money on it. But regardless of your views of DRM (and TLF bloggers differ I know), I don't think any of us here want the FCC to get more involved in this matter.

The broadcast flag was an FCC rule that allowed the recording of digital broadcasts only by approved hardware devices that could recognize whether or not a certain data stream can be recorded, or if there are any restrictions on recorded content. That rule was invalidated last year in a case before the D.C. Circuit Court of Appeals, which found that the FCC had exceeded its authority by creating this rule.

Commissioner Tate said that despite the FCC's lack of legal authority, she can still use her bully pulpit to bring awareness to content protection issues. Fair enough -- policymakers, even Supreme Court justices, use their position of prominence to discuss many issues. The convergence of communications and copyright is indeed a legitimate policy issue. Hopefully Commissioner Tate will use her pulpit to advocate for market-driven solutions, not greater FCC authority. She would be effective at this too. She comes across as warm and engaging and persuasive.

Copyright protection shouldn't be hindered by government through some sort of affirmative access requirement (see France). However, copyright protection shouldn't be mandated by government either -- hardware companies and content interests must learn to play together with the marketplace, not the Grand Ole FCC, as their venue.
From rforno at infowarrior.org Thu Apr 20 07:26:24 2006
From: rforno at infowarrior.org (Richard Forno)
Date: Thu, 20 Apr 2006 07:26:24 -0400
Subject: [Infowarrior] - (AF-1): The USAF still doesn't "get" the nature of the WWW
Message-ID:

(c/o D.)

San Francisco Chronicle:

A week after Pentagon officials ordered an Air Force base in Georgia to remove from its Web site security information about the two Air Force One aircraft, the data remained publicly available Tuesday. Officials at the Warner Robins Air Logistics Center did not ignore the Pentagon command to remove the information. In fact, within hours of the Air Force chief of staff's office learning of the online posting, Warner Robins authorities removed the technical order that had caused consternation at the Pentagon and White House.

The Air Force has discovered that once it -- or for that matter anyone -- places a Web page on a publicly accessible Internet site, that information moves into the public domain. "Once a page is out on the Net, Google and the Way Back Machine make copies ... for long-term archive," said Internet security expert Steve Gibson, president and founder of Gibson Research Corp.

Although the Air Force has attempted to put the proverbial genie back into the bottle, Gibson said the effort is all but a lost cause. Once something is on a public Web site, "there is nothing, from a technological standpoint, that can prevent anyone from copying the information. There should be no expectation that once published, that information can be withdrawn."

Martin Libicki, an expert in information warfare and security at Rand, was even more blunt. Once government data is released onto the Internet, he said, "it is gone."

The security information about Air Force One was originally placed online in order to save a small expense involved with creating and distributing CDs or manuals for personnel who needed access to the technical order.
The order described, among other things, anti-missile defenses carried by Air Force One that could be exploited by interests hostile to the United States. The disclosures went well beyond Air Force One. The order, which was successfully cached online, contained information about the countermeasures present -- and absent -- on all U.S. and NATO military aircraft. Much of this information was still available online Tuesday.

Air Force and Pentagon officials scrambled last week to remove the data after The Chronicle reported April 8 that the information had been posted on a public Web site. David Ferguson, an Air Force data security official at the Pentagon, acknowledged Tuesday the problems with using the Internet to disseminate information not intended for the general public.

"The Air Force has policy that says how (we) should share information (but) we can't ensure people read the policy. We do what we can to clean up the mess afterward," Ferguson said. In regard to people, such as bloggers, who copy and disseminate publicly accessible data, "legally there is not a lot we can do. ... We can appeal to their patriotism."

From rforno at infowarrior.org Thu Apr 20 07:29:26 2006
From: rforno at infowarrior.org (Richard Forno)
Date: Thu, 20 Apr 2006 07:29:26 -0400
Subject: [Infowarrior] - LiveJournal TOS to preclude adblocking...
Message-ID:

Interesting..... and I always said LJ was the more 'respectable' and user-friendly of the blog-type services. -rf

http://www.livejournal.com/legal/tos.bml

# ADVERTISEMENTS AND PROMOTIONS

You understand and agree that some or all of the Service may include advertisements and that these advertisements are necessary for LiveJournal to provide the Service. You also understand and agree that you will not obscure any advertisements from general view via HTML/CSS or any other means.
By using the Service, you agree that LiveJournal has the right to run such advertisements with or without prior notice, and without recompense to you or any other user. The manner, mode and extent of advertising by LiveJournal on your Content and throughout the Service are subject to change at LiveJournal's discretion. Your correspondence or business dealings with, or participation in promotions of, advertisers found on or through the Service, including payment and delivery of related goods or services, and any other terms, conditions, warranties or representations associated with such dealings, are solely between you and such advertiser. You agree that LiveJournal shall not be responsible or liable for any loss or damage of any sort incurred as the result of any such dealings or as the result of the presence of such advertisers on the Service.

From rforno at infowarrior.org Thu Apr 20 07:31:00 2006
From: rforno at infowarrior.org (Richard Forno)
Date: Thu, 20 Apr 2006 07:31:00 -0400
Subject: [Infowarrior] - Why the MP3.com Decision Was Never Appealed
Message-ID:

Why the MP3.com Decision Was Never Appealed
http://www.techliberation.com/archives/038260.php

In my DMCA paper I note in passing the sad case of MP3.com, which settled its copyright lawsuit after losing its case in district court, and before it could appeal the case. What I didn't realize is the reason the case wasn't appealed. I was delighted to receive an email from Michael Robertson, the founder of MP3.com (who has since founded Linspire and MP3tunes), who read the paper and wrote to explain why they didn't appeal the case:

We didn't want to settle. I wanted to take it to the appellate court for examination of our issues. However we weren't able to do this. This is because the media companies can elect for statutory damages.
So although they could not prove they were harmed even $1 (and we had ample evidence that they actually profited from our technology) they were able to elect statutory damages which meant potentially tens of billions of dollars in damages. The problem arises in that to appeal you have to first bond the judgment assuming you lose at any step. Well there's no way a small company can bond even a hundred million dollar award much less a multi-billion one. This means that the media companies can find just one judge to rule in their favor, elect statutory and the legal battle is over. No appellate court. No supreme court. One and done.

And as you probably know often with new issues Judges and lower courts are hesitant to make new law, but rather leave that up to the higher courts. So instead of a full legal hearing MP3.com got in front of one Judge in media company friendly NYC and the battle and war was over. That's not how our court system is supposed to work. It's too easy to get one Judge to misread a situation.

And misread it the judge did. In his poorly reasoned and over-literal opinion, Judge Rakoff describes MP3.com's service (which permitted legal owners of CDs to stream the music on those CDs to other computers via the Internet) as an unauthorized retransmission of the content through another medium. It seems not to have occurred to him that all digital media devices work by converting content from one format to another. Nor did he seem to find it relevant that the music was being "retransmitted" to people who had already purchased a legal copy of the CD containing the music.

I hadn't realized the pernicious effect of statutory damages in the case. The appeals court may or may not have overruled the decision (I think they should have), but they deserved the chance to appeal.
From rforno at infowarrior.org Thu Apr 20 08:49:38 2006
From: rforno at infowarrior.org (Richard Forno)
Date: Thu, 20 Apr 2006 08:49:38 -0400
Subject: [Infowarrior] - Microsoft admits hiding vuln details
Message-ID:

Microsoft Patches: When Silence Isn't Golden
April 19, 2006
By Ryan Naraine
http://www.eweek.com/print_article2/0,1217,a=176124,00.asp

Microsoft has 'fessed up to hiding details on software vulnerabilities that are discovered internally, insisting that full disclosure of every security-related product change only serves to aid attackers.

The company's admission follows criticisms from a security researcher that its policy of silently fixing software flaws is "misleading" and not in the spirit of Microsoft's push for transparency.

In an interview with eWEEK, Mike Reavey, operations manager of the MSRC (Microsoft Security Response Center), said the company's policy is to document the existence of internally discovered flaws as well as the area of functionality where the change occurred, but that full details on the fixes are withheld for a very good reason.

"We want to make sure we don't give attackers any [additional] information that could be used against our customers. There is a balance between providing information to assess risk and giving out information that aids attackers," Reavey said.

When Microsoft receives a report of a security flaw from external researchers, Reavey said, the MSRC conducts an extensive investigation to look at all the surrounding code to make sure a comprehensive fix is pushed out the door. If a related bug is found internally, it will be fixed in the eventual patch, he said, but the details will be kept under wraps.

However, critics argue that silent fixes have a way of backfiring and hurting businesses that depend on information from the vendor to determine deployment time frames and the actual severity of the patched vulnerability.

According to eEye Digital Security, which sells host-based IPS (intrusion prevention system) technology, silent fixes from Microsoft are commonplace.

"It is the skeleton in Microsoft's closet. We routinely find them," said Steve Manzuik, product manager of eEye's security research team, in Aliso Viejo, Calif.

In an interview with eWEEK, Manzuik said Microsoft has been silently fixing bugs as far back as 2004. He referred to the company's MS04-007 bulletin as a classic example of Microsoft announcing a fix for a single vulnerability when in fact a total of seven flaws were quietly fixed.

Manzuik's team presented a research paper on its findings at the Black Hat Briefings in Europe earlier in 2006 to highlight the problems with withholding details on fixes from customers.

"Microsoft's customers depend on that information to figure out how to respond to Patch Tuesday. The reality is, system administrators will delay deploying a patch based on the details of the bulletin. When details aren't included, he won't install that patch. That is a big problem," Manzuik said.

He said IT departments do not have the skill or resources to reverse-engineer every patch.

"They are simply left in the dark and may ignore a patch that is super-critical to their environment. Meanwhile, the bad guy has spent the time to find out what was silently fixed," Manzuik said, arguing that Microsoft has a responsibility to make sure businesses are fully informed about software changes.

"I don't buy the argument that they are aiding attackers. The attackers are already reverse-engineering the patches. They have the time and resources to find out where the flaw lies. The guy that feels the pain is the system administrator who is in the dark and who can't do his own reverse-engineering," Manzuik said.

Matthew Murphy, the independent researcher who flagged the issue after finding silent fixes in the April batch of patches, said third-party vendors that incorporate code from Microsoft are also hurt by the lack of full disclosure.

Murphy outlined a recent case where anti-virus vendor Trend Micro got burned by a silent fix pushed out by Microsoft. That issue revolved around a bug in Visual Studio that was reported to Microsoft in 2002 but remained unfixed for several years. Microsoft eventually fixed the bug but information was withheld, causing Trend Micro to unwittingly use the vulnerable code in its products, putting its customers at risk of a heap overflow vulnerability that could be used in code execution attacks.

Manzuik also pointed out that businesses rely heavily on host-based IPS technology to secure valuable assets while patches are being tested for deployment. "Some of these IPS products need information from the software vendor to create signatures. How can you create a signature for a flaw if you don't know the location of the flaw? We have proven that signature-based technology can be bypassed to exploit these silently fixed flaws," he said.

Reavey said businesses should use Microsoft's severity rating system to help with patch deployment timetables. "It's important to remember that the best way to be safe and secure is to apply all the updates. We are providing patches for everything. We still recommend a defense-in-depth strategy that includes IPS and IDS [intrusion detection system] technology, but customers should use our severity ratings system and apply the patches," he said.

Copyright (c) 2006 Ziff Davis Media Inc. All Rights Reserved.
From rforno at infowarrior.org Thu Apr 20 12:27:35 2006
From: rforno at infowarrior.org (Richard Forno)
Date: Thu, 20 Apr 2006 12:27:35 -0400
Subject: [Infowarrior] - DNI Civil Liberties Protection Officer Appointed
Message-ID:

New U.S. Post Aims to Guard Public's Privacy
By ANNE MARIE SQUEO
April 20, 2006; Page B1
http://online.wsj.com/public/article_print/SB114549771456130732-fNMKc3AWRNO7Kt58oXWNzzR_pms_20060519.html

As the son of a U.S. aid worker stationed in Guatemala during the 1970s civil war, Alex Joel recalls being unable to tell the good guys from the bad as both armed soldiers and civilians alike would order his family out of their car to search it.

Those first-hand brushes with totalitarianism, says Mr. Joel, have led him to take the rights of individuals very seriously. Given that he was recently named as the first civil-liberties protection officer for the U.S. Office of the Director of National Intelligence, such talk is reassuring to privacy advocates.

Mr. Joel's appointment to his new role, in fact, is one of several steps the Bush administration is taking to soothe concerns about civil liberties. Under siege for compromising privacy rights, most recently because of a National Security Agency program to monitor communications between people in the U.S. and overseas terrorist suspects, the administration is creating several privacy-related posts at government agencies.

In February, the Justice Department named Jane Horvath its first chief privacy and civil-liberties officer, making her responsible for developing and ensuring compliance with privacy and civil-liberties policies, specifically as they relate to counterterrorism and law-enforcement efforts. The Department of Homeland Security splits the job between a chief privacy officer and an officer for civil rights and civil liberties. Mr. Joel's role is even broader because numerous intelligence agencies report up to the director of National Intelligence.

While even critics of the administration applaud the effort, they question what authority these officials have. Unlike inspectors general at federal agencies, these privacy officers lack the subpoena power necessary to conduct investigations and don't report to Congress.

"We've been supportive of this concept, but the administration has got to give these people more leeway to play the role that's been pitched," says Caroline Fredrickson, director of the Washington office of the American Civil Liberties Union. "I don't think they can do that under the circumstances."

Mr. Joel's immediate supervisor, Director of National Intelligence John Negroponte, says his privacy chief's role is vital to the process. "We are fully committed to protecting Americans' privacy and civil liberties while defending our national security," says Mr. Negroponte.

Mr. Joel has a multinational heritage. His father, who worked for the U.S. Agency for International Development, is a German Jew who escaped the Nazis. His mother is an émigré from Korea. A 41-year-old graduate of Princeton University and the University of Michigan's law school, he spent four years as an officer in the Army's Judge Advocate General's Corps, working as both a prosecutor and a defense attorney. He later worked in the Central Intelligence Agency's general counsel's office and as a privacy attorney at Marriott International Inc.

When the NSA wiretapping program began, Mr. Joel wasn't working for the intelligence office, but he says he has reviewed it and finds no problems. The classified nature of the agency's surveillance work makes it difficult to discuss, but he suggests that fears about what the government might be doing are overblown. "Although you might have concerns about what might potentially be going on, those potentials are not actually being realized and if you could see what was going on, you would be reassured just like everyone else," he says.

And therein lies the problem he faces: how to provide enough insight into government intelligence efforts to ease concerns about privacy invasions while protecting the usefulness of secret programs.

In the aftermath of the 2001 attacks, intelligence and law-enforcement agencies were pilloried for having failed to piece together clues of the attacks. Critics cited their use of antiquated computer technologies and lack of information sharing as chief problems. The alternative, though, has raised the hackles of civil-liberties groups and private citizens who fear the misuse of personal information by a government without proper oversight.

Mr. Joel's mission, like those of the other privacy cops, appears aimed more at policy than policing. While there might be occasion to look into complaints, he says most of his work is focused on creating a dialogue with government officials, intelligence operatives and others so they're thinking about privacy and civil liberties and ways to tailor a program to ensure rights aren't compromised. He says that if he thought a program went too far and those responsible weren't responding to his concerns, he would be able to have Mr. Negroponte and other agency heads help make his case more forceful.

His office is also looking at technologies that promote "anonymization," or the ability to allow computer systems to share and match critical information without revealing personal details to humans. The technology works by allowing personal data to be anonymous and shared -- say to compare an airline passenger list and a terrorist-watch list -- with the government getting only data on the exact matches. This allows airlines, for example, to avoid having to turn over passenger data wholesale to the government.

"One of the things I've tried to champion is finding ways to draw the circle around the secret a little more tightly," says Mr. Joel.
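The anonymized list matching Mr. Joel describes, as an added example that is not from the article or from any government system: both sides canonicalise each record and tag it with a keyed hash, so the comparison step sees only opaque tokens and returns nothing but the exact matches. The passenger and watch-list records are constructed, the key-handling is an assumption of this example, and the un-keyed variant at the end shows why plain hashing of names is not anonymization.

```python
import hashlib
import hmac
import secrets
import unicodedata

# Constructed sample records (row id -> (name, date of birth)); the people
# are invented for this example.
PASSENGERS = {
    "P001": ("Ana María López", "1975-02-11"),
    "P002": ("John Q. Public", "1968-09-30"),
    "P003": ("Wei Zhang", "1981-12-05"),
}
WATCHLIST = {
    "W17": ("ana maria lopez", "1975-02-11"),  # same person, spelled differently
    "W42": ("Wei Zhang", "1990-01-01"),        # same name, other birth date: no match
    "W99": ("Ivan Petrov", "1972-07-19"),
}


def normalize(name, dob):
    """Canonicalise an identifier so both parties tokenise it identically.

    Accents are stripped, case is folded, punctuation and extra spaces are
    removed; the birth date is assumed to be in ISO form on both sides.
    """
    plain = unicodedata.normalize("NFKD", name).encode("ascii", "ignore").decode()
    plain = " ".join(plain.casefold().replace(".", " ").split())
    return f"{plain}|{dob}"


def tokenize(records, key):
    """Return {HMAC-SHA256 token: row id}.  Only the tokens leave the holder."""
    return {
        hmac.new(key, normalize(*rec).encode(), hashlib.sha256).hexdigest(): rid
        for rid, rec in records.items()
    }


def match(passenger_tokens, watch_tokens):
    """The comparison step: whoever runs it sees tokens and learns only the overlap."""
    shared = passenger_tokens.keys() & watch_tokens.keys()
    return sorted((passenger_tokens[t], watch_tokens[t]) for t in shared)


def run_matching(key=None):
    """Full flow: each side tokenises with the agreed key; only matches come back.

    With a shared key, whoever holds it can still test guesses against the
    tokens, so this narrows the disclosure rather than eliminating it; a
    private-set-intersection protocol would close that remaining gap.
    """
    key = key or secrets.token_bytes(32)
    return match(tokenize(PASSENGERS, key), tokenize(WATCHLIST, key))


def unkeyed_token(name, dob):
    """The 'just hash it' variant: no key, so the token is a fixed function of the name."""
    return hashlib.sha256(normalize(name, dob).encode()).hexdigest()


def dictionary_recovery(tokens, candidates):
    """Why unkeyed hashing is not anonymization: hash plausible records and
    see which tokens they reproduce.  Names carry little entropy, so a
    modest candidate list recovers most of a leaked list."""
    hits = {}
    for cand in candidates:
        tok = unkeyed_token(*cand)
        if tok in tokens:
            hits[tok] = cand
    return hits


if __name__ == "__main__":
    print("keyed matches:", run_matching())
    leaked = {unkeyed_token(*rec) for rec in PASSENGERS.values()}
    guesses = [("john q public", "1968-09-30"), ("nobody here", "2000-01-01")]
    print("recovered from unkeyed tokens:",
          list(dictionary_recovery(leaked, guesses).values()))
```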
By doing that, he says, there are things related to a program that can be discussed to ameliorate concerns without giving up its essence.

There is institutional backlash to such a notion: Intelligence and law-enforcement officials contend that making public any element of secret efforts jeopardizes success. Changing their minds, Mr. Joel concedes, won't be easy.

"There is no silver-bullet answer," he says of balancing privacy and national security. "There are actually a lot of silver BBs and if you put enough of those together in a coherent way, wrap it with good policy, procedures and training, then you can have the same impact as a silver bullet."

Write to Anne Marie Squeo at annemarie.squeo at wsj.com

From rforno at infowarrior.org Thu Apr 20 14:59:17 2006
From: rforno at infowarrior.org (Richard Forno)
Date: Thu, 20 Apr 2006 14:59:17 -0400
Subject: [Infowarrior] - RFC: Federal Plan for Cyber Security and Information Assurance Research and Development
In-Reply-To: <20060419163639.49206.qmail@web36409.mail.mud.yahoo.com>
Message-ID:

http://www.nitrd.gov/

Public comment on the Plan is welcome during a two-week comment period. Please send any comments to csia-plan-comments at nitrd.gov before April 28, 2006.

The National Science and Technology Council (NSTC), a Cabinet-level Council that coordinates science and technology policies across the Federal Government, today released the Federal Plan for Cyber Security and Information Assurance Research and Development. This report sets out a framework for multi-agency coordination of Federal R&D investments in technologies that can better secure the interconnected computing systems, networks, and information that together make up the U.S. information technology (IT) infrastructure.

"This country's IT infrastructure -- which includes not only the public Internet but also the networking and IT systems that control critical infrastructures ranging from power grids to emergency communications systems -- is vital not only to our national and homeland security but to our economic security," said John H. Marburger III, Science Adviser to the President and Director of the Office of Science and Technology Policy. "This report provides a blueprint for coordination of Federal R&D across agencies that will maximize the impact of investments in this key area of the national interest."

The Federal Plan for Cyber Security and Information Assurance outlines strategic objectives for coordinated Federal R&D in cyber security and information assurance (CSIA). The Plan presents a broad range of CSIA R&D technical topics and identifies those topics that are multi-agency technical and funding priorities. The Plan's findings and recommendations address R&D priority-setting, coordination, fundamental R&D, emerging technologies, roadmapping, and metrics. Together with commentaries about the CSIA R&D technical topics that describe their significance, the current state of the art, and gaps in current capabilities, these elements provide a baseline for implementing the Plan's recommendations.

The Plan was prepared by the Interagency Working Group (IWG) on Cyber Security and Information Assurance (CSIA), whose members represent more than 20 government organizations. The CSIA IWG operates under the auspices of the NSTC's Subcommittee on Infrastructure and Subcommittee on Networking and Information Technology Research and Development (NITRD).

The Federal Plan for Cyber Security and Information Assurance Research and Development is available on the NITRD Program Web site: http://www.nitrd.gov/.
=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=
Cybertelecom :: Federal Internet Law & Policy
www.cybertelecom.org

From rforno at infowarrior.org Fri Apr 21 08:16:35 2006
From: rforno at infowarrior.org (Richard Forno)
Date: Fri, 21 Apr 2006 08:16:35 -0400
Subject: [Infowarrior] - Google in China: The Big Disconnect
Message-ID:

April 23, 2006
Google in China: The Big Disconnect
By CLIVE THOMPSON
http://www.nytimes.com/2006/04/23/magazine/23google.html?pagewanted=print

(This article is a preview of this weekend's Times magazine.)

For many young people in China, Kai-Fu Lee is a celebrity. Not quite on the level of a movie star like Edison Chen or the singers in the boy band F4, but for a 44-year-old computer scientist who invariably appears in a somber dark suit, he can really draw a crowd. When Lee, the new head of operations for Google in China, gave a lecture at one Chinese university about how young Chinese should compete with the rest of the world, scalpers sold tickets for $60 apiece. At another, an audience of 8,000 showed up; students sprawled out on the ground, fixed on every word.

It is not hard to see why Lee has become a cult figure for China's high-tech youth. He grew up in Taiwan, went to Columbia and Carnegie-Mellon and is fluent in both English and Mandarin. Before joining Google last year, he worked for Apple in California and then for Microsoft in China; he set up Microsoft Research Asia, the company's research-and-development lab in Beijing. In person, Lee exudes the cheery optimism of a life coach; last year, he published "Be Your Personal Best," a fast-selling self-help book that urged Chinese students to adopt the risk-taking spirit of American capitalism. When he started the Microsoft lab seven years ago, he hired dozens of China's top graduates; he will now be doing the same thing for Google. "The students of China are remarkable," he told me when I met him in Beijing in February. "There is a huge desire to learn."
Lee can sound almost evangelical when he talks about the liberating power of technology. The Internet, he says, will level the playing field for China's enormous rural underclass; once the country's small villages are connected, he says, students thousands of miles from Shanghai or Beijing will be able to access online course materials from M.I.T. or Harvard and fully educate themselves. Lee has been with Google since only last summer, but he wears the company's earnest, utopian ethos on his sleeve: when he was hired away from Microsoft, he published a gushingly emotional open letter on his personal Web site, praising Google's mission to bring information to the masses. He concluded with an exuberant equation that translates as "youth + freedom + equality + bottom-up innovation + user focus + don't be evil = The Miracle of Google."

When I visited with Lee, that miracle was being conducted out of a collection of bland offices in downtown Beijing that looked as if they had been hastily rented and occupied. The small rooms were full of eager young Chinese men in hip sweatshirts clustered around enormous flat-panel monitors, debugging code for new Google projects. "The ideals that we uphold here are really just so important and noble," Lee told me. "How to build stuff that users like, and figure out how to make money later. And 'Don't Do Evil'" -- he was referring to Google's bold motto, "Don't Be Evil" -- "all of those things. I think I've always been an idealist in my heart."

Yet Google's conduct in China has in recent months seemed considerably less than idealistic. In January, a few months after Lee opened the Beijing office, the company announced it would be introducing a new version of its search engine for the Chinese market. To obey China's censorship laws, Google's representatives explained, the company had agreed to purge its search results of any Web sites disapproved of by the Chinese government, including Web sites promoting Falun Gong, a government-banned spiritual movement; sites promoting free speech in China; or any mention of the 1989 Tiananmen Square massacre. If you search for "Tibet" or "Falun Gong" most anywhere in the world on google.com, you'll find thousands of blog entries, news items and chat rooms on Chinese repression. Do the same search inside China on google.cn, and most, if not all, of these links will be gone. Google will have erased them completely.

Google's decision did not go over well in the United States. In February, company executives were called into Congressional hearings and compared to Nazi collaborators. The company's stock fell, and protesters waved placards outside the company's headquarters in Mountain View, Calif. Google wasn't the only American high-tech company to run aground in China in recent months, nor was it the worst offender. But Google's executives were supposed to be cut from a different cloth. When the company went public two years ago, its telegenic young founders, Sergey Brin and Larry Page, wrote in the company's official filing for the Securities and Exchange Commission that Google is "a company that is trustworthy and interested in the public good." How could Google square that with making nice with a repressive Chinese regime and the Communist Party behind it?

It was difficult for me to know exactly how Lee felt about the company's arrangement with China's authoritarian leadership. As a condition of our meeting, Google had demanded that I not raise the issue of government relations; only the executives in Google's California head office were allowed to discuss those matters.
But as Lee and I talked about how the Internet was transforming China, he offered one opinion that seemed telling: the Chinese students he meets and employs, Lee said, do not hunger for democracy. "People are actually quite free to talk about the subject," he added, meaning democracy and human rights in China. "I don't think they care that much. I think people would say: 'Hey, U.S. democracy, that's a good form of government. Chinese government, good and stable, that's a good form of government. Whatever, as long as I get to go to my favorite Web site, see my friends, live happily.'" Certainly, he said, the idea of personal expression, of speaking out publicly, had become vastly more popular among young Chinese as the Internet had grown and as blogging and online chat had become widespread. "But I don't think of this as a political statement at all," Lee said. "I think it's more people finding that they can express themselves and be heard, and they love to keep doing that."

It sounded to me like company spin -- a curiously deflated notion of free speech. But spend some time among China's nascent class of Internet users, as I have these past months, and you begin to hear such talk somewhat differently. Youth + freedom + equality + don't be evil is an equation with few constants and many possible solutions. What is freedom, just now, to the Chinese? Are there gradations of censorship, better and worse ways to limit information? In America, that seems like an intolerable question -- the end of the conversation. But in China, as Google has discovered, it is just the beginning.

Cultural Differences

Google was not, in fact, a pioneer in China. Yahoo was the first major American Internet company to enter the market, introducing a Chinese-language version of its site and opening up an office in Beijing in 1999. Yahoo executives quickly learned how difficult China was to penetrate -- and how baffling the country's cultural barriers can be for Americans. Chinese businesspeople, for example, rarely rely on e-mail, because they find the idea of leaving messages to be socially awkward. They prefer live exchanges, which means they gravitate to mobile phones and short text messages instead. (They avoid voicemail for the same reason; during the weeks I traveled in China, whenever I called a Chinese executive whose phone was turned off, I would get a recording saying that the person was simply "unavailable," and the phone would not accept messages.)

The most popular feature of the Internet for Chinese users -- much more so than in the United States -- is the online discussion board, where long, rollicking arguments and flame wars spill on for thousands of comments. Baidu, a Chinese search engine that was introduced in 2001 as an early competitor to Yahoo, capitalized on the national fervor for chat and invented a tool that allows people to create instant discussion groups based on popular search queries. When users now search on baidu.com for the name of the Chinese N.B.A. star Yao Ming, for example, they are shown not only links to news reports on his games; they are also able to join a chat room with thousands of others and argue about him. Baidu's chat rooms receive as many as five million posts a day.

As Yahoo found, these cultural nuances made the sites run by American companies feel simply foreign to Chinese users -- and drove them instead to local portals designed by Chinese entrepreneurs. These sites, including Sina.com and Sohu.com, had less useful search engines, but they were full of links to chat rooms and government-approved Chinese-language news sites. Nationalist feelings might have played a role, too, in the success Chinese-run sites enjoyed at Yahoo's expense. "There's now a very strong sense of pride in supporting the local guy," I was told by Andrew Lih, a Chinese-American professor of media studies at the University of Hong Kong.

Yahoo also was slow to tap into another powerful force in Chinese life: rampant piracy. In most parts of the West, after the Napster wars, movie and music piracy is increasingly understood as an illicit activity; it thrives, certainly, but there is now a stigma against taking too much intellectual content without paying for it. (Hence the success of iTunes.) In China, downloading illegal copies of music, movies and software is as normal and accepted as checking the weather online. Baidu's executives discovered early on that many young users were using the Internet to hunt for pirated MP3's, so the company developed an easy-to-use interface specifically for this purpose. When I sat in an Internet cafe in Beijing one afternoon, a teenager with mutton-chop sideburns a few chairs over from me sipped a Coke and watched a samurai movie he'd downloaded free, while his friends used Baidu to find and pull down pirated tracks from the 50 Cent album "Get Rich or Die Tryin'." Almost one-fifth of Baidu's traffic comes from searching for unlicensed MP3's that would be illegal in the United States. Robin Li, Baidu's 37-year-old founder and C.E.O., is unrepentant. "Right now I think that the record companies may not be happy about the service we are offering," he told me recently, "but I think digital music as a trend is unstoppable."

At first, Google took a different approach to the Chinese market than Yahoo did. In early 2000, Google's engineers quietly set about creating a version of their search engine that could understand character-based Asian languages like Chinese, Japanese and Korean. By the end of the year, they had put up a clunky but serviceable Chinese-language version of Google's home page. If you were in China and surfed over to google.com in 2001, Google's servers would automatically detect that you were inside the country and send you to the Chinese-language search interface, much in the same way google.com serves up a French-language interface to users in France.
While Baidu appealed to young MP3 hunters, Google became popular with a different set: white-collar urban professionals in the major Chinese cities, aspirational types who follow Western styles and sprinkle English words into conversation, a class that prides itself on being cosmopolitan rather than nationalistic. By pulling in that audience, Google by the end of 2002 achieved a level of success that had eluded Yahoo: it amassed an estimated 25 percent of all search traffic in China -- and it did so working entirely from California, far outside the Chinese government's sphere of influence.

The Great Firewall

Then on Sept. 3, 2002, Google vanished. Chinese workers arrived at their desks to find that Google's site was down, with just an error page in its place. The Chinese government had begun blocking it.

China has two main methods for censoring the Web. For companies inside its borders, the government uses a broad array of penalties and threats to keep content clean. For Web sites that originate anywhere else in the world, the government has another impressively effective mechanism of control: what techies call the Great Firewall of China.

When you use the Internet, it often feels placeless and virtual, but it's not. It runs on real wires that cut through real geographical boundaries. There are three main fiber-optic pipelines in China, giant underground cables that provide Internet access for the public and connect China to the rest of the Internet outside its borders. The Chinese government requires the private-sector companies that run these fiber-optic networks to specially configure "router" switches at the edge of the network, where signals cross into foreign countries. These routers -- some of which are made by Cisco Systems, an American firm -- serve as China's new censors.

If you log onto a computer in downtown Beijing and try to access a Web site hosted on a server in Chicago, your Internet browser sends out a request for that specific Web page. The request travels over one of the Chinese pipelines until it hits the routers at the border, where it is then examined. If the request is for a site that is on the government's blacklist -- and there are lots of them -- it won't get through. If the site isn't blocked wholesale, the routers then examine the words in the requested page's Internet address for blacklisted terms. If the address contains a word like "falun" or even a coded term like "198964" (which Chinese dissidents use to signify June 4, 1989, the date of the Tiananmen Square massacre), the router will block the signal. Back in the Internet cafe, your browser will display an error message.

The filters can be surprisingly sophisticated, allowing certain pages from a site to slip through while blocking others. While I sat at one Internet cafe in Beijing, the government's filters allowed me to surf the entertainment and sports pages of the BBC but not its news section.

Google posed a unique problem for the censors: Because the company had no office at the time inside the country, the Chinese government had no legal authority over it -- no ability to demand that Google voluntarily withhold its search results from Chinese users. And the firewall only half-worked in Google's case: it could block sites that Google pointed to, but in some cases it would let slip through a list of search results that included banned sites. So if you were in Shanghai and you searched for "human rights in China" on google.com, you would get a list of search results that included Human Rights in China (hrichina.org), a New York-based organization whose Web site is banned by the Chinese government. But if you tried to follow the link to hrichina.org, you would get nothing but an error message; the firewall would block the page. You could see that the banned sites existed, in other words, but you couldn't reach them. Government officials didn't like this situation -- Chinese citizens were receiving constant reminders that their leaders felt threatened by certain subjects -- but Google was popular enough that they were reluctant to block it entirely.

In 2002, though, something changed, and the Chinese government decided to shut down all access to Google. Why? Theories abound. Sergey Brin, the co-founder of Google, whose responsibilities include government relations, told me that he suspects the block might have been at the instigation of a competitor -- one of its Chinese rivals. Brin is too diplomatic to accuse anyone by name, but various American Internet executives told me they believe that Baidu has at times benefited from covert government intervention. A young Chinese-American entrepreneur in Beijing told me that she had heard that the instigator of the Google blockade was Baidu, which in 2002 had less than 3 percent of the search market compared with Google's 24 percent. "Basically, some Baidu people sat down and did hundreds of searches for banned materials on Google," she said. (Like many Internet businesspeople I spoke with in China, she asked to remain anonymous, fearing retribution from the authorities.) "Then they took all the results, printed them up and went to the government and said, 'Look at all this bad stuff you can find on Google!' That's why the government took Google offline."

Baidu strongly denies the charge, and when I spoke to Guo Liang, a professor at the Chinese Academy of Social Sciences in Beijing, he dismissed the idea and argued that Baidu is simply a stronger competitor than Google, with a better grasp of Chinese desires. Still, many Beijing high-tech insiders told me that it is common for domestic Internet firms to complain to the government about the illicit content of competitors, in the hope that their rivals will suffer the consequences. In China, the censorship regime is not only a political tool; it is also a competitive one -- a cudgel that private firms use to beat one another with.
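The two-stage border-router check described in the Great Firewall section above (a blacklist of whole sites, then a scan of the requested address for terms such as "falun" or "198964"), modelled as an added example; this is not code from the article or from any real router. The host list, the per-path rule standing in for the BBC case and the sample requests are constructed, and the last function reproduces the half-working case where a results page served from outside passes while the sites it lists do not.

```python
from urllib.parse import urlsplit

# Constructed rule sets for the model.  hrichina.org is the site the article
# says was blocked; "falun" and "198964" are the terms it names.  The per-path
# rule stands in for the BBC case (sport allowed, news blocked) on a reserved
# example domain.
BLOCKED_HOSTS = {"hrichina.org"}
BLOCKED_TERMS = ("falun", "198964")
BLOCKED_PATH_PREFIXES = {"bbc.example": ("/news",)}


def classify(url):
    """Return ("block", reason) or ("allow", "") for one requested address.

    Stage 1 looks at the destination site; stage 2 looks only at the words in
    the address, never at page content, which is why per-page decisions are
    possible but crude.
    """
    parts = urlsplit(url)
    host = (parts.hostname or "").casefold()

    # Stage 1: wholesale block of a site and its subdomains.
    if host in BLOCKED_HOSTS or any(host.endswith("." + b) for b in BLOCKED_HOSTS):
        return "block", f"host {host} on blacklist"

    # Stage 1b: partly blocked sites, decided by path prefix.
    for prefix in BLOCKED_PATH_PREFIXES.get(host, ()):
        if parts.path.startswith(prefix):
            return "block", f"path {parts.path} blocked for {host}"

    # Stage 2: blacklisted terms anywhere in the path or query string.
    address = f"{parts.path}?{parts.query}".casefold()
    for term in BLOCKED_TERMS:
        if term in address:
            return "block", f"term {term!r} in address"

    return "allow", ""


def follow_results(results_url, result_links):
    """Model the Google case: the results page passes, the listed sites may not.

    The search page comes from an unblocked host with no blacklisted word in
    its query, so the list of banned sites is visible; following any listed
    link is a new request that stage 1 catches.
    """
    return {
        "results_page": classify(results_url)[0],
        "links": {link: classify(link)[0] for link in result_links},
    }


if __name__ == "__main__":
    for url in (
        "http://hrichina.org/",
        "http://www.google.com/search?q=falun+gong",
        "http://bbc.example/sport/football",
        "http://bbc.example/news/world",
    ):
        print(url, "->", classify(url))
    print(follow_results("http://www.google.com/search?q=human+rights+in+china",
                         ["http://hrichina.org/", "http://rights.example/report"]))
```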
Self-Discipline Awards

When I visited a dingy Internet cafe one November evening in Beijing, its 120 or so cubicles were crammed with teenagers. (Because computers and home Internet connections are so expensive, many of China's mostly young Internet users go online in these cafes, which charge mere pennies per hour and provide fast broadband -- and cold soft drinks.) Everyone in the cafe looked to be settled in for a long evening of lightweight entertainment: young girls in pink and yellow Hello Kitty sweaters juggled multiple chat sessions, while upstairs a gang of young Chinese soldiers in olive-drab coats laughed as they crossed swords in the medieval fantasy game World of Warcraft. On one wall, next to a faded kung-fu movie poster, was a yellow sign that said, in Chinese characters, "Do not go to pornographic or illegal Web sites." The warning seemed almost beside the point; nobody here looked even remotely likely to be hunting for banned Tiananmen Square retrospectives.

I asked the cafe manager, a man with huge aviator glasses and graying hair, how often his clients try to view illegal content. Not often, he said with a chuckle, and when they do, it's usually pornography. He said he figured it was the government's job to keep banned materials inaccessible. "If it's not supposed to be seen," he said, "it's not supposed to be seen."

One mistake Westerners frequently make about China is to assume that the government is furtive about its censorship. On the contrary, the party is quite matter of fact about it -- proud, even. One American businessman who would speak only anonymously told me the story of attending an award ceremony last year held by the Internet Society of China for Internet firms, including the major Internet service providers. "I'm sitting there in the audience for this thing," he recounted, "and they say, 'And now it's time to award our annual Self-Discipline Awards!' And they gave 10 companies an award. They gave them a plaque. They shook hands.
The minister was there; he took his picture with each guy. It was basically like Excellence in Self-Censorship -- and everybody in the audience is, like, clapping."

Internet censorship in China, this businessman explained, is presented as a benevolent police function. In January, the Shenzhen Public Security Bureau created two cuddly little anime-style cartoon "Internet Police" mascots named "Jingjing" and "Chacha"; each cybercop has a blog and a chat window where Chinese citizens can talk to them. As a Shenzhen official candidly told The Beijing Youth Daily, "The main function of Jingjing and Chacha is to intimidate." The article went on to explain that the characters are there "to publicly remind all Netizens to be conscious of safe and healthy use of the Internet, self-regulate their online behavior and maintain harmonious Internet order together."

Intimidation and "self-regulation" are, in fact, critical to how the party communicates its censorship rules to private-sector Internet companies. To be permitted to offer Internet services, a private company must sign a license agreeing not to circulate content on certain subjects, including material that "damages the honor or interests of the state" or "disturbs the public order or destroys public stability" or even "infringes upon national customs and habits." One prohibition specifically targets "evil cults or superstition," a clear reference to Falun Gong. But the language is, for the most part, intentionally vague. It leaves wide discretion for any minor official in China's dozens of regulatory agencies to demand that something he finds offensive be taken offline.

Government officials from the State Council Information Office convene weekly meetings with executives from the largest Internet service companies -- particularly major portals that run news stories and host blogs and discussion boards -- to discuss what new topics are likely to emerge that week that the party would prefer be censored.
"It's known informally as the 'wind-blowing meeting' -- in other words, which way is the wind blowing," the American businessman told me. The government officials provide warnings for the days ahead, he explained. "They say: 'There's this party conference going on this week. There are some foreign dignitaries here on this trip.'"

American Internet firms typically arrive in China expecting the government to hand them an official blacklist of sites and words they must censor. They quickly discover that no master list exists. Instead, the government simply insists the firms interpret the vague regulations themselves. The companies must do a sort of political mind reading and intuit in advance what the government won't like. Last year, a list circulated online purporting to be a blacklist of words the government gives to Chinese blogging firms, including "democracy" and "human rights." In reality, the list had been cobbled together by a young executive at a Chinese blog company. Every time he received a request to take down a posting, he noted which phrase the government had objected to, and after a while he developed his own list simply to help his company avoid future hassles.

The penalty for noncompliance with censorship regulations can be serious. An American public-relations consultant who recently worked for a major domestic Chinese portal recalled an afternoon when Chinese police officers burst into the company's offices, dragged the C.E.O. into a conference room and berated him for failing to block illicit content. "He was pale with fear afterward," she said. "You have to understand, these people are terrified, just terrified. They're seriously worried about slipping up and going to jail. They think about it every day they go into the office." As a result, Internet executives in China most likely censor far more material than they need to.
The Chinese system relies on a classic psychological truth: self-censorship is always far more comprehensive than formal censorship. By having each private company assume responsibility for its corner of the Internet, the government effectively outsources the otherwise unmanageable task of monitoring the billions of e-mail messages, news stories and chat postings that circulate every day in China. The government's preferred method seems to be to leave the companies guessing, then to call up occasionally with angry demands that a Web page be taken down in 24 hours. "It's the panopticon," says James Mulvenon, a China specialist who is the head of a Washington policy group called the Center for Intelligence Research and Analysis. "There's a randomness to their enforcement, and that creates a sense that they're looking at everything."

The government's filtering, while comprehensive, is not total. One day a banned site might temporarily be visible, if the routers are overloaded -- or if the government suddenly decides to tolerate it. The next day the site might disappear again. Generally, everyday Internet users react with caution. They rarely push the government's limits. There are lines that cannot be crossed, and without actually talking about it much, everyone who lives and breathes Chinese culture understands more or less where those lines are.

This is precisely what makes the environment so bewildering to American Internet companies. What's allowed? What's not allowed? In contrast to the confusion most Americans experience, Chinese businessmen would often just laugh when I asked whether the government's censorship regime was hard to navigate. "I'll tell you this, it's not more hard than dealing with Sarbanes and Oxley," said Xin Ye, a founding executive of Sohu.com, one of China's biggest Yahoo-like portals. (He was referring to the American law that requires publicly held companies to report in depth on their finances.)
Another evening I had drinks in a Shanghai jazz bar with Charles Chao, the president of Sina, the country's biggest news site. When I asked him how often he needs to remove postings from the discussion boards on Sina.com, he said, "It's not often." I asked if that meant once a week, once a month or less often; he demurred. "I don't think I can talk about it," he said. Yet he seemed less annoyed than amused by my line of questioning. "I don't want to call it censorship," he said. "It's like in every country: they have a bias. There are taboos you can't talk about in the U.S., and everyone knows it."

Jack Ma put it more bluntly: "We don't want to annoy the government." Ma is the hyperkinetic C.E.O. of Alibaba, a Chinese e-commerce firm. I met him in November in the lobby of the China World Hotel in Beijing, just after Ma's company had closed one of the biggest deals in Chinese Internet history. Yahoo, whose share of the Chinese search-engine market had fallen (according to one academic survey) to just 2.3 percent, had paid $1 billion to buy 40 percent of Alibaba and had given Ma complete control over all of Yahoo's services in China, hoping he could do a better job with it. From his seat on a plush sofa, Ma explained Alibaba's position on online speech. "Anything that is illegal in China -- it's not going to be on our search engine. Something that is really no good, like Falun Gong?" He shook his head in disgust. "No! We are a business! Shareholders want to make money. Shareholders want us to make the customer happy. Meanwhile, we do not have any responsibilities saying we should do this or that political thing. Forget about it!"

A Bit of a Revolution

Last fall, at a Starbucks in Beijing, I met with China's most famous political blogger. Zhao Jing, a dapper, handsome 31-year-old in a gray sweater, seemed positively exuberant as he explained how radically China had changed since the Web arrived in the late 1990's.
Before, he said, the party controlled every single piece of media, but then Chinese began logging onto discussion boards and setting up blogs, and it was as if a bell jar had lifted. Even if you were still too cautious to talk about politics, the mere idea that you could publicly state your opinion about anything -- the weather, the local sports scene -- felt like a bit of a revolution.

Zhao (who now works in the Beijing bureau of The New York Times) pushed the limits further than most. After college, he took a job as a hotel receptionist in a small city. He figured that if he was lucky, he might one day own his own business. When he went online in 1998, though, he realized that what he really wanted to do was to speak out on political questions. He began writing essays and posting them on discussion boards. Soon after he started his online writing, a newspaper editor offered him a job as a reporter. "This is what the Internet does," Zhao said, flashing a smile. "One week after I went on the Internet, I had a reputation all over the province. I never thought I could be a writer. But I realized the problem wasn't me -- it was my small town."

Zhao lost his reporting job in March 2003 after his paper published an essay by a retired official advocating political reform; the government retaliated by shutting the paper down. Still eager to write, in December 2004 Zhao started his blog, hosted on a blogging service with servers in the U.K. His witty pro-free-speech essays, written under the name Michael Anti, were soon drawing thousands of readers a day. Last August, the government used the Great Firewall to block his site so that no one in China could read it; defiant, he switched over to Microsoft's blogging tool, called MSN Spaces. The government was almost certainly still monitoring his work, but remarkably, he continued writing. Zhao knew he was safe, he told me, because he knew where to draw the line.
"If you talk every day online and criticize the government, they don't care," he said. "Because it's just talk. But if you organize -- even if it's just three or four people -- that's what they crack down on. It's not speech; it's organizing. People say I'm brave, but I'm not."

The Internet brought Zhao a certain amount of political influence, yet he seemed less excited about the way his blog might transform the government and more excited about the way it had transformed his sense of himself. Several young Chinese told me the same thing. If the Internet is bringing a revolution to China, it is experienced mostly as one of self-actualization: empowerment in a thousand tiny, everyday ways.

One afternoon I visited with Jiang Jingyi, a 29-year-old Chinese woman who makes her living selling clothes on eBay. When she opened the door to her apartment in a trendy area of Shanghai, I felt as if I'd accidentally stumbled into a chic SoHo boutique. Three long racks full of puffy winter jackets and sweaters dominated the center of the living room, and neat rows of designer running shoes and boots ringed the walls. As she served me tea in a bedroom with four computers stacked on a desk, Jiang told me, through an interpreter, that she used to work as a full-time graphic designer. But she was a shopaholic, she said, and one day decided to take some of the cheap clothes she'd found at a local factory and put them up for auction online. They sold quickly, and she made a 30 percent profit. Over the next three months, she sold more and more clothes, until one day she realized that her eBay profits were outstripping her weekly paycheck. She quit her job and began auctioning full time, and now her monthly sales are in excess of 100,000 yuan, or about $12,000. "My parents can't understand it," she said with a giggle, as she clicked at the computer to show me one of her latest auctions, a winter jacket selling for 300 yuan. (Her description of the jacket translated as "Very trendy!
You will look cool!") At the moment, Jiang sells mostly to Chinese in other major cities, since China's rudimentary banking system and the lack of a reliable credit-card network mean there is no easy way to receive payments from outside the country. But when Paypal -- eBay's online payment system -- finally links the global market with the Chinese market, she says she will become a small international business, marketing cut-rate clothes directly to hipsters in London or Los Angeles.

Compromises and Disclaimers

Google never did figure out exactly why it was knocked offline in 2002 by the Chinese government. The blocking ended abruptly after two weeks, as mysteriously as it had begun. But even after being unblocked, Google still had troubles. The Great Firewall tends to slow down all traffic coming into the country from the world outside. About 15 percent of the time, Google was simply unavailable in China because of data jams. The firewall also began punishing curious minds: whenever someone inside China searched for a banned term, the firewall would often retaliate by sending back a command that tricked the user's computer into believing Google itself had gone dead. For several minutes, the user would be unable to load Google's search page -- a digital slap on the wrist, as it were.

For Google, these delays and shutdowns were a real problem, because search engines like to boast about delivering results in milliseconds. Baidu, Google's chief Chinese-language rival, had no such problem, because its servers were located on Chinese soil and thus inside the Great Firewall. Worse, Chinese universities had virtually no access to foreign Web sites, which meant that impressionable college students -- in other countries, Google's most ardent fans -- were flocking instead to Baidu. Brin and other Google executives realized that the firewall allowed them only two choices, neither of which they relished.
If Google remained aloof and continued to run its Chinese site from foreign soil, it would face slowdowns from the firewall and the threat of more arbitrary blockades -- and eventually, the loss of market share to Baidu and other Chinese search engines. If it opened up a Chinese office and moved its servers onto Chinese territory, it would no longer have to fight to get past the firewall, and its service would speed up. But then Google would be subject to China's self-censorship laws.

What eventually drove Google into China was a carrot and a stick. Baidu was the stick: by 2005, it had thoroughly whomped its competition, amassing nearly half of the Chinese search market, while Google's market share remained stuck at 27 percent. The carrot was Google's halcyon concept of itself, the belief that merely by improving access to information in an authoritarian country, it would be doing good. Certainly, the company's officials figured, it could do better than the local Chinese firms, which acquiesce to the censorship regime with a shrug. Sure, Google would have to censor the most politically sensitive Web sites -- religious groups, democracy groups, memorials of the Tiananmen Square massacre -- along with pornography. But that was only a tiny percentage of what Chinese users search for on Google. Google could still improve Chinese citizens' ability to learn about AIDS, environmental problems, avian flu, world markets.

Revenue, Brin told me, wasn't a big part of the equation. He said he thought it would be years before Google would make much if any profit in China. In fact, he argued, going into China "wasn't as much a business decision as a decision about getting people information. And we decided in the end that we should make this compromise." He and his executives began discussing exactly which compromises they could tolerate. They decided that -- unlike Yahoo and Microsoft --
they would not offer e-mail or blogging services inside China, since that could put them in a position of being forced to censor blog postings or hand over dissidents' personal information to the secret police. They also decided they would not take down the existing, unfiltered Chinese-language version of the google.com engine. In essence, they would offer two search engines in Chinese. Chinese surfers could still access the old google.com; it would produce uncensored search results, though controversial links would still lead to dead ends, and the site would be slowed down and occasionally blocked entirely by the firewall. The new option would be google.cn, where the results would be censored by Google -- but would arrive quickly, reliably and unhindered by the firewall.

Brin and his team decided that if they were going to be forced to censor the results for a search for "Tiananmen Square," then they would put a disclaimer at the top of the search results on google.cn explaining that information had been removed in accordance with Chinese law. When Chinese users search for forbidden terms, Brin said, "they can notice what's missing, or at least notice the local control." It is precisely the solution you'd expect from a computer scientist: the absence of information is a type of information. (Google displays similar disclaimers in France and Germany, where they strip out links to pro-Nazi Web sites.)

Brin's team had one more challenge to confront: how to determine which sites to block? The Chinese government wouldn't give them a list. So Google's engineers hit on a high-tech solution. They set up a computer inside China and programmed it to try to access Web sites outside the country, one after another. If a site was blocked by the firewall, it meant the government regarded it as illicit -- so it became part of Google's blacklist. The Google executives signed their license to become a Chinese Internet service in December 2005.
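The two mechanisms the article describes, the border routers' two-stage check (whole-site blacklist, then blacklisted terms in the requested address) and Google's probe-from-inside method of inferring that blacklist, as an added illustrative model that is not code from the article or from Google. Hosts such as bbc.example and shop.example, the per-section rule, and every URL below are constructed; only hrichina.org, "falun" and "198964" come from the text.

```python
# Added example: a model of the filtering behaviour described in the article
# and of the probe-based blacklist inference attributed to Google. Everything
# not named in the text (hosts, section rules, URLs) is constructed.
from urllib.parse import urlsplit

# Stage 1: sites blocked wholesale. hrichina.org is named in the article.
BLOCKED_HOSTS = {"hrichina.org"}

# Stage 2: terms the border routers look for in the requested address.
# Both appear in the text; "198964" is the June 4, 1989 date code.
BLOCKED_TERMS = ("falun", "198964")

# Stage 3 (assumption): a per-section rule, modelling the BBC case where
# sports pages loaded but the news section did not. Host is constructed.
BLOCKED_SECTIONS = {"bbc.example": ("/news",)}


def filter_decision(url):
    """Decide whether one request would pass the modelled border filter.

    Returns (allowed, reason). Stages run in the order the article gives:
    whole-host blacklist first, then the address is scanned for terms.
    """
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if host in BLOCKED_HOSTS:
        return False, "host on blacklist"
    for prefix in BLOCKED_SECTIONS.get(host, ()):
        if parts.path.startswith(prefix):
            return False, f"section {prefix!r} blocked on {host}"
    # Plain substring matching over the whole address is why such filters
    # over-match: an unrelated item id that happens to contain 198964 is
    # blocked just like the dissident code word.
    address = (host + parts.path + "?" + parts.query).lower()
    for term in BLOCKED_TERMS:
        if term in address:
            return False, f"address contains blacklisted term {term!r}"
    return True, "allowed"


def infer_blacklist(candidate_urls, probe):
    """Blacklist construction as the article describes Google's approach:
    try each candidate from inside the filtered network and treat whatever
    fails to load as government-blocked. probe(url) returns True on success.
    """
    return sorted(url for url in candidate_urls if not probe(url))


def censored_results(results, blacklist):
    """Apply an inferred blacklist to a result list and report how many
    entries were dropped, so a disclaimer can say that something is missing
    (the "absence of information is information" point in the text).
    """
    kept = [r for r in results if r not in blacklist]
    removed = len(results) - len(kept)
    notice = (f"{removed} result(s) omitted in accordance with local law"
              if removed else None)
    return kept, notice


if __name__ == "__main__":
    candidates = [  # constructed sample URLs
        "http://hrichina.org/",
        "http://example.org/about",
        "http://example.net/falun-gong",
        "http://bbc.example/sport/football",
        "http://bbc.example/news/world",
        "http://shop.example/item/1989645",  # false positive: contains 198964
    ]
    # Simulated probe: stands in for a real fetch attempt from inside the filter.
    blacklist = infer_blacklist(candidates, lambda u: filter_decision(u)[0])
    for url in candidates:
        print(f"{url:40} {filter_decision(url)[1]}")
    print(censored_results(candidates, blacklist))
```

The probe approach has the same blind spot the article notes for the firewall itself: a site that is intermittently reachable will be missed or wrongly listed depending on the day it is tried.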
They never formally sat down with government officials and received permission to put the disclaimer on censored search results. They simply decided to do it -- and waited to see how the government would react.

The China Storm

Google.cn formally opened on Jan. 27 this year, and human-rights activists immediately logged onto the new engine to see how it worked. The censorship was indeed comprehensive: the first page of results for "Falun Gong," they discovered, consisted solely of anti-Falun Gong sites. Google's image-searching engine -- which hunts for pictures -- produced equally skewed results. A query for "Tiananmen Square" omitted many iconic photos of the protest and the crackdown. Instead, it produced tourism pictures of the square lighted up at night and happy Chinese couples posing before it.

Google's timing could not have been worse. Google.cn was introduced into a political environment that was rapidly souring for American high-tech firms in China. Last September, Reporters Without Borders revealed that in 2004, Yahoo handed over an e-mail user's personal information to the Chinese government. The user, a business journalist named Shi Tao, had used his Chinese Yahoo account to leak details of a government document on press restrictions to a pro-democracy Web site run by Chinese exiles in New York. The government sentenced him to 10 years in prison. Then in December, Microsoft obeyed a government request to delete the writings of Zhao Jing -- the free-speech blogger I'd met with in the fall. What was most remarkable about this was that Microsoft's blogging service has no servers located in China; the company effectively allowed China's censors to reach across the ocean and erase data stored on American territory.

Against this backdrop, the Google executives probably expected to appear comparatively responsible and ethical. But instead, as the China storm swirled around Silicon Valley in February, Google bore the brunt of it.
At the Congressional hearings where the three companies testified -- along with Cisco, makers of hardware used in the Great Firewall -- legislators assailed all the firms, but ripped into Google with particular fire. They asked how a company with the slogan "Don't Be Evil" could conspire with China's censors. "That makes you a functionary of the Chinese government," said Jim Leach, an Iowa Republican. "So if this Congress wanted to learn how to censor, we'd go to you."

Zhao Jing's Rankings

In February, I met with Zhao Jing again, two months after his pro-democracy blog was erased by Microsoft. We ordered drinks at a faux-Irish pub in downtown Beijing. Zhao was still as energetic as ever, though he also seemed a bit rueful over his exuberant comments in our last conversation. "I'm more cynical now," he said.

His blog had been killed because of a single post. In December, a Chinese newspaper editor was fired, and Zhao called for a boycott of the paper. That apparently crossed the line. It was more than just talk; Zhao had now called for a political action. The government contacted Microsoft to demand the blog be shuttered, and the company complied -- earning it a chorus of outrage from free-speech advocates in the United States, who accused Microsoft of having acted without even receiving a formal legal request from the Chinese government. Microsoft seemed chastened by the public uproar; at the Congressional hearings, the company's director of government relations expressed regret. To try to save face, Microsoft executives pointed out that they had saved a copy of the deleted blog postings and sent them to Zhao. What they did not mention, Zhao told me, is that they refused to e-mail Zhao the postings; they offered merely to burn them onto a CD and mail them to any address in the United States Zhao requested.
Microsoft appeared to be so afraid of the Chinese government, Zhao noted with a bitter laugh, that the company would not even send the banned material into China by mail. (Microsoft declined to comment for this article.)

I expected Zhao to be much angrier with the American Internet companies than he was. He was surprisingly philosophical. He ranked the companies in order of ethics, ticking them off with his fingers. Google, he said, was at the top of the pile. It was genuinely improving the quality of Chinese information and trying to do its best within a bad system. Microsoft came next; Zhao was obviously unhappy with its decision, but he said that it had produced such an easy-to-use blogging tool that, on balance, Microsoft was helping Chinese people to speak publicly. Yahoo came last, and Zhao had nothing but venom for the company. "Google has struck a compromise," he said, and compromises are sometimes necessary. Yahoo's behavior, he added, put it in a different category: "Yahoo is a sellout. Chinese people hate Yahoo." The difference, Zhao said, was that Yahoo had put individual dissidents in serious danger and done so apparently without thinking much about the human damage. (Yahoo did not respond to requests for comment.) Google, by contrast, had avoided introducing any service that could get someone jailed. It was censoring information, but Zhao considered that a sin of omission, rather than of commission.

The Distorted Universe

Zhao's moral calculus was striking, not least because it is so foreign to American ways of thinking. For most Americans, or certainly for most of those who think and write about China, there are no half-measures in democracy or free speech. A country either fully embraces these principles, or it disappears down the slippery slope of totalitarianism. But China's bloggers and Internet users have already lived at the bottom of the slippery slope. From their perspective, the Internet -- as filtered as it is --
has already changed Chinese society profoundly. For the younger generation, especially, it has turned public speech into a daily act. This, ultimately, is the perspective that Google has adopted, too. And it raises an interesting question: Can an imperfect Internet help change a society for the better?

One Internet executive I spoke to summed up the conundrum of China's Internet as the "distorted universe" problem. What happens to people's worldviews when they do a Google search for Falun Gong and almost exclusively find sites opposed to it, as would happen today on google.cn? Perhaps they would trust Google's authority and assume there is nothing to be found. This is the fear of Christopher Smith, the Republican representative who convened the recent Congressional hearings. "When Google sends you to a Chinese propaganda source on a sensitive subject, it's got the imprimatur of Google," he told me recently. "And that influences the next generation -- they think, Maybe we can live with this dictatorship. Without your Lech Walesas, you never get democracy." For Smith, Google's logic is the logic of appeasement. Like the companies that sought to "engage" with apartheid South Africa, Google's executives are too dedicated to profits ever to push for serious political change. (Earlier this month, Google's C.E.O., Eric Schmidt, visited Kai-Fu Lee in Beijing and told journalists that it would be "arrogant" of Google to try to change China's censorship laws.)

But perhaps the distorted universe is less of a problem in China, because -- as many Chinese citizens told me -- the Chinese people long ago learned to read past the distortions of Communist propaganda and media control. Guo Liang, the professor at the Chinese social sciences academy, told me about one revealing encounter. "These guys at Harvard did a study of the Chinese Internet," Guo said. "I talked to them and asked, 'What were your results?' They said, 'We think the Chinese government tries to control the Internet.'
I just laughed. I said, 'We know that!'" Google's filtering of its results was not controversial for Guo because it was nothing new. Andrew Lih, the Chinese-American professor at the University of Hong Kong, said that many in China take a long-term perspective. "Chinese people have a 5,000-year view of history," he said. "You ban a Web site, and they're like: 'Oh, give it time. It'll come back.'"

Or consider the position of a group of Chinese Internet geeks trying to get access to Wikipedia, the massive free online encyclopedia where anyone can write an entry. Currently, all of wikipedia.com is blocked; the group is trying to convince Wikipedia's overseers to agree to the creation of a sanitized Chinese version with the potentially illegal entries removed. They argue that this would leave 99.9 percent of Wikipedia intact, and if that material were freely available in China, they say, it would be a great boon for China, particularly for underfinanced and isolated schools. (So far, Wikipedia has said it will not allow the creation of a censored version of the encyclopedia.)

Given how flexible computer code is, there are plenty of ways to distort the universe -- to make its omissions more or less visible. At one point while developing google.cn, Google considered blocking all sites that refer to controversial topics. A search for Falun Gong in China would produce no sites in favor of it, but no sites opposing it either. What sort of effect would that have had? Remember too that when Google introduced its censored google.cn engine, it also left its original google.com Chinese-language engine online. Which means that any Chinese citizen can sit in a Net cafe, plug "Tiananmen Square" into each version of the search engine and then compare the different results -- a trick that makes the blacklist somewhat visible.
Critics have suggested that Google should go even further and actually publish its blacklist online in the United States, making its act of censorship entirely transparent.

The Super Girl Theory

When I spoke to Kai-Fu Lee in Google's Beijing offices, there were moments that to me felt jarring. One minute he sounded like a freedom-loving Googler, arguing that the Internet inherently empowers its users. But the next minute he sounded more like Jack Ma of Alibaba -- insisting that the Chinese have no interest in rocking the boat. It is a circular logic I encountered again and again while talking to China's Internet executives: we don't feel bad about filtering political results because our users aren't looking for that stuff anyway. They may be right about their users' behavior. But you could just as easily argue that their users are incurious because they're cowed. Who would openly search for illegal content in a public Internet cafe -- or even at home, since the government requires that every person with personal Internet access register his name and phone number with the government for tracking purposes?

It is also possible that the government's crackdown on the Internet could become more intense if the country's huge population of poor farmers begins agitating online. The government is reasonably tolerant of well-educated professionals online. But the farmers, upset about corrupt local officials, are serious activists, and they pose a real threat to Beijing; they staged 70,000 demonstrations in 2004, many of which the government violently suppressed.

In the eyes of critics, Google is lying to itself about the desires of Chinese Internet users and collaborating with the Communist Party merely to secure a profitable market. To take Lee at his word is to take a leap of faith: that the Internet, simply through its own inherent properties, will slowly chip away at the government's ability to control speech, seeding a cultural change that strongly favors democracy.
In this view, there will be no "great man" revolution in China, no Lech Walesa rallying his oppressed countrymen. Instead, the freedom fighters will be a half-billion mostly apolitical young Chinese, blogging and chatting about their dates, their favorite bands, video games -- an entire generation that is growing up with public speech as a regular habit.

At one point in our conversation, Lee talked about the "Super Girl" competition televised in China last year, the country's analogue to "American Idol." Much like the American version of the show, it featured young women belting out covers of mainstream Western pop songs amid a blizzard of corporate branding. (The full title of the show was "Mongolian Cow Sour Yogurt Super Girl Contest," in honor of its sponsor.) In each round, viewers could vote for their favorite competitor via text message from their mobile phones. As the season ran its course, it began to resemble a presidential election campaign, with delirious fans setting up Web sites urging voters to pick their favorite singer. In the final episode, eight million young Chinese used their mobile phones to vote; the winner was Li Yuchun, a 21-year-old who dressed like a schoolgirl and sang "Zombie," by the Irish band the Cranberries.

"If you think about a practice for democracy, this is it," Lee said. "People voted for Super Girls. They loved it -- they went out and campaigned." It may not be a revolution, in other words, but it might be a start.

Clive Thompson is a contributing writer. He frequently reports about technology for the magazine.
From rforno at infowarrior.org Fri Apr 21 08:21:05 2006
From: rforno at infowarrior.org (Richard Forno)
Date: Fri, 21 Apr 2006 08:21:05 -0400
Subject: [Infowarrior] - Gonzales calls for mandatory Web labeling law
Message-ID:

Gonzales calls for mandatory Web labeling law
By Declan McCullagh
http://news.com.com/Gonzales+calls+for+mandatory+Web+labeling+law/2100-1028_3-6063554.html
Story last modified Fri Apr 21 04:20:31 PDT 2006

Web site operators posting sexually explicit information must place official government warning labels on their pages or risk being imprisoned for up to five years, the Bush administration proposed Thursday. A mandatory rating system will "prevent people from inadvertently stumbling across pornographic images on the Internet," Attorney General Alberto Gonzales said at an event in Alexandria, Va. The Bush administration's proposal would require commercial Web sites to place "marks and notices" to be devised by the Federal Trade Commission on each sexually explicit page. The definition of sexually explicit broadly covers depictions of everything from sexual intercourse and masturbation to "sadistic abuse" and close-ups of fully clothed genital regions. "I hope that Congress will take up this legislation promptly," said Gonzales, who gave a speech about child exploitation and the Internet to the federally funded National Center for Missing and Exploited Children. The proposed law is called the Child Pornography and Obscenity Prevention Amendments of 2006. A second new crime would threaten with imprisonment Web site operators who mislead visitors about sex with deceptive "words or digital images" in their source code--for instance, a site that might pop up in searches for Barbie dolls or Teletubbies but actually features sexually explicit photographs. A third new crime appears to require that commercial Web sites not post sexually explicit material on their home page if it can be seen "absent any further actions by the viewer."
A critic of the proposal said that its requirements amount to an unreasonable imposition on Americans' rights to free expression. In particular, a mandatory rating system backed by criminal penalties is "antithetical to the First Amendment," said Marv Johnson, legislative counsel to the American Civil Liberties Union. During his speech, Gonzales also warned that Internet service providers must begin to retain records of their customers' activities to aid in future criminal prosecutions--a position first reported by CNET News.com--and indicated that legislation might be necessary there as well. Internet service providers say they already cooperate with police and appear to be girding for a political battle on Capitol Hill over new regulations they view as intrusive. An idea once proposed by Democrats The Bush administration's embrace of a rating system backed by criminal penalties is uncannily reminiscent of where the Clinton administration and a Democratic member of Congress were a decade ago. In the mid-1990s, the then-nascent Internet industry began backing the Platform for Internet Content Selection, or PICS. The idea was simple: let Web sites self-rate, or let a third-party service offer ratings, and permit parents to set their browsers to never show certain types of content. Netscape and Microsoft soon agreed to support it in their browsers. At a White House summit in July 1997 hosted by President Clinton and Vice President Al Gore, the head of the Lycos search engine proposed that only rated pages would be indexed. (Bob Davis, the president of Lycos at the time, said: "I threw a gauntlet to other search engines in today's meeting saying that collectively we should require a rating before we index pages.") Sen. Patty Murray, a Democrat from Washington state, suggested that misrating a Web site should be a federal crime. And Australian government officials began talking about making self-rating mandatory. 
The popularity of the idea of rating eventually faded, though, thanks in no small part to the knotty problem of labeling news sites. News articles can feature sexually explicit content (when reporting on a rape trial or sexual education), and major online publishers decided in August 1997 that they were going to refuse to rate themselves. Because of those and other problems, courts have tended to take a dim view of mandatory rating systems. In a 1968 case called Interstate Circuit v. Dallas, the U.S. Supreme Court ruled that Dallas' ordinance requiring that movies be rated was unconstitutional because the criteria for rating were unclear and vague. Eugene Volokh, a law professor at UCLA who has written a book on the First Amendment, said the Bush administration's proposal may be more likely to survive judicial scrutiny. Because the definitions of sexually explicit material have been used elsewhere in federal law, Volokh said, "it has the virtue of relative clarity. I think that's probably constitutional." But David Greene, director of a free-speech advocacy group called The First Amendment Project, thinks it wouldn't survive a court challenge. "I believe the law would be struck down as impermissible compelled speech," Greene said. "The only times courts allow product labeling is with commercial speech--advertisements." For the rating system's definition of sexually explicit material, the Bush administration proposal borrows language from existing federal law. It covers: sexual intercourse of all types; bestiality; masturbation; sadistic or masochistic abuse; or lascivious exhibition of the genitals or pubic area of any person. In practice, courts have interpreted those definitions quite broadly. In one case, U.S. v. Knox, the Supreme Court and an appeals court ruled that the "lascivious exhibition" of the pubic area could include images of clothed people wearing bikini bathing suits, leotards and underwear. 
That suggests, for instance, that photos of people in leotards and bathing suits would have to be rated as sexually explicit if the commercial Web site owner wanted to avoid going to prison. There is one exception: Sexual depictions that constitute a "small and insignificant part" of a large Web site do not have to be rated. In an unusual twist, Gonzales' remarks this week represent a high-profile reversal of two of the Bush administration's previous positions. First, James Burrus, the FBI's deputy assistant director, told a Senate committee in January that there was no need for new laws to deal with child exploitation on the Internet. Second, the Justice Department has previously expressed "serious reservations about broad mandatory data retention regimes" such as the one that Gonzales proposed on Thursday.

Copyright 1995-2006 CNET Networks, Inc. All rights reserved.

From rforno at infowarrior.org Fri Apr 21 08:27:33 2006
From: rforno at infowarrior.org (Richard Forno)
Date: Fri, 21 Apr 2006 08:27:33 -0400
Subject: [Infowarrior] - Counter-Terrorism Profiteers, With Your Money
Message-ID:

(Disclaimer: I know the founder of IntelCenter and while I wish the firm well, I have to agree with Arkin's concluding paragraph, not just for that firm but any such intelligence-analysis firm........rf)

Counter-Terrorism Profiteers, With Your Money
http://blogs.washingtonpost.com/earlywarning/2006/04/counterterroris.html

A National Counter-terrorism Center and a Director of National Intelligence with ever greater authority. An FBI Terrorist Screening Center that can reach far and wide to local law enforcement. The Defense Intelligence Agency's Joint Task Force for Counter-Terrorism and a Counterintelligence Field Activity at the Defense Department. And of course a Department of Homeland Security and its military counter-part the U.S. Northern Command (NORTHCOM). Broken stovepipes of information, a PATRIOT act, actionable intelligence out the whazoo.
Post 9/11, the government argues - it doesn't even have to argue, it is just assumed - that the intelligence and law enforcement nexus has never been closer, that warnings are so seamless and complete if anything most people worry that the government has too much information, not too little. No potential terrorist is going to sneak through this new system, no government agency is ever going to go wanting for more information. So it just burns me up this week to see a prominent military command preparing to pay a private company to provide it with terrorist warnings. This week U.S. Air Force Space Command, a major command headquartered in Colorado Springs, CO, issued a solicitation called "Terrorism Threat Research" (thanks MS) saying that it was planning to license a "terrorism research database" to receive "real-time" warnings via pager, cell phone, and PDA. The database is produced by IntelCenter, one of a cottage industry that has sprung up since the early 1990s to feed at the counter-terrorism trough. According to the group's website, the IntelCenter's "primary client base is comprised of military, law enforcement and intelligence agencies in the US and other allied countries around the world." Space Command wants to obtain 20 licenses to the IntelCenter's U.S. Government Terrorism Threat Intelligence Package ($1650.00 per license according to the IntelCenter website). This database, according to Space Command, includes "weekly and or real time email notifications of all significant terrorist, rebel group and other related activity, including bombings, assassinations, kidnappings, significant dates, threats and organizational changes within groups." IntelCenter will also provide warnings relating to "developments concerning intelligence agencies around the world including operational issues, organizational developments, new initiatives, espionage trials, new technologies and other related issues."
And finally, IntelCenter will receive "real-time dissemination of raw statements, fatwas, announcements, and other messages directly from terrorist, rebel, extremist, and other organizations themselves." The immediate question is: isn't this what all of these new "long war" commands and reorganized and beefed-up intelligence agencies with all of their new databases and data mining and authorities supposed to do? Okay, by government standards, $32,000 annually is petty cash. But there must be dozens of additional agencies and commands buying the IntelCenter product and hundreds if not thousands of licenses paid for with your and my tax dollars. Everyone senses that we have a contractor crisis in our national security community, too many contractors acting like wild west prospectors in Iraq and the Middle East, contractors doing what we used to think of as "mission essential" jobs in headquarters and agencies. More power -- and money -- to IntelCenter for turning al Qaeda into a business; I'm sure their product and work are excellent. But it makes you wonder what the tens of thousands of government employees working in U.S. intelligence agencies actually do. It makes you wonder why it could be that if this information is so useful to Space Command and the government that it shouldn't be provided by our $40 billion intelligence community directly.

From rforno at infowarrior.org Fri Apr 21 09:06:44 2006
From: rforno at infowarrior.org (Richard Forno)
Date: Fri, 21 Apr 2006 09:06:44 -0400
Subject: [Infowarrior] - RIP, Scott Crossfield
Message-ID:

http://seattlepi.nwsource.com/local/267471_Crossfield20ww.html

Famed aviator Scott Crossfield dies in plane crash
Thursday, April 20, 2006
P-I STAFF AND NEWS SERVICES

Scott Crossfield, the University of Washington graduate who was the first man to fly at twice the speed of sound, was found dead Thursday in the wreckage of his single-engine plane in Georgia.
Crossfield, 84, dueled with Chuck Yeager a half century ago in piloting rocket-powered aircraft. He helped design and then piloted the X-15 rocket plane. He was a legend to aeronautic students at the UW, but he considered his cutting-edge career an ordinary profession. Air-traffic monitors had lost radio and radar contact with Crossfield Wednesday as he was en route from Alabama to his Virginia home. Thunderstorms were reported in the area. The cause of the crash, about 50 miles northwest of Atlanta, is under investigation. Crossfield was believed to be the only person aboard. "We're in a state of shock," said Adam Bruckner, chair of the UW's Department of Aeronautics and Astronautics. "He was sort of a hero here to our department, our students, our faculty and others. "What better role model can you imagine than someone who flew the greatest and the latest and then helped design an even better one?" Crossfield, 84, a native of Berkeley, Calif., enrolled at the UW in 1942, interrupting his studies to serve as a Navy fighter pilot and instructor during World War II. He returned to Seattle to earn a bachelor's degree in 1949 in aeronautical engineering and a master's degree in aeronautical science in 1950. He worked in the UW's Kirsten Wind Tunnel from 1946 to 1950. After graduate school, he joined the National Advisory Committee for Aeronautics (NACA), the predecessor of NASA, as a research pilot. The Cessna 210A in which Crossfield died was a puny flying machine compared with the rocket-powered aircraft he flew as a test pilot. During his heyday, he routinely climbed into some of the most powerful, most dangerous and most complex pieces of machinery of his time, took them to their performance limits or beyond -- or "pushed the envelope," as test pilots put it -- and usually brought them back to earth in one piece. 
Six years after Yeager broke the sound barrier, Crossfield set the Mach 2 record in November 1953, going twice the speed of sound and reaching about 1,300 mph in a Douglas D-558-II Skyrocket. The plane reached an altitude of 13.6 miles. He left NACA in 1955 to help North American Aviation design and build the X-15, then flew the unproven aircraft in dangerous tests to test its airworthiness. He piloted the rocket plane more than a dozen times, reaching a maximum speed of Mach 2.97 -- about 1,960 mph -- and climbing 16.7 miles above Earth in 1960. In a 1988 interview with Aviation Week & Space Technology, he downplayed any talk of heroism. Test pilots are "all just people who incidentally do flight tests," Crossfield said. "It is a profession just like anything else. ... In my mind, we should divest ourselves of this idea of special people (being) heroes, if you please, because really they do not exist." The early days of the research airplane program had much less bureaucracy than later years, Crossfield said in the same interview. "For instance, there could be a day where I would do an X-1 launch early in the morning, fly the X-4 over lunch hour, and do a D-558-II launch in the afternoon. That was not a typical day, but there were days of that type. We were very versatile in our operation in those days." During the 1950s, Crossfield embodied what came to be called "the right stuff," dueling Yeager for supremacy among America's Cold War test pilots. Yeager broke the sound barrier in 1947. Only weeks after Crossfield reached Mach 2, or twice the speed of sound, Yeager outdid him. "He's really one of the major figures," said Peter Jakab, aerospace chairman at the Smithsonian Air and Space Museum. "He was not only the great cutting-edge research pilot ... but after that, he continued to be a great adviser and participant in all aspects of aerospace."
NASA Administrator Michael Griffin hailed him as "a true pioneer whose daring X-15 flights helped pave the way for the space shuttle." In "The Right Stuff," Tom Wolfe's history of the dawn of the space age, Wolfe portrayed Crossfield, Yeager and other members of the brotherhood of test pilots as possessors of "the right stuff," which the author defined as "the ability to go up in a hurtling piece of machinery and put his hide on the line and then have the moxie, the reflexes, the experience, the coolness, to pull it back in the last yawning moment -- and then to go up again the next day, and the next day, and every next day." (During an interview on "The Early Show" on CBS in 2003, Crossfield said he would "not endorse anything that was in 'The Right Stuff.'") The first group of seven NASA astronauts was selected in 1959. Bob Jacobs, a NASA spokesman, said Thursday that Crossfield never applied, though he did some engineering work on the Apollo space program. Many test pilots sneered at the Mercury program and did not consider it real flying; they regarded astronauts as little more than "Spam in a can" because their capsules were controlled from the ground. Attempts to break the sound barrier in the years following World War II involved high stakes and some big egos. On Oct. 14, 1947, Yeager finally reached the landmark, pushing his orange, bullet-shaped Bell X-1 rocket plane past 660 mph over the Mojave Desert in California. His feat was kept top secret for about a year. The now 83-year-old Yeager, in his book "Yeager: An Autobiography," described friction between the military pilots and the civilian NACA pilots. He groused that Crossfield "was a proficient pilot, but also among the most arrogant I've met. ... None of us blue suiters was thrilled to see a NACA guy bust Mach 2." The competition did not end at Mach 2. On Dec.
12, 1953, just a few days before the 50th anniversary of the Wright brothers' first flight, Yeager bested Crossfield when he flew an X-1A to a record speed of more than Mach 2.4, or more than 1,600 mph. The upcoming Wright anniversary had weighed on his mind, Yeager wrote: "The television networks had scheduled special programs about Crossfield and his Mach 2 flight. ... Our plan was to smash Scotty's record on December 12." Nowadays, the best fighter jets can fly well over Mach 2. Crossfield left NACA in 1955 to work for North American Aviation on the X-15 project, including its first flight, an unpowered glide, in 1959. Other early X-15 test flights were made by pilots Joe Walker and Robert White. In one of his test flights, Crossfield reached about three times the speed of sound on Nov. 15, 1960, in an X-15 launched from a B-52 bomber. The plane reached an altitude of 81,000 feet. There were some close calls. During an X-15 flight in 1959, one of the engines exploded. The emergency landing broke the aircraft's back just behind the cockpit, but Crossfield was not injured, according to the Edwards Air Force Base Web site. Less than a year later, a malfunctioning valve caused a catastrophic explosion during a ground test while Crossfield was in the cockpit. He again escaped injury. In later years, he was an executive for Eastern Airlines and Hawker Siddeley Aviation and a technical consultant to the House Committee on Science and Technology. "I am an aeronautical engineer, an aerodynamicist and a designer," he told Aviation Week & Space Technology. "My flying was only primarily because I felt that it was essential to designing and building better airplanes for pilots to fly." More recently, Crossfield had a key role in preparations for the attempt to re-enact the Wright brothers' flight on the 100th anniversary of their feat on the sand dunes near Kitty Hawk, N.C. Crossfield trained four pilots, and one of them, Kevin Kochersberger, was selected for the Dec.
17, 2003, attempt. But in the end, unsuitable weather doomed the attempt to get the replica into the air. The plane plopped into wet sand as the crowd of 35,000 groaned. Among his many honors, Crossfield was inducted into the National Aviation Hall of Fame in 1983.

P-I Reporter John Iwasaki contributed to this report by The Associated Press

From rforno at infowarrior.org Fri Apr 21 21:22:57 2006
From: rforno at infowarrior.org (Richard Forno)
Date: Fri, 21 Apr 2006 21:22:57 -0400
Subject: [Infowarrior] - DHS, HHS make secret pact to share airline passenger info
Message-ID:

DHS, HHS make secret pact to share airline passenger info
BY Bob Brewin
Published on Apr. 20, 2006
http://www.fcw.com/article94142-04-20-06-Web

The departments of Health and Human Services and Homeland Security have a secret agreement to exchange airline passenger information as part of a Centers for Disease Control and Prevention plan to help combat pandemic flu, the Air Transport Association (ATA) said in a filing with the CDC. Barry Steinhardt, director of the Technology and Liberty Program at the American Civil Liberties Union said that such an agreement raises serious privacy concerns and appears to violate an agreement between the United States and the European Union. That agreement limits the exchange of foreign carrier passenger information to help combat terrorism and crime. Steinhardt added that the secret agreement between DHS and HHS also raises concerns that the highly detailed passenger information CDC wants to collect could ultimately be shared with DHS. "I'm very concerned this is a two-way data sharing agreement," Steinhardt said. The existence of the secret agreement between DHS and HHS surfaced in a filing the ATA made last month with its comments on proposed CDC regulations that would electronically track more than 600 million passengers a year traveling on more than 7 million flights through 67 hub airports.
Katherine Andrus, assistant general counsel at the ATA, said in her filing with CDC last month that DHS and HHS recently executed a memorandum of understanding (MOU) that "though not publicly available - reportedly includes provisions for data sharing, including allowing CDC access to passenger information, including passenger name records, through" Customs and Border Protection. Steinhardt said passenger name record files include a large amount of data besides personal identifiers, such as meal preferences, which could help determine a passenger's religion. The sharing of information between DHS and CBP appears to violate a passenger data sharing agreement between the European Union and the United States executed in May 2004, Steinhardt said. That agreement limits DHS to using data it obtains from EU airline reservation and departure control system databases to prevent and combat terrorism and other serious crimes, including organized crime, that are transnational. Steinhardt said this agreement does not cover the exchange of passenger name record data to help combat pandemic flu. The ACLU is concerned that the MOU between DHS and HHS will allow CDC to share data with DHS once its system is operating. The information that CDC wants to collect regarding airline passengers vastly exceeds DHS' passenger data collection efforts, Steinhardt said in the ACLU filing with CDC. Steinhardt said he is concerned that the MOU between DHS and HHS has not been made public, and he filed a Freedom of Information Act request for it today. Public affairs officers at DHS and HHS did not return calls from Federal Computer Week by the requested deadline. A CDC spokeswoman responded, but said HHS must answer any queries.
From rforno at infowarrior.org Sun Apr 23 11:38:29 2006
From: rforno at infowarrior.org (Richard Forno)
Date: Sun, 23 Apr 2006 11:38:29 -0400
Subject: [Infowarrior] - "Son of DMCA" being prepped by Congress
Message-ID:

Congress readies new digital copyright bill
By Declan McCullagh
http://news.com.com/Congress+readies+new+digital+copyright+bill/2100-1028_3-6064016.html
Story last modified Sun Apr 23 06:00:06 PDT 2006

For the last few years, a coalition of technology companies, academics and computer programmers has been trying to persuade Congress to scale back the Digital Millennium Copyright Act. Now Congress is preparing to do precisely the opposite. A proposed copyright law seen by CNET News.com would expand the DMCA's restrictions on software that can bypass copy protections and grant federal police more wiretapping and enforcement powers. The draft legislation, created by the Bush administration and backed by Rep. Lamar Smith, already enjoys the support of large copyright holders such as the Recording Industry Association of America. Smith is the chairman of the U.S. House of Representatives subcommittee that oversees intellectual-property law. Smith's press secretary, Terry Shawn, said Friday that the Intellectual Property Protection Act of 2006 is expected to "be introduced in the near future." "The bill as a whole does a lot of good things," said Keith Kupferschmid, vice president for intellectual property and enforcement at the Software and Information Industry Association in Washington, D.C. "It gives the (Justice Department) the ability to do things to combat IP crime that they now can't presently do." During a speech in November, Attorney General Alberto Gonzales endorsed the idea and said at the time that he would send Congress draft legislation.
Such changes are necessary because new technology is "encouraging large-scale criminal enterprises to get involved in intellectual-property theft," Gonzales said, adding that proceeds from the illicit businesses are used, "quite frankly, to fund terrorism activities." The 24-page bill is a far-reaching medley of different proposals cobbled together. One would, for instance, create a new federal crime of just trying to commit copyright infringement. Such willful attempts at piracy, even if they fail, could be punished by up to 10 years in prison. It also represents a political setback for critics of expanding copyright law, who have been backing federal legislation that veers in the opposite direction and permits bypassing copy protection for "fair use" purposes. That bill--introduced in 2002 by Rep. Rick Boucher, a Virginia Democrat--has been bottled up in a subcommittee ever since. A DMCA dispute But one of the more controversial sections may be the changes to the DMCA. Under current law, Section 1201 of the law generally prohibits distributing or trafficking in any software or hardware that can be used to bypass copy-protection devices. (That section already has been used against a Princeton computer science professor, Russian programmer Dmitry Sklyarov and a toner cartridge remanufacturer.) Smith's measure would expand those civil and criminal restrictions. Instead of merely targeting distribution, the new language says nobody may "make, import, export, obtain control of, or possess" such anticircumvention tools if they may be redistributed to someone else. "It's one degree more likely that mere communication about the means of accomplishing a hack would be subject to penalties," said Peter Jaszi, who teaches copyright law at American University and is critical of attempts to expand it. Even the current wording of the DMCA has alarmed security researchers. 
Ed Felten, the Princeton professor, told the Copyright Office last month that he and a colleague were the first to uncover the so-called "rootkit" on some Sony BMG Music Entertainment CDs--but delayed publishing their findings for fear of being sued under the DMCA. A report prepared by critics of the DMCA says it quashes free speech and chokes innovation. The SIIA's Kupferschmid, though, downplayed concerns about the expansion of the DMCA. "We really see this provision as far as any changes to the DMCA go as merely a housekeeping provision, not really a substantive change whatsoever," he said. "They're really to just make the definition of trafficking consistent throughout the DMCA and other provisions within copyright law uniform." The SIIA's board of directors includes Symantec, Sun Microsystems, Oracle, Intuit and Red Hat. Jessica Litman, who teaches copyright law at Wayne State University, views the DMCA expansion as more than just a minor change. "If Sony had decided to stand on its rights and either McAfee or Norton Antivirus had tried to remove the rootkit from my hard drive, we'd all be violating this expanded definition," Litman said. The proposed law scheduled to be introduced by Rep. Smith also does the following:

- Permits wiretaps in investigations of copyright crimes, trade secret theft and economic espionage. It would establish a new copyright unit inside the FBI and budgets $20 million on topics including creating "advanced tools of forensic science to investigate" copyright crimes.

- Amends existing law to permit criminal enforcement of copyright violations even if the work was not registered with the U.S. Copyright Office.

- Boosts criminal penalties for copyright infringement originally created by the No Electronic Theft Act of 1997 from five years to 10 years (and 10 years to 20 years for subsequent offenses).
The NET Act targets noncommercial piracy including posting copyrighted photos, videos or news articles on a Web site if the value exceeds $1,000.

- Creates civil asset forfeiture penalties for anything used in copyright piracy. Computers or other equipment seized must be "destroyed" or otherwise disposed of, for instance at a government auction. Criminal asset forfeiture will be done following the rules established by federal drug laws.

- Says copyright holders can impound "records documenting the manufacture, sale or receipt of items involved in" infringements.

Jason Schultz, a staff attorney at the digital-rights group the Electronic Frontier Foundation, says the recording industry would be delighted to have the right to impound records. In a piracy lawsuit, "they want server logs," Schultz said. "They want to know every single person who's ever downloaded (certain files)--their IP addresses, everything." CNET News.com's Anne Broache contributed to this report.

From rforno at infowarrior.org Sun Apr 23 12:12:24 2006
From: rforno at infowarrior.org (Richard Forno)
Date: Sun, 23 Apr 2006 12:12:24 -0400
Subject: [Infowarrior] - N.Y. county mandates wireless security
Message-ID:

N.Y. county mandates wireless security
Friday, April 21, 2006; Posted: 3:26 p.m. EDT (19:26 GMT)
http://www.cnn.com/2006/TECH/internet/04/21/wireless.security.ap/index.html

WHITE PLAINS, New York (AP) -- New York's Westchester County has enacted a law designed to limit identity theft by forcing local businesses to install basic security measures for any wireless network that stores customers' credit card numbers or other financial information. The law also requires that businesses offering Internet access -- coffeehouses and hotels, for example -- post signs warning that users should have firewalls or other security measures.
As he signed the bill, County Executive Andrew Spano said the county had been unable to find any law like it in the country and had received inquiries about the legislation from other states and from Great Britain, South Korea and the Czech Republic.

"There are many unsecured wireless networks out there, and any malicious individual with even minimal technical competence would have no trouble accessing information that should be kept confidential," Spano said. "It would be nice if these businesses took the necessary steps on their own to ensure their networks were kept secure, but the sad fact is that many don't."

All computers connected to the Internet and other networks are potentially vulnerable, but wireless networks are especially troublesome because a hacker can easily grab data traveling through the air.

Experts warned that the law would not fully protect anyone from dedicated hackers but acknowledged it could raise awareness of the vulnerabilities inherent in wireless technology.

Bruce Schneier, chief technical officer of Counterpane Internet Security Inc., said laws like Westchester's are probably helpful "because the information companies have on their networks is more valuable to you than it is to them and the law gives them an incentive" to protect it.

No 'silver bullet'

"But it's not going to stop identity theft," he added.

Andrew Neuman, a senior assistant to Spano, said, "We know this is not a silver bullet. But deterring amateur hackers from the easiest targets is a step in the right direction." A primary component is public awareness, he said. "We believe companies and businesses will welcome these requirements once they realize what's at stake," he said.

Spano said businesses will also find that "this is an easy way to avoid that public relations disaster that comes when companies find out their customers' information has been stolen."

The law requires each business to install a firewall or change the default SSID, the name that identifies a wireless network, if the personal information stored has not already been encrypted. Penalties would range from a warning on first offense to a $500 fine on third offense.

Norman Jacknis, the county's chief information officer, said that when the law was being considered officials detected 248 wireless networks during a 20-minute drive through downtown White Plains. Nearly half had no visible security.

Some of the unprotected networks were at cafes, hotels or other establishments that offer wireless hot spots to patrons. Other networks, like those at Starbucks, were protected. The signs that are to go up at such places will say, "For your own protection and privacy, you are advised to install a firewall or other computer security measure when accessing the Internet."

Jacknis said easily available firewalls would protect credit card transactions, for example, from being detected by a hacker posted outside a dry cleaner that uses a wireless network. At most, he said, installing firewall protection -- or just turning on the encryption and other security measures available with the hardware -- would take an hour of a consultant's time.

Frank Hanzlik, managing director of the Wi-Fi Alliance, which certifies wireless products, said, "We're very much in favor of strong security. Security is just something that people expect, whether it's a phone call they're making on a wired network, a call they're making over a cellular network or an e-mail that they're transmitting via a Wi-Fi network. It's a basic capability that everybody expects."

The law takes effect in October 2006.

Copyright 2006 The Associated Press. All rights reserved. This material may not be published, broadcast, rewritten, or redistributed.
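The county's survey described above (248 networks seen in a 20-minute drive, nearly half with no visible security) is the same check a business can run against its own premises before the compliance date. The following Python script is an added example, not code from the article, the county, or any vendor: it parses scan output laid out like the Linux `iwlist` tool prints it (the sample scan is constructed), classifies each network as open, WEP, WPA or WPA2, and flags factory-default SSIDs, which the law also singles out. The SSID list and the helper names are assumptions. One caveat the article does not make: "turning on the encryption available with the hardware" on 2006-era equipment often meant WEP, which was already known to be breakable, so WEP is reported separately here rather than counted as protected.

```python
import re

# Constructed sample in the layout of `iwlist <iface> scan` output (not a real capture).
SAMPLE_SCAN = """\
wlan0     Scan completed :
          Cell 01 - Address: 00:11:22:33:44:01
                    ESSID:"linksys"
                    Encryption key:off
          Cell 02 - Address: 00:11:22:33:44:02
                    ESSID:"Corner Cafe Guest"
                    Encryption key:off
          Cell 03 - Address: 00:11:22:33:44:03
                    ESSID:"dry-cleaner-pos"
                    Encryption key:on
          Cell 04 - Address: 00:11:22:33:44:04
                    ESSID:"NETGEAR"
                    Encryption key:on
                    IE: WPA Version 1
          Cell 05 - Address: 00:11:22:33:44:05
                    ESSID:"hotel-lobby"
                    Encryption key:on
                    IE: IEEE 802.11i/WPA2 Version 1
"""

# Illustrative factory-default network names (constructed list, not exhaustive).
DEFAULT_SSIDS = {"linksys", "default", "netgear", "dlink", "wireless", "belkin54g"}

_CELL_RE = re.compile(r"Cell \d+ - Address: ([0-9A-Fa-f:]{17})")


def parse_iwlist(text):
    """Parse iwlist-style scan text into dicts with bssid, ssid and encryption
    ('open', 'wep', 'wpa' or 'wpa2'). A key with no WPA/WPA2 information
    element is treated as WEP, which is how iwlist presents it."""
    networks = []
    cur = None
    for raw in text.splitlines():
        line = raw.strip()
        m = _CELL_RE.match(line)
        if m:
            cur = {"bssid": m.group(1).lower(), "ssid": "", "key": False, "wpa": None}
            networks.append(cur)
            continue
        if cur is None:
            continue  # header lines before the first cell
        if line.startswith("ESSID:"):
            cur["ssid"] = line[len("ESSID:"):].strip('"')
        elif line.startswith("Encryption key:"):
            cur["key"] = line.endswith(":on")
        elif "WPA2" in line:
            cur["wpa"] = "wpa2"
        elif "WPA Version" in line and cur["wpa"] is None:
            cur["wpa"] = "wpa"
    result = []
    for n in networks:
        enc = "open" if not n["key"] else (n["wpa"] or "wep")
        result.append({"bssid": n["bssid"], "ssid": n["ssid"], "encryption": enc})
    return result


def audit(networks):
    """Flag each network the way the county's survey did: no visible security,
    legacy WEP only, or a factory-default SSID."""
    findings = []
    for n in networks:
        issues = []
        if n["encryption"] == "open":
            issues.append("no visible security")
        elif n["encryption"] == "wep":
            issues.append("WEP only")
        if n["ssid"].lower() in DEFAULT_SSIDS:
            issues.append("default SSID")
        findings.append(dict(n, issues=issues))
    return findings


def summarize(findings):
    """Counts in the shape the article reports: total seen, how many unprotected."""
    return {
        "total": len(findings),
        "no_visible_security": sum("no visible security" in f["issues"] for f in findings),
        "wep_only": sum("WEP only" in f["issues"] for f in findings),
        "default_ssid": sum("default SSID" in f["issues"] for f in findings),
    }


if __name__ == "__main__":
    report = audit(parse_iwlist(SAMPLE_SCAN))
    for f in report:
        print(f"{f['bssid']}  {f['ssid']!r:22} {f['encryption']:5} {', '.join(f['issues']) or 'ok'}")
    print(summarize(report))
```

Run on a real `iwlist wlan0 scan` capture, the summary gives the two numbers the article quotes for the county survey, and the per-network findings show which access points would draw a warning under the law as described.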
From rforno at infowarrior.org Sun Apr 23 21:22:06 2006
From: rforno at infowarrior.org (Richard Forno)
Date: Sun, 23 Apr 2006 21:22:06 -0400
Subject: [Infowarrior] - RIAA sues a PC-less family for online file sharing
Message-ID:

Local family sued by record companies
http://news.mywebpal.com/news_tool_v2.cfm?show=localnews&pnpID=728&NewsID=713614&CategoryID=11575&on=1
04/22/06
By LOWELL VICKERS

A Rockmart family is being sued for illegal music file sharing, despite the fact that they don't even own a computer.

A federal lawsuit filed this week in Rome by the Recording Industry Association of America alleges that Carma Walls, of 117 Morgan St., Rockmart, has infringed on copyrights for recorded music by sharing files over the Internet. The lawsuit seeks an injunction and requests unspecified monetary damages.

The lawsuit states, "Plaintiffs are informed and believe that Defendant, without the permission or consent of Plaintiffs, has used, and continues to use, an online media distribution system to download the copyrighted recordings, to distribute the copyrighted recordings to the public, and/or to make the copyrighted recordings available for distribution to others."

This came as shocking news to the Walls family, who were notified of the lawsuit Friday afternoon by a newspaper reporter. James Walls, speaking on behalf of his wife and family, said they have not been served with legal papers and were unaware of the lawsuit. After being shown a copy of the court filing, Walls said he found the whole thing bewildering.

"I don't understand this," Walls said. "How can they sue us when we don't even have a computer?"

Walls also noted that his family has only resided at their current address "for less than a year." He wondered if a prior tenant of the home had Internet access, then moved, leaving his family to be targeted instead.

However, the RIAA's lawsuit maintains that Carma Walls, through the use of a file-sharing program, has infringed on the copyrights for the following songs: "Who Will Save Your Soul," Jewel; "Far Behind," Candlebox; "Still the Same," Bob Seger; "I Won't Forget You," Poison; "Open Arms," Journey; "Unpretty," TLC; "No Scrubs," TLC; and "Saving All My Love for You," Whitney Houston.

The lawsuit follows similar wording as in some 3,500 other lawsuits filed by the RIAA in the United States since June 2003. Typically, the lawsuits have targeted users of Kazaa, Grokster and other peer-to-peer Internet services -- most of which have since been shut down by RIAA lawsuits. With these services, users typically have an open folder on the computer that allows other users of the service access to any songs that have been saved in a digital format, such as MP3 files.

The RIAA lawsuits have come under fire, with critics calling the effort a "scare tactic" meant to intimidate the public from file sharing activities. However, in a public statement defending the litigation, the RIAA says its efforts have been effective in dissuading illegal activity.

"The industry's anti-piracy efforts have deterred a sizeable number of would-be illegal downloaders," the RIAA statement reads. "Although a significant online problem undoubtedly persists, particularly with hard-core, frequent peer-to-peer users, absent action by the industry, the illegal downloading world would be exponentially worse."
From rforno at infowarrior.org Mon Apr 24 08:01:41 2006
From: rforno at infowarrior.org (Richard Forno)
Date: Mon, 24 Apr 2006 08:01:41 -0400
Subject: [Infowarrior] - Four Months Later, In-Q-Tel Again Needs New CEO
Message-ID:

Four Months Later, In-Q-Tel Again Needs New CEO
By Terence O'Hara
Monday, April 24, 2006; D01
http://www.washingtonpost.com/wp-dyn/content/article/2006/04/23/AR2006042300701_pf.html

Amit Yoran resigned over the weekend as chief executive of In-Q-Tel, the venture capital arm of the U.S. spy community, after less than four months on the job.

Yoran, a seasoned technology entrepreneur and investor as well as a former head of cybersecurity for the Department of Homeland Security, had led In-Q-Tel since January. He said yesterday that his reasons for leaving were entirely personal, including a desire to spend less time on the road and more with his family. He and his wife have three young children. In-Q-Tel has investments all over the country, and Yoran has traveled extensively. Considered a success inside the Central Intelligence Agency, which created it, In-Q-Tel's mandate has been expanding to find more technology for more spy agencies.

"It's a very amicable parting," said Yoran, 35. "I will say I'm sorry and disappointed as well. But these are personal issues. . . . My continued performance as CEO was not going to be possible."

Yoran said he will continue to work with In-Q-Tel as a part-time consultant. Before taking the chief executive job four months ago, Yoran had invested money in several private technology companies. He continues to serve on several company boards.

Lee A. Ault III, chairman of In-Q-Tel's board of trustees, said he accepted Yoran's resignation "with regret."

"In-Q-Tel has benefited from Amit's vision and leadership during his tenure as CEO," Ault said in a statement. "We appreciate his service to In-Q-Tel, and we look forward to continuing In-Q-Tel's unique and important mission of delivering important and cutting edge technologies to the CIA and the intelligence community."

In-Q-Tel calls itself a venture capital firm, but venture investing is a small part of what it does. The CIA created the organization as a nonprofit, and its job was to identify technologies being funded and developed by the private sector that could have value in intelligence-gathering or national security applications. In-Q-Tel makes small investments in start-up companies, almost always as a junior partner to traditional venture capital funds. Most of In-Q-Tel's money goes toward evaluating and funding the technology to make sure the CIA or other intelligence agencies can use it.

Yoran had begun to ramp up In-Q-Tel's investment activity to meet its growing budget and responsibilities. He said the organization has an annual budget of more than $50 million -- up from $30 million to $35 million several years ago -- and includes as "investors" several other intelligence and homeland security agencies in addition to the CIA. In its early years, In-Q-Tel was funded almost entirely by the CIA. All of In-Q-Tel's contacts with the intelligence community, no matter the agency, still run through a special office inside the CIA.

Last month, Yoran hired his old friend, Mark Frantz, a well-known local venture capitalist who spent the past five years with the Carlyle Venture Partners, as In-Q-Tel's managing general partner. Frantz in an interview last week said the organization would be hiring more people for its investing team.

"We're not exactly taking out help-wanted ads, but we want to add to our venture team," Frantz said. "We've got some very talented folks here, but we're here to turn it up a notch."

Yoran took over from founding chief executive Gilman Louie, who ran In-Q-Tel since its 1999 inception. The board is expected to appoint an interim chief executive this week and begin a national search for Yoran's replacement.

Yoran said 120 technologies partly funded by In-Q-Tel have been deployed by the CIA or other agencies. "Unfortunately, we can't talk about the specific uses," he said.

From rforno at infowarrior.org Mon Apr 24 08:10:34 2006
From: rforno at infowarrior.org (Richard Forno)
Date: Mon, 24 Apr 2006 08:10:34 -0400
Subject: [Infowarrior] - 'World of Warcraft' battles server problems
Message-ID:

'World of Warcraft' battles server problems
By Daniel Terdiman
http://news.com.com/World+of+Warcraft+battles+server+problems/2100-1043_3-6063990.html
Story last modified Mon Apr 24 04:17:06 PDT 2006

With 6 million subscribers, each of whom pays $15 a month, Blizzard Entertainment's online game "World of Warcraft" has become a billion-dollar enterprise. Now comes the hard part: Making sure WoW is always up and running.

Some players are angered by ongoing server problems that have led the game to crash without warning while they were playing. Complaints have also surfaced about long lag times and frustrating waits to even play.

Despite Blizzard's contention that it's been keeping WoW customers informed of system problems at all times, some players contend that the company has been slow to react to complaints and reluctant to offer support when problems arise.

According to players, the problems have been especially acute since Blizzard implemented its last major patch to WoW, in late March. At that time, the company acknowledged it had some temporary server problems but said they'd resolve themselves within hours. But some players say that ever since then, they've routinely encountered "urgent maintenance" that can result in being booted from the game at any time.

"Being a system administrator myself, I have some understanding of what goes on in a corporate data center," said Evgeny Krevets, a sometimes-frustrated WoW player.
"I don't know Blizzard's system setup. What I do know is that if I kept performing 'urgent maintenance' and taking the service down without warning for eight-hour periods, I would be out of a job."

Blizzard blames some of the problems--such as the disconnection, for several hours on Friday, of players linked to several servers--on AT&T, its network provider. (AT&T did not respond to a request for comment.) It also argues that online games like WoW that have to manage hundreds of thousands, or millions, of accounts, are simply prone to network issues.

"Due to the complex nature of massively multiplayer games like 'World of Warcraft,' technical issues such as the ones some of our players have experienced recently may occur on occasion," Blizzard spokeswoman Lisa Jensen said in an e-mail to CNET News.com. "Our commitment to our players is to provide effective solutions as quickly and carefully as possible whenever any such situation occurs."

WoW is what is known as a "sharded" online game. That means the game's many players are divided up among a large number of servers, or "shards," because no individual server could handle the full player base. This is common in the online games space. As a result, players can usually choose which server they wish to play on, and each server can take on its own characteristics due to the specific guilds that play on them. In some games, like "EverQuest II," different servers can even have different operating rules.

Certainly, WoW is hardly the first online service to be hit by network and server problems. Over the years, services like eBay, Amazon.com and E*Trade have all dealt with various forms of outages. And even some WoW players who are frustrated by the inconsistency of their game acknowledge that providing constant uptime is tricky, especially considering how fast the service has grown.

"I don't know how much I fault (Blizzard), since many of my own companies have had scaling problems," said Joi Ito, a venture capitalist who has put money into well-known online outfits such as Technorati, and who runs a WoW guild--or team--filled with other tech executives and well-known bloggers. "However, the uptime is really not (at an acceptable) level for a real commercial service, so I hope they get better."

Ito said the server problems have been particularly frustrating for him and his guild members because of the particular flavor of virtual "quests" they often run in WoW.

"Difficulty logging in (and) servers going down--it's become a normal part of our lives," Ito said. "It really does suck for us because we're running higher-level (quests) where it takes us a few hours to get to the (goal) and sometimes the server suddenly goes down right near the end before we finish. And they are unannounced (and) you just see people on the server--guild list--start dropping off."

Another member of Ito's guild said he too had been having problems with the WoW servers, though of a different nature.

"I have waited to get online the last couple times I have played," said Eric Haller, a San Francisco blogger and investor. "We moved (servers) because the old server was doing that, and now the brand new server is having the same issues."

Haller said he attributes the wait times--often about 10 to 15 minutes--to WoW's growth being so fast. He joked about how long he has to wait.

"When you live on Internet time, 10 minutes can seem like an eternity of delayed gratification," Haller said, "so it can be pretty frustrating."

Not all WoW players have experienced the server problems, and even some who have complained note that the issue may be slowly resolving itself.

"I decided to switch to another server over a week ago," Krevets said. "The amount of issues and problems I experienced were just too much for me. The new server that I've been playing on has not experienced any log-in problems or queues, so I've been quite happy so far."

In any case, with no shortage of massively multiplayer online games, such as "EverQuest," "City of Heroes," "Ultima Online" and others, on the market, some might wonder why angry WoW players don't just walk away.

But some say WoW has reached its 6 million subscriber threshold--no other American massively multiplayer online game has even broken a million--because its game play is easier to grasp for mainstream players. And because there are few other practical options for many such players, they feel Blizzard should take the performance problems more seriously.

"The thing is, there is no other real alternative" to WoW, Ito said. "So they sort of have a natural monopoly, and that's why people are so mad, I think. They can't vote with their feet. They just have to wait. And 'Blizz' has to realize that they have millions of hours of people's time hostage and should feel that responsibility."

Copyright © 1995-2006 CNET Networks, Inc. All rights reserved.

From rforno at infowarrior.org Mon Apr 24 08:16:21 2006
From: rforno at infowarrior.org (Richard Forno)
Date: Mon, 24 Apr 2006 08:16:21 -0400
Subject: [Infowarrior] - OSVDB Selected for Google's Summer of Code 2006
Message-ID:

OSVDB Selected for Google's Summer of Code 2006

We are very pleased to report that OSVDB was selected for Google's Summer of Code! This is great news as we hope to get some of the services and projects that have been on the back burner due to lack of development resources finally launched!

You can read about Google's SoC here: http://code.google.com/soc/

With our Summer of Code project work, we hope to make several exciting enhancements to OSVDB's public services. We have provided a list of important projects we are currently planning for -- however we are open to proposals for other projects and ideas.
You can read about OSVDB's Project Ideas here: http://www.osvdb.org/summerofcode.php

OSVDB has been working very hard to provide many additional types of services to the community. Unfortunately, as mentioned due to lack of development resources we have been unable to make much of this happen. We now have an opportunity to possibly deliver on the OSVDB Portal and OSVDB Ethical Disclosure Framework commitments that we made when the project first opened.

You can read the public announcements with our intentions to provide OSVDB portal and disclosure services:

OSVDB Objectives
http://www.osvdb.org/OSVDB-Objectives.php

Vendor Dictionary Announcement
http://www.osvdb.org/news.php#vendorDictSiteUpgrade

Personally, I am absolutely thrilled that we may have the resources to develop the OSVDB Ethical Disclosure Framework. This has been one of the projects that I have been wanting for years and is validated as we see more and more issues with the disclosure process! I have believed all along that OSVDB can be the service that helps to improve, streamline and more importantly removes the mystery of the breakdowns in the process. OSVDB has been handling one-off disclosures for researchers over the past 3-4 years and it is not an easy task. The amount of time it takes to handle a disclosure process is huge. We realized early on that a lot of the process needed to be automated in order to be successful and repeatable. Hopefully, there are some students out there that want to be a part of creating this service and we can get it launched by the end of the year!

From rforno at infowarrior.org Mon Apr 24 08:18:58 2006
From: rforno at infowarrior.org (Richard Forno)
Date: Mon, 24 Apr 2006 08:18:58 -0400
Subject: [Infowarrior] - Word's Hidden Tags Reveal Once-Anonymous Peer Reviewers
Message-ID:

http://chronicle.com/free/v52/i33/33a04101.htm
From the issue dated April 21, 2006

Microsoft Word's Hidden Tags Reveal Once-Anonymous Peer Reviewers
By JEFFREY R. YOUNG

The peer-review process at many academic journals is intended to be blind, meaning that authors do not know who is reviewing their work. But a little-known setting in Microsoft Word has led to the unmasking of some peer reviewers, compromising the anonymity of the process.

Keyne A. Cheshire, an assistant professor of classics at Davidson College, in North Carolina, is new to scholarly publishing. He recently discovered the problem by accident. After submitting an article to a journal in his field, he received a reviewer report by e-mail, forwarded from the journal's editor (he declined to name the journal or editor). The report, which Mr. Cheshire said included some "hefty criticism" of his article, arrived as a Microsoft Word file attached to the e-mail message.

When Mr. Cheshire opened the document, he noticed that it seemed to have been created using a British version of Word. Curious, he clicked on the document's preferences and was surprised to see a screen labeled "Summary" that listed the name of the person who had created the document -- someone in his discipline whom he knew.

"I didn't want to know who my reviewer is," he said, adding that he had no idea that the reviewer's name might be embedded in the file. He said other names were listed in the summary information as well, including the name of the journal's editor, who had apparently also opened the document at some point, and even the name of an information-technology-support official from the reviewer's university.

Easy to Find

As it turns out, Microsoft Word automatically tags every document with an author field, based on information pulled from the user's computer, when the file is first saved. It isn't hard to pull up that tag: It is visible by pulling down the "File" menu, clicking on "Properties," and selecting the "Summary" tab. It is possible to remove the tag manually -- one document at a time.

Editors at some academic journals have been aware of the issue for some time and have devised guidelines telling reviewers how to keep Microsoft Word documents anonymous. One such journal is Women in German Yearbook, which gives reviewers a one-page guide called "Anonymity Instructions for Electronic Review."

"It's something that would have never even occurred to me," said Margaret R. McCarthy, who first learned about the problem when she became co-editor of the journal about a year ago and was shown the guidelines. "This is just basic knowledge that any editor should have," said Ms. McCarthy, who is an associate professor of German and Russian at Davidson.

S. Douglas Olson, who is editor of Classical Journal and a professor of classical and Near Eastern studies at the University of Minnesota-Twin Cities, said he stumbled upon the problem the hard way: After writing one of his first reviews, he got a note from the author, who should not have known his identity, alerting him that he had left his name in the document's summary field.

"Luckily they were very positive referee reports," said Mr. Olson. He immediately informed the journal's editor, who was also unaware of the possibility that reviewers' names might be hidden in Word documents. "She was just horrified," he said.

Scope Is Unclear

Many journals, including the journal to which Mr. Cheshire submitted his article, use a double-blind process -- the reviewers are not supposed to know who the authors are, either. That means that hidden tags in electronic submissions could give away an author's identity as well.

It is unclear how many journals could be affected. Not all journals use a blind peer-review process. Some journals still distribute documents to reviewers and authors by postal mail. Many journals, especially in technical fields, e-mail documents as PDF files, and in many cases, converting documents to such files removes identifying tags.
Still, use of Microsoft Word among scholarly journals appears widespread. "Probably most production of journals and the review of most journal articles is being done in Word," said John Unsworth, dean of the graduate school of library and information science at the University of Illinois at Urbana-Champaign and a founder of one of the earliest electronic journals, Postmodern Culture. He said that when he edits articles, he creates a new file in which he incorporates the comments of several reviewers, rather than forwarding the files the reviewers created.

A spokesperson for Microsoft, Catherine B. Brooker, said she had heard no complaints from professors about the tagging. She said that document-summary tags are designed to help businesses manage the flow of documents. "It's metadata," she said. "From a records-management perspective, you might want to hang onto it. But at the same time, Microsoft realizes that you may not want to have all this information out there publicly."

Ms. Brooker said that a forthcoming edition of Microsoft Word, part of Microsoft Office 2007, will have a new feature called Document Inspector that will help users strip unwanted identifiers from documents. "A review process is part of everyone's lives, whether you're in academia or not," she said. The new feature, she added, is designed to "give people more power in how that review process happens."

Several academic leaders contacted by The Chronicle said they were unaware of the problem, and some were not sure whether their editorial practices allowed reviewers' names to be revealed.

"This is completely new to me," said Jana Argersinger, vice president of the Council of Literary Magazines and Presses. "It may be that none of our submitters have been savvy enough to know about it."

"I have never heard of this," said Rosemary G. Feal, executive director of the Modern Language Association. "And I myself am a journal editor." She said that the journals she works with did not send reviewer comments directly to authors as Word files. "We're now preparing a new edition of our MLA Style Manual," she added. "We tell a million things to authors. This is something that we might need to tell them."

Journal-Editing Systems

Some journal editors say they use software systems designed to manage the review process, and that many of those systems prevent reviewers' names from slipping out.

Margaret Ann Winker, deputy editor of the Journal of the American Medical Association, said the journal uses a Web-based system to manage its review and editing process. Dr. Winker said the system, eJournalPress, automatically converts Word documents submitted by reviewers to PDF format and clears out identifying tags. "Prior to that we copied and pasted reviews into e-mail documents," she said. "We haven't used Word documents as attachments for that very reason."

The American Chemical Society uses a software package from ScholarOne called Manuscript Central. "It's our understanding that they've totally solved this problem," said Cheryl Shanks, vice president and director of editorial office operations at ACS Publications. "We've been aware of this since we first implemented online submission."

Other journal editors who know about the potential pitfall of using electronic documents have decided to stick with postal mail. "That's why SEL Studies in English Literature 1500-1900 only forwards to our authors a paper copy of readers' reports," said Robert L. Patten, the journal's editor and a professor of humanities at Rice University. "In spite of institutional pressures to save postage and time by using electronic communications, we've been very slow to tamper with paper and print on highly confidential parts of the publishing process."

Spreading the Word

Since his accidental discovery, Mr. Cheshire has worked to tell his colleagues about it, hoping to preserve the anonymity of the peer-review process in the electronic age. He informed Davidson's information-technology department, for instance, which in response has issued a fact sheet on its Web site on "Removing Personal Data From Office Documents."

"I would guess that the vast majority of folks just don't know that that's there," said Mur K. Muchane, executive director of information-technology services at Davidson.

Mr. Cheshire also informed an official at the American Philological Association, David Konstan, who like many was also unaware of the issue. Mr. Konstan is chairman of the group's committee on professional matters and is a professor of classics and comparative literature at Brown University. "I've contacted all the members of the committee to let them know that we should be thinking of this," said Mr. Konstan.

'A Bit Curious'

Meanwhile, several professors interviewed for this article worried that spreading details on how to dig out identifier tags of Word documents could lead some people who never knew of the possibility to do some sleuthing in old files they have received.

"Who would not be just a bit curious about the identity of one's reviewers, whether kind or cruel?" said Gail L. Shivel, a lecturer in English at the University of Miami and associate editor of Menckeniana, in an e-mail interview. She said that many people will soon be "opening up old reviews they have received, especially negative ones, to see if they can find out who wrote them.

"The wielder of the stinging lash might make a permanent enemy, as scholars seem to have long memories for criticism."
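The "Summary" fields the article describes (the author who first saved the file and whoever last modified it) still exist in today's Office files, where they live in the `docProps/core.xml` and `docProps/app.xml` parts of the zip-based .docx package. The Python script below is an added example, not code from the article, Microsoft, or any of the journals named: it builds a constructed minimal .docx, reads those identifying fields the way an editor's desk check or a mail gateway could, and writes back a copy with them blanked, which is what the Document Inspector mentioned above and the journals' PDF conversion achieve. It handles only the OOXML container; the binary .doc format of 2006 stores the same summary information in an OLE structure this script does not parse. The helper names and sample values are assumptions.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# XML namespaces used by the OOXML package metadata parts.
NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "dcterms": "http://purl.org/dc/terms/",
    "xsi": "http://www.w3.org/2001/XMLSchema-instance",
    "ep": "http://schemas.openxmlformats.org/officeDocument/2006/extended-properties",
}
for _prefix, _uri in NS.items():
    ET.register_namespace(_prefix, _uri)

# Fields that name a person or organisation, by package part.
IDENTITY_FIELDS = {
    "docProps/core.xml": {"creator": "dc:creator", "lastModifiedBy": "cp:lastModifiedBy"},
    "docProps/app.xml": {"company": "ep:Company", "manager": "ep:Manager"},
}


def build_sample_docx(creator, last_modified_by, company):
    """Constructed minimal .docx package (assumption: just enough structure to carry
    the metadata parts; not a file produced by Word)."""
    core = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        '<cp:coreProperties xmlns:cp="{cp}" xmlns:dc="{dc}" xmlns:dcterms="{dcterms}" xmlns:xsi="{xsi}">'
        '<dc:title>Referee report</dc:title>'
        '<dc:creator>{creator}</dc:creator>'
        '<cp:lastModifiedBy>{lmb}</cp:lastModifiedBy>'
        '<dcterms:created xsi:type="dcterms:W3CDTF">2006-04-01T10:00:00Z</dcterms:created>'
        '</cp:coreProperties>'
    ).format(creator=creator, lmb=last_modified_by, **NS)
    app = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        '<Properties xmlns="{ep}"><Application>Microsoft Office Word</Application>'
        '<Company>{company}</Company></Properties>'
    ).format(company=company, ep=NS["ep"])
    content_types = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
        '<Default Extension="xml" ContentType="application/xml"/>'
        '<Override PartName="/docProps/core.xml" ContentType="application/vnd.openxmlformats-package.core-properties+xml"/>'
        '<Override PartName="/docProps/app.xml" ContentType="application/vnd.openxmlformats-officedocument.extended-properties+xml"/>'
        '</Types>'
    )
    document = ('<?xml version="1.0"?><w:document xmlns:w="http://schemas.openxmlformats.org/'
                'wordprocessingml/2006/main"><w:body/></w:document>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", content_types)
        z.writestr("docProps/core.xml", core)
        z.writestr("docProps/app.xml", app)
        z.writestr("word/document.xml", document)
    return buf.getvalue()


def list_parts(docx_bytes):
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        return z.namelist()


def read_identity(docx_bytes):
    """Return the identifying fields found in the package, "" when absent."""
    found = {}
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        names = set(z.namelist())
        for part, fields in IDENTITY_FIELDS.items():
            root = ET.fromstring(z.read(part)) if part in names else None
            for key, path in fields.items():
                el = root.find(path, NS) if root is not None else None
                found[key] = (el.text or "").strip() if el is not None else ""
    return found


def _blank_fields(xml_bytes, fields):
    """Empty the named elements, keeping everything else in the part intact."""
    root = ET.fromstring(xml_bytes)
    for path in fields.values():
        el = root.find(path, NS)
        if el is not None:
            el.text = ""
    return ET.tostring(root, xml_declaration=True, encoding="UTF-8")


def scrub_identity(docx_bytes):
    """Rewrite the package with the identifying fields emptied; other parts are copied as-is."""
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zin, \
            zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as zout:
        for item in zin.infolist():
            data = zin.read(item.filename)
            if item.filename in IDENTITY_FIELDS:
                data = _blank_fields(data, IDENTITY_FIELDS[item.filename])
            zout.writestr(item.filename, data)
    return out.getvalue()


if __name__ == "__main__":
    sample = build_sample_docx("Reviewer Name", "Editor Name", "Example University")
    print("before:", read_identity(sample))
    print("after: ", read_identity(scrub_identity(sample)))
```

Pointing `read_identity` at a real .docx is the check an editor can run before forwarding a report; comments, tracked changes and custom properties are separate parts of the package that this script leaves alone, which is why the article's editors who convert to PDF or paste text into a fresh file are still on the safer side.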
http://chronicle.com
Section: Information Technology
Volume 52, Issue 33, Page A41

From rforno at infowarrior.org Mon Apr 24 09:00:58 2006
From: rforno at infowarrior.org (Richard Forno)
Date: Mon, 24 Apr 2006 09:00:58 -0400
Subject: [Infowarrior] - Judge orders record labels to turn over documents
Message-ID:

Judge orders record labels to turn over documents
By Reuters
http://news.com.com/Judge+orders+record+labels+to+turn+over+documents/2100-1027_3-6064055.html
Story last modified Sun Apr 23 18:57:17 PDT 2006

A U.S. federal judge has ordered major record labels to turn over privileged documents after finding they may have used misleading information to convince the government to abandon a major antitrust probe.

The ruling late on Friday from U.S. District Judge Marilyn Hall Patel in San Francisco came out of a dispute over which documents Vivendi Universal Music Group and EMI Group should be forced to release in a lengthy copyright battle over Bertelsmann's investment in music-swapping service Napster.

Prosecutors in 2001 began investigating whether music labels secretly worked together to use two joint ventures, MusicNet and Pressplay, to discourage digital downloading and protect CD sales by fixing digital music distribution terms.

During the investigation, the joint ventures and their record label parents each submitted a "white paper" to the Justice Department summarizing their arguments. They also provided documents that included redacted, or blacked out, sections to remove privileged material.

The U.S. Justice Department abandoned the probe in December 2003, citing no evidence of wrongdoing.

Napster investor Hummer Winblad Venture Partners, Bertelsmann's co-defendant in the lawsuit, charged that the arguments offered in the white papers were known to be false or misleading.

In the ruling, Patel said Hummer Winblad provided reasonable cause to believe that information in the white papers was "deliberately misleading."

Patel ordered UMG and EMI to turn over all previously held communications related to the antitrust investigation within 30 days of the order.

The parties could not immediately be reached for contact.

Story Copyright © 2006 Reuters Limited. All rights reserved.

From rforno at infowarrior.org Mon Apr 24 13:17:43 2006
From: rforno at infowarrior.org (Richard Forno)
Date: Mon, 24 Apr 2006 13:17:43 -0400
Subject: [Infowarrior] - Symantec and Intel Collaborate to Change Security Computing Model
Message-ID:

...yeah, yeah, it's a press release. Interesting stuff, though. -rf

Symantec and Intel Collaborate to Change Security Computing Model
http://news.moneycentral.msn.com/printarticle.asp?Feed=MW&Date=20060424&ID=5663942

Symantec Corp. (NASDAQ: SYMC) today announced it is working with Intel Corp. to build security solutions for the new Intel(R) vPro(TM) technology that will allow IT managers to effectively manage security threats outside the main PC operating system (OS). In this isolated virtual environment embedded within Intel vPro technology, Symantec's security solutions will be more tamper resistant and always on, monitoring and protecting the desktop.

In the emerging threat landscape, enterprises face security attacks that are increasing in complexity, frequency, and malicious intent. Additionally, the window of time between vulnerability disclosure and exploit is shrinking while the severity of vulnerabilities is increasing. To make the situation even more challenging, a new type of modular malicious code is increasingly used to take advantage of vulnerabilities in the operating system and desktop applications to disable security software on user systems. The end result is that enterprises are left more vulnerable when only traditional security protections in the primary OS are installed on the machine.
"By isolating the computer's protection in a virtual environment outside the main operating system, enterprises will have confidence that the security itself has not been compromised, that it is always on, and that they can trust the result that it gives," said Jeremy Burton, senior vice president of enterprise security and data management, Symantec. "We believe this new approach will improve security and reduce the overall cost of administration." Symantec's solutions for the Intel vPro technology will offer enterprises several key benefits by taking advantage of the new virtualization capabilities built into PCs with Intel vPro technology. These capabilities will allow Symantec to build a tamper-resistant virtual security solution. The security functionality will operate in a secure environment separate from the user OS, where it will be unaffected by issues with the user OS. In the event malware is successful in infecting a desktop environment, the Symantec virtual security solution will contain the threat on that particular desktop, isolating it from other network resources. Since this new solution is built specifically for security and is separate from the primary OS, it offers IT departments a separate, stable environment from which to protect the desktop from attacks. "Intel and Symantec are committed to providing customers with the strongest and most manageable client security available to small, medium and large businesses," said Robert Crooke, vice president and general manager of Intel's Business Client Group. "The combination of Intel vPro technology and Symantec's virtual security solution will provide a new level of control over malicious attacks, simplify management, and increase confidence in endpoint security." Symantec and Intel's collaboration will focus on providing unprecedented next generation security solutions during the coming years. 
Together, the two companies will aim to provide robust security solutions in a way that is cost effective for IT administrators, yet gives them an appropriate level of control and helps ensure system and regulatory compliance on desktop PCs.

About Symantec
Symantec is the world leader in providing solutions to help individuals and enterprises assure the security, availability, and integrity of their information. Headquartered in Cupertino, Calif., Symantec has operations in more than 40 countries. More information is available at www.symantec.com.

NOTE TO EDITORS: If you would like additional information on Symantec Corporation and its products, please visit the Symantec News Room at http://www.symantec.com/news. All prices noted are in U.S. dollars and are valid only in the United States. Symantec and the Symantec Logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners.

Distributed by Market Wire

CONTACT: Linda Smith Munyan, Symantec Corporation, +1 (415) 738 2686, linda_s_munyan at symantec.com; David Forstrom, Connect Public Relations, +1 (703) 234 5390, davidf at connectpr.com

Copyright 2006 Market Wire

From rforno at infowarrior.org Mon Apr 24 14:15:01 2006
From: rforno at infowarrior.org (Richard Forno)
Date: Mon, 24 Apr 2006 14:15:01 -0400
Subject: [Infowarrior] - For MySpace, Making Friends Was Easy. Big Profit Is Tougher.
Message-ID:

April 23, 2006
For MySpace, Making Friends Was Easy. Big Profit Is Tougher.
By SAUL HANSELL
http://www.nytimes.com/2006/04/23/business/yourmoney/23myspace.html?ei=5087%0A&en=a1a7f5cd0593bf13&ex=1146024000&pagewanted=print

SANTA MONICA, Calif. ALMOST on a lark, Chris DeWolfe bought the Internet address MySpace.com in 2002, figuring that it might be useful someday. At first, he used the site to peddle a motorized contraption, made in China and called an E-scooter, for $99.
Selling products online comes naturally to him. Having jumped into the Internet business in the early days, Mr. DeWolfe had become a master of the aggressive forms of online marketing, including e-mail messages and pop-up advertising. After the Internet bubble burst, he even built a site that let people download computer cursors in the form of waving flags; the trick was that they also downloaded software that would monitor their Internet movements and show them pop-up ads. Very quickly, however, Mr. DeWolfe's tactics for MySpace changed. He had noticed the popularity of Friendster, a rapidly growing Web site that let people communicate with their friends and meet the friends of their friends. What would happen, he wondered, if he combined this type of social networking with the sort of personal expression enabled by other sites for creating Web pages or online journals? He convinced the executives of eUniverse, the company that had bought his own marketing firm, ResponseBase, to back his plan. As soon as the site was reintroduced, in the summer of 2003, Mr. DeWolfe saw it grow quickly with little marketing. And although his scrappy backer was hungry for cash, he resisted pressure to flood MySpace with advertising and to turn all of its members into money. "Chris came from ResponseBase, and they knew all the direct marketing tactics to get money out of almost anything," said Brett C. Brewer, the former president of eUniverse, which was later renamed Intermix Media. "But I give him credit: from literally the first or second month, he realized MySpace could be something we really need to protect because user confidence in the site was paramount." Now MySpace has a new owner -- Rupert Murdoch's News Corporation, which bought MySpace and Intermix last year for $649 million -- and the pressure on Mr. DeWolfe to find a way to make much more money from MySpace is far greater. But the opportunity is greater, too. More than 70 million members have signed up --
more than twice as many as MySpace had when Mr. Murdoch agreed to buy it -- drawn by a simple format that lets users build their own profile pages and link to the pages of their friends. It has tapped into three passions of young people: expressing themselves, interacting with friends and consuming popular culture. MySpace now displays more pages each month than any other Web site except Yahoo. More pages, of course, means more room for ads. And, in theory, those ads can be narrowly focused on each member's personal passions, which they conveniently display on their profiles. As an added bonus for advertisers, the music, photos and video clips that members place on their profiles constitute a real-time barometer of what is hot. FOR now, MySpace is charging bargain-basement rates to attract enough advertisers for the nearly one billion pages it displays each day. The company will have revenue of about $200 million this year, estimated Richard Greenfield of Pali Capital, a brokerage firm in New York. That is less than one-twentieth of Yahoo's revenue. In buying MySpace, Mr. Murdoch also bought a tantalizing problem: how to tame a vast sea of fickle and unruly teenagers and college students just enough to notice advertising or to buy things, yet not make the site so commercial that he scares off his audience. At the same time, he must address the real and growing concerns of parents and teachers who see MySpace as a den of youthful excess and, potentially, as a lure for sexual predators. Mr. Murdoch's initial strategy seems to be to do nothing to interfere with whatever alchemy attracted so many young people to MySpace in the first place. So he has embraced Mr. DeWolfe, 40, and Tom Anderson, 30, the company's president and co-founder, and their close-knit management team.
And he is providing them with the cash to reinforce MySpace's shaky computer system and to hire armies of sales representatives to bring in more money from the banner ads and sponsored pages that MySpace sells. He also gave them multimillion-dollar bonus payments to smooth the feelings that were ruffled when Intermix was sold, dragging MySpace along with it against the will of its founders, who received only a small portion of the sale price. Still, change is coming. In Beverly Hills, nine miles and worlds away from MySpace's beachside office, the News Corporation is assembling its overarching online unit, Fox Interactive Media. Run by Ross Levinsohn, the longtime manager of FoxSports.com, Fox Interactive Media is stitching together several Web properties into a big Internet company focused on youth. The top priority is MySpace. "We have some very aggressive goals on how to build this thing into a real contributor to News Corp. financially," Mr. Levinsohn said last month. Mr. Murdoch, he added, "is focused on that, and he rightfully holds my feet to the fire." To expand ad sales, especially to big brands, Mr. Levinsohn plans to supplement the MySpace staff with a second sales force linked to the Fox TV sales department. He wants to expand one of Mr. DeWolfe's advertising ideas -- turning advertisers into members of the MySpace community, with their own profiles, like the teenagers' -- so that the young people who often spend hours each day on MySpace can become "friends" with movies, cellphone companies and even deodorants. Young people can link to the profiles set up for these goods and services, as they would to real friends, and these commercial "friends" can even send them messages -- ads, really, but of a whole new kind. Mr. Levinsohn is also developing plans for MySpace to be paid by some of the bands and video producers whose songs and short films are woven into its gaudy profiles like so many electronic stickers on a high-school locker.
And he sees a chance for MySpace to rival eBay and Craigslist as a place where nearly anything is bought and sold. Mr. Greenfield, the Pali Capital analyst, says that these moves have potential -- especially if MySpace can convince members to put clips from Fox movies, television programs and other youth-oriented "content" on their profile pages. "I don't know how big a business this can be, but it can clearly be a lot bigger than it is today," he said. "The question is: Can you take it to the next level by making a business that leverages all the consumers who are telling you what they want to do?" Another question is this: Can the News Corporation achieve these goals if the executives in charge don't agree on how to do so, or even on whether they want to? Mr. Levinsohn, for example, said he saw opportunity in the one million bands that have established profiles on MySpace; he said MySpace could charge bands to promote concerts or to sell their songs directly through the site. In an interview the next day, however, Mr. DeWolfe dismissed the idea. "Music brings a lot of traffic into MySpace," he said, "and it lets us sell very large sponsorships to those brands that want to reach consumers who are interested in music. We never thought charging bands was a viable business model." Mr. Levinsohn brushed aside the discord, saying it was appropriate for the people running MySpace to be more concerned at this point about serving users than making money. And, for now, Mr. DeWolfe and Mr. Anderson say they are happy working for the News Corporation and Mr. Murdoch, its 75-year-old chairman and chief executive. "Rupert Murdoch blew me away," Mr. DeWolfe said. "He really understands what youth is doing today." BY many accounts, the MySpace culture reflects the style of Mr. DeWolfe, who has a hard-nosed business approach under a laid-back exterior.
"Chris is a very strong personality," said Geoff Yang, a partner in Redpoint Ventures, which invested in MySpace last year as part of an effort to separate it from Intermix; the News Corporation's acquisition of Intermix thwarted that effort. "He will listen to a lot of ideas, make up his mind and be laser-focused to get a few of them done." Mr. DeWolfe, who focuses on business affairs, and Mr. Anderson, who designs features for the site, have deliberately kept MySpace rudimentary, with an almost homemade feeling, to give the most flexibility to users. In spirit, the site reflects its Southern Californian home with all of its idiosyncratic performers, designers, demicelebrities and other cultural hustlers, many of whom the founders recruited to be early members. Mr. DeWolfe, in particular, is a fan of Los Angeles nightlife and has become something of a public figure himself. "Chris has become this living persona of MySpace," said Mr. Brewer, who recalled a trip to Aspen, Colo., with Mr. Anderson and Mr. DeWolfe last December. "Chris is wearing an awesome leather jacket, some sort of designer shirt, with his hair all over the place. He has this whole rock-star persona. And you hear people going: 'Psst, psst. That's the MySpace guy.'" When he is not basking in the MySpace spotlight himself, Mr. DeWolfe has begun using it to promote music events around the country. MySpace members can become "friends" with a profile for "MySpace Secret Shows," for instance, and they will receive tips about free concerts -- sponsored by companies like Tower Records -- in their hometowns. On a recent Friday in Manhattan, several hundred people trekked through drizzling rain to the Tower Records store in the East Village for free tickets to a concert by Franz Ferdinand, the Scottish postpunk band, at the Hammerstein Ballroom. Heather Candella, a college student from Sloatsburg, N.Y., was among those at the show.
She said the shows were "a really good idea because it's kind of a secret kind of thing -- it's not so commercial." She added that MySpace had become a main way to stay in touch with her friends. While she does not use the site to meet people, it has become part of the dating ritual. "When you meet someone, the question is not 'What's your number?'" she said. "It's 'What's your MySpace?'" By checking out a guy's profile, she said, "you can actually get a feeling for who they are." MySpace users pepper their profiles with their own photographs, musings and poetry, and with their favorite music and video clips. That maximizes the individuality of each profile but turns the typical media-company business model upside down, which is one reason that it is so hard for the News Corporation to use the audience to sell ads or to promote its own programming. The best way to get, say, a television show in front of the MySpace audience is not to cut a deal with a programming czar at a Hollywood restaurant, but to win the hearts, one by one, of thousands of members who will display the show to all of their friends. "We can't look at this as a media property," said Peter Chernin, the News Corporation's president. "This is a site programmed by its users." For that reason, MySpace is only gingerly pushing users into other Fox properties. Right now, Fox's relationship to MySpace is not explicit, although Fox movies and television shows are frequent advertisers. Ultimately, the News Corporation will make it easy for MySpace members to put clips from its television programs and trailers for its movies on their profile pages. But there will be nothing to stop them from using material from other companies. Mr. Levinsohn calls MySpace the antiportal. "It's not about a central hub, because that's not where things are going," he said. "The under-30 set wants choice. It's not about one destination; it's about 65 million."
Indeed, rather than squeeze all its Internet ambitions into MySpace, Fox Interactive is assembling a network of Web sites, including IGN, a collection of sites focused on video games, and Scout, which runs Web sites for about 200 local sports teams. The News Corporation is also developing a portal devoted to entertainment, drawing from its Fox network programs, the Page Six gossip column of The New York Post and show-business reporters at the 35 local television stations it owns, Mr. Levinsohn said. AT MySpace, the first challenge is to raise advertising rates. Because its supply of pages so greatly outstrips demand from advertisers, it has offered deep discounts. Indeed, the average rate paid for advertising is a bit over a dime for 1,000 impressions, Mr. Levinsohn said, far lower than rates at major competitors. "If we can raise that by 10 cents, think of the upside," he said. One way to coax more money from advertisers is to build special sections -- areas devoted to music and independent filmmakers -- that provide a neutral home to advertisers that want MySpace's youthful audience but don't want their ads associated with the risqué content of some members' profiles. A sign of that challenge is seen in Mr. Levinsohn's effort to expand the use of text ads -- the rapidly growing format pioneered by search engines. He has been running tests with Yahoo, Google and several smaller ad providers and has sought proposals from them for longer-term deals. The answer he received was a shock. Not one of them, not even the mighty Google, was sure that it could provide enough advertisements to fill all the pages that MySpace displays each day, Mr. Levinsohn said. The search companies did not want to dilute their networks with so many ads for MySpace users, who they said were not the best prospects for most marketing because they use MySpace for socializing, not buying. Mr.
Levinsohn says he also hopes to raise ad rates by collecting more user data so advertisers can find the most promising prospects. To use the site, people need to provide their age, location and sex, and often volunteer their sexual orientation and personal interests. Some of that information is already being used to select ads to display. Soon, the site will track when users visit profile pages and other sections devoted to topics of interest to advertisers. People who put information about sports cars in their profiles or who frequent MySpace message boards about hot-rodding, for example, would be shown ads for car parts, even while reading messages from friends. The bigger opportunity, however, is not so much selling banner ads, but finding ways to integrate advertisers into the site's web of relationships. Wendy's Old Fashioned Hamburgers, for example, created a profile for the animated square hamburger character from its television campaign. About 100,000 people signed up to be "friends" with the square. Fox officials wonder whether this sort of commerce, built on relationships, can be extended to small businesses. A Ford dealership in, say, Indiana could create a profile, said Mark A. Jung, the chief operating officer of Fox Interactive. The profiles themselves, he said, would probably be free, but MySpace would sell enhancements to help businesses attract customers and complete transactions, Mr. Jung said. Yet here is another place that executives at Fox and MySpace don't see eye to eye. Mr. DeWolfe discounted the idea of people creating profile pages for small businesses. "If it was a really commercial profile -- the gas station down the street -- no one is going to sign up to be one of their friends," he said. "There is nothing interesting about it." For now, Mr. DeWolfe said, he has more down-to-earth plans. With the News Corporation's help, he is opening an office in London to coordinate MySpace's expansion in Europe.
He is cutting deals to let members connect to MySpace over cellphones. The News Corporation, he said, is helping MySpace achieve his goals sooner than it could on its own. So far this year, MySpace has spent $20 million of the News Corporation's money, in part to nearly double its staff of 250. About one-third of its employees focus on customer service and, increasingly, on responding to parents' concerns about what teenagers do on the site and what else they can see there. In the last six months, there has been a torrent of letters from schools to parents -- as well as newspaper articles -- about the glorification of drinking, drug use and sex on many MySpace profiles. MySpace has long had rules that forbid anyone under 14 to join and that ban pornographic images and hate speech. Beyond those, however, the site is very open to frank discussion, provocative images and links to all sorts of activities. It didn't stop Playboy magazine, for example, from creating a profile page on its site to recruit members to pose in the magazine. Nor does it object to Jenna Jameson, the pornographic film star, maintaining a profile with links to her hard-core Web site. Ms. Jameson "is more than a porn star," Mr. Anderson said. "She is an author and a celebrity and has been on Oprah." He added that "if we had a site that was 'My name is so-and-so and this is my porn site,' we would delete that." Mr. Levinsohn, Mr. DeWolfe and others at the News Corporation say the site has no more or fewer problems than any other community on the Internet, and their primary response to parents' concern is a campaign to educate users about safe surfing techniques. "There are a couple of basic safety tips that can make MySpace safe for anyone over 14," Mr. DeWolfe said. "Just like you tell kids not to get in the car with strangers and to look both ways before you cross the street."
A sign that MySpace can play a role in some of the most distressing experiences of growing up came last week, when five teenage boys were arrested in Riverton, Kan. Law enforcement and school officials there said that the group planned to go on a shooting spree at their high school but were stopped after one of them discussed the plot on MySpace. IN some ways, MySpace has assumed the role America Online held a decade ago when it introduced e-mail services and Internet chat to the masses. But AOL's example is a cautionary one. For many reasons, largely its failure to keep up with trends, AOL lost its place in the social lives of young people. Mr. DeWolfe argues that MySpace won't suffer that fate because, in just two years, it has already become so entrenched in so many lives. "People are truly invested in the site," he said. "All their friends are on it. They spent months building their profiles. And so the cost of switching is too high. If we keep building the features they want, they will stay on the site." If he is right, MySpace will be more than just a trendy toy to be discarded like last year's E-scooter.

From rforno at infowarrior.org Mon Apr 24 20:48:00 2006
From: rforno at infowarrior.org (Richard Forno)
Date: Mon, 24 Apr 2006 20:48:00 -0400
Subject: [Infowarrior] - More on "DMCA 2.0"
Message-ID:

The Bill the Hollywood cartels don't want you to see

Many of you have seen or heard about the new amendment to the DMCA being sent to Congress by the Dep. of Justice. We've gotten a copy of the proposed bill and it's worse than we could have imagined. This is a concerted effort to escalate Hollywood's war on America by creating a generation of criminals and sending them off to jail. That's right: the "Intellectual Property Protection Act of 2006" (IPPA) would double the authorized prison terms for existing copyright infringement, create a host of new offenses, and establish a division within the FBI to hunt down infringers.
The Members of Congress in the pockets of the Hollywood cartels want to divert $20 million a year and FBI agents from fighting real criminals so they can go after people without computers.

http://ipaction.org/blog/2006/04/bill-hollywood-cartels-dont-want-you_24.html

The full bill is at: http://ipaction.org/media/Draft_DOJ_IP_bill.pdf

From rforno at infowarrior.org Tue Apr 25 07:53:06 2006
From: rforno at infowarrior.org (Richard Forno)
Date: Tue, 25 Apr 2006 07:53:06 -0400
Subject: [Infowarrior] - Security Myths and Passwords
Message-ID:

Security Myths and Passwords
April 19th, 2006 by spaf in General, Secure IT Practices
Prof. Eugene Spafford
http://www.cerias.purdue.edu/weblogs/spaf/general/post-30/

(This is an updated version of a contribution I made to the Educause security mailing list last week.)

In the practice of security we have accumulated a number of "rules of thumb" that many people accept without careful consideration. Some of these get included in policies, and thus may get propagated to environments they were not meant to address. It is also the case that as technology changes, the underlying (and unstated) assumptions underlying these bits of conventional wisdom also change. The result is a stale policy that may no longer be effective -- or possibly even dangerous. Policies requiring regular password changes (e.g., monthly) are an example of exactly this form of infosec folk wisdom. From a high-level perspective, let me observe that one problem with any widespread change policy is that it fails to take into account the various threats and other defenses that may be in place. Policies should always be based on a sound understanding of risks, vulnerabilities, and defenses. "Best practice" is intended as a default policy for those who don't have the necessary data or training to do a reasonable risk assessment. Consider the underlying role of passwords: authentication.
Good authentication is intended to support access control, accountability and (in some cases) accounting. Passwords provide a cost-effective and user-familiar form of authentication. However, they have a number of failure modes depending on where they are used and the threats arrayed against them. Failure modes include disclosure, inference, exposure, loss, guessing, cracking, and snooping. In the most general case, passwords (such as the security numbers on credit cards, or mother's maiden name) are not sufficiently secret and are simply too weak to use as strong authenticators. I'll skip this case, although it is far too pervasive to actually ignore. Disclosure is a systemic threat on the platforms involved, as well as in the operational methods used to generate and transmit the passwords. This cannot be addressed through changing the password. Instead, the methods used to generate and distribute passwords need to be examined to ensure that the passwords are not disclosed to the wrong parties. Most operating systems are currently designed so that passwords are not stored "in the clear" and this reduces the chance of disclosure. Unfortunately, some 3rd-party applications (including web-based systems) fail to adequately guard the passwords as they are entered, stored, or compared, resulting in potential disclosure. Another form of disclosure is when the holder of the password discloses the password on purpose. This is an education and enforcement issue. (Anecdote: at one location where a new policy was announced that passwords must be changed every month, a senior administrator was heard to moan "Do you know how much time I'm going to waste each month ensuring that everyone on my staff knows my new password?") Inference occurs when there is a pattern to the way the passwords are generated/chosen and thus can be inferred.
For instance, knowing that someone uses the same password with a different last character for each machine allows passwords to be inferred, especially if coupled with disclosure of one. Another example is where generated passwords are employed and the generation algorithm is predictable. Exposure is the case where accident or unintended behavior results in a sporadic release of a password. As an example, think of someone accidentally typing her password as the user name in login, and it is captured in the audit trail. Another example is when someone accidentally types his password during a demonstration and it is exposed on a projection screen to a class. Loss is when someone forgets his or her password, or (otherwise) loses whatever is used to remind/recreate the password. This introduces overhead to recover the password, and may induce the user to keep extra reminders/copies of the password around -- leading to greater exposure -- or to use more memorable passwords -- leading to more effective guessing attacks. It is also the case that frequent loss opens up opportunities for eavesdropping and social engineering attacks on the reset system as it becomes more frequently used: safeguards on reset may be relaxed because they introduce too much delay on a system under load. Guessing is self-explanatory. Guessing is limited to choices that can be guessed. After a certain limited number of choices, the guessing can only transform into a cracking attempt. Cracking is when an intermediate form of the password (e.g., an encrypted form stored in the authentication database) is captured and attacked algorithmically, or where iterated attempts are made to generate the password algorithmically. The efficacy of this approach is determined by the strength of the obfuscation used (e.g., encryption), the checks on bad attempts, and the power and scope of the resources brought to bear (e.g., parallel computing, multi-lingual databases).
Snooping (eavesdropping) is when someone intercepts a communication employing the password, either in cleartext or in some intermediate form. The password is then extracted. Network sniffing and keyloggers are both forms of snooping. Various technical measures, such as network encryption, can help reduce the threat. Now, looking back over those, periodic password changing really only reduces the threats posed by guessing, and by weak cracking attempts. If any of the other attack methods succeed, the password needs to be changed immediately to be protected -- a periodic change is likely to be too late to effectively protect the target system. Furthermore, the other attacks are not really blunted by periodic password changes. Guessing can be countered by enforcing good password selection, but this then increases the likelihood of loss by users forgetting the passwords. The only remaining threat is that periodic changes can negate cracking attempts, on average. However, that assumes that the password choices are appropriately random, the algorithms used to obfuscate them (e.g., encryption) are appropriately strong, and that the attackers do not have adequate computing/algorithmic resources to break the passwords during the period of use. This is not a sound assumption given the availability of large-scale bot nets, vector computers, grid computing, and so on -- at least over any reasonable period of time. In summary, forcing periodic password changes given today's resources is unlikely to significantly reduce the overall threat -- unless the password is immediately changed after each use. This is precisely the nature of one-time passwords or tokens, and these are clearly the better method to use for authentication, although they do introduce additional cost and, in some cases, increase the chance of certain forms of lost "password." So where did the "change passwords once a month" dictum come from?
Back in the days when people were using mainframes without networking, the biggest uncontrolled authentication concern was cracking. Resources, however, were limited. As best as I can find, some DoD contractors did some back-of-the-envelope calculation about how long it would take to run through all the possible passwords using their mainframe, and the result was several months. So, they (somewhat reasonably) set a password change period of 1 month as a means to defeat systematic cracking attempts. This was then enshrined in policy, which got published, and largely accepted by others over the years. As time went on, auditors began to look for this and ended up building it into their "best practice" that they expected. It also got written into several lists of security recommendations. This is DESPITE the fact that any reasonable analysis shows that a monthly password change has little or no end impact on improving security! It is a "best practice" based on experience 30 years ago with non-networked mainframes in a DoD environment -- hardly a match for today's systems, especially in academia! The best approach is to determine where the threats are, and choose defenses accordingly. Most important is to realize that all systems are not the same! Some systems with very sensitive data should probably be protected with two-factor authentication: tokens and/or biometrics. Other systems/accounts, with low value, can still be protected by plain passwords with a flexible period for change. Of course, that assumes that the OS is strong enough to protect against overall compromise once a low-privilege account is compromised... not always a good bet in today's operating environment! And, btw, I've got some accounts where I've used the same password for several years with nary an incident. But in the spirit of good practice, that's all I'm going to say about the passwords, the accounts, or how I know they are still safe.
:-) One of my favorite Dilbert cartoons (from 9/10/05) ends with the pointy-haired boss saying "...and starting today, all passwords must contain letters, numbers, doodles, sign language and squirrel noises." Sound familiar to anyone?

From rforno at infowarrior.org Tue Apr 25 07:54:39 2006
From: rforno at infowarrior.org (Richard Forno)
Date: Tue, 25 Apr 2006 07:54:39 -0400
Subject: [Infowarrior] - Intel's VPro to boost security
Message-ID:

Intel's VPro to boost security
By Joris Evers
http://news.com.com/Intels+VPro+to+boost+security/2100-7355_3-6064609.html
Story last modified Tue Apr 25 03:51:58 PDT 2006

SAN FRANCISCO--A killer application for Intel's upcoming VPro business PCs? Security, the chip giant said Monday. VPro systems, due to be broadly available in the third quarter, will be able to run security software in an environment isolated from the main operating system, making it tamper proof, Intel and security specialist Symantec said at an event here unveiling the VPro brand. "It's perfect," Enrique Salem, senior vice president at Symantec, said in an interview. "You can't disable security. Not only can't the end-user disable it, malware can't disable it. Hardware is helping us enforce that nobody can access the bits in this sealed space." Salem compared running security software in its own space on a PC to installing a dedicated security appliance. It will run on its own operating system with access granted only for updates to the security features. This should foil common attempts by Trojan horses that try to disable security software on PCs, for example. Cordoning off the security software is possible through Intel Virtualization Technology (VT), new hardware support for virtualization. This allows for the creation of a secure partition on the PC, which can be used to run applications such as a firewall, intrusion prevention, antivirus and other security software, Intel and Symantec said.
"This application is very specifically endorsing virtualization at the client level," Thomas Kilroy, vice president and general manager of Intel's Digital Enterprise Group, said in an interview. "It is a killer application, if you will...Now you are able to deliver a level of manageability and security transparent to the user." The industry has made several attempts at building hardware to support security. Perhaps the highest-profile attempt was four years ago, when Microsoft unveiled Palladium, later renamed Next-Generation Secure Computing Base. NGSCB also promised to isolate parts of a computer from malicious code. In addition, it would foil attacks that use logging devices by encrypting data as it moves between hardware components in a PC. Today, NGSCB appears to have been put on the back burner. Instead, Microsoft is adding support for another, more common hardware-based security technology to Windows Vista: the Trusted Platform Module, or TPM, which offers protected storage of encryption keys, passwords and digital certificates. But Intel is bringing something new to the PC. Virtualization is almost unknown on client systems. It is common on high-end servers to consolidate jobs otherwise handled by a group of servers onto a single system. VPro PCs will allow a single "service partition" that can be host to a single product. The virtualization technology is operating-system agnostic. Software makers can include any operating system they like to run their product on. Companies including Symantec already sell security appliances that run Linux, for example. The limitation to the service partition is intentional; it will prevent any compatibility clashes between software products. "Because nothing else is happening in this virtual space, any compatibility issues go away," Salem said. "Administrators are going to be more confident in deploying updates quickly." Several software makers are developing products to take advantage of the technology. 
These include Symantec, Trend Micro, CA, Altiris and LANDesk, according to information from Intel and the software companies. VPro stickers will start appearing during the next few months on PCs that contain Intel's Conroe processor, a new chipset and an Intel networking chip, Intel CEO Paul Otellini said at the event. VPro systems with the virtualization feature are designed for business users, not consumers, Intel stressed at the event. Symantec, however, predicts the technology, or something similar, will make it to consumer PCs at some point. "Today we use it on business platforms," Salem said. "I expect virtualization will become a standard part of computing over time, everywhere."

From rforno at infowarrior.org Tue Apr 25 07:56:33 2006
From: rforno at infowarrior.org (Richard Forno)
Date: Tue, 25 Apr 2006 07:56:33 -0400
Subject: [Infowarrior] - New plans for economy class on planes
Message-ID:

One Day, That Economy Ticket May Buy You a Place to Stand
By CHRISTOPHER ELLIOTT
http://www.nytimes.com/2006/04/25/business/25seats.html?ei=5094&en=807cafd0afecec8b&hp=&ex=1146024000&partner=homepage&pagewanted=print

The airlines have come up with a new answer to an old question: How many passengers can be squeezed into economy class? A lot more, it turns out, especially if an idea still in the early stage should catch on: standing-room-only "seats." Airbus has been quietly pitching the standing-room-only option to Asian carriers, though none have agreed to it yet. Passengers in the standing section would be propped against a padded backboard, held in place with a harness, according to experts who have seen a proposal. But even short of that option, carriers have been slipping another row or two of seats into coach by exploiting stronger, lighter materials developed by seat manufacturers that allow for slimmer seatbacks.
The thinner seats theoretically could be used to give passengers more legroom but, in practice, the airlines have been keeping the amount of space between rows the same, to accommodate additional rows. The result is an additional 6 seats on a typical Boeing 737, for a total of 156, and as many as 12 new seats on a Boeing 757, for a total of 200. That such things are even being considered is a result of several factors. High fuel costs, for example, are making it difficult for carriers to turn a profit. The new seat technology alone, when used to add more places for passengers, can add millions in additional annual revenue. The new designs also reduce a seat's weight by up to 15 pounds, helping to hold down fuel consumption. A typical seat in economy class now weighs 74 to 82 pounds. "There is clearly pressure on carriers to make the total passenger count as efficient as possible," said Howard Guy, a director for Design Q, a seating design consultant in England. "After all, the fewer seats that are put on board, the more expensive the seat price becomes. It's basic math." Even as the airlines are slimming the seatbacks in coach, they are installing seats as thick and heavy as ever in first and business class, and going to great lengths to promote them. That is because each passenger in such a seat can generate several times the revenue of a coach traveler. At the front of the cabin, the emphasis is on comfort and amenities like sophisticated entertainment systems. Some of the new seats even feature in-seat electronic massagers. And, of course, the airlines have installed lie-flat seats for their premium passengers on international routes. Seating specialists say that all the publicity airlines devote to their premium seats diverts attention from what is happening in the back of the plane. In the main cabin, they say, manufacturers are under intense pressure to create more efficient seats.
"We make the seats thinner," said Alexander Pozzi, the director for research and development at Weber Aircraft, a seat manufacturer in Gainesville, Tex. "The airlines keep pitching them closer and closer together. We just try to make them as comfortable as we can." There is one bit of good news in the thinner seats for coach class: They offer slightly more room between the armrests because the electronics are being moved to the seatbacks. One of the first to use the thinner seats in coach was American Airlines, which refitted its economy-class section seven years ago with an early version made by the German manufacturer Recaro. "Those seats were indeed thinner than the ones they replaced, allowing more knee and legroom," Tim Smith, a spokesman for American, said. American actually removed two rows in coach, adding about two inches of legroom, when it installed the new seats. It promoted the change with a campaign called "More Room Throughout Coach." But two years later, to cut costs, American slid the seats closer together and ended its "More Room" program without fanfare. When the changes were completed last year, American said its "density modification program" had added five more seats to the economy-class section of its MD-80 narrow-body aircraft and brought the total seat count to 120 in the back of the plane. A document on an internal American Airlines Web site, which was briefly accessible to the public last week, estimated that the program would generate an additional $60 million a year for its MD-80 fleet. United Airlines has also used the earlier-generation thin seats. But it held open the possibility that once its current seat stock needs to be replaced, it might try to squeeze in more seats. "We're always looking at options," Brandon Borrman, a spokesman, said. Airlines can only do so much with their existing fleets to save space. 
The real opportunities, say seat manufacturers and design experts, are with the new generation of aircraft that are coming soon. "People hear about these new planes, and they have bowling alleys and barber shops," Michael B. Baughan, the president and chief operating officer of B/E Aerospace, a manufacturer of aircraft cabin interiors in Wellington, Fla., said with a bit of exaggeration. "But that's not how planes are delivered. On a real airline, with real routes, you have to be economically viable." Perhaps the most extraordinary example of a new jet that could accommodate features unheard of previously is the Airbus A380. There is so much available room on the superjumbo that Virgin Atlantic Airways is even considering placing a beauty salon in its premium-class section. (No final decision has been made, according to the company.) The first A380 is scheduled to be delivered later this year. With a typical configuration, the A380 will accommodate about 500 passengers. But with standing-room-only seats, the same plane could conceivably fit in 853 passengers, the maximum it would be permitted to carry. "To call it a seat would be misleading," said Volker Mellert, a physics professor at Oldenburg University in Germany, who has done research on airline seat comfort and has seen the design. If such a configuration were ever installed on an aircraft, he said, it would only be used on short-haul flights like an island-hopping route in Japan. While an Airbus spokeswoman, Mary Anne Greczyn, played down the idea that Airbus was trying to sell an aircraft that accommodated 853 passengers, the company would not specifically comment on the upright-seating proposal. There is no legal barrier to installing standing-room seats on an American airliner. The Federal Aviation Administration does not mandate that a passenger be in a sitting position for takeoffs and landings; only that the passenger be secured. 
Seating must comply only with the agency's rules on the width of aisles and the ability to evacuate quickly in an emergency. The Air Transport Association, the trade association for the airline industry in the United States, does not have any seat-comfort standards. Nor does it issue any recommendations to its members regarding seating configurations. The two Asian airlines seen as the most likely to buy a large plane for short-haul flights, All Nippon Airways and Japan Airlines, are lukewarm about the Airbus plan. "Airbus had talked with us about an 800-seat configuration for domestic flights," said Rob Henderson, a spokesman for All Nippon Airways. "It does not fit with our present plans going forward." A spokesman for Japan Airlines, Geoffrey Tudor, said Airbus had presented its ideas for using the A380 on short-haul flights, but added, "We have no interest in increasing seat capacity to this level." Boeing is under similar pressure to squeeze more seats onto its newest aircraft, the midsize Boeing 787. Some airlines are planning to space the seats just 30 inches apart from front to back, or about one inch less than the current average. And rather than installing eight seats across the two aisles, which would afford passengers additional elbow room, more than half of Boeing's airline customers have opted for a nine-abreast configuration in the main cabin, said Blake Emery, a marketing director at Boeing. Even so, he said, "It will still be as comfortable as any economy-class section today." Indeed, it is possible to have it both ways: more comfortable seats that are also more compact. For example, the latest economy-class seat from B/E Aerospace, called the ICON, allows the seat bottom to move forward when the seat is reclined, so that it does not steal legroom from the passenger behind it. It also incorporates better ergonomic designs now typically found in the business-class cabin. 
But the ICON and similar seats can cost up to three times more than the $1,200 that a standard coach seat costs. That may make them unaffordable to all but a few international airlines that would use the seats on long-haul routes, the experts said. Some frequent fliers, asked about the slimmer seats, said they feared that the result would be tighter quarters. Some expressed concerns about sharing a cabin with even more passengers and increasing the risk of contracting a communicable disease. Others were worried about even more passengers sharing the already-tight overhead bin space. "It seems like every year there is less room for my long legs," said Bud Johnson, who is a frequent traveler for a military contractor in Scottsdale, Ariz. "I'm afraid that's going to continue."

From rforno at infowarrior.org Tue Apr 25 08:15:56 2006
From: rforno at infowarrior.org (Richard Forno)
Date: Tue, 25 Apr 2006 08:15:56 -0400
Subject: [Infowarrior] - Arming Big Brother: The EU Security Research Programme
Message-ID:

http://www.statewatch.org/news/2006/apr/bigbrother.pdf

Arming Big Brother: The EU's Security Research Programme
Ben Hayes, April 2006

Overview

This Statewatch-TNI report examines the development of the security-industrial complex in Europe and in particular the development of the EU Security Research Programme (ESRP). Spawned by the military-industrial complex, the security-industrial complex has developed as the traditional boundaries between external security (military) and internal security (security services) and law enforcement (policing) have eroded. With the global market for technologies of repression more lucrative than ever in the wake of 11 September 2001, it is on a healthy expansion course. The story of the EU Security Research Programme is one of "Big Brother" meets market fundamentalism. It was personified by the establishment in 2003 of a "Group of Personalities" (GoP) comprised of EU officials and Europe's biggest arms and IT companies.
The GoP's concern was a simple one: European multinationals are losing out to their US competitors because the US government is providing them with a billion dollars a year for security research; it recommended the EU match this level of funding to ensure a "level playing field". The European Commission has obliged with a "preparatory" budget for security research 2004-6, with the full ESRP to begin in 2007, and appointed an EU Security Research Advisory Board to oversee the programme. This makes permanent the GoP and gives profit-making corporations an official status in the EU, shaping not just security research but security policy. Myriad local and global surveillance systems; the introduction of biometric identifiers; RFID, electronic tagging and satellite monitoring; "less-lethal weapons"; paramilitary equipment for public order and crisis management; and the militarization of border controls: technological advances in law enforcement are often welcomed uncritically but rarely are these technologies neutral, in either application or effect. Military organisations dominate research and development in these areas under the banner of "dual-use" technology, avoiding both the constraints and controversies of the arms trade. Tomorrow's technologies of control quickly become today's political imperative; contentious policies appear increasingly irresistible. There are strong arguments for regulating, limiting and resisting the development of the security-industrial complex but as yet there has been precious little debate.
< snip >

http://www.statewatch.org/news/2006/apr/bigbrother.pdf

From rforno at infowarrior.org Tue Apr 25 08:26:19 2006
From: rforno at infowarrior.org (Richard Forno)
Date: Tue, 25 Apr 2006 08:26:19 -0400
Subject: [Infowarrior] - Password overload hitting firms' IT security: study
Message-ID:

Password overload hitting firms' IT security: study
Reuters
Tuesday, April 25, 2006; 7:22 AM
http://www.washingtonpost.com/wp-dyn/content/article/2006/04/25/AR2006042500382_pf.html

LONDON (Reuters) - Security breaches from computer viruses, spyware, hacker attacks and theft of equipment are costing British business an estimated 10 billion pounds ($18 billion) a year, according to a survey on Tuesday. The loss is 50 percent higher than the level calculated two years ago, said the study by consultancy PricewaterhouseCoopers for the Department of Trade and Industry. The rise comes despite companies increasing their spending on information security controls to an average 4-5 percent of their IT budget from 3 percent in 2004. One area of concern for security, the study warned, was the increasing number of user IDs and passwords employees were having to remember. Larger companies, which tend to be more security-conscious, saw the number and cost of computer security breaches fall, but both rose at smaller firms where controls may be less rigorous. Firms were asked how much the worst incident last year cost them. For large firms, the average loss was between 65,000 and 130,000 pounds, mostly accounted for by disruption to business. At small companies, the average loss was between 8,000 and 17,000 pounds. Industry Minister Alun Michael said while slightly fewer companies overall reported breaches than in 2004, there was no room for complacency. "The cost of the damage caused by attacks on security has risen as the nature of the attacks has become more serious," he said. "That's why it's crucial to have good security in place."
Virtually every UK company uses anti-virus software, but a quarter of businesses are not protected against the newer threat of spyware, which can lead to the loss of confidential information. One in five corporate wireless networks is completely unprotected, with a further one in five operating without encryption, allowing outsiders to eavesdrop on company communications. Chris Potter from PricewaterhouseCoopers said British business had become more aware of the risks of IT crime, but added that some firms "still seem to believe they are immune to the dangers and don't have even basic security controls in place." "This is particularly worrying as we see new technologies emerging that pose new threats to UK plc." Poor IT procedures can make companies vulnerable. The study found that employees have on average to remember three different user IDs and passwords, while in two percent of companies staff have to recall 10 different IDs. "The more IDs and passwords users have to remember, the more likely the business is to have had unauthorized access," the report said. PricewaterhouseCoopers interviewed 1,000 companies between October 2005 and January 2006 for the DTI Information Security Breaches Survey.

© 2006 Reuters

From rforno at infowarrior.org Tue Apr 25 08:36:38 2006
From: rforno at infowarrior.org (Richard Forno)
Date: Tue, 25 Apr 2006 08:36:38 -0400
Subject: [Infowarrior] - Apple set to display ads on iTunes
Message-ID:

Apple Chomps Into Forbidden Fruit: Ads Set to Accept Podcast Ads on iTunes
http://www.adage.com/print?article_id=108772
By Abbey Klaassen
Published: April 23, 2006

NEW YORK (AdAge.com) -- Coming soon to iTunes: ads. Apple -- a brand that prides itself on the purity of the user experience -- will soon put up billboards on its popular iTunes service, according to content partners who have been briefed on the plan. The introduction of visual ads could be the first step to allowing ads in other content areas or on iPods.
Users' reaction?

That's sure to entice advertisers interested in reaching millions of devotees of the service. But it could be worrisome to the service's users, who unplug from ad-supported media when they plug their earphones in. That may be why Apple's current plans call for the ads to appear only in the lower-left corner of the iTunes library while users listen to podcasts from their computers rather than from portable devices. But it's a big step for the service, which has so far limited ad intrusions to audio spots embedded in some of the podcasts offered via iTunes. ESPN Radio, which supplies some of iTunes' most popular ad-supported sports podcasts, is working with the service on the new advertising offering.

'Much richer advertising experience'

"Our ad model is performing very well thus far. We offer gateway audio ads, often voiced by ESPN talent and a 30-second brand-sell spot," said Marc Horine, general manager-new media, ESPN Radio. "We are looking at new technology that will provide a much richer advertising experience and hope to roll that out very soon." Apple executives wouldn't comment. But CEO Steve Jobs has supported the idea of ad-supported podcasts, so adding a visual component to the existing audio ads isn't much of a stretch. What's more compelling is what it might mean for other iTunes content, and specifically whether Apple might allow advertising in its premium content, for which it charges users. It may be under pressure to do just that as content suppliers begin to offer similar fare to consumers online at no cost and with ads.
For now, the TV networks are making money from iTunes' ad-free model, charging viewers $1.99 to download an episode of a show. J.P. Morgan analyst Spencer Wang estimates the networks make $1.44 per iTunes sale compared to 57 cents per viewer in ad revenue for every episode aired on broadcast TV.

May undercut TV networks

Still, the iTunes deal undercuts the networks' bread-and-butter business. ABC is about to work advertising into its on-demand distribution plans; in May and June it will offer free versions of several of the same shows it sells on iTunes on its own site with ads that can't be skipped. NBC will launch free original Webisodes this summer of its hit "The Office." AOL's In2TV plans to offer free, ad-supported original fare and just signed a distribution deal with A&E Network. "The question is whether the power of free is more compelling than portability," said Ben Bajarin, an analyst with Campbell, Calif.-based Creative Strategies. "It's an interesting test for ABC and we'll be watching how it affects iTunes." Not only does iTunes face distribution from content owners' sites, it will soon face competition from other digital download sites. Amazon has announced it will enter the game, and MTV is weeks away from the Beta test of Urge, the digital media service it created with Microsoft.

From rforno at infowarrior.org Tue Apr 25 09:40:58 2006
From: rforno at infowarrior.org (Richard Forno)
Date: Tue, 25 Apr 2006 09:40:58 -0400
Subject: [Infowarrior] - Say what? A look back at McNealy zingers
Message-ID:

(off-topic but amusing......rf)

Say what? A look back at McNealy zingers
By Charles Cooper
http://news.com.com/Say+what+A+look+back+at+McNealy+zingers/2100-1014_3-6064563.html
Story last modified Tue Apr 25 05:54:50 PDT 2006

Say what you like about Scott McNealy, but one adjective you'll never find attached to his name is shy.
The Sun Microsystems co-founder has reveled in running his mouth, and the list of "McNealy-isms" has become legendary within the tech industry. The following includes highlights from two decades' worth of his witticisms:

- "Probably the most dangerous and powerful industrialist of our age." (Microsoft Chairman Bill Gates)
- "Ballmer and Butt-Head." (Microsoft CEO Steve Ballmer and Gates)
- "A giant hair ball." (Microsoft's Windows and Windows NT)
- "When Steve Ballmer calls me wacko, I consider that a compliment."
- "General and motors." (Microsoft and Intel)
- "Windows More Errors" (Windows ME)
- "Look Out" (Microsoft's Outlook)
- "The Corvair of Web servers, unsafe at any speed" (Internet Information Server)
- "Captive Directory" (Active Directory)
- ".Not," ".Not Yet" and ".Nut" (Microsoft's .Net development strategy)
- "The beast from Redmond" and "the evil empire." (Microsoft and its headquarters.)
- "Only a monopolist could study a business and ruin it by giving away products."
- "With Microsoft, the first hit is always free--remember that all your life."
- "Microsoft is now talking about the digital nervous system. I guess I would be nervous if my system was built on their technology, too."
- "We've got bayonets fixed, and we'll go into any cave no matter how dark and dank it is. And in the air war (against Microsoft to win new developers), we'll go after any developer and not just let them turn over to the dark side."
- "Having Microsoft give us advice on open standards is like W.C. Fields giving moral advice to the Mormon Tabernacle Choir."
- "The only thing I'd rather own than Windows is English, because then I could charge you $249 for the right to speak it, and I could charge you an upgrade fee when I add new letters."
- "I've always argued the best way to keep your teenager off drugs is buy him a Pentium Pro, give him NT and Microsoft Office and a printer, and tell him you get $500 if you can print something out of PowerPoint on that printer. That will take him six months of drug-free activity. I think that's probably the best thing you could possibly do for your teenager."
- We should "shut down some of the bullshit the government is spending money on and use it to buy all the Microsoft stock. Then put all their intellectual property in the public domain. Free Windows for everyone! Then we could just bronze Gates, turn him into a statue, and stick him in front of the Commerce Department."
- "Listen, I have never turned down a meeting with Gates or Ballmer...On many occasions, I've challenged them to get onstage one-on-one and have a reasonable debate, but they've always refused. And that's because they don't even flirt with telling the truth anymore. And if I were protecting a monopoly like they are, I wouldn't do it, either. Because they know the real truth."
- "The visual I see is a slow-motion collision of two garbage trucks--and they are just about to meet bumpers." (On the prospects for the Hewlett-Packard and Compaq merger.)
- "If I could embed a locator chip in my child right now, I know I would do that. Some people call that Big Brother; I call it being a father."
- "Technology has the shelf life of a banana."
- "Open source is free like a puppy is free."
- "People say, 'Tape is kind of boring.' Well, I say go in and tell your customer that you have lost their back-up tapes and you'll see excitement pretty quickly."
- "You already have zero privacy--get over it."
- "So I think the opportunity with Java versus 'CaptiveX,' as everybody calls it, is either you want to be captive to the Microsoft arena or you want to have something that runs on everything."
- "Is there a McNealy's law? Yeah, that's 'eat lunch or be lunch.' Or if you're in academia, 'do lunch, or be lunch.'"
- "I enjoy my wife enough to now have four children."

Compiled from CNET News.com archives, BusinessWeek, Thinkexist.com and the books "Bad Boy Ballmer" and "High Noon."
From rforno at infowarrior.org Tue Apr 25 14:23:23 2006
From: rforno at infowarrior.org (Richard Forno)
Date: Tue, 25 Apr 2006 14:23:23 -0400
Subject: [Infowarrior] - First DMCA 2.0, now H.R.683 and trademarks
Message-ID:

New Trademark Law Might Restrict Free Speech
http://www.editorandpublisher.com/eandp/columns/shoptalk_display.jsp?vnu_content_id=1002384406
By Steve Yahn

NEW YORK (April 22, 2006) -- This is a big wake-up call for defenders of free speech in the United States, an urgent one, and worrisomely little known. Embedded deep in H.R. 683, "The Trademark Dilution Revision Act," which awaits what may well be a last look in the U.S. House of Representatives before being signed into law by President Bush, is language that would remove key free-speech protections that have been part of U.S. trademark law since 1996. With only the most minimal notice in the mainstream press, the bill as it currently stands would remove three exceptions from part of the present trademark law:

--News reporting and commentary.
--Fair use.
--Non-commercial use.

Elimination of the news reporting and commentary protections would overnight put newspapers at much greater risk of trademark infringement actions being brought against them, for everything from a columnist's or editorial writer's ill-received reference to a company's trademark, to, say, a news photograph of a homeless person's shopping cart parked in front of a row of gleaming, readily identifiable new-model cars at the dealership of a well-known automaker. Paul Alan Levy, attorney at Washington, D.C.-based Public Citizen Litigation Group, notes that when the foundational 1946 Lanham Act trademark provisions were amended in 1988 and 1996, Congress was "acutely" aware of the constitutional problems (under the First Amendment) that would arise if the Lanham Act provisions were extended to non-commercial speech. These protections for newspapers and other media entities, plus a host of freelance writers, photographers, illustrators, and other artists, would be replaced with the prospect of complicated, and invariably costly, defenses that would have to be mounted in any trademark infringement case. Rep. Lamar Smith (R-TX), the sponsor of H.R. 683 who currently is reviewing a revised Senate version of the bill: "This bill will clarify the rights of trademark holders and eliminate unnecessary litigation." But that's a line of thinking viewed with skepticism by artist Don Stewart, not to mention such groups as the Professional Photographers of America, the Electronic Frontier Foundation, the American Library Association and National Video Resources, among others. Stewart, a medical doctor turned artist (he interned at the Mayo Clinic before turning to doing visual-pun "composite drawings"), was enjoying a growing following, especially on the Internet, for a drawing of Volkswagen's "Beetle" that was a rendering of the car made up of various kinds of beetles, butterflies and other bugs. But Stewart's salad days were spoiled overnight in early January when Volkswagen's U.S. attorneys, Howard, Phillips & Andersen of Salt Lake City, slammed him with a cease and desist letter threatening a suit for damages. You can imagine how Stewart, not yet in the same rank with Andy Warhol, felt about that. Luckily for Stewart, a feisty resourceful businessman as well as artist, he found top-notch pro bono legal help. His legal team responded to an exploratory e-mail message from Volkswagen's counsel with a tidal-wave of legal precedents that, to say the least, had to have let more than a little air out of VW's tires. That's the last Stewart or his attorneys have heard from Volkswagen. It is just this Big Guy/Little Guy scenario that opponents of H.R. 683 are deeply concerned about. Public Knowledge, a Washington, D.C. advocacy group working to defend consumers' rights in the digital age (its board includes the likes of former Federal Communications Commission Chairman Reed E. Hundt), says it fears that the bill "could negatively impact free speech, small business commercial speech, and repurpose traditional trademark law to protect business interests instead of consumers." Public Citizen's Paul Alan Levy says, "The ultimate question I keep coming back to is, what harm does it do to apply a defense for 'news reporting' or 'fair use' to infringement claims? I must say, I do not get it."

Steve Yahn (letters at editorandpublisher.com) is also co-author of E&P's monthly SAGE Advice column.

From rforno at infowarrior.org Tue Apr 25 14:42:29 2006
From: rforno at infowarrior.org (Richard Forno)
Date: Tue, 25 Apr 2006 14:42:29 -0400
Subject: [Infowarrior] - Kathleen Mauchly dies
Message-ID:

(c/o IP) Kathleen Mauchly Antonelli, the wife of John W. Mauchly of Eniac and Univac fame, and a renowned programmer and computer pioneer in her own right, died at age 85. The Philadelphia Inquirer has a full obituary in the 4/25 edition:

Kathleen Antonelli, 85, computer pioneer
By Sally A. Downey
Inquirer Staff Writer

Kathleen McNulty Mauchly Antonelli, 85, of Ambler, one of the original programmers of the first electronic computer, died of cancer Thursday at Keystone Hospice in Wyndmoor.

From rforno at infowarrior.org Tue Apr 25 15:39:06 2006
From: rforno at infowarrior.org (Richard Forno)
Date: Tue, 25 Apr 2006 15:39:06 -0400
Subject: [Infowarrior] - CIA, NSA folks may get expanded arrest powers
Message-ID:

http://www.fas.org/sgp/news/secrecy/2006/04/042506.html

The House version of the 2007 intelligence authorization bill would grant CIA and NSA security personnel the authority to make arrests for "any felony" committed in their presence, no matter how remote from the foreign intelligence mission it might be, the Baltimore Sun reported today. Section 423 of H.R.
5020 "appears...to grant to CIA security personnel powers that have little to do with the primary mission of 'executive protection,' and potentially creates a pretext for use or abuse of these powers for the purposes of general domestic law enforcement -- something no element of the CIA has ever been empowered to perform," wrote Danielle Brian of the Project on Government Oversight in a letter to members of the House Intelligence Committee opposing the provision.

http://www.pogo.org/p/government/gl-060401-intel.html

Section 432 of the bill grants similar authority to NSA security personnel.

The bill also includes measures intended to increase penalties for unauthorized disclosures of classified information. See "Congress cracking down on U.S. leaks" by Siobhan Gorman, Baltimore Sun, April 25:

http://www.baltimoresun.com/news/nationworld/bal-te.spies25apr25,0,5928384.story

From rforno at infowarrior.org Tue Apr 25 15:42:48 2006
From: rforno at infowarrior.org (Richard Forno)
Date: Tue, 25 Apr 2006 15:42:48 -0400
Subject: [Infowarrior] - Fusion Center Guidelines: Developing and Sharing Information and Intelligence
Message-ID:

(c/o SecrecyNews)

Last year, the Department of Justice and the Department of Homeland Security published guidelines for the operation of fusion centers dealing with law enforcement intelligence. See "Fusion Center Guidelines: Developing and Sharing Information and Intelligence in a New World," July 2005 (1.8 MB PDF):

http://www.fas.org/irp/agency/ise/guidelines.pdf

From rforno at infowarrior.org Tue Apr 25 20:23:55 2006
From: rforno at infowarrior.org (Richard Forno)
Date: Tue, 25 Apr 2006 20:23:55 -0400
Subject: [Infowarrior] - The Great Microsoft Blunder
Message-ID:

Wow....here's a Dvorak column that I can agree with nearly 100%. Is there a full moon tonight? -rick

The Great Microsoft Blunder
Internet Explorer is a dead albatross.
http://abcnews.go.com/Technology/ZDM/story?id=1884077

John Dvorak - PC Magazine
April 24

I think it can now be safely said, in hindsight, that Microsoft's entry into the browser business and its subsequent linking of the browser into the Windows operating system looks to be the worst decision -- and perhaps the biggest, most costly gaffe -- the company ever made. I call it the Great Microsoft Blunder. It looks like a whopper that keeps whacking the company.

The most recent bash came from the Eolas v. Microsoft patent suit over aspects of the ActiveX usage in Internet Explorer. Microsoft lost and was slapped with a $521 million settlement. If the problem is not weird legal cases against the company, then it's the incredible losses in productivity at the company from the never-ending battle against spyware, viruses, and other security problems. All the work that has to go into keeping the browser afloat is time that could have been better spent on making Vista work as first advertised.

All of Microsoft's Internet-era public-relations and legal problems (in some way or another) stem from Internet Explorer. If you were to put together a comprehensive profit-and-loss statement for IE, there would be a zero in the profits column and billions in the losses column -- billions.

The joke of it is that Microsoft is still working on this dead albatross and is apparently ready to roll out a new version, since most of the smart money has been fleeing to Firefox or Opera. This means new rounds of patches and lost money.

This fiasco and the great Microsoft Blunder began when Marc Andreessen, then of Netscape, made some silly, off-handed remark about how the browser would become the next platform for applications and suggested, in so many words, that Microsoft would be destroyed. Instead of the boys at Microsoft laughing out loud and then ignoring this remark, they started scrambling around like ants on a hot stove.
The next thing you know, Microsoft went Internet slaphappy. Besides cobbling together a browser from any code it could license, it rolled out all sorts of Internet magazines and various Internet-centric ideas to the point where it was obvious to anyone watching that the company itself was believing all the hype coming from outside.

The main piece of propaganda among the Internet-centric ideas was that the personal computer is dead. "There'll be no computers in a few short years, as everything will be embedded and become appliances," said all the experts. This appliance malarkey comes and goes, but always goes. We still have computers, we still need operating systems, and we still need Microsoft Office. Yes, there are alternatives to everything, but the gold standards for all these basics make most of the money, no matter what anyone idealizes to the contrary.

But Microsoft buys the fear. It must have some of the lowest corporate self-esteem for any dominant company in the history of modern business. The company is like the panicky old woman wondering how she lost a penny in her purse while giving exact change in the express line at the grocery store. Hey lady, you are holding things up!

So what can Microsoft do about its dilemma? First, it needs to face the fact that this entire preoccupation with the browser business is bad for the company and bad for the user. Microsoft should pull the browser out of the OS and discontinue all IE development immediately. It should then bless the Mozilla.org folks with a cash endowment and take an investment stake in Opera, to influence the future direction of browser technology from the outside in. Then, Microsoft can worry about security issues that are OS-only in nature, rather than problems compounded by Internet Explorer.

Of this I can assure you. People will not stop buying Microsoft Windows if there is no built-in browser.
Opera and/or Firefox can be bundled with the OS as a courtesy, and all the defaults can lead to Microsoft.com if need be.

Of course we already know that this will never happen, since Microsoft is a creature of habit. So it will forever be plagued by its greatest blunder ever. Have fun, boys.

From rforno at infowarrior.org Wed Apr 26 07:19:59 2006
From: rforno at infowarrior.org (Richard Forno)
Date: Wed, 26 Apr 2006 07:19:59 -0400
Subject: [Infowarrior] - Internet2's network to get a facelift
Message-ID:

Internet2's network to get a facelift
Denise Pappalardo, Network World
26/04/2006 08:26:16
http://www.computerworld.com.au/index.php/id;102071774

Internet2's network is growing up. That was one of the key topics discussed Tuesday at the group's Spring Member Meeting in Arlington, Virginia.

The research group is phasing out its Abilene network after about seven years of service with a big backbone that will support 10 10Gbps Lambdas, says Douglas Van Houweling, president and CEO of Internet2.

Internet2 is a consortium of 201 universities that works with government and the IT industry to develop and deploy advanced network applications and technologies with the goal of accelerating development of the public Internet.

In early April, Internet2 announced to its members that it would not renew its contract with Qwest Communications, the prime network provider of its Abilene network. At the same time, Internet2 said it has a "non-binding" contract with another carrier to support the group's next generation network needs. Because Internet2 is a member organization, all contracts have to be approved by members. Once that happens the name of the new service provider will be revealed, the group says.

The new network, which will likely receive its own name akin to Abilene, will initially support 10 10Gbps Lambdas, but will eventually scale to 80 10Gbps Lambdas, Van Houweling says. The new network will allow Internet2 to "focus on the trains, not the tracks," he says.
The additional bandwidth is needed to support high-speed experiments that are already being conducted. Van Houweling says Internet2 members are running an experiment that uses 7Gbps, but currently Abilene can only support one such experiment at a time.

The research group is still working out some details such as what type of service level agreements (SLAs) will be offered to Internet2 users. Today, no SLAs are offered over the Abilene network.

The new network will also include self-provisioning support so universities that are about to launch a new experiment will need only go to a Web site to have additional bandwidth provisioned.

All Internet2 members are expected to be transitioned off of Abilene by September 2007.

From rforno at infowarrior.org Wed Apr 26 07:21:20 2006
From: rforno at infowarrior.org (Richard Forno)
Date: Wed, 26 Apr 2006 07:21:20 -0400
Subject: [Infowarrior] - Bill seeks music royalties for satellite downloads
Message-ID:

Bill seeks music royalties for satellite downloads
By Reuters
http://news.com.com/Bill+seeks+music+royalties+for+satellite+downloads/2100-1027_3-6065133.html
Story last modified Tue Apr 25 22:41:08 PDT 2006

A bipartisan group of lawmakers has introduced legislation that would require satellite radio companies to compensate the music industry for downloads, industry and congressional sources said.

The legislation, by U.S. Senators Dianne Feinstein, D-Calif., Lindsey Graham, R-S.C., and majority leader Bill Frist, R-Tenn., is aimed at compensating copyright holders as satellite radio services become distribution services.

The "Perform Act," or the "Platform Equality and Remedies for Rights Holders in Music Act of 2006," would require satellite, cable and Internet broadcasters to pay fair market value for the performance of digital music. Additionally, the bill would require the use of readily available and cost-effective technological means to prevent music theft.
"The birth of the digital music place has been a boon for businesses and consumers. However, these new technologies and business models have become so advanced that the clear lines between a listening service and a distribution service have been blurred," Feinstein said. "I believe that the Perform Act would help strike a balance between fostering the development of new technologies and ensuring that songwriters and performers continue to be fairly compensated for their works."

Record industry executives want so-called "parity" among the different download platforms. They argue that the new devices XM Radio is bringing to the market that allow customers to save songs on the receivers without paying for the download rip off the copyright holder.

"Digital sales are finally replacing physical losses," said Mitch Bainwol, chairman and CEO of the Recording Industry Association of America, which lobbies for the major labels. "If someone gets a distribution right without paying for it, that blows a hole in the digital marketplace."

Warner Music Group chairman and CEO Edgar Bronfman Jr. endorsed the legislation in testimony prepared for a hearing on the issue scheduled for Wednesday.

"When I see a device that permits consumers to identify the specific tracks they want from a satellite broadcast, record them and library them for future use, I call that device an iPod and I call the satellite service making that device available a download service," Bronfman said. "What is clear to everyone is that these services no longer resemble and will increasingly stray from our collective understanding of what constitutes a traditional radio service."

The bill protects copyright holders by ensuring that "the same rules apply to all of the satellite, cable and Internet services, which avail themselves of a compulsory license under" the nation's copyright laws, Bronfman said.
Sirius Satellite Radio has reached deals with the major record companies that compensate them for downloads on its S-50 receiver that allows customers to record content, but XM has not. A pair of devices, the Pioneer Inno and Samsung NeXus, allows customers to record programming.

XM executives contend that the devices are nothing more than a high-tech way to record radio programming, which is protected.

In XM Chairman Gary Parsons' prepared testimony, he said that the Feinstein-Graham bill, tentatively known as the Perform Act, will "lead to a new tax being imposed on our subscribers."

The company already pays millions in copyright royalties to the record companies, and said their push for a new royalty is a negotiating tactic designed to push those rates higher. The copyright office is currently reviewing those rates.

"The reason the recording industry is now insisting on a different standard has nothing to do with fairness," Parsons said. "XM and the record industry are in the middle of renegotiating their performance license. By changing the standard now, the recording industry hopes to stack the deck in its favor."

Bainwol denied the charge. "Competition should be based on the offering. Their license is for a performance, not a distribution," he said. "I was struck by the power of their slogan: 'It's not a pod. It's a mother ship.'"

Story Copyright © 2006 Reuters Limited. All rights reserved.
Copyright © 1995-2006 CNET Networks, Inc. All rights reserved.

From rforno at infowarrior.org Wed Apr 26 07:37:54 2006
From: rforno at infowarrior.org (Richard Forno)
Date: Wed, 26 Apr 2006 07:37:54 -0400
Subject: [Infowarrior] - Book Preview: The Story of PGP
Message-ID:

The Story of PGP
by Michael W. Lucas
http://www.webmonkey.com/06/17/index4a.html

Webmonkey is pleased to present the introduction to the book PGP & GPG: Email for the Practical Paranoid by Michael W. Lucas. Excerpt © 2006 No Starch Press. Reprinted with permission.
Encryption is an old science, and as computers became more and more powerful, the number of people working with encryption grew and grew. Government officials grew increasingly concerned about the widespread availability of encryption techniques. Although encryption has perfectly valid uses for everyday citizens, it's also a powerful tool for criminals. In 1991, Senate Bill 266 (a sweeping anticrime bill) had a minor point that required government-accessible back doors in all encryption tools. While this bill was still under discussion, Phil Zimmermann combined some common encryption methods to produce the software he dubbed Pretty Good Privacy, or PGP.

The ideas behind PGP had been known and understood by computer scientists and mathematicians for years, so the underlying concepts weren't truly innovative. Zimmermann's real innovation was in making these tools usable by anyone with a home computer. Even early versions of PGP gave people with standard DOS-based home computers access to military-grade encryption.

While Senate Bill 266 was still threading its way through the legislative process, a friend of Zimmermann's distributed PGP as widely as possible in an effort to make military-grade encryption widely available before the law could take effect. The software was distributed to a variety of BBS systems as well as on the internet (largely an academic and research network at the time, but still with worldwide reach). Their activism contributed to the demise of antiencryption legislation.

Zimmermann, a long-time antinuclear activist, believed that PGP would be of most use to dissidents, rebels, and others who faced serious risks as a consequence of their beliefs -- in other words, to many people outside as well as inside the United States. Ever since World War II, the United States government has considered heavy-duty encryption a serious threat to national security and would not allow it to be exported from the United States.
(For details, see the Wikipedia entry on "Export of Cryptography".) Exporting encryption software, including PGP, required a license from the State Department, and certain countries could not receive such software exports under any circumstances. These rules were known as ITAR (for International Traffic in Arms Regulations) and classified encryption tools as weapons of war.

Zimmermann decided to try to avoid the export restrictions by exploiting the difference between written words and software. Zimmermann originally wrote PGP in boring old everyday text (or "source code"), just like that used in any book, and used computer-based tools to convert the human-readable text into machine-readable code. This is standard practice in the computer industry. The text is not software, just as the blueprints for a car are not a car. Both the text and the blueprints are necessary prerequisites for their respective final products, however.

Zimmermann took the text and had it published in book form. Books are not considered software, even when the book contains the "source code" instructions for a machine to make software. And books are not munitions (those of you who have dropped one of those big thick computer textbooks on your foot might take issue with this statement). Although many books on cryptography did have export restrictions, Zimmermann could get an export permit for his book of source code. Thus, people all over the world were able to get the instructions to build their own PGP software. They promptly built the software from those instructions, and PGP quickly became a worldwide de facto standard for data encryption.

As you might guess, the US government considered this tactic merely a way to get around munitions export restrictions. Zimmermann and his supporters considered the book speech, as in "free speech," "First Amendment," and "do you really want to go there?"
The government sued, and over the next three years Zimmermann and the administration went a few rounds in the courts.

This lawsuit turned Zimmermann into something of a hero in the computer community. Many people downloaded PGP just to see what all the fuss was about, and quite a few of them wound up using it. Zimmermann's legal defense fund spread news of the PGP lawsuit even further. In congressional hearings about encryption, Zimmermann read letters he had received from people in oppressive regimes and war-torn areas whose lives had been saved by PGP, contributing greatly to the public awareness of how valuable his work had been. Also, PGP was available on the internet before the book was published -- the code was available from anywhere in the world. (Admittedly, you needed internet access to get a copy, which was slightly difficult in the early 1990s.) The book was simply a legal device to make it possible for people outside the United States to use PGP without breaking US law.

The story of the PGP lawsuit is fascinating and could fill a book this size or larger. Where exactly is the line between speech and computer code? Also, PGP was not distributed by Zimmermann himself, but by third parties. If someone in Libya downloaded PGP from an MIT server, was Zimmermann responsible? Lawyers fought these questions back and forth, but when it became obvious that the courts firmly believed that the First Amendment trumped State Department regulations, the State Department and subsequently the government dropped the suit. This not only saved them some time, money, effort, and humiliation at that moment but also prevented a legal precedent deeming encryption generally exportable. If a future administration desires, it can bring this issue back to the courts in more favorable circumstances against some other defendant.

OpenPGP

Even without the US government looming over it, PGP had some basic technical problems that cryptographers across the world quickly pointed out.
The most glaring was that PGP made heavy use of the patent-protected RSA and IDEA encryption techniques; anyone who wanted to use PGP commercially needed to pay a license fee to the patent holders. Many computer scientists and security professionals found this unacceptable because they wanted an encryption system that would be freely usable by both the general public and businesses.

Zimmermann offered a solution in 1998, when his company, PGP Corporation, submitted an improved PGP design called OpenPGP to the Internet Engineering Task Force (IETF), the body responsible for internet standards. OpenPGP defined standards by which different programs could communicate freely but securely by using an enhanced version of the PGP protocol and a variety of different encryption algorithms. This led the way for people and companies to create their own implementations of OpenPGP from scratch, tailoring them to meet their own requirements.

How Secure Is OpenPGP?

The OpenPGP standard is considered a military-grade, state-of-the-art security system. Although you see these words attached to all sorts of security products, OpenPGP is trusted by governments around the world, major industrial manufacturers, medical facilities, and the best computer security practitioners in the world.

That's not to say that OpenPGP is the be-all and end-all of computer security. Misuse of OpenPGP can reduce your security by making you believe that you're secure when you're not, much as if you leave for vacation and forget to lock the front door of your house. Poor computer-management practices might lock the front door but leave the key under the welcome mat for anyone to find. Also, given sufficient computing power, it is possible to break the encryption used in any OpenPGP application. The National Security Agency is rumored to have computers specifically engineered from the ground up especially to break this sort of encryption.
Of course, if someone is willing to spend millions of dollars to get your information, there are easier ways for them to get it, so I would say that when properly configured and used, OpenPGP is strong enough to make people choose another method of violating your privacy rather than try to break the encryption.

Today's PGP Corporation

Today, PGP Corporation is a major player in the world of cryptography and information security, providing PGP software for many different platforms, from PCs to handhelds and even Blackberry phones. PGP Corporation software secures everything from email to instant messages to medical records.

PGP Corporation provides an implementation of OpenPGP that runs on popular operating systems. It provides a PGP system that integrates seamlessly with standard mail clients and desktops. Although PGP Corporation was owned by Network Associates for a few years during the dot-com boom, it is now an independent company with a variety of big-name industry partners. PGP is a commercial product, and PGP Corporation provides a whole range of related support services. We're going to cover the basic version: the PGP Desktop. (The corporate PGP solutions could fill a book on their own.) Because PGP is a typical commercial product, you are expected to pay for it.

GnuPG is a freely available implementation of the OpenPGP standard that was released to the public in 1999 by the German developer Werner Koch. It is available for both Windows and Unix-like computers (including Mac OS X). Because GnuPG conforms to the OpenPGP standard, it can be used to communicate with people using any other OpenPGP-compliant software. "Freely available" means that you can get it for free. You also get access to all the source code used to create the program, which is not directly useful to many readers but is vital to those who can do something with it. The formal name of the software is GnuPG, but many people simply refer to it as GPG.
No matter which you use, people conversant with OpenPGP will understand what you're talking about.

GnuPG is freely available, but that doesn't mean you can do anything you want with it. Any personal use is fine. Use within a company is also fine. If you want to use GnuPG within a commercial product and resell it, be absolutely certain to read the full General Public License (GPL) and comply with its terms! There is no such thing as "proprietary code" based on the GPL. You have been warned.

PGP versus GnuPG

Hmm. GnuPG is free, and PGP costs money. Why would you not always use GnuPG? There are several reasons why a person or organization might choose to purchase PGP rather than use the free GnuPG, or vice versa, including ease of use, support, transparency, and supported algorithms. All these reasons make the choice of encryption software very situation-dependent. Take a look at your options and pick the right tool for you.

Ease of Use

To use GnuPG, you must not be afraid to get code under your fingernails and tangle with the operating system's command line. Although various GnuPG add-ons provide a friendly user interface, they're not tightly integrated with the main product, and when the main GnuPG software is updated, these add-ons might or might not be updated. I wouldn't dream of setting up Grandpa with GnuPG unless I really liked talking to him five days a week.

PGP Corporation puts a lot of effort into making its products work transparently for the end user, in exactly the same manner as any other desktop program. As a support person, I find this extremely valuable. If I needed to set up the sales force, marketers, and accountants at my company with a single cryptographic solution, I would choose PGP in a heartbeat on this factor alone. (The nontechnical staff at your company might be more tech-literate than mine. If so, you're more fortunate than you realize. Please tell me where to send my resume.)
Support

PGP Corporation has an extensive support organization. You can get phone support for the desktop products or have a whole team of consultants implement your company-wide PGP solution. When you buy PGP software, you get 30 days of free installation and setup support, which will allow enough time for most people to become comfortable with the tool. Support afterward exists at whatever level you require, for a fee.

GnuPG's support organization, on the other hand, is typical of free software. Users are expected to read the software instructions, check the GnuPG website, and search the mailing list archives and the internet before contacting the mailing list for help. There is no phone number to call to speak to the "owner" of GnuPG. If you are the sort of person who wants to pick up a phone and yell at someone until they make your problem go away, GnuPG just isn't for you. Although you can easily find expertise in GnuPG and OpenPGP, and hiring a consultant to maintain GnuPG isn't that big a deal, that's very different from having direct access to the vendor.

Although you might find an edge case for which one or the other program doesn't work, or you might discover a software bug, both programs have thousands and thousands of users who have exercised every piece of functionality countless times. If you have a problem, one of these users has almost certainly already had that same problem, asked for help on a mailing list or message board, and received assistance. I find that a web search answers questions on either tool far more quickly than a phone call ever could.

Auditing, algorithms, and the law

Transparency

Transparency refers to how much of the software is visible. For most users, this is irrelevant -- they just want the software to work properly, without causing system crashes or scrambling their recipe collection. You're probably in this category. In the security industry, however, transparency is a vital question. People who are serious about security --
serious as in "billions and billions of dollars and/or many human lives depend on this information remaining private" -- hire security experts to evaluate their security software and point out problems. The process of reviewing code and algorithms for problems is called auditing.

Encryption is an old science, and one of its primordial rules is that knowing how a good encryption scheme works doesn't help you break it. Encryption schemes that are available for review by the general public are the only ones that professional cryptographers take seriously. The cryptography behind OpenPGP has been continuously audited for 10 years now by people who would be delighted to find problems with it. Discovering a problem in OpenPGP would be a sure-fire way to gain fame within the cryptography community, much as discovering how to build a 100-mile-per-gallon, high-performance gasoline engine would be in the auto industry. Both seem impossible, but many people try.

However, both PGP and GnuPG are more than the algorithms used by OpenPGP. There's a whole bunch of source code in and around those algorithms. A bad guy could find a problem with that source code and use it to break the protection provided by the software. That source code requires auditing by skilled individuals to ensure its safety. GnuPG's source code is open for audit by anyone in the world and is checked by many different people of differing skill levels. PGP's source code is open for audit only to customers, but many of those customers hire very skilled people specifically to audit the code.

Algorithm Support

The original PGP used encryption methods that were encumbered by patents at the time PGP was created. Some of those encryption methods are now in the public domain, but one (IDEA) is protected by patents in Europe. OpenPGP has moved beyond all of these algorithms, but you might find references to them if you encounter old versions of PGP.
You don't need to understand what IDEA is, but you do need to recognize it if you encounter it and have to deal with it.

GnuPG does not support IDEA because IDEA is less than completely free. IDEA is licensed under very liberal terms -- it's free for non-commercial use; if you've ever bought a product that includes IDEA you have a lifetime, royalty-free IDEA license; and if all else fails you can buy an IDEA license online for $18.93. Those terms are modest, especially for modern software, but it doesn't meet GnuPG's standards. (Hey, it's their software; they set the standards.) You can hack GnuPG to support IDEA, but the GnuPG folks won't do it for you.

PGP Corporation has paid the patent holder, and when you buy PGP you get access to that cipher. OpenPGP no longer requires IDEA, but some businesses might require it. If you find a 10-year-old encrypted file you need to open, you'll need IDEA. Otherwise, it's irrelevant.

OpenPGP and the Law

OpenPGP uses some of the strongest public-key encryption algorithms available to cryptographers anywhere. And I do mean strong. Law enforcement officials cannot break into a file properly protected with GnuPG, and some governments just don't like their citizens having such strong protection.

Some countries allow their citizens to use strong encryption algorithms, but only in a limited and breakable manner. Others require that all encryption keys be given to a "key escrow" agency, so that if you become a criminal mastermind the government can get your key from the escrow agency and decrypt your incriminating messages. This is much like asking muggers to register their Saturday Night Specials before committing holdups -- and roughly as effective.

To make matters more confusing, these laws change irregularly. If you are in doubt about the laws regarding encryption use in your country, check with a local computing professional or lawyer.
Googling for "encryption law survey" will uncover several websites on the topic, including a very good survey at http://rechten.uvt.nl/koops/cryptolaw.

Excerpted from the introduction to PGP & GPG: Email for the Practical Paranoid by Michael W. Lucas. © 2006, No Starch Press. Used with permission. All rights reserved.

Michael W. Lucas is a network/security engineer. He is the author of the critically acclaimed Absolute BSD, Absolute OpenBSD, and Cisco Routers for the Desperate. He also writes the column Big Scary Daemons at O'Reilly's BSD DevCenter.

From rforno at infowarrior.org Wed Apr 26 09:49:03 2006
From: rforno at infowarrior.org (Richard Forno)
Date: Wed, 26 Apr 2006 09:49:03 -0400
Subject: [Infowarrior] - OSX Users -- browser preference RFI
Message-ID:

Out of curiosity, what do you MacOSX users use for web browsing? Opera, Safari, Firefox, Omniweb, etc, etc, etc?

I've been getting fed up with Firefox and its memory leaks and a few new quirks in recent weeks -- but IMO Safari doesn't give the same flexibility options as Firefox.

So what's your ideal browser and/or browser trade-offs on OSX?
-rick

From rforno at infowarrior.org Wed Apr 26 10:27:06 2006 From: rforno at infowarrior.org (Richard Forno) Date: Wed, 26 Apr 2006 10:27:06 -0400 Subject: [Infowarrior] - A Survey of DNS Security: Most Vulnerable and Valuable Assets Message-ID:

A Survey of DNS Security: Most Vulnerable and Valuable Assets http://www.cs.cornell.edu/people/egs/beehive/dnssurvey.html

From rforno at infowarrior.org Wed Apr 26 12:36:02 2006 From: rforno at infowarrior.org (Richard Forno) Date: Wed, 26 Apr 2006 12:36:02 -0400 Subject: [Infowarrior] - Head of visitor tracking program wants global ID system Message-ID:

http://www.govexec.com/story_page.cfm?articleid=33925&dcn=e_gvet

Head of visitor tracking program wants global ID system By Jonathan Marino jmarino at govexec.com

The head of the Homeland Security Department's visitor tracking program on Tuesday called for the creation of a "global ID management system" to make travel easier while enhancing security. Jim Williams, director of the US VISIT program within DHS, told attendees of the National Business Travel Association's annual meeting he is aware of the plight of the business traveler. Even he, despite his senior position in the department, once found himself temporarily unable to board a plane because he shared the name of an individual on a terrorist watch list, he said. Williams said he wants to join forces with several DHS agencies to develop a global identification system that would cut wait times, reduce government fees for travelers, fight illegal immigration and, perhaps paramount, better defend nations from terrorists. The US VISIT chief, who already oversees identity inquiries for nearly every visitor who enters the United States, said a worldwide identification system will better link nations in the fight against terrorism. In his speech, he likened al Qaeda operatives and sleeper cells - including the ones that attacked on 9/11 - to "submarines" that must surface to kill.
"In order for them to do what they want to do, they have to travel," Williams said. He did not specify when, or how, the proposed global program would be implemented. Williams suggested that a biometrics identification system might be used to better track travelers to the United States. A similar program is being tested in Great Britain, where such physical characteristics as fingerprints or iris scans are being tied to national identification cards. Proponents say it can cut the odds of success for immigration fraud. Any program that can successfully ease both financial burdens and wait times for travelers will be welcomed with open arms, said Hank Roeder, vice president of global operations for the National Business Travel Association. In his speech, Williams said an American version of the global ID plan would likely require the cooperation of US VISIT, the Customs and Border Protection bureau, the Transportation Safety Administration and U.S. Customs and Immigration Services, all under the DHS umbrella. A TSA official declined to comment, saying the agency has no knowledge of the proposed plan. CBP and CIS could not be reached for comment.

From rforno at infowarrior.org Wed Apr 26 13:15:57 2006 From: rforno at infowarrior.org (Richard Forno) Date: Wed, 26 Apr 2006 13:15:57 -0400 Subject: [Infowarrior] - Piracy penalties WORSE than child porn under DMCA 2.0 Message-ID:

Piracy worse than child pornography http://www.theinquirer.net/?article=31256 By Nick Farrell: Wednesday 26 April 2006, 06:44

THE NEW look Digital Millennium Copyright Act (DMCA) seems to be giving the world an unusual moral code. Details of the upgraded act, which has the blessing of the music and film industry and the Bush administration, are now coming to light. It appears that the DMCA will have a maximum sentence of ten years inside for the crime of software and music piracy. It will also give the FBI the powers to wiretap suspected pirates.
Although sentencing varies in the US, the new law does send a very strange message as to what the government considers 'bad' in the 21st century. For example assaulting a police officer will get you five years, downloading child porn will get you seven years, assaulting without a weapon will get you ten years and aggravated assault six years. So in other words if you copy a Disney CD and sell it you will be in the same league as a paedophile who is distributing pictures of sexual attacks on children. If you copy Craig David's CD you get ten years, but if you punch him in the face and pummel him into a seven day coma you will only get six. You are more likely to get the respect of the prison population with your six year sentence as well.

From rforno at infowarrior.org Thu Apr 27 08:11:50 2006 From: rforno at infowarrior.org (Richard Forno) Date: Thu, 27 Apr 2006 08:11:50 -0400 Subject: [Infowarrior] - AUS to require national ID card in 2010 Message-ID:

Official: national card due by 2010 http://www.smh.com.au/news/national/official-national-card-due-by-2010/2006/04/26/1145861419456.html By Louise Dodson and Stephanie Peatling April 27, 2006

AUSTRALIANS will need a photo identity card within four years to receive Medicare and welfare payments but will not be forced to carry it at all times. The new "smart card" will contain "enhanced security" and replace 17 existing cards for Medicare benefits, family tax, child-care and unemployment payments, pensions, Austudy and pharmaceutical and transport concessions. People will be able to register for the card from the beginning of 2008 and it will be phased in over two years. The card will also be used to check identities for immigration and security purposes and to crack down on fraud. Its embedded computer chip will include a photograph, number, signature, date of birth and address. From 2010 people will not be able to receive government health and welfare payments without a card.
People may choose to have other information stored on the card, such as health and emergency contact details which, for example, ambulance officers could use. Although it will cost $1 billion it is estimated it will save the Government $3 billion a year. The Prime Minister, John Howard, said the Government had considered a national identity card after last year's London bombings but in the end it "was not predisposed to adopt a national ID card". He denied the card was "a Trojan horse for an ID card" but acknowledged it would have "enhanced security features". He said the security features of the smart card were one reason that a separate national identity card was not deemed necessary. Its perceived "Big Brother" features were another reason. The Government's decision followed a number of cabinet debates. Mr Howard said it showed a balance had been struck between ease of access to government payments and enhanced security measures on the one hand and legitimate concerns about storing personal information on the other. However some of his ministers think of it as an identity card. Before the announcement the Treasurer, Peter Costello, referred to it as just that, and then corrected himself. The NSW Premier, Morris Iemma, whom Mr Howard consulted before the announcement, welcomed the card. He said it was possible to balance threats to security with individual rights. However, the president of the NSW Council of Civil Liberties, Cameron Murphy, said the card would put people at risk of identity theft and fraud. "Everybody is interested in streamlining accessibility to government services," he said. "It's really how you go about doing it and ensuring any system is safe and secure and people aren't forced to provide information that is unnecessary and exposes them to the risk of fraud." The president of the Australian Council of Civil Liberties, Terry O'Gorman, said the announcement "marked a move towards an eventual ID card". 
Business reacted suspiciously, saying it could easily turn into an identity card. The Australian Chamber of Commerce and Industry's chief, Peter Hendy, said that although he supported clamping down on welfare fraud he was concerned that "an upgraded card runs the risk of providing government with a platform for a far more costly and intrusive Australia Card-type proposal". The Opposition's human services spokesman, Kelvin Thomson, gave in-principle support to the card but warned of a potential cost blow-out.

From rforno at infowarrior.org Thu Apr 27 08:18:20 2006 From: rforno at infowarrior.org (Richard Forno) Date: Thu, 27 Apr 2006 08:18:20 -0400 Subject: [Infowarrior] - OpEd: What's the point of security? Message-ID:

http://www.silicon.com/research/specialreports/ecrime/0,3800011283,39158393,00.htm By Simon Moores 26 April 2006

Security trade shows are booming - but does that mean companies are any safer? Simon Moores reports from Infosecurity 2006.

It's Infosec time again. Walking the aisles of Europe's most successful information security trade show, I found myself plagued with a nagging sense of doubt. Why? Scantily clad girls dressed as angels and the sash-climbing acrobats in yellow lycra bodysuits on the Symantec stand were entertaining and colourful enough. Even the message on the EP Secure stand warning visitors of the dangers from viruses and "wormes" should have brought a smile to my face. But all I could see in London's packed Olympia conference centre was an industry united in a profitable celebration of the failure of our society to properly protect itself from the dangers of living an increasingly online existence. Infosec was once again the venue for the release of the latest government-sponsored survey of information security breaches in the UK, conducted by a consortium led by PricewaterhouseCoopers LLP.
While you can find encouragement in the news that large businesses have become more security-conscious, with the total security incidents having fallen by 50 per cent over the last two years, the opposite is true of small business. Here, the average number of incidents has risen by 50 per cent to approximately eight per year. Worse still is the estimate of the total cost of security breaches to UK plc, which is up by 50 per cent from two years ago to approximately £10bn per annum - figures that support last month's smaller e-Crime Congress survey. Microsoft, which is at last joining the dubious Windows Client Protection business with its own antivirus solution, has been working hard to improve its own security credentials with a number of initiatives over the last year. Its Hotmail web email service is blocking 3.4 billion spam messages each day and has had two billion downloads of its malicious software removal tool in the last year, which tells us something about the overall size of the malicious software problem. The computing environment that surrounds us today reminds me of a large termite mound. It's intricate, solid, highly efficient and constantly improved. It does however have lots of different openings to the world outside and every now and then, a hungry chimpanzee with a twig comes along and plays havoc with the poor industrious termites' defensive structure. Taking this metaphor a step further - and looking at the sheer number of companies displaying solutions at Infosec - I have to wonder how long business will be forced to continue spending sizeable sums on information security products that continue to have relatively modest success in mitigating the expanding risks from internet crime. It was Winston Churchill who said: "Although personally I am quite content with existing explosives, I feel we must not stand in the path of improvement."
At an earlier Infosec Show, I released a Microsoft-sponsored report called A matter of trust which examined some of the many challenges facing Microsoft's Trustworthy Computing strategy and the steadily growing threat from online crime. In the intervening period, Infosec and the security industry have become larger and more successful, as have the organised crime groups which are busy milking people's bank accounts, defrauding businesses and stealing the identities of as many as 100,000 people in the UK each year. So I'm confused. Infosec is a great show and a wonderful platform for an arsenal of information security and identity products. But all the evidence of this year and previous years suggests that we're on the wrong side of the arms race to secure the computing environment. Even for the most paranoid of organisations, an unlimited security budget doesn't offer a safe and bullet-proof existence. It all makes me think of a quote from Arthur Dent in The Hitchhiker's Guide to the Galaxy: "Ah, this is obviously some strange use of the word 'safe' that I wasn't previously aware of."

From rforno at infowarrior.org Thu Apr 27 08:21:13 2006 From: rforno at infowarrior.org (Richard Forno) Date: Thu, 27 Apr 2006 08:21:13 -0400 Subject: [Infowarrior] - Study Shows Downside of IT Certification Message-ID:

(c/o J)

Study Shows Downside of IT Certification By Deborah Rothberg April 26, 2006 http://www.eweek.com/article2/0,1759,1954198,00.asp

Long seen as a method to maximize employment opportunities and salaries in the post-dot-com-bust era, a study released today finds that pay for certified IT skills falls short of the pay for non-certified skills. The Q1 2006 Hot Technical Skills and Certifications Pay Index, released April 25 by Foote Partners, a New Canaan, Conn., IT compensation and workforce management firm, found that pay premiums for non-certified IT skills grew three times faster than for certified ones in a six-month period spanning 2005-2006.
The study suggests that there has been a change in employers' acceptance of the value of non-certified tech skills versus certifications in maintaining competitive pay for their workers. "This is the first time skills have trumped certifications since our firm began surveying tech skills pay in 2000," said David Foote, president and chief research officer for the workforce research and consulting firm, in a statement. "Eighteen months ago, it was all about certifications for IT workers as employers stumbled out of the wreckage of an economic recession, looking to start hiring again. "This is a clear indication that employers are not placing the same emphasis on certification that they once did. Perhaps more to the point, they are finding other qualities of IT professionals more critical to their businesses going forward, and they are willing to pay more for those." Tracking the market value of 212 IT skills and certifications, premium pay for 103 non-certified skills averaged 7.1 percent of the base salary for a single skill. This number was up from 6.8 percent in Q1 2005, and 6.6 percent in Q1 2004. Pay for non-certified skills grew nearly 70 percent more than certifications, or 4.4 percent versus 2.6 percent respectively. Among "cooling" certified tech skills, those that have lost their value in the last year, the study lists nine, including MCDST (Microsoft Certified Desktop Support Technician), CISA (Certified Information Systems Auditor), and three Novell certifications (NCDE, MCNE, and CNA). Fourteen certifications have grown in value, showing an 11 percent or higher growth over the last year, including SCNP (Security Certified Network Professional), CISM (Certified Information Security Manager) and MCT (Microsoft Certified Trainer). Highest-paid certifications include CISM (Certified Information Security Manager), CISA (Certified Information Systems Auditor), and five different Cisco certifications (CCDP, CCEA, CCIE, CCIP and CCSP).
Skills categories showing the most growth in the survey included Applications Development/Programming Languages, Project Management, Training, Webmaster and Security.

From rforno at infowarrior.org Thu Apr 27 08:31:46 2006 From: rforno at infowarrior.org (Richard Forno) Date: Thu, 27 Apr 2006 08:31:46 -0400 Subject: [Infowarrior] - Comments on my OSX browser RFI Message-ID:

Quick reply as I have to get going early today, but my preferred browser of the past couple of months is now Camino. I got fed up with Safari's slowness and inability to handle sites.

< snip >

I know I shouldn't laugh, but memory leaks are what finally made me give up safari for firefox. I think those leaks, and regular restarts are probably just part of the deal. FYI, those restarts aren't so painful when the Mr Tech and Tab Mix Plus extensions are installed; tab mix includes a session saver, so all your tabs get saved, and Mr Tech includes a simple restart firefox command. I have found that FF's memory leaks on my macbookpro went down fairly drastically after they released and I upgraded to the universal binary version. Also, paring down the list of active firefox extensions, and keeping up to date with the ones installed helped me out as well. Nobody wants to be this guy: http://splasho.com/blog/wp-content/pic2.html

< snip >

I use Omniweb on my main computer. The tab interface is by far the best out there, as is the search blank (which goes to Scroogle, I can't get Netscape or Safari's to do the same), the easy bookmark management, the privacy settings, and so on. The way it saves the sites you were browsing before you quit is also awesome. Oh yeah, and its ad blocking blows away everything out there, including Privoxy. Its downsides are relatively slow speed and incompatibility with some sites. That's why I keep Safari and Firefox on the machine as well. On my second machine I use Safari mostly, because it's faster and more stable most of the time than Firefox.
Firefox is around for Pricegrabber.com, because Safari runs too slow. I'd use Omniweb, but out of the box, Omniweb needs a lot of tweaking for the ad blocking and I just haven't bothered.

< snip >

I do use Safari as my main browser. The few things that do need improving in my view (like choosing where attachments can be saved) can be often accomplished by Automator actions. The one big advantage Safari has for the roadwarrior is that it follows the network settings (proxy et al). So one can have different proxy settings incl. logins with the network settings for each location one travels. For the things that don't work with Safari I use Firefox and Netscape (some sites actually check strings and are only happy if an IE on Windows or some Netscape comes along...).

From rforno at infowarrior.org Thu Apr 27 09:10:19 2006 From: rforno at infowarrior.org (Richard Forno) Date: Thu, 27 Apr 2006 09:10:19 -0400 Subject: [Infowarrior] - Archives: 1 in 3 Records Wrongly Resealed Message-ID:

Archives: 1 in 3 Records Wrongly Resealed http://www.guardian.co.uk/worldlatest/story/0,,-5782554,00.html Wednesday April 26, 2006 11:16 PM By HOPE YEN Associated Press Writer

WASHINGTON (AP) - The government improperly sealed hundreds of previously public CIA, Pentagon and other records by reclassifying them as secret on questionable grounds, an internal review said Wednesday. The National Archives' audit of thousands of records withdrawn from public view since 1995 contends that one of every three was resealed without justification. The investigation covered historical records held by the National Archives. But it comes amid broader debate on classifying records on national security grounds, which critics say is often done based on political expediency. The Associated Press reported earlier this month that the National Archives agreed to seal previously public records - many of them more than 50 years old - despite concerns about whether it was justified.
On the other hand, Democrats have decried the timing of President Bush's 2003 decision to declassify sensitive intelligence and authorize its disclosure to rebut Iraq war critics. In recent weeks, the CIA has fired an employee accused of sharing classified information with news media. ``The ability and authority to classify national security information is a critical tool at the disposal of the government and its leaders,'' said William Leonard, head of the Archives' information security oversight office, in a briefing with reporters. Such a system, Leonard said, is only effective if the 3 million federal workers who decide whether to seal records on national security grounds each day follow clear standards and are kept honest. While the audit found numerous instances of improper reclassification, the National Archives declined to release details of what those documents contained, saying it was still working with the agencies to make them public again.

According to the audit:

- At least 32,315 publicly available records were reclassified since 1995, primarily by the U.S. Air Force (17,702), CIA (3,147) and Energy Department (2,164). Based on a sampling of 1,353 of those documents, 24 percent were resealed on clearly inappropriate grounds, while another 12 percent were questionable.

- Poor oversight by the agencies and the National Archives was to blame, primarily due to a lack of clear standards and protocol for reclassification.

- In many cases where a previously public document was resealed on national security grounds, the decision didn't make sense because the material had been published elsewhere.

National Archivist Allen Weinstein said at the news briefing that he was implementing new procedures to curtail abuses and ensure that resealing of documents is rare. The procedures require that the public be informed on a regular basis when records are withdrawn from public access.
The archives also will boost training, seek more federal funding to speed declassification and launch a longer-term study of how it handles materials that are deemed classified. The archives' secret agreements with government agencies were made public earlier this month in response to a 3-year-old Freedom of Information Act request by The Associated Press. They provided new details on the efforts of the nation's chief historical repository to hide the fact that U.S. intelligence was secretly trying to reclassify approximately 55,500 pages of previously public documents. The revelation drew widespread anger on Capitol Hill, and the agreement was even disowned by a former head of the archives. John Carlin, a former Kansas governor who served as chief archivist from 1995 to 2004, said the agreement was kept secret even from him. ``I was shocked by the content, particularly the language that it was in the best interest of the National Archives to keep the public in the dark,'' he said in a statement last week. ``I spent most of my tenure stating that NARA is a public trust - this (agreement) undermines that trust.'' Archives officials have been criticized for keeping the agreements secret. But internal NARA reports obtained by the AP under the Freedom of Information Act show archivists were concerned about the reclassification scheme as early as January 2003. As boxes of documents were pulled from shelves, historians and other researchers who regularly use archival materials were beginning to notice their absence. ``Researchers continue to question why records, some of which have been open for years, are not readily available for research in 2003,'' archivists said in a January 2003 report. ``The exceptional efforts of the (staff) ... have worked to placate most of the impacted researchers, and complaints are amazingly few in number.'' Two years later, NARA officials appeared frustrated by the reclassification effort. 
``The amount of disruption to timely reference service wreaked by ... declassification (sic!) teams is growing,'' a NARA official said in an April 2005 report. ``The Air Force team seems particularly bent on expanding their mandate to series of records well beyond recognized rationality considering the sort of information they are allegedly seeking to identify.''

---

AP Investigative Researcher Randy Herschaft in New York and AP Writer Frank Bass in Washington contributed to this report.

On the Net: National Archives: http://www.archives.gov Federation of American Scientists government secrecy project: http://www.fas.org/sgp/index.html National Security Archive: http://www.gwu.edu/nsarchive

From rforno at infowarrior.org Thu Apr 27 16:03:17 2006 From: rforno at infowarrior.org (Richard Forno) Date: Thu, 27 Apr 2006 16:03:17 -0400 Subject: [Infowarrior] - Sen. Specter Threatens to Block NSA Funds Message-ID:

Sen. Specter Threatens to Block NSA Funds http://www.washingtonpost.com/wp-dyn/content/article/2006/04/27/AR2006042700977_pf.html By LAURIE KELLMAN The Associated Press Thursday, April 27, 2006; 2:09 PM

WASHINGTON -- Senate Judiciary Committee Chairman Arlen Specter said Thursday he is considering legislation to cut off funding for the Bush administration's secret domestic wiretapping program until he gets satisfactory answers about it from the White House. "Institutionally, the presidency is walking all over Congress at the moment," Specter, R-Pa., told the panel. "If we are to maintain our institutional prerogative, that may be the only way we can do it."
Specter said he had informed President Bush about his intention and that he has attracted several potential co-sponsors. He said he's become increasingly frustrated in trying to elicit information about the program from senior White House officials at several public hearings. The amendment amounted to a warning to the White House from a powerful but frustrated Senate chairman. "I'm not prepared to vote for it myself," Specter told reporters. According to a copy of the amendment obtained by The Associated Press, it would enact a "prohibition on use of funds for domestic electronic surveillance for foreign intelligence purposes unless Congress is kept fully and currently informed." The move got the White House's attention, but not its immediate cooperation. Bush has insisted that the program falls within his authority and has staunchly refused to allow administration officials to answer many of Specter's questions. "The appropriate members of Congress have been and continue to be informed with respect to the Terrorist Surveillance Program," said White House spokeswoman Dana Perino. "The Administration remains confident that a majority of members of Congress continue to recognize the importance of protecting Americans through lawful intelligence activities directed at terrorists." Specter also agreed with Democrats who say that any of the bills to tighten guidelines for National Security Agency program and increase congressional oversight could be flatly ignored by an administration with a long history of acting alone in security matters. "It is true that we have no assurance that the president would follow any statute that we enact," Specter said. He said he's considering adding an amendment to stop funding of the program to an Iraq war-hurricane relief bill being debated by the Senate this week and next. Senior Republican officials said they had not received guidance about the legislation and could not say when it might come to the Senate floor. 
Specter's announcement came a day after the House passed a bill 327-96 to dramatically increase spending on intelligence programs. In the process, Republicans blocked an amendment to expand congressional oversight of the NSA's warrantless surveillance program. House Intelligence Committee Chairman Peter Hoekstra, R-Mich., said allegations that NSA domestic wiretapping operations are abusive or unconstitutional are outrageous and that Congress is committed to vigorous oversight of the program.

© 2006 The Associated Press

From rforno at infowarrior.org Fri Apr 28 08:28:19 2006 From: rforno at infowarrior.org (Richard Forno) Date: Fri, 28 Apr 2006 08:28:19 -0400 Subject: [Infowarrior] - WaPo on "Gamercise" Message-ID:

Get a Move On http://www.washingtonpost.com/wp-dyn/content/article/2006/04/27/AR2006042700723_pf.html By Caroline Kettlewell Friday, April 28, 2006; WE30

HELLO, my name is Caroline, and I'm addicted to "Dance Dance Revolution." Six weeks ago, I'd never even heard of this game. Then one day the junior member of the household began clamoring for it. A video game you play not with the usual handheld controller but with a touch-sensitive mat on the floor. A dance pattern scrolls on the screen, and you have to match it with your feet on the mat. If you don't count a brief and engrossing fascination with "Pong" around Christmas 1975, my general interest in video games could safely be described as nominal and my playing ability worse. "Eh," I said dismissively to my 8-year-old. "It sounds like one of those things you'll play with for a day and never touch again." Then two weeks ago, I got my first try at "Dance Dance Revolution." Two days later we had a PlayStation 2. The next day we added a second dance mat. Now my feet are bruised, my shins ache, my child begs piteously for dinner while I mutter, "Just once more, just once more," and I fear I may be in the market for a couple of knee replacements. But really, I can quit anytime.
"Dance Dance Revolution" (known by the less cumbersome "DDR"), introduced by Konami Digital Entertainment as an arcade game in Japan in 1998 and two years later in the United States, was released in a home version for PlayStation in 2001, making "DDR," in the warp-speed world of electronic entertainment, the ancient, if spry, ancestor of the new video-gaming trend dubbed "exergaming." Seeking to put the "active" in "interactive," exergaming -- anything from inexpensive video games that get you off the couch to high-end exercise equipment for the commercial fitness market -- premiered as a self-identified category barely more than a year ago at the huge International Consumer Electronics Show in January 2005. Though it's too early to say whether it will be the hot new thing or a mere blip on the radar, the success or failure of exergaming is likely to rest on two essential questions: Is it fun, and is it exercise? Pedal Power My initiation into exergaming began with the Gamebike from Cateye Fitness. A stationary bicycle with the game controller built into the handlebars, it comes in two sizes (for kids and adults), connects to a PlayStation 2 (with adaptors for other platforms) and works with video racing games. You pedal to move your racer and steer with the handlebars. A round of "ATV: Offroad Fury" led, unfortunately for my game character, to a series of brutal onscreen accidents incompatible with a lengthy cyber life span. I could see, however, that a person with better gaming skills than mine (no big challenge there) could easily get lost in playing and hardly notice the exercising; my kid, who hates sitting still, would probably love the Gamebike and want one immediately, which is why (at $349 for the consumer model) I didn't invite him to try it with me. 
And imagine an adult Spinning class at your local fitness club (the Gamebike costs $1,169 for upright and $1,600 for recumbent commercial versions) where you're matched against several fellow riders in an onscreen race. "You get so focused on the competition, 30 or 40 minutes will pass and you won't even realize it," says Russell Triebert, who is Cateye Fitness's regional sales manager for the Southeast.

'Screen Time'

Of course, the home market is the bread and butter of the video game industry, and that industry has been taking plenty of hits lately from those who blame it for helping turn a generation of children into doughy sofa-sloths. What degree of blame they actually deserve for the runaway rise in obesity rates and attendant health problems in this country is a matter for the sociologists to debate. Nevertheless, as any parent of the under-20 set knows, onscreen games are a ubiquitous feature of the modern American childhood. So when I -- armed with a selection of exergames -- went in search of the appropriate gaming platforms to try them on and a requisite selection of test subjects -- that would be the under-20 set -- it didn't take me long to find either.

"Four years ago, we didn't even own a TV," says Anne Westrick, a Hanover, Va., mom whose oldest child of four is a college sophomore. Now, surveying a den equipped with a large-screen TV, Xbox, PlayStation 2, GameCube, two well-worn "DDR" mats and a stack of games, she admits, "It's a slippery slope. We got the TV so we could play 'Dance Dance.' I tell my kids they can have an hour of 'screen time' a day, and they say, 'But, Mom, 'DDR' is exercise, not screen time.' "

Ted (14) and Sam (12) Westrick; their friends Daniel Lehman (16) and Dane (12) and Ellen (10) Orie; and my son, who would never have spoken another word to me in this or any future lifetimes if he hadn't been included in this research project, crowded into the den, where Ted and Sam were introducing us to "DDR" in a dizzying blur of synchronized footwork. By the final beat they were flush-faced and panting from exertion. Exercise? Check.

Conceptually simple, "DDR" is maddeningly, addictively, entertainingly difficult in practice. The floor mat has four touch-sensitive arrows on it: right, left, forward and back. Standing on the pad, you follow a scrolling step pattern of arrows displayed onscreen and varyingly timed to the beat of one of the game's selection of catchy dance hits. If your feet and your timing are on target, you're rewarded with onscreen encouragement ("GREAT" "PERFECT") and a higher score. But if you don't step on the correct spot on the correct arrow at just the right time, you get a "BOO," miss multiple steps and a chorus of boos follows your spiral into the depths. Short of a perfect score, when the song comes to an end -- well, it takes a stronger person than I to fight off the urge to say, "Just one more time." When I tell you that my father-in-law, whose knees have not forgiven him those Army parachuting days, tried soft-shoeing it to "Play That Funky Music," you get the idea that Konami is definitely on to something.

Four levels of difficulty -- beginner, light, standard and heavy -- add increasing speed and complexity to the steps. Each version of the game (I've been playing "Dance Dance Revolution Extreme 2" for PlayStation 2) has brought new features and music; "DDR Extreme 2" includes a workout mode and songs ranging from a relatively funereally paced cover of "Oops! . . . I Did It Again" to the panic-speed "Butterfly (Upswing Mix)."
Having been thoroughly flummoxed in "light" mode, I reel at the prospect of a fast song set on "heavy" -- surely pure Savion Glover. At the Westricks', the boys obligingly slowed an already leisurely song to nearly comatose speed (if you ask me how they did this, the answer is I have no idea, but "DDR" comes with an instruction booklet) for my first turn on the dance pad. It wasn't pretty, but it was enough. I was caught immediately and inescapably in the grip of "DDR" madness. Which I had to wrestle into temporary submission, because the kids were on to the next thing, the Qmotions-Xboard.

Inter-Action

A new product from the company Qmotions, which also has interactive baseball and golf systems on the market, the Xboard is a skateboard-size platform balanced on a shorter and narrower block of slightly giving foam and attached to a game controller. Using a snowboard, skateboard, surfing or windsurfing game, you control the motion of your onscreen board by tilting the angle of the board beneath your feet. The Xboard we tried was a prototype. (Qmotions says the product will be available sometime in May in PlayStation 2 and Xbox formats and will cost about $100.) It came without instructions, not that your average video-game-conversant kid bothers with those anyway. Before I could offer more than an "Um, I think you're supposed to connect . . .," the boys had the Xboard plugged in, the snowboarding game "SSX 3" powered up and Ted was wobbling unsteadily on the board while the others offered suggestions and critiques. After cycling through several players and a steady procession of wipeouts and off-course flounderings, it became clear that Xboarding called for a certain degree of subtlety and finesse. It was not, you might say, child's play. "These products are not toys, they are simulators," says Amro Albanna, founder and chief executive of California-based Qmotions.
"We are making video games a lot closer to the actual sport and giving video gamers a new way to play the game." It was more balance work than workout, but then again balance is an important part of a well-rounded fitness regimen. And certainly it's a more active and demanding way to play games that otherwise exercise nothing more than your fingers. For the fun factor, I thought the Xboard added challenge to the game and an enjoyable element of authenticity; although I doubt that I represent the marketing demographic the Xboard is aiming for. If we had one of these in our house, I might actually try playing those games that, with a hand controller only, have never much piqued my interest. Moving up the exertion scale, we next tried "EyeToy: Kinetic" from Sony Computer Entertainment America. The EyeToy is a tiny camera that plugs into the PlayStation 2. It sits on the TV and projects your image onto the screen. Then, in rather a cool bit of technological whiz-bang, your movements somehow interact with the onscreen video. You kick and punch and duck and weave, and frankly, watching the off-screen EyeToy-player flailing about as though plagued by a cloud of imaginary insects is pretty funny. Sony has created a number of games to work with the EyeToy, most of which appear to be aimed at the youth market. The 2005 game "Kinetic," however, is more fitness-program-with-a-game-element than the other way around. Matt -- buff and vaguely multi-ethnic -- and British-accented fitness babe Anna are our computer-animated onscreen hosts. "Kinetic" includes combat, cardio, toning, and mind and body zones and offers customizing features, such as a Personal Trainer mode that will build you a 12-week training program. Of course, the kids went straight for the combat zone and rapidly thereafter for pure goofiness, but later I put "Kinetic" through its paces in more detail and certainly worked up a reasonable if not exhausting sweat in the process. 
In cardio and combat zones you try to hit, jab or touch certain moving objects onscreen while avoiding others, and each session gets progressively more difficult. The good and the bad of "Kinetic" is that I was concentrating more on taking out the moving objects than on registering how hard I was exercising. If you're looking simply for something that gets you up and moving, then you'll find that in "Kinetic," but I decided that the game would take some getting the hang of before I, at least, could pull off the smooth -- and more exerting -- maneuvers demonstrated onscreen by a shadow-outline Matt or Anna. I'm sure my neighbors, if they'd caught sight of me through the window, would have had a good and hearty laugh. I advise drawing the blinds.

My Maya

Marrying interactive technology with more traditional fitness programming is "Yourself!Fitness," which creator Phin Barnes dreamed up when he was training for a triathlon and using a software program that came with his heart-rate monitor. "After every workout I would download all the information and see the graphs and so forth. It really helped me train," he says. Barnes's concept was "a fitness game that would bring health and fitness guidance to the broadest segment of the population as possible -- the video-game-console-equipped household." Behold, then, Maya, your interactive personal "Yourself!Fitness" trainer for Xbox, PC and PlayStation 2. Built by focus group and born of computer animation, Maya gets your height, weight and age, then works you through initial tests of strength and conditioning before offering suggested focus areas such as cardio, upper- and lower-body strength, or flexibility. During each workout, she -- okay, the program -- periodically asks you to assess how hard you're working, then readjusts future sessions to increase or decrease intensity accordingly.
"Yourself!Fitness" builds on a familiar range of Pilates, yoga and aerobics routines, but thanks to the multiple, evolving levels of personalized interactivity, it's about as close as you can get to having a 24-hour on-call personal trainer without actually having one, and all for about $35 for PS2 and Xbox platforms. " 'Yourself!Fitness' is 100 percent dependent on the profile you build as you use the program," Barnes says. "It specifically targets your needs." I'll admit it won me over. I've never had much enthusiasm for workout videos, which quickly grow stale, and I'm averse to group fitness classes. But "Yourself!Fitness" let me pick what I wanted (Maya suggested cardio, but I flouted her advice and tried upper body and core first) and allowed me to incorporate my hand weights and balance ball into the routines and increase the intensity as I liked, until I was feeling the burn indeed. I'd definitely use this program. Assuming I could stop playing "DDR."

DANCE DANCE REVOLUTION EXTREME 2
With dance pad for PS2, $59.99. Without dance pad, $39.99. Other versions also available for Xbox and PS2. http://www.konami.com.

QMOTIONS-XBOARD
Available in May for PS2 and Xbox for about $100. http://www.qmotions.com/xboard.html.

SONY EYETOY: KINETIC
(With camera) for PS2, $49.99. http://www.us.playstation.com/eyetoy.aspx.

YOURSELF!FITNESS
$34.99 for PS2 and Xbox. $29.99 for PC. http://www.yourselffitness.com.

CATEYE GAMEBIKE
$349. Gamebike Pro, $1,169 upright and $1,600 recumbent, for PS2, Xbox, GameCube and PC. 972-644-8403. http://www.gamebike.com.

When she isn't playing "DDR," Caroline Kettlewell is a freelance writer and regular contributor to Weekend and can be found online at http://www.carolinekettlewell.com.
From rforno at infowarrior.org Fri Apr 28 12:21:02 2006
From: rforno at infowarrior.org (Richard Forno)
Date: Fri, 28 Apr 2006 12:21:02 -0400
Subject: [Infowarrior] - Total Information Awareness Project Lives On
Message-ID:

The Total Information Awareness Project Lives On
Technology behind the Pentagon's controversial data-mining project has been acquired by NSA, and is probably in use.
By Mark Williams
http://www.technologyreview.com/read_article.aspx?ch=infotech&sc=&id=16741&pg=1

In April, the Electronic Frontier Foundation (EFF), the advocacy organization for citizens' digital rights, filed evidence to support its class-action lawsuit alleging that telecom giant AT&T gave the National Security Agency (NSA), the ultra-secret U.S. agency that's the world's largest espionage organization, unfettered access to Americans' telephone and Internet communications. The lawsuit is one more episode in the public controversy that erupted in December 2005, when the New York Times revealed that, following September 11, President Bush authorized a far-reaching NSA surveillance program that included warrantless electronic eavesdropping on telephone calls and e-mails of individuals within the United States. Critics charged that the Bush administration had violated both the Constitution's Fourth Amendment, which protects citizens against unwarranted search or seizure, and the Foreign Intelligence Surveillance Act (FISA) of 1978, which requires eavesdropping warrants to be obtained from a special court of judges empowered for that purpose. In February 2006, the controversy intensified.
Reports emerged that component technologies of the supposedly defunct Total Information Awareness (TIA) project -- established in 2002 by the Pentagon's Defense Advanced Research Projects Agency (DARPA) to develop advanced information technology to counter terrorists, then terminated by Congress in 2003 because of widespread criticism that it would create "Orwellian" mass surveillance -- had been acquired by the NSA. Washington's lawmakers ostensibly killed the TIA project in Section 8131 of the Department of Defense Appropriations Act for fiscal 2004. But legislators wrote a classified annex to that document which preserved funding for TIA's component technologies, if they were transferred to other government agencies, say sources who have seen the document, according to reports first published in The National Journal. Congress did stipulate that those technologies should only be used for military or foreign intelligence purposes against non-U.S. citizens. Still, while those component projects' names were changed, their funding remained intact, sometimes under the same contracts. Thus, two principal components of the overall TIA project have migrated to the Advanced Research and Development Activity (ARDA), which is housed somewhere among the 60-odd buildings of "Crypto City," as NSA headquarters in Fort Meade, MD, is nicknamed. One of the TIA components that ARDA acquired, the Information Awareness Prototype System, was the core architecture that would have integrated all the information extraction, analysis, and dissemination tools developed under TIA. According to The National Journal, it was renamed "Basketball." The other, Genoa II, used information technologies to help analysts and decision makers anticipate and pre-empt terrorist attacks. It was renamed "Topsail." Has the NSA been employing those TIA technologies in its surveillance within the United States? And what exactly is the agency doing, anyway? 
The hearings that the Senate Judiciary Committee convened in February to consider the NSA's surveillance gave some clues. Attorney General Alberto Gonzales, maintaining the administration's defense against charges that it violated the Fourth Amendment and FISA, told senators, firstly, that Article II of the U.S. Constitution granted a president authority to conduct such monitoring and, secondly, that the Authorization to Use Military Force (AUMF) passed after September 11 specified that the president could "use all necessary and appropriate force" to prevent future terrorist acts. Regarding FISA, Gonzales claimed, the NSA had sidestepped its requirements to obtain warrants for electronic eavesdropping in particular cases. But, overall, the attorney general said, FISA worked well and the authorities had used it increasingly. The available facts support Gonzales's contention: while the FISA court issued about 500 warrants per year from 1979 through 1995, in 2004 (the last year for which public records exist) 1,758 warrants were issued. But when senators asked why, given the fact that FISA had provisions by which government agents could wiretap first and seek warrants later, the Bush administration had sidestepped its requirements at all, Gonzales claimed he couldn't elaborate for reasons of national security.

Former NSA director General Michael Hayden, in charge when the NSA's surveillance program was initiated in 2002, was slightly more forthcoming. FISA wasn't applicable in certain cases, he told the senators, because the NSA's surveillance relied on what he called a "subtly softer trigger" before full-scale eavesdropping began. Hayden, who is nowadays the nation's second-highest ranking intelligence official, as deputy director of national intelligence, said he could answer further questions only in closed session.
Gonzales's testimony that the government is making increased use of FISA, together with his refusal to explain why it's inapplicable in some cases -- even though retroactive warrants can be issued -- implies that the issue isn't simply that government agents may sometimes want to act quickly. FISA rules demand that old-fashioned "probable cause" be shown before the FISA court issues warrants for electronic surveillance of a specific individual. Probable cause would be inapplicable if NSA were engaged in the automated analysis and data mining of telephone and e-mail communications in order to target possible terrorism suspects.

As the Electronic Frontier Foundation's lawsuit against AT&T reveals, NSA has access to the switches and records of most or all of the nation's leading telecommunications companies. These companies' resources are extensive: AT&T's data center in Kansas, for instance, contains electronic records of 1.92 trillion telephone calls over several decades. Moreover, the majority of international telecommunications nowadays no longer travel by satellite, but by undersea fiber-optic cables, so many carriers route international calls through their domestic U.S. switches. With the telecom companies' compliance, the NSA can today tap into those international communications far more easily than in the past, and in real time (or close to it).

With access to much of the world's telecom traffic, the NSA's supercomputers can digitally vacuum up every call placed on a network and apply an arsenal of data-mining tools. Traffic analysis, together with social network theory, can reveal patterns indiscernible to human analysts, possibly suggesting terrorist activity. Content filtering, applying highly sophisticated search algorithms and powerful statistical methods like Bayesian analysis in tandem with machine learning, can search for particular words or language combinations that may indicate terrorist communications.
Whether the specific technologies developed under TIA and acquired by ARDA have actually been used in the NSA's domestic surveillance programs -- rather than only for intelligence gathering overseas -- has not been proved. Still, descriptions of the two former TIA programs that became Topsail and Basketball mirror descriptions of ARDA and NSA technologies for analyzing vast streams of telephone and e-mail communications. Furthermore, one project manager active in the TIA program before it was terminated has gone on record to the effect that, while TIA was still funded, its researchers communicated regularly and maintained "good coordination" with their ARDA counterparts. It's this latter fact that is most to the point. Whether or not those specific TIA technologies were deployed for domestic U.S. surveillance, technologies very much like them were. In 2002, for instance, ARDA awarded $64 million in research contracts for a new program called Novel Intelligence from Massive Data. Furthermore, overall, a 2004 survey by the U.S. General Accounting Office, an investigative arm of Congress, found federal agencies operating or developing 199 data mining projects, with more than 120 programs designed to collect and analyze large amounts of personal data on individuals to predict their behavior. Since the accounting office excluded most of the classified projects, the actual numbers would likely have been far higher. Beyond these programs, additionally, there exist all the data-mining applications currently employed in the private sector for purposes like detecting credit card fraud or predicting health risks for insurance. All the information thus generated goes into databases that, given sufficient government motivation or merely the normal momentum of future history, may sooner or later be accessible to the authorities. How should data-mining technologies like TIA be regulated in a democracy? It makes little sense to insist on rigid interpretations of FISA. 
This isn't only because when the law was passed by Congress 30 years ago, terrorist threats on al Qaeda's scale did not yet exist and technological developments hadn't gone so far in potentially giving unprecedented destructive power to small groups and even individuals. Today's changed technological context, additionally, invalidates FISA's basic assumptions. In an essay published next month in the New York University Review of Law and Security, titled "Whispering Wires and Warrantless Wiretaps: Data Mining and Foreign Intelligence Surveillance," K. Taipale, executive director of the Center for Advanced Studies in Science and Technology Policy, points out that in 1978, when FISA was drafted, it made sense to speak exclusively about intercepting a targeted communication, where there were usually two known ends and a dedicated communication channel that could be wiretapped. With today's networks, however, data and increasingly voice communications are broken into discrete packets. Intercepting such communications requires that filters be deployed at various communication nodes to scan all passing traffic with the hope of finding and extracting the packets of interest and reassembling them. Thus, even targeting a specific message from a known sender today generally requires scanning and filtering the entire communication flow in which it's embedded. Given that situation, FISA is clearly inadequate because, Taipale argues, were it to be "applied strictly according to its terms prior to any 'electronic surveillance' of foreign communication flows passing through the U.S. or where there is a substantial likelihood of intercepting U.S. persons, then no automated monitoring of any kind could occur." Taipale proposes not that FISA should be discarded, but that it should be modified to allow for the electronic surveillance equivalent of a Terry stop -- under U.S. 
law, the brief "stop and frisk" of a person by a law enforcement officer based on the legal standard of reasonable suspicion. In the context of automated data mining, it would mean that if suspicion turned out to be unjustified, after further monitoring, it would be discontinued. If, on the other hand, continued suspicion was reasonable, then it would continue, and at a certain point be escalated so that human agents would be called in to decide whether a suspicious individual's identity should be determined and a FISA warrant issued.

To attempt to maintain FISA and the rest of our current laws about privacy without modifications to address today's changed technological context, Taipale insists, amounts to a kind of absolutism that is ultimately self-defeating. For example, one of the technologies in the original TIA project, the Genisys Privacy Protection program, was intended to enable greater access to data for security reasons while simultaneously protecting individuals' privacy by providing critical data to analysts via anonymized transaction data and by exposing identity only if evidence and appropriate authorization was obtained for further investigation. Ironically, Genisys was the one technology that definitely had its funding terminated and was not continued by another government agency after the public outcry over TIA.

From rforno at infowarrior.org Fri Apr 28 18:32:31 2006
From: rforno at infowarrior.org (Richard Forno)
Date: Fri, 28 Apr 2006 18:32:31 -0400
Subject: [Infowarrior] - Virginia Gov's How-To-Spot-A-Terrorist Guide
Message-ID:

Hrmmm.....among other electronic devices and owning many notebooks, I own diving gear and have a card saying that I can rent/buy more such gear since I possess knowledge of underwater mobility. I must be a terrorist, then....*headdesk*

-rf

Virginia Training Manual Lists Property Rights Activists As Terrorists
Says video cameras, binoculars, sketch pads are terrorist tools
Paul Joseph Watson/Prison Planet.com | March 28 2006

A Virginia training manual used to help state employees recognize terrorists lists anti-government and property rights activists as terrorists and includes binoculars, video cameras, pads and notebooks in a compendium of terrorist tools. The manual, discovered by the Virginia News Source, is keen to emphasize that terrorists are not only Middle Eastern in scope and the main focus is afforded to domestic terrorism.

Included with Hamas, Al-Qaeda and Islamic Jihad, the following groups are identified as terrorist organizations.

- In any anti-government and militia movements
- Are property-rights activists
- Are in any racist, separatist and hate groups
- Are an environmental and animal rights activist
- Are a religious extremist
- Are in a street gang

Presumably, tourists, journalists, hikers, bird-watchers, scuba divers, artists, painters, and anyone who takes a photograph is also now a terrorist according to the official list of terrorist paraphernalia provided.

- sketch pads or notebooks
- maps or charts
- still or video camera
- hand held tape recorder
- binoculars
- SCUBA equipment
- disguises

< snip >

http://prisonplanet.com/articles/march2006/280306trainingmanual.htm

From rforno at infowarrior.org Fri Apr 28 20:48:44 2006
From: rforno at infowarrior.org (Richard Forno)
Date: Fri, 28 Apr 2006 20:48:44 -0400
Subject: [Infowarrior] - U.S.: FBI Sought Info Without Court OK
Message-ID:

....figures something this controversial gets buried late in the Friday afternoon news cycle....how typical.

-rf

U.S.: FBI Sought Info Without Court OK
http://apnews.myway.com/article/20060428/D8H99DSG1.html
Apr 28, 6:27 PM (ET)
By MARK SHERMAN

WASHINGTON (AP) - The FBI secretly sought information last year on 3,501 U.S. citizens and legal residents from their banks and credit card, telephone and Internet companies without a court's approval, the Justice Department said Friday. It was the first time the Bush administration has publicly disclosed how often it uses the administrative subpoena known as a national security letter, which allows the executive branch of government to obtain records about people in terrorism and espionage investigations without court approval. Friday's disclosure was mandated as part of the renewal of the Patriot Act, the administration's sweeping anti-terror law.

The FBI delivered a total of 9,254 NSLs relating to 3,501 people in 2005, according to a report submitted late Friday to Democratic and Republican leaders in the House and Senate. In some cases, the bureau demanded information about one person from several companies. The department also reported it received a secret court's approval for 155 warrants to examine business records last year, under a Patriot Act provision that includes library records. However, Attorney General Alberto Gonzales has said the department has never used the provision to ask for library records. The number was a significant jump over past use of the warrant for business records. A year ago, Gonzales told Congress there had been 35 warrants approved between November 2003 and April 2005.

From rforno at infowarrior.org Fri Apr 28 20:50:52 2006
From: rforno at infowarrior.org (Richard Forno)
Date: Fri, 28 Apr 2006 20:50:52 -0400
Subject: [Infowarrior] - Congress may consider mandatory ISP snooping
Message-ID:

CNET News.com
http://www.news.com/

Congress may consider mandatory ISP snooping
By Declan McCullagh
http://news.com.com/Congress+may+consider+mandatory+ISP+snooping/2100-1028_3-6066608.html
Story last modified Fri Apr 28 17:27:52 PDT 2006

It didn't take long for the idea of forcing Internet providers to retain records of their users' activities to gain traction in the U.S. Congress.
Last week, Attorney General Alberto Gonzales, a Republican, gave a speech saying that data retention by Internet service providers is an "issue that must be addressed." Child pornography investigations have been "hampered" because data may be routinely deleted, Gonzales warned.

Now, in a demonstration of bipartisan unity, a Democratic member of the Congressional Internet Caucus is preparing to introduce an amendment--perhaps during a U.S. House of Representatives floor vote next week--that would make such data deletion illegal. Colorado Rep. Diana DeGette's proposal (click for PDF) says that any Internet service that "enables users to access content" must permanently retain records that would permit police to identify each user. The records could not be discarded until at least one year after the user's account was closed.

It's not clear whether that requirement would be limited only to e-mail providers and Internet providers such as DSL (digital subscriber line) or cable modems. An expansive reading of DeGette's measure would require every Web site to retain those records. (Details would be left to the Federal Communications Commission.)

"We're still addressing some of the issues, and we will have those issues or answers before we introduce this as either an amendment or a standalone bill," Brandon MacGillis, a spokesman for DeGette, said in an interview on Friday.

CNET News.com was the first to report last June that the Justice Department was quietly shopping around the idea of legally required data retention. In a move that may have led to broader interest inside the United States, the European Parliament last December approved such a requirement for Internet, telephone and voice over Internet Protocol (VoIP) providers. U.S. politicians began talking publicly about mandatory data retention during a series of House of Representatives hearings on child pornography and in speeches, News.com reported earlier this month.
Legislation similar to DeGette's has been circulating in the Colorado legislature, and another hearing on child exploitation is planned for next Wednesday.

The Bush administration's current position is an abrupt reversal of its previous long-held belief that data retention is unnecessary and imposes an unacceptable burden on Internet providers. In 2001, the Bush administration expressed (PDF) "serious reservations about broad mandatory data retention regimes."

DeGette said in a statement that her amendment was necessary because: "America is the No. 1 global consumer of child pornography, the No. 2 producer. This is a plague we had nearly wiped out in the seventies, and sadly the Internet, an entity that we practically worship for all the great things it has brought to us, is being used to commit a crime against humanity."

For their part, Internet providers say they have a long history of helping law enforcement in child porn cases and point out that two federal laws already require them to cooperate. It's also unclear that investigations are really being hindered, according to Kate Dean, director of the U.S. Internet Service Provider Association.

MacGillis, a spokesman for DeGette, said his boss is likely to introduce her data retention proposal as a standalone measure or as an amendment to a broad telecommunications bill that's moving rapidly through the House. The bill (PDF)--best known for a debate this week over its Net neutrality sections--was approved by a House committee on Thursday and is expected to receive a floor vote next week. (DeGette had considered adding it as an amendment during the committee vote but decided against it at the last minute.)

"Our main concern on the bill is privacy, protecting the privacy of everyone out there on the Internet, but also retention of those records so law enforcement officials will have access to them, so we just need to really tinker with the language," MacGillis said.

Child porn as surveillance excuse?
Critics of DeGette's proposal have said that while the justification for Internet surveillance might be protecting children, the data would be accessible to any local or state law enforcement official investigating anything from drug possession to tax evasion. In addition, the one-year retention is a minimum; the FCC would receive the authority to require Internet companies to keep records "for not less than one year after a subscriber ceases to subscribe to such services." Jim Harper, director of information policy studies at the free-market Cato Institute, said: "This is an unrestricted grant of authority to the FCC to require surveillance." "The FCC would be able to tell Internet service providers to monitor our e-mails, monitor our Web surfing, monitor what we post on blogs or chat rooms, and everything else under the sun," said Harper, a member of the Department of Homeland Security's Data Privacy and Integrity Advisory Committee. "We're seeing a kind of hysteria reminiscent of the McMartin case. The result will be privacy that goes away and doesn't come back when the foolishness is exposed." The McMartin case was probably the most extreme example of the hysteria over "Satanic ritual abuse"--a widespread scare in the 1980s that children were molested, murdered and tortured, even though no evidence was found. In the McMartin preschool case, a family was falsely accused of Satanic activities and the charges were eventually dropped. At the moment, Internet service providers typically discard any log file that's no longer required for business reasons such as network monitoring, fraud prevention or billing disputes. Companies do, however, alter that general rule when contacted by police performing an investigation--a practice called data preservation. A 1996 federal law called the Electronic Communication Transactional Records Act regulates data preservation. 
It requires Internet providers to retain any "record" in their possession for 90 days "upon the request of a governmental entity."

In addition, Internet providers are required by another federal law to report child pornography sightings to the National Center for Missing and Exploited Children, which in turn is charged with forwarding that report to the appropriate police agency.

CNET News.com's Anne Broache contributed to this report.

Copyright ©1995-2006 CNET Networks, Inc. All rights reserved.

From rforno at infowarrior.org Fri Apr 28 22:27:03 2006
From: rforno at infowarrior.org (Richard Forno)
Date: Fri, 28 Apr 2006 22:27:03 -0400
Subject: [Infowarrior] - USG to invoke "State Secrets Privilege" in ATT Wiretap Case
Message-ID:

Feds Drop Bomb on EFF Lawsuit
http://wiredblogs.tripod.com/27BStroke6/index.blog?entry_id=1468765

The federal government intends to invoke the rarely used "State Secrets Privilege" -- the legal equivalent of a nuclear bomb -- in the Electronic Frontier Foundation's class action lawsuit against AT&T that alleges the telecom collaborated with the government's secret spying on American citizens.

The State Secrets Privilege is a vestige from English common law that lets the executive branch step into a civil lawsuit and have it dismissed if the case might reveal information that puts national security at risk.

Today's assertion severely darkens the prospects of the EFF's lawsuit, which the organization had hoped would shine light on the extent of the Bush Administration's admitted warrantless spying on Americans.

The government is not admitting, however, that AT&T aided the National Security Agency in spying on Americans' phone calls and internet communications.

"[T]he fact that the United States will assert the state secrets privilege should not be construed as a confirmation or denial of any of Plaintiffs' allegations, either about AT&T or the alleged surveillance activities," the filing reads.
"When allegations are made about purported classified government activities or relationships, regardless of whether those allegations are accurate, the existence or non-existence of the activity or relationship is potentially a state secret."

The Justice Department has not formally invoked the privilege yet. Today's notice was intended to inform Northern California US District Court Judge Vaughn Walker that the government was intending to assert the privilege in order to seek dismissal of the case. The complete paperwork justifying the government's decision will be filed by May 12.

Full filing

From rforno at infowarrior.org Sat Apr 29 19:02:57 2006
From: rforno at infowarrior.org (Richard Forno)
Date: Sat, 29 Apr 2006 19:02:57 -0400
Subject: [Infowarrior] - In Leak Cases, New Pressure on Journalists
Message-ID:

April 30, 2006
In Leak Cases, New Pressure on Journalists
By ADAM LIPTAK
http://www.nytimes.com/2006/04/30/washington/30leak.html?ei=5094&en=9db240cf3f964691&hp=&ex=1146369600&partner=homepage&pagewanted=print

Earlier administrations have fired and prosecuted government officials who provided classified information to the press. They have also tried to force reporters to identify their sources.

But the Bush administration is exploring a more radical measure to protect information it says is vital to national security: the criminal prosecution of reporters under the espionage laws.

Such an approach would signal a thorough revision of the informal rules of engagement that have governed the relationship between the press and the government for many decades. Leaking in Washington is commonplace and typically entails tolerable risks for government officials and, at worst, the possibility of subpoenas to journalists seeking the identities of sources.

But the Bush administration is putting pressure on the press as never before, and it is operating in a judicial climate that seems increasingly receptive to constraints on journalists.
In the last year alone, a reporter for The New York Times was jailed for refusing to testify about a confidential source; her source, a White House aide, was prosecuted on charges that he lied about his contacts with reporters; a C.I.A. analyst was dismissed for unauthorized contacts with reporters; and a raft of subpoenas to reporters were largely upheld by the courts.

It is not easy to gauge whether the administration will move beyond these efforts to criminal prosecutions of reporters. In public statements and court papers, administration officials have said the law allows such prosecutions and that they will use their prosecutorial discretion in this area judiciously. But there is no indication that a decision to begin such a prosecution has been made. A Justice Department spokeswoman, Tasia Scolinos, declined to comment on Friday.

Because such prosecutions of reporters are unknown, they are widely thought inconceivable. But legal experts say that existing laws may well allow holding the press to account criminally. Should the administration pursue the matter, these experts say, it could gain a tool that would thoroughly alter the balance of power between the government and the press.

The administration and its allies say that all avenues must be explored to ensure that vital national security information does not fall into the hands of the nation's enemies.

In February, Senator John Cornyn, Republican of Texas, asked Attorney General Alberto R. Gonzales whether the government's investigation into The Times's disclosure of a National Security Agency eavesdropping program included "any potential violation for publishing that information."

Mr. Gonzales responded: "Obviously, our prosecutors are going to look to see all the laws that have been violated. And if the evidence is there, they're going to prosecute those violations."

Recent articles in conservative opinion magazines have been even more forceful.
"The press can and should be held to account for publishing military secrets in wartime," Gabriel Schoenfeld wrote in Commentary magazine last month.

Surprising Move by F.B.I.

One example of the administration's new approach is the F.B.I.'s recent effort to reclaim classified documents in the files of the late columnist Jack Anderson, a move that legal experts say was surprising if not unheard of.

"Under the law," Bill Carter, a spokesman for the Federal Bureau of Investigation, said earlier this month, "no private person may possess classified documents that were illegally provided to them."

Critics of the administration position say that altering the conventional understanding between the press and government could have dire consequences.

"Once you make the press the defendant rather than the leaker," said David Rudenstine, the dean of the Benjamin N. Cardozo School of Law in New York and a First Amendment scholar, "you really shut down the flow of information because the government will always know who the defendant is."

The administration's position draws support from an unlikely source -- the 1971 Supreme Court decision that refused to block publication by The Times and The Washington Post of the classified history of the Vietnam War known as the Pentagon Papers.

The case is generally considered a triumph for the press. But two of the justices in the 6-to-3 majority indicated that there was a basis for after-the-fact prosecution of the newspapers that published the papers under the espionage laws.

Reading of Espionage Laws

Both critics and allies of the administration say that the espionage laws on their face may well be read to forbid possession and publication of classified information by the press.

Two provisions are at the heart of the recent debates. The first, enacted in 1917, is, according to a 2002 report by Susan Buckley, a lawyer who often represents news organizations, "at first blush, pretty much one of the scariest statutes around."
It prohibits anyone with unauthorized access to documents or information concerning the national defense from telling others.

The wording of the law is loose, but it seems to contain a further requirement for spoken information. Repeating such information is only a crime, it seems, if the person doing it "has reason to believe" it could be used "to the injury of the United States or to the advantage of any foreign nation." That condition does not seem to apply to information from documents.

In the Pentagon Papers case, Justice Byron R. White, joined by Justice Potter Stewart, said "it seems undeniable that a newspaper" can be "vulnerable to prosecution" under the 1917 law.

Indeed, the Nixon administration considered prosecuting The Times even after the government lost the Pentagon Papers case, according to a 1975 memoir by Whitney North Seymour Jr., who was the United States attorney in Manhattan in the early 1970's. Mr. Seymour wrote that Richard G. Kleindienst, a deputy attorney general, suggested convening a grand jury in New York to that end. Mr. Seymour said he refused.

Some experts believe he would not have won. The most authoritative analysis of the 1917 law, by Harold Edgar and Benno C. Schmidt Jr. in the Columbia Law Review in 1973, concluded, based largely on the law's legislative history, that it was not meant to apply to newspapers.

A second law is less ambiguous. Enacted in 1950, it prohibits publication of government codes and other "communications intelligence activities."

Andrew C. McCarthy, a former federal prosecutor who took part in terrorism investigations in New York after the Sept. 11 attacks, said that both The Times, for its disclosures about the eavesdropping program, and The Post, for an article about secret C.I.A. prisons, had violated the 1917 law. The Times, he added, has also violated the 1950 law.

"It was irresponsible to publish these things," Mr. McCarthy said. "I wouldn't hesitate to prosecute."
The reporters who wrote the two articles recently won Pulitzer Prizes.

Even legal scholars who are sympathetic to the newspapers say the legal questions are not straightforward.

"They are making threats that they may be able to carry out technically, legally," Geoffrey R. Stone, a law professor at the University of Chicago and the author of "Perilous Times: Free Speech in Wartime," said of the administration. The law, Professor Stone added, "has always been understood to be about spying, not about newspapers, but read literally it could be applied to both."

Others say the law is unconstitutional as applied to the press under the First Amendment.

"I don't think that anyone believes that statute is constitutional," said James C. Goodale, who was the general counsel of The New York Times Company during the Pentagon Papers litigation. "Literally read, the statute must be violated countless times every year."

Rodney A. Smolla, the dean of the University of Richmond law school, took a middle ground. He said the existing laws were ambiguous but that in theory it could be constitutional to make receiving classified information a crime. However, he continued, the First Amendment may protect newspapers exposing wrongdoing by the government.

The two newspapers contend that their reporting did bring to light important information about potential government misconduct.

Representatives of the papers said they had not been contacted by government investigators in connection with the two articles. That is baffling, Mr. McCarthy said. At a minimum, he said, the reporters involved should be threatened with prosecution in an effort to learn their sources.

"If you think this is a serious offense and you really think national security has been damaged, and I do," he said, "you don't wait five or six months to ask the person who obviously knows the answer."
Case Against 2 Lobbyists

Curiously, perhaps the most threatening pending case for journalists is one brought against two former lobbyists for the American Israel Public Affairs Committee, or Aipac. The lobbyists, Steven J. Rosen and Keith Weissman, were indicted in August on charges of violating the 1917 law by receiving and repeating national defense information to foreign officials and reporters.

The lobbyists say the case against them is functionally identical to potential cases against reporters.

"You can't say, 'Well, this is constitutional as applied to lobbyists, but it wouldn't be constitutional if applied to journalists,' " Abbe D. Lowell, a lawyer for Mr. Rosen, said at a hearing in the case last month, according to a court transcript.

In court papers filed in January, prosecutors disagreed, saying lobbyist and journalist were different. But they would not rule out the possibility of also charging journalists under the law.

"Prosecution under the espionage laws of an actual member of the press for publishing classified information leaked to it by a government source would raise legitimate and serious issues and would not be undertaken lightly," the papers said. Indeed, they continued, "the fact that there has never been such a prosecution speaks for itself."

Some First Amendment lawyers suspect that the case against the lobbyists is but a first step.

"From the point of view of the administration expanding its powers, the Aipac case is the perfect case," said Ronald K. L. Collins, a scholar at the First Amendment Center, a nonprofit educational group in Virginia. "It allows them to try to establish the precedent without going after the press."
From rforno at infowarrior.org Sun Apr 30 09:45:30 2006
From: rforno at infowarrior.org (Richard Forno)
Date: Sun, 30 Apr 2006 09:45:30 -0400
Subject: [Infowarrior] - Pentagon Halts Contractor Clearances
Message-ID:

Pentagon Halts Contractor Clearances
http://www.washingtonpost.com/wp-dyn/content/article/2006/04/28/AR2006042801878_pf.html

By Renae Merle
Washington Post Staff Writer
Saturday, April 29, 2006; D01

The Pentagon stopped processing security clearances for government contractors this week, potentially exacerbating a shortage of employees authorized to work on the government's most secret programs.

The Defense Security Service blamed overwhelming demand and a budget shortfall for the halt, which caught the government contracting community by surprise. Already, 3,000 applications have been put on hold, said Cindy McGovern, a DSS spokeswoman.

"We're holding them [the applications] now to see if we can resolve the issue. The more drastic step would be not accepting them" at all, McGovern said, a step the agency considered but dropped for now.

The demand for security clearances among private companies has grown dramatically since the Sept. 11, 2001, terrorist attacks as the government increasingly relies on contractors to do intelligence gathering and work on classified programs. There has been growing frustration with the wait time, which some companies have described as up to a year, to obtain clearances for new employees. Some firms have reverted to gimmicks and large bonuses to attract employees with pre-existing clearances, and industry officials worry that this week's action will increase competition and salary demands.

The move affects not only defense contractors, but also those who work on projects for more than 20 other agencies, including NASA and the Department of Homeland Security.

"We have companies right now that have positions that are funded that they can't find people for," said Stan Soloway, president of the Professional Services Council.
"This could completely shut the system down."

The Defense Security Service blames, in part, the sheer volume of requests. Between October and March, more than 100,000 security-clearance applications were submitted. The service is also struggling with a budget shortfall, McGovern said, noting that its funding was cut by $20 million this year. McGovern said she did not know how much of a shortfall the agency faces.

Last year, the Office of Personnel Management took over the job of conducting background investigations. But the Defense Security Service picks up the tab, which can be as much as $3,700 for a top-secret clearance. The Office of Personnel Management can also charge a premium of 19 to 25 percent for the work, which was not factored into the DSS budget, said David Marin, staff director for the House Government Reform Committee. Marin estimates the agency's shortfall at between $75 million and $100 million.

The agency's efforts to cut costs began earlier this month when it alerted contractors that it would no longer offer a more expensive expedited application process. On Tuesday, the agency stopped forwarding new applications to the OPM altogether.

The decision is "both baffling and disturbing," Rep. Thomas M. Davis III (R-Va.), chairman of the Government Reform Committee, said in a letter to the agency yesterday. Davis expects to hold a hearing on the issue, according to his office.

"It sure could get to be a real problem really fast," said John Douglas, president of the Aerospace Industries Association, a lobby group that represents companies including Lockheed Martin Corp. and Boeing Co., the Pentagon's largest contractors. "There doesn't seem to be any exceptions, and you would think that if you were working on a classified project to stop IEDs [improvised explosive devices], there would be."

© 2006 The Washington Post Company

From rforno at infowarrior.org Sun Apr 30 10:22:39 2006
From: rforno at infowarrior.org (Richard Forno)
Date: Sun, 30 Apr 2006 10:22:39 -0400
Subject: [Infowarrior] - Stupid Movie Promo = Public Terror Menace
Message-ID:

Talk about a REALLY STUPID idea.......but I guess any publicity for a movie these days is considered good......wonder if the promoter will be forced to reimburse localities responding to emergency calls arising from their actions....I doubt it. --rf

Movie Promotion Confused With Bomb in L.A.
http://apnews.myway.com/article/20060429/D8H9U66O0.html

Apr 29, 6:04 PM (ET)

SANTA CLARITA, Calif. (AP) - A newspaper promotion for Tom Cruise's upcoming "Mission: Impossible III" got off to an explosive start when a county arson squad blew up a news rack, thinking it contained a bomb.

The confusion: the Los Angeles Times rack was fitted with a digital musical device designed to play the "Mission: Impossible" theme song when the door was opened. But in some cases, the red plastic boxes with protruding wires were jarred loose and dropped onto the stack of newspapers inside, alarming customers.

Sheriff's officials said they rendered the news rack in this suburb 35 miles north of downtown Los Angeles "safe" after being called to the scene Friday by a concerned individual who thought he'd seen a bomb.

Times officials said the devices were placed in 4,500 randomly selected news boxes in Los Angeles and Ventura counties in a venture with Paramount Pictures designed to turn the "everyday news rack experience" into an "extraordinary mission."

It was just that, at least for the Los Angeles County Sheriff's Department arson squad, which destroyed the box.

"This was the least intended outcome. We weren't expecting anything like this," said John O'Loughlin, the Times' senior vice president for planning.

The devices are to remain in the boxes until May 7, two days after the film is scheduled to open.
From rforno at infowarrior.org Sun Apr 30 10:29:06 2006
From: rforno at infowarrior.org (Richard Forno)
Date: Sun, 30 Apr 2006 10:29:06 -0400
Subject: [Infowarrior] - Capitol Hill Joins Criticism of Smithsonian Film Deal
Message-ID:

Capitol Hill Joins Criticism of Smithsonian Film Deal
Key Congressmen Call for Review of Showtime Pact
http://www.washingtonpost.com/wp-dyn/content/article/2006/04/28/AR2006042802213_pf.html

By Jacqueline Trescott
Washington Post Staff Writer
Saturday, April 29, 2006; C01

Angered that the Smithsonian Institution sold a television network access to its treasures without consulting Congress, two influential members of the House have asked for a public airing of the business deal. The two lawmakers, who oversee the Smithsonian's appropriations, are also displeased that the institution refuses to make the contract public.

The contract between the Smithsonian and Showtime Networks has generated considerable criticism in recent weeks from documentary filmmakers and historians, mainly because of new restrictions on access to Smithsonian archives. Smithsonian Secretary Lawrence Small, in his first public comments on the Showtime matter, defended the agreement and said the contract has a "confidentiality provision."

This is the first public rebuke from Congress about the deal, which was announced last month. In a letter to Small, the congressmen warned that they are monitoring all future agreements, especially ones that "appear to essentially sell access to Smithsonian resources."

A spokesman for Showtime said the network would not respond to the letter because it was addressed to the Smithsonian.

The April 27 letter from Capitol Hill, released yesterday, was written by Rep. Charles Taylor (R-N.C.), chairman of the House subcommittee that approves the federal appropriation to the Smithsonian, and Rep. Norman D. Dicks (D-Wash.), the ranking minority member of the subcommittee.
The panel is currently considering a $644.4 million appropriation for fiscal 2007. The Smithsonian receives about 70 percent of its funds from the government.

"The Subcommittee requests the Board of Regents to immediately review this contract to determine whether it violates the spirit if not the letter of the Smithsonian Trust and to consider changes to the contract which would fully guarantee that its terms are limited to a narrow set of programs," the letter said.

Taylor and Dicks also said they objected to the restrictions on "legitimate commercial filmmakers who we believe have the right to reasonable access to the collections and staff."

In a written response, released last night, Small defended the venture and said the regents would review the "issues you have raised regarding reasonable access to collections and staff." He argued that the television deal would bring the Smithsonian to many more people than are able to visit the Mall.

"The venture provides an unprecedented opportunity for the Smithsonian to expand exponentially its ability to reach the public with information about our collections and activities, at no cost to us," he wrote.

The contract, according to Smithsonian officials, creates Smithsonian on Demand, an outlet that will produce 100 programs a year. The programs will use Smithsonian materials and experts, and the shows will be available, starting in December, to households with digital cable TV.

Because of the vastness of its archives, the Smithsonian is a popular resource for researchers, authors and filmmakers. The Smithsonian says the archives will be fully available to news and public-affairs teams as well as noncommercial organizations. But the Smithsonian will decide which commercial requests for more than "incidental use" of the archives will be approved.
The congressmen suggested that the Smithsonian Board of Regents, the policy and oversight board chaired by Chief Justice John Roberts, review the whole matter at its May 8 meeting. Taylor and Dicks also said Small should put together a public forum, and Small said in his letter that the regents would consider the suggestion.

The congressmen urged that the meeting include "an opportunity for public testimony, to analyze the issues surrounding financial agreements which appear to provide exclusivity or significant limitations on access to Smithsonian collections, which are by definition the property of all of the people of the United States."

The congressmen were worried that the contract "crosses the line" for a public institution's business deal, according to congressional sources. The sources said that Taylor and Dicks thought the Smithsonian had been "nonchalant" in its public responses so far on the matter.

"In addition to our concern about this particular contract, we would be concerned about any future agreements that are negotiated in secret, without Committee consultation, which commercialize Smithsonian resources or which appear to essentially sell access to Smithsonian resources," said the letter.

Taylor and Dicks, at an Appropriations hearing last month, said repairs needed for the Smithsonian are a high priority for Congress. But in their letter, they said, "While the Committee recognizes that budget shortfalls, in particular the need for funds to repair and maintain an aging infrastructure, require the Smithsonian to be aggressive and imaginative in its fund raising, these actions are often controversial and raise the risk of damaging both Congressional and public support for the Institution."
The protests against the Showtime contract have included a coalition of 215 filmmakers and historians, the American Historical Association, Society of American Historians, Society of American Archivists, American Library Association and the Association of Research Libraries.

In his letter to Congress, Small said, "The fear the Smithsonian is curtailing or constraining the work of historians and documentary researchers seeking to use the collections is unfounded."

He also responded to Carl Malamud, a senior fellow at the Center for American Progress, who raised a number of issues in a letter signed by actress Anna Deavere Smith, filmmakers Ken Burns and Michael Moore, and dozens of others. To that group, Small argued that filmmakers would benefit from the production entity and that the Smithsonian had the right to exercise controls of the material so it wouldn't be competing with itself.

"The joint venture," he said, "will provide millions of dollars of incremental income to the very community you fear will be discouraged from creating projects."

© 2006 The Washington Post Company