From rforno at infowarrior.org Thu Jun 1 00:07:39 2006
From: rforno at infowarrior.org (Richard Forno)
Date: Thu, 01 Jun 2006 00:07:39 -0400
Subject: [Infowarrior] - Justice Dept. Is Criticized by Ex-Official on Subpoenas
Message-ID:

June 1, 2006
Justice Dept. Is Criticized by Ex-Official on Subpoenas
By ADAM LIPTAK
http://www.nytimes.com/2006/06/01/washington/01chronicle.html?pagewanted=print

Subpoenas issued last month to reporters for The San Francisco Chronicle were criticized yesterday by a former chief spokesman for Attorney General John Ashcroft as a "reckless abuse of power."

The former spokesman, Mark Corallo, made similar statements in an affidavit filed in federal court yesterday. He said Mr. Ashcroft's successor, Alberto R. Gonzales, had acted improperly in issuing the subpoenas.

"This is the most reckless abuse of power I have seen in years," Mr. Corallo said in an interview. "They really should be ashamed of themselves."

The subpoenas, part of an effort to identify The Chronicle's sources for its coverage of steroid use in baseball, would not have been authorized by Mr. Ashcroft, Mr. Corallo said. "You just don't ride roughshod over the rights of reporters to gather information from confidential sources," he added.

Mr. Corallo left the Justice Department in 2005. His public relations firm represents, among others, Karl Rove, President Bush's top political adviser.

A spokeswoman for Mr. Ashcroft, who also stepped down in 2005, declined to comment on Mr. Corallo's sworn statement, which was submitted with the reporters' motion to quash the subpoena.

Brian Roehrkasse, a Justice Department spokesman, said he could not address the subpoena to the Chronicle reporters. Subpoenas, he said, are "handled consistent with Justice Department guidelines and on a case-by-case basis on facts specific to the case that only those in the Justice Department would be aware of."

Mr. Gonzales has in recent weeks hinted that the Justice Department may move beyond subpoenas for journalists' sources, and pursue the criminal prosecution of reporters under espionage laws for publishing classified information.

Mr. Corallo said the department's attitude toward news organizations "is starting to look like a policy shift, a policy shift for the worse."

Specialists in journalism and First Amendment law said that Mr. Corallo's statement was itself significant evidence of a shift.

"This illustrates in an unmistakable fashion," said Mark Feldstein, director of the journalism program at George Washington University, "that the Gonzales Justice Department has moved so far away from the mainstream of established legal opinion and case law when it comes to press freedom that even judicial conservatives are disturbed by it."

The Chronicle reporters, Mark Fainaru-Wada and Lance Williams, submitted Mr. Corallo's sworn statement along with their motion to quash the subpoenas, which was filed yesterday in Federal District Court in San Francisco.

The articles in The Chronicle that gave rise to the subpoenas had quoted, apparently verbatim, transcripts of grand jury testimony from prominent athletes, including the baseball stars Barry Bonds and Jason Giambi. Whoever provided those transcripts to the reporters may have violated grand jury secrecy rules or a judge's order.

Under the Justice Department's internal guidelines, subpoenas to the press for confidential sources require authorization by the attorney general. Under Mr. Ashcroft, Mr. Corallo said, he and others also had authority to deny such requests.

Mr. Corallo said that in three years as the department's press secretary and public affairs director, he approved a single subpoena to the press, involving what he called a serious national security matter, and turned down many more. One of those he refused, he said in the court filing, concerned "a public corruption case involving leaks of grand jury information."

Mr. Gonzales has defended his decision to issue the subpoenas. "I think it was information that was necessary, that we needed to have in connection with that investigation," he told the editorial board of The Houston Chronicle last month.

Mr. Corallo said he had used a different standard, one rooted in Justice Department policy. "It has to be a matter of grave national security or impending physical harm to innocent people," he said, "not just, well, this is the only way we're going to be able to get this information."

From rforno at infowarrior.org Thu Jun 1 09:35:15 2006
From: rforno at infowarrior.org (Richard Forno)
Date: Thu, 01 Jun 2006 09:35:15 -0400
Subject: [Infowarrior] - Crashing the Wiretapper's Ball
Message-ID:

Crashing the Wiretapper's Ball
http://www.wired.com/news/technology/1,71022-1.html
By Thomas Greene
02:00 AM Jun, 01, 2006

CRYSTAL CITY, Virginia -- The dingy hotel corridor was populated with suits, milling about and radiating airs of defensive hostility. They moved in close-knit groups, rounding a stranger or a rival group conspicuously, the way cats do. They spoke in whispers. They glanced nervously over their shoulders as they took calls on their cell phones, then darted swiftly into alcoves.

They were government officials, telephone company honchos, military officers, three-letter-agency spooks and cops, all brought together by salesmen dealing in the modern equipment of surveillance. It was my job to learn what they were up to.

They'd gathered for the ISS World Conference, a trade show featuring the latest in mass communications intercept gear, held in the Washington, D.C., suburb of Crystal City, Virginia. Situated conveniently between Reagan National Airport and the Pentagon, Crystal City is an artificial place dominated by conference centers and hotels, set up to accommodate the endless, and often secret, intercourse between the U.S.
military and its myriad itinerant contractors, lobbyists, consultants and trainers. They rotate in and out, civilians using the airport, military personnel taking the subway from the Pentagon, with Crystal City as the intersection in a figure-eight circuit of constant activity.

Back in the narrow hotel corridor, vendors manned their booths, exhibiting the latest gadgets for mass electronic surveillance: machines capable of scouring the data streams of millions of subscribers -- industrial-strength kits for packet interception and analysis, RF interception, and voice and keyword recognition.

These devices are a bonanza for the communications hardware industry, vouchsafed by the U.S. Communications Assistance to Law Enforcement Act of 1994, or CALEA, which mandates that all new telephone company gear must be wiretap-friendly, or "CALEA compliant," according to the popular euphemism. This has led to a seller's market with equipment makers pushing their dual-use kits with exceptional confidence.

The sales pitch has evolved beyond the traditional points of reliability, scalability, total cost of ownership and ease of deployment to exploit the hard-sell undercurrents of mass-scale commerce that's mandated by law and funded by taxpayers who are powerless to review the deals and evaluate their various costs and benefits to society.

While U.S. telephone companies are well accustomed to CALEA requirements (designed originally to make mobile phone networks as wiretap-friendly as land-line systems), the Federal Communications Commission has declared itself competent to expand the act to cover voice over internet protocol outfits and internet service providers as well. This expansion has been challenged in federal court, and the conflict has boiled down to a simple phrase in the law, exempting providers of "information services" (as opposed to communications services) from CALEA obligations.

The Department of Justice, ever eager for opportunities to plug law enforcement into the internet at the most basic levels, claims that ISPs, like telephone companies, are communications services, on grounds that instant messaging, VOIP and e-mail constitute a significant replacement for traditional telecommunications. The FCC is in complete agreement with the Justice Department, and has issued its demand for compliance by May 14, 2007.

The case, currently on appeal, is pending in a federal appeals court in Washington, D.C., where, comically, one judge characterized the FCC's legal arguments as "gobbledygook." Thus it's possible that only VOIP services that use the public switched telephone network will be covered by the CALEA, leaving peer-to-peer VOIP outfits and ISPs in the clear. A decision should arrive in a few months' time.

Despite this uncertainty, ISPs (and universities) have become new sales targets for the surveillance equipment industry -- fresh leads, so to speak -- and the hustle is uniform and loud: "CALEA is coming, and you'd better be ready."

In the conference rooms, salesmen pitched their solutions for "lawful interception." In attendance were the generally responsible representatives of North American and Western European government and law enforcement, but also numerous representatives of naked state control in the Middle East, Asia and Africa. The phrase "lawful interception" might have meaning in the United States, Canada and Europe, but this was the ISS world conference, after all, with attendees from more than 30 countries.

Narus was there, maker of the kit fingered by Mark Klein and allegedly used with impunity by the National Security Agency at numerous AT&T facilities for mass, domestic internet surveillance, and, the company boasts, used by Shanghai Telecom "to block 'unauthorized' internet calls."

There were European heavyweights like Ericsson and Siemens, American giants like Raytheon and light-heavyweights like VeriSign and Agilent, along with a vast host of leaner, more specialized, surveillance outfits such as Verint, Narus and the like. They offered equipment and services capable of every manner of radio frequency and packet interception, with user interfaces and database structures designed to manage and deliver not just information but "actionable data," properly organized and formatted for easy prosecutions.

Certain conference sessions, according to the schedule, were "open to sworn law enforcement agents only." But there was no discrimination between the more punctilious law enforcement agencies of democratic nations and those hailing from quarters where darker practices are commonplace.

The last thing anyone involved wanted was publicity. Unfortunately, I had a job to do, although it would be difficult; the press had been strenuously dis-invited, and Wired News' efforts to get credentialed for the event firmly rebuffed.

I spent my first day lurking in public areas of the hotel. In the lobby, two nattily dressed men with Caribbean accents were being hustled by an American salesman. The Caribbean fellows stiffened upon my approach, and warily lowered their voices. I buried my nose in the paper and listened.

I could hear little of what the two potential customers said, but the salesman, God bless him, was a loudmouth, and I was able to piece together parts of the conversation from his various announcements. It seemed elements of the deal that he was attempting to close were challenging. This may have had to do with his customers' qualifications to take delivery of surveillance equipment, perhaps because they weren't legitimate government representatives, or the government that employed them was subject to U.S. export restrictions.
I never learned the exact problem with getting the equipment into the customers' hands, but it was obvious that there was one. The salesman concluded with a hearty recap. "I'm glad we had the chance to meet in person; this is not a conversation I'd want to have on the phone, for obvious reasons," he roared. Everyone laughed heartily.

Later, at the bar, I sat beside three Americans: two cops and a civilian police employee. They bitched about how difficult RF interception is, how the equipment is complicated and its user interfaces mysterious, and the difficulty of getting adequate funds and properly trained personnel to carry out surveillance effectively. Grant money is to be avoided, they agreed. It's got strings attached -- strings like performance milestones and complicated reporting demands. And on top of that, there's such an assload of damned frequencies, and it's such a trial just to get the kit dialed in. You can waste hours listening to TV instead of the subject's cell phone. But all the brass understands is hard evidence leading to arrests, they whined.

This was suggestive stuff, but it's not what I came for.

On day two, it was time to make a move. I went to the registration booth and requested a pass and a press fee waiver. "The conference isn't open to the press," a receptionist explained with a fluty tone of voice and an android smile. A uniformed security guard took a step closer, for emphasis. I withdrew, bloodied but unbowed.

In the bar that night, things got interesting. A group of men associated with the Pen-Link and Lincoln electronic surveillance systems came in. I exchanged small talk with them for a bit, then moved to their table. Although I had identified myself as a journalist, an enthusiastic reseller of the equipment decided to hold forth. We drank a great deal, so I won't name him.

"I'm not much concerned about wiretaps in America and Europe," I'd been saying to one of the Pen-Link engineers, "but I wonder if it bothers you to consider what this technology can do in the hands of repressive governments with no judicial oversight, no independent legislature."

Our man interrupted. "You need to educate yourself," he said with a sneer. "I mean, that's a classic journalist's question, but why are you hassling these guys? They're engineers. They make a product. They don't sell it. What the hell is it to them what anyone does with it?"

"Well, it's quite an issue," I said. "This is the equipment of totalitarianism, and the only things that can keep a population safe are decent law and proper oversight. I want to know what they think when they learn that China, or Syria, or Zimbabwe is getting their hands on it."

"You really need to educate yourself," he insisted. "Do you think this stuff doesn't happen in the West? Let me tell you something. I sell this equipment all over the world, especially in the Middle East. I deal with buyers from Qatar, and I get more concern about proper legal procedure from them than I get in the USA."

"Well, perhaps the Qataris are conscientious," I said, "and I'm prepared to take your word on that, but there are seriously oppressive governments out there itching to get hold of this stuff."

He sneered again. "Do you think for a minute that Bush would let legal issues stop him from doing surveillance? He's got to prevent a terrorist attack that everyone knows is coming. He'll do absolutely anything he thinks is going to work. And so would you. So why are you bothering these guys?"

"It's a valid question," I insisted. "This is powerful stuff. In the wrong hands, it could ruin political opponents; it could make the state's power impossible to challenge. The state would know basically everything. People would be getting rounded up for thought crimes."

"You're not listening," he said. "The NSA is using this stuff. The DEA, the Secret Service, the CIA. Are you kidding me? They don't answer to you. They do whatever the hell they want with it. Are you really that naïve? Now leave these guys alone; they make a product, that's all. It's nothing to them what happens afterward. You really need to educate yourself."

On day three, the last day of the conference, I had nothing left to gain from working the periphery, hence nothing to lose from being tossed out, so I strolled past the android and the uniformed guard. No one challenged me. I chatted with vendors. I grabbed brochures from their tables and handouts in the conference rooms. I hung out on the veranda and smoked with fellow tobacco addicts.

The best conversation I had was with Robert van Bosbeek of the Dutch National Police. I asked him if he was tempted to buy anything. "Not really," he said with a laugh. "But it's always good to see what's on offer. Basically, we're three or four years ahead of all this."

He said that in the Netherlands, communications intercept capabilities are advanced and well established, and yet, in practice, less problematic than in many other countries. "Our legal system is more transparent," he said, "so we can do what we need to do without controversy. Transparency makes law enforcement easier, not more difficult."

By noon on day three, the conference had wound down. The final thing I needed was the forbidden packet, with its CD of the slides from the presentations. I would have it in spite of the android. Indeed, because of the android.

I waited in the lobby. A group of Koreans came down the stairs. I know this because they spoke Korean, and few outsiders speak it. It's not a popular language, like French or English. As it happens, I can speak it a little. Most Koreans are charmed by foreigners who can mutter even a few words of their mother tongue, so I chatted for a bit, and asked if I might copy the conference CD onto my notebook computer. They were happy to oblige.
Naturally, this forbidden object contained nothing that could justify keeping it from a journalist. There were no stunning revelations about new intercept equipment designs, capabilities or techniques. Making it unavailable was just another expression of the conference director's small-minded attitude of hostility toward the press.

An attendee told me that during one presentation, a discussion arose about whether the press should be invited to future ISS conferences. Some of those present believed that secrecy only leads to speculation, which is usually worse for trade than the facts. Others believed that reporters are too ignorant to write competently about the secret intercourse between big business and law enforcement, and should be told as little as possible in hopes that they'll have nothing to write.

Judging by my own experiences, it was clear that the second line of reasoning had prevailed. But it's foolish to be secretive: A determined reporter can't be thwarted, and it's better that one should have more rather than less information to work with.

It's ironic that spooks so often remind us that we've got nothing to fear from their activities if we've got nothing nasty to hide, while they themselves are rarely comfortable without multiple layers of secrecy, anonymity and plausible deniability.

While there was little or nothing at the conference worth keeping secret, the sense of paranoia was constant. The uniformed guard posted to the entrance was there to intimidate, not to protect. The restrictions on civilians attending the law enforcement agency sessions were, I gather, a cheap marketing gesture to justify their $6,500-per-head entrance fee with suggestions of secret information that the average network-savvy geek wouldn't have known.

In the end, all this surveillance gear and attendant hype becomes meaningless with simple precautions like encrypted VOIP, a good implementation of virtual private networks, and proxies and SSH for web surfing, IM, internet relay chat, webmail and the like. Skype's VOIP service is encrypted but closed-source. Still, there's SpeakFreely, a peer-to-peer, open-source VOIP app; Zfone, an open-source VOIP crypto plug-in from PGP honcho Phil Zimmermann; Invisible IRC, an open-source IRC proxy implementation that includes anonymization and encryption features, plus other dodges too numerous to mention.

The popular law enforcement myth is that crooks are getting ever more sophisticated in their use of modern technology, so the police have got to acquire more "sophisticated" point-and-drool equipment to catch them. We find versions of this incantation in virtually every Justice Department press release or speech related to CALEA.

But these tools -- especially in the IP realm -- are not so much sophisticated as complicated and very expensive. They're a bad alternative to old-fashioned detective work involving the wearing down of shoes and dull stakeout sessions in uncomfortable quarters such as automobiles.

The chief impulse behind this law enforcement gizmo fetish is laziness, and it's a bad trend: The more policemen we have fiddling with computer equipment, the fewer we have doing proper legwork.

The windup is that garden-variety crooks will remain those most susceptible to remote, electronic surveillance, while sophisticated, tech-savvy bad guys will continue operating below the radar. CALEA and its most potent technological offspring are inadequate to catch the people who most need catching.

The project of "lawful interception" is huge, grotesquely expensive, controversial, infused with unnecessary secrecy and often useless against the most important suspects it purports to target. It poses a tremendous threat to human rights and dignity in countries without adequate legal safeguards, and still invites occasional abuses in countries with them. Its costs are paid by citizens who are deliberately kept in the dark about how much they're paying for it, how effective it is in fighting crime and how susceptible it is to abuse. And that's the way the entire cast of characters involved wants to keep it.

Which, of course, is exactly why the public needs to know much more about it, even if it requires rude tactics like crashing the spooks' soirée.

From rforno at infowarrior.org Thu Jun 1 10:17:11 2006
From: rforno at infowarrior.org (Richard Forno)
Date: Thu, 01 Jun 2006 10:17:11 -0400
Subject: [Infowarrior] - Schneier: Aligning Interest with Capability
Message-ID:

Aligning Interest with Capability
http://www.schneier.com/blog/archives/2006/06/aligning_intere.html

Have you ever been to a retail store and seen this sign on the register: "Your purchase free if you don't get a receipt"? You almost certainly didn't see it in an expensive or high-end store. You saw it in a convenience store, or a fast-food restaurant. Or maybe a liquor store.

That sign is a security device, and a clever one at that. And it illustrates a very important rule about security: it works best when you align interests with capability.

If you're a store owner, one of your security worries is employee theft. Your employees handle cash all day, and dishonest ones will pocket some of it for themselves. The history of the cash register is mostly a history of preventing this kind of theft.

Early cash registers were just boxes with a bell attached. The bell rang when an employee opened the box, alerting the store owner -- who was presumably elsewhere in the store -- that an employee was handling money.

The register tape was an important development in security against employee theft.
Every transaction is recorded in write-only media, in such a way that it's impossible to insert or delete transactions. It's an audit trail. Using that audit trail, the store owner can count the cash in the drawer, and compare the amount with what the register says. Any discrepancies can be docked from the employee's paycheck.

If you're a dishonest employee, you have to keep transactions off the register. If someone hands you money for an item and walks out, you can pocket that money without anyone being the wiser. And, in fact, that's how employees steal cash in retail stores.

What can the store owner do? He can stand there and watch the employee, of course. But that's not very efficient; the whole point of having employees is so that the store owner can do other things. The customer is standing there anyway, but the customer doesn't care one way or another about a receipt.

So here's what the employer does: he hires the customer. By putting up a sign saying "Your purchase free if you don't get a receipt," the employer is getting the customer to guard the employee. The customer makes sure the employee gives him a receipt, and employee theft is reduced accordingly.

There is a general rule in security to align interest with capability. The customer has the capability of watching the employee; the sign gives him the interest.

In Beyond Fear I wrote about ATM fraud; you can see the same mechanism at work:

"When ATM cardholders in the US complained about phantom withdrawals from their accounts, the courts generally held that the banks had to prove fraud. Hence, the banks' agenda was to improve security and keep fraud low, because they paid the costs of any fraud. In the UK, the reverse was true: The courts generally sided with the banks and assumed that any attempts to repudiate withdrawals were cardholder fraud, and the cardholder had to prove otherwise. This caused the banks to have the opposite agenda; they didn't care about improving security, because they were content to blame the problems on the customers and send them to jail for complaining. The result was that in the US, the banks improved ATM security to forestall additional losses--most of the fraud actually was not the cardholder's fault--while in the UK, the banks did nothing."

The banks had the capability to improve security. In the US, they also had the interest. But in the UK, only the customer had the interest. It wasn't until the UK courts reversed themselves and aligned interest with capability that ATM security improved.

Computer security is no different. For years I have argued in favor of software liabilities. Software vendors are in the best position to improve software security; they have the capability. But, unfortunately, they don't have much interest. Features, schedule, and profitability are far more important. Software liabilities will change that. They'll align interest with capability, and they'll improve software security.

One last story? In Italy, tax fraud used to be a national hobby. (It may still be; I don't know.) The government was tired of retail stores not reporting sales and paying taxes, so they passed a law regulating the customers. Any customer who had just purchased an item and was stopped within a certain distance of a retail store had to produce a receipt or be fined. Just as in the "Your purchase free if you don't get a receipt" story, the law turned the customers into tax inspectors. They demanded receipts from merchants, which in turn forced the merchants to create a paper audit trail for the purchase and pay the required tax.

This was a great idea, but it didn't work very well. Customers, especially tourists, didn't like to be stopped by police. People started demanding that the police prove they just purchased the item. Threatening people with fines if they didn't guard merchants wasn't as effective an enticement as offering people a reward if they didn't get a receipt. Interest must be aligned with capability, but you need to be careful how you generate interest.

This essay originally appeared on Wired.com.

From rforno at infowarrior.org Thu Jun 1 10:18:17 2006
From: rforno at infowarrior.org (Richard Forno)
Date: Thu, 01 Jun 2006 10:18:17 -0400
Subject: [Infowarrior] - Cybersecurity contests go national
Message-ID:

Cybersecurity contests go national
Robert Lemos, SecurityFocus 2006-06-01
http://www.securityfocus.com/print/news/11394

It has all the makings of a B-movie plot: A corporate network targeted by hackers and a half dozen high-school students as the company's only defense.

Yet, teams of students from ten different Iowa high schools faced exactly that scenario during a single night in late May in the High School Cyber Defense Competition.

The contest tasked the teenagers with building a network in the three weeks leading up to the competition with only their teachers, and mentoring volunteers from local technology firms, as their guides. On Friday night, May 19, and into Saturday morning, the students defended the network against a team of Iowa State University students acting as the attackers.

"As the hackers came in, you could see (the students') reactions: They were frustrated when they saw the attackers breach their systems and excited when they stopped the attack," said John Carr, a mentor for the team fielded by Valley High School of West Des Moines and senior solutions consultant with Iowa-based technology consulting firm QCI.

The contest between high schools followed the first national Collegiate Cyber Defense Competition that took place earlier this year at the University of Texas at San Antonio, pitting four regional college champions and an all-star team from five U.S. military academies against each other.
The two tournaments mark a turning point for cybersecurity competitions from the mostly amateur affairs of the past to exercises throwing student, government and corporate competitors into the arena against each other. The competitions give students and professionals the opportunity to get hands-on experience responding to attacks, without serious consequences. "At the end of the day, no data has been compromised and no one is going to get fired," said Timothy Rosenberg, CEO of White Wolf Security, a start-up company that has made a business out of running such competitions. "You can make an argument that this is not only good sport, but an excellent corporate security training exercise." The U.S. government agrees. Since 2001, the U.S. military academies for the five branches of service have run an annual Cyber Defense Exercise pitting teams from each school against a Red Team consisting of members of the National Security Agency and attack specialists from the Army and Air Force. "Exercises are an important way to improve our cyber security preparedness and having competitions like these are excellent ways to practice for the real thing," Andy Purdy, acting director of the National Cyber Security Division (NCSD) at the Department of Homeland Security, said in a statement marking the completion of the first national Collegiate Cyber Defense Competition (CCDC). The interest comes as companies increasingly face a variety of threats posed by online attackers. In May, antispam firm Blue Security got chased off the Internet by an irate spammer that attacked the company's Web site, service network, affiliates and clients. Several security groups warned companies that a previously unknown flaw in Microsoft Word was being actively exploited to attack specific companies. These attacks build on a particularly bad year for privacy in 2005, when more than 52 million consumer accounts were placed at risk. 
While academics, security experts and government officials have discussed turning the once ad-hoc hacking contests into a more formal competition, the seed for the idea failed to take root until a workshop held at University of Texas in San Antonio in the spring of 2004. Called together by Lance Hoffman, a computer science professor at George Washington University, and Ronald Dodge, a Lt. Colonel and professor at the U.S. Military Academy at West Point, a group of computer-security professors and graduate students discussed the future of such exercises. Everyone agreed that the competitions should be formalized, but one participant--Greg B. White, director of the Center for Infrastructure Assurance and Security (CIAS) at the University of Texas at San Antonio--feared that the process would stall. "The first thing that happens when you get a bunch of academics together is they want to form a committee," White said. "We--three schools in Texas--decided to jump start the process and have a regional competition." Along with Texas A&M and UT Austin, White created a regional Texas competition pitting five schools against each other in a three-day competition in April 2005. Taking lessons from the military's CDX competitions, the annual Capture the Flag tournament at DEFCON, and a few smaller academic exercises across the country, the universities decided to create a defense-focused contest, and called it the Collegiate Cyber Defense Competition. The college and high-school contests focus on locking down an insecure business network in the face of an attack. "When students come in, they are given a network that is up and running, but we don't guarantee that it is secure," White said. "When a student graduates and joins the commercial sector, that is what they are going to face most likely--an insecure network." 
Both the college and high-school competitions use a neutral team of attackers, known as a Red Team, to represent online criminals that might infiltrate a company's network. An automated scoring system keeps track of the reliability of any services required by the current scenario, the success in detecting and mitigating an attack, and special bonuses for meeting seemingly random business goals from the fictitious company's management. Random events also spice up the competition, said Doug Jacobson, associate professor of electrical and computer engineering for Iowa State, who ran the High School Cyber Defense Competition. "We threw in anomalies," Jacobson said. "In a moment's notice, the CEO says that they want seven new users. Or a cable breaks. Saturday morning, we had a fire alarm, and the pseudo fireman did a few things, and the students had to come in and figure out what was done. We had those types of events going on throughout the exercise."

The contests are not about creating the ultimate secure network--such a beast just does not exist, stressed QCI's Carr, who mentored the Valley High School team. Each team had to deal with requirements that gave an advantage to the attackers, such as running an old version of Red Hat Linux and having a Mac Mini as part of their network in addition to the seven other computers required by the rules. The Valley High School team, which won the Iowa high-school competition, used Windows 2003 running Active Directory, FreeBSD, Windows XP, ALinux, and Mac OS X. "Coming from a larger environment, we (the mentors) know there is no such thing as a 100 percent Windows or Linux environment," Carr said.

In the end, the contests are about dealing with the messy real world, said White Wolf Security's Rosenberg. "Is it stacked in the hackers' favor? Of course it is," Rosenberg said. "We want the students to take a beating. Far beyond teaching students how to lock things down, we teach them how to get through an attack."
The commercial sector has already started looking at the events as a good training exercise. Corporate security professionals are already a staple at the annual Capture the Flag event at the DEF CON hacking conference, which brings together eight teams to find vulnerabilities, attack each others' networks and defend against their opponents' attacks. The SANS Institute completed a trial run of a competition that will take place during the training group's conferences, said Rosenberg.

Both the high-school and college competitions expect to expand in 2007, given the overwhelming interest in the programs. Iowa State's Jacobson expects the number of Iowa high schools that enter the competition next year to double, while UT San Antonio's White hopes to hold 8 to 10 regional competitions in 2007. By 2008, he expects the CCDC to have a governing body in place to create standards for the regional competitions and to manage the national tournament.

In the end, the competition is about training the next generation of network administrators and security engineers, UT San Antonio's White said. He hoped that companies would look at the contests as a fertile place to fill out their ranks. "It will also be a great recruiting tool," White said. "We have some of the brightest security geeks on the planet at these events."

From rforno at infowarrior.org Thu Jun 1 12:44:03 2006
From: rforno at infowarrior.org (Richard Forno)
Date: Thu, 01 Jun 2006 12:44:03 -0400
Subject: [Infowarrior] - Codes on Sites 'Captcha' Anger of Web Users
Message-ID:

Codes on Sites 'Captcha' Anger of Web Users
By DAVID KESMODEL
May 31, 2006; Page B1
http://online.wsj.com/public/article/SB114903737427467003-BFXQeLeq3RdZ5Icuyb8gkda47DA_20070530.html?mod=blogs

Dave Simmer is a computer-savvy graphic designer. Yet when he surfs the Internet, he often gets stumped by the distorted jumbles of letters and numbers that some Web sites ask users to retype to gain access.
"They keep warping them and making them longer," says the 40-year-old from Cashmere, Wash. The visually impaired have long decried these codes, which protect sites such as Yahoo.com and Ticketmaster.com from computer programs that create scores of email accounts for spammers or buy hundreds of concert tickets for scalpers. Now, the quizzes are irritating a wider array of Web surfers as companies toughen them as part of their arms race with the spam crowd. The codes, called captchas, are also showing up more often amid a boom in new Web services, ranging from blogging tools to social-networking sites. The trickiest ones "make you not want to go to those sites anymore," says Scott Reynolds, a 29-year-old software architect in Ocala, Fla., who lambasted the devices on his blog last year. [Captcha Examples] The captchas' flaws are prompting academics, independent computer programmers and some Web companies to craft new variations that they hope will be easier for humans to decipher but harder for computer programs. The World Wide Web Consortium, an international group that encourages improved standards for Web programming, published a paper last November that advocates the creation of alternatives, saying the tests "fail to properly recognize users with disabilities as human" and are vulnerable to defeat by astute programmers. Internet companies defend their use of the codes, saying they face a difficult balancing act of trying to fend off attackers while providing a good experience for users. "We know there's no perfect panacea, but we think this is a great tool to prevent malicious activity," says David Jeske, an engineering director at Google Inc. Google uses captchas for its free email service and its blog-writing service, among others. It is among companies that recently added an audio version, which lets the visually impaired listen to a series of letters or numbers and type them into their computer. 
Some captchas have been solved with more than 90% accuracy by scientists specializing in computer vision research at the University of California, Berkeley, and elsewhere. Hobbyists also regularly write code to solve captchas on commercial sites with a high degree of accuracy. But several Internet companies say their captchas appeared to be highly effective at thwarting spammers. "Researchers are really good, and the attackers really are not," says Mr. Jeske of Google, based in Mountain View, Calif. "Having these methods in place we find extremely effective against automated malicious attackers." Ticketmaster, a unit of IAC/Interactive Corp., has altered its captchas over the years in response to automated computer programs, called "bots," that have cracked certain codes, says Brian Pike, Ticketmaster's chief technology officer. He says the robust resale market for tickets gives people a high incentive to try to swiftly snare tickets on its site. Spam companies sometimes get around the challenge of captchas by hiring workers to fill out the forms for them instead of relying on bots, according to the World Wide Web Consortium. The group said in its paper last year that "it is a logical fallacy...to hail captcha as a spam-busting panacea." Captcha is an acronym for Completely Automated Public Turing Test to Tell Computers and Humans Apart. Computer scientists at Carnegie Mellon University coined the term in 2000 to describe codes they created to help Internet giant Yahoo Inc. thwart a spam problem. "Turing" refers to Alan Turing, a mathematician famous for his codebreaking work during World War II and, later, as a pioneer in artificial intelligence. In 1950, Turing wrote a paper that proposed a test in which a person in one room would ask questions of both a human and a computer in another to try to determine which of the respondents was human. If the judge couldn't tell which was which, the computer could be said to be able to think. 
Captchas deployed by commercial Web sites vary widely. For example, Microsoft Corp.'s Hotmail email service requires registrants to read a long series of twisted letters or numbers, obscured by several lines of varying shape. In contrast, eBay Inc.'s PayPal payment service shows simple block-style letters or numbers against a grid. Other sites use complex multicolored backgrounds. Mr. Reynolds, the Florida software architect, says he has been confused by captchas shown by everyone from Microsoft to Apple Computer Inc. "The ones they make hard for a computer bot to break are also really hard for us to read," he says. "It kind of defeats the purpose." Henry Baird, a professor of computer science at Lehigh University who studies PC users' responses to the codes, has been working with colleagues to develop new generations of captchas that are designed to be easier on humans but baffling for computers. One, called "scattertype," shatters each letter shown to users into pieces. Some Internet companies have changed their captchas to make them simpler for users. Digg.com, a news Web site, changed the background to gray from multicolored earlier this year and now allows users to type in either capital or lower-case versions of the letters, says Steve Williams, a computer programmer for the company. The difficulty of deciphering the visual codes is prompting even those who don't have a vision problem to begin clicking audio captchas whenever sites make them available. A growing number of sites, including Hotmail.com and PayPal.com, offer audio captchas. Google added it for its email service in March and for its blogging and Google Groups service in April. (Alternatively, some Web sites urge users having trouble to call a phone number for customer service or send an email to the company.) 
The World Wide Web Consortium is urging programmers to devise viable alternatives to visual captchas because they affect people with a wide range of disabilities, including people with dyslexia and short-term memory problems, says Judy Brewer, director of the group's Web Accessibility Initiative, who is based in Cambridge, Mass. Captchas, "in their current form, are a misnomer," she says. They "don't tell humans and computers apart; instead, they tell able-bodied humans and computers, along with disabled humans, apart."

Some Web sites and independent computer programmers have rolled out new types of captchas. They generally involve solving simple equations or answering simple questions and could be adapted for use by the blind, although they would still present problems for people with learning disabilities.

Write to David Kesmodel at david.kesmodel at wsj.com

From rforno at infowarrior.org Thu Jun 1 12:45:44 2006
From: rforno at infowarrior.org (Richard Forno)
Date: Thu, 01 Jun 2006 12:45:44 -0400
Subject: [Infowarrior] - Extortion virus code gets cracked
Message-ID:

Extortion virus code gets cracked

Do not panic if your data is hidden by virus writers demanding a ransom. Poor programming has allowed anti-virus companies to discover the password to retrieve the hijacked data inside a virus that has claimed at least one UK victim. The Archiveus virus caught out British nurse Helen Barrow and swapped her data with a password-protected file. The virus is the latest example of so-called "ransomware" that tries to extort cash from victims.

Code breaker

Analysis of Archiveus has revealed that the password to unlock the file containing all the hijacked files is contained within the code of the virus itself. This virus swaps files found in the "My Documents" folder on Windows with a single file protected by a 30-digit password. Victims are only told the password if they buy drugs from one of three online pharmacies.
The 30-digit password locking the files is "mf2lro8sw03ufvnsq034jfowr18f3cszc20vmw". Using the password should restore all the hijacked files. "Now the password has been uncovered, there should be no reason for anyone hit by this ransomware attack to have to make any payments to the criminals behind it," said Graham Cluley, senior technology consultant for security firm Sophos.

Archiveus was discovered on 6 May but it took the rest of the month for the first victim, Rochdale nurse Helen Barrow, to emerge. Ms Barrow is thought to have fallen victim when she responded to an on-screen message warning her that her computer had contracted another unnamed virus. The virus asks those it infects to buy drugs on one of three websites to get their files back. "When I realised what had happened, I just felt sick to the core," said Ms Barrow about the incident.

The Archiveus virus is only the latest in a series of malicious programs used by extortionists to extract cash from victims. Archiveus seems to use some parts of another ransoming virus called Cryzip that was circulating in March 2006.

Story from BBC NEWS:
http://news.bbc.co.uk/go/pr/fr/-/1/hi/technology/5038330.stm
Published: 2006/06/01 16:13:00 GMT
© BBC MMVI

From rforno at infowarrior.org Thu Jun 1 18:56:55 2006
From: rforno at infowarrior.org (Richard Forno)
Date: Thu, 01 Jun 2006 18:56:55 -0400
Subject: [Infowarrior] - Washingtonians love their game of tag...
Message-ID:

Washingtonians love their game of tag...
Thu Jun 1, 2006 10:08 AM ET
http://today.reuters.com/news/newsarticle.aspx?type=oddlyEnoughNews&storyid=2006-06-01T140823Z_01_L31659378_RTRUKOC_0_US-WITNESS-TAGTOWN1.xml&src=rss
By Deborah Zabarenko

WASHINGTON (Reuters) - The dark suit is impeccable, the hair conservatively cut, the shoes a refined statement of solidity. But the outfit isn't complete for a Washington insider without an identity tag or two -- or more.
While some know this city as "the capital of the free world," its denizens recognize it as Tagtown. Virtually everyone in downtown Washington wears some kind of credential during working hours. For some, it may be a simple pass that unlocks a garage or an office security door. But for those who work with the sprawling U.S. federal bureaucracy, it is literally a badge of honor. There are tags for Congress, the White House, the Pentagon, the State Department, the Treasury, the Justice Department, the Supreme Court, individual trials, museum openings and even some news conferences. And instead of taking off the tags when the workday is done, as people elsewhere might do, Washingtonians tend to keep them on, especially if they hint at a close relationship to power.

Anthropologist Edward Smith recalls that when he worked as a White House speechwriter, there was a rule against wearing the White House tag after work. He also recalled it was widely flouted. The willingness to be labeled fits with the Washington mindset, said Smith, a professor at American University and a third-generation Washingtonian. "People wear these things as if they were bars on their uniform," Smith said. "I think that some people, particularly young people, want that extra patina of prestige. In Washington, you are much more recognized as a position than as a personality."

NO TAGS FOR THE PREZ

Some wear the tag with discretion, hidden in a wallet or inside a jacket, furtively pulling it out just long enough to gain entry. But for convenience, especially for those compelled to move around town to different agencies, tags are often worn on lanyards around the neck, where they click together like a shuffled pack of playing cards. The only ones who don't need to wear a tag are those whose faces are so famous they function as their own identity check.
You won't see the president with a lanyard around his neck, and most members of Congress wouldn't dream of flashing a tag, though they are supposed to wear a security pin. This turned out to be a problem when one congresswoman, Cynthia McKinney, switched hairstyles and was stopped at the entrance to a congressional building by a security guard who didn't recognize her with her new "'do." There was what is known in Washington as "an altercation" and McKinney, a Georgia Democrat in the House of Representatives, wound up apologizing.

Capitol Hill is one of the more low-tech operations for tag inspection. The Justice Department puts untagged visitors through an air lock as their belongings are X-rayed. At the White House, you flash the tag out on Pennsylvania Avenue and a uniformed guard buzzes you through a locked gate and then into a guardhouse. You put any bags on a conveyor belt, swipe your tag and enter a code before going through a turnstile. The mystery is how take-out food gets through. The Pentagon is more imposing, with separate entrances for those with badges and those without, and a hierarchy of different badges telling who's allowed to go where, when.

Why are Washingtonians so willing to be tagged? Maybe they're just made to feel different. In other cities, people watch the morning news mainly for news. In Washington, more than one household watches to gauge the weather: if the reporter on the White House lawn looks cold, your kindergarten kid will too, so add an extra sweater.

From rforno at infowarrior.org Thu Jun 1 23:11:00 2006
From: rforno at infowarrior.org (Richard Forno)
Date: Thu, 01 Jun 2006 23:11:00 -0400
Subject: [Infowarrior] - The new breed of cyber-terrorist
Message-ID:

(First I've heard of the CCU.......rf)

The new breed of cyber-terrorist
Could a ruthless new breed of cyber-terrorist cause meltdown at the click of a mouse?
Jimmy Lee Shreeve reports
Published: 31 May 2006
http://news.independent.co.uk/world/science_technology/article622421.ece

According to cyber-security experts, the terror attacks of 11 September and 7 July could be seen as mere staging posts compared to the havoc and devastation that might be unleashed if terrorists turn their focus from the physical to the digital world. Scott Borg, the director and chief economist of the US Cyber Consequences Unit (CCU), a Department of Homeland Security advisory group, believes that attacks on computer networks are poised to escalate to full-scale disasters that could bring down companies and kill people. He warns that intelligence "chatter" increasingly points to possible criminal or terrorist plans to destroy physical infrastructure, such as power grids. Al-Qa'ida, he stresses, is becoming capable of carrying out such attacks.

Most companies and organisations seem oblivious to the threat. Usually, they worry about e-mail viruses and low-grade hacker attacks. But Borg sees these as the least of their worries. "Up to now, executives and network professionals have worried about what adolescents and petty criminals have been doing," he says. "In most cases, these kinds of cyber attacks aren't very destructive. The reason is that businesses generally have enough inventory and extra capacity to make up for any short-term interruptions." What companies and organisations should worry about, Borg insists, is "what grown-ups could do" - terrorists or hardcore criminals. One key target would probably be the vital Supervisory Control and Data Acquisition (Scada) systems in power plants and similar industries. "Chatter on Scada attacks is increasing," says Borg, referring to patterns of behaviour that suggest that criminal gangs and militant groups are now fully capable of unleashing such attacks. "Control systems are a particular worry, because these are the computer systems that manage physical processes.
They open and shut the valves, adjust the temperatures, throw the switches, regulate the pressures," he says. "Think of the control systems for chemical plants, railway lines, or manufacturing facilities. Shutting these systems down is a nuisance. Causing them to do the wrong thing at the wrong time is much worse." Until now, hackers have usually targeted credit cards or personal information on the web. More sophisticated hackers, however, are beginning to focus on databases. The type of data most likely to be hit, Borg says, might include a pharmaceutical company's drug development databases, or programs that manipulate data, such as formulas for generating financial statements. "Many attacks of this kind would have two components. One would alter the process control system to produce a defective product. The other would alter the quality control system so that the defect wouldn't easily be detected," Borg says. "Imagine, say, a life-saving drug being produced and distributed with the wrong level of active ingredients. This could gradually result in large numbers of deaths or disabilities. Yet it might take months before someone figured out what was going on." The result, he says, would be panic, people afraid to visit hospitals and health services facing huge lawsuits. Deadly scenarios could occur in industry, too. Online outlaws might change key specifications at a car factory, Borg says, causing a car to "burst into flames after it had been driven for a certain number of weeks". Apart from people being injured or killed, the car maker would collapse. "People would stop buying cars." A few such attacks, run simultaneously, would send economies crashing. Populations would be in turmoil. At the click of a mouse, the terrorists would have won. Is Borg justified in his fears? All this sounds like a plot from a thriller; it's hard to take it seriously. But intelligence reports in the last year or so make for worrying reading. 
An assessment by the British security service MI5 stated that "Britain is four meals away from anarchy". And officials admit their greatest fears about electronic attacks focus on the more exposed networks that make up the "critical national infrastructure" - the systems Borg is concerned about. US agencies are concerned that terrorists could combine electronic and physical attacks to devastating effect, such as disrupting emergency services at the same time as mounting a bomb attack. Risk management analysts, equally edgy, are focusing on the financial impact on businesses and economies. They believe that an online attack would undermine public confidence in vital industries, especially utilities. Nick Robson, a partner at JLT Risk Solutions, says: "A cyber attack on, say, the power industry would cause communications operations to close down for a period of time, expose customers to loss of service, increase liability exposure and ultimately damage reputation for service delivery." It isn't just Western nations that fear a digital meltdown. This month, the Malaysian government announced plans to establish a centre to fight cyber-terrorism, which will provide an emergency response to hi-tech attacks around the globe. Prime Minister Abdullah Ahmad Badawi said the facility - to be located at the technology hub of Cyberjaya outside Kuala Lumpur - would be called the International Multilateral Partnership against Cyber-Terrorism, or Impact, and would be funded by a combination of government revenue and the private sector. Badawi said the threat of cyber-terrorism was too serious for governments to ignore. "The potential to wreak havoc and cause disruption to people, governments and global systems has increased as the world becomes more globalised," he said. "The economic loss caused by a cyber attack can be truly severe; for example, a nationwide blackout, collapse of trading systems or the crippling of a central bank's cheque clearing system." 
While the case for cyber attack appears persuasive, some believe that much of it is hype. "It's difficult to avoid comparisons with the Millennium bug and the predictions of widespread computer chaos arising from the change of date to the year 2000," says Tom Standage, technology editor at The Economist magazine. "Then, as now, the alarm was sounded by technology vendors and consultants, who stood to gain from scaremongering." Almost £400m was spent by the Government alone on preparations for the Millennium bug. Computer consultants issued dire warnings of the danger of an information technology breakdown that could paralyse nations on New Year's Day 2000. When the clock struck midnight, however, few problems were reported. There is scepticism that the bug was ever a threat. As far as Standage is concerned, those in the cyber-security industry - be they vendors boosting sales, academics chasing grants or politicians looking for bigger budgets - always have a "built-in incentive to overstate the risks."

But what of the Scada systems; surely they are highly vulnerable? "It is true that utility companies and other operators of critical infrastructure are increasingly connected to the internet," Standage concedes. "But just because customers pay their bills online, it doesn't follow that critical control systems are vulnerable to attack. Control systems are usually kept entirely separate from other systems, for good reason. They tend to be obscure, old-fashioned systems that are incompatible with internet technology anyhow. Even authorised users require specialist knowledge." A simulation in 2002 by the US Naval War College concluded that an "electronic Pearl Harbor" attack on America's infrastructure would certainly cause serious disruption. But to pull it off would require five years of preparation and a $200m budget. As US computer security guru Bruce Schneier says: "If they want to attack, they will do it with bombs like they always have."
But Richard Clarke, a former cyber-security expert in the Bush administration, says this is complacent. "People claim no one will ever die in a cyber-attack, but they're wrong. This is a serious threat." Clarke says that each time the US government has tested the security of the electric power industry, he and his colleagues have been able to hack their way in, "sometimes through an obscure route like the billing system". He reveals that computer security officers at a number of chemical plants have told him privately that they are very concerned about the openness of their networks. Scott Borg of the Cyber Consequences Unit goes along with this. He believes the $93m budget for 2007 allocated to the Department of Homeland Security to defend against cyber attack is justified. "Even systems isolated from the internet are often accessible to thousands of employees. How secure can any system be if thousands of people and thousands of data ports can provide inside access to that system?"

The threat from software

IT security consulting firm Cyber Defense Agency (CDA) has warned the US military, government and "critical infrastructure agencies" against using outsourced commercial software which could be tampered with by terrorists. CDA said that gas, electricity, telecommunications, banking and water companies are among the services that could fall foul of cyber terrorists exploiting "life-cycle" weaknesses buried deep in the software code. Life-cycle attacks occur when one line of code is programmed to open vulnerabilities within the software, exposing the software and the company to external threats. "Outsourced commercial software poses a silent but significant security risk to the defence and welfare of the US," says Sami Saydjari, president of CDA. "The chances of strategic damage from a cyber-terrorist attack on the US increases the longer it takes to remedy the risks posed by outsourced software."
According to cyber-security experts, the terror attacks of 11 September and 7 July could be seen as mere staging posts compared to the havoc and devastation that might be unleashed if terrorists turn their focus from the physical to the digital world. Scott Borg, the director and chief economist of the US Cyber Consequences Unit (CCU), a Department of Homeland Security advisory group, believes that attacks on computer networks are poised to escalate to full-scale disasters that could bring down companies and kill people. He warns that intelligence "chatter" increasingly points to possible criminal or terrorist plans to destroy physical infrastructure, such as power grids. Al-Qa'ida, he stresses, is becoming capable of carrying out such attacks. Most companies and organisations seem oblivious to the threat. Usually, they worry about e-mail viruses and low-grade hacker attacks. But Borg sees these as the least of their worries. "Up to now, executives and network professionals have worried about what adolescents and petty criminals have been doing," he says. "In most cases, these kinds of cyber attacks aren't very destructive. The reason is that businesses generally have enough inventory and extra capacity to make up for any short-term interruptions." What companies and organisations should worry about, Borg insists, is "what grown-ups could do" - terrorists or hardcore criminals. One key target would probably be the vital Supervisory Control and Data Acquisition (Scada) systems in power plants and similar industries. "Chatter on Scada attacks is increasing," says Borg, referring to patterns of behaviour that suggest that criminal gangs and militant groups are now fully capable of unleashing such attacks. "Control systems are a particular worry, because these are the computer systems that manage physical processes. They open and shut the valves, adjust the temperatures, throw the switches, regulate the pressures," he says. 
"Think of the control systems for chemical plants, railway lines, or manufacturing facilities. Shutting these systems down is a nuisance. Causing them to do the wrong thing at the wrong time is much worse." Until now, hackers have usually targeted credit cards or personal information on the web. More sophisticated hackers, however, are beginning to focus on databases. The type of data most likely to be hit, Borg says, might include a pharmaceutical company's drug development databases, or programs that manipulate data, such as formulas for generating financial statements. "Many attacks of this kind would have two components. One would alter the process control system to produce a defective product. The other would alter the quality control system so that the defect wouldn't easily be detected," Borg says. "Imagine, say, a life-saving drug being produced and distributed with the wrong level of active ingredients. This could gradually result in large numbers of deaths or disabilities. Yet it might take months before someone figured out what was going on." The result, he says, would be panic, people afraid to visit hospitals and health services facing huge lawsuits. Deadly scenarios could occur in industry, too. Online outlaws might change key specifications at a car factory, Borg says, causing a car to "burst into flames after it had been driven for a certain number of weeks". Apart from people being injured or killed, the car maker would collapse. "People would stop buying cars." A few such attacks, run simultaneously, would send economies crashing. Populations would be in turmoil. At the click of a mouse, the terrorists would have won. Is Borg justified in his fears? All this sounds like a plot from a thriller; it's hard to take it seriously. But intelligence reports in the last year or so make for worrying reading. An assessment by the British security service MI5 stated that "Britain is four meals away from anarchy". 
And officials admit their greatest fears about electronic attacks focus on the more exposed networks that make up the "critical national infrastructure" - the systems Borg is concerned about. US agencies are concerned that terrorists could combine electronic and physical attacks to devastating effect, such as disrupting emergency services at the same time as mounting a bomb attack. Risk management analysts, equally edgy, are focusing on the financial impact on businesses and economies. They believe that an online attack would undermine public confidence in vital industries, especially utilities. Nick Robson, a partner at JLT Risk Solutions, says: "A cyber attack on, say, the power industry would cause communications operations to close down for a period of time, expose customers to loss of service, increase liability exposure and ultimately damage reputation for service delivery." It isn't just Western nations that fear a digital meltdown. This month, the Malaysian government announced plans to establish a centre to fight cyber-terrorism, which will provide an emergency response to hi-tech attacks around the globe. Prime Minister Abdullah Ahmad Badawi said the facility - to be located at the technology hub of Cyberjaya outside Kuala Lumpur - would be called the International Multilateral Partnership against Cyber-Terrorism, or Impact, and would be funded by a combination of government revenue and the private sector. Badawi said the threat of cyber-terrorism was too serious for governments to ignore. "The potential to wreak havoc and cause disruption to people, governments and global systems has increased as the world becomes more globalised," he said. "The economic loss caused by a cyber attack can be truly severe; for example, a nationwide blackout, collapse of trading systems or the crippling of a central bank's cheque clearing system." While the case for cyber attack appears persuasive, some believe that much of it is hype. 
"It's difficult to avoid comparisons with the Millennium bug and the predictions of widespread computer chaos arising from the change of date to the year 2000," says Tom Standage, technology editor at The Economist magazine. "Then, as now, the alarm was sounded by technology vendors and consultants, who stood to gain from scaremongering."

Almost £400m was spent by the Government alone on preparations for the Millennium bug. Computer consultants issued dire warnings of the danger of an information technology breakdown that could paralyse nations on New Year's Day 2000. When the clock struck midnight, however, few problems were reported. There is scepticism that the bug was ever a threat. As far as Standage is concerned, those in the cyber-security industry - be they vendors boosting sales, academics chasing grants or politicians looking for bigger budgets - always have a "built-in incentive to overstate the risks".

But what of the Scada systems; surely they are highly vulnerable? "It is true that utility companies and other operators of critical infrastructure are increasingly connected to the internet," Standage concedes. "But just because customers pay their bills online, it doesn't follow that critical control systems are vulnerable to attack. Control systems are usually kept entirely separate from other systems, for good reason. They tend to be obscure, old-fashioned systems that are incompatible with internet technology anyhow. Even authorised users require specialist knowledge."

A simulation in 2002 by the US Naval War College concluded that an "electronic Pearl Harbor" attack on America's infrastructure would certainly cause serious disruption. But to pull it off would require five years of preparation and a $200m budget. As US computer security guru Bruce Schneier says: "If they want to attack, they will do it with bombs like they always have." But Richard Clarke, a former cyber-security expert in the Bush administration, says this is complacent.
"People claim no one will ever die in a cyber-attack, but they're wrong. This is a serious threat." Clarke says that each time the US government has tested the security of the electric power industry, he and his colleagues have been able to hack their way in, "sometimes through an obscure route like the billing system". He reveals that computer security officers at a number of chemical plants have told him privately that they are very concerned about the openness of their networks.

Scott Borg of the Cyber Consequences Unit goes along with this. He believes the $93m budget for 2007 allocated to the Department of Homeland Security to defend against cyber attack is justified. "Even systems isolated from the internet are often accessible to thousands of employees. How secure can any system be if thousands of people and thousands of data ports can provide inside access to that system?"

The threat from software

IT security consulting firm Cyber Defense Agency (CDA) has warned the US military, government and "critical infrastructure agencies" against using outsourced commercial software which could be tampered with by terrorists. CDA said that gas, electricity, telecommunications, banking and water companies are among the services that could fall foul of cyber terrorists exploiting "life-cycle" weaknesses buried deep in the software code. Life-cycle attacks occur when one line of code is programmed to open vulnerabilities within the software, exposing the software and the company to external threats. "Outsourced commercial software poses a silent but significant security risk to the defence and welfare of the US," says Sami Saydjari, president of CDA. "The chances of strategic damage from a cyber-terrorist attack on the US increases the longer it takes to remedy the risks posed by outsourced software."

From rforno at infowarrior.org Fri Jun 2 08:59:34 2006
From: rforno at infowarrior.org (Richard Forno)
Date: Fri, 02 Jun 2006 08:59:34 -0400
Subject: [Infowarrior] - U.S.
Wants Companies to Keep Web Usage Records Message-ID: June 2, 2006 U.S. Wants Companies to Keep Web Usage Records By SAUL HANSELL and ERIC LICHTBLAU http://www.nytimes.com/2006/06/02/washington/02records.html?pagewanted=print The Justice Department is asking Internet companies to keep records on the Web-surfing activities of their customers to aid law enforcement, and may propose legislation to force them to do so. The director of the Federal Bureau of Investigation, Robert S. Mueller III, and Attorney General Alberto R. Gonzales held a meeting in Washington last Friday where they offered a general proposal on record-keeping to a group of senior executives from Internet companies, said Brian Roehrkasse, a spokesman for the department. The meeting included representatives from America Online, Microsoft, Google, Verizon and Comcast. The attorney general has appointed a task force of department officials to explore the issue, and that group is holding another meeting with a broader group of Internet executives today, Mr. Roehrkasse said. The department also met yesterday with a group of privacy experts. The Justice Department is not asking the Internet companies to give it data about users, but rather to retain information that could be subpoenaed through existing laws and procedures, Mr. Roehrkasse said. While initial proposals were vague, executives from companies that attended the meeting said they gathered that the department was interested in records that would allow them to identify which individuals visited certain Web sites and possibly conducted searches using certain terms. It also wants the Internet companies to retain records about whom their users exchange e-mail with, but not the contents of e-mail messages, the executives said. The executives spoke on the condition that they not be identified because they did not want to offend the Justice Department. The proposal and the initial meeting were first reported by USA Today and CNet News.com. 
The department proposed that the records be retained for as long as two years. Most Internet companies discard such records after a few weeks or months. In its current proposal, the department appears to be trying to determine whether Internet companies will voluntarily agree to keep certain information or if it will need to seek legislation to require them to do so.

The request comes as the government has been trying to extend its power to review electronic communications in several ways. The New York Times reported in December that the National Security Agency had gained access to phone and e-mail traffic with the cooperation of telecommunications companies, and USA Today reported last month that the agency had collected telephone calling records. The Justice Department has subpoenaed information on Internet search patterns - but not the searches of individuals - as it tries to defend a law meant to protect children from pornography.

In a speech in April, Mr. Gonzales said that investigations into child pornography had been hampered because Internet companies had not always kept records that would help prosecutors identify people who traded in illegal images. "The investigation and prosecution of child predators depends critically on the availability of evidence that is often in the hands of Internet service providers," Mr. Gonzales said in remarks at the National Center for Missing and Exploited Children in Alexandria, Va. "This evidence will be available for us to use only if the providers retain the records for a reasonable amount of time," he said.

An executive of one Internet provider that was represented at the first meeting said Mr. Gonzales began the discussion by showing slides of child pornography from the Internet. But later, one participant asked Mr. Mueller why he was interested in the Internet records. The executive said Mr. Mueller's reply was, "We want this for terrorism."
At the meeting with privacy experts yesterday, Justice Department officials focused on wanting to retain the records for use in child pornography and terrorism investigations. But they also talked of their value in investigating other crimes like intellectual property theft and fraud, said Marc Rotenberg, executive director of the Electronic Privacy Information Center in Washington, who attended the session. "It was clear that they would go beyond kiddie porn and terrorism and use it for general law enforcement," Mr. Rotenberg said. Kate Dean, the executive director of the United States Internet Service Provider Association, a trade group, said: "When they said they were talking about child pornography, we spent a lot of time developing proposals for what could be done. Now they are talking about a whole different ball of wax." At the meeting with privacy groups, officials sought to assuage concerns that the retention of the records could compromise the privacy of Americans. But Mr. Rotenberg said he left with lingering concerns. "This is a sharp departure from current practice," he said. "Data retention is an open-ended obligation to retain all information on all customers for all purposes, and from a traditional Fourth Amendment perspective, that really turns things upside down." Executives of several Internet companies that participated in the first meeting said the department's initial proposals seemed expensive and unwieldy. At the meeting scheduled for today with executives of Internet access companies, Justice Department officials plan to go into more detail about what types of records they would like to see retained and for how long, said a Justice Department official who spoke on condition of anonymity. "It will be much more nuts-and-bolts discussions," he said, adding that the department would stop short of offering formal proposals. 
From rforno at infowarrior.org Fri Jun 2 09:26:34 2006
From: rforno at infowarrior.org (Richard Forno)
Date: Fri, 02 Jun 2006 09:26:34 -0400
Subject: [Infowarrior] - Federal Judge Allows Lawsuit Against NSA
Message-ID:

Federal Judge Allows Lawsuit Against NSA
http://www.salon.com/wire/ap/archive.html?wire=D8I038M80.html
- - - - - - - - - - - -
June 02,2006 | DETROIT -- A federal judge will go ahead with hearings in a legal challenge to a warrantless domestic surveillance program run by the National Security Agency. U.S. District Judge Anna Diggs Taylor also criticized the Justice Department for failing to respond to the legal challenge, The Detroit News reported Friday. The NSA and the Justice Department declined immediate comment.

The Bush administration has said that hearings would reveal state secrets that affect national security. The American Civil Liberties Union in Detroit and the Center for Constitutional Rights in New York filed lawsuits against the program in January, saying it violates Americans' rights to free speech and to privacy. In March, the plaintiffs asked the judge to declare the National Security Agency's program illegal. They said the Foreign Intelligence Surveillance Act requires that the spy agency go to a secret court in order to spy within the United States. The government filed a motion saying that no court can consider the issues because of a privilege against revealing state secrets, if doing so harms national security.

The judge said she will hear the government's motion only after proceeding with a June 12 hearing on the plaintiffs' motion to summarily declare the spying illegal. "Although defendants have not responded to said motion they may, if they appear, argue against it," she said.

© 2006 The Associated Press. All rights reserved.
From rforno at infowarrior.org Sat Jun 3 19:01:56 2006
From: rforno at infowarrior.org (Richard Forno)
Date: Sat, 03 Jun 2006 19:01:56 -0400
Subject: [Infowarrior] - Pre-emptive legal nastygrams
Message-ID:

The letter states that their client, Infront Sports & Media, "anticipates the possibility of unauthorized streaming and downloading of FIFA World Cup matches." The letter goes on to warn Boing Boing that Baker & McKenzie will be "actively monitoring your website ... to identify unlawful activity and will, if necessary, take appropriate action to ensure the protection of Infront's rights of those licenses."

< - >

http://www.boingboing.net/2006/06/03/hideous_company_send.html

.... Oh, scary! [not]

-rf

From rforno at infowarrior.org Sat Jun 3 22:55:48 2006
From: rforno at infowarrior.org (Richard Forno)
Date: Sat, 03 Jun 2006 22:55:48 -0400
Subject: [Infowarrior] - How eBay Makes Regulations Disappear
Message-ID:

June 4, 2006
How eBay Makes Regulations Disappear
By KATIE HAFNER
http://www.nytimes.com/2006/06/04/business/yourmoney/04ebay.html?_r=1&oref=slogin&pagewanted=print

IN quick succession one morning last month, Louisiana state legislators plowed through a long list of bills, including one to relocate the motor vehicle commission, another to regulate potentially abusive lending practices, and yet another that was the handiwork of eBay, the digital shopping mall that bills itself as "the world's online marketplace." EBay had worked overtime to ensure the passage of Senate Bill 642, which sought to exempt some Internet transactions - like those that occur on its Web site - from Louisiana licensing requirements for businesses conducting auctions.
As the State Senate's Commerce Committee convened to consider the bill, Duane Cowart, an eBay lobbyist, testified that forcing eBay "trading assistants" to fork over $300 for a license was unduly burdensome. "What they do on the Internet is not an auction, and they are not auctioneers," Mr. Cowart told the committee. Trading assistants take items on consignment from other owners and put them up for bid on eBay, but Mr. Cowart said their activities were more akin to placing classified ads. Louisiana's senators seemed to agree with him wholeheartedly. "I think eBay is great," said one, while another regaled the room about his adventures shopping for a Plymouth Prowler on eBay. State Senator Noble E. Ellington, a Democrat who sponsored the bill at Mr. Cowart's behest, beamed as his colleagues gave the legislation their unanimous support. EBay's lobbying activities are not confined to Louisiana. As the company has spread its innovative and influential wings across the Internet, it has also woven together a muscular and wily lobbying apparatus that spans 25 states. "It is a fast-moving train, and if you get in front of it you'll get flattened," said Sherrie Wilks, an official with Louisiana's licensing agency, who is concerned that eBay flouts regulatory oversight by persuading state legislators to take the company's side. Regulators in other states also say that when they try to erect guidelines around eBay's activities, they quickly encounter the realities of the company's political power, raising anew the perennial questions about the proper balance among public policy, consumer protection and business interests. EBay's lobbying tactics, meanwhile, illustrate the spoils to be won when a savvy, resourceful company combines local political persuasion and grass-roots rallying to get lucrative regulatory exemptions that allow it to safeguard its profits. 
EBay's efforts have been remarkably successful, and the company, which has worked tirelessly to cultivate its image as a friendly neighborhood bazaar even as it engages in hard-nosed lobbying, is not shy about boasting of its victories. Last year, Ohio passed a law that would have regulated eBay sellers, but the company moved quickly - with the help of seasoned lobbyists - to have a pre-emptive and more favorable bill passed. "We realized what was there, and we worked with local lobbyists and were able to get the law reversed," said Tod Cohen, eBay's vice president for government relations. He oversees the company's efforts to convince state lawmakers of a core eBay belief: that state regulation can impede the flow of e-commerce.

The Federal Trade Commission, which has loosened regulations across a broad range of industries, appears to agree. Late last week, responding to a request from Mr. Ellington for an analysis of the Louisiana bill, the agency advised that the bill promoted competition and increased consumer choice.

Unlike many other Internet companies, eBay has to be especially fleet-footed when it comes to stopping what it perceives as hostile regulation, whether it involves the growing number of eBay drop-off stores - places like UPS stores and small shops where people take their goods to be sold on eBay - or the more general category of trading assistants. Anyone engaged in selling on the site depends on a relatively friction-free environment in order to make a profit. So does eBay, because its overall corporate goal is to keep sales volumes high. At any given moment, 89 million items are for sale on eBay, and the mother ship - eBay itself - gets a fee for each successful transaction. It also charges its 193 million registered users listing fees for any products they display on the site. EBay's gross transaction fees for the first quarter of 2006 alone were more than $500 million, a 30 percent increase over the same quarter in 2005.
Keeping regulators at bay, particularly those whose efforts might slow down sales traffic, is a particularly high priority for the company. Regulations are threatening to eBay for another reason as well. They set precedents. Once a law regulating eBay sellers takes hold in one state, other states are more likely to follow suit. And not only do licenses and other regulatory requisites increase the cost of selling items on eBay, but regulations may deter entrepreneurs who are thinking of introducing eBay-based businesses.

Although regulations can help rein in con artists and other fraudsters masquerading as legitimate vendors on eBay - which is why most regulators say they favor strict licensing requirements - eBay sees its online community as self-regulating. Analysts say the company has little room to maneuver when it comes to opposing outside oversight. "EBay doesn't have a choice," said Ina Steiner, editor of Auctionbytes.com, an online newsletter. "This is such a tight-margin, price-sensitive business that if there are excessive regulations on sellers, it will affect eBay dramatically."

Accordingly, eBay fights regulators who try to categorize it as an auction house - despite the fact that for years eBay has used the word "auction" when describing what takes place on its site. In securities filings from 1998, the year eBay went public, it said that it "pioneered online person-to-person trading by developing a Web-based community in which buyers and sellers are brought together in an efficient and entertaining auction format." In the annual report last year, eBay said it provided the "infrastructure to enable online commerce in a variety of formats, including the traditional auction platform." Yet eBay contends that such references are informal and says that auction laws - many of them written long before the Internet and eBay even existed - should not apply to its sellers.
Chris Donlay, an eBay spokesman, said the timed auctions on eBay were fundamentally different from "someone who holds a live auction in front of an audience until he has achieved the highest price possible for the client." Instead, as the company says on its Web site, eBay merely "offers an online platform where millions of items are traded each day."

THE headquarters of the Louisiana Auctioneers Licensing Board is a modest, three-room office in Baton Rouge with two employees and a dial-up Internet connection. The agency says its mission is to protect the public from "unqualified, irresponsible or unscrupulous individuals." Late last year, the agency's seven-member board, concerned about possible abuses, decided that eBay trading assistants doing business in Louisiana needed licenses. Last summer, Jim Steele, a retired police officer who is the agency's investigator, started paying visits to eBay sellers around Louisiana who were registered as trading assistants.

Among those visited by Mr. Steele was Cheryl Brown, who runs a small eBay business out of her modest one-story home in Hammond, about an hour's drive east of Baton Rouge. Ms. Brown keeps an eclectic mix of wares - including shoes, belts and Black & Decker laser levels - piled around a bed in a spare back bedroom. Mr. Steele arrived at Ms. Brown's door last February and told her that she needed to get an auction-business license or face a cease-and-desist order. Ms. Brown said she was "blown away" to find herself singled out. After all, she said, her sales averaged little more than $2,000 a month. Even so, she paid $300 for the license and an additional $250 for a surety bond the licensing board required. Ms. Brown has yet to make a single sale as a trading assistant ("I don't want to sell people's old clothing," she said) and says she would rather not have to have a license. But, she said, she also enjoys the extra credential that a license gives her.
Further, she said, she believes that her transactions on eBay are, in fact, auctions. "My opinion is that eBay is the one doing the auctioning," she said. "They're in control." Ms. Brown's opinion is shared by Brian Leleux, an eBay seller at the opposite side of the state and the opposite end of the eBay sales revenue stream. Mr. Leleux employs nearly a dozen people and sells some $120,000 each month in recliners, inflatable air beds and other goods on eBay, making him an eBay "Platinum PowerSeller." He pays eBay about $12,000 every month in listing and transaction fees and an additional $2,100 to PayPal, eBay's automated payment subsidiary. Mr. Leleux operates his business, MassageKing.com, in a large warehouse near Lafayette, and Mr. Steele visited him there earlier this year. Mr. Leleux had signed up with eBay as a trading assistant but done very few consignment sales. Still, he paid the state's fee and applied for the license. Like Ms. Brown, Mr. Leleux said that he did not want a license but that it did give him "one more bit of legitimacy," a notion that appealed to him. And he, too, says he believes that eBay is an auction house. Still, not every eBay trading assistant was so compliant when Mr. Steele came calling. Barry Simpson has a computer equipment store in Morgan City and sells items on eBay as a sideline. Earlier this year, Mr. Simpson said, Mr. Steele visited him and insisted that he be licensed, even after Mr. Simpson said he would prefer to stop being a trading assistant. Mr. Simpson refused to get a license and complained to eBay, after which the company stepped up its legislative push in Louisiana. "At that point, we decided we needed to act," said Mr. Donlay, the eBay spokesman. Mr. Simpson says he believes that complying with certain regulations just does not add up. "If someone comes in and tells me I need a license and I'm selling something for someone else, and I don't do enough of that business, I'll quit," he said. 
Unlike most entrepreneurs, Mr. Simpson has a well-heeled and influential corporation - as vigilant about its own interests as it is about his - ready to take on regulators. And eBay appears to be prepared to contest regulators in almost any state where it feels that its prerogatives are threatened. In California last year, a bill that would have subjected eBay drop-off stores to restrictions now placed on pawnbrokers died quickly after eBay executives - including Meg Whitman, the chief executive - met with leaders of the Republican caucus of the Legislature. "The Republican votes we thought we had withered away," said Leland Y. Yee, the Democratic California assemblyman who sponsored the bill.

Last year, after eBay waged a protracted lobbying effort in Illinois, the state revised its laws to allow Internet auction sites to compete with licensed ticket brokers and sell tickets for more than their face value. New York and Florida have passed similar amendments after eBay lobbied for changes. Auctioneering laws like those in Louisiana are another focus for eBay. In Maine and Tennessee, after eBay intervened, laws were changed to exempt Internet auctions from licensing requirements.

All of this is just a matter of common sense, according to some people involved in the debate. Ms. Steiner, the newsletter editor, says that many eBay sellers do their trading part time or in addition to another job. "If they are overregulated by licensing fees," she said, "they will abandon their eBay business."

For its part, eBay is leaving little to chance. Over the last eight years, eBay has built a stable of local lobbyists in 25 states. Those lobbyists - who work on retainers that can reach $10,000 a month, according to state lobbying registration documents - have also made contributions to individual politicians who sponsor bills favorable to eBay. For example, Mr. Cowart's political action committee in Louisiana contributed $2,000 to Mr. Ellington in 2005.
And eBay lobbyists in Illinois have contributed thousands of dollars to politicians who supported the ticket-scalping bill.

EBay combines its politics-as-usual approach with more creative grass-roots tactics. It keeps its membership informed about regulatory issues as soon as they crop up, using mass e-mail messages and a year-old Web-based initiative called "eBay Main Street," which sends out "legislative alerts" and provides letters that users can send to government officials. Bowing to the traditions of ward politicos adept at turning out the vote, eBay routinely summons its sellers and sends them on personal visits to statehouses around the country to meet with legislators. "What better way to get a response than to get to the grass roots, which is eBay's members," said Kathy Greer, an eBay seller in New Hampshire, where there has been continuing debate about regulating eBay sellers. "Let them go out and fight your battle."

WHEN eBay sent e-mail messages in April to its Louisiana members to tell them their livelihoods could be threatened by the state's intention to require licenses - and urged them to take action - Ms. Wilks, the licensing agency's sole administrator, was besieged with phone calls and e-mail messages from angry eBay sellers. After she explained that the board intended to require that only about 460 registered eBay trading assistants be licensed, the hubbub died down. But some sellers who joined in the campaign say they felt that eBay had misled them by making it appear that the proposed regulations were more sweeping. "They approached it in a very underhanded way," said Stephen Dille, a Baton Rouge accountant who sells items intermittently on eBay but received the alert and sent an e-mail message to Ms. Wilks. "I always thought of them as a good company, but now I'm questioning their culture, and their ethics." Anna Dow, a lawyer for the Louisiana licensing board, put it more forcefully.
"They're being deliberately misrepresentational of what's going on," she said. For their part, eBay officials say that the licensing board has repeatedly refused to give the company a clear answer on whom it plans to regulate, so it has sent e-mail messages to a wide variety of recipients. EBay's anti-regulatory stance extends to storefront drop-off centers, which have been proliferating rapidly around the country. Vendors welcome the company's help. Debbie Gordon, the owner of Snappy Auctions, a nationwide chain of eBay drop-off stores that is based in Nashville, says she believes that all eBay consignment stores should follow certain practices to make sure that customers are protected. But she was outraged two years ago when Tennessee regulators told her that she would have to get an auctioneer's license and attend a week of auctioneering school. Ms. Gordon paid $700 for a license and other fees and spent what she called "five days I'll never get back" at a training course for auctioneers. "Ninety-nine percent of the course had nothing to do with our business," she recalled. "It was about traditional auctioneering, cattle and land and firearms." Soon after a local newspaper publicized Ms. Gordon's experience, eBay stepped in. It convinced lawmakers that not only did outfits like Ms. Gordon's have no relationship to hog calling, but also that because of the timed nature of an eBay auction, the transactions were altogether different and thus not subject to auctioneering laws. "We fundamentally believe that auctioneering laws are not applicable, are detrimental and are being used to harm competition," said Mr. Cohen of eBay in an interview. "They protect entrenched incumbents rather than enhancing competition, consumer choice and entrepreneurial spirit." BUT Ms. Wilks of the Louisiana licensing board says that if trading assistants on eBay are not required to have licenses, people like Linda Williams will have nowhere to turn. Earlier this year, Ms. 
Williams, who lives near Baton Rouge, gave an antique couch to someone to sell on consignment on eBay, she said. The couch was sold, Ms. Williams said, but she did not see a penny of the proceeds. Ms. Williams called the licensing board, which found that the seller was an auctioneer who was already facing a separate investigation. A bank seized his assets - which included a warehouse filled with items he had taken on consignment from dozens of people, including Ms. Williams - and his license was revoked, according to Ms. Wilks and Ms. Dow. "They were very helpful, and told me to call any time," said Ms. Williams of her experience with the licensing board. "If it wasn't for them, there would be nothing I could do."

EBay executives say that stories like this do not mean that more laws are required. They point out that law enforcement agencies are set up to investigate Internet fraud. "Regulators regulate - that is their job," Mr. Cohen said. "But we have an obligation as a company to protect our community."

Shortly after the first legislative hearing on Senate Bill 642 in Louisiana, eBay sent out another e-mail alert, this time to its biggest sellers in the state. The company asked sellers to attend a meeting late last month to update them on the bill and to brief them on other potential impediments to their businesses. Some 50 sellers from around the state attended the meeting at a Baton Rouge Marriott. Michelle Peacock, eBay's director of state government relations, flew in from California to join Mr. Cowart, the lobbyist. Large colorful billboards outlining "barriers to e-commerce" decorated the room. Ms. Peacock discussed the proposed revisions to Louisiana's auctioneer statute and talked about a bill supporting the elimination of restrictions on the resale of tickets on the Internet. After the meeting, several attendees piled onto a shuttle bus that eBay provided and drove to the Capitol to talk with their state representatives about Senate Bill 642.
The next day, the Commerce Committee of the Louisiana House of Representatives took up the bill, which the State Senate had already passed. The bill received unanimous support in the committee. Mr. Ellington, the state senator, said in an interview last week that he expected to see the bill pass the full House this week - without a hitch.

Iris Smalbrugge contributed reporting for this article.

From rforno at infowarrior.org Sat Jun 3 23:23:26 2006
From: rforno at infowarrior.org (Richard Forno)
Date: Sat, 03 Jun 2006 23:23:26 -0400
Subject: [Infowarrior] - USA: Russia can't enter WTO unless it shuts down music website
Message-ID:

Russian Download Site Is Popular and Possibly Illegal
By THOMAS CRAMPTON
International Herald Tribune
http://www.nytimes.com/2006/06/01/world/europe/01cnd-mp3.html?ei=5090&en=4c9bcba30952e86b&ex=1306814400&partner=rssuserland&emc=rss&pagewanted=print

PARIS, June 1 - Rising consumer popularity is turning AllofMP3.com, a music downloading service based in Moscow, into a global Internet success story, except for one important detail: The site may well be illegal. So great is the official level of concern about AllofMP3 that American trade negotiators darkly warned that the Web site could jeopardize Russia's long-sought entry into the World Trade Organization.

Operating through what music industry lobbyists say is a loophole in Russia's copyright law, AllofMP3 offers a vast catalogue of music that includes artists who have not permitted their work to be sold online - like the Beatles and Metallica - at a fraction the cost of services like Apple Computer's iTunes service. Sold by the megabyte instead of by the song, an album of 10 songs or so on AllofMP3 can cost the equivalent of less than $1, compared with 99 cents per song on iTunes. And unlike iTunes and other commercial services, songs purchased with AllofMP3's downloading software have no restrictions on copying.
It is an offer that may seem too good to be true, but in Russia, considered to be a hotbed of digital piracy and theft of intellectual property, courts have so far allowed the site to operate, despite efforts by the record labels Warner, Universal and EMI to aid prosecutors there. Music industry officials say AllofMP3, which first came to their attention in 2004, is a large-scale commercial piracy site, and they dismiss its claims of legality. "It is totally unprecedented to have a pirate site operating so openly for so long," said Neil Turkewitz, executive vice president of the Recording Industry Association of America, who is based in Washington. People associated with AllofMP3, which lists no telephone contacts on its Web site, declined to comment for this article when tracked down by domain-name ownership records kept by Verisign. Those records show that Ivan Fedorov of Media Services in Moscow is the owner. AllofMP3.com says on the site that it can legally sell to any user based in Russia and warns foreign users to verify the legality within their countries for themselves. The site features a wide selection of Russian music, but is written in English with prices listed in United States dollars. AllofMP3 asserts its legality by citing a license issued by a collecting society, the Russian Multimedia and Internet Society. In most countries, the collecting societies that receive royalty payments for the sale or use of artistic works need reciprocal agreements with overseas copyright holders, according to agencies that represent right holders. According to Russia's 1993 copyright law, however, collecting societies are permitted to act on behalf of rights holders who have not authorized them to do so. Collecting societies have thus been set up to gather royalties for foreign copyright holders without their authorization. Infringement cases have also affected foreign-produced software, films and books. 
The result is that numerous organizations in Russia receive royalties for the use of foreign artistic works, but never pass on that money to the artists or music companies, according to the International Confederation of Societies of Authors and Composers, the umbrella organization for collecting societies. "These collecting agencies are thieves and frauds because they accept money while pretending to represent artists," said Eric Baptiste, director general of the confederation. "They play off a bizarre aspect of the Russian law that we are lobbying to change." Consumers have been flocking to the site, particularly from Britain, where a survey in March ranked AllofMP3 second only to iTunes in popularity among self-described music enthusiasts surveyed by XTN Data. Amazon.com's Web site rating service, Alexa, ranks AllofMP3 as having the 986th highest level of traffic of any site on the Web over the past three months. Use in the United States reached 345,000 unique visitors in April, an increase of 57 percent over January, but a tiny fraction of the 19 million that used the iTunes software online, according to Comscore, a service that monitors the habits of Internet users.

From rforno at infowarrior.org Sun Jun 4 12:45:28 2006
From: rforno at infowarrior.org (Richard Forno)
Date: Sun, 04 Jun 2006 12:45:28 -0400
Subject: [Infowarrior] - In Montana, Casting A Web for Terrorists
Message-ID:

In Montana, Casting A Web for Terrorists
Online Sleuth Hunts Down Suspects Worldwide
http://www.washingtonpost.com/wp-dyn/content/article/2006/06/03/AR2006060300530_pf.html
By Blaine Harden
Washington Post Staff Writer
Sunday, June 4, 2006; A03

HELENA, Mont. -- Like a hunter using a duck call, Shannen Rossmiller invites the online attentions of would-be terrorists by adorning her e-mail with video clips of Westerners getting their heads cut off. "They get pumped up when they see beheadings. For them, it's like rock videos," Rossmiller said.
"I always give the appearance that I am one of them." Appearances deceive. At her Montana high school, Rossmiller was a cheerleader -- a farm girl whose slight frame meant she was the one hoisted to the top of the human pyramid. Now 35, she is a mother of three, a part-time paralegal and a $23,000-a-year municipal court judge in a town north of here. Since the Sept. 11, 2001, attacks, she has found herself an unpaid night job. She uses the Internet to find terrorism suspects, she said, hunting for them while her family sleeps, spending the hours between 3 a.m. and dawn at her home computer. Her husband, Randy, a wireless network technician, keeps eight computers and two broadband systems working in their house. Posing as an al-Qaeda operative, she has helped federal agents set up stings that have netted two Americans -- a Washington state National Guardsman convicted in 2004 of attempted espionage, and a Pennsylvania man who prosecutors say sought to blow up oil installations in the United States. Rossmiller was a key prosecution witness against the Guardsman, who is serving a life sentence, and said she has been told she will be called as a witness in the Pennsylvania case. Most of Rossmiller's terrorist tracking, though, has focused on foreign suspects, she said. By her count, she has turned over to federal investigators about 60 "packages" of information on suspects outside the United States. She provided The Washington Post with hundreds of pages of e-mail exchanges that she said are transcripts of her conversations with would-be jihadists outside this country. Rossmiller said she meets nearly every week with U.S. intelligence contacts in Montana, and that they have periodically given her feedback about the usefulness of her information. She said she has been told that foreign intelligence officers have detained more than a dozen individuals whom she helped identify. 
But while Rossmiller has been vital in uncovering two cases of domestic terrorism, it is not clear how extensive a role she has played in the global fight against terrorism. Federal intelligence sources confirmed that for several years she has provided the FBI and the CIA with useful information, but refused to characterize it or say how it has been used. Her assertions about detentions of foreign suspects could not be independently confirmed, and officials from the FBI and CIA declined to speak publicly about her. Still, the outspoken small-town judge raises the remarkable reality of the government regularly using a self-appointed, self-trained Internet sleuth to help fight terrorism at home and abroad. Given several chances to do so, no one in the intelligence community characterized Rossmiller as a crank. Indeed, protecting Rossmiller and her family in their rural Montana home, not far from the Canadian border, has for two years been a regular agenda item at meetings between local police, the FBI and U.S. Border Patrol agents, according to a Montana law enforcement official who requested anonymity. Rossmiller said she is disappointed that federal agencies will not go on the record to confirm the details she offers about the nature and extent of her online work. "For the life of me, I can't understand what the deal is with higher-ups in the FBI," she said. Rossmiller's night job became public knowledge in 2004, when she testified against Spec. Ryan G. Anderson, who was part of a National Guard tank crew based at Fort Lewis, Wash. Rossmiller said she spotted him Oct. 6, 2003, when he appeared, writing in English, on an Arabic Internet forum. She apparently convinced him she was a member of al-Qaeda and he wrote back, asking: "Just, curious, would there be any chance a brother who might be on the wrong side at the present, could join up defect so to speak?" Anderson was arrested six days before his unit was deployed to Iraq. 
Rossmiller was a key witness at his court-martial, during which one of her e-mail identities was published in newspapers. Within hours, she said, a man with a Middle Eastern accent called the Montana courthouse where she works and asked for her address. She and her husband have since obtained permits to carry concealed weapons. She sometimes carries a .38-caliber pistol in her purse. Although her home town has been named in previous articles about her, she asked that it not be printed in this one. In February, she was again identified in court documents after she posed online as an al-Qaeda operative and offered money to Michael Curtis Reynolds, who a U.S. attorney in Pennsylvania has said is suspected of plotting to blow up oil and gas pipelines. Rossmiller snared the two American terrorism suspects, she said, while casting Internet hooks for bigger fish: Arabic-speaking extremists in the Middle East and in Pakistan. To find them, she said she has invented a cast of male online characters. They hold court -- spitting insults at "dirty Americans" and distributing videos of beheadings -- on several Islamic Web sites, according to transcripts of her e-mail exchanges. Using those personas, Rossmiller said she strikes up conversations with chatty extremists. Rossmiller said she communicates primarily in Arabic, which she began learning after the Sept. 11, 2001, attacks. She also uses a computer translation program and said the FBI has occasionally provided her with a native Arabic speaker. As part of her online approach, she offers arms and money to fight in Iraq and to kill "slaves of the cross." She said her work led to the detention last year of several men training to enter Iraq to fight U.S. troops, as well as to the arrest of a Middle Eastern academic seeking al-Qaeda funding for his plans to build a nuclear bomb. Federal agencies declined to comment on both cases. Rossmiller said that "2005 was a very productive year for me." 
Why is Rossmiller talking about terrorist hunting that has not been made public in court? "With the Reynolds case coming up, it is important that people understand what I do," she said during two long conversations in a Perkins pancake house here. "I don't work for the FBI, the CIA, Mossad or any of those folks. It wouldn't make me feel right to be on a payroll." Rossmiller is angry that some news reports have portrayed her merely as a "Montana mom." "I am so upset about the press presenting me as this stupid little blonde woman patrolling the Internet," she said. After four years of watching the Bush administration's efforts against terrorism, Rossmiller said her commitment to finding enemies of the United States is stronger than ever and that she continues to track suspects in the middle of the night. "She doesn't have normal sleep patterns, never has," her husband said. Rossmiller's online experience, though, has soured her on many of the methods of the Bush administration's fight against terrorism. She said that the invasion of Iraq and the use of harsh interrogation techniques has increased the number of people in the Arab world who hate the United States. "It has created more discord, and the numbers of brothers interested in violence have grown," she said. Rossmiller has a knack for the minutiae and theatrics of wooing extremists over the Internet, according to Brent Astley, a Canadian software developer and executive director of a group of online volunteers who try to identify terrorism suspects and turn them over to authorities. "She was one of the first, and she is definitely one of the best," said Astley, who in 2002 helped set up Rossmiller with software that hides her computer address in Montana and allows her to appear online as if she lives in Pakistan or elsewhere. Astley said her particular gift is for "cyber-theatrics." "She has chutzpah, and that is definitely required," he said. 
One of Rossmiller's strategies is to warn jihadists that they are risking the lives of their Islamic brothers by speaking too candidly online. She calls her Arabic skills "workable." In 2002, she took an eight-week, online Arabic course. Later that year, she went to Buffalo for a two-week course that focused on grammar. But when it comes to online deception, perfect Arabic does not matter much, Astley said. "A lot of the people that are being dealt with are not the cream of educated society," he said. Rossmiller said she has been told she will be called to testify later this year against Reynolds, the unemployed man from Wilkes-Barre, Pa., who was arrested late last year near Pocatello, Idaho, and who a federal prosecutor has said was attempting to "provide material aid to al-Qaeda." As for the foreign terrorism suspects she says she has identified, Rossmiller said she does not know what has happened to them, other than that some have been detained. "I don't know what they do with these guys," she said. "And I don't want to know."

© 2006 The Washington Post Company

From rforno at infowarrior.org Sun Jun 4 21:30:01 2006
From: rforno at infowarrior.org (Richard Forno)
Date: Sun, 04 Jun 2006 21:30:01 -0400
Subject: [Infowarrior] - IEEE: Death by DMCA
Message-ID:

Death by DMCA
By: Fred von Lohmann and Wendy Seltzer
http://www.spectrum.ieee.org/print/3673

Illustration by David Plunkert

In 1998, U.S. entertainment companies persuaded Congress to make dramatic changes in its copyright code by passing the Digital Millennium Copyright Act. The DMCA gave copyright holders new rights to control the way people use copyrighted material and new protection for technologies designed to restrict access or copying. The movie and record companies argued they needed these new restrictions to fight increased piracy threats in the digital era. In the eight years since the DMCA's passage, however, piracy has not decreased, and hurdles to lawful uses of media have risen.
The Motion Picture Association (MPA), the international arm of the Motion Picture Association of America (MPAA), estimated worldwide losses because of piracy to be US $2.2 billion in 1997 and $3.5 billion annually in 2002, 2003, and 2004. Meanwhile, entire consumer electronics categories have been wiped from retail shelves. If three or four years ago you didn't buy a digital video recorder that automatically skips commercials, you're out of luck; that feature is not in such products today. Television executives brought litigation that bankrupted the company offering DVRs with these user-friendly features, because skipping commercials potentially undermines their ability to sell commercial time. You're likewise out of luck if you're looking to buy software that lets you copy a DVD onto your laptop's hard drive; it's no longer for sale, at least not in the United States. Even if you want to put the movie you bought onto a pocket-size video and game console, such as Sony's PlayStation Portable, which allows users to watch video stored on flash memory or a miniature hard drive, you can't legally do so, because you'd have to "rip," or decode, it to make the transfer -- and the studios claim that this action violates the DMCA.

When you rip a CD, be it to an audiotape or an MP3 file, you're not breaking any laws. But to rip a DVD you need to somehow get around the encryption technology built into a standard disc, and since such circumvention is forbidden by the DMCA, if you rip a DVD, you are breaking a law. Under the DMCA, legality doesn't depend on how the copy will be used but rather on the means by which the digital content is copied. Now, in an even more vexing situation, U.S. entertainment companies are successfully spreading the copyright code changes established by the DMCA around the world. Laws similar to the DMCA now exist in Japan, Australia, and much of Europe.
At least nine additional countries, including Chile, Guatemala, and Singapore, have also been pressured to enact DMCA-like laws as part of a devil's bargain with U.S. trade negotiators, who say the copyright change is necessary to secure free trade pacts with the United States that would govern all sorts of commerce. And in Europe, the body charged with defining the European digital television standards is mixing in content-protection obligations, responding yet again to pressure from major U.S. movie studios. Emboldened by their successes, U.S. entertainment companies are pushing for another wave of even more restrictive legislation. "Broadcast flag" legislation could require that all consumer electronics devices recognize protected television broadcasts and potentially refuse to copy them; a so-called "radio flag" bill would prevent or restrict the manufacture of hard disk recorders for digital radio; and an "analog hole" closure would restrict the connections new digital devices can make with analog devices. As the entertainment industry expands copyright law, the rising tide threatens to completely wash away many types of innovative gadgets.

Before the passage of the DMCA, entertainment and technology had, for the most part, peacefully coexisted. Laws addressing the use and misuse of copyrighted content targeted "bad actors" rather than complete classes of technology. For example, when songwriters in the 1920s sued radio stations for broadcasting live music performances without paying the songwriters, the lawyers did nothing to the companies that designed and built the broadcast transmitter towers. And in the early 1980s, when videocassette recorders (VCRs) made it possible for consumers to record television broadcasts, the U.S. Supreme Court, in its landmark Betamax case, ruled that the manufacturers of home video-recording devices were not liable for copyright infringement. By the 1990s, U.S. entertainment companies wanted not just compensation but control.
They went abroad to fight for international treaties that went beyond punishing copyright infringement. These new treaties endorsed copyright-protection technologies and prohibited the circumvention of these technological barriers. Then the companies brought the treaties back home to demand an update of the U.S. Copyright Act. And that brought about the DMCA. The most controversial of the DMCA's additions to copyright made it a crime to circumvent "technological protection measures" deployed on copyrighted works. Under the DMCA, these measures mean any technology used to restrict or prevent copying of or access to a copyrighted work. Thus, the DMCA makes it illegal to bypass a password-control system and also prevents working around an encryption scheme that might stop someone from copying a song to an MP3 player. Other DMCA provisions outlaw the distribution of devices that bypass these digital locks. Copyright is being turned from a limited-term incentive designed to encourage creative artists to a broadly scoped transfer of wealth from the public to the private realm. As the industries that generate copyrighted materials seek control over not only their works but also the devices on which we watch, listen to, and remix them, copyright law is turning into technology regulation.

Illustration by David Plunkert

ReplayTV 4000, an advanced digital video recorder introduced in 2001 by ReplayTV Network Inc., of Cupertino, Calif., was an early victim of the rising legislative tide. Like its competitor TiVo, from TiVo Inc., Alviso, Calif., the ReplayTV 4000 recorded television programs to a hard drive and allowed the viewer to watch the show at a later time -- the kind of time shifting the Supreme Court approved as a fair use of the Betamax. The ReplayTV had two additional unique features: it could automatically skip commercials, and it could also relay a recorded program to another ReplayTV unit in the home or elsewhere on the Internet.
These new capabilities did not please Hollywood. Jamie Kellner, then CEO of Turner Broadcasting System Inc., called skipping commercials "theft" and, along with 28 entertainment companies including major movie studios and television networks -- such as Disney, Paramount, Time Warner, Fox, Columbia, ABC, NBC, and CBS -- sued ReplayTV for contributing to copyright infringement. Though the company might have prevailed in the end based on the Betamax precedent, ReplayTV ultimately ended up in bankruptcy before it could have its day in court. The company that rescued ReplayTV from bankruptcy, D&M Holdings Inc., Tokyo, settled the case in 2005 by pledging not to include the commercial-skipping and the show-forwarding features in its future models. None of the DVRs on the market today, from TiVo, ReplayTV's successors, or elsewhere, such as from cable companies, offer these features. Although nothing currently stops a technically savvy hobbyist from turning a personal computer with a TV tuner card into a ReplayTV 4000-like video recorder, the legislative tide may soon threaten these tinkerers as well, as we'll explain.

The DVD, introduced in 1996, quickly became one of the most successful consumer products of all time. It revolutionized the market for home movie viewing and enabled new, portable devices to be created; it also gave rise to new distribution schemes like the Netflix subscription service and its many imitators. But for consumers, the DVD format left room for improvement. Copy-protection schemes implemented in the DVD format at Hollywood's insistence made it difficult to reproduce movies, in whole or in part. So DVD owners who wanted to copy a few movies onto a laptop computer for a long trip -- and to leave the drive and discs themselves at home -- couldn't. Furthermore, region codes locked discs to specific areas of the world, blocking travelers from picking up new discs or trying foreign selections.
In 1999, a team that included Jon Lech Johansen, a young Norwegian programmer, cracked the DVD copy-protection technology. Johansen explained how to do it on his Web site, and programs soon developed to enable direct copying of a DVD. A group of movie studios complained to legal authorities in Norway, and the Norwegian prosecutor charged Johansen with a crime. The court cleared him after years of legal battles. However, Johansen's Web site addressed technologically savvy users, not the average consumer looking to make a quick copy of one of the Barney movies. In 2003, 321 Studios, of St. Charles, Mo., launched a software product called DVD X Copy for these more typical DVD owners. The company built in aggressive measures to prevent piracy, including an antipiracy splash screen that appeared when viewing any copy and watermarks that would enable copies to be traced back to those who made them. The management at 321 Studios hoped that these cooperative measures would stave off Hollywood's wrath. The company was wrong.

Before the DMCA, 321 Studios would have been on relatively safe legal ground. From the time of the Betamax case, U.S. courts had made it clear that copying devices were legal so long as they had any substantial lawful use. But the DMCA changed the rules. When the movie studios sued 321 Studios, the Hollywood contingent did not argue that any of their movies had been unlawfully copied. Instead, it said that the product circumvented a "technical protection measure," which in this case was the Content Scramble System (CSS) on DVDs. The CSS is the scheme Hollywood uses to encrypt movies on DVDs. Decryption requires a key, which manufacturers of DVD players obtain by signing a license with the DVD Copy Control Association, a consortium of movie studios, including Fox and Warner, and technology providers, such as Intel and Toshiba.
This license, in turn, forbids licensed devices from making digital copies of DVD content or from offering playback modes that the studios disapprove of. (DVD recorders can copy only unencrypted digital material, such as home movies.) The licensing rules and DMCA put companies like 321 Studios in a quandary. If they signed the license in order to obtain the CSS decryption keys, the document prohibited them from using those keys in software capable of copying a DVD. If they didn't sign the license and forged ahead anyway, deriving the CSS keys on their own, they risked prosecution or a civil suit under the DMCA for circumventing the CSS. After consideration, 321 Studios opted to go forward without a license. The DMCA quickly washed away DVD X Copy. After the movie studios prevailed in court in 2004, manufacturers pulled DVD X Copy and similar ripping tools off the U.S. market. Though DVD-copying software has been swept off U.S. retail shelves, plenty of it escaped to higher ground. Freeware DVD-copying applications like DVD Shrink, MacTheRipper, and HandBrake wander the Web. To escape the Hollywood hunters, most live on Web servers located outside the United States.

Unencumbered digital television tuners are a bit higher up on the beach, yet they represent another class of products that may be eliminated by legislation. These peripherals slip into a computer's PCI card slot or hook up to a USB port to enable it to receive digital television broadcasts, turning a PC into a TV or video recorder. The cards, which cost from $100 to $350, came to market in 2004 from a variety of manufacturers, including ATI, Dvico, Elgato, and pcHDTV. With a tuner card, a hobbyist can build his or her own DVR. The entertainment companies do not like the flexibility of these home-built machines -- or, more significant to them, the flexibility of the machines that consumer electronics manufacturers could offer under the current copyright law and its Betamax rule.
Envisioning a world in which copyrighted works are indiscriminately distributed on the Internet, the entertainment industry looked for ways to force limitations into the design of these devices. Hollywood went first to the U.S. Federal Communications Commission (FCC) to demand a "broadcast flag mandate," that is, a requirement that every device capable of receiving digital television broadcasts incorporate restrictions against redistribution of those programs. Such a law would give Hollywood a say in the design of all the new hardware consumers would need to make DTV work. The mandate would require devices capable of receiving over-the-air DTV signals to detect and respond to a flag, known officially as the Redistribution Control Descriptor, in the broadcast stream. The flag indicates that the owner of the rights to the transmission has imposed restrictions on its copying or redistribution. The mandate required that the technology designed to detect the flag and implement the restrictions be embedded in every tuner that has digital outputs.

Hollywood lobbyists actually convinced the FCC to impose broadcast flag regulations in 2003, but a U.S. Court of Appeals found that the Commission lacked the authority to regulate the internal workings of televisions. Hollywood is now asking Congress to give the FCC that legal authority by passing the Audio Broadcast Flag Licensing Act of 2006, sponsored by Rep. Michael Ferguson (R-N.J.). If Congress does enact these broadcast flag regulations, existing tuner cards will ignore the flag, but it will be unlawful to manufacture any new cards without the feature. Products that would have to be redesigned in response to the flag mandate would include the wide variety of inexpensive tuner cards available today, as well as TV hard disk digital recorders, DVD recorders, and any other hardware or software that would make it possible to receive or view digital broadcast television.
The broadcast flag law would force designers of tomorrow's digital television devices to either implement one of a limited list of approved content-protection technologies to restrict flagged broadcasts or hire lawyers to seek FCC approval for any newly developed content-protection mechanism. Neither option would ensure backward-compatibility with existing high-definition televisions or interoperability with the other digital media equipment consumers might have already purchased. These requirements would inevitably mean higher costs for technology developers and would handicap the introduction of new features. And all this would happen without stopping those who are truly determined to redistribute HDTV programming. Like the DMCA's provisions, broadcast flag legislation, if established in the United States, is likely to proliferate around the world.

Illustration by David Plunkert

Hollywood is no longer waiting for products to actually be invented, manufactured, and shipped to retailers before trying to bar them from the market. Instead, the entertainment industry has already begun attacking some consumer electronics devices before the manufacturing process begins. That's happening to products that would give consumers the ability to record digital radio in the same way we "TiVo" television shows. In the United States, 3000 FM broadcasters have committed to augmenting their traditional analog AM and FM broadcasts with digital signals using a technology called In-Band On-Channel Digital Audio Broadcasting, more commonly called HD Radio, which debuted around 2004. Some 700 of these stations already have HD Radio on the air. Europe has deployed a similar digital radio system.
HD Radio promises increased fidelity for AM broadcasts and increased capacity for FM broadcasts: using digital radio, broadcasters could transmit as many as three compressed digital programs in the same width of spectrum that supports only one analog program today, albeit at lower fidelity than with analog FM. For decades, music fans have been recording analog music from radio broadcasts. The recording industry never liked this home taping, and in the 1970s and early 1980s it repeatedly tried but failed to convince legislators to tax analog tape. In 1991, the music industry took the issue to the courts, suing to block the first digital audio tape recorders, asserting that digital music is different from analog because digital copies are as good as the originals, whereas analog copies are not. Congress brokered a compromise between the music industry and the consumer electronics manufacturers and enacted the Audio Home Recording Act of 1992. Among other items, the law resolved the question of taping off the radio, making it clear that analog taping for noncommercial use was perfectly legal but digital taping would be legal only if the recording devices and blanks included a small royalty, for example, 3 cents on a $1.00 recordable audio CD, payable to the music industry. The law also required that covered digital audio recorders include a primitive copy-control system known as the Serial Copy Management System. With the advent of HD Radio, the recording industry wanted to reopen the issue. The industry, represented by the Recording Industry Association of America (RIAA), is trying to renege on the bargain struck in the Audio Home Recording Act, in which it agreed to accept the royalty in exchange for permitting digital radio recording. The RIAA is urging the FCC and Congress to impose design restrictions on any future HD Radio recorders to stave off a successful new mutation: a digital hard disk recorder that allows easy and flexible archiving of radio broadcasts. 
As similar devices have appeared for satellite radio, the recording industry has also begun pushing for legislation to restrict them, such as S. 2644, the Platform Equity and Remedies for Rights Holders in Music (PERFORM) Act of 2006, introduced by Sen. Dianne Feinstein (D-Cal.). The restrictions sought by the RIAA would prevent users from storing individual song tracks, searching by title or artist, or creating playlists. What the RIAA wants, according to documents it filed with the FCC, are digital recorders that record only in segments at least 30 minutes long. This action would prevent users from splitting the 30-minute segment into individual songs or skipping to the beginnings of songs. Limitations such as these would make off-the-air recordings less desirable and therefore, the industry hopes, prevent them from cutting into record sales, and they would also deny users key benefits of the new technology. The industry argues that the regulations should also require that recordings be cryptographically bound to the recording device, thereby making them nontransferable to iPods, MP3 players, or computers. Further, the regulations should also limit the use of metadata -- that is, identifying information that may supplement the audio file -- and so deny users the convenience of setting up devices to record only favored artists or genres. In essence, these rules would force future digital recorders to ape the analog cassette recorders of decades past. The regulations would ban all "noncompliant" recorders from the marketplace. The good news for radio fans is that the recording industry's proposal met with a chilly reception both at the FCC and at a Senate hearing this past January. The bad news is that the recording industry continues to push hard for it.

While some gizmos in the eye of the storm are exotic or newly evolved, one is, today, as common as a house cat.
This is the type of device that transforms analog signals into digital ones: the analog-to-digital converter. The MPAA has made plugging the "analog hole" a top legislative priority. The concept is simple: most of today's digital entertainment devices, whether they are DVD or CD players, hard disk recorders like TiVo, or television tuners, have analog as well as digital outputs. The analog outputs include composite video (a single yellow RCA jack), component video (a trio of RCA jacks, usually green, blue, and red), and S-video (a multipin jack). These jacks let consumers easily connect modern digital products to home entertainment devices that predate the digital era. Hundreds of millions of consumers worldwide use these jacks to enjoy DVDs and other digital media without having to run out and replace all their existing consumer electronics. New and emerging products are increasingly encrypting their digital outputs. The list includes DVD-Audio players and the new Blu-ray Disc and HD DVD players, the much-hyped high-definition successors to DVD players, the first examples of which are just reaching the market. In contrast, device designers can't encrypt or scramble analog outputs, at least not if they intend the products to continue to work with older devices. This means that users can freely record and manipulate analog signals, using an old VCR, for example. Nevertheless, what really bothers Hollywood about standard, unencrypted analog interfaces is that it cannot use licensing to impose restrictions on the makers of analog devices; unlike digital devices, most analog interfaces do not need decryption keys. If such interfaces are eliminated, however, then when analog devices wear out and consumers replace them with digital devices, Hollywood will have tighter control over the evolution and interconnection of consumer entertainment technologies than it did in the analog era.
Hollywood, therefore, is going on the attack against devices that convert analog content to digital. This category covers an incredibly broad array of products, from basic components found on RadioShack shelves to fully formed gadgets ubiquitous in the marketplace. For example, for just a few hundred dollars consumers can buy video capture cards and use them in their personal computers to digitize old home movies. With a video capture card, you can make a copy of a movie for your video iPod, excerpt video for a school project, or take a clip to remix with your own footage. In an attempt to put an end to all that, Hollywood has drafted the Digital Transition Content Security Act, introduced as H.R. 4569 in December 2005 by Reps. F. James Sensenbrenner Jr. (R-Wis.) and John Conyers Jr. (D-Mich.). This legislation, better known as the Analog Hole Bill, would impose a design mandate on any "analog video input device that converts into digital form an analog video signal." The act would require digital recorders, video capture cards, and other devices that can convert analog signals into digital data to detect and respond to two different analog signaling technologies. One of them, the Copy Generation Management System for Analog (CGMS-A) would set a flag in a television transmission that would identify whether or not the show being broadcast has copy restrictions on it. If it does, the flag would identify the generation of the recording and the number of times it could be copied: not at all, once, or some preset number. The television broadcaster would transmit this identification during the video-blanking interval of the analog transmission, that moment in which the electron gun that paints the pixels on a television screen jumps from the bottom to the top. The second signal, called Video Encoded Invisible Light (VEIL), would be inserted into the video picture itself and, like CGMS-A, would not be visible to the eye.
Originally developed to trigger responses by toys to daytime cartoons, VEIL would operate as a backup for CGMS-A and would be present in every content-controlled broadcast. If a device covered by the legislation detected a VEIL signal without accompanying copy-control information, the mismatch would tip off the device that the copy-control flag had been stripped or tampered with. The Analog Hole Bill is Hollywood's attempt to control an even broader range of devices than the DMCA does. The chips used to convert video from analog to digital are in today's digital cameras, camera phones, and personal media players. A host of future new devices are likely to include this basic technology. The Analog Hole Bill would require that all these products incorporate content-protection technologies certified by federal regulators and include hardware and software to block any end-user modifications. The days of hardware "tweaking" would end. The legislation would also dictate the kinds of video outputs permitted, potentially orphaning generations of older products, including television sets, stereo speakers, and VCRs. Such legislation, combined with other laws already passed and pending, would lead to a world in which federal regulators, not creative engineers, would dictate many product features and design decisions. In place of the new era's digital developments, Hollywood's vision takes us back to the Stone Age. Hollywood is good at telling stories. The one it has been screening in Washington, that music and movies will perish if the regulators don't kill the dangerous gizmos first, is powerful drama but has about as much basis in reality as Lord of the Rings. Killing off gizmos and subjecting technological development to the whims of federal regulators will ultimately hurt not just consumers but also tomorrow's creative industries, both technology and entertainment.
About the Authors

FRED VON LOHMANN is a senior staff attorney with the Electronic Frontier Foundation, a nonprofit group based in San Francisco that is devoted to protecting civil liberties and free expression in the digital world. He handles various areas of litigation involving copyright and new technologies, and he advises policymakers about the importance of protecting the public interest when enacting intellectual property laws and regulations.

WENDY SELTZER is a visiting professor of law at Brooklyn Law School, where she teaches Internet Law and Information Privacy and writes about free speech online. Previously, she was a staff attorney with the Electronic Frontier Foundation. As a fellow with Harvard Law School's Berkman Center for Internet & Society, Wendy founded and leads the Chilling Effects Clearinghouse (http://www.chillingeffects.org), which helps Internet users understand their rights in response to cease-and-desist threats.

To Probe Further

Freedom-to-Tinker (http://www.freedom-to-tinker.com), a blog by Princeton computer science professor Edward W. Felten, discusses technical and policy issues, including digital rights management. Deep Links (http://www.eff.org/deeplinks), the official blog of the Electronic Frontier Foundation, follows legal and policy issues surrounding copyright, digital rights management, and the Digital Millennium Copyright Act. Public Knowledge (http://www.publicknowledge.org), a nonprofit group based in Washington, D.C., follows legislative developments relating to copyright and digital rights management.

Sidebar 1: DMCA Brings Good Things to Life

Few single pieces of legislation have done more to spur technological innovation and expand the supply of movies and other entertainment than the Digital Millennium Copyright Act (DMCA).
When Congress passed the DMCA in 1998, neither consumers nor innovators in the technology and entertainment industries imagined that just eight years later people would be viewing movies and TV shows on their computers, their video iPods, their PlayStation Portables, and even their cellphones. During these years, innovators were not only able to imagine new ways to provide movies to consumers but were also able to deliver them. They could do so because they knew that the products of their creativity would be protected from theft and abuse by a fair set of rules. The DMCA put into law a common-sense proposition: that it is wrong to break through technical "locks" that keep digital content from being stolen or to market devices that do so. The DMCA gave innovators and creators an effective means of protecting themselves against thieves who try to beat the system by unlawfully making copies and redistributing movies and other entertainment. Perhaps the best example of the innovation that the DMCA is bringing home to consumers is the DVD. DVD players are the most successful consumer electronics devices in history. Since the passage of the DMCA, tens of millions of consumers have enjoyed a wide variety of entertainment in this high-quality format. We at the Motion Picture Association of America (MPAA) attribute the triumph of the DVD directly to the DMCA, because in providing some protection against unbridled theft, the DMCA empowered entertainment companies to release their products in digital format. Although critics have accused the DMCA of damping technological innovation and preventing the "fair use" of copyrighted works, recent history supports the opposite conclusions. ("Fair use" is a legal concept that permits the reproduction of copyrighted works for certain purposes without permission or payment.)
Rather than discouraging innovation, the DMCA has fostered an innovative environment that has given consumers greater access to movies, TV shows, and other copyrighted material than ever before, advancing new technologies as well as new business models. The DMCA recognizes the historical importance of fair use. In fact, under a DMCA requirement, the U.S. Copyright Office is conducting its third investigation into fair use practices. It has found no evidence to support claims that the DMCA diminishes consumers' ability to fairly use copyrighted materials. Although the DMCA has greatly expanded consumers' viewing choices, threats to the future expansion of these choices still remain, especially in the realm of over-the-air broadcast television. Cable and satellite subscription services can protect their high-quality programs from being illegally copied and infinitely transmitted over the Internet, but over-the-air broadcasters cannot. The broadcast signal must be unprotected so that all consumers can receive it on their existing televisions. Congress can help ensure the future growth of viewing choices for over-the-air viewers by enacting "broadcast flag" legislation. This law would allow broadcasters to invisibly protect their programs from copying and redistribution in the same way that satellite and cable providers do, so broadcasters will not be forced to limit new television programs to fee-based subscription services to make them safe from theft. But neither protecting digital programs nor inserting broadcast flags in analog programs is enough to ensure that everyone enjoys the benefits of new and expanding entertainment options. As we make the transition to digital television, we must keep in mind that the majority of U.S. consumers still use analog TVs. Therefore, digital programs still must be converted into analog for viewing on these nondigital TV sets.
When such programs are converted back to digital, say, for use with a DVD recorder, they lose their original digital protections and are exposed to unlimited illegal copying and redistribution. It is not hard to understand why producers would choose not to expand viewing options in a realm with such vulnerability to theft. Hence, we at the MPAA are urging Congress to enact the "Analog Hole" legislation. This law can help ensure that consumer choices are not undermined by the risk of theft, by laying out simple rules of the road for programming and equipment. While these issues remain to be resolved, the DMCA and related legislation have fostered a climate of unbridled innovation and development and an explosion of consumer entertainment choices. No one exposed to today's video marketplace could possibly argue that consumers do not have more and better viewing choices now than they did before the DMCA. Enacted on the eve of the 21st century, it has truly ushered in a digital millennium of incredible achievement and infinite promise.

Fritz Attaway, Executive Vice President and Special Policy Advisor, Motion Picture Association of America

From rforno at infowarrior.org Sun Jun 4 23:09:20 2006
From: rforno at infowarrior.org (Richard Forno)
Date: Sun, 04 Jun 2006 23:09:20 -0400
Subject: [Infowarrior] - Medical Privacy Law Nets No Fines
Message-ID:

Medical Privacy Law Nets No Fines
Lax Enforcement Puts Patients' Files At Risk, Critics Say
http://www.washingtonpost.com/wp-dyn/content/article/2006/06/04/AR2006060400672_pf.html
By Rob Stein, Washington Post Staff Writer
Monday, June 5, 2006; A01

In the three years since Americans gained federal protection for their private medical information, the Bush administration has received thousands of complaints alleging violations but has not imposed a single civil fine and has prosecuted just two criminal cases.
Of the 19,420 grievances lodged so far, the most common allegations have been that personal medical details were wrongly revealed, information was poorly protected, more details were disclosed than necessary, proper authorization was not obtained or patients were frustrated getting their own records. The government has "closed" more than 73 percent of the cases -- more than 14,000 -- either ruling that there was no violation, or allowing health plans, hospitals, doctors' offices or other entities simply to promise to fix whatever they had done wrong, escaping any penalty. "Our first approach to dealing with any complaint is to work for voluntary compliance. So far it's worked out pretty well," said Winston Wilkinson, who heads the Department of Health and Human Services Office of Civil Rights, which is in charge of enforcing the law. While praised by hospitals, insurance plans and doctors, the approach has drawn strong criticism from privacy advocates and some health industry analysts. They say the administration's decision not to enforce the law more aggressively has failed to safeguard sensitive medical records and made providers and insurers complacent about complying. "The law was put in place to give people some confidence that when they talk to their doctor or file a claim with their insurance company, that information isn't going to be used against them," said Janlori Goldman, a health-care privacy expert at Columbia University. "They have done almost nothing to enforce the law or make sure people are taking it seriously. I think we're dangerously close to having a law that is essentially meaningless." The debate has intensified amid a government push to computerize medical records to improve the efficiency and quality of health care. Privacy advocates say large centralized electronic databases will be especially vulnerable to invasions, making it even more crucial that existing safeguards be enforced. 
The highly touted Health Insurance Portability and Accountability Act -- known as HIPAA -- guaranteed for the first time beginning in 2003 that medical information be protected by a uniform national standard instead of a hodgepodge of state laws. The law gave the job of enforcement to HHS, including the authority to impose fines of $100 for each civil violation, up to a maximum of $25,000. HHS can also refer possible criminal violations to the Justice Department, which could seek penalties of up to $250,000 in fines and 10 years in jail. Wilkinson would not discuss any specific complaints but said his office has "been able to work out the problems . . . by going in and doing technical assistance and education to resolve the situation. We try to exhaust that before making a finding of a technical violation and moving to the enforcement stage. We've been able to do that." About 5,000 cases remain open, and some could result in fines, Wilkinson said. "There might be a need to use a penalty. We don't know that at this stage." His office has referred at least 309 possible criminal violations to the Justice Department. Officials there would not comment on the status of those cases other than to say they would have been sent to offices of U.S. attorneys or the FBI for investigation. Two cases have resulted in criminal charges: A Seattle man was sentenced to 16 months in prison in 2004 for stealing credit card information from a cancer patient, and a Texas woman was convicted in March of selling an FBI agent's medical records. Representatives of hospitals, insurance companies, health plans and doctors praised the administration's emphasis on voluntary compliance, saying it is the right tack, especially because the rules are complicated and relatively new. "It has been an opportunity for hospitals to understand better what their requirements are and what they need to do to come into compliance," said Lawrence Hughes of the American Hospital Association. 
"We're more used to the government coming down with a heavy hand where it's unnecessary," said Larry S. Fields, president of the American Academy of Family Physicians. "I applaud HHS for taking this route." But privacy advocates say the lack of civil fines has sent a clear message that health organizations have little to fear if they violate HIPAA. "It's not being enforced very vigorously," said William R. Braithwaite of the eHealth Initiative and Foundation, an independent, nonprofit research and advocacy organization based in Washington. "No one is afraid of being fined or getting bad publicity. . . . As long as they respond, they essentially get amnesty." The approach has made health-care organizations complacent about protecting records, several health-care consultants said. A recent survey by the American Health Information Management Association found that hospitals and other providers are still not fully complying, and that the level of compliance is falling. "They are saying, 'HHS really isn't doing anything, so why should I worry?' " said Chris Apgar of Apgar & Associates in Portland, Ore., a health-care industry consultant. Goldman and others also questioned why the government is not conducting more independent audits of compliance in addition to investigating complaints. "It's like when you're driving a car," said consultant Gary Christoph of Teradata Government Systems of Dayton, Ohio. "If you are speeding down the highway and no one is watching, you're much more likely to speed. The problem with voluntary compliance is, it doesn't seem to be motivating people to comply." Wilkinson's office has conducted just a "handful" of compliance reviews, an HHS spokesman said, and completed only one -- a case involving a radiology center that was dumping old files of patients into an unsecured trash bin. The center agreed to hire a company to dispose of records and no fine was levied, the spokesman said. 
Wilkinson said the size of his staff limits their ability to do much more than respond to complaints. "We've had challenges with our resources investigating complaints," he acknowledged, saying they are complaint-driven. Wilkinson added, "We've been successful with voluntary compliance so there has not been a need to go out and look." But other government regulators take a different approach, privacy advocates say. "The Securities and Exchange Commission, the Federal Trade Commission -- they find significant and high-profile cases and send a message to industry about what is permitted and what isn't," said Peter Swire, an Ohio State University law professor who helped write the HIPAA regulations during the Clinton administration. Goldman and other privacy advocates point to numerous reports of health information being made public without patients' consent, such as the recent theft of millions of veterans records that included some medical information, a California health plan that left personal information about patients posted on a public Web site for years, and a Florida hospice that sold software containing personal patient information to other hospices. In the meantime, Goldman said, surveys continue to show that for fear that their medical information will be used against them, people avoid seeking treatment when they are sick, pay for care out of pocket, or withhold important details about their health from their doctors. "The law came about because there was a real problem with people having their privacy violated -- they lost jobs, they were embarrassed, they were stigmatized. People are afraid. The law was put in place so people wouldn't have to choose between their privacy and getting a job or going to the doctor," said Goldman, who also heads the Health Privacy Project, a Washington-based advocacy group. "That's still a huge problem."

© 2006 The Washington Post Company

From rforno at infowarrior.org Mon Jun 5 09:12:50 2006
From: rforno at infowarrior.org (Richard Forno)
Date: Mon, 05 Jun 2006 09:12:50 -0400
Subject: [Infowarrior] - OT: Argh! Apocalypse is upon us! (6-6-06)
Message-ID:

Apocalypse tomorrow? 666 arrives
By Seth Borenstein
ASSOCIATED PRESS
Published June 5, 2006
http://www.washtimes.com/functions/print.php?StoryID=20060605-121953-9265r

Is tomorrow's date -- 6-6-6 -- merely a curious number, or could it mean our number is up? There's a devilishly odd nexus of theology, mathematics and commercialism on the sixth day of the sixth month of the sixth year. OK, it's just the sixth year of this millennium, but insisting on calling it 2006 takes the devil-may-care fun out of calendar-gazing. Something about the number 666 brings out the worry, the hope and even the humor in people, said the Rev. Felix Just, a professor of theology and religious studies at the University of San Francisco. A Jesuit priest, Father Just has taught both apocalyptic theory and mathematics and maintains a "666-Numbers of the Beast" Web site that contains history, theology, math and precisely 66 one-line jokes about 666. One can even make sport of it, betting online if the apocalypse will happen on that date. The good news is that one online oddsmaker has made the world a 100,000-to-1 favorite to survive tomorrow -- something that Father Just said is supported by theology. "Many people avoid the number. They're afraid of it almost, and there's absolutely no reason to be afraid of it," he said. "It is not a prediction of future events. It is not supposed to be taken as a timetable for when the world is going to end." It all started with Revelation 13:18 in the Bible: "This calls for wisdom: let him who has understanding reckon the number of the beast, for it is a human number, its number is six hundred and sixty-six." The beast is also known as the Antichrist, according to some apocalyptic theories.
Many scholars, such as Father Just, say the beast is really a coded reference -- using Hebrew letters for numbers -- for the despotic Roman emperor Nero, and 616 appears instead of 666 in some ancient manuscripts. The Book of Revelation isn't prophesying a specific end of times but "is about the overall cosmic struggle of good versus evil," Father Just said. But for some more apocalyptic theologians, the end of times is coming, even if not specifically tomorrow. The evangelical Raptureready.com Web site puts its "rapture index" at 156, calling that "fasten your seat belts" time. It's not the date June 6 that's worrisome, but the signs in our society of the approach of the 666 Antichrist, said the Rev. Tim LaHaye, founder of a self-named ministry and co-author of the best-selling "Left Behind" series of apocalyptic novels. "I don't think that people understand that 666 is not a good time," Mr. LaHaye said. He said he sees signs of an upcoming "tribulation period" that leads to the Antichrist's arrival in a movement toward one-world government, a single economic system and single religion. Apocalyptic culture and theology, especially those surrounding 666, "is especially appealing for people in an underdog situation," said Father Just. So people have looked for -- and found -- 666 in all sorts of places. Believers in the number's power have used a biblical letter-numeric code to convert the names of countless political leaders, including many popes, to come out 666, marking them as that generation's Antichrist. That includes Franklin Delano Roosevelt, John F. Kennedy, Ronald Reagan and Bill Clinton. The math of 666 is also open to biblical interpretation and manipulation. Father Just points out that 666 is the sum of all the numbers on a roulette wheel. Other oddities include variations on pi and products of prime number multiplication. There's also something special about the number 6, which in the Bible stands for man, said Brian C. 
Jones, a religion professor at Wartburg College in Iowa. "People need to lighten up about this," Mr. Jones said, adding that it's hard to take tomorrow seriously as a day of reckoning. "Monday, we always hate Mondays. Wednesday is hump day. Friday sometimes has the 13th attached to it. But Tuesdays and Thursdays, they don't ring for me as days when bad things happen or good things happen. They're filler days."

From rforno at infowarrior.org Mon Jun 5 09:59:57 2006
From: rforno at infowarrior.org (Richard Forno)
Date: Mon, 05 Jun 2006 09:59:57 -0400
Subject: [Infowarrior] - UK group says digital content should show DRM warning on label
Message-ID:

MPs in digital downloads warning

Consumers should be told exactly what they can and cannot do with songs and films they buy online, says an influential group of MPs in the UK. The All Party Parliamentary Internet Group looked at how copy protection systems restrict the way digital movies and music can be enjoyed. Labels on digital content should spell out how easy it is to move from gadget to gadget, said the report. It also called for an inquiry into the pricing schemes of online music stores.

Price point

A public inquiry organised by the MPs sought views on copy protection technologies, known as Digital Rights Management (DRM), from industry groups, consumers and media makers earlier this year. DRM systems are becoming increasingly popular as the makers of music and movies, as well as operators of online stores, try to limit piracy of copyrighted works through home computers. DRM systems can include special formats for media files or proprietary media players. For instance, a DRM system may allow a CD to be played on a PC but would not let tracks from that album be copied so they can be listened to on a portable player such as an iPod.
The MPs' report made several recommendations and called on the Office of Fair Trading to hasten the introduction of labelling regulations that would let people know what they can do with music and movies they buy online or offline. This would ensure that it was "crystal clear" to consumers what freedom they have to use the content they are purchasing and what would happen if they do something outlawed by the protection system. The same labelling systems would also spell out what happened in the event of a maker of DRM technology going bust, if a protection system became obsolete or if gadgets to play the content are replaced.

Lock and load

The report also called for the makers of DRM systems to be made aware of the consequences of using aggressive copy protection systems. This recommendation was made because, as the report was being drawn up, information was emerging about the controversial copy protection system employed in the US by Sony BMG. This system used virus-like techniques to hide itself and stop CDs being copied. The row over the software ended up in the US courts. Firms employing DRM systems needed to be aware that using such systems in the UK would mean they "run a significant risk of being prosecuted for criminal actions". The MPs called on the Department of Trade and Industry to look into the prices charged for the same digital content, such as music tracks, in different countries. For instance some nations, such as the UK, pay significantly more for songs from Apple's iTunes store than customers in the US or mainland Europe. "This is somewhat at odds with the notion of the 'single market'", noted the report.

Rental agreement

A spokesman for All Party Parliamentary Internet Group said he expected a response from makers of digital content and hoped that the report would inform wider government thinking about copy protection.
In particular, he said, it would provide input for the ongoing Gowers report into intellectual property. Suw Charman, executive director of the Open Rights Group which campaigns on digital rights issues, said the organisation was pleased that the MPs had made a series of "sensible recommendations". But, she added, the group could have gone further to combat the ways that copy protection systems impinge on rights to use copyrighted material protected by law. For instance, she said, UK law allows people to make copies of parts of copyrighted works for the purposes of critiquing or reviewing them. "That's an exemption thwarted by DRM systems," she said. "The technologies are extending beyond the law they are supposed to uphold." Increasingly, said Ms Charman, consumers were bumping up against DRM technologies as they use digital media such as downloaded songs. She said that DRM was less about protecting copyright and more about creating a system in which people rent rather than own the media they spend money on. "We think people rightly feel that once they buy something, it stays bought," she said.

Story from BBC NEWS: http://news.bbc.co.uk/go/pr/fr/-/2/hi/technology/5041684.stm
Published: 2006/06/04 23:48:38 GMT
© BBC MMVI

From rforno at infowarrior.org Mon Jun 5 23:25:57 2006
From: rforno at infowarrior.org (Richard Forno)
Date: Mon, 05 Jun 2006 23:25:57 -0400
Subject: [Infowarrior] - SIRA - More secret BAD copyright legislation proposals
Message-ID:

Season of Bad Laws, Part 4: Music Services Sell Out Fair Use
June 04, 2006
http://www.eff.org/deeplinks/archives/004721.php

According to our DC sources, the House Judiciary Subcommittee on the Courts, the Internet, and Intellectual Property is planning on marking up and expediting a not-yet-introduced bill entitled the Section 115 Reform Act (aka SIRA) this coming Wednesday, June 7. Why the rush?
Because otherwise someone might notice that the bill represents an unholy alliance between the major music service providers (AOL, Yahoo, Apple, Real Networks, etc.) and music publishing industry. If the bill passes, they win, but fair use loses. SIRA's main aim is clearing the way for online music services by revising the current mechanical compulsory license set out in Section 115 of the Copyright Act to accommodate "full downloads, limited downloads, and interactive streams." So far so good, but the devil is in the details. This license specifically includes and treats as license-able "incidental reproductions...including cached, network, and RAM buffer reproductions." By smuggling this language into the Copyright Act, the copyright industries are stacking the deck for future fights against other digital technologies that depend on making incidental copies. Just think of all the incidental copies that litter your computer today -- do you have a license for every copy in your browser's cache? This is dangerous language that creates a dangerous precedent. When courts look at how copyright should apply to new digital technologies, they often have few judicial precedents for guidance and thus they turn to the Copyright Act itself for clues about how Congress views similar issues. Incidental copies made in the course of otherwise lawful activities should be treated either as outside the scope of a copyright holder's rights or as a fair use (even the Copyright Office agrees on the fair use point). But you can be sure that the copyright industries will use SIRA as a precedent to the contrary in future fights. And that's not the only dangerous, subtle change that SIRA would effect. By treating digital transmissions as "distributions" under the Copyright Act, SIRA would bolster arguments that the record industry is making in its case against XM Radio. 
What's more, the act creates a second, royalty-free compulsory license that applies to incidental copies for noninteractive streaming, subject to an important condition: the music service may not take "affirmative steps to authorize, enable, cause, or induce the making of reproductions of music works by or for end-users." Like the PERFORM Act, this would erode lawful home recording.

You'd think that everyone in the technology industry would be up in arms; however, acting through their representatives in the Digital Media Association (DiMA), major music service providers are supporting this bill because it helps clear the licensing thicket for their current services. Instead of selling out our fair use rights in an effort to cut a deal with music publishers, these companies should be fighting against these dangerous changes to the Copyright Act. We're all in favor of reforming music composition licensing, but this is the wrong way to go about it.

From rforno at infowarrior.org Mon Jun 5 23:37:29 2006
From: rforno at infowarrior.org (Richard Forno)
Date: Mon, 05 Jun 2006 23:37:29 -0400
Subject: [Infowarrior] - Wal-Mart's data center remains mystery
Message-ID:

Wal-Mart's data center remains mystery
http://www.joplinglobe.com/local/local_story_148015054/resources_printstory
CNHI News Service
By Max McCoy
Globe Investigative Writer

JANE, Mo. - Call it Area 71.

Behind a fence topped with razor wire just off U.S. Highway 71 is a bunker of a building that Wal-Mart considers so secret that it won't even let the county assessor inside without a nondisclosure agreement. The 125,000-square-foot building, tucked behind a new Wal-Mart Supercenter, is only a stone's throw from the Arkansas line and about 15 miles from corporate headquarters in Bentonville, Ark. There is nothing about the building to give even a hint that Wal-Mart owns it.
Despite the glimpses through the fence of manicured grass and carefully placed trees, the overall impression is that this is a secure site that could withstand just about anything. Earth is packed against the sides. The green roof - meant, perhaps, to blend into the surrounding Ozarks hills - bristles with dish antennas. On one of the heavy steel gates at the guardhouse is a notice that visitors must use the intercom for assistance. What the building houses is a mystery.

Speculation

Wal-Mart's ability to crunch numbers is a favorite of conspiracy theorists, and its data centers are the corporate counterpart to Area 51 at Groom Lake in the state of Nevada. According to one consumer activist, Katherine Albrecht, even the wildest conspiracy buff might be surprised at just how much Wal-Mart knows about its customers - and how much more it would like to know.

"We were contacted about two years ago by somebody who runs a security company that had been asked in a request for proposals for ways they could link video footage with customers paying for their purchases," Albrecht said. "Wal-Mart would actually be able to view photos and video of customers paying, say, for a pack of gum. At the time, it struck me as unbelievably outlandish because of the amount of data storage required."

But Wal-Mart, according to a 2004 New York Times article, had enough storage capacity to contain twice the amount of all the information available on the Internet. For the technically minded, the exact amount was for 460 terabytes of data. The prefix tera comes from the Greek word for monster, and a terabyte is a trillion bytes, the basic unit of computer storage.

Albrecht, founder of Consumers Against Supermarket Privacy Invasion and Numbering, said she never could confirm the contractor's story. That is not surprising, since Wal-Mart seldom comments on its data capabilities and operations.
A Globe request for information about the Jane data center was referred at Wal-Mart headquarters to Carrie Thum, a senior information officer and former lobbyist for the retailer. "This is not something that we discuss publicly," Thum said. "We have no comment. And that's off the record."

Skeleton crew

The Jane data center is an enigmatic icon to the power of data, which has helped Wal-Mart become the largest retailer in the world, and to the corporation's growing secrecy since founder Sam Walton's death in 1992. When Wal-Mart constructed its primary data center at corporate headquarters in 1989, it wasn't much of a secret: It was the largest poured concrete structure in Arkansas at the time, and Walton himself ordered a third story.

"Not only had we completely designed it, we were under construction," said Bill Ferguson, a founder of Askew Nixon Ferguson Architects in Memphis, Tenn. "They were pouring foundations, and Sam walked across the parking lot one Friday at the end of the day and said, 'You know, let's add a third floor and put some people up there.'"

Ferguson said the Bentonville data center is built on bedrock and is designed to withstand most natural and man-made disasters, but is not impregnable. The biggest danger, he said, is the area's frequently violent thunderstorms. "We studied making it tornado-proof, which is difficult," he said. "We calculated the probability of a category 5 tornado hitting it, which was less likely than an airplane crashing into it head-on. At the time, they decided not to." Since then, Ferguson said, changes have been made to increase the integrity of the structure. The data center was designed with backup generators, fuel on site, and room and board for a skeleton crew in the event an emergency required an extended stay.
Ferguson said his firm learned to design data centers by working with FedEx, which also is based in Memphis, and that the 1989 Wal-Mart data center was built so that it could communicate via any means available - including copper wire, fiber optics and satellites. The firm no longer works with Wal-Mart, and Ferguson said he had no knowledge of the design or purpose of the data center in Jane. But he suggested that Jim Liles, a Memphis engineer, might know.

Liles said he was a consultant on the Jane project, and that Crossland Construction was the contractor, but he was reluctant to say much else. "As far as what its purpose is, all that has to come from Wal-Mart," Liles said. Crossland Construction, based in Columbus, Kan., said Tim Oelke of the company's Rogers, Ark., office had been in charge. Oelke did not return a phone call seeking comment.

'Never saw a plan'

The data center was completed in 2004 and was part of a project that included the Supercenter, which opened early last year, and a warehouse. The resulting economic impact on McDonald County, known for its rolling hills and lazy rivers, is difficult to underestimate, said Rusty Enlow. "Just a few years ago, one new store would have been a big deal," Enlow said. "And I'm not talking about a Supercenter. Just a gas station would have generated excitement." Now, Enlow said, the county's tax base has doubled, and land is going for about $2,100 an acre, about twice what it was before the project was announced in 2001.

Enlow is chairman of the county planning commission, a body created by popular vote in 1964 but which had not met until this month. Enlow said he doesn't know why the commission never met, but he believes it was because whatever problem prompted its creation was solved before the board was appointed.
He also said he's not sure the planning commission has any real authority, or would want any (there is no zoning in the county), but that he and the other 18 members are eager to bring even more business into the county. "It seems with the opening of that store there has just been a lot of activity," he said. "McDonald County has always been a poor county, but we are in an excellent position now. We're a friendly place, and we're open to things." Wal-Mart, Enlow said, had created a business synergy that was helping the county of 22,000 shed its hillbilly stereotype.

Enlow was director of the McDonald County Economic Development Council when Wal-Mart quietly began scouting for land. Only after the land had been bought south of the then-unincorporated community of Jane was it announced that the project was Wal-Mart's, and even then, plans for the data center were closely held. "I never even saw a plan on it," Enlow said. But Enlow said he watched during the construction of the data center, and that it appeared to be a single-story building that was built "like a bunker," with mounds of earth piled against the sides. He later was told that it would employ 15 to 20 people, and that the building was for data storage.

To facilitate the project, the Missouri Department of Transportation agreed to widen Highway 71 to four lanes from Jane to the Arkansas line; a grant was used to expand the public water district; and the Army Corps of Engineers approved a request to fill in a small portion of wetland along Bear Hollow Road. Meanwhile, the village of Jane incorporated.

In April 2005, Wal-Mart used the 160,000-square-foot Supercenter to demonstrate its micro-merchandising capabilities as part of a media conference. Employees demonstrated hand-held Telxon (pronounced Tel-zon) computers, which resemble hand scanners but hold a year's worth of a particular store's sales history on every item. The devices help store managers decide what to stock.
Bananas are Wal-Mart's best-selling produce product nationwide, but at Jane, the top seller was lettuce, Supermarket News reported after the event.

'Secretive'

Bill Wilson, McDonald County presiding commissioner, said he has never been inside the green-roofed data center, and that to his knowledge, only one county official has: Assessor Laura Pope. "I had to sign a document saying that I wouldn't talk about what's in there," Pope said. "I've never been in a situation to tour anything like that before. I don't want to be secretive about it. Basically, it houses computer equipment."

Pope said she had never been asked to sign a nondisclosure agreement before in her job as assessor, and that she didn't keep a copy. She said she didn't appraise the building and equipment, but rather came to an agreement with Wal-Mart on what it was worth. They agreed that the data center would be worth $10.7 million at fair market value, she said. The equipment inside the center was judged to be worth nearly three times as much: $31.7 million. The taxes that Wal-Mart paid last year on the data center totaled just more than $500,000: $128,091 for the real estate and $373,091 for the equipment. Pope said she did not place a value on the data stored at the building.

At an estimated worth of $42.4 million, is the Wal-Mart data center at Jane important enough to the infrastructure of the state - or the country - to be on Missouri's list of critical assets? Paul Fennewald, Missouri Homeland Security coordinator, said the list is confidential, and that he could neither confirm nor deny that the Jane building is on it. He did say that the list includes 4,000 to 4,500 sites across the state.

'Retail surveillance'

Albrecht, the consumer activist, said that when the contractor came to her with the story about Wal-Mart wanting to biometrically identify customers through video, one of the reasons given was to help law enforcement.
"You could search for all sales of a particular kind of rope and get a photo of who bought it," she said. "On the other end, you could research all of the purchases of a particular individual, even if they paid in cash."

Albrecht is the co-author of "Spychips," about the use of RFID, or radio frequency identification devices, by the government and corporations to track individuals. She lives in Nashua, N.H., and is getting ready to receive a doctorate of education in consumer education.

"To the best of our knowledge, the only consumer-level item that is (RFID) tagged at Wal-Mart are Hewlett-Packard products and some Sanyo television sets," she said. "Now, the privacy implications of that are fairly trivial, because you're not going to be walking down the street carrying your printer box in your back pocket."

But in 2003, she said, Wal-Mart did two experiments using RFID on smaller items: razor blades and lipstick. At Brockton, Mass., Albrecht said, the company used a surveillance camera on a shelf that was linked to chips in packages of razor blades. When someone picked up a package, she said, the shelf camera would be activated. Another camera would take a mug shot of the customer at the checkout stand. At Broken Arrow, Okla., she said, the company linked devices in packages of lipstick that triggered a camera that allowed the lipstick manufacturer to watch consumers on live video. The experiments apparently were aimed at decreasing theft or for use in merchandise research, she said.

"Since 1999, I've been working on a phenomenon called retail surveillance, which is a whole panoply of technologies that are being secretly deployed," she said. "I think most people, when they learn about these technologies, are quite disturbed. There's a sense that when you enter a retail space, you should retain some degree of privacy."
But, Albrecht said, there's a push among retailers to collect as much information about their customers as possible - and to keep the lower-profit individuals, known as "barnacles" and "bottom-feeders," away. "There's a lot of hand-wringing about how we can find out even more about our customers," she said. "And to the extent that Wal-Mart may be creating the ability to monitor consumers by RFID and identify them by video, I'm extremely concerned. ... If that's the case, they would need that kind of data storage."

Wal-Mart's stand on RFID

"Electronic product codes (EPCs) can best be described as the next generation of bar codes. Unlike current bar codes, which only share that a carton contains product XYZ, EPCs can identify one box of product XYZ from another box of product XYZ.

"This is possible because EPCs are powered by radio frequency identification or RFID. EPCs do not track customers. ... EPCs assist retailers in more closely monitoring where products are as they move from manufacturers to warehouses to a store's backroom.

"This helps us do a better job of having the right products on the shelves when you come to buy them."

Source: www.walmart.com

Copyright © 1999-2006 cnhi, inc.

From rforno at infowarrior.org Tue Jun 6 09:03:19 2006
From: rforno at infowarrior.org (Richard Forno)
Date: Tue, 06 Jun 2006 09:03:19 -0400
Subject: [Infowarrior] - Google Spreadsheets
Message-ID:

(...not sure I'd be comfy using this for a business or anything proprietary, but interesting challenge to Microsoft, for sure......rf)

Creating spreadsheets

Create basic spreadsheets from scratch. You can start from scratch and do all the basics, including changing the number format, sorting by columns, and adding formulas.

Upload your spreadsheet files. Upload spreadsheets or worksheets from CSV or XLS format - all your formulas and formatting will come across intact.

Familiar desktop feel makes editing a breeze.
Just click the toolbar buttons to bold, underline, change the font, change the cell background color and more.

http://www.google.com/googlespreadsheets/tour1.html

From rforno at infowarrior.org Tue Jun 6 12:43:16 2006
From: rforno at infowarrior.org (Richard Forno)
Date: Tue, 06 Jun 2006 12:43:16 -0400
Subject: [Infowarrior] - Hilary Rosen's Change of Heart
Message-ID:

The Supreme Wisdom of Not Relying on the Court
http://www.huffingtonpost.com/hilary-rosen/the-supreme-wisdom-of-not_b_3221.html

The entertainment industry is anticipating -- as early as tomorrow -- a decision in the "MGM v Grokster" case. This is a case about whether or not those businesses creating and promoting P2P software for file-sharing are liable for the infringements of copyright made by the users on their networks. This is a big case with lots of money poured into it from all sides. It is said that the Supreme Court's decision will be one of the most important copyright cases ever on the books. I think it has all the makings of being famous for another reason. Because while the victory of whoever wins may be important psychologically, it just won't really matter in the marketplace.

I was Chairman and CEO of the RIAA when we developed the case almost five years ago. Suffice to say it was a frustrating time. Napster had been shut down rather than be licensed by the record companies and here were a whole group of new services that specifically avoided the legal frailties that Napster demonstrated in court. I thought that there was a need for a legal ruling at the time, but I also expected so much progress in the marketplace.

So why won't this case matter now in the marketplace? Because by now SEVERAL HUNDRED MILLION copies of this software that the entertainment industry would like to vanquish have been downloaded to individual computers around the world. (They go by names like Grokster, Morpheus, Limewire, eDonkey, Bit Torrent, Kazaa, etc.)
And each time, there is a successful enforcement or a new way to catch the developers with copyright liability, they reinvent themselves and generate another two or three year court proceeding. And now, a majority of them are hosted outside the United States. There is no court ruling whose enforcement can keep up with this. Sure, it might affect some venture capitalist deciding where to put money for a product. But none of these services since Napster have required venture money. They grow organically, because they are serving a still unserved desire. Do people like free content, sure, but they also like content. All the stuff - when they want it - to feel like free even if it might not be free.

What about the consumer you say? Oh yeah, us. Well, what the consumer wants has been ignored far too often by both of these sides. The technology industry makes money from hardware and software innovation. They have seen that with enough "innovation" their consumers can get all the content they want for free without it really being the tech industry's problem to worry about the investment required to make that content. And those that do try to find common ground and acknowledge that there can be good guys and bad guys in their business as well, get so quickly attacked by their own that they withdraw. And the entertainment industry is still far too often spending time comparing the profit margins and risk of new ideas to an earlier time when the world was less digital.

So here is the crux of the problem. These services have traffic at a rate 40 to 50 times the traffic of legitimate sites. Yet, the amount of time and money wasted on besting the game by the entertainment and technology industries is huge. This volume needs to be embraced and managed because it cannot be vanquished. And a tone must be set that allows future innovation to stimulate negotiation and not just confrontation. Sure iTunes is great but it doesn't have enough songs at its music store.
And when you find songs you want at other stores like Yahoo, Rhapsody, Napster and AOL, you can't put them in your iPod without denigrating the sound quality and working around the system set up to prevent you from doing just such a thing. And none of these services have all of the live recordings and bootleg tracks that I have said, since the days of Napster, is one of the most appealing aspects of P2P services.

And don't get me started on the movie business. I have met countless times, at their request, with the studio CEOs to discuss ways to avoid the mistakes the music industry made. The studios have the potential to learn from past problems. Unlike the record industry which had relied almost solely on physical sales, the studios have been more sophisticated businesses that relied on multiple revenue streams for a long time. But, illegal movie downloading is growing so rapidly, and consumer alternatives are nowhere near on the front burner as they should be. The central premise that tech will "wait until we are ready with our business models" is not going to work for the movie and television industries either.

So what the consumer is left with now are a few legitimate services that offer some great content and lots more illegal P2P choices that offer ALL the content plus a healthy dose of spyware, bad files and unwanted risk. These are not legal decisions or trade association PR responsibilities on either side. They are fundamentally business issues that must be addressed in the marketplace. The entertainment industry has no choice right now but to speed up its licensing activity and risk-taking and the tech industry should start caring that they are not helping their customers when the easiest way to get entertainment content is to also accept spyware, viruses, and bad files in the process. Sure there are some promising things happening, but they are not being embraced nearly fast enough. All the wisdom of the Supreme Court will not change that bottom line.
______________________________________________________________________

*for those who haven't heard the basics - P2P services create a network of users who can connect directly to each other. Napster relied on a central server to distribute all the files therefore creating a record of each transaction. Therefore, the owners of these services like Grokster argue they have no control over what their users are doing. The copyright community argues that it is the copyrighted works that draw users to the P2P services and the services are creating a sham ignorance since they profit from the users on their network though the sale of advertising and use of spyware ad and they have demonstrated control over the years of their network through software updates, porn rules, etc. There are certainly more arguments on both sides than these and I won't go into the details. If you are interested in the details go to MPAA.org, MUSICunited.org, and EFF.org.

From rforno at infowarrior.org Tue Jun 6 17:52:06 2006
From: rforno at infowarrior.org (Richard Forno)
Date: Tue, 06 Jun 2006 17:52:06 -0400
Subject: [Infowarrior] - Hack Attack: Turn your $60 router into a $600 router
Message-ID:

Hack Attack: Turn your $60 router into a $600 router
http://www.lifehacker.com/software/router/hack-attack-turn-your-60-router-into-a-600-router-178132.php

From rforno at infowarrior.org Tue Jun 6 18:45:49 2006
From: rforno at infowarrior.org (Richard Forno)
Date: Tue, 06 Jun 2006 18:45:49 -0400
Subject: [Infowarrior] - Senate won't quiz telecoms about NSA spying
Message-ID:

Senate won't quiz telecoms about NSA spying
By Anne Broache
http://news.com.com/Senate+wont+quiz+telecoms+about+NSA+spying/2100-1028_3-6080646.html
Story last modified Tue Jun 06 14:55:38 PDT 2006

A prominent Republican senator on Tuesday backed away from his pledge to question executives from telecommunications companies that have allegedly been cooperating with the government's secret wiretapping program.
Arlen Specter said that after discussions with the Bush administration and Senate Intelligence Committee colleagues who had been more fully briefed on the National Security Agency program, he was "prepared to defer on a temporary basis" requiring representatives from AT&T, Verizon Communications and BellSouth to testify before the Senate Judiciary Committee, which he leads.

The Pennsylvania senator, who had emerged as one of the few vocal Republican skeptics of the warrantless surveillance, had promised to organize such a hearing after USA Today reported last month that the nation's three leading telecom companies had opened up their lines to the NSA. (Some of those companies have since denied their participation.) He said Tuesday that the companies voiced willingness to discuss the topic in a closed session but wouldn't be able to reveal classified information, which he found "insufficient and unacceptable."

Specter said he was willing to suspend the inquiry largely because Vice President Dick Cheney had provided assurances that the White House would be more receptive to pending legislation--including a proposal chiefly backed by Specter himself--that would send the existing NSA program and all future surveillance plans to a special court for review of their constitutionality.

That decision, announced at an afternoon committee meeting, clearly startled a number of Specter's Democratic colleagues. "Why don't we just recess for the rest of the year...and simply say we'll have no more hearings, and Vice President Cheney will just tell the nation what laws we'll have--he'll let us know which laws will be followed and which laws will not be followed," deadpanned Patrick Leahy, the committee's ranking Democrat. "Heck, it's a nice time in Vermont this time of year. That'd make my life a lot easier."

Specter said that he didn't intend to abandon scrutiny of the program.
He said the committee is currently negotiating a time for next week or the week after to bring in Attorney General Alberto Gonzales again and plans to ask him about the telecom companies' involvement.

Had enough committee members been present to allow for it, Massachusetts Democrat Ted Kennedy said, he would have ordered a formal vote on whether to summon the telecom companies--although he acknowledged such an idea would likely be defeated. The committee wants to learn "not who's listening on who; we're not trying to find out what is happening on the telephones, but what is the legal and constitutional justification that was given to those companies," Kennedy said. "If we don't have a responsibility to deal with that, who in the world does?"

Of the four Democrats present, only Calif. Sen. Dianne Feinstein--an Intelligence Committee member who said she'd been briefed "very thoroughly" on the program--said she agreed with Specter's decision. "I don't know what would be served by issuing a subpoena here," she said. "It seems to me that the Intelligence Committee having reviewed that program knows what questions to ask, and they cannot be asked in open session." She did suggest, however, that the Intelligence Committee bring in the telecom company representatives for its own private round of questioning.

Copyright ©1995-2006 CNET Networks, Inc. All rights reserved.

From rforno at infowarrior.org Wed Jun 7 07:59:02 2006
From: rforno at infowarrior.org (Richard Forno)
Date: Wed, 07 Jun 2006 07:59:02 -0400
Subject: [Infowarrior] - Data on 2.2M Active Troops Stolen From VA
Message-ID:

Data on 2.2M Active Troops Stolen From VA
http://apnews.myway.com/article/20060607/D8I32RVO1.html
Jun 6, 9:37 PM (ET)
By HOPE YEN

WASHINGTON (AP) - Personal data on about 2.2 million active-duty military, Guard and Reserve personnel - not just 50,000 as initially believed - were among those stolen from a Veterans Affairs employee last month, the government said Tuesday.
VA Secretary Jim Nicholson said the agency was mistaken when it said over the weekend that up to 50,000 Navy and National Guard personnel - and no other active-duty personnel - were affected by the May 3 burglary. In fact, names, birth dates and Social Security numbers of as many as 1.1 million active-duty personnel from all the armed forces - or 80 percent of all active-duty members - are believed to have been included, along with 430,000 members of the National Guard, and 645,000 members of the Reserves.

"VA remains committed to providing updates on this incident as new information is learned," Nicholson said in a statement, explaining that it discovered the larger numbers after the VA and Pentagon compared their electronic files more closely. His announcement came shortly after the Pentagon distributed a briefing memo to Congress - obtained by The Associated Press - that said the 50,000 figure cited over the weekend was understated.

The disclosure is the latest in a series of revisions by the government as to who was affected since publicizing the burglary on May 22. At the time, the VA said the stolen data involved up to 26.5 million veterans discharged since 1975, as well as some of their spouses.

It also came as a coalition of veterans' groups charged in a lawsuit against the federal government Tuesday that their privacy rights were violated by the theft. The class-action lawsuit, filed in U.S. District Court in Washington, is the second suit since the VA disclosed the burglary two weeks ago.

Veterans advocates immediately expressed outrage. "The magnitude of this data breach is simply breathtaking and overwhelming," said Rep. Lane Evans, D-Ill., the top Democrat on the House Veterans' Affairs Committee. He called on the Government Accountability Office, Congress' investigative arm, to launch an investigation and get a full accounting.
"Instead of continuing to eke out the information, drip by drip, on an almost daily basis, adding to the list of those whose personal information is at risk, the Department of Veterans Affairs must get to the bottom of this now, fix the problem and put veterans' minds at ease," he said.

Joe Davis, a spokesman for Veterans of Foreign Wars, said the VA must come clean after three weeks of "this debacle." "This confirms the VFW's worst fear from day one - that the loss of data encompasses every single person who did wear the uniform and does wear the uniform today," he said.

In the VA statement, Nicholson said the total number of military personnel affected by the theft - 26.5 million - remains unchanged. The VA initially assumed its data would only include veterans, but upon closer investigation it realized it had records for active-duty personnel because they are eligible to receive certain VA benefits such as GI Bill educational assistance and the home loan guarantee program. The VA previously has said that veterans discharged before 1975 might also be affected if they submitted claims.

The lawsuit filed Tuesday demands that the VA fully disclose which military personnel are affected by the data theft and seeks $1,000 in damages for each person - up to $26.5 billion total. The veterans are also seeking a court order barring VA employees from using sensitive data until independent experts determine proper safeguards. "VA arrogantly compounded its disregard for veterans' privacy rights by recklessly failing to make even the most rudimentary effort to safeguard this trove of the personally identifiable information from unauthorized disclosure," the complaint says.

In response to the lawsuit, the VA said it is in discussions with credit-monitoring services to determine "how veterans and others potentially affected can best be served" in the aftermath of the theft, said spokesman Matt Burns.
Maryland authorities, meanwhile, announced they were offering a $50,000 reward for information leading to the return of the laptop or media drive taken during the May 3 burglary at a VA data analyst's home in Aspen Hill, Md.

Veterans groups have criticized the VA for a three-week delay in publicizing the burglary. The VA initially disclosed the burglary May 22, saying it involved the names, birth dates and Social Security numbers - and in some cases, disability codes - of veterans discharged since 1975. Since then, it also has acknowledged after an internal investigation that the data could also include phone numbers and addresses of those veterans. There have been no reports that the stolen data have been used for identity theft in what has become one of the nation's largest security breaches.

On Tuesday, the Montgomery County, Md., police department stepped up efforts to apprehend the burglars, asking the public to contact authorities if they recently purchased a used Hewlett-Packard laptop or HP external drive. Anyone who purchased a used Hewlett Packard Laptop model zv5360us or HP external personal media drive after May 3 was asked to call Montgomery County Crime Solvers at 1-866-411-TIPS (8477). Anyone with the stolen equipment can turn it in anonymously and become eligible for the $50,000 reward, police said.

The five veterans' groups involved in the lawsuit are Citizen Soldier in New York; National Gulf War Resource Center in Kansas City; Radiated Veterans of America in Carson City, Nev.; Veterans for Peace in St. Louis; and Vietnam Veterans of America in Silver Spring, Md. Separately, a Democratic activist also has sued the VA in federal court in Cincinnati.
From rforno at infowarrior.org Wed Jun 7 08:01:41 2006 From: rforno at infowarrior.org (Richard Forno) Date: Wed, 07 Jun 2006 08:01:41 -0400 Subject: [Infowarrior] - Google.com blocked as vise tightens on Internet users Message-ID:

6 June 2006 Google.com blocked as vise tightens on Internet users SOURCE: Reporters sans frontières (RSF), Paris http://cryptome.cn/china-vise.htm

**For further information on Internet companies' activities in China, see alerts of 28 and 19 April, 17 and 15 February and 10 January 2006, 29 July 2004, 3 December 2003 and 13 December 2002**

(RSF/IFEX) - Reporters Without Borders has condemned the current unprecedented level of Internet filtering in China, which means the Google.com search engine can no longer be accessed in most provinces - although the censored Chinese version, Google.cn, is still accessible - and software designed in the United States to get round censorship now only works with great difficulty. The organisation also deplored the fact that the 17th anniversary of the Tiananmen Square massacre on 4 June 2006 has been used to tighten the vise on Chinese Internet users.

"It was only to be expected that Google.com would be gradually sidelined after the censored version was launched in January," Reporters Without Borders said. "Google has just definitively joined the club of western companies that comply with online censorship in China. It is deplorable that Chinese Internet users are forced to wage a technological war against censorship in order to access banned content."

Internet users in many major Chinese cities have had difficulty in connecting to the uncensored international version of Google for the past week. The search engine was totally inaccessible throughout the country on 31 May. The blocking then gradually extended to Google News and Google Mail. So the Chinese public is now reduced to using the censored Chinese versions of these services.
At the same time, the authorities have largely managed to neutralise software designed to sidestep censorship since 24 May. Such software as Dynapass, Ultrasurf, Freegate and Garden Networks is normally used by about 100,000 people in China to gain access to news and information that is blocked by the firewall isolating China from the rest of the worldwide web. Bill Xia, the US-based exile who created Dynapass, said the jamming of these programmes had reached an unprecedented level and he was convinced the authorities were deploying considerable hardware and software resources to achieve it. Software engineers based abroad have been trying to update these programmes on the basis of information they have received from Internet users inside China. A new version of Dynapass was released a few days ago, but its effectiveness is still extremely limited.

For further information, contact Julien Pain, RSF Internet Desk, 5, rue Geoffroy Marie, Paris 75009, France, tel: +33 1 44 83 84 71, fax: +33 1 45 23 11 51, e-mail: internet[at]rsf.org, Internet: http://www.internet.rsf.org

The information contained in this alert is the sole responsibility of RSF. In citing this material for broadcast or publication, please credit RSF.

_________________________________________________________________

DISTRIBUTED BY THE INTERNATIONAL FREEDOM OF EXPRESSION EXCHANGE (IFEX) CLEARING HOUSE 555 Richmond St.
West, # 1101, PO Box 407 Toronto, Ontario, Canada M5V 3B1 tel: +1 416 515 9622 fax: +1 416 515 7879 alerts e-mail: alerts[at]ifex.org general e-mail: ifex[at]ifex.org Internet site: http://www.ifex.org/

_________________________________________________________________

From rforno at infowarrior.org Wed Jun 7 08:46:30 2006 From: rforno at infowarrior.org (Richard Forno) Date: Wed, 07 Jun 2006 08:46:30 -0400 Subject: [Infowarrior] - Justice Official Mum on Possible Prosecution of Journalists Message-ID:

Silence Angers Judiciary Panel Justice Official Mum on Possible Prosecution of Journalists http://www.washingtonpost.com/wp-dyn/content/article/2006/06/06/AR2006060601303_pf.html By Walter Pincus Washington Post Staff Writer Wednesday, June 7, 2006; A05

Senior Republican and Democratic members of the Senate Judiciary Committee sharply criticized a Justice Department official yesterday for refusing to say whether the Bush administration has ever considered prosecuting journalists for publishing leaked national security information. The senators also bristled when Deputy U.S. Attorney Matthew W. Friedrich declined to answer questions about the rationale for the FBI's attempts to review the papers of the late columnist Jack Anderson.

"You're basically taking what would be called a testifying Fifth Amendment. You should be ashamed of yourself, or your superiors should be ashamed of themselves," Sen. Patrick J. Leahy (D-Vt.) told Friedrich after he declined to answer questions from committee Chairman Arlen Specter (R-Pa.) and Sen. Charles E. Grassley (R-Iowa).

The purpose of the hearing, Specter said in opening the session, was to examine Justice Department efforts to control leaks, explore suggestions that newspapers and their reporters can be prosecuted under the 1917 Espionage Act and take comment on legislation that would protect reporters through a shield law. The law would provide an exception if national security matters were involved.
Friedrich, in his opening statement, confirmed that the Justice Department was prepared to investigate and prosecute leaks, but referred to Attorney General Alberto R. Gonzales's recent statement that the "primary focus is on the leakers of classified information, as opposed to the press." When Friedrich confirmed that the department thought that journalists or "anyone" could be prosecuted under the Espionage Act for publishing classified information, Specter asked specifically about whether the law could be applied to reporter James Risen of the New York Times, the newspaper that published an article in December about the National Security Agency's warrantless surveillance program. "Obviously, Senator, I can't comment as to any particular case or specific matter," Friedrich said. He added that espionage laws "do not exempt . . . any class of professional, including reporters, from their reach." Specter then asked, without specifying a particular case, whether the department, under Gonzales or former attorney general John D. Ashcroft, ever considered prosecuting a newspaper or reporter for publishing leaked classified information. "I don't think it would be appropriate for me to give an indication one way or another, and I hope people don't read anything into my answer one way or another," Friedrich said. But after a short lecture from Specter, he added that it was his "understanding" that there were historical examples of officials considering whether to prosecute journalists. "I'm not interested in history this morning," Specter responded. "I'm interested in current events." Grassley sought to follow up on questions he had posed to FBI Director Robert S. Mueller III at a hearing last month about the bureau's attempts to access Anderson's files. Friedrich declined to answer but said that "hopefully the bureau will be submitting some type of factual submission to you on that." 
Grassley responded: "I would think that the department would send somebody here to testify that could answer our questions if they [had] any respect for this committee whatsoever." Friedrich told Specter that the department is studying a policy on issuing subpoenas for documents from the estate of a deceased reporter such as Anderson. He also said that Justice continues to maintain that no new legislation is needed to protect reporters, but said he will "take a closer look" at a bill now before the committee that would shift the decision to subpoena journalists from the executive branch to a judge.

Yesterday afternoon, Specter also put off a vote on issuing subpoenas for executives of three telephone companies to testify on whether they cooperated in the NSA warrantless surveillance program by providing records of millions of phone calls.

© 2006 The Washington Post Company

From rforno at infowarrior.org Wed Jun 7 12:48:48 2006 From: rforno at infowarrior.org (Richard Forno) Date: Wed, 07 Jun 2006 12:48:48 -0400 Subject: [Infowarrior] - Tiscali music site closes due to "interactivity" complaints by IFPI Message-ID:

...this is a new one for looniness. -rf

Internet firm Tiscali has suspended its music sharing Juke Box and accused the European recording industry of being "virtually impossible to work with". It took the move after it was told to remove the service's search by artist.

< - >

http://news.bbc.co.uk/1/hi/entertainment/5055744.stm

From rforno at infowarrior.org Wed Jun 7 15:06:20 2006 From: rforno at infowarrior.org (Richard Forno) Date: Wed, 07 Jun 2006 15:06:20 -0400 Subject: [Infowarrior] - Is DRM just a consumer rights issue? Message-ID:

# Is DRM just a consumer rights issue affecting your record collection? A UK board is treating it as such. But it's much more important than that.

http://technocrat.net/d/2006/6/6/4149

Before Gutenberg, copyists, using pen and ink, duplicated written political dialogue laboriously.
Only the wealthy and the church could afford to employ copyists, and during this period the paucity of communications limited the exercise of democracy to small groups. The advent of Gutenberg's press made the mass distribution of written political dialogue possible. People vote based on what they hear and read, and the improvement in communications brought by the press made egalitarian mass democracy possible. It is thus no surprise that the first amendment to the U.S. Constitution protects the freedom of the press.

Within the last century, electronic communications have increasingly become the vehicle of democratic discourse. Because radio and television broadcasting are expensive with limited frequencies available, the wealthy have dominated broadcasting. The Internet and World Wide Web place into the common man's hands the capability of global electronic broadcasting. Clearly, the Internet is the most important tool of democracy since Gutenberg developed movable type. In order to protect democratic discourse in the future, the Internet must remain a fair and level playing field for the distribution of political speech. The full capability of the Internet must remain available to all, without restriction by religious, business, or political interests.

A number of "Internet radio" and "streaming TV" devices and programs have become available today. Most of the products sold for this purpose only receive stations that have been enabled through the gateway site of the product's manufacturer. The devices are sold below their real cost, because the manufacturers of these products get a royalty from all of the stations that the product is allowed to carry. Thus, the manufacturer of an Internet radio or TV will control what stations their product provides access to, and what political viewpoints are available via the product. Most of these products use proprietary file formats to lock out anything the manufacturer doesn't control.
One day in the future, most of us will receive text, audio, and video programming via the Internet, either wired or wireless. Imagine the problem for democracy if, when that day dawns, the manufacturers of our access devices are a few companies that have attained a market lock on Internet broadcasting, thus determining what political viewpoints the electorate can receive. Unfortunately, the trend is for law to further restrict any attempt to circumvent a manufacturer's choice of what programs you will be able to receive, through protection of their proprietary formats in the name of "eliminating piracy". DMCA does it today, Barbara Boxer's PERFORM act, and the WIPO broadcasting treaty will soon add to the burden. The $250,000 fine attached to DMCA and the associated legal defense costs would be enough to bankrupt most people, and there's jail time too. A tiered Internet would further limit your choices.

So, if you think DRM only affects your music collection, think again. It affects the very core of democracy.

Bruce Perens

From rforno at infowarrior.org Wed Jun 7 21:04:20 2006 From: rforno at infowarrior.org (Richard Forno) Date: Wed, 07 Jun 2006 21:04:20 -0400 Subject: [Infowarrior] - Microsoft's antipiracy tool phones home daily Message-ID:

Microsoft's antipiracy tool phones home daily By Joris Evers http://news.com.com/Microsofts+antipiracy+tool+phones+home+daily/2100-1016_3-6081286.html Story last modified Wed Jun 07 17:25:54 PDT 2006

Microsoft has vowed to better disclose the actions of its antipiracy tool once it is installed on Windows PCs. The tool, called Windows Genuine Advantage Notifications, is designed to validate whether a copy of Windows has been legitimately acquired. However, it also checks in with Microsoft on a daily basis, the company confirmed Wednesday. This has alarmed some people, such as Lauren Weinstein, a civil liberties activist, who likened it to spyware in a blog posting. Microsoft disputes that notion.
It said that WGA's regular call home is innocent and done for necessary maintenance purposes. "The WGA Notifications program checks a server-side configuration setting to determine if WGA should run or not," a company representative said in an e-mailed statement. "As part of the pilot, this gives Microsoft the ability to disable the program if necessary." No meaningful data is exchanged during the check-in with Microsoft, which happens after a computer starts up, the software maker said. Regardless, the company does receive a user's IP address and a timestamp, Weinstein said in his blog posting. "We can argue about whether or not the tool's behavior is really spyware," Weinstein wrote on his blog Tuesday. The question is whether or not Microsoft has provided sufficient notice, he added. Microsoft acknowledged that it has not been forthcoming enough about the antipiracy tool's behavior, but countered that its tool is not spyware, since it is not installed without a user's consent and has no malicious purpose. Still, Microsoft is considering several options to make its actions clear to the user, including amending the software license, the company representative said. Microsoft launched WGA in September 2004 and has gradually expanded the antipiracy program. It now requires validation before Windows users can download additional Microsoft software, such as Windows Media Player and Windows Defender. Validation is not required for security fixes. Originally, people only had to validate their Windows installation when downloading additional Microsoft software. Since November last year, however, Microsoft has been pushing out the WGA Notifications tool along with security updates to people in a number of countries. The first time that a user runs WGA Validation to check if their version of Windows is genuine, the information sent to Microsoft is the Windows XP product key, PC maker, operating system version, PC bios information and the user's local setting and language. 
Microsoft discloses that this information is sent in the WGA tool license.

Copyright ©1995-2006 CNET Networks, Inc. All rights reserved.

From rforno at infowarrior.org Wed Jun 7 21:10:10 2006 From: rforno at infowarrior.org (Richard Forno) Date: Wed, 07 Jun 2006 21:10:10 -0400 Subject: [Infowarrior] - US branch of "Pirate Party" launches Message-ID:

Pirate Party Facts Founded: June 6, 2006

Why We Call Ourselves A Pirate Party: This is the original name of our pioneering Swedish counterpart, but it's also now common to adopt epithets as a mark of pride and identity. The RIAA and MPAA, and later the state hurled this term against people doing what comes naturally, sharing and critiquing culture. So in response, we proudly call ourselves "Pirates". Besides, pirates are just cool.

http://www.pirate-party.us/

From rforno at infowarrior.org Wed Jun 7 22:24:48 2006 From: rforno at infowarrior.org (Richard Forno) Date: Wed, 07 Jun 2006 22:24:48 -0400 Subject: [Infowarrior] - MySpace or OurSpace? Message-ID:

http://www.salon.com/mwt/feature/2006/06/08/my_space/print.html

MySpace or OurSpace? School administrators and even cops are policing the social networking site. For teens used to living their lives online, that isn't fair. By Alex Koppelman Jun. 08, 2006 |

In October, 17-year-old Dimitri Arethas posted a doctored photo on his MySpace page depicting his public high school's black vice principal as RoboCop. Arethas said he found the photo, which had a racial slur scrawled on it, on another student's Web site, and that he posted it to his own MySpace page thinking it was funny. Arethas, of Charlotte, N.C., claims he didn't mean the post to be racist and says that most of his fellow students thought the post was funny too. But one anonymous student didn't, and brought it to the attention of school administrators. As a result, Arethas says principal Joel Ritchie, who did not respond to a request for comment, suspended Arethas for 10 days.
Arethas, who says he apologized and removed the photo when he was initially confronted, was incensed by the suspension, and contacted his local paper, the Charlotte Observer, and the American Civil Liberties Union. With the help of ACLU lawyers, Arethas was able to convince the school to end the suspension. He returned after two days. "Maybe what I did was wrong, morally," Arethas said in a recent e-mail, "but I had every right to express myself. I just chose to do it as a picture, instead of rambling down the hallways yelling, 'Man! This school sucks.'" Arethas isn't the only student to be disciplined for what he posted to his MySpace profile. The past few years have seen an explosion in the number of schools taking to the Web to find out what students are saying and doing. And punishment has followed, from a Pennsylvania school that suspended one student for creating a parody MySpace profile of his principal to a California school that suspended 20 students simply for viewing one student's MySpace profile, which contained threats against another student. And some public school systems, like Illinois' Community High School District 128, are even taking steps to monitor everything their students say on sites like MySpace. According to the Chicago Tribune, under new guidelines, students who participate in extra-curricular activities will need to sign a pledge in which they agree that the school can discipline them if it finds evidence that they have posted any "illegal or inappropriate" material online. Even some police are beginning to patrol MySpace, seeing the site as an effective tool for catching teenage criminals. All of this new scrutiny poses a vital question for MySpace, which claims 76 million users and is now the largest of all the Web's social networking sites: What will happen to the site if and when users no longer feel safe expressing themselves there? 
And in an age where teenagers are accustomed to living their lives online, what will happen when they learn that what they thought was private is, in fact, public, and not without consequence? "I never thought [this] would happen," Arethas says of his suspension. "I figured only my friends would see my profile page." Most large online social networking services have undergone similar challenges as they've grown, with users feeling safe in the widely held though mistaken perception that what they posted was private, or at least that it would only be seen by a select group of people. Other sites have also, like MySpace, dealt with users who have preyed on other more gullible ones, as with the recent high-profile arrests of men who used MySpace to lure young girls. But few sites have grown as large, and as quickly, as MySpace, which was acquired in July 2005 by Rupert Murdoch's News Corp. for $580 million. And few have specialized so effectively in encouraging kids to get comfortable and open up. As with all forms of electronic media, people still have a hard time wrapping their minds around the fact that little online is truly private. A sampling of MySpace's offerings reveals the evidence: Posts explore almost every aspect of users' personal lives, from typical teenage angst about acne and unrequited crushes to more incriminating fare -- sexually suggestive images and photos of drinking and drug use -- as well as professions of love, anger and every emotion in between. "MySpace has encouraged its users to be aware that what they post on their MySpace profile is available for the public to see," says MySpace spokesman Matthew Grossman, adding that "part of why MySpace has been so successful is because people can share their feelings." While Grossman stresses that MySpace does not spy on its users, or share their information, the site will work with law enforcement "if they [law enforcement] go through the proper legal channels," such as a subpoena or warrant. 
The site's privacy statement makes that caveat explicit. But many users haven't heeded those warnings. They do so now at their peril, because more and more, they are being watched. "We patrol the Internet like we patrol the streets," officer James McNamee, a member of the Barrington, Ill., police department's Special Crimes Unit, says. "We'll go in on a MySpace or a Xanga, we'll pick out our area and we'll just start surfing it, checking it, seeing what's going on." McNamee says the fact that police have only recently realized what a powerful tool social networking sites can be for investigative purposes may be what makes MySpace users feel the site is their own private realm. "We're still playing catch-up," McNamee says. "I wouldn't say we're super far behind, but we're learning as we go and I think that's the reason some [teens] feel like, 'Oh, this is an invasion of our privacy.' Well, no, it's not, it's just that we were behind on learning that we should have been paying attention to this, and now we're paying attention." In the eight months the Barrington Police Department has been patrolling MySpace, McNamee says, they've found pictures of graffiti, with the artists standing next to it, "smiling, all happy about their activity," they've found evidence of drug dealing --"where they could hook up, who was dealing drugs ... photos of their money ... photos of their drugs" -- they've even found a "We Hate Barrington Police Department" blog. ("We don't care," McNamee says of the blog. "It's kind of funny to us; we'll let them vent that way.") The question of what public school students have the right to say, and where they have the right to say it, remains murky, with little in the way of definitive jurisprudence to guide schools and courts. Indeed, just about the only thing experts on the topic seem to agree on is that no one really knows what the law is. 
"There have been some court decisions, and in all honesty they've been a little bit confused," says Mark Goodman, the executive director of the Student Press Law Center. "And it really isn't just Internet-based speech, but actually any kind of expression by students outside of school. There really have been relatively few cases going to court on this issue, so it's understandable [to a certain extent] why there would be some confusion surrounding it." Goodman, for his part, believes that the law is on the students' side. "In a public school, I believe the law's pretty clear that the school does not have the authority to punish students for expression they engage in outside of school. There are really important fundamental reasons for that. At the very least, it's a major usurpation of parental authority. Outside of school, parents have the authority to discipline their children ... I think the problem is a lot of people simply presume that the Internet in effect becomes school expression, and I simply don't believe it does. I think there are legally important distinctions, and very good policy reasons why the school shouldn't have that authority." Marc Rotenberg, who teaches information privacy law at the Georgetown University Law Center and is the executive director of the Electronic Privacy Information Center, believes the issue is not so clear-cut. "The key point is whatever is publicly accessible," Rotenberg says. "If a student writes an article in the town paper that defames one of the teachers, the fact that it didn't happen in a school publication really is irrelevant. The school will still act on that information if it's public and available to the community ... The courts have not, particularly in the last few years, been sympathetic to student privacy claims, and I don't think there's any reason to think it would be otherwise when the conduct is posted to publicly available Web sites ... 
The critical point here is that yes, I think students should have the freedom to express their views, and I don't think there should be any type of prior restraint on publication, whether it's in print or online media. But that doesn't mean what you say may not have some repercussions." There are no such questions about whether the police have a right to patrol MySpace. "If it is a public forum that is accessible to others, then presumably the police are welcome to participate, as they would be welcome to enter a shopping mall or something like that," Rotenberg says. Kurt Opsahl, a staff lawyer with the Electronic Frontier Foundation, a nonprofit organization whose mission is to defend Internet free speech, agrees. "You have of course a Constitutional right not to incriminate yourself, but you have to exercise that right by not incriminating yourself," Opsahl says. "If you post a photo of yourself engaged in apparently illegal activity with text confirming what you're doing, that can be used against you. Anything you say can and will be used against you, as they say in the Miranda warnings." But according to James McNamee, MySpace's younger users, or at least the ones he sees in his virtual patrols, haven't yet caught on to that. "Some people criticize MySpace, and there's no reason to criticize it," he says. "It's a social networking Internet site that's doing a great function, in my view. The problem is young people aren't sure how to handle it yet. They're not understanding that it's the World Wide Web, they don't get that concept. They think only their friends are looking at it." Eight MySpace users in Wilkes-Barre, Penn., learned the hard way that the people visiting their MySpace profiles were not just friends. Wilkes-Barre police, stumped by a rash of graffiti in the downtown area, turned to MySpace to seek suspects. 
"The police dug very deep to find me," says one of those arrested in the case, who asked to remain anonymous because of ongoing legal proceedings, and who would communicate only through MySpace. "I didn't have my name, phone number or any info on me online. I've never used my real name, I've never had my own Internet connection (always another person's name), and I never had my address or name at all posted or registered online." That user, who denies any involvement in the graffiti, says he was aware of the public nature of the site -- "I always think that people are looking," he says -- but that some of his friends were not, and that he thinks the police overstepped their bounds. "I feel that police shouldn't lie and disguise their identity to gain friendship with people they can't see, or ever meet without [informants]." Dimitri Arethas also feels his rights were violated. "A home page is basically as private as it gets," he told the Observer at the time of his suspension. When asked recently if he still felt that way, his answer was much the same. "Private like exclusive to only your friends? No, not that kind of private," he said. "[But] someone has to personally seek out your name and find you in order to view your MySpace, which is what stirs me up. That's where I got some sense of privacy. I could have never imagined someone printing out my profile page and then turning it in." Mark Goodman worries about the lessons students like Arethas will learn as more face consequences for what they post to sites like MySpace. "What I would hate to see happen, and I think it has happened in some communities at least, is students deciding they can't publish unpopular or controversial viewpoints on their MySpace page or an independent Web site because they're afraid school officials will punish them for it. That, I think, is very disturbing, and those are the young people who, as adults, are going to believe the government should be regulating what the public says. 
It has very troubling implications for their appreciation of the First Amendment in the world outside of school." Arethas says that he has become more cautious about what he posts. "Gotta play the political game now," he says. He took his MySpace profile down for a week after the incident, but decided to put it back up -- without the offending photo -- when he realized, he says, that he "could pretty much get away with it," and that he "had won the case" by being reinstated to school. He still believes the school was wrong to suspend him. Goodman thinks, though, that few students would act as Arethas did. He points to a study on high school students' attitudes toward the First Amendment, conducted by researchers at the University of Connecticut. Released early last year, the study found that 49 percent of students thought that newspapers should need government approval for their stories, 75 percent didn't realize flag-burning was legal and more than a third thought the First Amendment went too far. Half believed the government could censor the Internet. "I think the point of it, ultimately, is how can we expect anything different [than the survey results]," Goodman says. "A direct result of these actions is young people's dismissiveness of the fundamental values of free expression that we as a nation supposedly hold dear." The MySpace user arrested in the Wilkes-Barre case agrees. "I think that MySpace is the epitome of free speech, and censorship, all rolled in one. And I think that America with[out] free speech is not free at all. Just think about the people that have been censored. Go to another country, like Denmark and there is no censorship at all, and the kids growing up there don't look at it as dirty, just as life. When we make things illegal, or 'dirty to look at' we create the feeling that it's bad." 
-- By Alex Koppelman

From rforno at infowarrior.org Wed Jun 7 22:48:03 2006 From: rforno at infowarrior.org (Richard Forno) Date: Wed, 07 Jun 2006 22:48:03 -0400 Subject: [Infowarrior] - Judge to review gov evidence in ATT NSA case Message-ID:

Judge Will Taste The Apple http://blog.wired.com/27BStroke6/#1497337

District Court Judge Vaughn Walker delivered what may be the death blow to the Electronic Frontier Foundation's lawsuit against AT&T today, ruling that he will look at the government's secret evidence supporting its motion to dismiss the anti-secret surveillance lawsuit since it might disclose national security secrets. The EFF had argued that the judge could order AT&T to stop its alleged complicity in warrantless government surveillance based solely on government admissions and the sealed, but unclassified, evidence provided by AT&T whistleblower Mark Klein. The online civil liberties group also counseled Judge Walker to only look at the documents little by little and disclose what he could to the EFF, so they could counter the secret arguments backing the government's assertion of a power known as the state secrets privilege. The government argues that the case should be dismissed because it could confirm or deny the existence of a secret program, while the EFF says that if AT&T was provided with legal justification for turning over records to the government, that letter isn't classified according to law.

Walker dismissed EFF's arguments, agreeing (.pdf) with AT&T and the government's arguments that AT&T can't defend itself without providing the letter, a letter which the government says would prove the existence of a state secret. "[U]ntil the applicability and reach of the privilege is ascertained, AT&T might be prevented from using certain crucial evidence, such as whether AT&T received a certification from the government," Walker wrote.
EFF is also not entitled to view the classified documents, according to the ruling, since the law "does not provide plaintiffs with a present right to view the classified documents." The judge ordered the government to deliver the secret sworn statements from intelligence chief John Negroponte and NSA director Keith Alexander from Washington D.C. to his chambers by June 9.

Walker left one sliver of hope for the civil liberties group, saying that he was mindful of the competing interests of the plaintiffs seeking recourse and the government's need to keep state secrets safe. Walker said he intended to look closely both at whether the government's invocation of its legal nuclear option was justified and whether the privilege will keep only some facts out of the public view, or justify the outright dismissal of the case.

Legal precedents involving the state secrets privilege, including the recent dismissals of an FBI whistleblower's lawsuit against the government for allegedly firing her for revealing security flaws and of a German man's lawsuit against the CIA for allegedly kidnapping and torturing him, suggest that the judge will dismiss the case following the June 23 hearing.

From rforno at infowarrior.org Thu Jun 8 09:12:59 2006
From: rforno at infowarrior.org (Richard Forno)
Date: Thu, 08 Jun 2006 09:12:59 -0400
Subject: [Infowarrior] - Lessig: No Tolls on The Internet
Message-ID:

No Tolls on The Internet
By Lawrence Lessig and Robert W. McChesney
Thursday, June 8, 2006; A23
http://www.washingtonpost.com/wp-dyn/content/article/2006/06/07/AR2006060702108_pf.html

Congress is about to cast a historic vote on the future of the Internet. It will decide whether the Internet remains a free and open technology fostering innovation, economic growth and democratic communication, or instead becomes the property of cable and phone companies that can put toll booths at every on-ramp and exit on the information superhighway.
At the center of the debate is the most important public policy you've probably never heard of: "network neutrality." Net neutrality means simply that all like Internet content must be treated alike and move at the same speed over the network. The owners of the Internet's wires cannot discriminate. This is the simple but brilliant "end-to-end" design of the Internet that has made it such a powerful force for economic and social good: All of the intelligence and control is held by producers and users, not the networks that connect them. The protections that guaranteed network neutrality have been law since the birth of the Internet -- right up until last year, when the Federal Communications Commission eliminated the rules that kept cable and phone companies from discriminating against content providers. This triggered a wave of announcements from phone company chief executives that they plan to do exactly that. Now Congress faces a legislative decision. Will we reinstate net neutrality and keep the Internet free? Or will we let it die at the hands of network owners itching to become content gatekeepers? The implications of permanently losing network neutrality could not be more serious. The current legislation, backed by companies such as AT&T, Verizon and Comcast, would allow the firms to create different tiers of online service. They would be able to sell access to the express lane to deep-pocketed corporations and relegate everyone else to the digital equivalent of a winding dirt road. Worse still, these gatekeepers would determine who gets premium treatment and who doesn't. Their idea is to stand between the content provider and the consumer, demanding a toll to guarantee quality delivery. It's what Timothy Wu, an Internet policy expert at Columbia University, calls "the Tony Soprano business model": By extorting protection money from every Web site -- from the smallest blogger to Google -- network owners would earn huge profits. 
Meanwhile, they could slow or even block the Web sites and services of their competitors or those who refuse to pay up. They'd like Congress to "trust them" to behave. Without net neutrality, the Internet would start to look like cable TV. A handful of massive companies would control access and distribution of content, deciding what you get to see and how much it costs. Major industries such as health care, finance, retailing and gambling would face huge tariffs for fast, secure Internet use -- all subject to discriminatory and exclusive dealmaking with telephone and cable giants. We would lose the opportunity to vastly expand access and distribution of independent news and community information through broadband television. More than 60 percent of Web content is created by regular people, not corporations. How will this innovation and production thrive if creators must seek permission from a cartel of network owners? The smell of windfall profits is in the air in Washington. The phone companies are pulling out all the stops to legislate themselves monopoly power. They're spending tens of millions of dollars on inside-the-Beltway print, radio and TV ads; high-priced lobbyists; coin-operated think tanks; and sham "Astroturf" groups -- fake grass-roots operations with such Orwellian names as Hands Off the Internet and NetCompetition.org. They're opposed by a real grass-roots coalition of more than 700 groups, 5,000 bloggers and 750,000 individual Americans who have rallied in support of net neutrality at http://www.savetheinternet.com/ . The coalition is left and right, commercial and noncommercial, public and private. Supporters include the Christian Coalition of America, MoveOn.org, National Religious Broadcasters, the Service Employees International Union, the American Library Association, AARP and nearly every consumer group. It includes the founders of the Internet, the brand names of Silicon Valley, and a bloc of retailers, innovators and entrepreneurs. 
Coalitions of such breadth, depth and purpose are rare in contemporary politics. Most of the great innovators in the history of the Internet started out in their garages with great ideas and little capital. This is no accident. Network neutrality protections minimized control by the network owners, maximized competition and invited outsiders in to innovate. Net neutrality guaranteed a free and competitive market for Internet content. The benefits are extraordinary and undeniable. Congress is deciding on the fate of the Internet. The question before it is simple: Should the Internet be handed over to the handful of cable and telephone companies that control online access for 98 percent of the broadband market? Only a Congress besieged by high-priced telecom lobbyists and stuffed with campaign contributions could possibly even consider such an absurd act. People are waking up to what's at stake, and their voices are growing louder by the day. As millions of citizens learn the facts, the message to Congress is clear: Save the Internet. Lawrence Lessig is a law professor at Stanford University and founder of the Center for Internet and Society. Robert W. McChesney is a communications professor at the University of Illinois at Urbana-Champaign and co-founder of the media reform group Free Press. 
From rforno at infowarrior.org Thu Jun 8 09:15:54 2006
From: rforno at infowarrior.org (Richard Forno)
Date: Thu, 08 Jun 2006 09:15:54 -0400
Subject: [Infowarrior] - AOL subscribers up in arms over e-mail ads
Message-ID:

AOL subscribers up in arms over e-mail ads
Throngs of users threaten to say goodbye forever to AOL because of its decision to display ads with e-mail messages sent to paid subscribers
http://ww6.infoworld.com/products/print_friendly.jsp?link=/article/06/06/07/79048_HNaoluproar_1.html
By Juan Carlos Perez, IDG News Service
June 07, 2006

Millions have canceled their AOL LLC subscriptions in recent years, but Barbara Borchers has remained a loyal paying member of the Internet service provider since 1997. Even after signing up with a broadband provider, the Kentucky retiree decided to pay AOL $14.95 per month, mostly to keep the e-mail address she has had for almost 10 years, and also because of her high opinion of AOL's technical support staff.

But Borchers is very close to joining the throngs of users saying goodbye forever to AOL. The reason? AOL's recent decision to display to its paying subscribers ads along with e-mail messages for the first time. "I don't want to switch to another e-mail provider, but I will if they don't fix this so that these ads aren't there anymore," Borchers said.

She is not alone. In blogs, discussion forums and interviews, a number of AOL subscribers are loudly objecting to these ads, calling them intrusive, unsolicited, distracting and annoying. "These are animated ads. They blink on and off and carry on when you're trying to read a message. They're right there in your face," said Borchers, who began getting them last week.

The banner ads appear below the e-mail message read form, just like they have appeared for years below the AOL Mail inbox. However, for users like Borchers, having them displayed along with e-mail messages crosses the line.
These users don't begrudge ads elsewhere on AOL, but they feel that paying members should be allowed to read e-mail messages in an ad-free territory. Rebecca Monteiro, an AOL subscriber since 1997, also plans to cancel her membership. "These ads are almost the equivalent of having commercial music ads in the background of every telephone conversation," Monteiro, who lives in Louisiana and started seeing the ads on Monday, said in an e-mail interview. "The worst part is that these ads are located on our private e-mails ... the last place I'd expect or want to see an ad."

B.J. Brooks, an AOL subscriber for over 10 years, also has definitive plans to cancel his account. He has a broadband connection and kept the AOL account to hang on to his e-mail address. "As a member I should be given the option to block [these] ads, should I desire," he said in an e-mail interview.

Like Brooks, Linda Shinsky has been an AOL member for over 10 years and keeps her membership active mainly for the e-mail address, since she also has a broadband connection with another provider. Now she is planning to cancel as well. "Why pay for a service when there is no benefit?" Shinsky, a California resident, said in an e-mail interview.

The ads are being shown to AOL subscribers using version 9.0 of the company's proprietary access software. AOL surveyed subscribers and found that displaying banner ads along with AOL Mail messages generally wouldn't bother them, an AOL spokeswoman said Tuesday. The ads aren't being targeted to users based on the content of e-mail messages, she said.

From rforno at infowarrior.org Thu Jun 8 09:29:35 2006
From: rforno at infowarrior.org (Richard Forno)
Date: Thu, 08 Jun 2006 09:29:35 -0400
Subject: [Infowarrior] - Inside CNN's 'The Situation Room'
Message-ID:

Inside CNN's "The Situation Room"
http://www.examiner.com/a-130008~Inside_CNN_s__The_Situation_Room_.html
Patrick W.
Gavin, The Examiner
Jun 8, 2006 7:00 AM

WASHINGTON - During a news break on CNN's "The Situation Room," a press release from Congresswoman Jane Harman arrives in the e-mail inbox of Senior Executive Producer Sam Feist at exactly 4:17 p.m. In the release, Harman denounces the National Security Agency's tracking of phone calls in the United States, made public in a recent USA Today story.

Feist, sitting in one of two control rooms needed for "The Situation Room," wants to get Harman's release on the air immediately and tells host Wolf Blitzer. Blitzer is in the studio down the hallway, sitting at his laptop in a corner of the set and checking e-mail and breaking news. After hearing Feist's pitch through his ear piece, Blitzer concurs and says that they should push back the next planned story coming out of the break in order to make room for the Harman release.

But not everyone in the control room is convinced that this merits the buzz Feist and Blitzer are giving it. Someone calls out, "Why are we making such a big deal out of Harman?" Another: "Feinstein and others have been saying this sort of thing all day long."

Feist pauses for two seconds -- a rare luxury in the warp-speed environment that "The Situation Room" is created in -- and re-queries Blitzer. "Are we sure we want to go with this? Some are wondering if Harman's saying anything new here."

Twenty seconds until airtime.

"Absolutely, Sam," Blitzer says. "She's the ranking Democrat on the House Intelligence Committee."

Feist is creating a whirlwind of commotion all over his computer screen, clicking and dragging and cutting and pasting and typing in order to rearrange the lineup and turn Harman's release into broadcast material. Above and in front of Feist are hundreds of television screens channeling news feeds from around the world. Clocks and timers are everywhere.

Ten seconds.
Director Howie Lutt snaps production commands into his headset and punches the air like a symphony conductor possessed -- "Roll B! Put it in! Stand by A -- Roll B!" -- until Blitzer re-emerges on screen after the break.

(On air) "And we're just getting this in -- our lead story. A statement from the ranking Democrat of the House Intelligence Committee, Jane Harman of California..."

The newsroom breathes a bit more easily, having just turned a press release into on-air material in the space of a few minutes. But such is life in "The Situation Room" -- the furthest thing possible from your daddy's news show.

Even for those who may still wax nostalgic for the old Cronkitean way of doing the news -- an anchor behind a desk reading a teleprompter or throwing to a packaged news segment or reporter -- you have to give credit to a news show whose format actually requires the anchor -- Wolf Blitzer, in this case -- to bolster his fitness regimen in order to keep up with the demands of a live, three-hour show.

"I spend an hour on the treadmill every morning to get in shape," Blitzer admits. "It does take a lot out of you." For the three-hour show (it airs at 4, 5 and 7 p.m.) Blitzer and nearly all of his guests remain standing. Pacing, even.

"The Situation Room," which debuted on CNN last August, is an impressive technical feat and, in many ways, it's television for the ADD set. There's the giant screen behind Blitzer that frequently gets chopped into six separate windows broadcasting different feeds. There are the fancy graphic designs. Cameramen take MTV-like tracking shots of the studio's monitors. Blitzer pans to correspondents all around the world with wizard-like speed. There's an "Inside the Blogs" feature. Jack Cafferty asks a "Question of the Day" and reads viewer e-mail. Clocks let you know what time it is all over the world. There are polls and data feeds and real time video and, of course, the ever-present ticker along the bottom of your television screen.
The fast pace is intentional and meant to make the show feel "fast" and "developing" and "happening now." It may very well not be a coincidence that, during The Examiner's visit, Floor Manager Chris Carter wore a Tommy Armour athletic shirt designed to wick sweat away from one's body.

This whole technical circus may be sensory overload for some, but it's an intentional attempt to bring cable news into the age of the Internet. "The Situation Room" is custom-built for raw, breaking news and they intentionally shun falling into a regimented format from day to day.

"Times have changed," Blitzer says. "There are new capabilities and video technologies and, especially with computers and the Internet, there was a sense that viewers are capable of digesting more than one image at a time."

The inspiration for "The Situation Room" came to Blitzer, Feist and CNN's Washington Bureau Chief David Bohrman following the 2004 Election Night. Blitzer led CNN's coverage and, as they featured continuous reports from correspondents around the country, information, updates and video feeds filtered into CNN at a rapid clip. Still, it was frustrating to both Bohrman and Feist that so much great satellite footage from affiliates went unused.

"David and Sam wondered how we could convey CNN's unbelievable reach and our hundreds of affiliates and video and satellites," Blitzer explained. "How do we get all of that material -- more graphically and vividly -- to our viewers so they can see this enormous power that we have?"

Although "The Situation Room" still trails cable ratings giant Fox News Channel, their audience is improving and they have, on rare occasions, bested Fox during the 5 and 6 p.m. timeslots in the coveted 25-54 year old demographic.

The future success of "The Situation Room" seems to hinge on two primary factors. First, their eagerness to get the latest news on the air before anybody else has the potential to present problems, such as broadcasting incorrect information.
Surprisingly, that has happened far less often than you might suspect during "The Situation Room's" ten-month run, but the potential for a major gaffe always lurks around the corner (after one segment I witnessed, Blitzer had to ask his producers, "Did I pronounce that congressman's name correctly?").

Blitzer thinks that the best buffer against faulty reporting is a good staff. "The staff we've put together behind the scenes is amongst the best in television news and everybody screens stuff," Blitzer says. "The front man is the guy who's seen on television. I have a lot at stake -- my credibility, my reputation -- and I have to rely on these people. If they tell me it's good to go, I can't start arguing and asking, 'How do you know?' I need to know they're not going to screw me."

The other potential pitfall for "The Situation Room's" approach is that the need for speed could cause them to follow the frivolous. Since they need to fill three hours of air time every day, will they cut to a forest fire simply because it's breaking and they have video? Does their system run the risk of choosing triviality over depth?

Perhaps "The Situation Room's" need for speed was most acutely seen when, during President Bush's May 15 primetime speech on immigration reform, they prematurely cut to a live video of President Bush reciting a few lines from his speech. The fault wasn't theirs (Bush was cued early by an NBC stage manager) but "The Situation Room" managed to turn lemons into lemonade, using the goof as a way to prove just how "happening now" they really are. They later issued a statement saying: "NBC stage manager has now admitted he cued the president early and CNN was the only network ready to go."

Maybe even too eager to go live? That may prove to be the ultimate question for "The Situation Room."

Patrick W. Gavin is The Examiner's associate editorial page editor.
You can e-mail him at pgavin at dcexaminer.com

From rforno at infowarrior.org Thu Jun 8 12:57:27 2006
From: rforno at infowarrior.org (Richard Forno)
Date: Thu, 08 Jun 2006 12:57:27 -0400
Subject: [Infowarrior] - Can the malware industry be trusted?
Message-ID:

Can the malware industry be trusted?
Date: 2006.06.07 16:00
Author: Joe Barr
http://www.newsforge.com/article.pl?sid=06/06/06/1832223

Commentary: Internet security is big business. Microsoft Windows and Office vulnerabilities have made major contributions to making it -- and keeping it -- that way. Today, players like McAfee, Symantec, and dozens of other firms fight for a share of a market worth tens of billions of dollars a year.

I would like to think that this industry displays the same high degree of ethical standards and integrity shown by other first-responders: our police forces, firefighters, and paramedics. Sure, there are bad apples in the bunch now and then, but on the whole they are an admirably honest and trustworthy group. I don't think nearly as highly of the computer security industry. Here's why.

Put a stake in its heart

Remember Dan Geer, the widely respected security guru who used to be CTO at @Stake? He's been in the news again recently. The last time I saw that much news about Geer, it was when he was fired by @Stake after presenting an assessment critical of Microsoft and "monoculture." @Stake, I presume, is proud of having maintained a good relationship with Microsoft by firing Geer for daring to speak the truth. The irony comes from the fact that the recent headlines concerning Geer -- about the MS Word vulnerability -- proved him to be dead-on in the report he was fired for delivering. Obviously, @Stake valued their relationship with Microsoft more than they did the security of their clients. Word up, as they say.
It's that very trait -- the need to lick Microsoft's boots to play in their ecosystem -- which accounts for a lot of the corruption, lies, deceit, false claims, false viruses, and false alarms which emanate regularly from this false security industry. But no need to dwell on @Stake being cherry red with embarrassment over being shown up as idiots and servile buffoons. There are plenty of other examples to talk about.

US-Cert: Count this way

Every year, US-Cert produces huge fireworks in the security trade press with their annual summary of misinformation about security flaws. The idiots in the press repeat the lie verbatim and the lie becomes real. What is the lie? That Unix/Linux is less secure than Windows. Granted, only the stupidest dolts in the universe -- and the trade press -- are going to buy that crap, but they put it out there anyway.

Here's the problem. The summary gives a total for flaws found in Windows and another total for flaws found in Unix and Linux. Last year, those totals were 812 for Windows and 2,312 for Unix/Linux. As usual, those two misleading numbers once again got trumpeted and cited as evidence that Windows is more secure than Unix or Linux on every Windows-leaning news site in the known universe.

Why is it misleading? Well, say that a vulnerability occurs in the Linux kernel. There are dozens of Linux distributions, and when the vulnerability is found, eventually it will get patched in each and every one of them. Now, guess how many times it gets counted. That's right, not just once, but once for each distribution.

US-Cert knows about the problem of the super-inflated malware numbers in their summary, but they refuse to correct it or to comment on it. They also know that it misleads consumers and encourages them to stay on an inferior platform -- one which is infamous for its chronic malware infestations -- rather than switching to Mac OS X or Linux, both of which are more secure by design.
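The counting problem Barr describes above (one kernel bug, one advisory per distribution, one tally mark per advisory) is easy to reproduce and easy to correct once advisories carry a common identifier. The following Python is an added example, not part of the article and not US-Cert's methodology: it reads a small set of constructed advisory records (the pipe-separated format and the CVE-0000-xxxx ids are placeholders invented for this example), produces the naive per-advisory total the article criticizes, and beside it the total of distinct CVE ids per platform, plus the per-CVE fan-out that explains the gap.

```python
import re
from collections import defaultdict

# Constructed sample advisory records (NOT real US-Cert data). One line per
# vendor advisory: "<platform>|<distribution>|<advisory title>". The CVE ids
# are placeholders; the format is an assumption made for this example.
SAMPLE_ADVISORIES = """\
windows|Windows|Buffer overflow in component X (CVE-0000-0001)
windows|Windows|Privilege escalation in service Y (CVE-0000-0002)
unix/linux|DistroA|Kernel: local privilege escalation (CVE-0000-0101)
unix/linux|DistroB|Kernel: local privilege escalation (CVE-0000-0101)
unix/linux|DistroC|Kernel: local privilege escalation (CVE-0000-0101)
unix/linux|DistroA|libfoo: heap overflow (CVE-0000-0102)
unix/linux|DistroB|libfoo: heap overflow (CVE-0000-0102)
unix/linux|DistroA|bar-daemon: denial of service (CVE-0000-0103)
unix/linux|DistroB|bar-daemon: two issues (CVE-0000-0103, CVE-0000-0104)
"""

# Real CVE ids are "CVE-<year>-<4 or more digits>"; the regex pulls every id
# out of free-text advisory titles.
CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")


def parse_advisories(text):
    """Parse the constructed pipe-separated format into advisory records."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        platform, distro, title = line.split("|", 2)
        records.append({
            "platform": platform,
            "distro": distro,
            "cves": set(CVE_RE.findall(title)),
        })
    return records


def count_advisories(records):
    """Summary-style total: one tally per advisory entry, so a kernel bug
    fixed by three distributions is counted three times for the platform."""
    counts = defaultdict(int)
    for rec in records:
        counts[rec["platform"]] += 1
    return dict(counts)


def count_distinct_cves(records):
    """Deduplicated total: one tally per distinct CVE id per platform,
    regardless of how many distributions shipped a fix for it."""
    seen = defaultdict(set)
    for rec in records:
        seen[rec["platform"]].update(rec["cves"])
    return {platform: len(cves) for platform, cves in seen.items()}


def cve_fanout(records):
    """Number of distributions that issued an advisory for each CVE. Any
    value above 1 is exactly the inflation a per-advisory count adds."""
    fanout = defaultdict(set)
    for rec in records:
        for cve in rec["cves"]:
            fanout[cve].add(rec["distro"])
    return {cve: len(distros) for cve, distros in fanout.items()}


if __name__ == "__main__":
    recs = parse_advisories(SAMPLE_ADVISORIES)
    print("per-advisory totals :", count_advisories(recs))
    print("distinct-CVE totals :", count_distinct_cves(recs))
    for cve, n in sorted(cve_fanout(recs).items()):
        print(f"  {cve}: advisories from {n} distribution(s)")
```

On the constructed sample the per-advisory count gives Unix/Linux 7 entries against 2 for Windows, while the distinct-CVE count gives 4 against 2; the fan-out table shows the one kernel id counted three times. A real comparison would also need to normalize which components each platform total includes, which the identifier alone does not fix.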
Since they refuse to comment on the issue, the reason why they don't correct it is something probably known only to Homeland Security and their private sector partners in the US-Cert combine.

Apple OS X: Mea culpa

The SANS Institute -- a name which sounds all officious and possibly not profit oriented, but which is owned by the mysterious but definitely for-profit Escal Institute of Technology -- recently did an unusual update to its Top 20 list of vulnerabilities. They issued their "update" in order to trumpet the assertion that Apple OS X is now just as exposed and vulnerable to malware as Windows. The timing of the release of this unusual "update" is suspicious, coming as it did on the eve of the new advertising campaign by Apple which plays up the fact that Apple is pretty much immune to the types of malware infestations that plague Windows. Previous updates to this list have usually come in the fall: November, 2005; October, 2004; October, 2003; and October, 2002.

The SANS Institute announcement seemed to be designed to destroy -- or at least bring into question -- the idea that Apple OS X is more secure than Windows. In a document sent to members of the press prior to the teleconference, the SANS Institute wrote:

During the past few months, Apple Safari browser users faced their first zero-day attack. A zero-day attack is one that causes damage to users even before the vendor makes a patch available. In this case, Safari users who just browsed a malicious web site found their computers automatically downloading and executing a malicious file. The user made no error other than to visit the web site. Apple patched Safari to fix this flaw, but almost immediately had to issue a second patch to stop another attack involving email attachments. The experts involved in the 2006 Top 20 Spring update agree that OS/X still remains safer than Windows; but its reputation for offering a bullet-proof alternative to Windows is in tatters.
As attackers are increasingly turning their attention to the platform, OS/X vulnerabilities are being discovered at a rapid pace, which could erode this safety in the future.

I covered the SANS teleconference event for NewsForge. Because of my recent experiences with a Kaspersky Lab disinformation campaign against Linux, my ears were tuned for false claims being made against Linux. But I didn't pay much attention to the fact that SANS was launching a similar attack against Apple. I am ashamed to say it, but just like all the other idiots in the trade press, I simply reported what had been said. My apologies to all Apple users, and Apple. It won't happen again.

Imagine my surprise in the days that followed the teleconference as I read story after story by Mac-aware journalists and analysts which questioned or challenged the SANS Institute and similar findings by others in the malware business. On May 9, The Mac Observer reported that Yankee Group analyst Andrew Jaquith accused McAfee of engaging in "scaremongering" in a report entitled "The New Apple of Malware's Eye: Is Mac OS X the Next Windows?" In Jaquith's view, McAfee was attempting to frighten Mac users into buying malware protection they just happen to sell.

Other Apple-related news sites picked up the theme as well, as one might expect. But what's this, a defense of Apple by BusinessWeek's Arik Hesseldahl? In response to The SANS Institute's claim that Apple's security rep was now in tatters, he wrote on May 4:

Tatters? Well, let's look at the record. As you may remember from a few months ago, there were indeed not one but two Mac security teapot tempests. Astute readers of this column and its accompanying blog will remember that in March, there was the "hacked Mac Mini" contest (see BW Online, 3/08/06, "Apple Finding the Root of the Problem").
Entrants were challenged to find a way to upgrade limited-access privileges to those of someone with so-called root status, a position that would let them wreak pretty much untrammeled havoc on a computer. Someone pulled it off. Though the contest proved little, the misguided press still went a little nuts.

That observation about the "misguided press" points out the reason that malware vendors beat their drums so loudly and so often: the trade press blindly accepts whatever the security firms utter as being the gospel. I know, I know. Mea culpa, too.

Hesseldahl went on to write about an AP story which seems to have been the precipitating factor in The SANS Institute's decision to push its "Apple fatally flawed" rhetoric. He said: "The story coincided with the disclosure that six newly discovered so-called zero-day bugs targeting Mac OS X were found by Tom Ferris, a security researcher who publishes a blog concerning vulnerabilities he has found. Zero-days are exploits or vulnerabilities that cause damage in the wild before being disclosed to the vendors of the targeted software. While they were directed at the Mac operating system, there's no evidence these vulnerabilities have actually done any damage."

From Russia with malice

Kaspersky Lab, a Russian Internet security company which operates around the globe, including here in the USA, has been spreading FUD about malware targeting Linux for years. I've cited this example from 2001 before, but here it is again, and it still appears on their Web site. Hey, maybe the SANS Institute used it as a template for their anti-Apple effort. I quote:

Predictions regarding a world epidemic of Linux-viruses have come true in the first quarter of 2001.
The latest incidents caused by the Ramen Internet-worm and its numerous modifications, as well as the multi-platform virus Pelf (Lindose) and other Linux-targeted malicious code, have proved that this operating system, (previously considered as the most protected software), has fallen victim to computer viruses.

After finding that page on the Web, and after watching Torvalds patch the Linux kernel so that some very old code that Kaspersky Lab was trying to pass off as a "new cross-platform virus" would run on the latest versions of the Linux kernel, I decided to keep an eye on other claims Kaspersky Lab was making about malware on Linux.

Figure 1: Alleged Linux viruses - 2005

Checking their Web site, I found a new report entitled 2005: *nix Malware Evolution and decided to take a look. A graph (see Figure 1) purporting to illustrate a dramatic increase in all types of malware for Linux between 2004 and 2005 showed an incredible -- literally -- jump from 4 to 91 Linux viruses. I found that intriguing because I've been using Linux exclusively on the desktop since 1999, and reading and writing about it for longer than that, and I was completely unaware of _any_ Linux viruses beyond a few lame "proof of concept" samples, similar to the one previously mentioned that caused Torvalds to patch the kernel so that it could run correctly on the most recent versions of the kernel, which don't really do anything remarkable other than demonstrate the ability to run on both Windows and Linux.

Yet Kaspersky was claiming that 87 new Linux viruses were discovered last year. I asked Kaspersky Lab if they had any documentation to back up that claim. Jennifer Jewett, a public relations person representing Kaspersky, told me "the documentation citing the viruses is included in the Encyclopedia on Kaspersky's Viruslist site: http://www.viruslist.com/en/viruses/encyclopedia." I searched the encyclopedia for Linux viruses and came up with an astounding 972 hits.
But just the barest hint of an analysis of those hits reveals that the number would break an industrial-strength bogusity-meter. A few low-lights of my analysis:

* The first 256 items are completely undocumented.
* Only 21 -- less than 3% -- are described at all.
* Of the 21 that are described, 2 are duplicates.
* One of the 21 is a Windows virus, not Linux.
* Almost all of the 21 are programs modifying files in accordance with standard *nix permissions.

I went back to Kaspersky and told them my results. Jewett then put me in touch with Kaspersky's Senior Technical Consultant, Shane Coursen. I repeated my request to Coursen for documentation on the 91 claimed viruses. He told me he would have to check with the report's author, Konstantin Sapronov, in Russia. A few days later I received a list containing the 91 alleged Linux viruses. The list contained nothing but the names, no documentation.

I checked the first one on the list. Naturally, there was no information about it in the Kaspersky encyclopedia, but it did suggest searching for it under other names from other vendors, so I did. That led me to this page on the McAfee site, where I learned that it had been discovered in 2003. Since McAfee didn't provide any further information on the virus, I kept looking. That's how I came across the Virus Pool Project. One thing there really caught my eye. The site's reason for being is explained like this: "I always found virus names rather confusing. Mainly because there are so many of them for one and the same virus. By indexing them and making it possible to search them I hope people will be able to help others."

Perhaps confusion is why, of the 972 hits found in Kaspersky's encyclopedia, only 21 are documented. Out of curiosity, I decided to check the list of 91 names against the list of the 21 documented viruses in the encyclopedia. I found a total of 10 matches from the list of 91. Remember, Kaspersky claims 87 of the viruses were found in 2005.
Of the 10 that matched, two were found in 2000, four were discovered in 2001, three in 2002, and one in 2003. None of the 87 alleged new Linux viruses are documented or substantiated by Kaspersky in any way whatsoever.

Coursen responded via email to my initial analysis of the list by saying:

1st) Other vendors' names are going to be different than Kaspersky names in most cases. The industry does its best to coordinate names, but as you can imagine, with the speed at which new viruses appear, it is a very difficult thing for us to accomplish in all cases. And unfortunately, even if you can find the same name between two different vendors it does not mean the description is discussing the same variant; sometimes the description doesn't even discuss a virus from the same family!

2nd) When McAfee adds a description on their site, it doesn't always match the date they added actual detection. As for Kaspersky, McAfee and others, descriptions usually appear well-after detection is added, if at all. (Which is why Kaspersky adds both dates to its descriptions -- when the detection is added and when the description is published.)

3rd) In the case you mention above, where McAfee added detection for something that looks to be the same virus back in 2003 -- well, that's a bit of an odd one, but very explainable: If #2 reason above doesn't explain it, then we can try this....(since it is more likely the case) AV companies may add a record to detect a virus, but then receive a new variant of the same family some time later. In such a case it may be necessary to modify the existing detection signature. So, what you end up with is a signature that was added some time ago (could be years, even), but that was modified just recently. It is my guess that recently-updated signatures would probably show up in Konstantin's stats.
After this story was submitted, and the week following another black-eye for Microsoft security in the form of malevolent macros in MS Word, Kaspersky Lab issued another headline-grabbing but bogus alert for a proof-of-concept of the same type of attack on MS Word's largest competitor, OpenOffice.org. Was the timing once more just a coincidence? I don't think so.

But all I am sure of is this: Kaspersky Lab is making claims about malware and Linux which they cannot substantiate. Period. They did it in 2001 and they are doing it again now. They were asked for documentation on the alleged viruses and they delivered nothing at all. Another thing I am sure of is that they aren't the only ones doing it, and Linux is not the only victim of their crimes.

Why they do it

The answer, of course, is money. Security firms look on more secure alternatives to Windows as a threat to their bottom line. It is in their best interest to slow down the migration of users from Windows to any alternative platform, simply because any alternative platform is going to do a better job of providing security than Microsoft has done, or seems capable of doing. If they can't stop the attrition, and the growth of the Apple and Linux markets is showing that they can't, they can also try to position themselves to be in the new markets, even if they are not as lucrative for them as the Windows culture. So by inventing and/or exaggerating threats to the alternatives, they can slow down their growth and try to establish some cred in them at the same time.

Conclusion

The Windows economy is a tough arena to play in. You have to keep Mister Gates happy to survive, and even then, there isn't any guarantee that your niche in the market won't be gobbled up by the next release of Windows. Of course, sometimes the little fish try to bite back. That is what Symantec is trying to do now to prevent Vista swallowing them whole.
It may be that if you do business with Microsoft on a regular basis, you get used to working in an ethics-free environment, and you begin to practice the same black business arts as the master. Whatever the cause, what I see happening in the malware business today reflects Microsoft's own ethics-free practices. I'm not convinced there is an honest firm in the whole mess. So in my humble opinion, the answer to the question, "can the malware industry be trusted?" is a resounding "No!" What do you think?

Links

1. "the news" - http://www.consortiuminfo.org/standardsblog/article.php?story=20060523181724678
2. "he was fired" - http://www.computerworld.com/securitytopics/security/story/0,10801,85563,00.html
3. "annual summary of misinformation" - http://trends.newsforge.com/article.pl?sid=06/01/05/1627242&tid=138
4. "dozens Linux distributions" - http://distrowatch.com/
5. "US-Cert" - http://www.us-cert.gov/aboutus.html
6. "Top 20" - http://www.sans.org/top20/2005/spring_2006_update.php
7. "new advertising campaign" - http://www.macnewsworld.com/story/U12S5MXqOtPNPP/Mac-Ads-Depict-Windows-PCs-as-Uncool-Unsafe.xhtml
8. "SANS teleconference event" - http://software.newsforge.com/article.pl?sid=06/05/01/186200&tid=78
9. "reported" - http://www.macobserver.com/article/2006/05/09.5.shtml
10. "defense of Apple" - http://www.businessweek.com/technology/content/may2006/tc20060504_303032.htm?campaign_id=search
11. "Apple Finding the Root of the Problem" - http://www.businessweek.com/technology/content/mar2006/tc20060308_032391.htm
12. "this example" - http://www.kaspersky.com/news?id=175
13. "Torvalds patch the Linux kernel" - http://software.newsforge.com/article.pl?sid=06/04/18/1941251&tid=78
14. "list containing the 91 alleged Linux viruses" - http://www.newsforge.com/blob.pl?id=003cafa35827b90891ad982d7fcf919d
15. "this page" - http://vil.nai.com/vil/content/v_119885.htm
16. "Virus Pool Project" - http://www.viruspool.net/
17. "explained" - http://www.viruspool.net/faq.cms#q3
18. "malevolent macros in MS Word" - http://www.eweek.com/article2/0,1895,1965042,00.asp
19. "bogus alert" - http://software.newsforge.com/article.pl?sid=06/06/02/2136202&tid=78
20. "trying to do now" - http://news.com.com/2061-11203_3-6077459.html

© Copyright 2006 - NewsForge, All Rights Reserved

From rforno at infowarrior.org Thu Jun 8 14:07:26 2006
From: rforno at infowarrior.org (Richard Forno)
Date: Thu, 08 Jun 2006 14:07:26 -0400
Subject: [Infowarrior] - VPOTUS Office Declares Exemption from Secrecy Oversight
Message-ID:

http://newstandardnews.net/content/index.cfm/items/3261/printmode/true

Cheney's Office Declares Exemption from Secrecy Oversight
by Michelle Chen

*A correction was appended to this news article after initial publication.

June 7 -- Thickening the haze of secrecy surrounding the executive branch, the Office of Vice President Dick Cheney has declared itself exempt from a yearly requirement to report how it uses its power to classify secret information.

In its 2005 report to the president released last month, the Information Security Oversight Office (ISOO), a branch of the National Archives, provides a quantitative overview of hundreds of thousands of pages of classified and declassified documents. But the vice president's input consists of a single footnote explaining that his office failed to meet its reporting requirements for the third year in a row.

Open-government advocates say Cheney's refusal to divulge even basic information about classification activities reflects an alarming pattern of broadening executive privilege while narrowing public accountability.

"It's part of a larger assertiveness by the Office of the Vice President and a resistance to oversight," said Steve Aftergood of the Project on Government Secrecy, a division of the public-interest association Federation of American Scientists.
"It's as if they're saying, 'What we do is nobody's business.'"

Though not the only government entity to shrug off the reporting duties, Cheney's office is unique in that it has actually issued a public justification for its non-compliance. Cheney's office argued on Monday that its dual role in the federal government places it above the reporting mandate.

"This matter has been carefully reviewed, and it has been determined that the reporting requirement does not apply to [the Office of the Vice President], which has both executive and legislative functions," Lea McBride, a spokesperson for Cheney's office, told The NewStandard.

Cheney's press aides declined to specify to TNS how the office's legislative role effectively exempted it from the executive order, or why the office had complied prior to 2003.

In a May 30 letter to J. William Leonard, director of the ISOO, the Project on Government Secrecy contended that Cheney's rationale was illogical, because additional legislative functions should have no bearing on the vice president's executive-branch obligations. Troubled by the continued non-compliance, the organization warned that if the ISOO did not act to enforce the vice president's responsibilities under the executive order, "every agency will feel free to re-interpret the order in idiosyncratic and self-serving ways."

Each year, the ISOO publishes data on the amount of information classified by government entities, such as the Department of Justice and the Pentagon, and broadly analyzes how the bureaucracy processes national-security secrets. Mandated by an executive order, the report is intended to encourage greater accountability and minimize secrecy.

In 2003 -- around the time Cheney's office stopped reporting to the ISOO -- the Bush administration affirmed and expanded the vice president's classification powers through a revision of Executive Order 12958, the same order mandating the yearly ISOO assessment.
The amended order explicitly granted the vice president unprecedented authority to classify information "in the performance of executive duties," including the ability to label information "secret" and "top secret" on par with the heads of federal agencies and the president himself.

Critics also note another legal shield compounding the vice president's reticence about how he handles secrets: Cheney enjoys general immunity from the Freedom of Information Act, which empowers members of the public with a process for demanding the release of government documents.

Along with Cheney's office, the President's Foreign-Intelligence Advisory Board and Homeland Security Council -- both advisory bodies attached to the White House -- also failed to report classification activity in 2005. In the footnote of its report, the ISOO suggested that the loss of this information was inconsequential, because these entities "historically have not reported quantitatively significant data."

However, Aftergood argued that because the annual report is a statistical breakdown of information processed, the quantitative data merely reflects the volume, not the individual public-interest value, of the secrets withheld by the government.

The most recent report shows that decisions to classify information have declined by about 9 percent since 2004, and the volume of newly declassified information has risen slightly. But watchdogs say the government is still amassing secrets at a disturbing rate: total classification activity was over 60 percent higher in 2005 than in 2001. Overall, agencies reported 14.2 million classification decisions last year.

Though Cheney's obfuscation of his classification activity has been ongoing since 2003, the explosion of the Valerie Plame leak scandal, which centers on the suspected retaliatory leak of a CIA agent's identity by the White House, has invited fresh scrutiny of the administration's political opacity.
Some question whether Cheney has wielded his power over secret government information to smear opponents. In a February interview with Fox News, asked whether he had ever exercised declassification powers, Cheney replied, "I've certainly advocated declassification and participated in declassification decisions," though he refused to elaborate on the nature of those decisions.

Aftergood said that the ISOO could try to compel Cheney to comply with the executive order through enforcement mechanisms. These could include sanctions, which under the ISOO's mandate might entail "termination of classification authority" or "denial of access to classified information" -- or officially requesting an advisory ruling from the attorney general to clarify the vice president's obligations.

Since receiving the letter, Leonard of the ISOO told TNS that he is "currently pursuing the matter." Noting the novelty of Cheney's defense, he added, "I am not aware of any other entity claiming any such 'exemption.'"

Jennifer Gore, communications director for the watchdog group Project on Government Oversight (POGO), pointed to a precedent for public-interest advocates bringing legal challenges to curb executive secrecy. Referring to the Watergate scandal, which also involved a court battle over the White House's refusal to disclose incriminating documents, she said, "In the past, when members of the executive branch have voiced privilege as a reason not to turn something over, then it's time to go to the courts."

To counterbalance the expansion of secrecy under the current administration, POGO is also advocating the Executive Branch Reform Act of 2006. The bill, introduced by Representatives Tom Davis (R-Virginia) and Henry Waxman (D-California), targets new, vaguely defined categories that build on the regular classification system, mainly the "sensitive but unclassified" label that has enabled agencies to limit public access to counterterrorism-related information.
Aftergood said that systemic problems in the classification system undermine the public value of the ISOO's annual report, with or without full compliance from agencies. To move toward genuine transparency, he said, the ISOO's tracking should encompass more aggressive, in-depth reviews of classified materials to monitor whether federal operatives are overusing or abusing their privilege.

"What's really missing is a sense of the quality of the classification activity," Aftergood said. "You could tell me how many things you classify, but that doesn't give me any indication of whether you exercised good judgment or not."

CORRECTION

Minor Change: In the original version of this article, the Federation of American Scientists was incorrectly written American Federation of Scientists. | Change Posted June 8 at 10:48 AM EST

© 2006 The NewStandard

From rforno at infowarrior.org Thu Jun 8 14:11:18 2006
From: rforno at infowarrior.org (Richard Forno)
Date: Thu, 08 Jun 2006 14:11:18 -0400
Subject: [Infowarrior] - BlackBerry addict? - Chicago hotel offers detox
Message-ID:

BlackBerry addict? - Chicago hotel offers detox
Wed Jun 7, 2006 4:53 PM ET
http://today.reuters.com/stocks/QuoteCompanyNewsArticle.aspx?view=CN&storyID=2006-06-07T205253Z_01_N07317500_RTRIDST_0_LIFE-BLACKBERRY.XML&rpc=66

CHICAGO, June 7 (Reuters) - BlackBerry addicts have a crack at freedom when they check into one Chicago hotel: the manager will put the communications devices and others like them under lock and key for guests who want a break.

Rick Ueno, general manager of the Sheraton Chicago Hotel, said the program which began on Wednesday grew out of his own personal BlackBerry addiction. His one-step recovery was switching to a regular cell phone.

"I was really addicted to my BlackBerry. I had an obsession with e-mail," he told Reuters. "Morning and night. There came a time when I didn't think it was healthy ... I quit cold turkey."
He believes guests might want to try the same thing for a day or two anyway, so they can concentrate on meetings, business and socializing while at the hotel. Ueno said he would take personal charge of any BlackBerrys or related devices guests want to surrender and place them in his office locked up until their return is requested. There is no charge.

"I run a hotel with over 900 employees and thousands of guests. I think I'm more effective. I feel better. I sleep better. My family likes it," he said of his post-BlackBerry life.

The popular hand-held devices, sometimes called "CrackBerries" because users become so reliant on them, are made by Canadian-based Research In Motion Ltd.

From rforno at infowarrior.org Thu Jun 8 16:28:40 2006
From: rforno at infowarrior.org (Richard Forno)
Date: Thu, 08 Jun 2006 16:28:40 -0400
Subject: [Infowarrior] - Veterans Affairs chief calls for stronger data laws
Message-ID:

Veterans Affairs chief calls for stronger data laws
By Anne Broache
http://news.com.com/Veterans+Affairs+chief+calls+for+stronger+data+laws/2100-1028_3-6081705.html
Story last modified Thu Jun 08 12:57:36 PDT 2006

WASHINGTON--The head of the U.S. Veterans Affairs Department told Congress on Thursday that the massive theft of personal data at his agency signals the need for more "teeth" in federal data security laws.

"While we have a system in the government of doing background investigations (on those to) whom we will give access to classified information, we do not have a similar screen (for) those to whom we will give enormous amounts of (personal) data," VA Secretary R. James Nicholson told the U.S. House of Representatives Committee on Government Reform.

Nicholson's appearance before politicians came as his agency deals with continued revelations over news that the personal data of as many as 26.5 million veterans and nearly 2 million active-duty military, National Guard, and Reserve personnel was stolen.
That information resided on a government-owned laptop computer and hard drive pilfered from a VA analyst's home in a Maryland suburb of Washington, D.C. A 34-year employee of the agency, he had been toting the gear home for the past three years in violation of agency policy. The theft didn't come to Nicholson's attention until 13 days after the data analyst reported the incident to superiors, the secretary said. The analyst was fired but has been protected by not being publicly named. Two of his bosses have since been fired, Nicholson said. "It's an emergency at the VA, and it should be an emergency in our society," he said. Rep. Tom Davis, the Virginia Republican who heads the committee, said the incident had prompted him to weigh changes to a law called the Federal Information Security Management Act of 2002, which outlines procedures federal agencies must undertake in order to protect their data and systems. That law requires agencies to notify law enforcement and internal inspectors general when a breach occurs, but it does not require notification of potential victims or the public. It must be updated to include penalties, incentives and "proactive notification requirements," Davis said, adding that he is "troubled as the number and scope of losses continues to expand." Nicholson said he and investigators on the theft case "remain hopeful that this was a common, random theft and that no use will be made of this data. However, we certainly cannot count on that." He assured the politicians that every person whose information has been compromised has been notified, and the VA has established call centers and a dedicated Web site to respond to inquiries. But the specter of identity theft prompted stern words from some of the committee members. "My hope, Mr. Secretary is...that in case there is identity theft taking place, you will do everything you can to protect our veterans financially and legally and you will come before the Congress to do that," said Rep. 
Bernard Sanders, a Vermont Independent.

David Walker, comptroller general for the Government Accountability Office, which serves as the government's watchdog, said he agreed the law must be expanded to require federal agencies to alert individuals affected by a breach--and perhaps the general public as well. "Public disclosure of major data breaches is a key step to ensuring that organizations are held accountable for the protection of personal information," he said.

With or without new legislative action, Walker urged all agencies to limit collection of and access to personal information, to curb the amount of time such records are retained and to consider using encryption and other technological controls, particularly when data is stored on mobile devices.

Change won't happen overnight, Nicholson said. "Ultimately our success in changing this is going to depend on changing the culture, and that depends on our ability to change the attitudes of our people."

To that end, the agency is reviewing its security practices and beefing up employee training. Nicholson has also ordered that every VA laptop undergo a review designed to ensure that all security and virus software is current, and he prohibited future use of personal laptops or computers for official business.

Copyright ©1995-2006 CNET Networks, Inc. All rights reserved.

From rforno at infowarrior.org Thu Jun 8 16:48:11 2006
From: rforno at infowarrior.org (Richard Forno)
Date: Thu, 08 Jun 2006 16:48:11 -0400
Subject: [Infowarrior] - Comments on VA Data Loss Article
In-Reply-To:
Message-ID:

http://news.com.com/2102-1028_3-6081705.html?tag=st.util.print

> WASHINGTON--The head of the U.S. Veterans Affairs Department told Congress on
> Thursday that the massive theft of personal data at his agency signals the
> need for more "teeth" in federal data security laws.

Actually, the bigger question at hand is to determine exactly how bad the US Government is when it comes to protecting data -- classified or not.
> Nicholson's appearance before politicians came as his agency deals with
> continued revelations over news that the personal data of as many as 26.5
> million veterans and nearly 2 million active-duty military, National Guard,
> and Reserve personnel was stolen. That information resided on a
> government-owned laptop computer and hard drive pilfered from a VA analyst's
> home in a Maryland suburb of Washington, D.C. A 34-year employee of the
> agency, he had been toting the gear home for the past three years in violation
> of agency policy.

This analyst was breaking policy for THREE YEARS? Why didn't anyone do anything about it sooner? (See point later about accountability.)

> The theft didn't come to Nicholson's attention until 13 days after the data
> analyst reported the incident to superiors, the secretary said. The analyst
> was fired but has been protected by not being publicly named. Two of his
> bosses have since been fired, Nicholson said.

13 days is totally unacceptable. If a corporation can notify its CEO when something bad happens or a problem becomes known in their product line, there's absolutely no reason why it takes 13 days for similar "abysmal news" to make its way to the 'CEO' of a Cabinet Agency.

> With or without new legislative action, Walker urged all agencies to limit
> collection of and access to personal information, to curb the amount of time
> such records are retained and to consider using encryption and other
> technological controls, particularly when data is stored on mobile devices

Can anyone explain why the VA needed to possess a complete database on nearly 2 million active-duty military, National Guard, and Reserve personnel? If it needed access to certain data on active/reserve folks (which they probably do) couldn't the agency develop ways to query databases operated by DOD to avoid having another huge database that could, and in fact, did, get compromised?

> Rep. Tom Davis, the Virginia Republican who heads the committee, said the
> incident had prompted him to weigh changes to a law called the Federal
> Information Security Management Act of 2002, which outlines procedures federal
> agencies must undertake in order to protect their data and systems.
>
> That law requires agencies to notify law enforcement and internal inspectors
> general when a breach occurs, but it does not require notification of
> potential victims or the public. It must be updated to include penalties,
> incentives and "proactive notification requirements," Davis said, adding that
> he is "troubled as the number and

Again, a law that doesn't foist executive-level accountability for failure will never motivate folks and organizations to change. Let the executive heads roll, already -- set an example, please! This happened on Nicholson's watch....I wonder if he, his CIO, CSO, or other senior folks will be held accountable for this fiasco other than a Congressional hearing or two. My sense is no.

> To that end, the agency is reviewing its security practices and beefing up
> employee training. Nicholson has also ordered that every VA laptop undergo a
> review designed to ensure that all security and virus software is current, and
> he prohibited future use of personal laptops or computers for official
> business

Does this include raising the question about why 26 million records were able to be exported onto a laptop in the first place? How about implementing some thresholds on data export, number of database-queries-per-minute-or-user, and implementing other such REAL controls at the application level to help prevent such large-scale data transfer? Updating Symantec Antivirus is not a technical control that can fix this problem.
-rick
Infowarrior.org

From rforno at infowarrior.org Thu Jun 8 16:52:14 2006
From: rforno at infowarrior.org (Richard Forno)
Date: Thu, 08 Jun 2006 16:52:14 -0400
Subject: [Infowarrior] - Congress Warned About Broadcast Treaty
Message-ID:

Congress Warned About Broadcast Treaty
From Public Knowledge, June 8, 2006
By Art Brodsky
http://www.freepress.net/news/print.php?id=15928

While we're otherwise occupied here in the U.S., broadcasters, webcasters and cablecasters are working hard overseas to extend their domain over material that goes out over their networks. They want an intellectual property right over programming they don't own -- even works in the public domain.

Late yesterday, two letters went to Capitol Hill to alert Congress to what's going on, and to ask for some hearings before the World Intellectual Property Organization (WIPO) takes final action on the broadcast treaty. You can read the letter from the non-profits, including PK, here. A similar letter from an impressive group of companies is here.

Here's a key paragraph from the letter:

The harm to the millions of consumers represented by the undersigned organizations would be particularly great -- this additional layer of rights could permit broadcasters to restrict access to content within the home and could limit lawful uses of content over the Internet. Thus, this treaty could reverse the explosion of diverse and increasingly sophisticated "user generated" content that has become part of the fabric of the Internet.

This article is from Public Knowledge. If you found it informative and valuable, we strongly encourage you to visit their website and register an account to view all their articles on the web. Support quality journalism.
From rforno at infowarrior.org Thu Jun 8 21:26:07 2006
From: rforno at infowarrior.org (Richard Forno)
Date: Thu, 08 Jun 2006 21:26:07 -0400
Subject: [Infowarrior] - House panel OKs digital licensing bill
Message-ID:

"The groups also charged that the bill would, for the first time, require licenses for every cache, buffer and other "incidental" copy of a song." --- what a crock!!!! -rf

House panel OKs digital licensing bill
By Anne Broache
http://news.com.com/House+panel+OKs+digital+licensing+bill/2100-1028_3-6081874.html
Story last modified Thu Jun 08 18:14:10 PDT 2006

A U.S. House of Representatives panel on Thursday approved a digital copyright bill that critics say could imperil home-use copying of music and video recording devices like TiVo.

The Section 115 Reform Act, or SIRA, introduced by Texas Republican Lamar Smith, attempts to overhaul a piece of copyright law that established a complex system of "mechanical royalties" for record companies, recording artists, songwriters and publishers in exchange for the right to reproduce and distribute their music. There's a general consensus among politicians, the U.S. Copyright Office and the music industry that the law, first written in the era of piano music rolls, is in need of updates for a digital era.

Right now, companies wishing to sell music have to negotiate separate licenses for each song's recording. SIRA proposes establishing a "blanket licensing" system in which those entities would apply for and receive licenses through a one-stop shop. Established by the Copyright Office, that body would act as a representative for music publishing companies with the greatest share of the market.

Supporters of the bill argue that such an approach would make it easier for online music services to secure speedier approval for vast libraries of music, opening up the possibility for new market entrants, greater selection and lower prices.
"We now have the ability to give legal services the tools to compete with and hopefully drive illegal music services out of business," said California Democrat Howard Berman, a co-sponsor of the bill.

In a joint statement, the Recording Industry Association of America, the Digital Media Association and the National Music Publishers Association said they had "much to gain" from the legislation but still hadn't reached "complete agreement on all aspects" of it. An RIAA representative contacted by CNET News.com would not elaborate on those concerns.

Others, including two Democrats who reluctantly agreed to approve the bill on Thursday, have aired louder gripes about the current language. The Electronic Frontier Foundation, for its part, encouraged its visitors to call their elected representatives and make their dissatisfaction known.

In a three-page letter this week to the bill's authors, a coalition of 19 consumer-oriented advocacy groups--including the American Association of Law Libraries, BellSouth, the Consumer Electronics Association, Public Knowledge, RadioShack, and Sirius and XM satellite radio--claimed the proposal poses a threat to fair use.

Under copyright law, separate licenses exist for the "performance" of a song and for the reproduction or distribution of it. The consumer groups argued that the bill views digital recordings as falling into both categories, which could lead to "potentially duplicative fees" by forcing sellers to pay more than once for the same content. Those fees, some contend, would have to be passed on to consumers.

And by viewing digital music in such a light, they argued, Congress could open the door for requiring licenses for reproductions in other areas, ranging from time-shift recordings on VCRs or TiVos to analog cassettes or CDs recorded from the radio.
Such a development could lead to a dangerous erosion in fair use rights, which permit consumers to copy copyrighted material without permission for noncommercial purposes.

The groups also charged that the bill would, for the first time, require licenses for every cache, buffer and other "incidental" copy of a song. "There is no basis for giving copyright owners added control because of incidental copies that have no independent economic value apart from the performance itself," the letter said.

Granted, the bill provides that such a license would be "royalty-free"--that is, of no cost to the user. But the better approach would be to exempt those incidental copies entirely from the licensing regime, said Rep. Rick Boucher, a Virginia Democrat who added that he'd vote for the bill Thursday with the understanding that a number of changes would be made. Before the vote, Boucher gave remarks that essentially echoed the consumer groups' concerns.

Smith said he would be open to discussing the suggested changes "as soon as next week, if possible."

From rforno at infowarrior.org Fri Jun 9 08:08:27 2006
From: rforno at infowarrior.org (Richard Forno)
Date: Fri, 09 Jun 2006 08:08:27 -0400
Subject: [Infowarrior] - Pentagon sets its sights on social networking websites
Message-ID:

Pentagon sets its sights on social networking websites
http://www.newscientist.com/article/mg19025556.200?DCMP=NLC-nletter&nsref=mg19025556.200

"I AM continually shocked and appalled at the details people voluntarily post online about themselves." So says Jon Callas, chief security officer at PGP, a Silicon Valley-based maker of encryption software. He is far from alone in noticing that fast-growing social networking websites such as MySpace and Friendster are a snoop's dream.
New Scientist has discovered that the Pentagon's National Security Agency, which specialises in eavesdropping and code-breaking, is funding research into the mass harvesting of the information that people post about themselves on social networks. And it could harness advances in internet technology - specifically the forthcoming "semantic web" championed by the web standards organisation W3C - to combine data from social networking websites with details such as banking, retail and property records, allowing the NSA to build extensive, all-embracing personal profiles of individuals.

Americans are still reeling from last month's revelations that the NSA has been logging phone calls since the terrorist attacks of 11 September 2001. The Congressional Research Service, which advises the US legislature, says phone companies that surrendered call records may have acted illegally. However, the White House insists that the terrorist threat makes existing wire-tapping legislation out of date and is urging Congress not to investigate the NSA's action.

Meanwhile, the NSA is pursuing its plans to tap the web, since phone logs have limited scope. They can only be used to build a very basic picture of someone's contact network, a process sometimes called "connecting the dots". Clusters of people in highly connected groups become apparent, as do people with few connections who appear to be the intermediaries between such groups. The idea is to see by how many links or "degrees" separate people from, say, a member of a blacklisted organisation.

By adding online social networking data to its phone analyses, the NSA could connect people at deeper levels, through shared activities, such as taking flying lessons. Typically, online social networking sites ask members to enter details of their immediate and extended circles of friends, whose blogs they might follow.
People often list other facets of their personality including political, sexual, entertainment, media and sporting preferences too. Some go much further, and a few have lost their jobs by publicly describing drinking and drug-taking exploits. Young people have even been barred from the orthodox religious colleges that they are enrolled in for revealing online that they are gay.

"You should always assume anything you write online is stapled to your résumé. People don't realise you get Googled just to get a job interview these days," says Callas.

Other data the NSA could combine with social networking details includes information on purchases, where we go (available from cellphone records, which cite the base station a call came from) and what major financial transactions we make, such as buying a house.

Right now this is difficult to do because today's web is stuffed with data in incompatible formats. Enter the semantic web, which aims to iron out these incompatibilities over the next few years via a common data structure called the Resource Description Framework (RDF). W3C hopes that one day every website will use RDF to give each type of data a unique, predefined, unambiguous tag.

"RDF turns the web into a kind of universal spreadsheet that is readable by computers as well as people," says David de Roure at the University of Southampton in the UK, who is an adviser to W3C. "It means that you will be able to ask a website questions you couldn't ask before, or perform calculations on the data it contains."

In a health record, for instance, a heart attack will have the same semantic tag as its more technical description, a myocardial infarction. Previously, they would have looked like separate medical conditions. Each piece of numerical data, such as the rate of inflation or the number of people killed on the roads, will also get a tag.
The advantages for scientists, for instance, could be huge: they will have unprecedented access to each other's experimental datasets and will be able to perform their own analyses on them. Searching for products such as holidays will become easier as price and availability dates will have smart tags, allowing powerful searches across hundreds of sites. On the downside, this ease of use will also make prying into people's lives a breeze.

No plan to mine social networks via the semantic web has been announced by the NSA, but its interest in the technology is evident in a funding footnote to a research paper delivered at the W3C's WWW2006 conference in Edinburgh, UK, in late May. That paper, entitled Semantic Analytics on Social Networks, by a research team led by Amit Sheth of the University of Georgia in Athens and Anupam Joshi of the University of Maryland in Baltimore reveals how data from online social networks and other databases can be combined to uncover facts about people. The footnote said the work was part-funded by an organisation called ARDA.

What is ARDA? It stands for Advanced Research Development Activity. According to a report entitled Data Mining and Homeland Security, published by the Congressional Research Service in January, ARDA's role is to spend NSA money on research that can "solve some of the most critical problems facing the US intelligence community". Chief among ARDA's aims is to make sense of the massive amounts of data the NSA collects - some of its sources grow by around 4 million gigabytes a month.

The ever-growing online social networks are part of the flood of internet information that could be mined: some of the top sites like MySpace now have more than 80 million members (see Graph).

The research ARDA funded was designed to see if the semantic web could be easily used to connect people. The research team chose to address a subject close to their academic hearts: detecting conflicts of interest in scientific peer review.
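The article goes on to describe the team's conflict-of-interest finder, which fused FOAF "knows" links with DBLP co-authorship records and then looked for connections between reviewers and authors, including the softer, indirect ones. The following is an added illustration of that idea in Python, not the team's software or the paper's data: the people, "knows" assertions and paper records are all constructed, and the breadth-first search over the fused graph also shows the "degrees" of separation the article mentions for phone-log analysis.

```python
from collections import deque

# Constructed sample data for illustration only (not from FOAF, DBLP or the paper).
# FOAF-style "knows" assertions: (subject, object).
FOAF_KNOWS = [
    ("alice", "bob"),
    ("bob", "carol"),
    ("dave", "erin"),
]

# Bibliographic records as a DBLP-like database would list them: (title, authors).
BIBLIOGRAPHY = [
    ("Semantic Tagging of Health Records", ["carol", "frank"]),
    ("Graph Queries over RDF", ["erin", "grace"]),
    ("Entity Resolution at Scale", ["heidi", "ivan"]),
]


def build_graph(knows, bibliography):
    """Fuse both sources into one undirected graph keyed by person.

    Each edge records which relation and source produced it, so a flagged
    conflict can be explained to a reviewer or a programme chair.
    """
    graph = {}

    def add_edge(a, b, relation):
        graph.setdefault(a, {})[b] = relation
        graph.setdefault(b, {})[a] = relation

    for a, b in knows:
        add_edge(a, b, "knows (FOAF)")
    for _title, authors in bibliography:
        # every pair of co-authors on one paper is linked
        for i, a in enumerate(authors):
            for b in authors[i + 1:]:
                add_edge(a, b, "co-author (DBLP)")
    return graph


def shortest_path(graph, start, goal):
    """Breadth-first search; returns the node list from start to goal, or None."""
    if start == goal:
        return [start]
    parents = {start: None}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        for neighbour in graph.get(node, {}):
            if neighbour in parents:
                continue
            parents[neighbour] = node
            if neighbour == goal:
                path = [goal]
                while parents[path[-1]] is not None:
                    path.append(parents[path[-1]])
                return path[::-1]
            queue.append(neighbour)
    return None


def explain(graph, path):
    """Turn a path into (person, relation, person) hops using the edge labels."""
    return [(path[i], graph[path[i]][path[i + 1]], path[i + 1])
            for i in range(len(path) - 1)]


def find_conflicts(graph, reviewers, authors, max_degree=2):
    """Return (reviewer, author, degree, path) for every pair within max_degree hops.

    Degree 1 is a hard conflict (friend or co-author). Degree 2 or more is the
    softer kind that is only visible once the two sources have been fused.
    """
    conflicts = []
    for reviewer in reviewers:
        for author in authors:
            path = shortest_path(graph, reviewer, author)
            if path is not None and 1 <= len(path) - 1 <= max_degree:
                conflicts.append((reviewer, author, len(path) - 1, path))
    return conflicts


if __name__ == "__main__":
    fused = build_graph(FOAF_KNOWS, BIBLIOGRAPHY)
    for reviewer, author, degree, path in find_conflicts(
            fused, ["alice", "dave", "heidi"], ["frank", "grace", "ivan"], max_degree=3):
        print(f"{reviewer} -> {author}: degree {degree}, via {explain(fused, path)}")
```

Running the FOAF data alone through `build_graph` finds no link from dave to grace; only the fused graph does, which is the point the article's "softer conflicts" remark makes.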
Friends cannot peer review each other's research papers, nor can people who have previously co-authored work together. So the team developed software that combined data from the RDF tags of online social network Friend of a Friend (www.foaf-project.org), where people simply outline who is in their circle of friends, and a semantically tagged commercial bibliographic database called DBLP, which lists the authors of computer science papers.

Joshi says their system found conflicts between potential reviewers and authors pitching papers for an internet conference. "It certainly made relationship finding between people much easier," Joshi says. "It picked up softer [non-obvious] conflicts we would not have seen before."

The technology will work in exactly the same way for intelligence and national security agencies and for financial dealings, such as detecting insider trading, the authors say. Linking "who knows who" with purchasing or bank records could highlight groups of terrorists, money launderers or blacklisted groups, says Sheth.

The NSA recently changed ARDA's name to the Disruptive Technology Office. The DTO's interest in online social network analysis echoes the Pentagon's controversial post 9/11 Total Information Awareness (TIA) initiative. That programme, designed to collect, track and analyse online data trails, was suspended after a public furore over privacy in 2002. But elements of the TIA were incorporated into the Pentagon's classified programme in the September 2003 Defense Appropriations Act.

Privacy groups worry that "automated intelligence profiling" could sully people's reputations or even lead to miscarriages of justice - especially since the data from social networking sites may often be inaccurate, untrue or incomplete, De Roure warns.

But Tim Finin, a colleague of Joshi's, thinks the spread of such technology is unstoppable. "Information is getting easier to merge, fuse and draw inferences from.
There is money to be made and control to be gained in doing so. And I don't see much that will stop it," he says.

Callas thinks people have to wise up to how much information about themselves they should divulge on public websites. It may sound obvious, he says, but being discreet is a big part of maintaining privacy. Time, perhaps, to hit the delete button.

From rforno at infowarrior.org Fri Jun 9 08:15:37 2006
From: rforno at infowarrior.org (Richard Forno)
Date: Fri, 09 Jun 2006 08:15:37 -0400
Subject: [Infowarrior] - The Great No-ID Airport Challenge
Message-ID:

The Great No-ID Airport Challenge
http://www.wired.com/news/technology/1,71115-0.html
By Ryan Singel
02:00 AM Jun, 09, 2006

SAN FRANCISCO -- Jim Harper left his hotel early Thursday morning at 5:30 a.m. to give himself more than two hours to clear security at San Francisco's International Airport.

It wasn't that he was worried the security line would be long, but because he accepted a dare from civil liberties rabble-rouser John Gilmore to test whether he could actually fly without showing identification.

Gilmore issued the challenge at Wednesday's meeting of the Homeland Security's privacy advisory committee in San Francisco, which otherwise lacked much in the way of controversy. An entrepreneur and co-founder of the Electronic Frontier Foundation, Gilmore recently lost a court battle seeking to unmask the government's secret regulations asking passengers to show identification when flying, and to have those rules declared unconstitutional.

Scolding the DHS committee for dithering over small matters, Gilmore said that it should be investigating the NSA's eavesdropping program and that the committee's real job was to "protect the homeland from mean-spirited officials."

Gilmore then dared committee members to place their driver's licenses in the envelopes he had passed out, mail them to their home addresses and then attempt to fly home without identification.
While signs in the airport and on the TSA website insist that showing ID is mandatory, the official policy, as revealed by the judges' decision (.pdf) in Gilmore's case, is that "airline passengers either present identification or be subjected to a more extensive search."

But Gilmore said that's not what really happens in an airport when one refuses to provide identification.

"You will find out what the real rules are," Gilmore said. "Are you afraid to? You have good reason."

Gilmore referred to his own experience when Southwest Airlines refused to let him fly in 2002 without identification, and a recent blog post by travel expert Edward Hasbrouck, chronicling his near-arrest for trying to figure out if the person checking identification at Washington Dulles was an airline or federal employee.

At the meeting's close, Harper, a committee member, said he'd take the challenge so long as he could hand his envelope to a reporter who accompanied him to the airport. He also challenged the other members to join him.

"We have influence," Harper said. "I challenge my colleagues to believe in the law."

None of the other committee members volunteered, but the committee's chair, former director of consumer protection for the Federal Trade Commission Howard Beales, gave Harper a tongue-in-cheek blessing.

"I wish Jim the best and hope to see you in the future," Beales said.

At 6:00 a.m. the next morning, Harper handed this reporter a green self-addressed stamped envelope and entered the checkpoint line, which even at that early hour was filled with travelers facing a 20 minute crawl to the magnetometers.

Harper told the identification checker he had no ID, and the attendant quickly wrote "No ID" with a red marker on his ticket and shunted him off to an extra screening line -- generously allowing him to bypass the longer queue of card-carrying passengers.
There Harper was directed into the belly of a GE EntryScan puffer machine which shot bits of air at his suit in order to see if he had been handling explosives. TSA employees wearing baby blue surgical gloves then swiped his Sidekick and his laptop for traces of explosives and searched through his carry-on, while a supervisor took his ticket, conferred with other employees and made a phone call.

Meanwhile, a TSA employee approached this reporter, who was watching the search through Plexiglas, and said, "It's pretty awkward you are standing here taking notes," but he did not ask for identification or call for a halt to the note-taking.

The TSA supervisor returned from her phone call and asked Harper why he didn't have identification and to where he was traveling. But she was satisfied enough with his answer -- that he had mailed his driver's license home to Washington D.C. -- that she allowed him to pass.

At 6:30 a.m., standing 50 yards away on the other side of the glass screen, Harper phoned to say he now had two hours to kill, having gotten through screening perhaps even faster than he would have if he'd shown ID. He guessed he was able to get through without much hassle by being polite and dressing well.

Why did he take the challenge?

"Part of it was my concern with the growing use of identification checks to control access to society, such as buildings, stadiums and air travel," Harper said, referring to issues that are central to his recently published book called Identity Crisis.

And will he do it again?

"Yeah, I'm inclined to do it more and more and hopefully more people will follow my lead and it will become a clear option to not show government ID to fly," Harper said. "My identity has nothing to do with the real risk. In fact, today, I'm the safest guy on the plane."
From rforno at infowarrior.org Fri Jun 9 10:33:34 2006
From: rforno at infowarrior.org (Richard Forno)
Date: Fri, 09 Jun 2006 10:33:34 -0400
Subject: [Infowarrior] - How Not to Get a Homeland Security Job
Message-ID:

Some Friday humor....rf

How Not to Get a Homeland Security Job

An experienced computer security professional I know recently interviewed for a position at the Department of Homeland Security....

< snip >

http://blog.wired.com/27BStroke6/index.blog?entry_id=1498202

From rforno at infowarrior.org Fri Jun 9 14:33:15 2006
From: rforno at infowarrior.org (Richard Forno)
Date: Fri, 09 Jun 2006 14:33:15 -0400
Subject: [Infowarrior] - Blizzard abandons DMCA threat over 'WoW' manual
Message-ID:

Blizzard abandons DMCA threat over 'WoW' manual
By Anne Broache
http://news.com.com/Blizzard+abandons+DMCA+threat+over+WoW+manual/2100-1043_3-6082135.html
Story last modified Fri Jun 09 11:27:26 PDT 2006

A Florida man who claimed he'd been unlawfully blocked from selling copies of his unofficial "World of Warcraft" guide by the wildly popular game's makers can resume his sales, owing to an out-of-court settlement reached Friday.

Brian Kopp, 24, had filed suit in March against California-based Blizzard Entertainment, parent company Vivendi Universal and the Entertainment Software Association (ESA). The complaint alleged that those organizations were wrong to order eBay to terminate auctions of his book, "The Ultimate World of Warcraft Leveling & Gold Guide," of which he had sold hundreds of copies at about $15 apiece since last August.

Alleging that the book violated intellectual-property laws, Blizzard, Vivendi and the ESA sent repeated take-down notices, provided for by the Digital Millennium Copyright Act (DMCA), to eBay. The auction giant's general policy is to halt auctions when it receives such notices and to suspend a user's account after it racks up a certain number of warnings.
Kopp routinely filed counternotices protesting the claims, according to his original court complaint (PDF) in California federal court. Because the companies never responded to those documents, eBay was free to reinstate Kopp's auctions, which it did. But the video game industry continued to issue takedown notices, the number of which grew high enough that eBay was forced to suspend Kopp's accounts under multiple usernames.

"It's pretty much the equivalent of showing up at your store one morning and finding your goods on the curb with nothing you can do about it," said Greg Beck, an attorney representing Kopp on behalf of advocacy group Public Citizen. "They get so many notices of claimed infringement that they can't investigate all claims."

The parties also threatened copyright and trademark infringement action against Kopp, which he disputed in his complaint. He argued that the book was in the clear because it presented a disclaimer on its first page about its unauthorized nature, contained no copyrighted text or storylines, and though it did use selected screen shots downloaded from a site unaffiliated with the video game's makers, those uses were "fair."

The terms of the settlement do not provide for monetary compensation for Kopp, which he had originally sought. Instead, the companies agreed to withdraw their previous take-down notices and to drop their infringement claims. They also said they'd refrain from filing any future takedown notices against the same items that Kopp had already disputed through counternotices.

Kopp, for his part, agreed to retain the book's disclaimers about its unofficial nature and said he wouldn't include links or instructions on how to locate "cheats" in the game.

Representatives from the video game industry were not immediately available for comment.
From rforno at infowarrior.org Fri Jun 9 14:37:56 2006
From: rforno at infowarrior.org (Richard Forno)
Date: Fri, 09 Jun 2006 14:37:56 -0400
Subject: [Infowarrior] - EFF Founder debates MPAA Chair
Message-ID:

Quoth John Perry Barlow, to MPAA's Dan Glickman:

"I've got good news and bad news and good news. And the good news is that you guys have managed to buy every major legislative body on the planet, and the courts are even with you. So you've done a great job there and you should congratulate yourself. But you know the problem is - the bad news is that you're up against a dedicated foe that is younger and smarter than you are and will be alive when you're dead. You're 55 years old and these kids are 17 and they're just smarter than you. So you're gonna lose that one."

< - >

http://news.bbc.co.uk/2/hi/programmes/newsnight/5064170.stm

From rforno at infowarrior.org Fri Jun 9 14:49:21 2006
From: rforno at infowarrior.org (Richard Forno)
Date: Fri, 09 Jun 2006 14:49:21 -0400
Subject: [Infowarrior] - Saturday protests @ Apple Stores against DRM
Message-ID:

Flash Mobbing Apple on Saturday, Why Apple?

Two weeks ago we launched DefectiveByDesign.org - the Campaign to Eliminate DRM - since then, more than 2000 technologists have joined us and taken the pledge to stop DRM through direct action. Now we are taking the campaign to a national stage in an effort to increase discussion of DRM.

This Saturday, June 10 at 10:30am (local time) Flash Mobs will gather in San Francisco, Seattle, Boston, Chicago, Long Island and New York converging on Apple stores to warn customers of the dangers of DRM in the iPod and iTunes.
< - >

http://defectivebydesign.org/node/95

From rforno at infowarrior.org Fri Jun 9 14:50:34 2006
From: rforno at infowarrior.org (Richard Forno)
Date: Fri, 09 Jun 2006 14:50:34 -0400
Subject: [Infowarrior] - Court Orders Wiretapping of the Internet
Message-ID:

Court Orders Wiretapping of the Internet
http://blog.wired.com/27BStroke6/#1498951

A divided appeals court ruled Friday that the FCC has the power to order broadband internet companies to make their networks wiretap friendly for law enforcement.

In a 2-1 decision (.pdf), the U.S. Circuit Court for the District of Columbia found that cable modem providers and other companies are subject to the Communications Assistance for Law Enforcement Act, or CALEA, the 1997 law that requires phone companies to put law enforcement backdoors in their switching networks.

The law explicitly exempts "information services," and the FCC has previously ruled, while interpreting the 1996 Telecommunications Act, that the internet is such a service. But the court accepted the FCC's argument that identical language can hold two completely different meanings when such a view is necessary to help law enforcement do its job.

"When I use a word," Humpty Dumpty said, in rather a scornful tone, "it means just what I choose it to mean -- neither more nor less."

"The question is," said Alice, "whether you can make words mean so many different things."

"The question is," said Humpty Dumpty, "which is to be master--that's all."

Oops. Sorry. That's not from the ruling. That's from Through the Looking Glass by Lewis Carroll. Here's an excerpt from the actual decision.

    CALEA's definition of "information service" is virtually identical to the one included in the 1996 Act ... Therefore, [the plaintiff] concludes broadband providers must fall within the ambit of CALEA's identical "information services" exclusion. Notwithstanding the superficial attractiveness of this argument, we disagree [...]
    CALEA -- unlike the 1996 Act -- is a law-enforcement statute.

Dissenting in the ruling is circuit judge Harry Edwards, who described the FCC's position as "gobbledygook" during oral arguments last May.

    In determining that broadband Internet providers are subject to CALEA as "telecommunications carriers," and not excluded pursuant to the "information services" exemption, the Commission apparently forgot to read the words of the statute. CALEA does not give the FCC unlimited authority to regulate every telecommunications service that might conceivably be used to assist law enforcement. Quite the contrary. ... It expressly states that the statute's assistance capability requirements "do not apply to [] information services." Broadband Internet is an "information service" -- indeed, the Commission does not dispute this. Therefore, broadband Internet providers are exempt from the substantive provisions of CALEA.

If the ruling stands, universities and broadband ISPs will be on the hook for an expensive retrofitting of their networks with surveillance gear, while law enforcement agencies will enjoy much quicker and easier access to information like a user's e-mail headers and the websites they visit, or -- with a court order -- a real time feed of the target's entire internet stream.

The plaintiff (the American Council on Education) could seek a review before a larger panel of judges. Eventually, the case is likely headed for the Supreme Court.

From rforno at infowarrior.org Fri Jun 9 21:59:27 2006
From: rforno at infowarrior.org (Richard Forno)
Date: Fri, 09 Jun 2006 21:59:27 -0400
Subject: [Infowarrior] - Microsoft to ease up on piracy check-ins
Message-ID:

Microsoft to ease up on piracy check-ins
By Joris Evers
http://news.com.com/Microsoft+to+ease+up+on+piracy+check-ins/2100-7348_3-6082334.html
Story last modified Fri Jun 09 14:17:39 PDT 2006

Microsoft is cutting the cord on its antipiracy tool.
The software maker this month plans to update the Windows Genuine Advantage Notifications program so that it only checks in with Microsoft once every two weeks, instead of after each boot-up, a company representative said Friday. By year's end, the tool will stop pinging Microsoft altogether, the representative said.

The changes come after a critic likened the antipiracy tool to spyware. He found that the program, designed to validate whether a copy of Windows has been legitimately acquired, checks in with Microsoft on a daily basis. Microsoft did not disclose in any of its documentation that the application would phone home.

Microsoft earlier this week had vowed to better disclose the actions of WGA Notifications. Now the company says it will gradually let go of the program once it is installed on Windows PCs.

"We are changing this feature to only check for a new settings file every 14 days," Microsoft said in a statement on its Web site. "Also, this feature will be disabled when WGA Notifications launches worldwide later this year."

No meaningful data is exchanged during the check-in with Microsoft, the software maker said. Unlike the initial validation, which sends system information to Microsoft, the check-in operation is limited to the download of the new settings file, the company said.

Microsoft launched WGA in September 2004 and has gradually expanded the antipiracy program. It now requires validation before Windows users can download additional Microsoft software, such as Windows Media Player and Windows Defender. Validation is not required for security fixes.

Originally, people had to validate their Windows installation only when downloading additional Microsoft software. Since November last year, however, Microsoft has been pushing out the WGA Notifications tool along with security updates to people in a number of countries, including the U.S.
The first time that users run WGA Validation to check if their Windows version is genuine, the information sent to Microsoft is the Windows XP product key, PC maker, operating system version, PC BIOS information and the user's local setting and language. Microsoft discloses in the WGA tool license that this information is being sent.

Copyright ©1995-2006 CNET Networks, Inc. All rights reserved.

From rforno at infowarrior.org Fri Jun 9 22:00:49 2006
From: rforno at infowarrior.org (Richard Forno)
Date: Fri, 09 Jun 2006 22:00:49 -0400
Subject: [Infowarrior] - Data on nuclear agency workers hacked: lawmaker
Message-ID:

Data on nuclear agency workers hacked: lawmaker
Fri Jun 9, 2006 7:57 PM ET
http://tinyurl.com/pvtre
By Chris Baltimore

WASHINGTON (Reuters) - A computer hacker got into the U.S. agency that guards the country's nuclear weapons stockpile and stole the personal records of at least 1,500 employees and contractors, a senior U.S. lawmaker said on Friday.

The target of the hacker, the National Nuclear Safety Administration, is the latest agency to reveal that sensitive private information about government workers was stolen.

The incident happened last September but top Energy Department officials were not told about it until this week, prompting the chairman of the House of Representatives Energy and Commerce Committee to demand the resignation of the head of the NNSA.

An NNSA spokesman was not available for comment. The NNSA is a semi-autonomous arm of the Energy Department and also guards some of the U.S. military's nuclear secrets and responds to global nuclear and radiological emergencies.

Committee chairman Rep. Joe Barton said NNSA Administrator Linton Brooks should be "removed from your office as expeditiously as possible" because he did not quickly notify senior Energy Department officials of the breach.

"And I mean like 5 o'clock this afternoon if it's possible," Barton, a Texas Republican, said in a statement.
Earlier this week the Pentagon revealed that personal information on about 2.2 million active-duty, National Guard and Reserve troops was stolen last month from a government employee's house. That comes on top of the theft of data on 26.5 million U.S. military veterans, the Department of Veterans Affairs has said.

A spokesman for Energy Secretary Sam Bodman declined comment on the call for Brooks' resignation but said the secretary was "deeply disturbed about the way this was handled internally" and would make it a priority to notify workers about the lapse.

The "vast majority" of those workers were contractors, not direct government employees, said the spokesman Craig Stevens.

According to Barton, the NNSA chief knew about the incident soon after it happened in September but did not inform Energy Department officials, including Bodman, until Wednesday.

"I don't see how you could meet with (Bodman) every day the last seven or eight months and not inform him," Barton said. He said Brooks cited "bureaucratic confusion" to explain the reporting lapse.

"It appears that each side of that organization assumed that the other side had made the appropriate notification," Brooks told the House energy panel's oversight and investigations subcommittee, according to a record provided by Barton's office.

"Just as the secretary just learned about this week, I learned this week that the secretary didn't know," Brooks said. "There are a number of us who in hindsight should have done things differently on informing."

© Reuters 2006. All rights reserved.
From rforno at infowarrior.org Fri Jun 9 22:10:21 2006
From: rforno at infowarrior.org (Richard Forno)
Date: Fri, 09 Jun 2006 22:10:21 -0400
Subject: [Infowarrior] - Amnesty for NSA surveillance?
Message-ID:

Frankly, I think Specter's "compromise" bill is a sellout. My cynical two cents from this WaPo article follow.

> The new proposal specifies that it cannot "be construed to limit the
> constitutional authority of the President to gather foreign intelligence
> information or monitor the activities and communications of any person
> reasonably believed to be associated with a foreign enemy of the United
> States."

Translation: Don't try to limit executive powers. Winner: White House.

> Another part of the Specter bill would grant blanket amnesty to anyone who
> authorized warrantless surveillance under presidential authority, a provision
> that seems to ensure that no one would be held criminally liable if the
> current program is found illegal under present law.

Translation: We're pretty sure we're okay, but if somehow this turns out to be illegal, please make sure everyone involved is legally covered just in case we overstepped our legal authorities. Winner: White House

> A third provision would consolidate the 29 cases that have been filed in
> various federal district courts challenging the legality of the NSA program
> and give jurisdiction over them to the Foreign Intelligence Surveillance Court
> of Review, which was established by FISA. Any decision of that court would be
> subject to Supreme Court review and otherwise would be binding on all other
> courts.

Translation: Let's minimize the potential that one or more of the 29 cases filed will go against the Administration.
Winner: White House

< - >

http://www.washingtonpost.com/wp-dyn/content/article/2006/06/08/AR2006060801992_pf.html

From rforno at infowarrior.org Sat Jun 10 09:28:25 2006
From: rforno at infowarrior.org (Richard Forno)
Date: Sat, 10 Jun 2006 09:28:25 -0400
Subject: [Infowarrior] - Craigslist is Being Blocked by Cox Interactive?
Message-ID:

Craigslist is Being Blocked by Cox Interactive
From Silicon Valley Watcher, June 9, 2006
By Tom Foremski
http://www.freepress.net/news/print.php?id=15953

Is this what the loss of net neutrality will bring?

An SVW reader left this tip:

"I use Cox cable internet, Cox's media empire printed classifieds is one of their big revenue drivers. Guess what? If you try to access Craigslist over Cox Cable internet, its nearly impossible! It appears that they throttle access to craigslist - as a matter of fact there have been a zillion complaints but hey, who can blame Cox? They're trying to stop the opening cap in their money dam! Maybe you should investigate this tip further. Cheers."

I did investigate further, I walked out of my apartment and across Alamo Square and popped in on Jim Buckmaster, the CEO of Craigslist. Jim was just getting back from work and I spoke with Susan Best, publicist for Craigslist.

Susan said they have known about the problem with Cox. Jim soon arrived and said the problem of access had been going on since late February. It had something to do with the security software that Cox is using from a company called Authentium. Cox has been collaborating with Authentium since April 2005 to develop the security software suite.

Back on February 23rd Authentium acknowledged that their software is blocking Craigslist but it still hasn't fixed the problem, more than three months later. That's a heck of a long time to delete some text from their blacklist. And this company also supplies security software to other large ISPs.
Craigslist has approached Authentium several times to get it to stop blocking access by Cox internet users but it has been unresponsive.

Jim wasn't aware that Cox had its own classified ads service. "That changes things," he said.

This situation does not look good in the context of the net neutrality debate. This is exactly the kind of scenario that many people are concerned about, that the cable companies and the telcos will make it difficult for their internet users to access competing services.

Here are Craigslist's system reports: If you scroll down you can see the Cox problem, and there are quite a few problems with others too: email with SBC, and also with Yahoo and BT Internet. Are those problems also related to the telcos using software that discriminates against Craigslist?

Some more related links:

From Newspapers and Technology: Cox papers adding interactive features to classifieds Sept 2005

Take a look at this story about Cox refusing to run AP video. Is it fighting for open standards or is it fighting off a competitor with a poor revenue split?

From Mark Glaser's MediaShift: Cox Newspapers Says No to AP Video

Are the telcos funding an online campaign against net neutrality? Take a look at this recent post from Mark Glaser's MediaShift: Bloggers Must Be Vigilant Against Astroturf Comments

This article is from Silicon Valley Watcher. If you found it informative and valuable, we strongly encourage you to visit their website and register an account to view all their articles on the web. Support quality journalism.

From rforno at infowarrior.org Sun Jun 11 02:51:08 2006
From: rforno at infowarrior.org (Richard Forno)
Date: Sun, 11 Jun 2006 02:51:08 -0400
Subject: [Infowarrior] - FW: [Dataloss] VA Notification Letter
In-Reply-To:
Message-ID:

Regarding the VA privacy fiasco these days.
-rf ------ Forwarded Message From: lyger Date: Sat, 10 Jun 2006 21:43:45 -0400 (EDT) Scanned copy of the Department of Veteran Affairs notification letter: http://attrition.org/errata/dataloss/VA_letter.jpg http://attrition.org/errata/dataloss/VA_Help_Sheet_1.jpg http://attrition.org/errata/dataloss/VA_Help_Sheet_2.jpg _______________________________________________ Dataloss Mailing List (dataloss at attrition.org) http://attrition.org/errata/dataloss/ ------ End of Forwarded Message

From rforno at infowarrior.org Sun Jun 11 15:00:11 2006 From: rforno at infowarrior.org (Richard Forno) Date: Sun, 11 Jun 2006 15:00:11 -0400 Subject: [Infowarrior] - Public Secrets Message-ID:

Public Secrets http://www.washingtonpost.com/wp-dyn/content/article/2006/06/09/AR2006060901976_pf.html By Robert G. Kaiser Sunday, June 11, 2006; B01

Why does The Washington Post willingly publish "classified" information affecting national security? Should Post journalists and others who reveal the government's secrets be subject to criminal prosecution for doing so? These questions, raised with new urgency of late, deserve careful answers. There's a reason why we're hearing these questions now. We live in tense times. The country is anxious about war and terrorism. Washington is more sharply divided along ideological lines than at any time since I came to work at The Post in 1963. The Bush administration has unabashedly sought to enhance the powers of the executive branch as it wages what it calls a "war on terror," many of whose components are classified secrets. These are new circumstances, but to a reporter who has been watching the contest between press and government for four decades, what isn't new here seems more significant than what is. What isn't new is a government trying to hide its activities from the public, and a press trying to find out what is being hidden.
Thanks to resourceful reporters, we have learned a great deal about the war that the administration apparently never intended to reveal: that the CIA never could assure the White House that Saddam Hussein's Iraq actually had weapons of mass destruction; that U.S. forces egregiously abused prisoners at Abu Ghraib; that the United States had a policy of rendering terrorism suspects to countries such as Egypt and Jordan where torture is commonplace; that the United States established secret prisons in Eastern Europe for terrorism suspects; that the National Security Agency was eavesdropping without warrants on the phone calls of countless Americans, as well as keeping track of whom Americans called from home and work. You may have been shocked by these revelations, or not at all disturbed by them, but would you have preferred not to know them at all? If a war is being waged in America's name, shouldn't Americans understand how it is being waged? Secrecy and security are not the same. On this point, Exhibit A for journalists here at The Post is the 1971 Pentagon Papers case. The Pentagon Papers were a top-secret history of the Vietnam War written inside the Pentagon and leaked to the New York Times and then The Post. Top-secret means a document is so sensitive that its revelation could cause "exceptionally grave damage to the national security." The Nixon administration was in power, and it went to court to block publication on grounds that revealing this history would endanger the nation. A court in New York enjoined the two papers from publishing the information for several days. But the Supreme Court decided, 6 to 3, that the government had failed to make a case that overrode the constitutional bias in favor of publication. The man who argued the case was Solicitor General Erwin N. Griswold. 
Eighteen years later, Griswold wrote a confession for the op-ed page of this newspaper: "I have never seen any trace of a threat to the national security from the publication [of the Papers]. Indeed, I have never seen it even suggested that there was such an actual threat." There have been many more. In 1986, William Casey, then the director of central intelligence, threatened The Post with legal action if we disclosed an intelligence-gathering operation code-named Ivy Bells. "There's no way you can run that story without endangering the national security," Casey ominously warned Ben Bradlee, The Post's executive editor at the time. But it turned out that when Casey issued this warning, the Soviet Union had already learned about Ivy Bells from its spy Ronald Pelton; because of Pelton, the Soviets had captured the hardware that had allowed the United States to listen to Soviet naval communications. So in reality we proposed to publish old news. But Casey had intimidated us; even after learning that the Soviets knew the secret, we equivocated for weeks. Finally, NBC News scooped us on our own story, then we published our version. As the editor supervising preparation of the story, I was humiliated; I also learned a good lesson. Another aspect of our experience colors our reactions to various officials' complaints about our reporting on classified information. If you relied on the public comments of members of Congress or the example of the Pentagon Papers, you might conclude that we get these stories simply because some disgruntled employee decides to "leak" them to us. In fact, this is a rare occurrence. The image of the rogue leaker was promoted again this spring when the CIA fired a senior officer named Mary McCarthy while anonymous official sources passed the word that she had been a source of Post reporter Dana Priest's Pulitzer Prize-winning scoop disclosing secret CIA prisons in Eastern Europe. 
McCarthy's lawyer has flatly denied this, saying she never knew about the prisons before Priest published her article. I am not going to disclose Priest's sources (I don't know who they were), but I do know there were many of them. I know that she traveled extensively to report the story. I know that her article, like virtually all the best investigative reporting on sensitive subjects that we publish, was assembled like a Lego skyscraper, brick by brick. Often the sources who help reporters with this difficult task don't even realize that they have contributed a brick or two to the construction. Typically, many of the sources who contribute know only a sliver of the story themselves. A good reporter such as Priest can spend weeks or months on a single story, looking for those bricks. I want to add, immodestly, that The Post's record on stories of this kind is good. I don't know of a single case when the paper had to retract or correct an important story containing classified information. Nor do I know of a case when we compromised a secret government program, or put someone's life in danger, or gave an enemy significant assistance. These are the criteria we generally use when evaluating a report based on classified information. Editors here spend long hours on these stories. We never rush them into print; our lawyers usually read them along with editors. We publish news we think is important, which is usually easy to recognize. We always ask the administration of the day to comment on sensitive stories, knowing that we may be inviting efforts to dissuade us from publication. This happened in the case of Priest's story on the secret prisons. The Bush administration asked Leonard Downie Jr., our executive editor, not to mention the names of the countries in which these prisons were located, on grounds that naming them could disrupt important intelligence relationships. 
He agreed, in part because "naming the countries wasn't necessary for American readers," he said later. But Downie rejected the suggestion that he kill the story altogether. "It raised important issues for American voters about how their country was treating prisoners, and it raised significant civil liberties issues," he said. Journalists are inclined to publish what we learn -- that's our job. But we don't assert that the government has no right to keep secrets. On the contrary, we have probably helped the government keep secrets more often than we should have. But we exercise common sense, and seek guidance from knowledgeable people when we're uncertain. We avoid the gratuitous revelation of secrets. If we learn next week that the United States has found Osama bin Laden's hiding place, you are unlikely to read a story about it here before the government takes some action. The American experiment is an experiment in self-government. The Founders established Americans' right to govern themselves. Abuse of government power was their abiding concern. The Founders saw a free press as a tool to control the abuse of power, which is why they gave the press special protection in the First Amendment to the Constitution: "Congress shall make no law . . . abridging the freedom . . . of the press." The history of the First Amendment makes clear why the Founders embraced it. Consider, for example, an early draft of the journalist's favorite provision offered to the Constitutional Convention by James Madison: "The people shall not be deprived or abridged of their right to speak, to write, or to publish their sentiments, and the freedom of the press, as one of the great bulwarks of liberty, shall be inviolable." Information is the bulwark Madison had in mind. The people had to know what the government was doing in their name to be able to respond like good citizens. Accountability is only possible when citizens, including members of Congress, know what is going on.
None of us has ever been held accountable for an act no one knew we committed. Self-government and self-defense are two values that don't always coexist easily -- they have to be balanced. But balance is the Founders' greatest gift. They gave us three branches of government to prevent any one from getting an upper hand. And they gave us a free press, a completely independent observer to keep the people informed about the doings of the other three. Once we understand the need for balance, it follows logically that no single authority should be able to decide what information should reach the public. Some readers ask us why the president's decisions on how best to protect the nation shouldn't govern us, and specifically our choices of what to publish. The answer is that in the American system of checks and balances, the president cannot be allowed to decide what the voters need to know to hold him accountable. A king may have such power, but the elected executive of a republic cannot, or we will have no more republic. Labeling something "classified" or important to "national security" does not make it so. The government overclassifies with abandon. And the definition of "national security" is elusive. Some politicians act as though revealing any classified information threatens our nation's security, but that seems preposterous. The Bush administration has been publicly toying with the idea of using the Espionage Act, passed by Congress in 1917 when the country was swept up in an emotional response to our entry into World War I, to prosecute journalists for disclosing classified information. The legislative history of the act convinces me that its authors never intended for it to be used to censor the press, and since World War I it has never been used for that purpose. Numerous legal scholars from right to left say that doing so would violate the First Amendment. But Attorney General Alberto R. 
Gonzales said recently that invoking the Espionage Act against the press "is a possibility." I heard Gonzales's remark as an attempt at intimidation. Intimidation by classification already seems to be a hallmark of this administration, which has created classified secrets at an unprecedented pace -- 14 million in fiscal 2005, compared with 8 million in 2001, according to the National Archives. The Bush administration has encouraged the use of more than 60 new categories ("sensitive but unclassified," for example) to control the distribution of millions more facts and documents. Steven Aftergood, who works on classification issues for the Federation of American Scientists, calls the administration's approach to secrets "a cultivation of fear as a policy driver." He adds: "We are being told that nothing is more important than the external threat that confronts us, and nothing is more valuable than security in the face of that threat." Aftergood calls this "craven, and an insult to the millions of Americans who have given their lives to defend this country." For the Founders, the issue was freedom and how best to secure it. Addressing that point in his Pentagon Papers opinion, Justice Hugo Black captured the spirit that animates my profession in just two sentences: "The government's power to censor the press was abolished [by the First Amendment] so that the press would remain forever free to censure the government. The press was protected so that it could bare the secrets of government and inform the people." robertgkaiser at yahoo.com Robert G. Kaiser is an associate editor of The Washington Post. He served as the paper's managing editor from 1991 to 1998. From rforno at infowarrior.org Sun Jun 11 18:17:12 2006 From: rforno at infowarrior.org (Richard Forno) Date: Sun, 11 Jun 2006 18:17:12 -0400 Subject: [Infowarrior] - Marketing email question Message-ID: > We are happy to remove your name from our e-mail list. 
> Please be aware that it may take up to 10 business days to remove your name. > We apologize if you receive additional e-mails in the meantime.

Why does every site tell you it will take 7-14 days to remove you from their mailing lists --- that makes no sense to me. Does it to you? -rick

From rforno at infowarrior.org Sun Jun 11 19:43:21 2006 From: rforno at infowarrior.org (Richard Forno) Date: Sun, 11 Jun 2006 19:43:21 -0400 Subject: [Infowarrior] - Microsoft's Calling Home Problem: It's a Matter of Informed Consent Message-ID:

Microsoft's Calling Home Problem: It's a Matter of Informed Consent Sunday, June 11 2006 @ 11:18 AM EDT http://www.groklaw.net/article.php?story=20060608002958907

No doubt many of you saw on Slashdot the article "Microsoft Talks Daily With Your Computer" or in Steven J. Vaughan-Nichols's article for eWeek titled, Big Microsoft Brother, about allegations that Microsoft's Windows Genuine Advantage validation tool phones home daily to report information to Microsoft about you on each boot. Lauren Weinstein broke the story on his blog. Microsoft has now put out a statement, asserting that the Windows Genuine Advantage tool is not spyware, that they're going to change it some, and that one thing that distinguishes it from spyware is that they get consent before installing it. I question the accuracy of the statement. David Berlind did a fabulous job of discovering that in fact the tool has two parts, one of which is new, the Notification part, as you can see in his helpful series of screenshots. First, he explains how the applications actually work. His research indicated to him that Microsoft asks permission for only one of the two, but the wrong one. I think it's muddier even than that, after reading the EULA. Thanks to Berlind's work, I see a legal problem with consent, which I noticed by reading the EULA. I also see a problem with the statement Microsoft has issued with regard to what information it collects.
And something in the EULA needs to be explained, because it doesn't match Microsoft's statement. Let me explain. Vaughan-Nichols lists the information Microsoft says it is collecting, which matches the Microsoft statement's list: Now, when you use Windows Genuine Advantage for the first time, it gathers up, Microsoft tells us, and it will grab your PC's XP product key, PC manufacturer, operating system version, PC BIOS information and user locale setting and language. Nothing at all, Microsoft assures us, that could identify us or what programs we use, or anything like that. No siree. No chance of that. Microsoft actually collects more information than that. I have some additional details I found on Microsoft's own website that I thought you'd want to know. Let's look at what Microsoft currently tells customers about the validation tool and what information it collects:

Information collected during validation

Q: What information is collected from my computer?

A: The genuine validation process will collect information about your system to determine if your Microsoft software is genuine. This process does not collect or send any information that can be used to identify you or contact you. The only information collected in the validation process is:

* Windows product key
* PC manufacturer
* Operating System version
* PID/SID
* BIOS information (make, version, date)
* BIOS MD5 Checksum
* User locale (language setting for displaying Windows)
* System locale (language version of the operating system)
* Office product key (if validating Office)
* Hard drive serial number

Q: How does Microsoft use this information?

A: The information serves three purposes:

* It provides Web page flow, tailoring the pages you see based on your responses.
* It conveys demographics, which help Microsoft to understand regional differences in Windows or Office usage.
* It confirms user input.
User input is often compared against data collected from the PC in order to determine whether to grant a user's request for additional access. I think we can discount those three items as being the purpose behind taking in our hard drive serial numbers. Microsoft is not checking our hard drive serial numbers to provide web page flow, convey usage demographics, or confirm user input, unless they are also perusing the contents of our hard drives, which they claim they are not. Of course, once they are inside your computer, there's really nothing much stopping them, if they felt like it. So why does Microsoft collect information like that and what are they doing with it? The above statement surely isn't all. They don't need such information about you as your hard drive's serial number, the company that built your computer, what language you use, PID/SID, BIOS information with an MD5 checksum, and where you are located to do any of the three things they say they are doing it for. Obviously, they are checking to know if you are a pirate, and they should say so straightforwardly. But does Microsoft need your hard drive serial number to know if you are a pirate? If you change it, is it any of Microsoft's business? Did they sell you that hard drive? But my point is, it's not mentioned in the EULA at all, so I don't see consent having been given. But it gets worse. Here's part of what Lauren Weinstein wrote about his discovery in his blog entry on June 5th: It appears that even on such systems, the MS tool will now attempt to contact Microsoft over the Internet *every time you boot*.... The connections occur even if you do not have Windows "automatic update" enabled. I do not know what data is being sent to MS or is being received during these connections. I cannot locate any information in the MS descriptions to indicate that the tool would notify MS each time I booted a valid system.
I fail to see where Microsoft has a "need to know" for this data after a system's validity has already been established, and there may clearly be organizations with security concerns regarding the communication of boot-time information. I'll leave it to the spyware experts to make a formal determination as to whether this behavior actually qualifies the tool as spyware. Shortly thereafter, he was contacted by Microsoft and so he had a chance to ask his questions, and he tells what happened next in his blog entry for June 6: Why is the new version of the validity tool trying to communicate with MS at every boot? The MS officials tell me that at this time the connections are to provide an emergency "escape" mechanism to allow MS to disable the validation tool if it were to malfunction.... I was told that no information is sent from the PC to MS during these connections in their current modality, though MS does receive IP address and date/timestamp data relating to systems' booting and continued operations, which MS would not necessarily otherwise be receiving. Apparently these transactions will also occur once a day if systems are kept booted, though MS intends to ramp that frequency back (initially I believe to once every two weeks) with an update in the near future. Further down the line, the connections would be used differently, to provide checks against the current validation revocation list at intervals (e.g., every 90 days) via MS, even if the user never accessed the Windows Update site directly. Oh, excellent. So they get your IP address too, and date/timestamp data "relating to systems' booting and continued operations". No way to contact customers, eh? No information sent? In what way is this not spyware? I am reminded of what the gentleman from Homeland Security said after the Sony rootkit was revealed: yes, it's your intellectual property; it's not your computer. (video.)
Again, there is nothing in the EULA that gets your consent for that information to be collected that I can find. Microsoft, of course, says it is not spyware, and this is one of their statements explaining their point of view, from Berlind's article: "Broadly speaking, spyware is deceptive software that is installed on a user's computer without the user's consent and has some malicious purpose. WGA is installed with the consent of the user and seeks only to notify the user if a proper license is not in place. WGA is not spyware." Now, as we've already seen, they didn't clearly notify customers that they were installing something that calls home daily, by their own acknowledgment. Here's what their website says about the ease of the validation process: Q: Is genuine Windows validation a one-time process? A: We've designed validation to be as easy as possible. Validation itself just takes a moment. The lengthiest part of the process is downloading the ActiveX control that performs validation. The ActiveX control is downloaded on the first validation and when a new version is available from Microsoft. So, while it's not a one-time process, it is still quick and easy. Aside from breaking out in hives at the thought of having ActiveX running constantly on my computer, is this a clear description of how often it checks? Does it even indicate? How often does Microsoft release a new version? Daily? Weekly? Microsoft's statement distinguishes between the two tools: Q: What information is collected in this check? Is Microsoft collecting Personally Identifiable Information? A: Other than standard server log information, no information is collected. Unlike validation, which sends system information to Microsoft, this operation is limited to the download of the new settings file. No additional information is sent to Microsoft. Q: Why were customers not told that their PCs would periodically check in with Microsoft?
A: Microsoft strives to maintain the highest standards in our business conduct and meet our customers' expectations. We concentrated our disclosure on the critical validation step that would occur when validating through WGA. Not specifically including information on the periodic check was an oversight. We believe that being transparent and upfront with our customers is very important and have updated our FAQ accordingly. We have gone to great lengths to document any time a Microsoft product connects with Microsoft servers and will continue to do so. For example, we published a white paper that covers the topic of connecting with Microsoft Servers in Windows XP SP2. It is located at http://www.microsoft.com/technet/prodtechnol/winxppro/maintain/intmgmt/download.mspx I understand that to be saying that the validation tool collects information about the computer, but the new notification tool does not, that it only checks to see if you should be sent a notice that you are not running validly licensed software. But if you think about it, that is the same as saying that it is checking every day on your validation, so the statement on their website about checking only once and then again when a new system is released isn't matching this information. And remember what they told Weinstein: "MS does receive IP address and date/timestamp data relating to systems' booting and continued operations, which MS would not necessarily otherwise be receiving." Berlind was the one who noticed that there are actually two tools, and the Validation tool never asks consent before installation. The Notification tool does, but without telling you that what you are downloading will be calling home daily. The notion of informed consent is that you have to know what you are saying yes to, and the party asking for your consent has an obligation to tell you the things you need to know to make an informed decision.
A hospital, for example, can't get your consent to try a new, untested drug without telling you that it is new, untested, that you are a guinea pig, and exactly what the risks are and what your choices are. And if you refuse treatment, it can't force you to take the drug. And your doctor can't remove your gall bladder while doing surgery on your appendix, just because he notices a tumor in the gall bladder. Why not? Because that is battery, if he didn't get your prior consent to remove your gall bladder. You might wish to treat the tumor a different way, after all. Motive doesn't matter. There is no, "I was only trying to help" excuse. It's your right to say yes or no, because it's your body and medicine isn't a field where one has sufficient certainty to determine in advance if a certain treatment is or isn't going to work. What about Microsoft's statement that it isn't spyware because it has no malicious purpose? First, I don't think spyware has to have a malicious purpose to be spyware. That's Microsoft's definition, but spyware companies no doubt would object. And that's also taking Microsoft's word for their good purposes. We don't actually know what they do with the information. There's no way to check. Do they store it? I'm sure they must. And let's face it, "malicious purpose" depends on where you are standing, doesn't it? Did Sony's rootkit have a malicious purpose? Or was its purpose very much like Microsoft's here? The "content industry" has gotten so used to waxing indignant about the harm being done to them by piracy, and getting laws to suit, that they now, evidently, believe that anything they do to reduce or prevent piracy is acceptable. It's not. My computer is mine, not Microsoft's. But what purpose does Microsoft have? They tell us that their purpose is to notify the user if a proper license is not in place. Why would the user care if they are running a validly licensed copy of the software? 
Does this have anything at all to do with an "improved" experience for them? I suppose they care because Microsoft holds back updates unless they agree. But if you look at the screenshots Berlind took, you'll see something else that doesn't seem so straightforward. The notice you get to prompt you to download and install the tools describes it as "updates," not new installations, which would lead a customer to believe that he already has the tool on his computer and just needs to tweak it. The Notification part is labeled "high priority updates", which would lead me to think that I really needed it to be safe. Microsoft says this is what it's for: The Windows Genuine Advantage Notification tool notifies you if your copy of Windows is not genuine. If your system is found to be non-genuine, the tool will help you obtain a licensed copy of Windows. Here's the screenshot Berlind took of what you see if you try to update without already having the Windows Genuine Advantage tool in place, although they don't mention it by name at the starting gate, which is devious enough for me right there. [Update: A reader tells me that Berlind missed a tiny Details link, which he says would have provided more information. I have asked him to send me a screenshot.] If you agree, and who wouldn't, given the description, the next thing you see is your first mention of the Validation tool, but it is already downloading. That isn't consent, let alone informed consent. It is actually a little more complex, as you can see beginning in the explanation of this screenshot. After you "successfully update" your computer with the Validator tool, if you click Continue, you get your notice of another vital update, the Notification tool. Notice you can't uninstall it, under the terms of the EULA, nor can you "test the software in a live operating environment unless Microsoft permits you to do so under another agreement." 
You do get a notice, very vague, about consent but only after the Validator tool is already installed, which raises the question of what happens if you say no? Berlind clicked yes all the way through, so I don't know because there is no way in the world I would put my computer through this. Here's part of the language of the "consent": Consent for Internet-Based Services. The software feature described below connects to Microsoft or service provider computer systems over the Internet. In some cases, you will not receive a separate notice when they connect. You may switch off this feature or not use it. Now, I have read a lot of contracts in my time, as part of my job, and I have no idea what this is saying. Are they saying I can switch off the daily notification? Or that I don't have to install it in the first place? Or is it talking about the "in some cases" feature whereby I don't get notice? Clearly folks have not been getting notices of the daily contact with Microsoft's servers, so what "services" is Microsoft talking about? Does the user need to know its license is valid every single day? What is Microsoft expecting to happen in 24 hours, after it first checks that a license is in place and valid? And why does Microsoft need to check every day? Obviously, they don't, because they've said they intend to cut back to every 14 days, and then, oddly, they say that once the beta test is over -- and that's another issue, Microsoft installing beta software for you to test for them without making it clear until it is already downloading that it is "Beta PreRelease" software (see the last Berlind screenshot) -- they will end the daily phoning home, according to InformationWeek: The company plans to change the settings of the application in its next release, so that it dials in to Microsoft every two weeks, the spokeswoman said. The call-in feature would be disabled permanently when the program is generally available worldwide later this year.
That actually worries me even more. Why do they need it now but they won't once the software is available worldwide? Have they got something even more effective coming next? Perhaps they will say it's because once it isn't beta, then they won't need to maybe turn it off. All right. But surely they don't intend to stop validating, and that's the tool that sends Microsoft all the personal information about you, so I find their statement misleading, in that it talks about the notification component, which doesn't, they claim, send any info about you to them, rather than the validation part, which certainly does. People aren't just disturbed about the tool calling home; they are concerned about what the conversation includes. That brings me to the problem I see in the EULA. Before I explain, some of you might like to know how to get rid of it. Here is what Rob Pegoraro in The Washington Post says: Notifications also looks for new instructions from Microsoft every day. The company says these daily checks (which it plans to slow to once every 14 days) let it adjust the program's behavior if problems arise. That raises an alarming point: Notifications is pre-release software, tested without users' consent. Worse yet, Notifications -- unlike other Microsoft updates -- cannot be uninstalled. (You can, however, erase it by restoring your PC back to its condition before Notifications' install: From the Start Menu, select All Programs, then Accessories, then System Tools, then System Restore.) Microsoft is out of line here. The Notifications program is not the kind of critical update that should be installed automatically, much less excluded from uninstallation. And if people respond to this intrusive behavior by turning off automatic updates -- thus severing their PCs from the Microsoft patches they do need -- the already-bad state of Windows security can only get worse.
Actually it already is worse, because even if you turn off automatic updates, the notification tool continues to run. So, what about the EULA? Let's take a look at it. First, as Berlind so ably demonstrates, you are asked to consent to the notification tool, but not to the validation tool, which is the part that, according to Microsoft's statement, is the tool that sends them information about you and your computer. That's a hole in the consent process right there. That's the same as saying that you never gave consent for your information to be sent, or only after the fact. You are presented with this EULA only when you are considering whether to install the Notification tool. But it's more complicated, because the EULA you are presented with -- and remember that the notification tool only recently was offered, as of April 24, according to Microsoft's statement -- describes the validation tool's actions, at least according to what Microsoft is telling us. My question is, what was the EULA like before? When did you first see it? And my next question is, if you say no to the EULA, and you don't install the Notification tool, have you ever said yes to the Validation tool? On what terms? Here's Microsoft's description of the two, from the statement: The WGA program consists of two major components, WGA Validation and WGA Notifications. Validation determines whether the copy of Windows XP installed on a PC is genuine and licensed. WGA Notifications reminds users who fail validation that they are not running genuine Windows and directs them to resources to learn more about the benefits of using genuine Windows software. They ask for your consent regarding the notification installation only, but it seems as if the EULA is intended to cover both tools, in which case they only ask for consent after the Validation tool is already installed. 
Here's what Microsoft says the Notification tool does: Recent public discussions about WGA Notifications have raised questions about its operation. Shortly after logon, WGA Notifications checks whether a newer settings file is available and downloads the file if one is found. The settings file provides Microsoft with the ability to update how often reminders are displayed and to disable the program if necessary during the test period. This functionality enables Microsoft to respond quickly to feedback to improve the customer's experience. Unlike validation, which sends system information to Microsoft, this operation is limited to the download of the new settings file. No additional information is sent to Microsoft. There have been some questions on this issue, and Microsoft is working to more effectively communicate details of this feature to the public. Just telling the truth would work. I think it's obvious no customer wants this software, Microsoft knows that, and so they tried to finesse it so as to get customers to agree to install it. And now they've been caught, just like Sony. Do you remember the time lag after that story broke, before Microsoft would say anything condemnatory? Now we probably know why. Berlind notices issues remaining after Microsoft's statement. I would only add the following about the EULA: it isn't just a matter of timing, of when you get asked for consent. It's a matter of what you are asked to consent to. From the EULA: This software is a pre-release version of the software intended to update the technological measures in Windows XP which are designed to prevent unlicensed use of Windows XP. By using the software, you accept these terms. If you do not accept them, do not use the software. As described below, using some features also operates as your consent to the transmission of certain standard computer information for Internet-based services. So far, so good. 
They are letting you know that there will be some transmission of information about your computer sent to Microsoft. They don't however tell you precisely what they mean by "certain standard computer information." They describe the process as being done in connection with services, which implies you are getting something out of it, but you actually are getting nag screens, which by no stretch of my imagination is a service I would ask for. Additionally, this EULA first appears when you are being asked to download the Notification tool. You already have the Validation tool on your computer without any EULA or request for consent, and according to Microsoft, the Notification tool doesn't send any information about you to them. So this part of the EULA must be about the Validation component, unless they haven't been truthful about what the Notification tool does. Let's continue: When you install the software on your premises, it will check to make sure you have a genuine and validly licensed copy of Microsoft Windows XP ("Windows XP") installed. If you have a genuine copy of Windows XP, you receive special benefits, which are listed on the following link: http://go.microsoft.com/fwlink/?linkid=39157. • If the software detects you are not running a genuine copy of Windows XP, the operation of your computer will not be affected in any way. However, you will receive a notification and periodic reminders to install a genuine licensed copy of Windows XP. Automatic Updates will be limited to receiving only critical security updates. • You will not be able to uninstall the software but you can suppress the reminders through the software icon in the system tray. The first part of this seems to be talking about the Validation tool, because it talks about checking to make sure you have a valid copy of the software, unless the Notification component does that too. But the end part, about not being able to uninstall it, which part is that talking about? 
Can you not uninstall either? Or was the Validation tool you already downloaded uninstallable too? If so, then you have installed software that you can't uninstall that does God knows what without being given an opportunity to say yes or no. Next comes the Privacy clause: PRIVACY NOTICE: The validation process of the software does not identify you and is used only for the purpose of reporting to you whether or not you have a genuine copy of Windows XP. The software does not collect or send any personal information to Microsoft about you. The sole purpose of the software is to inform you whether or not you have installed a genuine copy of Windows XP. However, Microsoft may collect and publish aggregated data about the use of the software. Now, this is the part I find misleading. Here they say that the validation process doesn't collect anything about you or send it to Microsoft. But in fact, they have already told us in their statements and on their website that in fact the Validation tool does both. Remember the hard drive and the IP address? So this part of the EULA appears to be talking about the Notification tool, but it calls it "the validation process" which means either that the Notification tool has in fact a validation aspect also, or it means that Microsoft never asked you for your consent to send that information to them, because this says they don't do so in the validation process and the software is only for the purpose of notifying you. If this EULA purports to be for both tools, it is inadequate and inaccurate. The validation process does collect information about you and it sends it to Microsoft, and they need to tell us that and get our consent. So. Where's the information about the Validation tool, which does collect information about us and does send it to Microsoft? I think it's this part: 3. INTERNET-BASED SERVICES. Microsoft provides Internet-based services with the software. It may change or cancel them at any time. a. 
Consent for Internet-Based Services. The software feature described below connects to Microsoft or service provider computer systems over the Internet. In some cases, you will not receive a separate notice when they connect. You may switch off this feature or not use it. For more information about this feature, see http://go.microsoft.com/fwlink/?LinkId=56310. By using this feature, you consent to the transmission of this information. Microsoft does not use the information to identify or contact you. i. Computer Information. The software uses Internet protocols, which sends to Microsoft computer information, such as your Windows XP product key, PC manufacturer, operating system version, Windows XP product ID, PC BIOS information, user locale setting, and language version of Windows XP. ii. Use of Information. We may use the computer information to improve our software and services. We may also share it with others, such as hardware and software vendors. They may use the information to improve how their products run with Microsoft software. In reality, the information we have indicates that you can't turn off this feature. What feature is it you can turn off? Paragraph a is talking about connecting to Microsoft's servers. You can't turn that off, can you? This is so unclear that I consider it no notice at all. What is it that you are agreeing to? It doesn't tell you how often you will be connecting or all of the information that it turns out is sent. Microsoft, for example, in the EULA never mentions your hard drive's serial number or your IP address, unless that is what they mean by standard computer information, in which case they need to explain how very personal and identifying it actually is. If that isn't personal, what is? And in what way is the customer "using" the software or getting a service? Don't forget that by this point, you already have the Validation tool on your computer and there is a question as to whether you can uninstall it. 
The EULA purports to cover both tools, as far as I can make out, without ever fully telling you precisely what it is actually doing. There is no notice of daily calling home on each boot, for example. Next, Microsoft's EULA lets you know it is beta, but which tool are they talking about? Let's assume both: 4. PRE-RELEASE SOFTWARE. This software is a pre-release version. It may not work the way a final version of the software will. We may change it for the final, commercial version. We also may not release a commercial version. Now, it's on your computer, halfway already, and apparently you can't uninstall it, so if Microsoft changes it for a final commercial version, what happens to you? Do you then have to pay for it? Do you get any choice? Speaking of which, let's look at clause 6: 6. Scope of License. The software is licensed, not sold. This agreement only gives you some rights to use the software. Microsoft reserves all other rights. Unless applicable law gives you more rights despite this limitation, you may use the software only as expressly permitted in this agreement. In doing so, you must comply with any technical limitations in the software that only allow you to use it in certain ways. You may not • disclose the results of any benchmark tests of the software to any third party without Microsoft's prior written approval; • work around any technical limitations in the software; • reverse engineer, decompile or disassemble the software, except and only to the extent that applicable law expressly permits, despite this limitation; • make more copies of the software than specified in this agreement or allowed by applicable law, despite this limitation; • publish the software for others to copy; • rent, lease or lend the software; • transfer the software or this agreement to any third party; or • use the software for commercial software hosting services. 
You have been given a vision of the future, where software will be a service, and all you get is a license to use it the way they allow you to use it. How do you like Microsoft's Brave New World? Surely they will find a way to check that you are complying with all the above, so I think it's clear that if you stay with Microsoft products, you have to agree to share your computer with them, that your privacy will be in their hands, and that they can control your computer without your say so. And they won't necessarily tell you clearly what they are doing, judging by this incident, or perhaps there will be no notice at all, as mentioned in the EULA. It's not about you buying a product and using it any way you wish. They let you use their software only within strict limitations they set which by the way do not conform to your rights under Copyright Law. This is a license, a kind of contract, whereby you waive rights you would otherwise have in order to use their software. And you are presented with a EULA at least one paralegal can't even understand, too late to say no in a meaningful way. Is that your only choice? This unintentionally funny article "Windows anti-piracy program causes shock for doing its job," says Microsoft has been "pretty upfront about the WGA program," and if we don't like it, we should switch to Linux. That's a very good idea. You could use GPL software instead. It doesn't care how you use it. Share it, lend it, rent it, install it on as many computers as you wish, write about it, test it, transfer it to a third party, work around any technical limitations of the software, improve it, personalize it to make it do what you want it to do, and use it for commercial services. Do all of the above and you still haven't violated the software license, and by the way, the software is yours. You own it. 
No one has a need or even a right to check to see if you are using it properly or if you have the right license or if you swapped in a new hard drive or where you live or what your IP address is. Think about it. And then ask yourself, which do I prefer? The world is at a crossroads, where for the first time there really is a choice. You don't have to accept Microsoft's demeaning and insulting EULA terms. If you are a business, do you want Microsoft having free access to your computer? If you are a government? I'm just an individual, and I don't. If you wish to remove the Windows Genuine Advantage tools, and I expect most of you do, why not go the whole hog and remove the entire software package, replace it with GNU/Linux, and find out what it feels like to be treated with respect and to breathe free? From rforno at infowarrior.org Sun Jun 11 21:03:56 2006 From: rforno at infowarrior.org (Richard Forno) Date: Sun, 11 Jun 2006 21:03:56 -0400 Subject: [Infowarrior] - IRS Laptop Lost With Data on 291 People In-Reply-To: <000601c68dc2$fecfc940$f330f404@abyssinian> Message-ID: ------ Forwarded Message From: Scott Bonacker Organization: Scott Bonacker Reply-To: Date: Sun, 11 Jun 2006 19:53:24 -0600 To: Subject: What's more stupid than checking your laptop before a flight? Here's a good one for you Richard. Scott Bonacker IRS Laptop Lost With Data on 291 People Given the likelihood of lost luggage on airlines (especially with valuable contents), what's more stupid than checking your laptop before a flight? An Internal Revenue Service employee lost an agency laptop early last month that contained sensitive personal information on 291 workers and job applicants, a spokesman said yesterday. The IRS's Terry L. Lemons said the employee checked the laptop as luggage aboard a commercial flight while traveling to a job fair and never saw it again. 
The computer contained unencrypted names, birth dates, Social Security numbers and fingerprints of the employees and applicants, Lemons said. Slightly more than 100 of the people affected were IRS employees, he said. No tax return information was in the laptop, he said. Christopher Lee, "IRS Laptop Lost With Data on 291 People," The Washington Post, June 8, 2006 ------ End of Forwarded Message From rforno at infowarrior.org Mon Jun 12 10:29:56 2006 From: rforno at infowarrior.org (Richard Forno) Date: Mon, 12 Jun 2006 10:29:56 -0400 Subject: [Infowarrior] - DHS accepts fake ID at HQ Message-ID: The Washington Times www.washingtontimes.com Homeland Security accepts fake ID By Stephen Dinan THE WASHINGTON TIMES Published June 12, 2006 http://tinyurl.com/hyquk The Department of Homeland Security allowed a man to enter its headquarters last week using a fake Matricula Consular card as identification, despite federal rules that say the Mexican-issued card is not valid ID at government buildings. Bruce DeCell, a retired New York City police officer, used his phony card -- which lists his place of birth as "Tijuana, B.C." and his address as "123 Fraud Blvd." on an incorrectly spelled "Staton Island, N.Y." -- to enter the building Wednesday for a meeting with DHS officials. Mr. DeCell said he has had the card for four years and has used it again and again to board airliners and enter government buildings, without being turned down once. But he said he was surprised that DHS, the agency in charge of determining secure IDs, accepted it. "Obviously, it's not working," Mr. DeCell said. The Mexican government has issued millions of Matricula Consular cards in the past few years, mostly to give illegal aliens a form of identification that banks and other institutions will accept. 
The FBI, in testimony to Congress, has said that the cards are not secure. The General Services Administration ruled in 2003 that the Matricula Consular is not valid ID for entering a federal building. In addition to being a forgery obtained for him from a street vendor in California, Mr. DeCell's card was modeled on an older version, which the Mexican government publicly acknowledges is not a secure document. The Mexican government says the old-style cards "are no longer valid." Some members of Congress tried to crack down on use of the card, particularly as valid ID for opening a bank account, but the Bush administration opposed that effort. Jarrod Agen, a spokesman for DHS, said the department shouldn't have allowed the ID to be used for entry to its headquarters. "DHS is following up on these allegations and will take necessary actions to ensure there is not another occurrence of this type," he said. Mr. DeCell had provided his name, birth date and Social Security number to be pre-cleared for entry to the building and had been vetted before, Mr. Agen said. The security guard accepted the ID to match Mr. DeCell's name to a name on her list of cleared visitors, he said. The spokesman said Mr. DeCell's group went through metal detectors and other routine security screening and had an escort at all times while in the building. "At no time was there a threat to any person or property," Mr. Agen said. DHS' security performance didn't surprise one member of Congress. "You mean the Department of Homeland Insecurity," said Rep. Elton Gallegly, California Republican and one of the first to introduce a bill in Congress several years ago cracking down on acceptance of the Matricula Consular card. "The real sad story here is that it doesn't surprise me -- in fact it just vindicates all the things I've been saying here, along with so many others." 
The Mexican government argues that the cards improve security by giving illegal aliens some form of identification, which assists police and businesses. Mexico is not the only country to issue such cards, and has in fact issued a form of the Matricula Consular card for decades. But Mr. Gallegly said the Mexicans used to issue few, and only for special circumstances, while in recent years they have issued millions. Mr. DeCell is a member of 9/11 Families for a Secure America, an organization of families with relatives who died in the September 11 terrorist attacks. He and two other members paid the visit Wednesday to DHS officials. Mr. DeCell said he keeps the fake ID card in his wallet and often shows it just to see what places will accept it. He keeps his driver's license handy in case the forgery is challenged, he said, but it never has been. "I'm dismayed," Mr. DeCell said. Joan Molinaro, who accompanied him, said she was shocked that DHS, of all agencies, accepted the phony ID. "Homeland Security is not doing their job," she said. "Homeland Security accepted a fraudulent document as a legitimate one." Copyright © 2006 News World Communications, Inc. From rforno at infowarrior.org Mon Jun 12 12:33:10 2006 From: rforno at infowarrior.org (Richard Forno) Date: Mon, 12 Jun 2006 12:33:10 -0400 Subject: [Infowarrior] - ACLU Tries to Stop Warrantless Wiretapping Message-ID: ACLU Tries to Stop Warrantless Wiretapping http://www.washingtonpost.com/wp-dyn/content/article/2006/06/12/AR2006061200 158_pf.html By SARAH KARUSH The Associated Press Monday, June 12, 2006; 11:19 AM DETROIT -- Critics of the government's domestic surveillance program claim it violates the rights of free speech and privacy. The Bush administration says it is necessary and legal. Both sides were in court Monday to argue the constitutionality of the program, with the American Civil Liberties Union seeking an immediate halt to warrantless wiretapping. The Bush administration has asked U.S. 
District Judge Anna Diggs Taylor to dismiss the lawsuit, saying litigation would jeopardize state secrets. The administration has acknowledged eavesdropping on Americans' international communications without first seeking court approval. President Bush has said the eavesdropping is legal because of a congressional resolution passed after the Sept. 11, 2001, terrorist attacks that authorized him to use force in the fight against terrorism. The parties in the ACLU lawsuit, who include journalists, scholars and lawyers, say the program has hampered their ability to do their jobs because it has made international contacts, such as sources and potential witnesses, wary of sharing information over the phone. Ann Beeson, the ACLU's associate legal director, said the administration's arguments in defense of the program don't square with the Constitution. "The framers never intended to give the president the power to ignore the laws of Congress even during wartime and emergencies," she said last week during a conference call with reporters. She said no state secrets need to be revealed to litigate the case because the administration has already acknowledged the program exists. The Center for Constitutional Rights has filed a similar lawsuit on the eavesdropping in federal court in New York. © 2006 The Associated Press From rforno at infowarrior.org Mon Jun 12 12:36:45 2006 From: rforno at infowarrior.org (Richard Forno) Date: Mon, 12 Jun 2006 12:36:45 -0400 Subject: [Infowarrior] - China Walks Out of Encryption Meeting Message-ID: China Walks Out of Encryption Meeting http://apnews.excite.com/article/20060611/D8I5MPN80.html Jun 10, 9:06 PM (ET) By CHRIS HAWKE BEIJING (AP) - An international dispute over a wireless computing standard took a bitter turn this past week with the Chinese delegation walking out of a global meeting to discuss the technology. 
The delegation's walkout from Wednesday's opening of a two-day meeting in the Czech Republic escalated an already rancorous struggle by China to gain international acceptance for its homegrown encryption technology known as WAPI. It follows Chinese accusations that a U.S.-based standards body used underhanded tactics to prevent global approval of WAPI. "In this extremely unfair atmosphere, it is meaningless for the Chinese delegation to continue attending the meeting," the Standardization Administration of China delegation said in a statement carried by the official Xinhua News Agency. The U.S.-based group, the Institute of Electrical and Electronics Engineers, denies any impropriety and says China isn't playing by the established rules. At stake is a leg-up in technology research and billions of dollars in licensing fees and component sales for laptops, mobile phones, handheld computers and other wireless devices that connect to wireless networks around the world, including hotels, coffee shops and universities. These gadgets run on networks based on the IEEE's 802.11 standards. The original standards, however, have security holes that allow digital snoops to steal data from those who are logged on to the networks. Members of the IEEE, an open international professional organization, and a Chinese government-backed group of engineers with military backgrounds, have developed competing technologies to plug the security holes: for China, WAPI, for the IEEE, 802.11i. China had earlier tried to compel Intel and other tech companies to adopt its WAPI standard domestically, leading to a showdown with Washington that ended with Beijing backing down last year. But the push for the Chinese standard persisted and Beijing decided to follow Washington's advice and put the Chinese standard before the International Organization for Standardization, or ISO, a world body made up of representatives from national standardization groups. 
In March, delegates representing standard bodies from 25 countries voted in favor of the IEEE's version over WAPI. China appealed the ISO decision and demanded an apology from the IEEE which it accused of "dirty tricks" in lobbying for its standard, Xinhua said. The Standardization Administration of China, in a statement, accused backers of the American technology of "a lot of dirty tricks including deception, misinformation, confusion and reckless charging to lobby against WAPI," Xinhua reported. The Standardization Administration of China declined requests for comment. The ISO organized the Czech Republic meeting as a follow-up. ISO spokesman Roger Frost on Thursday refused to comment on the Chinese delegation's walkout. The IEEE has called on China to return to the talks and offered to work with the country on harmonizing the WAPI technology with international standards. Steve Mills, the chairman of the IEEE Standards Association Standards Board, said in a statement, China "has lost another valuable opportunity to constructively discuss the technical merits of the two security amendments." Instead, Mills said, China continued "to focus its attention on complaints about the balloting process." From rforno at infowarrior.org Mon Jun 12 13:28:38 2006 From: rforno at infowarrior.org (Richard Forno) Date: Mon, 12 Jun 2006 13:28:38 -0400 Subject: [Infowarrior] - A ring tone meant to fall on deaf ears Message-ID: A ring tone meant to fall on deaf ears By Paul Vitello http://news.com.com/A+ring+tone+meant+to+fall+on+deaf+ears/2100-11395_3-6082 685.html Story last modified Mon Jun 12 08:07:11 PDT 2006 In that old battle of the wills between young people and their keepers, the young have found a new weapon that could change the balance of power on the cell phone front: a ring tone that many adults cannot hear. 
In settings where cell phone use is forbidden--in class, for example--it is perfect for signaling the arrival of a text message without being detected by an elder of the species. "When I heard about it, I didn't believe it at first," said Donna Lewis, a technology teacher at the Trinity School in Manhattan. "But one of the kids gave me a copy, and I sent it to a colleague. She played it for her first graders. All of them could hear it, and neither she nor I could." The technology, which relies on the fact that most adults gradually lose the ability to hear high-pitched sounds, was developed in Britain but has only recently spread to America--by Internet, of course. Recently, in classes at Trinity and elsewhere, some students have begun testing the boundaries of their new technology. One place was Michelle Musorofiti's freshman honors math class at Roslyn High School on Long Island. At Roslyn, as at most schools, cell phones must be turned off during class. But one morning last week, a high-pitched ring tone went off that set teeth on edge for anyone who could hear it. To the students' surprise, that group included their teacher. "Whose cell phone is that?" Musorofiti demanded, demonstrating that at 28, her ears had not lost their sensitivity to strangely annoying, high-pitched though virtually inaudible tones. "You can hear that?" one of them asked. "Adults are not supposed to be able to hear that," said another, according to the teacher's account. She had indeed heard that, Musorofiti said, adding, "Now turn it off." The cell phone ring tone that she heard was the offshoot of an invention called the Mosquito, developed last year by a Welsh security company to annoy teenagers and gratify adults, not the other way around. It was marketed as an ultrasonic teenager repellent, an ear-splitting 17-kilohertz buzzer designed to help shopkeepers disperse young people loitering in front of their stores while leaving adults unaffected. 
The principle behind it is a biological reality that hearing experts refer to as presbycusis, or aging ear. While Miss Musorofiti is not likely to have it, most adults over 40 or 50 seem to have some symptoms, scientists say. While most human communication takes place in a frequency range between 200 hertz and 8,000Hz (a hertz being the scientific unit of frequency equal to one cycle per second), most adults' ability to hear frequencies higher than that begins to deteriorate in early middle age. "It's the most common sensory abnormality in the world," said Dr. Rick A. Friedman, an ear surgeon and research scientist at the House Ear Institute in Los Angeles. But in a bit of techno-jujitsu, someone--a person unknown at this time but probably not someone with presbycusis--realized that the Mosquito, which uses this common adult abnormality to adults' advantage, could be turned against them. The Mosquito noise was reinvented as a ring tone. "Our high-frequency buzzer was copied. It is not exactly what we developed, but it's a pretty good imitation," said Simon Morris, marketing director for Compound Security, the company behind the Mosquito. "You've got to give the kids credit for ingenuity." British newspapers described the first use of the high-frequency ring tone last month in some schools in Wales, where Compound Security's Mosquito device was introduced as a "yob-buster," a reference to the hooligans it was meant to disperse. Since then, Morris said his company has received so much attention--none of it profit-making because the ring tone was in effect pirated--that he and his partner, Howard Stapleton, the inventor, decided to start selling a ring tone of their own. It is called Mosquitotone, and it is now advertised as "the authentic Mosquito ring tone." David Herzka, a Roslyn High School freshman, said he researched the British phenomenon a few weeks ago on the Web and managed to upload a version of the high-pitched sound into his cell phone. 
He transferred the ring tone to the cell phones of two of his friends at a birthday party on June 3. Two days later, he said, about five students at school were using it, and by Tuesday the number was a couple dozen. "I just made it for my friends. I don't use a cell phone during class at school," he said. How, David was asked, did he think this new device would alter the balance of power between adults and teenagers? Or did he suppose it was a passing fad? "Well, probably it is," said David, who added after a moment's thought, "And if not, I guess the school will just have to hire a lot of young teachers." Kate Hammer and Nate Schweber contributed reporting for this article. Entire contents, Copyright © 2006 The New York Times. All rights reserved. From rforno at infowarrior.org Mon Jun 12 13:44:47 2006 From: rforno at infowarrior.org (Richard Forno) Date: Mon, 12 Jun 2006 13:44:47 -0400 Subject: [Infowarrior] - CNBC Viewer Feedback Message-ID: Many of you know I use CNBC as background noise during the day. While its "new" (6 month) format change isn't all that bad, they're playing horrific games with audio effects in an effort to be "hip" or "cool" as they prepare for the launch of the Fox Business Channel sometime this year. Anyway....recently, their new "swoosh" sound effect (chord) used for graphic transitions took on a greater annoyance factor last week...but when they played it 5 times in 15 seconds today, I almost threw the television off the balcony. Ergo, earlier this afternoon, I called the number below and left a polite message expressing my frustration with this "nails on a chalkboard" sound effect and how (besides the annoyance factor) it detracts from the on-air commentaries if/when I wanted to pay more attention. To my amazement, I got a call back in 15 minutes, which I certainly didn't expect from a major media broadcaster -- which impressed me. 
The person -- perhaps a production intern -- said while they've been inundated with complaints recently about the new audio fx the producers haven't done anything about it. I gathered she was just as annoyed by this item (or the volume of calls she fielded) as I was. Grumble, grumble. That said, I suggest anyone wanting to register a complaint about this latest audio fx annoyance should call CNBC Viewer Services at 877-251-5685. Maybe somebody in charge there will wake up and realize the way to keep viewers isn't by pissing them off endlessly during the day.

-rick
Infowarrior.org

From rforno at infowarrior.org Mon Jun 12 14:56:27 2006
From: rforno at infowarrior.org (Richard Forno)
Date: Mon, 12 Jun 2006 14:56:27 -0400
Subject: [Infowarrior] - Microsoft Releases Windows Malware Stats
Message-ID:

Microsoft Releases Windows Malware Stats
http://blog.washingtonpost.com/securityfix/2006/06/microsoft_releases_malware_sta.html

Microsoft today gave the world a rare -- albeit conservative -- glimpse of its view on just how bad the virus and bot problem has gotten for Windows users worldwide. The data comes from 15 months' worth of experience scanning computers with its "malicious-software removal tool," a free component that Microsoft offers Windows XP, Windows 2000 and Windows Server 2003 users when they download security updates from Microsoft. The tool has been run approximately 2.7 billion times by at least 270 million unique computers, leading to the removal of 16 million instances of malicious software from 5.7 million unique Windows-based computers over the past 15 months, Microsoft said. Sixty-two percent of those computers had Trojan horse programs on them. Microsoft found that most of those Trojan programs took the form of bot software, which allows attackers to remotely control the infected machines for use in all sorts of online criminal activities, from knocking Web sites offline to spreading viruses, spam, adware and spyware.
Bots in the Rbot, Sdbot, and Gaobot families made up three of the top five slots in terms of number of removals. (There are hundreds of variants of each of those bot programs, and usually several new ones surface each week.) Microsoft also acknowledged an increasing prevalence of "rootkits," software that hackers and viruses can use to hide their presence once they have broken into a computer system. The company found rootkits in 780,000 machines, or 14 percent of those it treated. Microsoft noted that this figure drops to 9 percent (530,000 PCs) if you don't count the rootkit distributed via some Sony music CDs. In 20 percent of the cases when a rootkit was found on a computer, at least one backdoor Trojan was found as well, Microsoft said. The statistics also show how computer worms never really go away. For example, the "Blaster worm," which first surfaced in August 2003, is still the 10th-most-removed piece of malware, according to Microsoft. Indeed, Redmond found that in about 20 percent of cases where it removed malware in March 2006, the intruder was something the removal tool had previously nixed. The continued high rate of Blaster infections no doubt is due in large part to the number of people who re-install Windows for whatever reason and do not immediately apply security updates or take other precautions necessary for surfing the Internet with a Windows machine, such as using firewall and anti-virus software. Microsoft chose an interesting time and manner in which to issue these numbers. The company said it was releasing the data to coincide with its TechEd 2006 conference, but the figures can only help Microsoft sell more subscriptions to its new OneCare Live anti-virus and computer security suite. 
Posted by Brian Krebs

From rforno at infowarrior.org Mon Jun 12 21:52:08 2006
From: rforno at infowarrior.org (Richard Forno)
Date: Mon, 12 Jun 2006 21:52:08 -0400
Subject: [Infowarrior] - IP: YouTube owns YourStuff
Message-ID:

Original URL: http://www.theregister.co.uk/2006/06/12/youtube_owns_derivative_works/

YouTube owns YourStuff
By Andrew Orlowski
Published Monday 12th June 2006 16:13 GMT

Never trust a hippy - John Lydon

The latest attempt to rebrand the web, "Web 2.0" has been evangelized as a platform for sharing - but it's increasingly looking like a platform tilted steeply in one direction. Millions may be about to discover what singer Billy Bragg found out recently, and that "community" hosting web sites can do as they please with creative material you submit. In its Terms & Conditions (http://youtube.com/t/terms), the wildly popular video sharing site YouTube emphasizes that "you retain all of your ownership rights in your User Submissions". There's quite a large "BUT...", however. Not only does YouTube retain the right to create derivative works, but so do the users, and so too, does YouTube's successor company. Since YouTube has all the hallmarks of a very shortlived business - it's burned through $11.5m of venture investment (Sequoia Capital is the fall guy here) and has no revenue channels - this is more pertinent than may appear. The license that you grant YouTube is worldwide, non-exclusive, royalty-free, sublicenseable and transferable. The simplest way to terminate it is by withdrawing your video. But even this is problematic, as OpenTV's Nathan Freitas wrote recently (http://openvision.tv/blog/?p=48): "It is good to know that if you delete a video from YouTube, then the rights you have granted them terminate. However, once they have distributed your video 'in any media format and through any media channel', that's a little hard to take back, right?"
And if YouTube went titsup tomorrow, its successor YouTubeTwo would sit on a large library of irrevocable content. For now, as Nathan noticed, YouTube regards its rights grab as something of a joke:

[Image: You Tube treats its IP landgrab as a joke]

As we've noted with this wave of web juvenilia, it's considered "Web 2.0" to take things like rights, and uptime flippantly. See Flakey Flickr goes down. Again (http://www.theregister.co.uk/2005/04/14/flakey_flickr_fckd_again/). Judging from a handful of sporadic blog posts, the issue has been troubling a few users for a while. But with the mainstream press (http://www.theregister.co.uk/2005/11/24/nytimes_two_point_nought/) still treating the handful of web hopefuls as if they represent the new

From rforno at infowarrior.org Tue Jun 13 08:37:56 2006
From: rforno at infowarrior.org (Richard Forno)
Date: Tue, 13 Jun 2006 08:37:56 -0400
Subject: [Infowarrior] - Technologists assail federal Net-tapping rules
Message-ID:

Technologists assail federal Net-tapping rules
By Declan McCullagh
http://news.com.com/Technologists+assail+federal+Net-tapping+rules/2100-1028_3-6083066.html
Story last modified Mon Jun 12 21:00:05 PDT 2006

Federal regulations saying that police must be able to tap into Internet phone conversations with ease are coming under renewed attack from academics, engineers and one of the Net's founding fathers. A 21-page study to be released Tuesday says it's impossible for the government to expect all products that use voice over Internet protocol, or VoIP, to comply with the Federal Communications Commission's September 2005 requirement mandating wiretapping backdoors for government surveillance. That requirement is backed by the Bush administration.
Listening in

The study, organized by the Information Technology Association of America, says that because VoIP relies on a fundamentally different network architecture from that of traditional phone lines, such a mandate would pose "enormous costs" to the industry and could even introduce significant security risks. The nine contributors included Vint Cerf, Google's chief Internet evangelist and one of the Net's founding fathers; Steven Bellovin and Matt Blaze, both prominent computer security professors who specialize in security; Clinton Brooks, a former National Security Agency official; and engineers from Sun Microsystems and Intel. The report follows a ruling Friday by a federal appeals court in Washington, D.C., that upheld the legality of the FCC's wiretapping regulations. Librarians, community colleges, and companies including Sun had challenged the rules, saying the FCC did not have the authority to extend the Communications Assistance for Law Enforcement Act, or CALEA, to the Internet. (The decision may be appealed.) Even without the FCC rules that are scheduled to take effect in May 2007, police have the legal authority to conduct Internet wiretaps--that's precisely what the FBI's Carnivore system was designed to do. Still, the FBI has claimed, the need for "standardized broadband intercept capabilities is especially urgent in light of today's heightened threats to homeland security and the ongoing tendency of criminals to use the most clandestine modes of communication." The controversy over the FCC mandatory wiretapping regulations comes as the Bush administration is facing increasing congressional pressure, especially from Sen. Arlen Specter, a Pennsylvania Republican, over its telephone and Internet surveillance program overseen by the National Security Agency. AT&T is being sued in a separate case in San Francisco over allegations that it cooperated in a way that violated federal privacy laws.
The nature of VoIP could also elevate the risk that authorities aren't eavesdropping on the person they originally had in mind, the ITAA report's authors argue. Because it's theoretically simple for an individual to acquire multiple VoIP phone numbers, "recognizing and tracking the multiple identities that are so natural to the Internet lifestyle would be taxing." In addition, the study says, allowing full access by law enforcement would almost certainly require overhauling inherently decentralized networks to allow for certain points where interception would take place--and open up new security risks in the process. That's because such an arrangement would arguably make it easier for hackers to capture identity information and passwords, engage in "man-in-the-middle alteration of data," or potentially spoof the communications going on. "It's sort of like if you were chasing someone and you knew they had to go over a particular bridge," said Mark Uncapher, a senior vice president at ITAA. Though there may be some security concerns, the benefits of mandating wiretapping access outweigh the costs, said Tim Richardson, senior legislative liaison for the Fraternal Order of Police. (Many police organizations, including the National Sheriffs' Association, the Police Executive Research Forum, the Illinois State Police and the Tennessee Bureau of Investigation petitioned the FCC in favor of the wiretapping rules.) "If that was going to increase the propensity for crime, that's something that law enforcement would take a look at," Richardson said. "But the adaptability of technology is so great in this day and age that I have a high degree of faith in the initiative that (companies would employ to find something) that's not as costly and doesn't compromise the security of their networks." Complexities involved in meeting such a mandate exist on a number of levels, the ITAA report said. 
One problem is that, in contrast to traditional telephones, whose calls can virtually always be traced to a centralized switching location, VoIP users are often nomadic. "The paradigm of VoIP intercept difficulty is a call between two road warriors who constantly change locations and who, for example, may call from a cafe in Boston to a hotel room in Paris and an hour later from an office in Cambridge to a gift shop at the Louvre," the report says, and adds that building in mandatory wiretapping hubs for real-time interception is so expensive that it could put smaller companies out of business. Copyright ©1995-2006 CNET Networks, Inc. All rights reserved.

From rforno at infowarrior.org Tue Jun 13 08:52:43 2006
From: rforno at infowarrior.org (Richard Forno)
Date: Tue, 13 Jun 2006 08:52:43 -0400
Subject: [Infowarrior] - RIAA chief: "song-sharing contained now"
Message-ID:

...that's their newest position, for the moment. I don't believe they're as happy as they lead us to believe.....rf

RIAA chief says illegal song-sharing 'contained'
Posted 6/12/2006 10:34 PM ET
By Jefferson Graham, USA TODAY
http://www.usatoday.com/tech/products/services/2006-06-12-riaa_x.htm?csp=34

LOS ANGELES -- Nearly a year after the Supreme Court issued a landmark ruling against online music file-sharing services, the CEO of the Recording Industry Association of America says unauthorized song swapping has been "contained." "The problem has not been eliminated," says association CEO Mitch Bainwol. "But we believe digital downloads have emerged into a growing, thriving business, and file-trading is flat." That's an optimistic view from an industry that saw its numbers slide to near oblivion after the launch of the original Napster in 1999. CD sales fell as much as 30%, and the RIAA pressed Congress and the courts for relief against what it said was rampant piracy.
After the Supreme Court ruled that the services could be liable for piracy by their users, the RIAA sent cease-and-desist letters to several firms. Most -- including BearShare, WinMX and Grokster -- shut down. EDonkey and others said they would switch to a licensed, paid model. EDonkey, which along with BitTorrent is one of the most-used file-sharing services, has yet to make the switch. Even with Grokster and WinMX shut down, their software programs still exist. Eric Garland, CEO of Internet measurement firm BigChampagne, says that more people than ever are using file-sharing networks. "Nearly 10 million people are online, swapping media, at any given time," he says. That May figure is up from 8.7 million people in 2005, he says. Garland says the RIAA has made some inroads. "They have removed the profiteers from online piracy," he says. "They've also embarked on a very successful education campaign. Kids now know about copyright, and the consequences." The RIAA has sued just over 18,000 individuals for sharing songs online, with 4,500 settling for about $4,000 per case. Album sales are still down -- about 3% this year. But Bainwol says digital sales -- up 77% -- make up for the shortfall. The wide availability of legitimate alternatives to file-sharing services has helped wean computer users away, says Russ Crupnick, president of the music group for market tracker NPD Group. Apple's iTunes has sold more than 1 billion songs to consumers, and online stores Rhapsody and Napster are gaining traction. Crupnick says digital store purchases have "almost doubled" while file-sharing is flat among computer users in 12,000 homes in an NPD survey. Meanwhile, the RIAA is suing XM Satellite Radio, which introduced a portable $399 player (from Pioneer and Samsung) that lets subscribers record songs. Bainwol says he doesn't mind consumers acquiring songs on the device -- it's just that XM hasn't licensed the songs for download.
"We love the technology and think it's cool, but if you want to be an iTunes clone, you should pay for it," he says. XM has called the RIAA lawsuit a "negotiating" tactic. About 1.5 billion songs are available for free swapping at any given time on file-sharing networks, says Garland, a mix of current hits and songs from such artists as the Beatles and Led Zeppelin that have yet to be released to the digital music stores. That number is huge but hasn't grown substantially, while video piracy has. "The music industry isn't seeing double-digit growth in piracy anymore, but Hollywood is," Garland says.

From rforno at infowarrior.org Tue Jun 13 14:39:54 2006
From: rforno at infowarrior.org (Richard Forno)
Date: Tue, 13 Jun 2006 14:39:54 -0400
Subject: [Infowarrior] - Finding Fault With Logic of Congress's E-Mail Plan
Message-ID:

Finding Fault With Logic of Congress's E-Mail Plan
http://www.washingtonpost.com/wp-dyn/content/article/2006/06/11/AR2006061100691_pf.html
By Jeffrey H. Birnbaum
Monday, June 12, 2006; D01

Congress to Lobby Groups: Drop Dead! That could be the headline on the latest development from the House of Representatives. Last month the House quietly began to make it harder for interest groups to send large numbers of e-mails to lawmakers. Increasingly, citizens are being forced to demonstrate a basic knowledge of mathematics to have any chance of communicating electronically with their congressional offices. At the end of May, the House started to offer congressmen the chance to add an extra obstacle -- the completion of a math problem -- to their already difficult-to-penetrate e-mail systems. The purpose, officials said, was to cut down on the deluge of messages they receive. The reaction from K Street has been swift and loud. "It's very disturbing," said Ralph G. Neas, president of People for the American Way. "We are concerned," agreed David Willett, spokesman for the Sierra Club. Most offices in the House are pretty impregnable as it is.
Generally, before a person can send an e-mail to a member of the House, he or she must go to a lawmaker's Web site, click on "Write Your Rep," select the congressman's state, type in a Zip code that is in that state, and then fill out a form that includes name, address, city, e-mail address and phone number. And all of that must be completed before an e-mail can either be composed or sent. Even with these many impediments, lawmakers still bellyache that the torrent of e-mails they get every day is more than their staffs can handle. According to a recent study, electronic messages to the House doubled to 99 million from 2000 to 2004. In the Senate, the number of e-mails more than tripled to 83 million during the same period. So the House's managers are adding what they call a logic puzzle to the hurdles that constituents must already scale before writing e-mails to members. In addition to the Zip code test and others, the system now used by a growing number of lawmakers also asks would-be e-mailers to solve a simple numbers problem. For example, "What is 5 minus 1?" Or, "24 : What number appears at the beginning of this question?" Or, "Please solve the following math problem: 3 x 1?" The idea is to ensure that only actual people -- and not mass-mailing computers of the kind often used by interest groups -- will send e-mails to the House from now on. "This feature has been designed to minimize the amount of mass e-mail generated by automated programs," wrote Jay Eagen, the House's chief administrative officer, in a note to House members. From lawmakers' perspective, the new barrier is a good way to block millions of cookie-cutter lobby letters that are conceived and created by giant trade associations, labor unions and the like. According to some lawmakers, these often-identically worded missives too often come from people who don't live in the congressman's districts or who don't even know that messages have been sent in their names.
In other words, these pleas are either misdirected or fraudulent. Such meaningless messages, these lawmakers contend, take too much time away from their overworked aides and give a false impression of public sentiment to boot. Interest-group leaders vehemently disagree. E-mails have become the communication of choice on Capitol Hill. They're cheap, easy to use and, unlike postal letters, they aren't delayed by weeks of inspection, which was necessitated by the anthrax attack on the Senate soon after Sept. 11, 2001. Lobbying groups also object on principled grounds. How does it make sense, they ask, for elected representatives to erect walls between themselves and their constituents, rather than take them down? Isn't democracy supposed to be about listening to voters? "It is troubling," said Eli Pariser, executive director of Moveon.org, the liberal Internet-based organization. "We should be living in the golden age of politics -- an age in which every member of Congress can easily have a two-way conversation with his or her most engaged constituents. Instead, we're seeing bunkerization." "This is a significant threat to digital democracy," agreed Bill Pease, chief technology officer of GetActive Software Inc., a vendor of public policy programs for the Web. "It assumes anyone who participates in any organization's online advocacy campaign is not to be trusted." And then there's the fundamental question of fairness. "Why do I have to answer math questions in order to be able to speak with my own congressman?" asked Pam Fielding, president of e-Advocates, an Internet and grass-roots advocacy consultant. Critics have long seen Congress's aversion to e-mail as troubling. "It seems like congressional offices are spending more time 'sealing off the borders' than dealing with the inescapable truth that most people prefer to communicate via e-mail," said Douglas G. 
Pinkham, president of the Public Affairs Council, a nonprofit group that teaches corporations how to deal with Washington. "It makes me wonder if this is going to deter a lot of average folks from contacting their members of Congress." Pinkham believes the solution to e-mail overload is for congressmen to add more staffers, not to reduce the number of e-mails they receive. It's hard to argue with him, except for this: E-mail companies are already well on their way to circumventing the "logic puzzles" and will almost certainly defeat the gimmick soon. "The fact is that the technology firms working in the space will find work-arounds to the problem," Fielding said. On a single day last week, of the 8,262 times the logic puzzle was viewed in the House, only 1,568 people answered it and moved on to send a message -- a 19 percent success rate. It's unknowable whether this means that computers could not crack the code or whether actual humans were frustrated and gave up (though there were probably a combination of both). In the meantime, lobbies, on behalf of their citizen advocates, are kicking up a ruckus. "What we've been doing -- and what the [political] right has been doing -- contributes to a more robust democracy and it ought to be welcomed," said Neas of People for the American Way. Unfortunately, in the House of Representatives, it isn't. Jeffrey H. Birnbaum writes about the intersection of government and business every other Monday. His e-mail address is kstreetconfidential@washpost.com.

From rforno at infowarrior.org Tue Jun 13 21:03:50 2006
From: rforno at infowarrior.org (Richard Forno)
Date: Tue, 13 Jun 2006 21:03:50 -0400
Subject: [Infowarrior] - KDDI leaks data on 4 million customers
In-Reply-To:
Message-ID:

(via the dataloss list at attrition.org)

Personal data on almost 4 million customers of Japanese telecom carrier KDDI has been leaked, the company said Tuesday.
The data includes the name, address and telephone number of 3,996,789 people who had applied for accounts with KDDI's Dion Internet provider service up to December 18, 2003, KDDI said. Additionally, the gender, birthday and email addresses of some of the people were also leaked. KDDI is Japan's second largest telecommunications carrier. It operates fixed-line, dial-up Internet, broadband and cellular services through a number of different companies.

[...]

http://www.digitalworldtokyo.com/2006/06/kddi_leaks_data_on_4_million_c.php

From rforno at infowarrior.org Tue Jun 13 22:37:31 2006
From: rforno at infowarrior.org (Richard Forno)
Date: Tue, 13 Jun 2006 22:37:31 -0400
Subject: [Infowarrior] - Google's not-so-very-secret weapon
Message-ID:

Google's not-so-very-secret weapon
By John Markoff and Saul Hansell
The New York Times
Published: June 13, 2006
http://www.iht.com/articles/2006/06/13/business/search.php

THE DALLES, Oregon On the banks of the windswept Columbia River, Google is working on a secret weapon in its quest to dominate the next generation of Internet computing. But it is hard to keep a secret when it is as big as two football fields, with twin cooling towers protruding four stories into the sky. The towers, looming like an information-age nuclear plant, mark the site of what may soon be one of the world's most powerful supercomputers, helping to supply the ever-greater horsepower needed to process billions of search queries a day and a growing repertory of other Internet services. And odd as it may seem, the barren desert land surrounding the Columbia along the Oregon-Washington border - at the intersection of low-cost electricity and readily accessible data networking - is the backdrop for a multibillion-dollar face-off among Google, Microsoft and Yahoo that will determine dominance in the online world in the years ahead. Microsoft and Yahoo have announced they are building giant data centers upstream in Washington State, 130 miles to the north.
But Google is doing something radically different here. The very need for two cooling towers, each connected to a football field-sized data center, is evidence of its extraordinary ambition. As imposing as Google's new Oregon data center is, when it opens it will be only a piece of a worldwide computing system known as the Googleplex, which is tied together by strands of fiber optic cables. A similar computing center has recently been completed in Atlanta. "Google has constructed the biggest computer in the world, and it's a hidden asset," said Danny Hillis, a supercomputing pioneer and the cofounder of Applied Minds, a technology consulting firm, referring to the Googleplex. The design and even the nature of the Google center in this industrial and agricultural outpost 80 miles, or 130 kilometers, east of Portland, Oregon, has been a closely guarded corporate secret. Many local officials in The Dalles, including the city attorney and the city manager, said they could not comment on the Google data center project, referred to locally as Project 02, because they signed confidentiality agreements with the company last year. "No one says the 'G' word," said Diane Sherwood, who, as executive director of the Port of Klickitat, Washington, directly across the river from The Dalles, is not bound by such agreements. "It's a little bit like 'He-Who-Must-Not-Be-Named' in Harry Potter." Local residents are at once enthusiastic and puzzled about their affluent but secretive new neighbor, a successor to the aluminum manufacturers who once came seeking the inexpensive power that flows readily from the dams holding back this powerful river. The project has created hundreds of construction jobs, caused local real estate prices to jump 40 percent and is expected to create 60 to 200 permanent jobs in a town of 12,000 people when the center opens later this year.
"We're trying to organize our chamber ambassadors to have a ribbon-cutting ceremony, and they're trying to keep us all away," said Susan Huntington, executive director of The Dalles Area Chamber of Commerce. "Our two cultures aren't matching very well." Culture clashes may be an inevitable byproduct of the urgency with which the search-engine war is being waged. Google, Microsoft and Yahoo are spending vast sums of capital to build out their computing capabilities to run both search engines and a vast variety of Web services that encompass e-mail, video and music downloads and online commerce. Microsoft stunned analysts last quarter when it announced that it would spend an unanticipated $2 billion next year, much of it in an effort to catch up with Google. Google said its own capital expenditures would run to at least $1.5 billion. Google is known to the world as a search engine, but in many ways it is foremost an effort to build a network of supercomputers, using the latest academic research, that can process more data, faster and cheaper than its rivals. The rate at which the Google computing system has grown is as astounding as its size. In March of 2001, when the company was serving about 70 million Web page views daily, it had 8,000 computers, according to a Microsoft researcher who was given a detailed tour of one of the company's Silicon Valley computing centers. By 2003 the number had grown to 100,000. Today even the closest Google watchers have lost precise count of how big the system is. The best guess is that Google now has more than 450,000 servers spread in at least 25 locations around the world. The company has major operations in Ireland, and is building significant facilities in China and Russia. Connecting these centers is a high-capacity data network that the company has assembled over the past few years. Google has found that for search engines, every millisecond longer it takes to give users their results leads to lower satisfaction.
So the speed of light ends up being a constraint, and the company wants to put significant processing power close to all of its users. Microsoft's Internet computing effort is currently based on 200,000 servers and the company expects that number to grow to 800,000 by 2011 under its most aggressive forecast, according to a company document. Computer scientists and computer networking experts caution that it is impossible to compare the two companies' efforts directly. Yet it is the way in which Google has built its globally distributed network that illustrates the daunting task of its competitors in catching up. "Google is like the Borg," said Milo Medin, a computer networking expert who was a founder of the 1990s online service @Home, referring to the robotic species on Star Trek that was assembled from millions of individual components. "I know of no other carrier or enterprise that distributes applications on top of their computing resource as effectively as Google."

John Markoff reported from The Dalles and Saul Hansell from New York.

Google Earth upgraded

Google has released a major upgrade to its Google Earth software, which gives users a three-dimensional satellite view of the world, The Associated Press reported from Mountain View, California. The company said four times more land would be covered in the latest version of its free Google Earth software, enabling about one-third of the world's population to obtain an aerial view of their homes and neighborhood. The software also is being offered in German, Spanish, French and Italian, and will work on computers using the Linux operating system for the first time. More than 100 million people have downloaded Google Earth software since it was offered a year ago, according to figures released by the company for the first time on Monday.
Meanwhile, Google's online mapping service for finding directions and locating businesses has emerged as a major challenger to the longtime leaders in the category, AOL's Mapquest and Yahoo. Google Maps attracted 26 million U.S. visitors in May to rank third behind Mapquest at 43.5 million visitors and Yahoo at 26.1 million, according to Nielsen/NetRatings.

From rforno at infowarrior.org Wed Jun 14 09:57:13 2006
From: rforno at infowarrior.org (Richard Forno)
Date: Wed, 14 Jun 2006 09:57:13 -0400
Subject: [Infowarrior] - Debunking the MS-Borland myth
In-Reply-To: <004c01c68fb9$b21c5200$1800000a@abyssinian>
Message-ID:

From: Scott Bonacker
Original URL: http://www.regdeveloper.co.uk/2006/06/13/myth_legend_part2/

'Microsoft was caught stealing secrets from Borland'
By Mark Whitehorn
Published Tuesday 13th June 2006 12:17 GMT

Database Myths and Legends

"Microsoft was caught stealing secrets from Borland." Or was it? Of course, this all happened way, way back in 1992; but then myths are supposed to be old; that's the whole point. And this one just won't lie down and die.

-/snip/-

Well, this myth has lasted long enough. The public has a right to know the truth about what really happened that fateful night in 1992. But who is telling the truth? How can I be sure that I can ever get to the truth after all this time? Simple. I was in the room at the time.
-/snip/-

From rforno at infowarrior.org Wed Jun 14 10:16:00 2006
From: rforno at infowarrior.org (Richard Forno)
Date: Wed, 14 Jun 2006 10:16:00 -0400
Subject: [Infowarrior] - New IP Proposals by WIPO -- Constitutional circumvention
Message-ID:

James Boyle: Constitutional circumvention
By James Boyle
Published: June 13 2006 16:18 | Last updated: June 13 2006 16:18
http://news.ft.com/cms/s/fa07af4a-fadc-11da-b4d0-0000779e2340.html

In September last year, I wrote about a very bad proposal being debated in the World Intellectual Property Organization (WIPO). The proposal was to extend the length of an existing set of intellectual property rights for broadcasters, and even apply them to webcasting. As I pointed out, there is no empirical evidence that these rights produce any social benefit. Indeed, the US has never had such a right and yet has a flourishing broadcast industry. Extending the rights to webcasting, despite the manifest differences between the economic structure and global reach of the two media, was a jaw-dropping move with obviously bad consequences. We should be focusing on rules about conduct, not rights over content. If signal piracy and rebroadcasting is a problem, we should have a rule that narrowly focuses on that conduct, prohibiting unfair business practices by commercial competitors. The last thing we should do is create yet another set of long lasting property rights over the content. Copyright offices around the world admit that there is a huge problem with 'orphan works' - copyrighted material for which the copyright holder cannot be found. Given the absurdly long copyright term, it is quite possible that the majority of the cultural production of the twentieth century consists of orphan works. Because of the difficulty of clearing copyright, those works remain locked up in the library.
Even though the copyright holder has long disappeared, or would not mind, it is impossible to show the old movie, adapt the old book, play the old song, put the old poem in an anthology. Many libraries simply refuse to allow screening of movies until the copyright term has expired; probably no one would object, but the legal risk is too great. Now imagine creating an entirely new layer of rights over everything that is broadcast or webcast, on top of whatever copyrights already cover the work. You find a copy of a movie in the library and manage, at great expense, to work out that it is in the public domain, or to get the copyright holder's permission. Perhaps the work is covered by a Creative Commons license, granting you permission to reproduce. Not so fast! Even after trudging through all the orphan works problems in copyright, you would have to prove that this copy had not been made from a broadcast or webcast. More clearance problems! More middle-men! More empirically ungrounded state-granted monopolies! Just what we wanted. There are even some serious free speech problems. What if only Fox or CBS has the footage of a particular public event? Do we let the broadcaster eviscerate the ideas of fair use, prohibiting other networks from showing fragments so as to comment on the events, or criticise the original coverage? The proposed treaty text allows for fair use-like exceptions but does not require them. Once again, we harmonise upward property rights for powerful commercial entities, but leave to individual states the discretion whether and how to frame the equally crucial public interest exceptions to those rights. Increased property rights for broadcasters are required. The public interest in education, access, and free speech is optional. (Among other things, most of the recent drafts would outlaw home recording of TV and radio unless a special exception was put into the law, state by state.)
This proposal was so bad, so empirically threadbare, so unbalanced, that I had cherished a faint hope that the members of WIPO would abandon it. At least, I hoped there might be a comparative study of the nations that had previously adopted the protection and those that had not, to see if there was any need for such a change? What was I thinking!!? Why do we need evidence? With remarkably little public attention, the Broadcasting Treaty train is chugging ahead strongly, with states providing new draft proposals over the next two months for a possible decision in September. The status of the webcasting provision is still unclear. But the webcasters are pressing hard. Expect another poorly reasoned proposal to rise from the ashes, with the US playing a key role. The press seems to have missed the story. Bizarrely, the proposal is getting more robust criticism from industry sources, who can see how it will affect competitiveness on the web, than from librarians and civil libertarians who ought to appreciate better than anyone its effect on speech and cultural heritage. Of course, the casting treaty is a paradigmatic example of the dysfunctions in our international deliberations on these issues; we have the absence of evidence, the mandatory rights and optional exceptions, the industry-capture, the indifference to harm caused by rights-thickets. But the representatives of the United States, who have played an ignominious role as cheerleaders for this silly treaty, have a particular, indeed a constitutional, reason to be ashamed. Unlike their descendants who now work the floor at WIPO, the framers of the US constitution had a principled, pro-competitive attitude to intellectual property. They knew rights might be necessary, but they worried about industry-capture and unnecessary monopoly and so they tied congress's hands, restricting its power in multiple ways. Rights have to be of limited duration.
(Congress has managed to get around that one by repeatedly extending the limit: Jefferson must be spinning in his grave.) They can only cover original material, which must be fixed in some material form. No rights over inventions that are already known, or over unoriginal compilations of fact. Of course, if the material is not within the core domain of copyright and patent, congress may go further, as it has with trademarks. But over the material covered by copyright, where we are dealing with fundamental constitutional limitations, these rules reign supreme and congress may not circumvent them by turning to another constitutional source of power. What does this mean in practice? That is a complicated question. There are pending legal disputes about 'bootlegging statutes' and about foreign works that have been pulled out of the public domain as a consequence of the Uruguay Round of trade agreements. In my view, the current drafts of the Broadcast Treaty would be unconstitutional if implemented in American law. They create new copyright-like rights over unoriginal material, indeed material that is frequently copyrighted by someone else. That violates a core restriction of the copyright clause of the constitution. They also ignore the fixation requirement. But forget the attempt to predict what the Supreme Court would do if it heard the case. Are the US's negotiators ignoring their constitutional responsibilities, and seeking to get a bad treaty passed with inadequate public debate of its desirability, constitutionality or consequences? About that there is no doubt at all. Shame on them. Jefferson and Madison would not approve. Should we?

James Boyle is William Neal Reynolds Professor of Law at Duke Law School, co-founder of the Center for the Study of the Public Domain and the author of A Manifesto on WIPO. His most recent work is Bound By Law, a 'graphic novel' on the effects of intellectual property on documentary film.
From rforno at infowarrior.org Wed Jun 14 19:19:25 2006
From: rforno at infowarrior.org (Richard Forno)
Date: Wed, 14 Jun 2006 19:19:25 -0400
Subject: [Infowarrior] - What users hate most about Web sites
Message-ID:

What users hate most about Web sites
Too many sites are low on usability and high on annoyance
http://ww6.infoworld.com/products/print_friendly.jsp?link=/article/06/06/14/79274_HNhateaboutwebsites_1.html
By Sandra Rossi, Computerworld Today (Australia)
June 14, 2006

Too many organizations unwittingly give their competitors a free kick by having Web sites that are low on usability and high on annoyance. Users have a short fuse when they are browsing the Web, according to Theresa Cunnington, senior usability consultant with services firm iFocus. "It doesn't matter how cool a Web site looks, if users find it impractical they will head to your competitor's site, which is only a click away," Cunnington said. "Flash animations are an obvious, yet stellar, example of what users hate in a Web site; the skip intro button is the most used button on the Internet. "Users hate flash because it's a barrier to the site." Cunnington describes Flash as a classic example of "Jurassic Park Design," that is, designing what you 'can,' rather than what you 'should.' She said Web sites are constantly torn between form and function and as technology changes, new variants on old issues stand out, and new problems emerge. Head of Comunet's Web site design, Damien Coyle believes design is crucial for an effective Web site. "You need to represent your corporate image, which should reflect company ideals," Coyle said. "Not everyone is going to access your site so you need only address the target audience."

The top five Web site quirks that users hate the most, according to iFocus are:

1. Invasive advertising: Cunnington says users widely despise ads that cover content, ads that flash wildly and ads that chew broadband.
2. Re-inventing the wheel: people do not want to have to learn how to use a site before they can browse it, Cunnington said.
3. 'Leap of faith' links: that means disclosing information on content and file size.
4. Attention-deficit Web sites: "Users have a special hatred of flashing icons and banners, because they draw the eye away from what is important and hinder their progress," Cunnington said.
5. War and Peace length: "A common mistake in Web design is to just [convert] a brochure to the Web. But the Web is its own medium, and communication has to change to reach users. Users are known to read 25 percent slower on the screen than on paper, read fewer words and don't like long pages which require scrolling down," she said.

Another problem is site blindness. "We are now seeing right-column blindness, where users do not see information and links down the right hand side of the screen. This occurs because the right hand column has become known for advertising," Cunnington said.

From rforno at infowarrior.org Wed Jun 14 19:30:11 2006
From: rforno at infowarrior.org (Richard Forno)
Date: Wed, 14 Jun 2006 19:30:11 -0400
Subject: [Infowarrior] - Bell Labs building to be demolished
Message-ID:

June 14, 2006
Square Feet
Pastoral Site of Historic Inventions Faces the End
By ANTOINETTE MARTIN
http://www.nytimes.com/2006/06/14/realestate/commercial/14bell.html?_r=1&oref=slogin&pagewanted=print

HOLMDEL, N.J., June 7 - For 44 years, a six-story, two-million-square-foot structure nestled here in a 472-acre exquisitely pastoral setting was a habitat for technological ferment. The vaunted Bell Labs, whose scientists invented the laser and developed fiber optic and satellite communications, touch-tone dialing and cellphones, modems and microwaves, was housed in the glass building, set far off the road, providing the community with some luster - not to mention a tax bonanza.
These days, the building's lobby, with its magnificent glass ceiling, is off limits to all but those having formal appointments with Lucent Technologies, which disassembled and dispersed much of Bell Labs after the collapse of the technology market in 2000. Few outsiders have viewed its breathtaking scale or walked along the perimeters to admire displays of technological breakthroughs like a 1929 movie camera or an early office switchboard straight out of "Bells Are Ringing." But now, the building has been sold, and the public will be invited in for at least one date while it remains, which may not be much longer. The developer who will create a future for the property says the structure will have to be demolished. Preferred Real Estate Investments, a company based in Conshohocken, Pa., will maintain the site as office space and will keep the property as pastoral as possible, said its chief executive, Michael G. O'Neill. But Mr. O'Neill said his firm, which specializes in the reuse of outmoded commercial buildings, simply could not find a way to renovate this structure. The soaring lobby is surrounded on three sides by stacks of windowless concrete-walled cubicles - perfect for scientists, but unappealing to office workers of any other type - he noted. "So many of these lavish old commercial buildings have a great history to them, and then one day their useful life is over," Mr. O'Neill said a bit wistfully. When Lucent found itself needing to downsize and leave a special building behind, it was following in the footsteps of another New Jersey telecommunications giant, AT&T, which moved out of its opulent 2.7-million-square-foot headquarters in Bedminster in 2001. The AT&T building stood empty for four years - considered nearly unmarketable by some commercial brokers. It did find a buyer last year in Verizon, which has begun renovations aimed at carving up its gargantuan spaces and stripping away some of the luxuries, like the waterfall in the cafeteria.
At one time, Lucent employed 5,600 people in Holmdel. The company plans to move the approximately 1,000 who remain to offices in Murray Hill and Whippany by the summer of 2007. Right now, Mr. O'Neill said his primary focus was on providing reassurance to the citizenry of Holmdel that not much has to change in terms of the Lucent property's historic impact on the town. Bell Labs has been a cash cow in a picturesque setting - paying $3.19 million in property taxes last year, while putting little strain on town services. Holmdel's mayor, Serena DiMaso, and other town officials have been adamant that a housing development, which might require additional traffic control, new infrastructure and school spending, would not be a suitable replacement. "I think there were about 20 other developers competing against us to buy the property," Mr. O'Neill said, "and everybody we competed with wanted to put 500 to 600 houses here, and turn this into a big subdivision, but that is not our intent. "Can you imagine? This incredible, expansive space - cutting it up, and covering it over with yet another cookie-cutter community of McMansions?" Mr. O'Neill, whose company recently converted a pre-World War I toilet factory in Hamilton, N.J., into plush office space, said plans for the Lucent site were in very early stages. It is expected, he said, that a public meeting about the property will be held inside the Bell Labs structure during the last week of this month. On a walking tour of the property, Mr. O'Neill said he currently envisioned three smaller headquarters-type buildings in place of the one big lab structure, providing somewhat less total space than the Bell Labs building. "The size would be in keeping with the more modest size of today's typical company headquarters, or data processing centers," he said. Final plans will not be drawn until companies commit to moving to the site, Mr. O'Neill said.
The huge oval road around the building, the long approach from Crawford's Corner Road and even the weirdly shaped water tower at the entrance - said by locals to resemble a transistor - will most likely remain, though, Mr. O'Neill asserted. "We want to keep the country-road feel," he said. Diving enthusiastically through thick shrubbery, Mr. O'Neill made his way to a lovely pond set behind Bell Labs, surrounded by plantings and weeping willows and adjacent to a large terrace off the company cafeteria. "This is such a special place for a company to offer its workers," he said. "There is hardly anything like this available anywhere any more. We believe people will be beating down the doors to move their businesses here." Founded in 1992, Preferred owns numerous properties east of the Mississippi, worth a total of more than $1.5 billion, that were once central to communities but are now vacant or heading that way, according to Mr. O'Neill. At the former American Standard plant in Hamilton, for instance, the company pledged to tastefully renovate the empty toilet factory and fill it with high-quality tenants, and it kept its promises, said the mayor, Glen Gilmore. Last month, with that job complete, Preferred sold the property, now called American Metro Center, to two other large real estate companies. Mr. O'Neill said he had no idea whether his company would be the long-term owner in Holmdel. "Please!" he said, laughing and throwing up his hands. "We've got a lot of work to do here and now."

From rforno at infowarrior.org Wed Jun 14 21:20:21 2006
From: rforno at infowarrior.org (Richard Forno)
Date: Wed, 14 Jun 2006 21:20:21 -0400
Subject: [Infowarrior] - Labeling mandate for sexual content surfaces in Senate
Message-ID:

How many Mrs. Lovejoys are there in the Congressional GOP???
---rf

Labeling mandate for sexual content surfaces in Senate
By Anne Broache
http://news.com.com/Labeling+mandate+for+sexual+content+surfaces+in+Senate/2100-1028_3-6083983.html
Story last modified Wed Jun 14 17:50:33 PDT 2006

Operators of commercial Web sites with sexually explicit content would have to post warning labels on each offending page or face imprisonment under a new proposal in the U.S. Senate. Caving to earlier demands from the U.S. Department of Justice, the 24-page proposed law focuses on a medley of new penalties related to child pornography and other sexual content on the Internet. For instance, Internet service providers that fail to report to authorities any sightings of child pornography on their networks would have to cough up fines that are triple those written into current law: $150,000 for the first violation and $300,000 thereafter. "The increase in Internet use has given sexual predators new ways to prey on children," said Sen. Jon Kyl, an Arizona Republican, who joined eight members of his party in introducing the bill on Tuesday. "This bill, among other things, is intended to shut down these opportunities, and severely punish the degraded individuals who are involved in the sexual exploitation of our youth." Called the Stop Adults' Facilitation of the Exploitation of Youth Act, or Internet SAFETY Act, the bill actually beefs up the Justice Department's suggested penalties for negligent Web labelers. It would impose up to 15 years in prison--an increase from the five years suggested in the original proposal--on any commercial site operator who fails to place "clearly identifiable marks or notices" prescribed by the federal government in either the site's code or on the pages themselves. The bill would also create a new crime out of "using misleading domain names to direct children to harmful material on the Internet." Conviction would carry a prison sentence of up to 20 years.
A similar sentence would apply to anyone who knowingly embeds words or images in the source code of their sites with the intent of deceiving minors into viewing "harmful" content. Attorney General Alberto Gonzales originally called for the new laws while speaking at an event at the National Center for Missing and Exploited Children in April. He said a mandatory rating system is necessary to "prevent people from inadvertently stumbling across pornographic images on the Internet." At the same event, Gonzales also raised the possibility of requiring Internet service providers to retain records on their subscribers for a set period of time to aid law enforcement in investigations. The Justice Department has since held several private meetings with ISPs, as first reported by CNET News.com. No such mandate made it into the Internet SAFETY Act, though other members of Congress have floated proposals bearing those requirements in recent months.

Criticized as ambiguous

The latest proposal drew criticism from civil liberties advocates, who said it presents enough ambiguities to prompt self-censorship of Web content. "Whether artistic works or political commentary or any type of images that may arguably come close to this category, people may not publish them for fear of being sent to jail for 15 years," said David Greene, director of a free-speech advocacy group called The First Amendment Project. It's equally unclear how to draw the line between "commercial" Web sites, covered by the regulations, and "noncommercial" sites, which appear to be exempt, the bill's critics said. "They may sell T-shirts or do things that are unrelated to the image or the content that is labeled," Greene said. "When their commercial transaction doesn't relate to the image, to the sexual content, there's a great danger in these laws."
To some extent, it was the thorny issue of labeling online news sites, which sometimes feature material considered to be sexually explicit as part of their regular coverage, that caused support for an Internet self-rating system to fizzle out during the Clinton administration years. At that time, in the late-1990s, Sen. Patty Murray, a Democrat from Washington state, proposed that misrating a Web site be made a federal crime. The Internet SAFETY Act pulls its definition of sexually explicit material from existing federal law. It covers sexual intercourse of all types: bestiality, masturbation, sadistic or masochistic abuse, or lascivious exhibition of the genitals or pubic area of any person. In practice, courts have interpreted those definitions quite broadly. In one case, U.S. v. Knox, the Supreme Court and an appeals court ruled that the "lascivious exhibition" of the pubic area could include images of clothed people wearing bikini bathing suits, leotards and underwear. That suggests, for instance, that photos of people in leotards and bathing suits would have to be rated as sexually explicit if the commercial Web site owner wanted to avoid going to prison. The Senate proposal grants just one reprieve: Sexual depictions that constitute a "small and insignificant part" of a large Web site do not have to be labeled. Also problematic, they said, is that, in addition to the labeling requirement, Web site operators would have to ensure that "any matter that is initially viewable" does not contain sexually explicit content. "What if someone deep links to an image, and someone clicks on that image, and it's the first one they see?" asked Marv Johnson, legislative counsel for the American Civil Liberties Union. "Has the law been violated?" CNET News.com's Declan McCullagh contributed to this report. 
From rforno at infowarrior.org Thu Jun 15 09:07:51 2006
From: rforno at infowarrior.org (Richard Forno)
Date: Thu, 15 Jun 2006 09:07:51 -0400
Subject: [Infowarrior] - Government Increasingly Turning to Data Mining
Message-ID:

Government Increasingly Turning to Data Mining
Peek Into Private Lives May Help in Hunt for Terrorists
http://www.washingtonpost.com/wp-dyn/content/article/2006/06/14/AR2006061402063_pf.html
By Arshad Mohammed and Sara Kehaulani Goo
Washington Post Staff Writers
Thursday, June 15, 2006; D03

The Pentagon pays a private company to compile data on teenagers it can recruit to the military. The Homeland Security Department buys consumer information to help screen people at borders and detect immigration fraud. As federal agencies delve into the vast commercial market for consumer information, such as buying habits and financial records, they are tapping into data that would be difficult for the government to accumulate but that has become a booming business for private companies. Industry executives, analysts and watchdog groups say the federal government has significantly increased what it spends to buy personal data from the private sector, along with the software to make sense of it, since the Sept. 11, 2001, attacks. They expect the sums to keep rising far into the future. Privacy advocates say the practice exposes ordinary people to ever more scrutiny by authorities while skirting legal protections designed to limit the government's collection and use of personal data. Critics acknowledge that such data can be vital to law enforcement or intelligence investigations of specific targets but question the usefulness of "data-mining" software that combs huge amounts of information in the hopes of finding links and patterns that might pick someone out as suspicious.

Dialing for Data

Recent reports about the National Security Agency's effort to acquire phone call records highlight the government's growing interest in the technique.
"The only question we would have is at what rate would the demand be increasing," Wayne Johnson, a financial analyst at Raymond James Financial Inc., said of the government's interest in buying commercial data and related software. It is difficult to pinpoint the number of such contracts because many of them are classified, experts said. At the federal level, 52 government agencies had launched, or planned to begin, at least 199 data-mining projects as far back as 2004, according to a Government Accountability Office study. Most of the programs are used to improve services, such as detecting Medicare fraud and improving customer relations. But a growing number of agencies are exploring the technology to analyze intelligence and assist in the hunt for terrorists. Another GAO report released in April found that of $30 million spent by four government agencies last year on services from data-crunching companies, 91 percent was for law enforcement or counterterrorism. The hope is that the technology can help to discern and thwart threats just as businesses have used it for years to predict consumer behavior on buying cosmetics or repaying mortgages, for example. Companies keep an increasing amount of data about everyone -- tracking their buying, travel, bank transactions and bill-paying habits. Data mining uses mathematical formulas to look for patterns in those behaviors. The results could enable the grocery store to send out targeted coupons, or, in theory, help the government decide how likely it may be that someone is linked to terrorist groups. The Education Department's Project Strikeback uses mining methods to compare its databases with the FBI and verify identities. The Defense Department's Verity K2 Enterprise program searches data from the intelligence community and Internet searches to identify foreign terrorists or U.S. citizens connected to terrorists. 
A Navy program analyzes data to try to predict where it might find small weapons of mass destruction and narcotics smuggling in the shipping industry. Cogito Inc. sells software to the National Security Agency that the company says can find patterns in massive amounts of data, such as lists of telephone calling records. The Utah-based company does not know how the super-secret agency is using the software, but it does know that data-mining technology once used primarily by commercial clients is now doing booming business with the federal government. "What was surprising . . . was how aggressive and hot the intelligence and security market is for this," said William Donahoo, vice president of product management and marketing at Cogito. More than half of Cogito's clients are in the fields of intelligence, security and public safety, he said. Donahoo said he believed the NSA could use the software to reveal patterns about how people deal with one another just from their calling records. "There are gatekeepers and bridges and collaborators and leaders that could be identified just by the nature of the communications among the groups," he said. "You do not have to know the content of the conversation to identify this." False Positives Critics argue that catching terrorists is far different from predicting consumer purchases or preventing credit card fraud, saying that data mining is likely to provide so many false leads that its use is a waste of time and money. "What you don't want is to get into the Kevin Bacon game, which is to say that you show that everybody is six degrees of separation from a terrorist," said James B. Steinberg, dean of the Lyndon B. Johnson School of Public Affairs at the University of Texas. Steinberg was a deputy national security adviser in the Clinton administration. 
"Out of pure resource allocation, it is so unlikely to provide something useful and so likely to provide dead ends and false leads that you are going to spend an enormous amount of resources on things that don't pan out," he said. "Before you start searching haystacks for needles, you've got to have some reason to believe that the needles are there." The federal government's most public experiment with data mining since the terrorist attacks in 2001 failed to get off the ground, after the Homeland Security Department spent $200 million on it and the technology failed to prove what it set out to do, according to several former U.S. officials familiar with the program. The system, originally called CAPPS II, sought to comb airline passenger records and verify information that fliers provided about themselves with information provided by companies that aggregate data about consumers. The problem, according to several officials who worked closely on the program but declined to speak publicly about it, was that the information about consumers was never proved to be effective in evaluating the risk posed by an airline passenger. At first, officials sought to identify passengers who were not "deeply rooted" in a community and, for example, moved often and did not have an established credit history. But the system always ended up scoring too many people as "risky" who really posed little threat. "I am just not prepared to say that because someone can't get a mortgage, they are a terrorist threat to an airplane," said a former official, who spoke on condition of anonymity because he was not authorized to speak for the program. "These data aggregator products are used today in the financial world to identify certain things, and they're not designed to identify potential terrorist threats." The former official said that the program still shows some promise, but that it needs more testing and should be considered only one tool of many to protect the nation's air travel system. 
Despite privacy concerns about CAPPS II that were raised by groups such as the American Civil Liberties Union, top U.S. officials continue to express faith that the technology will prove to be useful for national security purposes. "This issue of using data to ferret out evildoers, many administration officials believe very firmly this is the way we should be going and that the barriers there should be overcome because it will result in a greater good," said another former official, who spoke on condition of anonymity. "It's a philosophy that if you have nothing to hide, why do you care if I know what movies you rent? Who you are talking to? If you live a godly life, a perfect life, you don't have worry about 100 percent disclosure." Security vs. Privacy Even critics say data mining can be effective in targeted circumstances, such as gathering information about known suspects. But the government's wide interest in the technology disturbs privacy advocates, who say the vast commercial data industry provides a ready-made window into private lives that the government would be unable to legally assemble on its own. Jim Dempsey, policy director at the Center for Democracy and Technology, said risks include errors in the data, drawing incorrect inferences from the information and "the chilling effect that comes when a citizenry feels itself under scrutiny." But since the 2001 terror attacks, a slim majority of the American public has favored protecting security over preserving civil liberties, according to opinion pollsters. "The public is willing to bend the rules a little bit with respect to privacy," said Andrew Kohut, director of the Pew Research Center, adding that Americans showed similar tendencies during the "red scares" after World War I and World War II. "They are giving the government the benefit of the doubt in large part because they are concerned about terrorism." ? 
2006 The Washington Post Company From rforno at infowarrior.org Thu Jun 15 09:26:07 2006 From: rforno at infowarrior.org (Richard Forno) Date: Thu, 15 Jun 2006 09:26:07 -0400 Subject: [Infowarrior] - VA Data Security Website Message-ID: Latest Information on Veterans Affairs Data Security http://www.firstgov.gov./veteransinfo From rforno at infowarrior.org Thu Jun 15 09:51:51 2006 From: rforno at infowarrior.org (Richard Forno) Date: Thu, 15 Jun 2006 09:51:51 -0400 Subject: [Infowarrior] - U.S. Joins Industry in Piracy War Message-ID: U.S. Joins Industry in Piracy War Nations Pressed On Copyrights http://www.washingtonpost.com/wp-dyn/content/article/2006/06/14/AR2006061402 071_pf.html By Frank Ahrens Washington Post Staff Writer Thursday, June 15, 2006; A01 The U.S. government has joined forces with the entertainment industry to stop the freewheeling global bazaar in pirated movies and music, pressuring foreign governments to crack down or risk incurring trade barriers. Last year, for instance, the movie industry lobby suggested that Sweden change its laws to make it a crime to swap copyrighted movies and music for free over the Internet. Shortly after, the Swedish government complied. Last month, Swedish authorities briefly shut down an illegal file-sharing Web site after receiving a briefing on the site's activities from U.S. officials in April in Washington. The raid incited political and popular backlash in the Scandinavian nation. In Russia, the government's inability, or reluctance, to shut down another unauthorized file-sharing site may prevent that nation's entrance into the World Trade Organization, as effective action against intellectual property theft tops the U.S. government's list of requirements for Russian WTO membership. As more residents of more nations get high-speed Internet access -- making the downloading of movies and music fast and easy -- the stakes are higher than ever. 
The intellectual property industry and law enforcement officials estimate U.S. companies lose as much as $250 billion per year to Internet pirates, who swap digital copies of "The DaVinci Code," Chamillionaire's new album and the latest Grand Theft Auto video game for free. Such entertainment and other copyright exports -- worth about $626 billion annually, or 6 percent of the U.S. gross domestic product -- are as important to today's American economy as autos, steel and coal were to yesterday's.

More than a decade of hard lobbying by two powerful trade groups, the Motion Picture Association of America (MPAA) and the Recording Industry Association of America (RIAA), has convinced U.S. lawmakers and law enforcement officials that it's worth using America's muscle to protect movie and music interests abroad. Now, lawmakers are calling the trade groups, asking what else Congress and the government can do for the entertainment industry.

Efforts to stem piracy within the United States by targeting peer-to-peer file-sharing networks have produced mixed results. Kazaa -- once the most popular of them and a hard target of the music industry -- has half as many users as it did at its peak three years ago, thanks in part to the music industry's lawsuit and education campaign. At the same time, the total number of peer-to-peer users has grown in the past year, according to Internet traffic researchers.

Overseas, U.S. government officials say, it is in the national interest to work on behalf of Hollywood and other entertainment and intellectual property industries. The United States does not offer specific dictates on how other nations handle their border controls, said Assistant U.S. Trade Representative Victoria Espinel, "but they need to have an effective intellectual property system for protecting our rights holders abroad."

The U.S. trade representative's office maintains a "priority watch list" of countries that, in its estimate, do not adequately protect intellectual property rights. China and Russia top the most recent list. Unlike the case with Sweden, U.S. government pressure has brought little change in China, home to perhaps the world's most prolific DVD and CD pirates.

An ongoing battle between Swedish authorities and an illegal file-sharing service called the Pirate Bay can be traced to an April meeting in Washington between the Swedes and the U.S. government. Officials from the State Department, the Department of Commerce and the U.S. trade representative's office told visitors from the Swedish Ministry of Justice in April that Sweden was harboring one of the world's biggest Web sites for enabling the massive and unauthorized distribution of movies, music and games. It uses a file-swapping technology known as BitTorrent that is tougher to contain than earlier systems such as the original Napster, which the U.S. government shut down in 2001, and popular current peer-to-peer services, such as LimeWire.

A little more than a month later, Swedish police hit the headquarters of the Pirate Bay and closed the site. The MPAA crowed, saying it had helped the effort by filing a criminal complaint against the site.

The raid prompted a backlash of criticism in the Swedish press and from some members of government. Politicians and editorialists wanted to know why America was meddling in Swedish affairs.

Claes Hammar, Swedish minister for trade and economic affairs, said U.S. authorities noted that copyrighted Swedish material, as well as U.S. movies and music, was being stolen on the Pirate Bay. "We don't like to be seen as negligent and losing out rather than cooperating with the U.S. and other markets," Hammar said.
In the aftermath of the raid, members of the Left and Moderate parties in Sweden have proposed scrapping last year's law that criminalized illegal file-sharing, reported the Local, an English-language newspaper in Sweden. At the same time, hundreds of demonstrators have gathered in Stockholm and Goteborg in recent days, hoisting pirate flags and demanding that the government return the Pirate Bay's seized servers, according to reports.

Several attempts to reach Pirate Bay administrators through the Web site were unsuccessful. They did, however, post a defiant manifesto on a related Web site.

Shut down on May 31, the Pirate Bay moved to the Netherlands and was back up and running three days later, sporting a logo of a pirate ship sinking the word "Hollywood" with a fusillade of cannon fire and demonstrating how difficult it is to stop anything on the Internet.

Dan Glickman, president of the MPAA, confirmed that his group had asked Sweden to toughen its laws on intellectual property theft. "What we do is look around the world to look if laws need to be improved, then we make suggestions," Glickman said. He emphasized that the MPAA respects the sovereign rights of foreign nations. As for the backlash, Glickman said, "Yes, I'm sure the pirates in Sweden are upset."

Russia's pirates may cost their country more than domestic unrest. Entrance into the World Trade Organization would grant the country numerous trading benefits. Each of the WTO's 149 members has veto power over accession and each has key demands of applicants. For the United States, the focus is on intellectual property. And the U.S. wants to make sure the mistake of China is not repeated.

"We let China in and China has not fully complied with the WTO requirements" for protecting intellectual property, Glickman said. The MPAA has an enforcement division in Hong Kong whose members accompany local law enforcement officials on raids. "The time to get action is now, rather than after they get in," Glickman said.
In Russia, CD and DVD pirates have established manufacturing plants on abandoned Soviet military bases, Glickman and RIAA President Mitch Bainwol said.

A Web site called Allofmp3.com is selling millions of songs without authorization from copyright holders. The site looks as professional and legal as Apple Computer Inc.'s popular iTunes online music store. It claims to be licensed by a Russian agency to sell music, but U.S. trade groups aren't satisfied. None of the revenue generated from the 10-cent song downloads on the site goes to the artists, Bainwol said.

Moscow began an investigation of Allofmp3.com, dropped it, then picked it back up again after U.S. pressure was applied, said RIAA Executive Vice President Neil Turkowitz, who has traveled several times to Russia and filed criminal complaints with prosecutors there about the site.

"The Russian government is aware of all really existing problems in the [intellectual property] sphere and makes active efforts to solve them step-by-step," the Russian Ministry of Economic Development and Trade wrote in an April paper translated into English. "We will undertake a complex of additional measures in [the intellectual property] sphere in the nearest future with the intention to speed up the work in this sphere."

Two e-mails to the site administrator of Allofmp3.com went unanswered.

Assistant U.S. Trade Representative Espinel said shutting down Allofmp3.com "is right at the top of the agenda. This is a top-priority issue in terms of our discussion with Russia and the WTO."

As the bilateral talks with Russia continue, congressional leaders are bringing pressure to bear on President Bush, who has vowed to speed that nation's entry into the WTO. Working against Russia, the lawmakers say, are its plans to make intellectual property rights violators subject to civil, rather than criminal, penalties.

The U.S. government and the entertainment industry have a right to raise such issues with foreign nations, the RIAA's Turkowitz said. Movie and music piracy, he said, "is a problem that really doesn't know any borders."

© 2006 The Washington Post Company

From rforno at infowarrior.org Thu Jun 15 10:57:11 2006
From: rforno at infowarrior.org (Richard Forno)
Date: Thu, 15 Jun 2006 10:57:11 -0400
Subject: [Infowarrior] - Windows, Mac OS to run side-by-side
Message-ID:

Windows, Mac OS to run side-by-side
By Ina Fried
http://news.com.com/Windows%2C+Mac+OS+to+run+side-by-side/2100-1016_3-6083956.html
Story last modified Thu Jun 15 06:15:25 PDT 2006

Parallels, a start-up whose software enables Macs to run Microsoft Windows and the Mac OS at the same time, says it is ready with a final version of its product.

Apple Computer made headlines back in April when it said it would offer its own software--Boot Camp--for loading Windows onto Macs. However, Boot Camp permits people to run only one operating system at a time, meaning either Windows or the Mac OS can be in use, but not both at once.

Around the same time, Parallels started testing for its Parallels Desktop program, which uses virtualization technology to have Windows programs operate alongside Mac applications. The Windows programs open in a separate window within the Mac OS.

Unlike past software that allowed Windows programs to run on a Mac, Parallels Desktop does not need to emulate the hardware that's inside a PC. That's because Macs and PCs now use the same Intel-based chips. As a result, the speed of Parallels is far better than past efforts at bringing together the two operating systems, the software start-up said. In fact, Parallels says Windows programs can run nearly as fast through its virtualization as running natively on a Windows PC.

"The difference in performance between Parallels and Boot Camp is negligible," said Parallels marketing manager Ben Rudolph. "Things move very, very fast."
Being able to run Windows programs is seen as a potentially significant catalyst for Mac sales. Needham analyst Charlie Wolf upgraded Apple's stock on Tuesday, saying that the combination of Boot Camp and programs like Parallels could help the Cupertino, Calif.-based company gain market share.

"The trigger for our upgrade is the prospect that a significant number of Windows users will switch to a Mac once it's able to run Windows applications," Wolf wrote in a report. He cited a survey by his firm, which found that in the U.S., some 8 percent of home PC owners would switch to a Mac if it could run Windows. "An increase of this magnitude would almost triple Apple's share in the home market and increase it 75 percent worldwide," Wolf wrote.

Put through its paces

The Parallels software has been in testing since April, and more than 100,000 people have tried it out, according to the company. Interest has come not only from hobbyists eager to try out Microsoft's operating system on their Mac at home, but also from governments, businesses and schools that want to have their Macs better able to converse in a Windows-dominated world.

[Image: Parallels Windows on Mac]

Canada's University of Waterloo, for example, has been testing Parallels software. It plans to use it in the Mac lab of its environmental studies department so students can benefit from a number of programs that aren't available for Apple machines.

"I've been very impressed with the performance of it," said Don Duff-McCracken, a graphics and computer-aided design systems manager at the university. Duff-McCracken said he has been using the Parallels tool to run processor-intensive software, such as the World Construction Set software for rendering terrain.

Duff-McCracken compared applications in Parallels with the same ones running directly in Windows via Boot Camp. The performance in Parallels was within 1 to 2 percent of the other, he said. And both Mac-based options were faster than some recently acquired Dell machines the school had. "It's running this sophisticated software at native speeds," he said.

While Boot Camp is essentially a tool for letting a Mac run either Windows or the Mac OS, Parallels makes both operating systems available at the same time. To do this, Windows runs as what is known as a virtual machine--essentially acting as if it was a separate PC.

Boot Camp, meanwhile, is still in beta, though Apple has said it will be part of Leopard, the next version of Mac OS X. The company is expected to outline Leopard's key features at a developer conference in August.

Parallels plans to eventually charge $79 for its software, though it is selling it for $49 for the next 30 days. It has been offering it for $10 less than that for beta testers who pre-ordered the final version.

A potential challenge for the start-up is that Apple may decide to offer, in addition to Boot Camp, a feature that acts more like Parallels in allowing Windows programs to run within the Mac OS. There has been speculation that Leopard might have such abilities.

Rudolph said Parallels can't spend its time worrying about what others might do. "All we do is virtualization," he said. "Apple has got hundreds of different products. I believe we are going to have a faster, better solution regardless of what happens."

Herndon, Va.-based Parallels got its start when its two founders were doing freelance help-desk work. They found they had a knack for virtualization and came up with the software engine behind Parallels Desktop. The company now has 75 employees, with more being added on a weekly basis, Rudolph said.

"We went from being a little tiny company to a little tiny company with a huge product," he said.

The company also has some venture funding, though Rudolph did not offer many specifics. "We definitely have enough money to keep the lights on for the next couple of years," he said.
Copyright ©1995-2006 CNET Networks, Inc. All rights reserved.

From rforno at infowarrior.org Thu Jun 15 11:04:28 2006
From: rforno at infowarrior.org (Richard Forno)
Date: Thu, 15 Jun 2006 11:04:28 -0400
Subject: [Infowarrior] - NSA Surveillance: A Leap of Faith, Off a Cliff
Message-ID:

(I love the first sentence....geez! -rf)

A Leap of Faith, Off a Cliff
http://www.nytimes.com/2006/06/15/opinion/15thurs1.html?_r=1&oref=slogin&pagewanted=print

On Monday, the Bush administration told a judge in Detroit that the president's warrantless domestic spying is legal and constitutional, but refused to say why. The judge should just take his word for it, the lawyer said, because merely talking about it would endanger America.

Today, Senator Arlen Specter wants his Judiciary Committee to take an even more outlandish leap of faith for an administration that has shown it does not deserve it. Mr. Specter wants the committee to approve a bill he drafted that tinkers dangerously with the rules on wiretapping, even though the president has said the law doesn't apply to him anyway, and even though Mr. Specter and most of the panel are just as much in the dark as that judge in Detroit. The bill could well diminish the power of the Foreign Intelligence Surveillance Act, known as FISA, which was passed in 1978 to prevent just the sort of abuse that Mr. Bush's program represents.

The committee is considering four bills. Only one even remotely makes sense now: it would give legal standing to groups that want to challenge the spying in court. The rest vary from highly premature (Senator Dianne Feinstein's proposed changes to FISA) to the stamp of approval for Mr. Bush's claims of unlimited power that Senator Mike DeWine drafted. Mr. Specter's bill is not that bad, but it is fatally flawed and should not go to the Senate floor.

He is trying to change the system for judicial approval of government wiretaps in a way that suggests Congress is facing a technical problem with a legislative solution, when in fact it is a constitutional showdown. There is also a practical problem: a bill on the floor of this Senate becomes the property of the Republican leadership, which will rewrite it to the specifications of Vice President Dick Cheney, the man in charge of this particular show of imperial power. Mr. Specter, of all people, should have no doubt of that, having been forced to watch in embarrassment last week as Mr. Cheney seized control of the committee's deliberations on the spying issue.

Mr. Specter says his bill would impose judicial review on domestic spying by giving the special court created by FISA power to rule on the constitutionality of the one program that Mr. Bush has acknowledged. But the review would be optional.

Mr. Specter's bill would eliminate the vital principle that FISA's rules are the only legal way to eavesdrop on Americans' telephone calls and e-mail. It would give the president power to conduct surveillance under FISA "or under the constitutional authority of the executive." That merely reinforces Mr. Bush's claim that he is the sole judge of what powers he has, and how he exercises them.

Mr. Specter's lawyers have arguments for many of these criticisms, and say the bill is being improved. But the main problem with the bill, like most of the others, is that it exists at all. This is not a time to offer the administration a chance to steamroll Congress into endorsing its decision to ignore the 1978 intelligence act and shred constitutional principles on warrants and on the separation of powers. This is a time for Congress to finally hold Mr. Bush accountable for his extralegal behavior and stop it.
From rforno at infowarrior.org Thu Jun 15 11:08:58 2006
From: rforno at infowarrior.org (Richard Forno)
Date: Thu, 15 Jun 2006 11:08:58 -0400
Subject: [Infowarrior] - US insists on right to develop arms for outer space
Message-ID:

US insists on right to develop arms for outer space
Tue Jun 13, 2006 7:57 AM ET
http://today.reuters.com/news/newsArticle.aspx?type=topNews&storyID=2006-06-13T115717Z_01_L13495545_RTRUKOC_0_US-ARMS-SPACE-USA.xml&archived=False

By Stephanie Nebehay

GENEVA (Reuters) - The United States on Tuesday reasserted its right to develop weapons for use in outer space to protect its military and commercial satellites and ruled out any global negotiations on a new treaty to limit them.

In a speech to the Conference on Disarmament, a senior State Department arms control official insisted that such weapons systems would be purely defensive. Washington sees no need for negotiations to prevent an arms race in space as a 40-year-old international treaty banning weapons of mass destruction in space remains adequate, he said.

John Mohanco, deputy director of the office of multilateral, nuclear and security affairs, said the United States faced a threat of attacks from the earth or from other countries' spacecraft. He did not name any potential attackers.

"As long as the potential for such attacks remains, our government will continue to consider the possible role that space-related weapons may play in protecting our assets," he told the United Nations-backed forum.

"For our part, the United States does not have any weapons in space, nor do we have plans to build such weapons," he said.

The White House is due to announce a new space policy this month, the first overhaul in a decade. Some U.S. experts have said it will underscore the Pentagon's determination to protect its existing space assets and maintain dominance of outer space.

The United States and Britain are under pressure to agree to global negotiations on space at the 65-member Geneva forum, where they remain virtually alone in opposing them. Washington argues a treaty banning production of nuclear bomb-making fissile material should be the forum's next goal.

Last week, China and Russia warned that space-based weapons would pose a threat as great as weapons of mass destruction and pointed to gaps in existing international law. The two powers also back fissile talks under a wider agenda including space.

LION'S SHARE

The United States -- which has the "lion's share of assets in outer space" -- remains committed to the peaceful use of space by all nations, according to Mohanco.

"There is no -- repeat, no -- problem in outer space for arms control to solve," he said, citing "unprecedented international cooperation" in civil and commercial space activities, including among former Cold War foes.

A 1967 U.N. treaty bans weapons of mass destruction from space, but some experts believe the United States would not shy away from withdrawing from the pact. In 2002, it pulled out of the 1972 Anti-Ballistic Missile (ABM) treaty to begin deploying a missile defense shield.

Mohanco vowed all U.S. activities in the exploration and use of outer space would comply with international law.

But a new pact to ban anti-satellite weapons or other space-related weapon systems would be impossible, given the problems of defining what it covered, because any space object had an inherent "dual-use potential", meaning it could be used for civilian or military purposes, he said.
From rforno at infowarrior.org Thu Jun 15 11:21:18 2006
From: rforno at infowarrior.org (Richard Forno)
Date: Thu, 15 Jun 2006 11:21:18 -0400
Subject: [Infowarrior] - Legislators want to hear from domestic spying witness
Message-ID:

Legislators want to hear from domestic spying witness
http://www.govexec.com/story_page.cfm?articleid=34312&sid=28

By Chris Strohm, CongressDaily

More lawmakers are clamoring on Capitol Hill to hear from a former intelligence officer who alleges that unlawful activity took place at the National Security Agency.

House Government Reform National Security Subcommittee Chairman Christopher Shays, R-Conn., and ranking member Dennis Kucinich, D-Ohio, have told the NSA they want to hear from Russell Tice, who worked on what are known as "special access programs" at the agency until he was fired in May 2005.

Tice alleges that the NSA conducted illegal and unconstitutional surveillance of U.S. citizens while he was there with the knowledge of its former director, Air Force Gen. Michael Hayden, who is now director of the CIA.

During an 18-year career, Tice worked on some of the most secretive programs in the government. He would not discuss with a reporter the details of his allegations, saying doing so would compromise classified information and put him at risk of going to jail.

Tice said his information is different from the terrorist surveillance program that President Bush acknowledged in December and from news accounts last month that the NSA has been secretly collecting phone call records of millions of Americans.

Because he worked on special access programs, however, it has not been clear on Capitol Hill which committees have jurisdiction to debrief him.

Shays and Kucinich gave the NSA until Friday to explain any legal reason why they cannot interview him. But that deadline passed without a response, and a subcommittee aide on Monday called the missed deadline troubling.

Shays and Kucinich had originally asked the NSA to give them a reason by May 26, but the agency asked for an extension until June 9.

NSA spokesman Don Weber said Monday that the agency "is performing due diligence in developing a response to the committee's request," but added that Tice has not notified the agency of the alleged illegal activity. Tice said he does not believe he needs to notify the agency of his allegations.

Tice originally wrote letters last December asking to meet with the Senate and House Intelligence committees. He got a meeting earlier this year with staff from the House Intelligence Committee, but they told him they were not cleared to hear what he had to say.

Instead, Tice met last month in a closed session with senior staff from the Senate Armed Services Committee. Tice said he told the staffers everything he knew. But he said the aides did not say how, or if, they would follow up on his allegations.

Shays and Kucinich believe that the House Government Reform Committee has jurisdiction to hear from Tice. In a May 17 letter to the NSA, the lawmakers argue that they can hear from Tice because the House Intelligence Committee does not have exclusive jurisdiction over the special access programs that Tice worked on.

"If the SAP [special access programs] does not fall under the exclusive jurisdiction of [the House Intelligence Committee], but rather under the jurisdiction of the Armed Services Committee, the House rules provide that the Government Reform Committee may exercise oversight jurisdiction to investigate allegations of illegal activity under that government program," the letter said.

Tice was fired after the NSA ordered him to undergo psychological evaluations following a separate clash with agency leadership, and psychologists diagnosed him as being paranoid. Tice claimed the order to undergo psychological evaluations was retaliation for raising concerns.
He also said he saw an independent psychologist who found no evidence that he has a mental disorder.

From rforno at infowarrior.org Thu Jun 15 11:51:48 2006 From: rforno at infowarrior.org (Richard Forno) Date: Thu, 15 Jun 2006 11:51:48 -0400 Subject: [Infowarrior] - High Court Backs Police No-Knock Searches Message-ID:

High Court Backs Police No-Knock Searches http://www.washingtonpost.com/wp-dyn/content/article/2006/06/15/AR2006061500730_pf.html By GINA HOLLAND The Associated Press Thursday, June 15, 2006; 11:23 AM WASHINGTON -- The Supreme Court ruled Thursday that police armed with a warrant can barge into homes and seize evidence even if they don't knock, a huge government victory that was decided by President Bush's new justices. The 5-4 ruling signals the court's conservative shift following the departure of moderate Sandra Day O'Connor. The case tested previous court rulings that police armed with warrants generally must knock and announce themselves or they run afoul of the Constitution's Fourth Amendment ban on unreasonable searches. Justice Antonin Scalia, writing for the majority, said Detroit police acknowledge violating that rule when they called out their presence at a man's door then went inside three seconds to five seconds later. "Whether that preliminary misstep had occurred or not, the police would have executed the warrant they had obtained, and would have discovered the gun and drugs inside the house," Scalia wrote. But suppressing evidence is too high of a penalty, Scalia said, for errors by police in failing to properly announce themselves. The outcome might have been different if O'Connor were still on the bench. She seemed ready, when the case was first argued in January, to rule in favor of Booker Hudson, whose house was searched in 1998. O'Connor had worried aloud that officers around the country might start bursting into homes to execute search warrants.
She asked: "Is there no policy of protecting the home owner a little bit and the sanctity of the home from this immediate entry?" She retired before the case was decided, and a new argument was held so that Justice Samuel Alito could participate in deliberations. Alito and Bush's other Supreme Court pick, Chief Justice John Roberts, both supported Scalia's opinion. Hudson's lawyers argued that evidence against him was connected to the improper search and could not be used against him. Scalia said that a victory for Hudson would have given "a get-out-of-jail-free card" to him and others. In a dissent, four justices complained that the decision erases more than 90 years of Supreme Court precedent. "It weakens, perhaps destroys, much of the practical value of the Constitution's knock-and-announce protection," Justice Stephen Breyer wrote for himself and the three other liberal members. Breyer said that police will feel free to enter homes without knocking and waiting a short time if they know that there is no punishment for it. Justice Anthony M. Kennedy, a moderate, joined the conservatives in most of the ruling. He wrote his own opinion, however, to say "it bears repeating that it is a serious matter if law enforcement officers violate the sanctity of the home by ignoring the requisites of lawful entry." The case is Hudson v. Michigan, 04-1360. © 2006 The Associated Press

From rforno at infowarrior.org Thu Jun 15 13:54:44 2006 From: rforno at infowarrior.org (Richard Forno) Date: Thu, 15 Jun 2006 13:54:44 -0400 Subject: [Infowarrior] - Microsoft: Vista Most Secure OS Ever Message-ID:

(I would agree that Vista is the world's most secure OS given that it's not being used yet.......*g* ---rf) Microsoft: Vista Most Secure OS Ever By Nate Mook and Tim Conneally, BetaNews June 15, 2006, 6:08 AM Microsoft senior vice president Bob Muglia opened up TechEd 2006 in Boston Sunday evening by proclaiming that Windows Vista was the most secure operating system in the industry.
< - > http://www.betanews.com/article/print/Microsoft_Vista_Most_Secure_OS_Ever/1150366131

From rforno at infowarrior.org Fri Jun 16 07:37:56 2006 From: rforno at infowarrior.org (Richard Forno) Date: Fri, 16 Jun 2006 07:37:56 -0400 Subject: [Infowarrior] - Asian nations seek protection from Web threats Message-ID:

Jun 15, 11:19 AM EDT Group seeks protection from Web threats http://hosted.ap.org/dynamic/stories/A/ASIA_INTERNET_THREATS?SITE=CADIU&SECTION=HOME&TEMPLATE=DEFAULT SHANGHAI, China (AP) -- A Russian and Chinese-led bloc of Asian states said Thursday it plans to set up an expert group to boost computer security and help guard against threats to their regimes from the Internet. Suggesting the new group might tackle censorship, the six-nation Shanghai Cooperation Organization said information communication technology could infringe on the "internal affairs of sovereign states," bringing "serious harm to individual, social and national security." The group's statement, issued following its annual summit in this Chinese city, identified no specific threats and didn't specify what kinds of information communications technology it considered vulnerable. However, SCO members - China, Russia, Kazakhstan, Kyrgyzstan, Tajikistan and Uzbekistan - are mostly authoritarian states that maintain tight controls on communications technology, including the Internet. China, which hosts the grouping's permanent secretariat, has some of the world's tightest Internet restrictions, blocking thousands of sites containing information considered sensitive or threatening by the communist regime, along with those hosting gambling and pornography. Russia is also the alleged home of many computer hackers and gangs that commit fraud over the Internet. Criminals, terrorists, and even nation states could use the technology to attack individual countries or even undermine global stability, the statement said.
It said the expert group, to include representatives from its Regional Anti-Terrorist Structure, would formulate plans for action against such threats and develop solutions to information security problems. © 2006 The Associated Press. All rights reserved. This material may not be published, broadcast, rewritten or redistributed. Learn more about our Privacy Policy.

From rforno at infowarrior.org Fri Jun 16 07:41:44 2006 From: rforno at infowarrior.org (Richard Forno) Date: Fri, 16 Jun 2006 07:41:44 -0400 Subject: [Infowarrior] - Major Internet hiccups yesterday Message-ID:

Original URL: http://www.theregister.co.uk/2004/06/15/akamai_goes_postal/ Akamai goes postal, kills Microsoft, Symantec, Google, Apple, Lycos... By Kieren McCarthy Published Tuesday 15th June 2004 15:26 GMT A major cock-up at Akamai has seen the world's biggest websites vanish from view for two hours today. From around 1.30pm, the Internet domain that Akamai uses to host content - akadns.net - disappeared and only reappeared at 3.30pm. Because a huge number of websites run through the Akamai site - including the world's four biggest, Yahoo.com, MSN.com, Google.com and Microsoft.com - when Akamai went down, so did they. Akamai is the world's biggest content hoster, claiming to carry 15 per cent of the Net's traffic. Companies pay it to seamlessly host their website content so files that appear to be at www.microsoft.com are, in reality, hosted at www.microsoft.akamai.net. Ironically, one of Akamai's main selling pitches for its technology is that it prevents there from being a single point of failure. Outsourcing content to a specialist like Akamai enables companies to concentrate on content rather than have to install their own infrastructure to deal with such things as denial-of-service attacks. But the concept appears to be rather like the Titanic - founded on the belief that Akamai is unsinkable.
Akamai has got back to us to explain that the problem stemmed from what a spokesman called a "large scale international attack on the Internet's infrastructure". Akamai said the attack was primarily aimed at the large search engines - of which it runs the three largest, Yahoo!, Google and Lycos - which meant that people were unable to access the sites. The spokesman denied however that it was an outage and said that the Akamai name service continued to function throughout the attack which ended around two hours later. The company is still analysing the attack and the spokesman told us it could not yet conclude whether it was directed solely at Akamai.

From rforno at infowarrior.org Fri Jun 16 07:44:41 2006 From: rforno at infowarrior.org (Richard Forno) Date: Fri, 16 Jun 2006 07:44:41 -0400 Subject: [Infowarrior] - Bush Signs Legislation On Broadcast Decency Message-ID:

Bush Signs Legislation On Broadcast Decency http://www.freepress.net/news/16072 From Washington Post, June 16, 2006 By Peter Baker Complaining that television and radio shows in recent years have "too often pushed the bounds of decency," President Bush signed legislation yesterday to escalate dramatically the penalties against broadcasters who violate federal standards. "The language is becoming coarser during the times when it's more likely children will be watching television," Bush said, citing a study of nighttime programming. "It's a bad trend, a bad sign." He noted that complaints to regulators have exploded since he took office. "People are saying, 'We're tired of it, and we expect the government to do something about it.'" The ceremony came on a busy day for Bush as he tended to various matters in between his surprise visit to Baghdad this week and a domestic fundraising trip starting today followed by a European summit next week.
In back-to-back events, Bush also gave a speech calling for action on stalled global trade talks, signed a bill to improve coal mine safety and authorized creation of the world's largest protected marine reserve. The White House decided to showcase the signing of the Broadcast Decency Enforcement Act at a time when Bush and Republican congressional allies are trying to reassure disaffected conservative supporters that they remain committed to conservative causes. With midterm elections approaching, Bush recently gave two speeches promoting a constitutional amendment banning same-sex marriage and the Senate plans to vote on another amendment that outlaws flag burning. The decency act, coming two years after one of singer Janet Jackson's breasts was exposed in a "wardrobe malfunction" during a Super Bowl halftime show, increases the maximum penalty for broadcasting indecent material on radio or television between 6 a.m. and 10 p.m. from $32,500 to $325,000. The new law does not change the standards of indecency, which is defined as "patently offensive" sexual or excretory content. Broadcasters and free-speech advocates argue that the legislation attacks expression and unfairly targets broadcast networks while cable and satellite programming remains beyond the reach of federal regulation. The main television networks and affiliates recently sued to challenge the government's power to regulate on-air content. The National Association of Broadcasters yesterday released the same statement it issued when the legislation passed, calling "responsible self-regulation" the preferred path and asserting that any rules "should be applied equally" to cable and satellite outlets. Bush also signed legislation to bolster safety in coal mines after a spate of deadly accidents, including the January explosion in West Virginia that trapped a dozen men who ultimately died. The lone survivor of that accident, Randal McCloy Jr., attended yesterday's ceremony.
The new law requires more emergency supplies of breathable air, more accessible rescue teams and higher fines for violations. At a separate event, the president signed a proclamation designating 140,000 square miles of sea and uninhabited islands northwest of Hawaii a national monument, an area larger than all but four states. The designation affords federal protection for the home of 7,000 marine species, including virtually the entire population of endangered Hawaiian monk seals. The president also devoted part of his day to international trade and development, addressing a group formed by former secretaries of state Colin L. Powell and Madeleine K. Albright aimed at reducing global poverty. Bush used the occasion to urge Congress to pass his proposed increases in foreign aid and to press foreign leaders to work harder to reach a global trade deal with a June 30 deadline for basic agreements looming. Accompanied by newly sworn-in U.S. Trade Representative Susan C. Schwab, Bush acknowledged that the so-called Doha trade talks have encountered "tough sledding" but said he would push for breakthroughs to lower trade barriers when he travels to Austria and Hungary next week. "In my view, countries in Europe have to make a tough decision on farming and the G-20 countries have to make a tough decision on manufacturing," he said, referring to a group of 20 developing nations. "And the United States is prepared to make a tough decision along with them. That's my message to the world." This article is from Washington Post. If you found it informative and valuable, we strongly encourage you to visit their website and register an account to view all their articles on the web. Support quality journalism.
From rforno at infowarrior.org Fri Jun 16 07:54:05 2006 From: rforno at infowarrior.org (Richard Forno) Date: Fri, 16 Jun 2006 07:54:05 -0400 Subject: [Infowarrior] - A thought on USG data protection capability Message-ID:

Given the ever-worsening data security fiascos at the VA, DOE, and who-knows-where-else, if you set aside the whole "domestic surveillance" and "false positive" arguments for a minute, does anyone else here doubt the USG's ability to safeguard effectively such treasure-troves of personal information it wants to or is collecting under such "anti-terrorist" programs? What privacy oversights and protections are in place over such data? Would an unscrupulous DOD contractor be able to offload a bunch of MySpace blogs (or private LiveJournal entries) and peruse them at leisure from their laptop at home? Looking at recent data loss stories, I'm not particularly confident of the USG's demonstrated competence in protecting private information. Yet the desire for collecting it continues... Thoughts? -rick Infowarrior.org

From rforno at infowarrior.org Fri Jun 16 08:35:36 2006 From: rforno at infowarrior.org (Richard Forno) Date: Fri, 16 Jun 2006 08:35:36 -0400 Subject: [Infowarrior] - US suing NJ Attorney General to prevent phone co subpoena Message-ID:

US sues New Jersey over phone company subpoenas Thu Jun 15, 2006 8:58 PM ET http://today.reuters.com/news/newsArticle.aspx?type=domesticNews&storyID=2006-06-16T005812Z_01_N15200507_RTRUKOC_0_US-TELECOMS-EAVESDROPPING-NEWJERSEY.xml NEW YORK (Reuters) - The U.S. government has sued the New Jersey Attorney General's office on grounds of security concerns to prevent it from asking telephone companies if they gave customer call records to the National Security Agency.
The government wants to stop the disclosure of confidential and sensitive information, according to the lawsuit filed in Trenton, New Jersey on Wednesday, a day before phone companies were due to reply to subpoenas issued by the New Jersey attorney general. "Compliance with the subpoenas issued by those officers would first place the carriers in a position of having to confirm or deny the existence of information that cannot be confirmed or denied without causing exceptionally grave harm to national security," the lawsuit said. New Jersey Attorney General Zulima Farber sent subpoenas to AT&T, Verizon Communications Inc., Cingular Wireless, Sprint Nextel and Qwest Communications International Inc. on May 17 asking if they had cooperated with the NSA. The suit charged that New Jersey's attorney general issued the subpoenas without proper authorization from the federal government. The lawsuit named AT&T, Verizon, Sprint, Qwest and Cingular, a venture of AT&T and BellSouth, as defendants as well as Farber and other New Jersey officials. USA Today newspaper reported last month that AT&T, Verizon and BellSouth Corp. gave the NSA access to and turned over call data so it could secretly analyze calling patterns to detect terrorist plots. This provoked a host of lawsuits and objections from privacy advocates. BellSouth has denied turning over information to the NSA, and Verizon has said that it does not provide the government with unfettered access to customer records. AT&T has said it helps when asked by the government but only within the law. A lawyer for Qwest's former chief executive Joe Nacchio has said that he refused government requests for information. David Wald, a spokesperson for the New Jersey attorney general, did not say what Farber's next step would be. "We acted to determine whether the rights of citizens in New Jersey have been violated. We will look at this complaint and respond in court," Wald said.
AT&T spokesman Walt Sharp said, "The filing by the federal government underscores the fact that the government and not corporations has responsibility for and control over national security issues." Representatives for Verizon and Sprint Nextel were not immediately available for comment. Cingular and Qwest declined comment saying they do not discuss national security matters.

From rforno at infowarrior.org Fri Jun 16 08:38:51 2006 From: rforno at infowarrior.org (Richard Forno) Date: Fri, 16 Jun 2006 08:38:51 -0400 Subject: [Infowarrior] - The Don't-Bother-to-Knock Rule Message-ID:

http://www.nytimes.com/2006/06/16/opinion/16fri1.html?_r=1&oref=slogin&pagewanted=print June 16, 2006 Editorial The Don't-Bother-to-Knock Rule The Supreme Court yesterday substantially diminished Americans' right to privacy in their own homes. The rule that police officers must "knock and announce" themselves before entering a private home is a venerable one, and a well-established part of Fourth Amendment law. But President Bush's two recent Supreme Court appointments have now provided the votes for a 5-4 decision eviscerating this rule. This decision should offend anyone, liberal or conservative, who worries about the privacy rights of ordinary Americans. The case arose out of the search of Booker T. Hudson's home in Detroit in 1998. The police announced themselves but did not knock, and after waiting a few seconds, entered his home and seized drugs and a gun. There is no dispute that the search violated the knock-and-announce rule. The question in the case was what to do about it. Mr. Hudson wanted the evidence excluded at his trial. That is precisely what should have happened. Since 1914, the Supreme Court has held that, except in rare circumstances, evidence seized in violation of the Constitution cannot be used. The exclusionary rule has sometimes been criticized for allowing criminals to go free just because of police error.
But as the court itself recognized in that 1914 case, if this type of evidence were admissible, the Fourth Amendment "might as well be stricken." The court ruled yesterday that the evidence could be used against Mr. Hudson. Justice Antonin Scalia, writing for the majority, argued that even if police officers did not have to fear losing a case if they disobeyed the knock-and-announce rule, the subjects of improper searches could still bring civil lawsuits to challenge them. But as the dissenters rightly pointed out, there is little chance that such suits would keep the police in line. Justice Scalia was also far too dismissive of the important privacy rights at stake, which he essentially reduced to "the right not to be intruded upon in one's nightclothes." Justice Stephen Breyer noted in dissent that even a century ago the court recognized that when the police barge into a house unannounced, it is an assault on "the sanctity of a man's home and the privacies of life." If Justice Sandra Day O'Connor had stayed on the court, this case might well have come out the other way. For those who worry that Chief Justice John Roberts and Justice Samuel Alito will take the court in a radically conservative direction, it is sobering how easily the majority tossed aside a principle that traces back to 13th-century Britain, and a legal doctrine that dates to 1914, to let the government invade people's homes. 
From rforno at infowarrior.org Mon Jun 19 07:53:06 2006 From: rforno at infowarrior.org (Richard Forno) Date: Mon, 19 Jun 2006 07:53:06 -0400 Subject: [Infowarrior] - News Reporting -- Web Users Open the Gates Message-ID:

Web Users Open the Gates http://www.washingtonpost.com/wp-dyn/content/article/2006/06/18/AR2006061800618_pf.html By Jay Rosen Special to washingtonpost.com Monday, June 19, 2006; 12:00 AM A decade after major news providers such as The Washington Post began publishing on the Internet, they are finally beginning to ask the right questions about what the Web can do for them and their readers -- and to realize how disruptive web technology is to traditional journalism. Big guns such as the Associated Press's chief executive, Tom Curley, have admitted that the industry seriously fumbled its new media strategy for years by opting to re-purpose material produced to serve print and broadcast audiences. Only recently has it begun to respond to the decisive, Internet-driven shift in the "balance of power" between news providers and readers by striving to deliver news "on-demand" and by developing truly interactive reports, Curley told the Online News Association in 2004. "When the Web was born as a commercial content enterprise back in the mid-'90s, we thought it was about replicating -- that is, 'repurposing' -- our news and information franchises online," Curley said. "The news, as 'lecture,' is giving way to the news as a 'conversation'." The earlier idea of re-purposing content was not innovative, but it was rational and cost-effective. The Web is flexible. It can "kinda/sorta" replicate an older format, if that's the goal. It's useful as a cheap, fast mass delivery system. "Trusted brands," the thinking went, could establish trusted sites, and transfer their reputations to the new medium. Newspaper, radio, television ... Web! It made sense at the time.
But in the 10 years following the birth of washingtonpost.com, the Net and its publishing platform, the World Wide Web, have proved harder to master, scarier to get wrong and more thrilling to get right than expected. Wilder, and discontinuous with the past in a way those coming out of traditional journalism never could have imagined. Simple example: The Net radically shifts principles of news distribution as all sites become equidistant from the reader. In 2003, I tracked Arnold Schwarzenegger's gubernatorial campaign by reading California Insider by Dan Weintraub because the Sacramento Bee political columnist seemed more clued-in to the race than top national reporters. That I could choose his coverage (and links) over the Washington Post's demonstrates the "unbundling" effect of the Internet. Containers in which news had been packaged broke apart because the Internet could deliver content without the wrapping. I had no use for the Sacramento Bee, just Weintraub. The technology increased his influence, his "brand," while subtly diminishing the Bee's. The disintegration of news containers unsettled a business that had coped with the introduction of radio and television. Executives were forced to redraw their value chains. Curley, for example, suggested that "legacy technology, silo-ed bureaucracies and entrenched workflows" at American newsrooms had prevented creative responses to the Web. True. Yet the disruptions happened anyway. Here are some that stand out for me: The "closed" system of gates and gatekeepers has been busted open. What's the most amazing thing about the new media world? Its low barriers to entry. Thanks to the Internet, it is cheap and simple to launch a site that, theoretically, the whole world could be watching. Yesterday there were a few dozen providers; today news, views and attitudes stream through millions of gates.
And the Web accepts all kinds of gatekeepers, each with unique rules for what matters, rather than the rules adopted by a class of professionals with set journalistic principles. For the old gatekeepers that's a big disruption. The charges made against Democratic presidential candidate John Kerry by Swift Boat Veterans for Truth, claiming that his medals were undeserved, could have been held out of circulation by newsroom gatekeepers, pre-Internet. By 2004, it was impossible to keep such a story quiet, and editors knew it. The new balance of power between producers and consumers. Curley described this change to the Online News Association on Nov. 12, 2004. When it came to consuming media, the Web allows users to decide "what application, what device, what time, what place." Curley described a decisive shift in whose clock the news runs on, away from an "appointment-driven" model. Producers had to adjust. The basic idea of what defines a news "consumer" morphs when consumers gain access to producers' tools, and can float between being a reader and an editor. In a speech to BBC staff on April 25, 2006, the network's director-general, Mark Thompson, said users with expanded choices demand more from big brands. New media, he said, "empowers those audiences, transfers control from us to them, lets them consume what they want, when they want, lets them create content, lets them participate." It's a long way from "Excuse us, just re-purposing," to, "Oh my God, there's been a power shift." But since 2004, mainstream providers have shown signs of learning to swing with the Web. They supported blogs. They encouraged interactivity. They began to re-draw their picture of their audience. 'Newspaper, radio, television...Web!' was a wrong turn down a one-way street. Uh, oh, power shift. In October of 2005, Andrew Heyward, the president of CBS News, said the era of omniscience in network news had ended. His insight: You could improve viewer trust by denying full knowledge.
Disruption! (By the way Heyward said it at my blog, PressThink.) Sources have more power to sidestep journalists. What goes for consumers goes for sources. Because sources can be publishers too, there's a new balance of power between them and reporters, who once gave those sources a voice in the press. For example, the Dallas Mavericks' owner and a tech entrepreneur, Mark Cuban, has little use for beat writers assigned to cover his team. Instead, with Blog Maverick, he speaks to hardcore fans and addresses controversies directly. Reporters read his blog concurrently with the fans, who once relied on the sports section for inside information. The Net exploded the universe in press criticism. A decade ago, six letters and two phone calls from readers in response to a three-part series that took months to report was considered "good" feedback. Today, a big story commonly brings in 500 to 1,000 e-mails. It's not just the volume, but who is speaking up. Today there is much more criticism of the press from outside the club of mainstream journalists. This changes the kind of explanations that will wash in forums like the Washington Post's live online discussions with reporters, where -- under tightly controlled conditions -- journalists reply to skeptical users. Heavy consumers of online journalism also effectively fact-check, cry foul and push back with weblogs and other tools. That's an environment of critical scrutiny unknown to most journalists pre-1996. Of all things bloggers have tried to do, their criticism of the news media has probably made the biggest difference in the business. The Net has exposed group think in journalism. The strongest motivation I had in starting PressThink (my one-person magazine of press criticism) was to circumvent the gatekeepers in the national discussion. I was tired of passing my ideas through editors who forced me to observe the silences they kept as professional journalists. 
The day after President Bush was re-elected in 2004, I suggested on my blog that at least some news organizations should consider themselves the opposition to the White House. Only by going into opposition, I argued, could the press really tell the story of the Bush administration's vast expansion of executive power. That notion simply hadn't been discussed in mainstream newsrooms, which had always been able to limit debate about what is and isn't the job of the journalist. But now that amateurs had joined pros in the press zone, newsrooms couldn't afford not to debate their practices. This is disruptive because if the unthinkable cannot be ignored, professional correctness loses its power. A Pulitzer Prize-winning media columnist at the Los Angeles Times, David Shaw, denounced my suggestion after reading about it at Romenesko, an online gathering spot for journalists. He quoted CNN staffers as saying what a terrible idea opposition press would be. Are you nuts? It would instantly destroy our credibility! But my question was: Why has no major news organization tried to build up credibility as the oppositional (but relentlessly factual) network the way Fox News built credibility as a Bush-friendly channel, which capably won the ratings for its coverage of the 2004 Republican National Convention? After all, the target audience -- cable watchers from "blue" America -- comprised at least 40 percent of the overall market, plus anyone from the right who would tune in for the outrage factor. Prior to the Internet, the idea that an opposition press could have value would simply have been ignored. Disrupting the legacy media's overconfidence. How crazy is it to think a third-place cable news channel might see the logic of developing an oppositional, adversarial -- even liberal -- voice? It isn't improbable in the big picture, but finding support for such programming is deemed impossible by those in the TV news club. Some call it the "legacy" effect.
When mainstream journalists, trying to maintain consensus ideas that justify their work and form bases for their professional identities, misunderstand the environment created by the Internet, bad decision-making and dumb statements follow. In 2004, Dan Rather and his team at "60 Minutes," along with the CBS executives, misrecognized what was happening to their story about President Bush's National Guard service. They made a lot of dumb statements. They were over-confident in their understanding of the new medium. To them, it was impossible that amateurs on the Net could apply factual tests more strenuous than those their staff had conducted. The higher-ups assessed inaccurately who was reading certain bloggers' assaults on the network's story. Correspondents for the national newspapers monitored the blogs, picked out tidbits and developed them into stories, raising questions CBS could no longer ignore, even though it had tried to ignore the bloggers. In that episode and others, the combined effect of amateurs and news professionals proved decisive. In the fall of Senate Minority Leader Trent Lott (December, 2002) the press reported Lott's comments praising Strom Thurmond's 1948 campaign, but failed to weight them adequately. The bloggers corrected for that, and added substantial background information. The freewheeling discussion proved that distress over Lott's comments came from both sides of the aisle. Within days, the national press picked the story back up and within two weeks, Lott was gone. That's accountability journalism gone pro-am, and it shows how the great disruption may yield solid improvements. Another example: On the day the Indian Ocean tsunami struck, Reuters had 2,300 journalists and 1,000 stringers positioned around the world, according to the firm's chief executive, Tom Glocer. But none of them were on the beaches to witness the disaster, he told the Online Publishing Association. The amateurs were there and they were prepared. 
"So for the first 24 hours the best and the only photos and video came from tourists armed with 1.3 megapixel portable telephones, digital cameras and camcorders. And if you didn't have those pictures you weren't on the story," Glocer said. Reuters, a wire service, had to recognize there are more people in the press zone now -- and integrate their material into its report. That should make us better, he said, but "you have to be open to both amateur and professional to tell the story completely." Exactly: To survive you have to be open. That's where disruption in the news business looks a lot like renewal. Jay Rosen teaches journalism at New York University and is the author of the blog PressThink. From rforno at infowarrior.org Mon Jun 19 07:57:04 2006 From: rforno at infowarrior.org (Richard Forno) Date: Mon, 19 Jun 2006 07:57:04 -0400 Subject: [Infowarrior] - Mine Data not Details Message-ID: Mine Data not Details http://www.wired.com/news/wireservice/1,71184-0.html Associated Press 10:45 AM Jun, 17, 2006 CAMBRIDGE, Massachusetts -- As new disclosures mount about government surveillance programs, computer science researchers hope to wade into the fray by enabling data mining that also protects individual privacy. Largely by employing the head-spinning principles of cryptography, the researchers say they can ensure that law enforcement, intelligence agencies and private companies can sift through huge databases without seeing names and identifying details in the records. For example, manifests of airplane passengers could be compared with terrorist watch lists -- without airline staff or government agents seeing the actual names on the other side's list. Only if a match were made would a computer alert each side to uncloak the record and probe further. "If it's possible to anonymize data and produce ... the same results as clear text, why not?" 
John Bliss, a privacy lawyer in IBM's "entity analytics" unit, told a recent workshop on the subject at Harvard University. The concept of encrypting or hiding identifying details in sensitive databases is not new. Exploration has gone on for years, and researchers say some government agencies already deploy such technologies -- though protecting classified information rather than individual privacy is a main goal. Even the data-mining project that perhaps drew more scorn than any other in recent years, the Pentagon's Total Information Awareness research program, funded at least two efforts to anonymize database scans. Those anonymizing systems were dropped when Congress shuttered TIA, even while the data-mining aspects of the project lived on in intelligence agencies. Still, anonymizing technologies have been endorsed repeatedly by panels appointed to examine the implications of data mining. And intriguing progress appears to have been made at designing information-retrieval systems with record anonymization, user audit logs -- which can confirm that no one looked at records beyond the approved scope of an investigation -- and other privacy mechanisms "baked in." The trick is to do more than simply strip names from records. Latanya Sweeney of Carnegie Mellon University -- a leading privacy technologist who once had a project funded under TIA -- has shown that 87 percent of Americans could be identified by records listing solely their birth date, gender and ZIP code. Sweeney had this challenge in mind as she developed a way for the U.S. Department of Housing and Urban Development to anonymously track the homeless. The system became necessary to meet the conflicting demands of two laws -- one that requires homeless shelters to tally the people they take in, and another that prohibits victims of domestic violence from being identified by agencies that help them. 
Sweeney's solution deploys a "hash function," which cryptographically converts information to a random-appearing code of numbers and letters. The function can't be reversed to reveal the original data. When homeless shelters had to submit their records to regional HUD offices for counting how many people used the facilities, each shelter would send only hashed data. A key detail here is that each homeless shelter would have its own computational process, known as an algorithm, for hashing data. That way, one person's name wouldn't always translate into the same code -- a method that could be abused by a corrupt insider or savvy stalker who gained access to the records. However, if the same name generated different codes at different shelters, it would be impossible to tell whether one person had been to two centers and was being double-counted. So Sweeney's system adds a second step: Each shelter's hashed records are sent to all other facilities covered by the HUD regional office, then hashed again and sent back to HUD as a new code. It might be hard to wrap your mind around this, but it's a fact of the cryptography involved: If one person had been to two different shelters -- and so their anonymized data got hashed twice, once by each of the shelters applying its own formula -- then the codes HUD received in this second phase would indicate as much. That would aid an accurate count. Even if HUD decides not to adopt the system, Sweeney hopes it finds use in other settings, such as letting private companies and law enforcement anonymously compare whether customer records and watch lists have names in common. A University of California, Los Angeles professor, Rafail Ostrovsky, said the CIA and the National Security Agency are evaluating a program of his that would let intelligence analysts search huge batches of intercepted communications for keywords and other criteria, while discarding messages that don't apply. 
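Both the manifest-versus-watch-list comparison described earlier and Sweeney's two-phase shelter count depend on each party applying its own secret transformation to a record in a way that lets doubly transformed values still line up. The following is an added example, not code from the article or from Sweeney's HUD system: it assumes that each party's "hash" is a keyed modular exponentiation (which commutes across parties), that the prime 2^255 - 19 serves as the group, and it uses constructed sample shelter and passenger records.

```python
import hashlib
import math
import secrets

# Constructed parameter (assumption): the prime 2^255 - 19, chosen only because
# it is a well-known large prime.  A deployed system would use a vetted
# prime-order group and an audited private-set-intersection design, not this sketch.
P = (1 << 255) - 19


def hash_to_group(record):
    """Map a record (a normalised name, say) to a nonzero element of Z_p^*."""
    digest = hashlib.sha256(record.encode("utf-8")).digest()
    return int.from_bytes(digest, "big") % (P - 1) + 1


def new_key():
    """A party's secret exponent; coprime with p-1 so x -> x^k is a bijection."""
    while True:
        k = secrets.randbelow(P - 2) + 2
        if math.gcd(k, P - 1) == 1:
            return k


def blind(value, key):
    """One party's keyed 'hash'.  It commutes with every other party's:
    (h^a)^b == (h^b)^a (mod p), which is what makes the double-hash step work."""
    return pow(value, key, P)


def _find(parent, node):
    """Union-find root lookup with path halving."""
    while parent[node] != node:
        parent[node] = parent[parent[node]]
        node = parent[node]
    return node


def hud_count(shelters):
    """Two-phase count modelled on the article's description.

    shelters: {shelter_name: (secret_key, [client_name, ...])}.
    Phase 1: each shelter blinds its own records with its own key.
    Phase 2: for every pair of shelters, each re-blinds the other's phase-1
    codes and HUD receives only the doubly blinded codes.  A client seen by
    both shelters yields the same code h^(ab) from both directions.
    Returns (naive_total, deduplicated_total); HUD never sees a name.
    """
    phase1 = {s: [blind(hash_to_group(n), k) for n in names]
              for s, (k, names) in shelters.items()}
    nodes = [(s, i) for s, codes in phase1.items() for i in range(len(codes))]
    parent = {n: n for n in nodes}

    def union(x, y):
        parent[_find(parent, x)] = _find(parent, y)

    # Repeat visits to the same shelter produce the same phase-1 code.
    for s, codes in phase1.items():
        seen = {}
        for i, c in enumerate(codes):
            if c in seen:
                union((s, i), seen[c])
            seen.setdefault(c, (s, i))
    order = list(shelters)
    for idx, a in enumerate(order):
        for b in order[idx + 1:]:
            key_a, key_b = shelters[a][0], shelters[b][0]
            from_a = {blind(c, key_b): (a, i) for i, c in enumerate(phase1[a])}
            from_b = {blind(c, key_a): (b, j) for j, c in enumerate(phase1[b])}
            for code, node_a in from_a.items():
                if code in from_b:
                    union(node_a, from_b[code])
    return len(nodes), len({_find(parent, n) for n in nodes})


def private_match(manifest, watchlist, airline_key, agency_key):
    """Manifest-versus-watch-list check with the same primitive.

    The airline sends blind(h, airline_key); the agency re-blinds and returns
    it, and sends its own list as blind(h, agency_key), to which the airline
    applies its key.  No cleartext name crosses the boundary; the airline
    learns only which manifest positions match and can then uncloak those.
    """
    manifest_codes = [blind(blind(hash_to_group(n), airline_key), agency_key)
                      for n in manifest]
    watch_codes = {blind(blind(hash_to_group(n), agency_key), airline_key)
                   for n in watchlist}
    return [i for i, c in enumerate(manifest_codes) if c in watch_codes]


# Constructed sample data: three shelters, three people seen at two shelters,
# one person counted twice at the same shelter.
SHELTERS = {
    "north": (new_key(), ["Ana Ruiz", "Bo Chen", "Cy Dole"]),
    "south": (new_key(), ["Bo Chen", "Di Egan", "Di Egan"]),
    "east": (new_key(), ["Cy Dole", "Di Egan", "Ed Fox"]),
}

if __name__ == "__main__":
    print(hud_count(SHELTERS))  # (9, 5): nine records, five distinct people
    a_key, g_key = new_key(), new_key()
    print(private_match(["Ana Ruiz", "Zed Quinn", "Bo Chen"],
                        ["Bo Chen", "Ana Ruiz"], a_key, g_key))  # [0, 2]
```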
Ostrovsky and co-creator William Skeith believe the system would keep innocent files away from snoops' eyes while also extending their reach: Because the program would encrypt its search terms and the results, it could be placed on machines all over the internet, not just computers in classified settings. "Technologically it is possible" to bolster security and privacy, Ostrovsky said. "You can kind of have your cake and eat it too." That may be the case, but creating such technologies is just part of the battle. One problem is getting potential users to change how they deal with information. Rebecca Wright, a Stevens Institute of Technology professor who is part of a five-year National Science Foundation-funded effort to build privacy protections into data-mining systems, illustrates that issue with the following example. The Computing Research Association annually analyzes the pay earned by university computer faculty. Some schools provide anonymous lists of salaries; more protective ones send just their minimum, maximum and average pay. Researchers affiliated with Wright's project, known as Portia, offered a way to calculate the figures with better accuracy and privacy. Instead of having universities send their salary figures for the computer association to crunch, Portia's system can perform calculations on data without ever storing it in unencrypted fashion. With such secrecy, the researchers argued, every school could safely send full salary lists. But the software remains unadopted. One large reason, Wright said, was that universities questioned whether encryption gave them legal standing to provide full salary lists when they previously could not -- even though the new lists never would leave the university in unencrypted form. Even if data-miners were eager to adopt privacy enhancements, Wright and other researchers worry that the programs' obscure details might be difficult for the public to trust. 
Steven Aftergood, who heads the Federation of American Scientists' project on government secrecy, suggested that public confidence could be raised by subjecting government data-mining projects to external privacy reviews. But that seems somewhat unrealistic, he said, given that intelligence agencies have been slow to share surveillance details with Congress even on a classified basis. "That part of the problem may be harder to solve than the technical part," Aftergood said. "And in turn, that may mean that the problem may not have a solution." From rforno at infowarrior.org Mon Jun 19 08:46:34 2006 From: rforno at infowarrior.org (Richard Forno) Date: Mon, 19 Jun 2006 08:46:34 -0400 Subject: [Infowarrior] - Homeland Security Inc. Message-ID: http://www.nytimes.com/2006/06/19/washington/19port.html?ei=5094&en=da0708131a1e85ab&hp=&ex=1150776000&partner=homepage&pagewanted=print June 19, 2006 Homeland Security Inc. Company Ties Not Always Noted in Security Push By ERIC LIPTON WASHINGTON, June 18 -- When the storm erupted several months ago over plans by a United Arab Emirates-based company to take over management of a half-dozen American port terminals, one voice resonated in Washington. Stephen E. Flynn, a retired Coast Guard commander who is a senior fellow at the Council on Foreign Relations, repeatedly told lawmakers and reporters that domestic ports were so vulnerable that terrorists could easily sneak a radioactive device into something as innocuous as a shipment of sneakers. And he offered a solution: a cargo inspection system in Hong Kong that scans every container, instead of the fraction now checked in the United States. "The top priority should be working with the overseas terminal operators and putting in place a system that is being piloted in Hong Kong," Mr. Flynn told a House panel in March. "We have to view every container as a Trojan horse."
Homeland Security Department officials and lawmakers had been aware of the innovative port security approach in Hong Kong, but they had been reluctant to embrace it, convinced that screening every container at a port would be impractical. Mr. Flynn's forceful advocacy has changed that view. But as Democrats and Republicans rushed to act on his advice, one fact usually remained in the background: From 2003 until 2005, he was a paid consultant to the Science Applications International Corporation, or S.A.I.C., the San Diego company that manufactured the system and could make hundreds of millions of dollars if its port security solution is adopted worldwide. In one Congressional appearance this year, Mr. Flynn had acknowledged some involvement in the Hong Kong project, saying, "I've been a leader of the side putting it together." Four publications this year also mentioned his ties to the company. But in most of his public comments this year -- in at least three television interviews, two other appearances before Congress, opinion pieces in The New York Times and Far Eastern Economic Review and in nearly two dozen newspaper or magazine articles -- Mr. Flynn's connection to S.A.I.C. was not noted. Even Homeland Security Secretary Michael Chertoff, who was briefed by Mr. Flynn during a tour of the Hong Kong port, said he did not initially know of Mr. Flynn's involvement with the company. In a recent interview, Mr. Flynn said that in news interviews and Congressional testimony he had been an advocate for better screening at ports and never endorsed S.A.I.C.'s products specifically. He declined to disclose how much he was paid by the company, but said it represented less than 5 percent of his annual income. "If S.A.I.C. sold millions or billions of dollars of equipment, I don't make anything," Mr. Flynn added, saying that he sometimes worked for the company as little as one day a month.
"I am willing to champion it because I think it will make a qualitative difference in improving container security." From Public to Private As a growing number of Department of Homeland Security employees exit the agency, the practice of former officials joining prestigious research or academic institutions while working on behalf of for-profit companies is not uncommon in Washington. C. Stewart Verdery Jr., the former assistant secretary for border and transportation policy, frequently testifies before Congress, identifying himself as an adjunct fellow at the Center for Strategic and International Studies in Washington and a partner at a lobbying firm. Among other clients, he represents Lockheed Martin, the giant military and domestic security contractor, which is now competing for an estimated $2 billion Homeland Security Department border security deal. Richard A. Falkenrath, the former White House deputy homeland security adviser, is a senior fellow at Brookings Institution. He has a second job as a managing director at Civitas Group, which advises corporations and investors on the domestic security market. And Frank J. Cilluffo, a former special assistant to President Bush on domestic security matters, also straddles both worlds. He delivers his views to Congress as the director of the Homeland Security Policy Institute at George Washington University while serving as a partner for a Virginia consulting firm whose clients include the Saflink Corporation, a maker of identity confirmation software to combat terrorism. Mr. Cilluffo, Mr. Falkenrath and Mr. Verdery said they worked to make sure there were no conflicts between their various roles. "I never would let the two collide in any way, shape or form," Mr. Cilluffo said. Mr. Flynn's reputation for integrity in his field is unrivaled, several industry representatives said, adding that he would never advocate for something he did not believe in, regardless of any consulting deal.
Lisa Shields, a spokeswoman for the Council on Foreign Relations in New York, said the institution recently examined Mr. Flynn's work for S.A.I.C. and concluded that he "has abided by all council rules and the conflict of interest policy." But Michael Greenberger, director of the Center for Health and Homeland Security at the University of Maryland and a professor of law, said that academics who consult for companies in their area of expertise risked compromising their impartiality. At a minimum, they should always disclose the relationship, even if it has ended. "Discovering this involvement after the fact is more troublesome than if you were more upfront in disclosing it," Mr. Greenberger said. Mr. Flynn, 45, joined the efforts to help S.A.I.C. devise new domestic security products in April 2002, less than a month after he retired from the Coast Guard, a division of the Department of Homeland Security, and was appointed to an endowed chair for national security studies at the Council on Foreign Relations. He was paid to participate in a company brainstorming session on port security devices. The Coast Guard commander was a natural choice for S.A.I.C., which has spent $4.5 million on lobbyists since 2001 and whose political action committee and employees donated another $1 million in the last federal election cycle, much of it to lawmakers who oversee domestic security matters. With a doctorate from Tufts University in international politics and vast knowledge of port security matters, Mr. Flynn was well known in the field and routinely was called upon by top Homeland Security Department officials for his advice. In scholarly articles published before and after the 2001 attacks, he repeatedly warned that the nation needed to move quickly to better secure the roughly 25,000 ship containers that arrive in the United States each day. S.A.I.C. had come up with an approach that it was convinced could do just that, piecing together two types of inspection devices --
one that checked containers for radioactive objects and a second, X-ray-like machine that could identify dense objects, which might be a radioactive material the first machine missed because a terrorist tried to shield the weapon with lead. The potential market for such an integrated system was enormous. Scanning all the cargo in Hong Kong would require about 50 of these systems, said Terry G. Gibson, an S.A.I.C. vice president leading the sales effort. At $2.5 million per system, the total cost would be $125 million, Mr. Gibson said. If Congress demanded that all United States-bound cargo undergo such a check, the market worldwide could reach 1,000 to 2,000 systems, or $2.5 billion to $5 billion in sales, he said, a cost that would be paid by port terminal operators, not necessarily governments. "Reducing the risk of a weapon of mass destruction being shipped into the United States, that is what this is about," Mr. Gibson said, acknowledging: "We want to make money. We want to sell our devices." Operating the system could cost even more: ports would have to set aside space for suspicious cargo to be double-checked, and hundreds of inspectors would have to be hired to review the scanner images. S.A.I.C. is not the only manufacturer of such machines, but it was the first to integrate the technologies and it had the only device, one company official said, that could efficiently scan a container as it passes through a major port on a truck at a speed fast enough to avoid bottlenecks. But some security experts have questioned S.A.I.C.'s plan, given the high costs and often cloudy images the X-ray-like machine produces. "Overinvesting in countering one tactic when terrorists could easily employ another is dangerously myopic," said James Jay Carafano, a senior research fellow at the Heritage Foundation, a conservative research group, who has not served as a consultant to private sector companies in the domestic security field. 
Many unknowns also remained, as even though hundreds of thousands of images of ship containers passing through Hong Kong were collected, no one was actually examining them to look for weapons since the S.A.I.C.-backed effort was a demonstration project, not a fully operational security system. Mr. Flynn himself had once had his own doubts, writing in a January 2002 article in Foreign Affairs magazine that "even with the assistance of new high-tech sensors, inspectors have nowhere near the amount of time, space or manpower to inspect all the cargo arriving." But Mr. Flynn said he was prepared to be proven wrong. He signed a contract to be a part-time consultant for the company in 2003 and soon set up a series of meetings with senior domestic security officials, including Tom Ridge, then the secretary of homeland security. A New Era of Contractors The decision to sign up with S.A.I.C., Mr. Flynn said Sunday, was compelled by the government's post-9/11 reliance on contractors to conceive of and put in place antiterrorism initiatives, tasks that in an earlier era might have been handled by civil servants. It is part of the reason, he said, so many former department executives are taking jobs with contractors. Mr. Flynn said he urged Mr. Ridge to send a team to Hong Kong to evaluate the company's project and if impressed, to "agree to meet with the C.E.O.'s of the world's largest marine terminal operators to discuss a timetable for their deploying" the system globally, according to a written summary of the October 2004 briefing for Mr. Ridge. The summary identified Mr. Flynn as a fellow at the Council on Foreign Relations and made no mention of his role as a paid S.A.I.C. consultant, although Mr. Flynn said it was something he acknowledged verbally. He also said he routinely informed officials about his relationship with the company. Staff members for Senator Charles E. Schumer, Democrat of New York, and Senator Norm Coleman, Republican of Minnesota, both said Mr.
Flynn disclosed this past work before briefing the senators on the project. But Robert C. Bonner, the former commissioner of Customs and Border Protection, who had the most regular contact with Mr. Flynn, said he could not remember being told of the relationship. Representative Jerrold Nadler, Democrat of New York, the leading proponent in the House of Mr. Flynn's port security plan, said he had not been told of his ties to the company. An academic paper Mr. Flynn co-wrote in 2005 with a Stanford professor that evaluated the S.A.I.C. approach also made no mention of his ties to the company. After being asked about the matter last week, Lawrence M. Wein, the co-author, said he and Mr. Flynn had decided to add a disclosure of the prior consulting work before publishing it in an industry journal. Project Gets Final Push Mr. Flynn's consulting contract with S.A.I.C. ended in 2005, he said. But in February 2006, when news broke of the plan by DP World of Dubai to manage American port terminals, his phone started to ring with calls from reporters. Mr. Flynn said he saw this as an opportunity -- given that he had already ended the consulting deal -- to give an important final push to the Hong Kong pilot project, which he feared the Homeland Security Department, despite his initial efforts, was about to let end without any federal endorsement. "It was clear that the pilot was going to end prematurely without any substantive consideration by the U.S. government of its potential," he said. "I decided that I would need to become the pilot's leading champion." Soon, Mr. Flynn's endorsement of the Hong Kong screening approach began to be picked up by others. "Port security under the Bush administration is full of holes," Representative Nancy Pelosi of California, the House minority leader, said at a news conference.
"One hundred percent of the cargo containers going into a terminal in Hong Kong are inspected, while only about 5 percent of the containers entering the United States are screened. Who thinks that's a good idea?" By April, with Democrats and Republicans citing Mr. Flynn, a Senate panel passed a bill that would mandate "as soon as practicable and possible" that any container headed to the United States undergo an inspection with an S.A.I.C.-like system. The House passed a measure ordering tests of the technology. While Congress has not yet reached a consensus on the language, domestic security officials say they are already seriously considering more universal scanning of cargo. In April, Mr. Chertoff, the homeland security secretary, toured the Hong Kong terminals where the S.A.I.C. system was being tested, and discussed the technology with Mr. Flynn immediately afterward. Mr. Chertoff said he had not been aware when he was invited to visit the port that Mr. Flynn had been working with S.A.I.C., though Mr. Flynn said department officials had been told. Though Mr. Chertoff said he would now give Mr. Flynn's endorsement less weight, he added that his agency was moving ahead with the idea. "I think it is something we are going to want to take to the next stage," Mr. Chertoff said. From rforno at infowarrior.org Mon Jun 19 08:55:23 2006 From: rforno at infowarrior.org (Richard Forno) Date: Mon, 19 Jun 2006 08:55:23 -0400 Subject: [Infowarrior] - SCADA industry debates flaw disclosure Message-ID: SCADA industry debates flaw disclosure Robert Lemos, SecurityFocus 2006-06-16 http://www.securityfocus.com/news/11396?ref=rss The outing of a simple crash bug has caused public soul-searching in an industry that has historically been closed-mouthed about its vulnerabilities. The flaw, in a particular vendor's implementation of the Inter-Control Center Communications Protocol (ICCP), could have allowed an attacker the ability to crash a server. 
Yet, unlike corporate servers that handle groupware applications or Web sites, the vulnerable server software--from process-control application maker LiveData--monitors and controls real-time devices in electric power utilities and healthcare settings. The best known types of devices are supervisory control and data acquisition (SCADA) devices and distributed control system (DCS) devices. A crash becomes a more serious event in those applications, said Dale Peterson, CEO of Digital Bond, the infrastructure security firm that found the flaw. "These are what you would consider, in the IT world, critical enterprise applications," Peterson said. "But the companies don't act like these are critical enterprise applications." LiveData maintains that the flaw is a software bug, not a security vulnerability, pointing out that it only affects how the LiveData ICCP Server handles a non-secure implementation of the communications protocol--typically used only in environments not connected to a public network. "In general SCADA networks are run as very private networks," said Jeff Robbins, CEO of LiveData. "You cannot harness an army of public zombie servers and attack them, because they are not accessible." The incident has touched off a heated debate among a small collection of vulnerability researchers, critical infrastructure security experts and the typically staid real-time process control systems industry. The controversy mirrors the long-standing dispute between independent researchers and software vendors over disclosing vulnerabilities in enterprise and consumer applications. In that industry, researchers have taken Apple, Oracle, Cisco and Microsoft to task at various times over the last year for the perception that the companies were not responding adequately to reports of flaws in their software products. Last week at the Process Control System Forum (PCSF), a conference on infrastructure management systems funded by the U.S. 
Department of Homeland Security, a similar debate played itself out. Perhaps three dozen industry representatives and security researchers met during a breakout session to hash out the issues involving disclosure. The tone became, at times, contentious, said Matt Franz, the moderator of a conference panel on the topic and a SCADA security researcher with Digital Bond. "The vendors were sticking together saying that (researchers) didn't need to be involved with SCADA flaws," he said. "'It puts people and infrastructure in danger,' they said." Moreover, many vendors did not appreciate the involvement of the U.S. Computer Emergency Readiness Team (US-CERT), the nation's response group tasked with managing the process of vulnerability remediation for critical infrastructure, Franz said. The LiveData flaw was the first flaw in SCADA systems handled by US-CERT and the CERT Coordination Center, the group that manages the national agency. While valuable as a learning experience, the entrance of a third party into the disclosure of a flaw in an infrastructure system brought up more questions than answers. At the PCSF session, many vendors voiced concerns over involving a third party. "I did not come away with a feeling that any issues were settled," said Art Manion, Internet security analyst for the CERT Coordination Center and a participant in the discussion at the conference. The debate over how disclosure should be handled underscores both the intense focus on SCADA and DCS systems as potential targets of cyberattacks and the position of many companies in the real-time process control systems industry that vulnerabilities in such systems require special treatment. "In security circles, it is widely discredited that you can secure something through obscurity--yet SCADA systems are really obscure," LiveData's Robbins said. "That is not a statement of a principle of security and doesn't rationalize anything, but is a fact."
Even SCADA security specialists agree that obscurity can raise the hurdle enough to keep most online attackers from jumping into SCADA systems. "There are some legacy systems out there running plants that are more secure than many latest and greatest systems, because they are not connected to the Internet or they are using obscure standards," said Ernest Rakaczky, program director for process control systems at infrastructure firm Invensys. That's true--at least to an extent, said CERT Coordination Center's Manion. "The information on these systems can be found by a determined attacker," Manion said. "Part of our outreach is to show that people can find out about these things and find vulnerabilities." Consultants who have done penetration testing and security audits of real-time process control systems tell grim stories about the lack of security in the systems. Data is transferred with no encryption using protocols, such as Telnet and FTP, that are being phased out in other industries; many firewalls have ports opened to any traffic; and, many workstations still run Windows NT, said Jonathan Pollet, vice president and founder of PlantData Technologies, a division of infrastructure security company Verano. "The guys who are setting up these systems are not security professionals," he said. "And many of the systems that are running SCADA applications were not designed to be secure--it's a hacker's playground." For between 5 and 10 percent of the networks audited by PlantData, a single ping attack or a data flood aimed at a SCADA system could shut down most of the managed devices, Pollet said. Yet, security researchers acknowledge that the software that monitors, manages and runs the variety of manufacturing and infrastructure control systems is indeed different.
While researchers can hold the threat of public disclosure over the heads of an uncooperative software maker in the enterprise application arena, publicly outing a flaw in a SCADA or DCS system has larger ramifications, Pollet said. "You have to be careful disclosing these issues to the public when the vendors seem uninterested in talking about the problem, because these systems cannot be patched overnight and the information could prove devastating in the wrong hands," he said. Moreover, software vendors and infrastructure operators legitimately need more time because most of the industry's legacy systems were not created to be easily updated. And, to be fair, LiveData's response to the first SCADA vulnerability handled by a third party--about 3 to 6 months for a fix and less than 9 months for notification--is in line with the response from many enterprise and commercial software makers. Not bad for an industry that has not had a history of third-party vulnerability disclosure, said Digital Bond's Franz. "The idea that someone outside their customer base would have access to their product to find vulnerabilities is strange to them," said Franz, who created an interest group within the Process Control Systems Forum to hash out the issues. Security researchers are not the only ones applying pressure to software developers in the SCADA and DCS industry. The software maker's customers--infrastructure owners and operators--are starting to demand proof of security audits, especially in the power industry where companies are required by a recent law to adhere to the Critical Infrastructure Protection (CIP) guidelines published by the North American Electric Reliability Council (NERC). "The difference that a few months has made is absolutely incredible," said Lori Dustin, vice president of marketing and services for infrastructure security company Verano. "The people I'm meeting with now have a copy of the NERC documents in their hands." 
While many in the real-time process control industry might not agree, Invensys's Rakaczky stresses that allowing US-CERT to bring other industries' vulnerability reporting practices to bear on infrastructure issues should help reduce communications problems and increase trust. "People will respond faster than if some random white hat calls them up out of the blue," he said. But, while vendors work with US-CERT and focus on improving product security, infrastructure owners need to move more quickly to prevent unauthorized access to their systems from the Internet and implement more strict auditing, Rakaczky said. "Right now, we need perimeter protection," he said. "We need to stop the wound from bleeding before we can heal it." From rforno at infowarrior.org Mon Jun 19 15:30:58 2006 From: rforno at infowarrior.org (Richard Forno) Date: Mon, 19 Jun 2006 15:30:58 -0400 Subject: [Infowarrior] - University opens school for hackers Message-ID: University opens school for hackers By Andy McCue http://news.com.com/University+opens+school+for+hackers/2100-7355_3-6085375.html Story last modified Mon Jun 19 12:17:25 PDT 2006 A degree course in computer hacking has been launched by a Scottish university in response to industry demand for IT security experts. The University of Abertay in Dundee will run the Bachelor of Science undergraduate course in "Ethical Hacking and Countermeasures" starting in the next academic year in October. Around 30 students will be enrolled in the course, which the university says will provide a graduate with knowledge of how illegal computer attacks can be performed and how they can be stopped. The course catalog description says: "In the same way that police detectives need to know how thieves can steal, computer systems administrators need to know what hackers can do." The university said it has launched the degree course in response to demand for people with the skills to test the security of corporate IT networks.
"There are an increasing number of compliance regulations and insurance policies that insist businesses carry out security checks on their networks," a representative for the academic institution said.

The university also stressed it will be vetting students "very carefully" in accordance with Home Office guidelines and that they will be monitored closely throughout the course. "We are not going to give them the full set of tools on day one," the representative said.

Although many existing undergraduate computing degrees cover elements of this new course, Abertay claims to be the first U.K. university to offer a dedicated degree course in hacking. There are also ethical hacking courses and qualifications offered by private sector IT training organizations such as the Training Camp, which launched a course two years ago.

Andy McCue of Silicon.com reported from London.

Copyright ©1995-2006 CNET Networks, Inc. All rights reserved.

From rforno at infowarrior.org Mon Jun 19 15:45:55 2006
From: rforno at infowarrior.org (Richard Forno)
Date: Mon, 19 Jun 2006 15:45:55 -0400
Subject: [Infowarrior] - New System Blocks Unwanted Video & Still Photography
Message-ID:

New System Blocks Unwanted Video & Still Photography
http://www.newswise.com/articles/view/521339/#imagetop

Newswise -- Researchers at the Georgia Institute of Technology have completed a prototype device that can block digital-camera function in a given area. Commercial versions of the technology could be used to stymie unwanted use of video or still cameras.

The prototype device, produced by a team in the Interactive and Intelligent Computing division of the Georgia Tech College of Computing (COC), uses off-the-shelf equipment -- camera-mounted sensors, lighting equipment, a projector and a computer -- to scan for, find and neutralize digital cameras.
The system works by looking for the reflectivity and shape of the image-producing sensors used in digital cameras.

Gregory Abowd, an associate professor leading the project, says the new camera-neutralizing technology shows commercial promise in two principal fields -- protecting limited areas against clandestine photography or stopping video copying in larger areas such as theaters.

"We're at a point right now where the prototype we have developed could lead to products for markets that have a small, critical area to protect," Abowd said. "Then we're also looking to do additional research that could increase the protected area for one of our more interesting clients, the motion picture industry."

Abowd said the small-area product could prevent espionage photography in government buildings, industrial settings or trade shows. It could also be used in business settings -- for instance, to stop amateur photography where shopping-mall-Santa pictures are being taken.

James Clawson, a research technician on Abowd's prototype team, said preventing movie copying could be a major application for camera-blocking technology.

"Movie piracy is a $3 billion-a-year problem," Clawson maintains -- a problem said to be especially acute in Asia. "If someone videotapes a movie in a theater and then puts it up on the web that night or burns half a million copies to sell on the street -- then the movie industry has lost a lot of in-theater revenue."

Moreover, movie theaters are likely to be a good setting for camera-blocking technology, said Jay Summet, a research assistant who is also working on the prototype. A camera's image sensor -- called a CCD -- is retroreflective, which means it sends light back directly to its origin rather than scattering it. Retroreflections would probably make it relatively easy to detect and identify video cameras in a darkened theater.
The current prototype uses visible light and two cameras to find CCDs, but a future commercial system might use invisible infrared lasers and photo-detecting transistors to scan for contraband cameras. Once such a system found a suspicious spot, it would feed information on the reflection's properties to a computer for a determination.

"The biggest problem is making sure we don't get false positives from, say, a large shiny earring," said Summet. "We need to make our system work well enough so that it can find a dot, then test to see if it's reflective, then see if it's retroreflective, and then test to see if it's the right shape."

Once a scanning laser and photodetector located a video camera, the system would flash a thin beam of visible white light directly at the CCD. This beam -- possibly a laser in a commercial version -- would overwhelm the target camera with light, rendering recorded video unusable. Researchers say that energy levels used to neutralize cameras would be low enough to preclude any health risks to the operator.

Still camera neutralization in small areas also shows near-term commercial promise, Abowd said. Despite ambient light levels far higher than in a theater, still cameras at a trade show or a mall should be fairly easy to detect, he said. That's because image sensors in most cell phones and digital cameras are placed close to the lens, making them easier to spot than the deeper-set sensors of video cameras.

Camera neutralization's potential has helped bring it under the wing of VentureLab, a Georgia Tech group that assists fledgling companies through the critical feasibility and first-funding phases. Operating under the name DominINC, Abowd's company has already received a Phase 1 grant from the Georgia Research Alliance (GRA) with VentureLab assistance.

Abowd said that funding availability will likely decide which technology -- small- or large-area -- will be developed first. DominINC will apply soon for GRA Phase 2 money, Abowd said.
Those funds would be used to aid anti-piracy product development, as would any funding coming from the film industry. Other potential funding, from industry and elsewhere, would likely be used to develop anti-espionage small-area applications.

Stephen Fleming, Georgia Tech's chief commercialization officer, said motion-picture groups are actively looking for technology to foil piracy. Movie distributors might even promote camera-neutralizing systems by refusing to send films to theaters that don't install anti-piracy systems.

There are some caveats, according to Summet. Current camera-neutralizing technology may never work against single-lens-reflex cameras, which use a folding-mirror viewing system that effectively masks its CCD except when a photo is actually being taken. Moreover, anti-digital techniques don't work on conventional film cameras because they have no image sensor.

Good computer analysis will be the heart of effective camera blocking, Summet believes. "Most of the major work that we have left involves algorithmic development," he said. "False positives will be eliminated by making a system with fast, efficient computing."

Also involved in the camera-neutralizing project are Shwetak Patel, a College of Computing PhD student; Khai Truong, a former Georgia Tech PhD student who is now at the University of Toronto, and Kent Lyons, a College of Computing post-doctoral student. A paper on this technology was published and presented at the Ubicomp 2005 conference in Tokyo, Japan, last September.
Writer: Rick Robinson

From rforno at infowarrior.org Tue Jun 20 07:59:48 2006
From: rforno at infowarrior.org (Richard Forno)
Date: Tue, 20 Jun 2006 07:59:48 -0400
Subject: [Infowarrior] - Polygraph Test Results Vary Among Agencies
Message-ID:

Polygraph Test Results Vary Among Agencies
Discrepancies Affect Security Clearances
http://tinyurl.com/ekz58
By Shankar Vedantam
Washington Post Staff Writer
Tuesday, June 20, 2006; A01

The National Security Agency denied a top-secret clearance to David Vermette this year after two polygraph tests. But the computer programmer still has access to sensitive, classified information -- from the CIA, which independently cleared him after administering its own "lie detector" test.

The FBI recently ran a background check on Wayne Johnson, which led to a five-year extension of his top-secret White House clearance. But when Johnson applied for a job at the FBI itself, the agency made him an offer -- then rescinded it after a polygraph exam.

The Defense Department has long issued Tara Wilk a top-secret clearance. But when Wilk tried to get similar clearance from the NSA, she failed three tests -- leaving her so frustrated she sought help from a hypnotist and a therapist.

In a region where a security clearance is a necessary ticket to countless jobs with the federal government and its thousands of contractors, it is not hard to find people caught in turf wars over clearance. Polygraph tests are often at the root of the problem.

"The CIA doesn't respect the NSA's polygraph and the NSA doesn't respect the CIA's polygraph," said Wilk, a computer engineer from Arnold, Md. "Nobody knows who the boss is, and they all think they are the most important."

The government recognizes the problem and plans to harmonize the process across the intelligence community, but Director of National Intelligence John D. Negroponte cannot say when that will happen, said spokesman John Callahan.
"The goal is to streamline and fix things and make things better," he said. "The legislation which founded the DNI actually requires the DNI have as one of its goals to unify this process," he said.

Even those who believe in the value of polygraphs acknowledge that they are far from objective. Using a polygraph device, which measures changes in heart rate and breathing as well as other cues to detect anxiety, is like searching in a dark room for an object whose shape is unknown. It is the examiner's job not only to figure out if someone is a spy but also to search for character flaws or past actions -- drug use, for instance -- that might make a person unfit to handle sensitive information.

Since polygraph examiners typically do not know what to look for in a candidate, they tend to home in on anything that hints at reticence or nervousness, said John Sullivan, who spent three decades at the CIA administering the tests and still supports them. During his career, he said, he used the tests to unmask seven double agents and spotted numerous criminal and character problems.

But Sullivan said that after the agency's polygraphers failed for years to detect the duplicity of Aldrich H. Ames, who compromised dozens of CIA operations by passing information to the Soviet Union before being sent to prison in 1994, agency examiners ratcheted up the level of intimidation during tests.

Sullivan believes polygraphers can elicit useful information without resorting to threats and harassment. But after Ames's case, he said, CIA examiners were told that if their subjects did not complain about rough handling, the examiners probably were not doing their job correctly: "People in many cases are too aggressive . . . we were so afraid of getting beat."

Asked why examiners disagree with one another, Sullivan said that interpreting polygraphs is more "art than science" and that examiners at different agencies range from "Rembrandts" to "finger-painters."
"I myself and most of my colleagues caught people who passed other people's polygraph examinations," said Sullivan, who is retired. "I don't want to disparage anyone else's program, but I really feel up until Ames, [the CIA] had the best polygraph program in the government."

Paul Gimigliano, a CIA spokesman, declined to discuss individual cases. But he said that "large numbers of highly qualified officers" have been cleared and hired after the agency's polygraph tests.

Don Weber, an NSA spokesman, also would not discuss individual cases but said the agency issues clearances based on approvals by other agencies. Slightly more than one in five contractor clearances last year were issued this way, he said. A number of factors influence why the NSA thinks more security procedures are needed for some people, he said.

Vermette, the computer programmer, said the six exams he has taken for three agencies have left him scared, angry and dubious. Besides being asked whether he had ever revealed classified information, Vermette was quizzed about whether he had paid for sex or had gotten a woman drunk to seduce her. Examiners asked about his computer use, his contacts with foreign students and his volunteer work with junior high students at church -- down to a high-five he had given one teenager.

Vermette describes himself as naturally nervous and said he grew more flustered with each exam. After the second CIA polygraph test, he was called in to see a higher official, who said he wanted to talk "man to man." After telling Vermette that "there's no way you are not lying to me," the examiner pressed him on whether he was sexually involved with the teenager at church. The examiner then asked Vermette about her bra size. When Vermette said he did not know, the examiner asked him to guess -- after explaining bra sizes.

"He gave me a list of numbers to choose from, and I gave up and guessed one.
Then he went on to ask about hair color, eye color, height and weight, all of which I am sure are absolutely vital to national security," Vermette wrote in an account of the episode. "I felt bad afterwards that I answered any of these questions but was under extreme psychological pressure and humiliation."

After the interview, Vermette filed a complaint. An investigation ensued, and the CIA apologized in writing, acknowledged that the questions were inappropriate and gave him his security clearances.

But it was not over. Late last year, Vermette's employer decided he ought to get clearances from the NSA as well. Although Vermette had been given top-secret and Sensitive Compartmented Information clearances by the CIA and the National Reconnaissance Office, which operates U.S. reconnaissance satellites, the NSA gave him new polygraph tests.

Vermette said the last straw was being asked by NSA examiners to talk about the incident with the CIA. When he refused and explained that the CIA had apologized for the episode, the NSA denied his clearance -- citing his "failure to cooperate with security processing."

Whereas Vermette found himself caught between agencies, Wayne Johnson said he was snared by seemingly conflicting decisions at the same agency. Johnson was stunned to discover there was a problem with his FBI polygraph test, given that the agency had done a recent background investigation that led to a renewal of his top-secret credentials at the White House.

Like Vermette, Johnson said the polygraph made him nervous, even though he had nothing to hide. When asked about drug use, Johnson, who is black, found himself worrying about stereotypes that link blacks to drug use. Johnson said he had never touched an illegal narcotic but believed his examiner, who is white, did not believe him. The race question was always at the back of Johnson's mind, he said, and his fears may have shown up on the polygraph -- and perhaps were misinterpreted as a sign of deception.
Paul Bresson, an FBI spokesman, said that he could not discuss any individual case but that in general the White House makes its decisions on clearances after the agency forwards the results of its investigations. When someone seeks employment at the FBI, the agency uses investigative results to draw its own conclusions, he said.

Wilk, who flunked three tests at the NSA despite her security clearance from the Pentagon, said examiners do not seem to realize that innocent people can be nervous. "People say if you don't have anything to hide you should not be worried, but I have nothing to hide and I am worried," she said. "A citizen's entire means of making a living boils down to answering one stupid question on a polygraph."

When examiners kept telling her she was hiding something, the thought that eventually went through her mind was: "Should I just make something up?"

From rforno at infowarrior.org Tue Jun 20 08:01:45 2006
From: rforno at infowarrior.org (Richard Forno)
Date: Tue, 20 Jun 2006 08:01:45 -0400
Subject: [Infowarrior] - EFF Seeks Staff Technologist
Message-ID:

EFF Seeks Staff Technologist

The Electronic Frontier Foundation (EFF), an Internet civil liberties nonprofit organization based in San Francisco, is seeking a fulltime Staff Technologist to work in our Mission District office.

EFF works in that difficult space where law and technology collide. Unlike other nonprofit lawfirms, EFF is known for our technical expertise. Along with our webmaster and sysadmin, EFF's tech staff includes a couple of technologists who translate technical issues to two major audiences: 1) EFF attorneys, who need to understand the specifics of how technology works in order to do their legal work and 2) the general public, which looks to EFF to explain what's really going on in non-technical jargon.
The staff technologist job includes being part of litigation teams, writing white papers, attending technical meetings, public speaking, preparing evidence or declarations to be presented to courts, and working with the rest of EFF's staff. Technical expertise is absolutely required, as is great writing skill and a healthy respect for deadlines. As part of the tech team, the staff technologist will sometimes be asked to pitch in and assist with whatever tech issue happens to be causing a problem at the moment. A willingness to be a team player is a must. The job requires some travel.

Requirements:

* Bachelor's degree in electrical engineering, computer science or a related technical field (mathematics, physics, etc.), or equivalent experience;
* Strong writing and public speaking skills. Must have technical writing sample(s) illustrating the explanation of a technical topic to an intelligent lay audience;
* Detailed knowledge of and experience using and programming for at least one computer operating system;
* Detailed knowledge of and experience using at least one (preferably low-level) programming language, such as C;
* Knowledge of or willingness to learn about information security topics such as cryptography and digital rights management (DRM); and
* Familiarity with Internet architecture and network protocols.

In addition, the ideal candidate will have:

* Experience with radio frequency technologies and communications;
* Detailed knowledge of the Microsoft Windows platform (development, debugging, reverse engineering, etc.);
* Hardware engineering experience;
* System administration or system programming experience; and/or
* Experience presenting at technical conferences.

To apply, send a cover letter and your resume to stafftech at eff.org. Please send these materials in a non-proprietary format. No phone calls please! Principals only.
From rforno at infowarrior.org Tue Jun 20 09:35:17 2006
From: rforno at infowarrior.org (Richard Forno)
Date: Tue, 20 Jun 2006 09:35:17 -0400
Subject: [Infowarrior] - IBM's 'frozen chip' claims speed record
Message-ID:

http://www.eetimes.com/news/semi/showArticle.jhtml?articleID=189500692

IBM's 'frozen chip' claims speed record
Mark LaPedus
EE Times
(06/20/2006 12:11 AM EDT)

SAN JOSE, Calif. -- IBM Corp. and the Georgia Institute of Technology Tuesday (June 20) claimed they have broken the silicon speed record, thanks in part to a "frozen chip."

IBM (Armonk, N.Y.) and Georgia Tech (Atlanta) claimed that they have demonstrated the first silicon-based chip capable of operating at frequencies above 500 GHz by cryogenically "freezing" the circuit to minus 451 degrees Fahrenheit (4.5 Kelvins). By comparison, 500 GHz is more than 250 times faster than today's cell phones, which typically operate at approximately 2 GHz, according to the organizations.

The experiments, conducted jointly by IBM and Georgia Tech, are part of a project to explore the ultimate speed limits of silicon germanium (SiGe) devices, which are said to operate faster at cold temperatures. Ultrahigh-frequency SiGe circuits have potential applications in commercial communications systems, military electronics, space and remote sensing.

The research could make possible a new class of powerful, low-energy chips that will deliver future applications like HDTV and movie-quality video to cellphones, automobiles and other devices.

The chips used in the research are from a prototype fourth-generation SiGe technology fabricated by IBM on 200-mm wafers. At room temperature, the circuits operated at approximately 350 GHz.
"For the first time, Georgia Tech and IBM have demonstrated that speeds of half a trillion cycles per second can be achieved in a commercial silicon-based technology, using large wafers and silicon-compatible low-cost manufacturing techniques," John Cressler, Byers Professor in Georgia Tech's School of Electrical and Computer Engineering, and a researcher in the Georgia Electronic Design Center at Georgia Tech, said in a statement.

"This groundbreaking collaborative research by Georgia Tech and IBM redefines the performance limits of silicon-based semiconductors," Bernie Meyerson, vice president and chief technologist at IBM Systems and Technology Group, said in the same statement.

In addition to Cressler, the team included Georgia Tech PhD students Ramkumar Krithivasan and Yuan Lu; Jae-Sun Rieh of Korea University in Seoul (formerly with IBM); and Marwan Khater, David Ahlgren and Greg Freeman of IBM Microelectronics (East Fishkill, N.Y.)

The accomplishment will be reported in the July issue of the journal IEEE Electron Device Letters.

-- Nicolas Mokhoff contributed to this article from Manhasset, N.Y.

From rforno at infowarrior.org Tue Jun 20 10:09:03 2006
From: rforno at infowarrior.org (Richard Forno)
Date: Tue, 20 Jun 2006 10:09:03 -0400
Subject: [Infowarrior] - Preserve the Internet Standards for Net Neutrality
Message-ID:

(I am a signatory......rf)

http://dpsproject.com/

Preserve the Internet Standards for Net Neutrality

1) Facing Reality on Net Neutrality

Is there a place for fresh thinking and new recommendations in the infamous "network neutrality" debate? The advocates below suggest there is. In the following document we recommend the prosecution of distorted offerings of Internet connectivity as "deceptive practice."
When several incumbent telephone carriers announced their plans to give preferential treatment to favored Internet sites, a wide range of Internet users and designers felt in their guts that it somehow violated the very meaning of the term "Internet." On the other hand, many of these people feel uncomfortable letting Congress set parameters for Internet service. It is safer to deal with Internet offerings as a market issue, not to legislate fundamental protocols or router behavior. As a way to break the impasse, we offer the following draft language.

We believe the gut feeling -- that one cannot discriminate and still call the service "Internet" -- is founded in reality. The very term "Internet" suggests that participants assume their traffic will be passed without interference; the concept is backed up by over thirty years of standards and ISP behavior. In effect, under the present circumstances, the system of developing specifications, which involves the writing and review of formal documents known as RFCs, which has held since the beginning of the Internet, would be tossed out by a few large providers and equipment manufacturers and replaced by corporate fiat. The loss of an open, consistent, and predictable platform would also crimp innovation at higher levels.

Thus, we recommend that Congress clarify the meaning of offering Internet connectivity and set up rules for the Federal Trade Commission to enforce the definition.

1) Facing Reality on Net Neutrality
2) Two Types of Neutrality
3) Draft Legislative Proposal

Signed,
(Affiliations listed for identification only)

John Bachir, Lead Developer, Lyceum
Daniel Berninger, Senior Analyst, Tier1 Research
Dave Burstein, Editor, DSL Prime
Steven Cherry, Senior Associate Editor, IEEE Spectrum
Gordon Cook, Editor, Publisher and Owner since 1992 of the COOK Report on Internet Protocol
Cynthia H. de Lorenzi, Washington Bureau for ISP Advocacy
Miles R. Fidelman, President, The Center for Civic Networking
Richard Forno (bio: http://www.infowarrior.org/rick.html)
Bob Frankston, Telecommunications Analyst and Visionary
Paul Ginsparg, Cornell University
Lucas Gonze
Saleem Jahangeer, Ph.D.
Seth Johnson, New Yorkers for Fair Use
Paul Jones, School of Information and Library Science, University of North Carolina - Chapel Hill
Peter D. Junger, Professor of Law Emeritus, Case Western Reserve University
Bruce Kushnick, chairman, Teletruth
Michael Maranda, President, Association For Community Networking
Sascha Meinrath, Champaign-Urbana Community Wireless Network, Free Press
Edward Mills, Independent Technology Consultant
John Mitchell, InteractionLaw
Steve Mossbrook, President, Wyoming.com
Andy Oram, Editor, O'Reilly Media
Dave Pentecost, documentary television producer
Jan L. Peterson, Software Developer
David P. Reed, contributor to original Internet Protocol design
Pamela Samuelson, Richard M. Sherman Distinguished Professor of Law, UC Berkeley
Clay Shirky, Interactive Telecommunications Program, New York University
Jay Sulzberger, New Yorkers for Fair Use
Siva Vaidhyanathan, Department of Culture and Communication, New York University
Eric F. Van de Velde, Ph.D., Director, Library Information Technology, California Institute of Technology
Esme Vos, Founder, Muniwireless
David Weinberger, Fellow, Harvard Berkman Center
Michael J. Weisman, JD, LLM, Technology and Intellectual Property Law and Policy
Brett Wynkoop, Wynn Data Ltd.

From rforno at infowarrior.org Tue Jun 20 13:05:20 2006
From: rforno at infowarrior.org (Richard Forno)
Date: Tue, 20 Jun 2006 13:05:20 -0400
Subject: [Infowarrior] - Data Protection - The Cost of Failure (Report)
In-Reply-To:
Message-ID:

This is to a study done by the Ponemon Institute on the cost of data breaches.

http://www.securitymanagement.com/library/Ponemon_DataStudy0106.pdf
From rforno at infowarrior.org Tue Jun 20 18:27:14 2006
From: rforno at infowarrior.org (Richard Forno)
Date: Tue, 20 Jun 2006 18:27:14 -0400
Subject: [Infowarrior] - Fighting Microsoft's piracy check
Message-ID:

Fighting Microsoft's piracy check
By Joris Evers
http://news.com.com/Fighting+Microsofts+piracy+check/2100-1029_3-6085853.html
Story last modified Tue Jun 20 12:00:05 PDT 2006

Counterfeiters aren't Microsoft's only opponents in its effort to combat piracy: Some of its customers are against it, too.

The company is forging ahead with a program, Windows Genuine Advantage, tied to its free software downloads and updates, that checks whether the Windows installation on a PC is pirated. But some people, including some who say they own a legitimately acquired copy of Windows, have challenged the need for such validation.

Most of their criticism is directed at the way Microsoft's antipiracy technology, Windows Genuine Advantage, interacts with a PC. Recently, the software maker was lambasted over its WGA Notifications tool, which it pushes out as a "high priority" update alongside security fixes. There have also been complaints about the tool collecting information from PCs and causing system troubles.

"The issue is not that they are trying to reduce the number of pirated copies. It's the unethical way in which they go about it," a CNET News.com reader using the name "jabbotts" wrote in response to a recent story on Microsoft's antipiracy efforts.

But there is more going on than just talk. Some Windows users have started to search for ways around the antipiracy technology, setting up a struggle between Microsoft and WGA opponents. Since the 2004 introduction of the WGA program, multiple hacks and tricks to circumvent the piracy check or to remove the software have been published on the Internet. And the hunt for effective workarounds appears to be continuing.
Windows Genuine Advantage is a stepped-up effort by Microsoft to boost the number of Windows users who actually pay for the operating system. The company has said that roughly a third of Windows copies worldwide have not been acquired legitimately--as a boxed product or bundled onto a machine, for example.

Microsoft has gradually expanded its pirate-busting efforts. Today, Windows users must have their PC electronically approved before they can download add-on Microsoft software such as Windows Media Player and Windows Defender. WGA excludes security updates from this requirement. When the antipiracy program started, validation was optional for downloads.

As the program has grown, so have efforts to circumvent it. One Web site, for example, lists 15 methods--including step-by-step directions and links to file downloads--to disable Microsoft's copyright-check tools and WGA Notifications warning messages.

One of the listed methods is to install the "905474.exe" program. This "crack" was also suggested by CNET News.com readers providing story feedback. The file, named after the number for the support article for WGA on Microsoft's Web site, is widely available on the Internet. (Caution: CNET News.com hasn't tested this application, and it isn't wise to install files from sources that aren't known and trusted.)

"I have licenses for all my PCs," wrote CNET News.com reader "kamwmail-cnet1." But citing a lack of trust in Microsoft, this reader installed the 905474.exe tool. "Install this hack. Boot your PC. You're in business, private business," the reader added.

Other proposals to defeat the piracy checks vary from the simple--such as blocking the Microsoft applications using firewall software--to the more complex, such as replacing files that are part of the checking tools with cracked versions of those files. Some methods require changes to the Windows Registry, which calls for more advanced technical knowledge on the part of the PC owner.
The hacks and workarounds are a sign of the indignation among some Microsoft users, including some CNET News.com readers.

"A few days after the first WGA notification program was released, a workaround was found, so Microsoft reworked the program so the workaround doesn't work, then pushes the software onto people's systems under the guise that it's a critical update," wrote a reader using the nickname "thedreaming." "It's not a critical update to users, just (to) Microsoft," the reader added.

Some readers say the workarounds are functional, but it isn't clear if they all are. A cautionary note on the Web page that listed 15 ways to bypass WGA also warned that, with the new releases of WGA, some cracks no longer work. It is even possible that some of the hacks will work for one user, but not for another, according to the Web site. CNET News.com did not test any of the workarounds.

Stepped-up effort

Microsoft advanced its antipiracy program in November last year, when it started pushing out a tool called WGA Notifications alongside its security updates. The tool has been sent to millions of Windows users in a number of countries. In April, the U.S. joined the list of covered territories, as did the United Kingdom, Malaysia, Australia and New Zealand.

The first time a computer owner runs WGA to check if their version of Windows is genuine, the software sends data on the system back to Microsoft. This information covers the Windows XP product key, the maker of the PC, the operating system version, PC bios information and the user's local setting and language. Microsoft discloses that this information is transferred in its WGA tool license.

In past weeks, reports have emerged that the WGA Notifications software connects to a Microsoft server each time the PC is started--something Microsoft didn't previously disclose.
Also, as it has become clear that the tool isn't a finished product, millions of Windows users may unwittingly be subjects in a trial run for a Microsoft antipiracy program. This has irked some people, even those who have acknowledged Microsoft's right to fight piracy and who have supported the WGA program in the past. Users shouldn't be pushed into being guinea pigs, many readers argued.

"I spent several hours trying to fix an office machine which slowed to a crawl or froze after this update was installed," wrote CNET News.com reader "umbramistweave," in response to a story about the prerelease status of WGA Notifications. "It's beta. It's flawed. It should not have been released as an update."

Other readers also reported PC trouble after installing the WGA software. "Windows Update should only be used for delivering completed, non-beta software, period," wrote CNET News.com reader "john55440."

In response to the criticism, Microsoft maintains that there is a real benefit in validating a copy of Windows. "Our experience is that customers--as long as the process is understandable, unobtrusive, quick and painless--appreciate not only their copy of Windows more, but also appreciate Microsoft more," David Lazar, director of the Windows Genuine program at Microsoft, told CNET News.com last week.

That comment brought out some zealots. One reader, using the nickname "imacpwr" wrote: "Mac just keeps looking better and better and better...That's it Microsoft, just keep shooting yourself in the foot. Before you know it you'll be on your knees begging the public to come back."

From rforno at infowarrior.org Tue Jun 20 19:15:41 2006
From: rforno at infowarrior.org (Richard Forno)
Date: Tue, 20 Jun 2006 19:15:41 -0400
Subject: [Infowarrior] - Justice Dept. wants NSA suits consolidated for D.C. court
Message-ID:

Justice Dept. wants NSA suits consolidated for D.C. court
By Reuters
http://news.com.com/Justice+Dept.+wants+NSA+suits+consolidated+for+D.C.+court/2100-1028_3-6085874.html
Story last modified Tue Jun 20 11:21:04 PDT 2006

The U.S. Department of Justice wants to consolidate at least two dozen lawsuits against the government and Verizon Communications that involve the National Security Agency's alleged access to telephone customer records.

The government on Monday filed a motion supporting Verizon's request that 20 class action lawsuits accusing the company of helping the foreign intelligence surveillance program be combined in a single court in Washington. "Given the national security concerns in this case, the District of Columbia would be the most logical and convenient forum," the filing said.

The Justice Department also asked that five other lawsuits against the U.S. government related to the surveillance program be consolidated and coordinated with the Verizon proceeding.

Government lawyers said they planned to seek dismissal of the lawsuits against Verizon by asserting military and state secrets privileges under U.S. law. Moving the cases to one court would expedite the process while protecting classified information, it said.

Combining all the cases would "allow the resolution of this threshold matter in the most efficient manner for the courts and the parties while protecting highly sensitive and classified information, the disclosure of which would be harmful to the national security," the filing said.

Class action lawsuits were filed against Verizon, AT&T and BellSouth after USA Today reported that they gave access and turned over call data records to the NSA to help track terrorist plots. BellSouth has denied turning over records or providing access to the NSA, while Verizon has said that it does not provide the government unfettered access to customer records. AT&T has said it helps when asked by the government, but only within the law.
Verizon on May 24 asked the Judicial Panel on Multidistrict Litigation to consolidate 20 similar lawsuits that were filed against the company in 14 federal district courts.

Story Copyright © 2006 Reuters Limited. All rights reserved.
Copyright ©1995-2006 CNET Networks, Inc. All rights reserved.

From rforno at infowarrior.org Tue Jun 20 22:31:03 2006
From: rforno at infowarrior.org (Richard Forno)
Date: Tue, 20 Jun 2006 22:31:03 -0400
Subject: [Infowarrior] - Another NSA room in AT&T facility in St Louis?
Message-ID:

http://www.salon.com/news/feature/2006/06/21/att_nsa/print.html

Is the NSA spying on U.S. Internet traffic?

Salon exclusive: Two former AT&T employees say the telecom giant has maintained a secret, highly secure room in St. Louis since 2002. Intelligence experts say it bears the earmarks of a National Security Agency operation.

By Kim Zetter

Jun. 21, 2006 | In a pivotal network operations center in metropolitan St. Louis, AT&T has maintained a secret, highly secured room since 2002 where government work is being conducted, according to two former AT&T workers once employed at the center.

In interviews with Salon, the former AT&T workers said that only government officials or AT&T employees with top-secret security clearance are admitted to the room, located inside AT&T's facility in Bridgeton. The room's tight security includes a biometric "mantrap" or highly sophisticated double door, secured with retinal and fingerprint scanners. The former workers say company supervisors told them that employees working inside the room were "monitoring network traffic" and that the room was being used by "a government agency."

The details provided by the two former workers about the Bridgeton room bear the distinctive earmarks of an operation run by the National Security Agency, according to two intelligence experts with extensive knowledge of the NSA and its operations.
In addition to the room's high-tech security, those intelligence experts told Salon, the exhaustive vetting process AT&T workers were put through before being granted top-secret security clearance points to the NSA, an agency known as much for its intense secrecy as its technological sophistication.

"It was very hush-hush," said one of the former AT&T workers. "We were told there was going to be some government personnel working in that room. We were told, 'Do not try to speak to them. Do not hamper their work. Do not impede anything that they're doing.'"

The importance of the Bridgeton facility is its role in managing the "common backbone" for all of AT&T's Internet operations. According to one of the former workers, Bridgeton serves as the technical command center from which the company manages all the routers and circuits carrying the company's domestic and international Internet traffic. Therefore, Bridgeton could be instrumental for conducting surveillance or collecting data.

If the NSA is using the secret room, it would appear to bolster recent allegations that the agency has been conducting broad and possibly illegal domestic surveillance and data collection operations authorized by the Bush administration after the terrorist attacks of Sept. 11, 2001. AT&T's Bridgeton location would give the NSA potential access to an enormous amount of Internet data -- currently, the telecom giant controls approximately one-third of all bandwidth carrying Internet traffic to homes and businesses across the United States.

The nature of the government operation using the Bridgeton room remains unknown, and could be legal. Aside from surveillance or data collection, the room could conceivably house a federal law enforcement operation, a classified research project, or some other unknown government operation.

The former workers, both of whom were approached by and spoke separately to Salon, asked to remain anonymous because they still work in the telecommunications industry.
They both left the company in good standing. Neither worked inside the secured room or has access to classified information. One worked in AT&T's broadband division until 2003. The other asked to be identified only as a network technician, and worked at Bridgeton for about three years.

The disclosure of the room in Bridgeton follows assertions made earlier this year by a former AT&T worker in California, Mark Klein, who revealed that the company had installed a secret room in a San Francisco facility and reconfigured its circuits, allegedly to help collect data for use by the government. In detailed documents he provided to the Electronic Frontier Foundation, Klein also alleged there were other secret rooms at AT&T facilities in other U.S. cities.

NSA expert Matthew Aid, who has spent the last decade researching a forthcoming three-volume history of the agency, said of the Bridgeton room: "I'm not a betting man, but if I had to plunk $100 down, I'd say it's safe that it's NSA."

Aid told Salon he believes the secret room is likely part of "what is obviously a much larger operation, or series of interrelated operations" combining foreign intelligence gathering with domestic eavesdropping and data collection.

"You're talking about a backbone for computer communications, and that's NSA," Russ Tice, a former high-level NSA intelligence officer, told Salon. Tice, a 20-year veteran of multiple U.S. intelligence agencies, worked for the NSA until spring 2005.

"Whatever is happening there with the security you're talking about is a whole lot more closely held than what's going on with the Klein case" in San Francisco, he said. (The San Francisco room is secured only by a special combination lock, according to the Klein documents.) Tice added that for an operation requiring access to routers and gateways, "the obvious place to do it is right at the source."
In a statement provided to Salon, NSA spokesman Don Weber said: "Given the nature of the work we do, it would be irresponsible to comment on actual or alleged operational issues as it would give those wishing to do harm to the United States insight that could potentially place Americans in danger; therefore, we have no information to provide. However, it is important to note that NSA takes its legal responsibilities seriously and operates within the law."

Since last December, news reports have asserted that the NSA has conducted warrantless spying on the phone and e-mail communications of thousands of people inside the U.S., and has been secretly collecting the phone call records of millions of Americans, using data provided by major telecommunications companies, including AT&T. Such operations would represent a fundamental shift in the NSA's secretive mission, which over the last three decades is widely understood to have focused exclusively on collecting signals intelligence from abroad.

The reported operations have sparked fierce protest by lawmakers and civil liberties advocates, and have raised fundamental questions about the legality of Bush administration policies, including their consequences for the privacy rights of Americans. The Bush administration has acknowledged the use of domestic surveillance operations since Sept. 11, 2001, but maintains they are conducted within the legal authority of the presidency. Several cases challenging the legality of the alleged spying operations are now pending in federal court, including suits against the federal government, and AT&T, among other telecom companies.

In a statement provided to Salon, AT&T spokesman Walt Sharp said: "If and when AT&T is asked by government agencies for help, we do so strictly within the law and under the most stringent conditions. Beyond that, we can't comment on matters of national security."
According to the two former AT&T workers and the Klein documents, the room in the pivotal Bridgeton facility was set up several months before the room in San Francisco. According to the Klein documents, the work order for the San Francisco room came from Bridgeton, suggesting that Bridgeton has a more integral role in operations using the secured rooms.

The company's Bridgeton network operations center, where approximately 100 people work, is located inside a one-story brick building with a small two-story addition connected to it. The building shares a parking lot with a commercial business and is near an interstate highway.

According to the two former workers, the secret room is an internal structure measuring roughly 20 feet by 40 feet, and was previously used by employees of the company's WorldNet division. In spring 2002, they said, the company moved WorldNet employees to a different part of the building and sealed up the room, plastering over the window openings and installing steel double doors with no handles for moving equipment in and out of the room. The company then installed the high-tech mantrap, which has opaque Plexiglas-like doors that prevent anyone outside the room from seeing clearly into the mantrap chamber, or the room beyond it.

Both former workers say the mantrap drew attention from employees for being so high-tech. Telecom companies commonly use mantraps to secure data storage facilities, but they are typically less sophisticated, requiring only a swipe card to pass through. The high-tech mantrap in Bridgeton seems unusual because it is located in an otherwise low-key, small office building. Tice said it indicates "something going on that's very important, because you're talking about an awful lot of money" to pay for such security measures.

The vetting process for AT&T workers granted access to the room also points to the NSA, according to Tice and Aid.
The former network technician said he knows at least three AT&T employees who have been working in the room since 2002. "It took them six months to get the top-security clearance for the guys," the network technician said. "Although they work for AT&T, they're actually doing a job for the government." He said that each of them underwent extensive background checks before starting their jobs in the room. The vetting process included multiple polygraph tests, employment history reviews, and interviews with neighbors and school instructors, going as far back as elementary school.

Aid said that type of vetting is precisely the kind NSA personnel who receive top-secret SCI (Sensitive Compartmented Information) clearance go through. "Everybody who works at NSA has an SCI clearance," said Aid.

It's possible the Bridgeton room is being used for a federal law enforcement operation. According to the Communications Assistance for Law Enforcement Act of 1994, telecom companies are required to assist law enforcement officials who have legal authorization to conduct electronic surveillance, either in pursuit of criminal suspects or for the protection of national security. The companies must design or modify their systems to make such surveillance possible, essentially by making them wiretap-ready. The FBI is the primary federal agency that tracks and apprehends terrorist suspects within the U.S.

Yet, there are several indications that the Bridgeton room does not involve the FBI. "The FBI, which is probably the least technical agency in the U.S. government, doesn't use mantraps," Aid said. "But virtually every area of the NSA's buildings that contain sensitive operations require you to go through a mantrap with retinal and fingerprint scanners. All of the sensitive offices in NSA buildings have them."
The description of the opaque Plexiglas-like doors in Bridgeton, Aid said, indicates that the doors are likely infused with Kevlar for bulletproofing -- another signature measure that he said is used to secure NSA facilities: "You could be inside and you can't kick your way out. You can't shoot your way out. Even if you put plastique explosives, all you could do is blow a very small hole in that opaque glass."

Jameel Jaffer, deputy director of the American Civil Liberties Union's national security program, said it is unlikely that the FBI would set up an ongoing technical operation -- in this case, for several years running -- inside a room of a telecommunications company. The Foreign Intelligence Surveillance Act, passed by Congress in 1978, requires law enforcement officials to obtain warrants from a secret federal court for domestic surveillance operations involving the protection of national security. If the FBI (or another federal agency) wanted data, it would more likely be targeting a specific individual or set of individuals suspected of engaging in criminal or terrorist activities. The agency would obtain a warrant and then call AT&T, or show up in person with the warrant and ask for the wiretap to be engaged.

According to Jaffer, the FBI, NSA or any other federal agency could also legally tap into communications data under federal guidelines using technical means that would not require technical assistance of a telecom company.

In an e-mail statement to Salon, FBI spokesperson Paul Bresson said: "The FBI does not confirm whether or not we are involved in an alleged ongoing operational activity. In all cases, FBI operations are conducted in strict accordance with established Department of Justice guidelines, FBI policy, and the law."

Rather than specifically targeted surveillance, it is also possible that the Bridgeton room is being used for a classified government project, such as data mining, with which the Pentagon has experimented in the past.
Data mining uses automated methods to search through large volumes of data, looking for patterns that might help identify terrorist suspects, for example. According to Tice, private sector employees who work on classified government projects for the NSA are required to undergo the same kind of top-secret security clearance that AT&T workers in the Bridgeton room underwent.

According to the former network technician, all three AT&T employees he knows who work inside the room have network technician and administration backgrounds -- not research backgrounds -- suggesting that those workers are only conducting maintenance or technical operations inside the room. Furthermore, Tice said it is much more likely that any classified project using data collected via a corporate facility would take place in separate facilities: "The information that you garner from something like a room siphoning information and filtering it would be sent to some place where you'd have people thinking about what to do with that data," he said.

Dave Farber, a respected computer scientist at Carnegie Mellon University and former chief technologist for the Federal Communications Commission, also said it is likely that data collected in a facility like the Bridgeton center would be used elsewhere, once the facility is set up to divert the data.

"If I own the routers, I can put code in there to have them monitor for certain data. That's not a particularly difficult job," said Farber, who is considered one of the pioneers of Internet architecture. Farber said that "packets" of data can essentially be copied and then sent to some other location for use. "Most of the problems would have to do with keeping your staff from knowing too much about it."

According to the former network technician, workers at Bridgeton, at the direction of government officials, could conceivably collect data using any AT&T router around the country, which he says number between 1,500 and 2,000.
To do so, the company would need to install a wiretap-like device at select locations for "sniffing" the desired data. That could explain the purpose of the San Francisco room divulged by Klein, as well as the secret rooms he alleged existed at AT&T facilities in other U.S. cities.

"The network sniffer with the right software can capture anything," the former network technician said. "You can get people's e-mail, VoIP phone calls, [calls made over the Internet] -- even passwords and credit card transactions -- as long as you have the right software to decrypt that."

In theory, surveillance involving Internet communications can be executed legally under federal law. "But with most of these things," Farber said, "the problem is that it just takes one small step to make it illegal."

-- By Kim Zetter

From rforno at infowarrior.org Wed Jun 21 08:02:57 2006
From: rforno at infowarrior.org (Richard Forno)
Date: Wed, 21 Jun 2006 08:02:57 -0400
Subject: [Infowarrior] - Creative Commons comes to Microsoft Office
Message-ID:

Creative Commons comes to Microsoft Office
By Martin LaMonica
http://news.com.com/Creative+Commons+comes+to+Microsoft+Office/2100-1032_3-6086018.html
Story last modified Tue Jun 20 21:00:04 PDT 2006

Microsoft and the Creative Commons on Wednesday plan to release a free tool that will let people attach a Creative Commons copyright license to Microsoft Office documents.

Creative Commons is a nonprofit organization that has written licenses that allow content creators to share information while retaining some rights. Currently, some Web-based tools let people associate a Creative Commons license with information. But Microsoft is the first vendor to embed a license-selection option inside its applications, said Lawrence Lessig, the founder of the Creative Commons and a Stanford Law School professor.

Creative Commons in Office

"This is important to us because a huge amount of creative work is created inside the Office platform. Having a simple way to add Creative Commons licenses obviously helps us spread those licenses much more broadly," Lessig said.

Once installed, the license-selection software will appear as a menu option in the Microsoft Office application. It will generate a Creative Commons logo, a short summary of the license chosen, and a hyperlink to the Creative Commons Web site. People can download the software from the Creative Commons Web site or from Microsoft Office Online.

Microsoft and Creative Commons have collaborated on other projects, but the Office tool is the most significant effort to date, said Tom Rubin, assistant general counsel at Microsoft.

"We very much share a common belief that creators of works should be able to express their intentions with regard to subsequent use, and Creative Commons has created exciting ways to have works shared freely or have works reused by others," Rubin said. He said there are 400 million users of Microsoft Office applications.

Microsoft contracted with 3Sharp, a Redmond, Wash.-based consultant to build and test the copyright licensing tool. The first document to be created with the Office plug-in tool will be a speech about globalism by Gilberto Gil, the Brazilian musician who is now the minister of culture in Brazil.

Lessig said that Creative Commons continues to explore ways to attach licenses to other types of content such as video and audio files. However, Microsoft has not yet decided to make a license-selection tool for its Windows Media creation software, Rubin said. "It's something we'll certainly look at," he said. "We're certainly open to it."

Copyright ©1995-2006 CNET Networks, Inc. All rights reserved.
From rforno at infowarrior.org Wed Jun 21 08:08:41 2006
From: rforno at infowarrior.org (Richard Forno)
Date: Wed, 21 Jun 2006 08:08:41 -0400
Subject: [Infowarrior] - MySpace to Add Restrictions to Protect Younger Teenagers
Message-ID:

MySpace to Add Restrictions to Protect Younger Teenagers
By SAUL HANSELL
http://www.nytimes.com/2006/06/21/technology/21myspace.html?pagewanted=print

Starting next week, MySpace, the popular online hangout, will make it harder for strangers to send messages to younger teenagers. The site, which has more than 70 million members, has been under pressure because members are frequently subjected to lewd or inappropriate messages and occasionally lured into dangerous real-world encounters.

The site will also stop showing advertisements for certain products -- like online dating sites -- to those under 18.

The owner of MySpace, the News Corporation, has been working to address concerns about the safety of the many teenage users of the site, while not clamping down on the freewheeling and flirtatious interchanges that are the source of its appeal.

Next week, the site will restrict how users over 18 can contact those aged 14 and 15. Older users sending a message asking to become friends with younger users will have to enter the recipients' actual first and last names or their e-mail addresses, rather than simply their user names.

The new policy still allows people under 18 to send messages to those under 16 without knowing their full names or e-mail addresses.

"A lot of 14- and 15-year-olds are friends in school with 16- and 17-year-olds," said Hemanshu Nigam, the chief security officer of News Corporation's Internet unit. "We want to balance the openness of our community with the interest of protecting the member."

Mr. Nigam declined to say how often strangers made such contact with people under 16 or whether such contacts figure into any of the cases where predators have used MySpace.
MySpace will also start to allow all members to designate their profiles as private and thus available only to their named list of friends. MySpace had allowed and encouraged those under 16 to set their profiles to be private, but profiles of anyone older than that have been available for any visitor to the site to read.

Parry Aftab, the executive director of WiredSafety, a group that promotes online privacy for young people, dismissed the change in the contact rules for those under 16 as ineffectual. "Kids that want to do the open stuff will set their ages to 16," she said. MySpace does not verify users' ages.

But Ms. Aftab praised the change that allows anyone to have a private profile. "I know adults who set their age to be 14," she said, "not to lure kids, but because they want their profiles private."

From rforno at infowarrior.org Wed Jun 21 08:17:41 2006
From: rforno at infowarrior.org (Richard Forno)
Date: Wed, 21 Jun 2006 08:17:41 -0400
Subject: [Infowarrior] - FinCEN RFC on reducing threshold for money transfers
Message-ID:

Threshold for the Requirement To Collect, Retain, and Transmit Information on Funds Transfers and Transmittals of Funds

ACTION: Joint advance notice of proposed rulemaking (Advance Notice).

-----------------------------------------------------------------------

SUMMARY: The Financial Crimes Enforcement Network (FinCEN) of the Department of the Treasury (Treasury) and the Board of Governors of the Federal Reserve System (Board) are reviewing the threshold in the rule requiring banks and nonbank financial institutions to collect and retain information on funds transfers and transmittals of funds. FinCEN is reviewing the threshold in the rule requiring banks and nonbank financial institutions to transmit information on funds transfers and transmittals of funds.
The requirement to collect, retain, and transmit information on funds transfers and transmittals of funds applies only to funds transfers and transmittals of funds in amounts of $3,000 or more. FinCEN and the Board (collectively, the Agencies) request comment from the public, including law enforcement and financial institutions, to assess whether the potential benefit to law enforcement of a lower threshold outweighs the potential burden to financial institutions.

< - >

http://cryptome.org/treas062106.htm

From rforno at infowarrior.org Wed Jun 21 08:21:47 2006
From: rforno at infowarrior.org (Richard Forno)
Date: Wed, 21 Jun 2006 08:21:47 -0400
Subject: [Infowarrior] - More overprotecting of our online kids...
Message-ID:

Forget teaching common sense and good living -- technology can enforce rules and you're presumed guilty until proven guiltier by your parents. Ugh. -rf

Why mom enlisted an online sleuth to keep tabs on child
Posted 6/20/2006 6:42 PM ET
By Daniel B. Wood, The Christian Science Monitor

LOS ANGELES -- Author Vicki Courtney in Texas keeps close tabs on her 13-year-old son, Hayden, by monitoring his instant messages (IMs) from a computer in the next room. Sometimes Hayden knows. Sometimes he doesn't.

Carolina Aitken, a mom in Santa Rosa, Calif., took her two teenage sons on the Dr. Phil show after she exposed their Internet misuse. She had contacted them via e-mail as "Candy Sweetness," a fictitious 16-year-old girl, to see if she could get them to give up their home phone number. One did.

A mother in State College, Pa., who asked to remain anonymous because she's embarrassed by her Internet naiveté, recruited a techno-savvy friend to search for unpublished Web log addresses of her 12-year-old daughter. The friend found the girl posing as an 18-year-old on MySpace.com, a social-networking site for teens.
Amid hand-wringing over the increasing sophistication of online sexual predators, financial scammers, and other cyber-solicitors, more moms and dads are resolving to become their children's "Big Brothers" -- in both the collegial and the Orwellian sense, but too few parents are doing as much as they should, Internet experts say.

"A larger percentage of parents are getting involved in ways to advise, watch over and even control what their kids are doing," says Ken Colburn, founder and president of Data Doctors Computer Services, a nationwide computer service, which also publishes warning signs to identify net-addicted teens, safety tips, parental advice, and family contracts for Internet use. "But that involvement is still not anywhere close to where it needs to be."

Officials say 750,000 sexual predators have been identified on the Web. One in five children between grades 7 and 11 has been contacted on the Web by someone asking to meet, according to Rob Nickel, author of Staying Safe in a Wired World: A Parent's Guide to Internet Safety.

"Internet predators haven't changed over the years, but what has changed are the ways they can contact and infiltrate through cellphones, IMs, blogs, social websites and a number of other Internet tools," says Mr. Colburn.

Generally, parents are not as involved partly because of the rise of two-income families (i.e. two absent parents) as well as the increased number of computers and child-owned cellphones per household, and the technological generation gap that has kept cyber-sophisticated children light-years ahead of their techno-befuddled guardians.

But now, more are beginning to recognize the dangers of such neglect. Using an array of new monitoring, blocking, and filtering technology, they are more determined to protect their kids from the consequences they have seen in the media.
Just last week, the FBI released a story of a 16-year-old girl in Michigan who flew to the Middle East to meet a man in the West Bank that she came to know on MySpace.com.

"Parents are waking up because there are more and more stories where a family friend or inner circle member has been affected," says Colburn. "Parents are realizing, hey, if that can happen to them, maybe it can happen to us, too."

To keep up with technology's onslaught of new lures, moms and dads are trying everything from a fresh dose of familial heart-to-hearts (including written contracts of computer rules) to stealth software that can pinpoint every keystroke, e-mail, pop-up ad, and website visited on their children's laptops.

Ms. Courtney put two kinds of protection on her family's three computers to monitor her three children. One, SafeEyes, costs $60 from Safebrowse.com, and requires 13-year-old Hayden to plug in a special password, and then limits his Internet access -- those he contacts and those who contact him -- based on categories Ms. Courtney chose from a long list including ways to limit sexual content, words, language, and gambling. She also customizes his daily and weekly hours on the computer, occasionally cutting him off when she is away on weekends or has gone to bed.

"Sometimes I hear these bloodcurdling screams from the next room when the computer has cut him off in the middle of a game," says Courtney.

A second software, called eBlaster, documents every keystroke, IM, e-mail, and website visited on the computer her 16- and 18-year-olds use. Courtney can get a log of the day's activities or watch online activity in real time, with a slight delay. About a year ago, she was watching as a young girl sent Hayden an obscene phrase and link to a sexual website.

"I was watching this all from the next room and holding my breath, and then he didn't click on it," recalls Courtney.
She praised him for doing the right thing, but decided to suspend his IM privileges because he could be vulnerable to such suggestions from online acquaintances.

"These put me in control, let me create the boundaries for each and change them at will," says Courtney. Her eldest son ribs her and her husband for "stalking his every move," but on Father's Day he thanked them for the rules that have kept him out of trouble.

Houston computer software developer Larry Estes and his wife Lisa, who also have three kids (ages 11, 13, and 16), have placed monitoring technology on their computers. The family policy is "zero expectation of privacy" says Mr. Estes, and all computers are face out in an open room. "They can't hide what they are doing," he says.

The family has regular dinner discussions over the dangers of the Internet, including posting personal information, engaging in suggestive conversations, or writing commentary that could be screened by future employers. "We feel education is the best form of control," says Estes. "If we tried to control everything, they would just go out and seek it somewhere else."

Brian Gibbs in Calgary, says he blocks his 10-year-old stepson and 18-year-old foster son from accessing websites that are known as "hunting grounds" for predators. His older son has a "lack of impulse control and lack of understanding as to what is and is not appropriate (sexual conversation, etc.)," he says. He found a product called K9 Web Protection to monitor his use.

"I set my foster son up on the computer, and told him to look up every nasty thing he could possibly think of in every manner possible. I left him to it for about an hour. After this time, he came to me in my office to announce his results: zilch. He couldn't get anything. He was much less pleased than I was with this news. I was thrilled. Finally, a filtering application that is truly kid-proof," says Mr. Gibbs.
Many Internet watchers say that parental involvement with kids should go hand in hand with increased Internet monitoring. To help with this, some websites carry new technology and provide "Do's and Don'ts" lists for Internet safety. "The point for now is that kids are both more savvy and sophisticated in using the Internet but still naive about the ways of the adult world," says Mr. Nickel. Copyright 2006, The Christian Science Monitor Find this article at: http://www.usatoday.com/tech/news/internetprivacy/2006-06-20-parent-cyber-sleuths_x.htm?csp=34 From rforno at infowarrior.org Wed Jun 21 08:23:01 2006 From: rforno at infowarrior.org (Richard Forno) Date: Wed, 21 Jun 2006 08:23:01 -0400 Subject: [Infowarrior] - More Private Data Is Burgled From Government Than Hacked Message-ID: More Private Data Is Burgled From Government Than Hacked Posted on 06/20/2006 @ 14:03:39 in Identity Theft. http://www.emailbattles.com/archive/battles/idtheft_aaejhcjbai_hi/ America's universities admit that, in the first half of 2006, they let a million Social Security numbers slip through their fingers. Accountants, banks and brokerages have proven themselves to be half as competent at protecting your critical data, conceding to more than 1.9 million lost SSNs. And the health care industry fares even worse: 2.4 million. But the King of Data Giveaways, with over 40 million Social Security numbers stolen in just six months, is your government... local, state and federal. The raw data from Privacy Rights Clearinghouse's latest report bears me out. Ignore, for a moment, the infamous theft of 28.5 million records from a Veterans' Administration employee's laptop. You're still left with over 11 million stolen identities. Government incompetence enabled nearly five times as many thefts of SSNs as all the health care providers, including health insurance companies. Why focus on SSNs?
Because, unlike a credit card that can be quickly frozen, a Social Security number is the key to your identity. Armed with a name and SSN, a clever thief can easily acquire your birth date. With SSN and birth date in hand, the remaining keys to assuming your identity, from birth certificate to bank accounts, are a piece of cake. From that point, reclaiming your life is nearly impossible. Ninety-one percent of the data was lifted via physical theft, where crooks stole tapes, printed records, or computer gear... especially laptops. In fact, over 30.5 million records skipped out via laptop. That's 73% of the records lost through physical means. Another 1.8 million records were exposed through what can best be described as Official Stupidity. Lists of personal records were inadvertently broadcast via email, SSNs were posted online, dummies left downloaded databases on hotel computers, and viruses picked up from porn sites harvested in-house databases. In the end, only 2.5 million identities were purloined using the method most romanticized on the Web: hacking... just 5%. And the vast majority of those were inside jobs. Keep that in mind as you put together next year's Security Budget... and don't forget to demand that your legislators: a) outlaw the current crop of SSNs for any use, and b) push for a new, more reliable means of assuring your security... social, that is. From rforno at infowarrior.org Wed Jun 21 08:27:59 2006 From: rforno at infowarrior.org (Richard Forno) Date: Wed, 21 Jun 2006 08:27:59 -0400 Subject: [Infowarrior] - Intellectual Property Prosecutions Double, Says Justice Message-ID: ...but they can't say the same thing about terrorism, can they? Can anyone say 'misplaced priorities' ?? 
-rf Intellectual Property Prosecutions Double, Says Justice From Broadcasting & Cable, June 20, 2006 By John Eggerton http://www.freepress.net/news/print.php?id=16153 The Justice Department Tuesday is issuing a status report on protection of intellectual property in the digital age, saying it has almost doubled the number of defendants prosecuted for intellectual property crimes. Even Court TV has been part of the solution, according to the department. In its 104-page progress report, the Task Force on Intellectual Property says it has implemented recommendations made in October 2004, when it issued its initial report about what steps needed to be taken. Among the progress it is reporting:
- Boosting the number of prosecutors of intellectual property crimes by a dozen.
- Creating an intellectual property educational program for young people (including distributing information on college campuses).
- Increasing the number of defendants prosecuted for intellectual property offenses 98% (from 177 in fiscal year 2004 to 350 in 2005).
- Training over 2,000 prosecutors in other countries and boosting efforts in Asia and Eastern Europe.
- Partnering with the Patent Office to put $900,000 over three years into piracy prevention efforts.
- Teaming with Court TV, which has covered a number of events on intellectual property rights.
- Prosecuting the theft of DISH's satellite signal by a man who made over $300,000 selling pirated and re-programmed devices.
Content providers, arguably led by NBC Universal Chairman Bob Wright, have been pushing for stronger copyright protections and stepped-up pursuit of IP pirates, arguing they threaten hundreds of billions of dollars across a host of sectors, from counterfeit drugs to stolen TV shows, and could impede the transition to digital content distribution. In October 2005, Attorney General Alberto Gonzales added new members to the task force and told it to implement the 2004 recommendations ASAP.
From rforno at infowarrior.org Wed Jun 21 11:18:01 2006 From: rforno at infowarrior.org (Richard Forno) Date: Wed, 21 Jun 2006 11:18:01 -0400 Subject: [Infowarrior] - AT&T rewrites rules: Your data isn't yours Message-ID: AT&T rewrites rules: Your data isn't yours - David Lazarus Wednesday, June 21, 2006 http://sfgate.com/cgi-bin/article.cgi?file=/c/a/2006/06/21/BUG9VJHB9C1.DTL AT&T has issued an updated privacy policy that takes effect Friday. The changes are significant because they appear to give the telecom giant more latitude when it comes to sharing customers' personal data with government officials. The new policy says that AT&T -- not customers -- owns customers' confidential info and can use it "to protect its legitimate business interests, safeguard others, or respond to legal process." The policy also indicates that AT&T will track the viewing habits of customers of its new video service -- something that cable and satellite providers are prohibited from doing. Moreover, AT&T (formerly known as SBC) is requiring customers to agree to its updated privacy policy as a condition for service -- a new move that legal experts say will reduce customers' recourse for any future data sharing with government authorities or others. The company's policy overhaul follows recent reports that AT&T was one of several leading telecom providers that allowed the National Security Agency warrantless access to its voice and data networks as part of the Bush administration's war on terror. "They're obviously trying to avoid a hornet's nest of consumer-protection lawsuits," said Chris Hoofnagle, a San Francisco privacy consultant and former senior counsel at the Electronic Privacy Information Center. "They've written this new policy so broadly that they've given themselves maximum flexibility when it comes to disclosing customers' records," he said. 
AT&T is being sued by San Francisco's Electronic Frontier Foundation for allegedly allowing the NSA to tap into the company's data network, providing warrantless access to customers' e-mails and Web browsing. AT&T is also believed to have participated in President Bush's acknowledged domestic spying program, in which the NSA was given warrantless access to U.S. citizens' phone calls. AT&T said in a statement last month that it "has a long history of vigorously protecting customer privacy" and that "our customers expect, deserve and receive nothing less than our fullest commitment to their privacy." But the company also asserted that it has "an obligation to assist law enforcement and other government agencies responsible for protecting the public welfare, whether it be an individual or the security interests of the entire nation." Under its former privacy policy, introduced in September 2004, AT&T said it might use customers' data "to respond to subpoenas, court orders or other legal process, to the extent required and/or permitted by law." The new version, which is specifically for Internet and video customers, is much more explicit about the company's right to cooperate with government agencies in any security-related matters -- and AT&T's belief that customers' data belongs to the company, not customers. "While your account information may be personal to you, these records constitute business records that are owned by AT&T," the new policy declares. "As such, AT&T may disclose such records to protect its legitimate business interests, safeguard others, or respond to legal process." It says the company "may disclose your information in response to subpoenas, court orders, or other legal process," omitting the earlier language about such processes being "required and/or permitted by law."
The new policy states that AT&T "may also use your information in order to investigate, prevent or take action regarding illegal activities, suspected fraud (or) situations involving potential threats to the physical safety of any person" -- conditions that would appear to embrace any terror-related circumstance. Ray Everett-Church, a Silicon Valley privacy consultant, said it seems clear that AT&T has substantially modified its privacy policy in light of revelations about the government's domestic spying program. "It's obvious that they are trying to stretch their blanket pretty tightly to cover as many exposed bits as possible," he said. Gail Hillebrand, a staff attorney at Consumers Union in San Francisco, said the declaration that AT&T owns customers' data represents the most significant departure from the company's previous policy. "It creates the impression that they can do whatever they want," she said. "This is the real heart of AT&T's new policy and is a pretty fundamental difference from how most customers probably see things." John Britton, an AT&T spokesman, denied that the updated privacy policy marks a shift in the company's approach to customers' info. "We don't see this as anything new," he said. "Our goal was to make the policy easier to read and easier for customers to understand." He acknowledged that there was no explicit requirement in the past that customers accept the privacy policy as a condition for service. And he acknowledged that the 2004 policy said nothing about customers' data being owned by AT&T. But Britton insisted that these elements essentially could be found between the lines of the former policy. "There were many things that were implied in the last policy," he said. "We're just clarifying the last policy." AT&T's new privacy policy is the first to include the company's video service. AT&T says it's spending $4.6 billion to roll out TV programming to 19 million homes nationwide.
The policy refers to two AT&T video services -- Homezone and U-verse. Homezone is AT&T's satellite TV service, offered in conjunction with Dish Network, and U-verse is the new cablelike video service delivered over phone lines. In a section on "usage information," the privacy policy says AT&T will collect "information about viewing, game, recording and other navigation choices that you and those in your household make when using Homezone or AT&T U-verse TV Services." The Cable Communications Policy Act of 1984 stipulates that cable and satellite companies can't collect or disclose information about customers' viewing habits. The law is silent on video services offered by phone companies via the Internet, basically because legislators never anticipated such technology would be available. AT&T's Britton said the 1984 law doesn't apply to his company's video service because AT&T isn't a cable provider. "We are not building a cable TV network," he said. "We're building an Internet protocol television network." But Andrew Johnson, a spokesman for cable heavyweight Comcast, disputed this perspective. "Video is video is video," he said. "If you're delivering programming over a telecommunications network to a TV set, all rules need to be the same." AT&T's new and former privacy policies both state that "conducting business ethically and ensuring privacy is critical to maintaining the public's trust and achieving success in a dynamic and competitive business climate." Both also state that "privacy responsibility" extends "to the privacy of conversations and to the flow of information in data form." As such, both say that "the trust of our customers necessitates vigilant, responsible privacy protections." The 2004 policy, though, went one step further. It said AT&T realizes "that privacy is an important issue for our customers and members." The new policy makes no such acknowledgment. David Lazarus' column appears Wednesdays, Fridays and Sundays. 
Send tips or feedback to dlazarus at sfchronicle.com. URL: http://sfgate.com/cgi-bin/article.cgi?file=/c/a/2006/06/21/BUG9VJHB9C1.DTL From rforno at infowarrior.org Wed Jun 21 19:37:31 2006 From: rforno at infowarrior.org (Richard Forno) Date: Wed, 21 Jun 2006 19:37:31 -0400 Subject: [Infowarrior] - House Judiciary Committee passes resolution demanding NSA telecom requests Message-ID: House Judiciary Committee passes resolution demanding NSA telecom requests http://www.rawstory.com/news/2006/House_Judiciary_Committee_passes_resolution_demanding_0621.html John Byrne Published: Wednesday June 21, 2006 The House Judiciary Committee unexpectedly passed a Democratic resolution Wednesday morning calling on the Justice Department to turn over all requests made by the National Security Agency and other federal agencies to telephone service providers to obtain information without a warrant. The measure was passed by a voice vote Wednesday morning with support of Republican Chairman F. James Sensenbrenner (R-WI). It was introduced by Florida Democrat Robert Wexler. Sensenbrenner told the Committee he would bring the measure to the full House floor for a vote if the Justice Department did not comply with his earlier requests for information about the program. The resolution is not a subpoena. It would have to pass the full House before it had the effect of law. Ranking Judiciary Democrat John Conyers (D-MI) applauded the move. "I am pleased that the House Judiciary Committee is exercising its oversight authority and demanding real answers of the Administration," Conyers said in a statement. "We do not know how trillions of phone call records were obtained, nor how they are being used. And there is no guarantee that this private information will ever be destroyed."
The resolution comes on the heels of last month's revelation by USA Today that the National Security Agency was amassing the phone records of Americans in possible violation of federal law. Officials speaking under the condition of anonymity estimated the collected phone records number in the trillions. The resolution follows. # HRES 819 IH 109th CONGRESS 2d Session H. RES. 819 Requesting the President and directing the Attorney General to submit to the House of Representatives all documents in the possession of the President and the Attorney General relating to requests made by the National Security Agency and other Federal agencies to telephone service providers requesting access to telephone communications records of persons in the United States and communications originating and terminating within the United States without a warrant. IN THE HOUSE OF REPRESENTATIVES May 17, 2006 Mr. WEXLER submitted the following resolution; which was referred to the Committee on the Judiciary RESOLUTION Requesting the President and directing the Attorney General to submit to the House of Representatives all documents in the possession of the President and the Attorney General relating to requests made by the National Security Agency and other Federal agencies to telephone service providers requesting access to telephone communications records of persons in the United States and communications originating and terminating within the United States without a warrant.
Resolved, That the President is requested and the Attorney General is directed to submit to the House of Representatives, not later than 14 days after the date of the adoption of this resolution, all documents in the possession of the President and the Attorney General, including all legal opinions, relating to requests made without a warrant by the National Security Agency or other Federal departments and agencies to telephone service providers, including wireless telephone service providers, for access to telephone communications records of persons in the United States (other than as authorized under title I of the Foreign Intelligence Surveillance Act of 1978 (50 U.S.C. 1801 et seq.) or chapter 119 or 121 of title 18, United States Code), subject to necessary redactions or requirements for handling classified documents. From rforno at infowarrior.org Wed Jun 21 20:18:09 2006 From: rforno at infowarrior.org (Richard Forno) Date: Wed, 21 Jun 2006 20:18:09 -0400 Subject: [Infowarrior] - JSG: Secrecy Mustn't Crush Rule of Law Message-ID: Secrecy Mustn't Crush Rule of Law By Jennifer Granick 02:00 AM Jun, 21, 2006 http://www.wired.com/news/columns/1,71212-0.html Are there any legal limits to what the executive branch can do in the name of national security, or is it anything goes? In separate federal lawsuits challenging the warrantless surveillance of American citizens, the Bush administration argues that courts must dismiss cases claiming that the National Security Agency has broken the law because those claims implicate "state secrets." On Friday of this week, U.S. District Judge Vaughn Walker sitting in San Francisco will hear arguments on the issue in Hepting v. AT&T, a class action claiming that the telecommunications giant has been collaborating with the NSA in illegally eavesdropping on millions of Americans' calls and e-mails. 
(Disclosures: Last week, professor Susan Freiwald and our Stanford Center for Internet and Society filed a law professors' amicus brief on behalf of the plaintiffs in Hepting. Wired News has also filed motions to intervene in the case and asked the court to make public evidence filed under seal of AT&T's alleged wiretapping activities.) Later in the month, Judge Anna Diggs Taylor in Detroit will hear similar arguments in ACLU v. National Security Agency (NSA), a case brought against the NSA by journalists claiming the surveillance program has dried up sources and interfered with the plaintiffs' ability to gather news. The stakes are high, and sight of them should not be lost among the citations to cases from the 1870s or the redacted pleadings referencing classified arguments and evidence lodged in a secure location in Washington, D.C., for sequestered review by the sitting judges. The way the government has asserted the state-secrets privilege means these courts will do more than answer the already serious question of what protection official secrets deserve in a democratic government. The judges will be deciding whether the rule of law applies to any party, whether an agency of the government or a private company, acting in the realm of national security. The government has already been wildly successful in using the state-secrets privilege to completely shield itself from appropriate punishment for shocking and illegal behavior in El-Masri v. Tenet. Khaled El-Masri was abducted, sodomized and beaten over five months of detention at the hands of CIA agents or their operatives. Eventually, the government realized it had kidnapped the wrong person and, luckily, released him. El-Masri sued the head of the CIA, claiming the agency authorized his kidnapping and torture as part of the U.S. "rendition program." 
Though German prosecutors back up El-Masri's story and though the United States has admitted and lauded the practice of rendition, the government successfully moved to dismiss the lawsuit on the grounds of state secrets. The trial judge dismissed El-Masri's case because litigating it would reveal operational details as to means and methods, persons, companies or governments involved. I suppose we're fortunate the CIA operatives didn't kill El-Masri to protect the world from learning about the "operational details" of rendition. Though if they had, his family would have had no legal recourse against his murderers. The government is attempting to build on the anomaly of its victory in El-Masri v. Tenet to push for complete dismissal on state-secrets grounds in other cases where it has acted illegally. If this claim prevails, then executive agencies can act with impunity if part of a national intelligence effort, regardless of efforts by Congress, the courts or the international community to set rules of engagement. This Friday, Walker will take the issue up with lawyers from the government, AT&T and the Electronic Frontier Foundation. In Hepting v. AT&T, the EFF represents a class of plaintiffs comprised of AT&T customers. Based on documents from Mark Klein, a former AT&T employee, the plaintiffs claim that AT&T has been illegally diverting their communications to the NSA. The United States moved to intervene in the case, arguing that the claims should be dismissed because litigation would disclose intelligence information, sources and methods. The government claims neither it nor AT&T may confirm or deny the existence, scope and potential targets of intelligence activities because there is a reasonable danger that national security would be harmed by the disclosure. If this claim is true, then the court must dismiss the case. Thus, much of the argument Friday will be about whether the case requires information that is, in fact, secret. 
The public knows that telecommunications carriers like AT&T have both the capability and often the legal responsibility to intercept communications, and that the government often asks them to do so. The fact that the government is listening to phone calls and that AT&T is involved is not secret. The only issue is whether AT&T eavesdropped with court authorization. But court authorization isn't secret either. It's a piece of paper signed by a judge. Sensitive details contained in that court order can be excised, received under seal, reviewed by the judge in chambers (in camera review) or handled any number of ways that courts use to deal with confidential information. The public knows this case is a challenge to the government's previously secret program of warrantless surveillance. But the plaintiffs have had to argue they can prove AT&T illegally intercepted its customers' private calls without needing any evidence of the government's surveillance program in order to avoid the state-secrets ax. It's one of the many Kafkaesque turns in the case, though certainly no more strange than the government's assertion that the court -- even if it were to review the evidence outside of the public eye and find the government acted illegally -- could not then award damages because to do so would confirm the plaintiffs' allegations. One improvement might be to disfavor claims of state-secrets privilege in cases directly challenging the legality of U.S. conduct in the national-security arena. This rule particularly would make sense when the facts on which the plaintiff is depending to make his case are already available from unclassified sources. El-Masri knows what the CIA did to him, and German authorities back him up. Klein's documents showing AT&T's mass surveillance are in the public record. The only secret is whether the defendant -- the CIA, the NSA or AT&T -- has a legitimate excuse. 
This idea arguably goes against case law stating that if "the very subject matter of the action" is a state secret, then the case should be dismissed. That language comes from an 1875 case involving a lawsuit for breach of a contract to pay a secret agent under a government contract for clandestine services, and a 1953 negligence lawsuit brought by widows whose husbands had been killed in the crash of a military airplane carrying electronic surveillance equipment. However, in those cases, the state secret was separate and apart from the plaintiffs' claims of wrongdoing. In El-Masri and the pending surveillance cases, the government's illegal behavior is the very thing it seeks to keep secret. Perhaps my idea also seems uncomfortably suspicious of national-security claims at a time when international terrorism is on the rise and national security is of pre-eminent importance. The healthier skepticism I suggest does not mean courts will disfavor national-security claims that arise in the normal course of litigation, but only that they will be suspicious of state-secret claims that shield government wrongdoing from judicial review and remedy, particularly when the plaintiffs have made out a case from independent investigation, record collection and expert testimony. The judges in the Hepting and ACLU cases have to draw the line between protecting legitimate state secrets and protecting illegal activity connected to the war on terror. Illegal programs like rendition and warrantless wiretapping do not keep America safe. They undermine our democracy by violating civil rights and ignoring the rule of law. - - - Jennifer Granick is executive director of the Stanford Law School Center for Internet and Society, and teaches the Cyberlaw Clinic. From rforno at infowarrior.org Thu Jun 22 20:50:02 2006 From: rforno at infowarrior.org (Richard Forno) Date: Thu, 22 Jun 2006 20:50:02 -0400 Subject: [Infowarrior] - House panel OKs global rules for U.S. 
Net firms Message-ID: House panel OKs global rules for U.S. Net firms By Anne Broache http://news.com.com/House+panel+OKs+global+rules+for+U.S.+Net+firms/2100-1028_3-6087112.html Story last modified Thu Jun 22 17:19:15 PDT 2006 A congressional bill that would impose strict new obligations on American tech companies doing business with "Internet-restricting countries" like China cleared its first hurdle to becoming law on Thursday. The Global Online Freedom Act, introduced in February by Rep. Christopher Smith, passed by a unanimous voice vote in the U.S. House of Representatives subcommittee that focuses on Africa, global human rights and international operations. "The growth of the Internet and other information technologies can be a force for democratic change if the information is not subject to political censorship," Smith, a New Jersey Republican, said in a statement Thursday. Smith proposed the bill just days after a daylong congressional hearing at which politicians lashed out at representatives from Microsoft, Google, Yahoo and Cisco Systems for compliance with China's state-sponsored censorship regime. The concerns among politicians flared up after reports that, under pressure from the Chinese government, Microsoft had deleted a journalist's blog, Yahoo had turned over information leading to the conviction of at least one Chinese journalist, and Google was offering a restricted search service there. Politicians also accused Cisco's hardware of aiding in filtering out content, although company representatives explained that the same features are available on all such devices they sell worldwide. Some of those companies have said they have no choice but to comply with the laws in all of the countries where they do business. Strict new rules The approved bill attempts to target those practices directly.
Under its list of "minimum corporate standards," American businesses would be barred from keeping any electronic communication, such as e-mail, that contains personally identifiable information on servers or other storage facilities in "Internet-restricting countries." The rules would also prohibit them from turning over personal information about their subscribers to governments in those locales except for "legitimate law enforcement purposes." All search engine providers would be required to give the U.S. State Department's Office of Global Internet Freedom a detailed breakdown of how their search results have been restricted or censored in such countries. All Web content hosts would have to supply a list of URLs that have been removed or blocked there. Internet service providers could also face fines of up to $2 million per offense and imprisonment for blocking access to any U.S. government-sponsored Web site or content, such as Voice of America, in the blacklisted countries. Although China has taken center stage, the bill says the rules would also apply to dealings with Belarus, Cuba, Ethiopia, Iran, Laos, North Korea, Tunisia and Vietnam--along with any other country on which the U.S. government decides to bestow an "Internet-restricting" designation. Microsoft's managing director of federal government affairs, Jack Krumholz, called the Global Online Freedom Act's approach "unproductive." He said in a statement Thursday that the bill "could provoke greater restrictions, or even the withdrawal of Internet services in China, which would leave the Chinese people with even less ability to access information and communicate with others." Yahoo declined to reveal whether it supported the bill. Spokeswoman Mary Osako said in a statement, "We look forward to continuing to work with the U.S. 
Department of State's Office of Global Internet Freedom, Congress and our industry peers to develop reasonable measures and policies that will promote Internet freedom around the world." Google spokesman John Murchinson said the search giant hadn't yet reviewed the approved bill but believes "that our approach in China advances our mission of making all the world's information universally accessible and useful." Cisco representatives were not immediately available for comment. The human rights group Reporters Without Borders, which has been pressuring Yahoo on its alleged Chinese cooperation, applauded the bill's approval, though spokeswoman Lucie Morillon said it could have gone even further. The original version of Smith's bill, for instance, would have barred search engine companies from agreeing to remove "protected filter terms" from search results in order to serve the interests of restrictive governments. That content, to be determined by the Office of Global Internet Freedom, would have included "key words, terms and phrases relating to human rights, democracy, religious free exercise and peaceful political dissent." Despite that apparent compromise, Morillon said, "we believe it's going to help make the Internet freer and help protect the privacy of users in repressive countries." Copyright 1995-2006 CNET Networks, Inc. All rights reserved.
From rforno at infowarrior.org Fri Jun 23 08:16:29 2006 From: rforno at infowarrior.org (Richard Forno) Date: Fri, 23 Jun 2006 08:16:29 -0400 Subject: [Infowarrior] - Torrentspy names alleged MPAA hacker Message-ID: Torrentspy names alleged MPAA hacker By Greg Sandoval http://news.com.com/Torrentspy+names+alleged+MPAA+hacker/2100-1030_3-6087146.html Story last modified Fri Jun 23 05:13:58 PDT 2006 A month after accusing the Motion Picture Association of America of conspiring to commit data theft, the operators of a file search engine presented more details regarding the alleged relationship between the MPAA and a man who admits hacking the small company's network. Valence Media, the parent company of Torrentspy.com, charges that the MPAA paid the Canadian resident $15,000 for information on Torrentspy and its executives, according to documents filed Thursday with the U.S. District Court for the Central District of California in Los Angeles. "I contacted (the MPAA) and offered to provide it information regarding (Torrentspy.com founder) Justin Bunnell and Torrentspy," according to a signed statement by Robert Anderson, the man identified elsewhere in the filing as a "hacker." Among the claims by Valence Media is that as part of its attempt to gather information on Torrentspy, the MPAA hired private investigators to comb the trash cans of Torrentspy executives. Valence Media obtained this information from Anderson, who for undisclosed reasons has agreed to help the company against the MPAA, according to a copy of the suit obtained by CNET News.com. Valence Media has asked a judge to order the MPAA to turn over the information taken by Anderson and to identify anyone that the MPAA may have shared it with. This is the latest volley in a legal battle that began in February, when the MPAA sued Torrentspy and other directories that it accuses of contributing to the theft of copyright movies.
Some file sharers use search engines, such as Torrentspy, to locate downloadable movies. The MPAA has aggressively pursued those accused of distributing copyright material, as well as directories that the MPAA says are abetting piracy. An MPAA spokeswoman did not immediately return phone calls, but the association issued a broad denial to Torrentspy's initial charges. Valence Media charged in its suit that on June 10, 2005, MPAA executives met with Anderson, a resident of Vancouver, Canada. Dean Garfield, the MPAA's director of legal affairs, was among the association's representatives who agreed to pay Anderson $15,000 to obtain private e-mails, financial and technology information, according to the court documents. Garfield could not be immediately reached for comment. An MPAA executive told Anderson: "We don't care how you get it," Valence Media alleges in the court documents. Anderson, who could not be immediately reached for comment, was successful at breaching Torrentspy's computer system, Valence Media alleges. By rigging Torrentspy's e-mail system, Anderson received copies of company e-mail as soon as they were sent or received, as well as important login information, according to the suit. This allowed him broad access to company data, Valence Media claims. The company's suit said Anderson managed to pilfer a spreadsheet of company earnings and expenses, indexes of file architecture, screen shots of proprietary search functions and even a utility bill belonging to one Torrentspy executive. In July 2005, the MPAA reviewed Anderson's work and wired $15,000 to a Toronto-based bank account, according to the court documents. Sometime after, Anderson had a change of heart, according to a signed statement by Anderson that was included in the court filing. In fact, Anderson was actually acquainted with Bunnell. 
He had done some marketing work for another company associated with Bunnell, Anderson said in his statement, but his relationship with the Torrentspy founder apparently ended acrimoniously in April 2005. "After our business relationship ended, I was upset with Justin Bunnell," Anderson said in the statement. He then contacted the MPAA and offered to retrieve information on Torrentspy executives including Bunnell, as well as other Torrent file search engines. Anderson has provided a written agreement signed by an MPAA executive and other documentation related to Anderson being hired to gather information on Torrentspy and its executives, said Ira Rothken, Valence Media's attorney. Also included in the filing is a copy of the alleged contract that was signed by Anderson and MPAA executives. Some of the information filed with the court was obscured, including names. Rothken said the names of Anderson and MPAA executives can be found on the original contract. The purported contract includes a paragraph calling for the gathering of information on other peer-to-peer companies and torrent directories at odds with the MPAA, including The Pirate Bay, eXeem and Mininova. Importantly, the contract specifies that the MPAA expected information to be obtained through legal means. Such statements won't save the MPAA from liability in this case, argued Rothken. "There's an irony that they could put a clause into a contract and that would allow them to turn a blind eye to hiring a hacker," Rothken said. "There's no magical term that lets them off the hook." Valence Media's latest filing, which asks for unspecified damages, comes after the company and the MPAA met over a 10-day period to discuss turning over whatever Anderson had provided the trade association, according to the lawsuit. The talks were unsuccessful, Rothken said. It's unclear what prompted Anderson to cooperate with Torrentspy and risk possible criminal prosecution. 
"The only person that would know the precise answer to that is him," Rothken said. "We believe that he broke the law in a serious manner...we're encouraged that after making a big mistake he's now mitigating his wrongdoing by providing information about things he did so we can take remedial action against the MPAA." From rforno at infowarrior.org Fri Jun 23 08:17:05 2006 From: rforno at infowarrior.org (Richard Forno) Date: Fri, 23 Jun 2006 08:17:05 -0400 Subject: [Infowarrior] - Bank Data Sifted in Secret by U.S. to Block Terror Message-ID: Bank Data Sifted in Secret by U.S. to Block Terror By ERIC LICHTBLAU and JAMES RISEN http://www.nytimes.com/2006/06/23/washington/23intel.html?ei=5065&en=8b8acbe63f34dad9&ex=1151640000&partner=MYWAY&pagewanted=print WASHINGTON, June 22 - Under a secret Bush administration program initiated weeks after the Sept. 11 attacks, counterterrorism officials have gained access to financial records from a vast international database and examined banking transactions involving thousands of Americans and others in the United States, according to government and industry officials. The program is limited, government officials say, to tracing transactions of people suspected of having ties to Al Qaeda by reviewing records from the nerve center of the global banking industry, a Belgian cooperative that routes about $6 trillion daily between banks, brokerages, stock exchanges and other institutions. The records mostly involve wire transfers and other methods of moving money overseas and into and out of the United States. Most routine financial transactions confined to this country are not in the database. Viewed by the Bush administration as a vital tool, the program has played a hidden role in domestic and foreign terrorism investigations since 2001 and helped in the capture of the most wanted Qaeda figure in Southeast Asia, the officials said. 
The program, run out of the Central Intelligence Agency and overseen by the Treasury Department, "has provided us with a unique and powerful window into the operations of terrorist networks and is, without doubt, a legal and proper use of our authorities," Stuart Levey, an under secretary at the Treasury Department, said in an interview on Thursday. The program is grounded in part on the president's emergency economic powers, Mr. Levey said, and multiple safeguards have been imposed to protect against any unwarranted searches of Americans' records. The program, however, is a significant departure from typical practice in how the government acquires Americans' financial records. Treasury officials did not seek individual court-approved warrants or subpoenas to examine specific transactions, instead relying on broad administrative subpoenas for millions of records from the cooperative, known as Swift. That access to large amounts of confidential data was highly unusual, several officials said, and stirred concerns inside the administration about legal and privacy issues. "The capability here is awesome or, depending on where you're sitting, troubling," said one former senior counterterrorism official who considers the program valuable. While tight controls are in place, the official added, "the potential for abuse is enormous." The program is separate from the National Security Agency's efforts to eavesdrop without warrants and collect domestic phone records, operations that have provoked fierce public debate and spurred lawsuits against the government and telecommunications companies. But all the programs grew out of the Bush administration's desire to exploit technological tools to prevent another terrorist strike, and all reflect attempts to break down longstanding legal or institutional barriers to the government's access to private information about Americans and others inside the United States. 
Officials described the Swift program as the biggest and most far-reaching of several secret efforts to trace terrorist financing. Much more limited agreements with other companies have provided access to A.T.M. transactions, credit card purchases and Western Union wire payments, the officials said. Nearly 20 current and former government officials and industry executives discussed aspects of the Swift operation with The New York Times on condition of anonymity because the program remains classified. Some of those officials expressed reservations about the program, saying that what they viewed as an urgent, temporary measure had become permanent nearly five years later without specific Congressional approval or formal authorization. Data from the Brussels-based banking consortium, formally known as the Society for Worldwide Interbank Financial Telecommunication, has allowed officials from the C.I.A., the Federal Bureau of Investigation and other agencies to examine "tens of thousands" of financial transactions, Mr. Levey said. While many of those transactions have occurred entirely on foreign soil, officials have also been keenly interested in international transfers of money by individuals, businesses, charities and other groups under suspicion inside the United States, officials said. A small fraction of Swift's records involve transactions entirely within this country, but Treasury officials said they were uncertain whether any had been examined. Swift executives have been uneasy at times about their secret role, the government and industry officials said. By 2003, the executives told American officials they were considering pulling out of the arrangement, which began as an emergency response to the Sept. 11 attacks, the officials said. Worried about potential legal liability, the Swift executives agreed to continue providing the data only after top officials, including Alan Greenspan, then chairman of the Federal Reserve, intervened. 
At that time, new controls were introduced. Among the safeguards, government officials said, is an outside auditing firm that verifies that the data searches are based on intelligence leads about suspected terrorists. "We are not on a fishing expedition," Mr. Levey said. "We're not just turning on a vacuum cleaner and sucking in all the information that we can." Swift and Treasury officials said they were aware of no abuses. But Mr. Levey, the Treasury official, said one person had been removed from the operation for conducting a search considered inappropriate. Treasury officials said Swift was exempt from American laws restricting government access to private financial records because the cooperative was considered a messaging service, not a bank or financial institution. But at the outset of the operation, Treasury and Justice Department lawyers debated whether the program had to comply with such laws before concluding that it did not, people with knowledge of the debate said. Several outside banking experts, however, say that financial privacy laws are murky and sometimes contradictory and that the program raises difficult legal and public policy questions. The Bush administration has made no secret of its campaign to disrupt terrorist financing, and President Bush, Treasury officials and others have spoken publicly about those efforts. Administration officials, however, asked The New York Times not to publish this article, saying that disclosure of the Swift program could jeopardize its effectiveness. They also enlisted several current and former officials, both Democrat and Republican, to vouch for its value. Bill Keller, the newspaper's executive editor, said: "We have listened closely to the administration's arguments for withholding this information, and given them the most serious and respectful consideration. 
We remain convinced that the administration's extraordinary access to this vast repository of international financial data, however carefully targeted use of it may be, is a matter of public interest." Mr. Levey agreed to discuss the classified operation after the Times editors told him of the newspaper's decision. On Thursday evening, Dana Perino, deputy White House press secretary, said: "Since immediately following 9/11, the American government has taken every legal measure to prevent another attack on our country. One of the most important tools in the fight against terror is our ability to choke off funds for the terrorists." She added: "We know the terrorists pay attention to our strategy to fight them, and now have another piece of the puzzle of how we are fighting them. We also know they adapt their methods, which increases the challenge to our intelligence and law enforcement officials." Referring to the disclosure by The New York Times last December of the National Security Agency's eavesdropping program, she said, "The president is concerned that once again The New York Times has chosen to expose a classified program that is working to protect our citizens." Swift declined to discuss details of the program but defended its role in written responses to questions. "Swift has fully complied with all applicable laws," the consortium said. The organization said it insisted that the data be used only for terrorism investigations and had narrowed the scope of the information provided to American officials over time. A Crucial Gatekeeper Swift's database provides a rich hunting ground for government investigators. Swift is a crucial gatekeeper, providing electronic instructions on how to transfer money among 7,800 financial institutions worldwide. The cooperative is owned by more than 2,200 organizations, and virtually every major commercial bank, as well as brokerage houses, fund managers and stock exchanges, uses its services. 
Swift routes more than 11 million transactions each day, most of them across borders. The cooperative's message traffic allows investigators, for example, to track money from the Saudi bank account of a suspected terrorist to a mosque in New York. Starting with tips from intelligence reports about specific targets, agents search the database in what one official described as a "24-7" operation. Customers' names, bank account numbers and other identifying information can be retrieved, the officials said. The data does not allow the government to track routine financial activity, like A.T.M. withdrawals, confined to this country, or to see bank balances, Treasury officials said. And the information is not provided in real time; Swift generally turns it over several weeks later. Because of privacy concerns and the potential for abuse, the government sought the data only for terrorism investigations and prohibited its use for tax fraud, drug trafficking or other inquiries, the officials said. The Treasury Department was charged by President Bush, in a September 2001 executive order, with taking the lead role in efforts to disrupt terrorist financing. Mr. Bush has been briefed on the program and Vice President Dick Cheney has attended C.I.A. demonstrations, the officials said. The National Security Agency has provided some technical assistance. While the banking program is a closely held secret, administration officials have held classified briefings for some members of Congress and the Sept. 11 commission, the officials said. More lawmakers were briefed in recent weeks, after the administration learned The Times was making inquiries for this article. Swift's 25-member board of directors, made up of representatives from financial institutions around the world, was previously told of the program. The Group of 10's central banks, in major industrialized countries, which oversee Swift, were also informed. 
It is not clear if other network participants know that American intelligence officials can examine their message traffic. Because Swift is based overseas and has offices in the United States, it is governed by European and American laws. Several international regulations and policies impose privacy restrictions on companies that are generally regarded as more stringent than those in this country. United States law establishes some protections for the privacy of Americans' financial data, but they are not ironclad. A 1978 measure, the Right to Financial Privacy Act, has a limited scope and a number of exceptions, and its role in national security cases remains largely untested. Several people familiar with the Swift program said they believed that they were exploiting a "gray area" in the law and that a case could be made for restricting the government's access to the records on Fourth Amendment and statutory grounds. They also worried about the impact on Swift if the program were disclosed. "There was always concern about this program," a former official said. One person involved in the Swift program estimated that analysts had reviewed international transfers involving "many thousands" of people or groups in the United States. Two other officials placed the figure in the thousands. Mr. Levey said he could not estimate the number. The Swift data has provided clues to money trails and ties between possible terrorists and groups financing them, the officials said. In some instances, they said, the program has pointed them to new suspects, while in others it has buttressed cases already under investigation. Among the successes was the capture of a Qaeda operative, Riduan Isamuddin, better known as Hambali, believed to be the mastermind of the 2002 bombing of a Bali resort, several officials said. 
The Swift data identified a previously unknown figure in Southeast Asia who had financial dealings with a person suspected of being a member of Al Qaeda; that link helped locate Hambali in Thailand in 2003, they said. In the United States, the program has provided financial data in investigations into possible domestic terrorist cells as well as inquiries into Islamic charities suspected of having links to extremists, the officials said. The data also helped identify a Brooklyn man who was convicted on terrorism-related charges last year, the officials said. The man, Uzair Paracha, who worked at a New York import business, aided a Qaeda operative in Pakistan by agreeing to launder $200,000 through a Karachi bank, prosecutors said. In terrorism prosecutions, intelligence officials have been careful to "sanitize," or hide the origins of evidence collected through the program to keep it secret, officials said. The Bush administration has pursued steps that may provide some enhanced legal standing for the Swift program. In late 2004, Congress authorized the Treasury Department to develop regulations requiring American banks to turn over records of international wire transfers. Officials say a preliminary version of those rules may be ready soon. One official described the regulations as an attempt to "formalize" access to the kind of information secretly provided by Swift, though other officials said the initiative was unrelated to the program. The Scramble for New Tools Like other counterterrorism measures carried out by the Bush administration, the Swift program began in the hectic days after the Sept. 11 attacks, as officials scrambled to identify new tools to head off further strikes. One priority was to cut off the flow of money to Al Qaeda. The 9/11 hijackers had helped finance their plot by moving money through banks. Nine of the hijackers, for instance, funneled money from Europe and the Middle East to SunTrust bank accounts in Florida. 
Some of the $130,000 they received was wired by people overseas with known links to Al Qaeda. Financial company executives, many of whom had lost friends at the World Trade Center, were eager to help federal officials trace terrorist money. "They saw 9/11 not just as an attack on the United States, but on the financial industry as a whole," said one former government official. Quietly, counterterrorism officials sought to expand the information they were getting from financial institutions. Treasury officials, for instance, spoke with credit card companies about devising an alert if someone tried to buy fertilizer and timing devices that could be used for a bomb, but they were told the idea was not logistically possible, a lawyer in the discussions said. The F.B.I. began acquiring financial records from Western Union and its parent company, the First Data Corporation. The programs were alluded to in Congressional testimony by the F.B.I. in 2003 and described in more detail in a book released this week, "The One Percent Doctrine," by Ron Suskind. Using what officials described as individual, narrowly framed subpoenas and warrants, the F.B.I. has obtained records from First Data, which processes credit and debit card transactions, to track financial activity and try to locate suspects. Similar subpoenas for the Western Union data allowed the F.B.I. to trace wire transfers, mainly outside the United States, and to help Israel disrupt about a half-dozen possible terrorist plots there by unraveling the financing, an official said. The idea for the Swift program, several officials recalled, grew out of a suggestion by a Wall Street executive, who told a senior Bush administration official about Swift's database. Few government officials knew much about the consortium, which is led by a Brooklyn native, Leonard H. Schrank, but they quickly discovered it offered unparalleled access to international transactions. 
Swift, a former government official said, was "the mother lode, the Rosetta stone" for financial data. Intelligence officials were so eager to use the Swift data that they discussed having the C.I.A. covertly gain access to the system, several officials involved in the talks said. But Treasury officials resisted, the officials said, and favored going to Swift directly. At the same time, lawyers in the Treasury Department and the Justice Department were considering possible legal obstacles to the arrangement, the officials said. In 1976, the Supreme Court ruled that Americans had no constitutional right to privacy for their records held by banks or other financial institutions. In response, Congress passed the Right to Financial Privacy Act two years later, restricting government access to Americans' banking records. In considering the Swift program, some government lawyers were particularly concerned about whether the law prohibited officials from gaining access to records without a warrant or subpoena based on some level of suspicion about each target. For many years, law enforcement officials have relied on grand-jury subpoenas or court-approved warrants for such financial data. Since 9/11, the F.B.I. has turned more frequently to an administrative subpoena, known as a national security letter, to demand such records. After an initial debate, Treasury Department lawyers, consulting with the Justice Department, concluded that the privacy laws applied to banks, not to a banking cooperative like Swift. They also said the law protected individual customers and small companies, not the major institutions that route money through Swift on behalf of their customers. Other state, federal and international regulations place different and sometimes conflicting restrictions on the government's access to financial records. Some put greater burdens on the company disclosing the information than on the government officials demanding it. 
Among their considerations, American officials saw Swift as a willing partner in the operation. But Swift said its participation was never voluntary. "Swift has made clear that it could provide data only in response to a valid subpoena," according to its written statement. Indeed, the cooperative's executives voiced early concerns about legal and corporate liability, officials said, and the Treasury Department's Office of Foreign Asset Control began issuing broad subpoenas for the cooperative's records related to terrorism. One official said the subpoenas were intended to give Swift some legal protection. Underlying the government's legal analysis was the International Emergency Economic Powers Act, which Mr. Bush invoked after the 9/11 attacks. The law gives the president what legal experts say is broad authority to "investigate, regulate or prohibit" foreign transactions in responding to "an unusual and extraordinary threat." But L. Richard Fischer, a Washington lawyer who wrote a book on banking privacy and is regarded as a leading expert in the field, said he was troubled that the Treasury Department would use broad subpoenas to demand large volumes of financial records for analysis. Such a program, he said, appears to do an end run around bank-privacy laws that generally require the government to show that the records of a particular person or group are relevant to an investigation. "There has to be some due process," Mr. Fischer said. "At an absolute minimum, it strikes me as inappropriate." Several former officials said they had lingering concerns about the legal underpinnings of the Swift operation. The program "arguably complies with the letter of the law, if not the spirit," one official said. Another official said: "This was creative stuff. Nothing was clear cut, because we had never gone after information this way before." Treasury officials said they considered the government's authority to subpoena the Swift records to be clear. 
"People do not have a privacy interest in their international wire transactions," Mr. Levey, the Treasury under secretary, said. Tighter Controls Sought Within weeks of 9/11, Swift began turning over records that allowed American analysts to look for evidence of terrorist financing. Initially, there appear to have been few formal limits on the searches. "At first, they got everything - the entire Swift database," one person close to the operation said. Intelligence officials paid particular attention to transfers to or from Saudi Arabia and the United Arab Emirates because most of the 9/11 hijackers were from those countries. The volume of data, particularly at the outset, was often overwhelming, officials said. "We were turning on every spigot we could find and seeing what water would come out," one former administration official said. "Sometimes there were hits, but a lot of times there weren't." Officials realized the potential for abuse, and narrowed the program's targets and put in more safeguards. Among them were the auditing firm, an electronic record of every search and a requirement that analysts involved in the operation document the intelligence that justified each data search. Mr. Levey said the program was used only to examine records of individuals or entities, not for broader data searches. Despite the controls, Swift executives became increasingly worried about their secret involvement with the American government, the officials said. By 2003, the cooperative's officials were discussing pulling out because of their concerns about legal and financial risks if the program were revealed, one government official said. "How long can this go on?" a Swift executive asked, according to the official. Even some American officials began to question the open-ended arrangement. "I thought there was a limited shelf life and that this was going to go away," the former senior official said. 
In 2003, administration officials asked Swift executives and some board members to come to Washington. They met with Mr. Greenspan, Robert S. Mueller III, the F.B.I. director, and Treasury officials, among others, in what one official described as "a full-court press." Aides to Mr. Greenspan and Mr. Mueller declined to comment on the meetings. The executives agreed to continue supplying records after the Americans pledged to impose tighter controls. Swift representatives would be stationed alongside intelligence officials and could block any searches considered inappropriate, several officials said. The procedural change provoked some opposition at the C.I.A. because "the agency was chomping at the bit to have unfettered access to the information," a senior counterterrorism official said. But the Treasury Department saw it as a necessary compromise, the official said, to "save the program." Barclay Walsh contributed reporting for this article. From rforno at infowarrior.org Fri Jun 23 08:17:35 2006 From: rforno at infowarrior.org (Richard Forno) Date: Fri, 23 Jun 2006 08:17:35 -0400 Subject: [Infowarrior] - Media Refuses to Hold Surveillance Story Message-ID: Media Refuses to Hold Surveillance Story Jun 23 12:23 AM US/Eastern http://www.breitbart.com/news/2006/06/23/D8IDMQ180.html By JUSTIN BACHMAN AP Business Writer NEW YORK The Bush administration and The New York Times are again at odds over national security, this time with new reports of a broad government effort to track global financial transfers. The newspaper, which in December broke news of an effort by the National Security Agency to monitor Americans' telephone calls and e-mails, declined a White House request not to publish a story about the government's inspection of monies flowing in and out of the country. The Los Angeles Times also reported on the issue Thursday night on its Web site, against the Bush administration's wishes. 
The Wall Street Journal said it received no request to hold its report of the surveillance. Administration officials were concerned that news reports of the program would diminish its effectiveness and could harm overall national security. "It's a tough call; it was not a decision made lightly," said Doyle McManus, the Los Angeles Times' Washington bureau chief. "The key issue here is whether the government has shown that there are adequate safeguards in these programs to give American citizens confidence that information that should remain private is being protected." Treasury Department officials spent 90 minutes Thursday meeting with the newspaper's reporters, stressing the legality of the program and urging the paper to not publish a story on the program, McManus said in a telephone interview. "They were quite vigorous, they were quite energetic. They made a very strong case," he said. In its story, The New York Times said it carefully weighed the administration's arguments for withholding the information and gave them "the most serious and respectful consideration." "We remain convinced that the administration's extraordinary access to this vast repository of international financial data, however carefully targeted use it may be, is a matter of public interest," said Bill Keller, the Times' executive editor. In December, Bush used part of his weekly radio address to criticize The New York Times' initial eavesdropping story as helping to inform enemies, saying "the unauthorized disclosure of this effort damages our national security and puts our citizens at risk." McManus said the other factor that tipped the paper's decision to publish was the novel approach government was using to gather data in another realm without warrant or subpoena. "Police agencies and prosecutors get warrants all the time to search suspects' houses, and we don't write stories about that," he said. "This is different. This is new. 
And this is a process that has been developed that does not involve getting a specific warrant. It's a new and unfamiliar process." Copyright 2006 The Associated Press. From rforno at infowarrior.org Fri Jun 23 08:18:22 2006 From: rforno at infowarrior.org (Richard Forno) Date: Fri, 23 Jun 2006 08:18:22 -0400 Subject: [Infowarrior] - Secret U.S. Program Tracks Global Bank Transfers Message-ID: http://www.latimes.com/news/nationworld/nation/la-na-swift23jun23,0,6482687.story?coll=la-home-headlines From the Los Angeles Times Secret U.S. Program Tracks Global Bank Transfers The Treasury Dept. program, begun after the Sept. 11 attacks, attempts to monitor terrorist financing but raises privacy concerns. By Josh Meyer and Greg Miller Times Staff Writers June 23, 2006 WASHINGTON - The U.S. government, without the knowledge of many banks and their customers, has engaged for years in a secret effort to track terrorist financing by accessing a vast database of confidential information on transfers of money between banks worldwide. The program, run by the Treasury Department, is considered a potent weapon in the war on terrorism because of its ability to clandestinely monitor financial transactions and map terrorist webs. It is part of an arsenal of aggressive measures the government has adopted since the Sept. 11 terrorist attacks that yield new intelligence, but also circumvent traditional safeguards against abuse and raise concerns about intrusions on privacy. Under this effort, Treasury routinely acquires information about bank transfers from the world's largest financial communication network, which is run by a consortium of financial institutions called the Society for Worldwide Interbank Financial Telecommunication, or SWIFT. The SWIFT network carries up to 12.7 million messages a day containing instructions on many of the international transfers of money between banks. The messages typically include the names and account numbers of bank customers, from U.S. 
citizens to major corporations, who are sending or receiving funds. Through the program, Treasury has built an enormous and ever-growing repository of financial records drawn from what is essentially the central nervous system of international banking. In a major departure from traditional methods of obtaining financial records, the Treasury Department uses a little-known power, administrative subpoenas, to collect data from the SWIFT network, which has operations in the U.S., including a main computer hub in Manassas, Va. The subpoenas are secret and not reviewed by judges or grand juries, as are most criminal subpoenas. "It's hard to overstate the value of this information," Treasury Secretary John W. Snow said Thursday in a statement he issued after The Times and other media outlets reported the existence of the Terrorist Finance Tracking Program. SWIFT acknowledged Thursday in response to questions from The Times that it has provided data under subpoena since shortly after Sept. 11, 2001, a striking leap in cooperation from international bankers, who long resisted such law enforcement intrusions into the confidentiality of their communications. But SWIFT said in a statement that it has worked with U.S. officials to restrict the use of the data to terrorism investigations. The program is part of the Bush administration's dramatic expansion of intelligence-gathering capabilities, which includes warrantless eavesdropping on the international phone calls of some U.S. residents. Critics complain that these efforts are not subject to independent governmental reviews designed to prevent abuse, and charge that they collide with privacy and consumer protection laws in the United States. Steven Aftergood, director of the Project on Government Secrecy at the Federation of American Scientists, said the SWIFT program raises similar issues. "It boils down to a question of oversight, both internal and external. 
And in the current circumstances, it is hard to have confidence in the efficacy of their oversight," he said. "Their policy is, 'Trust us,' and that may not be good enough anymore." A former senior Treasury official expressed concern that the SWIFT program allows access to vast quantities of sensitive data that could be abused without safeguards. The official, who said he did not have independent knowledge of the program, questioned what becomes of the data, some of it presumably related to innocent banking customers. "How do you separate the wheat from the chaff?" the former official said. "And what do you do with the chaff?" More than a dozen current and former U.S. officials discussed the program on condition of anonymity, citing its sensitive nature. The effort runs counter to the expectations of privacy and security that are sacrosanct in the worldwide banking community. SWIFT promotes its services largely by touting the network's security, and most of its customers are unaware that the U.S. government has such extensive access to their private financial information. U.S. officials, some of whom expressed surprise the program had not previously been revealed by critics, acknowledged it would be controversial in the financial community. "It is certainly not going to sit well in the world marketplace," said a former counterterrorism official. "It could very likely undermine the integrity of SWIFT." Bush administration officials asked The Times not to publish information about the program, contending that disclosure could damage its effectiveness and that sufficient safeguards are in place to protect the public. Dean Baquet, editor of The Times, said: "We weighed the government's arguments carefully, but in the end we determined that it was in the public interest to publish information about the extraordinary reach of this program. It is part of the continuing national debate over the aggressive measures employed by the government." 
Under the program, Treasury issues a new subpoena once a month, and SWIFT turns over huge amounts of electronic financial data, according to Stuart Levey, the department's undersecretary for terrorism and financial intelligence. The administrative subpoenas are issued under authority granted in the 1977 International Emergency Economic Powers Act. The SWIFT information is added to a massive database that officials have been constructing since shortly after Sept. 11. Levey noted that SWIFT did not have the ability to search its own records. "We can, because we built the capability to do that," he said. Treasury shares the data with the CIA, the FBI and analysts from other agencies, who can run queries on specific individuals and accounts believed to have terrorist connections, Levey said Thursday in an interview with The Times. Levey said that "tens of thousands" of searches of the database have been done over the last five years. The program was initially a closely guarded secret, but it has recently become known to a wider circle of government officials, former officials, banking executives and outside experts. Current and former U.S. officials said the effort has been only marginally successful against Al Qaeda, which long ago began transferring money through other means, including the highly informal banking system common in Islamic countries. The value of the program, Levey and others said, has been in tracking lower- and mid-level terrorist operatives and financiers who believe they have not been detected, and militant groups, such as Hezbollah, Hamas and Palestinian Islamic Jihad, that also operate political and social welfare organizations. It's no secret that the Treasury Department tries to track terrorist financing, or that those efforts ramped up significantly after the Sept. 11 terrorist attacks. But the SWIFT program goes far beyond what has been publicly disclosed about that effort in terms of the amount of financial data that U.S. 
intelligence agencies can access.

The program also represents a major tactical shift. U.S. investigators long have been able to subpoena records on specific accounts or transactions when they could show cause -- a painstaking process designed mainly for gathering evidence. But access to SWIFT enables them to follow suspicious financial trails around the globe, identifying new suspects without having to seek assistance from foreign banks.

SWIFT is a consortium founded in 1973 to replace telex messages. It has almost 7,900 participating institutions in more than 200 countries -- including Bank of America, JP Morgan Chase Bank, Citibank and Credit Suisse. The network handled 2.5 billion financial messages in 2005, including many originating in countries such as Saudi Arabia, Pakistan and the United Arab Emirates that the United States scrutinizes closely for terrorist activity.

The system does not execute the actual transfer of funds between banks; that is carried out by the Federal Reserve and its international counterparts. Rather, banks use the network to transmit instructions about such transfers. For that reason, SWIFT's data is extremely valuable to intelligence services seeking to uncover terrorist webs.

CIA operatives trying to track Osama bin Laden's money in the late 1990s figured out clandestine ways to access the SWIFT network. But a former CIA official said Treasury officials blocked the effort because they did not want to anger the banking community.

Historically, "there was always a line of contention" inside the government, said Paul Pillar, former deputy director of the CIA's counterterrorism center. "The Treasury position was placing a high priority on the integrity of the banking system. There was considerable concern from that side about anything that could be seen as compromising the integrity of international banking."

Before Sept.
11, a former senior SWIFT executive said, providing access to its sensitive data would have been anathema to the Belgium-based consortium. But the attacks on the World Trade Center and the Pentagon led to a new mind-set in many industries, including telecommunications. SWIFT said the Treasury Department's Office of Foreign Assets Control sent the first subpoena shortly after Sept. 11, seeking "limited sets of data" to learn about how Al Qaeda financed the attacks. Unlike telephone lines and e-mail communications, the SWIFT network cannot be easily tapped. It uses secure log-ins and state-of-the-art encryption technology to prevent intercepted messages from being deciphered. "It is arguably the most secure network on the planet," said the former SWIFT executive who spoke on condition of anonymity. "This thing is locked down like Fort Knox." SWIFT said it was responding to compulsory subpoenas and negotiated with U.S. officials to narrow them and to establish protections for the privacy of its customers. SWIFT also said it has never given U.S. authorities direct access to its network. "Our fundamental principle has been to preserve the confidentiality of our users' data while complying with the lawful obligations in countries where we operate," SWIFT said in its statement. Current and former U.S. officials familiar with the SWIFT program described it as one of the most valuable weapons in the financial war on terrorism, but declined to provide even anecdotal evidence of its successes. A former high-ranking CIA officer said it has been a success, and another official said it has allowed U.S. counterterrorism officials to follow a tremendous number of leads. CIA officials pursue leads overseas, and the FBI and other agencies pursue leads in the United States, where the CIA is prohibited from operating. 
Officials said the program is relied upon especially heavily when intelligence chatter from phone and e-mail intercepts suggests an imminent attack, conveying real-time intelligence for counterterrorism operations.

The former SWIFT executive said much can be learned from network messages, which require an actual name and address of both the sender and recipient, unlike phone calls and e-mails, in which terrorist operatives can easily disguise their identities. "There is a good deal of detail in there," he said.

As the global war on terrorism has succeeded in taking out some senior terrorists and their financiers, particularly within Al Qaeda, the organization and its many affiliates have sought to move to hidden locations and to transfer their money through proxies such as charities, aid organizations and corporate fronts.

The officials said the SWIFT information can be used in "link analysis." That technique allows analysts to identify any person with whom a suspected terrorist had financial dealings -- even those with no connection to terrorism. That information is then mapped and analyzed to detect patterns, shifts in strategy, specific "hotspot" accounts, and locations that have become new havens for terrorist activity.

The SWIFT program is just one of the Bush administration's post-Sept. 11 initiatives to collect intelligence that could include information on U.S. residents. The National Security Agency, which can intercept communications around the world, is eavesdropping on the telephone calls and e-mails of some U.S. residents without obtaining warrants. And it has been accused of asking telecommunications companies to help create a database of the phone-call records of almost all Americans. The Justice Department also has asked Internet companies to keep records of the websites customers visit and the people they e-mail for two years, rather than days or weeks, which would greatly expand the government's ability to track online activity.
Numerous lawsuits have been filed against the government and phone companies, challenging the NSA efforts. The government has asked courts to throw them out, invoking the "state secrets" privilege and arguing that trials would compromise national security. The NSA's interception of telephone calls also has been criticized for lacking an independent review process to ensure that the information is not abused. The SWIFT program raises similar concerns, some critics say. Privacy advocates have questioned "link analysis" because it can drag in innocent people who have routine financial dealings with terrorist suspects. And no outside governmental oversight body, such as the Foreign Intelligence Surveillance Court or a grand jury, monitors the subpoenas served on SWIFT. Levey said the program is subject to "robust" checks and balances designed to prevent misuse of the data. He noted that requests to access the data are reviewed by Treasury's assistant secretary for intelligence; that analysts can only access the data for terrorism-related searches; and that records are kept of each search and are reviewed by an outside auditor for compliance. Levey said there had been one instance of abuse in which an analyst had conducted a search that did not meet the terrorist-related criteria. The analyst was subsequently denied access to the database, he said. During the last five years, SWIFT officials have raised concerns about the scope of the program, particularly at the outset, when it was handing over virtually its entire database. The amount of data handed over each month has been winnowed down. "The safeguards were not all there in September 2001," Levey acknowledged. "We started narrowing it from the beginning." New safeguards have been added, he said, noting that SWIFT officials are now allowed to be present when analysts search the data and to raise objections with top officials. 
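The "link analysis" the officials describe above, together with the critics' point that it sweeps in people who merely had routine dealings with a suspect and the query-justification and search-log controls Levey describes, as an added illustration. This is not code from the article, from Treasury or from SWIFT: the transfer records, account numbers and names are constructed, and the justification rule and log format are assumptions standing in for controls whose actual form the article does not describe.

```python
"""Added example (not from the article, Treasury or SWIFT): a toy "link
analysis" over constructed interbank-transfer records, showing how a
two-hop expansion from one suspect account sweeps in counterparties that
never dealt with the suspect at all, plus a per-query audit record of the
kind the article says Treasury keeps. All records and rules are invented."""
from collections import defaultdict, deque
from dataclasses import dataclass, field

# Constructed sample records, loosely modelled on the "name and account
# number of sender and receiver" content the article attributes to SWIFT
# payment messages. No real people, accounts or institutions.
SAMPLE_TRANSFERS = [
    # (sender_acct, sender_name, receiver_acct, receiver_name, amount)
    ("ACC-001", "Suspect S", "ACC-002", "Charity C", 9000),
    ("ACC-001", "Suspect S", "ACC-003", "Front Co F", 12000),
    ("ACC-002", "Charity C", "ACC-004", "Grocer G", 300),
    ("ACC-005", "Donor D", "ACC-002", "Charity C", 50),
    ("ACC-003", "Front Co F", "ACC-006", "Landlord L", 2500),
    ("ACC-006", "Landlord L", "ACC-007", "Plumber P", 400),
    ("ACC-008", "Unrelated U", "ACC-009", "Unrelated V", 700),
]


def build_graph(transfers):
    """Undirected counterparty graph: account -> set of accounts it has
    sent money to or received money from."""
    graph = defaultdict(set)
    for sender, _, receiver, _, _ in transfers:
        graph[sender].add(receiver)
        graph[receiver].add(sender)
    return graph


def link_analysis(graph, seed, max_hops):
    """Breadth-first expansion from `seed`. Returns {hop: set(accounts)}
    for hops 1..max_hops: hop 1 is the seed's direct counterparties,
    hop 2 their counterparties, and so on. Each account is reported
    once, at the shortest distance from the seed."""
    seen = {seed}
    frontier = deque([(seed, 0)])
    by_hop = defaultdict(set)
    while frontier:
        acct, depth = frontier.popleft()
        if depth >= max_hops:
            continue
        for nbr in graph.get(acct, ()):
            if nbr not in seen:
                seen.add(nbr)
                by_hop[depth + 1].add(nbr)
                frontier.append((nbr, depth + 1))
    return dict(by_hop)


def bystanders(graph, seed, max_hops):
    """Accounts reached by the expansion that never transacted with the
    seed directly: the "chaff" the former Treasury official worries about."""
    reached = set().union(*link_analysis(graph, seed, max_hops).values())
    return reached - graph.get(seed, set())


@dataclass
class AuditedStore:
    """Wraps the graph with two controls modelled on the article's account
    (assumed form): a query must carry a terrorism-related justification,
    and every attempt, accepted or rejected, is logged for an auditor."""
    graph: dict
    audit_log: list = field(default_factory=list)

    def query(self, analyst, seed, max_hops, justification):
        # Assumption: justification is a free-text tag that must begin
        # with "terrorism"; the real criteria are not described.
        if not justification.strip().lower().startswith("terrorism"):
            self.audit_log.append((analyst, seed, max_hops, "REJECTED"))
            raise PermissionError("query lacks a terrorism-related justification")
        self.audit_log.append((analyst, seed, max_hops, justification))
        return link_analysis(self.graph, seed, max_hops)


if __name__ == "__main__":
    g = build_graph(SAMPLE_TRANSFERS)
    for hops in (1, 2, 3):
        print(hops, "hop(s), bystanders:", sorted(bystanders(g, "ACC-001", hops)))
```

Running it shows the fan-out the article's critics object to: one hop from the seed reaches only its two direct counterparties, two hops add three accounts that never transacted with the seed, and the disconnected pair ACC-008/ACC-009 is never reached however many hops are allowed. The justification check here is a bare string-prefix test, the weakest possible form of such a control; the rejected attempt is logged as well, since the article's one reported abuse case was caught from the search records.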
Officials from other government agencies have raised the issue of accessing the records for other investigative purposes, but Levey said such proposals have been rejected -- largely out of concern that doing so might erode support for the program. Asked what would prevent the data from being used for other purposes in the future, Levey said doing so would likely trigger objections from SWIFT and the outside auditor. A SWIFT representative said that Booz Allen Hamilton, an international consulting firm, is the auditor but provided no further details on how the oversight process works.

Although the searches focus on suspected terrorist activity overseas, U.S. officials acknowledged that they do delve into the financial activities of Americans, noting that privacy laws don't protect individuals believed to be acting as a "foreign terrorist agent."

Officials said the administration has briefed congressional intelligence committees on the SWIFT program. In contrast, information on the NSA wiretapping was shared only with key lawmakers. One senior congressional aide said the committees have "a good handle on what the executive branch is doing to track terrorist financing" and are generally supportive of those efforts.

But the operation seems to have been kept secret from key segments of the banking industry, including senior executives in the United States and overseas. John McKessy, chairman of the SWIFT user group in the United States, said he was unaware of any such program. McKessy represents companies and institutions that are not members of the SWIFT cooperative but use its messaging system.

SWIFT noted that its published policies clearly indicate that it cooperates with law enforcement authorities and that the subpoenas were "discussed carefully within the board," made up of members from 25 major banks. SWIFT said it has also kept informed an oversight committee drawn from the central banks of the major industrial countries.
The SWIFT program plugs a gap in global efforts to track terrorism financing. In the United States, law enforcement authorities can access bank records if they get permission through the legal process. The FBI also has various legal ways to get almost instantaneous access to financial records. And U.S. banking laws require financial institutions to file Suspicious Activity Reports, but authorities believe Al Qaeda and other terrorist groups know how to evade the activities that trigger such red flags. U.S. officials, however, long have complained that they cannot get access to financial records overseas and that some requests for cooperation from foreign governments and financial institutions took months, while others were rebuffed. "The sort of 18th century notions on this stuff drive me nuts," said one senior U.S. counterterrorism official. "Somebody can move money with the click of a mouse, but it takes me six months to find it. If that is the world in which we live, you have to understand the costs involved with that." The Sept. 11 commission urged the government in its July 2004 report on the U.S. intelligence failures leading up to the terrorist attacks to put more emphasis on tracking the flow of funds, rather than seeking to disrupt them, to learn how terrorist networks are organized. Lee Hamilton, a former congressman and co-chairman of the commission who said he has been briefed on the SWIFT program, said U.S. intelligence agencies have made significant progress in recent years, but are still falling short. "I still cannot point to specific successes of our efforts here on terrorist financing," he said. From rforno at infowarrior.org Fri Jun 23 08:31:55 2006 From: rforno at infowarrior.org (Richard Forno) Date: Fri, 23 Jun 2006 08:31:55 -0400 Subject: [Infowarrior] - Will Congress Unwittingly Repeal the DMCA and Violate Our Trade Treaties? 
Message-ID:

http://www.ipi.org/ipi%5CIPIPublications.nsf/PublicationLookupFullText/B683D67C12D0BAB78625719400653CD7

IPI Issue Brief
A Bad Trade: Will Congress Unwittingly Repeal the Digital Millennium Copyright Act and Violate Our Trade Treaties?
by Lee Hollaar on 06/23/2006

In his recent IPI Ideas paper "Will Congress Circumvent the DMCA?," Richard Epstein notes how the "other purposes" of Rep. Boucher's (D-VA) H.R. 1201 "could eviscerate the already inadequate protection that federal law provides against copyright policy." Professor Epstein is too kind toward the Boucher bill. If passed with its proposed language, it would effectively repeal all of the anticircumvention provisions of the 1998 Digital Millennium Copyright Act (DMCA), and thereby violate a number of current trade treaties, including the recently-ratified Central America-Dominican Republic Free Trade Agreement (CAFTA-DR).

Why Anticircumvention Legislation?

Congress, at the time the DMCA was being considered, was concerned over the widespread copyright infringement that was occurring on the Internet. Copyright litigation is expensive and not geared toward addressing millions of small infringers. Statutory damages are based on the number of works infringed, and not the number of downloads, so that a person sharing even a hundred songs would be liable for at least $75,000.1 Such a minimum penalty actually discourages content providers from filing suit, since they must be concerned that the court might try to find an excuse for the infringement to avoid imposing the statutory damages that then becomes a bad precedent.

Digital rights management, while far from perfect, provides an attractive alternative to litigation. By making it more difficult to infringe a copyright, users are reminded that what they are about to do may not be legal.
But if circumvention devices or programs were available through legitimate sources or as a standard feature in a media program, this important clue would be lost. Congress has previously dictated copy protection for digital devices as digital sound recording devices,2 and banned the use and trafficking in cable TV descramblers3 and satellite decoders.4 While those laws have not eliminated such illegal devices, there is no doubt that people are aware through the way they are advertised and are available that they are illegitimate, and the vast majority of people shun them. Implementing the WIPO Copyright Treaty To understand the effect of H.R. 1201, it is necessary to understand how the DMCA anticircumvention provisions came about and are structured. They were added to United States copyright law to implement our treaty obligations under the World Intellectual Property Organization (WIPO) Copyright Treaty. Its Article 11 states: Contracting Parties shall provide adequate legal protection and effective legal remedies against the circumvention of effective technological measures that are used by authors in connection with the exercise of their rights under this Treaty or the Berne Convention and that restrict acts, in respect of their works, which are not authorized by the authors concerned or permitted by law.5 Although there may be legitimate uses for circumvention technology, Congress decided that the most likely use was copyright infringement. Recognizing that there may be things that could be used to circumvent a protection mechanism (such as a computer program debugger), it did not ban every device or computer program that might circumvent a protection mechanism. 
Instead, it banned technology that:

(A) is primarily designed or produced for the purpose of circumventing protection afforded by a technological measure that effectively protects a right of a copyright owner under this title [the Copyright Act] in a work or a portion thereof;

(B) has only limited commercially significant purpose or use other than to circumvent protection afforded by a technological measure that effectively protects a right of a copyright owner under this title in a work or a portion thereof; or

(C) is marketed by that person or another acting in concert with that person with that person's knowledge for use in circumventing protection afforded by a technological measure that effectively protects a right of a copyright owner under this title in a work or a portion thereof.6

Both (A) and (C) are good examples of the active and intentional inducement of copyright infringement that the unanimous Supreme Court condemned in its recent Grokster decision,7 and (B) makes the reasonable assumption that a company benefits not from some commercially-insignificant activity, but by its use for infringement by others.

The anticircumvention provisions of the DMCA are really about traffickers in circumvention technology, not about those using it. It keeps things off the shelves of stores so they don't seem legitimate. But provide a loophole, and you'll see the devices being sold or the programs available, perhaps with a warning not to use them to infringe (along with a wink).

Circumventing to Access a Copyrighted Work

Before the DMCA, Congress had considered legislation proposed in the Clinton Administration's "white paper" on copyright in the digital age.8 It proposed a simple anticircumvention provision:

No person shall import, manufacture or distribute any device, product, or component incorporated into a device or product, or offer or perform any service, the primary purpose or effect of which is to avoid, bypass, remove, deactivate, or otherwise circumvent, without the authority of the copyright owner or the law, any process, treatment, mechanism or system which prevents or inhibits the violation of any of the exclusive rights of the copyright owner under section 106.

No exceptions of any kind were proposed.

When the DMCA was introduced in the 105th Congress, it contained a similar provision as Section 1201(b), but also contained a new right for copyright owners -- "No person shall circumvent a technological protection measure that effectively controls access to a work protected under title 17," -- as Section 1201(a)(1). Section 1201(a)(2) mirrored the ban against trafficking in circumvention devices of 1201(b), but for "circumvention to access" instead of "circumvention to infringe."

As an example, if an effective technological protection measure limits access to the plain text of a work only to those with authorized access, but provides no additional protection against copying, displaying, performing or distributing the work, then a potential cause of action against the manufacturer of a device designed to circumvent the measure lies under subsection 1201(a)(2), but not under subsection 1201(b).9

There is little explanation given in the legislative history of the DMCA on why this new right was given to copyright owners.
It does avoid the question of whether a copy of a work is made when the work is being accessed, say in a buffer in a computer's memory, and whether that copy is sufficiently permanent to make its creation an infringement.10 This could be a concern when determining whether streaming audio or using a computer program stored on a server results in an infringement, and if so, whether it is by the provider or the user.

Beyond an objection to anticircumvention in general, there was no opposition to Section 1201(a)'s circumvent-to-access provision as the DMCA was being considered, except for a concern that it might allow the unwarranted locking-up of material not protected by copyright. Congress addressed that with a provision allowing the Copyright Office to issue rules every three years exempting classes of works from the provision upon a showing of an impact on criticism, comment, news reporting, teaching, scholarship, or research and the effect of allowing circumvention on the market value of the copyrighted works.

The Boucher Bill, A Wolf in Sheep's Clothing?

On October 3, 2002, Rep. Rick Boucher (D-VA) along with Rep. John Doolittle (R-CA) introduced H.R. 5544, the "Digital Media Consumers' Rights Act of 2002." The day before, Rep. Zoe Lofgren (D-VA) had introduced H.R. 5522, which proposed a number of changes to the DMCA anticircumvention provisions. But instead of the clear changes to the DMCA proposed by Rep. Lofgren, Rep. Boucher put his changes at the end of the bill dealing with mislabeled music CDs, and called them "other purposes" in the bill summary.

Rep. Boucher reintroduced his bill in the 108th Congress, changing only "2002" to "2003" in the title. But this time, he was able to get the number H.R. 107, a play on the section number for the "fair use" provision of the Copyright Act. For the current Congress, he made some minor changes and was able to snag the number H.R. 1201, this time a play on the section number of the DMCA anticircumvention provisions.

Under the heading "Fair Use Restoration," H.R. 1201 makes two short changes to Section 1201. First, it changes 1201(c) so that it would read:

Nothing in this section shall affect rights, remedies, limitations, or defenses to copyright infringement, including fair use, under this title and it is not a violation of this section to circumvent a technological measure in order to obtain access to the work for purposes of making noninfringing use of the work.

(The added language, italicized in the original, is the clause beginning "and it is not a violation of this section".)

It also adds a new paragraph to 1201(c):

(5) Except in instances of direct infringement, it shall not be a violation of the Copyright Act to manufacture or distribute a hardware or software product capable of substantial noninfringing uses.

We'll look at the new paragraph first.

Come Up With a Use, Avoid Liability

The new paragraph says that anyone who manufactures or distributes software or hardware will not have any liability for copyright infringement if it is capable of any substantial noninfringing use.11 Presumably, what Rep. Boucher is trying to do is codify the Supreme Court's Sony Betamax decision. But as Professor Epstein noted, there has been a dramatic change in the theory of indirect liability for copyright infringement with the Supreme Court's unanimous decision in Grokster.

The Supreme Court in Grokster recognized the problem with the Sony test. It is hard to imagine a device or computer program used to reproduce, display, or distribute a copyrighted work that would not be capable of a substantial noninfringing use under one of the many exceptions to infringement in copyright law.
Copyright law provides a variety of special exceptions to the exclusive rights of the copyright owner.12 Libraries can make a single copy of a work in certain circumstances.13 A computer program can be duplicated to create an archive copy.14 Works can be performed or displayed in a classroom setting.15 Judge Posner, in his Aimster opinion, noted a variety of possible noninfringing uses for peer-to-peer technology.16

The "capable of substantial noninfringing uses" test comes from patent law. But in contrast to copyright, the patent statutes provide only a very limited statutory exception for patent infringement during the required testing of a drug.17 In addition, the courts have allowed an "experimental use" defense to a charge of patent infringement, but it is far narrower than copyright's "fair use" defense, being limited to making or using the patented invention solely "for amusement, to satisfy idle curiosity or for strictly philosophical inquiry."18 In contrast, for almost every copyrighted work of any commercial value there is some fair use, such as including a snippet of the work in a review or criticism of the work.

Since it is almost always possible to state a substantial noninfringing use of a work that is protected by a copy control mechanism, under Rep. Boucher's bill it would be possible for anybody to traffic in devices that circumvent the protection mechanism even when they know that that will not be the way the device will be most often used. And because it should be possible to dream up some substantial noninfringing use for any circumvention program or tool, what Rep. Boucher is really proposing is that the DMCA prohibitions on trafficking in such devices be effectively repealed, although he doesn't come right out and say that.

H.R. 1201 Effectively Repeals 1201(a), Too

The second stealthy provision in H.R. 1201 effectively repeals Section 1201(a)(1)'s prohibition against circumventing to gain access to a copyrighted work. (Section 1201(a)(2)'s trafficking provision is gutted along with Section 1201(b) discussed above, since the same loophole is created.)

To understand how it does this, you have to remember the two types of circumventions discussed above. Section 1201(b) addresses "circumvention to infringe," and only has a trafficking provision since any infringement that results is already a violation of the copyright statutes. Section 1201(a), on the other hand, addresses "circumvention to access," which is of importance only when there is not an infringement.

H.R. 1201 adds the following: "It is not a violation of [Section 1201] to circumvent a technological measure in order to obtain access to the work for purposes of making noninfringing use of the work." With that change, you would only violate the circumvention-by-access section, Section 1201(a), if you also infringe. But infringement is already prohibited by the copyright statutes, and so Section 1201(a) becomes redundant.

The Effect on Recent Trade Agreements

Since the passage of the DMCA in 1998, the United States has included language that parallels the anticircumvention provisions of the DMCA in trade pacts. For example, the recently-adopted Central America-Dominican Republic Free Trade Agreement (CAFTA-DR) Article 15.5 requires that all parties to the agreement (including the United States) have it be a violation if a person --

(i) circumvents without authority any effective technological measure that controls access to a protected work, performance, phonogram, or other subject matter; or

(ii) manufactures, imports, distributes, offers to the public, provides, or otherwise traffics in devices, products, or components, or offers to the public or provides services, that:

(A) are promoted, advertised, or marketed for the purpose of circumvention of any effective technological measure; or

(B) have only a limited commercially significant purpose or use other than to circumvent any effective technological measure; or

(C) are primarily designed, produced, or performed for the purpose of enabling or facilitating the circumvention of any effective technological measure,

mirroring the current language of Section 1201(a) of the DMCA. It goes on to state --

Each Party shall provide that a violation of a measure implementing this paragraph is a separate civil cause of action or criminal offense, independent of any infringement that might occur under the Party's law on copyright and related rights.

It also limits the exceptions that can be made to the anticircumvention law, generally mirroring those in the DMCA. Similar provisions are in the trade agreements with Australia, Bahrain, Chile, Morocco, Oman, and Singapore, as well as one being negotiated with Colombia, Ecuador, and Peru.19

Adoption of H.R. 1201 would likely mean that we would no longer be in compliance with those trade agreements, which contain other provisions that substantially benefit the United States.

Is it Worth it?

It might be worth trying to change, or even dumping, those trade agreements if the anticircumvention provisions of the DMCA, and in particular the trafficking provisions and the circumvention-to-access provision that would be effectively repealed if H.R. 1201 becomes law, were causing real problems. But it appears that they are not.
In the almost eight years since the DMCA was enacted, there have been only a handful of cases regarding Section 1201. Some involved people who were clearly trafficking in anticircumvention programs, and the courts after considering their arguments regarding the provisions affecting fair use and free speech soundly rejected them.20 On the other hand, in the cases where the anticircumvention provisions were being stretched to protect garage door opener controllers21 or laser printer toner cartridges,22 the courts have had no problem in finding that the DMCA provisions were applicable.

The case commonly mentioned regarding the chilling effects on research of the DMCA anticircumvention provisions involved Princeton professor of computer science Edward Felten, who received a threatening letter from the Recording Industry Association of America (RIAA) regarding his proposed publication of results from a test of a new protection mechanism. (He was able to crack it.) Even after the RIAA backed off, Felten took the case to court to try to have the DMCA struck down, but was unsuccessful. His efforts were not "chilled" so much as he was seizing an opportunity to try to get the DMCA struck down in court.

The Electronic Frontier Foundation (EFF) runs a "Chilling Effects" web site,23 soliciting examples of how the DMCA anticircumvention provisions (and other laws) affect researchers and companies. It only lists eleven instances of cease and desist notices from alleged circumvention activities: one in 2000 (when the site was established), three in 2001, two in 2002, none in 2003, one in 2004, one in 2005, and two related letters in 2006. Many appear to be legitimate concerns and, in any case, these are hardly the abuse that warrants violating important and hard-fought-for trade agreements.
While it may be argued that those reports are just the tip of the iceberg, and that people are not innovating because they are concerned about violating the DMCA anticircumvention provisions, it is more likely that any chilling comes from the overheated rhetoric of the DMCA opponents who use it as a boogie man to get people to support their calls for repeal, and not what has actually happened since the enactment of the DMCA in 1998.

H.R. 1201 should not be the mechanism for putting the United States in violation of its trade agreements. If such a far-reaching decision is to be made, it should be after careful debate based on an understanding of the anticircumvention provisions. It should not happen by the passage of a misleading bill that repeals the provisions through stealth.

Endnotes

1. See 17 U.S.C. § 504(c). If the "infringer was not aware and had no reason to believe that his or her acts constituted an infringement of copyright, the court in its discretion may reduce the award of statutory damages to a sum of not less than $200" or $20,000 for our hypothetical "sharer" for 100 files.
2. 17 U.S.C. § 1002(c).
3. 47 U.S.C. § 553(a)(2).
4. 47 U.S.C. § 605(e)(4).
5. The full text of the treaty, along with other information about it, can be found at http://www.wipo.int/treaties/en/ip/wct/
6. 17 U.S.C. § 1201(b)(1).
7. MGM v. Grokster, decided June 27, 2005, available at http://straylight.law.cornell.edu/supct/html/04-480.ZO.html. For a discussion of inducement liability before and after Grokster, particularly with respect to the Sony decision, see my paper "Sony Revisited" at http://digital-law-online.info/papers/lah/sony-revisited.htm.
8. Intellectual Property and the National Information Infrastructure, Report of the Working Group on Intellectual Property Rights, Information Infrastructure Task Force, September 1995, available at http://www.uspto.gov/web/offices/com/doc/ipnii/. This report also influenced the U.S. negotiators of the WIPO Copyright Treaty.
9. Sen. Rep. 105-190, at 12.
10. See MAI v. Peak, 991 F.2d 511 (Ninth Cir., 1993), holding that loading a computer program into memory creates a copy that infringes if not otherwise permitted.
11. That test comes from the Supreme Court's decision in Sony v. Universal City Studios, 464 U.S. 417 (1984). It is not clear what they considered a "substantial" use, with some contending that it should be a commercially-significant use while others argue that it should be any use that is not just a pretext for other infringement.
12. See 17 U.S.C. §§ 107-122.
13. 17 U.S.C. § 108(a).
14. 17 U.S.C. § 117(a).
15. 17 U.S.C. § 110(1).
16. In re: Aimster Copyright Litigation, 334 F.3d 643, 652-653 (7th Cir. 2003).
17. See 37 U.S.C. § 271(e).
18. Roche Products v. Bolar Pharmaceutical, 733 F.2d 858, 863 (Fed. Cir. 1984). Subsection (e) was added to 37 U.S.C. 271 in 1984 specifically to provide an exception to this case, but Congress declined to provide a general "fair use" exception to patent infringement.
19. Information on current and pending trade agreements can be found at http://www.ustr.gov/Trade_Agreements/Section_Index.html
20. See, for example, Universal City Studios v. Corley, 273 F.3d 429 (Second Cir. 2001).
21. See Chamberlain v. Skylink, 381 F.3d 1178 (Fed. Cir. 2004).
22. See Lexmark v. Static Control Components, 387 F.3d 522 (Sixth Cir. 2004).
23. See http://www.chillingeffects.org/anticircumvention/notice.cgi.

About the Author

Lee Hollaar is a professor of computer science in the School of Computing at the University of Utah, where he teaches computer networking and intellectual property and computer law. He is the author of Legal Protection of Digital Information (BNA Books, 2002), available on the Internet along with a number of his papers at http://digital-law-online.info. He was a Committee Fellow with the Senate Judiciary Committee during the time the DMCA was being drafted.
From rforno at infowarrior.org Fri Jun 23 08:53:52 2006
From: rforno at infowarrior.org (Richard Forno)
Date: Fri, 23 Jun 2006 08:53:52 -0400
Subject: [Infowarrior] - Capability =| Threat for Security Planning
Message-ID:

Excerpt from Bill Arkin's latest blog entry on WaPo. Couldn't have said it better myself......the full entry deserves reading......rf

< ->

Terrorists have the "capability" to obtain illicit nuclear materials, the "capability" to fabricate 10-kiloton nuclear devices, the "capability" to smuggle not one but two nuclear devices into the United States, and the "capability" to get one of those nuclear devices to downtown D.C. and detonate it. A terrorist group has been given all of these "capabilities," by someone writing a fictional account of a non-existent organization.

Don't you get it? "Actual terrorist organizations' capabilities" become plausible threats through sheer repetition and the WMD stranglehold. The threats, realistic or not, influence policy and plans. In turn, those policies and plans make the threats seem real. The necessity for war against Saddam Hussein, a U.S. first strike on North Korea, a suspension of U.S. law to fight the Universal Adversary -- pretty soon just about anything can be justified to keep those mushroom clouds away.

<- >

Thousands of federal government employees evacuate to their bunkers, hundreds of federal, state, and local officials "practice" disaster response to a nuclear attack, the FBI and "Delta Force" like commandos take to the domestic alleyways in Top Secret operations, all because a butterfly flapped its wings in Asia. It all ties in so nicely.

http://blog.washingtonpost.com/earlywarning/2006/06/the_attack_has_already_happene.html

From rforno at infowarrior.org Fri Jun 23 16:14:41 2006
From: rforno at infowarrior.org (Richard Forno)
Date: Fri, 23 Jun 2006 16:14:41 -0400
Subject: [Infowarrior] - U.S. unprepared for Net meltdown, blue chips warn
Message-ID:

U.S. unprepared for Net meltdown, blue chips warn
By Anne Broache
http://news.com.com/U.S.+unprepared+for+Net+meltdown%2C+blue+chips+warn/2100-7348_3-6087470.html
Story last modified Fri Jun 23 12:49:44 PDT 2006

The United States has never experienced a massive Internet outage, but a coalition of dynamic chief executives said Friday that the nation must do more to prepare for that prospect. The cautionary document (click here for PDF) was a product of the Business Roundtable, whose 160 corporate members include companies ranging from Hewlett-Packard, IBM and Sun Microsystems to General Motors, Home Depot and Coca-Cola. All told, the group's high-rolling membership counts $4.5 trillion in annual revenues, more than 10 million employees, and nearly a third the total value of the U.S. stock market.

Experts remain divided on the likelihood that a "cyber Katrina" will occur, as the roundtable itself acknowledges. But many sectors of the economy continue to urge the government to be better prepared, should such an event occur. Without proper planning, myriad industries--from health care to transportation to financial services--could face devastation if a natural disaster, terrorist or hacker succeeds in disrupting Net access, they charged.

"There is no national policy on why, when and how the government would intervene to reconstitute portions of the Internet or to respond to a threat or attack," the report said. Private-sector companies may have individual readiness plans, but they aren't prepared to work together on a wide scale to restore normal activity, the businesses said.

The report called for the government to take a number of actions, including:
- setting up a global advance-warning mechanism, akin to those broadcasted for natural disasters, for Internet disruptions
- issuing a policy that clearly defines the roles of business and government representatives in the event of disruptions
- establishing formal training programs for response to cyberdisasters
- and allotting more federal funding for cybersecurity protection.

The U.S. Computer Emergency Readiness Team, or US-CERT, which bears primary responsibility for coordinating responses to cyberattacks, receives on average $70 million per year, or about 0.2 percent of the entire U.S. Department of Homeland Security budget, the report noted.

The suggestions drew praise from the Cyber Security Industry Alliance. That organization, composed of computer security firms, has long been lobbying for additional actions in the cybersecurity realm by Congress and the Bush administration. "A massive cyberdisruption could have a cascading, long-term impact without adequate coordination between government and the private sector," said Paul Kurtz, the alliance's executive director. "The stakes are too high for continued government inaction."

Homeland Security has borne the brunt of the criticism for alleged inaction, though the agency did lead a mock cyberattack and response earlier this year. An analysis of that exercise is expected this summer.

Copyright ©1995-2006 CNET Networks, Inc. All rights reserved.

From rforno at infowarrior.org Fri Jun 23 16:39:08 2006
From: rforno at infowarrior.org (Richard Forno)
Date: Fri, 23 Jun 2006 16:39:08 -0400
Subject: [Infowarrior] - White House Says Tracking Bank Data Deters Terror
Message-ID:

June 23, 2006
White House Says Tracking Bank Data Deters Terror
By ERIC LICHTBLAU and SHERYL GAY STOLBERG
http://www.nytimes.com/2006/06/23/washington/23cnd-react.html?ei=5094&en=9d9f4dbd36e17ed4&hp=&ex=1151121600&partner=homepage&pagewanted=print

WASHINGTON, June 23 -- The White House on Friday vigorously defended a secret program of combing through a vast international data base containing banking transactions involving thousands of Americans. Vice President Dick Cheney and other officials said the program, whose existence was revealed today in an article in The New York Times, was both legal and necessary to deter terrorism.
Treasury Secretary John Snow, in his first public remarks about the program, called it "government at its best." He told reporters that the operation, first disclosed today in The New York Times, was carefully controlled to trace only those transactions with an identifiable link to possible terrorist activity. "There can't be any doubt about the fact that the program is an effective weapon, an effective weapon in the larger war on terror," he said. "It's for that reason that these disclosures of the particular sources and methods are so regrettable."

Separately, President Bush's spokesman, Tony Snow, said the program complies with "the letter and spirit of the law." He said members of Congressional intelligence committees had been apprised of the program, though he did not provide specifics. Mr. Snow derided criticisms of the program as "entirely abstract in nature." He said it had been subjected to outside auditing, and that the president did not need to seek authorization from Congress for it. "Let me tell you why this is important: it works," Mr. Snow said. "It is sought only for terrorism investigations. A series of safeguards have been put in place."

The banking consortium, known as Swift, that maintains the database gave no sign today that it was rethinking its relationship with the American government, despite the sudden glare of publicity aimed at an organization that generally keeps a very low profile. Prior to publication of the article, some backers of the program had expressed concerns that Swift, based in Brussels, could be prompted to pull out of the program if its role were revealed -- particularly in light of sharp anti-American sentiments in parts of Europe. But an official with Swift, speaking on condition of anonymity, said today that there had been "no discussions" about a withdrawal. Still, there were indications of possible disagreements between Swift and the American government over the group's role and how it came to cooperate.

Swift has said that its role in the program was never voluntary, that it was obligated to comply with a valid subpoena presented by American officials, and that it worked to narrow the range of data it provided. But Secretary Snow offered a different account at a news conference today. He said that after the Sept. 11 attacks, Treasury officials initially presented Swift with "really narrowly crafted subpoenas all tied to terrorism," only to be told by Swift that it did not have the ability to "extract the particular information from their broad data base." "So they said, 'we'll give you all the data,' " Secretary Snow said.

News of the program's existence renewed concerns about civil liberties first raised last year when The Times reported on another secret program, conducted by the National Security Agency, involving eavesdropping on telephone communications without court warrants. Both disclosures prompted complaints to the administration from members of Congress, who are calling for more oversight, and from advocates for civil liberties. "I am very concerned that the Bush Administration may be once again violating the Constitutional rights of innocent Americans, as part of another secret program created in the aftermath of the Sept. 11th attacks," Representative Ed Markey, a Massachusetts Democrat who has made privacy a signature issue, said in a statement. The executive director of the American Civil Liberties Union, Anthony D. Romero, condemned the program, calling it "another example of the Bush administration's abuse of power."

But Mr. Snow, the White House press secretary, said Americans by and large supported the eavesdropping program. "You can go ahead and look at your own polling, and you will find that Americans -- if somebody says, 'Do you want a program that listens in on people who have been identified as al Qaeda terrorists?' -- the answer would be, 'Yes, I would like to do that. I would like to find data on it.'"

The press secretary made his remarks during a lengthy morning briefing, during which he at times grew uncharacteristically testy. At one point, he accused news organizations like CNN, The New York Times and The Los Angeles Times of collecting personal data from visitors to their web sites without disclosing it. At another, he grew exasperated when Helen Thomas, a longtime White House correspondent, interrupted him, and told her to "stop heckling and let me conduct the press conference."

From rforno at infowarrior.org Fri Jun 23 20:11:08 2006
From: rforno at infowarrior.org (Richard Forno)
Date: Fri, 23 Jun 2006 20:11:08 -0400
Subject: [Infowarrior] - Microsoft to publish its privacy rules
Message-ID:

Microsoft to publish its privacy rules
By Joris Evers
http://news.com.com/Microsoft+to+publish+its+privacy+rules/2100-1029_3-6087538.html
Story last modified Fri Jun 23 16:51:02 PDT 2006

MOUNTAIN VIEW, Calif.--Microsoft plans in August to publicly release the privacy rules its employees have to follow when developing products. The move, which offers a look behind the scenes at Microsoft, is meant to give the industry an example of what the software giant sees as best practices in customer privacy, said Peter Cullen, the chief privacy strategist at Microsoft. "We think that this is information that partners and others could benefit from. Lots of people build and develop applications," Cullen said in an interview Thursday. "The privacy development standards will not only be made public, but we will actively be promoting their use so that others can benefit from what we've learned."

The privacy rules offer guidelines on providing people with proper notification and options in certain situations--for example, when a software application is about to send information via the Internet to its maker, Cullen said.
Microsoft believes it is the first major software company to publish these guidelines. "This is designed for an IT pro or a developer, in terms of: 'If you're building an application that does X, this is what we think should be built,'" he said. "The public document will use a lot of 'shoulds.' Inside Microsoft, those are 'musts.'"

While the release of the guidelines will likely not have any immediate effect on consumer privacy, it is a positive development, privacy watchers said. "Microsoft is advancing the dialog about how privacy issues are addressed by the technology providers," said James Van Dyke, an analyst at Javelin Strategy & Research. "This will force other technology firms to similarly comply, rebut or propose alternative positions, all of which will move us closer to deciding acceptable use of private information through technology."

The company has a single, global privacy policy, Cullen said. This means that the same policy applies even in countries that have limited or no privacy regulation.

Microsoft's privacy reputation is not untarnished. Earlier this month, it faced criticism for not disclosing that one of its antipiracy tools, called Windows Genuine Advantage Notifications, pinged the company every time a PC was booted up. Microsoft has offered a public mea culpa and has said it will adjust the frequency of the calls home. "We have a basic promise that we will be as transparent as possible," Cullen said. "We neglected the area of the notifications, so that's definitely going to be changed...It's just an oversight."

Some of Microsoft's practices are impressive and commendable, but others are badly bungled, said Ben Edelman, a spyware researcher and Harvard doctoral candidate. He supports Microsoft's plan to publish its privacy standards for developers. "It's a fine idea," he said. "It would be easier to endorse if we could be more confident that Microsoft's own house is in order, which is suddenly a subject of some worry after the WGA issues."

(Return to CNET News.com next week for the full interview with Microsoft's Cullen.)

Copyright ©1995-2006 CNET Networks, Inc. All rights reserved.

From rforno at infowarrior.org Sat Jun 24 10:06:58 2006
From: rforno at infowarrior.org (Richard Forno)
Date: Sat, 24 Jun 2006 10:06:58 -0400
Subject: [Infowarrior] - Verizon to exit in-flight phone business
Message-ID:

Verizon to exit in-flight phone business
By Marguerite Reardon
http://news.com.com/Verizon+to+exit+in-flight+phone+business/2100-1033_3-6087534.html
Story last modified Fri Jun 23 16:30:41 PDT 2006

Verizon Airfone will exit the in-flight phone business by the end of the year, a company spokesman confirmed Friday. Airfone's parent company, Verizon Communications, plans to focus its efforts more on its core business, said Jim Pilcher, a spokesman for Verizon Airfone. Verizon, the second-largest phone company in the U.S., is in the midst of a multibillion-dollar upgrade to its network to compete better with cable. Verizon's new Fios network extends fiber-optic cable directly to homes. Using these new fiber connections, Verizon plans to offer high-speed Internet access, phone service and television.

Verizon acquired Airfone back in 2000 from GTE. The air-to-ground phone system, which first began about 21 years ago, is installed in about 1,000 planes operated by Continental Airlines, Delta Air Lines, United Airlines and US Airways. Pilcher said the company will work with the airlines to figure out how to remove the phones and other equipment from the planes.

Due to its high price tag, the Airfone service has never been popular. The service costs 69 cents per minute for Verizon Wireless customers, or 10 cents a minute for a $10 fee per month. But for people who are not Verizon Wireless subscribers, the prices are much higher. For domestic calls it costs $3.99 to connect the call and $4.99 for each additional minute. International calls require a connection fee of $5.99 and $5.99 for each minute of calling.

Verizon Airfone had been a favorite to win the Federal Communications Commission's auction of 800MHz spectrum, but it dropped out of the bidding early. A company called AirCell ended up winning a license to use the spectrum currently being used by Airfone. Earlier this month, AirCell said it plans to use its radio spectrum license to offer "affordable" wireless broadband service based on Wi-Fi standards aboard commercial airplanes. Verizon's license would have expired in 2010, but because of the auction, the company would have had to relinquish its part of the spectrum within two years of when AirCell receives its own license.

From rforno at infowarrior.org Sat Jun 24 10:12:06 2006
From: rforno at infowarrior.org (Richard Forno)
Date: Sat, 24 Jun 2006 10:12:06 -0400
Subject: [Infowarrior] - Watergate Echoes in NSA Courtroom
Message-ID:

Watergate Echoes in NSA Courtroom
http://www.wired.com/news/technology/1,71227-0.html
By Kevin Poulsen
17:00 PM Jun, 23, 2006

SAN FRANCISCO -- It was perhaps inevitable that someone would compare President Bush's extrajudicial wiretapping operations to Richard Nixon's 1970s-era surveillance of journalists and political enemies. Both were carried out by Republican presidents; both bypassed the courts; both relied on the cooperation of U.S. telecommunications companies. But there's some irony in the fact that it was AT&T to first make the comparison in a federal courtroom here, while defending itself from charges of complicity in Bush's warrantless spying.

Company attorney Bradford Berenson cited the case of The New York Times reporter Hedrick Smith, who'd been illegally wiretapped by Nixon's Plumbers as part of an investigation into White House leaks. In 1979, the U.S. Court of Appeals for the District of Columbia Circuit ruled that Smith couldn't sue Chesapeake & Potomac Telephone Company -- then part of AT&T's Bell System -- for installing the wiretaps at the Plumbers' behest.
The Nixon Defense was one of several arguments offered Friday by AT&T and the Justice Department in their bid to win summary dismissal of the Electronic Frontier Foundation's class-action lawsuit. The suit accuses the company of providing the National Security Agency with access to customer and non-customer internet traffic passing through AT&T's systems, without a warrant. Without confirming the allegations, AT&T said if it is cooperating with the NSA, it can't be held responsible, because -- as in the Nixon case -- it's serving as a "passive instrument or passive agent of the government," said Berenson. "AT&T could refuse, could it not, to provide access to its facilities?" countered U.S. District Judge Vaughn Walker. Berenson replied that AT&T would refuse any clearly illegal request, and a courtroom overflowing with EFF supporters broke into murmured, sardonic laughter. In the back, late-coming observers unable to win a seat pressed their faces against the windows of the courtroom door. The government's surveillance activities of the 1970s were an ever-present ghost in the nearly three-hour-long hearing Friday, in a case that's emerging as a crucial challenge of the law passed in response to Watergate-era abuses. The Foreign Intelligence Surveillance Act, or FISA, requires the government to obtain a court order before performing electronic surveillance in national security cases, except for surveillance targeting only foreign nationals or for emergency wiretaps lasting no longer than 72 hours. A related law allows private parties to sue a telecommunications company for cooperating in government surveillance that doesn't meet FISA's requirements or the demands of criminal wiretap laws. But that law grants companies immunity if the U.S. attorney general first presents them with a letter certifying that the surveillance is legal. AT&T won't confirm or deny that it received such a letter. 
But Walker, who's privy to the government's classified evidence in the case, spent some time posing questions about how a letter would affect the litigation's outcome. EFF attorney Kevin Bankston argued that AT&T has a duty to know the law, and wouldn't be protected by a written request to assist in an illegal surveillance operation. "That piece of paper could not authorize the conduct that we allege here," Bankston said. The government argued that the existence or nonexistence of a letter from the attorney general addressed to AT&T is one of the many secrets that cannot be disclosed without causing grave damage to the United States. The Justice Department asked that the entire case be dismissed on national security grounds under the rarely used "state-secrets privilege." Never passed by Congress, the state-secrets privilege has its roots in English common law and was cemented into American jurisprudence by a landmark 1953 Supreme Court case titled U.S. v. Reynolds. In Reynolds, the widows of three men who died in a mysterious Air Force crash sued the government, and U.S. officials quashed the lawsuit by claiming that they couldn't release any information about the accident without endangering national security. The Supreme Court upheld the claim, establishing a legal precedent that today allows the executive branch to block the release of information in any civil suit -- even if the government isn't the one being sued. "It is an area of the law where the degree of deference from the court to the executive is at its highest," said Justice Department attorney Peter Keisler, who argued Friday that the case must be dismissed because its basic allegations can't be addressed without harming national security. Acknowledging or disavowing any cooperation between the NSA and a particular telecommunications company, for example, would help terrorists communicate securely. "What the terrorist does when he decides to communicate ... 
is balance the risk that a particular communication will be intercepted against the operational inefficiencies" of finding another way to talk, said Keisler. Identifying a company as cooperating with the government would take some of the guesswork out of that assessment, and could even subject the company to terrorist reprisals. But Walker showed some signs that he was taking a more nuanced look at the state-secrets privilege, and might consider making some information -- such as the existence or nonexistence of the attorney general's letter -- available for use in the case. "The state-secret privilege is not unlimited," Walker said. Walker asked if the government would oppose the court retaining an expert to help sift through the classified evidence and evaluate its sensitivity; Keisler argued that such an analysis wouldn't show proper deference to the executive branch, and suggested it might prove problematic to grant such an expert the necessary security clearance. For its part, EFF argued that the case can go forward without access to any government documents or testimony, thanks to the written statement and papers provided by former AT&T technician Mark Klein, which purports to show AT&T establishing a secure room in its San Francisco switching center to transmit intercepted internet traffic to the NSA. EFF technical consultant J. Scott Marcus, a former FCC technology adviser, performed an analysis of the documents. Marcus concluded that AT&T's taps suck down about 10 percent of all U.S. internet traffic. The operation can pick up traffic transiting AT&T's network on its way somewhere else, so even non-AT&T customers are intercepted, he wrote. 
"AT&T has constructed an extensive -- and expensive -- collection of infrastructure that collectively has all the capability necessary to conduct large-scale covert gathering of (internet protocol)-based communications information, not only for communications to overseas locations, but for purely domestic communications as well," Marcus wrote. The government dismissed Klein's and Marcus' statements as "hearsay and speculation" Friday. "They don't know as much as they think they know," said Keisler. AT&T agreed. "Pieces of cable go into a room," said company attorney Bruce Ericson. "That's as far as they take us." There were few clues to where the judge was leaning Friday, but as the hearing drew to a close, he asked both sides how they would want to proceed should he deny the government's motion to dismiss -- suggesting he's considering allowing some portion of EFF's case to proceed. Speaking to reporters outside the courthouse, whistle-blower Klein said the evidence he provided was sufficient to make the case, without exposing any national security secrets. AT&T, he said, helped with "massive interception, without warrant, of everyone's information." From rforno at infowarrior.org Mon Jun 26 08:57:49 2006 From: rforno at infowarrior.org (Richard Forno) Date: Mon, 26 Jun 2006 08:57:49 -0400 Subject: [Infowarrior] - Poor security? Just blame Google Message-ID: (Well, I guess they're not blaming the student for 'hacking' or 'terrorism' in this case for a change....rf) Blame game Schools file injunction; Google denies fault BY LAUREN WILLIAMSON Record Staff Writer Saturday, June 24, 2006 http://www.journalnow.com/servlet/Satellite?pagename=Common%2FMGArticle%2FPr intVersion&c=MGArticle&cid=1149188715340 Catawba County Schools took aim at Google Friday. The system filed an injunction against the Internet search engine The temporary injunction, granted by the Honorable Richard D. 
Boner, calls for Google to remove any information pertaining to Catawba County Schools Board of Education from its server and index and alleges conversion and trespass against the corporation. In short, schools say Google grabbed information they shouldn?t have. Google says they are wrong. Either way, the names, Social Security numbers and test scores of 619 students were still bouncing around the Web for people with computers to find and read until late Friday, when the page was apparently removed. Catawba County Schools chief technology officer Judith Ray said her department removed the file from its storage server Friday. They are also working to delete any other electronic files that may contain Social Security numbers or other secure student information. The information was stored in the system?s DocuShare server, which required a username and password to access, Ray said. ?One of the students on the list had a presence on the Web,? she said. ?In Google?s effort to get information on her, one of its spiders latched onto her name in this document. We were not aware that password-protected sites are set up like that. To our knowledge, Google could only cache unsecure information that did not require a password or username.? She?s right, Barry Schnitt, Google spokesman, said. ?If there is a password, we cannot access or cache the site,? Schnitt said. While the argument between the school system and Google continues, parents are voicing their own frustrations. The central office received more than 50 calls from concerned parents and relatives Friday, said public information officer Beverly Lampe. One parent shared with Lampe that her daughter has been a victim of identity theft within the last year. The young woman?s name is on the list of 619 students. Letters were mailed Friday to the parents of students whose name and information is floating on the Internet, alerting them to the situation. 
Markley said information for parents is also available on the school system's Web site.

"We have very secure systems here," Markley said. "There are other private businesses and companies that don't, so parents should be watching those as well."

On the Net: www.catawba.k12.nc.us

lwilliamson at hickoryrecord.com

From rforno at infowarrior.org Mon Jun 26 21:48:14 2006
From: rforno at infowarrior.org (Richard Forno)
Date: Mon, 26 Jun 2006 21:48:14 -0400
Subject: [Infowarrior] - Under Surveillance: Government spy cameras proliferate
Message-ID:

http://www.rocklintoday.com/news/templates/community_news.asp?articleid=3535&zoneid=4

Under Surveillance: Government spy cameras proliferate
Friday, June 23, 2006 / LISA HOFFMAN (Scripps Howard News Service)

In an unprecedented proliferation of public spying, government is casting its watchful eye on millions of ordinary Americans through largely unregulated surveillance cameras trained on public spaces throughout the nation.

A Scripps Howard News Service tally found that at least 200 towns and cities in 37 states now employ video cameras -- or are in the process of doing so -- to watch sidewalks, parks, schools, buses, buildings and similar community locales. That number excludes the approximately 110 other municipalities that use traffic cameras to catch speeders and red-light runners.

But despite their proliferation and potential for altering the very tenor of public life in America, virtually no one is keeping track of the use of these security devices long associated with authoritarian regimes.

In many cases, the increasingly sophisticated general surveillance systems -- a growing number of which are capable of networking to compile and share information about those under view -- are deployed unaccompanied by written policies or other strictures to limit abuse.
More troubling to civil liberties and camera-use proponents alike is the even greater absence of local, state or federal laws that specifically govern police-video surveillance of Americans, suspected of no crime, as they go about their daily business.

Equally rare are enforceable regulations on such matters as who or what can be watched, how long images can be kept, who can see and share them, where a person's "zone of privacy" begins, and what recourse and punishments exist if that privacy is abused.

To Philadelphia Police Staff Inspector Thomas Nestel III, who played a major role in his city's referendum vote last month on the installation of video cameras, the lack of oversight is an ill-advised invitation to trouble.

"Forging ahead with reckless abandon by providing no written direction, no supervision, no training and no regulating legislation creates a recipe for disaster," Nestel wrote in a March research thesis on the phenomenon, one of the only in-depth, national studies of the subject to have been done.

While headlines and congressional and court hearings are examining the CIA and other agencies' eavesdropping and Internet snooping programs, the coast-to-coast spread of public spy cameras is occurring largely on the periphery of the nation's attention, even though it brings with it a catalog of "Big Brother" privacy concerns.

The American Civil Liberties Union and a handful of other watchdogs have occasionally sounded the alarm, but now are largely focused on other issues.

The lack of attention worries former Rep. Dick Armey, who, when he was the majority leader of the U.S. House of Representatives, was an outspoken opponent of law-enforcement-by-video camera.

"It seems like we need to be giving surveillance to the surveillance," said the Texas Republican, now chairman of the Washington-based political advocacy group Freedom Works. "I would hope somebody in the House or Senate would raise the privacy issues."
Meanwhile, the presence of government-run cameras is growing by the month, thanks to technology advances that are cutting the cost of the systems and to a bountiful spigot of federal anti-terror funds available to pay for them.

In June alone, for instance, the cities of Spokane, Wash.; Kissimmee, Fla.; South Bend, Ind.; and Hazelton, Pa., decided either to seek funds for cameras, gave the formal OK to use them, or began installing a system. In May, Philadelphia voters by a nearly 4 to 1 margin backed the use of cameras, and Milwaukee, Wis., joined the city-camera fraternity.

This growth parallels that of the increase in the number of security cameras being installed by the private sector in America. Now a $9-billion industry, it is projected to more than double to $20 billion by 2010, according to security experts.

In all, an estimated 5 million video surveillance devices are in use nationwide today -- and that number is forecast to double in only five more years. Oversight of these is similarly sparse.

"The technology is way ahead of the law," said James Ross, assistant criminal justice professor at the State University of New York-Brockport and an authority on privacy and security issues.

Banks and bars, convenience stores, churches and cemeteries, shopping malls, apartment buildings and farms -- all now commonly watch us. An average department store is estimated to have at least 100 cameras trained on shoppers and staff. Even the six bridges of Madison County, Iowa are equipped with them.

"It's just a huge proliferation," said Rajiv Shah, an expert on the security industry and a communications professor at the University of Illinois-Chicago.

Also expanding is the capability of the cameras and the increasing sweep of their focus. Now available, and being installed in several cities, are devices that can record in near-total darkness and are so powerful they can read a license plate up to a mile away or words on a cigarette pack 100 yards distant.
Some also are programmed to automatically alert authorities when they detect up to a dozen threatening or otherwise suspicious body movements, or vehicles traveling too slow or too fast. Technology to recognize individual faces is on the drawing board.

In Chicago, where 2,000 cameras already are in place, Mayor Richard Daley recently proposed requiring every business open more than 12 hours a day -- about 12,000, including 7,000 restaurants -- to install indoor and outdoor cameras. He said he intends to link public and private cameras alike to a central city government facility, which would provide an unprecedented degree of coordinated surveillance.

Houston Police Chief Harold Hurtt also has plans for a bigger visual blanket. In February, he said he wants every apartment complex and shopping mall to have cameras, and said it is worth considering a requirement that every home that frequently warrants police attention must install them, as well.

While such suggestions draw howls from civil liberties activists, they so far have triggered no apparent notice on Capitol Hill, in the Bush administration or most statehouses.

Part of the reason for the lack of congressional or other government oversight is the public's general approval of the use of such cameras, and the lack of attention addressed to the technology's pitfalls, experts say.

A nationwide Harris Poll in February found that 67 percent of respondents supported expanding video surveillance on streets and public places -- a jump from the 59 percent who felt that way in a June 2005 poll.

Citizens say they like the fact that security cameras can help police catch criminals and serve as a deterrent to wrongdoers, who know they risk identification in areas under the lens, according to Shah and others who study the issue.

"Most recognize the benefits of cameras and say if you're not doing anything wrong, you don't have anything to hide if a camera is there," Shah said.
And Barry Levine, chief executive officer of surveillance product manufacturer Sperry West in San Diego, says the camera industry itself is sensitive to privacy concerns and has developed products that, among other things, can be programmed not to peer into windows.

"Even covert cameras recognize a zone of privacy," Levine said.

But the effectiveness of the devices as anti-crime weapons is in dispute, and even those who favor cameras temper their support when presented with a litany of possible abuses, experts said.

"People often don't see the big picture," said Jay Stanley, a director of the ACLU's Technology and Liberty Program.

There is no shortage of examples of the cameras aiding police in capturing culprits. Grainy shots of crooks robbing banks and convenience stores have become staples of local TV newscasts and are credited with cracking cases.

Last month, security cameras in Philadelphia recorded a gunman just moments before he shot a police officer investigating an armed robbery. Also in May, a sharp-eyed city video technician in Wilmington, Del., spotted the main suspect in the killing of an 84-year-old woman and tracked his movements until police could arrest him.

Although few long-term studies have been done, several cities say cameras have contributed to an overall drop in crime.

In Greenville, N.C., the police chief said auto thefts, burglaries and other offenses dropped by 32 percent in the first six months after the cameras were installed to watch the public on city streets. Baltimore police recorded a 20 percent crime decrease in areas monitored by the city's 283 cameras.

In Chicago, the devices are credited with helping to push crime down to the lowest levels in 40 years. New Orleans police said their system had a similar effect on downtown crime. (They also note that their camera network was the only communications link that survived Hurricane Katrina.)
Even privacy hawks such as Jay Stanley, who directs the ACLU's technology and liberty program, acknowledge cameras can be valuable -- if used in a restricted way.

"We would never say every camera should be taken down," Stanley said.

But he and other critics contend that the worth of spy camera systems has not yet been proved.

In Britain, one of the world's most watched countries, a government study released in February found that the estimated 4.2 million cameras arrayed across that nation have done little to reduce crime in the decade they have been in use. As a result, officials there have decided not to install any more cameras.

In 2000, a University of Cincinnati study came to a similar conclusion, finding that crime in Cincinnati dropped initially after the eight cameras were deployed but then rebounded.

In Minneapolis, overall crime actually increased a bit during the 11 months after cameras were installed, according to a May 10 report by city of St. Paul's mayor's office. And St. Petersburg, Fla., police officials said images from cameras there had not "been successfully used in prosecution" of any crime in 15 years, according to researcher Nestel's study.

If the effect of cameras on crime remains in dispute, experts say there is no disagreement that, as Nestel put it, "potential abuse lurks at the turn of every camera."

In Tuscaloosa, Ala., state police have been accused of focusing a camera not on the intersection it was supposed to be monitoring, but on the breasts and buttocks of young women walking down the street. In Overton County, Tenn., parents have filed suit against school officials for allowing cameras to film children undressing in middle-school locker rooms.

More troubling to privacy advocates was the graphic police-camera video of the 2004 gunshot suicide of a young man in a New York City housing project that wound up on a pornographic Web site for the world to see.
Critics also worry that, without sufficient safeguards, unethical police or city personnel might sell other sensitive or grisly videos to Internet sites or to the growing number of reality police series cropping up on cable TV.

The cameras also offer far more chilling opportunities for abuse beyond video voyeurism, such as for racial profiling of minorities or intimidating political or other protesters. Those who patronize gay bars or strip clubs, attend Alcoholics Anonymous meetings or are under treatment by a psychiatrist could be vulnerable to extortion and blackmail.

To forestall problems, a handful of city police departments have adopted their own written rules, including New York City, Chicago and Honolulu. But, according to Nestel's survey of some of the largest U.S. police departments, most haven't. Among those lacking written policies are Atlanta, Baltimore, Charlotte, N.C., Dallas, Fresno, Calif., Minneapolis, Tampa and St. Petersburg, Fla.

Equally troubling to privacy advocates is the ability government will soon have to construct dossiers of suspected criminals and innocent individuals alike, using networked cameras and other databases to document every aspect of a person's life and track his every move. In Beijing, China, where 260,000 cameras scan the city and thousands more are on the way, authorities are doing just that.

"Today, every bit of information can be collated, marshaled, can be used," said David Keene, head of the American Conservative Union.

With each citizen already under watch by between 10 and 100 cameras a day -- depending on where he or she lives -- America's zone of personal privacy and public anonymity is in jeopardy of shrinking further, perhaps to just the confines of a person's residence, and those of public restrooms or locker rooms.

"The question is: How much of our civil liberties do we want to trade?" New York professor Ross said. "Are we getting a fair payback (from the video cameras) for giving up our freedoms?"
From rforno at infowarrior.org Mon Jun 26 22:33:50 2006
From: rforno at infowarrior.org (Richard Forno)
Date: Mon, 26 Jun 2006 22:33:50 -0400
Subject: [Infowarrior] - 'Breathtaking' Waste and Fraud in Hurricane Aid
Message-ID:

June 27, 2006
'Breathtaking' Waste and Fraud in Hurricane Aid
By ERIC LIPTON
http://www.nytimes.com/2006/06/27/washington/27katrina.html?ei=5094&en=9aca3fe376c7a9b4&hp=&ex=1151380800&partner=homepage&pagewanted=print

WASHINGTON, June 26 -- Among the many superlatives associated with Hurricane Katrina can now be added this one: it produced one of the most extraordinary displays of scams, schemes and stupefying bureaucratic bungles in modern history, costing taxpayers up to $2 billion.

There is the hotel owner from Sugar Land, Tex., who has been charged with submitting $232,000 worth of bills for phantom victims. There are the 1,100 prison inmates across the Gulf Coast who apparently collected more than $10 million in rental and disaster-relief assistance. There are the bureaucrats who ordered nearly half a billion dollars worth of mobile homes that are still empty, and renovations for a shelter at a former Alabama Army base that cost about $416,000 per evacuee.

And there is the Illinois woman who tried to collect federal benefits by claiming she watched her two daughters drown in the rising New Orleans waters. In fact, prosecutors say, the children did not exist.

The tally of ignoble acts linked to Katrina, pulled together by The New York Times from government audits, criminal prosecutions and Congressional investigations, could rise because the inquiries are under way. Even in Washington, a city accustomed to government bloat, the numbers are generating amazement.

"The blatant fraud, the audacity of the schemes, the scale of the waste -- it is just breathtaking," said Senator Susan Collins, Republican of Maine, who is chairwoman of the Homeland Security and Governmental Affairs Committee.
Such an outcome was feared soon after the initial Katrina relief package was passed, as officials at the Federal Emergency Management Agency and the American Red Cross acknowledged that their systems were overwhelmed and tried to create new ones on the fly.

"We did, in fact, put into place never-before-used and untested processes," Donna M. Dannels, acting deputy director of recovery at FEMA, told a House panel this month. "Clearly, because they were untested, they were more subject to error and fraud."

Officials in Washington say they recognized that a certain amount of fraud or improper payments is inevitable in any major disaster, as the government's mission is to rapidly distribute emergency aid. They typically send out excessive payments that represent 1 percent to 3 percent of the relief distributed, money they then ask people to give back.

What was not understood until now was just how large these numbers could become. The estimate of up to $2 billion in fraud and waste represents nearly 11 percent of the $19 billion spent by FEMA on Hurricanes Katrina and Rita as of mid-June, or about 6 percent of total money that has been obligated.

"This started off as a disaster-relief program, but it turned into a cash cow," said Representative Michael McCaul, Republican of Texas, a former federal prosecutor and now chairman of a House panel investigating Katrina waste and fraud.

The waste ranged from excessive loads of ice to higher-than-necessary costs on the multibillion-dollar debris removal effort. Some examples are particularly stark.

The $7.9 million spent to renovate the former Fort McClellan Army base in Anniston, Ala., included fixing up a welcome center, clinic and gymnasium, scrubbing away mold and installing a protective fence between the site and a nearby firing range. But when the doors finally opened, only about 10 people showed up each night, leading FEMA to shut down the shelter within one month.
The mobile homes, costing $34,500 apiece, were supposed to provide temporary housing to hurricane victims. But after Louisiana officials balked at installing them inland, FEMA had no use for them. Nearly half, or about 10,000, of the $860 million worth of units now sit at an airfield in Arkansas, where FEMA is paying $250,000 a month to store them.

The most recent audit came from the Government Accountability Office, which this month estimated that perhaps as much as 21 percent of the $6.3 billion given directly to victims may have been improperly distributed.

"There are tools that are available to get money quickly to individuals and to get disaster relief programs running quickly without seeing so much fraud and waste," said Gregory D. Kutz, managing director of the forensic audits unit at the G.A.O. "But it wasn't really something that FEMA put a high priority on. So it was easy to commit fraud without being detected."

The most disturbing cases, said David R. Dugas, the United States attorney from Louisiana, who is leading a Katrina antifraud task force for the Department of Justice, are those involving government officials accused of orchestrating elaborate scams.

One Louisiana Department of Labor clerk, Wayne P. Lawless, has been charged with issuing about 80 fraudulent disaster unemployment benefit cards in exchange for bribes of up to $300 per application. Mr. Lawless, a state contract worker, announced to one man he helped apply for Katrina benefits that he wanted to "get something out of it," the affidavit said. His lawyer did not return several messages left at his office and home for comment.

"The American people are the most generous in the world in responding to a disaster," Mr. Dugas said. "We won't tolerate people in a position of public trust taking advantage of the situation."

Two other men, Mitchell Kendrix of Memphis, Tenn., and Paul Nelson of Lisbon, Me., have pleaded guilty in connection with a scheme in Mississippi in which Mr. Kendrix, a representative for the Army Corps of Engineers, took $100 bribes in exchange for approving phantom loads of hurricane debris from Mr. Nelson.

In New Orleans, two FEMA officials, Andrew Rose and Loyd Holliman, both of Colorado, have pleaded guilty to taking $20,000 in bribes in exchange for inflating the count on the number of meals a contractor was serving disaster workers.

And a councilman in St. Tammany Parish, La., Joseph Impastato, has also been charged with trying to extort $100,000 from a debris removal contractor. Mr. Impastato's lawyer, Karl J. Koch, said he was confident his client would be cleared.

A program set up by the American Red Cross and financed by FEMA that provided free hotel rooms to Katrina victims also resulted in extraordinary abuse and waste, investigators have found.

First, because the Red Cross did not keep track of the hundreds of thousands of recipients -- they were only required to provide a ZIP code from the hurricane zone to check in -- FEMA frequently sent rental assistance checks to people getting free hotel rooms, the G.A.O. found.

In turn, some hotel managers or owners, like Daniel Yeh, of Sugar Land, Tex., exploited the lack of oversight, investigators have charged, and submitted bills for empty rooms or those occupied by paying guests or employees. Mr. Yeh submitted $232,000 in false claims, his arrest affidavit said. His lawyer, Robert Bennett, said that Mr. Yeh is mentally incompetent and that the charges should be dismissed.

And Tina M. Winston of Belleville, Ill., was charged this month with claiming that her two daughters had died in the flooding in New Orleans. But prosecutors said that the children never existed and that Ms. Winston was living in Illinois at the time of the storm. The public defender representing Ms. Winston did not respond to a request for comment.

Charities also were vulnerable to profiteers.
In Burbank, Calif., a couple has been charged with collecting donations outside a store by posing as Red Cross workers. In Bakersfield, Calif., 75 workers at a Red Cross call center, their friends and relatives, have been charged in a scheme to steal hundreds of thousands of dollars in disaster relief.

To date, Mr. Dugas said, federal prosecutors have filed hurricane-related criminal charges against 335 individuals. That represents a record number of indictments from a single hurricane season, Justice Department officials said. Separately, Red Cross officials say they are investigating 7,100 cases of possible fraud.

Congressional investigators, meanwhile, have referred another 7,000 cases of possible fraud to prosecutors, including more than 1,000 prison inmates who collected more than $12 million in federal aid, much of it in the form of rental assistance. Investigators also turned up one individual who had received 26 federal disaster relief payments totaling $139,000, using 13 Social Security numbers, all based on claims of damages for bogus addresses.

Thousands more people may be charged before the five-year statute of limitations on most of these crimes expires, investigators said.

There are bigger cases of government waste or fraud in United States history. The Treasury Department, for example, estimated in 2005 that Americans in a single year had improperly been granted perhaps $9 billion in unjustified claims under the Earned Income Tax Credit. The Department of Health and Human Services in 2001 estimated that nearly $12 billion in Medicare benefit payments in the previous year had been based on improper or fraudulent complaints. Auditors examining spending in Iraq also have documented hundreds of millions in questionable spending or abuse.

But Mr. Kutz of G.A.O. said that in all of his investigative work, he has never encountered the range of abuses he has seen with Katrina.

R. David Paulison, the new FEMA director, said in an interview on Friday that much work has already been done to prevent such widespread fraud, including automated checks to confirm applicants' identities. "We will be able to tell who you are, if you live where you said you do," he said.

But Senator Collins said she has heard such promises before, including after Hurricane Frances in 2004 in which FEMA gave out millions of dollars in aid to Miami-Dade residents, even though there was little damage.

Mr. Kutz said he too is not convinced the agency is ready. "I still don't think they fully understand the depth of the problem," he said.

From rforno at infowarrior.org Mon Jun 26 22:39:29 2006
From: rforno at infowarrior.org (Richard Forno)
Date: Mon, 26 Jun 2006 22:39:29 -0400
Subject: [Infowarrior] - Senators introduce data security legislation
Message-ID:

Senators introduce data security legislation
By John Poirier
Reuters
Monday, June 26, 2006; 9:08 PM
http://www.washingtonpost.com/wp-dyn/content/article/2006/06/26/AR2006062601251_pf.html

WASHINGTON (Reuters) - Two senators on Monday introduced legislation to better protect sensitive personal data held by institutions including financial services firms, retailers and government agencies.

"We are not doing enough to protect consumers and businesses from identity theft and account fraud," said Sen. Bob Bennett, a Utah Republican who chairs the Senate banking subcommittee on financial institutions.

Bennett and Sen. Tom Carper, a Delaware Democrat, introduced the Data Security Act of 2006, which creates a uniform national standard to safeguard data on Social Security, driver's licenses, credit cards, and account access codes and passwords.

It also requires that notifications be sent to consumers when there is a likelihood that stolen identities or accounts could cause "substantial harm or inconvenience."

Similar legislation has emerged from committees in the House of Representatives, but the full House has not yet voted on a final version.

Personal information on 26.5 million veterans was stolen last month from the Department of Veterans Affairs. Since then, authorities have said the stolen data includes information on 2.2 million active-duty, National Guard and Reserve troops.

Personal data on 28,000 U.S. sailors and their families appeared on a public Web site last week.

Even Agriculture Secretary Mike Johanns and other top officials were among 26,000 people whose personal information may have been stolen by a computer hacker, the department said last week.

"We used to just worry about people breaking into our homes or stealing our cars, but in the 21st century, we have to worry about people stealing our identities via computers and the Internet," Carper said.

The Senate bill would cover any information that could be used to commit identity theft or account fraud at businesses and government institutions, which would be required to safeguard all paper and electronic records.

The American Bankers Association said banks already have a system in place. "It makes sense to extend bank-like regulations to other industries that handle sensitive information," said ABA executive director Floyd Stoner.

The bill would also charge state and federal regulatory agencies to oversee the operations and business practices of their entities, and the agencies themselves would be internally regulated.

© 2006 Reuters

From rforno at infowarrior.org Mon Jun 26 22:53:01 2006
From: rforno at infowarrior.org (Richard Forno)
Date: Mon, 26 Jun 2006 22:53:01 -0400
Subject: [Infowarrior] - Letter From Bill Keller on The Times's Banking Records Report
Message-ID:

June 25, 2006
Letter From Bill Keller on The Times's Banking Records Report
http://www.nytimes.com/2006/06/25/business/media/25keller-letter.html?pagewanted=print

The following is a letter Bill Keller, the executive editor of The Times, has sent to readers who have written to him about The Times's publication of information about the government's examination of international banking records:

I don't always have time to answer my mail as fully as etiquette demands, but our story about the government's surveillance of international banking records has generated some questions and concerns that I take very seriously. As the editor responsible for the difficult decision to publish that story, I'd like to offer a personal response.

Some of the incoming mail quotes the angry words of conservative bloggers and TV or radio pundits who say that drawing attention to the government's anti-terror measures is unpatriotic and dangerous. (I could ask, if that's the case, why they are drawing so much attention to the story themselves by yelling about it on the airwaves and the Internet.) Some comes from readers who have considered the story in question and wonder whether publishing such material is wise. And some comes from readers who are grateful for the information and think it is valuable to have a public debate about the lengths to which our government has gone in combatting the threat of terror.

It's an unusual and powerful thing, this freedom that our founders gave to the press. Who are the editors of The New York Times (or the Wall Street Journal, Los Angeles Times, Washington Post and other publications that also ran the banking story) to disregard the wishes of the President and his appointees?
And yet the people who invented this country saw an aggressive, independent press as a protective measure against the abuse of power in a democracy, and an essential ingredient for self-government. They rejected the idea that it is wise, or patriotic, to always take the President at his word, or to surrender to the government important decisions about what to publish.

The power that has been given us is not something to be taken lightly. The responsibility of it weighs most heavily on us when an issue involves national security, and especially national security in times of war. I've only participated in a few such cases, but they are among the most agonizing decisions I've faced as an editor.

The press and the government generally start out from opposite corners in such cases. The government would like us to publish only the official line, and some of our elected leaders tend to view anything else as harmful to the national interest. For example, some members of the Administration have argued over the past three years that when our reporters describe sectarian violence and insurgency in Iraq, we risk demoralizing the nation and giving comfort to the enemy.

Editors start from the premise that citizens can be entrusted with unpleasant and complicated news, and that the more they know the better they will be able to make their views known to their elected officials. Our default position -- our job -- is to publish information if we are convinced it is fair and accurate, and our biggest failures have generally been when we failed to dig deep enough or to report fully enough. After The Times played down its advance knowledge of the Bay of Pigs invasion, President Kennedy reportedly said he wished we had published what we knew and perhaps prevented a fiasco. Some of the reporting in The Times and elsewhere prior to the war in Iraq was criticized for not being skeptical enough of the Administration's claims about the Iraqi threat.
The question we start with as journalists is not "why publish?" but "why would we withhold information of significance?" We have sometimes done so, holding stories or editing out details that could serve those hostile to the U.S. But we need a compelling reason to do so.

Forgive me, I know this is pretty elementary stuff -- but it's the kind of elementary context that sometimes gets lost in the heat of strong disagreements.

Since September 11, 2001, our government has launched broad and secret anti-terror monitoring programs without seeking authorizing legislation and without fully briefing the Congress. Most Americans seem to support extraordinary measures in defense against this extraordinary threat, but some officials who have been involved in these programs have spoken to the Times about their discomfort over the legality of the government's actions and over the adequacy of oversight. We believe The Times and others in the press have served the public interest by accurately reporting on these programs so that the public can have an informed view of them.

Our decision to publish the story of the Administration's penetration of the international banking system followed weeks of discussion between Administration officials and The Times, not only the reporters who wrote the story but senior editors, including me. We listened patiently and attentively. We discussed the matter extensively within the paper. We spoke to others -- national security experts not serving in the Administration -- for their counsel. It's worth mentioning that the reporters and editors responsible for this story live in two places -- New York and the Washington area -- that are tragically established targets for terrorist violence. The question of preventing terror is not abstract to us.

The Administration case for holding the story had two parts, roughly speaking: first that the program is good -- that it is legal, that there are safeguards against abuse of privacy, and that it has been valuable in deterring and prosecuting terrorists. And, second, that exposing this program would put its usefulness at risk.

It's not our job to pass judgment on whether this program is legal or effective, but the story cites strong arguments from proponents that this is the case. While some experts familiar with the program have doubts about its legality, which has never been tested in the courts, and while some bank officials worry that a temporary program has taken on an air of permanence, we cited considerable evidence that the program helps catch and prosecute financers of terror, and we have not identified any serious abuses of privacy so far. A reasonable person, informed about this program, might well decide to applaud it. That said, we hesitate to preempt the role of legislators and courts, and ultimately the electorate, which cannot consider a program if they don't know about it.

We weighed most heavily the Administration's concern that describing this program would endanger it. The central argument we heard from officials at senior levels was that international bankers would stop cooperating, would resist, if this program saw the light of day. We don't know what the banking consortium will do, but we found this argument puzzling. First, the bankers provide this information under the authority of a subpoena, which imposes a legal obligation. Second, if, as the Administration says, the program is legal, highly effective, and well protected against invasion of privacy, the bankers should have little trouble defending it. The Bush Administration and America itself may be unpopular in Europe these days, but policing the byways of international terror seems to have pretty strong support everywhere. And while it is too early to tell, the initial signs are that our article is not generating a banker backlash against the program.
By the way, we heard similar arguments against publishing last year's reporting on the NSA eavesdropping program. We were told then that our article would mean the death of that program. We were told that telecommunications companies would - if the public knew what they were doing - withdraw their cooperation. To the best of my knowledge, that has not happened. While our coverage has led to much public debate and new congressional oversight, to the best of our knowledge the eavesdropping program continues to operate much as it did before. Members of Congress have proposed to amend the law to put the eavesdropping program on a firm legal footing. And the man who presided over it and defended it was handily confirmed for promotion as the head of the CIA. A secondary argument against publishing the banking story was that publication would lead terrorists to change tactics. But that argument was made in a half-hearted way. It has been widely reported - indeed, trumpeted by the Treasury Department - that the U.S. makes every effort to track international financing of terror. Terror financiers know this, which is why they have already moved as much as they can to cruder methods. But they also continue to use the international banking system, because it is immeasurably more efficient than toting suitcases of cash. I can appreciate that other conscientious people could have gone through the process I've outlined above and come to a different conclusion. But nobody should think that we made this decision casually, with any animus toward the current Administration, or without fully weighing the issues. Thanks for writing.
Regards, Bill Keller

From rforno at infowarrior.org Tue Jun 27 08:21:12 2006 From: rforno at infowarrior.org (Richard Forno) Date: Tue, 27 Jun 2006 08:21:12 -0400 Subject: [Infowarrior] - Internet providers to create database to combat child porn Message-ID:

If it's already illegal to posess or exchange child porn images, won't these firms be breaking the law by creating and populating this database? And, does anyone want to place bets on when slices of this database make it to the Internet?? -rf

Internet providers to create database to combat child porn http://www.nwfdailynews.com/articleArchive/jun2006/ispchildporn.php By ANICK JESDANUN AP Internet Writer 2006-06-27 NEW YORK (AP) - Five leading online service providers will jointly build a database of child-pornography images and develop other tools to help network operators and law enforcement better prevent distribution of the images. The companies pledged $1 million (€0.8 million) among them Tuesday to set up a technology coalition as part of the National Center for Missing and Exploited Children. They aim to create the database by year's end, though many details remain unsettled. The participating companies are Time Warner Inc.'s AOL, Yahoo Inc., Microsoft Corp., EarthLink Inc. and United Online Inc., the company behind NetZero and Juno. Ernie Allen, the chief executive of the missing children's center, noted that the Internet companies already possess many technologies to help protect users from threats such as viruses and e-mail "phishing" scams. "There's nothing more insidious and inappropriate" than child pornography, he said. The announcement comes as the U.S. government is pressuring service providers to do more to help combat child pornography. Top law enforcement officials have told Internet companies they must retain customer records longer to help in such cases and have suggested seeking legislation to require it.
AOL chief counsel John Ryan said the coalition was partly a response to Attorney General Alberto R. Gonzales' April speech identifying increases in child-porn cases and chiding the Internet industry for not doing more about them. The creation of the technology coalition does not directly address the preservation of records but could demonstrate the industry's willingness to cooperate. Plans call for the missing children's center to collect known child-porn images and create a unique mathematical signature for each one based on a common formula. Each participating company would scan its users' images for matches. AOL, for instance, plans to check e-mail attachments that are already being scanned for viruses. If child porn is detected, AOL would refer the case to the missing-children's center for further investigation, as service providers are required to do under federal law. Each company will set its own procedures on how it uses the database, but executives say the partnership will let companies exchange their best ideas - ultimately developing tools for preventing child-porn distribution instead of simply catching violations. "When we pool together all our collective know-how and technical tools, we hope to come up with something more comprehensive along the lines of preventative" measures, said Tim Cranton, Microsoft's director of Internet safety enforcement programs. Ryan said that although AOL will initially focus on scanning e-mail attachments, the goal is to ultimately develop techniques for checking other distribution techniques as well, such as instant messaging or Web uploads. Representatives will begin meeting next month to evaluate their technologies, determining, for instance, whether cropping an image would change its signature and hinder comparisons. Also to be discussed are ways to ensure that customers' privacy is protected. Authorities still would need subpoenas to get identifying information on violators.
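The "unique mathematical signature" scheme and the open question about cropping, as an added example that is not from the AP article, NCMEC or any of the named companies (the article does not say which formula the coalition chose): a plain cryptographic hash over the pixels (SHA-256 here) changes completely when an image is cropped by a few pixels, so exact-match lookups miss trivially edited copies, while a perceptual hash such as a 64-bit difference hash (dHash, computed from brightness differences between neighbouring cells of a 9x8 downscaled version) survives the same crop with only a couple of bits changed and can be matched by Hamming distance. The grayscale image, the 4-pixel crop and the horizontal flip used as a negative control are all constructed for this example.

```python
import hashlib


def make_image(width=64, height=64):
    """Constructed sample image: a horizontal brightness gradient with a
    bright square in the middle. Rows of ints in 0..255, no image library."""
    img = []
    for y in range(height):
        row = []
        for x in range(width):
            if 20 <= x < 44 and 20 <= y < 44:
                row.append(255)            # bright square
            else:
                row.append(min(255, 3 * x))  # left-to-right gradient
        img.append(row)
    return img


def crop(img, border):
    """Drop `border` pixels from every edge (the edit the article worries about)."""
    return [row[border:-border] for row in img[border:-border]]


def flip_horizontal(img):
    """A genuinely different picture, used as the negative control."""
    return [row[::-1] for row in img]


def sha256_of(img):
    """Exact-match signature: SHA-256 over the raw pixel bytes."""
    return hashlib.sha256(bytes(v for row in img for v in row)).hexdigest()


def box_resize(img, new_w, new_h):
    """Shrink by averaging rectangular pixel blocks (area resampling)."""
    h, w = len(img), len(img[0])
    out = []
    for i in range(new_h):
        y0, y1 = i * h // new_h, (i + 1) * h // new_h
        row = []
        for j in range(new_w):
            x0, x1 = j * w // new_w, (j + 1) * w // new_w
            block = [img[y][x] for y in range(y0, y1) for x in range(x0, x1)]
            row.append(sum(block) / len(block))
        out.append(row)
    return out


def dhash(img):
    """64-bit difference hash: downscale to 9x8, then one bit per adjacent
    horizontal pair, set when the right cell is brighter than the left."""
    small = box_resize(img, 9, 8)
    bits = 0
    for row in small:
        for j in range(8):
            bits = (bits << 1) | (1 if row[j] < row[j + 1] else 0)
    return bits


def hamming(a, b):
    """Number of differing bits between two dHash values."""
    return bin(a ^ b).count("1")


def matches(known_hash, candidate_hash, threshold=10):
    """Perceptual match: close enough in Hamming distance. The threshold is a
    tuning knob (assumed value): higher catches more edited copies, lower
    means fewer false positives on unrelated images."""
    return hamming(known_hash, candidate_hash) <= threshold


if __name__ == "__main__":
    original = make_image()
    cropped = crop(original, 4)
    unrelated = flip_horizontal(original)
    print("sha256 equal after crop:", sha256_of(original) == sha256_of(cropped))
    print("dHash distance after crop:", hamming(dhash(original), dhash(cropped)))
    print("dHash distance to unrelated:", hamming(dhash(original), dhash(unrelated)))
    print("cropped copy matches:", matches(dhash(original), dhash(cropped)))
    print("unrelated image matches:", matches(dhash(original), dhash(unrelated)))
```

Run stand-alone, the script shows the two failure modes a practitioner cares about: the exact hash is useless against a trivial crop, and the perceptual hash only works because a distance threshold is accepted, which means every reported match still needs human review before it is referred onward, since a threshold loose enough to catch edited copies will occasionally pull in unrelated images.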
The companies involved said they are talking with other service providers about joining. But companies that do not participate still are required by law to report any suspected child-porn images, and many already have their own techniques for monitoring and identifying them.

From rforno at infowarrior.org Tue Jun 27 12:58:23 2006 From: rforno at infowarrior.org (Richard Forno) Date: Tue, 27 Jun 2006 12:58:23 -0400 Subject: [Infowarrior] - How To Remove Windows Genuine Advantage Notification Tool Message-ID:

How To Remove Windows Genuine Advantage Notification Tool June 26th, 2006 by Angsuman Chakraborty http://blog.taragana.com/index.php/archive/how-to-remove-windows-genuine-advantage-notifications-tool/ Windows Genuine Advantage includes two main tools - Windows Genuine Advantage Validation and Windows Genuine Advantage Notification. The WGA Validation tool checks that an instance of Windows XP is properly licensed, and is required for some Windows updates. If the copy doesn't check out, WGA Notification repeatedly reminds the user to upgrade to a properly licensed version of Windows. Unfortunately WGA Notification also checks back with Microsoft once a day even if the licensing check is successful, something the company hadn't previously made public. Neither of the programs is designed to be removable. Now you can remove the pesky WGA Notification tool, thanks to Guillaume Kaddouch, a French developer. RemoveWGA enables you to remove the Microsoft "Windows Genuine Advantage Notifications" tool, which is calling home and connecting to Microsoft servers every time you boot, even after you passed their validation checks. Once the WGA Notification tool has checked your OS and has confirmed you had a legit copy, there is no decent point or reason to check it again and again every boot. Moreover, connecting to Microsoft brings security issues for corporate networks, and privacy issues for everyone.
It is also unclear which information is transmitted (Microsoft published an official answer, but an individual study raised some questions). All of that, along with the fact that Microsoft used deceptive ways to make you install this tool (you were told it was an urgent security update, whereas it is a new installation giving you no extra security), makes me call this tool spyware. You can download the WGA Notifications removal tool here (site).

From rforno at infowarrior.org Tue Jun 27 16:52:08 2006 From: rforno at infowarrior.org (Richard Forno) Date: Tue, 27 Jun 2006 16:52:08 -0400 Subject: [Infowarrior] - Congress mulls slew of Net-sex rules Message-ID:

(Noble intentions, clueless legislators.....rf)

Congress mulls slew of Net-sex rules By Declan McCullagh http://news.com.com/Congress+mulls+slew+of+Net-sex+rules/2100-1028_3-6088627.html Story last modified Tue Jun 27 13:37:13 PDT 2006 When it comes to topics conducive to political speechifying, few compare to the volatile mix of the Internet, sex and children. At a hearing before the House of Representatives' Subcommittee on Oversight and Investigations, politicians served up a dizzying slew of suggestions about what kind of new federal laws should be enacted. The ideas were all over the map, and most were new. Only one or two have actually been turned into formal legislation so far, but politicians are vowing to take action in the very near future. A child exploitation law is "one of the highest priority issues not just before this subcommittee, but the full committee," said Rep. Joe Barton, the Texas Republican who heads the Energy and Commerce Committee. "It is my intention to...see if we can't develop very quickly a comprehensive piece of anti-child-pornography legislation." Following is a roundup of some of the proposals for new federal laws, rules or regulations that would target American businesses--if, that is, various members of Congress get their way. Forcibly blocking off-color Web sites: Rep.
Bart Stupak, a Michigan Democrat, lauded a U.K. approach that involves compiling a list of illicit Web sites and using it to cordon off access to them. Internet providers should, Stupak said, block "American predators from using U.S.-based platforms to access child pornography at any site worldwide." Eavesdropping on what Americans are doing online: Rep. Marsha Blackburn, a Tennessee Republican, suggested surveillance might do the trick. "One issue that keeps recurring is how these companies are monitoring communications that might reveal the contents are child pornography," she suggested. Rep. Diana DeGette, a Colorado Democrat, sounded a similar tone without endorsing the eavesdropping plan: "I don't think that people who are raping 2-year-old children on the Internet have any right to privacy." Making certain hyperlinks illegal: One antigambling bill in Congress a few years ago would have required companies to delete hyperlinks to offshore gambling sites. Now the idea is resurfacing. "Who's able to link to which site...and how we filter that out" is key, said Rep. Greg Walden, an Oregon Republican. "Some ISPs are better than others." Recording which customer is assigned which Internet Protocol address: Rep. Ed Whitfield, a Kentucky Republican who chairs the oversight subcommittee, said he wanted to learn "about Internet service providers' retention policies for IP addresses in particular." In one case, Whitfield warned, police could not find who had been assigned a "3-day-old IP address from an Internet service provider. That is unacceptable." (Attorney General Alberto Gonzales has been pushing for this as well.) Dispatching "search and destroy" bots: The idea of disrupting peer-to-peer networks surfaced in 2002 in the House of Representatives, and Sen. Orrin Hatch said a year later that copyright holders should be allowed to remotely destroy the computers of music pirates. Now Rep. 
Walden has revived that idea, proposing that search and destroy bots be launched to scour the Internet for illicit content. "If you could search for different things, you might be able to search for a known image, identify it and destroy it," Walden suggested. He dubbed the idea "technologically scan and destroy." Restricting naughty Webcams: Rep. Cliff Stearns, a Florida Republican and chairman of a consumer protection subcommittee, cited a New York Times article about an adolescent boy who charged customers to watch him perform erotic acts in front of his Web cam. "We've heard about one Web site that had 140,000 images of adolescents from their Web cam," Stearns said. We need "to do whatever we can in our power to protect the innocent." Recording e-mail correspondents and Web pages visited: "Amazingly, even though we require telephone companies to keep records of telephone calls for 18 months...there is no federal law for Internet communications and there is no industry standard," said DeGette, the Colorado Democrat. "This is hindering investigations." DeGette has been a leading proponent in the House of Representatives of data retention and already drafted legislation making it mandatory for Internet providers and Web sites. Taking aim at search engines: Search engines were accused of selling sponsored links that relate to sex and minors. "I have serious concerns about the adequacy of efforts by the search engine providers," said Tammy Baldwin, a Wisconsin Democrat. Google was singled out for selling racy ads tied to the search term "pre-teen." Rep. Chip Pickering, a Mississippi Republican, complained that Google fought a subpoena from the Justice Department in court and had a culture of liberalism. "Do you want to be known as the company where teenagers can have access to teen pornography and where your clients can go into child pornographic sites, feeling as they'll be protected and that information will not be given to the government?" Pickering said. 
(For its part, Google says it has a "zero-tolerance policy on child pornography." Nicole Wong, its associate general counsel, said that Google's system had blocked only "preteen" and it now recognized the hyphen.) Letting government bureaucrats rate chat rooms: Video games and movies have ratings, so why not chat rooms, Rep. Stearns proposed. "Should chat rooms be set up with some sort of controls from the Federal Trade Commission, or should software be developed to categorize?" Stearns suggested. "Should manufacturers of computers provide that software? Sort of like a V-chip in a TV. You'd have this software program...that way it would be automatic." Permitting the National Center for Missing & Exploited Children to send subpoenas to Internet providers: This idea came from Gerard Lewis, Comcast's deputy general counsel and chief privacy officer, who testified at the hearing. NCMEC already receives federal tax dollars to forward reports of child exploitation to police. But the concept was shot down by DeGette, who said: "I don't think it would work." Stupak said, however, that he wanted to give NCMEC the power to require Internet providers to preserve records in specific cases--a move that would effectively make it a quasi police agency. A 1996 federal law called the Electronic Communication Transactional Records Act currently requires Internet providers to retain any "record" in their possession for 90 days "upon the request of a governmental entity." (Also on Tuesday, Comcast said it would retain customer records for 180 days, up from 30 days.) Targeting peer-to-peer networks: Politicians have been talking about enacting new laws targeting P2P networks since early 2003. Now it may happen. Government reports have talked about finding child pornography on P2P networks, and Stupak said he wants to find a way to pull the plug. "How to stop the peer to peer?" Stupak said. 
"I'd be interested in some suggestions...We have to find a way to block the peer to peer from person to person." Granting Internet censorship power to federal bureaucrats: Under the current U.S. legal system, only a judge can decide what's legally obscene or pornographic. In addition, the U.S. Supreme Court has overturned a law that criminalized any computer-generated sex image that "appears to be" of a minor--which makes deciding what's legal and not even more tricky. But Barton said the judicial process takes too long to rule in prosecutions of child pornography. "Why is it not possible to immediately terminate that site?" Barton said. "You have to have some agency of the government definitively say that is child pornography. Once that's established, why can't we immediately cut off that site? (That would avoid) waiting for a court to go out and convict the people operating the site."

From rforno at infowarrior.org Tue Jun 27 22:28:51 2006 From: rforno at infowarrior.org (Richard Forno) Date: Tue, 27 Jun 2006 22:28:51 -0400 Subject: [Infowarrior] - Senators endorse broadcast flag plan Message-ID:

Senators endorse broadcast flag plan By Anne Broache http://news.com.com/Senators+endorse+broadcast+flag+plan/2100-1028_3-6088711.html Story last modified Tue Jun 27 18:29:24 PDT 2006 WASHINGTON--A legislative proposal to revive a controversial anticopying system known as the broadcast flag cleared a U.S. Senate panel on Tuesday, despite misgivings from some senators. During a day of debate on a wide-ranging communications bill, members of the Senate Commerce Committee endorsed the idea of requiring digital TV receivers to restrict redistribution--particularly over the Internet--of over-the-air broadcasts. The measure would also allow for similar rules, or an "audio flag," for digital radio receivers.
Also at the committee meeting, chairman Ted Stevens, an Alaska Republican, postponed discussion on what has proved to be one of the thorniest provisions of the bill: Net neutrality. Senators plan to begin debate on that topic on Wednesday at 7 a.m. PDT, with votes on a number of amendments expected. The entire communications bill won't become law unless it receives final approval by the committee and, later, the full Senate. It must also be reconciled with a House of Representatives version that differs in many respects, including its lack of broadcast or audio flag components. House members scheduled a Tuesday afternoon hearing to explore the issue. The flag provisions may have sailed through the Senate committee without changes for now, but New Hampshire Republican John Sununu said he was strongly considering offering an amendment when the bill moves to the floor. (No recorded vote took place in the committee.) "I have concerns about the flag language because it is a technology mandate and because the technology mandate may actually discourage innovation and discourage different products from coming into the market," he said. Backed by the entertainment industry, the audio and video flags are aimed at staving off piracy. The Federal Communications Commission attempted to respond to Hollywood's concerns in November 2003 by writing rules that would render it illegal to "sell or distribute" any digital TV product that's unable to quell redistribution of video clips made from recorded over-the-air broadcasts, particularly over the Internet. But last spring, a federal court yanked down the flag after concluding that the FCC didn't have the authority to make such rules. The court's ruling came in response to a suit filed by a coalition of librarians and public interest groups. They argued that the FCC's rules would hinder the ability of librarians and consumers to make "fair use" of copyright works and would hamper interoperability between devices. 
Such a plan "injects government into technological design, restricts lawful consumer activities and increases consumer costs by making obsolete millions of digital devices," Gigi Sohn, president of the advocacy group Public Knowledge, said in a statement for Tuesday's House hearing. Recording Industry Association of America CEO Mitch Bainwol said in a statement for the House committee meeting that his industry wants new content-protection rules targeting portable digital-radio devices that allow users to save songs to playlists and replay them later. He also wants a requirement that digital radio companies pay extra licensing fees for "distribution" of their content--in addition to those they pay for airing it--if they effectively allow users to download songs, he said. Without those rules, Bainwol said, it's "tantamount to saying that if someone buys a ticket to watch a movie in a theater, he's entitled to take a DVD of the movie home with him afterwards." Copyright ©1995-2006 CNET Networks, Inc. All rights reserved.

From rforno at infowarrior.org Wed Jun 28 00:18:47 2006 From: rforno at infowarrior.org (Richard Forno) Date: Wed, 28 Jun 2006 00:18:47 -0400 Subject: [Infowarrior] - Whois data a key weapon in fraud fight, FTC says Message-ID:

Whois data a key weapon in fraud fight, FTC says By Erica Ogg http://news.com.com/Whois+data+a+key+weapon+in+fraud+fight%2C+FTC+says/2100-7348_3-6088651.html Story last modified Tue Jun 27 15:01:12 PDT 2006 The Federal Trade Commission has made a pitch for open access to Whois, saying the databases are a key weapon in its fight against spyware and other Internet fraud. The agency on Tuesday called access to the Whois databases, which contain contact information for Web site operators, "critical to the agency's consumer protection laws." It was responding to a recommendation from an Internet Corporation for Assigned Names and Numbers committee to restrict use of the data to strictly "technical purposes."
The official statement comes after an address by FTC Commissioner John Leibowitz to a meeting of ICANN this week in Morocco, where he gave examples of how Whois data has aided the agency's attorneys and investigators in identifying perpetrators of Internet scams, spam and other illegal online activity. "Whois databases often are one of the first tools FTC investigators use to identify wrongdoers," he said. In one instance, the agency was able to stop seven companies sending sexually graphic e-mails without the legally required warning labels. Leibowitz said he was "uncertain" the agency would have been able to do so without unhindered access to Whois data. "If ICANN restricts the use of Whois data to technical purposes only, it will greatly impair the FTC's ability to identify Internet malefactors quickly--and ultimately stop perpetrators of fraud, spam and spyware from infecting consumers' computers," Leibowitz said. He did note the importance of an accurate Whois database, saying, "the Commission has advocated that stakeholders work to improve the accuracy of such information, because inaccurate data has posed significant obstacles in FTC investigations." However, he added that even imperfect information has proved helpful. He cited cases in which the agency tracked down suspects using a range of phony registration names by matching contact information. Copyright ©1995-2006 CNET Networks, Inc. All rights reserved.

From rforno at infowarrior.org Wed Jun 28 00:28:56 2006 From: rforno at infowarrior.org (Richard Forno) Date: Wed, 28 Jun 2006 00:28:56 -0400 Subject: [Infowarrior] - Damage Study Urged on Surveillance Reports Message-ID:

The New York Times http://tinyurl.com/r72yc June 28, 2006 Damage Study Urged on Surveillance Reports By SCOTT SHANE WASHINGTON, June 27 -
Senator Pat Roberts, the chairman of the Senate intelligence committee, asked the director of national intelligence on Tuesday to assess any damage to American counterterrorism efforts caused by the disclosure of secret programs to monitor telephone calls and financial transactions. Mr. Roberts, Republican of Kansas, singled out The New York Times for an article last week that reported that the government was tracking money transfers handled by a banking consortium based in Belgium. The targeting of the financial data, which includes some Americans' transactions, was also reported Thursday by The Los Angeles Times and The Wall Street Journal. In his letter to John D. Negroponte, director of national intelligence, Mr. Roberts wrote that "we have been unable to persuade the media to act responsibly and to protect the means by which we protect this nation." He asked for a formal evaluation of damage to intelligence collection resulting from the revelation of the secret financial monitoring as well as The Times's disclosure in December of the National Security Agency's monitoring of phone calls and e-mail messages of Americans suspected of having links to Al Qaeda. In London, meanwhile, a human rights group said Tuesday that it had filed complaints in 32 countries alleging that the banking consortium, known as Swift, violated European and Asian privacy laws by giving the United States access to its data. Simon Davies, director of the group, Privacy International, said the scale of the American monitoring, involving millions of records, "places this disclosure in the realm of a fishing exercise rather than a legally authorized investigation." The Belgian prime minister, Guy Verhofstadt, has asked the Justice Ministry to investigate whether Swift violated Belgian law by allowing the United States government access to its data. The American Civil Liberties Union has condemned the program, and a Chicago lawyer, Steven E. 
Schwarz, filed a federal class-action lawsuit against Swift on Friday alleging that it had violated United States financial privacy statutes. President Bush, Vice President Dick Cheney, Treasury Secretary John W. Snow and numerous Republicans in Congress have vigorously defended the financial tracking program as legal and valuable and condemned its public disclosure. They have suggested that the articles might tip off terrorists that their money transfers could be detected. Representative J. D. Hayworth, Republican of Arizona, circulated a letter to colleagues on Tuesday asking that The Times's Congressional press credentials be suspended. Tony Snow, the White House spokesman, said any effort to measure damage to intelligence collection would take some time. "It's not as if the terrorists are going to say, 'Oops! Going to stop doing that,' " Mr. Snow said at a briefing. "But I think it is safe to say that once you provide a piece of intelligence, people on the other side act on it." The electronic messaging system operated by Swift, the Society for Worldwide Interbank Financial Telecommunication, routes nearly $6 trillion a day in transfers among nearly 8,000 financial institutions. At a confirmation hearing on Tuesday for Henry M. Paulson Jr., the nominee for Treasury secretary, Senator Max Baucus, Democrat of Montana, asked whether the monitoring might violate the Fourth Amendment's protection against unreasonable searches. "I think you'll agree that we could fight terrorism properly and adequately without having a police state in America," Mr. Baucus said. Mr. Paulson did not express an opinion on the propriety of the Swift monitoring but pledged to study it. "I am going to, if confirmed, be all over it, make sure I learn everything there is to learn, make sure I understand the law thoroughly," he said. 
Democratic staff members said they had pressed Treasury officials in recent days for a fuller accounting of which members of Congress were briefed on the program and whether notification requirements under the International Economic Emergency Powers Act, invoked by President Bush days after Sept. 11, were met. Treasury officials have told Congressional staff members that they briefed the full intelligence committees of both houses about a month ago, after inquiries by The Times, according to one Democratic aide who spoke on condition of anonymity. Some members were told of the program several years ago, but the Treasury Department has not provided a list of who was informed when, the aide said. Democrats said they hoped to get a clearer idea of the legal foundations for the program, how it was monitored, and how long it will be allowed to continue under the president's invocation of emergency powers. Representative Carolyn B. Maloney, a New York Democrat who serves on the House financial services committee, said Tuesday: "The administration is basing its actions on a 1970's law that never envisioned a state of perpetual emergency. It wasn't meant to become the status quo. That is why Congress needs to look at its current use." Victor Comras, a former State Department official who served on a United Nations counterterrorism advisory group, pointed out on The Counterterrorism Blog that a 2002 United Nations report had noted with approval that the United States was monitoring international financial systems. While providing no details, the report mentioned Swift and similar organizations, saying "the United States has begun to apply new monitoring techniques to spot and verify suspicious transactions." Dan Bilefsky contributed reporting from Brussels for this article, and Carl Hulse and Eric Lichtblau from Washington.
From rforno at infowarrior.org Wed Jun 28 10:09:31 2006 From: rforno at infowarrior.org (Richard Forno) Date: Wed, 28 Jun 2006 10:09:31 -0400 Subject: [Infowarrior] - Deal for Cybersecurity Chief Questioned Message-ID:

Deal for Cybersecurity Chief Questioned http://www.washingtonpost.com/wp-dyn/content/article/2006/06/28/AR2006062800240_pf.html By TED BRIDIS The Associated Press Wednesday, June 28, 2006; 7:23 AM WASHINGTON -- The Bush administration's cybersecurity chief is being paid $577,000 under a two-year agreement with the university that employs him and also does extensive business with the federal office he manages. Donald "Andy" Purdy Jr. has been acting director of the Homeland Security Department's National Cyber Security Division for 21 months. His contract, which has drawn attention from members of Congress, is paying him more than the $175,000 annual salary that Homeland Security Secretary Michael Chertoff earns. Purdy is employed by Carnegie Mellon University in Pittsburgh, which has loaned him to the Homeland Security Department in exchange for the government paying nearly all of his salary. Meanwhile, Purdy's cybersecurity division has paid Carnegie Mellon $19 million in contracts this year, almost one-fifth the unit's total budget. Purdy said he has not been involved in discussions over his office's business deals with the school. Some lawmakers who oversee the Homeland Security Department questioned the decision to hire Purdy as acting cybersecurity director. They noted enduring criticism by industry experts and congressional investigators over the department's performance on cybersecurity matters. Purdy's contract "raises questions about whether the American people are getting their money's worth," Democratic Reps. Bennie Thompson of Mississippi and Loretta Sanchez and Zoe Lofgren, both of California, wrote in a letter to Republicans.
Purdy, a longtime attorney who has held a number of state and federal legal and managerial jobs, has no formal, technical background in computer security. His two-year contract expires in October, but he said it could be extended two more years. Under the contract, the government pays Purdy $245,481 in salary and benefits, not including travel reimbursements, with Carnegie Mellon paying $43,320. The Associated Press obtained a copy of Purdy's contract. Purdy said his salary was commensurate with those of some other government contractors. Purdy works four levels below Chertoff within the Homeland Security Department and controls a budget of roughly $107 million and as many as 44 full-time federal employees. "Frankly, it's a very competitive market place out there, and I could make a lot more in the private sector," said Purdy, a former White House cybersecurity adviser and the former top lawyer at the U.S. Sentencing Commission. Purdy's former boss and predecessor as cybersecurity chief, Amit Yoran, earned $131,342 before he resigned abruptly in October 2004. Chertoff agreed one year ago to create a position of DHS assistant secretary over cybersecurity, but the job hasn't been filled. "Andy has done a pretty good job under the circumstances, working in an 'acting' capacity and buried in the bureaucracy of the department," said Shannon Kellogg, director of government affairs for RSA Security Inc., a leading security firm. "He's had one of the tougher jobs in America." Carnegie Mellon is highly regarded among experts who study hacker attacks and software flaws. Its Software Engineering Institute works closely with the Defense Department, which last year renewed a five-year, $411 million contract with the research center. The university declined to comment on Purdy's salary, citing employee confidentiality. It said it has avoided discussing government contracts with Purdy in his role as chief of the cybersecurity office that awards those contracts. 
The Homeland Security Department said Purdy consulted with ethics lawyers when he signed his contract. Purdy is so assiduous about avoiding potential conflicts that he leaves the room when employees discuss contracts related to Carnegie Mellon's work, said one DHS official, who spoke on condition of anonymity because this official is not authorized to speak with reporters. Among other activities, Carnegie Mellon helps run the U.S. Computer Emergency Response Team, which sends urgent e-mails to subscribers about major virus outbreaks and other Internet attacks as they occur, along with detailed instructions to help computer users protect themselves. ___ On the Net: Homeland Security: http://www.dhs.gov U.S. Computer Emergency Response Team: http://www.us-cert.gov Carnegie Mellon Software Engineering Institute: http://www.sei.cmu.edu From rforno at infowarrior.org Wed Jun 28 10:11:21 2006 From: rforno at infowarrior.org (Richard Forno) Date: Wed, 28 Jun 2006 10:11:21 -0400 Subject: [Infowarrior] - MoD patrols stop 2100 people at US phone tap site Message-ID: (c/o DE) MoD patrols stop 2100 people at US phone tap site IAN BRUCE, Defence Correspondent June 26 2006 http://www.theherald.co.uk/news/64687-print.shtml Armed Ministry of Defence police have stopped more than 2100 civilians and body-searched 941 in the last five years to help protect the secrets of America's main phone-tapping and surveillance site on British soil, The Herald can reveal. The American government has also paid more than £1.7m to the MoD since 2003 to fund security patrols on the approach roads to the Menwith Hill facility in north Yorkshire because it cannot legally deploy its own armed troops outside the perimeter of what is still officially an RAF base. The MoD has admitted both the stop-and-search and funding figures in answers to private parliamentary questions. The Menwith Hill site, on moorland eight miles from Harrogate, is the biggest American intelligence-gathering centre outside the US. 
The bulk of its staff are 1200 employees of the US National Security Agency plus a handful of British military intelligence personnel and analysis and liaison teams from the UK government's GCHQ monitoring centre outside Cheltenham. Its job is to scan telephone, fax, e-mail and microwave communications throughout Europe, including diplomatic signals from embassies and commercially sensitive exchanges between major companies. One intelligence source said: "Menwith Hill deals with hundreds of millions of communications and signals packages a day. These are filtered through banks of computers pre-programmed with a list of key words which allows analysts to home in on items of interest. "Siting the base on British soil allows the NSA to neatly circumvent US human rights legal restrictions which might hamper domestic or foreign intelligence-gathering. "This has become ever more important since September 11. Why risk judicial refusal for a wire-tap on a terrorist suspect in New York or Miami when you can eavesdrop on him from North Yorkshire without anyone back home knowing or being able to interfere? "Because it can hide behind the official though patently false cover of being an RAF facility, it lies outside US jurisdiction. "It also suits Whitehall to turn a blind eye, given the levels and quantity of shared intelligence plucked from the ether. Menwith Hill works very closely with GCHQ and its outstations in Cyprus and elsewhere round the globe. Between them, they've got a very big ear to the sky." Menwith Hill could theoretically tap into 250,000 domestic telephone lines simultaneously within the UK and is linked directly to the Hunter's Stone Post Office Tower, the pivotal point for more than a million miles of British microwave connections. 
It is also the key reception and analysis site for the Echelon electronic surveillance system, a worldwide satellite-based intelligence-gathering network whose findings are shared between the US, the UK, Canadian, Australian and New Zealand intelligence services. Echelon monitors every signal passing through the world's communications satellites and has 120 satellites of its own to capture other microwave communications, including all known mobile telephone and pager systems. The NSA, America's largest and most secretive intelligence agency, lists Menwith Hill as "Field Station 83". From rforno at infowarrior.org Wed Jun 28 10:13:39 2006 From: rforno at infowarrior.org (Richard Forno) Date: Wed, 28 Jun 2006 10:13:39 -0400 Subject: [Infowarrior] - Comcast to log Internet usage longer Message-ID: URL: http://www.rockymountainnews.com/drmn/local/article/0,1299,DRMN_15_4806781,0 0.html Comcast to log Internet usage longer Colorado child porn case spurs company to change its policy By M.E. Sprengelmeyer, Rocky Mountain News June 28, 2006 WASHINGTON - An outcry over a Colorado child pornography case has prompted the nation's largest broadband provider to change its policy on retaining Internet user records. Comcast announced Tuesday that the company will begin keeping records identifying account holders for 180 days - nearly six times longer than their current policy - in an effort to assist law enforcement. It was a reaction to congressional outrage over a case that came to light this year at a hearing of an investigative subcommittee of the House Energy and Commerce Committee. In April, Flint Waters, lead special agent for the Wyoming task force on Internet Crimes Against Children, testified about being thwarted in an investigation into a videotape circulating on the Internet that depicted the rape of a 2-year-old child. 
Waters testified that investigators traced the video to a computer in Colorado, but could not identify the sender because Comcast had not retained records on the account holder's identity. "I'm sure that just makes all your employees around the country feel sick," committee member Rep. Diana DeGette, D-Denver, said to Comcast's chief privacy officer, Gerard Lewis, at a follow-up hearing on Tuesday. "No one feels that more acutely than I do," Lewis said. Lewis said that at the time, Comcast had a policy of retaining records for only 31 days. Meanwhile, because of computer problems during a renovation of Comcast's Internet Protocol (or IP) network last year, "we had significant difficulties in meeting many law enforcement requests," he said. Rep. Michael Burgess, R-Texas, said the 31-day policy was "almost criminal" in an age of rampant online crimes targeting children. Lewis announced that starting later this year, Comcast plans to retain records that help identify users of specific Internet Protocol, or IP addresses, for 180 days. "Because of the importance of child safety, we want to do more," Lewis testified. Lewis said the shorter data-retention period was established at a time when various state and federal lawmakers were raising privacy concerns, "so we erred on the side of setting a shorter time period." The 180-day period still is far short of the seven years that service provider Earthlink Inc. retains records. It's also half of the one-year period that DeGette wants to impose on Internet providers through planned legislation. Still, DeGette applauded Comcast's announcement as a step in the right direction. "Child pornography on the Internet is burgeoning. It is exploding out of control and it's time for everybody in society to take this seriously and look at some serious steps to control it," she said, pointing out that telephone companies must keep phone call records for 18 months. 
Comcast officials stressed that their new policy only meant retaining customer IP address assignments. To protect customers' privacy, Comcast does not plan to retain specific e-mail messages, histories of visited Web sites or similar types of information. Comcast is Colorado's largest cable television provider. It also provides broadband services to more than 8.5 million customers nationwide. Copyright 2006, Rocky Mountain News. All Rights Reserved. From rforno at infowarrior.org Wed Jun 28 11:20:38 2006 From: rforno at infowarrior.org (Richard Forno) Date: Wed, 28 Jun 2006 11:20:38 -0400 Subject: [Infowarrior] - NIAC Meeting Notice Message-ID: 28 June 2006 ----------------------------------------------------------------------- [Federal Register: June 28, 2006 (Volume 71, Number 124)] [Notices] [Page 36821-36822] From the Federal Register Online via GPO Access [wais.access.gpo.gov] [DOCID:fr28jn06-108] ======================================================================= ----------------------------------------------------------------------- DEPARTMENT OF HOMELAND SECURITY Office of the Secretary [Docket No. DHS-2006-0029] Notice of Meeting of National Infrastructure Advisory Council (NIAC) AGENCY: Directorate for Preparedness, DHS. ACTION: Notice of meeting. ----------------------------------------------------------------------- SUMMARY: The National Infrastructure Advisory Council (NIAC) will meet in open session. DATES: Tuesday, July 11, 2006, from 1:30 p.m. to 4:30 p.m. ADDRESSES: National Press Club, 529 14th Street, NW., Washington, DC 20045. You may submit comments, identified by DHS-2006-0029, by one of the following methods: Federal eRulemaking Portal: http://www.regulations.gov. Follow the instructions for submitting comments. E-mail: william.corcoran at associates.dhs.gov. When submitting comments electronically, please include DHS-2006-0029 in the subject line of the message. 
Mail: Jenny Menna, Department of Homeland Security, Directorate for Preparedness, Washington, DC 20528. To ensure proper handling, please reference DHS-2006-0029 on your correspondence. This mailing address may be used for paper, disk or CD-ROM submissions. Hand Delivery/Courier: Jenny Menna, Department of Homeland Security, Directorate for Preparedness, Washington, DC 20528. Contact Telephone Number 703-235-5316. Instructions: All submissions received must include the words ``Department of Homeland Security'' and DHS-2006-0029, the docket number for this action. Comments received will be posted without alteration at http://www.regulations.gov, including any personal information provided. Docket: For access to the docket to read background documents or comments received, go to http://www.regulations.gov. FOR FURTHER INFORMATION CONTACT: Jenny Menna, NIAC Designated Federal Officer, Department of Homeland Security, Washington, DC 20528; telephone 703-235-5316. SUPPLEMENTARY INFORMATION: Notice of this meeting is given under the Federal Advisory Committee Act (FACA), Public Law 92-463, as amended (5 U.S.C. App.1 et seq.). At this meeting, the NIAC will be briefed on the status of several Working Group activities in which the Council is currently engaged. This meeting is open to the public on a first-come, first-served basis. Please note that the meeting may close early if all business is finished. A tentative agenda for the meeting is set forth below, but may be updated. Please consult the NIAC Website, http://www.dhs.gov/niac, for the most current agenda. Information on Services for Individuals with Disabilities: For information on facilities or services for individuals with disabilities, or to request special assistance at the meeting, telephone the Designated Federal Officer as soon as possible. Dated: June 23, 2006. Jenny Menna, Designated Federal Officer for the NIAC.
Draft Agenda of July 11, 2006 Meeting
I. Opening of Meeting: Jenny Menna, Designated Federal Officer, NIAC, Department of Homeland Security
II. Roll Call of Members: Jenny Menna
III. Opening Remarks and Introductions: NIAC Chairman, Erle A. Nye, Chairman Emeritus, TXU Corp.; NIAC Vice Chairman, John T. Chambers, President and CEO, Cisco Systems, Inc.; Michael Chertoff, Secretary, Department of Homeland Security (DHS) (Invited); Frances Fragos Townsend, Assistant to the President for Homeland Security and Counterterrorism (Invited)
IV. Approval of February Minutes: NIAC Chairman, Erle A. Nye
V. Final Reports and Deliberations: NIAC Chairman, Erle A. Nye, Presiding
   A. Intelligence Coordination: NIAC Vice Chairman John T. Chambers, Chairman and CEO, Cisco Systems, Inc., and Gilbert Gallegos, Chief of Police (ret.), Albuquerque, New Mexico Police Department, NIAC Member
   B. Deliberation and Approval of Recommendations of Final Report: NIAC Members
VI. Status Reports on Current Working Group Initiatives: NIAC Chairman, Erle A. Nye, Presiding
   A. Chemical, Biological and Radiological Events and the Critical Infrastructure Workforce: Chief Rebecca F. Denlinger, Fire Chief, Cobb County, Georgia Fire and Emergency Services, NIAC Member; Martha H. Marsh, Chairman and CEO, Stanford Hospital and Clinics, NIAC Member; and Bruce Rohde, Chairman and CEO Emeritus, ConAgra Foods, Inc.
   B. Convergence of Physical and Cyber Technologies and Related Security Management Challenges: George Conrades, Executive Chairman, Akamai Technologies, NIAC Member; Margaret Grayson, President, AEP Government Solutions Group, NIAC Member; and Gregory A. Peters, Former President and CEO, Internap Network Services Corporation, NIAC Member
VII. New Business: NIAC Chairman, Erle A. Nye; NIAC Members TBD
   A. Introduction of New Initiative: The Prioritization of Critical Infrastructure for a Pandemic Outbreak in the United States: NIAC Members
   B. Deliberation and Voting on Additional New Initiatives: NIAC Members
VIII. Adjournment: NIAC Chairman, Erle A. Nye
[FR Doc. E6-10140 Filed 6-27-06; 8:45 am]
From rforno at infowarrior.org Wed Jun 28 17:33:12 2006 From: rforno at infowarrior.org (Richard Forno) Date: Wed, 28 Jun 2006 17:33:12 -0400 Subject: [Infowarrior] - RIAA Shifts Lawsuit Strategy Message-ID: RIAA Shifts Lawsuit Strategy June 28, 2006 Thomas Mennecke http://www.slyck.com/news.php?story=1237 June 26, 2003, marked the day the Recording Industry Association of America began collecting evidence and preparing lawsuits against individual file-sharers. At the time, the effort was the main spearhead in a multifaceted campaign to stem the unchecked growth of file-sharing. Anticipation of the lawsuits had been growing for over a year, as early attempts to hold P2P developers responsible for copyright infringement proved difficult. In 2003, Presiding Justice Steven Wilson disagreed with the entertainment industry's assertion that StreamCast Networks and Grokster were responsible for the unlawful activities of their users. "Defendants distribute and support software, the users of which can and do choose to employ it for both lawful and unlawful ends," Wilson wrote in his opinion. "Grokster and StreamCast are not significantly different from companies that sell home video recorders or copy machines, both of which can be and are used to infringe copyrights." The entertainment industry's appeal in 2004 fared little better. The panel of three judges confirmed the lower court's ruling, and maintained neither party qualified for secondary copyright infringement. "This appeal presents the question of whether distributors of peer-to-peer file-sharing computer networking software may be held contributory or vicariously liable for copyright infringements by users. Under the circumstances presented by this case, we conclude that the defendants are not liable for contributory and vicarious copyright infringement and affirm the district court's partial grant of summary judgment." 
The entertainment industry, represented by the RIAA and MPAA, immediately appealed this decision to the United States Supreme Court. Unlike the two previous rulings, the entertainment industry finally received the decision they so desperately sought. In a unanimous 9-0 ruling, the Supreme Court remanded the case to the lower courts, stating StreamCast Networks and Grokster could be sued for violating federal copyright laws. "We hold that one who distributes a device with the object of promoting its use to infringe copyright, as shown by clear expression or other affirmative steps taken to foster infringement, is liable for the resulting acts of infringement by third parties," Justice David H. Souter wrote in the court's decision. While all three rulings varied in their success for the entertainment industry, the common denominator maintained that users are responsible for their own actions. This gave the RIAA and MPAA the ammunition they needed to continue pursuing individuals who distribute copious amounts of files online. Yet three years and over 18,000 lawsuits later, the strategy of launching a continuous barrage of monthly lawsuits aimed at approximately 750 individuals is being retooled. The problem with the current barrage of lawsuits is equivalent to being hit with a fire hose of information. With so many individuals being hit at once, it becomes counterproductive to the entertainment industry's effort to educate the file-sharing populace. The growing perception over the years has developed into complacency. Who are these people? Do they live near me? Why should I care if some nameless, faceless individual on the other side of the continent was sued for sharing 5,000 songs on the FastTrack network? This lack of focus is apparent when alleged file-sharing pirates come forward to the media and plead ignorance in the face of a $3,000.00 settlement. Oftentimes such individuals are completely befuddled, unaware their actions were unlawful. 
Realizing this, the RIAA has shifted their strategy away from once a month, en masse lawsuits. Replacing the old strategy is one that still focuses on individuals; however the number is spread out over the course of a month rather than an immediate date. In addition, the weekly lawsuits focus on specific geographic locations, working with local media outlets to catch the attention of the surrounding populace. "We are currently filing lawsuits throughout the month in batches, in order to maximize efficiencies and expand the geographic reach," an RIAA spokesperson told Slyck.com. "We are always looking for ways to make the program as effective, smart and targeted as possible. We need to be flexible in how we manage these litigations in order to handle them efficiently. The lawsuits are and will continue to be an essential part of a larger effort to encourage fans to enjoy music legally." This new strategy is already taking shape. Quite noticeably, there has been a lack of RIAA press releases articulating the usual monthly, en masse round of lawsuits. Conversely, there's been an increase of local and specific news articles describing potential lawsuits against alleged P2P pirates. For example, the Palm Beach Post recently reported that local Boynton Beach resident Dorothy O'Connell (and several others) was sued for sharing files online. It's a similar story in Evansville, Indiana, where the Evansville Courier Gazette published an article this week describing two local residents currently facing potential RIAA lawsuits. The aim of the new RIAA strategy is to give a name and face to a previously ho-hum lawsuit campaign. It's designed to summon a reaction that invokes a sense of relevance and vulnerability, not one that's perceived as something happening in a far off land. There's little question the previous RIAA strategy is far from the worldly success hoped for. 
Three years and 18,000 lawsuits later, more people are populating P2P and file-sharing networks than ever before. This new campaign will certainly bring more localized attention to the issues surrounding the great file-sharing debate, however which direction the local populace focuses this attention will only be realized with time. From rforno at infowarrior.org Wed Jun 28 22:00:26 2006 From: rforno at infowarrior.org (Richard Forno) Date: Wed, 28 Jun 2006 22:00:26 -0400 Subject: [Infowarrior] - Feds bust ring of film counterfeiters Message-ID: Shucks....because I've become hooked on getting first-run camcordered DVDs for $2. The quality of video and audio makes it such a bargain that I'd never buy a "legitimate" DVD again. [/sarcasm] However, the MPAA was unavailable to comment on how their request for FBI assistance influenced or detracted from the agency's efforts in the Global War on Terrah......rf Feds bust ring of film counterfeiters By Greg Sandoval http://news.com.com/Feds+bust+ring+of+film+counterfeiters/2100-1030_3-608932 1.html Story last modified Wed Jun 28 17:18:37 PDT 2006 The FBI has broken up a ring of international movie-bootleggers that the agency says was responsible for distributing half of all illegally produced "camcorded" copies in the United States and 25 percent of them worldwide. FBI agents arrested 13 members of the group Wednesday, according to the Motion Picture Association of America, the trade group that represents six of the top movie studios. All 13 people were due to be arraigned Wednesday in a Manhattan federal court on charges of conspiracy, copyright infringement and trafficking in counterfeit labels, the MPAA said. Each charge carries a maximum prison sentence of five years. Thieves sneak into movie houses packing digital video recorders to shoot films and later mass produce DVDs to sell. The MPAA said that practice cost the movie industry $3.8 billion last year. 
Movie studios lose another $2.3 billion on illegal Internet downloads. "Camcorders...supply 90 percent of newly released movies that end up on the Internet and on the streets," the MPAA said in a statement. "These recordings are duplicated and sold on the black market and loaded onto the Internet triggering an avalanche of millions of illegal downloads." From rforno at infowarrior.org Wed Jun 28 22:02:06 2006 From: rforno at infowarrior.org (Richard Forno) Date: Wed, 28 Jun 2006 22:02:06 -0400 Subject: [Infowarrior] - Google's eBay Challenge Message-ID: Google's eBay Challenge By Robert Hof http://uk.biz.yahoo.com/28062006/244/google-s-ebay-challenge.html The battle to control your online wallet is about to get a lot bloodier. More than a year after search giant Google (GOOG) was rumored to be preparing an online payment service, GBuy finally looks set to launch in test mode as early as June 28. But while Google may have quickly become the dominant force in search advertising, it's unlikely there will be one winner in online payments anytime soon, if ever. That's because no other player is likely to give up without a big fight. There are credit-cards like Visa and MasterCard, of course, which remain by far the leading way for consumers and merchants to handle online payments. What's more, prime GBuy rival PayPal is running all-out to get its payment system used more widely, far beyond transactions involving parent eBay Inc. (EBAY) and even past the Web. "We have a lead that's been built since 2002," eBay Chief Executive Margaret C. Whitman told analysts in May. COPYCAT. Whatever the outcome, this battle is bound to benefit consumers and merchants. By providing new and cheaper alternatives to credit cards for buying items online, these and other new online payment services could give buyers more confidence in a wider range of e-commerce sites. 
And coupled with e-commerce services from eBay, Google, Amazon.com (AMZN), and others, they're likely to help smaller merchants who can't afford a credit-card merchant account to compete with bigger players. According to people who have been briefed on the service, GBuy will be pitted most directly against PayPal, particularly in light of PayPal's push since last year to accept payments off the eBay.com site [see BusinessWeek.com, 5/23/05, "PayPal Spreads Its Wings"]. For one, GBuy apparently will sport many of the same functions as PayPal, including the ability of consumers to purchase items without revealing a credit card number and a checkout system that can be integrated with merchants' systems. More important, eBay's merchants increasingly are using Google as another venue to reach potential buyers. So a payment system tied more tightly to Google could be attractive, all the more so because it could be cheaper than PayPal's. Although people familiar with Google's plans said pricing was uncertain, they believe it will come close to PayPal's 1.9% to 2.9% commission, plus 30 cents per transaction. TRUST. But with potential discounts to merchants who use Google's AdWords search ad system, those fees could drop considerably for large merchants. "GBuy definitely goes after the off-eBay PayPal business," notes Jeetil Patel, an analyst with Deutsche Bank Securities Inc. Still, Google will face some big challenges of its own. Indeed, the lengthy gestation of the GBuy service, first rumored more than a year ago, points up the sizable challenges involved with offering a payment service [see BusinessWeek.com, 6/21/05, "PayPal: One Tough Nut for Google"]. It's especially tough against an established rival like PayPal, which has 105 million accounts. "Right now, Google's playing catch-up," says Allen Weinberg, cofounder of financial services consultant Glenbrook Partners. 
"They don't bring anything to the table that other people haven't wallowed in or taken their lumps on." In particular, most of GBuy's challenges come down to trust. For one, it remains to be seen whether consumers will be inclined to trust a Google payment system more than the alternatives, such as credit cards or PayPal. Two possible GBuy features might prompt many to take a flier: a rebate on purchases and a "Trusted GBuy Merchant" logo on product listings. But PayPal has spent years honing fraud prevention. That's something Google would have to hire experts to get up to speed on, not something that could be solved completely with Google's specialty, smart algorithms. "They can't PhD their way out of it," says Weinberg. A bigger hurdle may be persuading merchants that the information GBuy enables Google to gather will be used in a way that benefits them. Jordan Rohan, an analyst with RBC Capital Markets, noted in a June 9 report that Google would be able to gather transaction data to determine which keywords lead to greater sales, not just clicks. "We expect some resistance from merchants who will fear that Google will use the transaction data to charge them more for sponsored links in the future," he wrote. Meanwhile, PayPal is already running hard down the road toward becoming much more than a way to pay for baseball card purchases on eBay. A flurry of new initiatives, from a PayPal credit card to a virtual debit card that will start rolling out next month, makes the unit's ambitions plain. "We're creating the new global standard for online payments," Whitman told shareholders at eBay's annual meeting earlier this month. BRING IT ON. For one, it's quickly moving beyond eBay itself. Last year, PayPal courted other online merchants to accept PayPal in addition to credit cards. It now counts Apple Computer Inc.'s (AAPL) iTunes Music Store, and Dell Computer (DELL) among its merchants. 
"We want the PayPal mark on every single Web site," Dana Stalder, PayPal's senior vice-president of marketing and business operations, said at eBay's recent member conference in Las Vegas. And next month, it will debut a test version of a "virtual debit card" for use on sites that don't currently accept PayPal. PayPal users will download software to create a small toolbar in a Web browser. When they visit a site that takes Mastercard, they can get a onetime-use MasterCard number that draws on their PayPal account, so they don't have to reveal their credit card to the site. What's more, PayPal is quickly moving beyond just online payments. In April, it announced PayPal Mobile, a way to pay for items using a cell phone. And in May, it teamed with GE Consumer Finance (GE) to launch a PayPal-branded MasterCard credit card. "We think this is a big opportunity to take PayPal beyond Internet payments," eBay CEO Whitman said recently. As a result, "we're ready for competition," PayPal President Jeff Jordan said recently. "We feel like we're competing from a position of strength." At the same time, Google's got money and momentum like few other companies. So the battle's just beginning. From rforno at infowarrior.org Thu Jun 29 08:18:43 2006 From: rforno at infowarrior.org (Richard Forno) Date: Thu, 29 Jun 2006 08:18:43 -0400 Subject: [Infowarrior] - Behind the SWIFT hypocrisy this week. Message-ID: (Interestingly the LA Times and WSJ haven't been slammed by the Administration over this story yet, and they also broke the item last week......rf) June 29, 2006 Behind Bush's Fury, a Vow Made in 2001 By SCOTT SHANE http://www.nytimes.com/2006/06/29/washington/29intel.html?_r=1&oref=slogin&p agewanted=print WASHINGTON, June 28 - Ever since President Bush vowed days after the Sept. 11 attacks to "follow the money as a trail to the terrorists," the government has made no secret of its efforts to hunt down the bank accounts of Al Qaeda and its allies. 
But that fact has not muted the fury of Mr. Bush, his top aides and many members of Congress at the decision last week by The New York Times and other newspapers to disclose a centerpiece of that hunt: the Treasury Department's search for clues in a vast database of financial transactions maintained by a Belgium-based banking consortium known as Swift. Speaking at a fund-raising event in St. Louis for Senator Jim Talent, Mr. Bush made the news reports his central theme. "This program has been a vital tool in the war on terror," Mr. Bush said. "Last week the details of this program appeared in the press." Mr. Bush received a prolonged, standing ovation from the Republican crowd when he added, "There can be no excuse for anyone entrusted with vital intelligence to leak it - and no excuse for any newspaper to print it." On Thursday, the House is expected to take up a Republican resolution supporting the tracking of financial transactions and condemning the publication of the existence of the program and details of how it works. The resolution says Congress "expects the cooperation of all news media organizations in protecting the lives of Americans and the capability of the government to identify, disrupt and capture terrorists by not disclosing classified intelligence programs." Democrats are proposing a variant that expresses support for the treasury program but omits the language about the news media. The director of national intelligence, John D. Negroponte, has ordered an assessment of any damage to counterterrorism efforts from the disclosures, but the review is expected to take months, and its findings are likely to remain classified. Experts on terror financing are divided in their views of the impact of the revelations. Some say the harm in last week's publications in The Times, The Los Angeles Times and The Wall Street Journal may have been less in tipping off terrorists than in putting publicity-shy bankers in an uncomfortable spotlight. 
"I would be surprised if terrorists didn't know that we were doing everything we can to track their financial transactions, since the administration has been very vocal about that fact," said William F. Wechsler, a former Treasury and National Security Council official who specialized in tracking terrorism financing. But Mr. Wechsler said the disclosure might nonetheless hamper intelligence collection by making financial institutions resistant to requests for access to records. "I wouldn't be surprised if these recent articles have made it more difficult to get cooperation from our friends in Europe, since it may make their cooperation with the U.S. less politically palatable," Mr. Wechsler said. Though privacy advocates have denounced the examination of banking transactions, the Swift consortium has defended its cooperation with the counterterrorism program and has not indicated any intention to stop cooperating with the broad administrative subpoenas issued to obtain its data. A former federal prosecutor who handled major terrorism cases, Andrew C. McCarthy, said he believed that the greatest harm from news reports about such classified programs was the message that Americans could not keep secrets. "If foreign intelligence services think anything they tell us will end up in the newspapers, they'll stop sharing so much information," said Mr. McCarthy, now a senior fellow at the Foundation for the Defense of Democracies in Washington. Mr. McCarthy said he thought the Swift disclosure might encourage terrorist plotters to stop moving money through the banking system, depriving the United States and its allies of a valuable window on their activities. "Methods they assumed were safe they now know are not so safe," he said. But Bob Kerrey, a member of the 9/11 commission and former Democratic senator from Nebraska, took a different view, saying that if the news reports drive terrorists out of the banking system, that could actually help the counterterrorism cause. 
"If we tell people who are potential criminals that we have a lot of police on the beat, that's a substantial deterrent," said Mr. Kerrey, now president of New School University. If terrorists decide it is too risky to move money through official channels, "that's very good, because it's much, much harder to move money in other ways," Mr. Kerrey said. A State Department official, Anthony Wayne, made a parallel point in 2004 before Congress. "As we've made it more difficult for them to use the banking system," Mr. Wayne said, "they've been shifting to other less reliable and more cumbersome methods, such as cash couriers." As such testimony suggests, government agencies have often trumpeted their successes in tracking terrorist funding. President Bush set the tone on Sept. 24, 2001, declaring, "We're putting banks and financial institutions around the world on notice -- we will work with their governments, ask them to freeze or block terrorists' ability to access funds in foreign accounts." Since then, the Treasury Department has produced dozens of news releases and public reports detailing its efforts. Though officials appear never to have mentioned the Swift program, they have repeatedly described their cooperation with financial networks to identify accounts held by people and organizations linked to terrorism. Working with "our allies abroad and our partners in the private sector," an April news release said, "Treasury follows the terrorists' money trails aggressively, exploiting them for intelligence." Representative Peter T. King, Republican of New York, convened a hearing in 2004 where Treasury officials described at length their efforts, assisted by financial institutions, to trace terrorists' money. But he has been among the most vehement critics of the disclosures about the Swift program, saying editors and reporters of The New York Times should be imprisoned for publishing government secrets. In an interview on Wednesday, Mr. King said he saw no contradiction. "Obviously we wanted the terrorists to know we were trying to track them," Mr. King said. "But we didn't want them to know the details."

From rforno at infowarrior.org Thu Jun 29 08:25:32 2006
From: rforno at infowarrior.org (Richard Forno)
Date: Thu, 29 Jun 2006 08:25:32 -0400
Subject: [Infowarrior] - NYT Editorial: Patriotism and the Press
Message-ID:

http://www.nytimes.com/2006/06/28/opinion/28Wed1.html?pagewanted=print

Editorial
Patriotism and the Press

Over the last year, The New York Times has twice published reports about secret antiterrorism programs being run by the Bush administration. Both times, critics have claimed that the paper was being unpatriotic or even aiding the terrorists. Some have even suggested that it should be indicted under the Espionage Act. There have been a handful of times in American history when the government has indeed tried to prosecute journalists for publishing things it preferred to keep quiet. None of them turned out well -- from the Sedition Act of 1798 to the time when the government tried to enjoin The Times and The Washington Post from publishing the Pentagon Papers. As most of our readers know, there is a large wall between the news and opinion operations of this paper, and we were not part of the news side's debates about whether to publish the latest story under contention -- a report about how the government tracks international financial transfers through a banking consortium known as Swift in an effort to pinpoint terrorists. Bill Keller, the executive editor, spoke for the newsroom very clearly. Our own judgments about the uproar that has ensued would be no different if the other papers that published the story, including The Los Angeles Times and The Wall Street Journal, had acted alone. The Swift story bears no resemblance to security breaches, like disclosure of troop locations, that would clearly compromise the immediate safety of specific individuals.
Terrorist groups would have had to be fairly credulous not to suspect that they would be subject to scrutiny if they moved money around through international wire transfers. In fact, a United Nations group set up to monitor Al Qaeda and the Taliban after Sept. 11 recommended in 2002 that other countries should follow the United States' lead in monitoring suspicious transactions handled by Swift. The report is public and available on the United Nations Web site. But any argument by the government that a story is too dangerous to publish has to be taken seriously. There have been times in this paper's history when editors have decided not to print something they knew. In some cases, like the Kennedy administration's plans for the disastrous Bay of Pigs invasion, it seems in hindsight that the editors were over-cautious. (Certainly President Kennedy thought so.) Most recently, The Times held its reporting about the government's secret antiterror wiretapping program for more than a year while it weighed administration objections. Our news colleagues work under the assumption that they should let the people know anything important that the reporters learn, unless there is some grave and overriding reason for withholding the information. They try hard not to base those decisions on political calculations, like whether a story would help or hurt the administration. It is certainly unlikely that anyone who wanted to hurt the Bush administration politically would try to do so by writing about the government's extensive efforts to make it difficult for terrorists to wire large sums of money. From our side of the news-opinion wall, the Swift story looks like part of an alarming pattern. Ever since Sept. 11, the Bush administration has taken the necessity of heightened vigilance against terrorism and turned it into a rationale for an extraordinarily powerful executive branch, exempt from the normal checks and balances of our system of government.
It has created powerful new tools of surveillance and refused, almost as a matter of principle, to use normal procedures that would acknowledge that either Congress or the courts have an oversight role. The Swift program, like the wiretapping program, has been under way for years with no restrictions except those that the executive branch chooses to impose on itself -- or, in the case of Swift, that the banks themselves are able to demand. This seems to us very much the sort of thing the other branches of government, and the public, should be nervously aware of. We would have been very happy if Congressman Peter King, the Long Island Republican who has been so vocal in citing the Espionage Act, had been as aggressive in encouraging his colleagues to do the oversight job they were elected to do. The United States will soon be marking the fifth anniversary of the war on terror. The country is in this for the long haul, and the fight has to be coupled with a commitment to individual liberties that define America's side in the battle. A half-century ago, the country endured a long period of amorphous, global vigilance against an enemy who was suspected of boring from within, and history suggests that under those conditions, it is easy to err on the side of security and secrecy. The free press has a central place in the Constitution because it can provide information the public needs to make things right again. Even if it runs the risk of being labeled unpatriotic in the process.

From rforno at infowarrior.org Thu Jun 29 08:33:24 2006
From: rforno at infowarrior.org (Richard Forno)
Date: Thu, 29 Jun 2006 08:33:24 -0400
Subject: [Infowarrior] - Schneier: It's the Economy, Stupid
Message-ID:

It's the Economy, Stupid
By Bruce Schneier | 02:00 AM Jun. 29, 2006
http://www.wired.com/news/columns/1,71264-0.html

I'm sitting in a conference room at Cambridge University, trying to simultaneously finish this article for Wired News and pay attention to the presenter onstage.
I'm in this awkward situation because 1) this article is due tomorrow, and 2) I'm attending the fifth Workshop on the Economics of Information Security, or WEIS: to my mind, the most interesting computer security conference of the year. The idea that economics has anything to do with computer security is relatively new. Ross Anderson and I seem to have stumbled upon the idea independently. He, in his brilliant article from 2001, "Why Information Security Is Hard -- An Economic Perspective" (.pdf), and me in various essays and presentations from that same period. WEIS began a year later at the University of California at Berkeley and has grown ever since. It's the only workshop where technologists get together with economists and lawyers and try to understand the problems of computer security. And economics has a lot to teach computer security. We generally think of computer security as a problem of technology, but often systems fail because of misplaced economic incentives: The people who could protect a system are not the ones who suffer the costs of failure. When you start looking, economic considerations are everywhere in computer security. Hospitals' medical-records systems provide comprehensive billing-management features for the administrators who specify them, but are not so good at protecting patients' privacy. Automated teller machines suffered from fraud in countries like the United Kingdom and the Netherlands, where poor regulation left banks without sufficient incentive to secure their systems, and allowed them to pass the cost of fraud along to their customers. And one reason the internet is insecure is that liability for attacks is so diffuse. In all of these examples, the economic considerations of security are more important than the technical considerations. More generally, many of the most basic security questions are at least as much economic as technical. Do we spend enough on keeping hackers out of our computer systems? Or do we spend too much? 
For that matter, do we spend appropriate amounts on police and Army services? And are we spending our security budgets on the right things? In the shadow of 9/11, questions like these have a heightened importance. Economics can actually explain many of the puzzling realities of internet security. Firewalls are common, e-mail encryption is rare: not because of the relative effectiveness of the technologies, but because of the economic pressures that drive companies to install them. Corporations rarely publicize information about intrusions; that's because of economic incentives against doing so. And an insecure operating system is the international standard, in part, because its economic effects are largely borne not by the company that builds the operating system, but by the customers that buy it. Some of the most controversial cyberpolicy issues also sit squarely between information security and economics. For example, the issue of digital rights management: Is copyright law too restrictive -- or not restrictive enough -- to maximize society's creative output? And if it needs to be more restrictive, will DRM technologies benefit the music industry or the technology vendors? Is Microsoft's Trusted Computing initiative a good idea, or just another way for the company to lock its customers into Windows, Media Player and Office? Any attempt to answer these questions becomes rapidly entangled with both information security and economic arguments. WEIS encourages papers on these and other issues in economics and computer security. We heard papers presented on the economics of digital forensics of cell phones (.pdf) -- if you have an uncommon phone, the police probably don't have the tools to perform forensic analysis -- and the effect of stock spam on stock prices: It actually works in the short term. 
We learned that more-educated wireless network users are not more likely to secure their access points (.pdf), and that the best predictor of wireless security is the default configuration of the router. Other researchers presented economic models to explain patch management (.pdf), peer-to-peer worms (.pdf), investment in information security technologies (.pdf) and opt-in versus opt-out privacy policies (.pdf). There was a field study that tried to estimate the cost to the U.S. economy for information infrastructure failures (.pdf): less than you might think. And one of the most interesting papers looked at economic barriers to adopting new security protocols (.pdf), specifically DNS Security Extensions. This is all heady stuff. In the early years, there was a bit of a struggle as the economists and the computer security technologists tried to learn each other's languages. But now it seems that there's a lot more synergy, and more collaborations between the two camps. I've long said that the fundamental problems in computer security are no longer about technology; they're about applying technology. Workshops like WEIS are helping us understand why good security technologies fail and bad ones succeed, and that kind of insight is critical if we're going to improve security in the information age.

- - -

Bruce Schneier is the CTO of Counterpane Internet Security and the author of Beyond Fear: Thinking Sensibly About Security in an Uncertain World. You can contact him through his website.

From rforno at infowarrior.org Thu Jun 29 10:23:05 2006
From: rforno at infowarrior.org (Richard Forno)
Date: Thu, 29 Jun 2006 10:23:05 -0400
Subject: [Infowarrior] - SC finds military commissions illegal
Message-ID:

BREAKING..... Supreme Court Rules: Bush Overstepped Authority In Plans For War Crimes Trials At Guantanamo Vote is 5-3... Found military commissions illegal under both military justice law and the Geneva Convention...
From rforno at infowarrior.org Thu Jun 29 10:24:00 2006
From: rforno at infowarrior.org (Richard Forno)
Date: Thu, 29 Jun 2006 10:24:00 -0400
Subject: [Infowarrior] - NYT: Supreme Court Blocks War-Crimes Trials at Guantanamo
Message-ID:

In Loss for Bush, Supreme Court Blocks War-Crimes Trials at Guantanamo
By THE ASSOCIATED PRESS
http://www.nytimes.com/2006/06/29/washington/29cnd-scotus.html?pagewanted=print

WASHINGTON (AP) -- The Supreme Court ruled Thursday that President Bush overstepped his authority in ordering military war crimes trials for Guantanamo Bay detainees. The ruling, a rebuke to the administration and its aggressive anti-terror policies, was written by Justice John Paul Stevens, who said the proposed trials were illegal under U.S. law and Geneva conventions. The case focused on Salim Ahmed Hamdan, a Yemeni who worked as a bodyguard and driver for Osama bin Laden. Hamdan, 36, has spent four years in the U.S. prison in Cuba. He faces a single count of conspiring against U.S. citizens from 1996 to November 2001. Two years ago, the court rejected Bush's claim to have the authority to seize and detain terrorism suspects and indefinitely deny them access to courts or lawyers. In this followup case, the justices focused solely on the issue of trials for some of the men. The vote was split 5-3, with moderate Justice Anthony M. Kennedy joining the court's liberal members in ruling against the Bush administration. Chief Justice John Roberts, named to lead the court last September by Bush, was sidelined in the case because as an appeals court judge he had backed the government over Hamdan. Thursday's ruling overturned that decision.
From rforno at infowarrior.org Thu Jun 29 10:39:26 2006
From: rforno at infowarrior.org (Richard Forno)
Date: Thu, 29 Jun 2006 10:39:26 -0400
Subject: [Infowarrior] - VA Laptop Reportedly Recovered
Message-ID:

MSNBC reporting the stolen VA laptop with the 26 million records has been recovered.....I've not seen other reports yet, though. -rf

From rforno at infowarrior.org Thu Jun 29 11:45:37 2006
From: rforno at infowarrior.org (Richard Forno)
Date: Thu, 29 Jun 2006 11:45:37 -0400
Subject: [Infowarrior] - FBI announces VA laptop recovery
Message-ID:

Baltimore Division
Office of Public Affairs
PRESS RELEASE
FOR IMMEDIATE RELEASE
Contact: SA Michelle Crnkovich
Thursday, June 29, 2006
410-277-6223

DEPARTMENT OF VETERANS AFFAIRS OFFICE OF INSPECTOR GENERAL (OIG), THE FEDERAL BUREAU OF INVESTIGATION, AND MONTGOMERY COUNTY POLICE DEPARTMENT ANNOUNCE THE RECOVERY OF THE STOLEN LAPTOP AND EXTERNAL HARD DRIVE

Baltimore, Maryland -- The Veterans Administration OIG, the Federal Bureau of Investigation, and the Montgomery County Police Department today announce the recovery of the stolen laptop computer, and the external hard drive, taken in a burglary on May 3, 2006. The electronic equipment contained sensitive information concerning over 26 million veterans, and the recovery of the data has been of paramount concern. The protection of the sensitive data, and well being of those potentially affected, have made this investigation the number one priority for the investigating agencies. A preliminary review of the equipment by computer forensic teams has determined that the database remains intact and has not been accessed since it was stolen. A thorough forensic examination is underway, and the results will be shared as soon as possible. The investigation is ongoing. The Veterans Administration OIG, the Federal Bureau of Investigation and the Montgomery County Police Department would like to thank the United States Park Police for their invaluable work in this case.
Their efforts led to the recovery of the equipment.

######

Call Baltimore FBI for any additional information
SSA Richard J. Kolko, FBI Unit Chief, National Press Office
Office of Public Affairs
202.324.8785 Desk
202.324.3691 Office Switchboard
Blackberry email richard.kolko at ic.fbi.gov

From rforno at infowarrior.org Thu Jun 29 12:29:22 2006
From: rforno at infowarrior.org (Richard Forno)
Date: Thu, 29 Jun 2006 12:29:22 -0400
Subject: [Infowarrior] - REAL ID: A real hard act to follow
Message-ID:

A real hard act to follow
States view the Real ID Act as an unreasonable and costly challenge, but some officials see in it the glimmer of a silver lining
http://www.fcw.com/article94987-06-26-06-Print
BY John Pulley
Published on June 26, 2006

Teresa Takai did not receive a self-destructing taped message inquiring if she would accept the mission. The Real ID Act suddenly appeared as an unfunded mandate from Congress to overhaul states' driver's licensing on a tight deadline. The act, signed into law May 11, 2005, seeks to prevent illegal aliens and would-be terrorists from getting driver's licenses. It forces states, within three years of the act's passage, to require documentation that goes beyond what most states ask license applicants to produce: a photo identity document, documentation of birth, proof of Social Security number, and documentation of an applicant's name and address of principal residence. In addition, the law requires states to verify those documents and keep digital copies -- two provisions that would necessitate more robust storage capacity and connections between disparate databases than most states have. Among other provisions, the Real ID Act also calls for tamper-proof, machine-readable licenses manufactured in secure areas by employees with security clearances. The law will affect an estimated 240 million driver's licenses.
Yet with the deadline for deployment less than two years away, the federal government still has not issued technical requirements to guide states. "We think it will be a struggle, to some degree, to even get started by then," said Tom Jarrett, Delaware's secretary of technology and chief information technology officer. He is also chairman of the National Association of State Chief Information Officers' Real ID Work Group. Takai, Michigan's CIO, is in a double bind. She is in the midst of updating a 30-year-old computer system that state officials use to manage driver's licenses. If she had the luxury of time, she would postpone the upgrade to ensure the new system's compatibility with Real ID's requirements. But with retirement looming for the few remaining employees who are proficient in an older technology, Takai can't wait. She is running two races with separate clocks and finish lines. Her strategy is to upgrade the old system and hope it will be compatible with requirements of the Real ID Act. "All we can do is guess at what we think the implementation is going to be," she said. "If we get it wrong, we're going to have a brand new system that we will have to go back in and change." Takai's dilemma is unusually thorny, but states generally agree that implementing the Real ID Act poses big problems because of insufficient time and money. "States believe that this time frame is unreasonable, costly and potentially impossible to meet," the National Governors Association, the National Conference of State Legislatures and the American Association of Motor Vehicle Administrators wrote in an April letter to the Homeland Security Department. In addition, CIOs rue the federal government's unwillingness to seek ideas from states about how to implement the Real ID Act -- an attitude that is not without precedent. "We're all a little bit gun shy because of the [Health Insurance Portability and Accountability Act of 1996] implementation," Takai said.
"The states felt we could have reduced the impact on ourselves if we had been able to work with [the Department of Health and Human Services] to define how that implementation would take place." HIPAA established national standards for electronic health care transactions and national identifiers for providers, health plans and employers, in part to secure the privacy of health data. "We're sort of doing a déjà vu here," Takai said. Until the federal government issues requirements for new driver's licenses, no one can say how much it will cost to implement the Real ID Act. Citizens Against Government Waste, a taxpayer advocacy group in Washington, D.C., released a report last fall that projects a total price of $17.4 billion if the government requires radio frequency identification chips, like those embedded in new passports, to become a component of driver's licenses. Some state officials say mandatory inclusion of RFID in driver's licenses seems unlikely at present. Otto Doll, South Dakota's CIO, said that if the new licenses must have a biometric component, it would probably be fingerprints. Even without embedded chips, however, compliance with the act will have significant costs. Some state CIOs have heard that the new licenses will be made of an expensive polycarbonate material manufactured by a single supplier. Polycarbonate is a transparent thermoplastic that is resistant to heat, cold and breakage. Verifying and storing digital copies of applicants' source documents won't be cheap either. The National Association for Public Health Statistics and Information Systems (NAPHSIS) is testing a previously discarded system that would allow states to verify applicants' birth certificates in less than 10 seconds. The Electronic Verification of Vital Events (EVVE) was created to improve management of states' birth records and death certificates, but the project was shelved because payments demanded by states in exchange for putting birth information in the system were more than the Social Security Administration was willing to pay. An advisory committee of federal agencies that might use EVVE met in June to consider an acceptable pricing structure, said Garland Land, NAPHSIS' executive director. The Real ID Act's requirement that states not issue a driver's license to someone who currently holds a license in another state demands a system for cross-checking data among states' Department of Motor Vehicles offices. They would most likely use pointer systems, similar to an online sex offender registry, Doll said. Unlike the Social Security Administration's centralized database of Social Security numbers, the national sex-offender public registry connects data from multiple sources. If states are required to store digital images of applicants' documents for as long as 10 years, storage capacity and costs will further strain states' resources. "We are nearing the petabyte stage in the little state of Wisconsin," said Matthew Miszewski, the state's CIO. "They better give us some money. Space ain't free." Acquiring equipment to make the licenses, securing the license-manufacturing area, screening workers and adding employees to handle the influx of customers at state DMV offices are expected to increase costs. Financial issues aside, state CIOs say they desperately need clear directives from the federal government to begin implementation and avoid potential compatibility problems. "There is no lack of creativity as to how you could accomplish the goals outlined in the act," Miszewski said. "Without guidance, you will have 50 different systems." The challenges will vary throughout jurisdictions. California, with more licensed drivers than other states, faces a volume issue that Doll said will require a major effort to implement the new law. His state has a different concern.
Seventy percent of South Dakota's land area falls under the U.S. Census Bureau's frontier classification. A step below the rural designation, frontier status designates population density of fewer than seven people per square mile. In the state capital, Pierre, the DMV office is open only three days a week. The rest of the time, employees go on the road to issue and renew licenses to people who are nowhere near a DMV office. The Real ID Act's onerous requirements could kill that service, with predictable results, Doll said. "People aren't going to drive 200 miles" to get a license, he said. Despite the drawbacks, the law could have a silver lining. Once the act is implemented, states will be able to offer more sophisticated digital services, said Miszewski, who envisions a system of cross-functional identification that will analyze customer transactions and offer additional services as needed. As it is now, a family that moves to Wisconsin and wants to take a vacation at one of the state's lakes must make several stops to acquire necessary licenses, including a Wisconsin driver's license, state tags for the car, a boat license and, depending on the craft's size, a license for the trailer on which it sits. "We don't do a very good job of customer-services relation management," Miszewski said. "The opportunity to create digital identities for citizens in the state is for state CIOs -- the key to the kingdom." Pulley is a freelance writer based in Arlington, Va.

States must meet federal standards

The Real ID Act of 2005 requires states to comply by May 2008 with stringent new federal standards for issuing driver's licenses. Privacy advocates say the law creates a national identification card. They add that newly linked databases could jeopardize the security of license holders' personal information. Proponents of the revamped licenses counter that more rigorous standards are necessary to secure the country's borders and thwart would-be terrorists.
In accordance with the law, states must meet the new driver's license standards by:

# Including a full name, date of birth, gender, driver's license or identification card number, digital photograph, address of principal residence and signature on the license, and physical security features to prevent tampering, counterfeiting or duplication.
# Requiring applicants to present a photo identity document, documentation showing date of birth, proof of a Social Security account number or verification that the person is not eligible for a Social Security account number, and documentation showing name and address of principal residence.
# Verifying that applicants are U.S. citizens or in the country legally and verifying with the issuing agency the validity and completeness of each document presented by applicants. Those agencies must retain digital images of applicants and source documents for as long as 10 years.
# Checking applicants' Social Security account numbers with the Social Security Administration and refusing licenses to applicants holding a driver's license in another state.
# Providing physical security in agencies that produce licenses, including security clearances for workers.
# Sharing driver's license data with all other states.

-- John Pulley

From rforno at infowarrior.org Thu Jun 29 20:48:47 2006
From: rforno at infowarrior.org (Richard Forno)
Date: Thu, 29 Jun 2006 20:48:47 -0400
Subject: [Infowarrior] - Congress targets social-networking sites
Message-ID:

Congress targets social-networking sites
By Declan McCullagh
http://news.com.com/Congress+targets+social-networking+sites/2100-1028_3-6089574.html
Story last modified Thu Jun 29 15:10:07 PDT 2006

The concept of forcing companies to record information about their users' Internet activities to aid in future criminal prosecutions took another twist this week. Rep. Diana DeGette, a Colorado Democrat, originally proposed legislation in April that would require Internet service providers to retain activity logs to aid in criminal investigations, including ones involving child abuse. Now DeGette and some of her colleagues in the House of Representatives are suggesting that social-networking sites should be required to do the same thing. "How much would it cost your company to preserve those IP addresses?" DeGette asked at a hearing on Wednesday that included representatives from Facebook, Xanga and Fox Interactive Media, the parent company of MySpace. "You're going to store the data indefinitely?" An IP address is a unique four-byte address used to communicate with a device on a computer network that relies on the Internet Protocol. An IP address associated with CNET.com, for instance, is 216.239.113.101. Michael Angus, executive vice president of Fox Interactive Media, said he agrees with the idea of data retention for MySpace. "As a media company, Fox is very committed to data retention," Angus said. "It helps us police piracy." Rep. John Dingell, a Michigan Democrat, added: "Why can't data that links IP addresses to physical addresses be stored longer?" The concept of mandatory data retention was pioneered by the European Union, which approved such a requirement for Internet, telephone and voice over Internet Protocol (VoIP) providers last December. A few months later, the Bush administration endorsed the idea, with Attorney General Alberto Gonzales calling it "an issue that must be addressed" and--as first reported by CNET News.com--following up in private meetings with Internet providers. In those meetings, Justice Department representatives went beyond the argument that data retention was necessary to protect children--and claimed it would aid in terrorism investigations as well.
During Wednesday's hearing, politicians also claimed that social-networking sites were not doing enough to verify that their users who claimed to be a certain age were telling the truth. (Recent news reports have said that sex predators are using MySpace and similar sites to meet up with teens.)

"There is more you can do," DeGette said. "You can do algorithms that will go beyond just the date of birth that they register, to start to weed out some of the underage users." She also called for the companies to participate in a "national public service program" to distribute an educational video.

Two paths for data retention

Data retention legislation could follow one of two approaches, and it's not entirely clear which one U.S. politicians will choose.

One form could require Internet providers and social-networking sites to record for a fixed time, perhaps one or two years, which IP address is assigned to which user. The other would be far broader, requiring companies to record data such as the identities of e-mail correspondents, logs of who sent and received instant messages (but not the content of those communications), and the addresses of Web pages visited.

Earlier in the week, Internet companies tried to forestall potentially intrusive new federal laws by launching a campaign against child pornography designed to tip off police to illegal images. Participants include AOL, EarthLink, Microsoft, United Online and Yahoo.

In addition, Comcast announced that it will begin to retain logs that map IP addresses to user identities for 180 days, up from its current policy of 31 days. (The company stressed that it does not record information such as "Internet use or Web surfing habits.")

But Rep. Joe Barton, the Texas Republican who heads the Energy and Commerce Committee, said even after hearing the news, that he still wanted to enact "a comprehensive anti-child-pornography" law.

"I think the Congress is tired of talking about it," Barton said, adding that it was time to "protect our children against these despicable child predators that are on the loose right now in our land." Barton has not released details about his legislation.

This isn't the first time that MySpace and social-networking sites have faced criticism from politicians--and the threat of new federal laws.

A bill introduced last month by Rep. Michael Fitzpatrick, a Pennsylvania Republican, would cordon off access to commercial Web sites that let users create public "Web pages or profiles" and also offer a discussion board, chat room or e-mail service. It would affect most schools and libraries, which would be required to render those Web sites inaccessible to minors, an age group that includes some of the category's most ardent users.

In addition, politicians proposed a slew of related measures this week, including blocking access to off-color Web sites for all Americans, dispatching "search and destroy" bots that would seek out illegal content, regulating search engines and targeting peer-to-peer networks.

From rforno at infowarrior.org Fri Jun 30 12:08:18 2006
From: rforno at infowarrior.org (Richard Forno)
Date: Fri, 30 Jun 2006 12:08:18 -0400
Subject: [Infowarrior] - Another DHS Advisory Coffee Klatch
Message-ID:

SUMMARY: The Department of Homeland Security announced the establishment of the Critical Infrastructure Partnership Advisory Council (CIPAC) by Notice published in the Federal Register on March 24, 2006 (``First CIPAC Notice''). That Notice identified the purpose of the committee as well as its membership. This Notice identifies the institutions currently serving as CIPAC members. This Notice also identifies the government entities that comprise the Government Coordinating Council for each sector.
SUPPLEMENTARY INFORMATION: On March 24, 2006, the Secretary of the Department of Homeland Security (DHS) published notice in the Federal Register (71 FR 14930) announcing the establishment of the Critical Infrastructure Partnership Advisory Council (CIPAC). That first CIPAC Notice identified the CIPAC's intended purpose as facilitating interaction between representatives of government and the community of critical infrastructure and key resources (CI/KR) owners and operators in each critical sector. As set forth in that notice, that interaction will include the following activities: ``planning; coordination; security program implementation; operational activities related to critical infrastructure protection security measures, including incident response, recovery, and reconstitution from events both man-made and naturally occurring; and the sharing of information about threats, vulnerabilities, protective measures, best practices, and lessons learned.''

CIPAC is designed to include as many of the owners and/or operators and the owner and/or operator representative trade associations deemed by each sector's Sector Coordinating Council (SCC) as necessary participants in the activities described in the March 24, 2006 Notice. That first Notice provided a list of the CIPAC membership from each sector as of that date. That first Notice also stated that the CIPAC Executive Secretariat would work with each SCC's leadership and with the Sector Specific Federal Agency for each sector to compile a list of the CIPAC SCC members from each sector. It further stated that the Department would publish a subsequent Notice identifying these additional members of the CIPAC.
< - >

http://cryptome.org/dhs063006.htm

From rforno at infowarrior.org Fri Jun 30 12:09:09 2006
From: rforno at infowarrior.org (Richard Forno)
Date: Fri, 30 Jun 2006 12:09:09 -0400
Subject: [Infowarrior] - Under the Broadcast Flag
Message-ID:

Under the Broadcast Flag
Intellectual Property is Intellectual Theft ... at Gun Point
By MICHAEL J. SMITH
http://www.counterpunch.org/smith06302006.html

There's nothing more wonkish than intellectual-property regulation. But intellectual-property enforcement may well turn out to be the lever for government intrusions into private life every bit as profound and extensive as the better-known secret-police initiatives of the Patriot Act.

You know all those old myths and stories about dead folk who just won't stay dead -- zombies, vampires, Richard Nixon? Well, there are ideas like that too -- ideas that won't stop clawing their way out of the grave and back into the light of day.

One such idea is the "broadcast flag," recently returned aboveground, for the Nth time, tucked into an enormous telecommunications bill (S. 2686), now before the U.S. Senate.

"Broadcast flag"? Before your eyes glaze over, give me a few seconds to get you good and scared. Because this one is a real flesh-eating zombie of an idea, and it just won't stay dead.

"Broadcast flag" is shorthand for two different but interconnected things. One of them is a flag or tag or attribute, or whatever you want to call it, embedded in a digital audio or video stream, that says "don't copy me without permission." This is the "broadcast flag" in the literal sense. Which might seem harmless. It's like an electronic version of the copyright notice on a book, or that goofy thing about the FBI that leads off every video you rent. But if the government ever got serious about enforcing it.... that's where the Inquisition would come tiptoeing into your TV room, and maybe right onto your lap, as we will see a little later.
Well, guess what: Big Media does want the government to enforce the broadcast flag, and the government, ever solicitous for the rights of large-scale property, is eager to oblige.

The broadcast-flag initiative now before the Senate resuscitates an attempt by the FCC, back in 2003, to mandate broadcast flag compliance by all digital media devices. That regulation, known to aficionados as FCC 03-273, was subsequently buried with a stake through its heart by a Federal court. Now the Senate is digging it up again, with near-universal participation by Republicans and Democrats alike. The Flag just sailed through the Senate's commerce committee without a recorded vote, a pretty sure sign of bipartisan ownage by the relevant lobby; the frogs and the mice will not be fighting over this one. The only dissenter, so far, is Senator John Sununu of New Hampshire, who seems to have some real libertarian principles, not just a libertarian line of chat like most of his colleagues.

The 2003 FCC rule, written to order for the Motion Picture Association of America (MPAA), Recording Industry Association of America (RIAA), the National Football League and other copyright rentiers, is a thicket of obscure, rebarbative language, vague definitions, cross-references, and cabbalistic terms of art. But if you stare at it for a while, the crux becomes pretty clear: "demodulators" must comply with the broadcast flag.

And what is a demodulator? It is any device or component that takes a digital TV or audio signal and turns that signal into a stream of bits that can be written to a CD, or shown on a screen, or downloaded to your iPod.

Sounds like some kind of electronic gizmo, right? A thing with transistors, and wires, and maybe some pretty blinking lights. Indeed, a demodulator can be just that. And maybe it doesn't seem so terribly tyrannical to mandate certain kinds of behavior on the part of a gizmo. There are plenty of precedents -- cars have to have seatbelts, for example.
But here's the rub: a demodulator can also be just a piece of software, or part of a larger piece of software. Computers, including your 14-year-old's laptop, are rapidly becoming so powerful that it's only a matter of time before your 14-year-old can download a demodulator, or a program that includes a demodulator, from some other 14-year-old in Finland -- or write his own, for that matter.

Now what happens when that wicked Finn, or your wicked offspring, decides to ignore the Broadcast Flag? Well, the FCC doesn't come right out and say. They don't explicitly include such "software demodulators" in the scope of their regulation, but they don't explicitly exclude them either, and the definition of "demodulator" is certainly broad enough to cover them. And the FCC haven't overlooked the possibility of software demodulators -- they write:

"... critics note that ... non-compliant hardware or software demodulators could be produced with relative ease by individuals with some degree of technical sophistication...."

They go on to say, ominously, I think:

"... we seek further comment on the interplay between a flag redistribution control system and the development of open source software applications, including software demodulators, for digital broadcast television."

'Interplay' is good, isn't it? Interplay nice, kids.

But think for a minute about the implications of all this. Obviously, you won't be able to buy a digital TV, or any other digital media device, whose manufacturers haven't certified to the Feds that it honors the Flag. Perhaps they will have to give the Feds the schematics, or the source code for their "firmware" -- the embedded programming that enables the device to operate. And if you want to get around this restriction, and load software onto your laptop that ignores the Flag, then technically, that software is probably contraband and you will have probably committed a federal crime. But will the law be enforced in such cases?
I think, sooner or later, it will. Not tomorrow. For tomorrow, and next week, software demodulators will be a very geekish hobby, too small-scale to bother the MPAA and the RIAA. But we have all seen how quickly geekish hobbies can infect the millions. And when that happens with software demodulators, there'll be a crime wave, and the MPAA and RIAA will sit up and take notice. They'll want to find all these bad actors who have loaded non-compliant software onto their laptops.

But that's not so easy. There's no way a "content provider" can tell, from his end of the wire, what software the recipient of his digital media stream is running. Ultimately, warrants will have to be issued. Fibbies in flak jackets will charge into your house and confiscate your 14-year-old's computer. Aha! He's running Linux! And he's been visiting Web sites in Finland! Twenty years for the little Commie song pirate!

Does this sound unlikely? It shouldn't -- we've already seen it before, with the FBI breaking into houses and the RIAA filing thousands of lawsuits against people accused of "file sharing."

Intellectual property enforcement, in other words, will lead to a kind of de facto government software regulation. The software police won't entirely succeed in suppressing contraband software -- we'll have an eternal war, a little like the Drug War, which suits the police just fine, of course. But certainly they will succeed to some extent; the prospect of a midnight raid will keep all but the bold and heedless safely inside the sheepfold of approved software, produced by Microsoft or Apple or Sony or some other large corporation.

You know what the next step will be. The approved software manufacturers will be approached, just the way the NSA recently approached the telephone companies. Kiddie porn -- terrorism -- video piracy -- bad things, right? Surely you'll help us defeat terrorism and put child molesters behind bars?
Your techies have probably left some back doors into that movie software, right? Tell us more. What's that? You're hesitating? You're not a, uh, child molester yourself -- are you? Y'know, your ex-wife tells some strange stories....

Paranoid, you say? Well, a few years ago it would have been paranoid to predict that cops would be searching people's knapsacks in the New York subways, or that the NSA would be monitoring your grandmother's phone calls.

There's been a vast expansion, in recent years, of the idea of "intellectual property." You can patent most anything -- Microsoft, I hear, owns all the transcendental numbers except pi, and they're suing Euclid's estate over that. (Just kidding. Sort of.) Copyright is forever, or as near as dammit. Fair use is narrower and narrower, and there are even public parks where it's a copyright violation to take pictures.

And this is taking place at the same time that technology is making intellectual property a laughably obsolete idea. Once you've got a stream of bits on your hard drive, there is no power on earth that can stop you from copying it -- except the oldest power, the power of armed men to break your door down and take you away.

Michael J. Smith is a computer programmer by day. By night, he conspires to destroy the Democratic Party on his blog, stopmebeforeivoteagain.org.

From rforno at infowarrior.org Fri Jun 30 12:21:49 2006
From: rforno at infowarrior.org (Richard Forno)
Date: Fri, 30 Jun 2006 12:21:49 -0400
Subject: [Infowarrior] - French lawmakers approve 'iTunes law'
Message-ID:

French lawmakers approve 'iTunes law'
http://news.yahoo.com/s/ap/20060630/ap_on_hi_te/france_itunes_law_5
By LAURENCE FROST and NATHALIE SCHUCK, Associated Press Writers
2 hours, 51 minutes ago

PARIS - French lawmakers gave final approval Friday to legislation that could force Apple Computer Inc. to make its iPod and iTunes Music Store compatible with rivals' music players and online services.
Both the Senate and the National Assembly, France's lower house, voted in favor of the copyright bill, which some analysts said could cause Apple Computer Inc. and others to pull their music players and online download stores from France.

The vote was the final legislative step before the bill becomes law -- barring the success of a last-ditch constitutional challenge filed last week by the opposition Socialists.

Currently, songs bought on iTunes can be played only on iPods, and an iPod can't play downloads from other stores that rival the extensive iTunes music catalog from major artists and labels -- like Sony's Connect and Napster.

Apple described the original version of the copyright bill as "state-sponsored piracy" earlier this year, but a company spokesman was not immediately available to comment on Friday's vote.

In a statement issued after lawmakers hashed out the final compromise text last week, Apple said it hoped the market would be left to decide "which music players and online music stores are offered to consumers."

The final compromise asserts that companies should share the required technical data with any rival that wants to offer compatible music players and online stores, but it toned down many of the tougher measures backed by lower-house lawmakers early on.

It also maintained a loophole introduced by senators, which could allow Cupertino, Calif.-based Apple and others to dodge the data-sharing demands by striking new deals with record labels and artists.